From 15b9077c2d41f59c716582d8f7ae6e334630c0ac Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Tue, 13 May 2014 20:43:31 +0000
Subject: [PATCH 001/354] Branching from trunk for HADOOP-10150 and HDFS-6134
 at 1594374

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1594376 13f79535-47bb-0310-9956-ffa450edef68

From 8384d57290bd94981e9c0dea546c2d307f0ad9c8 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 16 May 2014 18:53:08 +0000
Subject: [PATCH 002/354] Add CHANGES-fs-encryption.txt to Common and HDFS

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1595304 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt         | 13 +++++++++++++
 .../hadoop-hdfs/CHANGES-fs-encryption.txt           | 13 +++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
new file mode 100644
index 00000000000..fb293606add
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -0,0 +1,13 @@
+Hadoop Common Change Log for HDFS-6134 and HADOOP-10150
+
+fs-encryption (Unreleased)
+
+  INCOMPATIBLE CHANGES
+
+  NEW FEATURES
+
+  IMPROVEMENTS
+
+  OPTIMIZATIONS
+
+  BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
new file mode 100644
index 00000000000..4d02b398a73
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -0,0 +1,13 @@
+Hadoop HDFS Change Log for HDFS-6134 and HADOOP-10150
+
+fs-encryption (Unreleased)
+
+  INCOMPATIBLE CHANGES
+
+  NEW FEATURES
+
+  IMPROVEMENTS
+
+  OPTIMIZATIONS
+
+  BUG FIXES

From b20180ffa6c89396d9fcfec8b029b9c600503c3d Mon Sep 17 00:00:00 2001
From: Yi Liu <yliu@apache.org>
Date: Sat, 24 May 2014 01:19:06 +0000
Subject: [PATCH 003/354] HADOOP-10603. Crypto input and output streams
 implementing Hadoop stream interfaces. Contributed by Yi Liu and Charles
 Lamb.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1597230 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |   3 +
 .../hadoop/crypto/AESCTRCryptoCodec.java      |  57 ++
 .../org/apache/hadoop/crypto/CryptoCodec.java |  82 ++
 .../hadoop/crypto/CryptoInputStream.java      | 613 +++++++++++++++
 .../hadoop/crypto/CryptoOutputStream.java     | 291 +++++++
 .../org/apache/hadoop/crypto/Decryptor.java   |  75 ++
 .../org/apache/hadoop/crypto/Encryptor.java   |  75 ++
 .../hadoop/crypto/JCEAESCTRCryptoCodec.java   |  55 ++
 .../hadoop/crypto/JCEAESCTRDecryptor.java     |  84 +++
 .../hadoop/crypto/JCEAESCTREncryptor.java     |  84 +++
 .../fs/CommonConfigurationKeysPublic.java     |  11 +
 .../fs/crypto/CryptoFSDataInputStream.java    |  37 +
 .../fs/crypto/CryptoFSDataOutputStream.java   |  47 ++
 .../src/main/resources/core-default.xml       |  26 +
 .../hadoop/crypto/CryptoStreamsTestBase.java  | 712 ++++++++++++++++++
 .../hadoop/crypto/TestCryptoStreams.java      | 376 +++++++++
 .../crypto/TestCryptoStreamsForLocalFS.java   | 114 +++
 17 files changed, 2742 insertions(+)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/crypto/CryptoFSDataInputStream.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/crypto/CryptoFSDataOutputStream.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreams.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsForLocalFS.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index fb293606add..e7bc580ff32 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -8,6 +8,9 @@ fs-encryption (Unreleased)
 
   IMPROVEMENTS
 
+    HADOOP-10603. Crypto input and output streams implementing Hadoop stream
+    interfaces. (Yi Liu and Charles Lamb)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
new file mode 100644
index 00000000000..b76f1bf2f6a
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+import com.google.common.base.Preconditions;
+
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public abstract class AESCTRCryptoCodec extends CryptoCodec {
+  /**
+   * For AES, the algorithm block is fixed size of 128 bits.
+   * @see http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
+   */
+  private static final int AES_BLOCK_SIZE = 16;
+
+  @Override
+  public int getAlgorithmBlockSize() {
+    return AES_BLOCK_SIZE;
+  }
+  
+  /**
+   * IV is produced by combining initial IV and the counter using addition.
+   * IV length should be the same as {@link #AES_BLOCK_SIZE}
+   */
+  @Override
+  public void calculateIV(byte[] initIV, long counter, byte[] IV) {
+    Preconditions.checkArgument(initIV.length == AES_BLOCK_SIZE);
+    Preconditions.checkArgument(IV.length == AES_BLOCK_SIZE);
+    
+    ByteBuffer buf = ByteBuffer.wrap(IV);
+    buf.put(initIV);
+    buf.order(ByteOrder.BIG_ENDIAN);
+    counter += buf.getLong(AES_BLOCK_SIZE - 8);
+    buf.putLong(AES_BLOCK_SIZE - 8, counter);
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
new file mode 100644
index 00000000000..80d824d0e19
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
@@ -0,0 +1,82 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.security.GeneralSecurityException;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.conf.Configurable;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.util.ReflectionUtils;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY;
+
+/**
+ * Crypto codec class, encapsulates encryptor/decryptor pair.
+ */
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public abstract class CryptoCodec implements Configurable {
+  
+  public static CryptoCodec getInstance(Configuration conf) {
+    final Class<? extends CryptoCodec> klass = conf.getClass(
+        HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY, JCEAESCTRCryptoCodec.class, 
+        CryptoCodec.class);
+    return ReflectionUtils.newInstance(klass, conf);
+  }
+  
+  /**
+   * Get block size of a block cipher.
+   * For different algorithms, the block size may be different.
+   * @return int block size
+   */
+  public abstract int getAlgorithmBlockSize();
+
+  /**
+   * Get a {@link #org.apache.hadoop.crypto.Encryptor}. 
+   * @return Encryptor
+   */
+  public abstract Encryptor getEncryptor() throws GeneralSecurityException;
+  
+  /**
+   * Get a {@link #org.apache.hadoop.crypto.Decryptor}.
+   * @return Decryptor
+   */
+  public abstract Decryptor getDecryptor() throws GeneralSecurityException;
+  
+  /**
+   * This interface is only for Counter (CTR) mode. Typically calculating 
+   * IV(Initialization Vector) is up to Encryptor or Decryptor, for 
+   * example {@link #javax.crypto.Cipher} will maintain encryption context 
+   * internally when do encryption/decryption continuously using its 
+   * Cipher#update interface. 
+   * <p/>
+   * In Hadoop, multiple nodes may read splits of a file, so decrypting of 
+   * file is not continuous, even for encrypting may be not continuous. For 
+   * each part, we need to calculate the counter through file position.
+   * <p/>
+   * Typically IV for a file position is produced by combining initial IV and 
+   * the counter using any lossless operation (concatenation, addition, or XOR).
+   * @see http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_.28CTR.29
+   * 
+   * @param initIV initial IV
+   * @param counter counter for input stream position 
+   * @param IV the IV for input stream position
+   */
+  public abstract void calculateIV(byte[] initIV, long counter, byte[] IV);
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
new file mode 100644
index 00000000000..ffcf1846cf2
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
@@ -0,0 +1,613 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.io.FileDescriptor;
+import java.io.FileInputStream;
+import java.io.FilterInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+import java.util.EnumSet;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.ByteBufferReadable;
+import org.apache.hadoop.fs.CanSetDropBehind;
+import org.apache.hadoop.fs.CanSetReadahead;
+import org.apache.hadoop.fs.HasEnhancedByteBufferAccess;
+import org.apache.hadoop.fs.HasFileDescriptor;
+import org.apache.hadoop.fs.PositionedReadable;
+import org.apache.hadoop.fs.ReadOption;
+import org.apache.hadoop.fs.Seekable;
+import org.apache.hadoop.io.ByteBufferPool;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT;
+
+import com.google.common.base.Preconditions;
+
+/**
+ * CryptoInputStream decrypts data. It is not thread-safe. AES CTR mode is
+ * required in order to ensure that the plain text and cipher text have a 1:1
+ * mapping. The decryption is buffer based. The key points of the decryption
+ * are (1) calculating the counter and (2) padding through stream position:
+ * <p/>
+ * counter = base + pos/(algorithm blocksize); 
+ * padding = pos%(algorithm blocksize); 
+ * <p/>
+ * The underlying stream offset is maintained as state.
+ */
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public class CryptoInputStream extends FilterInputStream implements 
+    Seekable, PositionedReadable, ByteBufferReadable, HasFileDescriptor, 
+    CanSetDropBehind, CanSetReadahead, HasEnhancedByteBufferAccess {
+  private static final int MIN_BUFFER_SIZE = 512;
+  private static final byte[] oneByteBuf = new byte[1];
+  private final CryptoCodec codec;
+  private final Decryptor decryptor;
+  /**
+   * Input data buffer. The data starts at inBuffer.position() and ends at 
+   * to inBuffer.limit().
+   */
+  private ByteBuffer inBuffer;
+  /**
+   * The decrypted data buffer. The data starts at outBuffer.position() and 
+   * ends at outBuffer.limit();
+   */
+  private ByteBuffer outBuffer;
+  private long streamOffset = 0; // Underlying stream offset.
+  /**
+   * Whether underlying stream supports 
+   * {@link #org.apache.hadoop.fs.ByteBufferReadable}
+   */
+  private Boolean usingByteBufferRead = null;
+  /**
+   * Padding = pos%(algorithm blocksize); Padding is put into {@link #inBuffer} 
+   * before any other data goes in. The purpose of padding is to put input data
+   * at proper position.
+   */
+  private byte padding;
+  private boolean closed;
+  private final byte[] key;
+  private final byte[] initIV;
+  private byte[] iv;
+  
+  public CryptoInputStream(InputStream in, CryptoCodec codec, 
+      int bufferSize, byte[] key, byte[] iv) throws IOException {
+    super(in);
+    Preconditions.checkArgument(bufferSize >= MIN_BUFFER_SIZE, 
+        "Minimum value of buffer size is 512.");
+    this.key = key;
+    this.initIV = iv;
+    this.iv = iv.clone();
+    inBuffer = ByteBuffer.allocateDirect(bufferSize);
+    outBuffer = ByteBuffer.allocateDirect(bufferSize);
+    outBuffer.limit(0);
+    this.codec = codec;
+    try {
+      decryptor = codec.getDecryptor();
+    } catch (GeneralSecurityException e) {
+      throw new IOException(e);
+    }
+    if (in instanceof Seekable) {
+      streamOffset = ((Seekable) in).getPos();
+    }
+    updateDecryptor();
+  }
+  
+  public CryptoInputStream(InputStream in, CryptoCodec codec,
+      byte[] key, byte[] iv) throws IOException {
+    this(in, codec, getBufferSize(codec.getConf()), key, iv);
+  }
+  
+  public InputStream getWrappedStream() {
+    return in;
+  }
+  
+  /**
+   * Decryption is buffer based.
+   * If there is data in {@link #outBuffer}, then read it out of this buffer.
+   * If there is no data in {@link #outBuffer}, then read more from the 
+   * underlying stream and do the decryption.
+   * @param b the buffer into which the decrypted data is read.
+   * @param off the buffer offset.
+   * @param len the maximum number of decrypted data bytes to read.
+   * @return int the total number of decrypted data bytes read into the buffer.
+   * @throws IOException
+   */
+  @Override
+  public int read(byte[] b, int off, int len) throws IOException {
+    checkStream();
+    if (b == null) {
+      throw new NullPointerException();
+    } else if (off < 0 || len < 0 || len > b.length - off) {
+      throw new IndexOutOfBoundsException();
+    } else if (len == 0) {
+      return 0;
+    }
+    
+    int remaining = outBuffer.remaining();
+    if (remaining > 0) {
+      int n = Math.min(len, remaining);
+      outBuffer.get(b, off, n);
+      return n;
+    } else {
+      int n = 0;
+      /**
+       * Check whether the underlying stream is {@link ByteBufferReadable},
+       * it can avoid bytes copy.
+       */
+      if (usingByteBufferRead == null) {
+        if (in instanceof ByteBufferReadable) {
+          try {
+            n = ((ByteBufferReadable) in).read(inBuffer);
+            usingByteBufferRead = Boolean.TRUE;
+          } catch (UnsupportedOperationException e) {
+            usingByteBufferRead = Boolean.FALSE;
+          }
+        }
+        if (!usingByteBufferRead.booleanValue()) {
+          n = readFromUnderlyingStream();
+        }
+      } else {
+        if (usingByteBufferRead.booleanValue()) {
+          n = ((ByteBufferReadable) in).read(inBuffer);
+        } else {
+          n = readFromUnderlyingStream();
+        }
+      }
+      if (n <= 0) {
+        return n;
+      }
+      
+      streamOffset += n; // Read n bytes
+      decrypt();
+      n = Math.min(len, outBuffer.remaining());
+      outBuffer.get(b, off, n);
+      return n;
+    }
+  }
+  
+  // Read data from underlying stream.
+  private int readFromUnderlyingStream() throws IOException {
+    int toRead = inBuffer.remaining();
+    byte[] tmp = getTmpBuf();
+    int n = in.read(tmp, 0, toRead);
+    if (n > 0) {
+      inBuffer.put(tmp, 0, n);
+    }
+    return n;
+  }
+  
+  private byte[] tmpBuf;
+  private byte[] getTmpBuf() {
+    if (tmpBuf == null) {
+      tmpBuf = new byte[inBuffer.capacity()];
+    }
+    return tmpBuf;
+  }
+  
+  /**
+   * Do the decryption using {@link #inBuffer} as input and {@link #outBuffer} 
+   * as output.
+   */
+  private void decrypt() throws IOException {
+    Preconditions.checkState(inBuffer.position() >= padding);
+    if(inBuffer.position() == padding) {
+      // There is no real data in inBuffer.
+      return;
+    }
+    inBuffer.flip();
+    outBuffer.clear();
+    decryptor.decrypt(inBuffer, outBuffer);
+    inBuffer.clear();
+    outBuffer.flip();
+    if (padding > 0) {
+      /**
+       * The plain text and cipher text have 1:1 mapping, they start at same 
+       * position.
+       */
+      outBuffer.position(padding);
+      padding = 0;
+    }
+    if (decryptor.isContextReset()) {
+      /**
+       * Typically we will not get here. To improve performance in CTR mode,
+       * we rely on the decryptor maintaining context, for example calculating 
+       * the counter. Unfortunately, some bad implementations can't maintain 
+       * context so we need to re-init after doing decryption.
+       */
+      updateDecryptor();
+    }
+  }
+  
+  /**
+   * Update the {@link #decryptor}. Calculate the counter and {@link #padding}.
+   */
+  private void updateDecryptor() throws IOException {
+    long counter = streamOffset / codec.getAlgorithmBlockSize();
+    padding = (byte)(streamOffset % codec.getAlgorithmBlockSize());
+    inBuffer.position(padding); // Set proper position for input data.
+    codec.calculateIV(initIV, counter, iv);
+    decryptor.init(key, iv);
+  }
+  
+  /**
+   * Reset the underlying stream offset; and clear {@link #inBuffer} and 
+   * {@link #outBuffer}. Typically this happens when doing {@link #seek(long)} 
+   * or {@link #skip(long)}.
+   */
+  private void resetStreamOffset(long offset) throws IOException {
+    streamOffset = offset;
+    inBuffer.clear();
+    outBuffer.clear();
+    outBuffer.limit(0);
+    updateDecryptor();
+  }
+  
+  @Override
+  public void close() throws IOException {
+    if (closed) {
+      return;
+    }
+    
+    super.close();
+    freeBuffers();
+    closed = true;
+  }
+  
+  /**
+   * Free the direct buffer manually.
+   */
+  private void freeBuffers() {
+    sun.misc.Cleaner inBufferCleaner =
+        ((sun.nio.ch.DirectBuffer) inBuffer).cleaner();
+    inBufferCleaner.clean();
+    sun.misc.Cleaner outBufferCleaner =
+        ((sun.nio.ch.DirectBuffer) outBuffer).cleaner();
+    outBufferCleaner.clean();
+  }
+  
+  // Positioned read.
+  @Override
+  public int read(long position, byte[] buffer, int offset, int length)
+      throws IOException {
+    checkStream();
+    try {
+      int n = ((PositionedReadable) in).read(position, buffer, offset, length);
+      if (n > 0) {
+        /** 
+         * Since this operation does not change the current offset of a file, 
+         * streamOffset should be not changed and we need to restore the 
+         * decryptor and outBuffer after decryption.
+         */
+        decrypt(position, buffer, offset, length);
+      }
+      
+      return n;
+    } catch (ClassCastException e) {
+      throw new UnsupportedOperationException("This stream does not support " +
+          "positioned read.");
+    }
+  }
+  
+  /**
+   * Decrypt given length of data in buffer: start from offset.
+   * Output is also buffer and start from same offset. Restore the 
+   * {@link #decryptor} and {@link #outBuffer} after decryption.
+   */
+  private void decrypt(long position, byte[] buffer, int offset, int length) 
+      throws IOException {
+    
+    byte[] tmp = getTmpBuf();
+    int unread = outBuffer.remaining();
+    if (unread > 0) { // Cache outBuffer
+      outBuffer.get(tmp, 0, unread);
+    }
+    long curOffset = streamOffset;
+    resetStreamOffset(position);
+    
+    int n = 0;
+    while (n < length) {
+      int toDecrypt = Math.min(length - n, inBuffer.remaining());
+      inBuffer.put(buffer, offset + n, toDecrypt);
+      // Do decryption
+      decrypt();
+      outBuffer.get(buffer, offset + n, toDecrypt);
+      n += toDecrypt;
+    }
+    
+    // After decryption
+    resetStreamOffset(curOffset);
+    if (unread > 0) { // Restore outBuffer
+      outBuffer.clear();
+      outBuffer.put(tmp, 0, unread);
+      outBuffer.flip();
+    }
+  }
+  
+  // Positioned read fully.
+  @Override
+  public void readFully(long position, byte[] buffer, int offset, int length)
+      throws IOException {
+    checkStream();
+    try {
+      ((PositionedReadable) in).readFully(position, buffer, offset, length);
+      if (length > 0) {
+        /** 
+         * Since this operation does not change the current offset of a file, 
+         * streamOffset should be not changed and we need to restore the decryptor 
+         * and outBuffer after decryption.
+         */
+        decrypt(position, buffer, offset, length);
+      }
+    } catch (ClassCastException e) {
+      throw new UnsupportedOperationException("This stream does not support " +
+          "positioned readFully.");
+    }
+  }
+
+  @Override
+  public void readFully(long position, byte[] buffer) throws IOException {
+    readFully(position, buffer, 0, buffer.length);
+  }
+
+  // Seek to a position.
+  @Override
+  public void seek(long pos) throws IOException {
+    Preconditions.checkArgument(pos >= 0, "Cannot seek to negative offset.");
+    checkStream();
+    try {
+      // If target pos we have already read and decrypt.
+      if (pos <= streamOffset && pos >= (streamOffset - outBuffer.remaining())) {
+        int forward = (int) (pos - (streamOffset - outBuffer.remaining()));
+        if (forward > 0) {
+          outBuffer.position(outBuffer.position() + forward);
+        }
+      } else {
+        ((Seekable) in).seek(pos);
+        resetStreamOffset(pos);
+      }
+    } catch (ClassCastException e) {
+      throw new UnsupportedOperationException("This stream does not support " +
+          "seek.");
+    }
+  }
+  
+  // Skip n bytes
+  @Override
+  public long skip(long n) throws IOException {
+    Preconditions.checkArgument(n >= 0, "Negative skip length.");
+    checkStream();
+    
+    if (n == 0) {
+      return 0;
+    } else if (n <= outBuffer.remaining()) {
+      int pos = outBuffer.position() + (int) n;
+      outBuffer.position(pos);
+      return n;
+    } else {
+      /**
+       * Subtract outBuffer.remaining() to see how many bytes we need to 
+       * skip in underlying stream. We get real skipped bytes number of 
+       * underlying stream then add outBuffer.remaining() to get skipped
+       * bytes number from user's view.
+       */
+      n -= outBuffer.remaining();
+      long skipped = in.skip(n);
+      if (skipped < 0) {
+        skipped = 0;
+      }
+      long pos = streamOffset + skipped;
+      skipped += outBuffer.remaining();
+      resetStreamOffset(pos);
+      return skipped;
+    }
+  }
+
+  // Get underlying stream position.
+  @Override
+  public long getPos() throws IOException {
+    checkStream();
+    // Equals: ((Seekable) in).getPos() - outBuffer.remaining()
+    return streamOffset - outBuffer.remaining();
+  }
+  
+  // ByteBuffer read.
+  @Override
+  public int read(ByteBuffer buf) throws IOException {
+    checkStream();
+    if (in instanceof ByteBufferReadable) {
+      int unread = outBuffer.remaining();
+      if (unread > 0) { // Have unread decrypted data in buffer.
+        int toRead = buf.remaining();
+        if (toRead <= unread) {
+          int limit = outBuffer.limit();
+          outBuffer.limit(outBuffer.position() + toRead);
+          buf.put(outBuffer);
+          outBuffer.limit(limit);
+          return toRead;
+        } else {
+          buf.put(outBuffer);
+        }
+      }
+      
+      int pos = buf.position();
+      int n = ((ByteBufferReadable) in).read(buf);
+      if (n > 0) {
+        streamOffset += n; // Read n bytes
+        decrypt(buf, n, pos);
+      }
+      return n;
+    }
+
+    throw new UnsupportedOperationException("ByteBuffer read unsupported " +
+        "by input stream.");
+  }
+  
+  /**
+   * Decrypt all data in buf: total n bytes from given start position.
+   * Output is also buf and same start position.
+   * buf.position() and buf.limit() should be unchanged after decryption.
+   */
+  private void decrypt(ByteBuffer buf, int n, int start) 
+      throws IOException {
+    int pos = buf.position();
+    int limit = buf.limit();
+    int len = 0;
+    while (len < n) {
+      buf.position(start + len);
+      buf.limit(start + len + Math.min(n - len, inBuffer.remaining()));
+      inBuffer.put(buf);
+      // Do decryption
+      decrypt();
+      
+      buf.position(start + len);
+      buf.limit(limit);
+      len += outBuffer.remaining();
+      buf.put(outBuffer);
+    }
+    buf.position(pos);
+  }
+  
+  @Override
+  public int available() throws IOException {
+    checkStream();
+    
+    return in.available() + outBuffer.remaining();
+  }
+
+  @Override
+  public boolean markSupported() {
+    return false;
+  }
+  
+  @Override
+  public void mark(int readLimit) {
+  }
+  
+  @Override
+  public void reset() throws IOException {
+    throw new IOException("Mark/reset not supported");
+  }
+
+  @Override
+  public boolean seekToNewSource(long targetPos) throws IOException {
+    Preconditions.checkArgument(targetPos >= 0, 
+        "Cannot seek to negative offset.");
+    checkStream();
+    try {
+      boolean result = ((Seekable) in).seekToNewSource(targetPos);
+      resetStreamOffset(targetPos);
+      return result;
+    } catch (ClassCastException e) {
+      throw new UnsupportedOperationException("This stream does not support " +
+          "seekToNewSource.");
+    }
+  }
+
+  @Override
+  public ByteBuffer read(ByteBufferPool bufferPool, int maxLength,
+      EnumSet<ReadOption> opts) throws IOException,
+      UnsupportedOperationException {
+    checkStream();
+    try {
+      if (outBuffer.remaining() > 0) {
+        // Have some decrypted data unread, need to reset.
+        ((Seekable) in).seek(getPos());
+        resetStreamOffset(getPos());
+      }
+      ByteBuffer buffer = ((HasEnhancedByteBufferAccess) in).
+          read(bufferPool, maxLength, opts);
+      if (buffer != null) {
+        int n = buffer.remaining();
+        if (n > 0) {
+          streamOffset += buffer.remaining(); // Read n bytes
+          int pos = buffer.position();
+          decrypt(buffer, n, pos);
+        }
+      }
+      return buffer;
+    } catch (ClassCastException e) {
+      throw new UnsupportedOperationException("This stream does not support " + 
+          "enhanced byte buffer access.");
+    }
+  }
+
+  @Override
+  public void releaseBuffer(ByteBuffer buffer) {
+    try {
+      ((HasEnhancedByteBufferAccess) in).releaseBuffer(buffer);
+    } catch (ClassCastException e) {
+      throw new UnsupportedOperationException("This stream does not support " + 
+          "release buffer.");
+    }
+  }
+
+  @Override
+  public void setReadahead(Long readahead) throws IOException,
+      UnsupportedOperationException {
+    try {
+      ((CanSetReadahead) in).setReadahead(readahead);
+    } catch (ClassCastException e) {
+      throw new UnsupportedOperationException("This stream does not support " +
+          "setting the readahead caching strategy.");
+    }
+  }
+
+  @Override
+  public void setDropBehind(Boolean dropCache) throws IOException,
+      UnsupportedOperationException {
+    try {
+      ((CanSetDropBehind) in).setDropBehind(dropCache);
+    } catch (ClassCastException e) {
+      throw new UnsupportedOperationException("This stream does not " +
+          "support setting the drop-behind caching setting.");
+    }
+  }
+
+  @Override
+  public FileDescriptor getFileDescriptor() throws IOException {
+    if (in instanceof HasFileDescriptor) {
+      return ((HasFileDescriptor) in).getFileDescriptor();
+    } else if (in instanceof FileInputStream) {
+      return ((FileInputStream) in).getFD();
+    } else {
+      return null;
+    }
+  }
+  
+  @Override
+  public int read() throws IOException {
+    return (read(oneByteBuf, 0, 1) == -1) ? -1 : (oneByteBuf[0] & 0xff);
+  }
+  
+  private void checkStream() throws IOException {
+    if (closed) {
+      throw new IOException("Stream closed");
+    }
+  }
+  
+  private static int getBufferSize(Configuration conf) {
+    return conf.getInt(HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY, 
+        HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT);
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
new file mode 100644
index 00000000000..934c4479352
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
@@ -0,0 +1,291 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.io.FilterOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CanSetDropBehind;
+import org.apache.hadoop.fs.Syncable;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT;
+
+import com.google.common.base.Preconditions;
+
+/**
+ * CryptoOutputStream encrypts data. It is not thread-safe. AES CTR mode is
+ * required in order to ensure that the plain text and cipher text have a 1:1
+ * mapping. The encryption is buffer based. The key points of the encryption are
+ * (1) calculating counter and (2) padding through stream position.
+ * <p/>
+ * counter = base + pos/(algorithm blocksize); 
+ * padding = pos%(algorithm blocksize); 
+ * <p/>
+ * The underlying stream offset is maintained as state.
+ */
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public class CryptoOutputStream extends FilterOutputStream implements 
+    Syncable, CanSetDropBehind {
+  private static final int MIN_BUFFER_SIZE = 512;
+  private static final byte[] oneByteBuf = new byte[1];
+  private final CryptoCodec codec;
+  private final Encryptor encryptor;
+  /**
+   * Input data buffer. The data starts at inBuffer.position() and ends at 
+   * inBuffer.limit().
+   */
+  private ByteBuffer inBuffer;
+  /**
+   * Encrypted data buffer. The data starts at outBuffer.position() and ends at 
+   * outBuffer.limit();
+   */
+  private ByteBuffer outBuffer;
+  private long streamOffset = 0; // Underlying stream offset.
+  /**
+   * Padding = pos%(algorithm blocksize); Padding is put into {@link #inBuffer} 
+   * before any other data goes in. The purpose of padding is to put input data
+   * at proper position.
+   */
+  private byte padding;
+  private boolean closed;
+  private final byte[] key;
+  private final byte[] initIV;
+  private byte[] iv;
+  
+  public CryptoOutputStream(OutputStream out, CryptoCodec codec, 
+      int bufferSize, byte[] key, byte[] iv) throws IOException {
+    this(out, codec, bufferSize, key, iv, 0);
+  }
+  
+  public CryptoOutputStream(OutputStream out, CryptoCodec codec, 
+      int bufferSize, byte[] key, byte[] iv, long streamOffset) 
+      throws IOException {
+    super(out);
+    Preconditions.checkArgument(bufferSize >= MIN_BUFFER_SIZE, 
+        "Minimum value of buffer size is 512.");
+    this.key = key;
+    this.initIV = iv;
+    this.iv = iv.clone();
+    inBuffer = ByteBuffer.allocateDirect(bufferSize);
+    outBuffer = ByteBuffer.allocateDirect(bufferSize);
+    this.streamOffset = streamOffset;
+    this.codec = codec;
+    try {
+      encryptor = codec.getEncryptor();
+    } catch (GeneralSecurityException e) {
+      throw new IOException(e);
+    }
+    updateEncryptor();
+  }
+  
+  public CryptoOutputStream(OutputStream out, CryptoCodec codec, 
+      byte[] key, byte[] iv) throws IOException {
+    this(out, codec, key, iv, 0);
+  }
+  
+  public CryptoOutputStream(OutputStream out, CryptoCodec codec, 
+      byte[] key, byte[] iv, long streamOffset) throws IOException {
+    this(out, codec, getBufferSize(codec.getConf()), key, iv, streamOffset);
+  }
+  
+  public OutputStream getWrappedStream() {
+    return out;
+  }
+  
+  /**
+   * Encryption is buffer based.
+   * If there is enough room in {@link #inBuffer}, then write to this buffer.
+   * If {@link #inBuffer} is full, then do encryption and write data to the
+   * underlying stream.
+   * @param b the data.
+   * @param off the start offset in the data.
+   * @param len the number of bytes to write.
+   * @throws IOException
+   */
+  @Override
+  public void write(byte[] b, int off, int len) throws IOException {
+    checkStream();
+    if (b == null) {
+      throw new NullPointerException();
+    } else if (off < 0 || len < 0 || off > b.length || 
+        len > b.length - off) {
+      throw new IndexOutOfBoundsException();
+    }
+    while (len > 0) {
+      int remaining = inBuffer.remaining();
+      if (len < remaining) {
+        inBuffer.put(b, off, len);
+        len = 0;
+      } else {
+        inBuffer.put(b, off, remaining);
+        off += remaining;
+        len -= remaining;
+        encrypt();
+      }
+    }
+  }
+  
+  /**
+   * Do the encryption, input is {@link #inBuffer} and output is 
+   * {@link #outBuffer}.
+   */
+  private void encrypt() throws IOException {
+    Preconditions.checkState(inBuffer.position() >= padding);
+    if (inBuffer.position() == padding) {
+      // There is no real data in the inBuffer.
+      return;
+    }
+    inBuffer.flip();
+    outBuffer.clear();
+    encryptor.encrypt(inBuffer, outBuffer);
+    inBuffer.clear();
+    outBuffer.flip();
+    if (padding > 0) {
+      /**
+       * The plain text and cipher text have 1:1 mapping, they start at same 
+       * position.
+       */
+      outBuffer.position(padding);
+      padding = 0;
+    }
+    int len = outBuffer.remaining();
+    /**
+     * If underlying stream supports {@link ByteBuffer} write in future, needs
+     * refine here. 
+     */
+    final byte[] tmp = getTmpBuf();
+    outBuffer.get(tmp, 0, len);
+    out.write(tmp, 0, len);
+    
+    streamOffset += len;
+    if (encryptor.isContextReset()) {
+      /**
+       * We will generally not get here.  For CTR mode, to improve
+       * performance, we rely on the encryptor maintaining context, for
+       * example to calculate the counter.  But some bad implementations
+       * can't maintain context, and need us to re-init after doing
+       * encryption.
+       */
+      updateEncryptor();
+    }
+  }
+  
+  /**
+   * Update the {@link #encryptor}: calculate counter and {@link #padding}.
+   */
+  private void updateEncryptor() throws IOException {
+    long counter = streamOffset / codec.getAlgorithmBlockSize();
+    padding = (byte)(streamOffset % codec.getAlgorithmBlockSize());
+    inBuffer.position(padding); // Set proper position for input data.
+    codec.calculateIV(initIV, counter, iv);
+    encryptor.init(key, iv);
+  }
+  
+  private byte[] tmpBuf;
+  private byte[] getTmpBuf() {
+    if (tmpBuf == null) {
+      tmpBuf = new byte[outBuffer.capacity()];
+    }
+    return tmpBuf;
+  }
+  
+  @Override
+  public void close() throws IOException {
+    if (closed) {
+      return;
+    }
+    
+    super.close();
+    freeBuffers();
+    closed = true;
+  }
+  
+  /**
+   * Free the direct buffer manually.
+   */
+  private void freeBuffers() {
+    sun.misc.Cleaner inBufferCleaner =
+        ((sun.nio.ch.DirectBuffer) inBuffer).cleaner();
+    inBufferCleaner.clean();
+    sun.misc.Cleaner outBufferCleaner =
+        ((sun.nio.ch.DirectBuffer) outBuffer).cleaner();
+    outBufferCleaner.clean();
+  }
+  
+  /**
+   * To flush, we need to encrypt the data in buffer and write to underlying
+   * stream, then do the flush.
+   */
+  @Override
+  public void flush() throws IOException {
+    checkStream();
+    encrypt();
+    super.flush();
+  }
+  
+  @Override
+  public void write(int b) throws IOException {
+    oneByteBuf[0] = (byte)(b & 0xff);
+    write(oneByteBuf, 0, oneByteBuf.length);
+  }
+  
+  private void checkStream() throws IOException {
+    if (closed) {
+      throw new IOException("Stream closed");
+    }
+  }
+  
+  @Override
+  public void setDropBehind(Boolean dropCache) throws IOException,
+      UnsupportedOperationException {
+    try {
+      ((CanSetDropBehind) out).setDropBehind(dropCache);
+    } catch (ClassCastException e) {
+      throw new UnsupportedOperationException("This stream does not " +
+          "support setting the drop-behind caching.");
+    }
+  }
+
+  @Override
+  public void hflush() throws IOException {
+    flush();
+    if (out instanceof Syncable) {
+      ((Syncable)out).hflush();
+    }
+  }
+
+  @Override
+  public void hsync() throws IOException {
+    flush();
+    if (out instanceof Syncable) {
+      ((Syncable)out).hsync();
+    }
+  }
+  
+  private static int getBufferSize(Configuration conf) {
+    return conf.getInt(HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY, 
+        HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT);
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java
new file mode 100644
index 00000000000..4afb2216580
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public interface Decryptor {
+  
+  /**
+   * Initialize the decryptor, the internal decryption context will be 
+   * reset.
+   * @param key decryption key.
+   * @param iv decryption initialization vector
+   * @throws IOException if initialization fails
+   */
+  public void init(byte[] key, byte[] iv) throws IOException;
+  
+  /**
+   * Indicate whether decryption context is reset.
+   * <p/>
+   * It's useful for some mode like CTR which requires different IV for 
+   * different parts of data. Usually decryptor can maintain the context 
+   * internally such as calculating IV/counter, then continue a multiple-part 
+   * decryption operation without reinit the decryptor using key and the new 
+   * IV. For mode like CTR, if context is reset after each decryption, the 
+   * decryptor should be reinit before each operation, that's not efficient. 
+   * @return boolean whether context is reset.
+   */
+  public boolean isContextReset();
+  
+  /**
+   * This exposes a direct interface for record decryption with direct byte
+   * buffers.
+   * <p/>
+   * The decrypt() function need not always consume the buffers provided,
+   * it will need to be called multiple times to decrypt an entire buffer 
+   * and the object will hold the decryption context internally.
+   * <p/>
+   * Some implementation may need enough space in the destination buffer to 
+   * decrypt an entire input.
+   * <p/>
+   * The end result will move inBuffer.position() by the bytes-read and
+   * outBuffer.position() by the bytes-written. It should not modify the 
+   * inBuffer.limit() or outBuffer.limit() to maintain consistency of operation.
+   * <p/>
+   * @param inBuffer in direct {@link ByteBuffer} for reading from. Requires 
+   * inBuffer != null and inBuffer.remaining() > 0
+   * @param outBuffer out direct {@link ByteBuffer} for storing the results
+   * into. Requires outBuffer != null and outBuffer.remaining() > 0
+   * @throws IOException if decryption fails
+   */
+  public void decrypt(ByteBuffer inBuffer, ByteBuffer outBuffer) 
+      throws IOException;
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java
new file mode 100644
index 00000000000..398cc2e9aec
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public interface Encryptor {
+  
+  /**
+   * Initialize the encryptor, the internal encryption context will be 
+   * reset.
+   * @param key encryption key.
+   * @param iv encryption initialization vector
+   * @throws IOException if initialization fails
+   */
+  public void init(byte[] key, byte[] iv) throws IOException;
+  
+  /**
+   * Indicate whether encryption context is reset.
+   * <p/>
+   * It's useful for some mode like CTR which requires different IV for 
+   * different parts of data. Usually encryptor can maintain the context 
+   * internally such as calculating IV/counter, then continue a multiple-part 
+   * encryption operation without reinit the encryptor using key and the new 
+   * IV. For mode like CTR, if context is reset after each encryption, the 
+   * encryptor should be reinit before each operation, that's not efficient. 
+   * @return boolean whether context is reset.
+   */
+  public boolean isContextReset();
+  
+  /**
+   * This exposes a direct interface for record encryption with direct byte
+   * buffers.
+   * <p/>
+   * The encrypt() function need not always consume the buffers provided,
+   * it will need to be called multiple times to encrypt an entire buffer 
+   * and the object will hold the encryption context internally.
+   * <p/>
+   * Some implementation may need enough space in the destination buffer to 
+   * encrypt an entire input.
+   * <p/>
+   * The end result will move inBuffer.position() by the bytes-read and
+   * outBuffer.position() by the bytes-written. It should not modify the 
+   * inBuffer.limit() or outBuffer.limit() to maintain consistency of operation.
+   * <p/>
+   * @param inBuffer in direct {@link ByteBuffer} for reading from. Requires 
+   * inBuffer != null and inBuffer.remaining() > 0
+   * @param outBuffer out direct {@link ByteBuffer} for storing the results
+   * into. Requires outBuffer != null and outBuffer.remaining() > 0
+   * @throws IOException if encryption fails
+   */
+  public void encrypt(ByteBuffer inBuffer, ByteBuffer outBuffer) 
+      throws IOException;
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
new file mode 100644
index 00000000000..aea9e07ee6a
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.security.GeneralSecurityException;
+
+import org.apache.hadoop.conf.Configuration;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY;
+
+/**
+ * Implement the AES-CTR crypto codec using JCE provider.
+ */
+public class JCEAESCTRCryptoCodec extends AESCTRCryptoCodec {
+  private Configuration conf;
+  private String provider;
+
+  public JCEAESCTRCryptoCodec() {
+  }
+  
+  @Override
+  public Configuration getConf() {
+    return conf;
+  }
+  
+  @Override
+  public void setConf(Configuration conf) {
+    this.conf = conf;
+    provider = conf.get(HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY);
+  }
+
+  @Override
+  public Encryptor getEncryptor() throws GeneralSecurityException {
+    return new JCEAESCTREncryptor(provider);
+  }
+
+  @Override
+  public Decryptor getDecryptor() throws GeneralSecurityException {
+    return new JCEAESCTRDecryptor(provider);
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java
new file mode 100644
index 00000000000..a3fb13f6291
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+
+import com.google.common.base.Preconditions;
+
+public class JCEAESCTRDecryptor implements Decryptor {
+  private final Cipher cipher;
+  private boolean contextReset = false;
+  
+  public JCEAESCTRDecryptor(String provider) throws GeneralSecurityException {
+    if (provider == null || provider.isEmpty()) {
+      cipher = Cipher.getInstance("AES/CTR/NoPadding");
+    } else {
+      cipher = Cipher.getInstance("AES/CTR/NoPadding", provider);
+    }
+  }
+
+  @Override
+  public void init(byte[] key, byte[] iv) throws IOException {
+    Preconditions.checkNotNull(key);
+    Preconditions.checkNotNull(iv);
+    contextReset = false;
+    try {
+      cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), 
+          new IvParameterSpec(iv));
+    } catch (Exception e) {
+      throw new IOException(e);
+    }
+  }
+
+  /**
+   * For AES-CTR, will consume all input data and needs enough space in the 
+   * destination buffer to decrypt entire input data.
+   */
+  @Override
+  public void decrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
+      throws IOException {
+    try {
+      int inputSize = inBuffer.remaining();
+      // Cipher#update will maintain decryption context.
+      int n = cipher.update(inBuffer, outBuffer);
+      if (n < inputSize) {
+        /**
+         * Typically code will not get here. Cipher#update will decrypt all 
+         * input data and put result in outBuffer. 
+         * Cipher#doFinal will reset the decryption context.
+         */
+        contextReset = true;
+        cipher.doFinal(inBuffer, outBuffer);
+      }
+    } catch (Exception e) {
+      throw new IOException(e);
+    }
+  }
+
+  @Override
+  public boolean isContextReset() {
+    return contextReset;
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java
new file mode 100644
index 00000000000..9ee70dc4723
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+
+import com.google.common.base.Preconditions;
+
+public class JCEAESCTREncryptor implements Encryptor {
+  private final Cipher cipher;
+  private boolean contextReset = false;
+  
+  public JCEAESCTREncryptor(String provider) throws GeneralSecurityException {
+    if (provider == null || provider.isEmpty()) {
+      cipher = Cipher.getInstance("AES/CTR/NoPadding");
+    } else {
+      cipher = Cipher.getInstance("AES/CTR/NoPadding", provider);
+    }
+  }
+
+  @Override
+  public void init(byte[] key, byte[] iv) throws IOException {
+    Preconditions.checkNotNull(key);
+    Preconditions.checkNotNull(iv);
+    contextReset = false;
+    try {
+      cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), 
+          new IvParameterSpec(iv));
+    } catch (Exception e) {
+      throw new IOException(e);
+    }
+  }
+
+  /**
+   * For AES-CTR, will consume all input data and needs enough space in the 
+   * destination buffer to encrypt entire input data.
+   */
+  @Override
+  public void encrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
+      throws IOException {
+    try {
+      int inputSize = inBuffer.remaining();
+      // Cipher#update will maintain encryption context.
+      int n = cipher.update(inBuffer, outBuffer);
+      if (n < inputSize) {
+        /**
+         * Typically code will not get here. Cipher#update will encrypt all 
+         * input data and put result in outBuffer. 
+         * Cipher#doFinal will reset the encryption context.
+         */
+        contextReset = true;
+        cipher.doFinal(inBuffer, outBuffer);
+      }
+    } catch (Exception e) {
+      throw new IOException(e);
+    }
+  }
+
+  @Override
+  public boolean isContextReset() {
+    return contextReset;
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
index b6be29447af..c0853a9ded9 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
@@ -282,5 +282,16 @@ public class CommonConfigurationKeysPublic {
   /** Class to override Sasl Properties for a connection */
   public static final String  HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS =
     "hadoop.security.saslproperties.resolver.class";
+  /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
+  public static final String HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY =
+    "hadoop.security.crypto.codec.class";
+  /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
+  public static final String HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY =
+      "hadoop.security.crypto.jce.provider";
+  /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
+  public static final String HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY = 
+      "hadoop.security.crypto.buffer.size";
+  /** Defalt value for HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY */
+  public static final int HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT = 8192;
 }
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/crypto/CryptoFSDataInputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/crypto/CryptoFSDataInputStream.java
new file mode 100644
index 00000000000..8758d28f1de
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/crypto/CryptoFSDataInputStream.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.fs.crypto;
+
+import java.io.IOException;
+
+import org.apache.hadoop.crypto.CryptoCodec;
+import org.apache.hadoop.crypto.CryptoInputStream;
+import org.apache.hadoop.fs.FSDataInputStream;
+
+public class CryptoFSDataInputStream extends FSDataInputStream {
+  
+  public CryptoFSDataInputStream(FSDataInputStream in, CryptoCodec codec, 
+      int bufferSize, byte[] key, byte[] iv) throws IOException {
+    super(new CryptoInputStream(in, codec, bufferSize, key, iv)); 
+  }
+  
+  public CryptoFSDataInputStream(FSDataInputStream in, CryptoCodec codec, 
+      byte[] key, byte[] iv) throws IOException {
+    super(new CryptoInputStream(in, codec, key, iv)); 
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/crypto/CryptoFSDataOutputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/crypto/CryptoFSDataOutputStream.java
new file mode 100644
index 00000000000..040fbcb8799
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/crypto/CryptoFSDataOutputStream.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.fs.crypto;
+
+import java.io.IOException;
+
+import org.apache.hadoop.crypto.CryptoCodec;
+import org.apache.hadoop.crypto.CryptoOutputStream;
+import org.apache.hadoop.fs.FSDataOutputStream;
+
+public class CryptoFSDataOutputStream extends FSDataOutputStream {
+  private final FSDataOutputStream fsOut;
+  
+  public CryptoFSDataOutputStream(FSDataOutputStream out, CryptoCodec codec,
+      int bufferSize, byte[] key, byte[] iv) throws IOException {
+    super(new CryptoOutputStream(out, codec, bufferSize, key, iv, 
+        out.getPos()), null, out.getPos()); 
+    this.fsOut = out;
+  }
+  
+  public CryptoFSDataOutputStream(FSDataOutputStream out, CryptoCodec codec,
+      byte[] key, byte[] iv) throws IOException {
+    super(new CryptoOutputStream(out, codec, key, iv, out.getPos()), 
+        null, out.getPos()); 
+    this.fsOut = out;
+  }
+  
+  @Override
+  public long getPos() {
+    return fsOut.getPos();
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index ea0808eef75..6073c1a9155 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -1348,4 +1348,30 @@
     true.
   </description>
 </property>
+
+<property>
+  <name>hadoop.security.crypto.codec.class</name>
+  <value></value>
+  <description>
+    The default implementation of CryptoCodec which is used for encryption 
+    and decryption. 
+  </description>
+</property>
+
+<property>
+  <name>hadoop.security.crypto.jce.provider</name>
+  <value></value>
+  <description>
+    The JCE provider name used in CryptoCodec. 
+  </description>
+</property>
+
+<property>
+  <name>hadoop.security.crypto.buffer.size</name>
+  <value>8192</value>
+  <description>
+    The buffer size used in Crypto InputStream and OutputStream, and default
+    value is 8192. 
+  </description>
+</property>
 </configuration>
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java
new file mode 100644
index 00000000000..7f36c2b2495
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java
@@ -0,0 +1,712 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+import java.util.EnumSet;
+import java.util.Random;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.fs.ByteBufferReadable;
+import org.apache.hadoop.fs.HasEnhancedByteBufferAccess;
+import org.apache.hadoop.fs.PositionedReadable;
+import org.apache.hadoop.fs.ReadOption;
+import org.apache.hadoop.fs.Seekable;
+import org.apache.hadoop.fs.Syncable;
+import org.apache.hadoop.io.ByteBufferPool;
+import org.apache.hadoop.io.DataOutputBuffer;
+import org.apache.hadoop.io.RandomDatum;
+import org.apache.hadoop.test.GenericTestUtils;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+public abstract class CryptoStreamsTestBase {
+  protected static final Log LOG= LogFactory.getLog(
+      CryptoStreamsTestBase.class);
+
+  protected static CryptoCodec codec;
+  private static final byte[] key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 
+    0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
+  private static final byte[] iv = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 
+    0x07, 0x08, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
+  
+  protected static final int count = 10000;
+  protected static int defaultBufferSize = 8192;
+  protected static int smallBufferSize = 1024;
+  private byte[] data;
+  private int dataLen;
+  
+  @Before
+  public void setUp() throws IOException {
+    // Generate data
+    int seed = new Random().nextInt();
+    DataOutputBuffer dataBuf = new DataOutputBuffer();
+    RandomDatum.Generator generator = new RandomDatum.Generator(seed);
+    for(int i=0; i < count; ++i) {
+      generator.next();
+      RandomDatum key = generator.getKey();
+      RandomDatum value = generator.getValue();
+      
+      key.write(dataBuf);
+      value.write(dataBuf);
+    }
+    LOG.info("Generated " + count + " records");
+    data = dataBuf.getData();
+    dataLen = dataBuf.getLength();
+  }
+  
+  protected void writeData(OutputStream out) throws Exception {
+    out.write(data, 0, dataLen);
+    out.close();
+  }
+  
+  protected int getDataLen() {
+    return dataLen;
+  }
+  
+  private int readAll(InputStream in, byte[] b, int off, int len) 
+      throws IOException {
+    int n = 0;
+    int total = 0;
+    while (n != -1) {
+      total += n;
+      if (total >= len) {
+        break;
+      }
+      n = in.read(b, off + total, len - total);
+    }
+    
+    return total;
+  }
+  
+  protected OutputStream getOutputStream(int bufferSize) throws IOException {
+    return getOutputStream(bufferSize, key, iv);
+  }
+  
+  protected abstract OutputStream getOutputStream(int bufferSize, byte[] key, 
+      byte[] iv) throws IOException;
+  
+  protected InputStream getInputStream(int bufferSize) throws IOException {
+    return getInputStream(bufferSize, key, iv);
+  }
+  
+  protected abstract InputStream getInputStream(int bufferSize, byte[] key, 
+      byte[] iv) throws IOException;
+  
+  /**
+   * Test crypto reading with different buffer size.
+   */
+  @Test(timeout=120000)
+  public void testRead() throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize);
+    writeData(out);
+    
+    // Default buffer size
+    InputStream in = getInputStream(defaultBufferSize);
+    readCheck(in);
+    in.close();
+    
+    // Small buffer size
+    in = getInputStream(smallBufferSize);
+    readCheck(in);
+    in.close();
+  }
+  
+  private void readCheck(InputStream in) throws Exception {
+    byte[] result = new byte[dataLen];
+    int n = readAll(in, result, 0, dataLen);
+    
+    Assert.assertEquals(dataLen, n);
+    byte[] expectedData = new byte[n];
+    System.arraycopy(data, 0, expectedData, 0, n);
+    Assert.assertArrayEquals(result, expectedData);
+    
+    // EOF
+    n = in.read(result, 0, dataLen);
+    Assert.assertEquals(n, -1);
+    in.close();
+  }
+  
+  /**
+   * Test crypto with different IV.
+   */
+  @Test(timeout=120000)
+  public void testCryptoIV() throws Exception {
+    byte[] iv1 = iv.clone();
+    
+    // Counter base: Long.MAX_VALUE
+    setCounterBaseForIV(iv1, Long.MAX_VALUE);
+    cryptoCheck(iv1);
+    
+    // Counter base: Long.MAX_VALUE - 1
+    setCounterBaseForIV(iv1, Long.MAX_VALUE - 1);
+    cryptoCheck(iv1);
+    
+    // Counter base: Integer.MAX_VALUE
+    setCounterBaseForIV(iv1, Integer.MAX_VALUE);
+    cryptoCheck(iv1);
+    
+    // Counter base: 0
+    setCounterBaseForIV(iv1, 0);
+    cryptoCheck(iv1);
+    
+    // Counter base: -1
+    setCounterBaseForIV(iv1, -1);
+    cryptoCheck(iv1);
+  }
+  
+  private void cryptoCheck(byte[] iv) throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize, key, iv);
+    writeData(out);
+    
+    InputStream in = getInputStream(defaultBufferSize, key, iv);
+    readCheck(in);
+    in.close();
+  }
+  
+  private void setCounterBaseForIV(byte[] iv, long counterBase) {
+    ByteBuffer buf = ByteBuffer.wrap(iv);
+    buf.order(ByteOrder.BIG_ENDIAN);
+    buf.putLong(iv.length - 8, counterBase);
+  }
+  
+  /**
+   * Test hflush/hsync of crypto output stream, and with different buffer size.
+   */
+  @Test(timeout=120000)
+  public void testSyncable() throws IOException {
+    syncableCheck();
+  }
+  
+  private void syncableCheck() throws IOException {
+    OutputStream out = getOutputStream(smallBufferSize);
+    try {
+      int bytesWritten = dataLen/3;
+      out.write(data, 0, bytesWritten);
+      ((Syncable) out).hflush();
+      
+      InputStream in = getInputStream(defaultBufferSize);
+      verify(in, bytesWritten, data);
+      in.close();
+      
+      out.write(data, bytesWritten, dataLen - bytesWritten);
+      ((Syncable) out).hsync();
+      
+      in = getInputStream(defaultBufferSize);
+      verify(in, dataLen, data);
+      in.close();
+    } finally {
+      out.close();
+    }
+  }
+  
+  private void verify(InputStream in, int bytesToVerify, 
+      byte[] expectedBytes) throws IOException {
+    byte[] readBuf = new byte[bytesToVerify];
+    readAll(in, readBuf, 0, bytesToVerify);
+    for (int i=0; i<bytesToVerify; i++) {
+      Assert.assertEquals(expectedBytes[i], readBuf[i]);
+    }
+  }
+  
+  private int readAll(InputStream in, long pos, byte[] b, int off, int len) 
+      throws IOException {
+    int n = 0;
+    int total = 0;
+    while (n != -1) {
+      total += n;
+      if (total >= len) {
+        break;
+      }
+      n = ((PositionedReadable) in).read(pos + total, b, off + total, 
+          len - total);
+    }
+    
+    return total;
+  }
+  
+  /**
+   * Test positioned read.
+   */
+  @Test(timeout=120000)
+  public void testPositionedRead() throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize);
+    writeData(out);
+    
+    InputStream in = getInputStream(defaultBufferSize);
+    // Pos: 1/3 dataLen
+    positionedReadCheck(in , dataLen/3);
+
+    // Pos: 1/2 dataLen
+    positionedReadCheck(in, dataLen/2);
+    in.close();
+  }
+  
+  private void positionedReadCheck(InputStream in, int pos) throws Exception {
+    byte[] result = new byte[dataLen];
+    int n = readAll(in, pos, result, 0, dataLen);
+    
+    Assert.assertEquals(dataLen, n + pos);
+    byte[] readData = new byte[n];
+    System.arraycopy(result, 0, readData, 0, n);
+    byte[] expectedData = new byte[n];
+    System.arraycopy(data, pos, expectedData, 0, n);
+    Assert.assertArrayEquals(readData, expectedData);
+  }
+  
+  /**
+   * Test read fully
+   */
+  @Test(timeout=120000)
+  public void testReadFully() throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize);
+    writeData(out);
+    
+    InputStream in = getInputStream(defaultBufferSize);
+    final int len1 = dataLen/4;
+    // Read len1 bytes
+    byte [] readData = new byte[len1];
+    readAll(in, readData, 0, len1);
+    byte[] expectedData = new byte[len1];
+    System.arraycopy(data, 0, expectedData, 0, len1);
+    Assert.assertArrayEquals(readData, expectedData);
+    
+    // Pos: 1/3 dataLen
+    readFullyCheck(in, dataLen/3);
+    
+    // Read len1 bytes
+    readData = new byte[len1];
+    readAll(in, readData, 0, len1);
+    expectedData = new byte[len1];
+    System.arraycopy(data, len1, expectedData, 0, len1);
+    Assert.assertArrayEquals(readData, expectedData);
+    
+    // Pos: 1/2 dataLen
+    readFullyCheck(in, dataLen/2);
+    
+    // Read len1 bytes
+    readData = new byte[len1];
+    readAll(in, readData, 0, len1);
+    expectedData = new byte[len1];
+    System.arraycopy(data, 2 * len1, expectedData, 0, len1);
+    Assert.assertArrayEquals(readData, expectedData);
+    
+    in.close();
+  }
+  
+  private void readFullyCheck(InputStream in, int pos) throws Exception {
+    byte[] result = new byte[dataLen - pos];
+    ((PositionedReadable) in).readFully(pos, result);
+    
+    byte[] expectedData = new byte[dataLen - pos];
+    System.arraycopy(data, pos, expectedData, 0, dataLen - pos);
+    Assert.assertArrayEquals(result, expectedData);
+    
+    result = new byte[dataLen]; // Exceeds maximum length 
+    try {
+      ((PositionedReadable) in).readFully(pos, result);
+      Assert.fail("Read fully exceeds maximum length should fail.");
+    } catch (IOException e) {
+    }
+  }
+  
+  /**
+   * Test seek to different position.
+   */
+  @Test(timeout=120000)
+  public void testSeek() throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize);
+    writeData(out);
+    
+    InputStream in = getInputStream(defaultBufferSize);
+    // Pos: 1/3 dataLen
+    seekCheck(in, dataLen/3);
+    
+    // Pos: 0
+    seekCheck(in, 0);
+    
+    // Pos: 1/2 dataLen
+    seekCheck(in, dataLen/2);
+    
+    // Pos: -3
+    try {
+      seekCheck(in, -3);
+      Assert.fail("Seek to negative offset should fail.");
+    } catch (IllegalArgumentException e) {
+      GenericTestUtils.assertExceptionContains("Cannot seek to negative " +
+      		"offset", e);
+    }
+    
+    // Pos: dataLen + 3
+    try {
+      seekCheck(in, dataLen + 3);
+      Assert.fail("Seek after EOF should fail.");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains("Cannot seek after EOF", e);
+    }
+    
+    in.close();
+  }
+  
+  private void seekCheck(InputStream in, int pos) throws Exception {
+    byte[] result = new byte[dataLen];
+    ((Seekable) in).seek(pos);
+    int n = readAll(in, result, 0, dataLen);
+    
+    Assert.assertEquals(dataLen, n + pos);
+    byte[] readData = new byte[n];
+    System.arraycopy(result, 0, readData, 0, n);
+    byte[] expectedData = new byte[n];
+    System.arraycopy(data, pos, expectedData, 0, n);
+    Assert.assertArrayEquals(readData, expectedData);
+  }
+  
+  /**
+   * Test get position.
+   */
+  @Test(timeout=120000)
+  public void testGetPos() throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize);
+    writeData(out);
+    
+    // Default buffer size
+    InputStream in = getInputStream(defaultBufferSize);
+    byte[] result = new byte[dataLen];
+    int n1 = readAll(in, result, 0, dataLen/3);
+    Assert.assertEquals(n1, ((Seekable) in).getPos());
+    
+    int n2 = readAll(in, result, n1, dataLen - n1);
+    Assert.assertEquals(n1 + n2, ((Seekable) in).getPos());
+    in.close();
+  }
+  
+  @Test(timeout=120000)
+  public void testAvailable() throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize);
+    writeData(out);
+    
+    // Default buffer size
+    InputStream in = getInputStream(defaultBufferSize);
+    byte[] result = new byte[dataLen];
+    int n1 = readAll(in, result, 0, dataLen/3);
+    Assert.assertEquals(in.available(), dataLen - n1);
+    
+    int n2 = readAll(in, result, n1, dataLen - n1);
+    Assert.assertEquals(in.available(), dataLen - n1 - n2);
+    in.close();
+  }
+  
+  /**
+   * Test skip.
+   */
+  @Test(timeout=120000)
+  public void testSkip() throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize);
+    writeData(out);
+        
+    // Default buffer size
+    InputStream in = getInputStream(defaultBufferSize);
+    byte[] result = new byte[dataLen];
+    int n1 = readAll(in, result, 0, dataLen/3);
+    Assert.assertEquals(n1, ((Seekable) in).getPos());
+    
+    long skipped = in.skip(dataLen/3);
+    int n2 = readAll(in, result, 0, dataLen);
+    
+    Assert.assertEquals(dataLen, n1 + skipped + n2);
+    byte[] readData = new byte[n2];
+    System.arraycopy(result, 0, readData, 0, n2);
+    byte[] expectedData = new byte[n2];
+    System.arraycopy(data, dataLen - n2, expectedData, 0, n2);
+    Assert.assertArrayEquals(readData, expectedData);
+    
+    try {
+      skipped = in.skip(-3);
+      Assert.fail("Skip Negative length should fail.");
+    } catch (IllegalArgumentException e) {
+      GenericTestUtils.assertExceptionContains("Negative skip length", e);
+    }
+    
+    // Skip after EOF
+    skipped = in.skip(3);
+    Assert.assertEquals(skipped, 0);
+    
+    in.close();
+  }
+  
+  private void byteBufferReadCheck(InputStream in, ByteBuffer buf, 
+      int bufPos) throws Exception {
+    buf.position(bufPos);
+    int n = ((ByteBufferReadable) in).read(buf);
+    byte[] readData = new byte[n];
+    buf.rewind();
+    buf.position(bufPos);
+    buf.get(readData);
+    byte[] expectedData = new byte[n];
+    System.arraycopy(data, 0, expectedData, 0, n);
+    Assert.assertArrayEquals(readData, expectedData);
+  }
+  
+  /**
+   * Test byte buffer read with different buffer size.
+   */
+  @Test(timeout=120000)
+  public void testByteBufferRead() throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize);
+    writeData(out);
+    
+    // Default buffer size, initial buffer position is 0
+    InputStream in = getInputStream(defaultBufferSize);
+    ByteBuffer buf = ByteBuffer.allocate(dataLen + 100);
+    byteBufferReadCheck(in, buf, 0);
+    in.close();
+    
+    // Default buffer size, initial buffer position is not 0
+    in = getInputStream(defaultBufferSize);
+    buf.clear();
+    byteBufferReadCheck(in, buf, 11);
+    in.close();
+    
+    // Small buffer size, initial buffer position is 0
+    in = getInputStream(smallBufferSize);
+    buf.clear();
+    byteBufferReadCheck(in, buf, 0);
+    in.close();
+    
+    // Small buffer size, initial buffer position is not 0
+    in = getInputStream(smallBufferSize);
+    buf.clear();
+    byteBufferReadCheck(in, buf, 11);
+    in.close();
+    
+    // Direct buffer, default buffer size, initial buffer position is 0
+    in = getInputStream(defaultBufferSize);
+    buf = ByteBuffer.allocateDirect(dataLen + 100);
+    byteBufferReadCheck(in, buf, 0);
+    in.close();
+    
+    // Direct buffer, default buffer size, initial buffer position is not 0
+    in = getInputStream(defaultBufferSize);
+    buf.clear();
+    byteBufferReadCheck(in, buf, 11);
+    in.close();
+    
+    // Direct buffer, small buffer size, initial buffer position is 0
+    in = getInputStream(smallBufferSize);
+    buf.clear();
+    byteBufferReadCheck(in, buf, 0);
+    in.close();
+    
+    // Direct buffer, small buffer size, initial buffer position is not 0
+    in = getInputStream(smallBufferSize);
+    buf.clear();
+    byteBufferReadCheck(in, buf, 11);
+    in.close();
+  }
+  
+  @Test(timeout=120000)
+  public void testCombinedOp() throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize);
+    writeData(out);
+    
+    final int len1 = dataLen/8;
+    final int len2 = dataLen/10;
+    
+    InputStream in = getInputStream(defaultBufferSize);
+    // Read len1 data.
+    byte[] readData = new byte[len1];
+    readAll(in, readData, 0, len1);
+    byte[] expectedData = new byte[len1];
+    System.arraycopy(data, 0, expectedData, 0, len1);
+    Assert.assertArrayEquals(readData, expectedData);
+    
+    long pos = ((Seekable) in).getPos();
+    Assert.assertEquals(len1, pos);
+    
+    // Seek forward len2
+    ((Seekable) in).seek(pos + len2);
+    // Skip forward len2
+    long n = in.skip(len2);
+    Assert.assertEquals(len2, n);
+    
+    // Pos: 1/4 dataLen
+    positionedReadCheck(in , dataLen/4);
+    
+    // Pos should be len1 + len2 + len2
+    pos = ((Seekable) in).getPos();
+    Assert.assertEquals(len1 + len2 + len2, pos);
+    
+    // Read forward len1
+    ByteBuffer buf = ByteBuffer.allocate(len1);
+    int nRead = ((ByteBufferReadable) in).read(buf);
+    readData = new byte[nRead];
+    buf.rewind();
+    buf.get(readData);
+    expectedData = new byte[nRead];
+    System.arraycopy(data, (int)pos, expectedData, 0, nRead);
+    Assert.assertArrayEquals(readData, expectedData);
+    
+    // Pos should be len1 + 2 * len2 + nRead
+    pos = ((Seekable) in).getPos();
+    Assert.assertEquals(len1 + 2 * len2 + nRead, pos);
+    
+    // Pos: 1/3 dataLen
+    positionedReadCheck(in , dataLen/3);
+    
+    // Read forward len1
+    readData = new byte[len1];
+    readAll(in, readData, 0, len1);
+    expectedData = new byte[len1];
+    System.arraycopy(data, (int)pos, expectedData, 0, len1);
+    Assert.assertArrayEquals(readData, expectedData);
+    
+    // Pos should be 2 * len1 + 2 * len2 + nRead
+    pos = ((Seekable) in).getPos();
+    Assert.assertEquals(2 * len1 + 2 * len2 + nRead, pos);
+    
+    // Read forward len1
+    buf = ByteBuffer.allocate(len1);
+    nRead = ((ByteBufferReadable) in).read(buf);
+    readData = new byte[nRead];
+    buf.rewind();
+    buf.get(readData);
+    expectedData = new byte[nRead];
+    System.arraycopy(data, (int)pos, expectedData, 0, nRead);
+    Assert.assertArrayEquals(readData, expectedData);
+    
+    // ByteBuffer read after EOF
+    ((Seekable) in).seek(dataLen);
+    buf.clear();
+    n = ((ByteBufferReadable) in).read(buf);
+    Assert.assertEquals(n, -1);
+    
+    in.close();
+  }
+  
+  @Test(timeout=120000)
+  public void testSeekToNewSource() throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize);
+    writeData(out);
+    
+    InputStream in = getInputStream(defaultBufferSize);
+    
+    final int len1 = dataLen/8;
+    byte[] readData = new byte[len1];
+    readAll(in, readData, 0, len1);
+    
+    // Pos: 1/3 dataLen
+    seekToNewSourceCheck(in, dataLen/3);
+    
+    // Pos: 0
+    seekToNewSourceCheck(in, 0);
+    
+    // Pos: 1/2 dataLen
+    seekToNewSourceCheck(in, dataLen/2);
+    
+    // Pos: -3
+    try {
+      seekToNewSourceCheck(in, -3);
+      Assert.fail("Seek to negative offset should fail.");
+    } catch (IllegalArgumentException e) {
+      GenericTestUtils.assertExceptionContains("Cannot seek to negative " +
+          "offset", e);
+    }
+    
+    // Pos: dataLen + 3
+    try {
+      seekToNewSourceCheck(in, dataLen + 3);
+      Assert.fail("Seek after EOF should fail.");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains("Attempted to read past end of file", e);
+    }
+    
+    in.close();
+  }
+  
+  private void seekToNewSourceCheck(InputStream in, int targetPos) 
+      throws Exception {
+    byte[] result = new byte[dataLen];
+    ((Seekable) in).seekToNewSource(targetPos);
+    int n = readAll(in, result, 0, dataLen);
+    
+    Assert.assertEquals(dataLen, n + targetPos);
+    byte[] readData = new byte[n];
+    System.arraycopy(result, 0, readData, 0, n);
+    byte[] expectedData = new byte[n];
+    System.arraycopy(data, targetPos, expectedData, 0, n);
+    Assert.assertArrayEquals(readData, expectedData);
+  }
+  
+  private ByteBufferPool getBufferPool() {
+    return new ByteBufferPool() {
+      @Override
+      public ByteBuffer getBuffer(boolean direct, int length) {
+        return ByteBuffer.allocateDirect(length);
+      }
+      
+      @Override
+      public void putBuffer(ByteBuffer buffer) {
+      }
+    };
+  }
+  
+  @Test(timeout=120000)
+  public void testHasEnhancedByteBufferAccess() throws Exception {
+    OutputStream out = getOutputStream(defaultBufferSize);
+    writeData(out);
+    
+    InputStream in = getInputStream(defaultBufferSize);
+    final int len1 = dataLen/8;
+    // ByteBuffer size is len1
+    ByteBuffer buffer = ((HasEnhancedByteBufferAccess) in).read(
+        getBufferPool(), len1, EnumSet.of(ReadOption.SKIP_CHECKSUMS));
+    int n1 = buffer.remaining();
+    byte[] readData = new byte[n1];
+    buffer.get(readData);
+    byte[] expectedData = new byte[n1];
+    System.arraycopy(data, 0, expectedData, 0, n1);
+    Assert.assertArrayEquals(readData, expectedData);
+    ((HasEnhancedByteBufferAccess) in).releaseBuffer(buffer);
+    
+    // Read len1 bytes
+    readData = new byte[len1];
+    readAll(in, readData, 0, len1);
+    expectedData = new byte[len1];
+    System.arraycopy(data, n1, expectedData, 0, len1);
+    Assert.assertArrayEquals(readData, expectedData);
+    
+    // ByteBuffer size is len1
+    buffer = ((HasEnhancedByteBufferAccess) in).read(
+        getBufferPool(), len1, EnumSet.of(ReadOption.SKIP_CHECKSUMS));
+    int n2 = buffer.remaining();
+    readData = new byte[n2];
+    buffer.get(readData);
+    expectedData = new byte[n2];
+    System.arraycopy(data, n1 + len1, expectedData, 0, n2);
+    Assert.assertArrayEquals(readData, expectedData);
+    ((HasEnhancedByteBufferAccess) in).releaseBuffer(buffer);
+    
+    in.close();
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreams.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreams.java
new file mode 100644
index 00000000000..ebe025b0eac
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreams.java
@@ -0,0 +1,376 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.io.EOFException;
+import java.io.FileDescriptor;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.ByteBuffer;
+import java.util.EnumSet;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.ByteBufferReadable;
+import org.apache.hadoop.fs.CanSetDropBehind;
+import org.apache.hadoop.fs.CanSetReadahead;
+import org.apache.hadoop.fs.HasEnhancedByteBufferAccess;
+import org.apache.hadoop.fs.HasFileDescriptor;
+import org.apache.hadoop.fs.PositionedReadable;
+import org.apache.hadoop.fs.ReadOption;
+import org.apache.hadoop.fs.Seekable;
+import org.apache.hadoop.fs.Syncable;
+import org.apache.hadoop.io.ByteBufferPool;
+import org.apache.hadoop.io.DataInputBuffer;
+import org.apache.hadoop.io.DataOutputBuffer;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+public class TestCryptoStreams extends CryptoStreamsTestBase {
+  /**
+   * Data storage.
+   * {@link #getOutputStream(int)} will write to this buf.
+   * {@link #getInputStream(int)} will read from this buf.
+   */
+  private byte[] buf;
+  private int bufLen;
+  
+  @BeforeClass
+  public static void init() throws Exception {
+    Configuration conf = new Configuration();
+    codec = CryptoCodec.getInstance(conf);
+  }
+  
+  @AfterClass
+  public static void shutdown() throws Exception {
+  }
+  
+  @Override
+  protected OutputStream getOutputStream(int bufferSize, byte[] key, byte[] iv) 
+      throws IOException {
+    DataOutputBuffer out = new DataOutputBuffer() {
+      @Override
+      public void flush() throws IOException {
+        buf = getData();
+        bufLen = getLength();
+      }
+      @Override
+      public void close() throws IOException {
+        buf = getData();
+        bufLen = getLength();
+      }
+    };
+    return new CryptoOutputStream(new FakeOutputStream(out),
+        codec, bufferSize, key, iv);
+  }
+  
+  @Override
+  protected InputStream getInputStream(int bufferSize, byte[] key, byte[] iv) 
+      throws IOException {
+    DataInputBuffer in = new DataInputBuffer();
+    in.reset(buf, 0, bufLen);
+    return new CryptoInputStream(new FakeInputStream(in), codec, bufferSize, 
+        key, iv);
+  }
+  
+  private class FakeOutputStream extends OutputStream 
+      implements Syncable, CanSetDropBehind{
+    private final byte[] oneByteBuf = new byte[1];
+    private final DataOutputBuffer out;
+    private boolean closed;
+    
+    public FakeOutputStream(DataOutputBuffer out) {
+      this.out = out;
+    }
+    
+    @Override
+    public void write(byte b[], int off, int len) throws IOException {
+      if (b == null) {
+        throw new NullPointerException();
+      } else if (off < 0 || len < 0 || len > b.length - off) {
+        throw new IndexOutOfBoundsException();
+      } else if (len == 0) {
+        return;
+      }
+      
+      checkStream();
+      
+      out.write(b, off, len);
+    }
+    
+    @Override
+    public void flush() throws IOException {
+      checkStream();
+      out.flush();
+    }
+    
+    @Override
+    public void close() throws IOException {
+      if (closed) {
+        return;
+      }
+      
+      out.close();
+      closed = true;
+    }
+
+    @Override
+    public void write(int b) throws IOException {
+      oneByteBuf[0] = (byte)(b & 0xff);
+      write(oneByteBuf, 0, oneByteBuf.length);
+    }
+
+    @Override
+    public void setDropBehind(Boolean dropCache) throws IOException,
+        UnsupportedOperationException {
+    }
+
+    @Override
+    public void hflush() throws IOException {
+      checkStream();
+      flush();
+    }
+
+    @Override
+    public void hsync() throws IOException {
+      checkStream();
+      flush();
+    }
+    
+    private void checkStream() throws IOException {
+      if (closed) {
+        throw new IOException("Stream is closed!");
+      }
+    }
+  }
+  
+  private class FakeInputStream extends InputStream implements 
+      Seekable, PositionedReadable, ByteBufferReadable, HasFileDescriptor, 
+      CanSetDropBehind, CanSetReadahead, HasEnhancedByteBufferAccess {
+    private final byte[] oneByteBuf = new byte[1];
+    private int pos = 0;
+    private final byte[] data;
+    private final int length;
+    private boolean closed = false;
+
+    public FakeInputStream(DataInputBuffer in) {
+      data = in.getData();
+      length = in.getLength();
+    }
+    
+    @Override
+    public void seek(long pos) throws IOException {
+      if (pos > length) {
+        throw new IOException("Cannot seek after EOF.");
+      }
+      if (pos < 0) {
+        throw new IOException("Cannot seek to negative offset.");
+      }
+      checkStream();
+      this.pos = (int)pos;
+    }
+    
+    @Override
+    public long getPos() throws IOException {
+      return pos;
+    }
+    
+    @Override
+    public int available() throws IOException {
+      return length - pos;
+    }
+    
+    @Override
+    public int read(byte b[], int off, int len) throws IOException {
+      if (b == null) {
+        throw new NullPointerException();
+      } else if (off < 0 || len < 0 || len > b.length - off) {
+        throw new IndexOutOfBoundsException();
+      } else if (len == 0) {
+        return 0;
+      }
+      
+      checkStream();
+      
+      if (pos < length) {
+        int n = (int) Math.min(len, length - pos);
+        System.arraycopy(data, pos, b, off, n);
+        pos += n;
+        return n;
+      }
+      
+      return -1;
+    }
+    
+    private void checkStream() throws IOException {
+      if (closed) {
+        throw new IOException("Stream is closed!");
+      }
+    }
+    
+    @Override
+    public int read(ByteBuffer buf) throws IOException {
+      checkStream();
+      if (pos < length) {
+        int n = (int) Math.min(buf.remaining(), length - pos);
+        if (n > 0) {
+          buf.put(data, pos, n);
+        }
+        pos += n;
+        return n;
+      }
+      return -1;
+    }
+    
+    @Override
+    public long skip(long n) throws IOException {
+      checkStream();
+      if ( n > 0 ) {
+        if( n + pos > length ) {
+          n = length - pos;
+        }
+        pos += n;
+        return n;
+      }
+      return n < 0 ? -1 : 0;
+    }
+    
+    @Override
+    public void close() throws IOException {
+      closed = true;
+    }
+
+    @Override
+    public int read(long position, byte[] b, int off, int len)
+        throws IOException {
+      if (b == null) {
+        throw new NullPointerException();
+      } else if (off < 0 || len < 0 || len > b.length - off) {
+        throw new IndexOutOfBoundsException();
+      } else if (len == 0) {
+        return 0;
+      }
+      
+      if (position > length) {
+        throw new IOException("Cannot read after EOF.");
+      }
+      if (position < 0) {
+        throw new IOException("Cannot read to negative offset.");
+      }
+      
+      checkStream();
+      
+      if (position < length) {
+        int n = (int) Math.min(len, length - position);
+        System.arraycopy(data, (int)position, b, off, n);
+        return n;
+      }
+      
+      return -1;
+    }
+
+    @Override
+    public void readFully(long position, byte[] b, int off, int len)
+        throws IOException {
+      if (b == null) {
+        throw new NullPointerException();
+      } else if (off < 0 || len < 0 || len > b.length - off) {
+        throw new IndexOutOfBoundsException();
+      } else if (len == 0) {
+        return;
+      }
+      
+      if (position > length) {
+        throw new IOException("Cannot read after EOF.");
+      }
+      if (position < 0) {
+        throw new IOException("Cannot read to negative offset.");
+      }
+      
+      checkStream();
+      
+      if (position + len > length) {
+        throw new EOFException("Reach the end of stream.");
+      }
+      
+      System.arraycopy(data, (int)position, b, off, len);
+    }
+
+    @Override
+    public void readFully(long position, byte[] buffer) throws IOException {
+      readFully(position, buffer, 0, buffer.length);
+    }
+
+    @Override
+    public ByteBuffer read(ByteBufferPool bufferPool, int maxLength,
+        EnumSet<ReadOption> opts) throws IOException,
+        UnsupportedOperationException {
+      if (bufferPool == null) {
+        throw new IOException("Please specify buffer pool.");
+      }
+      ByteBuffer buffer = bufferPool.getBuffer(true, maxLength);
+      int pos = buffer.position();
+      int n = read(buffer);
+      if (n >= 0) {
+        buffer.position(pos);
+        return buffer;
+      }
+      
+      return null;
+    }
+
+    @Override
+    public void releaseBuffer(ByteBuffer buffer) {
+      
+    }
+
+    @Override
+    public void setReadahead(Long readahead) throws IOException,
+        UnsupportedOperationException {
+    }
+
+    @Override
+    public void setDropBehind(Boolean dropCache) throws IOException,
+        UnsupportedOperationException {
+    }
+
+    @Override
+    public FileDescriptor getFileDescriptor() throws IOException {
+      return null;
+    }
+    
+    @Override
+    public boolean seekToNewSource(long targetPos) throws IOException {
+      if (targetPos > length) {
+        throw new IOException("Attempted to read past end of file.");
+      }
+      if (targetPos < 0) {
+        throw new IOException("Cannot seek after EOF.");
+      }
+      checkStream();
+      this.pos = (int)targetPos;
+      return false;
+    }
+
+    @Override
+    public int read() throws IOException {
+      int ret = read( oneByteBuf, 0, 1 );
+      return ( ret <= 0 ) ? -1 : (oneByteBuf[0] & 0xff);
+    }
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsForLocalFS.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsForLocalFS.java
new file mode 100644
index 00000000000..286fb6a3d29
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsForLocalFS.java
@@ -0,0 +1,114 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.fs.LocalFileSystem;
+import org.apache.hadoop.fs.Path;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+
+public class TestCryptoStreamsForLocalFS extends CryptoStreamsTestBase {
+  private static final String TEST_ROOT_DIR
+    = System.getProperty("test.build.data","build/test/data") + "/work-dir/localfs";
+
+  private final File base = new File(TEST_ROOT_DIR);
+  private final Path file = new Path(TEST_ROOT_DIR, "test-file");
+  private static LocalFileSystem fileSys;
+  
+  @BeforeClass
+  public static void init() throws Exception {
+    Configuration conf = new Configuration();
+    conf = new Configuration(false);
+    conf.set("fs.file.impl", LocalFileSystem.class.getName());
+    fileSys = FileSystem.getLocal(conf);
+    codec = CryptoCodec.getInstance(conf);
+  }
+  
+  @AfterClass
+  public static void shutdown() throws Exception {
+  }
+  
+  @Before
+  @Override
+  public void setUp() throws IOException {
+    fileSys.delete(new Path(TEST_ROOT_DIR), true);
+    super.setUp();
+  }
+  
+  @After
+  public void cleanUp() throws IOException {
+    FileUtil.setWritable(base, true);
+    FileUtil.fullyDelete(base);
+    assertTrue(!base.exists());
+  }
+  
+  @Override
+  protected OutputStream getOutputStream(int bufferSize, byte[] key, byte[] iv) 
+      throws IOException {
+    return new CryptoOutputStream(fileSys.create(file), codec, bufferSize, 
+        key, iv);
+  }
+  
+  @Override
+  protected InputStream getInputStream(int bufferSize, byte[] key, byte[] iv) 
+      throws IOException {
+    return new CryptoInputStream(fileSys.open(file), codec, bufferSize, 
+        key, iv);
+  }
+  
+  @Ignore("ChecksumFSInputChecker doesn't support ByteBuffer read")
+  @Override
+  @Test(timeout=1000)
+  public void testByteBufferRead() throws Exception {}
+  
+  @Ignore("ChecksumFSOutputSummer doesn't support Syncable")
+  @Override
+  @Test(timeout=1000)
+  public void testSyncable() throws IOException {}
+  
+  @Ignore("ChecksumFSInputChecker doesn't support ByteBuffer read")
+  @Override
+  @Test(timeout=1000)
+  public void testCombinedOp() throws Exception {}
+  
+  @Ignore("ChecksumFSInputChecker doesn't support enhanced ByteBuffer access")
+  @Override
+  @Test(timeout=1000)
+  public void testHasEnhancedByteBufferAccess() throws Exception {
+  }
+  
+  @Ignore("ChecksumFSInputChecker doesn't support seekToNewSource")
+  @Override
+  @Test(timeout=1000)
+  public void testSeekToNewSource() throws Exception {
+  }
+}

From 2e5ae1aad74575cd35f47bd5f0f789d7056ef77d Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Thu, 29 May 2014 22:09:51 +0000
Subject: [PATCH 004/354] HADOOP-10628. Javadoc and few code style improvement
 for Crypto input and output streams. (yliu via clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1598429 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |   3 +
 .../hadoop/crypto/AESCTRCryptoCodec.java      |   6 +-
 .../org/apache/hadoop/crypto/CryptoCodec.java |  28 ++--
 .../hadoop/crypto/CryptoInputStream.java      | 124 +++++++++---------
 .../hadoop/crypto/CryptoOutputStream.java     |  41 +++---
 .../org/apache/hadoop/crypto/Decryptor.java   |  41 +++---
 .../org/apache/hadoop/crypto/Encryptor.java   |  42 +++---
 .../hadoop/crypto/JCEAESCTRDecryptor.java     |   4 +-
 .../hadoop/crypto/JCEAESCTREncryptor.java     |   4 +-
 .../src/main/resources/core-default.xml       |   3 +-
 .../hadoop/crypto/CryptoStreamsTestBase.java  | 101 +++++++-------
 11 files changed, 194 insertions(+), 203 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index e7bc580ff32..5d06794ff88 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -11,6 +11,9 @@ fs-encryption (Unreleased)
     HADOOP-10603. Crypto input and output streams implementing Hadoop stream
     interfaces. (Yi Liu and Charles Lamb)
 
+    HADOOP-10628. Javadoc and few code style improvement for Crypto
+    input and output streams. (yliu via clamb)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
index b76f1bf2f6a..a39af7ef8b7 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
@@ -40,15 +40,15 @@ public int getAlgorithmBlockSize() {
   }
   
   /**
-   * IV is produced by combining initial IV and the counter using addition.
-   * IV length should be the same as {@link #AES_BLOCK_SIZE}
+   * The IV is produced by adding the initial IV to the counter. IV length 
+   * should be the same as {@link #AES_BLOCK_SIZE}
    */
   @Override
   public void calculateIV(byte[] initIV, long counter, byte[] IV) {
     Preconditions.checkArgument(initIV.length == AES_BLOCK_SIZE);
     Preconditions.checkArgument(IV.length == AES_BLOCK_SIZE);
     
-    ByteBuffer buf = ByteBuffer.wrap(IV);
+    final ByteBuffer buf = ByteBuffer.wrap(IV);
     buf.put(initIV);
     buf.order(ByteOrder.BIG_ENDIAN);
     counter += buf.getLong(AES_BLOCK_SIZE - 8);
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
index 80d824d0e19..dd20d61faa8 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
@@ -41,37 +41,37 @@ public static CryptoCodec getInstance(Configuration conf) {
   }
   
   /**
-   * Get block size of a block cipher.
+   * Get the block size of a block cipher.
    * For different algorithms, the block size may be different.
-   * @return int block size
+   * @return int the block size
    */
   public abstract int getAlgorithmBlockSize();
 
   /**
-   * Get a {@link #org.apache.hadoop.crypto.Encryptor}. 
-   * @return Encryptor
+   * Get an {@link #org.apache.hadoop.crypto.Encryptor}. 
+   * @return Encryptor the encryptor
    */
   public abstract Encryptor getEncryptor() throws GeneralSecurityException;
   
   /**
    * Get a {@link #org.apache.hadoop.crypto.Decryptor}.
-   * @return Decryptor
+   * @return Decryptor the decryptor
    */
   public abstract Decryptor getDecryptor() throws GeneralSecurityException;
   
   /**
-   * This interface is only for Counter (CTR) mode. Typically calculating 
-   * IV(Initialization Vector) is up to Encryptor or Decryptor, for 
-   * example {@link #javax.crypto.Cipher} will maintain encryption context 
-   * internally when do encryption/decryption continuously using its 
+   * This interface is only for Counter (CTR) mode. Generally the Encryptor
+   * or Decryptor calculates the IV and maintain encryption context internally. 
+   * For example a {@link #javax.crypto.Cipher} will maintain its encryption 
+   * context internally when we do encryption/decryption using the 
    * Cipher#update interface. 
    * <p/>
-   * In Hadoop, multiple nodes may read splits of a file, so decrypting of 
-   * file is not continuous, even for encrypting may be not continuous. For 
-   * each part, we need to calculate the counter through file position.
+   * Encryption/Decryption is not always on the entire file. For example,
+   * in Hadoop, a node may only decrypt a portion of a file (i.e. a split).
+   * In these situations, the counter is derived from the file position.
    * <p/>
-   * Typically IV for a file position is produced by combining initial IV and 
-   * the counter using any lossless operation (concatenation, addition, or XOR).
+   * The IV can be calculated by combining the initial IV and the counter with 
+   * a lossless operation (concatenation, addition, or XOR).
    * @see http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_.28CTR.29
    * 
    * @param initIV initial IV
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
index ffcf1846cf2..374ca2e9483 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
@@ -63,26 +63,30 @@ public class CryptoInputStream extends FilterInputStream implements
   private static final byte[] oneByteBuf = new byte[1];
   private final CryptoCodec codec;
   private final Decryptor decryptor;
+  
   /**
    * Input data buffer. The data starts at inBuffer.position() and ends at 
    * to inBuffer.limit().
    */
   private ByteBuffer inBuffer;
+  
   /**
    * The decrypted data buffer. The data starts at outBuffer.position() and 
    * ends at outBuffer.limit();
    */
   private ByteBuffer outBuffer;
   private long streamOffset = 0; // Underlying stream offset.
+  
   /**
-   * Whether underlying stream supports 
+   * Whether the underlying stream supports 
    * {@link #org.apache.hadoop.fs.ByteBufferReadable}
    */
   private Boolean usingByteBufferRead = null;
+  
   /**
    * Padding = pos%(algorithm blocksize); Padding is put into {@link #inBuffer} 
-   * before any other data goes in. The purpose of padding is to put input data
-   * at proper position.
+   * before any other data goes in. The purpose of padding is to put the input 
+   * data at proper position.
    */
   private byte padding;
   private boolean closed;
@@ -144,14 +148,15 @@ public int read(byte[] b, int off, int len) throws IOException {
       return 0;
     }
     
-    int remaining = outBuffer.remaining();
+    final int remaining = outBuffer.remaining();
     if (remaining > 0) {
       int n = Math.min(len, remaining);
       outBuffer.get(b, off, n);
       return n;
     } else {
       int n = 0;
-      /**
+      
+      /*
        * Check whether the underlying stream is {@link ByteBufferReadable},
        * it can avoid bytes copy.
        */
@@ -186,11 +191,11 @@ public int read(byte[] b, int off, int len) throws IOException {
     }
   }
   
-  // Read data from underlying stream.
+  /** Read data from underlying stream. */
   private int readFromUnderlyingStream() throws IOException {
-    int toRead = inBuffer.remaining();
-    byte[] tmp = getTmpBuf();
-    int n = in.read(tmp, 0, toRead);
+    final int toRead = inBuffer.remaining();
+    final byte[] tmp = getTmpBuf();
+    final int n = in.read(tmp, 0, toRead);
     if (n > 0) {
       inBuffer.put(tmp, 0, n);
     }
@@ -221,19 +226,19 @@ private void decrypt() throws IOException {
     inBuffer.clear();
     outBuffer.flip();
     if (padding > 0) {
-      /**
-       * The plain text and cipher text have 1:1 mapping, they start at same 
-       * position.
+      /*
+       * The plain text and cipher text have a 1:1 mapping, they start at the 
+       * same position.
        */
       outBuffer.position(padding);
       padding = 0;
     }
     if (decryptor.isContextReset()) {
-      /**
-       * Typically we will not get here. To improve performance in CTR mode,
-       * we rely on the decryptor maintaining context, for example calculating 
-       * the counter. Unfortunately, some bad implementations can't maintain 
-       * context so we need to re-init after doing decryption.
+      /*
+       * This code is generally not executed since the decryptor usually 
+       * maintains decryption context (e.g. the counter) internally. However, 
+       * some implementations can't maintain context so a re-init is necessary 
+       * after each decryption call.
        */
       updateDecryptor();
     }
@@ -243,7 +248,7 @@ private void decrypt() throws IOException {
    * Update the {@link #decryptor}. Calculate the counter and {@link #padding}.
    */
   private void updateDecryptor() throws IOException {
-    long counter = streamOffset / codec.getAlgorithmBlockSize();
+    final long counter = streamOffset / codec.getAlgorithmBlockSize();
     padding = (byte)(streamOffset % codec.getAlgorithmBlockSize());
     inBuffer.position(padding); // Set proper position for input data.
     codec.calculateIV(initIV, counter, iv);
@@ -251,8 +256,8 @@ private void updateDecryptor() throws IOException {
   }
   
   /**
-   * Reset the underlying stream offset; and clear {@link #inBuffer} and 
-   * {@link #outBuffer}. Typically this happens when doing {@link #seek(long)} 
+   * Reset the underlying stream offset, and clear {@link #inBuffer} and 
+   * {@link #outBuffer}. This Typically happens during {@link #seek(long)} 
    * or {@link #skip(long)}.
    */
   private void resetStreamOffset(long offset) throws IOException {
@@ -274,30 +279,29 @@ public void close() throws IOException {
     closed = true;
   }
   
-  /**
-   * Free the direct buffer manually.
-   */
+  /** Forcibly free the direct buffer. */
   private void freeBuffers() {
-    sun.misc.Cleaner inBufferCleaner =
+    final sun.misc.Cleaner inBufferCleaner =
         ((sun.nio.ch.DirectBuffer) inBuffer).cleaner();
     inBufferCleaner.clean();
-    sun.misc.Cleaner outBufferCleaner =
+    final sun.misc.Cleaner outBufferCleaner =
         ((sun.nio.ch.DirectBuffer) outBuffer).cleaner();
     outBufferCleaner.clean();
   }
   
-  // Positioned read.
+  /** Positioned read. */
   @Override
   public int read(long position, byte[] buffer, int offset, int length)
       throws IOException {
     checkStream();
     try {
-      int n = ((PositionedReadable) in).read(position, buffer, offset, length);
+      final int n = ((PositionedReadable) in).read(position, buffer, offset, 
+          length);
       if (n > 0) {
-        /** 
+        /*
          * Since this operation does not change the current offset of a file, 
-         * streamOffset should be not changed and we need to restore the 
-         * decryptor and outBuffer after decryption.
+         * streamOffset should not be changed. We need to restore the decryptor 
+         * and outBuffer after decryption.
          */
         decrypt(position, buffer, offset, length);
       }
@@ -310,24 +314,23 @@ public int read(long position, byte[] buffer, int offset, int length)
   }
   
   /**
-   * Decrypt given length of data in buffer: start from offset.
-   * Output is also buffer and start from same offset. Restore the 
-   * {@link #decryptor} and {@link #outBuffer} after decryption.
+   * Decrypt length bytes in buffer starting at offset. Output is also put 
+   * into buffer starting at offset. Restore the {@link #decryptor} and 
+   * {@link #outBuffer} after the decryption.
    */
   private void decrypt(long position, byte[] buffer, int offset, int length) 
       throws IOException {
-    
-    byte[] tmp = getTmpBuf();
+    final byte[] tmp = getTmpBuf();
     int unread = outBuffer.remaining();
     if (unread > 0) { // Cache outBuffer
       outBuffer.get(tmp, 0, unread);
     }
-    long curOffset = streamOffset;
+    final long curOffset = streamOffset;
     resetStreamOffset(position);
     
     int n = 0;
     while (n < length) {
-      int toDecrypt = Math.min(length - n, inBuffer.remaining());
+      final int toDecrypt = Math.min(length - n, inBuffer.remaining());
       inBuffer.put(buffer, offset + n, toDecrypt);
       // Do decryption
       decrypt();
@@ -344,7 +347,7 @@ private void decrypt(long position, byte[] buffer, int offset, int length)
     }
   }
   
-  // Positioned read fully.
+  /** Positioned read fully. */
   @Override
   public void readFully(long position, byte[] buffer, int offset, int length)
       throws IOException {
@@ -352,9 +355,9 @@ public void readFully(long position, byte[] buffer, int offset, int length)
     try {
       ((PositionedReadable) in).readFully(position, buffer, offset, length);
       if (length > 0) {
-        /** 
-         * Since this operation does not change the current offset of a file, 
-         * streamOffset should be not changed and we need to restore the decryptor 
+        /*
+         * Since this operation does not change the current offset of the file, 
+         * streamOffset should not be changed. We need to restore the decryptor 
          * and outBuffer after decryption.
          */
         decrypt(position, buffer, offset, length);
@@ -370,13 +373,16 @@ public void readFully(long position, byte[] buffer) throws IOException {
     readFully(position, buffer, 0, buffer.length);
   }
 
-  // Seek to a position.
+  /** Seek to a position. */
   @Override
   public void seek(long pos) throws IOException {
     Preconditions.checkArgument(pos >= 0, "Cannot seek to negative offset.");
     checkStream();
     try {
-      // If target pos we have already read and decrypt.
+      /*
+       * If data of target pos in the underlying stream has already been read 
+       * and decrypted in outBuffer, we just need to re-position outBuffer.
+       */
       if (pos <= streamOffset && pos >= (streamOffset - outBuffer.remaining())) {
         int forward = (int) (pos - (streamOffset - outBuffer.remaining()));
         if (forward > 0) {
@@ -392,7 +398,7 @@ public void seek(long pos) throws IOException {
     }
   }
   
-  // Skip n bytes
+  /** Skip n bytes */
   @Override
   public long skip(long n) throws IOException {
     Preconditions.checkArgument(n >= 0, "Negative skip length.");
@@ -405,11 +411,11 @@ public long skip(long n) throws IOException {
       outBuffer.position(pos);
       return n;
     } else {
-      /**
+      /*
        * Subtract outBuffer.remaining() to see how many bytes we need to 
-       * skip in underlying stream. We get real skipped bytes number of 
-       * underlying stream then add outBuffer.remaining() to get skipped
-       * bytes number from user's view.
+       * skip in the underlying stream. Add outBuffer.remaining() to the 
+       * actual number of skipped bytes in the underlying stream to get the 
+       * number of skipped bytes from the user's point of view.
        */
       n -= outBuffer.remaining();
       long skipped = in.skip(n);
@@ -423,7 +429,7 @@ public long skip(long n) throws IOException {
     }
   }
 
-  // Get underlying stream position.
+  /** Get underlying stream position. */
   @Override
   public long getPos() throws IOException {
     checkStream();
@@ -431,16 +437,16 @@ public long getPos() throws IOException {
     return streamOffset - outBuffer.remaining();
   }
   
-  // ByteBuffer read.
+  /** ByteBuffer read. */
   @Override
   public int read(ByteBuffer buf) throws IOException {
     checkStream();
     if (in instanceof ByteBufferReadable) {
-      int unread = outBuffer.remaining();
+      final int unread = outBuffer.remaining();
       if (unread > 0) { // Have unread decrypted data in buffer.
         int toRead = buf.remaining();
         if (toRead <= unread) {
-          int limit = outBuffer.limit();
+          final int limit = outBuffer.limit();
           outBuffer.limit(outBuffer.position() + toRead);
           buf.put(outBuffer);
           outBuffer.limit(limit);
@@ -450,8 +456,8 @@ public int read(ByteBuffer buf) throws IOException {
         }
       }
       
-      int pos = buf.position();
-      int n = ((ByteBufferReadable) in).read(buf);
+      final int pos = buf.position();
+      final int n = ((ByteBufferReadable) in).read(buf);
       if (n > 0) {
         streamOffset += n; // Read n bytes
         decrypt(buf, n, pos);
@@ -470,8 +476,8 @@ public int read(ByteBuffer buf) throws IOException {
    */
   private void decrypt(ByteBuffer buf, int n, int start) 
       throws IOException {
-    int pos = buf.position();
-    int limit = buf.limit();
+    final int pos = buf.position();
+    final int limit = buf.limit();
     int len = 0;
     while (len < n) {
       buf.position(start + len);
@@ -535,13 +541,13 @@ public ByteBuffer read(ByteBufferPool bufferPool, int maxLength,
         ((Seekable) in).seek(getPos());
         resetStreamOffset(getPos());
       }
-      ByteBuffer buffer = ((HasEnhancedByteBufferAccess) in).
+      final ByteBuffer buffer = ((HasEnhancedByteBufferAccess) in).
           read(bufferPool, maxLength, opts);
       if (buffer != null) {
-        int n = buffer.remaining();
+        final int n = buffer.remaining();
         if (n > 0) {
           streamOffset += buffer.remaining(); // Read n bytes
-          int pos = buffer.position();
+          final int pos = buffer.position();
           decrypt(buffer, n, pos);
         }
       }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
index 934c4479352..c5bd1dd6b5d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
@@ -52,17 +52,20 @@ public class CryptoOutputStream extends FilterOutputStream implements
   private static final byte[] oneByteBuf = new byte[1];
   private final CryptoCodec codec;
   private final Encryptor encryptor;
+  
   /**
    * Input data buffer. The data starts at inBuffer.position() and ends at 
    * inBuffer.limit().
    */
   private ByteBuffer inBuffer;
+  
   /**
    * Encrypted data buffer. The data starts at outBuffer.position() and ends at 
    * outBuffer.limit();
    */
   private ByteBuffer outBuffer;
   private long streamOffset = 0; // Underlying stream offset.
+  
   /**
    * Padding = pos%(algorithm blocksize); Padding is put into {@link #inBuffer} 
    * before any other data goes in. The purpose of padding is to put input data
@@ -134,7 +137,7 @@ public void write(byte[] b, int off, int len) throws IOException {
       throw new IndexOutOfBoundsException();
     }
     while (len > 0) {
-      int remaining = inBuffer.remaining();
+      final int remaining = inBuffer.remaining();
       if (len < remaining) {
         inBuffer.put(b, off, len);
         len = 0;
@@ -163,15 +166,16 @@ private void encrypt() throws IOException {
     inBuffer.clear();
     outBuffer.flip();
     if (padding > 0) {
-      /**
-       * The plain text and cipher text have 1:1 mapping, they start at same 
-       * position.
+      /*
+       * The plain text and cipher text have a 1:1 mapping, they start at the 
+       * same position.
        */
       outBuffer.position(padding);
       padding = 0;
     }
-    int len = outBuffer.remaining();
-    /**
+    final int len = outBuffer.remaining();
+    
+    /*
      * If underlying stream supports {@link ByteBuffer} write in future, needs
      * refine here. 
      */
@@ -181,12 +185,11 @@ private void encrypt() throws IOException {
     
     streamOffset += len;
     if (encryptor.isContextReset()) {
-      /**
-       * We will generally not get here.  For CTR mode, to improve
-       * performance, we rely on the encryptor maintaining context, for
-       * example to calculate the counter.  But some bad implementations
-       * can't maintain context, and need us to re-init after doing
-       * encryption.
+      /*
+       * This code is generally not executed since the encryptor usually
+       * maintains encryption context (e.g. the counter) internally. However,
+       * some implementations can't maintain context so a re-init is necessary
+       * after each encryption call.
        */
       updateEncryptor();
     }
@@ -196,7 +199,7 @@ private void encrypt() throws IOException {
    * Update the {@link #encryptor}: calculate counter and {@link #padding}.
    */
   private void updateEncryptor() throws IOException {
-    long counter = streamOffset / codec.getAlgorithmBlockSize();
+    final long counter = streamOffset / codec.getAlgorithmBlockSize();
     padding = (byte)(streamOffset % codec.getAlgorithmBlockSize());
     inBuffer.position(padding); // Set proper position for input data.
     codec.calculateIV(initIV, counter, iv);
@@ -222,21 +225,19 @@ public void close() throws IOException {
     closed = true;
   }
   
-  /**
-   * Free the direct buffer manually.
-   */
+  /** Forcibly free the direct buffer. */
   private void freeBuffers() {
-    sun.misc.Cleaner inBufferCleaner =
+    final sun.misc.Cleaner inBufferCleaner =
         ((sun.nio.ch.DirectBuffer) inBuffer).cleaner();
     inBufferCleaner.clean();
-    sun.misc.Cleaner outBufferCleaner =
+    final sun.misc.Cleaner outBufferCleaner =
         ((sun.nio.ch.DirectBuffer) outBuffer).cleaner();
     outBufferCleaner.clean();
   }
   
   /**
-   * To flush, we need to encrypt the data in buffer and write to underlying
-   * stream, then do the flush.
+   * To flush, we need to encrypt the data in the buffer and write to the 
+   * underlying stream, then do the flush.
    */
   @Override
   public void flush() throws IOException {
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java
index 4afb2216580..ded016a4acc 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java
@@ -28,7 +28,7 @@
 public interface Decryptor {
   
   /**
-   * Initialize the decryptor, the internal decryption context will be 
+   * Initialize the decryptor and the internal decryption context. 
    * reset.
    * @param key decryption key.
    * @param iv decryption initialization vector
@@ -37,37 +37,34 @@ public interface Decryptor {
   public void init(byte[] key, byte[] iv) throws IOException;
   
   /**
-   * Indicate whether decryption context is reset.
+   * Indicate whether the decryption context is reset.
    * <p/>
-   * It's useful for some mode like CTR which requires different IV for 
-   * different parts of data. Usually decryptor can maintain the context 
-   * internally such as calculating IV/counter, then continue a multiple-part 
-   * decryption operation without reinit the decryptor using key and the new 
-   * IV. For mode like CTR, if context is reset after each decryption, the 
-   * decryptor should be reinit before each operation, that's not efficient. 
+   * Certain modes, like CTR, require a different IV depending on the 
+   * position in the stream. Generally, the decryptor maintains any necessary
+   * context for calculating the IV and counter so that no reinit is necessary 
+   * during the decryption. Reinit before each operation is inefficient.
    * @return boolean whether context is reset.
    */
   public boolean isContextReset();
   
   /**
-   * This exposes a direct interface for record decryption with direct byte
-   * buffers.
+   * This presents a direct interface decrypting with direct ByteBuffers.
    * <p/>
-   * The decrypt() function need not always consume the buffers provided,
-   * it will need to be called multiple times to decrypt an entire buffer 
-   * and the object will hold the decryption context internally.
+   * This function does not always decrypt the entire buffer and may potentially
+   * need to be called multiple times to process an entire buffer. The object 
+   * may hold the decryption context internally.
    * <p/>
-   * Some implementation may need enough space in the destination buffer to 
-   * decrypt an entire input.
+   * Some implementations may require sufficient space in the destination 
+   * buffer to decrypt the entire input buffer.
    * <p/>
-   * The end result will move inBuffer.position() by the bytes-read and
-   * outBuffer.position() by the bytes-written. It should not modify the 
-   * inBuffer.limit() or outBuffer.limit() to maintain consistency of operation.
+   * Upon return, inBuffer.position() will be advanced by the number of bytes
+   * read and outBuffer.position() by bytes written. Implementations should 
+   * not modify inBuffer.limit() and outBuffer.limit().
    * <p/>
-   * @param inBuffer in direct {@link ByteBuffer} for reading from. Requires 
-   * inBuffer != null and inBuffer.remaining() > 0
-   * @param outBuffer out direct {@link ByteBuffer} for storing the results
-   * into. Requires outBuffer != null and outBuffer.remaining() > 0
+   * @param inBuffer a direct {@link ByteBuffer} to read from. inBuffer may 
+   * not be null and inBuffer.remaining() must be > 0
+   * @param outBuffer a direct {@link ByteBuffer} to write to. outBuffer may 
+   * not be null and outBuffer.remaining() must be > 0
    * @throws IOException if decryption fails
    */
   public void decrypt(ByteBuffer inBuffer, ByteBuffer outBuffer) 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java
index 398cc2e9aec..00213b8cbbf 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java
@@ -28,8 +28,7 @@
 public interface Encryptor {
   
   /**
-   * Initialize the encryptor, the internal encryption context will be 
-   * reset.
+   * Initialize the encryptor and the internal encryption context.
    * @param key encryption key.
    * @param iv encryption initialization vector
    * @throws IOException if initialization fails
@@ -37,37 +36,34 @@ public interface Encryptor {
   public void init(byte[] key, byte[] iv) throws IOException;
   
   /**
-   * Indicate whether encryption context is reset.
+   * Indicate whether the encryption context is reset.
    * <p/>
-   * It's useful for some mode like CTR which requires different IV for 
-   * different parts of data. Usually encryptor can maintain the context 
-   * internally such as calculating IV/counter, then continue a multiple-part 
-   * encryption operation without reinit the encryptor using key and the new 
-   * IV. For mode like CTR, if context is reset after each encryption, the 
-   * encryptor should be reinit before each operation, that's not efficient. 
+   * Certain modes, like CTR, require a different IV depending on the
+   * position in the stream. Generally, the encryptor maintains any necessary
+   * context for calculating the IV and counter so that no reinit is necessary
+   * during the encryption. Reinit before each operation is inefficient. 
    * @return boolean whether context is reset.
    */
   public boolean isContextReset();
   
   /**
-   * This exposes a direct interface for record encryption with direct byte
-   * buffers.
+   * This presents a direct interface encrypting with direct ByteBuffers.
    * <p/>
-   * The encrypt() function need not always consume the buffers provided,
-   * it will need to be called multiple times to encrypt an entire buffer 
-   * and the object will hold the encryption context internally.
+   * This function does not always encrypt the entire buffer and may potentially
+   * need to be called multiple times to process an entire buffer. The object 
+   * may hold the encryption context internally.
    * <p/>
-   * Some implementation may need enough space in the destination buffer to 
-   * encrypt an entire input.
+   * Some implementations may require sufficient space in the destination 
+   * buffer to encrypt the entire input buffer.
    * <p/>
-   * The end result will move inBuffer.position() by the bytes-read and
-   * outBuffer.position() by the bytes-written. It should not modify the 
-   * inBuffer.limit() or outBuffer.limit() to maintain consistency of operation.
+   * Upon return, inBuffer.position() will be advanced by the number of bytes
+   * read and outBuffer.position() by bytes written. Implementations should
+   * not modify inBuffer.limit() and outBuffer.limit().
    * <p/>
-   * @param inBuffer in direct {@link ByteBuffer} for reading from. Requires 
-   * inBuffer != null and inBuffer.remaining() > 0
-   * @param outBuffer out direct {@link ByteBuffer} for storing the results
-   * into. Requires outBuffer != null and outBuffer.remaining() > 0
+   * @param inBuffer a direct {@link ByteBuffer} to read from. inBuffer may 
+   * not be null and inBuffer.remaining() must be > 0
+   * @param outBuffer a direct {@link ByteBuffer} to write to. outBuffer may 
+   * not be null and outBuffer.remaining() must be > 0
    * @throws IOException if encryption fails
    */
   public void encrypt(ByteBuffer inBuffer, ByteBuffer outBuffer) 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java
index a3fb13f6291..569d3de9704 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java
@@ -53,8 +53,8 @@ public void init(byte[] key, byte[] iv) throws IOException {
   }
 
   /**
-   * For AES-CTR, will consume all input data and needs enough space in the 
-   * destination buffer to decrypt entire input data.
+   * AES-CTR will consume all of the input data. It requires enough space in
+   * the destination buffer to decrypt entire input buffer.
    */
   @Override
   public void decrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java
index 9ee70dc4723..28e45735110 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java
@@ -53,8 +53,8 @@ public void init(byte[] key, byte[] iv) throws IOException {
   }
 
   /**
-   * For AES-CTR, will consume all input data and needs enough space in the 
-   * destination buffer to encrypt entire input data.
+   * AES-CTR will consume all of the input data. It requires enough space in 
+   * the destination buffer to encrypt entire input buffer.
    */
   @Override
   public void encrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index 6073c1a9155..718310f0626 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -1370,8 +1370,7 @@
   <name>hadoop.security.crypto.buffer.size</name>
   <value>8192</value>
   <description>
-    The buffer size used in Crypto InputStream and OutputStream, and default
-    value is 8192. 
+    The buffer size used by CryptoInputStream and CryptoOutputStream. 
   </description>
 </property>
 </configuration>
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java
index 7f36c2b2495..f5a8ad49ec5 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java
@@ -42,7 +42,7 @@
 import org.junit.Test;
 
 public abstract class CryptoStreamsTestBase {
-  protected static final Log LOG= LogFactory.getLog(
+  protected static final Log LOG = LogFactory.getLog(
       CryptoStreamsTestBase.class);
 
   protected static CryptoCodec codec;
@@ -60,13 +60,13 @@ public abstract class CryptoStreamsTestBase {
   @Before
   public void setUp() throws IOException {
     // Generate data
-    int seed = new Random().nextInt();
-    DataOutputBuffer dataBuf = new DataOutputBuffer();
-    RandomDatum.Generator generator = new RandomDatum.Generator(seed);
-    for(int i=0; i < count; ++i) {
+    final int seed = new Random().nextInt();
+    final DataOutputBuffer dataBuf = new DataOutputBuffer();
+    final RandomDatum.Generator generator = new RandomDatum.Generator(seed);
+    for(int i = 0; i < count; ++i) {
       generator.next();
-      RandomDatum key = generator.getKey();
-      RandomDatum value = generator.getValue();
+      final RandomDatum key = generator.getKey();
+      final RandomDatum value = generator.getValue();
       
       key.write(dataBuf);
       value.write(dataBuf);
@@ -114,9 +114,7 @@ protected InputStream getInputStream(int bufferSize) throws IOException {
   protected abstract InputStream getInputStream(int bufferSize, byte[] key, 
       byte[] iv) throws IOException;
   
-  /**
-   * Test crypto reading with different buffer size.
-   */
+  /** Test crypto reading with different buffer size. */
   @Test(timeout=120000)
   public void testRead() throws Exception {
     OutputStream out = getOutputStream(defaultBufferSize);
@@ -148,9 +146,7 @@ private void readCheck(InputStream in) throws Exception {
     in.close();
   }
   
-  /**
-   * Test crypto with different IV.
-   */
+  /** Test crypto with different IV. */
   @Test(timeout=120000)
   public void testCryptoIV() throws Exception {
     byte[] iv1 = iv.clone();
@@ -202,7 +198,7 @@ public void testSyncable() throws IOException {
   private void syncableCheck() throws IOException {
     OutputStream out = getOutputStream(smallBufferSize);
     try {
-      int bytesWritten = dataLen/3;
+      int bytesWritten = dataLen / 3;
       out.write(data, 0, bytesWritten);
       ((Syncable) out).hflush();
       
@@ -223,9 +219,9 @@ private void syncableCheck() throws IOException {
   
   private void verify(InputStream in, int bytesToVerify, 
       byte[] expectedBytes) throws IOException {
-    byte[] readBuf = new byte[bytesToVerify];
+    final byte[] readBuf = new byte[bytesToVerify];
     readAll(in, readBuf, 0, bytesToVerify);
-    for (int i=0; i<bytesToVerify; i++) {
+    for (int i = 0; i < bytesToVerify; i++) {
       Assert.assertEquals(expectedBytes[i], readBuf[i]);
     }
   }
@@ -246,9 +242,7 @@ private int readAll(InputStream in, long pos, byte[] b, int off, int len)
     return total;
   }
   
-  /**
-   * Test positioned read.
-   */
+  /** Test positioned read. */
   @Test(timeout=120000)
   public void testPositionedRead() throws Exception {
     OutputStream out = getOutputStream(defaultBufferSize);
@@ -256,10 +250,10 @@ public void testPositionedRead() throws Exception {
     
     InputStream in = getInputStream(defaultBufferSize);
     // Pos: 1/3 dataLen
-    positionedReadCheck(in , dataLen/3);
+    positionedReadCheck(in , dataLen / 3);
 
     // Pos: 1/2 dataLen
-    positionedReadCheck(in, dataLen/2);
+    positionedReadCheck(in, dataLen / 2);
     in.close();
   }
   
@@ -275,25 +269,23 @@ private void positionedReadCheck(InputStream in, int pos) throws Exception {
     Assert.assertArrayEquals(readData, expectedData);
   }
   
-  /**
-   * Test read fully
-   */
+  /** Test read fully */
   @Test(timeout=120000)
   public void testReadFully() throws Exception {
     OutputStream out = getOutputStream(defaultBufferSize);
     writeData(out);
     
     InputStream in = getInputStream(defaultBufferSize);
-    final int len1 = dataLen/4;
+    final int len1 = dataLen / 4;
     // Read len1 bytes
-    byte [] readData = new byte[len1];
+    byte[] readData = new byte[len1];
     readAll(in, readData, 0, len1);
     byte[] expectedData = new byte[len1];
     System.arraycopy(data, 0, expectedData, 0, len1);
     Assert.assertArrayEquals(readData, expectedData);
     
     // Pos: 1/3 dataLen
-    readFullyCheck(in, dataLen/3);
+    readFullyCheck(in, dataLen / 3);
     
     // Read len1 bytes
     readData = new byte[len1];
@@ -303,7 +295,7 @@ public void testReadFully() throws Exception {
     Assert.assertArrayEquals(readData, expectedData);
     
     // Pos: 1/2 dataLen
-    readFullyCheck(in, dataLen/2);
+    readFullyCheck(in, dataLen / 2);
     
     // Read len1 bytes
     readData = new byte[len1];
@@ -331,9 +323,7 @@ private void readFullyCheck(InputStream in, int pos) throws Exception {
     }
   }
   
-  /**
-   * Test seek to different position.
-   */
+  /** Test seek to different position. */
   @Test(timeout=120000)
   public void testSeek() throws Exception {
     OutputStream out = getOutputStream(defaultBufferSize);
@@ -341,13 +331,15 @@ public void testSeek() throws Exception {
     
     InputStream in = getInputStream(defaultBufferSize);
     // Pos: 1/3 dataLen
-    seekCheck(in, dataLen/3);
+    seekCheck(in, dataLen / 3);
     
     // Pos: 0
     seekCheck(in, 0);
     
     // Pos: 1/2 dataLen
-    seekCheck(in, dataLen/2);
+    seekCheck(in, dataLen / 2);
+    
+    final long pos = ((Seekable) in).getPos();
     
     // Pos: -3
     try {
@@ -355,8 +347,9 @@ public void testSeek() throws Exception {
       Assert.fail("Seek to negative offset should fail.");
     } catch (IllegalArgumentException e) {
       GenericTestUtils.assertExceptionContains("Cannot seek to negative " +
-      		"offset", e);
+          "offset", e);
     }
+    Assert.assertEquals(pos, ((Seekable) in).getPos());
     
     // Pos: dataLen + 3
     try {
@@ -365,6 +358,7 @@ public void testSeek() throws Exception {
     } catch (IOException e) {
       GenericTestUtils.assertExceptionContains("Cannot seek after EOF", e);
     }
+    Assert.assertEquals(pos, ((Seekable) in).getPos());
     
     in.close();
   }
@@ -382,9 +376,7 @@ private void seekCheck(InputStream in, int pos) throws Exception {
     Assert.assertArrayEquals(readData, expectedData);
   }
   
-  /**
-   * Test get position.
-   */
+  /** Test get position. */
   @Test(timeout=120000)
   public void testGetPos() throws Exception {
     OutputStream out = getOutputStream(defaultBufferSize);
@@ -393,7 +385,7 @@ public void testGetPos() throws Exception {
     // Default buffer size
     InputStream in = getInputStream(defaultBufferSize);
     byte[] result = new byte[dataLen];
-    int n1 = readAll(in, result, 0, dataLen/3);
+    int n1 = readAll(in, result, 0, dataLen / 3);
     Assert.assertEquals(n1, ((Seekable) in).getPos());
     
     int n2 = readAll(in, result, n1, dataLen - n1);
@@ -409,7 +401,7 @@ public void testAvailable() throws Exception {
     // Default buffer size
     InputStream in = getInputStream(defaultBufferSize);
     byte[] result = new byte[dataLen];
-    int n1 = readAll(in, result, 0, dataLen/3);
+    int n1 = readAll(in, result, 0, dataLen / 3);
     Assert.assertEquals(in.available(), dataLen - n1);
     
     int n2 = readAll(in, result, n1, dataLen - n1);
@@ -417,9 +409,7 @@ public void testAvailable() throws Exception {
     in.close();
   }
   
-  /**
-   * Test skip.
-   */
+  /** Test skip. */
   @Test(timeout=120000)
   public void testSkip() throws Exception {
     OutputStream out = getOutputStream(defaultBufferSize);
@@ -428,10 +418,10 @@ public void testSkip() throws Exception {
     // Default buffer size
     InputStream in = getInputStream(defaultBufferSize);
     byte[] result = new byte[dataLen];
-    int n1 = readAll(in, result, 0, dataLen/3);
+    int n1 = readAll(in, result, 0, dataLen / 3);
     Assert.assertEquals(n1, ((Seekable) in).getPos());
     
-    long skipped = in.skip(dataLen/3);
+    long skipped = in.skip(dataLen / 3);
     int n2 = readAll(in, result, 0, dataLen);
     
     Assert.assertEquals(dataLen, n1 + skipped + n2);
@@ -468,9 +458,7 @@ private void byteBufferReadCheck(InputStream in, ByteBuffer buf,
     Assert.assertArrayEquals(readData, expectedData);
   }
   
-  /**
-   * Test byte buffer read with different buffer size.
-   */
+  /** Test byte buffer read with different buffer size. */
   @Test(timeout=120000)
   public void testByteBufferRead() throws Exception {
     OutputStream out = getOutputStream(defaultBufferSize);
@@ -530,8 +518,8 @@ public void testCombinedOp() throws Exception {
     OutputStream out = getOutputStream(defaultBufferSize);
     writeData(out);
     
-    final int len1 = dataLen/8;
-    final int len2 = dataLen/10;
+    final int len1 = dataLen / 8;
+    final int len2 = dataLen / 10;
     
     InputStream in = getInputStream(defaultBufferSize);
     // Read len1 data.
@@ -551,7 +539,7 @@ public void testCombinedOp() throws Exception {
     Assert.assertEquals(len2, n);
     
     // Pos: 1/4 dataLen
-    positionedReadCheck(in , dataLen/4);
+    positionedReadCheck(in , dataLen / 4);
     
     // Pos should be len1 + len2 + len2
     pos = ((Seekable) in).getPos();
@@ -572,7 +560,7 @@ public void testCombinedOp() throws Exception {
     Assert.assertEquals(len1 + 2 * len2 + nRead, pos);
     
     // Pos: 1/3 dataLen
-    positionedReadCheck(in , dataLen/3);
+    positionedReadCheck(in , dataLen / 3);
     
     // Read forward len1
     readData = new byte[len1];
@@ -611,18 +599,18 @@ public void testSeekToNewSource() throws Exception {
     
     InputStream in = getInputStream(defaultBufferSize);
     
-    final int len1 = dataLen/8;
+    final int len1 = dataLen / 8;
     byte[] readData = new byte[len1];
     readAll(in, readData, 0, len1);
     
     // Pos: 1/3 dataLen
-    seekToNewSourceCheck(in, dataLen/3);
+    seekToNewSourceCheck(in, dataLen / 3);
     
     // Pos: 0
     seekToNewSourceCheck(in, 0);
     
     // Pos: 1/2 dataLen
-    seekToNewSourceCheck(in, dataLen/2);
+    seekToNewSourceCheck(in, dataLen / 2);
     
     // Pos: -3
     try {
@@ -638,7 +626,8 @@ public void testSeekToNewSource() throws Exception {
       seekToNewSourceCheck(in, dataLen + 3);
       Assert.fail("Seek after EOF should fail.");
     } catch (IOException e) {
-      GenericTestUtils.assertExceptionContains("Attempted to read past end of file", e);
+      GenericTestUtils.assertExceptionContains("Attempted to read past " +
+          "end of file", e);
     }
     
     in.close();
@@ -677,7 +666,7 @@ public void testHasEnhancedByteBufferAccess() throws Exception {
     writeData(out);
     
     InputStream in = getInputStream(defaultBufferSize);
-    final int len1 = dataLen/8;
+    final int len1 = dataLen / 8;
     // ByteBuffer size is len1
     ByteBuffer buffer = ((HasEnhancedByteBufferAccess) in).read(
         getBufferPool(), len1, EnumSet.of(ReadOption.SKIP_CHECKSUMS));

From 9c2848e076a5c72bda3ec928de1790137c70fbbc Mon Sep 17 00:00:00 2001
From: Yi Liu <yliu@apache.org>
Date: Fri, 30 May 2014 08:08:36 +0000
Subject: [PATCH 005/354] HADOOP-10632. Minor improvements to Crypto input and
 output streams. Contributed by Yi Liu

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1598485 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |   5 +-
 .../hadoop/crypto/AESCTRCryptoCodec.java      |  29 +-
 .../org/apache/hadoop/crypto/CryptoCodec.java |  12 +-
 .../hadoop/crypto/CryptoInputStream.java      | 255 +++++++++++-------
 .../hadoop/crypto/CryptoOutputStream.java     |  50 ++--
 .../hadoop/crypto/CryptoStreamUtils.java      |  55 ++++
 .../org/apache/hadoop/crypto/Decryptor.java   |   2 +-
 .../org/apache/hadoop/crypto/Encryptor.java   |   2 +-
 .../hadoop/crypto/JCEAESCTRCryptoCodec.java   |  93 ++++++-
 .../hadoop/crypto/JCEAESCTRDecryptor.java     |  84 ------
 .../hadoop/crypto/JCEAESCTREncryptor.java     |  84 ------
 11 files changed, 349 insertions(+), 322 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 5d06794ff88..1e7c6f62f17 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -12,7 +12,10 @@ fs-encryption (Unreleased)
     interfaces. (Yi Liu and Charles Lamb)
 
     HADOOP-10628. Javadoc and few code style improvement for Crypto
-    input and output streams. (yliu via clamb)
+    input and output streams. (Yi Liu via clamb)
+
+    HADOOP-10632. Minor improvements to Crypto input and output streams. 
+    (Yi Liu)
 
   OPTIMIZATIONS
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
index a39af7ef8b7..252e001e66f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
@@ -17,15 +17,12 @@
  */
 package org.apache.hadoop.crypto;
 
-import java.nio.ByteBuffer;
-import java.nio.ByteOrder;
-
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 
 import com.google.common.base.Preconditions;
 
-@InterfaceAudience.Public
+@InterfaceAudience.Private
 @InterfaceStability.Evolving
 public abstract class AESCTRCryptoCodec extends CryptoCodec {
   /**
@@ -33,6 +30,7 @@ public abstract class AESCTRCryptoCodec extends CryptoCodec {
    * @see http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
    */
   private static final int AES_BLOCK_SIZE = 16;
+  private static final int CTR_OFFSET = 8;
 
   @Override
   public int getAlgorithmBlockSize() {
@@ -48,10 +46,23 @@ public void calculateIV(byte[] initIV, long counter, byte[] IV) {
     Preconditions.checkArgument(initIV.length == AES_BLOCK_SIZE);
     Preconditions.checkArgument(IV.length == AES_BLOCK_SIZE);
     
-    final ByteBuffer buf = ByteBuffer.wrap(IV);
-    buf.put(initIV);
-    buf.order(ByteOrder.BIG_ENDIAN);
-    counter += buf.getLong(AES_BLOCK_SIZE - 8);
-    buf.putLong(AES_BLOCK_SIZE - 8, counter);
+    System.arraycopy(initIV, 0, IV, 0, CTR_OFFSET);
+    long l = (initIV[CTR_OFFSET + 0] << 56)
+        + ((initIV[CTR_OFFSET + 1] & 0xFF) << 48)
+        + ((initIV[CTR_OFFSET + 2] & 0xFF) << 40)
+        + ((initIV[CTR_OFFSET + 3] & 0xFF) << 32)
+        + ((initIV[CTR_OFFSET + 4] & 0xFF) << 24)
+        + ((initIV[CTR_OFFSET + 5] & 0xFF) << 16)
+        + ((initIV[CTR_OFFSET + 6] & 0xFF) << 8)
+        + (initIV[CTR_OFFSET + 7] & 0xFF);
+    l += counter;
+    IV[CTR_OFFSET + 0] = (byte) (l >>> 56);
+    IV[CTR_OFFSET + 1] = (byte) (l >>> 48);
+    IV[CTR_OFFSET + 2] = (byte) (l >>> 40);
+    IV[CTR_OFFSET + 3] = (byte) (l >>> 32);
+    IV[CTR_OFFSET + 4] = (byte) (l >>> 24);
+    IV[CTR_OFFSET + 5] = (byte) (l >>> 16);
+    IV[CTR_OFFSET + 6] = (byte) (l >>> 8);
+    IV[CTR_OFFSET + 7] = (byte) (l);
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
index dd20d61faa8..da695e97571 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
@@ -29,7 +29,7 @@
 /**
  * Crypto codec class, encapsulates encryptor/decryptor pair.
  */
-@InterfaceAudience.Public
+@InterfaceAudience.Private
 @InterfaceStability.Evolving
 public abstract class CryptoCodec implements Configurable {
   
@@ -48,21 +48,21 @@ public static CryptoCodec getInstance(Configuration conf) {
   public abstract int getAlgorithmBlockSize();
 
   /**
-   * Get an {@link #org.apache.hadoop.crypto.Encryptor}. 
+   * Create a {@link org.apache.hadoop.crypto.Encryptor}. 
    * @return Encryptor the encryptor
    */
-  public abstract Encryptor getEncryptor() throws GeneralSecurityException;
+  public abstract Encryptor createEncryptor() throws GeneralSecurityException;
   
   /**
-   * Get a {@link #org.apache.hadoop.crypto.Decryptor}.
+   * Create a {@link org.apache.hadoop.crypto.Decryptor}.
    * @return Decryptor the decryptor
    */
-  public abstract Decryptor getDecryptor() throws GeneralSecurityException;
+  public abstract Decryptor createDecryptor() throws GeneralSecurityException;
   
   /**
    * This interface is only for Counter (CTR) mode. Generally the Encryptor
    * or Decryptor calculates the IV and maintain encryption context internally. 
-   * For example a {@link #javax.crypto.Cipher} will maintain its encryption 
+   * For example a {@link javax.crypto.Cipher} will maintain its encryption 
    * context internally when we do encryption/decryption using the 
    * Cipher#update interface. 
    * <p/>
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
index 374ca2e9483..e3eea41b1d4 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
@@ -25,10 +25,11 @@
 import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
 import java.util.EnumSet;
+import java.util.Queue;
+import java.util.concurrent.ConcurrentLinkedQueue;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
-import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.ByteBufferReadable;
 import org.apache.hadoop.fs.CanSetDropBehind;
 import org.apache.hadoop.fs.CanSetReadahead;
@@ -38,8 +39,6 @@
 import org.apache.hadoop.fs.ReadOption;
 import org.apache.hadoop.fs.Seekable;
 import org.apache.hadoop.io.ByteBufferPool;
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY;
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT;
 
 import com.google.common.base.Preconditions;
 
@@ -54,15 +53,15 @@
  * <p/>
  * The underlying stream offset is maintained as state.
  */
-@InterfaceAudience.Public
+@InterfaceAudience.Private
 @InterfaceStability.Evolving
 public class CryptoInputStream extends FilterInputStream implements 
     Seekable, PositionedReadable, ByteBufferReadable, HasFileDescriptor, 
     CanSetDropBehind, CanSetReadahead, HasEnhancedByteBufferAccess {
-  private static final int MIN_BUFFER_SIZE = 512;
   private static final byte[] oneByteBuf = new byte[1];
   private final CryptoCodec codec;
   private final Decryptor decryptor;
+  private final int bufferSize;
   
   /**
    * Input data buffer. The data starts at inBuffer.position() and ends at 
@@ -79,7 +78,7 @@ public class CryptoInputStream extends FilterInputStream implements
   
   /**
    * Whether the underlying stream supports 
-   * {@link #org.apache.hadoop.fs.ByteBufferReadable}
+   * {@link org.apache.hadoop.fs.ByteBufferReadable}
    */
   private Boolean usingByteBufferRead = null;
   
@@ -94,32 +93,33 @@ public class CryptoInputStream extends FilterInputStream implements
   private final byte[] initIV;
   private byte[] iv;
   
+  /** DirectBuffer pool */
+  private final Queue<ByteBuffer> bufferPool = 
+      new ConcurrentLinkedQueue<ByteBuffer>();
+  /** Decryptor pool */
+  private final Queue<Decryptor> decryptorPool = 
+      new ConcurrentLinkedQueue<Decryptor>();
+  
   public CryptoInputStream(InputStream in, CryptoCodec codec, 
       int bufferSize, byte[] key, byte[] iv) throws IOException {
     super(in);
-    Preconditions.checkArgument(bufferSize >= MIN_BUFFER_SIZE, 
-        "Minimum value of buffer size is 512.");
-    this.key = key;
-    this.initIV = iv;
-    this.iv = iv.clone();
-    inBuffer = ByteBuffer.allocateDirect(bufferSize);
-    outBuffer = ByteBuffer.allocateDirect(bufferSize);
-    outBuffer.limit(0);
+    this.bufferSize = CryptoStreamUtils.checkBufferSize(codec, bufferSize);
     this.codec = codec;
-    try {
-      decryptor = codec.getDecryptor();
-    } catch (GeneralSecurityException e) {
-      throw new IOException(e);
-    }
+    this.key = key.clone();
+    this.initIV = iv.clone();
+    this.iv = iv.clone();
+    inBuffer = ByteBuffer.allocateDirect(this.bufferSize);
+    outBuffer = ByteBuffer.allocateDirect(this.bufferSize);
+    decryptor = getDecryptor();
     if (in instanceof Seekable) {
       streamOffset = ((Seekable) in).getPos();
     }
-    updateDecryptor();
+    resetStreamOffset(streamOffset);
   }
   
   public CryptoInputStream(InputStream in, CryptoCodec codec,
       byte[] key, byte[] iv) throws IOException {
-    this(in, codec, getBufferSize(codec.getConf()), key, iv);
+    this(in, codec, CryptoStreamUtils.getBufferSize(codec.getConf()), key, iv);
   }
   
   public InputStream getWrappedStream() {
@@ -169,14 +169,14 @@ public int read(byte[] b, int off, int len) throws IOException {
             usingByteBufferRead = Boolean.FALSE;
           }
         }
-        if (!usingByteBufferRead.booleanValue()) {
-          n = readFromUnderlyingStream();
+        if (!usingByteBufferRead) {
+          n = readFromUnderlyingStream(inBuffer);
         }
       } else {
-        if (usingByteBufferRead.booleanValue()) {
+        if (usingByteBufferRead) {
           n = ((ByteBufferReadable) in).read(inBuffer);
         } else {
-          n = readFromUnderlyingStream();
+          n = readFromUnderlyingStream(inBuffer);
         }
       }
       if (n <= 0) {
@@ -184,7 +184,8 @@ public int read(byte[] b, int off, int len) throws IOException {
       }
       
       streamOffset += n; // Read n bytes
-      decrypt();
+      decrypt(decryptor, inBuffer, outBuffer, padding);
+      padding = afterDecryption(decryptor, inBuffer, streamOffset, iv);
       n = Math.min(len, outBuffer.remaining());
       outBuffer.get(b, off, n);
       return n;
@@ -192,7 +193,7 @@ public int read(byte[] b, int off, int len) throws IOException {
   }
   
   /** Read data from underlying stream. */
-  private int readFromUnderlyingStream() throws IOException {
+  private int readFromUnderlyingStream(ByteBuffer inBuffer) throws IOException {
     final int toRead = inBuffer.remaining();
     final byte[] tmp = getTmpBuf();
     final int n = in.read(tmp, 0, toRead);
@@ -205,16 +206,18 @@ private int readFromUnderlyingStream() throws IOException {
   private byte[] tmpBuf;
   private byte[] getTmpBuf() {
     if (tmpBuf == null) {
-      tmpBuf = new byte[inBuffer.capacity()];
+      tmpBuf = new byte[bufferSize];
     }
     return tmpBuf;
   }
   
   /**
-   * Do the decryption using {@link #inBuffer} as input and {@link #outBuffer} 
-   * as output.
+   * Do the decryption using inBuffer as input and outBuffer as output.
+   * Upon return, inBuffer is cleared; the decrypted data starts at 
+   * outBuffer.position() and ends at outBuffer.limit();
    */
-  private void decrypt() throws IOException {
+  private void decrypt(Decryptor decryptor, ByteBuffer inBuffer, 
+      ByteBuffer outBuffer, byte padding) throws IOException {
     Preconditions.checkState(inBuffer.position() >= padding);
     if(inBuffer.position() == padding) {
       // There is no real data in inBuffer.
@@ -231,8 +234,16 @@ private void decrypt() throws IOException {
        * same position.
        */
       outBuffer.position(padding);
-      padding = 0;
     }
+  }
+  
+  /**
+   * This method is executed immediately after decryption. Check whether 
+   * decryptor should be updated and recalculate padding if needed. 
+   */
+  private byte afterDecryption(Decryptor decryptor, ByteBuffer inBuffer, 
+      long position, byte[] iv) throws IOException {
+    byte padding = 0;
     if (decryptor.isContextReset()) {
       /*
        * This code is generally not executed since the decryptor usually 
@@ -240,23 +251,31 @@ private void decrypt() throws IOException {
        * some implementations can't maintain context so a re-init is necessary 
        * after each decryption call.
        */
-      updateDecryptor();
+      updateDecryptor(decryptor, position, iv);
+      padding = getPadding(position);
+      inBuffer.position(padding);
     }
+    return padding;
   }
   
-  /**
-   * Update the {@link #decryptor}. Calculate the counter and {@link #padding}.
-   */
-  private void updateDecryptor() throws IOException {
-    final long counter = streamOffset / codec.getAlgorithmBlockSize();
-    padding = (byte)(streamOffset % codec.getAlgorithmBlockSize());
-    inBuffer.position(padding); // Set proper position for input data.
+  private long getCounter(long position) {
+    return position / codec.getAlgorithmBlockSize();
+  }
+  
+  private byte getPadding(long position) {
+    return (byte)(position % codec.getAlgorithmBlockSize());
+  }
+  
+  /** Calculate the counter and iv, update the decryptor. */
+  private void updateDecryptor(Decryptor decryptor, long position, byte[] iv) 
+      throws IOException {
+    final long counter = getCounter(position);
     codec.calculateIV(initIV, counter, iv);
     decryptor.init(key, iv);
   }
   
   /**
-   * Reset the underlying stream offset, and clear {@link #inBuffer} and 
+   * Reset the underlying stream offset; clear {@link #inBuffer} and 
    * {@link #outBuffer}. This Typically happens during {@link #seek(long)} 
    * or {@link #skip(long)}.
    */
@@ -265,7 +284,9 @@ private void resetStreamOffset(long offset) throws IOException {
     inBuffer.clear();
     outBuffer.clear();
     outBuffer.limit(0);
-    updateDecryptor();
+    updateDecryptor(decryptor, offset, iv);
+    padding = getPadding(offset);
+    inBuffer.position(padding); // Set proper position for input data.
   }
   
   @Override
@@ -279,17 +300,7 @@ public void close() throws IOException {
     closed = true;
   }
   
-  /** Forcibly free the direct buffer. */
-  private void freeBuffers() {
-    final sun.misc.Cleaner inBufferCleaner =
-        ((sun.nio.ch.DirectBuffer) inBuffer).cleaner();
-    inBufferCleaner.clean();
-    final sun.misc.Cleaner outBufferCleaner =
-        ((sun.nio.ch.DirectBuffer) outBuffer).cleaner();
-    outBufferCleaner.clean();
-  }
-  
-  /** Positioned read. */
+  /** Positioned read. It is thread-safe */
   @Override
   public int read(long position, byte[] buffer, int offset, int length)
       throws IOException {
@@ -298,12 +309,8 @@ public int read(long position, byte[] buffer, int offset, int length)
       final int n = ((PositionedReadable) in).read(position, buffer, offset, 
           length);
       if (n > 0) {
-        /*
-         * Since this operation does not change the current offset of a file, 
-         * streamOffset should not be changed. We need to restore the decryptor 
-         * and outBuffer after decryption.
-         */
-        decrypt(position, buffer, offset, length);
+        // This operation does not change the current offset of the file
+        decrypt(position, buffer, offset, n);
       }
       
       return n;
@@ -315,39 +322,39 @@ public int read(long position, byte[] buffer, int offset, int length)
   
   /**
    * Decrypt length bytes in buffer starting at offset. Output is also put 
-   * into buffer starting at offset. Restore the {@link #decryptor} and 
-   * {@link #outBuffer} after the decryption.
+   * into buffer starting at offset. It is thread-safe.
    */
   private void decrypt(long position, byte[] buffer, int offset, int length) 
       throws IOException {
-    final byte[] tmp = getTmpBuf();
-    int unread = outBuffer.remaining();
-    if (unread > 0) { // Cache outBuffer
-      outBuffer.get(tmp, 0, unread);
-    }
-    final long curOffset = streamOffset;
-    resetStreamOffset(position);
-    
-    int n = 0;
-    while (n < length) {
-      final int toDecrypt = Math.min(length - n, inBuffer.remaining());
-      inBuffer.put(buffer, offset + n, toDecrypt);
-      // Do decryption
-      decrypt();
-      outBuffer.get(buffer, offset + n, toDecrypt);
-      n += toDecrypt;
-    }
-    
-    // After decryption
-    resetStreamOffset(curOffset);
-    if (unread > 0) { // Restore outBuffer
-      outBuffer.clear();
-      outBuffer.put(tmp, 0, unread);
-      outBuffer.flip();
+    ByteBuffer inBuffer = getBuffer();
+    ByteBuffer outBuffer = getBuffer();
+    Decryptor decryptor = null;
+    try {
+      decryptor = getDecryptor();
+      byte[] iv = initIV.clone();
+      updateDecryptor(decryptor, position, iv);
+      byte padding = getPadding(position);
+      inBuffer.position(padding); // Set proper position for input data.
+      
+      int n = 0;
+      while (n < length) {
+        int toDecrypt = Math.min(length - n, inBuffer.remaining());
+        inBuffer.put(buffer, offset + n, toDecrypt);
+        // Do decryption
+        decrypt(decryptor, inBuffer, outBuffer, padding);
+        
+        outBuffer.get(buffer, offset + n, toDecrypt);
+        n += toDecrypt;
+        padding = afterDecryption(decryptor, inBuffer, position + n, iv);
+      }
+    } finally {
+      returnBuffer(inBuffer);
+      returnBuffer(outBuffer);
+      returnDecryptor(decryptor);
     }
   }
   
-  /** Positioned read fully. */
+  /** Positioned read fully. It is thread-safe */
   @Override
   public void readFully(long position, byte[] buffer, int offset, int length)
       throws IOException {
@@ -355,11 +362,7 @@ public void readFully(long position, byte[] buffer, int offset, int length)
     try {
       ((PositionedReadable) in).readFully(position, buffer, offset, length);
       if (length > 0) {
-        /*
-         * Since this operation does not change the current offset of the file, 
-         * streamOffset should not be changed. We need to restore the decryptor 
-         * and outBuffer after decryption.
-         */
+        // This operation does not change the current offset of the file
         decrypt(position, buffer, offset, length);
       }
     } catch (ClassCastException e) {
@@ -484,12 +487,15 @@ private void decrypt(ByteBuffer buf, int n, int start)
       buf.limit(start + len + Math.min(n - len, inBuffer.remaining()));
       inBuffer.put(buf);
       // Do decryption
-      decrypt();
-      
-      buf.position(start + len);
-      buf.limit(limit);
-      len += outBuffer.remaining();
-      buf.put(outBuffer);
+      try {
+        decrypt(decryptor, inBuffer, outBuffer, padding);
+        buf.position(start + len);
+        buf.limit(limit);
+        len += outBuffer.remaining();
+        buf.put(outBuffer);
+      } finally {
+        padding = afterDecryption(decryptor, inBuffer, streamOffset - (n - len), iv);
+      }
     }
     buf.position(pos);
   }
@@ -612,8 +618,57 @@ private void checkStream() throws IOException {
     }
   }
   
-  private static int getBufferSize(Configuration conf) {
-    return conf.getInt(HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY, 
-        HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT);
+  /** Get direct buffer from pool */
+  private ByteBuffer getBuffer() {
+    ByteBuffer buffer = bufferPool.poll();
+    if (buffer == null) {
+      buffer = ByteBuffer.allocateDirect(bufferSize);
+    }
+    
+    return buffer;
+  }
+  
+  /** Return direct buffer to pool */
+  private void returnBuffer(ByteBuffer buf) {
+    if (buf != null) {
+      buf.clear();
+      bufferPool.add(buf);
+    }
+  }
+  
+  /** Forcibly free the direct buffers. */
+  private void freeBuffers() {
+    CryptoStreamUtils.freeDB(inBuffer);
+    CryptoStreamUtils.freeDB(outBuffer);
+    cleanBufferPool();
+  }
+  
+  /** Clean direct buffer pool */
+  private void cleanBufferPool() {
+    ByteBuffer buf;
+    while ((buf = bufferPool.poll()) != null) {
+      CryptoStreamUtils.freeDB(buf);
+    }
+  }
+  
+  /** Get decryptor from pool */
+  private Decryptor getDecryptor() throws IOException {
+    Decryptor decryptor = decryptorPool.poll();
+    if (decryptor == null) {
+      try {
+        decryptor = codec.createDecryptor();
+      } catch (GeneralSecurityException e) {
+        throw new IOException(e);
+      }
+    }
+    
+    return decryptor;
+  }
+  
+  /** Return decryptor to pool */
+  private void returnDecryptor(Decryptor decryptor) {
+    if (decryptor != null) {
+      decryptorPool.add(decryptor);
+    }
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
index c5bd1dd6b5d..61eca0a4616 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
@@ -25,11 +25,8 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
-import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CanSetDropBehind;
 import org.apache.hadoop.fs.Syncable;
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY;
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT;
 
 import com.google.common.base.Preconditions;
 
@@ -44,14 +41,14 @@
  * <p/>
  * The underlying stream offset is maintained as state.
  */
-@InterfaceAudience.Public
+@InterfaceAudience.Private
 @InterfaceStability.Evolving
 public class CryptoOutputStream extends FilterOutputStream implements 
     Syncable, CanSetDropBehind {
-  private static final int MIN_BUFFER_SIZE = 512;
   private static final byte[] oneByteBuf = new byte[1];
   private final CryptoCodec codec;
   private final Encryptor encryptor;
+  private final int bufferSize;
   
   /**
    * Input data buffer. The data starts at inBuffer.position() and ends at 
@@ -86,17 +83,16 @@ public CryptoOutputStream(OutputStream out, CryptoCodec codec,
       int bufferSize, byte[] key, byte[] iv, long streamOffset) 
       throws IOException {
     super(out);
-    Preconditions.checkArgument(bufferSize >= MIN_BUFFER_SIZE, 
-        "Minimum value of buffer size is 512.");
-    this.key = key;
-    this.initIV = iv;
-    this.iv = iv.clone();
-    inBuffer = ByteBuffer.allocateDirect(bufferSize);
-    outBuffer = ByteBuffer.allocateDirect(bufferSize);
-    this.streamOffset = streamOffset;
+    this.bufferSize = CryptoStreamUtils.checkBufferSize(codec, bufferSize);
     this.codec = codec;
+    this.key = key.clone();
+    this.initIV = iv.clone();
+    this.iv = iv.clone();
+    inBuffer = ByteBuffer.allocateDirect(this.bufferSize);
+    outBuffer = ByteBuffer.allocateDirect(this.bufferSize);
+    this.streamOffset = streamOffset;
     try {
-      encryptor = codec.getEncryptor();
+      encryptor = codec.createEncryptor();
     } catch (GeneralSecurityException e) {
       throw new IOException(e);
     }
@@ -110,7 +106,8 @@ public CryptoOutputStream(OutputStream out, CryptoCodec codec,
   
   public CryptoOutputStream(OutputStream out, CryptoCodec codec, 
       byte[] key, byte[] iv, long streamOffset) throws IOException {
-    this(out, codec, getBufferSize(codec.getConf()), key, iv, streamOffset);
+    this(out, codec, CryptoStreamUtils.getBufferSize(codec.getConf()), 
+        key, iv, streamOffset);
   }
   
   public OutputStream getWrappedStream() {
@@ -195,9 +192,7 @@ private void encrypt() throws IOException {
     }
   }
   
-  /**
-   * Update the {@link #encryptor}: calculate counter and {@link #padding}.
-   */
+  /** Update the {@link #encryptor}: calculate counter and {@link #padding}. */
   private void updateEncryptor() throws IOException {
     final long counter = streamOffset / codec.getAlgorithmBlockSize();
     padding = (byte)(streamOffset % codec.getAlgorithmBlockSize());
@@ -209,7 +204,7 @@ private void updateEncryptor() throws IOException {
   private byte[] tmpBuf;
   private byte[] getTmpBuf() {
     if (tmpBuf == null) {
-      tmpBuf = new byte[outBuffer.capacity()];
+      tmpBuf = new byte[bufferSize];
     }
     return tmpBuf;
   }
@@ -225,16 +220,6 @@ public void close() throws IOException {
     closed = true;
   }
   
-  /** Forcibly free the direct buffer. */
-  private void freeBuffers() {
-    final sun.misc.Cleaner inBufferCleaner =
-        ((sun.nio.ch.DirectBuffer) inBuffer).cleaner();
-    inBufferCleaner.clean();
-    final sun.misc.Cleaner outBufferCleaner =
-        ((sun.nio.ch.DirectBuffer) outBuffer).cleaner();
-    outBufferCleaner.clean();
-  }
-  
   /**
    * To flush, we need to encrypt the data in the buffer and write to the 
    * underlying stream, then do the flush.
@@ -285,8 +270,9 @@ public void hsync() throws IOException {
     }
   }
   
-  private static int getBufferSize(Configuration conf) {
-    return conf.getInt(HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY, 
-        HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT);
+  /** Forcibly free the direct buffers. */
+  private void freeBuffers() {
+    CryptoStreamUtils.freeDB(inBuffer);
+    CryptoStreamUtils.freeDB(outBuffer);
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java
new file mode 100644
index 00000000000..c9aad816b54
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY;
+
+import java.nio.ByteBuffer;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.conf.Configuration;
+
+import com.google.common.base.Preconditions;
+
+@InterfaceAudience.Private
+public class CryptoStreamUtils {
+  private static final int MIN_BUFFER_SIZE = 512;
+  
+  /** Forcibly free the direct buffer. */
+  public static void freeDB(ByteBuffer buffer) {
+    if (buffer instanceof sun.nio.ch.DirectBuffer) {
+      final sun.misc.Cleaner bufferCleaner =
+          ((sun.nio.ch.DirectBuffer) buffer).cleaner();
+      bufferCleaner.clean();
+    }
+  }
+  
+  /** Read crypto buffer size */
+  public static int getBufferSize(Configuration conf) {
+    return conf.getInt(HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY, 
+        HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT);
+  }
+  
+  /** Check and floor buffer size */
+  public static int checkBufferSize(CryptoCodec codec, int bufferSize) {
+    Preconditions.checkArgument(bufferSize >= MIN_BUFFER_SIZE, 
+        "Minimum value of buffer size is " + MIN_BUFFER_SIZE + ".");
+    return bufferSize - bufferSize % codec.getAlgorithmBlockSize();
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java
index ded016a4acc..9958415ebd2 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Decryptor.java
@@ -23,7 +23,7 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 
-@InterfaceAudience.Public
+@InterfaceAudience.Private
 @InterfaceStability.Evolving
 public interface Decryptor {
   
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java
index 00213b8cbbf..6dc3cfbe38f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/Encryptor.java
@@ -23,7 +23,7 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 
-@InterfaceAudience.Public
+@InterfaceAudience.Private
 @InterfaceStability.Evolving
 public interface Encryptor {
   
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
index aea9e07ee6a..bd0e502eeed 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
@@ -17,14 +17,25 @@
  */
 package org.apache.hadoop.crypto;
 
+import java.io.IOException;
+import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
 
+import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+
+import com.google.common.base.Preconditions;
+
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY;
 
 /**
  * Implement the AES-CTR crypto codec using JCE provider.
  */
+@InterfaceAudience.Private
 public class JCEAESCTRCryptoCodec extends AESCTRCryptoCodec {
   private Configuration conf;
   private String provider;
@@ -44,12 +55,86 @@ public void setConf(Configuration conf) {
   }
 
   @Override
-  public Encryptor getEncryptor() throws GeneralSecurityException {
-    return new JCEAESCTREncryptor(provider);
+  public Encryptor createEncryptor() throws GeneralSecurityException {
+    return new JCEAESCTRCipher(Cipher.ENCRYPT_MODE, provider);
   }
 
   @Override
-  public Decryptor getDecryptor() throws GeneralSecurityException {
-    return new JCEAESCTRDecryptor(provider);
+  public Decryptor createDecryptor() throws GeneralSecurityException {
+    return new JCEAESCTRCipher(Cipher.DECRYPT_MODE, provider);
+  }
+  
+  private static class JCEAESCTRCipher implements Encryptor, Decryptor {
+    private final Cipher cipher;
+    private final int mode;
+    private boolean contextReset = false;
+    
+    public JCEAESCTRCipher(int mode, String provider) 
+        throws GeneralSecurityException {
+      this.mode = mode;
+      if (provider == null || provider.isEmpty()) {
+        cipher = Cipher.getInstance("AES/CTR/NoPadding");
+      } else {
+        cipher = Cipher.getInstance("AES/CTR/NoPadding", provider);
+      }
+    }
+
+    @Override
+    public void init(byte[] key, byte[] iv) throws IOException {
+      Preconditions.checkNotNull(key);
+      Preconditions.checkNotNull(iv);
+      contextReset = false;
+      try {
+        cipher.init(mode, new SecretKeySpec(key, "AES"), 
+            new IvParameterSpec(iv));
+      } catch (Exception e) {
+        throw new IOException(e);
+      }
+    }
+
+    /**
+     * AES-CTR will consume all of the input data. It requires enough space in 
+     * the destination buffer to encrypt entire input buffer.
+     */
+    @Override
+    public void encrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
+        throws IOException {
+      process(inBuffer, outBuffer);
+    }
+    
+    /**
+     * AES-CTR will consume all of the input data. It requires enough space in
+     * the destination buffer to decrypt entire input buffer.
+     */
+    @Override
+    public void decrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
+        throws IOException {
+      process(inBuffer, outBuffer);
+    }
+    
+    private void process(ByteBuffer inBuffer, ByteBuffer outBuffer)
+        throws IOException {
+      try {
+        int inputSize = inBuffer.remaining();
+        // Cipher#update will maintain crypto context.
+        int n = cipher.update(inBuffer, outBuffer);
+        if (n < inputSize) {
+          /**
+           * Typically code will not get here. Cipher#update will consume all 
+           * input data and put result in outBuffer. 
+           * Cipher#doFinal will reset the crypto context.
+           */
+          contextReset = true;
+          cipher.doFinal(inBuffer, outBuffer);
+        }
+      } catch (Exception e) {
+        throw new IOException(e);
+      }
+    }
+    
+    @Override
+    public boolean isContextReset() {
+      return contextReset;
+    }
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java
index 569d3de9704..e69de29bb2d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java
@@ -1,84 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.crypto;
-
-import java.io.IOException;
-import java.nio.ByteBuffer;
-import java.security.GeneralSecurityException;
-
-import javax.crypto.Cipher;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.google.common.base.Preconditions;
-
-public class JCEAESCTRDecryptor implements Decryptor {
-  private final Cipher cipher;
-  private boolean contextReset = false;
-  
-  public JCEAESCTRDecryptor(String provider) throws GeneralSecurityException {
-    if (provider == null || provider.isEmpty()) {
-      cipher = Cipher.getInstance("AES/CTR/NoPadding");
-    } else {
-      cipher = Cipher.getInstance("AES/CTR/NoPadding", provider);
-    }
-  }
-
-  @Override
-  public void init(byte[] key, byte[] iv) throws IOException {
-    Preconditions.checkNotNull(key);
-    Preconditions.checkNotNull(iv);
-    contextReset = false;
-    try {
-      cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), 
-          new IvParameterSpec(iv));
-    } catch (Exception e) {
-      throw new IOException(e);
-    }
-  }
-
-  /**
-   * AES-CTR will consume all of the input data. It requires enough space in
-   * the destination buffer to decrypt entire input buffer.
-   */
-  @Override
-  public void decrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
-      throws IOException {
-    try {
-      int inputSize = inBuffer.remaining();
-      // Cipher#update will maintain decryption context.
-      int n = cipher.update(inBuffer, outBuffer);
-      if (n < inputSize) {
-        /**
-         * Typically code will not get here. Cipher#update will decrypt all 
-         * input data and put result in outBuffer. 
-         * Cipher#doFinal will reset the decryption context.
-         */
-        contextReset = true;
-        cipher.doFinal(inBuffer, outBuffer);
-      }
-    } catch (Exception e) {
-      throw new IOException(e);
-    }
-  }
-
-  @Override
-  public boolean isContextReset() {
-    return contextReset;
-  }
-}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java
index 28e45735110..e69de29bb2d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java
@@ -1,84 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.crypto;
-
-import java.io.IOException;
-import java.nio.ByteBuffer;
-import java.security.GeneralSecurityException;
-
-import javax.crypto.Cipher;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.google.common.base.Preconditions;
-
-public class JCEAESCTREncryptor implements Encryptor {
-  private final Cipher cipher;
-  private boolean contextReset = false;
-  
-  public JCEAESCTREncryptor(String provider) throws GeneralSecurityException {
-    if (provider == null || provider.isEmpty()) {
-      cipher = Cipher.getInstance("AES/CTR/NoPadding");
-    } else {
-      cipher = Cipher.getInstance("AES/CTR/NoPadding", provider);
-    }
-  }
-
-  @Override
-  public void init(byte[] key, byte[] iv) throws IOException {
-    Preconditions.checkNotNull(key);
-    Preconditions.checkNotNull(iv);
-    contextReset = false;
-    try {
-      cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), 
-          new IvParameterSpec(iv));
-    } catch (Exception e) {
-      throw new IOException(e);
-    }
-  }
-
-  /**
-   * AES-CTR will consume all of the input data. It requires enough space in 
-   * the destination buffer to encrypt entire input buffer.
-   */
-  @Override
-  public void encrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
-      throws IOException {
-    try {
-      int inputSize = inBuffer.remaining();
-      // Cipher#update will maintain encryption context.
-      int n = cipher.update(inBuffer, outBuffer);
-      if (n < inputSize) {
-        /**
-         * Typically code will not get here. Cipher#update will encrypt all 
-         * input data and put result in outBuffer. 
-         * Cipher#doFinal will reset the encryption context.
-         */
-        contextReset = true;
-        cipher.doFinal(inBuffer, outBuffer);
-      }
-    } catch (Exception e) {
-      throw new IOException(e);
-    }
-  }
-
-  @Override
-  public boolean isContextReset() {
-    return contextReset;
-  }
-}

From f7921030cd9e3ef1c23f25c1b8defedd8ddcadb4 Mon Sep 17 00:00:00 2001
From: Yi Liu <yliu@apache.org>
Date: Fri, 30 May 2014 08:22:41 +0000
Subject: [PATCH 006/354] HADOOP-10635. Add a method to CryptoCodec to generate
 SRNs for IV. Contributed by Yi Liu

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1598493 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |  2 +
 .../org/apache/hadoop/crypto/CryptoCodec.java |  7 ++
 .../hadoop/crypto/JCEAESCTRCryptoCodec.java   | 21 +++++
 .../fs/CommonConfigurationKeysPublic.java     |  6 ++
 .../src/main/resources/core-default.xml       |  8 ++
 .../apache/hadoop/crypto/TestCryptoCodec.java | 81 +++++++++++++++++++
 6 files changed, 125 insertions(+)
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 1e7c6f62f17..c8dc9d46709 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -17,6 +17,8 @@ fs-encryption (Unreleased)
     HADOOP-10632. Minor improvements to Crypto input and output streams. 
     (Yi Liu)
 
+    HADOOP-10635. Add a method to CryptoCodec to generate SRNs for IV. (Yi Liu)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
index da695e97571..277246c087b 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
@@ -79,4 +79,11 @@ public static CryptoCodec getInstance(Configuration conf) {
    * @param IV the IV for input stream position
    */
   public abstract void calculateIV(byte[] initIV, long counter, byte[] IV);
+  
+  /**
+   * Generate secure random.
+   * @param bytes length of the secure random
+   * @return byte[] the secure random
+   */
+  public abstract byte[] generateSecureRandom(int bytes);
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
index bd0e502eeed..22a036a5602 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
@@ -20,6 +20,7 @@
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
 
 import javax.crypto.Cipher;
 import javax.crypto.spec.IvParameterSpec;
@@ -31,6 +32,8 @@
 import com.google.common.base.Preconditions;
 
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_DEFAULT;
 
 /**
  * Implement the AES-CTR crypto codec using JCE provider.
@@ -39,6 +42,7 @@
 public class JCEAESCTRCryptoCodec extends AESCTRCryptoCodec {
   private Configuration conf;
   private String provider;
+  private SecureRandom random;
 
   public JCEAESCTRCryptoCodec() {
   }
@@ -52,6 +56,16 @@ public Configuration getConf() {
   public void setConf(Configuration conf) {
     this.conf = conf;
     provider = conf.get(HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY);
+    final String secureRandomAlg = conf.get(
+        HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY, 
+        HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_DEFAULT);
+    try {
+      random = (provider != null) ? 
+          SecureRandom.getInstance(secureRandomAlg, provider) : 
+            SecureRandom.getInstance(secureRandomAlg);
+    } catch (GeneralSecurityException e) {
+      throw new IllegalArgumentException(e);
+    }
   }
 
   @Override
@@ -64,6 +78,13 @@ public Decryptor createDecryptor() throws GeneralSecurityException {
     return new JCEAESCTRCipher(Cipher.DECRYPT_MODE, provider);
   }
   
+  @Override
+  public byte[] generateSecureRandom(int bytes) {
+    final byte[] data = new byte[bytes];
+    random.nextBytes(data);
+    return data;
+  }  
+  
   private static class JCEAESCTRCipher implements Encryptor, Decryptor {
     private final Cipher cipher;
     private final int mode;
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
index 6c595c4f057..279bbc7e2b3 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
@@ -296,5 +296,11 @@ public class CommonConfigurationKeysPublic {
   /** Class to override Impersonation provider */
   public static final String  HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS =
     "hadoop.security.impersonation.provider.class";
+  /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
+  public static final String HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY = 
+      "hadoop.security.secure.random.algorithm";
+  /** Defalt value for HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY */
+  public static final String HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_DEFAULT = 
+      "SHA1PRNG";
 }
 
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index 21c290c43cd..a174d396d5e 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -1384,4 +1384,12 @@
     The buffer size used by CryptoInputStream and CryptoOutputStream. 
   </description>
 </property>
+
+<property>
+  <name>hadoop.security.secure.random.algorithm</name>
+  <value></value>
+  <description>
+    The secure random algorithm. 
+  </description>
+</property>
 </configuration>
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java
new file mode 100644
index 00000000000..8213ad8a77b
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import org.apache.hadoop.conf.Configuration;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestCryptoCodec {
+  private static CryptoCodec codec;
+  
+  @BeforeClass
+  public static void init() throws Exception {
+    Configuration conf = new Configuration();
+    codec = CryptoCodec.getInstance(conf);
+  }
+  
+  @AfterClass
+  public static void shutdown() throws Exception {
+  }
+  
+  @Test(timeout=120000)
+  public void testSecureRandom() throws Exception {
+    // len = 16
+    checkSecureRandom(16);
+    
+    // len = 32
+    checkSecureRandom(32);
+    
+    // len = 128
+    checkSecureRandom(128);
+  }
+  
+  private void checkSecureRandom(int len) {
+    byte[] rand = codec.generateSecureRandom(len);
+    byte[] rand1 = codec.generateSecureRandom(len);
+    
+    Assert.assertEquals(len, rand.length);
+    Assert.assertEquals(len, rand1.length);
+    Assert.assertFalse(bytesArrayEquals(rand, rand1));
+  }
+  
+  private boolean bytesArrayEquals(byte[] expected, byte[] actual) {
+    if ((expected == null  && actual != null) || 
+        (expected != null && actual == null)) {
+      return false;
+    }
+    if (expected == null && actual == null) {
+      return true;
+    }
+    
+    if (expected.length != actual.length) {
+      return false;
+    }
+    
+    for (int i = 0; i < expected.length; i++) {
+      if (expected[i] != actual[i]) {
+        return false;
+      }
+    }
+    
+    return true;
+  }
+}

From 4054a408915d26b54a3958320cc0d7dfbe65b2e0 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Fri, 30 May 2014 23:53:45 +0000
Subject: [PATCH 007/354] HDFS-6388. HDFS integration with KeyProvider. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1598783 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |  2 ++
 .../hadoop/hdfs/server/namenode/NameNode.java | 36 +++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index c8dc9d46709..82f68d75160 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -6,6 +6,8 @@ fs-encryption (Unreleased)
 
   NEW FEATURES
 
+    HDFS-6388. HDFS integration with KeyProvider. (clamb)
+
   IMPROVEMENTS
 
     HADOOP-10603. Crypto input and output streams implementing Hadoop stream
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
index 9cdad26eb24..504e3ed2013 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
@@ -27,6 +27,8 @@
 import org.apache.hadoop.HadoopIllegalArgumentException;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.KeyProvider;
+import org.apache.hadoop.crypto.key.KeyProviderFactory;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Trash;
 import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState;
@@ -270,6 +272,9 @@ public long getProtocolVersion(String protocol,
   
   private NameNodeRpcServer rpcServer;
 
+  /* The KeyProvider, if any. */
+  private KeyProvider provider = null;
+
   private JvmPauseMonitor pauseMonitor;
   private ObjectName nameNodeStatusBeanName;
   /**
@@ -581,6 +586,7 @@ protected void initialize(Configuration conf) throws IOException {
       startHttpServer(conf);
     }
     loadNamesystem(conf);
+    initializeKeyProvider(conf);
 
     rpcServer = createRpcServer(conf);
     if (clientNamenodeAddress == null) {
@@ -699,6 +705,36 @@ private void stopHttpServer() {
     }
   }
 
+  private void initializeKeyProvider(final Configuration conf) {
+    try {
+      final List<KeyProvider> providers = KeyProviderFactory.getProviders(conf);
+      if (providers == null) {
+        return;
+      }
+
+      if (providers.size() == 0) {
+        LOG.info("No KeyProviders found.");
+        return;
+      }
+
+      if (providers.size() > 1) {
+        final String err =
+            "Multiple KeyProviders found. Only one is permitted.";
+        LOG.error(err);
+        throw new RuntimeException(err);
+      }
+      provider = providers.get(0);
+      if (provider.isTransient()) {
+        final String err =
+            "A KeyProvider was found but it is a transient provider.";
+        LOG.error(err);
+        throw new RuntimeException(err);
+      }
+    } catch (IOException e) {
+      LOG.error("Exception while initializing KeyProvider", e);
+    }
+  }
+
   /**
    * Start NameNode.
    * <p>

From 75ec5792dfc5472b2aa9da7030d4e2ae7421d87c Mon Sep 17 00:00:00 2001
From: Yi Liu <yliu@apache.org>
Date: Mon, 2 Jun 2014 14:35:32 +0000
Subject: [PATCH 008/354] HADOOP-10653. Add a new constructor for
 CryptoInputStream that receives current position of wrapped stream.
 Contributed by Yi Liu

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1599228 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt        |  3 +++
 .../apache/hadoop/crypto/CryptoInputStream.java    | 10 +++++++---
 .../apache/hadoop/crypto/CryptoStreamUtils.java    | 14 ++++++++++++++
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 82f68d75160..c99436606e9 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -21,6 +21,9 @@ fs-encryption (Unreleased)
 
     HADOOP-10635. Add a method to CryptoCodec to generate SRNs for IV. (Yi Liu)
 
+    HADOOP-10653. Add a new constructor for CryptoInputStream that 
+    receives current position of wrapped stream. (Yi Liu)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
index e3eea41b1d4..fe663f2cc9f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
@@ -102,18 +102,22 @@ public class CryptoInputStream extends FilterInputStream implements
   
   public CryptoInputStream(InputStream in, CryptoCodec codec, 
       int bufferSize, byte[] key, byte[] iv) throws IOException {
+    this(in, codec, bufferSize, key, iv, 
+        CryptoStreamUtils.getInputStreamOffset(in));
+  }
+  
+  public CryptoInputStream(InputStream in, CryptoCodec codec,
+      int bufferSize, byte[] key, byte[] iv, long streamOffset) throws IOException {
     super(in);
     this.bufferSize = CryptoStreamUtils.checkBufferSize(codec, bufferSize);
     this.codec = codec;
     this.key = key.clone();
     this.initIV = iv.clone();
     this.iv = iv.clone();
+    this.streamOffset = streamOffset;
     inBuffer = ByteBuffer.allocateDirect(this.bufferSize);
     outBuffer = ByteBuffer.allocateDirect(this.bufferSize);
     decryptor = getDecryptor();
-    if (in instanceof Seekable) {
-      streamOffset = ((Seekable) in).getPos();
-    }
     resetStreamOffset(streamOffset);
   }
   
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java
index c9aad816b54..dfa27df172d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java
@@ -20,10 +20,13 @@
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY;
 
+import java.io.IOException;
+import java.io.InputStream;
 import java.nio.ByteBuffer;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Seekable;
 
 import com.google.common.base.Preconditions;
 
@@ -52,4 +55,15 @@ public static int checkBufferSize(CryptoCodec codec, int bufferSize) {
         "Minimum value of buffer size is " + MIN_BUFFER_SIZE + ".");
     return bufferSize - bufferSize % codec.getAlgorithmBlockSize();
   }
+  
+  /**
+   * If input stream is {@link org.apache.hadoop.fs.Seekable}, return it's
+   * current position, otherwise return 0;
+   */
+  public static long getInputStreamOffset(InputStream in) throws IOException {
+    if (in instanceof Seekable) {
+      return ((Seekable) in).getPos();
+    }
+    return 0;
+  }
 }

From d86db3f76f03a63c56e6dd9f5531d3b8a78980f6 Mon Sep 17 00:00:00 2001
From: Yi Liu <yliu@apache.org>
Date: Thu, 5 Jun 2014 01:30:40 +0000
Subject: [PATCH 009/354] HADOOP-10662. NullPointerException in
 CryptoInputStream while wrapped stream is not ByteBufferReadable. Add tests
 using normal stream. Contributed by Yi Liu

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1600553 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |   3 +
 .../hadoop/crypto/CryptoInputStream.java      |   2 +
 .../crypto/TestCryptoStreamsNormal.java       | 123 ++++++++++++++++++
 3 files changed, 128 insertions(+)
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsNormal.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index c99436606e9..66b55b0f508 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -24,6 +24,9 @@ fs-encryption (Unreleased)
     HADOOP-10653. Add a new constructor for CryptoInputStream that 
     receives current position of wrapped stream. (Yi Liu)
 
+    HADOOP-10662. NullPointerException in CryptoInputStream while wrapped
+    stream is not ByteBufferReadable. Add tests using normal stream. (Yi Liu)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
index fe663f2cc9f..55c891a0ace 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
@@ -172,6 +172,8 @@ public int read(byte[] b, int off, int len) throws IOException {
           } catch (UnsupportedOperationException e) {
             usingByteBufferRead = Boolean.FALSE;
           }
+        } else {
+          usingByteBufferRead = Boolean.FALSE;
         }
         if (!usingByteBufferRead) {
           n = readFromUnderlyingStream(inBuffer);
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsNormal.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsNormal.java
new file mode 100644
index 00000000000..e9c313fde36
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsNormal.java
@@ -0,0 +1,123 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+import org.apache.hadoop.conf.Configuration;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+
+/**
+ * Test crypto streams using normal stream which does not support the 
+ * additional interfaces that the Hadoop FileSystem streams implement 
+ * (Seekable, PositionedReadable, ByteBufferReadable, HasFileDescriptor, 
+ * CanSetDropBehind, CanSetReadahead, HasEnhancedByteBufferAccess, Syncable, 
+ * CanSetDropBehind)
+ */
+public class TestCryptoStreamsNormal extends CryptoStreamsTestBase {
+  /**
+   * Data storage.
+   * {@link #getOutputStream(int, byte[], byte[])} will write to this buffer.
+   * {@link #getInputStream(int, byte[], byte[])} will read from this buffer.
+   */
+  private byte[] buffer;
+  private int bufferLen;
+  
+  @BeforeClass
+  public static void init() throws Exception {
+    Configuration conf = new Configuration();
+    codec = CryptoCodec.getInstance(conf);
+  }
+  
+  @AfterClass
+  public static void shutdown() throws Exception {
+  }
+
+  @Override
+  protected OutputStream getOutputStream(int bufferSize, byte[] key, byte[] iv)
+      throws IOException {
+    OutputStream out = new ByteArrayOutputStream() {
+      @Override
+      public void flush() throws IOException {
+        buffer = buf;
+        bufferLen = count;
+      }
+      @Override
+      public void close() throws IOException {
+        buffer = buf;
+        bufferLen = count;
+      }
+    };
+    return new CryptoOutputStream(out, codec, bufferSize, key, iv);
+  }
+
+  @Override
+  protected InputStream getInputStream(int bufferSize, byte[] key, byte[] iv)
+      throws IOException {
+    ByteArrayInputStream in = new ByteArrayInputStream(buffer, 0, bufferLen);
+    return new CryptoInputStream(in, codec, bufferSize, 
+        key, iv);
+  }
+  
+  @Ignore("Wrapped stream doesn't support Syncable")
+  @Override
+  @Test(timeout=1000)
+  public void testSyncable() throws IOException {}
+  
+  @Ignore("Wrapped stream doesn't support PositionedRead")
+  @Override
+  @Test(timeout=1000)
+  public void testPositionedRead() throws IOException {}
+
+  @Ignore("Wrapped stream doesn't support ReadFully")
+  @Override
+  @Test(timeout=1000)
+  public void testReadFully() throws IOException {}
+  
+  @Ignore("Wrapped stream doesn't support Seek")
+  @Override
+  @Test(timeout=1000)
+  public void testSeek() throws IOException {}
+  
+  @Ignore("Wrapped stream doesn't support ByteBufferRead")
+  @Override
+  @Test(timeout=1000)
+  public void testByteBufferRead() throws IOException {}
+  
+  @Ignore("Wrapped stream doesn't support ByteBufferRead, Seek")
+  @Override
+  @Test(timeout=1000)
+  public void testCombinedOp() throws IOException {}
+  
+  @Ignore("Wrapped stream doesn't support SeekToNewSource")
+  @Override
+  @Test(timeout=1000)
+  public void testSeekToNewSource() throws IOException {}
+  
+  @Ignore("Wrapped stream doesn't support HasEnhancedByteBufferAccess")
+  @Override
+  @Test(timeout=1000)
+  public void testHasEnhancedByteBufferAccess() throws IOException {}
+}

From bdee397e95e98ece071345822e2e4d3f690f09c3 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Thu, 5 Jun 2014 10:10:48 +0000
Subject: [PATCH 010/354] HADOOP-6392. Wire crypto streams for encrypted files
 in DFSClient. (clamb and yliu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1600582 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |   3 +
 .../apache/hadoop/fs/FSDataOutputStream.java  |   2 +-
 .../main/java/org/apache/hadoop/fs/Hdfs.java  |  55 ++-
 .../apache/hadoop/hdfs/DFSInputStream.java    |  22 ++
 .../apache/hadoop/hdfs/DFSOutputStream.java   |  22 ++
 .../hdfs/client/HdfsDataInputStream.java      |  38 +-
 .../hdfs/client/HdfsDataOutputStream.java     |  36 +-
 .../hadoop/hdfs/protocol/HdfsConstants.java   |   4 +
 .../hadoop/hdfs/protocol/HdfsFileStatus.java  |  28 +-
 .../hdfs/protocol/HdfsLocatedFileStatus.java  |   6 +-
 .../hadoop/hdfs/protocol/LocatedBlocks.java   |  25 +-
 .../SnapshottableDirectoryStatus.java         |   2 +-
 .../hadoop/hdfs/protocolPB/PBHelper.java      |  20 +-
 .../server/blockmanagement/BlockManager.java  |   8 +-
 .../hdfs/server/namenode/FSDirectory.java     |   8 +-
 .../org/apache/hadoop/hdfs/web/JsonUtil.java  |   5 +-
 .../hadoop-hdfs/src/main/proto/hdfs.proto     |   6 +
 .../apache/hadoop/fs/TestHDFSEncryption.java  | 352 ++++++++++++++++++
 .../hadoop/hdfs/TestDFSClientRetries.java     |   7 +-
 .../org/apache/hadoop/hdfs/TestDFSUtil.java   |   2 +-
 .../org/apache/hadoop/hdfs/TestLease.java     |   4 +-
 .../hadoop/hdfs/server/namenode/TestFsck.java |   2 +-
 .../apache/hadoop/hdfs/web/TestJsonUtil.java  |   2 +-
 23 files changed, 612 insertions(+), 47 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestHDFSEncryption.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 66b55b0f508..e19a4abf7a7 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -10,6 +10,9 @@ fs-encryption (Unreleased)
 
   IMPROVEMENTS
 
+    HADOOP-6392. Wire crypto streams for encrypted files in
+    DFSClient. (clamb and yliu)
+
     HADOOP-10603. Crypto input and output streams implementing Hadoop stream
     interfaces. (Yi Liu and Charles Lamb)
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FSDataOutputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FSDataOutputStream.java
index 689e9717d22..d8257729af8 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FSDataOutputStream.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FSDataOutputStream.java
@@ -99,7 +99,7 @@ public void close() throws IOException {
   }
 
   /**
-   * Get a reference to the wrapped output stream. Used by unit tests.
+   * Get a reference to the wrapped output stream.
    *
    * @return the underlying output stream
    */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java
index e308a966f55..6b2a01bcf39 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java
@@ -17,7 +17,6 @@
  */
 package org.apache.hadoop.fs;
 
-
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URI;
@@ -31,12 +30,17 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CryptoCodec;
+import org.apache.hadoop.crypto.CryptoOutputStream;
+import org.apache.hadoop.crypto.CryptoInputStream;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.fs.Options.ChecksumOpt;
 import org.apache.hadoop.hdfs.CorruptFileBlockIterator;
 import org.apache.hadoop.hdfs.DFSClient;
+import org.apache.hadoop.hdfs.DFSInputStream;
+import org.apache.hadoop.hdfs.DFSOutputStream;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.client.HdfsDataInputStream;
 import org.apache.hadoop.hdfs.client.HdfsDataOutputStream;
@@ -53,11 +57,14 @@
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
 import org.apache.hadoop.util.Progressable;
 
+import com.google.common.base.Preconditions;
+
 @InterfaceAudience.Private
 @InterfaceStability.Evolving
 public class Hdfs extends AbstractFileSystem {
 
   DFSClient dfs;
+  final CryptoCodec factory;
   private boolean verifyChecksum = true;
 
   static {
@@ -84,6 +91,7 @@ public class Hdfs extends AbstractFileSystem {
     }
 
     this.dfs = new DFSClient(theUri, conf, getStatistics());
+    this.factory = CryptoCodec.getInstance(conf);
   }
 
   @Override
@@ -96,9 +104,27 @@ public HdfsDataOutputStream createInternal(Path f,
       EnumSet<CreateFlag> createFlag, FsPermission absolutePermission,
       int bufferSize, short replication, long blockSize, Progressable progress,
       ChecksumOpt checksumOpt, boolean createParent) throws IOException {
-    return new HdfsDataOutputStream(dfs.primitiveCreate(getUriPath(f),
-        absolutePermission, createFlag, createParent, replication, blockSize,
-        progress, bufferSize, checksumOpt), getStatistics());
+
+    final DFSOutputStream dfsos = dfs.primitiveCreate(getUriPath(f),
+      absolutePermission, createFlag, createParent, replication, blockSize,
+      progress, bufferSize, checksumOpt);
+    final byte[] key = dfsos.getKey();
+    final byte[] iv = dfsos.getIv();
+    Preconditions.checkState(!(key == null ^ iv == null),
+      "Only one of the Key and IV were found.");
+    if (false && key != null) {
+
+      /*
+       * The Key and IV were found. Wrap up the output stream with an encryption
+       * wrapper.
+       */
+      final CryptoOutputStream cbos =
+        new CryptoOutputStream(dfsos, factory, key, iv);
+      return new HdfsDataOutputStream(cbos, getStatistics());
+    } else {
+      /* No key/IV present so no encryption. */
+      return new HdfsDataOutputStream(dfsos, getStatistics());
+    }
   }
 
   @Override
@@ -307,8 +333,25 @@ public void mkdir(Path dir, FsPermission permission, boolean createParent)
   @Override
   public HdfsDataInputStream open(Path f, int bufferSize) 
       throws IOException, UnresolvedLinkException {
-    return new DFSClient.DFSDataInputStream(dfs.open(getUriPath(f),
-        bufferSize, verifyChecksum));
+    final DFSInputStream dfsis = dfs.open(getUriPath(f),
+      bufferSize, verifyChecksum);
+    final byte[] key = dfsis.getKey();
+    final byte[] iv = dfsis.getIv();
+    Preconditions.checkState(!(key == null ^ iv == null),
+      "Only one of the Key and IV were found.");
+    if (false && key != null) {
+
+      /*
+       * The Key and IV were found. Wrap up the input stream with an encryption
+       * wrapper.
+       */
+      final CryptoInputStream cbis =
+        new CryptoInputStream(dfsis, factory, key, iv);
+      return new HdfsDataInputStream(cbis);
+    } else {
+      /* No key/IV pair so no encryption. */
+      return new HdfsDataInputStream(dfsis);
+    }
   }
 
   @Override
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInputStream.java
index 1750aa7a30b..f9763eced1a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInputStream.java
@@ -88,6 +88,8 @@ public class DFSInputStream extends FSInputStream
   private final boolean verifyChecksum;
   private LocatedBlocks locatedBlocks = null;
   private long lastBlockBeingWrittenLength = 0;
+  private byte[] key = null;
+  private byte[] iv = null;
   private DatanodeInfo currentNode = null;
   private LocatedBlock currentLocatedBlock = null;
   private long pos = 0;
@@ -297,6 +299,8 @@ private long fetchLocatedBlocksAndGetLastBlockLength() throws IOException {
       }
     }
 
+    key = locatedBlocks.getKey();
+    iv = locatedBlocks.getIv();
     currentNode = null;
     return lastBlockBeingWrittenLength;
   }
@@ -1517,6 +1521,24 @@ public synchronized ReadStatistics getReadStatistics() {
     return new ReadStatistics(readStatistics);
   }
 
+  /**
+   * Get the encryption key for this stream.
+   *
+   * @return byte[] the key
+   */
+  public synchronized byte[] getKey() {
+    return key;
+  }
+
+  /**
+   * Get the encryption initialization vector (IV) for this stream.
+   *
+   * @return byte[] the initialization vector (IV).
+   */
+  public synchronized byte[] getIv() {
+    return iv;
+  }
+
   private synchronized void closeCurrentBlockReader() {
     if (blockReader == null) return;
     // Close the current block reader so that the new caching settings can 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
index 8ae750d8e89..dde4bad7ef2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
@@ -154,6 +154,8 @@ public class DFSOutputStream extends FSOutputSummer
   private boolean shouldSyncBlock = false; // force blocks to disk upon close
   private final AtomicReference<CachingStrategy> cachingStrategy;
   private boolean failPacket = false;
+  private byte[] key = null;
+  private byte[] iv = null;
   
   private static class Packet {
     private static final long HEART_BEAT_SEQNO = -1L;
@@ -1562,6 +1564,8 @@ private DFSOutputStream(DFSClient dfsClient, String src, Progressable progress,
     this.fileId = stat.getFileId();
     this.blockSize = stat.getBlockSize();
     this.blockReplication = stat.getReplication();
+    this.key = stat.getKey();
+    this.iv = stat.getIv();
     this.progress = progress;
     this.cachingStrategy = new AtomicReference<CachingStrategy>(
         dfsClient.getDefaultWriteCachingStrategy());
@@ -2178,6 +2182,24 @@ long getInitialLen() {
     return initialFileSize;
   }
 
+  /**
+   * Get the encryption key for this stream.
+   *
+   * @return byte[] the key.
+   */
+  public byte[] getKey() {
+    return key;
+  }
+
+  /**
+   * Get the encryption initialization vector (IV) for this stream.
+   *
+   * @return byte[] the initialization vector (IV).
+   */
+  public byte[] getIv() {
+    return iv;
+  }
+
   /**
    * Returns the access token currently used by streamer, for testing only
    */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsDataInputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsDataInputStream.java
index 9ed895ed7e4..e1269c49a3b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsDataInputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsDataInputStream.java
@@ -17,17 +17,21 @@
  */
 package org.apache.hadoop.hdfs.client;
 
+import java.io.InputStream;
 import java.io.IOException;
 import java.util.List;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.fs.FSDataInputStream;
+import org.apache.hadoop.crypto.CryptoInputStream;
 import org.apache.hadoop.hdfs.DFSInputStream;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.LocatedBlock;
 
+import com.google.common.base.Preconditions;
+
 /**
  * The Hdfs implementation of {@link FSDataInputStream}.
  */
@@ -38,25 +42,49 @@ public HdfsDataInputStream(DFSInputStream in) throws IOException {
     super(in);
   }
 
+  public HdfsDataInputStream(CryptoInputStream in) throws IOException {
+    super(in);
+    Preconditions.checkArgument(in.getWrappedStream() instanceof DFSInputStream,
+        "CryptoInputStream should wrap a DFSInputStream");
+  }
+
+  private DFSInputStream getDFSInputStream() {
+    if (in instanceof CryptoInputStream) {
+      return (DFSInputStream) ((CryptoInputStream) in).getWrappedStream();
+    }
+    return (DFSInputStream) in;
+  }
+
+  /**
+   * Get a reference to the wrapped output stream. We always want to return the
+   * actual underlying InputStream, even when we're using a CryptoStream. e.g.
+   * in the delegated methods below.
+   *
+   * @return the underlying output stream
+   */
+  public InputStream getWrappedStream() {
+      return in;
+  }
+
   /**
    * Get the datanode from which the stream is currently reading.
    */
   public DatanodeInfo getCurrentDatanode() {
-    return ((DFSInputStream) in).getCurrentDatanode();
+    return getDFSInputStream().getCurrentDatanode();
   }
 
   /**
    * Get the block containing the target position.
    */
   public ExtendedBlock getCurrentBlock() {
-    return ((DFSInputStream) in).getCurrentBlock();
+    return getDFSInputStream().getCurrentBlock();
   }
 
   /**
    * Get the collection of blocks that has already been located.
    */
   public synchronized List<LocatedBlock> getAllBlocks() throws IOException {
-    return ((DFSInputStream) in).getAllBlocks();
+    return getDFSInputStream().getAllBlocks();
   }
 
   /**
@@ -66,7 +94,7 @@ public synchronized List<LocatedBlock> getAllBlocks() throws IOException {
    * @return The visible length of the file.
    */
   public long getVisibleLength() throws IOException {
-    return ((DFSInputStream) in).getFileLength();
+    return getDFSInputStream().getFileLength();
   }
 
   /**
@@ -76,6 +104,6 @@ public long getVisibleLength() throws IOException {
    * bytes read through HdfsDataInputStream.
    */
   public synchronized DFSInputStream.ReadStatistics getReadStatistics() {
-    return ((DFSInputStream) in).getReadStatistics();
+    return getDFSInputStream().getReadStatistics();
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsDataOutputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsDataOutputStream.java
index adc8764b66f..214967863e7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsDataOutputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsDataOutputStream.java
@@ -18,14 +18,18 @@
 package org.apache.hadoop.hdfs.client;
 
 import java.io.IOException;
+import java.io.OutputStream;
 import java.util.EnumSet;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.crypto.CryptoOutputStream;
 import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.hdfs.DFSOutputStream;
 
+import com.google.common.base.Preconditions;
+
 /**
  * The Hdfs implementation of {@link FSDataOutputStream}.
  */
@@ -42,6 +46,18 @@ public HdfsDataOutputStream(DFSOutputStream out, FileSystem.Statistics stats
     this(out, stats, 0L);
   }
 
+  public HdfsDataOutputStream(CryptoOutputStream out, FileSystem.Statistics stats,
+      long startPosition) throws IOException {
+    super(out, stats, startPosition);
+    Preconditions.checkArgument(out.getWrappedStream() instanceof DFSOutputStream,
+        "CryptoOutputStream should wrap a DFSOutputStream");
+  }
+
+  public HdfsDataOutputStream(CryptoOutputStream out, FileSystem.Statistics stats)
+      throws IOException {
+    this(out, stats, 0L);
+  }
+
   /**
    * Get the actual number of replicas of the current block.
    * 
@@ -55,7 +71,11 @@ public HdfsDataOutputStream(DFSOutputStream out, FileSystem.Statistics stats
    * @return the number of valid replicas of the current block
    */
   public synchronized int getCurrentBlockReplication() throws IOException {
-    return ((DFSOutputStream)getWrappedStream()).getCurrentBlockReplication();
+    OutputStream wrappedStream = getWrappedStream();
+    if (wrappedStream instanceof CryptoOutputStream) {
+      wrappedStream = ((CryptoOutputStream) wrappedStream).getWrappedStream();
+    }
+    return ((DFSOutputStream) wrappedStream).getCurrentBlockReplication();
   }
   
   /**
@@ -67,14 +87,20 @@ public synchronized int getCurrentBlockReplication() throws IOException {
    * @see FSDataOutputStream#hsync()
    */
   public void hsync(EnumSet<SyncFlag> syncFlags) throws IOException {
-    ((DFSOutputStream) getWrappedStream()).hsync(syncFlags);
+    OutputStream wrappedStream = getWrappedStream();
+    if (wrappedStream instanceof CryptoOutputStream) {
+      ((CryptoOutputStream) wrappedStream).flush();
+      wrappedStream = ((CryptoOutputStream) wrappedStream).getWrappedStream();
+    }
+    ((DFSOutputStream) wrappedStream).hsync(syncFlags);
   }
   
   public static enum SyncFlag {
+
     /**
-     * When doing sync to DataNodes, also update the metadata (block
-     * length) in the NameNode
+     * When doing sync to DataNodes, also update the metadata (block length) in
+     * the NameNode.
      */
     UPDATE_LENGTH;
   }
-}
\ No newline at end of file
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java
index 7cc8c318803..42abbe855dc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java
@@ -161,4 +161,8 @@ public static enum DatanodeReportType {
   
   public static final String SEPARATOR_DOT_SNAPSHOT_DIR
       = Path.SEPARATOR + DOT_SNAPSHOT_DIR; 
+
+  /* Temporary until we stop hard-coding these values. */
+  public static final byte[] KEY = "0123456789012345".getBytes();
+  public static final byte[] IV = "ABCDEFGJIJKLMNOP".getBytes();
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java
index 66c56faa14b..b7310c5c0c4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java
@@ -44,6 +44,9 @@ public class HdfsFileStatus {
   private final String owner;
   private final String group;
   private final long fileId;
+
+  private final byte[] key;
+  private final byte[] iv;
   
   // Used by dir, not including dot and dotdot. Always zero for a regular file.
   private final int childrenNum;
@@ -65,9 +68,18 @@ public class HdfsFileStatus {
    * @param fileId the file id
    */
   public HdfsFileStatus(long length, boolean isdir, int block_replication,
-                    long blocksize, long modification_time, long access_time,
-                    FsPermission permission, String owner, String group, 
-                    byte[] symlink, byte[] path, long fileId, int childrenNum) {
+      long blocksize, long modification_time, long access_time,
+      FsPermission permission, String owner, String group, byte[] symlink,
+      byte[] path, long fileId, int childrenNum) {
+    this(length, isdir, block_replication, blocksize, modification_time,
+      access_time, permission, owner, group, symlink, path, fileId,
+      childrenNum, HdfsConstants.KEY, HdfsConstants.IV);
+  }
+
+  public HdfsFileStatus(long length, boolean isdir, int block_replication,
+      long blocksize, long modification_time, long access_time,
+      FsPermission permission, String owner, String group, byte[] symlink,
+    byte[] path, long fileId, int childrenNum, byte[] key, byte[] iv) {
     this.length = length;
     this.isdir = isdir;
     this.block_replication = (short)block_replication;
@@ -85,6 +97,8 @@ public HdfsFileStatus(long length, boolean isdir, int block_replication,
     this.path = path;
     this.fileId = fileId;
     this.childrenNum = childrenNum;
+    this.key = key;
+    this.iv = iv;
   }
 
   /**
@@ -238,6 +252,14 @@ final public long getFileId() {
     return fileId;
   }
   
+  final public byte[] getKey() {
+    return key;
+  }
+
+  final public byte[] getIv() {
+    return iv;
+  }
+
   final public int getChildrenNum() {
     return childrenNum;
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java
index 0f90e435a43..dfe566077be 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java
@@ -56,10 +56,10 @@ public HdfsLocatedFileStatus(long length, boolean isdir,
       int block_replication, long blocksize, long modification_time,
       long access_time, FsPermission permission, String owner, String group,
       byte[] symlink, byte[] path, long fileId, LocatedBlocks locations,
-      int childrenNum) {
+    int childrenNum, byte[] key, byte[] iv) {
     super(length, isdir, block_replication, blocksize, modification_time,
-        access_time, permission, owner, group, symlink, path, fileId,
-        childrenNum);
+      access_time, permission, owner, group, symlink, path, fileId,
+      childrenNum, key, iv);
     this.locations = locations;
   }
 	
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/LocatedBlocks.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/LocatedBlocks.java
index bac0e6a35b6..4fc2bc064c1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/LocatedBlocks.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/LocatedBlocks.java
@@ -35,22 +35,27 @@ public class LocatedBlocks {
   private final boolean underConstruction;
   private LocatedBlock lastLocatedBlock = null;
   private boolean isLastBlockComplete = false;
+  private final byte[] key;
+  private final byte[] iv;
 
   public LocatedBlocks() {
     fileLength = 0;
     blocks = null;
     underConstruction = false;
+    key = null;
+    iv = null;
   }
-  
-  /** public Constructor */
+
   public LocatedBlocks(long flength, boolean isUnderConstuction,
-      List<LocatedBlock> blks, 
-      LocatedBlock lastBlock, boolean isLastBlockCompleted) {
+    List<LocatedBlock> blks, LocatedBlock lastBlock,
+    boolean isLastBlockCompleted, byte[] key, byte[] iv) {
     fileLength = flength;
     blocks = blks;
     underConstruction = isUnderConstuction;
     this.lastLocatedBlock = lastBlock;
     this.isLastBlockComplete = isLastBlockCompleted;
+    this.key = key;
+    this.iv = iv;
   }
   
   /**
@@ -92,13 +97,21 @@ public long getFileLength() {
   }
 
   /**
-   * Return ture if file was under construction when 
-   * this LocatedBlocks was constructed, false otherwise.
+   * Return true if file was under construction when this LocatedBlocks was
+   * constructed, false otherwise.
    */
   public boolean isUnderConstruction() {
     return underConstruction;
   }
   
+  public byte[] getKey() {
+    return key;
+  }
+
+  public byte[] getIv() {
+    return iv;
+  }
+
   /**
    * Find block containing specified offset.
    * 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/SnapshottableDirectoryStatus.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/SnapshottableDirectoryStatus.java
index 959439b6342..b18e3f3458f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/SnapshottableDirectoryStatus.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/SnapshottableDirectoryStatus.java
@@ -61,7 +61,7 @@ public SnapshottableDirectoryStatus(long modification_time, long access_time,
       int snapshotNumber, int snapshotQuota, byte[] parentFullPath) {
     this.dirStatus = new HdfsFileStatus(0, true, 0, 0, modification_time,
         access_time, permission, owner, group, null, localName, inodeId,
-        childrenNum);
+        childrenNum, null /* key */, null /* IV */);
     this.snapshotNumber = snapshotNumber;
     this.snapshotQuota = snapshotQuota;
     this.parentFullPath = parentFullPath;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index 01a173f2d95..ffa305d55ef 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -1127,7 +1127,9 @@ public static LocatedBlocks convert(LocatedBlocksProto lb) {
         lb.getFileLength(), lb.getUnderConstruction(),
         PBHelper.convertLocatedBlock(lb.getBlocksList()),
         lb.hasLastBlock() ? PBHelper.convert(lb.getLastBlock()) : null,
-        lb.getIsLastBlockComplete());
+        lb.getIsLastBlockComplete(),
+        lb.hasKey() ? lb.getKey().toByteArray() : null,
+        lb.hasIv() ? lb.getIv().toByteArray() : null);
   }
   
   public static LocatedBlocksProto convert(LocatedBlocks lb) {
@@ -1139,6 +1141,12 @@ public static LocatedBlocksProto convert(LocatedBlocks lb) {
     if (lb.getLastLocatedBlock() != null) {
       builder.setLastBlock(PBHelper.convert(lb.getLastLocatedBlock()));
     }
+    if (lb.getKey() != null) {
+      builder.setKey(ByteString.copyFrom(lb.getKey()));
+    }
+    if (lb.getIv() != null) {
+      builder.setIv(ByteString.copyFrom(lb.getIv()));
+    }
     return builder.setFileLength(lb.getFileLength())
         .setUnderConstruction(lb.isUnderConstruction())
         .addAllBlocks(PBHelper.convertLocatedBlock2(lb.getLocatedBlocks()))
@@ -1264,7 +1272,9 @@ public static HdfsFileStatus convert(HdfsFileStatusProto fs) {
         fs.getPath().toByteArray(),
         fs.hasFileId()? fs.getFileId(): INodeId.GRANDFATHER_INODE_ID,
         fs.hasLocations() ? PBHelper.convert(fs.getLocations()) : null,
-        fs.hasChildrenNum() ? fs.getChildrenNum() : -1);
+        fs.hasChildrenNum() ? fs.getChildrenNum() : -1,
+        fs.hasKey() ? fs.getKey().toByteArray() : null,
+        fs.hasIv() ? fs.getIv().toByteArray() : null);
   }
 
   public static SnapshottableDirectoryStatus convert(
@@ -1314,6 +1324,12 @@ public static HdfsFileStatusProto convert(HdfsFileStatus fs) {
     if (fs.isSymlink())  {
       builder.setSymlink(ByteString.copyFrom(fs.getSymlinkInBytes()));
     }
+    if (fs.getKey() != null) {
+      builder.setKey(ByteString.copyFrom(fs.getKey()));
+    }
+    if (fs.getIv() != null) {
+      builder.setIv(ByteString.copyFrom(fs.getIv()));
+    }
     if (fs instanceof HdfsLocatedFileStatus) {
       LocatedBlocks locations = ((HdfsLocatedFileStatus)fs).getBlockLocations();
       if (locations != null) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
index c58036fc8aa..d841100823f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
@@ -52,6 +52,8 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
+import org.apache.hadoop.hdfs.protocol.HdfsConstants;
+
 import org.apache.hadoop.hdfs.protocol.LocatedBlock;
 import org.apache.hadoop.hdfs.protocol.LocatedBlocks;
 import org.apache.hadoop.hdfs.protocol.UnregisteredNodeException;
@@ -847,7 +849,8 @@ public LocatedBlocks createLocatedBlocks(final BlockInfo[] blocks,
       return null;
     } else if (blocks.length == 0) {
       return new LocatedBlocks(0, isFileUnderConstruction,
-          Collections.<LocatedBlock>emptyList(), null, false);
+          Collections.<LocatedBlock>emptyList(), null, false,
+          null /* key */, null /* IV */);
     } else {
       if (LOG.isDebugEnabled()) {
         LOG.debug("blocks = " + java.util.Arrays.asList(blocks));
@@ -872,7 +875,8 @@ public LocatedBlocks createLocatedBlocks(final BlockInfo[] blocks,
       }
       return new LocatedBlocks(
           fileSizeExcludeBlocksUnderConstruction, isFileUnderConstruction,
-          locatedblocks, lastlb, isComplete);
+          locatedblocks, lastlb, isComplete,
+              HdfsConstants.KEY, HdfsConstants.IV);
     }
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index a21b7dba339..939cb52d473 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -1640,7 +1640,7 @@ private HdfsFileStatus getFileInfo4DotSnapshot(String src)
       throws UnresolvedLinkException {
     if (getINode4DotSnapshot(src) != null) {
       return new HdfsFileStatus(0, true, 0, 0, 0, 0, null, null, null, null,
-          HdfsFileStatus.EMPTY_NAME, -1L, 0);
+          HdfsFileStatus.EMPTY_NAME, -1L, 0, null /* key */, null /* IV */);
     }
     return null;
   }
@@ -2611,7 +2611,9 @@ HdfsFileStatus createFileStatus(byte[] path, INode node,
         node.isSymlink() ? node.asSymlink().getSymlink() : null,
         path,
         node.getId(),
-        childrenNum);
+        childrenNum,
+        HdfsConstants.KEY,  // key
+        HdfsConstants.IV); // IV
   }
 
   /**
@@ -2651,7 +2653,7 @@ private HdfsLocatedFileStatus createLocatedFileStatus(byte[] path,
           getPermissionForFileStatus(node, snapshot),
           node.getUserName(snapshot), node.getGroupName(snapshot),
           node.isSymlink() ? node.asSymlink().getSymlink() : null, path,
-          node.getId(), loc, childrenNum);
+          node.getId(), loc, childrenNum, null /* key */, null /* IV */);
     // Set caching information for the located blocks.
     if (loc != null) {
       CacheManager cacheManager = namesystem.getCacheManager();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/JsonUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/JsonUtil.java
index 41a79559f9e..3980b559b70 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/JsonUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/JsonUtil.java
@@ -251,7 +251,8 @@ public static HdfsFileStatus toFileStatus(final Map<?, ?> json, boolean includes
             : childrenNumLong.intValue();
     return new HdfsFileStatus(len, type == PathType.DIRECTORY, replication,
         blockSize, mTime, aTime, permission, owner, group,
-        symlink, DFSUtil.string2Bytes(localName), fileId, childrenNum);
+        symlink, DFSUtil.string2Bytes(localName), fileId, childrenNum,
+        null /* key */, null /* IV */);
   }
 
   /** Convert an ExtendedBlock to a Json map. */
@@ -531,7 +532,7 @@ public static LocatedBlocks toLocatedBlocks(final Map<?, ?> json
         (Map<?, ?>)m.get("lastLocatedBlock"));
     final boolean isLastBlockComplete = (Boolean)m.get("isLastBlockComplete");
     return new LocatedBlocks(fileLength, isUnderConstruction, locatedBlocks,
-        lastLocatedBlock, isLastBlockComplete);
+        lastLocatedBlock, isLastBlockComplete, null /* key */, null /* IV */);
   }
 
   /** Convert a ContentSummary to a Json string. */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
index 2d7ca245a73..6ca22a136e8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
@@ -179,6 +179,8 @@ message LocatedBlocksProto {
   required bool underConstruction = 3;
   optional LocatedBlockProto lastBlock = 4;
   required bool isLastBlockComplete = 5;
+  optional bytes key = 6;
+  optional bytes iv = 7;
 }
 
 
@@ -212,6 +214,10 @@ message HdfsFileStatusProto {
   // Optional field for fileId
   optional uint64 fileId = 13 [default = 0]; // default as an invalid id
   optional int32 childrenNum = 14 [default = -1];
+
+  // Optional fields for key/iv for encryption
+  optional bytes key = 15;
+  optional bytes iv = 16;
 } 
 
 /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestHDFSEncryption.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestHDFSEncryption.java
new file mode 100644
index 00000000000..4b32fe42135
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestHDFSEncryption.java
@@ -0,0 +1,352 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.fs;
+
+import static org.apache.hadoop.fs.CreateFlag.CREATE;
+import static org.apache.hadoop.fs.FileContextTestHelper.getDefaultBlockSize;
+import static org.apache.hadoop.fs.FileContextTestHelper.getFileData;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Arrays;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.UUID;
+
+import javax.security.auth.login.LoginException;
+
+import org.apache.commons.lang.RandomStringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
+import org.apache.hadoop.crypto.key.KeyProvider;
+import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
+import org.apache.hadoop.crypto.key.KeyProviderFactory;
+import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.hdfs.HdfsConfiguration;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.ipc.RemoteException;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.test.GenericTestUtils;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestHDFSEncryption {
+  private static MiniDFSCluster cluster;
+  private static Path defaultWorkingDirectory;
+  private static final HdfsConfiguration CONF = new HdfsConfiguration();
+  private static FileContext fc;
+  private Path localFsRootPath;
+  private Path src1;
+  /* The KeyProvider, if any. */
+  private static KeyProvider provider = null;
+
+  private static File tmpDir;
+
+  @BeforeClass
+  public static void clusterSetupAtBegining() throws IOException,
+      LoginException, URISyntaxException {
+    tmpDir = new File(System.getProperty("test.build.data", "target"),
+        UUID.randomUUID().toString()).getAbsoluteFile();
+    tmpDir.mkdirs();
+
+    CONF.set(KeyProviderFactory.KEY_PROVIDER_PATH,
+            JavaKeyStoreProvider.SCHEME_NAME + "://file" + tmpDir + "/test.jks");
+    initializeKeyProvider(CONF);
+    try {
+      createOneKey();
+      KeyVersion blort = provider.getCurrentKey("blort");
+    } catch (java.security.NoSuchAlgorithmException e) {
+      throw new RuntimeException(e);
+    }
+
+    cluster = new MiniDFSCluster.Builder(CONF).numDataNodes(1).build();
+    cluster.waitClusterUp();
+
+    URI uri0 = cluster.getURI(0);
+    fc = FileContext.getFileContext(uri0, CONF);
+    defaultWorkingDirectory = fc.makeQualified(new Path("/user/" +
+        UserGroupInformation.getCurrentUser().getShortUserName()));
+    fc.mkdir(defaultWorkingDirectory, FileContext.DEFAULT_PERM, true);
+  }
+
+  private static void initializeKeyProvider(final Configuration conf)
+    throws IOException {
+    final List<KeyProvider> providers = KeyProviderFactory.getProviders(conf);
+    if (providers == null) {
+      return;
+    }
+
+    if (providers.size() == 0) {
+      return;
+    }
+
+    if (providers.size() > 1) {
+      final String err =
+        "Multiple KeyProviders found. Only one is permitted.";
+      throw new RuntimeException(err);
+    }
+    provider = providers.get(0);
+    if (provider.isTransient()) {
+      final String err =
+        "A KeyProvider was found but it is a transient provider.";
+      throw new RuntimeException(err);
+    }
+  }
+
+  private static void createOneKey()
+    throws java.security.NoSuchAlgorithmException, IOException {
+    final org.apache.hadoop.crypto.key.KeyProvider.Options options =
+      KeyProvider.options(CONF);
+    provider.createKey("blort", options);
+    provider.flush();
+  }
+
+  @AfterClass
+  public static void ClusterShutdownAtEnd() throws Exception {
+    if (cluster != null) {
+      cluster.shutdown();
+      cluster = null;
+    }
+  }
+
+  @Before
+  public void setUp() throws Exception {
+    File testBuildData = new File(System.getProperty("test.build.data",
+            "build/test/data"), RandomStringUtils.randomAlphanumeric(10));
+    Path rootPath = new Path(testBuildData.getAbsolutePath(),
+            "root-uri");
+    localFsRootPath = rootPath.makeQualified(LocalFileSystem.NAME, null);
+    fc.mkdir(getTestRootPath(fc, "test"), FileContext.DEFAULT_PERM, true);
+    src1 = getTestRootPath(fc, "testfile");
+  }
+
+  @After
+  public void tearDown() throws Exception {
+    final boolean del =
+      fc.delete(new Path(fileContextTestHelper.getAbsoluteTestRootPath(fc), new Path("test")), true);
+    assertTrue(del);
+    fc.delete(localFsRootPath, true);
+  }
+
+  protected final FileContextTestHelper fileContextTestHelper =
+    createFileContextHelper();
+
+  protected FileContextTestHelper createFileContextHelper() {
+    return new FileContextTestHelper();
+  }
+
+  protected Path getDefaultWorkingDirectory() {
+    return defaultWorkingDirectory;
+  }
+
+  private Path getTestRootPath(FileContext fc, String path) {
+    return fileContextTestHelper.getTestRootPath(fc, path);
+  }
+
+  protected IOException unwrapException(IOException e) {
+    if (e instanceof RemoteException) {
+      return ((RemoteException) e).unwrapRemoteException();
+    }
+    return e;
+  }
+
+  private static final int NUM_BLOCKS = 3;
+
+  private static final byte[] data = getFileData(NUM_BLOCKS,
+      getDefaultBlockSize());
+
+  private void writeSomeData() throws Exception {
+    writeSomeData(false, false);
+  }
+
+  private void writeSomeData(boolean doHFlush, boolean doHSync) throws Exception {
+    final FSDataOutputStream out =
+      fc.create(src1, EnumSet.of(CREATE), Options.CreateOpts.createParent());
+    out.write(data, 0, data.length);
+    if (doHFlush) {
+      out.hflush();
+    }
+
+    if (doHSync) {
+      out.hsync();
+    }
+
+    out.close();
+  }
+
+  private void writeAndVerify(boolean doHFlush, boolean doHSync) throws Exception {
+    writeSomeData(doHFlush, doHSync);
+
+    final FSDataInputStream in = fc.open(src1);
+    try {
+      final byte[] readBuf = new byte[getDefaultBlockSize() * NUM_BLOCKS];
+
+      in.readFully(readBuf);
+      assertTrue("Expected read-back data to be equal (hflush=" + doHFlush
+        + " hfsync=" + doHSync + ")", Arrays.equals(data, readBuf));
+    } finally {
+      in.close();
+    }
+  }
+
+  @Test
+  public void testBasicEncryptionStreamNoFlushNoSync() throws Exception {
+    writeAndVerify(false, false);
+  }
+
+  @Test
+  public void testBasicEncryptionStreamFlushSync() throws Exception {
+    writeAndVerify(true, true);
+  }
+
+  @Test
+  public void testBasicEncryptionStreamNoFlushSync() throws Exception {
+    writeAndVerify(false, true);
+  }
+
+  @Test
+  public void testBasicEncryptionStreamFlushNoSync() throws Exception {
+    writeAndVerify(true, false);
+  }
+
+  @Test
+  public void testGetPos() throws Exception {
+    writeSomeData();
+
+    final FSDataInputStream in = fc.open(src1);
+
+    int expectedGetPos = 0;
+    while (in.read() != -1) {
+      assertTrue(++expectedGetPos == in.getPos());
+    }
+  }
+
+  @Test
+  public void testDoubleClose() throws Exception {
+    writeSomeData();
+
+    final FSDataInputStream in = fc.open(src1);
+    in.close();
+    try {
+      in.close();
+    } catch (Exception e) {
+      fail("Caught unexpected exception on double-close: " + e);
+    }
+  }
+
+  @Test
+  public void testHFlush() throws Exception {
+    final DistributedFileSystem fs = cluster.getFileSystem();
+    final FSDataOutputStream out =
+      fc.create(src1, EnumSet.of(CREATE), Options.CreateOpts.createParent());
+    out.write(data, 0, data.length);
+    out.hflush();
+    out.close();
+  }
+
+  @Test
+  public void testSeekBogusArgs() throws Exception {
+    writeSomeData();
+
+    final FSDataInputStream in = fc.open(src1);
+    try {
+      in.seek(-1);
+      fail("Expected IOException");
+    } catch (Exception e) {
+      GenericTestUtils.assertExceptionContains("Cannot seek to negative offset", e);
+    }
+
+    try {
+      in.seek(1 << 20);
+      fail("Expected IOException");
+    } catch (Exception e) {
+      GenericTestUtils.assertExceptionContains("Cannot seek after EOF", e);
+    }
+    in.close();
+  }
+
+  @Test
+  public void testSeekForward() throws Exception {
+    writeSomeData();
+
+    final FSDataInputStream in = fc.open(src1);
+
+    for (int seekInc = 1; seekInc < 1024; seekInc += 32) {
+      long seekTo = 0;
+      while (seekTo < data.length) {
+        in.seek(seekTo);
+        int b = in.read();
+        byte expected = data[(int) seekTo];
+        assertTrue("seek(" + seekTo + ") Expected: " + expected + ", but got: " + b,
+          b == expected);
+        seekTo += seekInc;
+      }
+    }
+    in.close();
+  }
+
+  @Test
+  public void testSeekBackwards() throws Exception {
+    writeSomeData();
+
+    final FSDataInputStream in = fc.open(src1);
+
+    for (int seekInc = 1; seekInc < 1024; seekInc += 32) {
+      long seekTo = data.length - 1;
+      while (seekTo >= 0) {
+        in.seek(seekTo);
+        int b = in.read();
+        byte expected = data[(int) seekTo];
+        assertTrue("seek(" + seekTo + ") Expected: " + expected + ", but got: " + b,
+          b == expected);
+        seekTo -= seekInc;
+      }
+    }
+    in.close();
+  }
+
+  @Test
+  public void testPostionedReadable() throws Exception {
+    writeSomeData();
+
+    final FSDataInputStream in = fc.open(src1);
+
+    try {
+      final byte[] oneByteToRead = new byte[1];
+      for (int i = 0; i < data.length; i++) {
+        int nread = in.read(i, oneByteToRead, 0, 1);
+        final byte b = oneByteToRead[0];
+        byte expected = data[(int) i];
+        assertTrue("read() expected only one byte to be read, but got " + nread, nread == 1);
+        assertTrue("read() expected: " + expected + ", but got: " + b,
+          b == expected);
+      }
+    } finally {
+      in.close();
+    }
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java
index c11cdc34ead..f42496920b5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java
@@ -253,12 +253,12 @@ public Object answer(InvocationOnMock invocation)
     Mockito.doReturn(
             new HdfsFileStatus(0, false, 1, 1024, 0, 0, new FsPermission(
                 (short) 777), "owner", "group", new byte[0], new byte[0],
-                1010, 0)).when(mockNN).getFileInfo(anyString());
+                1010, 0, null, null)).when(mockNN).getFileInfo(anyString());
     
     Mockito.doReturn(
             new HdfsFileStatus(0, false, 1, 1024, 0, 0, new FsPermission(
                 (short) 777), "owner", "group", new byte[0], new byte[0],
-                1010, 0))
+                1010, 0, null, null))
         .when(mockNN)
         .create(anyString(), (FsPermission) anyObject(), anyString(),
             (EnumSetWritable<CreateFlag>) anyObject(), anyBoolean(),
@@ -494,7 +494,8 @@ private LocatedBlocks makeBadBlockList(LocatedBlocks goodBlockList) {
       List<LocatedBlock> badBlocks = new ArrayList<LocatedBlock>();
       badBlocks.add(badLocatedBlock);
       return new LocatedBlocks(goodBlockList.getFileLength(), false,
-                               badBlocks, null, true);
+                               badBlocks, null, true,
+                               null /* key */, null /* IV */);
     }
   }
   
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java
index cb32de0fccb..4c34681e4fe 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java
@@ -95,7 +95,7 @@ public void testLocatedBlocks2Locations() {
     LocatedBlock l2 = new LocatedBlock(b2, ds, 0, true);
 
     List<LocatedBlock> ls = Arrays.asList(l1, l2);
-    LocatedBlocks lbs = new LocatedBlocks(10, false, ls, l2, true);
+    LocatedBlocks lbs = new LocatedBlocks(10, false, ls, l2, true, null, null);
 
     BlockLocation[] bs = DFSUtil.locatedBlocks2Locations(lbs);
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java
index b8cab893696..6487843d008 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java
@@ -339,12 +339,12 @@ public void testFactory() throws Exception {
     Mockito.doReturn(
         new HdfsFileStatus(0, false, 1, 1024, 0, 0, new FsPermission(
             (short) 777), "owner", "group", new byte[0], new byte[0],
-            1010, 0)).when(mcp).getFileInfo(anyString());
+            1010, 0, null, null)).when(mcp).getFileInfo(anyString());
     Mockito
         .doReturn(
             new HdfsFileStatus(0, false, 1, 1024, 0, 0, new FsPermission(
                 (short) 777), "owner", "group", new byte[0], new byte[0],
-                1010, 0))
+                1010, 0, null, null))
         .when(mcp)
         .create(anyString(), (FsPermission) anyObject(), anyString(),
             (EnumSetWritable<CreateFlag>) anyObject(), anyBoolean(),
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
index 0f68e791a6d..17df7f6ef22 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
@@ -1015,7 +1015,7 @@ public void testFsckFileNotFound() throws Exception {
 
     HdfsFileStatus file = new HdfsFileStatus(length, isDir, blockReplication,
         blockSize, modTime, accessTime, perms, owner, group, symlink, path,
-        fileId, numChildren);
+        fileId, numChildren, null, null);
     Result res = new Result(conf);
 
     try {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestJsonUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestJsonUtil.java
index ffaf193d863..e82c7066f9d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestJsonUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestJsonUtil.java
@@ -64,7 +64,7 @@ public void testHdfsFileStatus() {
     final HdfsFileStatus status = new HdfsFileStatus(1001L, false, 3, 1L << 26,
         now, now + 10, new FsPermission((short) 0644), "user", "group",
         DFSUtil.string2Bytes("bar"), DFSUtil.string2Bytes("foo"),
-        INodeId.GRANDFATHER_INODE_ID, 0);
+        INodeId.GRANDFATHER_INODE_ID, 0, null, null);
     final FileStatus fstatus = toFileStatus(status, parent);
     System.out.println("status  = " + status);
     System.out.println("fstatus = " + fstatus);

From 1cbff8ff824a330fe34a49400bdec963e74f7015 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 6 Jun 2014 00:55:14 +0000
Subject: [PATCH 011/354] HDFS-6476. Print out the KeyProvider after finding KP
 successfully on startup. Contributed by Juan Yu.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1600799 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt      | 3 +++
 .../java/org/apache/hadoop/hdfs/server/namenode/NameNode.java  | 1 +
 2 files changed, 4 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 4d02b398a73..10e5abbd9f1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -8,6 +8,9 @@ fs-encryption (Unreleased)
 
   IMPROVEMENTS
 
+    HDFS-6476. Print out the KeyProvider after finding KP successfully on
+    startup. (Juan Yu via wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
index 504e3ed2013..8f916ce253b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
@@ -730,6 +730,7 @@ private void initializeKeyProvider(final Configuration conf) {
         LOG.error(err);
         throw new RuntimeException(err);
       }
+      LOG.info("Found KeyProvider: " + provider.toString());
     } catch (IOException e) {
       LOG.error("Exception while initializing KeyProvider", e);
     }

From 3f892e9d534e05936ab849eeabef77ded4c8651b Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Fri, 6 Jun 2014 01:42:18 +0000
Subject: [PATCH 012/354] HDFS-6473. Protocol and API for Encryption Zones
 (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1600803 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  2 +
 hadoop-hdfs-project/hadoop-hdfs/pom.xml       |  1 +
 .../org/apache/hadoop/hdfs/DFSClient.java     | 29 +++++++
 .../hadoop/hdfs/DistributedFileSystem.java    | 17 ++++
 .../apache/hadoop/hdfs/client/HdfsAdmin.java  | 70 ++++++++++++++++
 .../hadoop/hdfs/protocol/ClientProtocol.java  | 26 ++++++
 .../hadoop/hdfs/protocol/EncryptionZone.java  | 79 +++++++++++++++++++
 ...amenodeProtocolServerSideTranslatorPB.java | 41 ++++++++++
 .../ClientNamenodeProtocolTranslatorPB.java   | 41 +++++++++-
 .../hadoop/hdfs/protocolPB/PBHelper.java      | 42 ++++++++++
 .../hdfs/server/namenode/FSNamesystem.java    | 12 +++
 .../server/namenode/NameNodeRpcServer.java    | 17 ++++
 .../main/proto/ClientNamenodeProtocol.proto   |  7 ++
 .../src/main/proto/encryption.proto           | 61 ++++++++++++++
 14 files changed, 444 insertions(+), 1 deletion(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZone.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 10e5abbd9f1..b7abd062f4d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -8,6 +8,8 @@ fs-encryption (Unreleased)
 
   IMPROVEMENTS
 
+    HDFS-6473. Protocol and API for Encryption Zones (clamb)
+
     HDFS-6476. Print out the KeyProvider after finding KP successfully on
     startup. (Juan Yu via wang)
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/pom.xml b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
index 1e1972961d8..03635aa3041 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/pom.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
@@ -294,6 +294,7 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
                   <include>datatransfer.proto</include>
                   <include>fsimage.proto</include>
                   <include>hdfs.proto</include>
+                  <include>encryption.proto</include>
                 </includes>
               </source>
               <output>${project.build.directory}/generated-sources/java</output>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index 4d2da799e15..2a39bac224e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -136,6 +136,7 @@
 import org.apache.hadoop.hdfs.protocol.DSQuotaExceededException;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsBlocksMetadata;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
@@ -2775,6 +2776,34 @@ public AclStatus getAclStatus(String src) throws IOException {
     }
   }
   
+  public void createEncryptionZone(String src, String keyId)
+    throws IOException {
+    checkOpen();
+    try {
+      namenode.createEncryptionZone(src, keyId);
+    } catch (RemoteException re) {
+      throw re.unwrapRemoteException(AccessControlException.class,
+                                     SafeModeException.class,
+                                     UnresolvedPathException.class);
+    }
+  }
+
+  public void deleteEncryptionZone(String src) throws IOException {
+    checkOpen();
+    try {
+      namenode.deleteEncryptionZone(src);
+    } catch (RemoteException re) {
+      throw re.unwrapRemoteException(AccessControlException.class,
+                                     SafeModeException.class,
+                                     UnresolvedPathException.class);
+    }
+  }
+
+  public List<EncryptionZone> listEncryptionZones() throws IOException {
+    checkOpen();
+    return namenode.listEncryptionZones();
+  }
+
   public void setXAttr(String src, String name, byte[] value, 
       EnumSet<XAttrSetFlag> flag) throws IOException {
     checkOpen();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
index 1f577271b44..2fe049f68ee 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
@@ -68,6 +68,7 @@
 import org.apache.hadoop.hdfs.protocol.CachePoolInfo;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.RollingUpgradeAction;
@@ -1795,6 +1796,22 @@ public AclStatus next(final FileSystem fs, final Path p)
     }.resolve(this, absF);
   }
   
+  /* HDFS only */
+  public void createEncryptionZone(Path path, String keyId)
+    throws IOException {
+    dfs.createEncryptionZone(getPathName(path), keyId);
+  }
+
+  /* HDFS only */
+  public void deleteEncryptionZone(Path path) throws IOException {
+    dfs.deleteEncryptionZone(getPathName(path));
+  }
+
+  /* HDFS only */
+  public List<EncryptionZone> listEncryptionZones() throws IOException {
+    return dfs.listEncryptionZones();
+  }
+
   @Override
   public void setXAttr(Path path, final String name, final byte[] value, 
       final EnumSet<XAttrSetFlag> flag) throws IOException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
index 0f0769e302c..a13edfe5c5a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
@@ -17,9 +17,11 @@
  */
 package org.apache.hadoop.hdfs.client;
 
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URI;
 import java.util.EnumSet;
+import java.util.List;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
@@ -33,7 +35,9 @@
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveInfo;
 import org.apache.hadoop.hdfs.protocol.CachePoolEntry;
 import org.apache.hadoop.hdfs.protocol.CachePoolInfo;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
+import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.hdfs.tools.DFSAdmin;
 
 /**
@@ -225,4 +229,70 @@ public void removeCachePool(String poolName) throws IOException {
   public RemoteIterator<CachePoolEntry> listCachePools() throws IOException {
     return dfs.listCachePools();
   }
+
+  /**
+   * Create an encryption zone rooted at path using the optional encryption key
+   * id. An encryption zone is a portion of the HDFS file system hierarchy in
+   * which all files are encrypted with the same key, but possibly different
+   * key versions per file.
+   * <p/>
+   * Path must refer to an empty, existing directory. Otherwise an IOException
+   * will be thrown. keyId specifies the id of an encryption key in the
+   * KeyProvider that the Namenode has been configured to use. If keyId is
+   * null, then a key is generated in the KeyProvider using {@link
+   * java.util.UUID} to generate a key id.
+   *
+   * @param path The path of the root of the encryption zone.
+   *
+   * @param keyId An optional keyId in the KeyProvider. If null, then
+   * a key is generated.
+   *
+   * @throws IOException if there was a general IO exception
+   *
+   * @throws AccessControlException if the caller does not have access to path
+   *
+   * @throws FileNotFoundException if the path does not exist
+   */
+  public void createEncryptionZone(Path path, String keyId)
+    throws IOException, AccessControlException, FileNotFoundException {
+    dfs.createEncryptionZone(path, keyId);
+  }
+
+  /**
+   * Delete the encryption zone rooted at path. Path must refer to an existing,
+   * empty directory. Otherwise, an IOException is thrown. This method removes
+   * those extended attributes on the directory which indicate that it is part
+   * of an encryption zone. Following successful completion of this call, any
+   * new files created in the directory (or it's children) will not be
+   * encrypted. The directory is not removed by this method.
+   *
+   * @param path The path of the root of the encryption zone.
+   *
+   * @throws IOException if there was a general IO exception
+   *
+   * @throws AccessControlException if the caller does not have access to path
+   *
+   * @throws FileNotFoundException if the path does not exist
+   */
+  public void deleteEncryptionZone(Path path)
+    throws IOException, AccessControlException, FileNotFoundException {
+    dfs.deleteEncryptionZone(path);
+  }
+
+  /**
+   * Return a list of all {@EncryptionZone}s in the HDFS hierarchy which are
+   * visible to the caller. If the caller is the HDFS admin, then the returned
+   * EncryptionZone instances will have the key id field filled in. If the
+   * caller is not the HDFS admin, then the EncryptionZone instances will only
+   * have the path field filled in and only those zones that are visible to the
+   * user are returned.
+   *
+   * @throws IOException if there was a general IO exception
+   *
+   * @return List<EncryptionZone> the list of Encryption Zones that the caller has
+   * access to.
+   */
+  public List<EncryptionZone> listEncryptionZones() throws IOException {
+    return dfs.listEncryptionZones();
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index c97a8c800a8..fbbd44a9d0c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -1257,6 +1257,32 @@ public void removeAclEntries(String src, List<AclEntry> aclSpec)
   @Idempotent
   public AclStatus getAclStatus(String src) throws IOException;
   
+  /**
+   * Create an encryption zone
+   */
+  @AtMostOnce
+  public void createEncryptionZone(String src, String keyId)
+    throws IOException;
+
+  /**
+   * Delete an encryption zone
+   */
+  @AtMostOnce
+  public void deleteEncryptionZone(String src)
+    throws IOException;
+
+  /**
+   * Return a list of all {@EncryptionZone}s in the HDFS hierarchy which are
+   * visible to the caller. If the caller is the HDFS admin, then the returned
+   * EncryptionZone instances will have the key id field filled in. If the
+   * caller is not the HDFS admin, then the EncryptionZone instances will only
+   * have the path field filled in and only those zones that are visible to the
+   * user are returned.
+   */
+  @Idempotent
+  public List<EncryptionZone> listEncryptionZones()
+    throws IOException;
+
   /**
    * Set xattr of a file or directory.
    * A regular user only can set xattr of "user" namespace.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZone.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZone.java
new file mode 100644
index 00000000000..f4fcc609e41
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZone.java
@@ -0,0 +1,79 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.protocol;
+
+import org.apache.commons.lang.builder.EqualsBuilder;
+import org.apache.commons.lang.builder.HashCodeBuilder;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+/**
+ * A simple class for representing an encryption zone. Presently an encryption
+ * zone only has a path (the root of the encryption zone) and a key id.
+ */
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public class EncryptionZone {
+
+  private final String path;
+  private final String keyId;
+
+  public EncryptionZone(String path, String keyId) {
+    this.path = path;
+    this.keyId = keyId;
+  }
+
+  public String getPath() {
+    return path;
+  }
+
+  public String getKeyId() {
+    return keyId;
+  }
+
+  @Override
+  public int hashCode() {
+    return new HashCodeBuilder(13, 31).
+      append(path).append(keyId).
+      toHashCode();
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (obj == null) {
+      return false;
+    }
+    if (obj == this) {
+      return true;
+    }
+    if (obj.getClass() != getClass()) {
+      return false;
+    }
+
+    EncryptionZone rhs = (EncryptionZone) obj;
+    return new EqualsBuilder().
+      append(path, rhs.path).
+      append(keyId, rhs.keyId).
+      isEquals();
+  }
+
+  @Override
+  public String toString() {
+    return "EncryptionZone [path=" + path + ", keyId=" + keyId + "]";
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
index 2b19669d6aa..7f4c03d544f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
@@ -171,6 +171,12 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdateBlockForPipelineResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdatePipelineRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdatePipelineResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.CreateEncryptionZoneResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.CreateEncryptionZoneRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.DeleteEncryptionZoneResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.DeleteEncryptionZoneRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeIDProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeInfoProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.LocatedBlockProto;
@@ -1275,6 +1281,41 @@ public GetAclStatusResponseProto getAclStatus(RpcController controller,
     }
   }
   
+  @Override
+  public CreateEncryptionZoneResponseProto createEncryptionZone(
+    RpcController controller, CreateEncryptionZoneRequestProto req)
+    throws ServiceException {
+    try {
+      server.createEncryptionZone(req.getSrc(), req.getKeyId());
+      return CreateEncryptionZoneResponseProto.newBuilder().build();
+    } catch (IOException e) {
+      throw new ServiceException(e);
+    }
+  }
+
+  @Override
+  public DeleteEncryptionZoneResponseProto deleteEncryptionZone(
+    RpcController controller, DeleteEncryptionZoneRequestProto req)
+    throws ServiceException {
+    try {
+      server.deleteEncryptionZone(req.getSrc());
+      return DeleteEncryptionZoneResponseProto.newBuilder().build();
+    } catch (IOException e) {
+      throw new ServiceException(e);
+    }
+  }
+
+  @Override
+  public ListEncryptionZonesResponseProto listEncryptionZones(
+    RpcController controller, ListEncryptionZonesRequestProto req)
+    throws ServiceException {
+    try {
+      return PBHelper.convertListEZResponse(server.listEncryptionZones());
+    } catch (IOException e) {
+      throw new ServiceException(e);
+    }
+  }
+
   @Override
   public SetXAttrResponseProto setXAttr(RpcController controller,
       SetXAttrRequestProto req) throws ServiceException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
index 57a46515356..bf43544bb62 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
@@ -51,6 +51,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.RollingUpgradeAction;
@@ -143,6 +144,9 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.SetTimesRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdateBlockForPipelineRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdatePipelineRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.CreateEncryptionZoneRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.DeleteEncryptionZoneRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.GetXAttrsRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.RemoveXAttrRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.SetXAttrRequestProto;
@@ -1273,7 +1277,42 @@ public AclStatus getAclStatus(String src) throws IOException {
       throw ProtobufHelper.getRemoteException(e);
     }
   }
-  
+
+  @Override
+  public void createEncryptionZone(String src, String keyId)
+    throws IOException {
+    final CreateEncryptionZoneRequestProto req =
+      CreateEncryptionZoneRequestProto.newBuilder().
+      setSrc(src).setKeyId(keyId).build();
+    try {
+      rpcProxy.createEncryptionZone(null, req);
+    } catch (ServiceException e) {
+      throw ProtobufHelper.getRemoteException(e);
+    }
+  }
+
+  @Override
+  public void deleteEncryptionZone(String src) throws IOException {
+    final DeleteEncryptionZoneRequestProto req =
+      DeleteEncryptionZoneRequestProto.newBuilder().setSrc(src).build();
+    try {
+      rpcProxy.deleteEncryptionZone(null, req);
+    } catch (ServiceException e) {
+      throw ProtobufHelper.getRemoteException(e);
+    }
+  }
+
+  @Override
+  public List<EncryptionZone> listEncryptionZones() throws IOException {
+    final ListEncryptionZonesRequestProto req =
+      ListEncryptionZonesRequestProto.newBuilder().build();
+    try {
+      return PBHelper.convert(rpcProxy.listEncryptionZones(null, req));
+    } catch (ServiceException e) {
+      throw ProtobufHelper.getRemoteException(e);
+    }
+  }
+
   @Override
   public void setXAttr(String src, XAttr xAttr, EnumSet<XAttrSetFlag> flag)
       throws IOException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index ffa305d55ef..6a4cc0ce1b3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -58,6 +58,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo.AdminStates;
 import org.apache.hadoop.hdfs.protocol.DatanodeLocalInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.FsAclPermission;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
@@ -110,6 +111,8 @@
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.ReceivedDeletedBlockInfoProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.RegisterCommandProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.StorageReportProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.EncryptionZoneProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.BlockKeyProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.BlockProto;
@@ -2180,6 +2183,45 @@ public static List<XAttr> convertXAttrs(List<XAttrProto> xAttrSpec) {
     return xAttrs;
   }
   
+  public static List<EncryptionZone> convert(ListEncryptionZonesResponseProto a) {
+    final List<EncryptionZoneProto> ezs = a.getPathsAndKeysList();
+    return convertEZ(ezs);
+  }
+
+  public static ListEncryptionZonesResponseProto convertListEZResponse(
+    List<EncryptionZone> ezs) {
+    final ListEncryptionZonesResponseProto.Builder builder =
+      ListEncryptionZonesResponseProto.newBuilder();
+    builder.addAllPathsAndKeys(convertEZProto(ezs));
+    return builder.build();
+  }
+
+  public static List<EncryptionZoneProto> convertEZProto(
+      List<EncryptionZone> ezs) {
+    final ArrayList<EncryptionZoneProto> ret =
+      Lists.newArrayListWithCapacity(ezs.size());
+    for (EncryptionZone a : ezs) {
+      final EncryptionZoneProto.Builder builder =
+        EncryptionZoneProto.newBuilder();
+      builder.setPath(a.getPath());
+      builder.setKeyId(a.getKeyId());
+      ret.add(builder.build());
+    }
+    return ret;
+  }
+
+  public static List<EncryptionZone> convertEZ(
+    List<EncryptionZoneProto> ezs) {
+    final ArrayList<EncryptionZone> ret =
+      Lists.newArrayListWithCapacity(ezs.size());
+    for (EncryptionZoneProto a : ezs) {
+      final EncryptionZone ez =
+        new EncryptionZone(a.getPath(), a.getKeyId());
+      ret.add(ez);
+    }
+    return ret;
+  }
+
   public static List<XAttr> convert(GetXAttrsResponseProto a) {
     List<XAttrProto> xAttrs = a.getXAttrsList();
     return convertXAttrs(xAttrs);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index ce8cbeedfc6..cbf11877533 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -155,6 +155,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
@@ -7824,6 +7825,17 @@ AclStatus getAclStatus(String src) throws IOException {
     }
   }
   
+  void createEncryptionZone(final String src, final String keyId)
+          throws IOException {
+  }
+
+  void deleteEncryptionZone(final String src) throws IOException {
+  }
+
+  List<EncryptionZone> listEncryptionZones() throws IOException {
+    return null;
+  }
+
   /**
    * Set xattr for a file or directory.
    * 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 34e7979ced3..52cf5548ca0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -76,6 +76,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.FSLimitException;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
@@ -1384,6 +1385,22 @@ public AclStatus getAclStatus(String src) throws IOException {
     return namesystem.getAclStatus(src);
   }
   
+  @Override
+  public void createEncryptionZone(String src, String keyId)
+    throws IOException {
+    namesystem.createEncryptionZone(src, keyId);
+  }
+
+  @Override
+  public void deleteEncryptionZone(String src) throws IOException {
+    namesystem.deleteEncryptionZone(src);
+  }
+
+  @Override
+  public List<EncryptionZone> listEncryptionZones() throws IOException {
+    return namesystem.listEncryptionZones();
+  }
+
   @Override
   public void setXAttr(String src, XAttr xAttr, EnumSet<XAttrSetFlag> flag)
       throws IOException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
index 80b96f43173..73e4aea2ce3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
@@ -32,6 +32,7 @@ import "Security.proto";
 import "hdfs.proto";
 import "acl.proto";
 import "xattr.proto";
+import "encryption.proto";
 
 /**
  * The ClientNamenodeProtocol Service defines the interface between a client 
@@ -766,4 +767,10 @@ service ClientNamenodeProtocol {
       returns(GetXAttrsResponseProto);
   rpc removeXAttr(RemoveXAttrRequestProto)
       returns(RemoveXAttrResponseProto);
+  rpc createEncryptionZone(CreateEncryptionZoneRequestProto)
+      returns(CreateEncryptionZoneResponseProto);
+  rpc deleteEncryptionZone(DeleteEncryptionZoneRequestProto)
+      returns(DeleteEncryptionZoneResponseProto);
+  rpc listEncryptionZones(ListEncryptionZonesRequestProto)
+      returns(ListEncryptionZonesResponseProto);
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
new file mode 100644
index 00000000000..748f2cb40c2
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * These .proto interfaces are private and stable.
+ * Please see http://wiki.apache.org/hadoop/Compatibility
+ * for what changes are allowed for a *stable* .proto interface.
+ */
+
+// This file contains protocol buffers that are used throughout HDFS -- i.e.
+// by the client, server, and data transfer protocols.
+
+
+option java_package = "org.apache.hadoop.hdfs.protocol.proto";
+option java_outer_classname = "EncryptionZonesProtos";
+option java_generate_equals_and_hash = true;
+package hadoop.hdfs;
+
+import "hdfs.proto";
+
+message CreateEncryptionZoneRequestProto {
+  required string src = 1;
+  optional string keyId = 2;
+}
+
+message CreateEncryptionZoneResponseProto {
+}
+
+message DeleteEncryptionZoneRequestProto {
+  required string src = 1;
+}
+
+message DeleteEncryptionZoneResponseProto {
+}
+
+message ListEncryptionZonesRequestProto {
+}
+
+message EncryptionZoneProto {
+  required string path = 1;
+  required string keyId = 2;
+}
+
+message ListEncryptionZonesResponseProto {
+  repeated EncryptionZoneProto pathsAndKeys = 1;
+}

From a93a37a8cd99368ea9f52778492eb4d1ad593c27 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Fri, 6 Jun 2014 01:49:53 +0000
Subject: [PATCH 013/354] Various fixes to CHANGES-fs-encryption.txt. Various
 Jiras ended up in the hadoop-common CHANGES-fs-encryption.txt by accident.
 Moved them to HDFS CHANGES-fs-encryption.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1600804 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt                  | 5 -----
 hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt    | 5 +++++
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index e19a4abf7a7..4b8e982cfb3 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -6,13 +6,8 @@ fs-encryption (Unreleased)
 
   NEW FEATURES
 
-    HDFS-6388. HDFS integration with KeyProvider. (clamb)
-
   IMPROVEMENTS
 
-    HADOOP-6392. Wire crypto streams for encrypted files in
-    DFSClient. (clamb and yliu)
-
     HADOOP-10603. Crypto input and output streams implementing Hadoop stream
     interfaces. (Yi Liu and Charles Lamb)
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index b7abd062f4d..ad971b42673 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -6,10 +6,15 @@ fs-encryption (Unreleased)
 
   NEW FEATURES
 
+    HDFS-6388. HDFS integration with KeyProvider. (clamb)
+
   IMPROVEMENTS
 
     HDFS-6473. Protocol and API for Encryption Zones (clamb)
 
+    HDFS-6392. Wire crypto streams for encrypted files in
+    DFSClient. (clamb and yliu)
+
     HDFS-6476. Print out the KeyProvider after finding KP successfully on
     startup. (Juan Yu via wang)
 

From 6ef3a9e746c52d91f1e5b4ac9f41627bd42674d7 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Wed, 18 Jun 2014 22:33:50 +0000
Subject: [PATCH 014/354] HDFS-6386. HDFS Encryption Zones (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1603658 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   2 +
 .../org/apache/hadoop/hdfs/DFSClient.java     |   6 +-
 .../hadoop/hdfs/protocol/HdfsConstants.java   |   5 +
 .../ClientNamenodeProtocolTranslatorPB.java   |  10 +-
 .../hdfs/server/namenode/FSDirectory.java     |  46 ++
 .../hdfs/server/namenode/FSNamesystem.java    | 254 ++++++++++-
 .../hadoop/hdfs/server/namenode/NameNode.java |  37 --
 .../hadoop/hdfs/TestEncryptionZonesAPI.java   | 404 ++++++++++++++++++
 8 files changed, 719 insertions(+), 45 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index ad971b42673..c02b8c674dc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -10,6 +10,8 @@ fs-encryption (Unreleased)
 
   IMPROVEMENTS
 
+    HDFS-6386. HDFS Encryption Zones (clamb)
+
     HDFS-6473. Protocol and API for Encryption Zones (clamb)
 
     HDFS-6392. Wire crypto streams for encrypted files in
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index 924e42442b8..bf8cf2fb20c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -2802,7 +2802,11 @@ public void deleteEncryptionZone(String src) throws IOException {
 
   public List<EncryptionZone> listEncryptionZones() throws IOException {
     checkOpen();
-    return namenode.listEncryptionZones();
+    try {
+      return namenode.listEncryptionZones();
+    } catch (RemoteException re) {
+      throw re.unwrapRemoteException(AccessControlException.class);
+    }
   }
 
   public void setXAttr(String src, String name, byte[] value, 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java
index 42abbe855dc..06c658cb2ec 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java
@@ -162,6 +162,11 @@ public static enum DatanodeReportType {
   public static final String SEPARATOR_DOT_SNAPSHOT_DIR
       = Path.SEPARATOR + DOT_SNAPSHOT_DIR; 
 
+  public static final String CRYPTO_XATTR_KEY_ID = "system.hdfs.crypto.key-id";
+  public static final String CRYPTO_XATTR_KEY_VERSION_ID =
+    "system.hdfs.crypto.key-version-id";
+  public static final String CRYPTO_XATTR_IV = "system.hdfs.crypto.iv";
+  public static final int CRYPTO_KEY_SIZE = 128;
   /* Temporary until we stop hard-coding these values. */
   public static final byte[] KEY = "0123456789012345".getBytes();
   public static final byte[] IV = "ABCDEFGJIJKLMNOP".getBytes();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
index f366ddb6d8a..2a7ddd5305d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
@@ -1282,9 +1282,13 @@ public AclStatus getAclStatus(String src) throws IOException {
   @Override
   public void createEncryptionZone(String src, String keyId)
     throws IOException {
-    final CreateEncryptionZoneRequestProto req =
-      CreateEncryptionZoneRequestProto.newBuilder().
-      setSrc(src).setKeyId(keyId).build();
+    final CreateEncryptionZoneRequestProto.Builder builder =
+      CreateEncryptionZoneRequestProto.newBuilder();
+    builder.setSrc(src);
+    if (keyId != null && !keyId.isEmpty()) {
+      builder.setKeyId(keyId);
+    }
+    CreateEncryptionZoneRequestProto req = builder.build();
     try {
       rpcProxy.createEncryptionZone(null, req);
     } catch (ServiceException e) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index 4abd8889fe2..8bfa6125b59 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -32,6 +32,7 @@
 
 import org.apache.hadoop.HadoopIllegalArgumentException;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CryptoCodec;
 import org.apache.hadoop.fs.ContentSummary;
 import org.apache.hadoop.fs.FileAlreadyExistsException;
 import org.apache.hadoop.fs.Options;
@@ -50,6 +51,7 @@
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.DFSUtil;
 import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.hdfs.XAttrHelper;
 import org.apache.hadoop.hdfs.protocol.AclException;
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.ClientProtocol;
@@ -84,6 +86,10 @@
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
 
+import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_XATTR_KEY_ID;
+import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_XATTR_IV;
+import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_XATTR_KEY_VERSION_ID;
+
 /*************************************************
  * FSDirectory stores the filesystem directory state.
  * It handles writing/loading values to disk, and logging
@@ -130,6 +136,7 @@ private static INodeDirectorySnapshottable createRoot(FSNamesystem namesystem) {
   private final INodeMap inodeMap; // Synchronized by dirLock
   private long yieldCount = 0; // keep track of lock yield count.
   private final int inodeXAttrsLimit; //inode xattrs max limit
+  private final CryptoCodec codec;
 
   // lock to protect the directory and BlockMap
   private final ReentrantReadWriteLock dirLock;
@@ -198,6 +205,7 @@ public int getWriteHoldCount() {
     this.inodeXAttrsLimit = conf.getInt(
         DFSConfigKeys.DFS_NAMENODE_MAX_XATTRS_PER_INODE_KEY,
         DFSConfigKeys.DFS_NAMENODE_MAX_XATTRS_PER_INODE_DEFAULT);
+    this.codec = CryptoCodec.getInstance(conf);
     Preconditions.checkArgument(this.inodeXAttrsLimit >= 0,
         "Cannot set a negative limit on the number of xattrs per inode (%s).",
         DFSConfigKeys.DFS_NAMENODE_MAX_XATTRS_PER_INODE_KEY);
@@ -2662,6 +2670,44 @@ List<XAttr> filterINodeXAttr(List<XAttr> existingXAttrs,
     return xAttrs;
   }
   
+  XAttr createEncryptionZone(String src, String keyId)
+    throws IOException {
+    writeLock();
+    try {
+      if (isNonEmptyDirectory(src)) {
+        throw new IOException(
+          "Attempt to create an encryption zone for a non-empty directory.");
+      }
+      final XAttr keyIdXAttr =
+        XAttrHelper.buildXAttr(CRYPTO_XATTR_KEY_ID, keyId.getBytes());
+      unprotectedSetXAttr(src, keyIdXAttr, EnumSet.of(XAttrSetFlag.CREATE));
+      return keyIdXAttr;
+    } finally {
+      writeUnlock();
+    }
+  }
+
+  XAttr deleteEncryptionZone(String src)
+    throws IOException {
+    writeLock();
+    try {
+      if (isNonEmptyDirectory(src)) {
+        throw new IOException(
+          "Attempt to delete an encryption zone for a non-empty directory.");
+      }
+      final XAttr keyIdXAttr =
+        XAttrHelper.buildXAttr(CRYPTO_XATTR_KEY_ID, null);
+      final XAttr removedXAttr = unprotectedRemoveXAttr(src, keyIdXAttr);
+      if (removedXAttr == null) {
+        throw new IOException(
+          src + " does not appear to be the root of an encryption zone");
+      }
+      return removedXAttr;
+    } finally {
+      writeUnlock();
+    }
+  }
+
   void setXAttr(String src, XAttr xAttr, EnumSet<XAttrSetFlag> flag)
           throws IOException {
     writeLock();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 74a61338949..360f16d96ed 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -83,12 +83,16 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_REPLICATION_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_REPLICATION_KEY;
+import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_KEY_SIZE;
+import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_XATTR_IV;
+import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_XATTR_KEY_VERSION_ID;
 import static org.apache.hadoop.util.Time.now;
 
 import java.io.*;
 import java.lang.management.ManagementFactory;
 import java.net.InetAddress;
 import java.net.URI;
+import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -102,6 +106,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.UUID;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
@@ -116,6 +121,9 @@
 import org.apache.hadoop.HadoopIllegalArgumentException;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.KeyProvider;
+import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
+import org.apache.hadoop.crypto.key.KeyProviderFactory;
 import org.apache.hadoop.fs.BatchedRemoteIterator.BatchedListEntries;
 import org.apache.hadoop.fs.CacheFlag;
 import org.apache.hadoop.fs.ContentSummary;
@@ -145,6 +153,7 @@
 import org.apache.hadoop.hdfs.HAUtil;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.StorageType;
+import org.apache.hadoop.hdfs.XAttrHelper;
 import org.apache.hadoop.hdfs.protocol.AclException;
 import org.apache.hadoop.hdfs.protocol.AlreadyBeingCreatedException;
 import org.apache.hadoop.hdfs.protocol.Block;
@@ -261,6 +270,7 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Charsets;
+import com.google.common.base.Joiner;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Lists;
@@ -515,6 +525,11 @@ private void logAuditEvent(boolean succeeded,
 
   private final NNConf nnConf;
 
+  private KeyProvider provider = null;
+  private KeyProvider.Options providerOptions = null;
+
+  private final Map<String, EncryptionZone> encryptionZones;
+
   /**
    * Set the last allocated inode id when fsimage or editlog is loaded. 
    */
@@ -675,6 +690,8 @@ static FSNamesystem loadFromDisk(Configuration conf) throws IOException {
    */
   FSNamesystem(Configuration conf, FSImage fsImage, boolean ignoreRetryCache)
       throws IOException {
+    initializeKeyProvider(conf);
+    providerOptions = KeyProvider.options(conf);
     if (conf.getBoolean(DFS_NAMENODE_AUDIT_LOG_ASYNC_KEY,
                         DFS_NAMENODE_AUDIT_LOG_ASYNC_DEFAULT)) {
       LOG.info("Enabling async auditlog");
@@ -781,6 +798,7 @@ static FSNamesystem loadFromDisk(Configuration conf) throws IOException {
         auditLoggers.get(0) instanceof DefaultAuditLogger;
       this.retryCache = ignoreRetryCache ? null : initRetryCache(conf);
       this.nnConf = new NNConf(conf);
+      this.encryptionZones = new HashMap<String, EncryptionZone>();
     } catch(IOException e) {
       LOG.error(getClass().getSimpleName() + " initialization failed.", e);
       close();
@@ -826,6 +844,42 @@ void addCacheEntry(byte[] clientId, int callId) {
     }
   }
 
+  private void initializeKeyProvider(final Configuration conf) {
+    try {
+      final List<KeyProvider> providers = KeyProviderFactory.getProviders(conf);
+      if (providers == null) {
+        return;
+      }
+
+      if (providers.size() == 0) {
+        LOG.info("No KeyProviders found.");
+        return;
+      }
+
+      if (providers.size() > 1) {
+        final String err =
+            "Multiple KeyProviders found. Only one is permitted.";
+        LOG.error(err);
+        throw new RuntimeException(err);
+      }
+      provider = providers.get(0);
+      if (provider.isTransient()) {
+        final String err =
+            "A KeyProvider was found but it is a transient provider.";
+        LOG.error(err);
+        throw new RuntimeException(err);
+      }
+      LOG.info("Found KeyProvider: " + provider.toString());
+    } catch (IOException e) {
+      LOG.error("Exception while initializing KeyProvider", e);
+    }
+  }
+
+  @VisibleForTesting
+  public KeyProvider getProvider() {
+    return provider;
+  }
+
   @VisibleForTesting
   static RetryCache initRetryCache(Configuration conf) {
     boolean enable = conf.getBoolean(DFS_NAMENODE_ENABLE_RETRY_CACHE_KEY,
@@ -2358,7 +2412,7 @@ permissions, true, now())) {
       throw ie;
     }
   }
-  
+
   /**
    * Append to an existing file for append.
    * <p>
@@ -8057,14 +8111,206 @@ AclStatus getAclStatus(String src) throws IOException {
     }
   }
   
-  void createEncryptionZone(final String src, final String keyId)
-          throws IOException {
+  /**
+   * Create an encryption zone on directory src either using keyIdArg if
+   * supplied or generating a keyId if it's null.
+   *
+   * @param src the path of a directory which will be the root of the
+   * encryption zone. The directory must be empty.
+   *
+   * @param keyIdArg an optional keyId of a key in the configured
+   * KeyProvider. If this is null, then a a new key is generated.
+   *
+   * @throws AccessControlException if the caller is not the superuser.
+   *
+   * @throws UnresolvedLinkException if the path can't be resolved.
+   *
+   * @throws SafeModeException if the Namenode is in safe mode.
+   */
+  void createEncryptionZone(final String src, String keyIdArg)
+    throws IOException, UnresolvedLinkException,
+      SafeModeException, AccessControlException {
+    final CacheEntry cacheEntry = RetryCache.waitForCompletion(retryCache);
+    if (cacheEntry != null && cacheEntry.isSuccess()) {
+      return; // Return previous response
+    }
+
+    boolean createdKey = false;
+    String keyId = keyIdArg;
+    boolean success = false;
+    try {
+      if (keyId == null || keyId.isEmpty()) {
+        keyId = createNewKey(src);
+        createdKey = true;
+      } else {
+        if (provider.getCurrentKey(keyId) == null) {
+
+          /*
+           * It would be nice if we threw something more specific than
+           * IOException when the key is not found, but the KeyProvider API
+           * doesn't provide for that. If that API is ever changed to throw
+           * something more specific (e.g. UnknownKeyException) then we can
+           * update this to match it, or better yet, just rethrow the
+           * KeyProvider's exception.
+           */
+          throw new IOException("Key " + keyId + " doesn't exist.");
+        }
+      }
+      createEncryptionZoneInt(src, keyId, cacheEntry != null);
+      success = true;
+    } catch (AccessControlException e) {
+      logAuditEvent(false, "createEncryptionZone", src);
+      throw e;
+    } finally {
+      RetryCache.setState(cacheEntry, success);
+      if (!success && createdKey) {
+        /* Unwind key creation. */
+        provider.deleteKey(keyId);
+      }
+    }
   }
 
-  void deleteEncryptionZone(final String src) throws IOException {
+  private void createEncryptionZoneInt(final String srcArg, String keyId,
+    final boolean logRetryCache) throws IOException {
+    String src = srcArg;
+    HdfsFileStatus resultingStat = null;
+    checkSuperuserPrivilege();
+    checkOperation(OperationCategory.WRITE);
+    final byte[][] pathComponents =
+      FSDirectory.getPathComponentsForReservedPath(src);
+    writeLock();
+    try {
+      checkSuperuserPrivilege();
+      checkOperation(OperationCategory.WRITE);
+      checkNameNodeSafeMode("Cannot create encryption zone on " + src);
+      src = FSDirectory.resolvePath(src, pathComponents, dir);
+
+      EncryptionZone ez = getEncryptionZoneForPath(src);
+      if (ez != null) {
+        throw new IOException("Directory " + src +
+          " is already in an encryption zone. (" + ez.getPath() + ")");
+      }
+
+      final XAttr keyIdXAttr = dir.createEncryptionZone(src, keyId);
+      getEditLog().logSetXAttr(src, keyIdXAttr, logRetryCache);
+      encryptionZones.put(src, new EncryptionZone(src, keyId));
+      resultingStat = getAuditFileInfo(src, false);
+    } finally {
+      writeUnlock();
+    }
+    getEditLog().logSync();
+    logAuditEvent(true, "createEncryptionZone", src, null, resultingStat);
+  }
+
+  private String createNewKey(String src)
+    throws IOException {
+    final String keyId = UUID.randomUUID().toString();
+    // TODO pass in hdfs://HOST:PORT (HDFS-6490)
+    providerOptions.setDescription(src);
+    providerOptions.setBitLength(CRYPTO_KEY_SIZE);
+    try {
+      provider.createKey(keyId, providerOptions);
+    } catch (NoSuchAlgorithmException e) {
+      throw new IOException(e);
+    }
+    return keyId;
+  }
+
+  /**
+   * Delete the encryption zone on directory src.
+   *
+   * @param src the path of a directory which is the root of the encryption
+   * zone. The directory must be empty and must be marked as an encryption
+   * zone.
+   *
+   * @throws AccessControlException if the caller is not the superuser.
+   *
+   * @throws UnresolvedLinkException if the path can't be resolved.
+   *
+   * @throws SafeModeException if the Namenode is in safe mode.
+   */
+  void deleteEncryptionZone(final String src)
+    throws IOException, UnresolvedLinkException,
+      SafeModeException, AccessControlException {
+    final CacheEntry cacheEntry = RetryCache.waitForCompletion(retryCache);
+    if (cacheEntry != null && cacheEntry.isSuccess()) {
+      return; // Return previous response
+    }
+
+    boolean success = false;
+    try {
+      deleteEncryptionZoneInt(src, cacheEntry != null);
+      encryptionZones.remove(src);
+      success = true;
+    } catch (AccessControlException e) {
+      logAuditEvent(false, "deleteEncryptionZone", src);
+      throw e;
+    } finally {
+      RetryCache.setState(cacheEntry, success);
+    }
+  }
+
+  private void deleteEncryptionZoneInt(final String srcArg,
+    final boolean logRetryCache) throws IOException {
+    String src = srcArg;
+    HdfsFileStatus resultingStat = null;
+    checkSuperuserPrivilege();
+    checkOperation(OperationCategory.WRITE);
+    final byte[][] pathComponents =
+      FSDirectory.getPathComponentsForReservedPath(src);
+    writeLock();
+    try {
+      checkSuperuserPrivilege();
+      checkOperation(OperationCategory.WRITE);
+      checkNameNodeSafeMode("Cannot delete encryption zone on " + src);
+      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      final EncryptionZone ez = encryptionZones.get(src);
+      if (ez == null) {
+        throw new IOException("Directory " + src +
+          " is not the root of an encryption zone.");
+      }
+      final XAttr removedXAttr = dir.deleteEncryptionZone(src);
+      if (removedXAttr != null) {
+        getEditLog().logRemoveXAttr(src, removedXAttr);
+      }
+      encryptionZones.remove(src);
+      resultingStat = getAuditFileInfo(src, false);
+    } finally {
+      writeUnlock();
+    }
+    getEditLog().logSync();
+    logAuditEvent(true, "deleteEncryptionZone", src, null, resultingStat);
   }
 
   List<EncryptionZone> listEncryptionZones() throws IOException {
+    boolean success = false;
+    checkSuperuserPrivilege();
+    checkOperation(OperationCategory.READ);
+    readLock();
+    try {
+      checkSuperuserPrivilege();
+      checkOperation(OperationCategory.READ);
+      final List<EncryptionZone> ret =
+          Lists.newArrayList(encryptionZones.values());
+      success = true;
+      return ret;
+    } finally {
+      readUnlock();
+      logAuditEvent(success, "listEncryptionZones", null);
+    }
+  }
+
+  /** Lookup the encryption zone of a path. */
+  private EncryptionZone getEncryptionZoneForPath(String src) {
+    final String[] components = INode.getPathNames(src);
+    for (int i = components.length; i > 0; i--) {
+      final List<String> l = Arrays.asList(Arrays.copyOfRange(components, 0, i));
+      String p = Joiner.on(Path.SEPARATOR).join(l);
+      final EncryptionZone ret = encryptionZones.get(p);
+      if (ret != null) {
+        return ret;
+      }
+    }
     return null;
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
index 8f916ce253b..9cdad26eb24 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
@@ -27,8 +27,6 @@
 import org.apache.hadoop.HadoopIllegalArgumentException;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.crypto.key.KeyProvider;
-import org.apache.hadoop.crypto.key.KeyProviderFactory;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Trash;
 import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState;
@@ -272,9 +270,6 @@ public long getProtocolVersion(String protocol,
   
   private NameNodeRpcServer rpcServer;
 
-  /* The KeyProvider, if any. */
-  private KeyProvider provider = null;
-
   private JvmPauseMonitor pauseMonitor;
   private ObjectName nameNodeStatusBeanName;
   /**
@@ -586,7 +581,6 @@ protected void initialize(Configuration conf) throws IOException {
       startHttpServer(conf);
     }
     loadNamesystem(conf);
-    initializeKeyProvider(conf);
 
     rpcServer = createRpcServer(conf);
     if (clientNamenodeAddress == null) {
@@ -705,37 +699,6 @@ private void stopHttpServer() {
     }
   }
 
-  private void initializeKeyProvider(final Configuration conf) {
-    try {
-      final List<KeyProvider> providers = KeyProviderFactory.getProviders(conf);
-      if (providers == null) {
-        return;
-      }
-
-      if (providers.size() == 0) {
-        LOG.info("No KeyProviders found.");
-        return;
-      }
-
-      if (providers.size() > 1) {
-        final String err =
-            "Multiple KeyProviders found. Only one is permitted.";
-        LOG.error(err);
-        throw new RuntimeException(err);
-      }
-      provider = providers.get(0);
-      if (provider.isTransient()) {
-        final String err =
-            "A KeyProvider was found but it is a transient provider.";
-        LOG.error(err);
-        throw new RuntimeException(err);
-      }
-      LOG.info("Found KeyProvider: " + provider.toString());
-    } catch (IOException e) {
-      LOG.error("Exception while initializing KeyProvider", e);
-    }
-  }
-
   /**
    * Start NameNode.
    * <p>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
new file mode 100644
index 00000000000..eb851d4dcb6
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
@@ -0,0 +1,404 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.UUID;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
+import org.apache.hadoop.crypto.key.KeyProvider;
+import org.apache.hadoop.crypto.key.KeyProviderFactory;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hdfs.client.HdfsAdmin;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.test.GenericTestUtils;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.base.Preconditions;
+
+import static org.junit.Assert.fail;
+
+public class TestEncryptionZonesAPI {
+
+  private static final Path TEST_PATH = new Path("/test");
+  private static final Path TEST_PATH_WITH_CHILD = new Path(TEST_PATH, "foo");
+  private static final Path TEST_PATH_WITH_MULTIPLE_CHILDREN =
+    new Path(TEST_PATH_WITH_CHILD, "baz");
+  private static final String TEST_KEYID = "mykeyid";
+  private final Configuration conf = new Configuration();
+  private MiniDFSCluster cluster;
+  private static File tmpDir;
+  private FileSystem fs;
+
+  @Before
+  public void setUpCluster() throws IOException {
+    tmpDir = new File(System.getProperty("test.build.data", "target"),
+        UUID.randomUUID().toString()).getAbsoluteFile();
+    conf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
+        JavaKeyStoreProvider.SCHEME_NAME + "://file" + tmpDir + "/test.jks");
+    cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
+    fs = cluster.getFileSystem();
+  }
+
+  @After
+  public void shutDownCluster() {
+    if (cluster != null) {
+      cluster.shutdown();
+    }
+  }
+
+  /** Test failure of Create EZ on a directory that doesn't exist. */
+  @Test(timeout = 30000)
+  public void testCreateEncryptionZoneDirectoryDoesntExist() throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    try {
+      dfsAdmin.createEncryptionZone(TEST_PATH, null);
+      fail("expected /test doesn't exist");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains("cannot find", e);
+    }
+  }
+
+  /** Test failure of Create EZ on a directory which is already an EZ. */
+  @Test(timeout = 30000)
+  public void testCreateEncryptionZoneWhichAlreadyExists()
+    throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
+    dfsAdmin.createEncryptionZone(TEST_PATH, null);
+    try {
+      dfsAdmin.createEncryptionZone(TEST_PATH, null);
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains("already in an encryption zone",
+          e);
+    }
+  }
+
+  /** Test success of Create EZ in which a key is created. */
+  @Test(timeout = 30000)
+  public void testCreateEncryptionZoneAndGenerateKeyDirectoryEmpty()
+    throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
+    dfsAdmin.createEncryptionZone(TEST_PATH, null);
+  }
+
+  /** Test failure of Create EZ operation in an existing EZ. */
+  @Test(timeout = 30000)
+  public void testCreateEncryptionZoneInExistingEncryptionZone()
+    throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
+    dfsAdmin.createEncryptionZone(TEST_PATH, null);
+    FileSystem.mkdirs(fs, TEST_PATH_WITH_CHILD,
+        new FsPermission((short) 0777));
+    try {
+      dfsAdmin.createEncryptionZone(TEST_PATH_WITH_CHILD, null);
+      fail("EZ in an EZ");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains("already in an encryption zone", e);
+    }
+  }
+
+  /** Test failure of creating an EZ using a non-empty directory. */
+  @Test(timeout = 30000)
+  public void testCreateEncryptionZoneAndGenerateKeyDirectoryNotEmpty()
+    throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
+    FileSystem.create(fs, new Path("/test/foo"),
+            new FsPermission((short) 0777));
+    try {
+      dfsAdmin.createEncryptionZone(TEST_PATH, null);
+      fail("expected key doesn't exist");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains("create an encryption zone", e);
+    }
+  }
+
+  /** Test failure of creating an EZ passing a key that doesn't exist. */
+  @Test(timeout = 30000)
+  public void testCreateEncryptionZoneKeyDoesntExist() throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    try {
+      dfsAdmin.createEncryptionZone(TEST_PATH, TEST_KEYID);
+      fail("expected key doesn't exist");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains("doesn't exist.", e);
+    }
+    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    Preconditions.checkState(zones.size() == 0, "More than one zone found?");
+  }
+
+  /** Test success of creating an EZ when they key exists. */
+  @Test(timeout = 30000)
+  public void testCreateEncryptionZoneKeyExist() throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
+    createAKey(TEST_KEYID);
+    dfsAdmin.createEncryptionZone(TEST_PATH, TEST_KEYID);
+    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    Preconditions.checkState(zones.size() == 1, "More than one zone found?");
+    final EncryptionZone ez = zones.get(0);
+      GenericTestUtils.assertMatches(ez.toString(),
+              "EncryptionZone \\[path=/test, keyId=");
+  }
+
+  /** Helper function to create a key in the Key Provider. */
+  private void createAKey(String keyId)
+    throws NoSuchAlgorithmException, IOException {
+    KeyProvider provider =
+        cluster.getNameNode().getNamesystem().getProvider();
+    final KeyProvider.Options options = KeyProvider.options(conf);
+    provider.createKey(keyId, options);
+    provider.flush();
+  }
+
+  /** Test failure of create/delete encryption zones as a non super user. */
+  @Test(timeout = 30000)
+  public void testCreateAndDeleteEncryptionZoneAsNonSuperUser()
+    throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+
+    final UserGroupInformation user = UserGroupInformation.
+      createUserForTesting("user", new String[] { "mygroup" });
+
+    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0700));
+
+    user.doAs(new PrivilegedExceptionAction<Object>() {
+        @Override
+        public Object run() throws Exception {
+          final HdfsAdmin userAdmin =
+            new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+          try {
+            userAdmin.createEncryptionZone(TEST_PATH, null);
+            fail("createEncryptionZone is superuser-only operation");
+          } catch (AccessControlException e) {
+            GenericTestUtils.assertExceptionContains(
+                    "Superuser privilege is required", e);
+          }
+          return null;
+        }
+      });
+    dfsAdmin.createEncryptionZone(TEST_PATH, null);
+
+    user.doAs(new PrivilegedExceptionAction<Object>() {
+      @Override
+      public Object run() throws Exception {
+        final HdfsAdmin userAdmin =
+                new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+        try {
+          userAdmin.deleteEncryptionZone(TEST_PATH);
+          fail("deleteEncryptionZone is superuser-only operation");
+        } catch (AccessControlException e) {
+          GenericTestUtils.assertExceptionContains(
+                  "Superuser privilege is required", e);
+        }
+        return null;
+      }
+    });
+  }
+
+  /** Test failure of deleting an EZ passing a directory that doesn't exist. */
+  @Test(timeout = 30000)
+  public void testDeleteEncryptionZoneDirectoryDoesntExist() throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    try {
+      dfsAdmin.deleteEncryptionZone(TEST_PATH);
+      fail("Directory doesn't exist");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains(
+        "is not the root of an encryption zone", e);
+    }
+  }
+
+  /** Test failure of deleting an EZ which is not empty. */
+  @Test(timeout = 30000)
+  public void testDeleteEncryptionZoneAndGenerateKeyDirectoryNotEmpty()
+    throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
+    dfsAdmin.createEncryptionZone(TEST_PATH, null);
+    FileSystem.create(fs, new Path("/test/foo"),
+      new FsPermission((short) 0777));
+    try {
+      dfsAdmin.deleteEncryptionZone(TEST_PATH);
+      fail("Directory not empty");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains("non-empty directory", e);
+    }
+  }
+
+  /** Test success of deleting an EZ. */
+  @Test(timeout = 30000)
+  public void testDeleteEncryptionZone()
+    throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
+    dfsAdmin.createEncryptionZone(TEST_PATH, null);
+    List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    Preconditions.checkState(zones.size() == 1, "More than one zone found?");
+    dfsAdmin.deleteEncryptionZone(TEST_PATH);
+    zones = dfsAdmin.listEncryptionZones();
+    Preconditions.checkState(zones.size() == 0, "More than one zone found?");
+  }
+
+  /**
+   * Test failure of deleting an EZ on a subdir that is not the root of an EZ.
+   */
+  @Test(timeout = 30000)
+  public void testDeleteEncryptionZoneInExistingEncryptionZone()
+    throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
+    dfsAdmin.createEncryptionZone(TEST_PATH, null);
+    FileSystem.mkdirs(fs, TEST_PATH_WITH_CHILD, new FsPermission((short) 0777));
+    try {
+      dfsAdmin.deleteEncryptionZone(TEST_PATH_WITH_CHILD);
+      fail("EZ in an EZ");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains(
+        "is not the root of an encryption zone", e);
+    }
+  }
+
+  /**
+   * Test success of creating and deleting an encryption zone a few levels down.
+   */
+  @Test(timeout = 30000)
+  public void testCreateAndDeleteEncryptionZoneDownAFewLevels()
+    throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
+    dfsAdmin.createEncryptionZone(TEST_PATH, null);
+    FileSystem.mkdirs(fs, TEST_PATH_WITH_MULTIPLE_CHILDREN,
+      new FsPermission((short) 0777));
+    try {
+      dfsAdmin.deleteEncryptionZone(TEST_PATH_WITH_MULTIPLE_CHILDREN);
+      fail("EZ in an EZ");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains(
+        "is not the root of an encryption zone", e);
+    }
+    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    Preconditions.checkState(zones.size() == 1, "More than one zone found?");
+    final EncryptionZone ez = zones.get(0);
+      GenericTestUtils.assertMatches(ez.toString(),
+         "EncryptionZone \\[path=/test, keyId=");
+  }
+
+  /** Test failure of creating an EZ using a non-empty directory. */
+  @Test(timeout = 30000)
+  public void testCreateFileInEncryptionZone() throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
+    dfsAdmin.createEncryptionZone(TEST_PATH, null);
+    FileSystem.create(fs, TEST_PATH_WITH_CHILD, new FsPermission((short) 0777));
+
+    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    final EncryptionZone ez = zones.get(0);
+      GenericTestUtils.assertMatches(ez.toString(),
+         "EncryptionZone \\[path=/test, keyId=");
+  }
+
+  /** Test listing encryption zones. */
+  @Test(timeout = 30000)
+  public void testListEncryptionZones() throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    final int N_EZs = 5;
+    final Set<String> ezPathNames = new HashSet<String>(N_EZs);
+    for (int i = 0; i < N_EZs; i++) {
+      final Path p = new Path(TEST_PATH, "" + i);
+      ezPathNames.add(p.toString());
+      FileSystem.mkdirs(fs, p, new FsPermission((short) 0777));
+      dfsAdmin.createEncryptionZone(p, null);
+    }
+
+    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    Preconditions.checkState(zones.size() == N_EZs, "wrong number of EZs returned");
+    for (EncryptionZone z : zones) {
+      final String ezPathName = z.getPath();
+      Preconditions.checkState(ezPathNames.remove(
+          ezPathName), "Path " + ezPathName + " not returned from listEZ");
+    }
+    Preconditions.checkState(ezPathNames.size() == 0);
+  }
+
+  /** Test listing encryption zones as a non super user. */
+  @Test(timeout = 30000)
+  public void testListEncryptionZonesAsNonSuperUser() throws Exception {
+    final HdfsAdmin dfsAdmin =
+      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+
+    final UserGroupInformation user = UserGroupInformation.
+      createUserForTesting("user", new String[] {"mygroup"});
+
+    final Path TEST_PATH_SUPERUSER_ONLY = new Path(TEST_PATH, "superuseronly");
+    final Path TEST_PATH_ALL = new Path(TEST_PATH, "accessall");
+
+    FileSystem.mkdirs(fs, TEST_PATH_SUPERUSER_ONLY,
+      new FsPermission((short) 0700));
+    dfsAdmin.createEncryptionZone(TEST_PATH_SUPERUSER_ONLY, null);
+    FileSystem.mkdirs(fs, TEST_PATH_ALL,
+      new FsPermission((short) 0707));
+    dfsAdmin.createEncryptionZone(TEST_PATH_ALL, null);
+
+    user.doAs(new PrivilegedExceptionAction<Object>() {
+      @Override
+      public Object run() throws Exception {
+        final HdfsAdmin userAdmin =
+                new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+        try {
+          final List<EncryptionZone> zones = userAdmin.listEncryptionZones();
+        } catch (AccessControlException e) {
+          GenericTestUtils.assertExceptionContains(
+                  "Superuser privilege is required", e);
+        }
+        return null;
+      }
+    });
+  }
+}

From f43f0999d9b43ac0f72ffde616dad4e60ff01cd9 Mon Sep 17 00:00:00 2001
From: Yi Liu <yliu@apache.org>
Date: Sun, 22 Jun 2014 07:20:47 +0000
Subject: [PATCH 015/354] HADOOP-10713. Refactor
 CryptoCodec#generateSecureRandom to take a byte[]. (wang via yliu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1604537 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt              | 3 +++
 .../main/java/org/apache/hadoop/crypto/CryptoCodec.java  | 9 +++++----
 .../org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java   | 6 ++----
 .../java/org/apache/hadoop/crypto/TestCryptoCodec.java   | 6 ++++--
 4 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 4b8e982cfb3..8983f8e73cb 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -25,6 +25,9 @@ fs-encryption (Unreleased)
     HADOOP-10662. NullPointerException in CryptoInputStream while wrapped
     stream is not ByteBufferReadable. Add tests using normal stream. (Yi Liu)
 
+    HADOOP-10713. Refactor CryptoCodec#generateSecureRandom to take a byte[]. 
+    (wang via yliu)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
index 277246c087b..b166423db0e 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
@@ -81,9 +81,10 @@ public static CryptoCodec getInstance(Configuration conf) {
   public abstract void calculateIV(byte[] initIV, long counter, byte[] IV);
   
   /**
-   * Generate secure random.
-   * @param bytes length of the secure random
-   * @return byte[] the secure random
+   * Generate a number of secure, random bytes suitable for cryptographic use.
+   * This method needs to be thread-safe.
+   *
+   * @param bytes byte array to populate with random data
    */
-  public abstract byte[] generateSecureRandom(int bytes);
+  public abstract void generateSecureRandom(byte[] bytes);
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
index 22a036a5602..a2eeea48c94 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
@@ -79,10 +79,8 @@ public Decryptor createDecryptor() throws GeneralSecurityException {
   }
   
   @Override
-  public byte[] generateSecureRandom(int bytes) {
-    final byte[] data = new byte[bytes];
-    random.nextBytes(data);
-    return data;
+  public void generateSecureRandom(byte[] bytes) {
+    random.nextBytes(bytes);
   }  
   
   private static class JCEAESCTRCipher implements Encryptor, Decryptor {
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java
index 8213ad8a77b..f4a34a18549 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java
@@ -49,8 +49,10 @@ public void testSecureRandom() throws Exception {
   }
   
   private void checkSecureRandom(int len) {
-    byte[] rand = codec.generateSecureRandom(len);
-    byte[] rand1 = codec.generateSecureRandom(len);
+    byte[] rand = new byte[len];
+    byte[] rand1 = new byte[len];
+    codec.generateSecureRandom(rand);
+    codec.generateSecureRandom(rand1);
     
     Assert.assertEquals(len, rand.length);
     Assert.assertEquals(len, rand1.length);

From 26763657999765d08cc2de609d5f7860dfd14137 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Wed, 25 Jun 2014 17:42:03 +0000
Subject: [PATCH 016/354] HDFS-6387. HDFS CLI admin tool for creating &
 deleting an encryption zone. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1605518 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   3 +
 .../hadoop-hdfs/src/main/bin/hdfs             |   3 +
 .../apache/hadoop/hdfs/tools/CryptoAdmin.java | 344 ++++++++++++++++++
 .../org/apache/hadoop/cli/TestCryptoCLI.java  | 169 +++++++++
 .../cli/util/CLICommandCryptoAdmin.java       |  21 ++
 .../cli/util/CryptoAdminCmdExecutor.java      |  37 ++
 .../src/test/resources/testCryptoConf.xml     | 266 ++++++++++++++
 7 files changed, 843 insertions(+)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoCLI.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/util/CLICommandCryptoAdmin.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/util/CryptoAdminCmdExecutor.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index c02b8c674dc..91b0a082a54 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -10,6 +10,9 @@ fs-encryption (Unreleased)
 
   IMPROVEMENTS
 
+    HDFS-6387. HDFS CLI admin tool for creating & deleting an
+    encryption zone. (clamb)
+
     HDFS-6386. HDFS Encryption Zones (clamb)
 
     HDFS-6473. Protocol and API for Encryption Zones (clamb)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
index fa2d863a75c..5fbb3db1459 100755
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
@@ -61,6 +61,7 @@ function print_usage(){
   echo "  portmap              run a portmap service"
   echo "  nfs3                 run an NFS version 3 gateway"
   echo "  cacheadmin           configure the HDFS cache"
+  echo "  crypto               configure HDFS encryption zones"
   echo ""
   echo "Most commands print help when invoked w/o parameters."
 }
@@ -184,6 +185,8 @@ elif [ "$COMMAND" = "nfs3" ] ; then
   HADOOP_OPTS="$HADOOP_OPTS $HADOOP_NFS3_OPTS"
 elif [ "$COMMAND" = "cacheadmin" ] ; then
   CLASS=org.apache.hadoop.hdfs.tools.CacheAdmin
+elif [ "$COMMAND" = "crypto" ] ; then
+  CLASS=org.apache.hadoop.hdfs.tools.CryptoAdmin
 else
   CLASS="$COMMAND"
 fi
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
new file mode 100644
index 00000000000..9347d4de5d9
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
@@ -0,0 +1,344 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.tools;
+
+import java.io.IOException;
+import java.util.LinkedList;
+import java.util.List;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.conf.Configured;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.tools.TableListing;
+import org.apache.hadoop.util.StringUtils;
+import org.apache.hadoop.util.Tool;
+
+import com.google.common.base.Joiner;
+
+/**
+ * This class implements crypto command-line operations.
+ */
+@InterfaceAudience.Private
+public class CryptoAdmin extends Configured implements Tool {
+
+  /**
+   * Maximum length for printed lines
+   */
+  private static final int MAX_LINE_WIDTH = 80;
+
+  public CryptoAdmin() {
+    this(null);
+  }
+
+  public CryptoAdmin(Configuration conf) {
+    super(conf);
+  }
+
+  @Override
+  public int run(String[] args) throws IOException {
+    if (args.length == 0) {
+      printUsage(false);
+      return 1;
+    }
+    final Command command = determineCommand(args[0]);
+    if (command == null) {
+      System.err.println("Can't understand command '" + args[0] + "'");
+      if (!args[0].startsWith("-")) {
+        System.err.println("Command names must start with dashes.");
+      }
+      printUsage(false);
+      return 1;
+    }
+    final List<String> argsList = new LinkedList<String>();
+    for (int j = 1; j < args.length; j++) {
+      argsList.add(args[j]);
+    }
+    try {
+      return command.run(getConf(), argsList);
+    } catch (IllegalArgumentException e) {
+      System.err.println(prettifyException(e));
+      return -1;
+    }
+  }
+
+  public static void main(String[] argsArray) throws IOException {
+    final CryptoAdmin cryptoAdmin = new CryptoAdmin(new Configuration());
+    System.exit(cryptoAdmin.run(argsArray));
+  }
+
+  private static DistributedFileSystem getDFS(Configuration conf)
+      throws IOException {
+    final FileSystem fs = FileSystem.get(conf);
+    if (!(fs instanceof DistributedFileSystem)) {
+      throw new IllegalArgumentException("FileSystem " + fs.getUri() +
+      " is not an HDFS file system");
+    }
+    return (DistributedFileSystem) fs;
+  }
+
+  /**
+   * NN exceptions contain the stack trace as part of the exception message.
+   * When it's a known error, pretty-print the error and squish the stack trace.
+   */
+  private static String prettifyException(Exception e) {
+    return e.getClass().getSimpleName() + ": " +
+      e.getLocalizedMessage().split("\n")[0];
+  }
+
+  private static TableListing getOptionDescriptionListing() {
+    final TableListing listing = new TableListing.Builder()
+      .addField("").addField("", true)
+      .wrapWidth(MAX_LINE_WIDTH).hideHeaders().build();
+    return listing;
+  }
+
+  interface Command {
+    String getName();
+    String getShortUsage();
+    String getLongUsage();
+    int run(Configuration conf, List<String> args) throws IOException;
+  }
+
+  private static class CreateZoneCommand implements Command {
+    @Override
+    public String getName() {
+      return "-createZone";
+    }
+
+    @Override
+    public String getShortUsage() {
+      return "[" + getName() + " [-keyId <keyId>] -path <path> " + "]\n";
+    }
+
+    @Override
+    public String getLongUsage() {
+      final TableListing listing = getOptionDescriptionListing();
+      listing.addRow("<path>", "The path of the encryption zone to create. " +
+        "It must be an empty directory.");
+      listing.addRow("<keyId>", "The keyId of the new encryption zone.");
+      return getShortUsage() + "\n" +
+        "Create a new encryption zone.\n\n" +
+        listing.toString();
+    }
+
+    @Override
+    public int run(Configuration conf, List<String> args) throws IOException {
+      final String path = StringUtils.popOptionWithArgument("-path", args);
+      if (path == null) {
+        System.err.println("You must specify a path with -path.");
+        return 1;
+      }
+
+      final String keyId =
+          StringUtils.popOptionWithArgument("-keyId", args);
+
+      if (!args.isEmpty()) {
+        System.err.println("Can't understand argument: " + args.get(0));
+        return 1;
+      }
+
+      final DistributedFileSystem dfs = getDFS(conf);
+      try {
+        dfs.createEncryptionZone(new Path(path), keyId);
+        System.out.println("Added encryption zone " + path);
+      } catch (IOException e) {
+        System.err.println(prettifyException(e));
+        return 2;
+      }
+
+      return 0;
+    }
+  }
+
+  private static class DeleteZoneCommand implements Command {
+    @Override
+    public String getName() {
+      return "-deleteZone";
+    }
+
+    @Override
+    public String getShortUsage() {
+      return "[" + getName() + " -path <path> " + "]\n";
+    }
+
+    @Override
+    public String getLongUsage() {
+      final TableListing listing = getOptionDescriptionListing();
+      listing.addRow("<path>", "The path of the encryption zone to delete. " +
+        "It must be an empty directory and an existing encryption zone.");
+      return getShortUsage() + "\n" +
+        "Delete an encryption zone.\n\n" +
+        listing.toString();
+    }
+
+    @Override
+    public int run(Configuration conf, List<String> args) throws IOException {
+      final String path = StringUtils.popOptionWithArgument("-path", args);
+      if (path == null) {
+        System.err.println("You must specify a path with -path.");
+        return 1;
+      }
+
+      if (!args.isEmpty()) {
+        System.err.println("Can't understand argument: " + args.get(0));
+        return 1;
+      }
+
+      final DistributedFileSystem dfs = getDFS(conf);
+      try {
+        dfs.deleteEncryptionZone(new Path(path));
+        System.out.println("Deleted encryption zone " + path);
+      } catch (IOException e) {
+        System.err.println(prettifyException(e));
+        return 2;
+      }
+
+      return 0;
+    }
+  }
+
+  private static class ListZonesCommand implements Command {
+    @Override
+    public String getName() {
+      return "-listZones";
+    }
+
+    @Override
+    public String getShortUsage() {
+      return "[" + getName()+ "]\n";
+    }
+
+    @Override
+    public String getLongUsage() {
+      return getShortUsage() + "\n" +
+        "List all encryption zones.\n\n";
+    }
+
+    @Override
+    public int run(Configuration conf, List<String> args) throws IOException {
+      if (!args.isEmpty()) {
+        System.err.println("Can't understand argument: " + args.get(0));
+        return 1;
+      }
+
+      final DistributedFileSystem dfs = getDFS(conf);
+      try {
+        final TableListing listing = new TableListing.Builder()
+          .addField("").addField("", true)
+          .wrapWidth(MAX_LINE_WIDTH).hideHeaders().build();
+        final List<EncryptionZone> ezs = dfs.listEncryptionZones();
+        for (EncryptionZone ez : ezs) {
+          listing.addRow(ez.getPath(), ez.getKeyId());
+        }
+        System.out.println(listing.toString());
+      } catch (IOException e) {
+        System.err.println(prettifyException(e));
+        return 2;
+      }
+
+      return 0;
+    }
+  }
+
+  private static class HelpCommand implements Command {
+    @Override
+    public String getName() {
+      return "-help";
+    }
+
+    @Override
+    public String getShortUsage() {
+      return "[-help <command-name>]\n";
+    }
+
+    @Override
+    public String getLongUsage() {
+      final TableListing listing = getOptionDescriptionListing();
+      listing.addRow("<command-name>", "The command for which to get " +
+          "detailed help. If no command is specified, print detailed help for " +
+          "all commands");
+      return getShortUsage() + "\n" +
+        "Get detailed help about a command.\n\n" +
+        listing.toString();
+    }
+
+    @Override
+    public int run(Configuration conf, List<String> args) throws IOException {
+      if (args.size() == 0) {
+        for (Command command : COMMANDS) {
+          System.err.println(command.getLongUsage());
+        }
+        return 0;
+      }
+      if (args.size() != 1) {
+        System.out.println("You must give exactly one argument to -help.");
+        return 0;
+      }
+      final String commandName = args.get(0);
+      // prepend a dash to match against the command names
+      final Command command = determineCommand("-"+commandName);
+      if (command == null) {
+        System.err.print("Sorry, I don't know the command '" +
+          commandName + "'.\n");
+        System.err.print("Valid help command names are:\n");
+        String separator = "";
+        for (Command c : COMMANDS) {
+          System.err.print(separator + c.getName().substring(1));
+          separator = ", ";
+        }
+        System.err.print("\n");
+        return 1;
+      }
+      System.err.print(command.getLongUsage());
+      return 0;
+    }
+  }
+
+  private static final Command[] COMMANDS = {
+    new CreateZoneCommand(),
+    new DeleteZoneCommand(),
+    new ListZonesCommand(),
+    new HelpCommand(),
+  };
+
+  private static void printUsage(boolean longUsage) {
+    System.err.println(
+        "Usage: bin/hdfs crypto [COMMAND]");
+    for (Command command : COMMANDS) {
+      if (longUsage) {
+        System.err.print(command.getLongUsage());
+      } else {
+        System.err.print("          " + command.getShortUsage());
+      }
+    }
+    System.err.println();
+  }
+
+  private static Command determineCommand(String commandName) {
+    for (int i = 0; i < COMMANDS.length; i++) {
+      if (COMMANDS[i].getName().equals(commandName)) {
+        return COMMANDS[i];
+      }
+    }
+    return null;
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoCLI.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoCLI.java
new file mode 100644
index 00000000000..32ba055caa1
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoCLI.java
@@ -0,0 +1,169 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.cli;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.util.UUID;
+
+import static org.junit.Assert.assertTrue;
+
+import org.apache.hadoop.cli.util.CLICommand;
+import org.apache.hadoop.cli.util.CLICommandCryptoAdmin;
+import org.apache.hadoop.cli.util.CLICommandTypes;
+import org.apache.hadoop.cli.util.CLITestCmd;
+import org.apache.hadoop.cli.util.CryptoAdminCmdExecutor;
+import org.apache.hadoop.cli.util.CommandExecutor;
+import org.apache.hadoop.cli.util.CommandExecutor.Result;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
+import org.apache.hadoop.crypto.key.KeyProvider;
+import org.apache.hadoop.crypto.key.KeyProviderFactory;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.hdfs.HDFSPolicyProvider;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.tools.CryptoAdmin;
+import org.apache.hadoop.security.authorize.PolicyProvider;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.xml.sax.SAXException;
+
+public class TestCryptoCLI  extends CLITestHelperDFS {
+  protected MiniDFSCluster dfsCluster = null;
+  protected FileSystem fs = null;
+  protected String namenode = null;
+  private static File tmpDir;
+
+  @Before
+  @Override
+  public void setUp() throws Exception {
+    super.setUp();
+    conf.setClass(PolicyProvider.POLICY_PROVIDER_CONFIG,
+        HDFSPolicyProvider.class, PolicyProvider.class);
+    conf.setInt(DFSConfigKeys.DFS_REPLICATION_KEY, 1);
+
+    tmpDir = new File(System.getProperty("test.build.data", "target"),
+        UUID.randomUUID().toString()).getAbsoluteFile();
+    conf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
+        JavaKeyStoreProvider.SCHEME_NAME + "://file" + tmpDir + "/test.jks");
+
+    dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
+    dfsCluster.waitClusterUp();
+    createAKey("mykey", conf);
+    namenode = conf.get(DFSConfigKeys.FS_DEFAULT_NAME_KEY, "file:///");
+
+    username = System.getProperty("user.name");
+
+    fs = dfsCluster.getFileSystem();
+    assertTrue("Not an HDFS: " + fs.getUri(),
+        fs instanceof DistributedFileSystem);
+  }
+
+  @After
+  @Override
+  public void tearDown() throws Exception {
+    if (fs != null) {
+      fs.close();
+    }
+    if (dfsCluster != null) {
+      dfsCluster.shutdown();
+    }
+    Thread.sleep(2000);
+    super.tearDown();
+  }
+
+  /* Helper function to create a key in the Key Provider. */
+  private void createAKey(String keyId, Configuration conf)
+    throws NoSuchAlgorithmException, IOException {
+    final KeyProvider provider =
+        dfsCluster.getNameNode().getNamesystem().getProvider();
+    final KeyProvider.Options options = KeyProvider.options(conf);
+    provider.createKey(keyId, options);
+    provider.flush();
+    }
+
+  @Override
+  protected String getTestFile() {
+    return "testCryptoConf.xml";
+  }
+
+  @Override
+  protected String expandCommand(final String cmd) {
+    String expCmd = cmd;
+    expCmd = expCmd.replaceAll("NAMENODE", namenode);
+    expCmd = expCmd.replaceAll("#LF#",
+        System.getProperty("line.separator"));
+    expCmd = super.expandCommand(expCmd);
+    return expCmd;
+  }
+
+  @Override
+  protected TestConfigFileParser getConfigParser() {
+    return new TestConfigFileParserCryptoAdmin();
+  }
+
+  private class TestConfigFileParserCryptoAdmin extends
+      CLITestHelper.TestConfigFileParser {
+    @Override
+    public void endElement(String uri, String localName, String qName)
+        throws SAXException {
+      if (qName.equals("crypto-admin-command")) {
+        if (testCommands != null) {
+          testCommands.add(new CLITestCmdCryptoAdmin(charString,
+              new CLICommandCryptoAdmin()));
+        } else if (cleanupCommands != null) {
+          cleanupCommands.add(new CLITestCmdCryptoAdmin(charString,
+              new CLICommandCryptoAdmin()));
+        }
+      } else {
+        super.endElement(uri, localName, qName);
+      }
+    }
+  }
+
+  private class CLITestCmdCryptoAdmin extends CLITestCmd {
+    public CLITestCmdCryptoAdmin(String str, CLICommandTypes type) {
+      super(str, type);
+    }
+
+    @Override
+    public CommandExecutor getExecutor(String tag)
+        throws IllegalArgumentException {
+      if (getType() instanceof CLICommandCryptoAdmin) {
+        return new CryptoAdminCmdExecutor(tag, new CryptoAdmin(conf));
+      }
+      return super.getExecutor(tag);
+    }
+  }
+
+  @Override
+  protected Result execute(CLICommand cmd) throws Exception {
+    return cmd.getExecutor(namenode).executeCommand(cmd.getCmd());
+  }
+
+  @Test
+  @Override
+  public void testAll () {
+    super.testAll();
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/util/CLICommandCryptoAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/util/CLICommandCryptoAdmin.java
new file mode 100644
index 00000000000..89d28a7b502
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/util/CLICommandCryptoAdmin.java
@@ -0,0 +1,21 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p/>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p/>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.cli.util;
+
+public class CLICommandCryptoAdmin implements CLICommandTypes {
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/util/CryptoAdminCmdExecutor.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/util/CryptoAdminCmdExecutor.java
new file mode 100644
index 00000000000..f781bf8d877
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/util/CryptoAdminCmdExecutor.java
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.cli.util;
+
+import org.apache.hadoop.hdfs.tools.CryptoAdmin;
+import org.apache.hadoop.util.ToolRunner;
+
+public class CryptoAdminCmdExecutor extends CommandExecutor {
+  protected String namenode = null;
+  protected CryptoAdmin admin = null;
+
+  public CryptoAdminCmdExecutor(String namenode, CryptoAdmin admin) {
+    this.namenode = namenode;
+    this.admin = admin;
+  }
+
+  @Override
+  protected void execute(final String cmd) throws Exception {
+    String[] args = getCommandAsArgs(cmd, "NAMENODE", this.namenode);
+    ToolRunner.run(admin, args);
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
new file mode 100644
index 00000000000..82b17ffda18
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
@@ -0,0 +1,266 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-stylesheet type="text/xsl" href="testConf.xsl"?>
+
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+
+<configuration>
+  <!-- Normal mode is test. To run just the commands and dump the output
+       to the log, set it to nocompare -->
+  <mode>test</mode>
+
+  <!--  Comparator types:
+           ExactComparator
+           SubstringComparator
+           RegexpComparator
+           TokenComparator
+           -->
+  <tests>
+
+    <test>
+      <description>Test basic usage</description>
+      <test-commands>
+        <crypto-admin-command></crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+	  <expected-output>Usage: bin/hdfs crypto [COMMAND]</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test create ez, dir doesn't exist</description>
+      <test-commands>
+        <command>-fs NAMENODE -ls /test</command>-
+        <crypto-admin-command>-createZone -path /test</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>cannot find /test</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test failure of create ez on an existing ez</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /foo</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
+        <command>-fs NAMENODE -rmdir /foo</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>Directory /foo is already in an encryption zone</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test success of create ez in which a key is created</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /foo</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
+        <command>-fs NAMENODE -rmdir /foo</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>Added encryption zone /foo</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test failure of Create EZ operation in an existing EZ.</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /foo</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
+        <command>-fs NAMENODE -mkdir /foo/bar</command>
+        <crypto-admin-command>-createZone -path /foo/bar</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rmdir /foo/bar</command>
+        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
+        <command>-fs NAMENODE -rmdir /foo</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>Directory /foo/bar is already in an encryption zone. (/foo)</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test failure of creating an EZ using a non-empty directory.</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /foo</command>
+        <command>-fs NAMENODE -touchz /foo/bar</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rm /foo/bar</command>
+        <command>-fs NAMENODE -rmdir /foo</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>Attempt to create an encryption zone for a non-empty directory.</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test failure of creating an EZ passing a key that doesn't exist.</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /foo</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /foo -keyId doesntexist</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rmdir /foo</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>Key doesntexist doesn't exist.</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test success of creating an EZ when the key exists.</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /foo</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /foo -keyId mykey</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
+        <command>-fs NAMENODE -rmdir /foo</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>Added encryption zone /foo</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test failure of deleting an EZ passing a directory that doesn't exist.</description>
+      <test-commands>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>Directory /foo is not the root of an encryption zone.</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test failure of deleting an EZ which is not empty.</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /foo</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
+        <command>-fs NAMENODE -touchz /foo/bar</command>
+        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rm /foo/bar</command>
+        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
+        <command>-fs NAMENODE -rmdir /foo</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>Attempt to delete an encryption zone for a non-empty directory.</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test failure of deleting an EZ on a subdir that is not the root of an EZ.</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /foo</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
+        <command>-fs NAMENODE -mkdir /foo/bar</command>
+        <crypto-admin-command>-deleteZone -path /foo/bar</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rmdir /foo/bar</command>
+        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
+        <command>-fs NAMENODE -rmdir /foo</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>Directory /foo/bar is not the root of an encryption zone.</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test success of creating and deleting an encryption zone a few levels down.</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /foo</command>
+        <command>-fs NAMENODE -mkdir /foo/bar</command>
+        <command>-fs NAMENODE -mkdir /foo/bar/baz</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /foo/bar/baz</crypto-admin-command>
+        <crypto-admin-command>-deleteZone -path /foo/bar/baz</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rmdir /foo/bar/baz</command>
+        <command>-fs NAMENODE -rmdir /foo/bar</command>
+        <command>-fs NAMENODE -rmdir /foo/</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>Deleted encryption zone /foo/bar/baz</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+  </tests>
+</configuration>

From 6023da8ef92f56d919f4b0638eb87efaa7ed4036 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Thu, 26 Jun 2014 19:18:09 +0000
Subject: [PATCH 017/354] Removing two zero java files

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1605881 13f79535-47bb-0310-9956-ffa450edef68
---
 .../main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java    | 0
 .../main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java    | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java
 delete mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRDecryptor.java
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTREncryptor.java
deleted file mode 100644
index e69de29bb2d..00000000000

From 2efea952139b30dd1c881eed0b443ffa72be6dce Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 27 Jun 2014 20:43:41 +0000
Subject: [PATCH 018/354] HDFS-6391. Get the Key/IV from the NameNode for
 encrypted files in DFSClient. Contributed by Charles Lamb and Andrew Wang.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1606220 13f79535-47bb-0310-9956-ffa450edef68
---
 .../org/apache/hadoop/crypto/CipherSuite.java |  62 +++++++++++
 .../apache/hadoop/fs/FileEncryptionInfo.java  |  83 ++++++++++++++
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   3 +
 .../main/java/org/apache/hadoop/fs/Hdfs.java  |  41 +------
 .../org/apache/hadoop/hdfs/DFSClient.java     |  57 +++++++++-
 .../apache/hadoop/hdfs/DFSInputStream.java    |  26 ++---
 .../apache/hadoop/hdfs/DFSOutputStream.java   |  29 ++---
 .../hadoop/hdfs/DistributedFileSystem.java    |  32 +++---
 .../hadoop/hdfs/protocol/HdfsConstants.java   |   9 --
 .../hadoop/hdfs/protocol/HdfsFileStatus.java  |  27 ++---
 .../hdfs/protocol/HdfsLocatedFileStatus.java  |   6 +-
 .../hadoop/hdfs/protocol/LocatedBlocks.java   |  22 ++--
 .../SnapshottableDirectoryStatus.java         |   2 +-
 .../hadoop/hdfs/protocolPB/PBHelper.java      |  71 +++++++++---
 .../server/blockmanagement/BlockManager.java  |  11 +-
 .../server/common/HdfsServerConstants.java    |   5 +
 .../hdfs/server/namenode/FSDirectory.java     | 101 ++++++++++++++----
 .../hdfs/server/namenode/FSNamesystem.java    |  19 ++--
 .../org/apache/hadoop/hdfs/web/JsonUtil.java  |   4 +-
 .../hadoop-hdfs/src/main/proto/hdfs.proto     |  20 ++--
 .../hadoop/hdfs/TestDFSClientRetries.java     |   6 +-
 .../org/apache/hadoop/hdfs/TestDFSUtil.java   |   2 +-
 .../org/apache/hadoop/hdfs/TestLease.java     |   4 +-
 .../hadoop/hdfs/server/namenode/TestFsck.java |   2 +-
 .../apache/hadoop/hdfs/web/TestJsonUtil.java  |   2 +-
 25 files changed, 442 insertions(+), 204 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
new file mode 100644
index 00000000000..6363bdb5807
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.crypto;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+/**
+ * Defines properties of a CipherSuite. Modeled after the ciphers in
+ * {@link javax.crypto.Cipher}.
+ */
+@InterfaceAudience.Private
+public enum CipherSuite {
+  AES_CTR_NOPADDING("AES/CTR/NoPadding", 128);
+
+  private final String name;
+  private final int blockBits;
+
+  CipherSuite(String name, int blockBits) {
+    this.name = name;
+    this.blockBits = blockBits;
+  }
+
+  /**
+   * @return name of cipher suite, as in {@link javax.crypto.Cipher}
+   */
+  public String getName() {
+    return name;
+  }
+
+  /**
+   * @return size of an algorithm block in bits
+   */
+  public int getNumberBlockBits() {
+    return blockBits;
+  }
+
+  @Override
+  public String toString() {
+    StringBuilder builder = new StringBuilder("{");
+    builder.append("name: " + getName() + ", ");
+    builder.append("numBlockBits: " + getNumberBlockBits());
+    builder.append("}");
+    return builder.toString();
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java
new file mode 100644
index 00000000000..53f35bde97f
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java
@@ -0,0 +1,83 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.fs;
+
+import org.apache.commons.codec.binary.Hex;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.crypto.CipherSuite;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.base.Preconditions.checkNotNull;
+
+/**
+ * FileEncryptionInfo encapsulates all the encryption-related information for
+ * an encrypted file.
+ */
+@InterfaceAudience.Private
+public class FileEncryptionInfo {
+
+  private final CipherSuite cipherSuite;
+  private final byte[] key;
+  private final byte[] iv;
+
+  public FileEncryptionInfo(CipherSuite suite, byte[] key, byte[] iv) {
+    checkNotNull(suite);
+    checkNotNull(key);
+    checkNotNull(iv);
+    checkArgument(key.length == suite.getNumberBlockBits() / 8,
+        "Unexpected key length");
+    checkArgument(iv.length == suite.getNumberBlockBits() / 8,
+        "Unexpected IV length");
+    this.cipherSuite = suite;
+    this.key = key;
+    this.iv = iv;
+  }
+
+  /**
+   * @return {@link org.apache.hadoop.crypto.CipherSuite} used to encrypt
+   * the file.
+   */
+  public CipherSuite getCipherSuite() {
+    return cipherSuite;
+  }
+
+  /**
+   * @return encrypted data encryption key for the file
+   */
+  public byte[] getEncryptedDataEncryptionKey() {
+    return key;
+  }
+
+  /**
+   * @return initialization vector for the cipher used to encrypt the file
+   */
+  public byte[] getIV() {
+    return iv;
+  }
+
+  @Override
+  public String toString() {
+    StringBuilder builder = new StringBuilder("{");
+    builder.append("cipherSuite: " + cipherSuite);
+    builder.append(", key: " + Hex.encodeHexString(key));
+    builder.append(", iv: " + Hex.encodeHexString(iv));
+    builder.append("}");
+    return builder.toString();
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 91b0a082a54..d539ef1e1a4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -23,6 +23,9 @@ fs-encryption (Unreleased)
     HDFS-6476. Print out the KeyProvider after finding KP successfully on
     startup. (Juan Yu via wang)
 
+    HDFS-6391. Get the Key/IV from the NameNode for encrypted files in
+    DFSClient. (Charles Lamb and wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java
index 23a954c0f39..e779cb51d01 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java
@@ -31,8 +31,6 @@
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.crypto.CryptoCodec;
-import org.apache.hadoop.crypto.CryptoOutputStream;
-import org.apache.hadoop.crypto.CryptoInputStream;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.FsPermission;
@@ -57,8 +55,6 @@
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
 import org.apache.hadoop.util.Progressable;
 
-import com.google.common.base.Preconditions;
-
 @InterfaceAudience.Private
 @InterfaceStability.Evolving
 public class Hdfs extends AbstractFileSystem {
@@ -108,23 +104,8 @@ public HdfsDataOutputStream createInternal(Path f,
     final DFSOutputStream dfsos = dfs.primitiveCreate(getUriPath(f),
       absolutePermission, createFlag, createParent, replication, blockSize,
       progress, bufferSize, checksumOpt);
-    final byte[] key = dfsos.getKey();
-    final byte[] iv = dfsos.getIv();
-    Preconditions.checkState(!(key == null ^ iv == null),
-      "Only one of the Key and IV were found.");
-    if (false && key != null) {
-
-      /*
-       * The Key and IV were found. Wrap up the output stream with an encryption
-       * wrapper.
-       */
-      final CryptoOutputStream cbos =
-        new CryptoOutputStream(dfsos, factory, key, iv);
-      return new HdfsDataOutputStream(cbos, getStatistics());
-    } else {
-      /* No key/IV present so no encryption. */
-      return new HdfsDataOutputStream(dfsos, getStatistics());
-    }
+    return dfs.createWrappedOutputStream(dfsos, statistics,
+        dfsos.getInitialLen());
   }
 
   @Override
@@ -335,23 +316,7 @@ public HdfsDataInputStream open(Path f, int bufferSize)
       throws IOException, UnresolvedLinkException {
     final DFSInputStream dfsis = dfs.open(getUriPath(f),
       bufferSize, verifyChecksum);
-    final byte[] key = dfsis.getKey();
-    final byte[] iv = dfsis.getIv();
-    Preconditions.checkState(!(key == null ^ iv == null),
-      "Only one of the Key and IV were found.");
-    if (false && key != null) {
-
-      /*
-       * The Key and IV were found. Wrap up the input stream with an encryption
-       * wrapper.
-       */
-      final CryptoInputStream cbis =
-        new CryptoInputStream(dfsis, factory, key, iv);
-      return new HdfsDataInputStream(cbis);
-    } else {
-      /* No key/IV pair so no encryption. */
-      return new HdfsDataInputStream(dfsis);
-    }
+    return dfs.createWrappedInputStream(dfsis);
   }
 
   @Override
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index bf8cf2fb20c..013fbc0f4f3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -94,6 +94,9 @@
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CryptoCodec;
+import org.apache.hadoop.crypto.CryptoInputStream;
+import org.apache.hadoop.crypto.CryptoOutputStream;
 import org.apache.hadoop.fs.BlockLocation;
 import org.apache.hadoop.fs.BlockStorageLocation;
 import org.apache.hadoop.fs.CacheFlag;
@@ -101,6 +104,7 @@
 import org.apache.hadoop.fs.ContentSummary;
 import org.apache.hadoop.fs.CreateFlag;
 import org.apache.hadoop.fs.FileAlreadyExistsException;
+import org.apache.hadoop.fs.FileEncryptionInfo;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.FsServerDefaults;
 import org.apache.hadoop.fs.FsStatus;
@@ -241,6 +245,7 @@ public class DFSClient implements java.io.Closeable, RemotePeerFactory {
   private static final DFSHedgedReadMetrics HEDGED_READ_METRIC =
       new DFSHedgedReadMetrics();
   private static ThreadPoolExecutor HEDGED_READ_THREAD_POOL;
+  private final CryptoCodec codec;
   
   /**
    * DFSClient configuration 
@@ -573,6 +578,7 @@ public DFSClient(URI nameNodeUri, ClientProtocol rpcNamenode,
     this.authority = nameNodeUri == null? "null": nameNodeUri.getAuthority();
     this.clientName = "DFSClient_" + dfsClientConf.taskId + "_" + 
         DFSUtil.getRandom().nextInt()  + "_" + Thread.currentThread().getId();
+    this.codec = CryptoCodec.getInstance(conf);
     
     int numResponseToDrop = conf.getInt(
         DFSConfigKeys.DFS_CLIENT_TEST_DROP_NAMENODE_RESPONSE_NUM_KEY,
@@ -1267,7 +1273,54 @@ public BlockStorageLocation[] getBlockStorageLocations(
 
     return volumeBlockLocations;
   }
-  
+
+  /**
+   * Wraps the stream in a CryptoInputStream if the underlying file is
+   * encrypted.
+   */
+  public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
+      throws IOException {
+    final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
+    if (feInfo != null) {
+      // File is encrypted, wrap the stream in a crypto stream.
+      final CryptoInputStream cryptoIn =
+          new CryptoInputStream(dfsis, codec,
+              feInfo.getEncryptedDataEncryptionKey(), feInfo.getIV());
+      return new HdfsDataInputStream(cryptoIn);
+    } else {
+      // No key/IV pair so no encryption.
+      return new HdfsDataInputStream(dfsis);
+    }
+  }
+
+  /**
+   * Wraps the stream in a CryptoOutputStream if the underlying file is
+   * encrypted.
+   */
+  public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
+      FileSystem.Statistics statistics) throws IOException {
+    return createWrappedOutputStream(dfsos, statistics, 0);
+  }
+
+  /**
+   * Wraps the stream in a CryptoOutputStream if the underlying file is
+   * encrypted.
+   */
+  public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
+      FileSystem.Statistics statistics, long startPos) throws IOException {
+    final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
+    if (feInfo != null) {
+      // File is encrypted, wrap the stream in a crypto stream.
+      final CryptoOutputStream cryptoOut =
+          new CryptoOutputStream(dfsos, codec,
+              feInfo.getEncryptedDataEncryptionKey(), feInfo.getIV(), startPos);
+      return new HdfsDataOutputStream(cryptoOut, statistics, startPos);
+    } else {
+      // No key/IV present so no encryption.
+      return new HdfsDataOutputStream(dfsos, statistics, startPos);
+    }
+  }
+
   public DFSInputStream open(String src) 
       throws IOException, UnresolvedLinkException {
     return open(src, dfsClientConf.ioBufferSize, true, null);
@@ -1595,7 +1648,7 @@ public HdfsDataOutputStream append(final String src, final int buffersize,
       final Progressable progress, final FileSystem.Statistics statistics
       ) throws IOException {
     final DFSOutputStream out = append(src, buffersize, progress);
-    return new HdfsDataOutputStream(out, statistics, out.getInitialLen());
+    return createWrappedOutputStream(out, statistics, out.getInitialLen());
   }
 
   private DFSOutputStream append(String src, int buffersize, Progressable progress) 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInputStream.java
index f9763eced1a..46070ffb890 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInputStream.java
@@ -53,6 +53,7 @@
 import org.apache.hadoop.hdfs.protocol.ClientDatanodeProtocol;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
+import org.apache.hadoop.fs.FileEncryptionInfo;
 import org.apache.hadoop.hdfs.protocol.LocatedBlock;
 import org.apache.hadoop.hdfs.protocol.LocatedBlocks;
 import org.apache.hadoop.hdfs.protocol.datatransfer.InvalidEncryptionKeyException;
@@ -88,8 +89,7 @@ public class DFSInputStream extends FSInputStream
   private final boolean verifyChecksum;
   private LocatedBlocks locatedBlocks = null;
   private long lastBlockBeingWrittenLength = 0;
-  private byte[] key = null;
-  private byte[] iv = null;
+  private FileEncryptionInfo fileEncryptionInfo = null;
   private DatanodeInfo currentNode = null;
   private LocatedBlock currentLocatedBlock = null;
   private long pos = 0;
@@ -299,8 +299,8 @@ private long fetchLocatedBlocksAndGetLastBlockLength() throws IOException {
       }
     }
 
-    key = locatedBlocks.getKey();
-    iv = locatedBlocks.getIv();
+    fileEncryptionInfo = locatedBlocks.getFileEncryptionInfo();
+
     currentNode = null;
     return lastBlockBeingWrittenLength;
   }
@@ -1521,22 +1521,8 @@ public synchronized ReadStatistics getReadStatistics() {
     return new ReadStatistics(readStatistics);
   }
 
-  /**
-   * Get the encryption key for this stream.
-   *
-   * @return byte[] the key
-   */
-  public synchronized byte[] getKey() {
-    return key;
-  }
-
-  /**
-   * Get the encryption initialization vector (IV) for this stream.
-   *
-   * @return byte[] the initialization vector (IV).
-   */
-  public synchronized byte[] getIv() {
-    return iv;
+  public synchronized FileEncryptionInfo getFileEncryptionInfo() {
+    return fileEncryptionInfo;
   }
 
   private synchronized void closeCurrentBlockReader() {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
index dde4bad7ef2..508e3bd4f66 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
@@ -46,6 +46,7 @@
 import org.apache.hadoop.fs.CreateFlag;
 import org.apache.hadoop.fs.FSOutputSummer;
 import org.apache.hadoop.fs.FileAlreadyExistsException;
+import org.apache.hadoop.fs.FileEncryptionInfo;
 import org.apache.hadoop.fs.ParentNotDirectoryException;
 import org.apache.hadoop.fs.Syncable;
 import org.apache.hadoop.fs.permission.FsPermission;
@@ -154,9 +155,8 @@ public class DFSOutputStream extends FSOutputSummer
   private boolean shouldSyncBlock = false; // force blocks to disk upon close
   private final AtomicReference<CachingStrategy> cachingStrategy;
   private boolean failPacket = false;
-  private byte[] key = null;
-  private byte[] iv = null;
-  
+  private FileEncryptionInfo fileEncryptionInfo;
+
   private static class Packet {
     private static final long HEART_BEAT_SEQNO = -1L;
     final long seqno; // sequencenumber of buffer in block
@@ -1564,8 +1564,7 @@ private DFSOutputStream(DFSClient dfsClient, String src, Progressable progress,
     this.fileId = stat.getFileId();
     this.blockSize = stat.getBlockSize();
     this.blockReplication = stat.getReplication();
-    this.key = stat.getKey();
-    this.iv = stat.getIv();
+    this.fileEncryptionInfo = stat.getFileEncryptionInfo();
     this.progress = progress;
     this.cachingStrategy = new AtomicReference<CachingStrategy>(
         dfsClient.getDefaultWriteCachingStrategy());
@@ -1654,6 +1653,7 @@ private DFSOutputStream(DFSClient dfsClient, String src,
           checksum.getBytesPerChecksum());
       streamer = new DataStreamer();
     }
+    this.fileEncryptionInfo = stat.getFileEncryptionInfo();
   }
 
   static DFSOutputStream newStreamForAppend(DFSClient dfsClient, String src,
@@ -2178,26 +2178,15 @@ synchronized void setTestFilename(String newname) {
   /**
    * Returns the size of a file as it was when this stream was opened
    */
-  long getInitialLen() {
+  public long getInitialLen() {
     return initialFileSize;
   }
 
   /**
-   * Get the encryption key for this stream.
-   *
-   * @return byte[] the key.
+   * @return the FileEncryptionInfo for this stream, or null if not encrypted.
    */
-  public byte[] getKey() {
-    return key;
-  }
-
-  /**
-   * Get the encryption initialization vector (IV) for this stream.
-   *
-   * @return byte[] the initialization vector (IV).
-   */
-  public byte[] getIv() {
-    return iv;
+  public FileEncryptionInfo getFileEncryptionInfo() {
+    return fileEncryptionInfo;
   }
 
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
index 0adb9202cfc..1abf85bb79b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
@@ -60,7 +60,6 @@
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.client.HdfsAdmin;
-import org.apache.hadoop.hdfs.client.HdfsDataInputStream;
 import org.apache.hadoop.hdfs.client.HdfsDataOutputStream;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveEntry;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveInfo;
@@ -291,8 +290,9 @@ public FSDataInputStream open(Path f, final int bufferSize)
       @Override
       public FSDataInputStream doCall(final Path p)
           throws IOException, UnresolvedLinkException {
-        return new HdfsDataInputStream(
-            dfs.open(getPathName(p), bufferSize, verifyChecksum));
+        final DFSInputStream dfsis =
+          dfs.open(getPathName(p), bufferSize, verifyChecksum);
+        return dfs.createWrappedInputStream(dfsis);
       }
       @Override
       public FSDataInputStream next(final FileSystem fs, final Path p)
@@ -357,7 +357,7 @@ public HdfsDataOutputStream doCall(final Path p)
                 : EnumSet.of(CreateFlag.CREATE),
             true, replication, blockSize, progress, bufferSize, null,
             favoredNodes);
-        return new HdfsDataOutputStream(out, statistics);
+        return dfs.createWrappedOutputStream(out, statistics);
       }
       @Override
       public HdfsDataOutputStream next(final FileSystem fs, final Path p)
@@ -385,9 +385,10 @@ public FSDataOutputStream create(final Path f, final FsPermission permission,
       @Override
       public FSDataOutputStream doCall(final Path p)
           throws IOException, UnresolvedLinkException {
-        return new HdfsDataOutputStream(dfs.create(getPathName(p), permission,
-            cflags, replication, blockSize, progress, bufferSize, checksumOpt),
-            statistics);
+        final DFSOutputStream dfsos = dfs.create(getPathName(p), permission,
+                cflags, replication, blockSize, progress, bufferSize,
+                checksumOpt);
+        return dfs.createWrappedOutputStream(dfsos, statistics);
       }
       @Override
       public FSDataOutputStream next(final FileSystem fs, final Path p)
@@ -404,11 +405,12 @@ protected HdfsDataOutputStream primitiveCreate(Path f,
     short replication, long blockSize, Progressable progress,
     ChecksumOpt checksumOpt) throws IOException {
     statistics.incrementWriteOps(1);
-    return new HdfsDataOutputStream(dfs.primitiveCreate(
-        getPathName(fixRelativePart(f)),
-        absolutePermission, flag, true, replication, blockSize,
-        progress, bufferSize, checksumOpt),statistics);
-   }
+    final DFSOutputStream dfsos = dfs.primitiveCreate(
+      getPathName(fixRelativePart(f)),
+      absolutePermission, flag, true, replication, blockSize,
+      progress, bufferSize, checksumOpt);
+    return dfs.createWrappedOutputStream(dfsos, statistics);
+  }
 
   /**
    * Same as create(), except fails if parent directory doesn't already exist.
@@ -428,9 +430,9 @@ public FSDataOutputStream createNonRecursive(final Path f,
       @Override
       public FSDataOutputStream doCall(final Path p) throws IOException,
           UnresolvedLinkException {
-        return new HdfsDataOutputStream(dfs.create(getPathName(p), permission,
-            flag, false, replication, blockSize, progress, bufferSize, null),
-            statistics);
+        final DFSOutputStream dfsos = dfs.create(getPathName(p), permission,
+          flag, false, replication, blockSize, progress, bufferSize, null);
+        return dfs.createWrappedOutputStream(dfsos, statistics);
       }
 
       @Override
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java
index 06c658cb2ec..7cc8c318803 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsConstants.java
@@ -161,13 +161,4 @@ public static enum DatanodeReportType {
   
   public static final String SEPARATOR_DOT_SNAPSHOT_DIR
       = Path.SEPARATOR + DOT_SNAPSHOT_DIR; 
-
-  public static final String CRYPTO_XATTR_KEY_ID = "system.hdfs.crypto.key-id";
-  public static final String CRYPTO_XATTR_KEY_VERSION_ID =
-    "system.hdfs.crypto.key-version-id";
-  public static final String CRYPTO_XATTR_IV = "system.hdfs.crypto.iv";
-  public static final int CRYPTO_KEY_SIZE = 128;
-  /* Temporary until we stop hard-coding these values. */
-  public static final byte[] KEY = "0123456789012345".getBytes();
-  public static final byte[] IV = "ABCDEFGJIJKLMNOP".getBytes();
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java
index b7310c5c0c4..90715f76b8b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java
@@ -21,6 +21,7 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.fs.FileEncryptionInfo;
 import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsPermission;
@@ -45,8 +46,7 @@ public class HdfsFileStatus {
   private final String group;
   private final long fileId;
 
-  private final byte[] key;
-  private final byte[] iv;
+  private final FileEncryptionInfo feInfo;
   
   // Used by dir, not including dot and dotdot. Always zero for a regular file.
   private final int childrenNum;
@@ -66,20 +66,12 @@ public class HdfsFileStatus {
    * @param group the group of the path
    * @param path the local name in java UTF8 encoding the same as that in-memory
    * @param fileId the file id
+   * @param feInfo the file's encryption info
    */
   public HdfsFileStatus(long length, boolean isdir, int block_replication,
       long blocksize, long modification_time, long access_time,
       FsPermission permission, String owner, String group, byte[] symlink,
-      byte[] path, long fileId, int childrenNum) {
-    this(length, isdir, block_replication, blocksize, modification_time,
-      access_time, permission, owner, group, symlink, path, fileId,
-      childrenNum, HdfsConstants.KEY, HdfsConstants.IV);
-  }
-
-  public HdfsFileStatus(long length, boolean isdir, int block_replication,
-      long blocksize, long modification_time, long access_time,
-      FsPermission permission, String owner, String group, byte[] symlink,
-    byte[] path, long fileId, int childrenNum, byte[] key, byte[] iv) {
+    byte[] path, long fileId, int childrenNum, FileEncryptionInfo feInfo) {
     this.length = length;
     this.isdir = isdir;
     this.block_replication = (short)block_replication;
@@ -97,8 +89,7 @@ public HdfsFileStatus(long length, boolean isdir, int block_replication,
     this.path = path;
     this.fileId = fileId;
     this.childrenNum = childrenNum;
-    this.key = key;
-    this.iv = iv;
+    this.feInfo = feInfo;
   }
 
   /**
@@ -252,12 +243,8 @@ final public long getFileId() {
     return fileId;
   }
   
-  final public byte[] getKey() {
-    return key;
-  }
-
-  final public byte[] getIv() {
-    return iv;
+  final public FileEncryptionInfo getFileEncryptionInfo() {
+    return feInfo;
   }
 
   final public int getChildrenNum() {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java
index dfe566077be..6694d85c2d5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java
@@ -21,6 +21,7 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.fs.FileEncryptionInfo;
 import org.apache.hadoop.fs.LocatedFileStatus;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsPermission;
@@ -51,15 +52,16 @@ public class HdfsLocatedFileStatus extends HdfsFileStatus {
    * @param path local path name in java UTF8 format 
    * @param fileId the file id
    * @param locations block locations
+   * @param feInfo file encryption info
    */
   public HdfsLocatedFileStatus(long length, boolean isdir,
       int block_replication, long blocksize, long modification_time,
       long access_time, FsPermission permission, String owner, String group,
       byte[] symlink, byte[] path, long fileId, LocatedBlocks locations,
-    int childrenNum, byte[] key, byte[] iv) {
+    int childrenNum, FileEncryptionInfo feInfo) {
     super(length, isdir, block_replication, blocksize, modification_time,
       access_time, permission, owner, group, symlink, path, fileId,
-      childrenNum, key, iv);
+      childrenNum, feInfo);
     this.locations = locations;
   }
 	
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/LocatedBlocks.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/LocatedBlocks.java
index 4fc2bc064c1..436fa14e1c5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/LocatedBlocks.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/LocatedBlocks.java
@@ -23,6 +23,7 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.fs.FileEncryptionInfo;
 
 /**
  * Collection of blocks with their locations and the file length.
@@ -35,27 +36,23 @@ public class LocatedBlocks {
   private final boolean underConstruction;
   private LocatedBlock lastLocatedBlock = null;
   private boolean isLastBlockComplete = false;
-  private final byte[] key;
-  private final byte[] iv;
+  private FileEncryptionInfo fileEncryptionInfo = null;
 
   public LocatedBlocks() {
     fileLength = 0;
     blocks = null;
     underConstruction = false;
-    key = null;
-    iv = null;
   }
 
   public LocatedBlocks(long flength, boolean isUnderConstuction,
     List<LocatedBlock> blks, LocatedBlock lastBlock,
-    boolean isLastBlockCompleted, byte[] key, byte[] iv) {
+    boolean isLastBlockCompleted, FileEncryptionInfo feInfo) {
     fileLength = flength;
     blocks = blks;
     underConstruction = isUnderConstuction;
     this.lastLocatedBlock = lastBlock;
     this.isLastBlockComplete = isLastBlockCompleted;
-    this.key = key;
-    this.iv = iv;
+    this.fileEncryptionInfo = feInfo;
   }
   
   /**
@@ -103,13 +100,12 @@ public long getFileLength() {
   public boolean isUnderConstruction() {
     return underConstruction;
   }
-  
-  public byte[] getKey() {
-    return key;
-  }
 
-  public byte[] getIv() {
-    return iv;
+  /**
+   * @return the FileEncryptionInfo for the LocatedBlocks
+   */
+  public FileEncryptionInfo getFileEncryptionInfo() {
+    return fileEncryptionInfo;
   }
 
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/SnapshottableDirectoryStatus.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/SnapshottableDirectoryStatus.java
index b18e3f3458f..d3952833d1b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/SnapshottableDirectoryStatus.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/SnapshottableDirectoryStatus.java
@@ -61,7 +61,7 @@ public SnapshottableDirectoryStatus(long modification_time, long access_time,
       int snapshotNumber, int snapshotQuota, byte[] parentFullPath) {
     this.dirStatus = new HdfsFileStatus(0, true, 0, 0, modification_time,
         access_time, permission, owner, group, null, localName, inodeId,
-        childrenNum, null /* key */, null /* IV */);
+        childrenNum, null);
     this.snapshotNumber = snapshotNumber;
     this.snapshotQuota = snapshotQuota;
     this.parentFullPath = parentFullPath;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index b25c280febe..98ac0d3cfdc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -44,7 +44,6 @@
 import org.apache.hadoop.ha.proto.HAServiceProtocolProtos;
 import org.apache.hadoop.hdfs.DFSUtil;
 import org.apache.hadoop.hdfs.StorageType;
-import org.apache.hadoop.hdfs.XAttrHelper;
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveEntry;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveInfo;
@@ -52,6 +51,7 @@
 import org.apache.hadoop.hdfs.protocol.CachePoolEntry;
 import org.apache.hadoop.hdfs.protocol.CachePoolInfo;
 import org.apache.hadoop.hdfs.protocol.CachePoolStats;
+import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.hdfs.protocol.ClientProtocol;
 import org.apache.hadoop.hdfs.protocol.CorruptFileBlocks;
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
@@ -61,6 +61,7 @@
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
 import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
+import org.apache.hadoop.fs.FileEncryptionInfo;
 import org.apache.hadoop.hdfs.protocol.FsAclPermission;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.RollingUpgradeAction;
@@ -1133,8 +1134,8 @@ public static LocatedBlocks convert(LocatedBlocksProto lb) {
         PBHelper.convertLocatedBlock(lb.getBlocksList()),
         lb.hasLastBlock() ? PBHelper.convert(lb.getLastBlock()) : null,
         lb.getIsLastBlockComplete(),
-        lb.hasKey() ? lb.getKey().toByteArray() : null,
-        lb.hasIv() ? lb.getIv().toByteArray() : null);
+        lb.hasFileEncryptionInfo() ? convert(lb.getFileEncryptionInfo()) :
+            null);
   }
   
   public static LocatedBlocksProto convert(LocatedBlocks lb) {
@@ -1146,11 +1147,8 @@ public static LocatedBlocksProto convert(LocatedBlocks lb) {
     if (lb.getLastLocatedBlock() != null) {
       builder.setLastBlock(PBHelper.convert(lb.getLastLocatedBlock()));
     }
-    if (lb.getKey() != null) {
-      builder.setKey(ByteString.copyFrom(lb.getKey()));
-    }
-    if (lb.getIv() != null) {
-      builder.setIv(ByteString.copyFrom(lb.getIv()));
+    if (lb.getFileEncryptionInfo() != null) {
+      builder.setFileEncryptionInfo(convert(lb.getFileEncryptionInfo()));
     }
     return builder.setFileLength(lb.getFileLength())
         .setUnderConstruction(lb.isUnderConstruction())
@@ -1278,8 +1276,8 @@ public static HdfsFileStatus convert(HdfsFileStatusProto fs) {
         fs.hasFileId()? fs.getFileId(): INodeId.GRANDFATHER_INODE_ID,
         fs.hasLocations() ? PBHelper.convert(fs.getLocations()) : null,
         fs.hasChildrenNum() ? fs.getChildrenNum() : -1,
-        fs.hasKey() ? fs.getKey().toByteArray() : null,
-        fs.hasIv() ? fs.getIv().toByteArray() : null);
+        fs.hasFileEncryptionInfo() ? convert(fs.getFileEncryptionInfo()) :
+            null);
   }
 
   public static SnapshottableDirectoryStatus convert(
@@ -1329,11 +1327,8 @@ public static HdfsFileStatusProto convert(HdfsFileStatus fs) {
     if (fs.isSymlink())  {
       builder.setSymlink(ByteString.copyFrom(fs.getSymlinkInBytes()));
     }
-    if (fs.getKey() != null) {
-      builder.setKey(ByteString.copyFrom(fs.getKey()));
-    }
-    if (fs.getIv() != null) {
-      builder.setIv(ByteString.copyFrom(fs.getIv()));
+    if (fs.getFileEncryptionInfo() != null) {
+      builder.setFileEncryptionInfo(convert(fs.getFileEncryptionInfo()));
     }
     if (fs instanceof HdfsLocatedFileStatus) {
       LocatedBlocks locations = ((HdfsLocatedFileStatus)fs).getBlockLocations();
@@ -2280,5 +2275,49 @@ public static SlotId convert(ShortCircuitShmSlotProto slotId) {
   public static ShmId convert(ShortCircuitShmIdProto shmId) {
     return new ShmId(shmId.getHi(), shmId.getLo());
   }
-}
 
+  public static HdfsProtos.FileEncryptionInfoProto.CipherType
+      convert(CipherSuite type) {
+    switch (type) {
+    case AES_CTR_NOPADDING:
+      return HdfsProtos.FileEncryptionInfoProto.CipherType
+          .AES_CTR_NOPADDING;
+    default:
+      return null;
+    }
+  }
+
+  public static CipherSuite convert(
+      HdfsProtos.FileEncryptionInfoProto.CipherType proto) {
+    switch (proto) {
+    case AES_CTR_NOPADDING:
+      return CipherSuite.AES_CTR_NOPADDING;
+    default:
+      return null;
+    }
+  }
+
+  public static HdfsProtos.FileEncryptionInfoProto convert(
+      FileEncryptionInfo info) {
+    if (info == null) {
+      return null;
+    }
+    return HdfsProtos.FileEncryptionInfoProto.newBuilder()
+        .setType(convert(info.getCipherSuite()))
+        .setKey(getByteString(info.getEncryptedDataEncryptionKey()))
+        .setIv(getByteString(info.getIV()))
+        .build();
+  }
+
+  public static FileEncryptionInfo convert(
+      HdfsProtos.FileEncryptionInfoProto proto) {
+    if (proto == null) {
+      return null;
+    }
+    CipherSuite type = convert(proto.getType());
+    byte[] key = proto.getKey().toByteArray();
+    byte[] iv = proto.getIv().toByteArray();
+    return new FileEncryptionInfo(type, key, iv);
+  }
+
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
index 4d8863881c7..2b497bcdfbe 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
@@ -52,7 +52,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
-import org.apache.hadoop.hdfs.protocol.HdfsConstants;
+import org.apache.hadoop.fs.FileEncryptionInfo;
 
 import org.apache.hadoop.hdfs.protocol.LocatedBlock;
 import org.apache.hadoop.hdfs.protocol.LocatedBlocks;
@@ -842,15 +842,15 @@ private LocatedBlock createLocatedBlock(final BlockInfo blk, final long pos
   public LocatedBlocks createLocatedBlocks(final BlockInfo[] blocks,
       final long fileSizeExcludeBlocksUnderConstruction,
       final boolean isFileUnderConstruction, final long offset,
-      final long length, final boolean needBlockToken, final boolean inSnapshot)
+      final long length, final boolean needBlockToken,
+      final boolean inSnapshot, FileEncryptionInfo feInfo)
       throws IOException {
     assert namesystem.hasReadLock();
     if (blocks == null) {
       return null;
     } else if (blocks.length == 0) {
       return new LocatedBlocks(0, isFileUnderConstruction,
-          Collections.<LocatedBlock>emptyList(), null, false,
-          null /* key */, null /* IV */);
+          Collections.<LocatedBlock>emptyList(), null, false, null);
     } else {
       if (LOG.isDebugEnabled()) {
         LOG.debug("blocks = " + java.util.Arrays.asList(blocks));
@@ -875,8 +875,7 @@ public LocatedBlocks createLocatedBlocks(final BlockInfo[] blocks,
       }
       return new LocatedBlocks(
           fileSizeExcludeBlocksUnderConstruction, isFileUnderConstruction,
-          locatedblocks, lastlb, isComplete,
-              HdfsConstants.KEY, HdfsConstants.IV);
+          locatedblocks, lastlb, isComplete, feInfo);
     }
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HdfsServerConstants.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HdfsServerConstants.java
index 7a83bbf21e9..7e4841835c2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HdfsServerConstants.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HdfsServerConstants.java
@@ -292,5 +292,10 @@ static public enum BlockUCState {
   
   public static final String NAMENODE_LEASE_HOLDER = "HDFS_NameNode";
   public static final long NAMENODE_LEASE_RECHECK_INTERVAL = 2000;
+
+  public static final String CRYPTO_XATTR_ENCRYPTION_ZONE =
+      "system.hdfs.crypto.encryption.zone";
+  public static final String CRYPTO_XATTR_FILE_ENCRYPTION_INFO =
+      "system.hdfs.crypto.file.encryption.info";
 }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index 3b1517e0733..93c6fb593c5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -17,6 +17,8 @@
  */
 package org.apache.hadoop.hdfs.server.namenode;
 
+import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants.CRYPTO_XATTR_ENCRYPTION_ZONE;
+import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants.CRYPTO_XATTR_FILE_ENCRYPTION_INFO;
 import static org.apache.hadoop.util.Time.now;
 
 import java.io.Closeable;
@@ -29,12 +31,13 @@
 import java.util.ListIterator;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
 
+import com.google.protobuf.InvalidProtocolBufferException;
 import org.apache.hadoop.HadoopIllegalArgumentException;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.crypto.CryptoCodec;
 import org.apache.hadoop.fs.ContentSummary;
 import org.apache.hadoop.fs.FileAlreadyExistsException;
+import org.apache.hadoop.fs.FileEncryptionInfo;
 import org.apache.hadoop.fs.Options;
 import org.apache.hadoop.fs.Options.Rename;
 import org.apache.hadoop.fs.ParentNotDirectoryException;
@@ -66,6 +69,8 @@
 import org.apache.hadoop.hdfs.protocol.QuotaExceededException;
 import org.apache.hadoop.hdfs.protocol.SnapshotAccessControlException;
 import org.apache.hadoop.hdfs.protocol.SnapshotException;
+import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos;
+import org.apache.hadoop.hdfs.protocolPB.PBHelper;
 import org.apache.hadoop.hdfs.server.blockmanagement.BlockInfo;
 import org.apache.hadoop.hdfs.server.blockmanagement.BlockInfoUnderConstruction;
 import org.apache.hadoop.hdfs.server.blockmanagement.BlockManager;
@@ -85,10 +90,6 @@
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
 
-import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_XATTR_KEY_ID;
-import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_XATTR_IV;
-import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_XATTR_KEY_VERSION_ID;
-
 /**
  * Both FSDirectory and FSNamesystem manage the state of the namespace.
  * FSDirectory is a pure in-memory data structure, all of whose operations
@@ -133,7 +134,6 @@ private static INodeDirectorySnapshottable createRoot(FSNamesystem namesystem) {
   private final INodeMap inodeMap; // Synchronized by dirLock
   private long yieldCount = 0; // keep track of lock yield count.
   private final int inodeXAttrsLimit; //inode xattrs max limit
-  private final CryptoCodec codec;
 
   // lock to protect the directory and BlockMap
   private final ReentrantReadWriteLock dirLock;
@@ -200,7 +200,7 @@ public int getWriteHoldCount() {
     this.inodeXAttrsLimit = conf.getInt(
         DFSConfigKeys.DFS_NAMENODE_MAX_XATTRS_PER_INODE_KEY,
         DFSConfigKeys.DFS_NAMENODE_MAX_XATTRS_PER_INODE_DEFAULT);
-    this.codec = CryptoCodec.getInstance(conf);
+
     Preconditions.checkArgument(this.inodeXAttrsLimit >= 0,
         "Cannot set a negative limit on the number of xattrs per inode (%s).",
         DFSConfigKeys.DFS_NAMENODE_MAX_XATTRS_PER_INODE_KEY);
@@ -1470,8 +1470,8 @@ private DirectoryListing getSnapshotsListing(String src, byte[] startAfter)
    * @return object containing information regarding the file
    *         or null if file not found
    */
-  HdfsFileStatus getFileInfo(String src, boolean resolveLink) 
-      throws UnresolvedLinkException {
+  HdfsFileStatus getFileInfo(String src, boolean resolveLink)
+    throws UnresolvedLinkException, IOException {
     String srcs = normalizePath(src);
     readLock();
     try {
@@ -1480,6 +1480,8 @@ HdfsFileStatus getFileInfo(String src, boolean resolveLink)
       }
       final INodesInPath inodesInPath = getLastINodeInPath(srcs, resolveLink);
       final INode i = inodesInPath.getINode(0);
+
+      final int snapshotId = inodesInPath.getPathSnapshotId();
       return i == null? null: createFileStatus(HdfsFileStatus.EMPTY_NAME, i,
           inodesInPath.getPathSnapshotId());
     } finally {
@@ -1498,7 +1500,7 @@ private HdfsFileStatus getFileInfo4DotSnapshot(String src)
       throws UnresolvedLinkException {
     if (getINode4DotSnapshot(src) != null) {
       return new HdfsFileStatus(0, true, 0, 0, 0, 0, null, null, null, null,
-          HdfsFileStatus.EMPTY_NAME, -1L, 0, null /* key */, null /* IV */);
+          HdfsFileStatus.EMPTY_NAME, -1L, 0, null);
     }
     return null;
   }
@@ -2326,7 +2328,7 @@ private HdfsFileStatus createFileStatus(byte[] path, INode node,
    * Create FileStatus by file INode 
    */
    HdfsFileStatus createFileStatus(byte[] path, INode node,
-       int snapshot) {
+       int snapshot) throws IOException {
      long size = 0;     // length is zero for directories
      short replication = 0;
      long blocksize = 0;
@@ -2338,7 +2340,9 @@ HdfsFileStatus createFileStatus(byte[] path, INode node,
      }
      int childrenNum = node.isDirectory() ? 
          node.asDirectory().getChildrenNum(snapshot) : 0;
-         
+
+     FileEncryptionInfo feInfo = getFileEncryptionInfo(node, snapshot);
+
      return new HdfsFileStatus(
         size, 
         node.isDirectory(), 
@@ -2353,8 +2357,7 @@ HdfsFileStatus createFileStatus(byte[] path, INode node,
         path,
         node.getId(),
         childrenNum,
-        HdfsConstants.KEY,  // key
-        HdfsConstants.IV); // IV
+        feInfo);
   }
 
   /**
@@ -2377,16 +2380,20 @@ private HdfsLocatedFileStatus createLocatedFileStatus(byte[] path,
       final boolean isUc = !inSnapshot && fileNode.isUnderConstruction();
       final long fileSize = !inSnapshot && isUc ? 
           fileNode.computeFileSizeNotIncludingLastUcBlock() : size;
+      final FileEncryptionInfo feInfo = getFileEncryptionInfo(node, snapshot);
+
       loc = getFSNamesystem().getBlockManager().createLocatedBlocks(
           fileNode.getBlocks(), fileSize, isUc, 0L, size, false,
-          inSnapshot);
+          inSnapshot, feInfo);
       if (loc == null) {
         loc = new LocatedBlocks();
       }
     }
     int childrenNum = node.isDirectory() ? 
         node.asDirectory().getChildrenNum(snapshot) : 0;
-        
+
+    final FileEncryptionInfo feInfo = getFileEncryptionInfo(node, snapshot);
+
     HdfsLocatedFileStatus status =
         new HdfsLocatedFileStatus(size, node.isDirectory(), replication,
           blocksize, node.getModificationTime(snapshot),
@@ -2394,7 +2401,7 @@ private HdfsLocatedFileStatus createLocatedFileStatus(byte[] path,
           getPermissionForFileStatus(node, snapshot),
           node.getUserName(snapshot), node.getGroupName(snapshot),
           node.isSymlink() ? node.asSymlink().getSymlink() : null, path,
-          node.getId(), loc, childrenNum, null /* key */, null /* IV */);
+          node.getId(), loc, childrenNum, feInfo);
     // Set caching information for the located blocks.
     if (loc != null) {
       CacheManager cacheManager = namesystem.getCacheManager();
@@ -2665,7 +2672,7 @@ XAttr createEncryptionZone(String src, String keyId)
           "Attempt to create an encryption zone for a non-empty directory.");
       }
       final XAttr keyIdXAttr =
-        XAttrHelper.buildXAttr(CRYPTO_XATTR_KEY_ID, keyId.getBytes());
+        XAttrHelper.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyId.getBytes());
       List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
       xattrs.add(keyIdXAttr);
       unprotectedSetXAttrs(src, xattrs, EnumSet.of(XAttrSetFlag.CREATE));
@@ -2684,7 +2691,7 @@ List<XAttr> deleteEncryptionZone(String src)
           "Attempt to delete an encryption zone for a non-empty directory.");
       }
       final XAttr keyIdXAttr =
-        XAttrHelper.buildXAttr(CRYPTO_XATTR_KEY_ID, null);
+        XAttrHelper.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, null);
       List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
       xattrs.add(keyIdXAttr);
       final List<XAttr> removedXAttrs = unprotectedRemoveXAttrs(src, xattrs);
@@ -2698,6 +2705,62 @@ List<XAttr> deleteEncryptionZone(String src)
     }
   }
 
+  /**
+   * Set the FileEncryptionInfo for an INode.
+   */
+  void setFileEncryptionInfo(String src, FileEncryptionInfo info)
+      throws IOException {
+    // Make the PB for the xattr
+    final HdfsProtos.FileEncryptionInfoProto proto = PBHelper.convert(info);
+    final byte[] protoBytes = proto.toByteArray();
+    final XAttr fileEncryptionAttr =
+        XAttrHelper.buildXAttr(CRYPTO_XATTR_FILE_ENCRYPTION_INFO, protoBytes);
+    final List<XAttr> xAttrs = Lists.newArrayListWithCapacity(1);
+    xAttrs.add(fileEncryptionAttr);
+
+    writeLock();
+    try {
+      unprotectedSetXAttrs(src, xAttrs, EnumSet.of(XAttrSetFlag.CREATE));
+    } finally {
+      writeUnlock();
+    }
+  }
+
+  /**
+   * Return the FileEncryptionInfo for an INode, or null if the INode is not
+   * an encrypted file.
+   */
+  FileEncryptionInfo getFileEncryptionInfo(INode inode, int snapshotId)
+      throws IOException {
+    if (!inode.isFile()) {
+      return null;
+    }
+    readLock();
+    try {
+      List<XAttr> xAttrs = XAttrStorage.readINodeXAttrs(inode, snapshotId);
+      if (xAttrs == null) {
+        return null;
+      }
+      for (XAttr x : xAttrs) {
+        if (XAttrHelper.getPrefixName(x)
+            .equals(CRYPTO_XATTR_FILE_ENCRYPTION_INFO)) {
+          try {
+            HdfsProtos.FileEncryptionInfoProto proto =
+                HdfsProtos.FileEncryptionInfoProto.parseFrom(x.getValue());
+            FileEncryptionInfo feInfo = PBHelper.convert(proto);
+            return feInfo;
+          } catch (InvalidProtocolBufferException e) {
+            throw new IOException("Could not parse file encryption info for " +
+                "inode " + inode, e);
+          }
+        }
+      }
+      return null;
+    } finally {
+      readUnlock();
+    }
+  }
+
   void setXAttrs(final String src, final List<XAttr> xAttrs,
       final EnumSet<XAttrSetFlag> flag) throws IOException {
     writeLock();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 7aa48e10621..da8fc00e08d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -83,9 +83,6 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_REPLICATION_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_REPLICATION_KEY;
-import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_KEY_SIZE;
-import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_XATTR_IV;
-import static org.apache.hadoop.hdfs.protocol.HdfsConstants.CRYPTO_XATTR_KEY_VERSION_ID;
 import static org.apache.hadoop.util.Time.now;
 
 import java.io.*;
@@ -122,6 +119,8 @@
 import org.apache.hadoop.HadoopIllegalArgumentException;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CipherSuite;
+import org.apache.hadoop.crypto.CryptoCodec;
 import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import org.apache.hadoop.crypto.key.KeyProviderFactory;
@@ -131,6 +130,7 @@
 import org.apache.hadoop.fs.CreateFlag;
 import org.apache.hadoop.fs.DirectoryListingStartAfterNotFoundException;
 import org.apache.hadoop.fs.FileAlreadyExistsException;
+import org.apache.hadoop.fs.FileEncryptionInfo;
 import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.FsServerDefaults;
 import org.apache.hadoop.fs.InvalidPathException;
@@ -154,7 +154,6 @@
 import org.apache.hadoop.hdfs.HAUtil;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.StorageType;
-import org.apache.hadoop.hdfs.XAttrHelper;
 import org.apache.hadoop.hdfs.protocol.AclException;
 import org.apache.hadoop.hdfs.protocol.AlreadyBeingCreatedException;
 import org.apache.hadoop.hdfs.protocol.Block;
@@ -530,6 +529,7 @@ private void logAuditEvent(boolean succeeded,
   private KeyProvider.Options providerOptions = null;
 
   private final Map<String, EncryptionZone> encryptionZones;
+  private final CryptoCodec codec;
 
   private volatile boolean imageLoaded = false;
   private final Condition cond;
@@ -747,6 +747,7 @@ static FSNamesystem loadFromDisk(Configuration conf) throws IOException {
       throws IOException {
     initializeKeyProvider(conf);
     providerOptions = KeyProvider.options(conf);
+    this.codec = CryptoCodec.getInstance(conf);
     if (conf.getBoolean(DFS_NAMENODE_AUDIT_LOG_ASYNC_KEY,
                         DFS_NAMENODE_AUDIT_LOG_ASYNC_DEFAULT)) {
       LOG.info("Enabling async auditlog");
@@ -1873,9 +1874,13 @@ && doAccessTime && isAccessTimeSupported()) {
           length = Math.min(length, fileSize - offset);
           isUc = false;
         }
-        LocatedBlocks blocks =
+
+        final FileEncryptionInfo feInfo = dir.getFileEncryptionInfo(inode,
+            iip.getPathSnapshotId());
+
+        final LocatedBlocks blocks =
           blockManager.createLocatedBlocks(inode.getBlocks(), fileSize,
-            isUc, offset, length, needBlockToken, iip.isSnapshot());
+            isUc, offset, length, needBlockToken, iip.isSnapshot(), feInfo);
         // Set caching information for the located blocks.
         for (LocatedBlock lb: blocks.getLocatedBlocks()) {
           cacheManager.setCachedLocations(lb);
@@ -8296,7 +8301,7 @@ private String createNewKey(String src)
     final String keyId = UUID.randomUUID().toString();
     // TODO pass in hdfs://HOST:PORT (HDFS-6490)
     providerOptions.setDescription(src);
-    providerOptions.setBitLength(CRYPTO_KEY_SIZE);
+    providerOptions.setBitLength(codec.getAlgorithmBlockSize()*8);
     try {
       provider.createKey(keyId, providerOptions);
     } catch (NoSuchAlgorithmException e) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/JsonUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/JsonUtil.java
index abfeb32c142..321630c18dc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/JsonUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/JsonUtil.java
@@ -253,7 +253,7 @@ public static HdfsFileStatus toFileStatus(final Map<?, ?> json, boolean includes
     return new HdfsFileStatus(len, type == PathType.DIRECTORY, replication,
         blockSize, mTime, aTime, permission, owner, group,
         symlink, DFSUtil.string2Bytes(localName), fileId, childrenNum,
-        null /* key */, null /* IV */);
+        null);
   }
 
   /** Convert an ExtendedBlock to a Json map. */
@@ -533,7 +533,7 @@ public static LocatedBlocks toLocatedBlocks(final Map<?, ?> json
         (Map<?, ?>)m.get("lastLocatedBlock"));
     final boolean isLastBlockComplete = (Boolean)m.get("isLastBlockComplete");
     return new LocatedBlocks(fileLength, isUnderConstruction, locatedBlocks,
-        lastLocatedBlock, isLastBlockComplete, null /* key */, null /* IV */);
+        lastLocatedBlock, isLastBlockComplete, null);
   }
 
   /** Convert a ContentSummary to a Json string. */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
index 6ca22a136e8..ab482a0e23d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
@@ -169,6 +169,17 @@ message DataEncryptionKeyProto {
   optional string encryptionAlgorithm = 6;
 }
 
+/**
+ * Encryption information for a file.
+ */
+message FileEncryptionInfoProto {
+  enum CipherType {
+    AES_CTR_NOPADDING = 1;
+  }
+  required CipherType type = 1;
+  required bytes key = 2;
+  required bytes iv = 3;
+}
 
 /**
  * A set of file blocks and their locations.
@@ -179,11 +190,9 @@ message LocatedBlocksProto {
   required bool underConstruction = 3;
   optional LocatedBlockProto lastBlock = 4;
   required bool isLastBlockComplete = 5;
-  optional bytes key = 6;
-  optional bytes iv = 7;
+  optional FileEncryptionInfoProto fileEncryptionInfo = 6;
 }
 
-
 /**
  * Status of a file, directory or symlink
  * Optionally includes a file's block locations if requested by client on the rpc call.
@@ -215,9 +224,8 @@ message HdfsFileStatusProto {
   optional uint64 fileId = 13 [default = 0]; // default as an invalid id
   optional int32 childrenNum = 14 [default = -1];
 
-  // Optional fields for key/iv for encryption
-  optional bytes key = 15;
-  optional bytes iv = 16;
+  // Optional field for file encryption
+  optional FileEncryptionInfoProto fileEncryptionInfo = 15;
 } 
 
 /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java
index f42496920b5..ae1536a8e7f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java
@@ -253,12 +253,12 @@ public Object answer(InvocationOnMock invocation)
     Mockito.doReturn(
             new HdfsFileStatus(0, false, 1, 1024, 0, 0, new FsPermission(
                 (short) 777), "owner", "group", new byte[0], new byte[0],
-                1010, 0, null, null)).when(mockNN).getFileInfo(anyString());
+                1010, 0, null)).when(mockNN).getFileInfo(anyString());
     
     Mockito.doReturn(
             new HdfsFileStatus(0, false, 1, 1024, 0, 0, new FsPermission(
                 (short) 777), "owner", "group", new byte[0], new byte[0],
-                1010, 0, null, null))
+                1010, 0, null))
         .when(mockNN)
         .create(anyString(), (FsPermission) anyObject(), anyString(),
             (EnumSetWritable<CreateFlag>) anyObject(), anyBoolean(),
@@ -495,7 +495,7 @@ private LocatedBlocks makeBadBlockList(LocatedBlocks goodBlockList) {
       badBlocks.add(badLocatedBlock);
       return new LocatedBlocks(goodBlockList.getFileLength(), false,
                                badBlocks, null, true,
-                               null /* key */, null /* IV */);
+                               null);
     }
   }
   
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java
index 4c34681e4fe..c64ae1ca072 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java
@@ -95,7 +95,7 @@ public void testLocatedBlocks2Locations() {
     LocatedBlock l2 = new LocatedBlock(b2, ds, 0, true);
 
     List<LocatedBlock> ls = Arrays.asList(l1, l2);
-    LocatedBlocks lbs = new LocatedBlocks(10, false, ls, l2, true, null, null);
+    LocatedBlocks lbs = new LocatedBlocks(10, false, ls, l2, true, null);
 
     BlockLocation[] bs = DFSUtil.locatedBlocks2Locations(lbs);
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java
index 6487843d008..63c6443f6fd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java
@@ -339,12 +339,12 @@ public void testFactory() throws Exception {
     Mockito.doReturn(
         new HdfsFileStatus(0, false, 1, 1024, 0, 0, new FsPermission(
             (short) 777), "owner", "group", new byte[0], new byte[0],
-            1010, 0, null, null)).when(mcp).getFileInfo(anyString());
+            1010, 0, null)).when(mcp).getFileInfo(anyString());
     Mockito
         .doReturn(
             new HdfsFileStatus(0, false, 1, 1024, 0, 0, new FsPermission(
                 (short) 777), "owner", "group", new byte[0], new byte[0],
-                1010, 0, null, null))
+                1010, 0, null))
         .when(mcp)
         .create(anyString(), (FsPermission) anyObject(), anyString(),
             (EnumSetWritable<CreateFlag>) anyObject(), anyBoolean(),
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
index 17df7f6ef22..93e2fc6382f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
@@ -1015,7 +1015,7 @@ public void testFsckFileNotFound() throws Exception {
 
     HdfsFileStatus file = new HdfsFileStatus(length, isDir, blockReplication,
         blockSize, modTime, accessTime, perms, owner, group, symlink, path,
-        fileId, numChildren, null, null);
+        fileId, numChildren, null);
     Result res = new Result(conf);
 
     try {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestJsonUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestJsonUtil.java
index 345a75a63c5..b8150f7e357 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestJsonUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestJsonUtil.java
@@ -64,7 +64,7 @@ public void testHdfsFileStatus() {
     final HdfsFileStatus status = new HdfsFileStatus(1001L, false, 3, 1L << 26,
         now, now + 10, new FsPermission((short) 0644), "user", "group",
         DFSUtil.string2Bytes("bar"), DFSUtil.string2Bytes("foo"),
-        INodeId.GRANDFATHER_INODE_ID, 0, null, null);
+        INodeId.GRANDFATHER_INODE_ID, 0, null);
     final FileStatus fstatus = toFileStatus(status, parent);
     System.out.println("status  = " + status);
     System.out.println("fstatus = " + fstatus);

From 31617733aca2025cff1ffb841a533a5b1de016a5 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Fri, 27 Jun 2014 21:45:18 +0000
Subject: [PATCH 019/354] HDFS-6389. Rename restrictions for encryption zones.
 (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1606253 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  2 +
 .../hdfs/server/namenode/FSDirectory.java     | 34 +++++++
 .../hdfs/server/namenode/FSNamesystem.java    |  2 +-
 .../hadoop/hdfs/TestEncryptionZonesAPI.java   | 25 ++++-
 .../TestFileContextEncryptionZones.java       | 70 ++++++++++++++
 .../src/test/resources/testCryptoConf.xml     | 94 +++++++++++++++++++
 6 files changed, 225 insertions(+), 2 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFileContextEncryptionZones.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index d539ef1e1a4..c1876d4acba 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -26,6 +26,8 @@ fs-encryption (Unreleased)
     HDFS-6391. Get the Key/IV from the NameNode for encrypted files in
     DFSClient. (Charles Lamb and wang)
 
+    HDFS-6389. Rename restrictions for encryption zones. (clamb)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index 93c6fb593c5..5c5ff8bb85e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -58,6 +58,7 @@
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.ClientProtocol;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.FSLimitException.MaxDirectoryItemsExceededException;
 import org.apache.hadoop.hdfs.protocol.FSLimitException.PathComponentTooLongException;
 import org.apache.hadoop.hdfs.protocol.FsAclPermission;
@@ -544,6 +545,7 @@ boolean unprotectedRenameTo(String src, String dst, long timestamp)
       return false;
     }
     
+    checkEncryptionZoneMoveValidity(src, dst);
     // Ensure dst has quota to accommodate rename
     verifyFsLimitsForRename(srcIIP, dstIIP);
     verifyQuotaForRename(srcIIP.getINodes(), dstIIP.getINodes());
@@ -748,6 +750,7 @@ boolean unprotectedRenameTo(String src, String dst, long timestamp,
       throw new IOException(error);
     }
 
+    checkEncryptionZoneMoveValidity(src, dst);
     final INode dstInode = dstIIP.getLastINode();
     List<INodeDirectorySnapshottable> snapshottableDirs = 
         new ArrayList<INodeDirectorySnapshottable>();
@@ -971,6 +974,37 @@ boolean unprotectedRenameTo(String src, String dst, long timestamp,
     throw new IOException("rename from " + src + " to " + dst + " failed.");
   }
   
+  private void checkEncryptionZoneMoveValidity(String src, String dst)
+    throws IOException {
+    final EncryptionZone srcEZ =
+      getFSNamesystem().getEncryptionZoneForPath(src);
+    final EncryptionZone dstEZ =
+      getFSNamesystem().getEncryptionZoneForPath(dst);
+    final boolean srcInEZ = srcEZ != null;
+    final boolean dstInEZ = dstEZ != null;
+    if (srcInEZ) {
+      if (!dstInEZ) {
+        throw new IOException(src + " can't be moved from an encryption zone.");
+      }
+    } else {
+      if (dstInEZ) {
+        throw new IOException(src + " can't be moved into an encryption zone.");
+      }
+    }
+
+    if (srcInEZ || dstInEZ) {
+      if (!srcEZ.getPath().equals(dstEZ.getPath())) {
+        final StringBuilder sb = new StringBuilder(src);
+        sb.append(" can't be moved from encryption zone ");
+        sb.append(srcEZ.getPath());
+        sb.append(" to encryption zone ");
+        sb.append(dstEZ.getPath());
+        sb.append(".");
+        throw new IOException(sb.toString());
+      }
+    }
+  }
+
   /**
    * Set file replication
    * 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index da8fc00e08d..e5d879ed159 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -8395,7 +8395,7 @@ List<EncryptionZone> listEncryptionZones() throws IOException {
   }
 
   /** Lookup the encryption zone of a path. */
-  private EncryptionZone getEncryptionZoneForPath(String src) {
+  EncryptionZone getEncryptionZoneForPath(String src) {
     final String[] components = INode.getPathNames(src);
     for (int i = components.length; i > 0; i--) {
       final List<String> l = Arrays.asList(Arrays.copyOfRange(components, 0, i));
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
index eb851d4dcb6..50ec77777ee 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
@@ -65,7 +65,11 @@ public void setUpCluster() throws IOException {
     conf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
         JavaKeyStoreProvider.SCHEME_NAME + "://file" + tmpDir + "/test.jks");
     cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
-    fs = cluster.getFileSystem();
+    fs = createFileSystem(conf);
+  }
+
+  protected FileSystem createFileSystem(Configuration conf) throws IOException {
+    return cluster.getFileSystem();
   }
 
   @After
@@ -401,4 +405,23 @@ public Object run() throws Exception {
       }
     });
   }
+
+  /** Test success of Rename EZ on a directory which is already an EZ. */
+  @Test(timeout = 30000)
+  public void testRenameEncryptionZone()
+          throws Exception {
+    final HdfsAdmin dfsAdmin =
+            new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    FileSystem.mkdirs(fs, TEST_PATH_WITH_CHILD,
+      new FsPermission((short) 0777));
+    dfsAdmin.createEncryptionZone(TEST_PATH_WITH_CHILD, null);
+    FileSystem.mkdirs(fs, TEST_PATH_WITH_MULTIPLE_CHILDREN,
+       new FsPermission((short) 0777));
+    try {
+      fs.rename(TEST_PATH_WITH_MULTIPLE_CHILDREN, TEST_PATH);
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains(
+              "/test/foo/baz can't be moved from an encryption zone.", e);
+    }
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFileContextEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFileContextEncryptionZones.java
new file mode 100644
index 00000000000..da283f5f85b
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFileContextEncryptionZones.java
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.server.namenode;
+
+import java.io.IOException;
+import java.net.URI;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileContext;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.XAttrSetFlag;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.hdfs.TestEncryptionZonesAPI;
+import org.junit.BeforeClass;
+
+/**
+ * Tests of encryption zone operations using FileContext APIs.
+ */
+public class TestFileContextEncryptionZones extends TestEncryptionZonesAPI  {
+
+  @Override
+  protected FileSystem createFileSystem(Configuration conf) throws IOException {
+    FileContextFS fcFs = new FileContextFS();
+    fcFs.initialize(FileSystem.getDefaultUri(conf), conf);
+    return fcFs;
+  }
+
+  /**
+   * This reuses FSXAttrBaseTest's testcases by creating a filesystem
+   * implementation which uses FileContext by only overriding the xattr related
+   * methods. Other operations will use the normal filesystem.
+   */
+  public static class FileContextFS extends DistributedFileSystem {
+
+    private FileContext fc;
+
+    @Override
+    public void initialize(URI uri, Configuration conf) throws IOException {
+      super.initialize(uri, conf);
+      fc = FileContext.getFileContext(conf);
+    }
+
+    @Override
+    public boolean rename(Path src, Path dst) throws IOException {
+      fc.rename(src, dst);
+      return true;
+    }
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
index 82b17ffda18..1bf8f74fb14 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
@@ -262,5 +262,99 @@
         </comparator>
       </comparators>
     </test>
+
+    <test>
+      <description>Test failure of renaming file cross EZ's</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /src</command>
+        <command>-fs NAMENODE -mkdir /dst</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /src</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /dst</crypto-admin-command>
+        <command>-fs NAMENODE -mkdir /src/subdir</command>
+        <command>-fs NAMENODE -mv /src/subdir /dst</command>-
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rmdir /src/subdir</command>
+        <crypto-admin-command>-deleteZone -path /src</crypto-admin-command>
+        <crypto-admin-command>-deleteZone -path /dst</crypto-admin-command>
+        <command>-fs NAMENODE -rmdir /src</command>
+        <command>-fs NAMENODE -rmdir /dst</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>/src/subdir can't be moved from encryption zone /src to encryption zone /dst.</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test failure of renaming a non-EZ file into an EZ</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /src</command>
+        <command>-fs NAMENODE -mkdir /dst</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /dst</crypto-admin-command>
+        <command>-fs NAMENODE -mv /src /dst</command>-
+      </test-commands>
+      <cleanup-commands>
+        <crypto-admin-command>-deleteZone -path /dst</crypto-admin-command>
+        <command>-fs NAMENODE -rmdir /src</command>
+        <command>-fs NAMENODE -rmdir /dst</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>/src can't be moved into an encryption zone</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test failure of renaming a non-EZ file from an EZ</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /src</command>
+        <command>-fs NAMENODE -mkdir /dst</command>
+        <command>-fs NAMENODE -ls /</command>-
+        <crypto-admin-command>-createZone -path /src</crypto-admin-command>
+        <command>-fs NAMENODE -mv /src /dst</command>-
+      </test-commands>
+      <cleanup-commands>
+        <crypto-admin-command>-deleteZone -path /src</crypto-admin-command>
+        <command>-fs NAMENODE -rmdir /src</command>
+        <command>-fs NAMENODE -rmdir /dst</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>/src can't be moved from an encryption zone</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test success of renaming file intra-EZ</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /src</command>
+        <crypto-admin-command>-createZone -path /src</crypto-admin-command>
+        <command>-fs NAMENODE -mkdir /src/subdir1</command>
+        <command>-fs NAMENODE -mkdir /src/subdir2</command>
+        <command>-fs NAMENODE -mv /src/subdir1 /src/subdir2</command>-
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rmdir /src/subdir2/subdir1</command>
+        <command>-fs NAMENODE -rmdir /src/subdir2</command>
+        <crypto-admin-command>-deleteZone -path /src</crypto-admin-command>
+        <command>-fs NAMENODE -rmdir /src</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output></expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
   </tests>
 </configuration>

From 51b97a1396a4cb32aaa08b451985a6af236c0c4b Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Wed, 2 Jul 2014 23:08:29 +0000
Subject: [PATCH 020/354] HDFS-6605.Client server negotiation of cipher suite.
 (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1607499 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop/crypto/AESCTRCryptoCodec.java      |   9 +-
 .../org/apache/hadoop/crypto/CipherSuite.java |  33 ++++--
 .../org/apache/hadoop/crypto/CryptoCodec.java |   8 +-
 .../hadoop/crypto/CryptoInputStream.java      |   4 +-
 .../hadoop/crypto/CryptoOutputStream.java     |   6 +-
 .../hadoop/crypto/CryptoStreamUtils.java      |   3 +-
 .../hadoop/crypto/JCEAESCTRCryptoCodec.java   |   4 +-
 .../apache/hadoop/fs/FileEncryptionInfo.java  |   5 +-
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   2 +
 .../org/apache/hadoop/hdfs/DFSClient.java     |  10 +-
 .../apache/hadoop/hdfs/DFSOutputStream.java   |  17 +--
 .../hdfs/UnknownCipherSuiteException.java     |  38 ++++++
 .../hadoop/hdfs/protocol/ClientProtocol.java  |   4 +-
 ...amenodeProtocolServerSideTranslatorPB.java |   3 +-
 .../ClientNamenodeProtocolTranslatorPB.java   |  13 +-
 .../hadoop/hdfs/protocolPB/PBHelper.java      |  44 +++++--
 .../server/blockmanagement/BlockManager.java  |   2 +-
 .../hdfs/server/namenode/FSNamesystem.java    | 112 +++++++++++++++---
 .../server/namenode/NameNodeRpcServer.java    |   6 +-
 .../main/proto/ClientNamenodeProtocol.proto   |   1 +
 .../hadoop-hdfs/src/main/proto/hdfs.proto     |  13 +-
 .../hadoop/hdfs/TestDFSClientRetries.java     |   4 +-
 .../hadoop/hdfs/TestEncryptionZonesAPI.java   |  71 ++++++++++-
 .../apache/hadoop/hdfs/TestFileCreation.java  |   2 +-
 .../org/apache/hadoop/hdfs/TestLease.java     |   5 +-
 .../namenode/NNThroughputBenchmark.java       |   5 +-
 .../server/namenode/TestAddBlockRetry.java    |   4 +-
 .../namenode/TestNamenodeRetryCache.java      |   9 +-
 .../namenode/ha/TestRetryCacheWithHA.java     |   2 +-
 29 files changed, 347 insertions(+), 92 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/UnknownCipherSuiteException.java

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
index 252e001e66f..e26135d2669 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
@@ -25,16 +25,19 @@
 @InterfaceAudience.Private
 @InterfaceStability.Evolving
 public abstract class AESCTRCryptoCodec extends CryptoCodec {
+
+  protected static final CipherSuite SUITE = CipherSuite.AES_CTR_NOPADDING;
+
   /**
    * For AES, the algorithm block is fixed size of 128 bits.
    * @see http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
    */
-  private static final int AES_BLOCK_SIZE = 16;
+  private static final int AES_BLOCK_SIZE = SUITE.getAlgorithmBlockSize();
   private static final int CTR_OFFSET = 8;
 
   @Override
-  public int getAlgorithmBlockSize() {
-    return AES_BLOCK_SIZE;
+  public CipherSuite getCipherSuite() {
+    return SUITE;
   }
   
   /**
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
index 6363bdb5807..9c4b8fdd8d4 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
@@ -19,7 +19,6 @@
 package org.apache.hadoop.crypto;
 
 import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.classification.InterfaceStability;
 
 /**
  * Defines properties of a CipherSuite. Modeled after the ciphers in
@@ -27,14 +26,25 @@
  */
 @InterfaceAudience.Private
 public enum CipherSuite {
-  AES_CTR_NOPADDING("AES/CTR/NoPadding", 128);
+  UNKNOWN("Unknown", 0),
+  AES_CTR_NOPADDING("AES/CTR/NoPadding", 16);
 
   private final String name;
-  private final int blockBits;
+  private final int algoBlockSize;
 
-  CipherSuite(String name, int blockBits) {
+  private Integer unknownValue = null;
+
+  CipherSuite(String name, int algoBlockSize) {
     this.name = name;
-    this.blockBits = blockBits;
+    this.algoBlockSize = algoBlockSize;
+  }
+
+  public void setUnknownValue(int unknown) {
+    this.unknownValue = unknown;
+  }
+
+  public int getUnknownValue() {
+    return unknownValue;
   }
 
   /**
@@ -45,17 +55,20 @@ public String getName() {
   }
 
   /**
-   * @return size of an algorithm block in bits
+   * @return size of an algorithm block in bytes
    */
-  public int getNumberBlockBits() {
-    return blockBits;
+  public int getAlgorithmBlockSize() {
+    return algoBlockSize;
   }
 
   @Override
   public String toString() {
     StringBuilder builder = new StringBuilder("{");
-    builder.append("name: " + getName() + ", ");
-    builder.append("numBlockBits: " + getNumberBlockBits());
+    builder.append("name: " + name);
+    builder.append(", algorithmBlockSize: " + algoBlockSize);
+    if (unknownValue != null) {
+      builder.append(", unknownValue: " + unknownValue);
+    }
     builder.append("}");
     return builder.toString();
   }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
index b166423db0e..7d4e65ba4d3 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
@@ -39,13 +39,11 @@ public static CryptoCodec getInstance(Configuration conf) {
         CryptoCodec.class);
     return ReflectionUtils.newInstance(klass, conf);
   }
-  
+
   /**
-   * Get the block size of a block cipher.
-   * For different algorithms, the block size may be different.
-   * @return int the block size
+   * @return the CipherSuite for this codec.
    */
-  public abstract int getAlgorithmBlockSize();
+  public abstract CipherSuite getCipherSuite();
 
   /**
    * Create a {@link org.apache.hadoop.crypto.Encryptor}. 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
index 55c891a0ace..e8964ed6ed5 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoInputStream.java
@@ -265,11 +265,11 @@ private byte afterDecryption(Decryptor decryptor, ByteBuffer inBuffer,
   }
   
   private long getCounter(long position) {
-    return position / codec.getAlgorithmBlockSize();
+    return position / codec.getCipherSuite().getAlgorithmBlockSize();
   }
   
   private byte getPadding(long position) {
-    return (byte)(position % codec.getAlgorithmBlockSize());
+    return (byte)(position % codec.getCipherSuite().getAlgorithmBlockSize());
   }
   
   /** Calculate the counter and iv, update the decryptor. */
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
index 61eca0a4616..4f9f7f5c6c4 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoOutputStream.java
@@ -194,8 +194,10 @@ private void encrypt() throws IOException {
   
   /** Update the {@link #encryptor}: calculate counter and {@link #padding}. */
   private void updateEncryptor() throws IOException {
-    final long counter = streamOffset / codec.getAlgorithmBlockSize();
-    padding = (byte)(streamOffset % codec.getAlgorithmBlockSize());
+    final long counter =
+        streamOffset / codec.getCipherSuite().getAlgorithmBlockSize();
+    padding =
+        (byte)(streamOffset % codec.getCipherSuite().getAlgorithmBlockSize());
     inBuffer.position(padding); // Set proper position for input data.
     codec.calculateIV(initIV, counter, iv);
     encryptor.init(key, iv);
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java
index dfa27df172d..820d77580cd 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoStreamUtils.java
@@ -53,7 +53,8 @@ public static int getBufferSize(Configuration conf) {
   public static int checkBufferSize(CryptoCodec codec, int bufferSize) {
     Preconditions.checkArgument(bufferSize >= MIN_BUFFER_SIZE, 
         "Minimum value of buffer size is " + MIN_BUFFER_SIZE + ".");
-    return bufferSize - bufferSize % codec.getAlgorithmBlockSize();
+    return bufferSize - bufferSize % codec.getCipherSuite()
+        .getAlgorithmBlockSize();
   }
   
   /**
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
index a2eeea48c94..e575e5ed66c 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
@@ -92,9 +92,9 @@ public JCEAESCTRCipher(int mode, String provider)
         throws GeneralSecurityException {
       this.mode = mode;
       if (provider == null || provider.isEmpty()) {
-        cipher = Cipher.getInstance("AES/CTR/NoPadding");
+        cipher = Cipher.getInstance(SUITE.getName());
       } else {
-        cipher = Cipher.getInstance("AES/CTR/NoPadding", provider);
+        cipher = Cipher.getInstance(SUITE.getName(), provider);
       }
     }
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java
index 53f35bde97f..77f4cdfe70d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java
@@ -19,7 +19,6 @@
 
 import org.apache.commons.codec.binary.Hex;
 import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.crypto.CipherSuite;
 
 import static com.google.common.base.Preconditions.checkArgument;
@@ -40,9 +39,9 @@ public FileEncryptionInfo(CipherSuite suite, byte[] key, byte[] iv) {
     checkNotNull(suite);
     checkNotNull(key);
     checkNotNull(iv);
-    checkArgument(key.length == suite.getNumberBlockBits() / 8,
+    checkArgument(key.length == suite.getAlgorithmBlockSize(),
         "Unexpected key length");
-    checkArgument(iv.length == suite.getNumberBlockBits() / 8,
+    checkArgument(iv.length == suite.getAlgorithmBlockSize(),
         "Unexpected IV length");
     this.cipherSuite = suite;
     this.key = key;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index c1876d4acba..dcd22697dc4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -28,6 +28,8 @@ fs-encryption (Unreleased)
 
     HDFS-6389. Rename restrictions for encryption zones. (clamb)
 
+    HDFS-6605. Client server negotiation of cipher suite. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index 013fbc0f4f3..1e3a179b81a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -94,6 +94,7 @@
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.crypto.CryptoCodec;
 import org.apache.hadoop.crypto.CryptoInputStream;
 import org.apache.hadoop.crypto.CryptoOutputStream;
@@ -246,6 +247,8 @@ public class DFSClient implements java.io.Closeable, RemotePeerFactory {
       new DFSHedgedReadMetrics();
   private static ThreadPoolExecutor HEDGED_READ_THREAD_POOL;
   private final CryptoCodec codec;
+  @VisibleForTesting
+  List<CipherSuite> cipherSuites;
   
   /**
    * DFSClient configuration 
@@ -579,6 +582,8 @@ public DFSClient(URI nameNodeUri, ClientProtocol rpcNamenode,
     this.clientName = "DFSClient_" + dfsClientConf.taskId + "_" + 
         DFSUtil.getRandom().nextInt()  + "_" + Thread.currentThread().getId();
     this.codec = CryptoCodec.getInstance(conf);
+    this.cipherSuites = Lists.newArrayListWithCapacity(1);
+    cipherSuites.add(codec.getCipherSuite());
     
     int numResponseToDrop = conf.getInt(
         DFSConfigKeys.DFS_CLIENT_TEST_DROP_NAMENODE_RESPONSE_NUM_KEY,
@@ -1523,7 +1528,8 @@ public DFSOutputStream create(String src,
     }
     final DFSOutputStream result = DFSOutputStream.newStreamForCreate(this,
         src, masked, flag, createParent, replication, blockSize, progress,
-        buffersize, dfsClientConf.createChecksum(checksumOpt), favoredNodeStrs);
+        buffersize, dfsClientConf.createChecksum(checksumOpt),
+        favoredNodeStrs, cipherSuites);
     beginFileLease(result.getFileId(), result);
     return result;
   }
@@ -1570,7 +1576,7 @@ public DFSOutputStream primitiveCreate(String src,
       DataChecksum checksum = dfsClientConf.createChecksum(checksumOpt);
       result = DFSOutputStream.newStreamForCreate(this, src, absPermission,
           flag, createParent, replication, blockSize, progress, buffersize,
-          checksum);
+          checksum, null, cipherSuites);
     }
     beginFileLease(result.getFileId(), result);
     return result;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
index 508e3bd4f66..c74f2d019e6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
@@ -42,6 +42,7 @@
 import java.util.concurrent.atomic.AtomicReference;
 
 import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.fs.CanSetDropBehind;
 import org.apache.hadoop.fs.CreateFlag;
 import org.apache.hadoop.fs.FSOutputSummer;
@@ -1605,12 +1606,13 @@ private DFSOutputStream(DFSClient dfsClient, String src, HdfsFileStatus stat,
   static DFSOutputStream newStreamForCreate(DFSClient dfsClient, String src,
       FsPermission masked, EnumSet<CreateFlag> flag, boolean createParent,
       short replication, long blockSize, Progressable progress, int buffersize,
-      DataChecksum checksum, String[] favoredNodes) throws IOException {
+      DataChecksum checksum, String[] favoredNodes,
+      List<CipherSuite> cipherSuites) throws IOException {
     final HdfsFileStatus stat;
     try {
       stat = dfsClient.namenode.create(src, masked, dfsClient.clientName,
           new EnumSetWritable<CreateFlag>(flag), createParent, replication,
-          blockSize);
+          blockSize, cipherSuites);
     } catch(RemoteException re) {
       throw re.unwrapRemoteException(AccessControlException.class,
                                      DSQuotaExceededException.class,
@@ -1620,7 +1622,8 @@ static DFSOutputStream newStreamForCreate(DFSClient dfsClient, String src,
                                      NSQuotaExceededException.class,
                                      SafeModeException.class,
                                      UnresolvedPathException.class,
-                                     SnapshotAccessControlException.class);
+                                     SnapshotAccessControlException.class,
+                                     UnknownCipherSuiteException.class);
     }
     final DFSOutputStream out = new DFSOutputStream(dfsClient, src, stat,
         flag, progress, checksum, favoredNodes);
@@ -1628,14 +1631,6 @@ static DFSOutputStream newStreamForCreate(DFSClient dfsClient, String src,
     return out;
   }
 
-  static DFSOutputStream newStreamForCreate(DFSClient dfsClient, String src,
-      FsPermission masked, EnumSet<CreateFlag> flag, boolean createParent,
-      short replication, long blockSize, Progressable progress, int buffersize,
-      DataChecksum checksum) throws IOException {
-    return newStreamForCreate(dfsClient, src, masked, flag, createParent, replication,
-        blockSize, progress, buffersize, checksum, null);
-  }
-
   /** Construct a new output stream for append. */
   private DFSOutputStream(DFSClient dfsClient, String src,
       Progressable progress, LocatedBlock lastBlock, HdfsFileStatus stat,
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/UnknownCipherSuiteException.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/UnknownCipherSuiteException.java
new file mode 100644
index 00000000000..b85edf69c48
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/UnknownCipherSuiteException.java
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs;
+
+import java.io.IOException;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public class UnknownCipherSuiteException extends IOException {
+  private static final long serialVersionUID = 8957192l;
+
+  public UnknownCipherSuiteException() {
+    super();
+  }
+
+  public UnknownCipherSuiteException(String msg) {
+    super(msg);
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index 203d10f74c1..83e4278e16b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -24,6 +24,7 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.fs.CacheFlag;
 import org.apache.hadoop.fs.ContentSummary;
 import org.apache.hadoop.fs.CreateFlag;
@@ -186,7 +187,8 @@ public LocatedBlocks getBlockLocations(String src,
   @AtMostOnce
   public HdfsFileStatus create(String src, FsPermission masked,
       String clientName, EnumSetWritable<CreateFlag> flag,
-      boolean createParent, short replication, long blockSize)
+      boolean createParent, short replication, long blockSize, 
+      List<CipherSuite> cipherSuites)
       throws AccessControlException, AlreadyBeingCreatedException,
       DSQuotaExceededException, FileAlreadyExistsException,
       FileNotFoundException, NSQuotaExceededException,
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
index 57c456b2233..3fdf5a07eb8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
@@ -375,7 +375,8 @@ public CreateResponseProto create(RpcController controller,
       HdfsFileStatus result = server.create(req.getSrc(),
           PBHelper.convert(req.getMasked()), req.getClientName(),
           PBHelper.convertCreateFlag(req.getCreateFlag()), req.getCreateParent(),
-          (short) req.getReplication(), req.getBlockSize());
+          (short) req.getReplication(), req.getBlockSize(), 
+          PBHelper.convertCipherSuiteProtos(req.getCipherSuitesList()));
 
       if (result != null) {
         return CreateResponseProto.newBuilder().setFs(PBHelper.convert(result))
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
index 2a7ddd5305d..81d4e432f49 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
@@ -26,6 +26,7 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.fs.BatchedRemoteIterator.BatchedEntries;
 import org.apache.hadoop.fs.CacheFlag;
 import org.apache.hadoop.fs.ContentSummary;
@@ -249,21 +250,25 @@ public FsServerDefaults getServerDefaults() throws IOException {
   @Override
   public HdfsFileStatus create(String src, FsPermission masked,
       String clientName, EnumSetWritable<CreateFlag> flag,
-      boolean createParent, short replication, long blockSize)
+      boolean createParent, short replication, long blockSize, 
+      List<CipherSuite> cipherSuites)
       throws AccessControlException, AlreadyBeingCreatedException,
       DSQuotaExceededException, FileAlreadyExistsException,
       FileNotFoundException, NSQuotaExceededException,
       ParentNotDirectoryException, SafeModeException, UnresolvedLinkException,
       IOException {
-    CreateRequestProto req = CreateRequestProto.newBuilder()
+    CreateRequestProto.Builder builder = CreateRequestProto.newBuilder()
         .setSrc(src)
         .setMasked(PBHelper.convert(masked))
         .setClientName(clientName)
         .setCreateFlag(PBHelper.convertCreateFlag(flag))
         .setCreateParent(createParent)
         .setReplication(replication)
-        .setBlockSize(blockSize)
-        .build();
+        .setBlockSize(blockSize);
+    if (cipherSuites != null) {
+      builder.addAllCipherSuites(PBHelper.convertCipherSuites(cipherSuites));
+    }
+    CreateRequestProto req = builder.build();
     try {
       CreateResponseProto res = rpcProxy.create(null, req);
       return res.hasFs() ? PBHelper.convert(res.getFs()) : null;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index 98ac0d3cfdc..0fb764b8841 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -2276,25 +2276,49 @@ public static ShmId convert(ShortCircuitShmIdProto shmId) {
     return new ShmId(shmId.getHi(), shmId.getLo());
   }
 
-  public static HdfsProtos.FileEncryptionInfoProto.CipherType
-      convert(CipherSuite type) {
-    switch (type) {
+  public static HdfsProtos.CipherSuite convert(CipherSuite suite) {
+    switch (suite) {
+    case UNKNOWN:
+      return HdfsProtos.CipherSuite.UNKNOWN;
     case AES_CTR_NOPADDING:
-      return HdfsProtos.FileEncryptionInfoProto.CipherType
-          .AES_CTR_NOPADDING;
+      return HdfsProtos.CipherSuite.AES_CTR_NOPADDING;
     default:
       return null;
     }
   }
 
-  public static CipherSuite convert(
-      HdfsProtos.FileEncryptionInfoProto.CipherType proto) {
+  public static CipherSuite convert(HdfsProtos.CipherSuite proto) {
     switch (proto) {
     case AES_CTR_NOPADDING:
       return CipherSuite.AES_CTR_NOPADDING;
     default:
+      // Set to UNKNOWN and stash the unknown enum value
+      CipherSuite suite = CipherSuite.UNKNOWN;
+      suite.setUnknownValue(proto.getNumber());
+      return suite;
+    }
+  }
+
+  public static List<HdfsProtos.CipherSuite> convertCipherSuites
+      (List<CipherSuite> suites) {
+    if (suites == null) {
       return null;
     }
+    List<HdfsProtos.CipherSuite> protos =
+        Lists.newArrayListWithCapacity(suites.size());
+    for (CipherSuite suite : suites) {
+      protos.add(convert(suite));
+    }
+    return protos;
+  }
+
+  public static List<CipherSuite> convertCipherSuiteProtos(
+      List<HdfsProtos.CipherSuite> protos) {
+    List<CipherSuite> suites = Lists.newArrayListWithCapacity(protos.size());
+    for (HdfsProtos.CipherSuite proto : protos) {
+      suites.add(convert(proto));
+    }
+    return suites;
   }
 
   public static HdfsProtos.FileEncryptionInfoProto convert(
@@ -2303,7 +2327,7 @@ public static HdfsProtos.FileEncryptionInfoProto convert(
       return null;
     }
     return HdfsProtos.FileEncryptionInfoProto.newBuilder()
-        .setType(convert(info.getCipherSuite()))
+        .setSuite(convert(info.getCipherSuite()))
         .setKey(getByteString(info.getEncryptedDataEncryptionKey()))
         .setIv(getByteString(info.getIV()))
         .build();
@@ -2314,10 +2338,10 @@ public static FileEncryptionInfo convert(
     if (proto == null) {
       return null;
     }
-    CipherSuite type = convert(proto.getType());
+    CipherSuite suite = convert(proto.getSuite());
     byte[] key = proto.getKey().toByteArray();
     byte[] iv = proto.getIv().toByteArray();
-    return new FileEncryptionInfo(type, key, iv);
+    return new FileEncryptionInfo(suite, key, iv);
   }
 
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
index 2b497bcdfbe..bb600f0043d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
@@ -850,7 +850,7 @@ public LocatedBlocks createLocatedBlocks(final BlockInfo[] blocks,
       return null;
     } else if (blocks.length == 0) {
       return new LocatedBlocks(0, isFileUnderConstruction,
-          Collections.<LocatedBlock>emptyList(), null, false, null);
+          Collections.<LocatedBlock>emptyList(), null, false, feInfo);
     } else {
       if (LOG.isDebugEnabled()) {
         LOG.debug("blocks = " + java.util.Arrays.asList(blocks));
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index e5d879ed159..ca793ab7acd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -122,7 +122,6 @@
 import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.crypto.CryptoCodec;
 import org.apache.hadoop.crypto.key.KeyProvider;
-import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import org.apache.hadoop.crypto.key.KeyProviderFactory;
 import org.apache.hadoop.fs.BatchedRemoteIterator.BatchedListEntries;
 import org.apache.hadoop.fs.CacheFlag;
@@ -154,6 +153,7 @@
 import org.apache.hadoop.hdfs.HAUtil;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.StorageType;
+import org.apache.hadoop.hdfs.UnknownCipherSuiteException;
 import org.apache.hadoop.hdfs.protocol.AclException;
 import org.apache.hadoop.hdfs.protocol.AlreadyBeingCreatedException;
 import org.apache.hadoop.hdfs.protocol.Block;
@@ -2296,7 +2296,50 @@ private void verifyParentDir(String src) throws FileNotFoundException,
       }
     }
   }
-  
+
+  /**
+   * If the file is within an encryption zone, select the appropriate 
+   * CipherSuite from the list provided by the client. Since the client may 
+   * be newer, need to handle unknown CipherSuites.
+   *
+   * @param src path of the file
+   * @param cipherSuites client-provided list of supported CipherSuites, 
+   *                     in desired order.
+   * @return chosen CipherSuite, or null if file is not in an EncryptionZone
+   * @throws IOException
+   */
+  private CipherSuite chooseCipherSuite(String src, List<CipherSuite> 
+      cipherSuites) throws UnknownCipherSuiteException {
+    EncryptionZone zone = getEncryptionZoneForPath(src);
+    // Not in an EZ
+    if (zone == null) {
+      return null;
+    }
+    CipherSuite chosen = null;
+    for (CipherSuite c : cipherSuites) {
+      if (c.equals(CipherSuite.UNKNOWN)) {
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("Ignoring unknown CipherSuite provided by client: "
+              + c.getUnknownValue());
+        }
+        continue;
+      }
+      for (CipherSuite supported : CipherSuite.values()) {
+        if (supported.equals(c)) {
+          chosen = c;
+          break;
+        }
+      }
+    }
+    if (chosen == null) {
+      throw new UnknownCipherSuiteException(
+          "No cipher suites provided by the client are supported."
+              + " Client provided: " + Arrays.toString(cipherSuites.toArray())
+              + " NameNode supports: " + Arrays.toString(CipherSuite.values()));
+    }
+    return chosen;
+  }
+
   /**
    * Create a new file entry in the namespace.
    * 
@@ -2306,7 +2349,8 @@ private void verifyParentDir(String src) throws FileNotFoundException,
    */
   HdfsFileStatus startFile(String src, PermissionStatus permissions,
       String holder, String clientMachine, EnumSet<CreateFlag> flag,
-      boolean createParent, short replication, long blockSize)
+      boolean createParent, short replication, long blockSize, 
+      List<CipherSuite> cipherSuites)
       throws AccessControlException, SafeModeException,
       FileAlreadyExistsException, UnresolvedLinkException,
       FileNotFoundException, ParentNotDirectoryException, IOException {
@@ -2319,7 +2363,8 @@ HdfsFileStatus startFile(String src, PermissionStatus permissions,
     
     try {
       status = startFileInt(src, permissions, holder, clientMachine, flag,
-          createParent, replication, blockSize, cacheEntry != null);
+          createParent, replication, blockSize, cipherSuites,
+          cacheEntry != null);
     } catch (AccessControlException e) {
       logAuditEvent(false, "create", src);
       throw e;
@@ -2332,16 +2377,26 @@ HdfsFileStatus startFile(String src, PermissionStatus permissions,
   private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
       String holder, String clientMachine, EnumSet<CreateFlag> flag,
       boolean createParent, short replication, long blockSize,
-      boolean logRetryCache) throws AccessControlException, SafeModeException,
+      List<CipherSuite> cipherSuites, boolean logRetryCache)
+      throws AccessControlException, SafeModeException,
       FileAlreadyExistsException, UnresolvedLinkException,
       FileNotFoundException, ParentNotDirectoryException, IOException {
     if (NameNode.stateChangeLog.isDebugEnabled()) {
-      NameNode.stateChangeLog.debug("DIR* NameSystem.startFile: src=" + src
-          + ", holder=" + holder
-          + ", clientMachine=" + clientMachine
-          + ", createParent=" + createParent
-          + ", replication=" + replication
-          + ", createFlag=" + flag.toString());
+      StringBuilder builder = new StringBuilder();
+      builder.append("DIR* NameSystem.startFile: src=" + src
+              + ", holder=" + holder
+              + ", clientMachine=" + clientMachine
+              + ", createParent=" + createParent
+              + ", replication=" + replication
+              + ", createFlag=" + flag.toString()
+              + ", blockSize=" + blockSize);
+      builder.append(", cipherSuites=");
+      if (cipherSuites != null) {
+        builder.append(Arrays.toString(cipherSuites.toArray()));
+      } else {
+        builder.append("null");
+      }
+      NameNode.stateChangeLog.debug(builder.toString());
     }
     if (!DFSUtil.isValidName(src)) {
       throw new InvalidPathException(src);
@@ -2368,7 +2423,8 @@ private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
       checkNameNodeSafeMode("Cannot create file" + src);
       src = FSDirectory.resolvePath(src, pathComponents, dir);
       startFileInternal(pc, src, permissions, holder, clientMachine, create,
-          overwrite, createParent, replication, blockSize, logRetryCache);
+          overwrite, createParent, replication, blockSize, cipherSuites,
+          logRetryCache);
       stat = dir.getFileInfo(src, false);
     } catch (StandbyException se) {
       skipSync = true;
@@ -2398,7 +2454,8 @@ private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
   private void startFileInternal(FSPermissionChecker pc, String src,
       PermissionStatus permissions, String holder, String clientMachine,
       boolean create, boolean overwrite, boolean createParent,
-      short replication, long blockSize, boolean logRetryEntry)
+      short replication, long blockSize, List<CipherSuite> cipherSuites,
+      boolean logRetryEntry)
       throws FileAlreadyExistsException, AccessControlException,
       UnresolvedLinkException, FileNotFoundException,
       ParentNotDirectoryException, IOException {
@@ -2410,6 +2467,25 @@ private void startFileInternal(FSPermissionChecker pc, String src,
       throw new FileAlreadyExistsException(src +
           " already exists as a directory");
     }
+
+    FileEncryptionInfo feInfo = null;
+    CipherSuite suite = chooseCipherSuite(src, cipherSuites);
+    if (suite != null) {
+      Preconditions.checkArgument(!suite.equals(CipherSuite.UNKNOWN), 
+          "Chose an UNKNOWN CipherSuite!");
+      // TODO: fill in actual key/iv in HDFS-6474
+      // For now, populate with dummy data
+      byte[] key = new byte[suite.getAlgorithmBlockSize()];
+      for (int i = 0; i < key.length; i++) {
+        key[i] = (byte)i;
+      }
+      byte[] iv = new byte[suite.getAlgorithmBlockSize()];
+      for (int i = 0; i < iv.length; i++) {
+        iv[i] = (byte)(3+i*2);
+      }
+      feInfo = new FileEncryptionInfo(suite, key, iv);
+    }
+
     final INodeFile myFile = INodeFile.valueOf(inode, src, true);
     if (isPermissionEnabled) {
       if (overwrite && myFile != null) {
@@ -2465,6 +2541,12 @@ permissions, true, now())) {
       leaseManager.addLease(newNode.getFileUnderConstructionFeature()
           .getClientName(), src);
 
+      // Set encryption attributes if necessary
+      if (feInfo != null) {
+        dir.setFileEncryptionInfo(src, feInfo);
+        newNode = dir.getInode(newNode.getId()).asFile();
+      }
+
       // record file record in log, record new generation stamp
       getEditLog().logOpenFile(src, newNode, logRetryEntry);
       if (NameNode.stateChangeLog.isDebugEnabled()) {
@@ -8301,7 +8383,8 @@ private String createNewKey(String src)
     final String keyId = UUID.randomUUID().toString();
     // TODO pass in hdfs://HOST:PORT (HDFS-6490)
     providerOptions.setDescription(src);
-    providerOptions.setBitLength(codec.getAlgorithmBlockSize()*8);
+    providerOptions.setBitLength(codec.getCipherSuite()
+        .getAlgorithmBlockSize()*8);
     try {
       provider.createKey(keyId, providerOptions);
     } catch (NoSuchAlgorithmException e) {
@@ -8396,6 +8479,7 @@ List<EncryptionZone> listEncryptionZones() throws IOException {
 
   /** Lookup the encryption zone of a path. */
   EncryptionZone getEncryptionZoneForPath(String src) {
+    assert hasReadLock();
     final String[] components = INode.getPathNames(src);
     for (int i = components.length; i > 0; i--) {
       final List<String> l = Arrays.asList(Arrays.copyOfRange(components, 0, i));
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index c98e6711706..35d6266644e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -37,6 +37,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.hadoop.HadoopIllegalArgumentException;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.fs.BatchedRemoteIterator.BatchedEntries;
 import org.apache.hadoop.fs.CacheFlag;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
@@ -534,7 +535,8 @@ public FsServerDefaults getServerDefaults() throws IOException {
   @Override // ClientProtocol
   public HdfsFileStatus create(String src, FsPermission masked,
       String clientName, EnumSetWritable<CreateFlag> flag,
-      boolean createParent, short replication, long blockSize)
+      boolean createParent, short replication, long blockSize, 
+      List<CipherSuite> cipherSuites)
       throws IOException {
     String clientMachine = getClientMachine();
     if (stateChangeLog.isDebugEnabled()) {
@@ -548,7 +550,7 @@ public HdfsFileStatus create(String src, FsPermission masked,
     HdfsFileStatus fileStatus = namesystem.startFile(src, new PermissionStatus(
         getRemoteUser().getShortUserName(), null, masked),
         clientName, clientMachine, flag.get(), createParent, replication,
-        blockSize);
+        blockSize, cipherSuites);
     metrics.incrFilesCreated();
     metrics.incrCreateFileOps();
     return fileStatus;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
index 8696775981f..70455989e7f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
@@ -74,6 +74,7 @@ message CreateRequestProto {
   required bool createParent = 5;
   required uint32 replication = 6; // Short: Only 16 bits used
   required uint64 blockSize = 7;
+  repeated CipherSuite cipherSuites = 8;
 }
 
 message CreateResponseProto {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
index ab482a0e23d..ea0164c4253 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
@@ -169,14 +169,19 @@ message DataEncryptionKeyProto {
   optional string encryptionAlgorithm = 6;
 }
 
+/**
+ * Cipher suite.
+ */
+enum CipherSuite {
+    UNKNOWN = 1;
+    AES_CTR_NOPADDING = 2;
+}
+
 /**
  * Encryption information for a file.
  */
 message FileEncryptionInfoProto {
-  enum CipherType {
-    AES_CTR_NOPADDING = 1;
-  }
-  required CipherType type = 1;
+  required CipherSuite suite = 1;
   required bytes key = 2;
   required bytes iv = 3;
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java
index ae1536a8e7f..74daccc9e2d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientRetries.java
@@ -24,6 +24,7 @@
 import static org.junit.Assert.fail;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyBoolean;
+import static org.mockito.Matchers.anyList;
 import static org.mockito.Matchers.anyLong;
 import static org.mockito.Matchers.anyObject;
 import static org.mockito.Matchers.anyShort;
@@ -51,6 +52,7 @@
 import org.apache.commons.logging.LogFactory;
 import org.apache.commons.logging.impl.Log4JLogger;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.fs.CreateFlag;
 import org.apache.hadoop.fs.FSDataInputStream;
@@ -262,7 +264,7 @@ public Object answer(InvocationOnMock invocation)
         .when(mockNN)
         .create(anyString(), (FsPermission) anyObject(), anyString(),
             (EnumSetWritable<CreateFlag>) anyObject(), anyBoolean(),
-            anyShort(), anyLong());
+            anyShort(), anyLong(), (List<CipherSuite>) anyList());
 
     final DFSClient client = new DFSClient(null, mockNN, conf, null);
     OutputStream os = client.create("testfile", true);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
index 50ec77777ee..c787da69d7f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
@@ -26,15 +26,19 @@
 import java.util.Set;
 import java.util.UUID;
 
+import com.google.common.collect.Lists;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
 import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.crypto.key.KeyProviderFactory;
+import org.apache.hadoop.fs.FileEncryptionInfo;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.client.HdfsAdmin;
 import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.hdfs.protocol.LocatedBlocks;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.test.GenericTestUtils;
@@ -44,6 +48,7 @@
 
 import com.google.common.base.Preconditions;
 
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
 
 public class TestEncryptionZonesAPI {
@@ -56,7 +61,7 @@ public class TestEncryptionZonesAPI {
   private final Configuration conf = new Configuration();
   private MiniDFSCluster cluster;
   private static File tmpDir;
-  private FileSystem fs;
+  private DistributedFileSystem fs;
 
   @Before
   public void setUpCluster() throws IOException {
@@ -65,7 +70,7 @@ public void setUpCluster() throws IOException {
     conf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
         JavaKeyStoreProvider.SCHEME_NAME + "://file" + tmpDir + "/test.jks");
     cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
-    fs = createFileSystem(conf);
+    fs = (DistributedFileSystem) createFileSystem(conf);
   }
 
   protected FileSystem createFileSystem(Configuration conf) throws IOException {
@@ -424,4 +429,66 @@ public void testRenameEncryptionZone()
               "/test/foo/baz can't be moved from an encryption zone.", e);
     }
   }
+
+  @Test(timeout = 60000)
+  public void testCipherSuiteNegotiation() throws Exception {
+    final HdfsAdmin dfsAdmin =
+        new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    final Path zone = new Path("/zone");
+    fs.mkdirs(zone);
+    dfsAdmin.createEncryptionZone(zone, null);
+    // Create a file in an EZ, which should succeed
+    DFSTestUtil.createFile(fs, new Path(zone, "success1"), 0, (short) 1,
+        0xFEED);
+    // Pass no cipherSuites, fail
+    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(0);
+    try {
+      DFSTestUtil.createFile(fs, new Path(zone, "fail"), 0, (short) 1,
+          0xFEED);
+      fail("Created a file without specifying a CipherSuite!");
+    } catch (UnknownCipherSuiteException e) {
+      GenericTestUtils.assertExceptionContains("No cipher suites", e);
+    }
+    // Pass some unknown cipherSuites, fail
+    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(3);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    try {
+      DFSTestUtil.createFile(fs, new Path(zone, "fail"), 0, (short) 1,
+          0xFEED);
+      fail("Created a file without specifying a CipherSuite!");
+    } catch (UnknownCipherSuiteException e) {
+      GenericTestUtils.assertExceptionContains("No cipher suites", e);
+    }
+    // Pass some unknown and a good cipherSuites, success
+    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(3);
+    fs.getClient().cipherSuites.add(CipherSuite.AES_CTR_NOPADDING);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    DFSTestUtil.createFile(fs, new Path(zone, "success2"), 0, (short) 1,
+        0xFEED);
+    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(3);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    fs.getClient().cipherSuites.add(CipherSuite.AES_CTR_NOPADDING);
+    DFSTestUtil.createFile(fs, new Path(zone, "success3"), 4096, (short) 1,
+        0xFEED);
+    // Check that the specified CipherSuite was correctly saved on the NN
+    for (int i=2; i<=3; i++) {
+      LocatedBlocks blocks =
+          fs.getClient().getLocatedBlocks(zone.toString() + "/success2", 0);
+      FileEncryptionInfo feInfo = blocks.getFileEncryptionInfo();
+      assertEquals(feInfo.getCipherSuite(), CipherSuite.AES_CTR_NOPADDING);
+      // TODO: validate against actual key/iv in HDFS-6474
+      byte[] key = feInfo.getEncryptedDataEncryptionKey();
+      for (int j = 0; j < key.length; j++) {
+        assertEquals("Unexpected key byte", (byte)j, key[j]);
+      }
+      byte[] iv = feInfo.getIV();
+      for (int j = 0; j < iv.length; j++) {
+        assertEquals("Unexpected IV byte", (byte)(3+j*2), iv[j]);
+      }
+    }
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileCreation.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileCreation.java
index 64697bf9d82..1cbcf52bf56 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileCreation.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileCreation.java
@@ -1131,7 +1131,7 @@ private void doCreateTest(CreationMethod method) throws Exception {
           try {
             nnrpc.create(pathStr, new FsPermission((short)0755), "client",
                 new EnumSetWritable<CreateFlag>(EnumSet.of(CreateFlag.CREATE)),
-                true, (short)1, 128*1024*1024L);
+                true, (short)1, 128*1024*1024L, null);
             fail("Should have thrown exception when creating '"
                 + pathStr + "'" + " by " + method);
           } catch (InvalidPathException ipe) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java
index 63c6443f6fd..28c253fd157 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestLease.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.hdfs;
 
+import static org.mockito.Matchers.anyList;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Matchers.anyShort;
 import static org.mockito.Matchers.anyLong;
@@ -29,10 +30,12 @@
 import java.io.DataOutputStream;
 import java.io.IOException;
 import java.security.PrivilegedExceptionAction;
+import java.util.List;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.fs.CreateFlag;
 import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileStatus;
@@ -348,7 +351,7 @@ public void testFactory() throws Exception {
         .when(mcp)
         .create(anyString(), (FsPermission) anyObject(), anyString(),
             (EnumSetWritable<CreateFlag>) anyObject(), anyBoolean(),
-            anyShort(), anyLong());
+            anyShort(), anyLong(), (List<CipherSuite>) anyList());
 
     final Configuration conf = new Configuration();
     final DFSClient c1 = createDFSClientAs(ugi[0], conf);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/NNThroughputBenchmark.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/NNThroughputBenchmark.java
index 7279aff9387..1fb1c1f9942 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/NNThroughputBenchmark.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/NNThroughputBenchmark.java
@@ -587,7 +587,8 @@ long executeOp(int daemonId, int inputIdx, String clientName)
       // dummyActionNoSynch(fileIdx);
       nameNodeProto.create(fileNames[daemonId][inputIdx], FsPermission.getDefault(),
                       clientName, new EnumSetWritable<CreateFlag>(EnumSet
-              .of(CreateFlag.CREATE, CreateFlag.OVERWRITE)), true, replication, BLOCK_SIZE);
+              .of(CreateFlag.CREATE, CreateFlag.OVERWRITE)), true, 
+          replication, BLOCK_SIZE, null);
       long end = Time.now();
       for(boolean written = !closeUponCreate; !written; 
         written = nameNodeProto.complete(fileNames[daemonId][inputIdx],
@@ -1133,7 +1134,7 @@ void generateInputs(int[] ignore) throws IOException {
         String fileName = nameGenerator.getNextFileName("ThroughputBench");
         nameNodeProto.create(fileName, FsPermission.getDefault(), clientName,
             new EnumSetWritable<CreateFlag>(EnumSet.of(CreateFlag.CREATE, CreateFlag.OVERWRITE)), true, replication,
-            BLOCK_SIZE);
+            BLOCK_SIZE, null);
         ExtendedBlock lastBlock = addBlocks(fileName, clientName);
         nameNodeProto.complete(fileName, clientName, lastBlock, INodeId.GRANDFATHER_INODE_ID);
       }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAddBlockRetry.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAddBlockRetry.java
index 08c44c23edb..5153e76f965 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAddBlockRetry.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAddBlockRetry.java
@@ -128,7 +128,7 @@ public DatanodeStorageInfo[] answer(InvocationOnMock invocation)
     nn.create(src, FsPermission.getFileDefault(),
         "clientName",
         new EnumSetWritable<CreateFlag>(EnumSet.of(CreateFlag.CREATE)),
-        true, (short)3, 1024);
+        true, (short)3, 1024, null);
 
     // start first addBlock()
     LOG.info("Starting first addBlock for " + src);
@@ -155,7 +155,7 @@ public void testAddBlockRetryShouldReturnBlockWithLocations()
     // create file
     nameNodeRpc.create(src, FsPermission.getFileDefault(), "clientName",
         new EnumSetWritable<CreateFlag>(EnumSet.of(CreateFlag.CREATE)), true,
-        (short) 3, 1024);
+        (short) 3, 1024, null);
     // start first addBlock()
     LOG.info("Starting first addBlock for " + src);
     LocatedBlock lb1 = nameNodeRpc.addBlock(src, "clientName", null, null,
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNamenodeRetryCache.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNamenodeRetryCache.java
index d6f38853474..974dd55d0ea 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNamenodeRetryCache.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNamenodeRetryCache.java
@@ -209,19 +209,20 @@ public void testCreate() throws Exception {
     // Two retried calls succeed
     newCall();
     HdfsFileStatus status = namesystem.startFile(src, perm, "holder",
-        "clientmachine", EnumSet.of(CreateFlag.CREATE), true, (short) 1, BlockSize);
+        "clientmachine", EnumSet.of(CreateFlag.CREATE), true, (short) 1, 
+        BlockSize, null);
     Assert.assertEquals(status, namesystem.startFile(src, perm, 
         "holder", "clientmachine", EnumSet.of(CreateFlag.CREATE), 
-        true, (short) 1, BlockSize));
+        true, (short) 1, BlockSize, null));
     Assert.assertEquals(status, namesystem.startFile(src, perm, 
         "holder", "clientmachine", EnumSet.of(CreateFlag.CREATE), 
-        true, (short) 1, BlockSize));
+        true, (short) 1, BlockSize, null));
     
     // A non-retried call fails
     newCall();
     try {
       namesystem.startFile(src, perm, "holder", "clientmachine",
-          EnumSet.of(CreateFlag.CREATE), true, (short) 1, BlockSize);
+          EnumSet.of(CreateFlag.CREATE), true, (short) 1, BlockSize, null);
       Assert.fail("testCreate - expected exception is not thrown");
     } catch (IOException e) {
       // expected
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestRetryCacheWithHA.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestRetryCacheWithHA.java
index a34a0365f99..8921c809b32 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestRetryCacheWithHA.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestRetryCacheWithHA.java
@@ -394,7 +394,7 @@ void invoke() throws Exception {
       this.status = client.getNamenode().create(fileName,
           FsPermission.getFileDefault(), client.getClientName(),
           new EnumSetWritable<CreateFlag>(createFlag), false, DataNodes,
-          BlockSize);
+          BlockSize, null);
     }
 
     @Override

From 2a3bccddd939ee0d6941aa2d22edc67dea85fe35 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Thu, 3 Jul 2014 00:58:45 +0000
Subject: [PATCH 021/354] HDFS-6625. Remove the Delete Encryption Zone function
 (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1607507 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   2 +
 .../org/apache/hadoop/hdfs/DFSClient.java     |  11 --
 .../hadoop/hdfs/DistributedFileSystem.java    |   5 -
 .../apache/hadoop/hdfs/client/HdfsAdmin.java  |  21 ---
 .../hadoop/hdfs/protocol/ClientProtocol.java  |   7 -
 ...amenodeProtocolServerSideTranslatorPB.java |  15 --
 .../ClientNamenodeProtocolTranslatorPB.java   |  12 --
 .../hdfs/server/namenode/FSDirectory.java     |  23 ----
 .../hdfs/server/namenode/FSNamesystem.java    |  73 +---------
 .../server/namenode/NameNodeRpcServer.java    |   5 -
 .../apache/hadoop/hdfs/tools/CryptoAdmin.java |  50 -------
 .../main/proto/ClientNamenodeProtocol.proto   |   2 -
 .../src/main/proto/encryption.proto           |   7 -
 .../hadoop/hdfs/TestEncryptionZonesAPI.java   | 130 +++---------------
 .../src/test/resources/testCryptoConf.xml     |  74 +---------
 15 files changed, 30 insertions(+), 407 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index dcd22697dc4..f6f68e433ce 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -30,6 +30,8 @@ fs-encryption (Unreleased)
 
     HDFS-6605. Client server negotiation of cipher suite. (wang)
 
+    HDFS-6625. Remove the Delete Encryption Zone function (clamb)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index 1e3a179b81a..47ac88c75c6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -2848,17 +2848,6 @@ public void createEncryptionZone(String src, String keyId)
     }
   }
 
-  public void deleteEncryptionZone(String src) throws IOException {
-    checkOpen();
-    try {
-      namenode.deleteEncryptionZone(src);
-    } catch (RemoteException re) {
-      throw re.unwrapRemoteException(AccessControlException.class,
-                                     SafeModeException.class,
-                                     UnresolvedPathException.class);
-    }
-  }
-
   public List<EncryptionZone> listEncryptionZones() throws IOException {
     checkOpen();
     try {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
index 1abf85bb79b..c348a1b3a95 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
@@ -1804,11 +1804,6 @@ public void createEncryptionZone(Path path, String keyId)
     dfs.createEncryptionZone(getPathName(path), keyId);
   }
 
-  /* HDFS only */
-  public void deleteEncryptionZone(Path path) throws IOException {
-    dfs.deleteEncryptionZone(getPathName(path));
-  }
-
   /* HDFS only */
   public List<EncryptionZone> listEncryptionZones() throws IOException {
     return dfs.listEncryptionZones();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
index a13edfe5c5a..018fce4e797 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
@@ -258,27 +258,6 @@ public void createEncryptionZone(Path path, String keyId)
     dfs.createEncryptionZone(path, keyId);
   }
 
-  /**
-   * Delete the encryption zone rooted at path. Path must refer to an existing,
-   * empty directory. Otherwise, an IOException is thrown. This method removes
-   * those extended attributes on the directory which indicate that it is part
-   * of an encryption zone. Following successful completion of this call, any
-   * new files created in the directory (or it's children) will not be
-   * encrypted. The directory is not removed by this method.
-   *
-   * @param path The path of the root of the encryption zone.
-   *
-   * @throws IOException if there was a general IO exception
-   *
-   * @throws AccessControlException if the caller does not have access to path
-   *
-   * @throws FileNotFoundException if the path does not exist
-   */
-  public void deleteEncryptionZone(Path path)
-    throws IOException, AccessControlException, FileNotFoundException {
-    dfs.deleteEncryptionZone(path);
-  }
-
   /**
    * Return a list of all {@EncryptionZone}s in the HDFS hierarchy which are
    * visible to the caller. If the caller is the HDFS admin, then the returned
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index 83e4278e16b..a307520fc05 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -1266,13 +1266,6 @@ public void removeAclEntries(String src, List<AclEntry> aclSpec)
   public void createEncryptionZone(String src, String keyId)
     throws IOException;
 
-  /**
-   * Delete an encryption zone
-   */
-  @AtMostOnce
-  public void deleteEncryptionZone(String src)
-    throws IOException;
-
   /**
    * Return a list of all {@EncryptionZone}s in the HDFS hierarchy which are
    * visible to the caller. If the caller is the HDFS admin, then the returned
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
index 3fdf5a07eb8..570386e04e6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
@@ -173,14 +173,11 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdatePipelineResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.CreateEncryptionZoneResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.CreateEncryptionZoneRequestProto;
-import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.DeleteEncryptionZoneResponseProto;
-import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.DeleteEncryptionZoneRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeIDProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeInfoProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.LocatedBlockProto;
-import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.GetXAttrsRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.GetXAttrsResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.ListXAttrsRequestProto;
@@ -1297,18 +1294,6 @@ public CreateEncryptionZoneResponseProto createEncryptionZone(
     }
   }
 
-  @Override
-  public DeleteEncryptionZoneResponseProto deleteEncryptionZone(
-    RpcController controller, DeleteEncryptionZoneRequestProto req)
-    throws ServiceException {
-    try {
-      server.deleteEncryptionZone(req.getSrc());
-      return DeleteEncryptionZoneResponseProto.newBuilder().build();
-    } catch (IOException e) {
-      throw new ServiceException(e);
-    }
-  }
-
   @Override
   public ListEncryptionZonesResponseProto listEncryptionZones(
     RpcController controller, ListEncryptionZonesRequestProto req)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
index 81d4e432f49..6a15ac57752 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
@@ -146,7 +146,6 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdateBlockForPipelineRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdatePipelineRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.CreateEncryptionZoneRequestProto;
-import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.DeleteEncryptionZoneRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.GetXAttrsRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.ListXAttrsRequestProto;
@@ -1301,17 +1300,6 @@ public void createEncryptionZone(String src, String keyId)
     }
   }
 
-  @Override
-  public void deleteEncryptionZone(String src) throws IOException {
-    final DeleteEncryptionZoneRequestProto req =
-      DeleteEncryptionZoneRequestProto.newBuilder().setSrc(src).build();
-    try {
-      rpcProxy.deleteEncryptionZone(null, req);
-    } catch (ServiceException e) {
-      throw ProtobufHelper.getRemoteException(e);
-    }
-  }
-
   @Override
   public List<EncryptionZone> listEncryptionZones() throws IOException {
     final ListEncryptionZonesRequestProto req =
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index 5c5ff8bb85e..391e6a733dc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -2716,29 +2716,6 @@ XAttr createEncryptionZone(String src, String keyId)
     }
   }
 
-  List<XAttr> deleteEncryptionZone(String src)
-    throws IOException {
-    writeLock();
-    try {
-      if (isNonEmptyDirectory(src)) {
-        throw new IOException(
-          "Attempt to delete an encryption zone for a non-empty directory.");
-      }
-      final XAttr keyIdXAttr =
-        XAttrHelper.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, null);
-      List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
-      xattrs.add(keyIdXAttr);
-      final List<XAttr> removedXAttrs = unprotectedRemoveXAttrs(src, xattrs);
-      if (removedXAttrs == null || removedXAttrs.isEmpty()) {
-        throw new IOException(
-          src + " does not appear to be the root of an encryption zone");
-      }
-      return removedXAttrs;
-    } finally {
-      writeUnlock();
-    }
-  }
-
   /**
    * Set the FileEncryptionInfo for an INode.
    */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index ca793ab7acd..5a7cb12304c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -3650,6 +3650,12 @@ private boolean deleteInternal(String src, boolean recursive,
         checkPermission(pc, src, false, null, FsAction.WRITE, null,
             FsAction.ALL, true, false);
       }
+
+      final EncryptionZone ez = getEncryptionZoneForPath(src);
+      if (ez != null) {
+        encryptionZones.remove(src);
+      }
+
       long mtime = now();
       // Unlink the target directory from directory tree
       long filesRemoved = dir.delete(src, collectedBlocks, removedINodes,
@@ -8393,73 +8399,8 @@ private String createNewKey(String src)
     return keyId;
   }
 
-  /**
-   * Delete the encryption zone on directory src.
-   *
-   * @param src the path of a directory which is the root of the encryption
-   * zone. The directory must be empty and must be marked as an encryption
-   * zone.
-   *
-   * @throws AccessControlException if the caller is not the superuser.
-   *
-   * @throws UnresolvedLinkException if the path can't be resolved.
-   *
-   * @throws SafeModeException if the Namenode is in safe mode.
-   */
-  void deleteEncryptionZone(final String src)
-    throws IOException, UnresolvedLinkException,
-      SafeModeException, AccessControlException {
-    final CacheEntry cacheEntry = RetryCache.waitForCompletion(retryCache);
-    if (cacheEntry != null && cacheEntry.isSuccess()) {
-      return; // Return previous response
-    }
-
-    boolean success = false;
-    try {
-      deleteEncryptionZoneInt(src, cacheEntry != null);
-      encryptionZones.remove(src);
-      success = true;
-    } catch (AccessControlException e) {
-      logAuditEvent(false, "deleteEncryptionZone", src);
-      throw e;
-    } finally {
-      RetryCache.setState(cacheEntry, success);
-    }
-  }
-
-  private void deleteEncryptionZoneInt(final String srcArg,
-    final boolean logRetryCache) throws IOException {
-    String src = srcArg;
-    HdfsFileStatus resultingStat = null;
-    checkSuperuserPrivilege();
-    checkOperation(OperationCategory.WRITE);
-    final byte[][] pathComponents =
-      FSDirectory.getPathComponentsForReservedPath(src);
-    writeLock();
-    try {
-      checkSuperuserPrivilege();
-      checkOperation(OperationCategory.WRITE);
-      checkNameNodeSafeMode("Cannot delete encryption zone on " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
-      final EncryptionZone ez = encryptionZones.get(src);
-      if (ez == null) {
-        throw new IOException("Directory " + src +
-          " is not the root of an encryption zone.");
-      }
-      final List<XAttr> removedXAttrs = dir.deleteEncryptionZone(src);
-      if (removedXAttrs != null && !removedXAttrs.isEmpty()) {
-        getEditLog().logRemoveXAttrs(src, removedXAttrs);
-      }
-      encryptionZones.remove(src);
-      resultingStat = getAuditFileInfo(src, false);
-    } finally {
-      writeUnlock();
-    }
-    getEditLog().logSync();
-    logAuditEvent(true, "deleteEncryptionZone", src, null, resultingStat);
-  }
-
   List<EncryptionZone> listEncryptionZones() throws IOException {
+
     boolean success = false;
     checkSuperuserPrivilege();
     checkOperation(OperationCategory.READ);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 35d6266644e..efbc92ddc66 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -1413,11 +1413,6 @@ public void createEncryptionZone(String src, String keyId)
     namesystem.createEncryptionZone(src, keyId);
   }
 
-  @Override
-  public void deleteEncryptionZone(String src) throws IOException {
-    namesystem.deleteEncryptionZone(src);
-  }
-
   @Override
   public List<EncryptionZone> listEncryptionZones() throws IOException {
     return namesystem.listEncryptionZones();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
index 9347d4de5d9..f1ec3cbfc57 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
@@ -32,8 +32,6 @@
 import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.util.Tool;
 
-import com.google.common.base.Joiner;
-
 /**
  * This class implements crypto command-line operations.
  */
@@ -169,53 +167,6 @@ public int run(Configuration conf, List<String> args) throws IOException {
     }
   }
 
-  private static class DeleteZoneCommand implements Command {
-    @Override
-    public String getName() {
-      return "-deleteZone";
-    }
-
-    @Override
-    public String getShortUsage() {
-      return "[" + getName() + " -path <path> " + "]\n";
-    }
-
-    @Override
-    public String getLongUsage() {
-      final TableListing listing = getOptionDescriptionListing();
-      listing.addRow("<path>", "The path of the encryption zone to delete. " +
-        "It must be an empty directory and an existing encryption zone.");
-      return getShortUsage() + "\n" +
-        "Delete an encryption zone.\n\n" +
-        listing.toString();
-    }
-
-    @Override
-    public int run(Configuration conf, List<String> args) throws IOException {
-      final String path = StringUtils.popOptionWithArgument("-path", args);
-      if (path == null) {
-        System.err.println("You must specify a path with -path.");
-        return 1;
-      }
-
-      if (!args.isEmpty()) {
-        System.err.println("Can't understand argument: " + args.get(0));
-        return 1;
-      }
-
-      final DistributedFileSystem dfs = getDFS(conf);
-      try {
-        dfs.deleteEncryptionZone(new Path(path));
-        System.out.println("Deleted encryption zone " + path);
-      } catch (IOException e) {
-        System.err.println(prettifyException(e));
-        return 2;
-      }
-
-      return 0;
-    }
-  }
-
   private static class ListZonesCommand implements Command {
     @Override
     public String getName() {
@@ -315,7 +266,6 @@ public int run(Configuration conf, List<String> args) throws IOException {
 
   private static final Command[] COMMANDS = {
     new CreateZoneCommand(),
-    new DeleteZoneCommand(),
     new ListZonesCommand(),
     new HelpCommand(),
   };
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
index 70455989e7f..d0e2fcaba6a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
@@ -772,8 +772,6 @@ service ClientNamenodeProtocol {
       returns(RemoveXAttrResponseProto);
   rpc createEncryptionZone(CreateEncryptionZoneRequestProto)
       returns(CreateEncryptionZoneResponseProto);
-  rpc deleteEncryptionZone(DeleteEncryptionZoneRequestProto)
-      returns(DeleteEncryptionZoneResponseProto);
   rpc listEncryptionZones(ListEncryptionZonesRequestProto)
       returns(ListEncryptionZonesResponseProto);
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
index 748f2cb40c2..6b091a572be 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
@@ -41,13 +41,6 @@ message CreateEncryptionZoneRequestProto {
 message CreateEncryptionZoneResponseProto {
 }
 
-message DeleteEncryptionZoneRequestProto {
-  required string src = 1;
-}
-
-message DeleteEncryptionZoneResponseProto {
-}
-
 message ListEncryptionZonesRequestProto {
 }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
index c787da69d7f..85f7ff57013 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
@@ -85,7 +85,7 @@ public void shutDownCluster() {
   }
 
   /** Test failure of Create EZ on a directory that doesn't exist. */
-  @Test(timeout = 30000)
+  @Test(timeout = 60000)
   public void testCreateEncryptionZoneDirectoryDoesntExist() throws Exception {
     final HdfsAdmin dfsAdmin =
       new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
@@ -98,7 +98,7 @@ public void testCreateEncryptionZoneDirectoryDoesntExist() throws Exception {
   }
 
   /** Test failure of Create EZ on a directory which is already an EZ. */
-  @Test(timeout = 30000)
+  @Test(timeout = 60000)
   public void testCreateEncryptionZoneWhichAlreadyExists()
     throws Exception {
     final HdfsAdmin dfsAdmin =
@@ -114,7 +114,7 @@ public void testCreateEncryptionZoneWhichAlreadyExists()
   }
 
   /** Test success of Create EZ in which a key is created. */
-  @Test(timeout = 30000)
+  @Test(timeout = 60000)
   public void testCreateEncryptionZoneAndGenerateKeyDirectoryEmpty()
     throws Exception {
     final HdfsAdmin dfsAdmin =
@@ -124,7 +124,7 @@ public void testCreateEncryptionZoneAndGenerateKeyDirectoryEmpty()
   }
 
   /** Test failure of Create EZ operation in an existing EZ. */
-  @Test(timeout = 30000)
+  @Test(timeout = 60000)
   public void testCreateEncryptionZoneInExistingEncryptionZone()
     throws Exception {
     final HdfsAdmin dfsAdmin =
@@ -142,7 +142,7 @@ public void testCreateEncryptionZoneInExistingEncryptionZone()
   }
 
   /** Test failure of creating an EZ using a non-empty directory. */
-  @Test(timeout = 30000)
+  @Test(timeout = 60000)
   public void testCreateEncryptionZoneAndGenerateKeyDirectoryNotEmpty()
     throws Exception {
     final HdfsAdmin dfsAdmin =
@@ -159,7 +159,7 @@ public void testCreateEncryptionZoneAndGenerateKeyDirectoryNotEmpty()
   }
 
   /** Test failure of creating an EZ passing a key that doesn't exist. */
-  @Test(timeout = 30000)
+  @Test(timeout = 60000)
   public void testCreateEncryptionZoneKeyDoesntExist() throws Exception {
     final HdfsAdmin dfsAdmin =
       new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
@@ -174,7 +174,7 @@ public void testCreateEncryptionZoneKeyDoesntExist() throws Exception {
   }
 
   /** Test success of creating an EZ when they key exists. */
-  @Test(timeout = 30000)
+  @Test(timeout = 60000)
   public void testCreateEncryptionZoneKeyExist() throws Exception {
     final HdfsAdmin dfsAdmin =
       new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
@@ -198,9 +198,9 @@ private void createAKey(String keyId)
     provider.flush();
   }
 
-  /** Test failure of create/delete encryption zones as a non super user. */
-  @Test(timeout = 30000)
-  public void testCreateAndDeleteEncryptionZoneAsNonSuperUser()
+  /** Test failure of create encryption zones as a non super user. */
+  @Test(timeout = 60000)
+  public void testCreateEncryptionZoneAsNonSuperUser()
     throws Exception {
     final HdfsAdmin dfsAdmin =
       new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
@@ -225,120 +225,28 @@ public Object run() throws Exception {
           return null;
         }
       });
-    dfsAdmin.createEncryptionZone(TEST_PATH, null);
-
-    user.doAs(new PrivilegedExceptionAction<Object>() {
-      @Override
-      public Object run() throws Exception {
-        final HdfsAdmin userAdmin =
-                new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-        try {
-          userAdmin.deleteEncryptionZone(TEST_PATH);
-          fail("deleteEncryptionZone is superuser-only operation");
-        } catch (AccessControlException e) {
-          GenericTestUtils.assertExceptionContains(
-                  "Superuser privilege is required", e);
-        }
-        return null;
-      }
-    });
-  }
-
-  /** Test failure of deleting an EZ passing a directory that doesn't exist. */
-  @Test(timeout = 30000)
-  public void testDeleteEncryptionZoneDirectoryDoesntExist() throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    try {
-      dfsAdmin.deleteEncryptionZone(TEST_PATH);
-      fail("Directory doesn't exist");
-    } catch (IOException e) {
-      GenericTestUtils.assertExceptionContains(
-        "is not the root of an encryption zone", e);
-    }
-  }
-
-  /** Test failure of deleting an EZ which is not empty. */
-  @Test(timeout = 30000)
-  public void testDeleteEncryptionZoneAndGenerateKeyDirectoryNotEmpty()
-    throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
-    dfsAdmin.createEncryptionZone(TEST_PATH, null);
-    FileSystem.create(fs, new Path("/test/foo"),
-      new FsPermission((short) 0777));
-    try {
-      dfsAdmin.deleteEncryptionZone(TEST_PATH);
-      fail("Directory not empty");
-    } catch (IOException e) {
-      GenericTestUtils.assertExceptionContains("non-empty directory", e);
-    }
-  }
-
-  /** Test success of deleting an EZ. */
-  @Test(timeout = 30000)
-  public void testDeleteEncryptionZone()
-    throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
-    dfsAdmin.createEncryptionZone(TEST_PATH, null);
-    List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
-    Preconditions.checkState(zones.size() == 1, "More than one zone found?");
-    dfsAdmin.deleteEncryptionZone(TEST_PATH);
-    zones = dfsAdmin.listEncryptionZones();
-    Preconditions.checkState(zones.size() == 0, "More than one zone found?");
   }
 
   /**
-   * Test failure of deleting an EZ on a subdir that is not the root of an EZ.
+   * Test success of creating an encryption zone a few levels down.
    */
-  @Test(timeout = 30000)
-  public void testDeleteEncryptionZoneInExistingEncryptionZone()
+  @Test(timeout = 60000)
+  public void testCreateEncryptionZoneDownAFewLevels()
     throws Exception {
     final HdfsAdmin dfsAdmin =
       new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
-    dfsAdmin.createEncryptionZone(TEST_PATH, null);
-    FileSystem.mkdirs(fs, TEST_PATH_WITH_CHILD, new FsPermission((short) 0777));
-    try {
-      dfsAdmin.deleteEncryptionZone(TEST_PATH_WITH_CHILD);
-      fail("EZ in an EZ");
-    } catch (IOException e) {
-      GenericTestUtils.assertExceptionContains(
-        "is not the root of an encryption zone", e);
-    }
-  }
-
-  /**
-   * Test success of creating and deleting an encryption zone a few levels down.
-   */
-  @Test(timeout = 30000)
-  public void testCreateAndDeleteEncryptionZoneDownAFewLevels()
-    throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
-    dfsAdmin.createEncryptionZone(TEST_PATH, null);
     FileSystem.mkdirs(fs, TEST_PATH_WITH_MULTIPLE_CHILDREN,
       new FsPermission((short) 0777));
-    try {
-      dfsAdmin.deleteEncryptionZone(TEST_PATH_WITH_MULTIPLE_CHILDREN);
-      fail("EZ in an EZ");
-    } catch (IOException e) {
-      GenericTestUtils.assertExceptionContains(
-        "is not the root of an encryption zone", e);
-    }
+    dfsAdmin.createEncryptionZone(TEST_PATH_WITH_MULTIPLE_CHILDREN, null);
     final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
     Preconditions.checkState(zones.size() == 1, "More than one zone found?");
     final EncryptionZone ez = zones.get(0);
       GenericTestUtils.assertMatches(ez.toString(),
-         "EncryptionZone \\[path=/test, keyId=");
+         "EncryptionZone \\[path=/test/foo/baz, keyId=");
   }
 
   /** Test failure of creating an EZ using a non-empty directory. */
-  @Test(timeout = 30000)
+  @Test(timeout = 60000)
   public void testCreateFileInEncryptionZone() throws Exception {
     final HdfsAdmin dfsAdmin =
       new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
@@ -353,7 +261,7 @@ public void testCreateFileInEncryptionZone() throws Exception {
   }
 
   /** Test listing encryption zones. */
-  @Test(timeout = 30000)
+  @Test(timeout = 60000)
   public void testListEncryptionZones() throws Exception {
     final HdfsAdmin dfsAdmin =
       new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
@@ -377,7 +285,7 @@ public void testListEncryptionZones() throws Exception {
   }
 
   /** Test listing encryption zones as a non super user. */
-  @Test(timeout = 30000)
+  @Test(timeout = 60000)
   public void testListEncryptionZonesAsNonSuperUser() throws Exception {
     final HdfsAdmin dfsAdmin =
       new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
@@ -412,7 +320,7 @@ public Object run() throws Exception {
   }
 
   /** Test success of Rename EZ on a directory which is already an EZ. */
-  @Test(timeout = 30000)
+  @Test(timeout = 60000)
   public void testRenameEncryptionZone()
           throws Exception {
     final HdfsAdmin dfsAdmin =
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
index 1bf8f74fb14..36df642b104 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
@@ -71,7 +71,6 @@
         <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
-        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
         <command>-fs NAMENODE -rmdir /foo</command>
       </cleanup-commands>
       <comparators>
@@ -90,7 +89,6 @@
         <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
-        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
         <command>-fs NAMENODE -rmdir /foo</command>
       </cleanup-commands>
       <comparators>
@@ -112,7 +110,6 @@
       </test-commands>
       <cleanup-commands>
         <command>-fs NAMENODE -rmdir /foo/bar</command>
-        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
         <command>-fs NAMENODE -rmdir /foo</command>
       </cleanup-commands>
       <comparators>
@@ -169,7 +166,6 @@
         <crypto-admin-command>-createZone -path /foo -keyId mykey</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
-        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
         <command>-fs NAMENODE -rmdir /foo</command>
       </cleanup-commands>
       <comparators>
@@ -181,74 +177,13 @@
     </test>
 
     <test>
-      <description>Test failure of deleting an EZ passing a directory that doesn't exist.</description>
-      <test-commands>
-        <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
-      </test-commands>
-      <cleanup-commands>
-      </cleanup-commands>
-      <comparators>
-        <comparator>
-          <type>SubstringComparator</type>
-          <expected-output>Directory /foo is not the root of an encryption zone.</expected-output>
-        </comparator>
-      </comparators>
-    </test>
-
-    <test>
-      <description>Test failure of deleting an EZ which is not empty.</description>
-      <test-commands>
-        <command>-fs NAMENODE -mkdir /foo</command>
-        <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
-        <command>-fs NAMENODE -touchz /foo/bar</command>
-        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
-      </test-commands>
-      <cleanup-commands>
-        <command>-fs NAMENODE -rm /foo/bar</command>
-        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
-        <command>-fs NAMENODE -rmdir /foo</command>
-      </cleanup-commands>
-      <comparators>
-        <comparator>
-          <type>SubstringComparator</type>
-          <expected-output>Attempt to delete an encryption zone for a non-empty directory.</expected-output>
-        </comparator>
-      </comparators>
-    </test>
-
-    <test>
-      <description>Test failure of deleting an EZ on a subdir that is not the root of an EZ.</description>
-      <test-commands>
-        <command>-fs NAMENODE -mkdir /foo</command>
-        <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
-        <command>-fs NAMENODE -mkdir /foo/bar</command>
-        <crypto-admin-command>-deleteZone -path /foo/bar</crypto-admin-command>
-      </test-commands>
-      <cleanup-commands>
-        <command>-fs NAMENODE -rmdir /foo/bar</command>
-        <crypto-admin-command>-deleteZone -path /foo</crypto-admin-command>
-        <command>-fs NAMENODE -rmdir /foo</command>
-      </cleanup-commands>
-      <comparators>
-        <comparator>
-          <type>SubstringComparator</type>
-          <expected-output>Directory /foo/bar is not the root of an encryption zone.</expected-output>
-        </comparator>
-      </comparators>
-    </test>
-
-    <test>
-      <description>Test success of creating and deleting an encryption zone a few levels down.</description>
+      <description>Test success of creating an encryption zone a few levels down.</description>
       <test-commands>
         <command>-fs NAMENODE -mkdir /foo</command>
         <command>-fs NAMENODE -mkdir /foo/bar</command>
         <command>-fs NAMENODE -mkdir /foo/bar/baz</command>
         <command>-fs NAMENODE -ls /</command>-
         <crypto-admin-command>-createZone -path /foo/bar/baz</crypto-admin-command>
-        <crypto-admin-command>-deleteZone -path /foo/bar/baz</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
         <command>-fs NAMENODE -rmdir /foo/bar/baz</command>
@@ -258,7 +193,7 @@
       <comparators>
         <comparator>
           <type>SubstringComparator</type>
-          <expected-output>Deleted encryption zone /foo/bar/baz</expected-output>
+          <expected-output>Added encryption zone /foo/bar/baz</expected-output>
         </comparator>
       </comparators>
     </test>
@@ -276,8 +211,6 @@
       </test-commands>
       <cleanup-commands>
         <command>-fs NAMENODE -rmdir /src/subdir</command>
-        <crypto-admin-command>-deleteZone -path /src</crypto-admin-command>
-        <crypto-admin-command>-deleteZone -path /dst</crypto-admin-command>
         <command>-fs NAMENODE -rmdir /src</command>
         <command>-fs NAMENODE -rmdir /dst</command>
       </cleanup-commands>
@@ -299,7 +232,6 @@
         <command>-fs NAMENODE -mv /src /dst</command>-
       </test-commands>
       <cleanup-commands>
-        <crypto-admin-command>-deleteZone -path /dst</crypto-admin-command>
         <command>-fs NAMENODE -rmdir /src</command>
         <command>-fs NAMENODE -rmdir /dst</command>
       </cleanup-commands>
@@ -321,7 +253,6 @@
         <command>-fs NAMENODE -mv /src /dst</command>-
       </test-commands>
       <cleanup-commands>
-        <crypto-admin-command>-deleteZone -path /src</crypto-admin-command>
         <command>-fs NAMENODE -rmdir /src</command>
         <command>-fs NAMENODE -rmdir /dst</command>
       </cleanup-commands>
@@ -345,7 +276,6 @@
       <cleanup-commands>
         <command>-fs NAMENODE -rmdir /src/subdir2/subdir1</command>
         <command>-fs NAMENODE -rmdir /src/subdir2</command>
-        <crypto-admin-command>-deleteZone -path /src</crypto-admin-command>
         <command>-fs NAMENODE -rmdir /src</command>
       </cleanup-commands>
       <comparators>

From bfef9807a08435822546dd66dc72531465f34743 Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Thu, 3 Jul 2014 23:40:31 +0000
Subject: [PATCH 022/354] HADOOP-10693. Implementation of AES-CTR CryptoCodec
 using JNI to OpenSSL (hitliuyi via cmccabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1607768 13f79535-47bb-0310-9956-ffa450edef68
---
 BUILDING.txt                                  |  21 ++
 hadoop-common-project/hadoop-common/pom.xml   |  17 +-
 .../hadoop-common/src/CMakeLists.txt          |  33 +++
 .../hadoop-common/src/config.h.cmake          |   1 +
 .../hadoop/crypto/AESCTRCryptoCodec.java      |  71 -------
 .../org/apache/hadoop/crypto/CryptoCodec.java |   2 +-
 .../hadoop/crypto/JCEAESCTRCryptoCodec.java   | 159 --------------
 .../apache/hadoop/util/NativeCodeLoader.java  |   5 +
 .../hadoop/util/NativeLibraryChecker.java     |  19 +-
 .../org/apache/hadoop/util/NativeCodeLoader.c |  10 +
 .../apache/hadoop/crypto/TestCryptoCodec.java | 195 ++++++++++++++----
 .../hadoop/util/TestNativeCodeLoader.java     |   4 +
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   3 +
 hadoop-project-dist/pom.xml                   |  12 ++
 hadoop-project/pom.xml                        |   2 +
 15 files changed, 272 insertions(+), 282 deletions(-)

diff --git a/BUILDING.txt b/BUILDING.txt
index bfb0e0852e7..7b99537a260 100644
--- a/BUILDING.txt
+++ b/BUILDING.txt
@@ -81,6 +81,27 @@ Maven build goals:
     the final tar file. This option requires that -Dsnappy.lib is also given,
     and it ignores the -Dsnappy.prefix option.
 
+ OpenSSL build options:
+
+   OpenSSL includes a crypto library that can be utilized by the native code.
+   It is currently an optional component, meaning that Hadoop can be built with
+   or without this dependency.
+
+  * Use -Drequire.openssl to fail the build if libcrypto.so is not found.
+    If this option is not specified and the openssl library is missing,
+    we silently build a version of libhadoop.so that cannot make use of
+    openssl. This option is recommended if you plan on making use of openssl 
+    and want to get more repeatable builds.
+  * Use -Dopenssl.prefix to specify a nonstandard location for the libcrypto
+    header files and library files. You do not need this option if you have
+    installed openssl using a package manager.
+  * Use -Dopenssl.lib to specify a nonstandard location for the libcrypto library
+    files. Similarly to openssl.prefix, you do not need this option if you have
+    installed openssl using a package manager.
+  * Use -Dbundle.openssl to copy the contents of the openssl.lib directory into
+    the final tar file. This option requires that -Dopenssl.lib is also given,
+    and it ignores the -Dopenssl.prefix option.
+
    Tests options:
 
   * Use -DskipTests to skip tests when running the following Maven goals:
diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml
index ce14b21c388..13b0c3b369b 100644
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@@ -483,6 +483,10 @@
         <snappy.lib></snappy.lib>
         <snappy.include></snappy.include>
         <require.snappy>false</require.snappy>
+        <openssl.prefix></openssl.prefix>
+        <openssl.lib></openssl.lib>
+        <openssl.include></openssl.include>
+        <require.openssl>false</require.openssl>
       </properties>
       <build>
         <plugins>
@@ -532,6 +536,7 @@
                     <javahClassName>org.apache.hadoop.io.compress.snappy.SnappyDecompressor</javahClassName>
                     <javahClassName>org.apache.hadoop.io.compress.lz4.Lz4Compressor</javahClassName>
                     <javahClassName>org.apache.hadoop.io.compress.lz4.Lz4Decompressor</javahClassName>
+                    <javahClassName>org.apache.hadoop.crypto.OpensslCipher</javahClassName>
                     <javahClassName>org.apache.hadoop.util.NativeCrc32</javahClassName>
                     <javahClassName>org.apache.hadoop.net.unix.DomainSocket</javahClassName>
                     <javahClassName>org.apache.hadoop.net.unix.DomainSocketWatcher</javahClassName>
@@ -552,7 +557,7 @@
                 <configuration>
                   <target>
                     <exec executable="cmake" dir="${project.build.directory}/native" failonerror="true">
-                      <arg line="${basedir}/src/ -DGENERATED_JAVAH=${project.build.directory}/native/javah -DJVM_ARCH_DATA_MODEL=${sun.arch.data.model} -DREQUIRE_BZIP2=${require.bzip2} -DREQUIRE_SNAPPY=${require.snappy} -DCUSTOM_SNAPPY_PREFIX=${snappy.prefix} -DCUSTOM_SNAPPY_LIB=${snappy.lib} -DCUSTOM_SNAPPY_INCLUDE=${snappy.include}"/>
+                      <arg line="${basedir}/src/ -DGENERATED_JAVAH=${project.build.directory}/native/javah -DJVM_ARCH_DATA_MODEL=${sun.arch.data.model} -DREQUIRE_BZIP2=${require.bzip2} -DREQUIRE_SNAPPY=${require.snappy} -DCUSTOM_SNAPPY_PREFIX=${snappy.prefix} -DCUSTOM_SNAPPY_LIB=${snappy.lib} -DCUSTOM_SNAPPY_INCLUDE=${snappy.include} -DREQUIRE_OPENSSL=${require.openssl} -DCUSTOM_OPENSSL_PREFIX=${openssl.prefix} -DCUSTOM_OPENSSL_LIB=${openssl.lib} -DCUSTOM_OPENSSL_INCLUDE=${openssl.include}"/>
                     </exec>
                     <exec executable="make" dir="${project.build.directory}/native" failonerror="true">
                       <arg line="VERBOSE=1"/>
@@ -596,6 +601,11 @@
         <snappy.include></snappy.include>
         <require.snappy>false</require.snappy>
         <bundle.snappy.in.bin>true</bundle.snappy.in.bin>
+        <openssl.prefix></openssl.prefix>
+        <openssl.lib></openssl.lib>
+        <openssl.include></openssl.include>
+        <require.openssl>false</require.openssl>
+        <bundle.openssl.in.bin>true</bundle.openssl.in.bin>
       </properties>
       <build>
         <plugins>
@@ -641,6 +651,7 @@
                     <javahClassName>org.apache.hadoop.io.compress.snappy.SnappyDecompressor</javahClassName>
                     <javahClassName>org.apache.hadoop.io.compress.lz4.Lz4Compressor</javahClassName>
                     <javahClassName>org.apache.hadoop.io.compress.lz4.Lz4Decompressor</javahClassName>
+                    <javahClassName>org.apache.hadoop.crypto.OpensslCipher</javahClassName>
                     <javahClassName>org.apache.hadoop.util.NativeCrc32</javahClassName>
                   </javahClassNames>
                   <javahOutputDirectory>${project.build.directory}/native/javah</javahOutputDirectory>
@@ -685,6 +696,10 @@
                     <argument>/p:CustomSnappyLib=${snappy.lib}</argument>
                     <argument>/p:CustomSnappyInclude=${snappy.include}</argument>
                     <argument>/p:RequireSnappy=${require.snappy}</argument>
+                    <argument>/p:CustomOpensslPrefix=${openssl.prefix}</argument>
+                    <argument>/p:CustomOpensslLib=${openssl.lib}</argument>
+                    <argument>/p:CustomOpensslInclude=${openssl.include}</argument>
+                    <argument>/p:RequireOpenssl=${require.openssl}</argument>
                   </arguments>
                 </configuration>
               </execution>
diff --git a/hadoop-common-project/hadoop-common/src/CMakeLists.txt b/hadoop-common-project/hadoop-common/src/CMakeLists.txt
index dec63c45d7a..9ad049e0853 100644
--- a/hadoop-common-project/hadoop-common/src/CMakeLists.txt
+++ b/hadoop-common-project/hadoop-common/src/CMakeLists.txt
@@ -145,6 +145,37 @@ else (SNAPPY_LIBRARY AND SNAPPY_INCLUDE_DIR)
     ENDIF(REQUIRE_SNAPPY)
 endif (SNAPPY_LIBRARY AND SNAPPY_INCLUDE_DIR)
 
+SET(STORED_CMAKE_FIND_LIBRARY_SUFFIXES CMAKE_FIND_LIBRARY_SUFFIXES)
+set_find_shared_library_version("1.0.0")
+SET(OPENSSL_NAME "crypto")
+IF(${CMAKE_SYSTEM_NAME} MATCHES "Windows")
+    SET(OPENSSL_NAME "eay32")
+ENDIF()
+find_library(OPENSSL_LIBRARY
+    NAMES ${OPENSSL_NAME}
+    PATHS ${CUSTOM_OPENSSL_PREFIX} ${CUSTOM_OPENSSL_PREFIX}/lib
+          ${CUSTOM_OPENSSL_PREFIX}/lib64 ${CUSTOM_OPENSSL_LIB} NO_DEFAULT_PATH)
+find_library(OPENSSL_LIBRARY
+    NAMES ${OPENSSL_NAME})
+SET(CMAKE_FIND_LIBRARY_SUFFIXES STORED_CMAKE_FIND_LIBRARY_SUFFIXES)
+find_path(OPENSSL_INCLUDE_DIR 
+    NAMES openssl/evp.h
+    PATHS ${CUSTOM_OPENSSL_PREFIX} ${CUSTOM_OPENSSL_PREFIX}/include
+          ${CUSTOM_OPENSSL_INCLUDE} NO_DEFAULT_PATH)
+find_path(OPENSSL_INCLUDE_DIR 
+    NAMES openssl/evp.h)
+if (OPENSSL_LIBRARY AND OPENSSL_INCLUDE_DIR)
+    GET_FILENAME_COMPONENT(HADOOP_OPENSSL_LIBRARY ${OPENSSL_LIBRARY} NAME)
+    SET(OPENSSL_SOURCE_FILES
+        "${D}/crypto/OpensslCipher.c")
+else (OPENSSL_LIBRARY AND OPENSSL_INCLUDE_DIR)
+    SET(OPENSSL_INCLUDE_DIR "")
+    SET(OPENSSL_SOURCE_FILES "")
+    IF(REQUIRE_OPENSSL)
+        MESSAGE(FATAL_ERROR "Required openssl library could not be found.  OPENSSL_LIBRARY=${OPENSSL_LIBRARY}, OPENSSL_INCLUDE_DIR=${OPENSSL_INCLUDE_DIR}, CUSTOM_OPENSSL_INCLUDE_DIR=${CUSTOM_OPENSSL_INCLUDE_DIR}, CUSTOM_OPENSSL_PREFIX=${CUSTOM_OPENSSL_PREFIX}, CUSTOM_OPENSSL_INCLUDE=${CUSTOM_OPENSSL_INCLUDE}")
+    ENDIF(REQUIRE_OPENSSL)
+endif (OPENSSL_LIBRARY AND OPENSSL_INCLUDE_DIR)
+
 include_directories(
     ${GENERATED_JAVAH}
     main/native/src
@@ -155,6 +186,7 @@ include_directories(
     ${ZLIB_INCLUDE_DIRS}
     ${BZIP2_INCLUDE_DIR}
     ${SNAPPY_INCLUDE_DIR}
+    ${OPENSSL_INCLUDE_DIR}
     ${D}/util
 )
 CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/config.h.cmake ${CMAKE_BINARY_DIR}/config.h)
@@ -172,6 +204,7 @@ add_dual_library(hadoop
     ${D}/io/compress/lz4/lz4.c
     ${D}/io/compress/lz4/lz4hc.c
     ${SNAPPY_SOURCE_FILES}
+    ${OPENSSL_SOURCE_FILES}
     ${D}/io/compress/zlib/ZlibCompressor.c
     ${D}/io/compress/zlib/ZlibDecompressor.c
     ${BZIP2_SOURCE_FILES}
diff --git a/hadoop-common-project/hadoop-common/src/config.h.cmake b/hadoop-common-project/hadoop-common/src/config.h.cmake
index 020017c02fa..d71271dd3ee 100644
--- a/hadoop-common-project/hadoop-common/src/config.h.cmake
+++ b/hadoop-common-project/hadoop-common/src/config.h.cmake
@@ -21,6 +21,7 @@
 #cmakedefine HADOOP_ZLIB_LIBRARY "@HADOOP_ZLIB_LIBRARY@"
 #cmakedefine HADOOP_BZIP2_LIBRARY "@HADOOP_BZIP2_LIBRARY@"
 #cmakedefine HADOOP_SNAPPY_LIBRARY "@HADOOP_SNAPPY_LIBRARY@"
+#cmakedefine HADOOP_OPENSSL_LIBRARY "@HADOOP_OPENSSL_LIBRARY@"
 #cmakedefine HAVE_SYNC_FILE_RANGE
 #cmakedefine HAVE_POSIX_FADVISE
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
index e26135d2669..e69de29bb2d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
@@ -1,71 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.crypto;
-
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.classification.InterfaceStability;
-
-import com.google.common.base.Preconditions;
-
-@InterfaceAudience.Private
-@InterfaceStability.Evolving
-public abstract class AESCTRCryptoCodec extends CryptoCodec {
-
-  protected static final CipherSuite SUITE = CipherSuite.AES_CTR_NOPADDING;
-
-  /**
-   * For AES, the algorithm block is fixed size of 128 bits.
-   * @see http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
-   */
-  private static final int AES_BLOCK_SIZE = SUITE.getAlgorithmBlockSize();
-  private static final int CTR_OFFSET = 8;
-
-  @Override
-  public CipherSuite getCipherSuite() {
-    return SUITE;
-  }
-  
-  /**
-   * The IV is produced by adding the initial IV to the counter. IV length 
-   * should be the same as {@link #AES_BLOCK_SIZE}
-   */
-  @Override
-  public void calculateIV(byte[] initIV, long counter, byte[] IV) {
-    Preconditions.checkArgument(initIV.length == AES_BLOCK_SIZE);
-    Preconditions.checkArgument(IV.length == AES_BLOCK_SIZE);
-    
-    System.arraycopy(initIV, 0, IV, 0, CTR_OFFSET);
-    long l = (initIV[CTR_OFFSET + 0] << 56)
-        + ((initIV[CTR_OFFSET + 1] & 0xFF) << 48)
-        + ((initIV[CTR_OFFSET + 2] & 0xFF) << 40)
-        + ((initIV[CTR_OFFSET + 3] & 0xFF) << 32)
-        + ((initIV[CTR_OFFSET + 4] & 0xFF) << 24)
-        + ((initIV[CTR_OFFSET + 5] & 0xFF) << 16)
-        + ((initIV[CTR_OFFSET + 6] & 0xFF) << 8)
-        + (initIV[CTR_OFFSET + 7] & 0xFF);
-    l += counter;
-    IV[CTR_OFFSET + 0] = (byte) (l >>> 56);
-    IV[CTR_OFFSET + 1] = (byte) (l >>> 48);
-    IV[CTR_OFFSET + 2] = (byte) (l >>> 40);
-    IV[CTR_OFFSET + 3] = (byte) (l >>> 32);
-    IV[CTR_OFFSET + 4] = (byte) (l >>> 24);
-    IV[CTR_OFFSET + 5] = (byte) (l >>> 16);
-    IV[CTR_OFFSET + 6] = (byte) (l >>> 8);
-    IV[CTR_OFFSET + 7] = (byte) (l);
-  }
-}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
index 7d4e65ba4d3..80e15cd6b70 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
@@ -35,7 +35,7 @@ public abstract class CryptoCodec implements Configurable {
   
   public static CryptoCodec getInstance(Configuration conf) {
     final Class<? extends CryptoCodec> klass = conf.getClass(
-        HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY, JCEAESCTRCryptoCodec.class, 
+        HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY, JceAesCtrCryptoCodec.class, 
         CryptoCodec.class);
     return ReflectionUtils.newInstance(klass, conf);
   }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
index e575e5ed66c..e69de29bb2d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
@@ -1,159 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.crypto;
-
-import java.io.IOException;
-import java.nio.ByteBuffer;
-import java.security.GeneralSecurityException;
-import java.security.SecureRandom;
-
-import javax.crypto.Cipher;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.SecretKeySpec;
-
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.conf.Configuration;
-
-import com.google.common.base.Preconditions;
-
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY;
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY;
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_DEFAULT;
-
-/**
- * Implement the AES-CTR crypto codec using JCE provider.
- */
-@InterfaceAudience.Private
-public class JCEAESCTRCryptoCodec extends AESCTRCryptoCodec {
-  private Configuration conf;
-  private String provider;
-  private SecureRandom random;
-
-  public JCEAESCTRCryptoCodec() {
-  }
-  
-  @Override
-  public Configuration getConf() {
-    return conf;
-  }
-  
-  @Override
-  public void setConf(Configuration conf) {
-    this.conf = conf;
-    provider = conf.get(HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY);
-    final String secureRandomAlg = conf.get(
-        HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY, 
-        HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_DEFAULT);
-    try {
-      random = (provider != null) ? 
-          SecureRandom.getInstance(secureRandomAlg, provider) : 
-            SecureRandom.getInstance(secureRandomAlg);
-    } catch (GeneralSecurityException e) {
-      throw new IllegalArgumentException(e);
-    }
-  }
-
-  @Override
-  public Encryptor createEncryptor() throws GeneralSecurityException {
-    return new JCEAESCTRCipher(Cipher.ENCRYPT_MODE, provider);
-  }
-
-  @Override
-  public Decryptor createDecryptor() throws GeneralSecurityException {
-    return new JCEAESCTRCipher(Cipher.DECRYPT_MODE, provider);
-  }
-  
-  @Override
-  public void generateSecureRandom(byte[] bytes) {
-    random.nextBytes(bytes);
-  }  
-  
-  private static class JCEAESCTRCipher implements Encryptor, Decryptor {
-    private final Cipher cipher;
-    private final int mode;
-    private boolean contextReset = false;
-    
-    public JCEAESCTRCipher(int mode, String provider) 
-        throws GeneralSecurityException {
-      this.mode = mode;
-      if (provider == null || provider.isEmpty()) {
-        cipher = Cipher.getInstance(SUITE.getName());
-      } else {
-        cipher = Cipher.getInstance(SUITE.getName(), provider);
-      }
-    }
-
-    @Override
-    public void init(byte[] key, byte[] iv) throws IOException {
-      Preconditions.checkNotNull(key);
-      Preconditions.checkNotNull(iv);
-      contextReset = false;
-      try {
-        cipher.init(mode, new SecretKeySpec(key, "AES"), 
-            new IvParameterSpec(iv));
-      } catch (Exception e) {
-        throw new IOException(e);
-      }
-    }
-
-    /**
-     * AES-CTR will consume all of the input data. It requires enough space in 
-     * the destination buffer to encrypt entire input buffer.
-     */
-    @Override
-    public void encrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
-        throws IOException {
-      process(inBuffer, outBuffer);
-    }
-    
-    /**
-     * AES-CTR will consume all of the input data. It requires enough space in
-     * the destination buffer to decrypt entire input buffer.
-     */
-    @Override
-    public void decrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
-        throws IOException {
-      process(inBuffer, outBuffer);
-    }
-    
-    private void process(ByteBuffer inBuffer, ByteBuffer outBuffer)
-        throws IOException {
-      try {
-        int inputSize = inBuffer.remaining();
-        // Cipher#update will maintain crypto context.
-        int n = cipher.update(inBuffer, outBuffer);
-        if (n < inputSize) {
-          /**
-           * Typically code will not get here. Cipher#update will consume all 
-           * input data and put result in outBuffer. 
-           * Cipher#doFinal will reset the crypto context.
-           */
-          contextReset = true;
-          cipher.doFinal(inBuffer, outBuffer);
-        }
-      } catch (Exception e) {
-        throw new IOException(e);
-      }
-    }
-    
-    @Override
-    public boolean isContextReset() {
-      return contextReset;
-    }
-  }
-}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCodeLoader.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCodeLoader.java
index 5667d98b3e7..533fc07f8db 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCodeLoader.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCodeLoader.java
@@ -78,6 +78,11 @@ public static boolean isNativeCodeLoaded() {
    * Returns true only if this build was compiled with support for snappy.
    */
   public static native boolean buildSupportsSnappy();
+  
+  /**
+   * Returns true only if this build was compiled with support for openssl.
+   */
+  public static native boolean buildSupportsOpenssl();
 
   public static native String getLibraryName();
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeLibraryChecker.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeLibraryChecker.java
index 84117e2002e..4891f03cbb8 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeLibraryChecker.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeLibraryChecker.java
@@ -20,6 +20,7 @@
 
 import org.apache.hadoop.util.NativeCodeLoader;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.OpensslCipher;
 import org.apache.hadoop.io.compress.Lz4Codec;
 import org.apache.hadoop.io.compress.SnappyCodec;
 import org.apache.hadoop.io.compress.bzip2.Bzip2Factory;
@@ -57,12 +58,14 @@ public static void main(String[] args) {
     boolean nativeHadoopLoaded = NativeCodeLoader.isNativeCodeLoaded();
     boolean zlibLoaded = false;
     boolean snappyLoaded = false;
+    boolean opensslLoaded = false;
     // lz4 is linked within libhadoop
     boolean lz4Loaded = nativeHadoopLoaded;
     boolean bzip2Loaded = Bzip2Factory.isNativeBzip2Loaded(conf);
     String hadoopLibraryName = "";
     String zlibLibraryName = "";
     String snappyLibraryName = "";
+    String opensslLibraryName = "";
     String lz4LibraryName = "";
     String bzip2LibraryName = "";
     if (nativeHadoopLoaded) {
@@ -76,6 +79,11 @@ public static void main(String[] args) {
       if (snappyLoaded && NativeCodeLoader.buildSupportsSnappy()) {
         snappyLibraryName = SnappyCodec.getLibraryName();
       }
+      opensslLoaded = NativeCodeLoader.buildSupportsOpenssl() &&
+          OpensslCipher.isNativeCodeLoaded();
+      if (opensslLoaded) {
+        opensslLibraryName = OpensslCipher.getLibraryName();
+      }
       if (lz4Loaded) {
         lz4LibraryName = Lz4Codec.getLibraryName();
       }
@@ -84,11 +92,12 @@ public static void main(String[] args) {
       }
     }
     System.out.println("Native library checking:");
-    System.out.printf("hadoop: %b %s\n", nativeHadoopLoaded, hadoopLibraryName);
-    System.out.printf("zlib:   %b %s\n", zlibLoaded, zlibLibraryName);
-    System.out.printf("snappy: %b %s\n", snappyLoaded, snappyLibraryName);
-    System.out.printf("lz4:    %b %s\n", lz4Loaded, lz4LibraryName);
-    System.out.printf("bzip2:  %b %s\n", bzip2Loaded, bzip2LibraryName);
+    System.out.printf("hadoop:  %b %s\n", nativeHadoopLoaded, hadoopLibraryName);
+    System.out.printf("zlib:    %b %s\n", zlibLoaded, zlibLibraryName);
+    System.out.printf("snappy:  %b %s\n", snappyLoaded, snappyLibraryName);
+    System.out.printf("lz4:     %b %s\n", lz4Loaded, lz4LibraryName);
+    System.out.printf("bzip2:   %b %s\n", bzip2Loaded, bzip2LibraryName);
+    System.out.printf("openssl: %b %s\n", opensslLoaded, opensslLibraryName);
     if ((!nativeHadoopLoaded) ||
         (checkAll && !(zlibLoaded && snappyLoaded && lz4Loaded && bzip2Loaded))) {
       // return 1 to indicated check failed
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCodeLoader.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCodeLoader.c
index d03050c591b..36251123113 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCodeLoader.c
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCodeLoader.c
@@ -39,6 +39,16 @@ JNIEXPORT jboolean JNICALL Java_org_apache_hadoop_util_NativeCodeLoader_buildSup
 #endif
 }
 
+JNIEXPORT jboolean JNICALL Java_org_apache_hadoop_util_NativeCodeLoader_buildSupportsOpenssl
+  (JNIEnv *env, jclass clazz)
+{
+#ifdef HADOOP_OPENSSL_LIBRARY
+  return JNI_TRUE;
+#else
+  return JNI_FALSE;
+#endif
+}
+
 JNIEXPORT jstring JNICALL Java_org_apache_hadoop_util_NativeCodeLoader_getLibraryName
   (JNIEnv *env, jclass clazz)
 {
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java
index f4a34a18549..d95052815cf 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java
@@ -17,38 +17,165 @@
  */
 package org.apache.hadoop.crypto;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.BufferedInputStream;
+import java.io.DataInputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Random;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
-import org.junit.AfterClass;
+import org.apache.hadoop.io.DataInputBuffer;
+import org.apache.hadoop.io.DataOutputBuffer;
+import org.apache.hadoop.io.RandomDatum;
+import org.apache.hadoop.util.NativeCodeLoader;
+import org.apache.hadoop.util.ReflectionUtils;
 import org.junit.Assert;
-import org.junit.BeforeClass;
 import org.junit.Test;
 
 public class TestCryptoCodec {
-  private static CryptoCodec codec;
+  private static final Log LOG= LogFactory.getLog(TestCryptoCodec.class);
+  private static final byte[] key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 
+    0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
+  private static final byte[] iv = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 
+    0x07, 0x08, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
+  private static final int bufferSize = 4096;
   
-  @BeforeClass
-  public static void init() throws Exception {
-    Configuration conf = new Configuration();
-    codec = CryptoCodec.getInstance(conf);
-  }
-  
-  @AfterClass
-  public static void shutdown() throws Exception {
-  }
+  private Configuration conf = new Configuration();
+  private int count = 10000;
+  private int seed = new Random().nextInt();
   
   @Test(timeout=120000)
-  public void testSecureRandom() throws Exception {
-    // len = 16
-    checkSecureRandom(16);
-    
-    // len = 32
-    checkSecureRandom(32);
-    
-    // len = 128
-    checkSecureRandom(128);
+  public void testJceAesCtrCryptoCodec() throws Exception {
+    cryptoCodecTest(conf, seed, 0, 
+        "org.apache.hadoop.crypto.JceAesCtrCryptoCodec");
+    cryptoCodecTest(conf, seed, count, 
+        "org.apache.hadoop.crypto.JceAesCtrCryptoCodec");
   }
   
-  private void checkSecureRandom(int len) {
+  @Test(timeout=1200000)
+  public void testOpensslAesCtrCryptoCodec() throws Exception {
+    if (NativeCodeLoader.buildSupportsOpenssl()) {
+      Assert.assertTrue(OpensslCipher.isNativeCodeLoaded());
+    }
+    if (OpensslCipher.isNativeCodeLoaded()) {
+      cryptoCodecTest(conf, seed, 0, 
+          "org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec");
+      cryptoCodecTest(conf, seed, count, 
+          "org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec");
+    }
+  }
+  
+  private void cryptoCodecTest(Configuration conf, int seed, int count, 
+      String codecClass) throws IOException, GeneralSecurityException {
+    CryptoCodec codec = null;
+    try {
+      codec = (CryptoCodec)ReflectionUtils.newInstance(
+          conf.getClassByName(codecClass), conf);
+    } catch (ClassNotFoundException cnfe) {
+      throw new IOException("Illegal crypto codec!");
+    }
+    LOG.info("Created a Codec object of type: " + codecClass);
+    
+    // Generate data
+    DataOutputBuffer data = new DataOutputBuffer();
+    RandomDatum.Generator generator = new RandomDatum.Generator(seed);
+    for(int i = 0; i < count; ++i) {
+      generator.next();
+      RandomDatum key = generator.getKey();
+      RandomDatum value = generator.getValue();
+      
+      key.write(data);
+      value.write(data);
+    }
+    LOG.info("Generated " + count + " records");
+    
+    // Encrypt data
+    DataOutputBuffer encryptedDataBuffer = new DataOutputBuffer();
+    CryptoOutputStream out = new CryptoOutputStream(encryptedDataBuffer, 
+        codec, bufferSize, key, iv);
+    out.write(data.getData(), 0, data.getLength());
+    out.flush();
+    out.close();
+    LOG.info("Finished encrypting data");
+    
+    // Decrypt data
+    DataInputBuffer decryptedDataBuffer = new DataInputBuffer();
+    decryptedDataBuffer.reset(encryptedDataBuffer.getData(), 0, 
+        encryptedDataBuffer.getLength());
+    CryptoInputStream in = new CryptoInputStream(decryptedDataBuffer, 
+        codec, bufferSize, key, iv);
+    DataInputStream dataIn = new DataInputStream(new BufferedInputStream(in));
+    
+    // Check
+    DataInputBuffer originalData = new DataInputBuffer();
+    originalData.reset(data.getData(), 0, data.getLength());
+    DataInputStream originalIn = new DataInputStream(
+        new BufferedInputStream(originalData));
+    
+    for(int i=0; i < count; ++i) {
+      RandomDatum k1 = new RandomDatum();
+      RandomDatum v1 = new RandomDatum();
+      k1.readFields(originalIn);
+      v1.readFields(originalIn);
+      
+      RandomDatum k2 = new RandomDatum();
+      RandomDatum v2 = new RandomDatum();
+      k2.readFields(dataIn);
+      v2.readFields(dataIn);
+      assertTrue("original and encrypted-then-decrypted-output not equal",
+                 k1.equals(k2) && v1.equals(v2));
+      
+      // original and encrypted-then-decrypted-output have the same hashCode
+      Map<RandomDatum, String> m = new HashMap<RandomDatum, String>();
+      m.put(k1, k1.toString());
+      m.put(v1, v1.toString());
+      String result = m.get(k2);
+      assertEquals("k1 and k2 hashcode not equal", result, k1.toString());
+      result = m.get(v2);
+      assertEquals("v1 and v2 hashcode not equal", result, v1.toString());
+    }
+
+    // Decrypt data byte-at-a-time
+    originalData.reset(data.getData(), 0, data.getLength());
+    decryptedDataBuffer.reset(encryptedDataBuffer.getData(), 0, 
+        encryptedDataBuffer.getLength());
+    in = new CryptoInputStream(decryptedDataBuffer, 
+        codec, bufferSize, key, iv);
+
+    // Check
+    originalIn = new DataInputStream(new BufferedInputStream(originalData));
+    int expected;
+    do {
+      expected = originalIn.read();
+      assertEquals("Decrypted stream read by byte does not match",
+        expected, in.read());
+    } while (expected != -1);
+
+    LOG.info("SUCCESS! Completed checking " + count + " records");
+    
+    // Check secure random generator
+    testSecureRandom(codec);
+  }
+  
+  /** Test secure random generator */
+  private void testSecureRandom(CryptoCodec codec) {
+    // len = 16
+    checkSecureRandom(codec, 16);
+    // len = 32
+    checkSecureRandom(codec, 32);
+    // len = 128
+    checkSecureRandom(codec, 128);
+  }
+  
+  private void checkSecureRandom(CryptoCodec codec, int len) {
     byte[] rand = new byte[len];
     byte[] rand1 = new byte[len];
     codec.generateSecureRandom(rand);
@@ -56,28 +183,6 @@ private void checkSecureRandom(int len) {
     
     Assert.assertEquals(len, rand.length);
     Assert.assertEquals(len, rand1.length);
-    Assert.assertFalse(bytesArrayEquals(rand, rand1));
-  }
-  
-  private boolean bytesArrayEquals(byte[] expected, byte[] actual) {
-    if ((expected == null  && actual != null) || 
-        (expected != null && actual == null)) {
-      return false;
-    }
-    if (expected == null && actual == null) {
-      return true;
-    }
-    
-    if (expected.length != actual.length) {
-      return false;
-    }
-    
-    for (int i = 0; i < expected.length; i++) {
-      if (expected[i] != actual[i]) {
-        return false;
-      }
-    }
-    
-    return true;
+    Assert.assertFalse(Arrays.equals(rand, rand1));
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestNativeCodeLoader.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestNativeCodeLoader.java
index 9efaca95c89..473c17738eb 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestNativeCodeLoader.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestNativeCodeLoader.java
@@ -22,6 +22,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.crypto.OpensslCipher;
 import org.apache.hadoop.io.compress.Lz4Codec;
 import org.apache.hadoop.io.compress.SnappyCodec;
 import org.apache.hadoop.io.compress.zlib.ZlibFactory;
@@ -54,6 +55,9 @@ public void testNativeCodeLoaded() {
     if (NativeCodeLoader.buildSupportsSnappy()) {
       assertFalse(SnappyCodec.getLibraryName().isEmpty());
     }
+    if (NativeCodeLoader.buildSupportsOpenssl()) {
+      assertFalse(OpensslCipher.getLibraryName().isEmpty());
+    }
     assertFalse(Lz4Codec.getLibraryName().isEmpty());
     LOG.info("TestNativeCodeLoader: libhadoop.so is loaded.");
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index f6f68e433ce..7c057bb8bc2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -10,6 +10,9 @@ fs-encryption (Unreleased)
 
   IMPROVEMENTS
 
+    HADOOP-10693. Implementation of AES-CTR CryptoCodec using JNI to OpenSSL
+    (hitliuyi via cmccabe)
+
     HDFS-6387. HDFS CLI admin tool for creating & deleting an
     encryption zone. (clamb)
 
diff --git a/hadoop-project-dist/pom.xml b/hadoop-project-dist/pom.xml
index dcb3875a12c..e6dc75d3ca0 100644
--- a/hadoop-project-dist/pom.xml
+++ b/hadoop-project-dist/pom.xml
@@ -41,6 +41,8 @@
     <hadoop.component>UNDEF</hadoop.component>
     <bundle.snappy>false</bundle.snappy>
     <bundle.snappy.in.bin>false</bundle.snappy.in.bin>
+    <bundle.openssl>false</bundle.openssl>
+    <bundle.openssl.in.bin>false</bundle.openssl.in.bin>
   </properties>
   
   <dependencies>
@@ -349,6 +351,10 @@
                           cd "${snappy.lib}"
                           $$TAR *snappy* | (cd $${TARGET_DIR}/; $$UNTAR)
                         fi
+                        if [ "${bundle.openssl}" = "true" ] ; then
+                          cd "${openssl.lib}"
+                          $$TAR *crypto* | (cd $${TARGET_DIR}/; $$UNTAR)
+                        fi
                       fi
                       BIN_DIR="${BUILD_DIR}/bin"
                       if [ -d $${BIN_DIR} ] ; then
@@ -362,6 +368,12 @@
                             $$TAR *snappy* | (cd $${TARGET_BIN_DIR}/; $$UNTAR)
                           fi
                         fi
+                        if [ "${bundle.openssl.in.bin}" = "true" ] ; then
+                          if [ "${bundle.openssl}" = "true" ] ; then
+                            cd "${openssl.lib}"
+                            $$TAR *crypto* | (cd $${TARGET_BIN_DIR}/; $$UNTAR)
+                          fi
+                        fi
                       fi
                     </echo>
                     <exec executable="sh" dir="${project.build.directory}" failonerror="true">
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index 472febf87a2..ed20742c327 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -1031,6 +1031,7 @@
         <!-- attempt to open a file at this path. -->
         <java.security.egd>file:/dev/urandom</java.security.egd>
         <bundle.snappy.in.bin>true</bundle.snappy.in.bin>
+        <bundle.openssl.in.bin>true</bundle.openssl.in.bin>
       </properties>
       <build>
         <plugins>
@@ -1041,6 +1042,7 @@
               <environmentVariables>
                 <!-- Specify where to look for the native DLL on Windows -->
                 <PATH>${env.PATH};${hadoop.common.build.dir}/bin;${snappy.lib}</PATH>
+                <PATH>${env.PATH};${hadoop.common.build.dir}/bin;${openssl.lib}</PATH>
               </environmentVariables>
             </configuration>
           </plugin>

From 03c858dad46e440028c58a716630160338db4b14 Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Thu, 3 Jul 2014 23:51:50 +0000
Subject: [PATCH 023/354] HADOOP-10693: add files left out of previous checkin
 (cmccabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1607769 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop/crypto/AesCtrCryptoCodec.java      |  71 ++++
 .../hadoop/crypto/JceAesCtrCryptoCodec.java   | 159 ++++++++
 .../crypto/OpensslAesCtrCryptoCodec.java      | 130 ++++++
 .../apache/hadoop/crypto/OpensslCipher.java   | 213 ++++++++++
 .../org/apache/hadoop/crypto/OpensslCipher.c  | 382 ++++++++++++++++++
 .../hadoop/crypto/org_apache_hadoop_crypto.h  |  61 +++
 ...toStreamsWithOpensslAesCtrCryptoCodec.java |  35 ++
 .../hadoop/crypto/TestOpensslCipher.java      | 120 ++++++
 8 files changed, 1171 insertions(+)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AesCtrCryptoCodec.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/OpensslCipher.c
 create mode 100644 hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/org_apache_hadoop_crypto.h
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AesCtrCryptoCodec.java
new file mode 100644
index 00000000000..b469fddaf2a
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AesCtrCryptoCodec.java
@@ -0,0 +1,71 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+import com.google.common.base.Preconditions;
+
+@InterfaceAudience.Private
+@InterfaceStability.Evolving
+public abstract class AesCtrCryptoCodec extends CryptoCodec {
+
+  protected static final CipherSuite SUITE = CipherSuite.AES_CTR_NOPADDING;
+
+  /**
+   * For AES, the algorithm block is fixed size of 128 bits.
+   * @see http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
+   */
+  private static final int AES_BLOCK_SIZE = SUITE.getAlgorithmBlockSize();
+  private static final int CTR_OFFSET = 8;
+
+  @Override
+  public CipherSuite getCipherSuite() {
+    return SUITE;
+  }
+  
+  /**
+   * The IV is produced by adding the initial IV to the counter. IV length 
+   * should be the same as {@link #AES_BLOCK_SIZE}
+   */
+  @Override
+  public void calculateIV(byte[] initIV, long counter, byte[] IV) {
+    Preconditions.checkArgument(initIV.length == AES_BLOCK_SIZE);
+    Preconditions.checkArgument(IV.length == AES_BLOCK_SIZE);
+    
+    System.arraycopy(initIV, 0, IV, 0, CTR_OFFSET);
+    long l = (initIV[CTR_OFFSET + 0] << 56)
+        + ((initIV[CTR_OFFSET + 1] & 0xFF) << 48)
+        + ((initIV[CTR_OFFSET + 2] & 0xFF) << 40)
+        + ((initIV[CTR_OFFSET + 3] & 0xFF) << 32)
+        + ((initIV[CTR_OFFSET + 4] & 0xFF) << 24)
+        + ((initIV[CTR_OFFSET + 5] & 0xFF) << 16)
+        + ((initIV[CTR_OFFSET + 6] & 0xFF) << 8)
+        + (initIV[CTR_OFFSET + 7] & 0xFF);
+    l += counter;
+    IV[CTR_OFFSET + 0] = (byte) (l >>> 56);
+    IV[CTR_OFFSET + 1] = (byte) (l >>> 48);
+    IV[CTR_OFFSET + 2] = (byte) (l >>> 40);
+    IV[CTR_OFFSET + 3] = (byte) (l >>> 32);
+    IV[CTR_OFFSET + 4] = (byte) (l >>> 24);
+    IV[CTR_OFFSET + 5] = (byte) (l >>> 16);
+    IV[CTR_OFFSET + 6] = (byte) (l >>> 8);
+    IV[CTR_OFFSET + 7] = (byte) (l);
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java
new file mode 100644
index 00000000000..2482586720c
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java
@@ -0,0 +1,159 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.conf.Configuration;
+
+import com.google.common.base.Preconditions;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_DEFAULT;
+
+/**
+ * Implement the AES-CTR crypto codec using JCE provider.
+ */
+@InterfaceAudience.Private
+public class JceAesCtrCryptoCodec extends AesCtrCryptoCodec {
+  private Configuration conf;
+  private String provider;
+  private SecureRandom random;
+
+  public JceAesCtrCryptoCodec() {
+  }
+  
+  @Override
+  public Configuration getConf() {
+    return conf;
+  }
+  
+  @Override
+  public void setConf(Configuration conf) {
+    this.conf = conf;
+    provider = conf.get(HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY);
+    final String secureRandomAlg = conf.get(
+        HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY, 
+        HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_DEFAULT);
+    try {
+      random = (provider != null) ? 
+          SecureRandom.getInstance(secureRandomAlg, provider) : 
+            SecureRandom.getInstance(secureRandomAlg);
+    } catch (GeneralSecurityException e) {
+      throw new IllegalArgumentException(e);
+    }
+  }
+
+  @Override
+  public Encryptor createEncryptor() throws GeneralSecurityException {
+    return new JceAesCtrCipher(Cipher.ENCRYPT_MODE, provider);
+  }
+
+  @Override
+  public Decryptor createDecryptor() throws GeneralSecurityException {
+    return new JceAesCtrCipher(Cipher.DECRYPT_MODE, provider);
+  }
+  
+  @Override
+  public void generateSecureRandom(byte[] bytes) {
+    random.nextBytes(bytes);
+  }  
+  
+  private static class JceAesCtrCipher implements Encryptor, Decryptor {
+    private final Cipher cipher;
+    private final int mode;
+    private boolean contextReset = false;
+    
+    public JceAesCtrCipher(int mode, String provider) 
+        throws GeneralSecurityException {
+      this.mode = mode;
+      if (provider == null || provider.isEmpty()) {
+        cipher = Cipher.getInstance(SUITE.getName());
+      } else {
+        cipher = Cipher.getInstance(SUITE.getName(), provider);
+      }
+    }
+
+    @Override
+    public void init(byte[] key, byte[] iv) throws IOException {
+      Preconditions.checkNotNull(key);
+      Preconditions.checkNotNull(iv);
+      contextReset = false;
+      try {
+        cipher.init(mode, new SecretKeySpec(key, "AES"), 
+            new IvParameterSpec(iv));
+      } catch (Exception e) {
+        throw new IOException(e);
+      }
+    }
+
+    /**
+     * AES-CTR will consume all of the input data. It requires enough space in 
+     * the destination buffer to encrypt entire input buffer.
+     */
+    @Override
+    public void encrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
+        throws IOException {
+      process(inBuffer, outBuffer);
+    }
+    
+    /**
+     * AES-CTR will consume all of the input data. It requires enough space in
+     * the destination buffer to decrypt entire input buffer.
+     */
+    @Override
+    public void decrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
+        throws IOException {
+      process(inBuffer, outBuffer);
+    }
+    
+    private void process(ByteBuffer inBuffer, ByteBuffer outBuffer)
+        throws IOException {
+      try {
+        int inputSize = inBuffer.remaining();
+        // Cipher#update will maintain crypto context.
+        int n = cipher.update(inBuffer, outBuffer);
+        if (n < inputSize) {
+          /**
+           * Typically code will not get here. Cipher#update will consume all 
+           * input data and put result in outBuffer. 
+           * Cipher#doFinal will reset the crypto context.
+           */
+          contextReset = true;
+          cipher.doFinal(inBuffer, outBuffer);
+        }
+      } catch (Exception e) {
+        throw new IOException(e);
+      }
+    }
+    
+    @Override
+    public boolean isContextReset() {
+      return contextReset;
+    }
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
new file mode 100644
index 00000000000..669271fa9ef
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
@@ -0,0 +1,130 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.conf.Configuration;
+
+import com.google.common.base.Preconditions;
+
+/**
+ * Implement the AES-CTR crypto codec using JNI into OpenSSL.
+ */
+@InterfaceAudience.Private
+public class OpensslAesCtrCryptoCodec extends AesCtrCryptoCodec {
+  private Configuration conf;
+  private SecureRandom random = new SecureRandom();
+  
+  public OpensslAesCtrCryptoCodec() {
+  }
+
+  @Override
+  public void setConf(Configuration conf) {
+    this.conf = conf;
+  }
+
+  @Override
+  public Configuration getConf() {
+    return conf;
+  }
+
+  @Override
+  public Encryptor createEncryptor() throws GeneralSecurityException {
+    return new OpensslAesCtrCipher(OpensslCipher.ENCRYPT_MODE);
+  }
+
+  @Override
+  public Decryptor createDecryptor() throws GeneralSecurityException {
+    return new OpensslAesCtrCipher(OpensslCipher.DECRYPT_MODE);
+  }
+  
+  @Override
+  public void generateSecureRandom(byte[] bytes) {
+    random.nextBytes(bytes);
+  }
+  
+  private static class OpensslAesCtrCipher implements Encryptor, Decryptor {
+    private final OpensslCipher cipher;
+    private final int mode;
+    private boolean contextReset = false;
+    
+    public OpensslAesCtrCipher(int mode) throws GeneralSecurityException {
+      this.mode = mode;
+      cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, 
+          OpensslCipher.PADDING_NOPADDING);
+    }
+
+    @Override
+    public void init(byte[] key, byte[] iv) throws IOException {
+      Preconditions.checkNotNull(key);
+      Preconditions.checkNotNull(iv);
+      contextReset = false;
+      cipher.init(mode, key, iv);
+    }
+    
+    /**
+     * AES-CTR will consume all of the input data. It requires enough space in 
+     * the destination buffer to encrypt entire input buffer.
+     */
+    @Override
+    public void encrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
+        throws IOException {
+      process(inBuffer, outBuffer);
+    }
+    
+    /**
+     * AES-CTR will consume all of the input data. It requires enough space in
+     * the destination buffer to decrypt entire input buffer.
+     */
+    @Override
+    public void decrypt(ByteBuffer inBuffer, ByteBuffer outBuffer)
+        throws IOException {
+      process(inBuffer, outBuffer);
+    }
+    
+    private void process(ByteBuffer inBuffer, ByteBuffer outBuffer)
+        throws IOException {
+      try {
+        int inputSize = inBuffer.remaining();
+        // OpensslCipher#update will maintain crypto context.
+        int n = cipher.update(inBuffer, outBuffer);
+        if (n < inputSize) {
+          /**
+           * Typically code will not get here. OpensslCipher#update will 
+           * consume all input data and put result in outBuffer. 
+           * OpensslCipher#doFinal will reset the crypto context.
+           */
+          contextReset = true;
+          cipher.doFinal(outBuffer);
+        }
+      } catch (Exception e) {
+        throw new IOException(e);
+      }
+    }
+    
+    @Override
+    public boolean isContextReset() {
+      return contextReset;
+    }
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
new file mode 100644
index 00000000000..c0a4e9bdb45
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
@@ -0,0 +1,213 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.ShortBufferException;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.util.NativeCodeLoader;
+
+import com.google.common.base.Preconditions;
+
+/**
+ * OpenSSL cipher using JNI.
+ * Currently only AES-CTR is supported. It's flexible to add 
+ * other crypto algorithms/modes.
+ */
+@InterfaceAudience.Private
+public final class OpensslCipher {
+  private static final Log LOG =
+      LogFactory.getLog(OpensslCipher.class.getName());
+  public static final int ENCRYPT_MODE = 1;
+  public static final int DECRYPT_MODE = 0;
+  
+  /** Currently only support AES/CTR/NoPadding. */
+  public static final int AES_CTR = 0;
+  public static final int PADDING_NOPADDING = 0;
+  
+  private long context = 0;
+  private final int algorithm;
+  private final int padding;
+  
+  private static boolean nativeCipherLoaded = false;
+  static {
+    if (NativeCodeLoader.isNativeCodeLoaded() &&
+        NativeCodeLoader.buildSupportsOpenssl()) {
+      try {
+        initIDs();
+        nativeCipherLoaded = true;
+      } catch (Throwable t) {
+        LOG.error("Failed to load OpenSSL Cipher.", t);
+      }
+    }
+  }
+  
+  public static boolean isNativeCodeLoaded() {
+    return nativeCipherLoaded;
+  }
+  
+  private OpensslCipher(long context, int algorithm, int padding) {
+    this.context = context;
+    this.algorithm = algorithm;
+    this.padding = padding;
+  }
+  
+  /**
+   * Return an <code>OpensslCipher<code> object that implements the specified
+   * algorithm.
+   * 
+   * @param algorithm currently only supports {@link #AES_CTR}
+   * @param padding currently only supports {@link #PADDING_NOPADDING}
+   * @return OpensslCipher an <code>OpensslCipher<code> object 
+   * @throws NoSuchAlgorithmException
+   * @throws NoSuchPaddingException
+   */
+  public static final OpensslCipher getInstance(int algorithm, 
+      int padding) throws NoSuchAlgorithmException, NoSuchPaddingException {
+    long context = initContext(algorithm, padding);
+    return new OpensslCipher(context, algorithm, padding);
+  }
+  
+  /**
+   * Initialize this cipher with a key and IV.
+   * 
+   * @param mode {@link #ENCRYPT_MODE} or {@link #DECRYPT_MODE}
+   * @param key crypto key
+   * @param iv crypto iv
+   */
+  public void init(int mode, byte[] key, byte[] iv) {
+    context = init(context, mode, algorithm, padding, key, iv);
+  }
+  
+  /**
+   * Continues a multiple-part encryption or decryption operation. The data
+   * is encrypted or decrypted, depending on how this cipher was initialized.
+   * <p/>
+   * 
+   * All <code>input.remaining()</code> bytes starting at 
+   * <code>input.position()</code> are processed. The result is stored in
+   * the output buffer.
+   * <p/>
+   * 
+   * Upon return, the input buffer's position will be equal to its limit;
+   * its limit will not have changed. The output buffer's position will have
+   * advanced by n, when n is the value returned by this method; the output
+   * buffer's limit will not have changed.
+   * <p/>
+   * 
+   * If <code>output.remaining()</code> bytes are insufficient to hold the
+   * result, a <code>ShortBufferException</code> is thrown.
+   * 
+   * @param input the input ByteBuffer
+   * @param output the output ByteBuffer
+   * @return int number of bytes stored in <code>output</code>
+   * @throws ShortBufferException if there is insufficient space in the
+   * output buffer
+   */
+  public int update(ByteBuffer input, ByteBuffer output) 
+      throws ShortBufferException {
+    checkState();
+    Preconditions.checkArgument(input.isDirect() && output.isDirect(), 
+        "Direct buffers are required.");
+    int len = update(context, input, input.position(), input.remaining(),
+        output, output.position(), output.remaining());
+    input.position(input.limit());
+    output.position(output.position() + len);
+    return len;
+  }
+  
+  /**
+   * Finishes a multiple-part operation. The data is encrypted or decrypted,
+   * depending on how this cipher was initialized.
+   * <p/>
+   * 
+   * The result is stored in the output buffer. Upon return, the output buffer's
+   * position will have advanced by n, where n is the value returned by this
+   * method; the output buffer's limit will not have changed.
+   * <p/>
+   * 
+   * If <code>output.remaining()</code> bytes are insufficient to hold the result,
+   * a <code>ShortBufferException</code> is thrown.
+   * <p/>
+   * 
+   * Upon finishing, this method resets this cipher object to the state it was
+   * in when previously initialized. That is, the object is available to encrypt
+   * or decrypt more data.
+   * <p/>
+   * 
+   * If any exception is thrown, this cipher object need to be reset before it 
+   * can be used again.
+   * 
+   * @param output the output ByteBuffer
+   * @return int number of bytes stored in <code>output</code>
+   * @throws ShortBufferException
+   * @throws IllegalBlockSizeException
+   * @throws BadPaddingException
+   */
+  public int doFinal(ByteBuffer output) throws ShortBufferException, 
+      IllegalBlockSizeException, BadPaddingException {
+    checkState();
+    Preconditions.checkArgument(output.isDirect(), "Direct buffer is required.");
+    int len = doFinal(context, output, output.position(), output.remaining());
+    output.position(output.position() + len);
+    return len;
+  }
+  
+  /** Forcibly clean the context. */
+  public void clean() {
+    if (context != 0) {
+      clean(context);
+      context = 0;
+    }
+  }
+
+  /** Check whether context is initialized. */
+  private void checkState() {
+    Preconditions.checkState(context != 0);
+  }
+  
+  @Override
+  protected void finalize() throws Throwable {
+    clean();
+  }
+
+  private native static void initIDs();
+  
+  private native static long initContext(int alg, int padding);
+  
+  private native long init(long context, int mode, int alg, int padding, 
+      byte[] key, byte[] iv);
+  
+  private native int update(long context, ByteBuffer input, int inputOffset, 
+      int inputLength, ByteBuffer output, int outputOffset, int maxOutputLength);
+  
+  private native int doFinal(long context, ByteBuffer output, int offset, 
+      int maxOutputLength);
+  
+  private native void clean(long context);
+  
+  public native static String getLibraryName();
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/OpensslCipher.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/OpensslCipher.c
new file mode 100644
index 00000000000..5cb5bba9aee
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/OpensslCipher.c
@@ -0,0 +1,382 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+ 
+#include "org_apache_hadoop_crypto.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+ 
+#include "org_apache_hadoop_crypto_OpensslCipher.h"
+
+#ifdef UNIX
+static EVP_CIPHER_CTX * (*dlsym_EVP_CIPHER_CTX_new)(void);
+static void (*dlsym_EVP_CIPHER_CTX_free)(EVP_CIPHER_CTX *);
+static int (*dlsym_EVP_CIPHER_CTX_cleanup)(EVP_CIPHER_CTX *);
+static void (*dlsym_EVP_CIPHER_CTX_init)(EVP_CIPHER_CTX *);
+static int (*dlsym_EVP_CIPHER_CTX_set_padding)(EVP_CIPHER_CTX *, int);
+static int (*dlsym_EVP_CipherInit_ex)(EVP_CIPHER_CTX *, const EVP_CIPHER *,  \
+           ENGINE *, const unsigned char *, const unsigned char *, int);
+static int (*dlsym_EVP_CipherUpdate)(EVP_CIPHER_CTX *, unsigned char *,  \
+           int *, const unsigned char *, int);
+static int (*dlsym_EVP_CipherFinal_ex)(EVP_CIPHER_CTX *, unsigned char *, int *);
+static EVP_CIPHER * (*dlsym_EVP_aes_256_ctr)(void);
+static EVP_CIPHER * (*dlsym_EVP_aes_128_ctr)(void);
+static void *openssl;
+#endif
+
+#ifdef WINDOWS
+typedef EVP_CIPHER_CTX * (__cdecl *__dlsym_EVP_CIPHER_CTX_new)(void);
+typedef void (__cdecl *__dlsym_EVP_CIPHER_CTX_free)(EVP_CIPHER_CTX *);
+typedef int (__cdecl *__dlsym_EVP_CIPHER_CTX_cleanup)(EVP_CIPHER_CTX *);
+typedef void (__cdecl *__dlsym_EVP_CIPHER_CTX_init)(EVP_CIPHER_CTX *);
+typedef int (__cdecl *__dlsym_EVP_CIPHER_CTX_set_padding)(EVP_CIPHER_CTX *, int);
+typedef int (__cdecl *__dlsym_EVP_CipherInit_ex)(EVP_CIPHER_CTX *,  \
+             const EVP_CIPHER *, ENGINE *, const unsigned char *,  \
+             const unsigned char *, int);
+typedef int (__cdecl *__dlsym_EVP_CipherUpdate)(EVP_CIPHER_CTX *,  \
+             unsigned char *, int *, const unsigned char *, int);
+typedef int (__cdecl *__dlsym_EVP_CipherFinal_ex)(EVP_CIPHER_CTX *,  \
+             unsigned char *, int *);
+typedef EVP_CIPHER * (__cdecl *__dlsym_EVP_aes_256_ctr)(void);
+typedef EVP_CIPHER * (__cdecl *__dlsym_EVP_aes_128_ctr)(void);
+static __dlsym_EVP_CIPHER_CTX_new dlsym_EVP_CIPHER_CTX_new;
+static __dlsym_EVP_CIPHER_CTX_free dlsym_EVP_CIPHER_CTX_free;
+static __dlsym_EVP_CIPHER_CTX_cleanup dlsym_EVP_CIPHER_CTX_cleanup;
+static __dlsym_EVP_CIPHER_CTX_init dlsym_EVP_CIPHER_CTX_init;
+static __dlsym_EVP_CIPHER_CTX_set_padding dlsym_EVP_CIPHER_CTX_set_padding;
+static __dlsym_EVP_CipherInit_ex dlsym_EVP_CipherInit_ex;
+static __dlsym_EVP_CipherUpdate dlsym_EVP_CipherUpdate;
+static __dlsym_EVP_CipherFinal_ex dlsym_EVP_CipherFinal_ex;
+static __dlsym_EVP_aes_256_ctr dlsym_EVP_aes_256_ctr;
+static __dlsym_EVP_aes_128_ctr dlsym_EVP_aes_128_ctr;
+static HMODULE openssl;
+#endif
+
+static void loadAesCtr(JNIEnv *env)
+{
+#ifdef UNIX
+  LOAD_DYNAMIC_SYMBOL(dlsym_EVP_aes_256_ctr, env, openssl, "EVP_aes_256_ctr");
+  LOAD_DYNAMIC_SYMBOL(dlsym_EVP_aes_128_ctr, env, openssl, "EVP_aes_128_ctr");
+#endif
+
+#ifdef WINDOWS
+  LOAD_DYNAMIC_SYMBOL(__dlsym_EVP_aes_256_ctr, dlsym_EVP_aes_256_ctr,  \
+                      env, openssl, "EVP_aes_256_ctr");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_EVP_aes_128_ctr, dlsym_EVP_aes_128_ctr,  \
+                      env, openssl, "EVP_aes_128_ctr");
+#endif
+}
+
+JNIEXPORT void JNICALL Java_org_apache_hadoop_crypto_OpensslCipher_initIDs
+    (JNIEnv *env, jclass clazz)
+{
+  char msg[1000];
+#ifdef UNIX
+  openssl = dlopen(HADOOP_OPENSSL_LIBRARY, RTLD_LAZY | RTLD_GLOBAL);
+#endif
+
+#ifdef WINDOWS
+  openssl = LoadLibrary(HADOOP_OPENSSL_LIBRARY);
+#endif
+
+  if (!openssl) {
+    snprintf(msg, sizeof(msg), "Cannot load %s (%s)!", HADOOP_OPENSSL_LIBRARY,  \
+        dlerror());
+    THROW(env, "java/lang/UnsatisfiedLinkError", msg);
+    return;
+  }
+
+#ifdef UNIX
+  dlerror();  // Clear any existing error
+  LOAD_DYNAMIC_SYMBOL(dlsym_EVP_CIPHER_CTX_new, env, openssl,  \
+                      "EVP_CIPHER_CTX_new");
+  LOAD_DYNAMIC_SYMBOL(dlsym_EVP_CIPHER_CTX_free, env, openssl,  \
+                      "EVP_CIPHER_CTX_free");
+  LOAD_DYNAMIC_SYMBOL(dlsym_EVP_CIPHER_CTX_cleanup, env, openssl,  \
+                      "EVP_CIPHER_CTX_cleanup");
+  LOAD_DYNAMIC_SYMBOL(dlsym_EVP_CIPHER_CTX_init, env, openssl,  \
+                      "EVP_CIPHER_CTX_init");
+  LOAD_DYNAMIC_SYMBOL(dlsym_EVP_CIPHER_CTX_set_padding, env, openssl,  \
+                      "EVP_CIPHER_CTX_set_padding");
+  LOAD_DYNAMIC_SYMBOL(dlsym_EVP_CipherInit_ex, env, openssl,  \
+                      "EVP_CipherInit_ex");
+  LOAD_DYNAMIC_SYMBOL(dlsym_EVP_CipherUpdate, env, openssl,  \
+                      "EVP_CipherUpdate");
+  LOAD_DYNAMIC_SYMBOL(dlsym_EVP_CipherFinal_ex, env, openssl,  \
+                      "EVP_CipherFinal_ex");
+#endif
+
+#ifdef WINDOWS
+  LOAD_DYNAMIC_SYMBOL(__dlsym_EVP_CIPHER_CTX_new, dlsym_EVP_CIPHER_CTX_new,  \
+                      env, openssl, "EVP_CIPHER_CTX_new");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_EVP_CIPHER_CTX_free, dlsym_EVP_CIPHER_CTX_free,  \
+                      env, openssl, "EVP_CIPHER_CTX_free");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_EVP_CIPHER_CTX_cleanup,  \
+                      dlsym_EVP_CIPHER_CTX_cleanup, env, 
+                      openssl, "EVP_CIPHER_CTX_cleanup");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_EVP_CIPHER_CTX_init, dlsym_EVP_CIPHER_CTX_init,  \
+                      env, openssl, "EVP_CIPHER_CTX_init");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_EVP_CIPHER_CTX_set_padding,  \
+                      dlsym_EVP_CIPHER_CTX_set_padding, env,  \
+                      openssl, "EVP_CIPHER_CTX_set_padding");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_EVP_CipherInit_ex, dlsym_EVP_CipherInit_ex,  \
+                      env, openssl, "EVP_CipherInit_ex");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_EVP_CipherUpdate, dlsym_EVP_CipherUpdate,  \
+                      env, openssl, "EVP_CipherUpdate");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_EVP_CipherFinal_ex, dlsym_EVP_CipherFinal_ex,  \
+                      env, openssl, "EVP_CipherFinal_ex");
+#endif
+
+  loadAesCtr(env);
+  jthrowable jthr = (*env)->ExceptionOccurred(env);
+  if (jthr) {
+    (*env)->DeleteLocalRef(env, jthr);
+    THROW(env, "java/lang/UnsatisfiedLinkError",  \
+        "Cannot find AES-CTR support, is your version of Openssl new enough?");
+    return;
+  }
+}
+
+JNIEXPORT jlong JNICALL Java_org_apache_hadoop_crypto_OpensslCipher_initContext
+    (JNIEnv *env, jclass clazz, jint alg, jint padding)
+{
+  if (alg != AES_CTR) {
+    THROW(env, "java/security/NoSuchAlgorithmException", NULL);
+    return (jlong)0;
+  }
+  if (padding != NOPADDING) {
+    THROW(env, "javax/crypto/NoSuchPaddingException", NULL);
+    return (jlong)0;
+  }
+  
+  if (dlsym_EVP_aes_256_ctr == NULL || dlsym_EVP_aes_128_ctr == NULL) {
+    THROW(env, "java/security/NoSuchAlgorithmException",  \
+        "Doesn't support AES CTR.");
+    return (jlong)0;
+  }
+  
+  // Create and initialize a EVP_CIPHER_CTX
+  EVP_CIPHER_CTX *context = dlsym_EVP_CIPHER_CTX_new();
+  if (!context) {
+    THROW(env, "java/lang/OutOfMemoryError", NULL);
+    return (jlong)0;
+  }
+   
+  return JLONG(context);
+}
+
+// Only supports AES-CTR currently
+static EVP_CIPHER * getEvpCipher(int alg, int keyLen)
+{
+  EVP_CIPHER *cipher = NULL;
+  if (alg == AES_CTR) {
+    if (keyLen == KEY_LENGTH_256) {
+      cipher = dlsym_EVP_aes_256_ctr();
+    } else if (keyLen == KEY_LENGTH_128) {
+      cipher = dlsym_EVP_aes_128_ctr();
+    }
+  }
+  return cipher;
+}
+
+JNIEXPORT jlong JNICALL Java_org_apache_hadoop_crypto_OpensslCipher_init
+    (JNIEnv *env, jobject object, jlong ctx, jint mode, jint alg, jint padding, 
+    jbyteArray key, jbyteArray iv)
+{
+  int jKeyLen = (*env)->GetArrayLength(env, key);
+  int jIvLen = (*env)->GetArrayLength(env, iv);
+  if (jKeyLen != KEY_LENGTH_128 && jKeyLen != KEY_LENGTH_256) {
+    THROW(env, "java/lang/IllegalArgumentException", "Invalid key length.");
+    return (jlong)0;
+  }
+  if (jIvLen != IV_LENGTH) {
+    THROW(env, "java/lang/IllegalArgumentException", "Invalid iv length.");
+    return (jlong)0;
+  }
+  
+  EVP_CIPHER_CTX *context = CONTEXT(ctx);
+  if (context == 0) {
+    // Create and initialize a EVP_CIPHER_CTX
+    context = dlsym_EVP_CIPHER_CTX_new();
+    if (!context) {
+      THROW(env, "java/lang/OutOfMemoryError", NULL);
+      return (jlong)0;
+    }
+  }
+  
+  jbyte *jKey = (*env)->GetByteArrayElements(env, key, NULL);
+  if (jKey == NULL) {
+    THROW(env, "java/lang/InternalError", "Cannot get bytes array for key.");
+    return (jlong)0;
+  }
+  jbyte *jIv = (*env)->GetByteArrayElements(env, iv, NULL);
+  if (jIv == NULL) {
+    (*env)->ReleaseByteArrayElements(env, key, jKey, 0);
+    THROW(env, "java/lang/InternalError", "Cannot get bytes array for iv.");
+    return (jlong)0;
+  }
+  
+  int rc = dlsym_EVP_CipherInit_ex(context, getEvpCipher(alg, jKeyLen),  \
+      NULL, (unsigned char *)jKey, (unsigned char *)jIv, mode == ENCRYPT_MODE);
+  (*env)->ReleaseByteArrayElements(env, key, jKey, 0);
+  (*env)->ReleaseByteArrayElements(env, iv, jIv, 0);
+  if (rc == 0) {
+    dlsym_EVP_CIPHER_CTX_cleanup(context);
+    THROW(env, "java/lang/InternalError", "Error in EVP_CipherInit_ex.");
+    return (jlong)0;
+  }
+  
+  if (padding == NOPADDING) {
+    dlsym_EVP_CIPHER_CTX_set_padding(context, 0);
+  }
+  
+  return JLONG(context);
+}
+
+// https://www.openssl.org/docs/crypto/EVP_EncryptInit.html
+static int check_update_max_output_len(EVP_CIPHER_CTX *context, int input_len, 
+    int max_output_len)
+{
+  if (context->flags & EVP_CIPH_NO_PADDING) {
+    if (max_output_len >= input_len) {
+      return 1;
+    }
+    return 0;
+  } else {
+    int b = context->cipher->block_size;
+    if (context->encrypt) {
+      if (max_output_len >= input_len + b - 1) {
+        return 1;
+      }
+    } else {
+      if (max_output_len >= input_len + b) {
+        return 1;
+      }
+    }
+    
+    return 0;
+  }
+}
+
+JNIEXPORT jint JNICALL Java_org_apache_hadoop_crypto_OpensslCipher_update
+    (JNIEnv *env, jobject object, jlong ctx, jobject input, jint input_offset, 
+    jint input_len, jobject output, jint output_offset, jint max_output_len)
+{
+  EVP_CIPHER_CTX *context = CONTEXT(ctx);
+  if (!check_update_max_output_len(context, input_len, max_output_len)) {
+    THROW(env, "javax/crypto/ShortBufferException",  \
+        "Output buffer is not sufficient.");
+    return 0;
+  }
+  unsigned char *input_bytes = (*env)->GetDirectBufferAddress(env, input);
+  unsigned char *output_bytes = (*env)->GetDirectBufferAddress(env, output);
+  if (input_bytes == NULL || output_bytes == NULL) {
+    THROW(env, "java/lang/InternalError", "Cannot get buffer address.");
+    return 0;
+  }
+  input_bytes = input_bytes + input_offset;
+  output_bytes = output_bytes + output_offset;
+  
+  int output_len = 0;
+  if (!dlsym_EVP_CipherUpdate(context, output_bytes, &output_len,  \
+      input_bytes, input_len)) {
+    dlsym_EVP_CIPHER_CTX_cleanup(context);
+    THROW(env, "java/lang/InternalError", "Error in EVP_CipherUpdate.");
+    return 0;
+  }
+  return output_len;
+}
+
+// https://www.openssl.org/docs/crypto/EVP_EncryptInit.html
+static int check_doFinal_max_output_len(EVP_CIPHER_CTX *context, 
+    int max_output_len)
+{
+  if (context->flags & EVP_CIPH_NO_PADDING) {
+    return 1;
+  } else {
+    int b = context->cipher->block_size;
+    if (max_output_len >= b) {
+      return 1;
+    }
+    
+    return 0;
+  }
+}
+
+JNIEXPORT jint JNICALL Java_org_apache_hadoop_crypto_OpensslCipher_doFinal
+    (JNIEnv *env, jobject object, jlong ctx, jobject output, jint offset, 
+    jint max_output_len)
+{
+  EVP_CIPHER_CTX *context = CONTEXT(ctx);
+  if (!check_doFinal_max_output_len(context, max_output_len)) {
+    THROW(env, "javax/crypto/ShortBufferException",  \
+        "Output buffer is not sufficient.");
+    return 0;
+  }
+  unsigned char *output_bytes = (*env)->GetDirectBufferAddress(env, output);
+  if (output_bytes == NULL) {
+    THROW(env, "java/lang/InternalError", "Cannot get buffer address.");
+    return 0;
+  }
+  output_bytes = output_bytes + offset;
+  
+  int output_len = 0;
+  if (!dlsym_EVP_CipherFinal_ex(context, output_bytes, &output_len)) {
+    dlsym_EVP_CIPHER_CTX_cleanup(context);
+    THROW(env, "java/lang/InternalError", "Error in EVP_CipherFinal_ex.");
+    return 0;
+  }
+  return output_len;
+}
+
+JNIEXPORT void JNICALL Java_org_apache_hadoop_crypto_OpensslCipher_clean
+    (JNIEnv *env, jobject object, jlong ctx) 
+{
+  EVP_CIPHER_CTX *context = CONTEXT(ctx);
+  if (context) {
+    dlsym_EVP_CIPHER_CTX_free(context);
+  }
+}
+
+JNIEXPORT jstring JNICALL Java_org_apache_hadoop_crypto_OpensslCipher_getLibraryName
+    (JNIEnv *env, jclass clazz) 
+{
+#ifdef UNIX
+  if (dlsym_EVP_CIPHER_CTX_init) {
+    Dl_info dl_info;
+    if(dladdr(
+        dlsym_EVP_CIPHER_CTX_init,
+        &dl_info)) {
+      return (*env)->NewStringUTF(env, dl_info.dli_fname);
+    }
+  }
+
+  return (*env)->NewStringUTF(env, HADOOP_OPENSSL_LIBRARY);
+#endif
+
+#ifdef WINDOWS
+  LPWSTR filename = NULL;
+  GetLibraryName(dlsym_EVP_CIPHER_CTX_init, &filename);
+  if (filename != NULL) {
+    return (*env)->NewString(env, filename, (jsize) wcslen(filename));
+  } else {
+    return (*env)->NewStringUTF(env, "Unavailable");
+  }
+#endif
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/org_apache_hadoop_crypto.h b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/org_apache_hadoop_crypto.h
new file mode 100644
index 00000000000..0afab021dac
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/org_apache_hadoop_crypto.h
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+ 
+#ifndef ORG_APACHE_HADOOP_CRYPTO_H
+#define ORG_APACHE_HADOOP_CRYPTO_H
+
+#include "org_apache_hadoop.h"
+
+#ifdef UNIX
+#include <dlfcn.h>
+#include "config.h"
+#endif
+
+#ifdef WINDOWS
+#include "winutils.h"
+#endif
+
+#include <openssl/aes.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+
+/**
+ * A helper macro to convert the java 'context-handle' 
+ * to a EVP_CIPHER_CTX pointer. 
+ */
+#define CONTEXT(context) ((EVP_CIPHER_CTX*)((ptrdiff_t)(context)))
+
+/**
+ * A helper macro to convert the EVP_CIPHER_CTX pointer to the 
+ * java 'context-handle'.
+ */
+#define JLONG(context) ((jlong)((ptrdiff_t)(context)))
+
+#define KEY_LENGTH_128 16
+#define KEY_LENGTH_256 32
+#define IV_LENGTH 16
+
+#define ENCRYPT_MODE 1
+#define DECRYPT_MODE 0
+
+/** Currently only support AES/CTR/NoPadding. */
+#define AES_CTR 0
+#define NOPADDING 0
+#define PKCSPADDING 1
+
+#endif //ORG_APACHE_HADOOP_CRYPTO_H
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java
new file mode 100644
index 00000000000..8150d57ee66
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import org.apache.hadoop.conf.Configuration;
+import org.junit.BeforeClass;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY;
+
+public class TestCryptoStreamsWithOpensslAesCtrCryptoCodec 
+    extends TestCryptoStreams {
+  
+  @BeforeClass
+  public static void init() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set(HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY, 
+        OpensslAesCtrCryptoCodec.class.getName());
+    codec = CryptoCodec.getInstance(conf);
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java
new file mode 100644
index 00000000000..739e53fdc8f
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java
@@ -0,0 +1,120 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto;
+
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.ShortBufferException;
+
+import org.apache.hadoop.test.GenericTestUtils;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestOpensslCipher {
+  private static final byte[] key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 
+    0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
+  private static final byte[] iv = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 
+    0x07, 0x08, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
+  
+  @Test(timeout=120000)
+  public void testGetInstance() throws Exception {
+    if (!OpensslCipher.isNativeCodeLoaded()) {
+      return;
+    }
+    OpensslCipher cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, 
+        OpensslCipher.PADDING_NOPADDING);
+    Assert.assertTrue(cipher != null);
+    
+    try {
+      cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR + 100, 
+          OpensslCipher.PADDING_NOPADDING);
+      Assert.fail("Should specify correct algorithm.");
+    } catch (NoSuchAlgorithmException e) {
+      // Expect NoSuchAlgorithmException
+    }
+    
+    try {
+      cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, 
+          OpensslCipher.PADDING_NOPADDING + 100);
+      Assert.fail("Should specify correct padding.");
+    } catch (NoSuchPaddingException e) {
+      // Expect NoSuchPaddingException
+    }
+  }
+  
+  @Test(timeout=120000)
+  public void testUpdateArguments() throws Exception {
+    if (!OpensslCipher.isNativeCodeLoaded()) {
+      return;
+    }
+    OpensslCipher cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, 
+        OpensslCipher.PADDING_NOPADDING);
+    Assert.assertTrue(cipher != null);
+    
+    cipher.init(OpensslCipher.ENCRYPT_MODE, key, iv);
+    
+    // Require direct buffers
+    ByteBuffer input = ByteBuffer.allocate(1024);
+    ByteBuffer output = ByteBuffer.allocate(1024);
+    
+    try {
+      cipher.update(input, output);
+      Assert.fail("Input and output buffer should be direct buffer.");
+    } catch (IllegalArgumentException e) {
+      GenericTestUtils.assertExceptionContains(
+          "Direct buffers are required", e);
+    }
+    
+    // Output buffer length should be sufficient to store output data 
+    input = ByteBuffer.allocateDirect(1024);
+    output = ByteBuffer.allocateDirect(1000);
+    try {
+      cipher.update(input, output);
+      Assert.fail("Output buffer length should be sufficient " +
+          "to store output data");
+    } catch (ShortBufferException e) {
+      GenericTestUtils.assertExceptionContains(
+          "Output buffer is not sufficient", e);
+    }
+  }
+  
+  @Test(timeout=120000)
+  public void testDoFinalArguments() throws Exception {
+    if (!OpensslCipher.isNativeCodeLoaded()) {
+      return;
+    }
+    OpensslCipher cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, 
+        OpensslCipher.PADDING_NOPADDING);
+    Assert.assertTrue(cipher != null);
+    
+    cipher.init(OpensslCipher.ENCRYPT_MODE, key, iv);
+    
+    // Require direct buffer
+    ByteBuffer output = ByteBuffer.allocate(1024);
+    
+    try {
+      cipher.doFinal(output);
+      Assert.fail("Output buffer should be direct buffer.");
+    } catch (IllegalArgumentException e) {
+      GenericTestUtils.assertExceptionContains(
+          "Direct buffer is required", e);
+    }
+  }
+}

From c38665282884122d3c82b6f68376cce036aee748 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Fri, 4 Jul 2014 00:24:28 +0000
Subject: [PATCH 024/354] HDFS-6516. List of Encryption Zones should be based
 on inodes (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1607770 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   2 +
 .../hdfs/server/namenode/FSDirectory.java     | 148 ++++++++++++++++--
 .../hdfs/server/namenode/FSNamesystem.java    |  45 +-----
 3 files changed, 142 insertions(+), 53 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 7c057bb8bc2..e1bab08693e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -35,6 +35,8 @@ fs-encryption (Unreleased)
 
     HDFS-6625. Remove the Delete Encryption Zone function (clamb)
 
+    HDFS-6516. List of Encryption Zones should be based on inodes (clamb)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index 391e6a733dc..53994f91af9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -27,8 +27,10 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.EnumSet;
+import java.util.HashMap;
 import java.util.List;
 import java.util.ListIterator;
+import java.util.Map;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
 
 import com.google.protobuf.InvalidProtocolBufferException;
@@ -124,6 +126,9 @@ private static INodeDirectorySnapshottable createRoot(FSNamesystem namesystem) {
   public final static String DOT_INODES_STRING = ".inodes";
   public final static byte[] DOT_INODES = 
       DFSUtil.string2Bytes(DOT_INODES_STRING);
+  private final XAttr KEYID_XATTR =
+      XAttrHelper.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, null);
+
   INodeDirectory rootDir;
   FSImage fsImage;  
   private final FSNamesystem namesystem;
@@ -136,6 +141,35 @@ private static INodeDirectorySnapshottable createRoot(FSNamesystem namesystem) {
   private long yieldCount = 0; // keep track of lock yield count.
   private final int inodeXAttrsLimit; //inode xattrs max limit
 
+  /*
+   * EncryptionZoneInt is the internal representation of an encryption
+   * zone. The external representation of an EZ is embodied in an
+   * EncryptionZone and contains the EZ's pathname.
+   */
+  private class EncryptionZoneInt {
+    private final String keyId;
+    private final long inodeId;
+
+    EncryptionZoneInt(String keyId, long inodeId) {
+      this.keyId = keyId;
+      this.inodeId = inodeId;
+    }
+
+    String getKeyId() {
+      return keyId;
+    }
+
+    long getINodeId() {
+      return inodeId;
+    }
+
+    String getFullPathName() {
+      return getInode(inodeId).getFullPathName();
+    }
+  }
+
+  private final Map<Long, EncryptionZoneInt> encryptionZones;
+
   // lock to protect the directory and BlockMap
   private final ReentrantReadWriteLock dirLock;
 
@@ -221,6 +255,7 @@ public int getWriteHoldCount() {
         + " times");
     nameCache = new NameCache<ByteArray>(threshold);
     namesystem = ns;
+    encryptionZones = new HashMap<Long, EncryptionZoneInt>();
   }
     
   private FSNamesystem getFSNamesystem() {
@@ -545,7 +580,7 @@ boolean unprotectedRenameTo(String src, String dst, long timestamp)
       return false;
     }
     
-    checkEncryptionZoneMoveValidity(src, dst);
+    checkEncryptionZoneMoveValidity(srcIIP, dstIIP, src);
     // Ensure dst has quota to accommodate rename
     verifyFsLimitsForRename(srcIIP, dstIIP);
     verifyQuotaForRename(srcIIP.getINodes(), dstIIP.getINodes());
@@ -750,7 +785,7 @@ boolean unprotectedRenameTo(String src, String dst, long timestamp,
       throw new IOException(error);
     }
 
-    checkEncryptionZoneMoveValidity(src, dst);
+    checkEncryptionZoneMoveValidity(srcIIP, dstIIP, src);
     final INode dstInode = dstIIP.getLastINode();
     List<INodeDirectorySnapshottable> snapshottableDirs = 
         new ArrayList<INodeDirectorySnapshottable>();
@@ -974,14 +1009,36 @@ boolean unprotectedRenameTo(String src, String dst, long timestamp,
     throw new IOException("rename from " + src + " to " + dst + " failed.");
   }
   
-  private void checkEncryptionZoneMoveValidity(String src, String dst)
+  boolean isInAnEZ(INodesInPath iip)
+    throws UnresolvedLinkException, SnapshotAccessControlException {
+    readLock();
+    try {
+      return (getEncryptionZoneForPath(iip) != null);
+    } finally {
+      readUnlock();
+    }
+  }
+
+  private EncryptionZoneInt getEncryptionZoneForPath(INodesInPath iip) {
+    Preconditions.checkNotNull(iip);
+    final INode[] inodes = iip.getINodes();
+    for (int i = inodes.length -1; i >= 0; i--) {
+      final INode inode = inodes[i];
+      if (inode != null) {
+        final EncryptionZoneInt ezi = encryptionZones.get(inode.getId());
+        if (ezi != null) {
+          return ezi;
+        }
+      }
+    }
+    return null;
+  }
+
+  private void checkEncryptionZoneMoveValidity(INodesInPath srcIIP,
+    INodesInPath dstIIP, String src)
     throws IOException {
-    final EncryptionZone srcEZ =
-      getFSNamesystem().getEncryptionZoneForPath(src);
-    final EncryptionZone dstEZ =
-      getFSNamesystem().getEncryptionZoneForPath(dst);
-    final boolean srcInEZ = srcEZ != null;
-    final boolean dstInEZ = dstEZ != null;
+    final boolean srcInEZ = (getEncryptionZoneForPath(srcIIP) != null);
+    final boolean dstInEZ = (getEncryptionZoneForPath(dstIIP) != null);
     if (srcInEZ) {
       if (!dstInEZ) {
         throw new IOException(src + " can't be moved from an encryption zone.");
@@ -993,12 +1050,18 @@ private void checkEncryptionZoneMoveValidity(String src, String dst)
     }
 
     if (srcInEZ || dstInEZ) {
-      if (!srcEZ.getPath().equals(dstEZ.getPath())) {
+      final EncryptionZoneInt srcEZI = getEncryptionZoneForPath(srcIIP);
+      final EncryptionZoneInt dstEZI = getEncryptionZoneForPath(dstIIP);
+      Preconditions.checkArgument(srcEZI != null, "couldn't find src EZ?");
+      Preconditions.checkArgument(dstEZI != null, "couldn't find dst EZ?");
+      if (srcEZI != dstEZI) {
+        final String srcEZPath = srcEZI.getFullPathName();
+        final String dstEZPath = dstEZI.getFullPathName();
         final StringBuilder sb = new StringBuilder(src);
         sb.append(" can't be moved from encryption zone ");
-        sb.append(srcEZ.getPath());
+        sb.append(srcEZPath);
         sb.append(" to encryption zone ");
-        sb.append(dstEZ.getPath());
+        sb.append(dstEZPath);
         sb.append(".");
         throw new IOException(sb.toString());
       }
@@ -2167,6 +2230,18 @@ public INodeMap getINodeMap() {
   public final void addToInodeMap(INode inode) {
     if (inode instanceof INodeWithAdditionalFields) {
       inodeMap.put(inode);
+      final XAttrFeature xaf = inode.getXAttrFeature();
+      if (xaf != null) {
+        final List<XAttr> xattrs = xaf.getXAttrs();
+        for (XAttr xattr : xattrs) {
+          final String xaName = XAttrHelper.getPrefixName(xattr);
+          if (CRYPTO_XATTR_ENCRYPTION_ZONE.equals(xaName)) {
+            encryptionZones.put(inode.getId(),
+              new EncryptionZoneInt(new String(xattr.getValue()),
+                                    inode.getId()));
+          }
+        }
+      }
     }
   }
   
@@ -2178,6 +2253,7 @@ public final void removeFromInodeMap(List<? extends INode> inodes) {
       for (INode inode : inodes) {
         if (inode != null && inode instanceof INodeWithAdditionalFields) {
           inodeMap.remove(inode);
+          encryptionZones.remove(inode.getId());
         }
       }
     }
@@ -2682,6 +2758,8 @@ List<XAttr> filterINodeXAttrs(final List<XAttr> existingXAttrs,
       for (ListIterator<XAttr> it = toFilter.listIterator(); it.hasNext()
           ;) {
         XAttr filter = it.next();
+        Preconditions.checkArgument(!KEYID_XATTR.equalsIgnoreValue(filter),
+            "The encryption zone xattr should never be deleted.");
         if (a.equalsIgnoreValue(filter)) {
           add = false;
           it.remove();
@@ -2705,17 +2783,42 @@ XAttr createEncryptionZone(String src, String keyId)
         throw new IOException(
           "Attempt to create an encryption zone for a non-empty directory.");
       }
+
+      final INodesInPath srcIIP = getINodesInPath4Write(src, false);
+      final EncryptionZoneInt ezi = getEncryptionZoneForPath(srcIIP);
+      if (ezi != null) {
+        throw new IOException("Directory " + src +
+          " is already in an encryption zone. (" + ezi.getFullPathName() + ")");
+      }
+
       final XAttr keyIdXAttr =
         XAttrHelper.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyId.getBytes());
-      List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
+      final List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
       xattrs.add(keyIdXAttr);
-      unprotectedSetXAttrs(src, xattrs, EnumSet.of(XAttrSetFlag.CREATE));
+      final INode inode = unprotectedSetXAttrs(src, xattrs,
+        EnumSet.of(XAttrSetFlag.CREATE));
+      encryptionZones.put(inode.getId(),
+          new EncryptionZoneInt(keyId, inode.getId()));
       return keyIdXAttr;
     } finally {
       writeUnlock();
     }
   }
 
+  List<EncryptionZone> listEncryptionZones() throws IOException {
+    readLock();
+    try {
+      final List<EncryptionZone> ret =
+        Lists.newArrayListWithExpectedSize(encryptionZones.size());
+      for (EncryptionZoneInt ezi : encryptionZones.values()) {
+        ret.add(new EncryptionZone(ezi.getFullPathName(), ezi.getKeyId()));
+      }
+      return ret;
+    } finally {
+      readUnlock();
+    }
+  }
+
   /**
    * Set the FileEncryptionInfo for an INode.
    */
@@ -2782,7 +2885,7 @@ void setXAttrs(final String src, final List<XAttr> xAttrs,
     }
   }
   
-  void unprotectedSetXAttrs(final String src, final List<XAttr> xAttrs,
+  INode unprotectedSetXAttrs(final String src, final List<XAttr> xAttrs,
       final EnumSet<XAttrSetFlag> flag)
       throws QuotaExceededException, IOException {
     assert hasWriteLock();
@@ -2791,7 +2894,22 @@ void unprotectedSetXAttrs(final String src, final List<XAttr> xAttrs,
     int snapshotId = iip.getLatestSnapshotId();
     List<XAttr> existingXAttrs = XAttrStorage.readINodeXAttrs(inode);
     List<XAttr> newXAttrs = setINodeXAttrs(existingXAttrs, xAttrs, flag);
+
+    /*
+     * If we're adding the encryption zone xattr, then add src to the list
+     * of encryption zones.
+     */
+    for (XAttr xattr : newXAttrs) {
+      final String xaName = XAttrHelper.getPrefixName(xattr);
+      if (CRYPTO_XATTR_ENCRYPTION_ZONE.equals(xaName)) {
+        final EncryptionZoneInt ez =
+            new EncryptionZoneInt(new String(xattr.getValue()), inode.getId());
+        encryptionZones.put(inode.getId(), ez);
+      }
+    }
+
     XAttrStorage.updateINodeXAttrs(inode, newXAttrs, snapshotId);
+    return inode;
   }
 
   List<XAttr> setINodeXAttrs(final List<XAttr> existingXAttrs,
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 5a7cb12304c..efa153a5edb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -270,7 +270,6 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Charsets;
-import com.google.common.base.Joiner;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Lists;
@@ -528,7 +527,6 @@ private void logAuditEvent(boolean succeeded,
   private KeyProvider provider = null;
   private KeyProvider.Options providerOptions = null;
 
-  private final Map<String, EncryptionZone> encryptionZones;
   private final CryptoCodec codec;
 
   private volatile boolean imageLoaded = false;
@@ -855,7 +853,6 @@ static FSNamesystem loadFromDisk(Configuration conf) throws IOException {
         auditLoggers.get(0) instanceof DefaultAuditLogger;
       this.retryCache = ignoreRetryCache ? null : initRetryCache(conf);
       this.nnConf = new NNConf(conf);
-      this.encryptionZones = new HashMap<String, EncryptionZone>();
     } catch(IOException e) {
       LOG.error(getClass().getSimpleName() + " initialization failed.", e);
       close();
@@ -2308,11 +2305,12 @@ private void verifyParentDir(String src) throws FileNotFoundException,
    * @return chosen CipherSuite, or null if file is not in an EncryptionZone
    * @throws IOException
    */
-  private CipherSuite chooseCipherSuite(String src, List<CipherSuite> 
-      cipherSuites) throws UnknownCipherSuiteException {
-    EncryptionZone zone = getEncryptionZoneForPath(src);
+  private CipherSuite chooseCipherSuite(INodesInPath srcIIP, List<CipherSuite>
+      cipherSuites)
+      throws UnknownCipherSuiteException, UnresolvedLinkException,
+        SnapshotAccessControlException {
     // Not in an EZ
-    if (zone == null) {
+    if (!dir.isInAnEZ(srcIIP)) {
       return null;
     }
     CipherSuite chosen = null;
@@ -2469,7 +2467,7 @@ private void startFileInternal(FSPermissionChecker pc, String src,
     }
 
     FileEncryptionInfo feInfo = null;
-    CipherSuite suite = chooseCipherSuite(src, cipherSuites);
+    CipherSuite suite = chooseCipherSuite(iip, cipherSuites);
     if (suite != null) {
       Preconditions.checkArgument(!suite.equals(CipherSuite.UNKNOWN), 
           "Chose an UNKNOWN CipherSuite!");
@@ -3651,11 +3649,6 @@ private boolean deleteInternal(String src, boolean recursive,
             FsAction.ALL, true, false);
       }
 
-      final EncryptionZone ez = getEncryptionZoneForPath(src);
-      if (ez != null) {
-        encryptionZones.remove(src);
-      }
-
       long mtime = now();
       // Unlink the target directory from directory tree
       long filesRemoved = dir.delete(src, collectedBlocks, removedINodes,
@@ -8365,17 +8358,10 @@ private void createEncryptionZoneInt(final String srcArg, String keyId,
       checkNameNodeSafeMode("Cannot create encryption zone on " + src);
       src = FSDirectory.resolvePath(src, pathComponents, dir);
 
-      EncryptionZone ez = getEncryptionZoneForPath(src);
-      if (ez != null) {
-        throw new IOException("Directory " + src +
-          " is already in an encryption zone. (" + ez.getPath() + ")");
-      }
-
       final XAttr keyIdXAttr = dir.createEncryptionZone(src, keyId);
       List<XAttr> xAttrs = Lists.newArrayListWithCapacity(1);
       xAttrs.add(keyIdXAttr);
       getEditLog().logSetXAttrs(src, xAttrs, logRetryCache);
-      encryptionZones.put(src, new EncryptionZone(src, keyId));
       resultingStat = getAuditFileInfo(src, false);
     } finally {
       writeUnlock();
@@ -8400,7 +8386,6 @@ private String createNewKey(String src)
   }
 
   List<EncryptionZone> listEncryptionZones() throws IOException {
-
     boolean success = false;
     checkSuperuserPrivilege();
     checkOperation(OperationCategory.READ);
@@ -8408,8 +8393,7 @@ List<EncryptionZone> listEncryptionZones() throws IOException {
     try {
       checkSuperuserPrivilege();
       checkOperation(OperationCategory.READ);
-      final List<EncryptionZone> ret =
-          Lists.newArrayList(encryptionZones.values());
+      final List<EncryptionZone> ret = dir.listEncryptionZones();
       success = true;
       return ret;
     } finally {
@@ -8418,21 +8402,6 @@ List<EncryptionZone> listEncryptionZones() throws IOException {
     }
   }
 
-  /** Lookup the encryption zone of a path. */
-  EncryptionZone getEncryptionZoneForPath(String src) {
-    assert hasReadLock();
-    final String[] components = INode.getPathNames(src);
-    for (int i = components.length; i > 0; i--) {
-      final List<String> l = Arrays.asList(Arrays.copyOfRange(components, 0, i));
-      String p = Joiner.on(Path.SEPARATOR).join(l);
-      final EncryptionZone ret = encryptionZones.get(p);
-      if (ret != null) {
-        return ret;
-      }
-    }
-    return null;
-  }
-
   /**
    * Set xattr for a file or directory.
    * 

From 83702b070709a2d9ccdc233f96d5e4cd442dfe9b Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Mon, 7 Jul 2014 09:51:49 +0000
Subject: [PATCH 025/354] HDFS-6629. Not able to create symlinks after
 HDFS-6516 (umamaheswararao)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1608389 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  2 ++
 .../hdfs/server/namenode/FSDirectory.java     | 19 ++++++++++---------
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index e1bab08693e..75eace4d865 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -37,6 +37,8 @@ fs-encryption (Unreleased)
 
     HDFS-6516. List of Encryption Zones should be based on inodes (clamb)
 
+    HDFS-6629. Not able to create symlinks after HDFS-6516 (umamaheswararao)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index 53994f91af9..d8bf08d6120 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -2230,15 +2230,16 @@ public INodeMap getINodeMap() {
   public final void addToInodeMap(INode inode) {
     if (inode instanceof INodeWithAdditionalFields) {
       inodeMap.put(inode);
-      final XAttrFeature xaf = inode.getXAttrFeature();
-      if (xaf != null) {
-        final List<XAttr> xattrs = xaf.getXAttrs();
-        for (XAttr xattr : xattrs) {
-          final String xaName = XAttrHelper.getPrefixName(xattr);
-          if (CRYPTO_XATTR_ENCRYPTION_ZONE.equals(xaName)) {
-            encryptionZones.put(inode.getId(),
-              new EncryptionZoneInt(new String(xattr.getValue()),
-                                    inode.getId()));
+      if (!inode.isSymlink()) {
+        final XAttrFeature xaf = inode.getXAttrFeature();
+        if (xaf != null) {
+          final List<XAttr> xattrs = xaf.getXAttrs();
+          for (XAttr xattr : xattrs) {
+            final String xaName = XAttrHelper.getPrefixName(xattr);
+            if (CRYPTO_XATTR_ENCRYPTION_ZONE.equals(xaName)) {
+              encryptionZones.put(inode.getId(), new EncryptionZoneInt(
+                  new String(xattr.getValue()), inode.getId()));
+            }
           }
         }
       }

From ceed0f6c46736323bd1b077125ff4e217c649208 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 8 Jul 2014 04:34:04 +0000
Subject: [PATCH 026/354] HDFS-6635. Refactor encryption zone functionality
 into new EncryptionZoneManager class. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1608657 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   3 +
 .../namenode/EncryptionZoneManager.java       | 180 ++++++++++++++++++
 .../hdfs/server/namenode/FSDirectory.java     | 132 ++-----------
 3 files changed, 197 insertions(+), 118 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 75eace4d865..e6db71fde45 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -39,6 +39,9 @@ fs-encryption (Unreleased)
 
     HDFS-6629. Not able to create symlinks after HDFS-6516 (umamaheswararao)
 
+    HDFS-6635. Refactor encryption zone functionality into new
+    EncryptionZoneManager class. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
new file mode 100644
index 00000000000..a43273dfe34
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@@ -0,0 +1,180 @@
+package org.apache.hadoop.hdfs.server.namenode;
+
+import java.io.IOException;
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Lists;
+import org.apache.hadoop.fs.UnresolvedLinkException;
+import org.apache.hadoop.fs.XAttr;
+import org.apache.hadoop.fs.XAttrSetFlag;
+import org.apache.hadoop.hdfs.XAttrHelper;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.hdfs.protocol.SnapshotAccessControlException;
+
+
+import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants
+    .CRYPTO_XATTR_ENCRYPTION_ZONE;
+
+/**
+ * Manages the list of encryption zones in the filesystem. Relies on the
+ * FSDirectory lock for synchronization.
+ */
+public class EncryptionZoneManager {
+
+  /**
+   * EncryptionZoneInt is the internal representation of an encryption zone. The
+   * external representation of an EZ is embodied in an EncryptionZone and
+   * contains the EZ's pathname.
+   */
+  private class EncryptionZoneInt {
+    private final String keyId;
+    private final long inodeId;
+
+    EncryptionZoneInt(long inodeId, String keyId) {
+      this.keyId = keyId;
+      this.inodeId = inodeId;
+    }
+
+    String getKeyId() {
+      return keyId;
+    }
+
+    long getINodeId() {
+      return inodeId;
+    }
+
+    String getFullPathName() {
+      return dir.getInode(inodeId).getFullPathName();
+    }
+  }
+
+  private final Map<Long, EncryptionZoneInt> encryptionZones;
+
+  private final FSDirectory dir;
+
+  /**
+   * Construct a new EncryptionZoneManager.
+   *
+   * @param dir Enclosing FSDirectory
+   */
+  public EncryptionZoneManager(FSDirectory dir) {
+    this.dir = dir;
+    encryptionZones = new HashMap<Long, EncryptionZoneInt>();
+  }
+
+  /**
+   * Add a new encryption zone.
+   *
+   * @param inodeId of the encryption zone
+   * @param keyId   encryption zone key id
+   */
+  void addEncryptionZone(Long inodeId, String keyId) {
+    final EncryptionZoneInt ez = new EncryptionZoneInt(inodeId, keyId);
+    encryptionZones.put(inodeId, ez);
+  }
+
+  void removeEncryptionZone(Long inodeId) {
+    encryptionZones.remove(inodeId);
+  }
+
+  /**
+   * Returns true if an IIP is within an encryption zone.
+   */
+  boolean isInAnEZ(INodesInPath iip)
+      throws UnresolvedLinkException, SnapshotAccessControlException {
+    return (getEncryptionZoneForPath(iip) != null);
+  }
+
+  private EncryptionZoneInt getEncryptionZoneForPath(INodesInPath iip) {
+    Preconditions.checkNotNull(iip);
+    final INode[] inodes = iip.getINodes();
+    for (int i = inodes.length - 1; i >= 0; i--) {
+      final INode inode = inodes[i];
+      if (inode != null) {
+        final EncryptionZoneInt ezi = encryptionZones.get(inode.getId());
+        if (ezi != null) {
+          return ezi;
+        }
+      }
+    }
+    return null;
+  }
+
+  /**
+   * Throws an exception if the provided inode cannot be renamed into the
+   * destination because of differing encryption zones.
+   *
+   * @param srcIIP source IIP
+   * @param dstIIP destination IIP
+   * @param src    source path, used for debugging
+   * @throws IOException if the src cannot be renamed to the dst
+   */
+  void checkMoveValidity(INodesInPath srcIIP, INodesInPath dstIIP, String src)
+      throws IOException {
+    final boolean srcInEZ = (getEncryptionZoneForPath(srcIIP) != null);
+    final boolean dstInEZ = (getEncryptionZoneForPath(dstIIP) != null);
+    if (srcInEZ) {
+      if (!dstInEZ) {
+        throw new IOException(src + " can't be moved from an encryption zone.");
+      }
+    } else {
+      if (dstInEZ) {
+        throw new IOException(src + " can't be moved into an encryption zone.");
+      }
+    }
+
+    if (srcInEZ || dstInEZ) {
+      final EncryptionZoneInt srcEZI = getEncryptionZoneForPath(srcIIP);
+      final EncryptionZoneInt dstEZI = getEncryptionZoneForPath(dstIIP);
+      Preconditions.checkArgument(srcEZI != null, "couldn't find src EZ?");
+      Preconditions.checkArgument(dstEZI != null, "couldn't find dst EZ?");
+      if (srcEZI != dstEZI) {
+        final String srcEZPath = srcEZI.getFullPathName();
+        final String dstEZPath = dstEZI.getFullPathName();
+        final StringBuilder sb = new StringBuilder(src);
+        sb.append(" can't be moved from encryption zone ");
+        sb.append(srcEZPath);
+        sb.append(" to encryption zone ");
+        sb.append(dstEZPath);
+        sb.append(".");
+        throw new IOException(sb.toString());
+      }
+    }
+  }
+
+  XAttr createEncryptionZone(String src, String keyId) throws IOException {
+    if (dir.isNonEmptyDirectory(src)) {
+      throw new IOException(
+          "Attempt to create an encryption zone for a non-empty directory.");
+    }
+
+    final INodesInPath srcIIP = dir.getINodesInPath4Write(src, false);
+    final EncryptionZoneInt ezi = getEncryptionZoneForPath(srcIIP);
+    if (ezi != null) {
+      throw new IOException("Directory " + src +
+          " is already in an encryption zone. (" + ezi.getFullPathName() + ")");
+    }
+
+    final XAttr keyIdXAttr =
+        XAttrHelper.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyId.getBytes());
+    final List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
+    xattrs.add(keyIdXAttr);
+    final INode inode =
+        dir.unprotectedSetXAttrs(src, xattrs, EnumSet.of(XAttrSetFlag.CREATE));
+    addEncryptionZone(inode.getId(), keyId);
+    return keyIdXAttr;
+  }
+
+  List<EncryptionZone> listEncryptionZones() throws IOException {
+    final List<EncryptionZone> ret =
+        Lists.newArrayListWithExpectedSize(encryptionZones.size());
+    for (EncryptionZoneInt ezi : encryptionZones.values()) {
+      ret.add(new EncryptionZone(ezi.getFullPathName(), ezi.getKeyId()));
+    }
+    return ret;
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index ec015d94f13..81dcf9ef95b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -27,10 +27,8 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.EnumSet;
-import java.util.HashMap;
 import java.util.List;
 import java.util.ListIterator;
-import java.util.Map;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
 
 import com.google.protobuf.InvalidProtocolBufferException;
@@ -139,35 +137,6 @@ private static INodeDirectorySnapshottable createRoot(FSNamesystem namesystem) {
   private long yieldCount = 0; // keep track of lock yield count.
   private final int inodeXAttrsLimit; //inode xattrs max limit
 
-  /*
-   * EncryptionZoneInt is the internal representation of an encryption
-   * zone. The external representation of an EZ is embodied in an
-   * EncryptionZone and contains the EZ's pathname.
-   */
-  private class EncryptionZoneInt {
-    private final String keyId;
-    private final long inodeId;
-
-    EncryptionZoneInt(String keyId, long inodeId) {
-      this.keyId = keyId;
-      this.inodeId = inodeId;
-    }
-
-    String getKeyId() {
-      return keyId;
-    }
-
-    long getINodeId() {
-      return inodeId;
-    }
-
-    String getFullPathName() {
-      return getInode(inodeId).getFullPathName();
-    }
-  }
-
-  private final Map<Long, EncryptionZoneInt> encryptionZones;
-
   // lock to protect the directory and BlockMap
   private final ReentrantReadWriteLock dirLock;
 
@@ -204,6 +173,8 @@ public int getWriteHoldCount() {
     return this.dirLock.getWriteHoldCount();
   }
 
+  final EncryptionZoneManager ezManager;
+
   /**
    * Caches frequently used file names used in {@link INode} to reuse 
    * byte[] objects and reduce heap usage.
@@ -252,7 +223,8 @@ public int getWriteHoldCount() {
         + " times");
     nameCache = new NameCache<ByteArray>(threshold);
     namesystem = ns;
-    encryptionZones = new HashMap<Long, EncryptionZoneInt>();
+
+    ezManager = new EncryptionZoneManager(this);
   }
     
   private FSNamesystem getFSNamesystem() {
@@ -550,7 +522,7 @@ boolean unprotectedRenameTo(String src, String dst, long timestamp)
       return false;
     }
     
-    checkEncryptionZoneMoveValidity(srcIIP, dstIIP, src);
+    ezManager.checkMoveValidity(srcIIP, dstIIP, src);
     // Ensure dst has quota to accommodate rename
     verifyFsLimitsForRename(srcIIP, dstIIP);
     verifyQuotaForRename(srcIIP.getINodes(), dstIIP.getINodes());
@@ -629,7 +601,7 @@ boolean unprotectedRenameTo(String src, String dst, long timestamp,
       throw new IOException(error);
     }
 
-    checkEncryptionZoneMoveValidity(srcIIP, dstIIP, src);
+    ezManager.checkMoveValidity(srcIIP, dstIIP, src);
     final INode dstInode = dstIIP.getLastINode();
     List<INodeDirectorySnapshottable> snapshottableDirs = 
         new ArrayList<INodeDirectorySnapshottable>();
@@ -937,61 +909,12 @@ boolean isInAnEZ(INodesInPath iip)
     throws UnresolvedLinkException, SnapshotAccessControlException {
     readLock();
     try {
-      return (getEncryptionZoneForPath(iip) != null);
+      return ezManager.isInAnEZ(iip);
     } finally {
       readUnlock();
     }
   }
 
-  private EncryptionZoneInt getEncryptionZoneForPath(INodesInPath iip) {
-    Preconditions.checkNotNull(iip);
-    final INode[] inodes = iip.getINodes();
-    for (int i = inodes.length -1; i >= 0; i--) {
-      final INode inode = inodes[i];
-      if (inode != null) {
-        final EncryptionZoneInt ezi = encryptionZones.get(inode.getId());
-        if (ezi != null) {
-          return ezi;
-        }
-      }
-    }
-    return null;
-  }
-
-  private void checkEncryptionZoneMoveValidity(INodesInPath srcIIP,
-    INodesInPath dstIIP, String src)
-    throws IOException {
-    final boolean srcInEZ = (getEncryptionZoneForPath(srcIIP) != null);
-    final boolean dstInEZ = (getEncryptionZoneForPath(dstIIP) != null);
-    if (srcInEZ) {
-      if (!dstInEZ) {
-        throw new IOException(src + " can't be moved from an encryption zone.");
-      }
-    } else {
-      if (dstInEZ) {
-        throw new IOException(src + " can't be moved into an encryption zone.");
-      }
-    }
-
-    if (srcInEZ || dstInEZ) {
-      final EncryptionZoneInt srcEZI = getEncryptionZoneForPath(srcIIP);
-      final EncryptionZoneInt dstEZI = getEncryptionZoneForPath(dstIIP);
-      Preconditions.checkArgument(srcEZI != null, "couldn't find src EZ?");
-      Preconditions.checkArgument(dstEZI != null, "couldn't find dst EZ?");
-      if (srcEZI != dstEZI) {
-        final String srcEZPath = srcEZI.getFullPathName();
-        final String dstEZPath = dstEZI.getFullPathName();
-        final StringBuilder sb = new StringBuilder(src);
-        sb.append(" can't be moved from encryption zone ");
-        sb.append(srcEZPath);
-        sb.append(" to encryption zone ");
-        sb.append(dstEZPath);
-        sb.append(".");
-        throw new IOException(sb.toString());
-      }
-    }
-  }
-
   /**
    * Set file replication
    * 
@@ -2157,8 +2080,8 @@ public final void addToInodeMap(INode inode) {
           for (XAttr xattr : xattrs) {
             final String xaName = XAttrHelper.getPrefixName(xattr);
             if (CRYPTO_XATTR_ENCRYPTION_ZONE.equals(xaName)) {
-              encryptionZones.put(inode.getId(), new EncryptionZoneInt(
-                  new String(xattr.getValue()), inode.getId()));
+              ezManager.addEncryptionZone(inode.getId(),
+                  new String(xattr.getValue()));
             }
           }
         }
@@ -2174,7 +2097,7 @@ public final void removeFromInodeMap(List<? extends INode> inodes) {
       for (INode inode : inodes) {
         if (inode != null && inode instanceof INodeWithAdditionalFields) {
           inodeMap.remove(inode);
-          encryptionZones.remove(inode.getId());
+          ezManager.removeEncryptionZone(inode.getId());
         }
       }
     }
@@ -2700,27 +2623,7 @@ XAttr createEncryptionZone(String src, String keyId)
     throws IOException {
     writeLock();
     try {
-      if (isNonEmptyDirectory(src)) {
-        throw new IOException(
-          "Attempt to create an encryption zone for a non-empty directory.");
-      }
-
-      final INodesInPath srcIIP = getINodesInPath4Write(src, false);
-      final EncryptionZoneInt ezi = getEncryptionZoneForPath(srcIIP);
-      if (ezi != null) {
-        throw new IOException("Directory " + src +
-          " is already in an encryption zone. (" + ezi.getFullPathName() + ")");
-      }
-
-      final XAttr keyIdXAttr =
-        XAttrHelper.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyId.getBytes());
-      final List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
-      xattrs.add(keyIdXAttr);
-      final INode inode = unprotectedSetXAttrs(src, xattrs,
-        EnumSet.of(XAttrSetFlag.CREATE));
-      encryptionZones.put(inode.getId(),
-          new EncryptionZoneInt(keyId, inode.getId()));
-      return keyIdXAttr;
+      return ezManager.createEncryptionZone(src, keyId);
     } finally {
       writeUnlock();
     }
@@ -2729,12 +2632,7 @@ XAttr createEncryptionZone(String src, String keyId)
   List<EncryptionZone> listEncryptionZones() throws IOException {
     readLock();
     try {
-      final List<EncryptionZone> ret =
-        Lists.newArrayListWithExpectedSize(encryptionZones.size());
-      for (EncryptionZoneInt ezi : encryptionZones.values()) {
-        ret.add(new EncryptionZone(ezi.getFullPathName(), ezi.getKeyId()));
-      }
-      return ret;
+      return ezManager.listEncryptionZones();
     } finally {
       readUnlock();
     }
@@ -2823,9 +2721,7 @@ INode unprotectedSetXAttrs(final String src, final List<XAttr> xAttrs,
     for (XAttr xattr : newXAttrs) {
       final String xaName = XAttrHelper.getPrefixName(xattr);
       if (CRYPTO_XATTR_ENCRYPTION_ZONE.equals(xaName)) {
-        final EncryptionZoneInt ez =
-            new EncryptionZoneInt(new String(xattr.getValue()), inode.getId());
-        encryptionZones.put(inode.getId(), ez);
+        ezManager.addEncryptionZone(inode.getId(), new String(xattr.getValue()));
       }
     }
 
@@ -3084,7 +2980,7 @@ private INode getINode4Write(String src, boolean resolveLink)
    * @throws UnresolvedLinkException if symlink can't be resolved
    * @throws SnapshotAccessControlException if path is in RO snapshot
    */
-  private INodesInPath getINodesInPath4Write(String src, boolean resolveLink)
+  INodesInPath getINodesInPath4Write(String src, boolean resolveLink)
           throws UnresolvedLinkException, SnapshotAccessControlException {
     final byte[][] components = INode.getPathComponents(src);
     INodesInPath inodesInPath = INodesInPath.resolve(rootDir, components,

From 7aa07912dcf48e363555f6dbb0727cf466259334 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 8 Jul 2014 04:34:52 +0000
Subject: [PATCH 027/354] Move something down in CHANGES-fs-encryption.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1608658 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index e6db71fde45..dfc8055c6f1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -6,8 +6,6 @@ fs-encryption (Unreleased)
 
   NEW FEATURES
 
-    HDFS-6388. HDFS integration with KeyProvider. (clamb)
-
   IMPROVEMENTS
 
     HADOOP-10693. Implementation of AES-CTR CryptoCodec using JNI to OpenSSL
@@ -18,6 +16,8 @@ fs-encryption (Unreleased)
 
     HDFS-6386. HDFS Encryption Zones (clamb)
 
+    HDFS-6388. HDFS integration with KeyProvider. (clamb)
+
     HDFS-6473. Protocol and API for Encryption Zones (clamb)
 
     HDFS-6392. Wire crypto streams for encrypted files in

From d90671137e005e05b3f41ee1f66387dee95b609a Mon Sep 17 00:00:00 2001
From: Yi Liu <yliu@apache.org>
Date: Thu, 10 Jul 2014 06:27:52 +0000
Subject: [PATCH 028/354] HADOOP-10803. Update OpensslCipher#getInstance to
 accept CipherSuite#name format. (yliu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1609403 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |   6 ++
 .../crypto/OpensslAesCtrCryptoCodec.java      |   3 +-
 .../apache/hadoop/crypto/OpensslCipher.java   | 101 +++++++++++++++---
 .../hadoop/crypto/TestOpensslCipher.java      |  15 +--
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   3 -
 5 files changed, 97 insertions(+), 31 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 8983f8e73cb..2ea4420bce2 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -28,6 +28,12 @@ fs-encryption (Unreleased)
     HADOOP-10713. Refactor CryptoCodec#generateSecureRandom to take a byte[]. 
     (wang via yliu)
 
+    HADOOP-10693. Implementation of AES-CTR CryptoCodec using JNI to OpenSSL. 
+    (Yi Liu via cmccabe)
+
+    HADOOP-10803. Update OpensslCipher#getInstance to accept CipherSuite#name
+    format. (Yi Liu)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
index 669271fa9ef..ee11f50683b 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
@@ -70,8 +70,7 @@ private static class OpensslAesCtrCipher implements Encryptor, Decryptor {
     
     public OpensslAesCtrCipher(int mode) throws GeneralSecurityException {
       this.mode = mode;
-      cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, 
-          OpensslCipher.PADDING_NOPADDING);
+      cipher = OpensslCipher.getInstance(SUITE.getName());
     }
 
     @Override
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
index c0a4e9bdb45..652a8b4c324 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
@@ -19,6 +19,7 @@
 
 import java.nio.ByteBuffer;
 import java.security.NoSuchAlgorithmException;
+import java.util.StringTokenizer;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.IllegalBlockSizeException;
@@ -45,11 +46,34 @@ public final class OpensslCipher {
   public static final int DECRYPT_MODE = 0;
   
   /** Currently only support AES/CTR/NoPadding. */
-  public static final int AES_CTR = 0;
-  public static final int PADDING_NOPADDING = 0;
+  private static enum AlgMode {
+    AES_CTR;
+    
+    static int get(String algorithm, String mode) 
+        throws NoSuchAlgorithmException {
+      try {
+        return AlgMode.valueOf(algorithm + "_" + mode).ordinal();
+      } catch (Exception e) {
+        throw new NoSuchAlgorithmException("Doesn't support algorithm: " + 
+            algorithm + " and mode: " + mode);
+      }
+    }
+  }
+  
+  private static enum Padding {
+    NoPadding;
+    
+    static int get(String padding) throws NoSuchPaddingException {
+      try {
+        return Padding.valueOf(padding).ordinal();
+      } catch (Exception e) {
+        throw new NoSuchPaddingException("Doesn't support padding: " + padding);
+      }
+    }
+  }
   
   private long context = 0;
-  private final int algorithm;
+  private final int alg;
   private final int padding;
   
   private static boolean nativeCipherLoaded = false;
@@ -69,26 +93,71 @@ public static boolean isNativeCodeLoaded() {
     return nativeCipherLoaded;
   }
   
-  private OpensslCipher(long context, int algorithm, int padding) {
+  private OpensslCipher(long context, int alg, int padding) {
     this.context = context;
-    this.algorithm = algorithm;
+    this.alg = alg;
     this.padding = padding;
   }
   
   /**
    * Return an <code>OpensslCipher<code> object that implements the specified
-   * algorithm.
+   * transformation.
    * 
-   * @param algorithm currently only supports {@link #AES_CTR}
-   * @param padding currently only supports {@link #PADDING_NOPADDING}
-   * @return OpensslCipher an <code>OpensslCipher<code> object 
-   * @throws NoSuchAlgorithmException
-   * @throws NoSuchPaddingException
+   * @param transformation the name of the transformation, e.g., 
+   * AES/CTR/NoPadding.
+   * @return OpensslCipher an <code>OpensslCipher<code> object
+   * @throws NoSuchAlgorithmException if <code>transformation</code> is null, 
+   * empty, in an invalid format, or if Openssl doesn't implement the 
+   * specified algorithm.
+   * @throws NoSuchPaddingException if <code>transformation</code> contains 
+   * a padding scheme that is not available.
    */
-  public static final OpensslCipher getInstance(int algorithm, 
-      int padding) throws NoSuchAlgorithmException, NoSuchPaddingException {
-    long context = initContext(algorithm, padding);
-    return new OpensslCipher(context, algorithm, padding);
+  public static final OpensslCipher getInstance(String transformation) 
+      throws NoSuchAlgorithmException, NoSuchPaddingException {
+    Transform transform = tokenizeTransformation(transformation);
+    int algMode = AlgMode.get(transform.alg, transform.mode);
+    int padding = Padding.get(transform.padding);
+    long context = initContext(algMode, padding);
+    return new OpensslCipher(context, algMode, padding);
+  }
+  
+  /** Nested class for algorithm, mode and padding. */
+  private static class Transform {
+    final String alg;
+    final String mode;
+    final String padding;
+    
+    public Transform(String alg, String mode, String padding) {
+      this.alg = alg;
+      this.mode = mode;
+      this.padding = padding;
+    }
+  }
+  
+  private static Transform tokenizeTransformation(String transformation) 
+      throws NoSuchAlgorithmException {
+    if (transformation == null) {
+      throw new NoSuchAlgorithmException("No transformation given.");
+    }
+    
+    /*
+     * Array containing the components of a Cipher transformation:
+     * 
+     * index 0: algorithm (e.g., AES)
+     * index 1: mode (e.g., CTR)
+     * index 2: padding (e.g., NoPadding)
+     */
+    String[] parts = new String[3];
+    int count = 0;
+    StringTokenizer parser = new StringTokenizer(transformation, "/");
+    while (parser.hasMoreTokens() && count < 3) {
+      parts[count++] = parser.nextToken().trim();
+    }
+    if (count != 3 || parser.hasMoreTokens()) {
+      throw new NoSuchAlgorithmException("Invalid transformation format: " + 
+          transformation);
+    }
+    return new Transform(parts[0], parts[1], parts[2]);
   }
   
   /**
@@ -99,7 +168,7 @@ public static final OpensslCipher getInstance(int algorithm,
    * @param iv crypto iv
    */
   public void init(int mode, byte[] key, byte[] iv) {
-    context = init(context, mode, algorithm, padding, key, iv);
+    context = init(context, mode, alg, padding, key, iv);
   }
   
   /**
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java
index 739e53fdc8f..b3a894a164f 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java
@@ -38,21 +38,18 @@ public void testGetInstance() throws Exception {
     if (!OpensslCipher.isNativeCodeLoaded()) {
       return;
     }
-    OpensslCipher cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, 
-        OpensslCipher.PADDING_NOPADDING);
+    OpensslCipher cipher = OpensslCipher.getInstance("AES/CTR/NoPadding");
     Assert.assertTrue(cipher != null);
     
     try {
-      cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR + 100, 
-          OpensslCipher.PADDING_NOPADDING);
+      cipher = OpensslCipher.getInstance("AES2/CTR/NoPadding");
       Assert.fail("Should specify correct algorithm.");
     } catch (NoSuchAlgorithmException e) {
       // Expect NoSuchAlgorithmException
     }
     
     try {
-      cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, 
-          OpensslCipher.PADDING_NOPADDING + 100);
+      cipher = OpensslCipher.getInstance("AES/CTR/NoPadding2");
       Assert.fail("Should specify correct padding.");
     } catch (NoSuchPaddingException e) {
       // Expect NoSuchPaddingException
@@ -64,8 +61,7 @@ public void testUpdateArguments() throws Exception {
     if (!OpensslCipher.isNativeCodeLoaded()) {
       return;
     }
-    OpensslCipher cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, 
-        OpensslCipher.PADDING_NOPADDING);
+    OpensslCipher cipher = OpensslCipher.getInstance("AES/CTR/NoPadding");
     Assert.assertTrue(cipher != null);
     
     cipher.init(OpensslCipher.ENCRYPT_MODE, key, iv);
@@ -100,8 +96,7 @@ public void testDoFinalArguments() throws Exception {
     if (!OpensslCipher.isNativeCodeLoaded()) {
       return;
     }
-    OpensslCipher cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, 
-        OpensslCipher.PADDING_NOPADDING);
+    OpensslCipher cipher = OpensslCipher.getInstance("AES/CTR/NoPadding");
     Assert.assertTrue(cipher != null);
     
     cipher.init(OpensslCipher.ENCRYPT_MODE, key, iv);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index dfc8055c6f1..4c2a60ef4b1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -8,9 +8,6 @@ fs-encryption (Unreleased)
 
   IMPROVEMENTS
 
-    HADOOP-10693. Implementation of AES-CTR CryptoCodec using JNI to OpenSSL
-    (hitliuyi via cmccabe)
-
     HDFS-6387. HDFS CLI admin tool for creating & deleting an
     encryption zone. (clamb)
 

From c30872a4ee694c8866fff1bc22b8a1afa88f3137 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Thu, 10 Jul 2014 22:11:01 +0000
Subject: [PATCH 029/354] Temporary removing files incorrect case in SVN that
 break OSX

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1609581 13f79535-47bb-0310-9956-ffa450edef68
---
 .../src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java | 0
 .../main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java  | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
 delete mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AESCTRCryptoCodec.java
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JCEAESCTRCryptoCodec.java
deleted file mode 100644
index e69de29bb2d..00000000000

From 95986dd2fb4527c43fa4c088c61fb7b4bd794d23 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Fri, 11 Jul 2014 00:43:03 +0000
Subject: [PATCH 030/354] MAPREDUCE-5890. Support for encrypting Intermediate
 data and spills in local filesystem. (asuresh via tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1609597 13f79535-47bb-0310-9956-ffa450edef68
---
 .../CHANGES-fs-encryption.txt                 |  15 ++
 .../org/apache/hadoop/mapred/BackupStore.java |   6 +-
 .../java/org/apache/hadoop/mapred/IFile.java  |  21 +-
 .../org/apache/hadoop/mapred/MapTask.java     |  29 +-
 .../java/org/apache/hadoop/mapred/Merger.java |  15 +-
 .../apache/hadoop/mapreduce/CryptoUtils.java  | 199 ++++++++++++++
 .../apache/hadoop/mapreduce/JobSubmitter.java |   9 +-
 .../apache/hadoop/mapreduce/MRJobConfig.java  |  14 +
 .../hadoop/mapreduce/task/reduce/Fetcher.java |  12 +-
 .../mapreduce/task/reduce/LocalFetcher.java   |   4 +
 .../task/reduce/MergeManagerImpl.java         |  32 ++-
 .../task/reduce/OnDiskMapOutput.java          |   3 +-
 .../mapreduce/task/reduce/TestMerger.java     | 148 +++++++---
 .../org/apache/hadoop/mapred/TestIFile.java   |  11 +-
 .../TestMRIntermediateDataEncryption.java     | 254 ++++++++++++++++++
 .../apache/hadoop/mapred/TestReduceTask.java  |   2 +-
 .../mapred/pipes/TestPipeApplication.java     |  12 +-
 17 files changed, 692 insertions(+), 94 deletions(-)
 create mode 100644 hadoop-mapreduce-project/CHANGES-fs-encryption.txt
 create mode 100644 hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/CryptoUtils.java
 create mode 100644 hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMRIntermediateDataEncryption.java

diff --git a/hadoop-mapreduce-project/CHANGES-fs-encryption.txt b/hadoop-mapreduce-project/CHANGES-fs-encryption.txt
new file mode 100644
index 00000000000..83fdc1ef804
--- /dev/null
+++ b/hadoop-mapreduce-project/CHANGES-fs-encryption.txt
@@ -0,0 +1,15 @@
+Hadoop MapReduce Change Log
+
+fs-encryption (Unreleased)
+
+  INCOMPATIBLE CHANGES
+
+  NEW FEATURES
+
+    MAPREDUCE-5890. Support for encrypting Intermediate 
+    data and spills in local filesystem. (asuresh via tucu)
+
+  IMPROVEMENTS
+
+  BUG FIXES
+
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/BackupStore.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/BackupStore.java
index cfcf0f2c6c7..be7fe181f90 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/BackupStore.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/BackupStore.java
@@ -31,6 +31,7 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.LocalDirAllocator;
 import org.apache.hadoop.fs.Path;
@@ -43,6 +44,7 @@
 import org.apache.hadoop.mapreduce.MRConfig;
 import org.apache.hadoop.mapreduce.MRJobConfig;
 import org.apache.hadoop.mapreduce.TaskAttemptID;
+import org.apache.hadoop.mapreduce.CryptoUtils;
 
 /**
  * <code>BackupStore</code> is an utility class that is used to support
@@ -572,7 +574,9 @@ private Writer<K,V> createSpillFile() throws IOException {
 
       file = lDirAlloc.getLocalPathForWrite(tmp.toUri().getPath(), 
           -1, conf);
-      return new Writer<K, V>(conf, fs, file);
+      FSDataOutputStream out = fs.create(file);
+      out = CryptoUtils.wrapIfNecessary(conf, out);
+      return new Writer<K, V>(conf, out, null, null, null, null, true);
     }
   }
 
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/IFile.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/IFile.java
index a410c975578..30ebd6b8ca3 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/IFile.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/IFile.java
@@ -90,13 +90,11 @@ public static class Writer<K extends Object, V extends Object> {
     
     DataOutputBuffer buffer = new DataOutputBuffer();
 
-    public Writer(Configuration conf, FileSystem fs, Path file, 
-                  Class<K> keyClass, Class<V> valueClass,
-                  CompressionCodec codec,
-                  Counters.Counter writesCounter) throws IOException {
-      this(conf, fs.create(file), keyClass, valueClass, codec,
-           writesCounter);
-      ownOutputStream = true;
+    public Writer(Configuration conf, FSDataOutputStream out,
+        Class<K> keyClass, Class<V> valueClass,
+        CompressionCodec codec, Counters.Counter writesCounter)
+        throws IOException {
+      this(conf, out, keyClass, valueClass, codec, writesCounter, false);
     }
     
     protected Writer(Counters.Counter writesCounter) {
@@ -105,7 +103,8 @@ protected Writer(Counters.Counter writesCounter) {
 
     public Writer(Configuration conf, FSDataOutputStream out, 
         Class<K> keyClass, Class<V> valueClass,
-        CompressionCodec codec, Counters.Counter writesCounter)
+        CompressionCodec codec, Counters.Counter writesCounter,
+        boolean ownOutputStream)
         throws IOException {
       this.writtenRecordsCounter = writesCounter;
       this.checksumOut = new IFileOutputStream(out);
@@ -137,11 +136,7 @@ public Writer(Configuration conf, FSDataOutputStream out,
         this.valueSerializer = serializationFactory.getSerializer(valueClass);
         this.valueSerializer.open(buffer);
       }
-    }
-
-    public Writer(Configuration conf, FileSystem fs, Path file) 
-    throws IOException {
-      this(conf, fs, file, null, null, null, null);
+      this.ownOutputStream = ownOutputStream;
     }
 
     public void close() throws IOException {
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/MapTask.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/MapTask.java
index 84fdd92cc5d..b533ebe8e47 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/MapTask.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/MapTask.java
@@ -66,6 +66,7 @@
 import org.apache.hadoop.mapreduce.lib.output.FileOutputFormatCounter;
 import org.apache.hadoop.mapreduce.split.JobSplit.TaskSplitIndex;
 import org.apache.hadoop.mapreduce.task.MapContextImpl;
+import org.apache.hadoop.mapreduce.CryptoUtils;
 import org.apache.hadoop.util.IndexedSortable;
 import org.apache.hadoop.util.IndexedSorter;
 import org.apache.hadoop.util.Progress;
@@ -1580,7 +1581,8 @@ private void sortAndSpill() throws IOException, ClassNotFoundException,
           IFile.Writer<K, V> writer = null;
           try {
             long segmentStart = out.getPos();
-            writer = new Writer<K, V>(job, out, keyClass, valClass, codec,
+            FSDataOutputStream partitionOut = CryptoUtils.wrapIfNecessary(job, out);
+            writer = new Writer<K, V>(job, partitionOut, keyClass, valClass, codec,
                                       spilledRecordsCounter);
             if (combinerRunner == null) {
               // spill directly
@@ -1617,8 +1619,8 @@ private void sortAndSpill() throws IOException, ClassNotFoundException,
 
             // record offsets
             rec.startOffset = segmentStart;
-            rec.rawLength = writer.getRawLength();
-            rec.partLength = writer.getCompressedLength();
+            rec.rawLength = writer.getRawLength() + CryptoUtils.cryptoPadding(job);
+            rec.partLength = writer.getCompressedLength() + CryptoUtils.cryptoPadding(job);
             spillRec.putIndex(rec, i);
 
             writer = null;
@@ -1668,7 +1670,8 @@ private void spillSingleRecord(final K key, final V value,
           try {
             long segmentStart = out.getPos();
             // Create a new codec, don't care!
-            writer = new IFile.Writer<K,V>(job, out, keyClass, valClass, codec,
+            FSDataOutputStream partitionOut = CryptoUtils.wrapIfNecessary(job, out);
+            writer = new IFile.Writer<K,V>(job, partitionOut, keyClass, valClass, codec,
                                             spilledRecordsCounter);
 
             if (i == partition) {
@@ -1682,8 +1685,8 @@ private void spillSingleRecord(final K key, final V value,
 
             // record offsets
             rec.startOffset = segmentStart;
-            rec.rawLength = writer.getRawLength();
-            rec.partLength = writer.getCompressedLength();
+            rec.rawLength = writer.getRawLength() + CryptoUtils.cryptoPadding(job);
+            rec.partLength = writer.getCompressedLength() + CryptoUtils.cryptoPadding(job);
             spillRec.putIndex(rec, i);
 
             writer = null;
@@ -1825,12 +1828,13 @@ private void mergeParts() throws IOException, InterruptedException,
         try {
           for (int i = 0; i < partitions; i++) {
             long segmentStart = finalOut.getPos();
+            FSDataOutputStream finalPartitionOut = CryptoUtils.wrapIfNecessary(job, finalOut);
             Writer<K, V> writer =
-              new Writer<K, V>(job, finalOut, keyClass, valClass, codec, null);
+              new Writer<K, V>(job, finalPartitionOut, keyClass, valClass, codec, null);
             writer.close();
             rec.startOffset = segmentStart;
-            rec.rawLength = writer.getRawLength();
-            rec.partLength = writer.getCompressedLength();
+            rec.rawLength = writer.getRawLength() + CryptoUtils.cryptoPadding(job);
+            rec.partLength = writer.getCompressedLength() + CryptoUtils.cryptoPadding(job);
             sr.putIndex(rec, i);
           }
           sr.writeToFile(finalIndexFile, job);
@@ -1879,8 +1883,9 @@ private void mergeParts() throws IOException, InterruptedException,
 
           //write merged output to disk
           long segmentStart = finalOut.getPos();
+          FSDataOutputStream finalPartitionOut = CryptoUtils.wrapIfNecessary(job, finalOut);
           Writer<K, V> writer =
-              new Writer<K, V>(job, finalOut, keyClass, valClass, codec,
+              new Writer<K, V>(job, finalPartitionOut, keyClass, valClass, codec,
                                spilledRecordsCounter);
           if (combinerRunner == null || numSpills < minSpillsForCombine) {
             Merger.writeFile(kvIter, writer, reporter, job);
@@ -1896,8 +1901,8 @@ private void mergeParts() throws IOException, InterruptedException,
           
           // record offsets
           rec.startOffset = segmentStart;
-          rec.rawLength = writer.getRawLength();
-          rec.partLength = writer.getCompressedLength();
+          rec.rawLength = writer.getRawLength() + CryptoUtils.cryptoPadding(job);
+          rec.partLength = writer.getCompressedLength() + CryptoUtils.cryptoPadding(job);
           spillRec.putIndex(rec, parts);
         }
         spillRec.writeToFile(finalIndexFile, job);
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/Merger.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/Merger.java
index 9493871138d..92855169c82 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/Merger.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/Merger.java
@@ -30,6 +30,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FSDataInputStream;
 import org.apache.hadoop.fs.ChecksumFileSystem;
+import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.LocalDirAllocator;
 import org.apache.hadoop.fs.Path;
@@ -40,6 +41,7 @@
 import org.apache.hadoop.mapred.IFile.Writer;
 import org.apache.hadoop.mapreduce.MRConfig;
 import org.apache.hadoop.mapreduce.TaskType;
+import org.apache.hadoop.mapreduce.CryptoUtils;
 import org.apache.hadoop.util.PriorityQueue;
 import org.apache.hadoop.util.Progress;
 import org.apache.hadoop.util.Progressable;
@@ -298,8 +300,12 @@ public Segment(Reader<K, V> reader, boolean preserve,
     void init(Counters.Counter readsCounter) throws IOException {
       if (reader == null) {
         FSDataInputStream in = fs.open(file);
+
         in.seek(segmentOffset);
-        reader = new Reader<K, V>(conf, in, segmentLength, codec, readsCounter);
+        in = CryptoUtils.wrapIfNecessary(conf, in);
+        reader = new Reader<K, V>(conf, in,
+            segmentLength - CryptoUtils.cryptoPadding(conf),
+            codec, readsCounter);
       }
       
       if (mapOutputsCounter != null) {
@@ -714,9 +720,10 @@ RawKeyValueIterator merge(Class<K> keyClass, Class<V> valueClass,
                                               tmpFilename.toString(),
                                               approxOutputSize, conf);
 
-          Writer<K, V> writer = 
-            new Writer<K, V>(conf, fs, outputFile, keyClass, valueClass, codec,
-                             writesCounter);
+          FSDataOutputStream out = fs.create(outputFile);
+          out = CryptoUtils.wrapIfNecessary(conf, out);
+          Writer<K, V> writer = new Writer<K, V>(conf, out, keyClass, valueClass,
+              codec, writesCounter, true);
           writeFile(this, writer, reporter, conf);
           writer.close();
           
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/CryptoUtils.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/CryptoUtils.java
new file mode 100644
index 00000000000..7d8a4962c65
--- /dev/null
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/CryptoUtils.java
@@ -0,0 +1,199 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.mapreduce;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.ByteBuffer;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CryptoCodec;
+import org.apache.hadoop.crypto.CryptoInputStream;
+import org.apache.hadoop.fs.FSDataInputStream;
+import org.apache.hadoop.fs.FSDataOutputStream;
+import org.apache.hadoop.fs.crypto.CryptoFSDataInputStream;
+import org.apache.hadoop.fs.crypto.CryptoFSDataOutputStream;
+import org.apache.hadoop.io.IOUtils;
+import org.apache.hadoop.mapreduce.MRJobConfig;
+import org.apache.hadoop.mapreduce.security.TokenCache;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import com.google.common.io.LimitInputStream;
+
+/**
+ * This class provides utilities to make it easier to work with Cryptographic
+ * Streams. Specifically for dealing with encrypting intermediate data such
+ * MapReduce spill files.
+ */
+@InterfaceAudience.Private
+@InterfaceStability.Unstable
+public class CryptoUtils {
+
+  private static final Log LOG = LogFactory.getLog(CryptoUtils.class);
+
+  public static boolean isShuffleEncrypted(Configuration conf) {
+    return conf.getBoolean(MRJobConfig.MR_ENCRYPTED_INTERMEDIATE_DATA,
+        MRJobConfig.DEFAULT_MR_ENCRYPTED_INTERMEDIATE_DATA);
+  }
+
+  /**
+   * This method creates and initializes an IV (Initialization Vector)
+   * 
+   * @param conf
+   * @return byte[]
+   * @throws IOException
+   */
+  public static byte[] createIV(Configuration conf) throws IOException {
+    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
+    if (isShuffleEncrypted(conf)) {
+      byte[] iv = new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
+      cryptoCodec.generateSecureRandom(iv);
+      return iv;
+    } else {
+      return null;
+    }
+  }
+
+  public static int cryptoPadding(Configuration conf) {
+    // Sizeof(IV) + long(start-offset)
+    return isShuffleEncrypted(conf) ? CryptoCodec.getInstance(conf)
+        .getCipherSuite().getAlgorithmBlockSize() + 8 : 0;
+  }
+
+  private static byte[] getEncryptionKey() throws IOException {
+    return TokenCache.getShuffleSecretKey(UserGroupInformation.getCurrentUser()
+        .getCredentials());
+  }
+
+  private static int getBufferSize(Configuration conf) {
+    return conf.getInt(MRJobConfig.MR_ENCRYPTED_INTERMEDIATE_DATA_BUFFER_KB,
+        MRJobConfig.DEFAULT_MR_ENCRYPTED_INTERMEDIATE_DATA_BUFFER_KB) * 1024;
+  }
+
+  /**
+   * Wraps a given FSDataOutputStream with a CryptoOutputStream. The size of the
+   * data buffer required for the stream is specified by the
+   * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
+   * variable.
+   * 
+   * @param conf
+   * @param out
+   * @return FSDataOutputStream
+   * @throws IOException
+   */
+  public static FSDataOutputStream wrapIfNecessary(Configuration conf,
+      FSDataOutputStream out) throws IOException {
+    if (isShuffleEncrypted(conf)) {
+      out.write(ByteBuffer.allocate(8).putLong(out.getPos()).array());
+      byte[] iv = createIV(conf);
+      out.write(iv);
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("IV written to Stream ["
+            + Base64.encodeBase64URLSafeString(iv) + "]");
+      }
+      return new CryptoFSDataOutputStream(out, CryptoCodec.getInstance(conf),
+          getBufferSize(conf), getEncryptionKey(), iv);
+    } else {
+      return out;
+    }
+  }
+
+  /**
+   * Wraps a given InputStream with a CryptoInputStream. The size of the data
+   * buffer required for the stream is specified by the
+   * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
+   * variable.
+   * 
+   * If the value of 'length' is > -1, The InputStream is additionally wrapped
+   * in a LimitInputStream. CryptoStreams are late buffering in nature. This
+   * means they will always try to read ahead if they can. The LimitInputStream
+   * will ensure that the CryptoStream does not read past the provided length
+   * from the given Input Stream.
+   * 
+   * @param conf
+   * @param in
+   * @param length
+   * @return InputStream
+   * @throws IOException
+   */
+  public static InputStream wrapIfNecessary(Configuration conf, InputStream in,
+      long length) throws IOException {
+    if (isShuffleEncrypted(conf)) {
+      int bufferSize = getBufferSize(conf);
+      if (length > -1) {
+        in = new LimitInputStream(in, length);
+      }
+      byte[] offsetArray = new byte[8];
+      IOUtils.readFully(in, offsetArray, 0, 8);
+      long offset = ByteBuffer.wrap(offsetArray).getLong();
+      CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
+      byte[] iv = 
+          new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
+      IOUtils.readFully(in, iv, 0, 
+          cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("IV read from ["
+            + Base64.encodeBase64URLSafeString(iv) + "]");
+      }
+      return new CryptoInputStream(in, cryptoCodec, bufferSize,
+          getEncryptionKey(), iv, offset + cryptoPadding(conf));
+    } else {
+      return in;
+    }
+  }
+
+  /**
+   * Wraps a given FSDataInputStream with a CryptoInputStream. The size of the
+   * data buffer required for the stream is specified by the
+   * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
+   * variable.
+   * 
+   * @param conf
+   * @param in
+   * @return FSDataInputStream
+   * @throws IOException
+   */
+  public static FSDataInputStream wrapIfNecessary(Configuration conf,
+      FSDataInputStream in) throws IOException {
+    if (isShuffleEncrypted(conf)) {
+      CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
+      int bufferSize = getBufferSize(conf);
+      // Not going to be used... but still has to be read...
+      // Since the O/P stream always writes it..
+      IOUtils.readFully(in, new byte[8], 0, 8);
+      byte[] iv = 
+          new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
+      IOUtils.readFully(in, iv, 0, 
+          cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("IV read from Stream ["
+            + Base64.encodeBase64URLSafeString(iv) + "]");
+      }
+      return new CryptoFSDataInputStream(in, cryptoCodec, bufferSize,
+          getEncryptionKey(), iv);
+    } else {
+      return in;
+    }
+  }
+
+}
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/JobSubmitter.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/JobSubmitter.java
index 94e71257498..0734e7f2953 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/JobSubmitter.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/JobSubmitter.java
@@ -291,7 +291,7 @@ private void copyJar(Path originalJarPath, Path submitJarFile,
   /**
    * configure the jobconf of the user with the command line options of 
    * -libjars, -files, -archives.
-   * @param conf
+   * @param job
    * @throws IOException
    */
   private void copyAndConfigureFiles(Job job, Path jobSubmitDir) 
@@ -376,8 +376,13 @@ JobStatus submitJobInternal(Job job, Cluster cluster)
       if (TokenCache.getShuffleSecretKey(job.getCredentials()) == null) {
         KeyGenerator keyGen;
         try {
+         
+          int keyLen = CryptoUtils.isShuffleEncrypted(conf) 
+              ? conf.getInt(MRJobConfig.MR_ENCRYPTED_INTERMEDIATE_DATA_KEY_SIZE_BITS, 
+                  MRJobConfig.DEFAULT_MR_ENCRYPTED_INTERMEDIATE_DATA_KEY_SIZE_BITS)
+              : SHUFFLE_KEY_LENGTH;
           keyGen = KeyGenerator.getInstance(SHUFFLE_KEYGEN_ALGORITHM);
-          keyGen.init(SHUFFLE_KEY_LENGTH);
+          keyGen.init(keyLen);
         } catch (NoSuchAlgorithmException e) {
           throw new IOException("Error generating shuffle secret key", e);
         }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java
index 4795af78d2a..e4ded57a49c 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java
@@ -762,4 +762,18 @@ public interface MRJobConfig {
   
   public static final String TASK_PREEMPTION =
       "mapreduce.job.preemption";
+
+  public static final String MR_ENCRYPTED_INTERMEDIATE_DATA =
+      "mapreduce.job.encrypted-intermediate-data";
+  public static final boolean DEFAULT_MR_ENCRYPTED_INTERMEDIATE_DATA = false;
+
+  public static final String MR_ENCRYPTED_INTERMEDIATE_DATA_KEY_SIZE_BITS =
+      "mapreduce.job.encrypted-intermediate-data-key-size-bits";
+  public static final int DEFAULT_MR_ENCRYPTED_INTERMEDIATE_DATA_KEY_SIZE_BITS =
+      128;
+
+  public static final String MR_ENCRYPTED_INTERMEDIATE_DATA_BUFFER_KB =
+      "mapreduce.job.encrypted-intermediate-data.buffer.kb";
+  public static final int DEFAULT_MR_ENCRYPTED_INTERMEDIATE_DATA_BUFFER_KB =
+          128;
 }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/Fetcher.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/Fetcher.java
index 00d4764e665..20db9dc7e5e 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/Fetcher.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/Fetcher.java
@@ -19,6 +19,7 @@
 
 import java.io.DataInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.ConnectException;
 import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
@@ -43,6 +44,7 @@
 import org.apache.hadoop.mapreduce.MRJobConfig;
 import org.apache.hadoop.mapreduce.TaskAttemptID;
 import org.apache.hadoop.mapreduce.security.SecureShuffleUtils;
+import org.apache.hadoop.mapreduce.CryptoUtils;
 import org.apache.hadoop.security.ssl.SSLFactory;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -65,6 +67,7 @@ private static enum ShuffleErrors{IO_ERROR, WRONG_LENGTH, BAD_ID, WRONG_MAP,
                                     CONNECTION, WRONG_REDUCE}
   
   private final static String SHUFFLE_ERR_GRP_NAME = "Shuffle Errors";
+  private final JobConf jobConf;
   private final Counters.Counter connectionErrs;
   private final Counters.Counter ioErrs;
   private final Counters.Counter wrongLengthErrs;
@@ -104,6 +107,7 @@ public Fetcher(JobConf job, TaskAttemptID reduceId,
                  Reporter reporter, ShuffleClientMetrics metrics,
                  ExceptionReporter exceptionReporter, SecretKey shuffleKey,
                  int id) {
+    this.jobConf = job;
     this.reporter = reporter;
     this.scheduler = scheduler;
     this.merger = merger;
@@ -394,7 +398,11 @@ private TaskAttemptID[] copyMapOutput(MapHost host,
         return remaining.toArray(new TaskAttemptID[remaining.size()]);
       }
 
- 
+      InputStream is = input;
+      is = CryptoUtils.wrapIfNecessary(jobConf, is, compressedLength);
+      compressedLength -= CryptoUtils.cryptoPadding(jobConf);
+      decompressedLength -= CryptoUtils.cryptoPadding(jobConf);
+      
       // Do some basic sanity verification
       if (!verifySanity(compressedLength, decompressedLength, forReduce,
           remaining, mapId)) {
@@ -431,7 +439,7 @@ private TaskAttemptID[] copyMapOutput(MapHost host,
         LOG.info("fetcher#" + id + " about to shuffle output of map "
             + mapOutput.getMapId() + " decomp: " + decompressedLength
             + " len: " + compressedLength + " to " + mapOutput.getDescription());
-        mapOutput.shuffle(host, input, compressedLength, decompressedLength,
+        mapOutput.shuffle(host, is, compressedLength, decompressedLength,
             metrics, reporter);
       } catch (java.lang.InternalError e) {
         LOG.warn("Failed to shuffle for fetcher#"+id, e);
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/LocalFetcher.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/LocalFetcher.java
index 52796524da5..98256c2d65b 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/LocalFetcher.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/LocalFetcher.java
@@ -36,6 +36,7 @@
 import org.apache.hadoop.mapred.Reporter;
 import org.apache.hadoop.mapred.SpillRecord;
 import org.apache.hadoop.mapreduce.TaskAttemptID;
+import org.apache.hadoop.mapreduce.CryptoUtils;
 
 /**
  * LocalFetcher is used by LocalJobRunner to perform a local filesystem
@@ -145,6 +146,9 @@ private boolean copyMapOutput(TaskAttemptID mapTaskId) throws IOException {
     // now read the file, seek to the appropriate section, and send it.
     FileSystem localFs = FileSystem.getLocal(job).getRaw();
     FSDataInputStream inStream = localFs.open(mapOutputFileName);
+
+    inStream = CryptoUtils.wrapIfNecessary(job, inStream);
+
     try {
       inStream.seek(ir.startOffset);
 
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java
index a821e4d1b8a..1fa1da0f704 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java
@@ -30,6 +30,7 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.fs.ChecksumFileSystem;
+import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.LocalDirAllocator;
 import org.apache.hadoop.fs.LocalFileSystem;
@@ -54,6 +55,7 @@
 import org.apache.hadoop.mapreduce.MRJobConfig;
 import org.apache.hadoop.mapreduce.TaskAttemptID;
 import org.apache.hadoop.mapreduce.TaskID;
+import org.apache.hadoop.mapreduce.CryptoUtils;
 import org.apache.hadoop.mapreduce.task.reduce.MapOutput.MapOutputComparator;
 import org.apache.hadoop.util.Progress;
 import org.apache.hadoop.util.ReflectionUtils;
@@ -227,6 +229,10 @@ protected MergeThread<InMemoryMapOutput<K,V>, K,V> createInMemoryMerger() {
     return new InMemoryMerger(this);
   }
 
+  protected MergeThread<CompressAwarePath,K,V> createOnDiskMerger() {
+    return new OnDiskMerger(this);
+  }
+
   TaskAttemptID getReduceId() {
     return reduceId;
   }
@@ -452,11 +458,10 @@ public void merge(List<InMemoryMapOutput<K,V>> inputs) throws IOException {
                                            mergeOutputSize).suffix(
                                                Task.MERGED_OUTPUT_PREFIX);
 
-      Writer<K,V> writer = 
-        new Writer<K,V>(jobConf, rfs, outputPath,
-                        (Class<K>) jobConf.getMapOutputKeyClass(),
-                        (Class<V>) jobConf.getMapOutputValueClass(),
-                        codec, null);
+      FSDataOutputStream out = CryptoUtils.wrapIfNecessary(jobConf, rfs.create(outputPath));
+      Writer<K, V> writer = new Writer<K, V>(jobConf, out,
+          (Class<K>) jobConf.getMapOutputKeyClass(),
+          (Class<V>) jobConf.getMapOutputValueClass(), codec, null, true);
 
       RawKeyValueIterator rIter = null;
       CompressAwarePath compressAwarePath;
@@ -536,11 +541,12 @@ public void merge(List<CompressAwarePath> inputs) throws IOException {
       Path outputPath = 
         localDirAllocator.getLocalPathForWrite(inputs.get(0).toString(), 
             approxOutputSize, jobConf).suffix(Task.MERGED_OUTPUT_PREFIX);
-      Writer<K,V> writer = 
-        new Writer<K,V>(jobConf, rfs, outputPath, 
-                        (Class<K>) jobConf.getMapOutputKeyClass(), 
-                        (Class<V>) jobConf.getMapOutputValueClass(),
-                        codec, null);
+
+      FSDataOutputStream out = CryptoUtils.wrapIfNecessary(jobConf, rfs.create(outputPath));
+      Writer<K, V> writer = new Writer<K, V>(jobConf, out,
+          (Class<K>) jobConf.getMapOutputKeyClass(),
+          (Class<V>) jobConf.getMapOutputValueClass(), codec, null, true);
+
       RawKeyValueIterator iter  = null;
       CompressAwarePath compressAwarePath;
       Path tmpDir = new Path(reduceId.toString());
@@ -716,8 +722,10 @@ private RawKeyValueIterator finalMerge(JobConf job, FileSystem fs,
             keyClass, valueClass, memDiskSegments, numMemDiskSegments,
             tmpDir, comparator, reporter, spilledRecordsCounter, null, 
             mergePhase);
-        Writer<K,V> writer = new Writer<K,V>(job, fs, outputPath,
-            keyClass, valueClass, codec, null);
+
+        FSDataOutputStream out = CryptoUtils.wrapIfNecessary(job, fs.create(outputPath));
+        Writer<K, V> writer = new Writer<K, V>(job, out, keyClass, valueClass,
+            codec, null, true);
         try {
           Merger.writeFile(rIter, writer, reporter, job);
           writer.close();
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/OnDiskMapOutput.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/OnDiskMapOutput.java
index 59bb04a9dea..6e0e92bd4df 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/OnDiskMapOutput.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/OnDiskMapOutput.java
@@ -37,6 +37,7 @@
 import org.apache.hadoop.mapred.MapOutputFile;
 
 import org.apache.hadoop.mapreduce.TaskAttemptID;
+import org.apache.hadoop.mapreduce.CryptoUtils;
 import org.apache.hadoop.mapreduce.task.reduce.MergeManagerImpl.CompressAwarePath;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -75,7 +76,7 @@ public OnDiskMapOutput(TaskAttemptID mapId, TaskAttemptID reduceId,
     this.merger = merger;
     this.outputPath = outputPath;
     tmpOutputPath = getTempPath(outputPath, fetcher);
-    disk = fs.create(tmpOutputPath);
+    disk = CryptoUtils.wrapIfNecessary(conf, fs.create(tmpOutputPath));
   }
 
   @VisibleForTesting
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestMerger.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestMerger.java
index 1aea5004a58..c5ab420b81f 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestMerger.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestMerger.java
@@ -24,14 +24,16 @@
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.TreeMap;
 
+import org.apache.hadoop.fs.FSDataInputStream;
 import org.junit.Assert;
-
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileSystem;
@@ -51,10 +53,16 @@
 import org.apache.hadoop.mapred.Reporter;
 import org.apache.hadoop.mapreduce.JobID;
 import org.apache.hadoop.mapreduce.MRConfig;
+import org.apache.hadoop.mapreduce.MRJobConfig;
 import org.apache.hadoop.mapreduce.TaskAttemptID;
 import org.apache.hadoop.mapreduce.TaskID;
 import org.apache.hadoop.mapreduce.TaskType;
+import org.apache.hadoop.mapreduce.security.TokenCache;
+import org.apache.hadoop.mapreduce.CryptoUtils;
 import org.apache.hadoop.mapreduce.task.reduce.MergeManagerImpl;
+import org.apache.hadoop.mapreduce.task.reduce.MergeManagerImpl.CompressAwarePath;
+import org.apache.hadoop.security.Credentials;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.Progress;
 import org.apache.hadoop.util.Progressable;
 import org.junit.After;
@@ -63,40 +71,48 @@
 import org.mockito.invocation.InvocationOnMock;
 import org.mockito.stubbing.Answer;
 
+import com.google.common.collect.Lists;
+
 public class TestMerger {
 
   private Configuration conf;
   private JobConf jobConf;
   private FileSystem fs;
-  
+
   @Before
   public void setup() throws IOException {
     conf = new Configuration();
     jobConf = new JobConf();
     fs = FileSystem.getLocal(conf);
   }
-  
-  @After
-  public void cleanup() throws IOException {    
-    fs.delete(new Path(jobConf.getLocalDirs()[0]), true);
-  }
-  
+
+
   @Test
-  public void testInMemoryMerger() throws Throwable {
+  public void testEncryptedMerger() throws Throwable {
+    jobConf.setBoolean(MRJobConfig.MR_ENCRYPTED_INTERMEDIATE_DATA, true);
+    conf.setBoolean(MRJobConfig.MR_ENCRYPTED_INTERMEDIATE_DATA, true);
+    Credentials credentials = UserGroupInformation.getCurrentUser().getCredentials();
+    TokenCache.setShuffleSecretKey(new byte[16], credentials);
+    UserGroupInformation.getCurrentUser().addCredentials(credentials);
+    testInMemoryAndOnDiskMerger();
+  }
+
+  @Test
+  public void testInMemoryAndOnDiskMerger() throws Throwable {
     JobID jobId = new JobID("a", 0);
-    TaskAttemptID reduceId = new TaskAttemptID(
+    TaskAttemptID reduceId1 = new TaskAttemptID(
         new TaskID(jobId, TaskType.REDUCE, 0), 0);
     TaskAttemptID mapId1 = new TaskAttemptID(
         new TaskID(jobId, TaskType.MAP, 1), 0);
     TaskAttemptID mapId2 = new TaskAttemptID(
         new TaskID(jobId, TaskType.MAP, 2), 0);
-    
+
     LocalDirAllocator lda = new LocalDirAllocator(MRConfig.LOCAL_DIR);
-    
+
     MergeManagerImpl<Text, Text> mergeManager = new MergeManagerImpl<Text, Text>(
-        reduceId, jobConf, fs, lda, Reporter.NULL, null, null, null, null, null,
+        reduceId1, jobConf, fs, lda, Reporter.NULL, null, null, null, null, null,
         null, null, new Progress(), new MROutputFiles());
-    
+
     // write map outputs
     Map<String, String> map1 = new TreeMap<String, String>();
     map1.put("apple", "disgusting");
@@ -113,32 +129,88 @@ public void testInMemoryMerger() throws Throwable {
         mapOutputBytes1.length);
     System.arraycopy(mapOutputBytes2, 0, mapOutput2.getMemory(), 0,
         mapOutputBytes2.length);
-    
+
     // create merger and run merge
     MergeThread<InMemoryMapOutput<Text, Text>, Text, Text> inMemoryMerger =
         mergeManager.createInMemoryMerger();
-    List<InMemoryMapOutput<Text, Text>> mapOutputs =
+    List<InMemoryMapOutput<Text, Text>> mapOutputs1 =
         new ArrayList<InMemoryMapOutput<Text, Text>>();
-    mapOutputs.add(mapOutput1);
-    mapOutputs.add(mapOutput2);
-    
-    inMemoryMerger.merge(mapOutputs);
-    
+    mapOutputs1.add(mapOutput1);
+    mapOutputs1.add(mapOutput2);
+
+    inMemoryMerger.merge(mapOutputs1);
+
     Assert.assertEquals(1, mergeManager.onDiskMapOutputs.size());
-    Path outPath = mergeManager.onDiskMapOutputs.iterator().next();
-    
+
+    TaskAttemptID reduceId2 = new TaskAttemptID(
+        new TaskID(jobId, TaskType.REDUCE, 3), 0);
+    TaskAttemptID mapId3 = new TaskAttemptID(
+        new TaskID(jobId, TaskType.MAP, 4), 0);
+    TaskAttemptID mapId4 = new TaskAttemptID(
+        new TaskID(jobId, TaskType.MAP, 5), 0);
+    // write map outputs
+    Map<String, String> map3 = new TreeMap<String, String>();
+    map3.put("apple", "awesome");
+    map3.put("carrot", "amazing");
+    Map<String, String> map4 = new TreeMap<String, String>();
+    map4.put("banana", "bla");
+    byte[] mapOutputBytes3 = writeMapOutput(conf, map3);
+    byte[] mapOutputBytes4 = writeMapOutput(conf, map4);
+    InMemoryMapOutput<Text, Text> mapOutput3 = new InMemoryMapOutput<Text, Text>(
+        conf, mapId3, mergeManager, mapOutputBytes3.length, null, true);
+    InMemoryMapOutput<Text, Text> mapOutput4 = new InMemoryMapOutput<Text, Text>(
+        conf, mapId4, mergeManager, mapOutputBytes4.length, null, true);
+    System.arraycopy(mapOutputBytes3, 0, mapOutput3.getMemory(), 0,
+        mapOutputBytes3.length);
+    System.arraycopy(mapOutputBytes4, 0, mapOutput4.getMemory(), 0,
+        mapOutputBytes4.length);
+
+//    // create merger and run merge
+    MergeThread<InMemoryMapOutput<Text, Text>, Text, Text> inMemoryMerger2 =
+        mergeManager.createInMemoryMerger();
+    List<InMemoryMapOutput<Text, Text>> mapOutputs2 =
+        new ArrayList<InMemoryMapOutput<Text, Text>>();
+    mapOutputs2.add(mapOutput3);
+    mapOutputs2.add(mapOutput4);
+
+    inMemoryMerger2.merge(mapOutputs2);
+
+    Assert.assertEquals(2, mergeManager.onDiskMapOutputs.size());
+
+    List<CompressAwarePath> paths = new ArrayList<CompressAwarePath>();
+    Iterator<CompressAwarePath> iterator = mergeManager.onDiskMapOutputs.iterator();
     List<String> keys = new ArrayList<String>();
     List<String> values = new ArrayList<String>();
-    readOnDiskMapOutput(conf, fs, outPath, keys, values);
-    Assert.assertEquals(keys, Arrays.asList("apple", "banana", "carrot"));
-    Assert.assertEquals(values, Arrays.asList("disgusting", "pretty good", "delicious"));
+    while (iterator.hasNext()) {
+      CompressAwarePath next = iterator.next();
+      readOnDiskMapOutput(conf, fs, next, keys, values);
+      paths.add(next);
+    }
+    Assert.assertEquals(keys, Arrays.asList("apple", "banana", "carrot", "apple", "banana", "carrot"));
+    Assert.assertEquals(values, Arrays.asList("awesome", "bla", "amazing", "disgusting", "pretty good", "delicious"));
+    mergeManager.close();
+
+    mergeManager = new MergeManagerImpl<Text, Text>(
+        reduceId2, jobConf, fs, lda, Reporter.NULL, null, null, null, null, null,
+        null, null, new Progress(), new MROutputFiles());
+
+    MergeThread<CompressAwarePath,Text,Text> onDiskMerger = mergeManager.createOnDiskMerger();
+    onDiskMerger.merge(paths);
+
+    Assert.assertEquals(1, mergeManager.onDiskMapOutputs.size());
+
+    keys = new ArrayList<String>();
+    values = new ArrayList<String>();
+    readOnDiskMapOutput(conf, fs, mergeManager.onDiskMapOutputs.iterator().next(), keys, values);
+    Assert.assertEquals(keys, Arrays.asList("apple", "apple", "banana", "banana", "carrot", "carrot"));
+    Assert.assertEquals(values, Arrays.asList("awesome", "disgusting", "pretty good", "bla", "amazing", "delicious"));
 
     mergeManager.close();
     Assert.assertEquals(0, mergeManager.inMemoryMapOutputs.size());
     Assert.assertEquals(0, mergeManager.inMemoryMergedMapOutputs.size());
     Assert.assertEquals(0, mergeManager.onDiskMapOutputs.size());
   }
-  
+
   private byte[] writeMapOutput(Configuration conf, Map<String, String> keysToValues)
       throws IOException {
     ByteArrayOutputStream baos = new ByteArrayOutputStream();
@@ -152,11 +224,13 @@ private byte[] writeMapOutput(Configuration conf, Map<String, String> keysToValu
     writer.close();
     return baos.toByteArray();
   }
-  
+
   private void readOnDiskMapOutput(Configuration conf, FileSystem fs, Path path,
       List<String> keys, List<String> values) throws IOException {
-    IFile.Reader<Text, Text> reader = new IFile.Reader<Text, Text>(conf, fs,
-        path, null, null);
+    FSDataInputStream in = CryptoUtils.wrapIfNecessary(conf, fs.open(path));
+
+    IFile.Reader<Text, Text> reader = new IFile.Reader<Text, Text>(conf, in,
+        fs.getFileStatus(path).getLen(), null, null);
     DataInputBuffer keyBuff = new DataInputBuffer();
     DataInputBuffer valueBuff = new DataInputBuffer();
     Text key = new Text();
@@ -169,17 +243,17 @@ private void readOnDiskMapOutput(Configuration conf, FileSystem fs, Path path,
       values.add(value.toString());
     }
   }
-  
+
   @Test
   public void testCompressed() throws IOException {
     testMergeShouldReturnProperProgress(getCompressedSegments());
-  }
-  
+}
+
   @Test
   public void testUncompressed() throws IOException {
     testMergeShouldReturnProperProgress(getUncompressedSegments());
   }
-  
+
   @SuppressWarnings( { "deprecation", "unchecked" })
   public void testMergeShouldReturnProperProgress(
       List<Segment<Text, Text>> segments) throws IOException {
@@ -212,7 +286,7 @@ private List<Segment<Text, Text>> getUncompressedSegments() throws IOException {
     }
     return segments;
   }
-  
+
   private List<Segment<Text, Text>> getCompressedSegments() throws IOException {
     List<Segment<Text, Text>> segments = new ArrayList<Segment<Text, Text>>();
     for (int i = 1; i < 1; i++) {
@@ -220,7 +294,7 @@ private List<Segment<Text, Text>> getCompressedSegments() throws IOException {
     }
     return segments;
   }
-  
+
   private Segment<Text, Text> getUncompressedSegment(int i) throws IOException {
     return new Segment<Text, Text>(getReader(i), false);
   }
@@ -258,7 +332,7 @@ public Boolean answer(InvocationOnMock invocation) {
       }
     };
   }
-  
+
   private Answer<?> getValueAnswer(final String segmentName) {
     return new Answer<Void>() {
       int i = 0;
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestIFile.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestIFile.java
index e3c7253afcb..a314fc1f578 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestIFile.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestIFile.java
@@ -18,6 +18,8 @@
 package org.apache.hadoop.mapred;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FSDataInputStream;
+import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.LocalFileSystem;
 import org.apache.hadoop.fs.Path;
@@ -42,7 +44,7 @@ public void testIFileWriterWithCodec() throws Exception {
     DefaultCodec codec = new GzipCodec();
     codec.setConf(conf);
     IFile.Writer<Text, Text> writer =
-      new IFile.Writer<Text, Text>(conf, rfs, path, Text.class, Text.class,
+      new IFile.Writer<Text, Text>(conf, rfs.create(path), Text.class, Text.class,
                                    codec, null);
     writer.close();
   }
@@ -56,12 +58,15 @@ public void testIFileReaderWithCodec() throws Exception {
     Path path = new Path(new Path("build/test.ifile"), "data");
     DefaultCodec codec = new GzipCodec();
     codec.setConf(conf);
+    FSDataOutputStream out = rfs.create(path);
     IFile.Writer<Text, Text> writer =
-        new IFile.Writer<Text, Text>(conf, rfs, path, Text.class, Text.class,
+        new IFile.Writer<Text, Text>(conf, out, Text.class, Text.class,
                                      codec, null);
     writer.close();
+    FSDataInputStream in = rfs.open(path);
     IFile.Reader<Text, Text> reader =
-      new IFile.Reader<Text, Text>(conf, rfs, path, codec, null);
+      new IFile.Reader<Text, Text>(conf, in, rfs.getFileStatus(path).getLen(),
+          codec, null);
     reader.close();
     
     // test check sum 
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMRIntermediateDataEncryption.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMRIntermediateDataEncryption.java
new file mode 100644
index 00000000000..ebc32adb9d9
--- /dev/null
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMRIntermediateDataEncryption.java
@@ -0,0 +1,254 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.mapred;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FSDataInputStream;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.io.LongWritable;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.mapreduce.MRJobConfig;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+
+import static org.junit.Assert.*;
+
+@SuppressWarnings(value={"unchecked", "deprecation"})
+/**
+ * This test tests the support for a merge operation in Hadoop.  The input files
+ * are already sorted on the key.  This test implements an external
+ * MapOutputCollector implementation that just copies the records to different
+ * partitions while maintaining the sort order in each partition.  The Hadoop
+ * framework's merge on the reduce side will merge the partitions created to
+ * generate the final output which is sorted on the key.
+ */
+public class TestMRIntermediateDataEncryption {
+  // Where MR job's input will reside.
+  private static final Path INPUT_DIR = new Path("/test/input");
+  // Where output goes.
+  private static final Path OUTPUT = new Path("/test/output");
+
+  @Test
+  public void testSingleReducer() throws Exception {
+    doEncryptionTest(3, 1, 2);
+  }
+
+  @Test
+  public void testMultipleMapsPerNode() throws Exception {
+    doEncryptionTest(8, 1, 2);
+  }
+
+  @Test
+  public void testMultipleReducers() throws Exception {
+    doEncryptionTest(2, 4, 2);
+  }
+
+  public void doEncryptionTest(int numMappers, int numReducers, int numNodes) throws Exception {
+    doEncryptionTest(numMappers, numReducers, numNodes, 1000);
+  }
+
+  public void doEncryptionTest(int numMappers, int numReducers, int numNodes, int numLines) throws Exception {
+    MiniDFSCluster dfsCluster = null;
+    MiniMRClientCluster mrCluster = null;
+    FileSystem fileSystem = null;
+    try {
+      Configuration conf = new Configuration();
+      // Start the mini-MR and mini-DFS clusters
+
+      dfsCluster = new MiniDFSCluster.Builder(conf)
+          .numDataNodes(numNodes).build();
+      fileSystem = dfsCluster.getFileSystem();
+      mrCluster = MiniMRClientClusterFactory.create(this.getClass(),
+                                                 numNodes, conf);
+      // Generate input.
+      createInput(fileSystem, numMappers, numLines);
+      // Run the test.
+      runMergeTest(new JobConf(mrCluster.getConfig()), fileSystem, numMappers, numReducers, numLines);
+    } finally {
+      if (dfsCluster != null) {
+        dfsCluster.shutdown();
+      }
+      if (mrCluster != null) {
+        mrCluster.stop();
+      }
+    }
+  }
+
+  private void createInput(FileSystem fs, int numMappers, int numLines) throws Exception {
+    fs.delete(INPUT_DIR, true);
+    for (int i = 0; i < numMappers; i++) {
+      OutputStream os = fs.create(new Path(INPUT_DIR, "input_" + i + ".txt"));
+      Writer writer = new OutputStreamWriter(os);
+      for (int j = 0; j < numLines; j++) {
+        // Create sorted key, value pairs.
+        int k = j + 1;
+        String formattedNumber = String.format("%09d", k);
+        writer.write(formattedNumber + " " + formattedNumber + "\n");
+      }
+      writer.close();
+    }
+  }
+
+  private void runMergeTest(JobConf job, FileSystem fileSystem, int numMappers, int numReducers, int numLines)
+    throws Exception {
+    fileSystem.delete(OUTPUT, true);
+    job.setJobName("Test");
+    JobClient client = new JobClient(job);
+    RunningJob submittedJob = null;
+    FileInputFormat.setInputPaths(job, INPUT_DIR);
+    FileOutputFormat.setOutputPath(job, OUTPUT);
+    job.set("mapreduce.output.textoutputformat.separator", " ");
+    job.setInputFormat(TextInputFormat.class);
+    job.setMapOutputKeyClass(Text.class);
+    job.setMapOutputValueClass(Text.class);
+    job.setOutputKeyClass(Text.class);
+    job.setOutputValueClass(Text.class);
+    job.setMapperClass(MyMapper.class);
+    job.setPartitionerClass(MyPartitioner.class);
+    job.setOutputFormat(TextOutputFormat.class);
+    job.setNumReduceTasks(numReducers);
+
+    job.setInt("mapreduce.map.maxattempts", 1);
+    job.setInt("mapreduce.reduce.maxattempts", 1);
+    job.setInt("mapred.test.num_lines", numLines);
+    job.setBoolean(MRJobConfig.MR_ENCRYPTED_INTERMEDIATE_DATA, true);
+    try {
+      submittedJob = client.submitJob(job);
+      try {
+        if (! client.monitorAndPrintJob(job, submittedJob)) {
+          throw new IOException("Job failed!");
+        }
+      } catch(InterruptedException ie) {
+        Thread.currentThread().interrupt();
+      }
+    } catch(IOException ioe) {
+      System.err.println("Job failed with: " + ioe);
+    } finally {
+      verifyOutput(submittedJob, fileSystem, numMappers, numLines);
+    }
+  }
+
+  private void verifyOutput(RunningJob submittedJob, FileSystem fileSystem, int numMappers, int numLines)
+    throws Exception {
+    FSDataInputStream dis = null;
+    long numValidRecords = 0;
+    long numInvalidRecords = 0;
+    String prevKeyValue = "000000000";
+    Path[] fileList =
+      FileUtil.stat2Paths(fileSystem.listStatus(OUTPUT,
+          new Utils.OutputFileUtils.OutputFilesFilter()));
+    for (Path outFile : fileList) {
+      try {
+        dis = fileSystem.open(outFile);
+        String record;
+        while((record = dis.readLine()) != null) {
+          // Split the line into key and value.
+          int blankPos = record.indexOf(" ");
+          String keyString = record.substring(0, blankPos);
+          String valueString = record.substring(blankPos+1);
+          // Check for sorted output and correctness of record.
+          if (keyString.compareTo(prevKeyValue) >= 0
+              && keyString.equals(valueString)) {
+            prevKeyValue = keyString;
+            numValidRecords++;
+          } else {
+            numInvalidRecords++;
+          }
+        }
+      } finally {
+        if (dis != null) {
+          dis.close();
+          dis = null;
+        }
+      }
+    }
+    // Make sure we got all input records in the output in sorted order.
+    assertEquals((long)(numMappers * numLines), numValidRecords);
+    // Make sure there is no extraneous invalid record.
+    assertEquals(0, numInvalidRecords);
+  }
+
+  /**
+   * A mapper implementation that assumes that key text contains valid integers
+   * in displayable form.
+   */
+  public static class MyMapper extends MapReduceBase
+    implements Mapper<LongWritable, Text, Text, Text> {
+      private Text keyText;
+      private Text valueText;
+
+      public MyMapper() {
+        keyText = new Text();
+        valueText = new Text();
+      }
+
+      @Override
+      public void map(LongWritable key, Text value,
+                      OutputCollector<Text, Text> output,
+                      Reporter reporter) throws IOException {
+        String record = value.toString();
+        int blankPos = record.indexOf(" ");
+        keyText.set(record.substring(0, blankPos));
+        valueText.set(record.substring(blankPos+1));
+        output.collect(keyText, valueText);
+      }
+
+      public void close() throws IOException {
+      }
+    }
+
+  /**
+   * Partitioner implementation to make sure that output is in total sorted
+   * order.  We basically route key ranges to different reducers such that
+   * key values monotonically increase with the partition number.  For example,
+   * in this test, the keys are numbers from 1 to 1000 in the form "000000001"
+   * to "000001000" in each input file.  The keys "000000001" to "000000250" are
+   * routed to partition 0, "000000251" to "000000500" are routed to partition 1
+   * and so on since we have 4 reducers.
+   */
+  static class MyPartitioner implements Partitioner<Text, Text> {
+
+    private JobConf job;
+
+    public MyPartitioner() {
+    }
+
+    public void configure(JobConf job) {
+      this.job = job;
+    }
+
+    public int getPartition(Text key, Text value, int numPartitions) {
+      int keyValue = 0;
+      try {
+        keyValue = Integer.parseInt(key.toString());
+      } catch(NumberFormatException nfe) {
+        keyValue = 0;
+      }
+      int partitionNumber = (numPartitions*(Math.max(0, keyValue-1)))/job.getInt("mapred.test.num_lines", 10000);
+      return partitionNumber;
+    }
+  }
+
+}
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestReduceTask.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestReduceTask.java
index d3a084449a1..43fd94871a2 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestReduceTask.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestReduceTask.java
@@ -80,7 +80,7 @@ public void runValueIterator(Path tmpDir, Pair[] vals,
     FileSystem rfs = ((LocalFileSystem)localFs).getRaw();
     Path path = new Path(tmpDir, "data.in");
     IFile.Writer<Text, Text> writer = 
-      new IFile.Writer<Text, Text>(conf, rfs, path, Text.class, Text.class,
+      new IFile.Writer<Text, Text>(conf, rfs.create(path), Text.class, Text.class,
                                    codec, null);
     for(Pair p: vals) {
       writer.append(new Text(p.key), new Text(p.value));
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/pipes/TestPipeApplication.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/pipes/TestPipeApplication.java
index 69994f36bd2..f447ebcc7c9 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/pipes/TestPipeApplication.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/pipes/TestPipeApplication.java
@@ -95,9 +95,9 @@ public void testRunner() throws Exception {
               new Counters.Counter(), new Progress());
       FileSystem fs = new RawLocalFileSystem();
       fs.setConf(conf);
-      Writer<IntWritable, Text> wr = new Writer<IntWritable, Text>(conf, fs,
-              new Path(workSpace + File.separator + "outfile"), IntWritable.class,
-              Text.class, null, null);
+      Writer<IntWritable, Text> wr = new Writer<IntWritable, Text>(conf, fs.create(
+              new Path(workSpace + File.separator + "outfile")), IntWritable.class,
+              Text.class, null, null, true);
       output.setWriter(wr);
       // stub for client
       File fCommand = getFileCommand("org.apache.hadoop.mapred.pipes.PipeApplicationRunnableStub");
@@ -177,9 +177,9 @@ public void testApplication() throws Throwable {
               new Progress());
       FileSystem fs = new RawLocalFileSystem();
       fs.setConf(conf);
-      Writer<IntWritable, Text> wr = new Writer<IntWritable, Text>(conf, fs,
-              new Path(workSpace.getAbsolutePath() + File.separator + "outfile"),
-              IntWritable.class, Text.class, null, null);
+      Writer<IntWritable, Text> wr = new Writer<IntWritable, Text>(conf, fs.create(
+              new Path(workSpace.getAbsolutePath() + File.separator + "outfile")),
+              IntWritable.class, Text.class, null, null, true);
       output.setWriter(wr);
       conf.set(Submitter.PRESERVE_COMMANDFILE, "true");
 

From d79f27b429410daa6770a51867d7ecea728dff89 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 11 Jul 2014 20:54:47 +0000
Subject: [PATCH 031/354] HDFS-6474. Namenode needs to get the actual keys and
 iv from the KeyProvider. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1609833 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/hadoop/fs/FileEncryptionInfo.java  |  38 +-
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   3 +
 .../org/apache/hadoop/hdfs/DFSConfigKeys.java |   2 +
 .../hadoop/hdfs/protocolPB/PBHelper.java      |   4 +-
 .../namenode/EncryptionZoneManager.java       | 416 +++++++++++++++---
 .../hdfs/server/namenode/FSDirectory.java     |  59 ++-
 .../hdfs/server/namenode/FSNamesystem.java    | 192 ++++++--
 .../namenode/RetryStartFileException.java     |  21 +
 .../hadoop-hdfs/src/main/proto/hdfs.proto     |   1 +
 .../src/main/resources/hdfs-default.xml       |  11 +
 .../hadoop/hdfs/TestEncryptionZonesAPI.java   |  93 +++-
 11 files changed, 699 insertions(+), 141 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/RetryStartFileException.java

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java
index 77f4cdfe70d..f960233fb78 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileEncryptionInfo.java
@@ -32,20 +32,33 @@
 public class FileEncryptionInfo {
 
   private final CipherSuite cipherSuite;
-  private final byte[] key;
+  private final byte[] edek;
   private final byte[] iv;
+  private final String ezKeyVersionName;
 
-  public FileEncryptionInfo(CipherSuite suite, byte[] key, byte[] iv) {
+  /**
+   * Create a FileEncryptionInfo.
+   *
+   * @param suite CipherSuite used to encrypt the file
+   * @param edek encrypted data encryption key (EDEK) of the file
+   * @param iv initialization vector (IV) used to encrypt the file
+   * @param ezKeyVersionName name of the KeyVersion used to encrypt the
+   *                         encrypted data encryption key.
+   */
+  public FileEncryptionInfo(final CipherSuite suite, final byte[] edek,
+      final byte[] iv, final String ezKeyVersionName) {
     checkNotNull(suite);
-    checkNotNull(key);
+    checkNotNull(edek);
     checkNotNull(iv);
-    checkArgument(key.length == suite.getAlgorithmBlockSize(),
+    checkNotNull(ezKeyVersionName);
+    checkArgument(edek.length == suite.getAlgorithmBlockSize(),
         "Unexpected key length");
     checkArgument(iv.length == suite.getAlgorithmBlockSize(),
         "Unexpected IV length");
     this.cipherSuite = suite;
-    this.key = key;
+    this.edek = edek;
     this.iv = iv;
+    this.ezKeyVersionName = ezKeyVersionName;
   }
 
   /**
@@ -57,25 +70,32 @@ public CipherSuite getCipherSuite() {
   }
 
   /**
-   * @return encrypted data encryption key for the file
+   * @return encrypted data encryption key (EDEK) for the file
    */
   public byte[] getEncryptedDataEncryptionKey() {
-    return key;
+    return edek;
   }
 
   /**
-   * @return initialization vector for the cipher used to encrypt the file
+   * @return initialization vector (IV) for the cipher used to encrypt the file
    */
   public byte[] getIV() {
     return iv;
   }
 
+  /**
+   * @return name of the encryption zone KeyVersion used to encrypt the
+   * encrypted data encryption key (EDEK).
+   */
+  public String getEzKeyVersionName() { return ezKeyVersionName; }
+
   @Override
   public String toString() {
     StringBuilder builder = new StringBuilder("{");
     builder.append("cipherSuite: " + cipherSuite);
-    builder.append(", key: " + Hex.encodeHexString(key));
+    builder.append(", edek: " + Hex.encodeHexString(edek));
     builder.append(", iv: " + Hex.encodeHexString(iv));
+    builder.append(", ezKeyVersionName: " + ezKeyVersionName);
     builder.append("}");
     return builder.toString();
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 4c2a60ef4b1..e75b065130c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -39,6 +39,9 @@ fs-encryption (Unreleased)
     HDFS-6635. Refactor encryption zone functionality into new
     EncryptionZoneManager class. (wang)
 
+    HDFS-6474. Namenode needs to get the actual keys and iv from the
+    KeyProvider. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
index a43106943bb..fc2e4053447 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
@@ -561,6 +561,8 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
   public static final boolean DFS_ENCRYPT_DATA_TRANSFER_DEFAULT = false;
   public static final String DFS_DATA_ENCRYPTION_ALGORITHM_KEY = "dfs.encrypt.data.transfer.algorithm";
   public static final String DFS_TRUSTEDCHANNEL_RESOLVER_CLASS = "dfs.trustedchannel.resolver.class";
+  public static final String DFS_NAMENODE_KEY_VERSION_REFRESH_INTERVAL_MS_KEY = "dfs.namenode.key.version.refresh.interval.ms";
+  public static final int DFS_NAMENODE_KEY_VERSION_REFRESH_INTERVAL_MS_DEFAULT = 5*60*1000;
   
   // Journal-node related configs. These are read on the JN side.
   public static final String  DFS_JOURNALNODE_EDITS_DIR_KEY = "dfs.journalnode.edits.dir";
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index cd6a0e576ad..4f62b42ddaa 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -2335,6 +2335,7 @@ public static HdfsProtos.FileEncryptionInfoProto convert(
         .setSuite(convert(info.getCipherSuite()))
         .setKey(getByteString(info.getEncryptedDataEncryptionKey()))
         .setIv(getByteString(info.getIV()))
+        .setEzKeyVersionName(info.getEzKeyVersionName())
         .build();
   }
 
@@ -2346,7 +2347,8 @@ public static FileEncryptionInfo convert(
     CipherSuite suite = convert(proto.getSuite());
     byte[] key = proto.getKey().toByteArray();
     byte[] iv = proto.getIv().toByteArray();
-    return new FileEncryptionInfo(suite, key, iv);
+    String ezKeyVersionName = proto.getEzKeyVersionName();
+    return new FileEncryptionInfo(suite, key, iv, ezKeyVersionName);
   }
 
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
index a43273dfe34..faba3a929c0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@@ -3,28 +3,50 @@
 import java.io.IOException;
 import java.util.EnumSet;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.locks.ReentrantReadWriteLock;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+import com.google.common.util.concurrent.ThreadFactoryBuilder;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.fs.UnresolvedLinkException;
 import org.apache.hadoop.fs.XAttr;
 import org.apache.hadoop.fs.XAttrSetFlag;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.XAttrHelper;
 import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.SnapshotAccessControlException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 
+import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants
     .CRYPTO_XATTR_ENCRYPTION_ZONE;
 
 /**
- * Manages the list of encryption zones in the filesystem. Relies on the
- * FSDirectory lock for synchronization.
+ * Manages the list of encryption zones in the filesystem.
+ * <p/>
+ * The EncryptionZoneManager has its own lock, but relies on the FSDirectory
+ * lock being held for many operations. The FSDirectory lock should not be
+ * taken if the manager lock is already held.
  */
 public class EncryptionZoneManager {
 
+  public static Logger LOG = LoggerFactory.getLogger(EncryptionZoneManager
+      .class);
+
   /**
    * EncryptionZoneInt is the internal representation of an encryption zone. The
    * external representation of an EZ is embodied in an EncryptionZone and
@@ -34,9 +56,30 @@ private class EncryptionZoneInt {
     private final String keyId;
     private final long inodeId;
 
+    private final HashSet<KeyVersion> keyVersions;
+    private KeyVersion latestVersion;
+
     EncryptionZoneInt(long inodeId, String keyId) {
       this.keyId = keyId;
       this.inodeId = inodeId;
+      keyVersions = Sets.newHashSet();
+      latestVersion = null;
+    }
+
+    KeyVersion getLatestKeyVersion() {
+      return latestVersion;
+    }
+
+    void addKeyVersion(KeyVersion version) {
+      Preconditions.checkNotNull(version);
+      if (!keyVersions.contains(version)) {
+        LOG.debug("Key {} has new key version {}", keyId, version);
+        keyVersions.add(version);
+      }
+      // Always set the latestVersion to not get stuck on an old version in
+      // racy situations. Should eventually converge thanks to the
+      // monitor.
+      latestVersion = version;
     }
 
     String getKeyId() {
@@ -47,49 +90,265 @@ long getINodeId() {
       return inodeId;
     }
 
-    String getFullPathName() {
-      return dir.getInode(inodeId).getFullPathName();
-    }
+  }
+
+  /**
+   * Protects the <tt>encryptionZones</tt> map and its contents.
+   */
+  private final ReentrantReadWriteLock lock;
+
+  private void readLock() {
+    lock.readLock().lock();
+  }
+
+  private void readUnlock() {
+    lock.readLock().unlock();
+  }
+
+  private void writeLock() {
+    lock.writeLock().lock();
+  }
+
+  private void writeUnlock() {
+    lock.writeLock().unlock();
+  }
+
+  public boolean hasWriteLock() {
+    return lock.isWriteLockedByCurrentThread();
+  }
+
+  public boolean hasReadLock() {
+    return lock.getReadHoldCount() > 0 || hasWriteLock();
   }
 
   private final Map<Long, EncryptionZoneInt> encryptionZones;
-
   private final FSDirectory dir;
+  private final ScheduledExecutorService monitor;
+  private final KeyProvider provider;
 
   /**
    * Construct a new EncryptionZoneManager.
    *
    * @param dir Enclosing FSDirectory
    */
-  public EncryptionZoneManager(FSDirectory dir) {
+  public EncryptionZoneManager(FSDirectory dir, Configuration conf,
+      KeyProvider provider) {
+
     this.dir = dir;
+    this.provider = provider;
+    lock = new ReentrantReadWriteLock();
     encryptionZones = new HashMap<Long, EncryptionZoneInt>();
+
+    monitor = Executors.newScheduledThreadPool(1,
+        new ThreadFactoryBuilder()
+            .setDaemon(true)
+            .setNameFormat(EncryptionZoneMonitor.class.getSimpleName() + "-%d")
+            .build());
+    final int refreshMs = conf.getInt(
+        DFSConfigKeys.DFS_NAMENODE_KEY_VERSION_REFRESH_INTERVAL_MS_KEY,
+        DFSConfigKeys.DFS_NAMENODE_KEY_VERSION_REFRESH_INTERVAL_MS_DEFAULT
+    );
+    Preconditions.checkArgument(refreshMs >= 0, "%s cannot be negative",
+        DFSConfigKeys.DFS_NAMENODE_KEY_VERSION_REFRESH_INTERVAL_MS_KEY);
+    monitor.scheduleAtFixedRate(new EncryptionZoneMonitor(), 0, refreshMs,
+        TimeUnit.MILLISECONDS);
+  }
+
+  /**
+   * Periodically wakes up to fetch the latest version of each encryption
+   * zone key.
+   */
+  private class EncryptionZoneMonitor implements Runnable {
+    @Override
+    public void run() {
+      LOG.debug("Monitor waking up to refresh encryption zone key versions");
+      HashMap<Long, String> toFetch = Maps.newHashMap();
+      HashMap<Long, KeyVersion> toUpdate =
+          Maps.newHashMap();
+      // Determine the keyIds to fetch
+      readLock();
+      try {
+        for (EncryptionZoneInt ezi : encryptionZones.values()) {
+          toFetch.put(ezi.getINodeId(), ezi.getKeyId());
+        }
+      } finally {
+        readUnlock();
+      }
+      LOG.trace("Found {} keys to check", toFetch.size());
+      // Fetch the key versions while not holding the lock
+      for (Map.Entry<Long, String> entry : toFetch.entrySet()) {
+        try {
+          KeyVersion version = provider.getCurrentKey(entry.getValue());
+          toUpdate.put(entry.getKey(), version);
+        } catch (IOException e) {
+          LOG.warn("Error while getting the current key for {} {}",
+              entry.getValue(), e);
+        }
+      }
+      LOG.trace("Fetched {} key versions from KeyProvider", toUpdate.size());
+      // Update the key versions for each encryption zone
+      writeLock();
+      try {
+        for (Map.Entry<Long, KeyVersion> entry : toUpdate.entrySet()) {
+          EncryptionZoneInt ezi = encryptionZones.get(entry.getKey());
+          // zone might have been removed in the intervening time
+          if (ezi == null) {
+            continue;
+          }
+          ezi.addKeyVersion(entry.getValue());
+        }
+      } finally {
+        writeUnlock();
+      }
+    }
+  }
+
+  /**
+   * Forces the EncryptionZoneMonitor to run, waiting until completion.
+   */
+  @VisibleForTesting
+  public void kickMonitor() throws Exception {
+    Future future = monitor.submit(new EncryptionZoneMonitor());
+    future.get();
+  }
+
+  /**
+   * Immediately fetches the latest KeyVersion for an encryption zone,
+   * also updating the encryption zone.
+   *
+   * @param iip of the encryption zone
+   * @return latest KeyVersion
+   * @throws IOException on KeyProvider error
+   */
+  KeyVersion updateLatestKeyVersion(INodesInPath iip) throws IOException {
+    EncryptionZoneInt ezi;
+    readLock();
+    try {
+      ezi = getEncryptionZoneForPath(iip);
+    } finally {
+      readUnlock();
+    }
+    if (ezi == null) {
+      throw new IOException("Cannot update KeyVersion since iip is not within" +
+          " an encryption zone");
+    }
+
+    // Do not hold the lock while doing KeyProvider operations
+    KeyVersion version = provider.getCurrentKey(ezi.getKeyId());
+
+    writeLock();
+    try {
+      ezi.addKeyVersion(version);
+      return version;
+    } finally {
+      writeUnlock();
+    }
   }
 
   /**
    * Add a new encryption zone.
+   * <p/>
+   * Called while holding the FSDirectory lock.
    *
    * @param inodeId of the encryption zone
    * @param keyId   encryption zone key id
    */
   void addEncryptionZone(Long inodeId, String keyId) {
+    assert dir.hasWriteLock();
     final EncryptionZoneInt ez = new EncryptionZoneInt(inodeId, keyId);
-    encryptionZones.put(inodeId, ez);
+    writeLock();
+    try {
+      encryptionZones.put(inodeId, ez);
+    } finally {
+      writeUnlock();
+    }
   }
 
+  /**
+   * Remove an encryption zone.
+   * <p/>
+   * Called while holding the FSDirectory lock.
+   */
   void removeEncryptionZone(Long inodeId) {
-    encryptionZones.remove(inodeId);
+    assert dir.hasWriteLock();
+    writeLock();
+    try {
+      encryptionZones.remove(inodeId);
+    } finally {
+      writeUnlock();
+    }
   }
 
   /**
    * Returns true if an IIP is within an encryption zone.
+   * <p/>
+   * Called while holding the FSDirectory lock.
    */
   boolean isInAnEZ(INodesInPath iip)
       throws UnresolvedLinkException, SnapshotAccessControlException {
-    return (getEncryptionZoneForPath(iip) != null);
+    assert dir.hasReadLock();
+    readLock();
+    try {
+      return (getEncryptionZoneForPath(iip) != null);
+    } finally {
+      readUnlock();
+    }
   }
 
+  /**
+   * Returns the path of the EncryptionZoneInt.
+   * <p/>
+   * Called while holding the FSDirectory lock.
+   */
+  private String getFullPathName(EncryptionZoneInt ezi) {
+    assert dir.hasReadLock();
+    return dir.getInode(ezi.getINodeId()).getFullPathName();
+  }
+
+  KeyVersion getLatestKeyVersion(final INodesInPath iip) {
+    readLock();
+    try {
+      EncryptionZoneInt ezi = getEncryptionZoneForPath(iip);
+      if (ezi == null) {
+        return null;
+      }
+      return ezi.getLatestKeyVersion();
+    } finally {
+      readUnlock();
+    }
+  }
+
+  /**
+   * @return true if the provided <tt>keyVersionName</tt> is the name of a
+   * valid KeyVersion for the encryption zone of <tt>iip</tt>,
+   * and <tt>iip</tt> is within an encryption zone.
+   */
+  boolean isValidKeyVersion(final INodesInPath iip, String keyVersionName) {
+    readLock();
+    try {
+      EncryptionZoneInt ezi = getEncryptionZoneForPath(iip);
+      if (ezi == null) {
+        return false;
+      }
+      for (KeyVersion ezVersion : ezi.keyVersions) {
+        if (keyVersionName.equals(ezVersion.getVersionName())) {
+          return true;
+        }
+      }
+      return false;
+    } finally {
+      readUnlock();
+    }
+  }
+
+  /**
+   * Looks up the EncryptionZoneInt for a path within an encryption zone.
+   * Returns null if path is not within an EZ.
+   * <p/>
+   * Must be called while holding the manager lock.
+   */
   private EncryptionZoneInt getEncryptionZoneForPath(INodesInPath iip) {
+    assert hasReadLock();
     Preconditions.checkNotNull(iip);
     final INode[] inodes = iip.getINodes();
     for (int i = inodes.length - 1; i >= 0; i--) {
@@ -105,8 +364,10 @@ private EncryptionZoneInt getEncryptionZoneForPath(INodesInPath iip) {
   }
 
   /**
-   * Throws an exception if the provided inode cannot be renamed into the
+   * Throws an exception if the provided path cannot be renamed into the
    * destination because of differing encryption zones.
+   * <p/>
+   * Called while holding the FSDirectory lock.
    *
    * @param srcIIP source IIP
    * @param dstIIP destination IIP
@@ -115,66 +376,101 @@ private EncryptionZoneInt getEncryptionZoneForPath(INodesInPath iip) {
    */
   void checkMoveValidity(INodesInPath srcIIP, INodesInPath dstIIP, String src)
       throws IOException {
-    final boolean srcInEZ = (getEncryptionZoneForPath(srcIIP) != null);
-    final boolean dstInEZ = (getEncryptionZoneForPath(dstIIP) != null);
-    if (srcInEZ) {
-      if (!dstInEZ) {
-        throw new IOException(src + " can't be moved from an encryption zone.");
-      }
-    } else {
-      if (dstInEZ) {
-        throw new IOException(src + " can't be moved into an encryption zone.");
-      }
-    }
-
-    if (srcInEZ || dstInEZ) {
+    assert dir.hasReadLock();
+    readLock();
+    try {
       final EncryptionZoneInt srcEZI = getEncryptionZoneForPath(srcIIP);
       final EncryptionZoneInt dstEZI = getEncryptionZoneForPath(dstIIP);
-      Preconditions.checkArgument(srcEZI != null, "couldn't find src EZ?");
-      Preconditions.checkArgument(dstEZI != null, "couldn't find dst EZ?");
-      if (srcEZI != dstEZI) {
-        final String srcEZPath = srcEZI.getFullPathName();
-        final String dstEZPath = dstEZI.getFullPathName();
-        final StringBuilder sb = new StringBuilder(src);
-        sb.append(" can't be moved from encryption zone ");
-        sb.append(srcEZPath);
-        sb.append(" to encryption zone ");
-        sb.append(dstEZPath);
-        sb.append(".");
-        throw new IOException(sb.toString());
+      final boolean srcInEZ = (srcEZI != null);
+      final boolean dstInEZ = (dstEZI != null);
+      if (srcInEZ) {
+        if (!dstInEZ) {
+          throw new IOException(
+              src + " can't be moved from an encryption zone.");
+        }
+      } else {
+        if (dstInEZ) {
+          throw new IOException(
+              src + " can't be moved into an encryption zone.");
+        }
       }
+
+      if (srcInEZ || dstInEZ) {
+        Preconditions.checkState(srcEZI != null, "couldn't find src EZ?");
+        Preconditions.checkState(dstEZI != null, "couldn't find dst EZ?");
+        if (srcEZI != dstEZI) {
+          final String srcEZPath = getFullPathName(srcEZI);
+          final String dstEZPath = getFullPathName(dstEZI);
+          final StringBuilder sb = new StringBuilder(src);
+          sb.append(" can't be moved from encryption zone ");
+          sb.append(srcEZPath);
+          sb.append(" to encryption zone ");
+          sb.append(dstEZPath);
+          sb.append(".");
+          throw new IOException(sb.toString());
+        }
+      }
+    } finally {
+      readUnlock();
     }
   }
 
-  XAttr createEncryptionZone(String src, String keyId) throws IOException {
-    if (dir.isNonEmptyDirectory(src)) {
-      throw new IOException(
-          "Attempt to create an encryption zone for a non-empty directory.");
-    }
+  /**
+   * Create a new encryption zone.
+   * <p/>
+   * Called while holding the FSDirectory lock.
+   */
+  XAttr createEncryptionZone(String src, String keyId, KeyVersion keyVersion)
+      throws IOException {
+    assert dir.hasWriteLock();
+    writeLock();
+    try {
+      if (dir.isNonEmptyDirectory(src)) {
+        throw new IOException(
+            "Attempt to create an encryption zone for a non-empty directory.");
+      }
 
-    final INodesInPath srcIIP = dir.getINodesInPath4Write(src, false);
-    final EncryptionZoneInt ezi = getEncryptionZoneForPath(srcIIP);
-    if (ezi != null) {
-      throw new IOException("Directory " + src +
-          " is already in an encryption zone. (" + ezi.getFullPathName() + ")");
-    }
+      final INodesInPath srcIIP = dir.getINodesInPath4Write(src, false);
+      EncryptionZoneInt ezi = getEncryptionZoneForPath(srcIIP);
+      if (ezi != null) {
+        throw new IOException("Directory " + src + " is already in an " +
+            "encryption zone. (" + getFullPathName(ezi) + ")");
+      }
 
-    final XAttr keyIdXAttr =
-        XAttrHelper.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyId.getBytes());
-    final List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
-    xattrs.add(keyIdXAttr);
-    final INode inode =
-        dir.unprotectedSetXAttrs(src, xattrs, EnumSet.of(XAttrSetFlag.CREATE));
-    addEncryptionZone(inode.getId(), keyId);
-    return keyIdXAttr;
+      final XAttr keyIdXAttr = XAttrHelper
+          .buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyId.getBytes());
+
+      final List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
+      xattrs.add(keyIdXAttr);
+      // updating the xattr will call addEncryptionZone,
+      // done this way to handle edit log loading
+      dir.unprotectedSetXAttrs(src, xattrs, EnumSet.of(XAttrSetFlag.CREATE));
+      // Re-get the new encryption zone add the latest key version
+      ezi = getEncryptionZoneForPath(srcIIP);
+      ezi.addKeyVersion(keyVersion);
+      return keyIdXAttr;
+    } finally {
+      writeUnlock();
+    }
   }
 
+  /**
+   * Return the current list of encryption zones.
+   * <p/>
+   * Called while holding the FSDirectory lock.
+   */
   List<EncryptionZone> listEncryptionZones() throws IOException {
-    final List<EncryptionZone> ret =
-        Lists.newArrayListWithExpectedSize(encryptionZones.size());
-    for (EncryptionZoneInt ezi : encryptionZones.values()) {
-      ret.add(new EncryptionZone(ezi.getFullPathName(), ezi.getKeyId()));
+    assert dir.hasReadLock();
+    readLock();
+    try {
+      final List<EncryptionZone> ret =
+          Lists.newArrayListWithExpectedSize(encryptionZones.size());
+      for (EncryptionZoneInt ezi : encryptionZones.values()) {
+        ret.add(new EncryptionZone(getFullPathName(ezi), ezi.getKeyId()));
+      }
+      return ret;
+    } finally {
+      readUnlock();
     }
-    return ret;
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index 81dcf9ef95b..5c070d50971 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.hdfs.server.namenode;
 
+import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants.CRYPTO_XATTR_ENCRYPTION_ZONE;
 import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants.CRYPTO_XATTR_FILE_ENCRYPTION_INFO;
 import static org.apache.hadoop.util.Time.now;
@@ -35,6 +36,7 @@
 import org.apache.hadoop.HadoopIllegalArgumentException;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.fs.ContentSummary;
 import org.apache.hadoop.fs.FileAlreadyExistsException;
 import org.apache.hadoop.fs.FileEncryptionInfo;
@@ -162,7 +164,7 @@ boolean hasWriteLock() {
   }
 
   boolean hasReadLock() {
-    return this.dirLock.getReadHoldCount() > 0;
+    return this.dirLock.getReadHoldCount() > 0 || hasWriteLock();
   }
 
   public int getReadHoldCount() {
@@ -173,7 +175,8 @@ public int getWriteHoldCount() {
     return this.dirLock.getWriteHoldCount();
   }
 
-  final EncryptionZoneManager ezManager;
+  @VisibleForTesting
+  public final EncryptionZoneManager ezManager;
 
   /**
    * Caches frequently used file names used in {@link INode} to reuse 
@@ -224,7 +227,7 @@ public int getWriteHoldCount() {
     nameCache = new NameCache<ByteArray>(threshold);
     namesystem = ns;
 
-    ezManager = new EncryptionZoneManager(this);
+    ezManager = new EncryptionZoneManager(this, conf, ns.getProvider());
   }
     
   private FSNamesystem getFSNamesystem() {
@@ -905,16 +908,6 @@ void updateQuotasInSourceTree() throws QuotaExceededException {
     }
   }
 
-  boolean isInAnEZ(INodesInPath iip)
-    throws UnresolvedLinkException, SnapshotAccessControlException {
-    readLock();
-    try {
-      return ezManager.isInAnEZ(iip);
-    } finally {
-      readUnlock();
-    }
-  }
-
   /**
    * Set file replication
    * 
@@ -2618,12 +2611,46 @@ List<XAttr> filterINodeXAttrs(final List<XAttr> existingXAttrs,
 
     return newXAttrs;
   }
-  
-  XAttr createEncryptionZone(String src, String keyId)
+
+  boolean isInAnEZ(INodesInPath iip)
+      throws UnresolvedLinkException, SnapshotAccessControlException {
+    readLock();
+    try {
+      return ezManager.isInAnEZ(iip);
+    } finally {
+      readUnlock();
+    }
+  }
+
+  KeyVersion getLatestKeyVersion(INodesInPath iip) {
+    readLock();
+    try {
+      return ezManager.getLatestKeyVersion(iip);
+    } finally {
+      readUnlock();
+    }
+  }
+
+  KeyVersion updateLatestKeyVersion(INodesInPath iip) throws
+      IOException {
+    // No locking, this operation does not involve any FSDirectory operations
+    return ezManager.updateLatestKeyVersion(iip);
+  }
+
+  boolean isValidKeyVersion(INodesInPath iip, String keyVersionName) {
+    readLock();
+    try {
+      return ezManager.isValidKeyVersion(iip, keyVersionName);
+    } finally {
+      readUnlock();
+    }
+  }
+
+  XAttr createEncryptionZone(String src, String keyId, KeyVersion keyVersion)
     throws IOException {
     writeLock();
     try {
-      return ezManager.createEncryptionZone(src, keyId);
+      return ezManager.createEncryptionZone(src, keyId, keyVersion);
     } finally {
       writeUnlock();
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 6d0ca573a34..1e6fbd777bb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.hdfs.server.namenode;
 
+import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.FS_TRASH_INTERVAL_DEFAULT;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.FS_TRASH_INTERVAL_KEY;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.IO_FILE_BUFFER_SIZE_DEFAULT;
@@ -100,6 +101,7 @@
 import java.lang.management.ManagementFactory;
 import java.net.InetAddress;
 import java.net.URI;
+import java.security.GeneralSecurityException;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -133,6 +135,7 @@
 import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.crypto.CryptoCodec;
 import org.apache.hadoop.crypto.key.KeyProvider;
+import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
 import org.apache.hadoop.crypto.key.KeyProviderFactory;
 import org.apache.hadoop.fs.BatchedRemoteIterator.BatchedListEntries;
 import org.apache.hadoop.fs.CacheFlag;
@@ -533,7 +536,7 @@ private void logAuditEvent(boolean succeeded,
 
   private final NNConf nnConf;
 
-  private KeyProvider provider = null;
+  private KeyProviderCryptoExtension provider = null;
   private KeyProvider.Options providerOptions = null;
 
   private final CryptoCodec codec;
@@ -929,7 +932,8 @@ private void initializeKeyProvider(final Configuration conf) {
         LOG.error(err);
         throw new RuntimeException(err);
       }
-      provider = providers.get(0);
+      provider = KeyProviderCryptoExtension
+          .createKeyProviderCryptoExtension(providers.get(0));
       if (provider.isTransient()) {
         final String err =
             "A KeyProvider was found but it is a transient provider.";
@@ -2310,7 +2314,7 @@ private void verifyParentDir(String src) throws FileNotFoundException,
    * CipherSuite from the list provided by the client. Since the client may 
    * be newer, need to handle unknown CipherSuites.
    *
-   * @param src path of the file
+   * @param srcIIP path of the file
    * @param cipherSuites client-provided list of supported CipherSuites, 
    *                     in desired order.
    * @return chosen CipherSuite, or null if file is not in an EncryptionZone
@@ -2349,6 +2353,62 @@ private CipherSuite chooseCipherSuite(INodesInPath srcIIP, List<CipherSuite>
     return chosen;
   }
 
+  /**
+   * Create a new FileEncryptionInfo for a path. Also chooses an
+   * appropriate CipherSuite to use from the list provided by the
+   * client.
+   *
+   * @param src Target path
+   * @param pathComponents Target path split up into path components
+   * @param cipherSuites List of CipherSuites provided by the client
+   * @return a new FileEncryptionInfo, or null if path is not within an
+   * encryption
+   * zone.
+   * @throws IOException
+   */
+  private FileEncryptionInfo newFileEncryptionInfo(String src,
+      byte[][] pathComponents, List<CipherSuite> cipherSuites)
+      throws IOException {
+    INodesInPath iip = null;
+    CipherSuite suite = null;
+    KeyVersion latestEZKeyVersion = null;
+    readLock();
+    try {
+      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      iip = dir.getINodesInPath4Write(src);
+      // Nothing to do if the path is not within an EZ
+      if (!dir.isInAnEZ(iip)) {
+        return null;
+      }
+      suite = chooseCipherSuite(iip, cipherSuites);
+      if (suite != null) {
+        Preconditions.checkArgument(!suite.equals(CipherSuite.UNKNOWN),
+            "Chose an UNKNOWN CipherSuite!");
+      }
+      latestEZKeyVersion = dir.getLatestKeyVersion(iip);
+    } finally {
+      readUnlock();
+    }
+
+    // If the latest key version is null, need to fetch it and update
+    if (latestEZKeyVersion == null) {
+      latestEZKeyVersion = dir.updateLatestKeyVersion(iip);
+    }
+    Preconditions.checkState(latestEZKeyVersion != null);
+
+    // Generate the EDEK while not holding the lock
+    KeyProviderCryptoExtension.EncryptedKeyVersion edek = null;
+    try {
+      edek = provider.generateEncryptedKey(latestEZKeyVersion);
+    } catch (GeneralSecurityException e) {
+      throw new IOException(e);
+    }
+    Preconditions.checkNotNull(edek);
+
+    return new FileEncryptionInfo(suite, edek.getEncryptedKey().getMaterial(),
+        edek.getIv(), edek.getKeyVersionName());
+  }
+
   /**
    * Create a new file entry in the namespace.
    * 
@@ -2426,26 +2486,62 @@ private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
     boolean overwrite = flag.contains(CreateFlag.OVERWRITE);
 
     waitForLoadingFSImage();
-    writeLock();
+
+    /*
+     * We want to avoid holding any locks while creating a new
+     * FileEncryptionInfo, since this can be very slow. Since the path can
+     * flip flop between being in an encryption zone and not in the meantime,
+     * we need to recheck the preconditions and generate a new
+     * FileEncryptionInfo in some circumstances.
+     *
+     * A special RetryStartFileException is used to indicate that we should
+     * retry creation of a FileEncryptionInfo.
+     */
     try {
-      checkOperation(OperationCategory.WRITE);
-      checkNameNodeSafeMode("Cannot create file" + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
-      startFileInternal(pc, src, permissions, holder, clientMachine, create,
-          overwrite, createParent, replication, blockSize, cipherSuites,
-          logRetryCache);
-      stat = dir.getFileInfo(src, false);
-    } catch (StandbyException se) {
-      skipSync = true;
-      throw se;
+      boolean shouldContinue = true;
+      int iters = 0;
+      while (shouldContinue) {
+        skipSync = false;
+        if (iters >= 10) {
+          throw new IOException("Too many retries because of encryption zone " +
+              "operations, something might be broken!");
+        }
+        shouldContinue = false;
+        iters++;
+        // Optimistically generate a FileEncryptionInfo for this path.
+        FileEncryptionInfo feInfo =
+            newFileEncryptionInfo(src, pathComponents, cipherSuites);
+
+        // Try to create the file with this feInfo
+        writeLock();
+        try {
+          checkOperation(OperationCategory.WRITE);
+          checkNameNodeSafeMode("Cannot create file" + src);
+          src = FSDirectory.resolvePath(src, pathComponents, dir);
+          startFileInternal(pc, src, permissions, holder, clientMachine, create,
+              overwrite, createParent, replication, blockSize, feInfo,
+              logRetryCache);
+          stat = dir.getFileInfo(src, false);
+        } catch (StandbyException se) {
+          skipSync = true;
+          throw se;
+        } catch (RetryStartFileException e) {
+          shouldContinue = true;
+          if (LOG.isTraceEnabled()) {
+            LOG.trace("Preconditions failed, retrying creation of " +
+                    "FileEncryptionInfo", e);
+          }
+        } finally {
+          writeUnlock();
+        }
+      }
     } finally {
-      writeUnlock();
       // There might be transactions logged while trying to recover the lease.
       // They need to be sync'ed even when an exception was thrown.
       if (!skipSync) {
         getEditLog().logSync();
       }
-    } 
+    }
 
     logAuditEvent(true, "create", src, null, stat);
     return stat;
@@ -2463,11 +2559,11 @@ private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
   private void startFileInternal(FSPermissionChecker pc, String src,
       PermissionStatus permissions, String holder, String clientMachine,
       boolean create, boolean overwrite, boolean createParent,
-      short replication, long blockSize, List<CipherSuite> cipherSuites,
+      short replication, long blockSize, FileEncryptionInfo feInfo,
       boolean logRetryEntry)
       throws FileAlreadyExistsException, AccessControlException,
       UnresolvedLinkException, FileNotFoundException,
-      ParentNotDirectoryException, IOException {
+      ParentNotDirectoryException, RetryStartFileException, IOException {
     assert hasWriteLock();
     // Verify that the destination does not exist as a directory already.
     final INodesInPath iip = dir.getINodesInPath4Write(src);
@@ -2477,22 +2573,21 @@ private void startFileInternal(FSPermissionChecker pc, String src,
           " already exists as a directory");
     }
 
-    FileEncryptionInfo feInfo = null;
-    CipherSuite suite = chooseCipherSuite(iip, cipherSuites);
-    if (suite != null) {
-      Preconditions.checkArgument(!suite.equals(CipherSuite.UNKNOWN), 
-          "Chose an UNKNOWN CipherSuite!");
-      // TODO: fill in actual key/iv in HDFS-6474
-      // For now, populate with dummy data
-      byte[] key = new byte[suite.getAlgorithmBlockSize()];
-      for (int i = 0; i < key.length; i++) {
-        key[i] = (byte)i;
+    if (!dir.isInAnEZ(iip)) {
+      // If the path is not in an EZ, we don't need an feInfo.
+      // Null it out in case one was already generated.
+      feInfo = null;
+    } else {
+      // The path is now within an EZ, but no feInfo. Retry.
+      if (feInfo == null) {
+        throw new RetryStartFileException();
       }
-      byte[] iv = new byte[suite.getAlgorithmBlockSize()];
-      for (int i = 0; i < iv.length; i++) {
-        iv[i] = (byte)(3+i*2);
+      // It's in an EZ and we have a provided feInfo. Make sure the
+      // keyVersion of the encryption key used matches one of the keyVersions of
+      // the key of the encryption zone.
+      if (!dir.isValidKeyVersion(iip, feInfo.getEzKeyVersionName())) {
+        throw new RetryStartFileException();
       }
-      feInfo = new FileEncryptionInfo(suite, key, iv);
     }
 
     final INodeFile myFile = INodeFile.valueOf(inode, src, true);
@@ -8319,12 +8414,14 @@ void createEncryptionZone(final String src, String keyIdArg)
     String keyId = keyIdArg;
     boolean success = false;
     try {
+      KeyVersion keyVersion;
       if (keyId == null || keyId.isEmpty()) {
-        keyId = createNewKey(src);
+        keyId = UUID.randomUUID().toString();
+        keyVersion = createNewKey(keyId, src);
         createdKey = true;
       } else {
-        if (provider.getCurrentKey(keyId) == null) {
-
+        keyVersion = provider.getCurrentKey(keyId);
+        if (keyVersion == null) {
           /*
            * It would be nice if we threw something more specific than
            * IOException when the key is not found, but the KeyProvider API
@@ -8336,7 +8433,7 @@ void createEncryptionZone(final String src, String keyIdArg)
           throw new IOException("Key " + keyId + " doesn't exist.");
         }
       }
-      createEncryptionZoneInt(src, keyId, cacheEntry != null);
+      createEncryptionZoneInt(src, keyId, keyVersion, cacheEntry != null);
       success = true;
     } catch (AccessControlException e) {
       logAuditEvent(false, "createEncryptionZone", src);
@@ -8351,7 +8448,8 @@ void createEncryptionZone(final String src, String keyIdArg)
   }
 
   private void createEncryptionZoneInt(final String srcArg, String keyId,
-    final boolean logRetryCache) throws IOException {
+    final KeyVersion keyVersion, final boolean logRetryCache) throws
+      IOException {
     String src = srcArg;
     HdfsFileStatus resultingStat = null;
     checkSuperuserPrivilege();
@@ -8365,7 +8463,7 @@ private void createEncryptionZoneInt(final String srcArg, String keyId,
       checkNameNodeSafeMode("Cannot create encryption zone on " + src);
       src = FSDirectory.resolvePath(src, pathComponents, dir);
 
-      final XAttr keyIdXAttr = dir.createEncryptionZone(src, keyId);
+      final XAttr keyIdXAttr = dir.createEncryptionZone(src, keyId, keyVersion);
       List<XAttr> xAttrs = Lists.newArrayListWithCapacity(1);
       xAttrs.add(keyIdXAttr);
       getEditLog().logSetXAttrs(src, xAttrs, logRetryCache);
@@ -8377,19 +8475,29 @@ private void createEncryptionZoneInt(final String srcArg, String keyId,
     logAuditEvent(true, "createEncryptionZone", src, null, resultingStat);
   }
 
-  private String createNewKey(String src)
+  /**
+   * Create a new key on the KeyProvider for an encryption zone.
+   *
+   * @param keyId id of the key
+   * @param src path of the encryption zone.
+   * @return KeyVersion of the created key
+   * @throws IOException
+   */
+  private KeyVersion createNewKey(String keyId, String src)
     throws IOException {
-    final String keyId = UUID.randomUUID().toString();
+    Preconditions.checkNotNull(keyId);
+    Preconditions.checkNotNull(src);
     // TODO pass in hdfs://HOST:PORT (HDFS-6490)
     providerOptions.setDescription(src);
     providerOptions.setBitLength(codec.getCipherSuite()
         .getAlgorithmBlockSize()*8);
+    KeyVersion version = null;
     try {
-      provider.createKey(keyId, providerOptions);
+      version = provider.createKey(keyId, providerOptions);
     } catch (NoSuchAlgorithmException e) {
       throw new IOException(e);
     }
-    return keyId;
+    return version;
   }
 
   List<EncryptionZone> listEncryptionZones() throws IOException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/RetryStartFileException.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/RetryStartFileException.java
new file mode 100644
index 00000000000..a5758a7e0e4
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/RetryStartFileException.java
@@ -0,0 +1,21 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.server.namenode;
+
+public class RetryStartFileException extends Exception {
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
index b9f17e4bc20..da53be1006e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
@@ -184,6 +184,7 @@ message FileEncryptionInfoProto {
   required CipherSuite suite = 1;
   required bytes key = 2;
   required bytes iv = 3;
+  required string ezKeyVersionName = 4;
 }
 
 /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
index 1a1f22aaf17..222bf92cd58 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
@@ -2008,4 +2008,15 @@
   </description>
 </property>
 
+<property>
+  <name>dfs.namenode.key.version.refresh.interval.ms</name>
+  <value>300000</value>
+  <description>How frequently the namenode will attempt to fetch the latest
+      key version of encryption zone keys from the configured KeyProvider, in
+      milliseconds. New key versions are created when a key is rolled. This
+      setting thus controls the window of staleness where an old key version
+      is used after a key is rolled.
+  </description>
+</property>
+
 </configuration>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
index 85f7ff57013..a75e46e4bd4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
@@ -21,17 +21,20 @@
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.UUID;
 
+import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
 import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.crypto.key.KeyProviderFactory;
+import org.apache.hadoop.fs.FSDataInputStream;
 import org.apache.hadoop.fs.FileEncryptionInfo;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
@@ -39,16 +42,20 @@
 import org.apache.hadoop.hdfs.client.HdfsAdmin;
 import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.LocatedBlocks;
+import org.apache.hadoop.hdfs.server.namenode.EncryptionZoneManager;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.test.GenericTestUtils;
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 
-import com.google.common.base.Preconditions;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.fail;
 
 public class TestEncryptionZonesAPI {
@@ -71,6 +78,7 @@ public void setUpCluster() throws IOException {
         JavaKeyStoreProvider.SCHEME_NAME + "://file" + tmpDir + "/test.jks");
     cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
     fs = (DistributedFileSystem) createFileSystem(conf);
+    Logger.getLogger(EncryptionZoneManager.class).setLevel(Level.TRACE);
   }
 
   protected FileSystem createFileSystem(Configuration conf) throws IOException {
@@ -382,21 +390,80 @@ public void testCipherSuiteNegotiation() throws Exception {
     fs.getClient().cipherSuites.add(CipherSuite.AES_CTR_NOPADDING);
     DFSTestUtil.createFile(fs, new Path(zone, "success3"), 4096, (short) 1,
         0xFEED);
+    // Check KeyProvider state
+    // Flushing the KP on the NN, since it caches, and init a test one
+    cluster.getNamesystem().getProvider().flush();
+    KeyProvider provider = KeyProviderFactory.getProviders(conf).get(0);
+    List<String> keys = provider.getKeys();
+    assertEquals("Expected NN to have created one key per zone", 1,
+        keys.size());
+    List<KeyProvider.KeyVersion> allVersions = Lists.newArrayList();
+    for (String key : keys) {
+      List<KeyProvider.KeyVersion> versions = provider.getKeyVersions(key);
+      assertEquals("Should only have one key version per key", 1,
+          versions.size());
+      allVersions.addAll(versions);
+    }
     // Check that the specified CipherSuite was correctly saved on the NN
     for (int i=2; i<=3; i++) {
-      LocatedBlocks blocks =
-          fs.getClient().getLocatedBlocks(zone.toString() + "/success2", 0);
-      FileEncryptionInfo feInfo = blocks.getFileEncryptionInfo();
+      FileEncryptionInfo feInfo =
+          getFileEncryptionInfo(new Path(zone.toString() +
+              "/success" + i));
       assertEquals(feInfo.getCipherSuite(), CipherSuite.AES_CTR_NOPADDING);
-      // TODO: validate against actual key/iv in HDFS-6474
-      byte[] key = feInfo.getEncryptedDataEncryptionKey();
-      for (int j = 0; j < key.length; j++) {
-        assertEquals("Unexpected key byte", (byte)j, key[j]);
-      }
-      byte[] iv = feInfo.getIV();
-      for (int j = 0; j < iv.length; j++) {
-        assertEquals("Unexpected IV byte", (byte)(3+j*2), iv[j]);
-      }
     }
   }
+
+  private void validateFiles(Path p1, Path p2, int len) throws Exception {
+    FSDataInputStream in1 = fs.open(p1);
+    FSDataInputStream in2 = fs.open(p2);
+    for (int i=0; i<len; i++) {
+      assertEquals("Mismatch at byte " + i, in1.read(), in2.read());
+    }
+    in1.close();
+    in2.close();
+  }
+
+  private FileEncryptionInfo getFileEncryptionInfo(Path path) throws Exception {
+    LocatedBlocks blocks = fs.getClient().getLocatedBlocks(path.toString(), 0);
+    return blocks.getFileEncryptionInfo();
+  }
+
+  @Test(timeout = 120000)
+  public void testReadWrite() throws Exception {
+    final HdfsAdmin dfsAdmin =
+        new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    // Create a base file for comparison
+    final Path baseFile = new Path("/base");
+    final int len = 8192;
+    DFSTestUtil.createFile(fs, baseFile, len, (short) 1, 0xFEED);
+    // Create the first enc file
+    final Path zone = new Path("/zone");
+    fs.mkdirs(zone);
+    dfsAdmin.createEncryptionZone(zone, null);
+    final Path encFile1 = new Path(zone, "myfile");
+    DFSTestUtil.createFile(fs, encFile1, len, (short) 1, 0xFEED);
+    // Read them back in and compare byte-by-byte
+    validateFiles(baseFile, encFile1, len);
+    // Roll the key of the encryption zone
+    List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    assertEquals("Expected 1 EZ", 1, zones.size());
+    String keyId = zones.get(0).getKeyId();
+    cluster.getNamesystem().getProvider().rollNewVersion(keyId);
+    cluster.getNamesystem().getFSDirectory().ezManager.kickMonitor();
+    // Read them back in and compare byte-by-byte
+    validateFiles(baseFile, encFile1, len);
+    // Write a new enc file and validate
+    final Path encFile2 = new Path(zone, "myfile2");
+    DFSTestUtil.createFile(fs, encFile2, len, (short) 1, 0xFEED);
+    // FEInfos should be different
+    FileEncryptionInfo feInfo1 = getFileEncryptionInfo(encFile1);
+    FileEncryptionInfo feInfo2 = getFileEncryptionInfo(encFile2);
+    assertFalse("EDEKs should be different", Arrays.equals(
+        feInfo1.getEncryptedDataEncryptionKey(),
+        feInfo2.getEncryptedDataEncryptionKey()));
+    assertNotEquals("Key was rolled, versions should be different",
+        feInfo1.getEzKeyVersionName(), feInfo2.getEzKeyVersionName());
+    // Contents still equal
+    validateFiles(encFile1, encFile2, len);
+  }
 }

From 905c90b066503c966ff78e3d1add57f4aff6e9c6 Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Sat, 12 Jul 2014 01:29:26 +0000
Subject: [PATCH 032/354] HADOOP-10734. Implement high-performance secure
 random number sources. (Yi Liu via Colin Patrick McCabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1609874 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |   3 +
 hadoop-common-project/hadoop-common/pom.xml   |   2 +
 .../hadoop-common/src/CMakeLists.txt          |   3 +-
 .../hadoop/crypto/JceAesCtrCryptoCodec.java   |   8 +-
 .../crypto/OpensslAesCtrCryptoCodec.java      |  33 +-
 .../crypto/random/OpensslSecureRandom.java    | 119 +++++++
 .../hadoop/crypto/random/OsSecureRandom.java  | 115 ++++++
 .../hadoop/fs/CommonConfigurationKeys.java    |   1 -
 .../fs/CommonConfigurationKeysPublic.java     |  14 +-
 .../crypto/random/OpensslSecureRandom.c       | 335 ++++++++++++++++++
 .../random/org_apache_hadoop_crypto_random.h  |  40 +++
 .../src/main/resources/core-default.xml       |  20 +-
 .../random/TestOpensslSecureRandom.java       | 114 ++++++
 .../crypto/random/TestOsSecureRandom.java     | 139 ++++++++
 14 files changed, 933 insertions(+), 13 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OpensslSecureRandom.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OsSecureRandom.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
 create mode 100644 hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/org_apache_hadoop_crypto_random.h
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/random/TestOpensslSecureRandom.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/random/TestOsSecureRandom.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 2ea4420bce2..f133f813136 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -6,6 +6,9 @@ fs-encryption (Unreleased)
 
   NEW FEATURES
 
+    HADOOP-10734. Implement high-performance secure random number sources.
+    (Yi Liu via Colin Patrick McCabe)
+
   IMPROVEMENTS
 
     HADOOP-10603. Crypto input and output streams implementing Hadoop stream
diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml
index 9a5e36c7561..0c90a9490df 100644
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@@ -542,6 +542,7 @@
                     <javahClassName>org.apache.hadoop.io.compress.lz4.Lz4Compressor</javahClassName>
                     <javahClassName>org.apache.hadoop.io.compress.lz4.Lz4Decompressor</javahClassName>
                     <javahClassName>org.apache.hadoop.crypto.OpensslCipher</javahClassName>
+                    <javahClassName>org.apache.hadoop.crypto.random.OpensslSecureRandom</javahClassName>
                     <javahClassName>org.apache.hadoop.util.NativeCrc32</javahClassName>
                     <javahClassName>org.apache.hadoop.net.unix.DomainSocket</javahClassName>
                     <javahClassName>org.apache.hadoop.net.unix.DomainSocketWatcher</javahClassName>
@@ -657,6 +658,7 @@
                     <javahClassName>org.apache.hadoop.io.compress.lz4.Lz4Compressor</javahClassName>
                     <javahClassName>org.apache.hadoop.io.compress.lz4.Lz4Decompressor</javahClassName>
                     <javahClassName>org.apache.hadoop.crypto.OpensslCipher</javahClassName>
+                    <javahClassName>org.apache.hadoop.crypto.random.OpensslSecureRandom</javahClassName>
                     <javahClassName>org.apache.hadoop.util.NativeCrc32</javahClassName>
                   </javahClassNames>
                   <javahOutputDirectory>${project.build.directory}/native/javah</javahOutputDirectory>
diff --git a/hadoop-common-project/hadoop-common/src/CMakeLists.txt b/hadoop-common-project/hadoop-common/src/CMakeLists.txt
index 9ad049e0853..84c27e5db71 100644
--- a/hadoop-common-project/hadoop-common/src/CMakeLists.txt
+++ b/hadoop-common-project/hadoop-common/src/CMakeLists.txt
@@ -167,7 +167,8 @@ find_path(OPENSSL_INCLUDE_DIR
 if (OPENSSL_LIBRARY AND OPENSSL_INCLUDE_DIR)
     GET_FILENAME_COMPONENT(HADOOP_OPENSSL_LIBRARY ${OPENSSL_LIBRARY} NAME)
     SET(OPENSSL_SOURCE_FILES
-        "${D}/crypto/OpensslCipher.c")
+        "${D}/crypto/OpensslCipher.c"
+        "${D}/crypto/random/OpensslSecureRandom.c")
 else (OPENSSL_LIBRARY AND OPENSSL_INCLUDE_DIR)
     SET(OPENSSL_INCLUDE_DIR "")
     SET(OPENSSL_SOURCE_FILES "")
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java
index 2482586720c..cd093203867 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java
@@ -32,8 +32,8 @@
 import com.google.common.base.Preconditions;
 
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY;
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY;
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_DEFAULT;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_KEY;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_DEFAULT;
 
 /**
  * Implement the AES-CTR crypto codec using JCE provider.
@@ -57,8 +57,8 @@ public void setConf(Configuration conf) {
     this.conf = conf;
     provider = conf.get(HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY);
     final String secureRandomAlg = conf.get(
-        HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY, 
-        HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_DEFAULT);
+        HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_KEY, 
+        HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_DEFAULT);
     try {
       random = (provider != null) ? 
           SecureRandom.getInstance(secureRandomAlg, provider) : 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
index ee11f50683b..04c2db09e1e 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
@@ -17,23 +17,34 @@
  */
 package org.apache.hadoop.crypto;
 
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_SECURE_RANDOM_IMPL_KEY;
+
+import java.io.Closeable;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
+import java.util.Random;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 
 import com.google.common.base.Preconditions;
+import org.apache.hadoop.crypto.random.OsSecureRandom;
+import org.apache.hadoop.util.ReflectionUtils;
 
 /**
  * Implement the AES-CTR crypto codec using JNI into OpenSSL.
  */
 @InterfaceAudience.Private
 public class OpensslAesCtrCryptoCodec extends AesCtrCryptoCodec {
+  private static final Log LOG =
+      LogFactory.getLog(OpensslAesCtrCryptoCodec.class.getName());
+
   private Configuration conf;
-  private SecureRandom random = new SecureRandom();
+  private Random random;
   
   public OpensslAesCtrCryptoCodec() {
   }
@@ -41,6 +52,26 @@ public OpensslAesCtrCryptoCodec() {
   @Override
   public void setConf(Configuration conf) {
     this.conf = conf;
+    final Class<? extends Random> klass = conf.getClass(
+        HADOOP_SECURITY_SECURE_RANDOM_IMPL_KEY, OsSecureRandom.class, 
+        Random.class);
+    try {
+      random = ReflectionUtils.newInstance(klass, conf);
+    } catch (Exception e) {
+      LOG.info("Unable to use " + klass.getName() + ".  Falling back to " +
+          "Java SecureRandom.", e);
+      this.random = new SecureRandom();
+    }
+  }
+
+  @Override
+  protected void finalize() throws Throwable {
+    try {
+      Closeable r = (Closeable) this.random;
+      r.close();
+    } catch (ClassCastException e) {
+    }
+    super.finalize();
   }
 
   @Override
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OpensslSecureRandom.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OpensslSecureRandom.java
new file mode 100644
index 00000000000..b1fa9883373
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OpensslSecureRandom.java
@@ -0,0 +1,119 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.random;
+
+import java.util.Random;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.util.NativeCodeLoader;
+
+import com.google.common.base.Preconditions;
+
+/**
+ * OpenSSL secure random using JNI.
+ * This implementation is thread-safe.
+ * <p/>
+ * 
+ * If using an Intel chipset with RDRAND, the high-performance hardware 
+ * random number generator will be used and it's much faster than
+ * {@link java.security.SecureRandom}. If RDRAND is unavailable, default
+ * OpenSSL secure random generator will be used. It's still faster
+ * and can generate strong random bytes.
+ * <p/>
+ * @see https://wiki.openssl.org/index.php/Random_Numbers
+ * @see http://en.wikipedia.org/wiki/RdRand
+ */
+@InterfaceAudience.Private
+public class OpensslSecureRandom extends Random {
+  private static final long serialVersionUID = -7828193502768789584L;
+  private static final Log LOG =
+      LogFactory.getLog(OpensslSecureRandom.class.getName());
+  
+  /** If native SecureRandom unavailable, use java SecureRandom */
+  private java.security.SecureRandom fallback = null;
+  private static boolean nativeEnabled = false;
+  static {
+    if (NativeCodeLoader.isNativeCodeLoaded() &&
+        NativeCodeLoader.buildSupportsOpenssl()) {
+      try {
+        initSR();
+        nativeEnabled = true;
+      } catch (Throwable t) {
+        LOG.error("Failed to load Openssl SecureRandom", t);
+      }
+    }
+  }
+  
+  public static boolean isNativeCodeLoaded() {
+    return nativeEnabled;
+  }
+  
+  public OpensslSecureRandom() {
+    if (!nativeEnabled) {
+      fallback = new java.security.SecureRandom();
+    }
+  }
+  
+  /**
+   * Generates a user-specified number of random bytes.
+   * It's thread-safe.
+   * 
+   * @param bytes the array to be filled in with random bytes.
+   */
+  @Override
+  public void nextBytes(byte[] bytes) {
+    if (!nativeEnabled || !nextRandBytes(bytes)) {
+      fallback.nextBytes(bytes);
+    }
+  }
+  
+  @Override
+  public void setSeed(long seed) {
+    // Self-seeding.
+  }
+  
+  /**
+   * Generates an integer containing the user-specified number of
+   * random bits (right justified, with leading zeros).
+   *
+   * @param numBits number of random bits to be generated, where
+   * 0 <= <code>numBits</code> <= 32.
+   *
+   * @return int an <code>int</code> containing the user-specified number
+   * of random bits (right justified, with leading zeros).
+   */
+  @Override
+  final protected int next(int numBits) {
+    Preconditions.checkArgument(numBits >= 0 && numBits <= 32);
+    int numBytes = (numBits + 7) / 8;
+    byte b[] = new byte[numBytes];
+    int next = 0;
+    
+    nextBytes(b);
+    for (int i = 0; i < numBytes; i++) {
+      next = (next << 8) + (b[i] & 0xFF);
+    }
+    
+    return next >>> (numBytes * 8 - numBits);
+  }
+  
+  private native static void initSR();
+  private native boolean nextRandBytes(byte[] bytes); 
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OsSecureRandom.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OsSecureRandom.java
new file mode 100644
index 00000000000..3fa61fbbdce
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OsSecureRandom.java
@@ -0,0 +1,115 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.random;
+
+import java.io.Closeable;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.util.Random;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.conf.Configurable;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.io.IOUtils;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_SECURE_RANDOM_DEVICE_FILE_PATH_KEY;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_SECURE_RANDOM_DEVICE_FILE_PATH_DEFAULT;
+
+/**
+ * A Random implementation that uses random bytes sourced from the
+ * operating system.
+ */
+@InterfaceAudience.Private
+public class OsSecureRandom extends Random implements Closeable, Configurable {
+
+  private Configuration conf;
+
+  private final int RESERVOIR_LENGTH = 8192;
+
+  private String randomDevPath;
+
+  private FileInputStream stream;
+
+  private final byte[] reservoir = new byte[RESERVOIR_LENGTH];
+
+  private int pos = reservoir.length;
+
+  private void fillReservoir(int min) {
+    if (pos >= reservoir.length - min) {
+      try {
+        IOUtils.readFully(stream, reservoir, 0, reservoir.length);
+      } catch (IOException e) {
+        throw new RuntimeException("failed to fill reservoir", e);
+      }
+      pos = 0;
+    }
+  }
+
+  public OsSecureRandom() {
+  }
+  
+  @Override
+  public void setConf(Configuration conf) {
+    this.conf = conf;
+    this.randomDevPath = conf.get(
+        HADOOP_SECURITY_SECURE_RANDOM_DEVICE_FILE_PATH_KEY,
+        HADOOP_SECURITY_SECURE_RANDOM_DEVICE_FILE_PATH_DEFAULT);
+    File randomDevFile = new File(randomDevPath);
+    try {
+      this.stream = new FileInputStream(randomDevFile);
+      fillReservoir(0);
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  @Override
+  public Configuration getConf() {
+    return conf;
+  }
+
+  @Override
+  synchronized public void nextBytes(byte[] bytes) {
+    int off = 0;
+    int n = 0;
+    while (off < bytes.length) {
+      fillReservoir(0);
+      n = Math.min(bytes.length - off, reservoir.length - pos);
+      System.arraycopy(reservoir, pos, bytes, off, n);
+      off += n;
+      pos += n;
+    }
+  }
+
+  @Override
+  synchronized protected int next(int nbits) {
+    fillReservoir(4);
+    int n = reservoir[pos] |
+        (reservoir[pos + 1] << 8) |
+        (reservoir[pos + 2] << 16) |
+        (reservoir[pos + 3] << 24);
+    pos += 4;
+    return n & (0xffffffff >> (32 - nbits));
+  }
+
+  @Override
+  public void close() throws IOException {
+    stream.close();
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java
index 3345e3c93d5..69503ba21ca 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java
@@ -280,5 +280,4 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic {
   public static final String NFS_EXPORTS_ALLOWED_HOSTS_SEPARATOR = ";";
   public static final String NFS_EXPORTS_ALLOWED_HOSTS_KEY = "nfs.exports.allowed.hosts";
   public static final String NFS_EXPORTS_ALLOWED_HOSTS_KEY_DEFAULT = "* rw";
-
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
index 279bbc7e2b3..9691539821b 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
@@ -297,10 +297,16 @@ public class CommonConfigurationKeysPublic {
   public static final String  HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS =
     "hadoop.security.impersonation.provider.class";
   /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
-  public static final String HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY = 
-      "hadoop.security.secure.random.algorithm";
-  /** Defalt value for HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_KEY */
-  public static final String HADOOP_SECURITY_SECURE_RANDOM_ALGORITHM_DEFAULT = 
+  public static final String HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_KEY = 
+      "hadoop.security.java.secure.random.algorithm";
+  /** Defalt value for HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_KEY */
+  public static final String HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_DEFAULT = 
       "SHA1PRNG";
+  public static final String HADOOP_SECURITY_SECURE_RANDOM_IMPL_KEY = 
+      "hadoop.security.secure.random.impl";
+  public static final String HADOOP_SECURITY_SECURE_RANDOM_DEVICE_FILE_PATH_KEY = 
+      "hadoop.security.random.device.file.path";
+  public static final String HADOOP_SECURITY_SECURE_RANDOM_DEVICE_FILE_PATH_DEFAULT = 
+      "/dev/urandom";
 }
 
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
new file mode 100644
index 00000000000..ee09aedff8b
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
@@ -0,0 +1,335 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "org_apache_hadoop_crypto_random.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef UNIX
+#include <pthread.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#endif
+
+#ifdef WINDOWS
+#include <windows.h>
+#endif
+ 
+#include "org_apache_hadoop_crypto_random_OpensslSecureRandom.h"
+
+#ifdef UNIX
+static void * (*dlsym_CRYPTO_malloc) (int, const char *, int);
+static void (*dlsym_CRYPTO_free) (void *);
+static int (*dlsym_CRYPTO_num_locks) (void);
+static void (*dlsym_CRYPTO_set_locking_callback) (void (*)());
+static void (*dlsym_CRYPTO_set_id_callback) (unsigned long (*)());
+static void (*dlsym_ENGINE_load_rdrand) (void);
+static ENGINE * (*dlsym_ENGINE_by_id) (const char *);
+static int (*dlsym_ENGINE_init) (ENGINE *);
+static int (*dlsym_ENGINE_set_default) (ENGINE *, unsigned int);
+static int (*dlsym_ENGINE_finish) (ENGINE *);
+static int (*dlsym_ENGINE_free) (ENGINE *);
+static void (*dlsym_ENGINE_cleanup) (void);
+static int (*dlsym_RAND_bytes) (unsigned char *, int);
+static unsigned long (*dlsym_ERR_get_error) (void);
+#endif
+
+#ifdef WINDOWS
+typedef void * (__cdecl *__dlsym_CRYPTO_malloc) (int, const char *, int);
+typedef void (__cdecl *__dlsym_CRYPTO_free) (void *);
+typedef int (__cdecl *__dlsym_CRYPTO_num_locks) (void);
+typedef void (__cdecl *__dlsym_CRYPTO_set_locking_callback)  \
+              (void (*)(int, int, char *, int);
+typedef void (__cdecl *__dlsym_ENGINE_load_rdrand) (void);
+typedef ENGINE * (__cdecl *__dlsym_ENGINE_by_id) (const char *);
+typedef int (__cdecl *__dlsym_ENGINE_init) (ENGINE *);
+typedef int (__cdecl *__dlsym_ENGINE_set_default) (ENGINE *, unsigned int);
+typedef int (__cdecl *__dlsym_ENGINE_finish) (ENGINE *);
+typedef int (__cdecl *__dlsym_ENGINE_free) (ENGINE *);
+typedef void (__cdecl *__dlsym_ENGINE_cleanup) (void);
+typedef int (__cdecl *__dlsym_RAND_bytes) (unsigned char *, int);
+typedef unsigned long (__cdecl *__dlsym_ERR_get_error) (void);
+static __dlsym_CRYPTO_malloc dlsym_CRYPTO_malloc;
+static __dlsym_CRYPTO_free dlsym_CRYPTO_free;
+static __dlsym_CRYPTO_num_locks dlsym_CRYPTO_num_locks;
+static __dlsym_CRYPTO_set_locking_callback dlsym_CRYPTO_set_locking_callback;
+static __dlsym_ENGINE_load_rdrand dlsym_ENGINE_load_rdrand;
+static __dlsym_ENGINE_by_id dlsym_ENGINE_by_id;
+static __dlsym_ENGINE_init dlsym_ENGINE_init;
+static __dlsym_ENGINE_set_default dlsym_ENGINE_set_default;
+static __dlsym_ENGINE_finish dlsym_ENGINE_finish;
+static __dlsym_ENGINE_free dlsym_ENGINE_free;
+static __dlsym_ENGINE_cleanup dlsym_ENGINE_cleanup;
+static __dlsym_RAND_bytes dlsym_RAND_bytes;
+static __dlsym_ERR_get_error dlsym_ERR_get_error;
+#endif
+
+static ENGINE * openssl_rand_init();
+static void openssl_rand_clean(ENGINE *eng, int clean_locks);
+static int openssl_rand_bytes(unsigned char *buf, int num);
+
+JNIEXPORT void JNICALL Java_org_apache_hadoop_crypto_random_OpensslSecureRandom_initSR
+    (JNIEnv *env, jclass clazz)
+{
+  char msg[1000];
+#ifdef UNIX
+  void *openssl = dlopen(HADOOP_OPENSSL_LIBRARY, RTLD_LAZY | RTLD_GLOBAL);
+#endif
+
+#ifdef WINDOWS
+  HMODULE openssl = LoadLibrary(HADOOP_OPENSSL_LIBRARY);
+#endif
+
+  if (!openssl) {
+    snprintf(msg, sizeof(msg), "Cannot load %s (%s)!", HADOOP_OPENSSL_LIBRARY,  \
+        dlerror());
+    THROW(env, "java/lang/UnsatisfiedLinkError", msg);
+    return;
+  }
+
+#ifdef UNIX
+  dlerror();  // Clear any existing error
+  LOAD_DYNAMIC_SYMBOL(dlsym_CRYPTO_malloc, env, openssl, "CRYPTO_malloc");
+  LOAD_DYNAMIC_SYMBOL(dlsym_CRYPTO_free, env, openssl, "CRYPTO_free");
+  LOAD_DYNAMIC_SYMBOL(dlsym_CRYPTO_num_locks, env, openssl, "CRYPTO_num_locks");
+  LOAD_DYNAMIC_SYMBOL(dlsym_CRYPTO_set_locking_callback,  \
+                      env, openssl, "CRYPTO_set_locking_callback");
+  LOAD_DYNAMIC_SYMBOL(dlsym_CRYPTO_set_id_callback, env,  \
+                      openssl, "CRYPTO_set_id_callback");
+  LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_load_rdrand, env,  \
+                      openssl, "ENGINE_load_rdrand");
+  LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_by_id, env, openssl, "ENGINE_by_id");
+  LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_init, env, openssl, "ENGINE_init");
+  LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_set_default, env,  \
+                      openssl, "ENGINE_set_default");
+  LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_finish, env, openssl, "ENGINE_finish");
+  LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_free, env, openssl, "ENGINE_free");
+  LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_cleanup, env, openssl, "ENGINE_cleanup");
+  LOAD_DYNAMIC_SYMBOL(dlsym_RAND_bytes, env, openssl, "RAND_bytes");
+  LOAD_DYNAMIC_SYMBOL(dlsym_ERR_get_error, env, openssl, "ERR_get_error");
+#endif
+
+#ifdef WINDOWS
+  LOAD_DYNAMIC_SYMBOL(__dlsym_CRYPTO_malloc, dlsym_CRYPTO_malloc,  \
+                      env, openssl, "CRYPTO_malloc");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_CRYPTO_free, dlsym_CRYPTO_free,  \
+                      env, openssl, "CRYPTO_free");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_CRYPTO_num_locks, dlsym_CRYPTO_num_locks,  \
+                      env, openssl, "CRYPTO_num_locks");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_CRYPTO_set_locking_callback,  \
+                      dlsym_CRYPTO_set_locking_callback,  \
+                      env, openssl, "CRYPTO_set_locking_callback");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_ENGINE_load_rdrand, dlsym_ENGINE_load_rdrand,  \
+                      env, openssl, "ENGINE_load_rdrand");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_ENGINE_by_id, dlsym_ENGINE_by_id,  \
+                      env, openssl, "ENGINE_by_id");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_ENGINE_init, dlsym_ENGINE_init,  \
+                      env, openssl, "ENGINE_init");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_ENGINE_set_default, dlsym_ENGINE_set_default,  \
+                      env, openssl, "ENGINE_set_default");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_ENGINE_finish, dlsym_ENGINE_finish,  \
+                      env, openssl, "ENGINE_finish");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_ENGINE_free, dlsym_ENGINE_free,  \
+                      env, openssl, "ENGINE_free");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_ENGINE_cleanup, dlsym_ENGINE_cleanup,  \
+                      env, openssl, "ENGINE_cleanup");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_RAND_bytes, dlsym_RAND_bytes,  \
+                      env, openssl, "RAND_bytes");
+  LOAD_DYNAMIC_SYMBOL(__dlsym_ERR_get_error, dlsym_ERR_get_error,  \
+                      env, openssl, "ERR_get_error");
+#endif
+
+  openssl_rand_init(env);
+}
+
+JNIEXPORT jboolean JNICALL Java_org_apache_hadoop_crypto_random_OpensslSecureRandom_nextRandBytes___3B
+    (JNIEnv *env, jobject object, jbyteArray bytes)
+{
+  if (NULL == bytes) {
+    THROW(env, "java/lang/NullPointerException", "Buffer cannot be null.");
+    return JNI_FALSE;
+  }
+  jbyte *b = (*env)->GetByteArrayElements(env, bytes, NULL);
+  if (NULL == b) {
+    THROW(env, "java/lang/InternalError", "Cannot get bytes array.");
+    return JNI_FALSE;
+  }
+  int b_len = (*env)->GetArrayLength(env, bytes);
+  int ret = openssl_rand_bytes((unsigned char *)b, b_len);
+  (*env)->ReleaseByteArrayElements(env, bytes, b, 0);
+  
+  if (1 != ret) {
+    return JNI_FALSE;
+  }
+  return JNI_TRUE;
+}
+
+/**
+ * To ensure thread safety for random number generators, we need to call 
+ * CRYPTO_set_locking_callback.
+ * http://wiki.openssl.org/index.php/Random_Numbers
+ * Example: crypto/threads/mttest.c
+ */
+
+#ifdef WINDOWS
+static void windows_locking_callback(int mode, int type, char *file, int line);
+static HANDLE *lock_cs;
+
+static void locks_setup(void)
+{
+  int i;
+  lock_cs = dlsym_CRYPTO_malloc(dlsym_CRYPTO_num_locks() * sizeof(HANDLE),  \
+      __FILE__, __LINE__);
+
+  for (i = 0; i < dlsym_CRYPTO_num_locks(); i++) {
+    lock_cs[i] = CreateMutex(NULL, FALSE, NULL);
+  }
+  dlsym_CRYPTO_set_locking_callback((void (*)(int, int, char *, int))  \
+      windows_locking_callback);
+  /* id callback defined */
+}
+
+static void locks_cleanup(void)
+{
+  int i;
+  dlsym_CRYPTO_set_locking_callback(NULL);
+
+  for (i = 0; i < dlsym_CRYPTO_num_locks(); i++) {
+    CloseHandle(lock_cs[i]);
+  }
+  dlsym_CRYPTO_free(lock_cs);
+}
+
+static void windows_locking_callback(int mode, int type, char *file, int line)
+{
+  UNUSED(file), UNUSED(line);
+  
+  if (mode & CRYPTO_LOCK) {
+    WaitForSingleObject(lock_cs[type], INFINITE);
+  } else {
+    ReleaseMutex(lock_cs[type]);
+  }
+}
+#endif /* WINDOWS */
+
+#ifdef UNIX
+static void pthreads_locking_callback(int mode, int type, char *file, int line);
+static unsigned long pthreads_thread_id(void);
+static pthread_mutex_t *lock_cs;
+
+static void locks_setup(void)
+{
+  int i;
+  lock_cs = dlsym_CRYPTO_malloc(dlsym_CRYPTO_num_locks() *  \
+      sizeof(pthread_mutex_t), __FILE__, __LINE__);
+
+  for (i = 0; i < dlsym_CRYPTO_num_locks(); i++) {
+    pthread_mutex_init(&(lock_cs[i]), NULL);
+  }
+  
+  dlsym_CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
+  dlsym_CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
+}
+
+static void locks_cleanup(void)
+{
+  int i;
+  dlsym_CRYPTO_set_locking_callback(NULL);
+  
+  for (i = 0; i < dlsym_CRYPTO_num_locks(); i++) {
+    pthread_mutex_destroy(&(lock_cs[i]));
+  }
+  
+  dlsym_CRYPTO_free(lock_cs);
+}
+
+static void pthreads_locking_callback(int mode, int type, char *file, int line)
+{
+  UNUSED(file), UNUSED(line);
+  
+  if (mode & CRYPTO_LOCK) {
+    pthread_mutex_lock(&(lock_cs[type]));
+  } else {
+    pthread_mutex_unlock(&(lock_cs[type]));
+  }
+}
+
+static unsigned long pthreads_thread_id(void)
+{
+  return (unsigned long)syscall(SYS_gettid);
+}
+
+#endif /* UNIX */
+
+/**
+ * If using an Intel chipset with RDRAND, the high-performance hardware
+ * random number generator will be used.
+ */
+static ENGINE * openssl_rand_init()
+{
+  locks_setup();
+  
+  dlsym_ENGINE_load_rdrand();
+  ENGINE *eng = dlsym_ENGINE_by_id("rdrand");
+  
+  int ret = -1;
+  do {
+    if (NULL == eng) {
+      break;
+    }
+    
+    int rc = dlsym_ENGINE_init(eng);
+    if (0 == rc) {
+      break;
+    }
+    
+    rc = dlsym_ENGINE_set_default(eng, ENGINE_METHOD_RAND);
+    if (0 == rc) {
+      break;
+    }
+  
+    ret = 0;
+  } while(0);
+  
+  if (ret == -1) {
+    openssl_rand_clean(eng, 0);
+  }
+  
+  return eng;
+}
+
+static void openssl_rand_clean(ENGINE *eng, int clean_locks)
+{
+  if (NULL != eng) {
+    dlsym_ENGINE_finish(eng);
+    dlsym_ENGINE_free(eng);
+  }
+    
+  dlsym_ENGINE_cleanup();
+  if (clean_locks) {
+    locks_cleanup();
+  }
+}
+
+static int openssl_rand_bytes(unsigned char *buf, int num)
+{
+  return dlsym_RAND_bytes(buf, num);
+}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/org_apache_hadoop_crypto_random.h b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/org_apache_hadoop_crypto_random.h
new file mode 100644
index 00000000000..1200718e69f
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/org_apache_hadoop_crypto_random.h
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+ 
+#ifndef ORG_APACHE_HADOOP_CRYPTO_RANDOM_H
+#define ORG_APACHE_HADOOP_CRYPTO_RANDOM_H
+
+#include "org_apache_hadoop.h"
+
+#ifdef UNIX
+#include <dlfcn.h>
+#include "config.h"
+#endif
+
+#ifdef WINDOWS
+#include "winutils.h"
+#endif
+
+#define UNUSED(x) ((void)(x))
+
+#include <openssl/crypto.h>
+#include <openssl/engine.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+
+#endif //ORG_APACHE_HADOOP_CRYPTO_RANDOM_H
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index d4b775643cf..224fb12e921 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -1477,10 +1477,26 @@ for ldap providers in the same way as above does.
 </property>
 
 <property>
-  <name>hadoop.security.secure.random.algorithm</name>
+  <name>hadoop.security.java.secure.random.algorithm</name>
   <value></value>
   <description>
-    The secure random algorithm. 
+    The java secure random algorithm. 
+  </description>
+</property>
+
+<property>
+  <name>hadoop.security.secure.random.impl</name>
+  <value></value>
+  <description>
+    Implementation of secure random. 
+  </description>
+</property>
+
+<property>
+  <name>hadoop.security.random.device.file.path</name>
+  <value></value>
+  <description>
+    OS security random dev path, it's /dev/urandom in linux.
   </description>
 </property>
 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/random/TestOpensslSecureRandom.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/random/TestOpensslSecureRandom.java
new file mode 100644
index 00000000000..f40c6ac4c91
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/random/TestOpensslSecureRandom.java
@@ -0,0 +1,114 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.random;
+
+import java.util.Arrays;
+
+import org.junit.Test;
+
+public class TestOpensslSecureRandom {
+  
+  @Test(timeout=120000)
+  public void testRandomBytes() throws Exception {
+    OpensslSecureRandom random = new OpensslSecureRandom();
+    
+    // len = 16
+    checkRandomBytes(random, 16);
+    // len = 32
+    checkRandomBytes(random, 32);
+    // len = 128
+    checkRandomBytes(random, 128);
+    // len = 256
+    checkRandomBytes(random, 256);
+  }
+  
+  /**
+   * Test will timeout if secure random implementation always returns a 
+   * constant value.
+   */
+  private void checkRandomBytes(OpensslSecureRandom random, int len) {
+    byte[] bytes = new byte[len];
+    byte[] bytes1 = new byte[len];
+    random.nextBytes(bytes);
+    random.nextBytes(bytes1);
+    
+    while (Arrays.equals(bytes, bytes1)) {
+      random.nextBytes(bytes1);
+    }
+  }
+  
+  /**
+   * Test will timeout if secure random implementation always returns a 
+   * constant value.
+   */
+  @Test(timeout=120000)
+  public void testRandomInt() throws Exception {
+    OpensslSecureRandom random = new OpensslSecureRandom();
+    
+    int rand1 = random.nextInt();
+    int rand2 = random.nextInt();
+    while (rand1 == rand2) {
+      rand2 = random.nextInt();
+    }
+  }
+  
+  /**
+   * Test will timeout if secure random implementation always returns a 
+   * constant value.
+   */
+  @Test(timeout=120000)
+  public void testRandomLong() throws Exception {
+    OpensslSecureRandom random = new OpensslSecureRandom();
+    
+    long rand1 = random.nextLong();
+    long rand2 = random.nextLong();
+    while (rand1 == rand2) {
+      rand2 = random.nextLong();
+    }
+  }
+  
+  /**
+   * Test will timeout if secure random implementation always returns a 
+   * constant value.
+   */
+  @Test(timeout=120000)
+  public void testRandomFloat() throws Exception {
+    OpensslSecureRandom random = new OpensslSecureRandom();
+    
+    float rand1 = random.nextFloat();
+    float rand2 = random.nextFloat();
+    while (rand1 == rand2) {
+      rand2 = random.nextFloat();
+    }
+  }
+  
+  /**
+   * Test will timeout if secure random implementation always returns a 
+   * constant value.
+   */
+  @Test(timeout=120000)
+  public void testRandomDouble() throws Exception {
+    OpensslSecureRandom random = new OpensslSecureRandom();
+    
+    double rand1 = random.nextDouble();
+    double rand2 = random.nextDouble();
+    while (rand1 == rand2) {
+      rand2 = random.nextDouble();
+    }
+  }
+}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/random/TestOsSecureRandom.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/random/TestOsSecureRandom.java
new file mode 100644
index 00000000000..8fc5c70775a
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/random/TestOsSecureRandom.java
@@ -0,0 +1,139 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.random;
+
+import java.io.IOException;
+import java.util.Arrays;
+
+import org.apache.commons.lang.SystemUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.junit.Assume;
+import org.junit.Test;
+
+public class TestOsSecureRandom {
+
+  private static OsSecureRandom getOsSecureRandom() throws IOException {
+    Assume.assumeTrue(SystemUtils.IS_OS_LINUX);
+    OsSecureRandom random = new OsSecureRandom();
+    random.setConf(new Configuration());
+    return random;
+  }
+
+  @Test(timeout=120000)
+  public void testRandomBytes() throws Exception {
+    OsSecureRandom random = getOsSecureRandom();
+    // len = 16
+    checkRandomBytes(random, 16);
+    // len = 32
+    checkRandomBytes(random, 32);
+    // len = 128
+    checkRandomBytes(random, 128);
+    // len = 256
+    checkRandomBytes(random, 256);
+    random.close();
+  }
+  
+  /**
+   * Test will timeout if secure random implementation always returns a 
+   * constant value.
+   */
+  private void checkRandomBytes(OsSecureRandom random, int len) {
+    byte[] bytes = new byte[len];
+    byte[] bytes1 = new byte[len];
+    random.nextBytes(bytes);
+    random.nextBytes(bytes1);
+    
+    while (Arrays.equals(bytes, bytes1)) {
+      random.nextBytes(bytes1);
+    }
+  }
+  
+  /**
+   * Test will timeout if secure random implementation always returns a 
+   * constant value.
+   */
+  @Test(timeout=120000)
+  public void testRandomInt() throws Exception {
+    OsSecureRandom random = getOsSecureRandom();
+    
+    int rand1 = random.nextInt();
+    int rand2 = random.nextInt();
+    while (rand1 == rand2) {
+      rand2 = random.nextInt();
+    }
+    random.close();
+  }
+  
+  /**
+   * Test will timeout if secure random implementation always returns a 
+   * constant value.
+   */
+  @Test(timeout=120000)
+  public void testRandomLong() throws Exception {
+    OsSecureRandom random = getOsSecureRandom();
+    
+    long rand1 = random.nextLong();
+    long rand2 = random.nextLong();
+    while (rand1 == rand2) {
+      rand2 = random.nextLong();
+    }
+    random.close();
+  }
+  
+  /**
+   * Test will timeout if secure random implementation always returns a 
+   * constant value.
+   */
+  @Test(timeout=120000)
+  public void testRandomFloat() throws Exception {
+    OsSecureRandom random = getOsSecureRandom();
+    
+    float rand1 = random.nextFloat();
+    float rand2 = random.nextFloat();
+    while (rand1 == rand2) {
+      rand2 = random.nextFloat();
+    }
+    random.close();
+  }
+  
+  /**
+   * Test will timeout if secure random implementation always returns a 
+   * constant value.
+   */
+  @Test(timeout=120000)
+  public void testRandomDouble() throws Exception {
+    OsSecureRandom random = getOsSecureRandom();
+    
+    double rand1 = random.nextDouble();
+    double rand2 = random.nextDouble();
+    while (rand1 == rand2) {
+      rand2 = random.nextDouble();
+    }
+    random.close();
+  }
+
+  @Test(timeout=120000)
+  public void testRefillReservoir() throws Exception {
+    OsSecureRandom random = getOsSecureRandom();
+
+    for (int i = 0; i < 8196; i++) {
+      random.nextLong();
+    }
+    random.close();
+  }
+}

From b066be8115eeee3099f4e16259b13063bd3f1104 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 15 Jul 2014 20:59:40 +0000
Subject: [PATCH 033/354] HDFS-6619. Clean up encryption-related tests. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1610849 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   2 +
 .../apache/hadoop/fs/TestHDFSEncryption.java  | 352 -------------
 .../hadoop/hdfs/TestEncryptionZones.java      | 433 ++++++++++++++++
 .../hadoop/hdfs/TestEncryptionZonesAPI.java   | 469 ------------------
 .../TestFileContextEncryptionZones.java       |  70 ---
 5 files changed, 435 insertions(+), 891 deletions(-)
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestHDFSEncryption.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFileContextEncryptionZones.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index e75b065130c..0b7986a470b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -42,6 +42,8 @@ fs-encryption (Unreleased)
     HDFS-6474. Namenode needs to get the actual keys and iv from the
     KeyProvider. (wang)
 
+    HDFS-6619. Clean up encryption-related tests. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestHDFSEncryption.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestHDFSEncryption.java
deleted file mode 100644
index 4b32fe42135..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestHDFSEncryption.java
+++ /dev/null
@@ -1,352 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.fs;
-
-import static org.apache.hadoop.fs.CreateFlag.CREATE;
-import static org.apache.hadoop.fs.FileContextTestHelper.getDefaultBlockSize;
-import static org.apache.hadoop.fs.FileContextTestHelper.getFileData;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.File;
-import java.io.IOException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.Arrays;
-import java.util.EnumSet;
-import java.util.List;
-import java.util.UUID;
-
-import javax.security.auth.login.LoginException;
-
-import org.apache.commons.lang.RandomStringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
-import org.apache.hadoop.crypto.key.KeyProvider;
-import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
-import org.apache.hadoop.crypto.key.KeyProviderFactory;
-import org.apache.hadoop.hdfs.DistributedFileSystem;
-import org.apache.hadoop.hdfs.HdfsConfiguration;
-import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.hadoop.ipc.RemoteException;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.test.GenericTestUtils;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class TestHDFSEncryption {
-  private static MiniDFSCluster cluster;
-  private static Path defaultWorkingDirectory;
-  private static final HdfsConfiguration CONF = new HdfsConfiguration();
-  private static FileContext fc;
-  private Path localFsRootPath;
-  private Path src1;
-  /* The KeyProvider, if any. */
-  private static KeyProvider provider = null;
-
-  private static File tmpDir;
-
-  @BeforeClass
-  public static void clusterSetupAtBegining() throws IOException,
-      LoginException, URISyntaxException {
-    tmpDir = new File(System.getProperty("test.build.data", "target"),
-        UUID.randomUUID().toString()).getAbsoluteFile();
-    tmpDir.mkdirs();
-
-    CONF.set(KeyProviderFactory.KEY_PROVIDER_PATH,
-            JavaKeyStoreProvider.SCHEME_NAME + "://file" + tmpDir + "/test.jks");
-    initializeKeyProvider(CONF);
-    try {
-      createOneKey();
-      KeyVersion blort = provider.getCurrentKey("blort");
-    } catch (java.security.NoSuchAlgorithmException e) {
-      throw new RuntimeException(e);
-    }
-
-    cluster = new MiniDFSCluster.Builder(CONF).numDataNodes(1).build();
-    cluster.waitClusterUp();
-
-    URI uri0 = cluster.getURI(0);
-    fc = FileContext.getFileContext(uri0, CONF);
-    defaultWorkingDirectory = fc.makeQualified(new Path("/user/" +
-        UserGroupInformation.getCurrentUser().getShortUserName()));
-    fc.mkdir(defaultWorkingDirectory, FileContext.DEFAULT_PERM, true);
-  }
-
-  private static void initializeKeyProvider(final Configuration conf)
-    throws IOException {
-    final List<KeyProvider> providers = KeyProviderFactory.getProviders(conf);
-    if (providers == null) {
-      return;
-    }
-
-    if (providers.size() == 0) {
-      return;
-    }
-
-    if (providers.size() > 1) {
-      final String err =
-        "Multiple KeyProviders found. Only one is permitted.";
-      throw new RuntimeException(err);
-    }
-    provider = providers.get(0);
-    if (provider.isTransient()) {
-      final String err =
-        "A KeyProvider was found but it is a transient provider.";
-      throw new RuntimeException(err);
-    }
-  }
-
-  private static void createOneKey()
-    throws java.security.NoSuchAlgorithmException, IOException {
-    final org.apache.hadoop.crypto.key.KeyProvider.Options options =
-      KeyProvider.options(CONF);
-    provider.createKey("blort", options);
-    provider.flush();
-  }
-
-  @AfterClass
-  public static void ClusterShutdownAtEnd() throws Exception {
-    if (cluster != null) {
-      cluster.shutdown();
-      cluster = null;
-    }
-  }
-
-  @Before
-  public void setUp() throws Exception {
-    File testBuildData = new File(System.getProperty("test.build.data",
-            "build/test/data"), RandomStringUtils.randomAlphanumeric(10));
-    Path rootPath = new Path(testBuildData.getAbsolutePath(),
-            "root-uri");
-    localFsRootPath = rootPath.makeQualified(LocalFileSystem.NAME, null);
-    fc.mkdir(getTestRootPath(fc, "test"), FileContext.DEFAULT_PERM, true);
-    src1 = getTestRootPath(fc, "testfile");
-  }
-
-  @After
-  public void tearDown() throws Exception {
-    final boolean del =
-      fc.delete(new Path(fileContextTestHelper.getAbsoluteTestRootPath(fc), new Path("test")), true);
-    assertTrue(del);
-    fc.delete(localFsRootPath, true);
-  }
-
-  protected final FileContextTestHelper fileContextTestHelper =
-    createFileContextHelper();
-
-  protected FileContextTestHelper createFileContextHelper() {
-    return new FileContextTestHelper();
-  }
-
-  protected Path getDefaultWorkingDirectory() {
-    return defaultWorkingDirectory;
-  }
-
-  private Path getTestRootPath(FileContext fc, String path) {
-    return fileContextTestHelper.getTestRootPath(fc, path);
-  }
-
-  protected IOException unwrapException(IOException e) {
-    if (e instanceof RemoteException) {
-      return ((RemoteException) e).unwrapRemoteException();
-    }
-    return e;
-  }
-
-  private static final int NUM_BLOCKS = 3;
-
-  private static final byte[] data = getFileData(NUM_BLOCKS,
-      getDefaultBlockSize());
-
-  private void writeSomeData() throws Exception {
-    writeSomeData(false, false);
-  }
-
-  private void writeSomeData(boolean doHFlush, boolean doHSync) throws Exception {
-    final FSDataOutputStream out =
-      fc.create(src1, EnumSet.of(CREATE), Options.CreateOpts.createParent());
-    out.write(data, 0, data.length);
-    if (doHFlush) {
-      out.hflush();
-    }
-
-    if (doHSync) {
-      out.hsync();
-    }
-
-    out.close();
-  }
-
-  private void writeAndVerify(boolean doHFlush, boolean doHSync) throws Exception {
-    writeSomeData(doHFlush, doHSync);
-
-    final FSDataInputStream in = fc.open(src1);
-    try {
-      final byte[] readBuf = new byte[getDefaultBlockSize() * NUM_BLOCKS];
-
-      in.readFully(readBuf);
-      assertTrue("Expected read-back data to be equal (hflush=" + doHFlush
-        + " hfsync=" + doHSync + ")", Arrays.equals(data, readBuf));
-    } finally {
-      in.close();
-    }
-  }
-
-  @Test
-  public void testBasicEncryptionStreamNoFlushNoSync() throws Exception {
-    writeAndVerify(false, false);
-  }
-
-  @Test
-  public void testBasicEncryptionStreamFlushSync() throws Exception {
-    writeAndVerify(true, true);
-  }
-
-  @Test
-  public void testBasicEncryptionStreamNoFlushSync() throws Exception {
-    writeAndVerify(false, true);
-  }
-
-  @Test
-  public void testBasicEncryptionStreamFlushNoSync() throws Exception {
-    writeAndVerify(true, false);
-  }
-
-  @Test
-  public void testGetPos() throws Exception {
-    writeSomeData();
-
-    final FSDataInputStream in = fc.open(src1);
-
-    int expectedGetPos = 0;
-    while (in.read() != -1) {
-      assertTrue(++expectedGetPos == in.getPos());
-    }
-  }
-
-  @Test
-  public void testDoubleClose() throws Exception {
-    writeSomeData();
-
-    final FSDataInputStream in = fc.open(src1);
-    in.close();
-    try {
-      in.close();
-    } catch (Exception e) {
-      fail("Caught unexpected exception on double-close: " + e);
-    }
-  }
-
-  @Test
-  public void testHFlush() throws Exception {
-    final DistributedFileSystem fs = cluster.getFileSystem();
-    final FSDataOutputStream out =
-      fc.create(src1, EnumSet.of(CREATE), Options.CreateOpts.createParent());
-    out.write(data, 0, data.length);
-    out.hflush();
-    out.close();
-  }
-
-  @Test
-  public void testSeekBogusArgs() throws Exception {
-    writeSomeData();
-
-    final FSDataInputStream in = fc.open(src1);
-    try {
-      in.seek(-1);
-      fail("Expected IOException");
-    } catch (Exception e) {
-      GenericTestUtils.assertExceptionContains("Cannot seek to negative offset", e);
-    }
-
-    try {
-      in.seek(1 << 20);
-      fail("Expected IOException");
-    } catch (Exception e) {
-      GenericTestUtils.assertExceptionContains("Cannot seek after EOF", e);
-    }
-    in.close();
-  }
-
-  @Test
-  public void testSeekForward() throws Exception {
-    writeSomeData();
-
-    final FSDataInputStream in = fc.open(src1);
-
-    for (int seekInc = 1; seekInc < 1024; seekInc += 32) {
-      long seekTo = 0;
-      while (seekTo < data.length) {
-        in.seek(seekTo);
-        int b = in.read();
-        byte expected = data[(int) seekTo];
-        assertTrue("seek(" + seekTo + ") Expected: " + expected + ", but got: " + b,
-          b == expected);
-        seekTo += seekInc;
-      }
-    }
-    in.close();
-  }
-
-  @Test
-  public void testSeekBackwards() throws Exception {
-    writeSomeData();
-
-    final FSDataInputStream in = fc.open(src1);
-
-    for (int seekInc = 1; seekInc < 1024; seekInc += 32) {
-      long seekTo = data.length - 1;
-      while (seekTo >= 0) {
-        in.seek(seekTo);
-        int b = in.read();
-        byte expected = data[(int) seekTo];
-        assertTrue("seek(" + seekTo + ") Expected: " + expected + ", but got: " + b,
-          b == expected);
-        seekTo -= seekInc;
-      }
-    }
-    in.close();
-  }
-
-  @Test
-  public void testPostionedReadable() throws Exception {
-    writeSomeData();
-
-    final FSDataInputStream in = fc.open(src1);
-
-    try {
-      final byte[] oneByteToRead = new byte[1];
-      for (int i = 0; i < data.length; i++) {
-        int nread = in.read(i, oneByteToRead, 0, 1);
-        final byte b = oneByteToRead[0];
-        byte expected = data[(int) i];
-        assertTrue("read() expected only one byte to be read, but got " + nread, nread == 1);
-        assertTrue("read() expected: " + expected + ", but got: " + b,
-          b == expected);
-      }
-    } finally {
-      in.close();
-    }
-  }
-}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
new file mode 100644
index 00000000000..09ccf2860b3
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -0,0 +1,433 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Arrays;
+import java.util.List;
+
+import com.google.common.collect.Lists;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CipherSuite;
+import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
+import org.apache.hadoop.crypto.key.KeyProvider;
+import org.apache.hadoop.crypto.key.KeyProviderFactory;
+import org.apache.hadoop.fs.FSDataInputStream;
+import org.apache.hadoop.fs.FSTestWrapper;
+import org.apache.hadoop.fs.FileContext;
+import org.apache.hadoop.fs.FileContextTestWrapper;
+import org.apache.hadoop.fs.FileEncryptionInfo;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FileSystemTestHelper;
+import org.apache.hadoop.fs.FileSystemTestWrapper;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hdfs.client.HdfsAdmin;
+import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.hdfs.protocol.LocatedBlocks;
+import org.apache.hadoop.hdfs.server.namenode.EncryptionZoneManager;
+import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+
+import static org.apache.hadoop.test.GenericTestUtils.assertExceptionContains;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class TestEncryptionZones {
+
+  private Configuration conf;
+  private FileSystemTestHelper fsHelper;
+
+  private MiniDFSCluster cluster;
+  private HdfsAdmin dfsAdmin;
+  private DistributedFileSystem fs;
+
+  protected FileSystemTestWrapper fsWrapper;
+  protected FileContextTestWrapper fcWrapper;
+
+  @Before
+  public void setup() throws IOException {
+    conf = new HdfsConfiguration();
+    fsHelper = new FileSystemTestHelper();
+    // Set up java key store
+    String testRoot = fsHelper.getTestRootDir();
+    File testRootDir = new File(testRoot).getAbsoluteFile();
+    conf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
+        JavaKeyStoreProvider.SCHEME_NAME + "://file" + testRootDir + "/test.jks"
+    );
+    cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
+    Logger.getLogger(EncryptionZoneManager.class).setLevel(Level.TRACE);
+    fs = cluster.getFileSystem();
+    fsWrapper = new FileSystemTestWrapper(cluster.getFileSystem());
+    fcWrapper = new FileContextTestWrapper(
+        FileContext.getFileContext(cluster.getURI(), conf));
+    dfsAdmin = new HdfsAdmin(cluster.getURI(), conf);
+  }
+
+  @After
+  public void teardown() {
+    if (cluster != null) {
+      cluster.shutdown();
+    }
+  }
+
+  public void assertNumZones(final int numZones) throws IOException {
+    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    assertEquals("Unexpected number of encryption zones!", numZones,
+        zones.size());
+  }
+
+  /**
+   * Checks that an encryption zone with the specified keyId and path (if not
+   * null) is present.
+   *
+   * @throws IOException if a matching zone could not be found
+   */
+  public void assertZonePresent(String keyId, String path) throws IOException {
+    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    boolean match = false;
+    for (EncryptionZone zone : zones) {
+      boolean matchKey = (keyId == null);
+      boolean matchPath = (path == null);
+      if (keyId != null && zone.getKeyId().equals(keyId)) {
+        matchKey = true;
+      }
+      if (path != null && zone.getPath().equals(path)) {
+        matchPath = true;
+      }
+      if (matchKey && matchPath) {
+        match = true;
+        break;
+      }
+    }
+    assertTrue("Did not find expected encryption zone with keyId " + keyId +
+            " path " + path, match
+    );
+  }
+
+  /**
+   * Helper function to create a key in the Key Provider.
+   */
+  private void createKey(String keyId)
+      throws NoSuchAlgorithmException, IOException {
+    KeyProvider provider = cluster.getNameNode().getNamesystem().getProvider();
+    final KeyProvider.Options options = KeyProvider.options(conf);
+    provider.createKey(keyId, options);
+    provider.flush();
+  }
+
+  @Test(timeout = 60000)
+  public void testBasicOperations() throws Exception {
+
+    int numZones = 0;
+
+    /* Test failure of create EZ on a directory that doesn't exist. */
+    final Path zone1 = new Path("/zone1");
+    try {
+      dfsAdmin.createEncryptionZone(zone1, null);
+      fail("expected /test doesn't exist");
+    } catch (IOException e) {
+      assertExceptionContains("cannot find", e);
+    }
+
+    /* Normal creation of an EZ */
+    fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
+    dfsAdmin.createEncryptionZone(zone1, null);
+    assertNumZones(++numZones);
+    assertZonePresent(null, zone1.toString());
+
+    /* Test failure of create EZ on a directory which is already an EZ. */
+    try {
+      dfsAdmin.createEncryptionZone(zone1, null);
+    } catch (IOException e) {
+      assertExceptionContains("already in an encryption zone", e);
+    }
+
+    /* Test failure of create EZ operation in an existing EZ. */
+    final Path zone1Child = new Path(zone1, "child");
+    fsWrapper.mkdir(zone1Child, FsPermission.getDirDefault(), false);
+    try {
+      dfsAdmin.createEncryptionZone(zone1Child, null);
+      fail("EZ in an EZ");
+    } catch (IOException e) {
+      assertExceptionContains("already in an encryption zone", e);
+    }
+
+    /* create EZ on a folder with a folder fails */
+    final Path notEmpty = new Path("/notEmpty");
+    final Path notEmptyChild = new Path(notEmpty, "child");
+    fsWrapper.mkdir(notEmptyChild, FsPermission.getDirDefault(), true);
+    try {
+      dfsAdmin.createEncryptionZone(notEmpty, null);
+      fail("Created EZ on an non-empty directory with folder");
+    } catch (IOException e) {
+      assertExceptionContains("create an encryption zone", e);
+    }
+    fsWrapper.delete(notEmptyChild, false);
+
+    /* create EZ on a folder with a file fails */
+    fsWrapper.createFile(notEmptyChild);
+    try {
+      dfsAdmin.createEncryptionZone(notEmpty, null);
+      fail("Created EZ on an non-empty directory with file");
+    } catch (IOException e) {
+      assertExceptionContains("create an encryption zone", e);
+    }
+
+    /* Test failure of creating an EZ passing a key that doesn't exist. */
+    final Path zone2 = new Path("/zone2");
+    fsWrapper.mkdir(zone2, FsPermission.getDirDefault(), false);
+    final String myKeyId = "mykeyid";
+    try {
+      dfsAdmin.createEncryptionZone(zone2, myKeyId);
+      fail("expected key doesn't exist");
+    } catch (IOException e) {
+      assertExceptionContains("doesn't exist.", e);
+    }
+    assertNumZones(1);
+
+    /* Test success of creating an EZ when they key exists. */
+    createKey(myKeyId);
+    dfsAdmin.createEncryptionZone(zone2, myKeyId);
+    assertNumZones(++numZones);
+    assertZonePresent(myKeyId, zone2.toString());
+
+    /* Test failure of create encryption zones as a non super user. */
+    final UserGroupInformation user = UserGroupInformation.
+        createUserForTesting("user", new String[] { "mygroup" });
+    final Path nonSuper = new Path("/nonSuper");
+    fsWrapper.mkdir(nonSuper, FsPermission.getDirDefault(), false);
+
+    user.doAs(new PrivilegedExceptionAction<Object>() {
+      @Override
+      public Object run() throws Exception {
+        final HdfsAdmin userAdmin =
+            new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+        try {
+          userAdmin.createEncryptionZone(nonSuper, null);
+          fail("createEncryptionZone is superuser-only operation");
+        } catch (AccessControlException e) {
+          assertExceptionContains("Superuser privilege is required", e);
+        }
+        return null;
+      }
+    });
+
+    // Test success of creating an encryption zone a few levels down.
+    Path deepZone = new Path("/d/e/e/p/zone");
+    fsWrapper.mkdir(deepZone, FsPermission.getDirDefault(), true);
+    dfsAdmin.createEncryptionZone(deepZone, null);
+    assertNumZones(++numZones);
+    assertZonePresent(null, deepZone.toString());
+  }
+
+  /**
+   * Test listing encryption zones as a non super user.
+   */
+  @Test(timeout = 60000)
+  public void testListEncryptionZonesAsNonSuperUser() throws Exception {
+
+    final UserGroupInformation user = UserGroupInformation.
+        createUserForTesting("user", new String[] { "mygroup" });
+
+    final Path testRoot = new Path(fsHelper.getTestRootDir());
+    final Path superPath = new Path(testRoot, "superuseronly");
+    final Path allPath = new Path(testRoot, "accessall");
+
+    fsWrapper.mkdir(superPath, new FsPermission((short) 0700), true);
+    dfsAdmin.createEncryptionZone(superPath, null);
+
+    fsWrapper.mkdir(allPath, new FsPermission((short) 0707), true);
+    dfsAdmin.createEncryptionZone(allPath, null);
+
+    user.doAs(new PrivilegedExceptionAction<Object>() {
+      @Override
+      public Object run() throws Exception {
+        final HdfsAdmin userAdmin =
+            new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+        try {
+          userAdmin.listEncryptionZones();
+        } catch (AccessControlException e) {
+          assertExceptionContains("Superuser privilege is required", e);
+        }
+        return null;
+      }
+    });
+  }
+
+  /**
+   * Test success of Rename EZ on a directory which is already an EZ.
+   */
+  private void doRenameEncryptionZone(FSTestWrapper wrapper) throws Exception {
+    final Path testRoot = new Path(fsHelper.getTestRootDir());
+    final Path pathFoo = new Path(testRoot, "foo");
+    final Path pathFooBaz = new Path(pathFoo, "baz");
+    wrapper.mkdir(pathFoo, FsPermission.getDirDefault(), true);
+    dfsAdmin.createEncryptionZone(pathFoo, null);
+    wrapper.mkdir(pathFooBaz, FsPermission.getDirDefault(), true);
+    try {
+      wrapper.rename(pathFooBaz, testRoot);
+    } catch (IOException e) {
+      assertExceptionContains(pathFooBaz.toString() + " can't be moved from" +
+              " an encryption zone.", e
+      );
+    }
+  }
+
+  @Test(timeout = 60000)
+  public void testRenameFileSystem() throws Exception {
+    doRenameEncryptionZone(fsWrapper);
+  }
+
+  @Test(timeout = 60000)
+  public void testRenameFileContext() throws Exception {
+    doRenameEncryptionZone(fcWrapper);
+  }
+
+  private void validateFiles(Path p1, Path p2, int len) throws Exception {
+    FSDataInputStream in1 = fs.open(p1);
+    FSDataInputStream in2 = fs.open(p2);
+    for (int i = 0; i < len; i++) {
+      assertEquals("Mismatch at byte " + i, in1.read(), in2.read());
+    }
+    in1.close();
+    in2.close();
+  }
+
+  private FileEncryptionInfo getFileEncryptionInfo(Path path) throws Exception {
+    LocatedBlocks blocks = fs.getClient().getLocatedBlocks(path.toString(), 0);
+    return blocks.getFileEncryptionInfo();
+  }
+
+  @Test(timeout = 120000)
+  public void testReadWrite() throws Exception {
+    final HdfsAdmin dfsAdmin =
+        new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    // Create a base file for comparison
+    final Path baseFile = new Path("/base");
+    final int len = 8192;
+    DFSTestUtil.createFile(fs, baseFile, len, (short) 1, 0xFEED);
+    // Create the first enc file
+    final Path zone = new Path("/zone");
+    fs.mkdirs(zone);
+    dfsAdmin.createEncryptionZone(zone, null);
+    final Path encFile1 = new Path(zone, "myfile");
+    DFSTestUtil.createFile(fs, encFile1, len, (short) 1, 0xFEED);
+    // Read them back in and compare byte-by-byte
+    validateFiles(baseFile, encFile1, len);
+    // Roll the key of the encryption zone
+    List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    assertEquals("Expected 1 EZ", 1, zones.size());
+    String keyId = zones.get(0).getKeyId();
+    cluster.getNamesystem().getProvider().rollNewVersion(keyId);
+    cluster.getNamesystem().getFSDirectory().ezManager.kickMonitor();
+    // Read them back in and compare byte-by-byte
+    validateFiles(baseFile, encFile1, len);
+    // Write a new enc file and validate
+    final Path encFile2 = new Path(zone, "myfile2");
+    DFSTestUtil.createFile(fs, encFile2, len, (short) 1, 0xFEED);
+    // FEInfos should be different
+    FileEncryptionInfo feInfo1 = getFileEncryptionInfo(encFile1);
+    FileEncryptionInfo feInfo2 = getFileEncryptionInfo(encFile2);
+    assertFalse("EDEKs should be different", Arrays
+        .equals(feInfo1.getEncryptedDataEncryptionKey(),
+            feInfo2.getEncryptedDataEncryptionKey()));
+    assertNotEquals("Key was rolled, versions should be different",
+        feInfo1.getEzKeyVersionName(), feInfo2.getEzKeyVersionName());
+    // Contents still equal
+    validateFiles(encFile1, encFile2, len);
+  }
+
+  @Test(timeout = 60000)
+  public void testCipherSuiteNegotiation() throws Exception {
+    final HdfsAdmin dfsAdmin =
+        new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+    final Path zone = new Path("/zone");
+    fs.mkdirs(zone);
+    dfsAdmin.createEncryptionZone(zone, null);
+    // Create a file in an EZ, which should succeed
+    DFSTestUtil
+        .createFile(fs, new Path(zone, "success1"), 0, (short) 1, 0xFEED);
+    // Pass no cipherSuites, fail
+    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(0);
+    try {
+      DFSTestUtil.createFile(fs, new Path(zone, "fail"), 0, (short) 1, 0xFEED);
+      fail("Created a file without specifying a CipherSuite!");
+    } catch (UnknownCipherSuiteException e) {
+      assertExceptionContains("No cipher suites", e);
+    }
+    // Pass some unknown cipherSuites, fail
+    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(3);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    try {
+      DFSTestUtil.createFile(fs, new Path(zone, "fail"), 0, (short) 1, 0xFEED);
+      fail("Created a file without specifying a CipherSuite!");
+    } catch (UnknownCipherSuiteException e) {
+      assertExceptionContains("No cipher suites", e);
+    }
+    // Pass some unknown and a good cipherSuites, success
+    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(3);
+    fs.getClient().cipherSuites.add(CipherSuite.AES_CTR_NOPADDING);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    DFSTestUtil
+        .createFile(fs, new Path(zone, "success2"), 0, (short) 1, 0xFEED);
+    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(3);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
+    fs.getClient().cipherSuites.add(CipherSuite.AES_CTR_NOPADDING);
+    DFSTestUtil
+        .createFile(fs, new Path(zone, "success3"), 4096, (short) 1, 0xFEED);
+    // Check KeyProvider state
+    // Flushing the KP on the NN, since it caches, and init a test one
+    cluster.getNamesystem().getProvider().flush();
+    KeyProvider provider = KeyProviderFactory.getProviders(conf).get(0);
+    List<String> keys = provider.getKeys();
+    assertEquals("Expected NN to have created one key per zone", 1,
+        keys.size());
+    List<KeyProvider.KeyVersion> allVersions = Lists.newArrayList();
+    for (String key : keys) {
+      List<KeyProvider.KeyVersion> versions = provider.getKeyVersions(key);
+      assertEquals("Should only have one key version per key", 1,
+          versions.size());
+      allVersions.addAll(versions);
+    }
+    // Check that the specified CipherSuite was correctly saved on the NN
+    for (int i = 2; i <= 3; i++) {
+      FileEncryptionInfo feInfo =
+          getFileEncryptionInfo(new Path(zone.toString() +
+              "/success" + i));
+      assertEquals(feInfo.getCipherSuite(), CipherSuite.AES_CTR_NOPADDING);
+    }
+  }
+
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
deleted file mode 100644
index a75e46e4bd4..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZonesAPI.java
+++ /dev/null
@@ -1,469 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.hdfs;
-
-import java.io.File;
-import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedExceptionAction;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-import java.util.UUID;
-
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Lists;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.crypto.CipherSuite;
-import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
-import org.apache.hadoop.crypto.key.KeyProvider;
-import org.apache.hadoop.crypto.key.KeyProviderFactory;
-import org.apache.hadoop.fs.FSDataInputStream;
-import org.apache.hadoop.fs.FileEncryptionInfo;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.fs.permission.FsPermission;
-import org.apache.hadoop.hdfs.client.HdfsAdmin;
-import org.apache.hadoop.hdfs.protocol.EncryptionZone;
-import org.apache.hadoop.hdfs.protocol.LocatedBlocks;
-import org.apache.hadoop.hdfs.server.namenode.EncryptionZoneManager;
-import org.apache.hadoop.security.AccessControlException;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.test.GenericTestUtils;
-import org.apache.log4j.Level;
-import org.apache.log4j.Logger;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotEquals;
-import static org.junit.Assert.fail;
-
-public class TestEncryptionZonesAPI {
-
-  private static final Path TEST_PATH = new Path("/test");
-  private static final Path TEST_PATH_WITH_CHILD = new Path(TEST_PATH, "foo");
-  private static final Path TEST_PATH_WITH_MULTIPLE_CHILDREN =
-    new Path(TEST_PATH_WITH_CHILD, "baz");
-  private static final String TEST_KEYID = "mykeyid";
-  private final Configuration conf = new Configuration();
-  private MiniDFSCluster cluster;
-  private static File tmpDir;
-  private DistributedFileSystem fs;
-
-  @Before
-  public void setUpCluster() throws IOException {
-    tmpDir = new File(System.getProperty("test.build.data", "target"),
-        UUID.randomUUID().toString()).getAbsoluteFile();
-    conf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
-        JavaKeyStoreProvider.SCHEME_NAME + "://file" + tmpDir + "/test.jks");
-    cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
-    fs = (DistributedFileSystem) createFileSystem(conf);
-    Logger.getLogger(EncryptionZoneManager.class).setLevel(Level.TRACE);
-  }
-
-  protected FileSystem createFileSystem(Configuration conf) throws IOException {
-    return cluster.getFileSystem();
-  }
-
-  @After
-  public void shutDownCluster() {
-    if (cluster != null) {
-      cluster.shutdown();
-    }
-  }
-
-  /** Test failure of Create EZ on a directory that doesn't exist. */
-  @Test(timeout = 60000)
-  public void testCreateEncryptionZoneDirectoryDoesntExist() throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    try {
-      dfsAdmin.createEncryptionZone(TEST_PATH, null);
-      fail("expected /test doesn't exist");
-    } catch (IOException e) {
-      GenericTestUtils.assertExceptionContains("cannot find", e);
-    }
-  }
-
-  /** Test failure of Create EZ on a directory which is already an EZ. */
-  @Test(timeout = 60000)
-  public void testCreateEncryptionZoneWhichAlreadyExists()
-    throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
-    dfsAdmin.createEncryptionZone(TEST_PATH, null);
-    try {
-      dfsAdmin.createEncryptionZone(TEST_PATH, null);
-    } catch (IOException e) {
-      GenericTestUtils.assertExceptionContains("already in an encryption zone",
-          e);
-    }
-  }
-
-  /** Test success of Create EZ in which a key is created. */
-  @Test(timeout = 60000)
-  public void testCreateEncryptionZoneAndGenerateKeyDirectoryEmpty()
-    throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
-    dfsAdmin.createEncryptionZone(TEST_PATH, null);
-  }
-
-  /** Test failure of Create EZ operation in an existing EZ. */
-  @Test(timeout = 60000)
-  public void testCreateEncryptionZoneInExistingEncryptionZone()
-    throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
-    dfsAdmin.createEncryptionZone(TEST_PATH, null);
-    FileSystem.mkdirs(fs, TEST_PATH_WITH_CHILD,
-        new FsPermission((short) 0777));
-    try {
-      dfsAdmin.createEncryptionZone(TEST_PATH_WITH_CHILD, null);
-      fail("EZ in an EZ");
-    } catch (IOException e) {
-      GenericTestUtils.assertExceptionContains("already in an encryption zone", e);
-    }
-  }
-
-  /** Test failure of creating an EZ using a non-empty directory. */
-  @Test(timeout = 60000)
-  public void testCreateEncryptionZoneAndGenerateKeyDirectoryNotEmpty()
-    throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
-    FileSystem.create(fs, new Path("/test/foo"),
-            new FsPermission((short) 0777));
-    try {
-      dfsAdmin.createEncryptionZone(TEST_PATH, null);
-      fail("expected key doesn't exist");
-    } catch (IOException e) {
-      GenericTestUtils.assertExceptionContains("create an encryption zone", e);
-    }
-  }
-
-  /** Test failure of creating an EZ passing a key that doesn't exist. */
-  @Test(timeout = 60000)
-  public void testCreateEncryptionZoneKeyDoesntExist() throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    try {
-      dfsAdmin.createEncryptionZone(TEST_PATH, TEST_KEYID);
-      fail("expected key doesn't exist");
-    } catch (IOException e) {
-      GenericTestUtils.assertExceptionContains("doesn't exist.", e);
-    }
-    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
-    Preconditions.checkState(zones.size() == 0, "More than one zone found?");
-  }
-
-  /** Test success of creating an EZ when they key exists. */
-  @Test(timeout = 60000)
-  public void testCreateEncryptionZoneKeyExist() throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
-    createAKey(TEST_KEYID);
-    dfsAdmin.createEncryptionZone(TEST_PATH, TEST_KEYID);
-    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
-    Preconditions.checkState(zones.size() == 1, "More than one zone found?");
-    final EncryptionZone ez = zones.get(0);
-      GenericTestUtils.assertMatches(ez.toString(),
-              "EncryptionZone \\[path=/test, keyId=");
-  }
-
-  /** Helper function to create a key in the Key Provider. */
-  private void createAKey(String keyId)
-    throws NoSuchAlgorithmException, IOException {
-    KeyProvider provider =
-        cluster.getNameNode().getNamesystem().getProvider();
-    final KeyProvider.Options options = KeyProvider.options(conf);
-    provider.createKey(keyId, options);
-    provider.flush();
-  }
-
-  /** Test failure of create encryption zones as a non super user. */
-  @Test(timeout = 60000)
-  public void testCreateEncryptionZoneAsNonSuperUser()
-    throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-
-    final UserGroupInformation user = UserGroupInformation.
-      createUserForTesting("user", new String[] { "mygroup" });
-
-    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0700));
-
-    user.doAs(new PrivilegedExceptionAction<Object>() {
-        @Override
-        public Object run() throws Exception {
-          final HdfsAdmin userAdmin =
-            new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-          try {
-            userAdmin.createEncryptionZone(TEST_PATH, null);
-            fail("createEncryptionZone is superuser-only operation");
-          } catch (AccessControlException e) {
-            GenericTestUtils.assertExceptionContains(
-                    "Superuser privilege is required", e);
-          }
-          return null;
-        }
-      });
-  }
-
-  /**
-   * Test success of creating an encryption zone a few levels down.
-   */
-  @Test(timeout = 60000)
-  public void testCreateEncryptionZoneDownAFewLevels()
-    throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH_WITH_MULTIPLE_CHILDREN,
-      new FsPermission((short) 0777));
-    dfsAdmin.createEncryptionZone(TEST_PATH_WITH_MULTIPLE_CHILDREN, null);
-    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
-    Preconditions.checkState(zones.size() == 1, "More than one zone found?");
-    final EncryptionZone ez = zones.get(0);
-      GenericTestUtils.assertMatches(ez.toString(),
-         "EncryptionZone \\[path=/test/foo/baz, keyId=");
-  }
-
-  /** Test failure of creating an EZ using a non-empty directory. */
-  @Test(timeout = 60000)
-  public void testCreateFileInEncryptionZone() throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH, new FsPermission((short) 0777));
-    dfsAdmin.createEncryptionZone(TEST_PATH, null);
-    FileSystem.create(fs, TEST_PATH_WITH_CHILD, new FsPermission((short) 0777));
-
-    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
-    final EncryptionZone ez = zones.get(0);
-      GenericTestUtils.assertMatches(ez.toString(),
-         "EncryptionZone \\[path=/test, keyId=");
-  }
-
-  /** Test listing encryption zones. */
-  @Test(timeout = 60000)
-  public void testListEncryptionZones() throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    final int N_EZs = 5;
-    final Set<String> ezPathNames = new HashSet<String>(N_EZs);
-    for (int i = 0; i < N_EZs; i++) {
-      final Path p = new Path(TEST_PATH, "" + i);
-      ezPathNames.add(p.toString());
-      FileSystem.mkdirs(fs, p, new FsPermission((short) 0777));
-      dfsAdmin.createEncryptionZone(p, null);
-    }
-
-    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
-    Preconditions.checkState(zones.size() == N_EZs, "wrong number of EZs returned");
-    for (EncryptionZone z : zones) {
-      final String ezPathName = z.getPath();
-      Preconditions.checkState(ezPathNames.remove(
-          ezPathName), "Path " + ezPathName + " not returned from listEZ");
-    }
-    Preconditions.checkState(ezPathNames.size() == 0);
-  }
-
-  /** Test listing encryption zones as a non super user. */
-  @Test(timeout = 60000)
-  public void testListEncryptionZonesAsNonSuperUser() throws Exception {
-    final HdfsAdmin dfsAdmin =
-      new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-
-    final UserGroupInformation user = UserGroupInformation.
-      createUserForTesting("user", new String[] {"mygroup"});
-
-    final Path TEST_PATH_SUPERUSER_ONLY = new Path(TEST_PATH, "superuseronly");
-    final Path TEST_PATH_ALL = new Path(TEST_PATH, "accessall");
-
-    FileSystem.mkdirs(fs, TEST_PATH_SUPERUSER_ONLY,
-      new FsPermission((short) 0700));
-    dfsAdmin.createEncryptionZone(TEST_PATH_SUPERUSER_ONLY, null);
-    FileSystem.mkdirs(fs, TEST_PATH_ALL,
-      new FsPermission((short) 0707));
-    dfsAdmin.createEncryptionZone(TEST_PATH_ALL, null);
-
-    user.doAs(new PrivilegedExceptionAction<Object>() {
-      @Override
-      public Object run() throws Exception {
-        final HdfsAdmin userAdmin =
-                new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-        try {
-          final List<EncryptionZone> zones = userAdmin.listEncryptionZones();
-        } catch (AccessControlException e) {
-          GenericTestUtils.assertExceptionContains(
-                  "Superuser privilege is required", e);
-        }
-        return null;
-      }
-    });
-  }
-
-  /** Test success of Rename EZ on a directory which is already an EZ. */
-  @Test(timeout = 60000)
-  public void testRenameEncryptionZone()
-          throws Exception {
-    final HdfsAdmin dfsAdmin =
-            new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    FileSystem.mkdirs(fs, TEST_PATH_WITH_CHILD,
-      new FsPermission((short) 0777));
-    dfsAdmin.createEncryptionZone(TEST_PATH_WITH_CHILD, null);
-    FileSystem.mkdirs(fs, TEST_PATH_WITH_MULTIPLE_CHILDREN,
-       new FsPermission((short) 0777));
-    try {
-      fs.rename(TEST_PATH_WITH_MULTIPLE_CHILDREN, TEST_PATH);
-    } catch (IOException e) {
-      GenericTestUtils.assertExceptionContains(
-              "/test/foo/baz can't be moved from an encryption zone.", e);
-    }
-  }
-
-  @Test(timeout = 60000)
-  public void testCipherSuiteNegotiation() throws Exception {
-    final HdfsAdmin dfsAdmin =
-        new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    final Path zone = new Path("/zone");
-    fs.mkdirs(zone);
-    dfsAdmin.createEncryptionZone(zone, null);
-    // Create a file in an EZ, which should succeed
-    DFSTestUtil.createFile(fs, new Path(zone, "success1"), 0, (short) 1,
-        0xFEED);
-    // Pass no cipherSuites, fail
-    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(0);
-    try {
-      DFSTestUtil.createFile(fs, new Path(zone, "fail"), 0, (short) 1,
-          0xFEED);
-      fail("Created a file without specifying a CipherSuite!");
-    } catch (UnknownCipherSuiteException e) {
-      GenericTestUtils.assertExceptionContains("No cipher suites", e);
-    }
-    // Pass some unknown cipherSuites, fail
-    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(3);
-    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
-    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
-    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
-    try {
-      DFSTestUtil.createFile(fs, new Path(zone, "fail"), 0, (short) 1,
-          0xFEED);
-      fail("Created a file without specifying a CipherSuite!");
-    } catch (UnknownCipherSuiteException e) {
-      GenericTestUtils.assertExceptionContains("No cipher suites", e);
-    }
-    // Pass some unknown and a good cipherSuites, success
-    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(3);
-    fs.getClient().cipherSuites.add(CipherSuite.AES_CTR_NOPADDING);
-    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
-    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
-    DFSTestUtil.createFile(fs, new Path(zone, "success2"), 0, (short) 1,
-        0xFEED);
-    fs.getClient().cipherSuites = Lists.newArrayListWithCapacity(3);
-    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
-    fs.getClient().cipherSuites.add(CipherSuite.UNKNOWN);
-    fs.getClient().cipherSuites.add(CipherSuite.AES_CTR_NOPADDING);
-    DFSTestUtil.createFile(fs, new Path(zone, "success3"), 4096, (short) 1,
-        0xFEED);
-    // Check KeyProvider state
-    // Flushing the KP on the NN, since it caches, and init a test one
-    cluster.getNamesystem().getProvider().flush();
-    KeyProvider provider = KeyProviderFactory.getProviders(conf).get(0);
-    List<String> keys = provider.getKeys();
-    assertEquals("Expected NN to have created one key per zone", 1,
-        keys.size());
-    List<KeyProvider.KeyVersion> allVersions = Lists.newArrayList();
-    for (String key : keys) {
-      List<KeyProvider.KeyVersion> versions = provider.getKeyVersions(key);
-      assertEquals("Should only have one key version per key", 1,
-          versions.size());
-      allVersions.addAll(versions);
-    }
-    // Check that the specified CipherSuite was correctly saved on the NN
-    for (int i=2; i<=3; i++) {
-      FileEncryptionInfo feInfo =
-          getFileEncryptionInfo(new Path(zone.toString() +
-              "/success" + i));
-      assertEquals(feInfo.getCipherSuite(), CipherSuite.AES_CTR_NOPADDING);
-    }
-  }
-
-  private void validateFiles(Path p1, Path p2, int len) throws Exception {
-    FSDataInputStream in1 = fs.open(p1);
-    FSDataInputStream in2 = fs.open(p2);
-    for (int i=0; i<len; i++) {
-      assertEquals("Mismatch at byte " + i, in1.read(), in2.read());
-    }
-    in1.close();
-    in2.close();
-  }
-
-  private FileEncryptionInfo getFileEncryptionInfo(Path path) throws Exception {
-    LocatedBlocks blocks = fs.getClient().getLocatedBlocks(path.toString(), 0);
-    return blocks.getFileEncryptionInfo();
-  }
-
-  @Test(timeout = 120000)
-  public void testReadWrite() throws Exception {
-    final HdfsAdmin dfsAdmin =
-        new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
-    // Create a base file for comparison
-    final Path baseFile = new Path("/base");
-    final int len = 8192;
-    DFSTestUtil.createFile(fs, baseFile, len, (short) 1, 0xFEED);
-    // Create the first enc file
-    final Path zone = new Path("/zone");
-    fs.mkdirs(zone);
-    dfsAdmin.createEncryptionZone(zone, null);
-    final Path encFile1 = new Path(zone, "myfile");
-    DFSTestUtil.createFile(fs, encFile1, len, (short) 1, 0xFEED);
-    // Read them back in and compare byte-by-byte
-    validateFiles(baseFile, encFile1, len);
-    // Roll the key of the encryption zone
-    List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
-    assertEquals("Expected 1 EZ", 1, zones.size());
-    String keyId = zones.get(0).getKeyId();
-    cluster.getNamesystem().getProvider().rollNewVersion(keyId);
-    cluster.getNamesystem().getFSDirectory().ezManager.kickMonitor();
-    // Read them back in and compare byte-by-byte
-    validateFiles(baseFile, encFile1, len);
-    // Write a new enc file and validate
-    final Path encFile2 = new Path(zone, "myfile2");
-    DFSTestUtil.createFile(fs, encFile2, len, (short) 1, 0xFEED);
-    // FEInfos should be different
-    FileEncryptionInfo feInfo1 = getFileEncryptionInfo(encFile1);
-    FileEncryptionInfo feInfo2 = getFileEncryptionInfo(encFile2);
-    assertFalse("EDEKs should be different", Arrays.equals(
-        feInfo1.getEncryptedDataEncryptionKey(),
-        feInfo2.getEncryptedDataEncryptionKey()));
-    assertNotEquals("Key was rolled, versions should be different",
-        feInfo1.getEzKeyVersionName(), feInfo2.getEzKeyVersionName());
-    // Contents still equal
-    validateFiles(encFile1, encFile2, len);
-  }
-}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFileContextEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFileContextEncryptionZones.java
deleted file mode 100644
index da283f5f85b..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFileContextEncryptionZones.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.hdfs.server.namenode;
-
-import java.io.IOException;
-import java.net.URI;
-import java.util.EnumSet;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.FileContext;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.fs.XAttrSetFlag;
-import org.apache.hadoop.hdfs.DFSConfigKeys;
-import org.apache.hadoop.hdfs.DistributedFileSystem;
-import org.apache.hadoop.hdfs.TestEncryptionZonesAPI;
-import org.junit.BeforeClass;
-
-/**
- * Tests of encryption zone operations using FileContext APIs.
- */
-public class TestFileContextEncryptionZones extends TestEncryptionZonesAPI  {
-
-  @Override
-  protected FileSystem createFileSystem(Configuration conf) throws IOException {
-    FileContextFS fcFs = new FileContextFS();
-    fcFs.initialize(FileSystem.getDefaultUri(conf), conf);
-    return fcFs;
-  }
-
-  /**
-   * This reuses FSXAttrBaseTest's testcases by creating a filesystem
-   * implementation which uses FileContext by only overriding the xattr related
-   * methods. Other operations will use the normal filesystem.
-   */
-  public static class FileContextFS extends DistributedFileSystem {
-
-    private FileContext fc;
-
-    @Override
-    public void initialize(URI uri, Configuration conf) throws IOException {
-      super.initialize(uri, conf);
-      fc = FileContext.getFileContext(conf);
-    }
-
-    @Override
-    public boolean rename(Path src, Path dst) throws IOException {
-      fc.rename(src, dst);
-      return true;
-    }
-  }
-}

From beb0c19cde5db554c4a665cce0a16188070c6a7b Mon Sep 17 00:00:00 2001
From: Yi Liu <yliu@apache.org>
Date: Wed, 16 Jul 2014 00:36:30 +0000
Subject: [PATCH 034/354] HADOOP-10735. Fall back AesCtrCryptoCodec
 implementation from OpenSSL to JCE if non native support. (yliu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1610887 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |  3 +
 .../org/apache/hadoop/crypto/CipherSuite.java | 10 +++
 .../org/apache/hadoop/crypto/CryptoCodec.java | 63 +++++++++++++++++--
 .../crypto/OpensslAesCtrCryptoCodec.java      |  3 +
 .../fs/CommonConfigurationKeysPublic.java     | 10 +++
 .../src/main/resources/core-default.xml       | 16 ++++-
 ...toStreamsWithOpensslAesCtrCryptoCodec.java |  3 +-
 7 files changed, 100 insertions(+), 8 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index f133f813136..aa65991d2e9 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -37,6 +37,9 @@ fs-encryption (Unreleased)
     HADOOP-10803. Update OpensslCipher#getInstance to accept CipherSuite#name
     format. (Yi Liu)
 
+    HADOOP-10735. Fall back AesCtrCryptoCodec implementation from OpenSSL to
+    JCE if non native support. (Yi Liu)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
index 9c4b8fdd8d4..c75311aef65 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
@@ -72,4 +72,14 @@ public String toString() {
     builder.append("}");
     return builder.toString();
   }
+  
+  public static void checkName(String name) {
+    CipherSuite[] suites = CipherSuite.values();
+    for (CipherSuite suite : suites) {
+      if (suite.getName().equals(name)) {
+        return;
+      }
+    }
+    throw new IllegalArgumentException("Invalid cipher suite name: " + name);
+  }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
index 80e15cd6b70..45c06f02daa 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
@@ -18,13 +18,23 @@
 package org.apache.hadoop.crypto;
 
 import java.security.GeneralSecurityException;
+import java.util.List;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configurable;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.util.ReflectionUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Splitter;
+import com.google.common.collect.Lists;
+
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASS_DEFAULT;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_DEFAULT;
 
 /**
  * Crypto codec class, encapsulates encryptor/decryptor pair.
@@ -32,12 +42,57 @@
 @InterfaceAudience.Private
 @InterfaceStability.Evolving
 public abstract class CryptoCodec implements Configurable {
+  public static Logger LOG = LoggerFactory.getLogger(CryptoCodec.class);
   
   public static CryptoCodec getInstance(Configuration conf) {
-    final Class<? extends CryptoCodec> klass = conf.getClass(
-        HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY, JceAesCtrCryptoCodec.class, 
-        CryptoCodec.class);
-    return ReflectionUtils.newInstance(klass, conf);
+    List<Class<? extends CryptoCodec>> klasses = getCodecClasses(conf);
+    String name = conf.get(HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY, 
+        HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_DEFAULT);
+    CipherSuite.checkName(name);
+    CryptoCodec codec = null;
+    for (Class<? extends CryptoCodec> klass : klasses) {
+      try {
+        CryptoCodec c = ReflectionUtils.newInstance(klass, conf);
+        if (c.getCipherSuite().getName().equalsIgnoreCase(name)) {
+          if (codec == null) {
+            LOG.debug("Using crypto codec {}.", klass.getName());
+            codec = c;
+          }
+        } else {
+          LOG.warn("Crypto codec {} doesn't meet the cipher suite {}.", 
+              klass.getName(), name);
+        }
+      } catch (Exception e) {
+        LOG.warn("Crypto codec {} is not available.", klass.getName());
+      }
+    }
+    
+    if (codec != null) {
+      return codec;
+    }
+    
+    throw new RuntimeException("No available crypto codec which meets " + 
+        "the cipher suite " + name + ".");
+  }
+  
+  private static List<Class<? extends CryptoCodec>> getCodecClasses(
+      Configuration conf) {
+    List<Class<? extends CryptoCodec>> result = Lists.newArrayList();
+    String codecString = conf.get(HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY,
+        HADOOP_SECURITY_CRYPTO_CODEC_CLASS_DEFAULT);
+    for (String c : Splitter.on(',').trimResults().omitEmptyStrings().
+        split(codecString)) {
+      try {
+        Class<?> cls = conf.getClassByName(c);
+        result.add(cls.asSubclass(CryptoCodec.class));
+      } catch (ClassCastException e) {
+        LOG.warn("Class " + c + " is not a CryptoCodec.");
+      } catch (ClassNotFoundException e) {
+        LOG.warn("Crypto codec " + c + " not found.");
+      }
+    }
+    
+    return result;
   }
 
   /**
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
index 04c2db09e1e..7db7b063e5c 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
@@ -47,6 +47,9 @@ public class OpensslAesCtrCryptoCodec extends AesCtrCryptoCodec {
   private Random random;
   
   public OpensslAesCtrCryptoCodec() {
+    if (!OpensslCipher.isNativeCodeLoaded()) {
+      throw new RuntimeException("Failed to load OpenSSL Cipher.");
+    }
   }
 
   @Override
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
index 9691539821b..35c3bce6c79 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
@@ -285,6 +285,14 @@ public class CommonConfigurationKeysPublic {
   /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY =
     "hadoop.security.crypto.codec.class";
+  public static final String HADOOP_SECURITY_CRYPTO_CODEC_CLASS_DEFAULT = 
+    "org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec," +
+    "org.apache.hadoop.crypto.JceAesCtrCryptoCodec";
+  /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
+  public static final String HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY =
+    "hadoop.security.crypto.cipher.suite";
+  public static final String HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_DEFAULT = 
+    "AES/CTR/NoPadding";
   /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY =
       "hadoop.security.crypto.jce.provider";
@@ -302,8 +310,10 @@ public class CommonConfigurationKeysPublic {
   /** Defalt value for HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_KEY */
   public static final String HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_DEFAULT = 
       "SHA1PRNG";
+  /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String HADOOP_SECURITY_SECURE_RANDOM_IMPL_KEY = 
       "hadoop.security.secure.random.impl";
+  /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String HADOOP_SECURITY_SECURE_RANDOM_DEVICE_FILE_PATH_KEY = 
       "hadoop.security.random.device.file.path";
   public static final String HADOOP_SECURITY_SECURE_RANDOM_DEVICE_FILE_PATH_DEFAULT = 
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index 224fb12e921..3c93ab8f111 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -1453,10 +1453,20 @@ for ldap providers in the same way as above does.
 
 <property>
   <name>hadoop.security.crypto.codec.class</name>
-  <value></value>
+  <value>org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec,
+  org.apache.hadoop.crypto.JceAesCtrCryptoCodec</value>
   <description>
-    The default implementation of CryptoCodec which is used for encryption 
-    and decryption. 
+    Comma list of CryptoCodec implementations which are used for encryption 
+    and decryption. The first implementation will be used if avaiable, others
+    are fallbacks.
+  </description>
+</property>
+
+<property>
+  <name>hadoop.security.crypto.cipher.suite</name>
+  <value>AES/CTR/NoPadding</value>
+  <description>
+    Cipher suite for crypto codec.
   </description>
 </property>
 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java
index 8150d57ee66..4e962cb42d5 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java
@@ -29,7 +29,8 @@ public class TestCryptoStreamsWithOpensslAesCtrCryptoCodec
   public static void init() throws Exception {
     Configuration conf = new Configuration();
     conf.set(HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY, 
-        OpensslAesCtrCryptoCodec.class.getName());
+        OpensslAesCtrCryptoCodec.class.getName() + "," + 
+            JceAesCtrCryptoCodec.class.getName());
     codec = CryptoCodec.getInstance(conf);
   }
 }

From 77f0e2cca57f74fc66d92ff240f64eed73c5e528 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Wed, 16 Jul 2014 19:04:06 +0000
Subject: [PATCH 035/354] HDFS-6405. Test Crypto streams in HDFS. (yliu via
 wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1611140 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop/crypto/CryptoStreamsTestBase.java  | 20 ++++
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  2 +
 .../hdfs/crypto/TestHdfsCryptoStreams.java    | 91 +++++++++++++++++++
 3 files changed, 113 insertions(+)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/crypto/TestHdfsCryptoStreams.java

diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java
index f5a8ad49ec5..f5acc73b147 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/CryptoStreamsTestBase.java
@@ -28,6 +28,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.fs.ByteBufferReadable;
+import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.HasEnhancedByteBufferAccess;
 import org.apache.hadoop.fs.PositionedReadable;
 import org.apache.hadoop.fs.ReadOption;
@@ -146,6 +147,25 @@ private void readCheck(InputStream in) throws Exception {
     in.close();
   }
   
+  /** Test crypto writing with different buffer size. */
+  @Test(timeout = 120000)
+  public void testWrite() throws Exception {
+    // Default buffer size
+    writeCheck(defaultBufferSize);
+
+    // Small buffer size
+    writeCheck(smallBufferSize);
+  }
+
+  private void writeCheck(int bufferSize) throws Exception {
+    OutputStream out = getOutputStream(bufferSize);
+    writeData(out);
+
+    if (out instanceof FSDataOutputStream) {
+      Assert.assertEquals(((FSDataOutputStream) out).getPos(), getDataLen());
+    }
+  }
+
   /** Test crypto with different IV. */
   @Test(timeout=120000)
   public void testCryptoIV() throws Exception {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 0b7986a470b..f40841715e5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -44,6 +44,8 @@ fs-encryption (Unreleased)
 
     HDFS-6619. Clean up encryption-related tests. (wang)
 
+    HDFS-6405. Test Crypto streams in HDFS. (yliu via wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/crypto/TestHdfsCryptoStreams.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/crypto/TestHdfsCryptoStreams.java
new file mode 100644
index 00000000000..35c13e65b51
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/crypto/TestHdfsCryptoStreams.java
@@ -0,0 +1,91 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.crypto;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CryptoCodec;
+import org.apache.hadoop.crypto.CryptoStreamsTestBase;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.crypto.CryptoFSDataInputStream;
+import org.apache.hadoop.fs.crypto.CryptoFSDataOutputStream;
+import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hdfs.HdfsConfiguration;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+
+public class TestHdfsCryptoStreams extends CryptoStreamsTestBase {
+  private static MiniDFSCluster dfsCluster;
+  private static FileSystem fs;
+  private static int pathCount = 0;
+  private static Path path;
+  private static Path file;
+
+  @BeforeClass
+  public static void init() throws Exception {
+    Configuration conf = new HdfsConfiguration();
+    dfsCluster = new MiniDFSCluster.Builder(conf).build();
+    dfsCluster.waitClusterUp();
+    fs = dfsCluster.getFileSystem();
+    codec = CryptoCodec.getInstance(conf);
+  }
+
+  @AfterClass
+  public static void shutdown() throws Exception {
+    if (dfsCluster != null) {
+      dfsCluster.shutdown();
+    }
+  }
+
+  @Before
+  @Override
+  public void setUp() throws IOException {
+    ++pathCount;
+    path = new Path("/p" + pathCount);
+    file = new Path(path, "file");
+    FileSystem.mkdirs(fs, path, FsPermission.createImmutable((short) 0700));
+
+    super.setUp();
+  }
+
+  @After
+  public void cleanUp() throws IOException {
+    fs.delete(path, true);
+  }
+
+  @Override
+  protected OutputStream getOutputStream(int bufferSize, byte[] key, byte[] iv)
+      throws IOException {
+    return new CryptoFSDataOutputStream(fs.create(file), codec, bufferSize,
+        key, iv);
+  }
+
+  @Override
+  protected InputStream getInputStream(int bufferSize, byte[] key, byte[] iv)
+      throws IOException {
+    return new CryptoFSDataInputStream(fs.open(file), codec, bufferSize, key,
+        iv);
+  }
+}

From 962ef6939e55f9e9643ef8a04ffc5877b8a762fc Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Fri, 18 Jul 2014 17:13:55 +0000
Subject: [PATCH 036/354] HDFS-6490. Fix the keyid format for generated keys in
 FSNamesystem.createEncryptionZone (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1611722 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  3 +++
 .../hdfs/server/namenode/FSNamesystem.java    | 25 +++++++++++++------
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index f40841715e5..4803dcbc809 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -46,6 +46,9 @@ fs-encryption (Unreleased)
 
     HDFS-6405. Test Crypto streams in HDFS. (yliu via wang)
 
+    HDFS-6490. Fix the keyid format for generated keys in
+    FSNamesystem.createEncryptionZone (clamb)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index fa52d3e5452..387c372404c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -420,6 +420,8 @@ private void logAuditEvent(boolean succeeded,
   private final CacheManager cacheManager;
   private final DatanodeStatistics datanodeStatistics;
 
+  private String nameserviceId;
+
   private RollingUpgradeInfo rollingUpgradeInfo = null;
   /**
    * A flag that indicates whether the checkpointer should checkpoint a rollback
@@ -791,7 +793,7 @@ static FSNamesystem loadFromDisk(Configuration conf) throws IOException {
 
       // block allocation has to be persisted in HA using a shared edits directory
       // so that the standby has up-to-date namespace information
-      String nameserviceId = DFSUtil.getNamenodeNameServiceId(conf);
+      nameserviceId = DFSUtil.getNamenodeNameServiceId(conf);
       this.haEnabled = HAUtil.isHAEnabled(conf, nameserviceId);  
       
       // Sanity check the HA-related config.
@@ -8502,22 +8504,31 @@ private void createEncryptionZoneInt(final String srcArg, String keyId,
   /**
    * Create a new key on the KeyProvider for an encryption zone.
    *
-   * @param keyId id of the key
+   * @param keyIdArg id of the key
    * @param src path of the encryption zone.
    * @return KeyVersion of the created key
    * @throws IOException
    */
-  private KeyVersion createNewKey(String keyId, String src)
+  private KeyVersion createNewKey(String keyIdArg, String src)
     throws IOException {
-    Preconditions.checkNotNull(keyId);
+    Preconditions.checkNotNull(keyIdArg);
     Preconditions.checkNotNull(src);
-    // TODO pass in hdfs://HOST:PORT (HDFS-6490)
-    providerOptions.setDescription(src);
+    final StringBuilder sb = new StringBuilder("hdfs://");
+    if (nameserviceId != null) {
+      sb.append(nameserviceId);
+    }
+    sb.append(src);
+    if (!src.endsWith("/")) {
+      sb.append('/');
+    }
+    sb.append(keyIdArg);
+    final String keyId = sb.toString();
+    providerOptions.setDescription(keyId);
     providerOptions.setBitLength(codec.getCipherSuite()
         .getAlgorithmBlockSize()*8);
     KeyVersion version = null;
     try {
-      version = provider.createKey(keyId, providerOptions);
+      version = provider.createKey(keyIdArg, providerOptions);
     } catch (NoSuchAlgorithmException e) {
       throw new IOException(e);
     }

From a4984f5f0a21fb9f3c84d8f959b8009264a43db2 Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Mon, 21 Jul 2014 23:56:53 +0000
Subject: [PATCH 037/354] HADOOP-10871. incorrect prototype in
 OpensslSecureRandom.c (cmccabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1612436 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt               | 2 ++
 .../org/apache/hadoop/crypto/random/OpensslSecureRandom.c | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index aa65991d2e9..4c365bf0aeb 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -43,3 +43,5 @@ fs-encryption (Unreleased)
   OPTIMIZATIONS
 
   BUG FIXES
+
+    HADOOP-10871. incorrect prototype in OpensslSecureRandom.c (cmccabe)
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
index ee09aedff8b..6c31d10599c 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
@@ -82,7 +82,7 @@ static __dlsym_RAND_bytes dlsym_RAND_bytes;
 static __dlsym_ERR_get_error dlsym_ERR_get_error;
 #endif
 
-static ENGINE * openssl_rand_init();
+static ENGINE * openssl_rand_init(void);
 static void openssl_rand_clean(ENGINE *eng, int clean_locks);
 static int openssl_rand_bytes(unsigned char *buf, int num);
 
@@ -157,7 +157,7 @@ JNIEXPORT void JNICALL Java_org_apache_hadoop_crypto_random_OpensslSecureRandom_
                       env, openssl, "ERR_get_error");
 #endif
 
-  openssl_rand_init(env);
+  openssl_rand_init();
 }
 
 JNIEXPORT jboolean JNICALL Java_org_apache_hadoop_crypto_random_OpensslSecureRandom_nextRandBytes___3B
@@ -283,7 +283,7 @@ static unsigned long pthreads_thread_id(void)
  * If using an Intel chipset with RDRAND, the high-performance hardware
  * random number generator will be used.
  */
-static ENGINE * openssl_rand_init()
+static ENGINE * openssl_rand_init(void)
 {
   locks_setup();
   
@@ -332,4 +332,4 @@ static void openssl_rand_clean(ENGINE *eng, int clean_locks)
 static int openssl_rand_bytes(unsigned char *buf, int num)
 {
   return dlsym_RAND_bytes(buf, num);
-}
\ No newline at end of file
+}

From 7b466b3b7087a7b8c6e4e466600f6e13284e0dee Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 22 Jul 2014 00:27:51 +0000
Subject: [PATCH 038/354] HDFS-6716. Update usage of KeyProviderCryptoExtension
 APIs on NameNode. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1612438 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   3 +
 .../org/apache/hadoop/hdfs/DFSConfigKeys.java |   2 -
 .../namenode/EncryptionZoneManager.java       | 188 ++----------------
 .../hdfs/server/namenode/FSDirectory.java     |  21 +-
 .../hdfs/server/namenode/FSNamesystem.java    | 128 ++++++------
 .../src/main/resources/hdfs-default.xml       |  11 -
 .../hadoop/hdfs/TestEncryptionZones.java      |   1 -
 7 files changed, 83 insertions(+), 271 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 4803dcbc809..24cfbfb5b20 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -49,6 +49,9 @@ fs-encryption (Unreleased)
     HDFS-6490. Fix the keyid format for generated keys in
     FSNamesystem.createEncryptionZone (clamb)
 
+    HDFS-6716. Update usage of KeyProviderCryptoExtension APIs on NameNode.
+    (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
index 86eda952096..2c0bdb0794f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
@@ -563,8 +563,6 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
   public static final String DFS_TRUSTEDCHANNEL_RESOLVER_CLASS = "dfs.trustedchannel.resolver.class";
   public static final String DFS_DATA_TRANSFER_PROTECTION_KEY = "dfs.data.transfer.protection";
   public static final String DFS_DATA_TRANSFER_SASL_PROPS_RESOLVER_CLASS_KEY = "dfs.data.transfer.saslproperties.resolver.class";
-  public static final String DFS_NAMENODE_KEY_VERSION_REFRESH_INTERVAL_MS_KEY = "dfs.namenode.key.version.refresh.interval.ms";
-  public static final int DFS_NAMENODE_KEY_VERSION_REFRESH_INTERVAL_MS_DEFAULT = 5*60*1000;
   
   // Journal-node related configs. These are read on the JN side.
   public static final String  DFS_JOURNALNODE_EDITS_DIR_KEY = "dfs.journalnode.edits.dir";
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
index faba3a929c0..890200d787b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@@ -3,27 +3,16 @@
 import java.io.IOException;
 import java.util.EnumSet;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
 
-import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-import com.google.common.util.concurrent.ThreadFactoryBuilder;
-import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.fs.UnresolvedLinkException;
 import org.apache.hadoop.fs.XAttr;
 import org.apache.hadoop.fs.XAttrSetFlag;
-import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.XAttrHelper;
 import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.SnapshotAccessControlException;
@@ -53,37 +42,16 @@ public class EncryptionZoneManager {
    * contains the EZ's pathname.
    */
   private class EncryptionZoneInt {
-    private final String keyId;
+    private final String keyName;
     private final long inodeId;
 
-    private final HashSet<KeyVersion> keyVersions;
-    private KeyVersion latestVersion;
-
-    EncryptionZoneInt(long inodeId, String keyId) {
-      this.keyId = keyId;
+    EncryptionZoneInt(long inodeId, String keyName) {
+      this.keyName = keyName;
       this.inodeId = inodeId;
-      keyVersions = Sets.newHashSet();
-      latestVersion = null;
     }
 
-    KeyVersion getLatestKeyVersion() {
-      return latestVersion;
-    }
-
-    void addKeyVersion(KeyVersion version) {
-      Preconditions.checkNotNull(version);
-      if (!keyVersions.contains(version)) {
-        LOG.debug("Key {} has new key version {}", keyId, version);
-        keyVersions.add(version);
-      }
-      // Always set the latestVersion to not get stuck on an old version in
-      // racy situations. Should eventually converge thanks to the
-      // monitor.
-      latestVersion = version;
-    }
-
-    String getKeyId() {
-      return keyId;
+    String getKeyName() {
+      return keyName;
     }
 
     long getINodeId() {
@@ -123,7 +91,6 @@ public boolean hasReadLock() {
 
   private final Map<Long, EncryptionZoneInt> encryptionZones;
   private final FSDirectory dir;
-  private final ScheduledExecutorService monitor;
   private final KeyProvider provider;
 
   /**
@@ -131,118 +98,11 @@ public boolean hasReadLock() {
    *
    * @param dir Enclosing FSDirectory
    */
-  public EncryptionZoneManager(FSDirectory dir, Configuration conf,
-      KeyProvider provider) {
-
+  public EncryptionZoneManager(FSDirectory dir, KeyProvider provider) {
     this.dir = dir;
     this.provider = provider;
     lock = new ReentrantReadWriteLock();
     encryptionZones = new HashMap<Long, EncryptionZoneInt>();
-
-    monitor = Executors.newScheduledThreadPool(1,
-        new ThreadFactoryBuilder()
-            .setDaemon(true)
-            .setNameFormat(EncryptionZoneMonitor.class.getSimpleName() + "-%d")
-            .build());
-    final int refreshMs = conf.getInt(
-        DFSConfigKeys.DFS_NAMENODE_KEY_VERSION_REFRESH_INTERVAL_MS_KEY,
-        DFSConfigKeys.DFS_NAMENODE_KEY_VERSION_REFRESH_INTERVAL_MS_DEFAULT
-    );
-    Preconditions.checkArgument(refreshMs >= 0, "%s cannot be negative",
-        DFSConfigKeys.DFS_NAMENODE_KEY_VERSION_REFRESH_INTERVAL_MS_KEY);
-    monitor.scheduleAtFixedRate(new EncryptionZoneMonitor(), 0, refreshMs,
-        TimeUnit.MILLISECONDS);
-  }
-
-  /**
-   * Periodically wakes up to fetch the latest version of each encryption
-   * zone key.
-   */
-  private class EncryptionZoneMonitor implements Runnable {
-    @Override
-    public void run() {
-      LOG.debug("Monitor waking up to refresh encryption zone key versions");
-      HashMap<Long, String> toFetch = Maps.newHashMap();
-      HashMap<Long, KeyVersion> toUpdate =
-          Maps.newHashMap();
-      // Determine the keyIds to fetch
-      readLock();
-      try {
-        for (EncryptionZoneInt ezi : encryptionZones.values()) {
-          toFetch.put(ezi.getINodeId(), ezi.getKeyId());
-        }
-      } finally {
-        readUnlock();
-      }
-      LOG.trace("Found {} keys to check", toFetch.size());
-      // Fetch the key versions while not holding the lock
-      for (Map.Entry<Long, String> entry : toFetch.entrySet()) {
-        try {
-          KeyVersion version = provider.getCurrentKey(entry.getValue());
-          toUpdate.put(entry.getKey(), version);
-        } catch (IOException e) {
-          LOG.warn("Error while getting the current key for {} {}",
-              entry.getValue(), e);
-        }
-      }
-      LOG.trace("Fetched {} key versions from KeyProvider", toUpdate.size());
-      // Update the key versions for each encryption zone
-      writeLock();
-      try {
-        for (Map.Entry<Long, KeyVersion> entry : toUpdate.entrySet()) {
-          EncryptionZoneInt ezi = encryptionZones.get(entry.getKey());
-          // zone might have been removed in the intervening time
-          if (ezi == null) {
-            continue;
-          }
-          ezi.addKeyVersion(entry.getValue());
-        }
-      } finally {
-        writeUnlock();
-      }
-    }
-  }
-
-  /**
-   * Forces the EncryptionZoneMonitor to run, waiting until completion.
-   */
-  @VisibleForTesting
-  public void kickMonitor() throws Exception {
-    Future future = monitor.submit(new EncryptionZoneMonitor());
-    future.get();
-  }
-
-  /**
-   * Immediately fetches the latest KeyVersion for an encryption zone,
-   * also updating the encryption zone.
-   *
-   * @param iip of the encryption zone
-   * @return latest KeyVersion
-   * @throws IOException on KeyProvider error
-   */
-  KeyVersion updateLatestKeyVersion(INodesInPath iip) throws IOException {
-    EncryptionZoneInt ezi;
-    readLock();
-    try {
-      ezi = getEncryptionZoneForPath(iip);
-    } finally {
-      readUnlock();
-    }
-    if (ezi == null) {
-      throw new IOException("Cannot update KeyVersion since iip is not within" +
-          " an encryption zone");
-    }
-
-    // Do not hold the lock while doing KeyProvider operations
-    KeyVersion version = provider.getCurrentKey(ezi.getKeyId());
-
-    writeLock();
-    try {
-      ezi.addKeyVersion(version);
-      return version;
-    } finally {
-      writeUnlock();
-    }
   }
 
   /**
@@ -305,37 +165,20 @@ private String getFullPathName(EncryptionZoneInt ezi) {
     return dir.getInode(ezi.getINodeId()).getFullPathName();
   }
 
-  KeyVersion getLatestKeyVersion(final INodesInPath iip) {
+  /**
+   * Get the key name for an encryption zone. Returns null if <tt>iip</tt> is
+   * not within an encryption zone.
+   * <p/>
+   * Called while holding the FSDirectory lock.
+   */
+  String getKeyName(final INodesInPath iip) {
     readLock();
     try {
       EncryptionZoneInt ezi = getEncryptionZoneForPath(iip);
       if (ezi == null) {
         return null;
       }
-      return ezi.getLatestKeyVersion();
-    } finally {
-      readUnlock();
-    }
-  }
-
-  /**
-   * @return true if the provided <tt>keyVersionName</tt> is the name of a
-   * valid KeyVersion for the encryption zone of <tt>iip</tt>,
-   * and <tt>iip</tt> is within an encryption zone.
-   */
-  boolean isValidKeyVersion(final INodesInPath iip, String keyVersionName) {
-    readLock();
-    try {
-      EncryptionZoneInt ezi = getEncryptionZoneForPath(iip);
-      if (ezi == null) {
-        return false;
-      }
-      for (KeyVersion ezVersion : ezi.keyVersions) {
-        if (keyVersionName.equals(ezVersion.getVersionName())) {
-          return true;
-        }
-      }
-      return false;
+      return ezi.getKeyName();
     } finally {
       readUnlock();
     }
@@ -447,7 +290,6 @@ XAttr createEncryptionZone(String src, String keyId, KeyVersion keyVersion)
       dir.unprotectedSetXAttrs(src, xattrs, EnumSet.of(XAttrSetFlag.CREATE));
       // Re-get the new encryption zone add the latest key version
       ezi = getEncryptionZoneForPath(srcIIP);
-      ezi.addKeyVersion(keyVersion);
       return keyIdXAttr;
     } finally {
       writeUnlock();
@@ -466,7 +308,7 @@ List<EncryptionZone> listEncryptionZones() throws IOException {
       final List<EncryptionZone> ret =
           Lists.newArrayListWithExpectedSize(encryptionZones.size());
       for (EncryptionZoneInt ezi : encryptionZones.values()) {
-        ret.add(new EncryptionZone(getFullPathName(ezi), ezi.getKeyId()));
+        ret.add(new EncryptionZone(getFullPathName(ezi), ezi.getKeyName()));
       }
       return ret;
     } finally {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index b7a7857a269..4b13da6a513 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -227,7 +227,7 @@ public int getWriteHoldCount() {
     nameCache = new NameCache<ByteArray>(threshold);
     namesystem = ns;
 
-    ezManager = new EncryptionZoneManager(this, conf, ns.getProvider());
+    ezManager = new EncryptionZoneManager(this, ns.getProvider());
   }
     
   private FSNamesystem getFSNamesystem() {
@@ -2623,25 +2623,10 @@ boolean isInAnEZ(INodesInPath iip)
     }
   }
 
-  KeyVersion getLatestKeyVersion(INodesInPath iip) {
+  String getKeyName(INodesInPath iip) {
     readLock();
     try {
-      return ezManager.getLatestKeyVersion(iip);
-    } finally {
-      readUnlock();
-    }
-  }
-
-  KeyVersion updateLatestKeyVersion(INodesInPath iip) throws
-      IOException {
-    // No locking, this operation does not involve any FSDirectory operations
-    return ezManager.updateLatestKeyVersion(iip);
-  }
-
-  boolean isValidKeyVersion(INodesInPath iip, String keyVersionName) {
-    readLock();
-    try {
-      return ezManager.isValidKeyVersion(iip, keyVersionName);
+      return ezManager.getKeyName(iip);
     } finally {
       readUnlock();
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 10a4db3d31e..9c3f1320b7d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -18,6 +18,8 @@
 package org.apache.hadoop.hdfs.server.namenode;
 
 import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
+import static org.apache.hadoop.crypto.key.KeyProviderCryptoExtension
+    .EncryptedKeyVersion;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.FS_TRASH_INTERVAL_DEFAULT;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.FS_TRASH_INTERVAL_KEY;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.IO_FILE_BUFFER_SIZE_DEFAULT;
@@ -2356,59 +2358,26 @@ private CipherSuite chooseCipherSuite(INodesInPath srcIIP, List<CipherSuite>
   }
 
   /**
-   * Create a new FileEncryptionInfo for a path. Also chooses an
-   * appropriate CipherSuite to use from the list provided by the
-   * client.
+   * Invoke KeyProvider APIs to generate an encrypted data encryption key for an
+   * encryption zone. Should not be called with any locks held.
    *
-   * @param src Target path
-   * @param pathComponents Target path split up into path components
-   * @param cipherSuites List of CipherSuites provided by the client
-   * @return a new FileEncryptionInfo, or null if path is not within an
-   * encryption
-   * zone.
+   * @param ezKeyName key name of an encryption zone
+   * @return New EDEK, or null if ezKeyName is null
    * @throws IOException
    */
-  private FileEncryptionInfo newFileEncryptionInfo(String src,
-      byte[][] pathComponents, List<CipherSuite> cipherSuites)
-      throws IOException {
-    INodesInPath iip = null;
-    CipherSuite suite = null;
-    KeyVersion latestEZKeyVersion = null;
-    readLock();
-    try {
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
-      iip = dir.getINodesInPath4Write(src);
-      // Nothing to do if the path is not within an EZ
-      if (!dir.isInAnEZ(iip)) {
-        return null;
-      }
-      suite = chooseCipherSuite(iip, cipherSuites);
-      if (suite != null) {
-        Preconditions.checkArgument(!suite.equals(CipherSuite.UNKNOWN),
-            "Chose an UNKNOWN CipherSuite!");
-      }
-      latestEZKeyVersion = dir.getLatestKeyVersion(iip);
-    } finally {
-      readUnlock();
+  private EncryptedKeyVersion generateEncryptedDataEncryptionKey(String
+      ezKeyName) throws IOException {
+    if (ezKeyName == null) {
+      return null;
     }
-
-    // If the latest key version is null, need to fetch it and update
-    if (latestEZKeyVersion == null) {
-      latestEZKeyVersion = dir.updateLatestKeyVersion(iip);
-    }
-    Preconditions.checkState(latestEZKeyVersion != null);
-
-    // Generate the EDEK while not holding the lock
-    KeyProviderCryptoExtension.EncryptedKeyVersion edek = null;
+    EncryptedKeyVersion edek = null;
     try {
-      edek = provider.generateEncryptedKey("");
+      edek = provider.generateEncryptedKey(ezKeyName);
     } catch (GeneralSecurityException e) {
       throw new IOException(e);
     }
     Preconditions.checkNotNull(edek);
-
-    return new FileEncryptionInfo(suite, edek.getEncryptedKey().getMaterial(),
-        edek.getIv(), edek.getKeyVersionName());
+    return edek;
   }
 
   /**
@@ -2490,11 +2459,11 @@ private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
     waitForLoadingFSImage();
 
     /*
-     * We want to avoid holding any locks while creating a new
-     * FileEncryptionInfo, since this can be very slow. Since the path can
+     * We want to avoid holding any locks while doing KeyProvider operations,
+     * since they can be very slow. Since the path can
      * flip flop between being in an encryption zone and not in the meantime,
-     * we need to recheck the preconditions and generate a new
-     * FileEncryptionInfo in some circumstances.
+     * we need to recheck the preconditions and redo KeyProvider operations
+     * in some situations.
      *
      * A special RetryStartFileException is used to indicate that we should
      * retry creation of a FileEncryptionInfo.
@@ -2510,18 +2479,45 @@ private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
         }
         shouldContinue = false;
         iters++;
-        // Optimistically generate a FileEncryptionInfo for this path.
-        FileEncryptionInfo feInfo =
-            newFileEncryptionInfo(src, pathComponents, cipherSuites);
 
-        // Try to create the file with this feInfo
+        // Optimistically determine CipherSuite and ezKeyName if the path is
+        // currently within an encryption zone
+        CipherSuite suite = null;
+        String ezKeyName = null;
+        readLock();
+        try {
+          src = FSDirectory.resolvePath(src, pathComponents, dir);
+          INodesInPath iip = dir.getINodesInPath4Write(src);
+          // Nothing to do if the path is not within an EZ
+          if (dir.isInAnEZ(iip)) {
+            suite = chooseCipherSuite(iip, cipherSuites);
+            if (suite != null) {
+              Preconditions.checkArgument(!suite.equals(CipherSuite.UNKNOWN),
+                  "Chose an UNKNOWN CipherSuite!");
+            }
+            ezKeyName = dir.getKeyName(iip);
+            Preconditions.checkState(ezKeyName != null);
+          }
+        } finally {
+          readUnlock();
+        }
+
+        Preconditions.checkState(
+            (suite == null && ezKeyName == null) ||
+            (suite != null && ezKeyName != null),
+            "Both suite and ezKeyName should both be null or not null");
+        // Generate EDEK if necessary while not holding the lock
+        EncryptedKeyVersion edek =
+            generateEncryptedDataEncryptionKey(ezKeyName);
+
+        // Try to create the file with the computed cipher suite and EDEK
         writeLock();
         try {
           checkOperation(OperationCategory.WRITE);
           checkNameNodeSafeMode("Cannot create file" + src);
           src = FSDirectory.resolvePath(src, pathComponents, dir);
           startFileInternal(pc, src, permissions, holder, clientMachine, create,
-              overwrite, createParent, replication, blockSize, feInfo,
+              overwrite, createParent, replication, blockSize, suite, edek,
               logRetryCache);
           stat = dir.getFileInfo(src, false);
         } catch (StandbyException se) {
@@ -2561,8 +2557,8 @@ private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
   private void startFileInternal(FSPermissionChecker pc, String src,
       PermissionStatus permissions, String holder, String clientMachine,
       boolean create, boolean overwrite, boolean createParent,
-      short replication, long blockSize, FileEncryptionInfo feInfo,
-      boolean logRetryEntry)
+      short replication, long blockSize, CipherSuite suite,
+      EncryptedKeyVersion edek, boolean logRetryEntry)
       throws FileAlreadyExistsException, AccessControlException,
       UnresolvedLinkException, FileNotFoundException,
       ParentNotDirectoryException, RetryStartFileException, IOException {
@@ -2575,21 +2571,21 @@ private void startFileInternal(FSPermissionChecker pc, String src,
           " already exists as a directory");
     }
 
-    if (!dir.isInAnEZ(iip)) {
-      // If the path is not in an EZ, we don't need an feInfo.
-      // Null it out in case one was already generated.
-      feInfo = null;
-    } else {
-      // The path is now within an EZ, but no feInfo. Retry.
-      if (feInfo == null) {
+    FileEncryptionInfo feInfo = null;
+    if (dir.isInAnEZ(iip)) {
+      // The path is now within an EZ, but we're missing encryption parameters
+      if (suite == null || edek == null) {
         throw new RetryStartFileException();
       }
-      // It's in an EZ and we have a provided feInfo. Make sure the
-      // keyVersion of the encryption key used matches one of the keyVersions of
-      // the key of the encryption zone.
-      if (!dir.isValidKeyVersion(iip, feInfo.getEzKeyVersionName())) {
+      // Path is within an EZ and we have provided encryption parameters.
+      // Make sure that the generated EDEK matches the settings of the EZ.
+      String ezKeyName = dir.getKeyName(iip);
+      if (!ezKeyName.equals(edek.getKeyName())) {
         throw new RetryStartFileException();
       }
+      feInfo = new FileEncryptionInfo(suite, edek.getEncryptedKey()
+          .getMaterial(), edek.getIv(), edek.getKeyVersionName());
+      Preconditions.checkNotNull(feInfo);
     }
 
     final INodeFile myFile = INodeFile.valueOf(inode, src, true);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
index 5a7d4fb8324..f80b9f85e51 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
@@ -2039,15 +2039,4 @@
   </description>
 </property>
 
-<property>
-  <name>dfs.namenode.key.version.refresh.interval.ms</name>
-  <value>300000</value>
-  <description>How frequently the namenode will attempt to fetch the latest
-      key version of encryption zone keys from the configured KeyProvider, in
-      milliseconds. New key versions are created when a key is rolled. This
-      setting thus controls the window of staleness where an old key version
-      is used after a key is rolled.
-  </description>
-</property>
-
 </configuration>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
index 09ccf2860b3..cf5cec64a79 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -347,7 +347,6 @@ public void testReadWrite() throws Exception {
     assertEquals("Expected 1 EZ", 1, zones.size());
     String keyId = zones.get(0).getKeyId();
     cluster.getNamesystem().getProvider().rollNewVersion(keyId);
-    cluster.getNamesystem().getFSDirectory().ezManager.kickMonitor();
     // Read them back in and compare byte-by-byte
     validateFiles(baseFile, encFile1, len);
     // Write a new enc file and validate

From b57ec165674143daf4fa50378446a9f831d3b9d3 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 22 Jul 2014 00:55:20 +0000
Subject: [PATCH 039/354] HDFS-6718. Remove EncryptionZoneManager lock. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1612439 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   2 +
 .../namenode/EncryptionZoneManager.java       | 190 ++++++------------
 2 files changed, 65 insertions(+), 127 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 24cfbfb5b20..311e42c6dae 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -52,6 +52,8 @@ fs-encryption (Unreleased)
     HDFS-6716. Update usage of KeyProviderCryptoExtension APIs on NameNode.
     (wang)
 
+    HDFS-6718. Remove EncryptionZoneManager lock. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
index 890200d787b..0f7f61c264d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@@ -60,35 +60,6 @@ long getINodeId() {
 
   }
 
-  /**
-   * Protects the <tt>encryptionZones</tt> map and its contents.
-   */
-  private final ReentrantReadWriteLock lock;
-
-  private void readLock() {
-    lock.readLock().lock();
-  }
-
-  private void readUnlock() {
-    lock.readLock().unlock();
-  }
-
-  private void writeLock() {
-    lock.writeLock().lock();
-  }
-
-  private void writeUnlock() {
-    lock.writeLock().unlock();
-  }
-
-  public boolean hasWriteLock() {
-    return lock.isWriteLockedByCurrentThread();
-  }
-
-  public boolean hasReadLock() {
-    return lock.getReadHoldCount() > 0 || hasWriteLock();
-  }
-
   private final Map<Long, EncryptionZoneInt> encryptionZones;
   private final FSDirectory dir;
   private final KeyProvider provider;
@@ -101,7 +72,6 @@ public boolean hasReadLock() {
   public EncryptionZoneManager(FSDirectory dir, KeyProvider provider) {
     this.dir = dir;
     this.provider = provider;
-    lock = new ReentrantReadWriteLock();
     encryptionZones = new HashMap<Long, EncryptionZoneInt>();
   }
 
@@ -116,12 +86,7 @@ public EncryptionZoneManager(FSDirectory dir, KeyProvider provider) {
   void addEncryptionZone(Long inodeId, String keyId) {
     assert dir.hasWriteLock();
     final EncryptionZoneInt ez = new EncryptionZoneInt(inodeId, keyId);
-    writeLock();
-    try {
-      encryptionZones.put(inodeId, ez);
-    } finally {
-      writeUnlock();
-    }
+    encryptionZones.put(inodeId, ez);
   }
 
   /**
@@ -131,12 +96,7 @@ void addEncryptionZone(Long inodeId, String keyId) {
    */
   void removeEncryptionZone(Long inodeId) {
     assert dir.hasWriteLock();
-    writeLock();
-    try {
-      encryptionZones.remove(inodeId);
-    } finally {
-      writeUnlock();
-    }
+    encryptionZones.remove(inodeId);
   }
 
   /**
@@ -147,12 +107,7 @@ void removeEncryptionZone(Long inodeId) {
   boolean isInAnEZ(INodesInPath iip)
       throws UnresolvedLinkException, SnapshotAccessControlException {
     assert dir.hasReadLock();
-    readLock();
-    try {
-      return (getEncryptionZoneForPath(iip) != null);
-    } finally {
-      readUnlock();
-    }
+    return (getEncryptionZoneForPath(iip) != null);
   }
 
   /**
@@ -172,16 +127,12 @@ private String getFullPathName(EncryptionZoneInt ezi) {
    * Called while holding the FSDirectory lock.
    */
   String getKeyName(final INodesInPath iip) {
-    readLock();
-    try {
-      EncryptionZoneInt ezi = getEncryptionZoneForPath(iip);
-      if (ezi == null) {
-        return null;
-      }
-      return ezi.getKeyName();
-    } finally {
-      readUnlock();
+    assert dir.hasReadLock();
+    EncryptionZoneInt ezi = getEncryptionZoneForPath(iip);
+    if (ezi == null) {
+      return null;
     }
+    return ezi.getKeyName();
   }
 
   /**
@@ -191,7 +142,7 @@ String getKeyName(final INodesInPath iip) {
    * Must be called while holding the manager lock.
    */
   private EncryptionZoneInt getEncryptionZoneForPath(INodesInPath iip) {
-    assert hasReadLock();
+    assert dir.hasReadLock();
     Preconditions.checkNotNull(iip);
     final INode[] inodes = iip.getINodes();
     for (int i = inodes.length - 1; i >= 0; i--) {
@@ -220,41 +171,36 @@ private EncryptionZoneInt getEncryptionZoneForPath(INodesInPath iip) {
   void checkMoveValidity(INodesInPath srcIIP, INodesInPath dstIIP, String src)
       throws IOException {
     assert dir.hasReadLock();
-    readLock();
-    try {
-      final EncryptionZoneInt srcEZI = getEncryptionZoneForPath(srcIIP);
-      final EncryptionZoneInt dstEZI = getEncryptionZoneForPath(dstIIP);
-      final boolean srcInEZ = (srcEZI != null);
-      final boolean dstInEZ = (dstEZI != null);
-      if (srcInEZ) {
-        if (!dstInEZ) {
-          throw new IOException(
-              src + " can't be moved from an encryption zone.");
-        }
-      } else {
-        if (dstInEZ) {
-          throw new IOException(
-              src + " can't be moved into an encryption zone.");
-        }
+    final EncryptionZoneInt srcEZI = getEncryptionZoneForPath(srcIIP);
+    final EncryptionZoneInt dstEZI = getEncryptionZoneForPath(dstIIP);
+    final boolean srcInEZ = (srcEZI != null);
+    final boolean dstInEZ = (dstEZI != null);
+    if (srcInEZ) {
+      if (!dstInEZ) {
+        throw new IOException(
+            src + " can't be moved from an encryption zone.");
       }
+    } else {
+      if (dstInEZ) {
+        throw new IOException(
+            src + " can't be moved into an encryption zone.");
+      }
+    }
 
-      if (srcInEZ || dstInEZ) {
-        Preconditions.checkState(srcEZI != null, "couldn't find src EZ?");
-        Preconditions.checkState(dstEZI != null, "couldn't find dst EZ?");
-        if (srcEZI != dstEZI) {
-          final String srcEZPath = getFullPathName(srcEZI);
-          final String dstEZPath = getFullPathName(dstEZI);
-          final StringBuilder sb = new StringBuilder(src);
-          sb.append(" can't be moved from encryption zone ");
-          sb.append(srcEZPath);
-          sb.append(" to encryption zone ");
-          sb.append(dstEZPath);
-          sb.append(".");
-          throw new IOException(sb.toString());
-        }
+    if (srcInEZ || dstInEZ) {
+      Preconditions.checkState(srcEZI != null, "couldn't find src EZ?");
+      Preconditions.checkState(dstEZI != null, "couldn't find dst EZ?");
+      if (srcEZI != dstEZI) {
+        final String srcEZPath = getFullPathName(srcEZI);
+        final String dstEZPath = getFullPathName(dstEZI);
+        final StringBuilder sb = new StringBuilder(src);
+        sb.append(" can't be moved from encryption zone ");
+        sb.append(srcEZPath);
+        sb.append(" to encryption zone ");
+        sb.append(dstEZPath);
+        sb.append(".");
+        throw new IOException(sb.toString());
       }
-    } finally {
-      readUnlock();
     }
   }
 
@@ -266,34 +212,29 @@ void checkMoveValidity(INodesInPath srcIIP, INodesInPath dstIIP, String src)
   XAttr createEncryptionZone(String src, String keyId, KeyVersion keyVersion)
       throws IOException {
     assert dir.hasWriteLock();
-    writeLock();
-    try {
-      if (dir.isNonEmptyDirectory(src)) {
-        throw new IOException(
-            "Attempt to create an encryption zone for a non-empty directory.");
-      }
-
-      final INodesInPath srcIIP = dir.getINodesInPath4Write(src, false);
-      EncryptionZoneInt ezi = getEncryptionZoneForPath(srcIIP);
-      if (ezi != null) {
-        throw new IOException("Directory " + src + " is already in an " +
-            "encryption zone. (" + getFullPathName(ezi) + ")");
-      }
-
-      final XAttr keyIdXAttr = XAttrHelper
-          .buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyId.getBytes());
-
-      final List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
-      xattrs.add(keyIdXAttr);
-      // updating the xattr will call addEncryptionZone,
-      // done this way to handle edit log loading
-      dir.unprotectedSetXAttrs(src, xattrs, EnumSet.of(XAttrSetFlag.CREATE));
-      // Re-get the new encryption zone add the latest key version
-      ezi = getEncryptionZoneForPath(srcIIP);
-      return keyIdXAttr;
-    } finally {
-      writeUnlock();
+    if (dir.isNonEmptyDirectory(src)) {
+      throw new IOException(
+          "Attempt to create an encryption zone for a non-empty directory.");
     }
+
+    final INodesInPath srcIIP = dir.getINodesInPath4Write(src, false);
+    EncryptionZoneInt ezi = getEncryptionZoneForPath(srcIIP);
+    if (ezi != null) {
+      throw new IOException("Directory " + src + " is already in an " +
+          "encryption zone. (" + getFullPathName(ezi) + ")");
+    }
+
+    final XAttr keyIdXAttr = XAttrHelper
+        .buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyId.getBytes());
+
+    final List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
+    xattrs.add(keyIdXAttr);
+    // updating the xattr will call addEncryptionZone,
+    // done this way to handle edit log loading
+    dir.unprotectedSetXAttrs(src, xattrs, EnumSet.of(XAttrSetFlag.CREATE));
+    // Re-get the new encryption zone add the latest key version
+    ezi = getEncryptionZoneForPath(srcIIP);
+    return keyIdXAttr;
   }
 
   /**
@@ -303,16 +244,11 @@ XAttr createEncryptionZone(String src, String keyId, KeyVersion keyVersion)
    */
   List<EncryptionZone> listEncryptionZones() throws IOException {
     assert dir.hasReadLock();
-    readLock();
-    try {
-      final List<EncryptionZone> ret =
-          Lists.newArrayListWithExpectedSize(encryptionZones.size());
-      for (EncryptionZoneInt ezi : encryptionZones.values()) {
-        ret.add(new EncryptionZone(getFullPathName(ezi), ezi.getKeyName()));
-      }
-      return ret;
-    } finally {
-      readUnlock();
+    final List<EncryptionZone> ret =
+        Lists.newArrayListWithExpectedSize(encryptionZones.size());
+    for (EncryptionZoneInt ezi : encryptionZones.values()) {
+      ret.add(new EncryptionZone(getFullPathName(ezi), ezi.getKeyName()));
     }
+    return ret;
   }
 }

From 6fac3e9b611c43b4f7a97c80f86dd761782cef09 Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Tue, 22 Jul 2014 00:58:10 +0000
Subject: [PATCH 040/354] HADOOP-10870. Failed to load OpenSSL cipher error
 logs on systems with old openssl versions (cmccabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1612440 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |  3 +++
 .../crypto/OpensslAesCtrCryptoCodec.java      |  5 ++--
 .../apache/hadoop/crypto/OpensslCipher.java   | 23 +++++++++++--------
 .../hadoop/util/NativeLibraryChecker.java     | 16 +++++++------
 .../apache/hadoop/crypto/TestCryptoCodec.java | 16 ++++++-------
 .../hadoop/crypto/TestOpensslCipher.java      | 13 ++++-------
 6 files changed, 40 insertions(+), 36 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 4c365bf0aeb..3f9f13df0e0 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -40,6 +40,9 @@ fs-encryption (Unreleased)
     HADOOP-10735. Fall back AesCtrCryptoCodec implementation from OpenSSL to
     JCE if non native support. (Yi Liu)
 
+    HADOOP-10870. Failed to load OpenSSL cipher error logs on systems with old
+    openssl versions (cmccabe)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
index 7db7b063e5c..4ca79b307d6 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java
@@ -47,8 +47,9 @@ public class OpensslAesCtrCryptoCodec extends AesCtrCryptoCodec {
   private Random random;
   
   public OpensslAesCtrCryptoCodec() {
-    if (!OpensslCipher.isNativeCodeLoaded()) {
-      throw new RuntimeException("Failed to load OpenSSL Cipher.");
+    String loadingFailureReason = OpensslCipher.getLoadingFailureReason();
+    if (loadingFailureReason != null) {
+      throw new RuntimeException(loadingFailureReason);
     }
   }
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
index 652a8b4c324..264652b202a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
@@ -76,21 +76,26 @@ static int get(String padding) throws NoSuchPaddingException {
   private final int alg;
   private final int padding;
   
-  private static boolean nativeCipherLoaded = false;
+  private static final String loadingFailureReason;
+
   static {
-    if (NativeCodeLoader.isNativeCodeLoaded() &&
-        NativeCodeLoader.buildSupportsOpenssl()) {
-      try {
+    String loadingFailure = null;
+    try {
+      if (!NativeCodeLoader.buildSupportsOpenssl()) {
+        loadingFailure = "build does not support openssl.";
+      } else {
         initIDs();
-        nativeCipherLoaded = true;
-      } catch (Throwable t) {
-        LOG.error("Failed to load OpenSSL Cipher.", t);
       }
+    } catch (Throwable t) {
+      loadingFailure = t.getMessage();
+      LOG.debug("Failed to load OpenSSL Cipher.", t);
+    } finally {
+      loadingFailureReason = loadingFailure;
     }
   }
   
-  public static boolean isNativeCodeLoaded() {
-    return nativeCipherLoaded;
+  public static String getLoadingFailureReason() {
+    return loadingFailureReason;
   }
   
   private OpensslCipher(long context, int alg, int padding) {
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeLibraryChecker.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeLibraryChecker.java
index 4891f03cbb8..0d87bceda17 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeLibraryChecker.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeLibraryChecker.java
@@ -58,14 +58,14 @@ public static void main(String[] args) {
     boolean nativeHadoopLoaded = NativeCodeLoader.isNativeCodeLoaded();
     boolean zlibLoaded = false;
     boolean snappyLoaded = false;
-    boolean opensslLoaded = false;
     // lz4 is linked within libhadoop
     boolean lz4Loaded = nativeHadoopLoaded;
     boolean bzip2Loaded = Bzip2Factory.isNativeBzip2Loaded(conf);
+    boolean openSslLoaded = false;
+    String openSslDetail = "";
     String hadoopLibraryName = "";
     String zlibLibraryName = "";
     String snappyLibraryName = "";
-    String opensslLibraryName = "";
     String lz4LibraryName = "";
     String bzip2LibraryName = "";
     if (nativeHadoopLoaded) {
@@ -79,10 +79,12 @@ public static void main(String[] args) {
       if (snappyLoaded && NativeCodeLoader.buildSupportsSnappy()) {
         snappyLibraryName = SnappyCodec.getLibraryName();
       }
-      opensslLoaded = NativeCodeLoader.buildSupportsOpenssl() &&
-          OpensslCipher.isNativeCodeLoaded();
-      if (opensslLoaded) {
-        opensslLibraryName = OpensslCipher.getLibraryName();
+      if (OpensslCipher.getLoadingFailureReason() != null) {
+        openSslDetail = OpensslCipher.getLoadingFailureReason();
+        openSslLoaded = false;
+      } else {
+        openSslDetail = OpensslCipher.getLibraryName();
+        openSslLoaded = true;
       }
       if (lz4Loaded) {
         lz4LibraryName = Lz4Codec.getLibraryName();
@@ -97,7 +99,7 @@ public static void main(String[] args) {
     System.out.printf("snappy:  %b %s\n", snappyLoaded, snappyLibraryName);
     System.out.printf("lz4:     %b %s\n", lz4Loaded, lz4LibraryName);
     System.out.printf("bzip2:   %b %s\n", bzip2Loaded, bzip2LibraryName);
-    System.out.printf("openssl: %b %s\n", opensslLoaded, opensslLibraryName);
+    System.out.printf("openssl: %b %s\n", openSslLoaded, openSslDetail);
     if ((!nativeHadoopLoaded) ||
         (checkAll && !(zlibLoaded && snappyLoaded && lz4Loaded && bzip2Loaded))) {
       // return 1 to indicated check failed
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java
index d95052815cf..49b5056a86f 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoCodec.java
@@ -38,6 +38,7 @@
 import org.apache.hadoop.util.NativeCodeLoader;
 import org.apache.hadoop.util.ReflectionUtils;
 import org.junit.Assert;
+import org.junit.Assume;
 import org.junit.Test;
 
 public class TestCryptoCodec {
@@ -62,15 +63,12 @@ public void testJceAesCtrCryptoCodec() throws Exception {
   
   @Test(timeout=1200000)
   public void testOpensslAesCtrCryptoCodec() throws Exception {
-    if (NativeCodeLoader.buildSupportsOpenssl()) {
-      Assert.assertTrue(OpensslCipher.isNativeCodeLoaded());
-    }
-    if (OpensslCipher.isNativeCodeLoaded()) {
-      cryptoCodecTest(conf, seed, 0, 
-          "org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec");
-      cryptoCodecTest(conf, seed, count, 
-          "org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec");
-    }
+    Assume.assumeTrue(NativeCodeLoader.buildSupportsOpenssl());
+    Assert.assertEquals(null, OpensslCipher.getLoadingFailureReason());
+    cryptoCodecTest(conf, seed, 0, 
+        "org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec");
+    cryptoCodecTest(conf, seed, count, 
+        "org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec");
   }
   
   private void cryptoCodecTest(Configuration conf, int seed, int count, 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java
index b3a894a164f..966a88723a2 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java
@@ -24,6 +24,7 @@
 import javax.crypto.ShortBufferException;
 
 import org.apache.hadoop.test.GenericTestUtils;
+import org.junit.Assume;
 import org.junit.Assert;
 import org.junit.Test;
 
@@ -35,9 +36,7 @@ public class TestOpensslCipher {
   
   @Test(timeout=120000)
   public void testGetInstance() throws Exception {
-    if (!OpensslCipher.isNativeCodeLoaded()) {
-      return;
-    }
+    Assume.assumeTrue(OpensslCipher.getLoadingFailureReason() == null);
     OpensslCipher cipher = OpensslCipher.getInstance("AES/CTR/NoPadding");
     Assert.assertTrue(cipher != null);
     
@@ -58,9 +57,7 @@ public void testGetInstance() throws Exception {
   
   @Test(timeout=120000)
   public void testUpdateArguments() throws Exception {
-    if (!OpensslCipher.isNativeCodeLoaded()) {
-      return;
-    }
+    Assume.assumeTrue(OpensslCipher.getLoadingFailureReason() == null);
     OpensslCipher cipher = OpensslCipher.getInstance("AES/CTR/NoPadding");
     Assert.assertTrue(cipher != null);
     
@@ -93,9 +90,7 @@ public void testUpdateArguments() throws Exception {
   
   @Test(timeout=120000)
   public void testDoFinalArguments() throws Exception {
-    if (!OpensslCipher.isNativeCodeLoaded()) {
-      return;
-    }
+    Assume.assumeTrue(OpensslCipher.getLoadingFailureReason() == null);
     OpensslCipher cipher = OpensslCipher.getInstance("AES/CTR/NoPadding");
     Assert.assertTrue(cipher != null);
     

From b52b80d7bdcad00b95619544fa869af56746ebf0 Mon Sep 17 00:00:00 2001
From: Yi Liu <yliu@apache.org>
Date: Tue, 22 Jul 2014 08:38:38 +0000
Subject: [PATCH 041/354] HADOOP-10853. Refactor get instance of CryptoCodec
 and support create via algorithm/mode/padding. (yliu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1612513 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |  3 ++
 .../org/apache/hadoop/crypto/CipherSuite.java | 30 +++++++++++++
 .../org/apache/hadoop/crypto/CryptoCodec.java | 43 +++++++++++++------
 .../hadoop/crypto/JceAesCtrCryptoCodec.java   |  8 +++-
 .../fs/CommonConfigurationKeysPublic.java     | 22 ++++------
 .../src/main/resources/core-default.xml       | 26 +++++++----
 ...toStreamsWithOpensslAesCtrCryptoCodec.java |  5 ---
 .../org/apache/hadoop/hdfs/DFSClient.java     |  5 ++-
 8 files changed, 99 insertions(+), 43 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 3f9f13df0e0..3ce7695ddfe 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -43,6 +43,9 @@ fs-encryption (Unreleased)
     HADOOP-10870. Failed to load OpenSSL cipher error logs on systems with old
     openssl versions (cmccabe)
 
+    HADOOP-10853. Refactor get instance of CryptoCodec and support create via
+    algorithm/mode/padding. (Yi Liu)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
index c75311aef65..9962b3870da 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CipherSuite.java
@@ -82,4 +82,34 @@ public static void checkName(String name) {
     }
     throw new IllegalArgumentException("Invalid cipher suite name: " + name);
   }
+  
+  /**
+   * Convert to CipherSuite from name, {@link #algoBlockSize} is fixed for
+   * certain cipher suite, just need to compare the name.
+   * @param name cipher suite name
+   * @return CipherSuite cipher suite
+   */
+  public static CipherSuite convert(String name) {
+    CipherSuite[] suites = CipherSuite.values();
+    for (CipherSuite suite : suites) {
+      if (suite.getName().equals(name)) {
+        return suite;
+      }
+    }
+    throw new IllegalArgumentException("Invalid cipher suite name: " + name);
+  }
+  
+  /**
+   * Returns suffix of cipher suite configuration.
+   * @return String configuration suffix
+   */
+  public String getConfigSuffix() {
+    String[] parts = name.split("/");
+    StringBuilder suffix = new StringBuilder();
+    for (String part : parts) {
+      suffix.append(".").append(part.toLowerCase());
+    }
+    
+    return suffix.toString();
+  }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
index 45c06f02daa..f484083b592 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
@@ -31,8 +31,7 @@
 import com.google.common.base.Splitter;
 import com.google.common.collect.Lists;
 
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY;
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASS_DEFAULT;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_DEFAULT;
 
@@ -44,23 +43,28 @@
 public abstract class CryptoCodec implements Configurable {
   public static Logger LOG = LoggerFactory.getLogger(CryptoCodec.class);
   
-  public static CryptoCodec getInstance(Configuration conf) {
-    List<Class<? extends CryptoCodec>> klasses = getCodecClasses(conf);
-    String name = conf.get(HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY, 
-        HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_DEFAULT);
-    CipherSuite.checkName(name);
+  /**
+   * Get crypto codec for specified algorithm/mode/padding.
+   * @param conf the configuration
+   * @param CipherSuite algorithm/mode/padding
+   * @return CryptoCodec the codec object
+   */
+  public static CryptoCodec getInstance(Configuration conf, 
+      CipherSuite cipherSuite) {
+    List<Class<? extends CryptoCodec>> klasses = getCodecClasses(
+        conf, cipherSuite);
     CryptoCodec codec = null;
     for (Class<? extends CryptoCodec> klass : klasses) {
       try {
         CryptoCodec c = ReflectionUtils.newInstance(klass, conf);
-        if (c.getCipherSuite().getName().equalsIgnoreCase(name)) {
+        if (c.getCipherSuite().getName().equals(cipherSuite.getName())) {
           if (codec == null) {
             LOG.debug("Using crypto codec {}.", klass.getName());
             codec = c;
           }
         } else {
           LOG.warn("Crypto codec {} doesn't meet the cipher suite {}.", 
-              klass.getName(), name);
+              klass.getName(), cipherSuite.getName());
         }
       } catch (Exception e) {
         LOG.warn("Crypto codec {} is not available.", klass.getName());
@@ -72,14 +76,27 @@ public static CryptoCodec getInstance(Configuration conf) {
     }
     
     throw new RuntimeException("No available crypto codec which meets " + 
-        "the cipher suite " + name + ".");
+        "the cipher suite " + cipherSuite.getName() + ".");
+  }
+  
+  /**
+   * Get crypto codec for algorithm/mode/padding in config value 
+   * hadoop.security.crypto.cipher.suite
+   * @param conf the configuration
+   * @return CryptoCodec the codec object
+   */
+  public static CryptoCodec getInstance(Configuration conf) {
+    String name = conf.get(HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY, 
+        HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_DEFAULT);
+    return getInstance(conf, CipherSuite.convert(name));
   }
   
   private static List<Class<? extends CryptoCodec>> getCodecClasses(
-      Configuration conf) {
+      Configuration conf, CipherSuite cipherSuite) {
     List<Class<? extends CryptoCodec>> result = Lists.newArrayList();
-    String codecString = conf.get(HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY,
-        HADOOP_SECURITY_CRYPTO_CODEC_CLASS_DEFAULT);
+    String configName = HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX + 
+        cipherSuite.getConfigSuffix();
+    String codecString = conf.get(configName);
     for (String c : Splitter.on(',').trimResults().omitEmptyStrings().
         split(codecString)) {
       try {
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java
index cd093203867..61ee743c421 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/JceAesCtrCryptoCodec.java
@@ -26,6 +26,8 @@
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 
@@ -40,6 +42,9 @@
  */
 @InterfaceAudience.Private
 public class JceAesCtrCryptoCodec extends AesCtrCryptoCodec {
+  private static final Log LOG =
+      LogFactory.getLog(JceAesCtrCryptoCodec.class.getName());
+  
   private Configuration conf;
   private String provider;
   private SecureRandom random;
@@ -64,7 +69,8 @@ public void setConf(Configuration conf) {
           SecureRandom.getInstance(secureRandomAlg, provider) : 
             SecureRandom.getInstance(secureRandomAlg);
     } catch (GeneralSecurityException e) {
-      throw new IllegalArgumentException(e);
+      LOG.warn(e.getMessage());
+      random = new SecureRandom();
     }
   }
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
index 3b353ebcdb3..933f2c239a1 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
@@ -282,12 +282,8 @@ public class CommonConfigurationKeysPublic {
   /** Class to override Sasl Properties for a connection */
   public static final String  HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS =
     "hadoop.security.saslproperties.resolver.class";
-  /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
-  public static final String HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY =
-    "hadoop.security.crypto.codec.class";
-  public static final String HADOOP_SECURITY_CRYPTO_CODEC_CLASS_DEFAULT = 
-    "org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec," +
-    "org.apache.hadoop.crypto.JceAesCtrCryptoCodec";
+  public static final String HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX = 
+    "hadoop.security.crypto.codec.classes";
   /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY =
     "hadoop.security.crypto.cipher.suite";
@@ -295,10 +291,10 @@ public class CommonConfigurationKeysPublic {
     "AES/CTR/NoPadding";
   /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String HADOOP_SECURITY_CRYPTO_JCE_PROVIDER_KEY =
-      "hadoop.security.crypto.jce.provider";
+    "hadoop.security.crypto.jce.provider";
   /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY = 
-      "hadoop.security.crypto.buffer.size";
+    "hadoop.security.crypto.buffer.size";
   /** Defalt value for HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY */
   public static final int HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_DEFAULT = 8192;
   /** Class to override Impersonation provider */
@@ -334,17 +330,17 @@ public class CommonConfigurationKeysPublic {
 
   /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_KEY = 
-      "hadoop.security.java.secure.random.algorithm";
+    "hadoop.security.java.secure.random.algorithm";
   /** Defalt value for HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_KEY */
   public static final String HADOOP_SECURITY_JAVA_SECURE_RANDOM_ALGORITHM_DEFAULT = 
-      "SHA1PRNG";
+    "SHA1PRNG";
   /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String HADOOP_SECURITY_SECURE_RANDOM_IMPL_KEY = 
-      "hadoop.security.secure.random.impl";
+    "hadoop.security.secure.random.impl";
   /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String HADOOP_SECURITY_SECURE_RANDOM_DEVICE_FILE_PATH_KEY = 
-      "hadoop.security.random.device.file.path";
+    "hadoop.security.random.device.file.path";
   public static final String HADOOP_SECURITY_SECURE_RANDOM_DEVICE_FILE_PATH_DEFAULT = 
-      "/dev/urandom";
+    "/dev/urandom";
 }
 
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index 24e6726f71a..37348eaeac1 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -1452,13 +1452,21 @@ for ldap providers in the same way as above does.
 </property>
 
 <property>
-  <name>hadoop.security.crypto.codec.class</name>
-  <value>org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec,
-  org.apache.hadoop.crypto.JceAesCtrCryptoCodec</value>
+  <name>hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE</name>
+  <value></value>
   <description>
-    Comma list of CryptoCodec implementations which are used for encryption 
-    and decryption. The first implementation will be used if avaiable, others
-    are fallbacks.
+    The prefix for a given crypto codec, contains a comma-separated
+    list of implementation classes for a given crypto codec (eg EXAMPLECIPHERSUITE).
+    The first implementation will be used if available, others are fallbacks.
+  </description>
+</property>
+
+<property>
+  <name>hadoop.security.crypto.codec.classes.aes.ctr.nopadding</name>
+  <value>org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec,org.apache.hadoop.crypto.JceAesCtrCryptoCodec</value>
+  <description>
+    Comma-separated list of crypto codec implementations for AES/CTR/NoPadding. 
+    The first implementation will be used if available, others are fallbacks.
   </description>
 </property>
 
@@ -1488,7 +1496,7 @@ for ldap providers in the same way as above does.
 
 <property>
   <name>hadoop.security.java.secure.random.algorithm</name>
-  <value></value>
+  <value>SHA1PRNG</value>
   <description>
     The java secure random algorithm. 
   </description>
@@ -1504,9 +1512,9 @@ for ldap providers in the same way as above does.
 
 <property>
   <name>hadoop.security.random.device.file.path</name>
-  <value></value>
+  <value>/dev/urandom</value>
   <description>
-    OS security random dev path, it's /dev/urandom in linux.
+    OS security random device file path.
   </description>
 </property>
 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java
index 4e962cb42d5..f64e8dcca69 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsWithOpensslAesCtrCryptoCodec.java
@@ -20,17 +20,12 @@
 import org.apache.hadoop.conf.Configuration;
 import org.junit.BeforeClass;
 
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY;
-
 public class TestCryptoStreamsWithOpensslAesCtrCryptoCodec 
     extends TestCryptoStreams {
   
   @BeforeClass
   public static void init() throws Exception {
     Configuration conf = new Configuration();
-    conf.set(HADOOP_SECURITY_CRYPTO_CODEC_CLASS_KEY, 
-        OpensslAesCtrCryptoCodec.class.getName() + "," + 
-            JceAesCtrCryptoCodec.class.getName());
     codec = CryptoCodec.getInstance(conf);
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index 9f471d8e21f..102343797c6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -1301,8 +1301,9 @@ public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
     if (feInfo != null) {
       // File is encrypted, wrap the stream in a crypto stream.
       final CryptoInputStream cryptoIn =
-          new CryptoInputStream(dfsis, codec,
-              feInfo.getEncryptedDataEncryptionKey(), feInfo.getIV());
+          new CryptoInputStream(dfsis, CryptoCodec.getInstance(conf, 
+              feInfo.getCipherSuite()), feInfo.getEncryptedDataEncryptionKey(),
+              feInfo.getIV());
       return new HdfsDataInputStream(cryptoIn);
     } else {
       // No key/IV pair so no encryption.

From 69b75fca7aec5f5cbf79bc7db3915119cef69e65 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 22 Jul 2014 17:57:06 +0000
Subject: [PATCH 042/354] HDFS-6720. Remove KeyProvider in
 EncryptionZoneManager. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1612632 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  2 +
 .../org/apache/hadoop/hdfs/DFSClient.java     |  4 +-
 .../hadoop/hdfs/DistributedFileSystem.java    |  4 +-
 .../apache/hadoop/hdfs/client/HdfsAdmin.java  | 34 +++++--------
 .../hadoop/hdfs/protocol/ClientProtocol.java  |  2 +-
 .../hadoop/hdfs/protocol/EncryptionZone.java  | 18 +++----
 ...amenodeProtocolServerSideTranslatorPB.java |  2 +-
 .../ClientNamenodeProtocolTranslatorPB.java   |  6 +--
 .../hadoop/hdfs/protocolPB/PBHelper.java      |  4 +-
 .../namenode/EncryptionZoneManager.java       | 24 ++++------
 .../hdfs/server/namenode/FSDirectory.java     |  8 ++--
 .../hdfs/server/namenode/FSNamesystem.java    | 48 +++++++++----------
 .../server/namenode/NameNodeRpcServer.java    |  4 +-
 .../apache/hadoop/hdfs/tools/CryptoAdmin.java | 13 ++---
 .../src/main/proto/encryption.proto           |  4 +-
 .../org/apache/hadoop/cli/TestCryptoCLI.java  |  4 +-
 .../hadoop/hdfs/TestEncryptionZones.java      | 28 +++++------
 .../src/test/resources/testCryptoConf.xml     |  4 +-
 18 files changed, 99 insertions(+), 114 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 311e42c6dae..7170acb225a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -54,6 +54,8 @@ fs-encryption (Unreleased)
 
     HDFS-6718. Remove EncryptionZoneManager lock. (wang)
 
+    HDFS-6720. Remove KeyProvider in EncryptionZoneManager. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index 102343797c6..a6f02fbfab5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -2807,11 +2807,11 @@ public AclStatus getAclStatus(String src) throws IOException {
     }
   }
   
-  public void createEncryptionZone(String src, String keyId)
+  public void createEncryptionZone(String src, String keyName)
     throws IOException {
     checkOpen();
     try {
-      namenode.createEncryptionZone(src, keyId);
+      namenode.createEncryptionZone(src, keyName);
     } catch (RemoteException re) {
       throw re.unwrapRemoteException(AccessControlException.class,
                                      SafeModeException.class,
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
index c348a1b3a95..eccd563b270 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
@@ -1799,9 +1799,9 @@ public AclStatus next(final FileSystem fs, final Path p)
   }
   
   /* HDFS only */
-  public void createEncryptionZone(Path path, String keyId)
+  public void createEncryptionZone(Path path, String keyName)
     throws IOException {
-    dfs.createEncryptionZone(getPathName(path), keyId);
+    dfs.createEncryptionZone(getPathName(path), keyName);
   }
 
   /* HDFS only */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
index 018fce4e797..be3ac51cfe7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
@@ -231,21 +231,16 @@ public RemoteIterator<CachePoolEntry> listCachePools() throws IOException {
   }
 
   /**
-   * Create an encryption zone rooted at path using the optional encryption key
-   * id. An encryption zone is a portion of the HDFS file system hierarchy in
-   * which all files are encrypted with the same key, but possibly different
-   * key versions per file.
-   * <p/>
-   * Path must refer to an empty, existing directory. Otherwise an IOException
-   * will be thrown. keyId specifies the id of an encryption key in the
-   * KeyProvider that the Namenode has been configured to use. If keyId is
-   * null, then a key is generated in the KeyProvider using {@link
-   * java.util.UUID} to generate a key id.
+   * Create an encryption zone rooted at an empty existing directory. An
+   * encryption zone has an associated encryption key used when reading and
+   * writing files within the zone. An existing key can be specified,
+   * else a new key will be generated for the encryption zone.
    *
-   * @param path The path of the root of the encryption zone.
+   * @param path The path of the root of the encryption zone. Must refer to
+   *             an empty, existing directory.
    *
-   * @param keyId An optional keyId in the KeyProvider. If null, then
-   * a key is generated.
+   * @param keyName Optional name of key available at the KeyProvider. If null,
+   *                then a key is generated.
    *
    * @throws IOException if there was a general IO exception
    *
@@ -253,18 +248,15 @@ public RemoteIterator<CachePoolEntry> listCachePools() throws IOException {
    *
    * @throws FileNotFoundException if the path does not exist
    */
-  public void createEncryptionZone(Path path, String keyId)
+  public void createEncryptionZone(Path path, String keyName)
     throws IOException, AccessControlException, FileNotFoundException {
-    dfs.createEncryptionZone(path, keyId);
+    dfs.createEncryptionZone(path, keyName);
   }
 
   /**
-   * Return a list of all {@EncryptionZone}s in the HDFS hierarchy which are
-   * visible to the caller. If the caller is the HDFS admin, then the returned
-   * EncryptionZone instances will have the key id field filled in. If the
-   * caller is not the HDFS admin, then the EncryptionZone instances will only
-   * have the path field filled in and only those zones that are visible to the
-   * user are returned.
+   * Return a list of all {@link EncryptionZone}s in the HDFS hierarchy which
+   * are visible to the caller. If the caller is an HDFS superuser,
+   * then the key name of each encryption zone will also be provided.
    *
    * @throws IOException if there was a general IO exception
    *
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index a307520fc05..7996717d9d1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -1263,7 +1263,7 @@ public void removeAclEntries(String src, List<AclEntry> aclSpec)
    * Create an encryption zone
    */
   @AtMostOnce
-  public void createEncryptionZone(String src, String keyId)
+  public void createEncryptionZone(String src, String keyName)
     throws IOException;
 
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZone.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZone.java
index f4fcc609e41..a20e93c111e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZone.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZone.java
@@ -24,32 +24,32 @@
 
 /**
  * A simple class for representing an encryption zone. Presently an encryption
- * zone only has a path (the root of the encryption zone) and a key id.
+ * zone only has a path (the root of the encryption zone) and a key name.
  */
 @InterfaceAudience.Public
 @InterfaceStability.Evolving
 public class EncryptionZone {
 
   private final String path;
-  private final String keyId;
+  private final String keyName;
 
-  public EncryptionZone(String path, String keyId) {
+  public EncryptionZone(String path, String keyName) {
     this.path = path;
-    this.keyId = keyId;
+    this.keyName = keyName;
   }
 
   public String getPath() {
     return path;
   }
 
-  public String getKeyId() {
-    return keyId;
+  public String getKeyName() {
+    return keyName;
   }
 
   @Override
   public int hashCode() {
     return new HashCodeBuilder(13, 31).
-      append(path).append(keyId).
+      append(path).append(keyName).
       toHashCode();
   }
 
@@ -68,12 +68,12 @@ public boolean equals(Object obj) {
     EncryptionZone rhs = (EncryptionZone) obj;
     return new EqualsBuilder().
       append(path, rhs.path).
-      append(keyId, rhs.keyId).
+      append(keyName, rhs.keyName).
       isEquals();
   }
 
   @Override
   public String toString() {
-    return "EncryptionZone [path=" + path + ", keyId=" + keyId + "]";
+    return "EncryptionZone [path=" + path + ", keyName=" + keyName + "]";
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
index 570386e04e6..203fa381083 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
@@ -1287,7 +1287,7 @@ public CreateEncryptionZoneResponseProto createEncryptionZone(
     RpcController controller, CreateEncryptionZoneRequestProto req)
     throws ServiceException {
     try {
-      server.createEncryptionZone(req.getSrc(), req.getKeyId());
+      server.createEncryptionZone(req.getSrc(), req.getKeyName());
       return CreateEncryptionZoneResponseProto.newBuilder().build();
     } catch (IOException e) {
       throw new ServiceException(e);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
index 6a15ac57752..85fb745ca84 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
@@ -1284,13 +1284,13 @@ public AclStatus getAclStatus(String src) throws IOException {
   }
 
   @Override
-  public void createEncryptionZone(String src, String keyId)
+  public void createEncryptionZone(String src, String keyName)
     throws IOException {
     final CreateEncryptionZoneRequestProto.Builder builder =
       CreateEncryptionZoneRequestProto.newBuilder();
     builder.setSrc(src);
-    if (keyId != null && !keyId.isEmpty()) {
-      builder.setKeyId(keyId);
+    if (keyName != null && !keyName.isEmpty()) {
+      builder.setKeyName(keyName);
     }
     CreateEncryptionZoneRequestProto req = builder.build();
     try {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index 4f62b42ddaa..edbd284dfc4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -2209,7 +2209,7 @@ public static List<EncryptionZoneProto> convertEZProto(
       final EncryptionZoneProto.Builder builder =
         EncryptionZoneProto.newBuilder();
       builder.setPath(a.getPath());
-      builder.setKeyId(a.getKeyId());
+      builder.setKeyName(a.getKeyName());
       ret.add(builder.build());
     }
     return ret;
@@ -2221,7 +2221,7 @@ public static List<EncryptionZone> convertEZ(
       Lists.newArrayListWithCapacity(ezs.size());
     for (EncryptionZoneProto a : ezs) {
       final EncryptionZone ez =
-        new EncryptionZone(a.getPath(), a.getKeyId());
+        new EncryptionZone(a.getPath(), a.getKeyName());
       ret.add(ez);
     }
     return ret;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
index 0f7f61c264d..f40d315676a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@@ -5,11 +5,9 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.concurrent.locks.ReentrantReadWriteLock;
 
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
-import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.fs.UnresolvedLinkException;
 import org.apache.hadoop.fs.XAttr;
 import org.apache.hadoop.fs.XAttrSetFlag;
@@ -20,7 +18,6 @@
 import org.slf4j.LoggerFactory;
 
 
-import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants
     .CRYPTO_XATTR_ENCRYPTION_ZONE;
 
@@ -62,16 +59,14 @@ long getINodeId() {
 
   private final Map<Long, EncryptionZoneInt> encryptionZones;
   private final FSDirectory dir;
-  private final KeyProvider provider;
 
   /**
    * Construct a new EncryptionZoneManager.
    *
    * @param dir Enclosing FSDirectory
    */
-  public EncryptionZoneManager(FSDirectory dir, KeyProvider provider) {
+  public EncryptionZoneManager(FSDirectory dir) {
     this.dir = dir;
-    this.provider = provider;
     encryptionZones = new HashMap<Long, EncryptionZoneInt>();
   }
 
@@ -81,11 +76,11 @@ public EncryptionZoneManager(FSDirectory dir, KeyProvider provider) {
    * Called while holding the FSDirectory lock.
    *
    * @param inodeId of the encryption zone
-   * @param keyId   encryption zone key id
+   * @param keyName encryption zone key name
    */
-  void addEncryptionZone(Long inodeId, String keyId) {
+  void addEncryptionZone(Long inodeId, String keyName) {
     assert dir.hasWriteLock();
-    final EncryptionZoneInt ez = new EncryptionZoneInt(inodeId, keyId);
+    final EncryptionZoneInt ez = new EncryptionZoneInt(inodeId, keyName);
     encryptionZones.put(inodeId, ez);
   }
 
@@ -209,7 +204,7 @@ void checkMoveValidity(INodesInPath srcIIP, INodesInPath dstIIP, String src)
    * <p/>
    * Called while holding the FSDirectory lock.
    */
-  XAttr createEncryptionZone(String src, String keyId, KeyVersion keyVersion)
+  XAttr createEncryptionZone(String src, String keyName)
       throws IOException {
     assert dir.hasWriteLock();
     if (dir.isNonEmptyDirectory(src)) {
@@ -224,17 +219,16 @@ XAttr createEncryptionZone(String src, String keyId, KeyVersion keyVersion)
           "encryption zone. (" + getFullPathName(ezi) + ")");
     }
 
-    final XAttr keyIdXAttr = XAttrHelper
-        .buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyId.getBytes());
+    final XAttr ezXAttr = XAttrHelper
+        .buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyName.getBytes());
 
     final List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
-    xattrs.add(keyIdXAttr);
+    xattrs.add(ezXAttr);
     // updating the xattr will call addEncryptionZone,
     // done this way to handle edit log loading
     dir.unprotectedSetXAttrs(src, xattrs, EnumSet.of(XAttrSetFlag.CREATE));
-    // Re-get the new encryption zone add the latest key version
     ezi = getEncryptionZoneForPath(srcIIP);
-    return keyIdXAttr;
+    return ezXAttr;
   }
 
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index 4b13da6a513..d20f3b991bc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -17,7 +17,6 @@
  */
 package org.apache.hadoop.hdfs.server.namenode;
 
-import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants.CRYPTO_XATTR_ENCRYPTION_ZONE;
 import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants.CRYPTO_XATTR_FILE_ENCRYPTION_INFO;
 import static org.apache.hadoop.util.Time.now;
@@ -36,7 +35,6 @@
 import org.apache.hadoop.HadoopIllegalArgumentException;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.fs.ContentSummary;
 import org.apache.hadoop.fs.FileAlreadyExistsException;
 import org.apache.hadoop.fs.FileEncryptionInfo;
@@ -227,7 +225,7 @@ public int getWriteHoldCount() {
     nameCache = new NameCache<ByteArray>(threshold);
     namesystem = ns;
 
-    ezManager = new EncryptionZoneManager(this, ns.getProvider());
+    ezManager = new EncryptionZoneManager(this);
   }
     
   private FSNamesystem getFSNamesystem() {
@@ -2632,11 +2630,11 @@ String getKeyName(INodesInPath iip) {
     }
   }
 
-  XAttr createEncryptionZone(String src, String keyId, KeyVersion keyVersion)
+  XAttr createEncryptionZone(String src, String keyName)
     throws IOException {
     writeLock();
     try {
-      return ezManager.createEncryptionZone(src, keyId, keyVersion);
+      return ezManager.createEncryptionZone(src, keyName);
     } finally {
       writeUnlock();
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 9c3f1320b7d..31a89bfde2e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -8421,13 +8421,13 @@ AclStatus getAclStatus(String src) throws IOException {
   }
   
   /**
-   * Create an encryption zone on directory src either using keyIdArg if
-   * supplied or generating a keyId if it's null.
+   * Create an encryption zone on directory src. If provided,
+   * will use an existing key, else will generate a new key.
    *
    * @param src the path of a directory which will be the root of the
    * encryption zone. The directory must be empty.
    *
-   * @param keyIdArg an optional keyId of a key in the configured
+   * @param keyNameArg an optional name of a key in the configured
    * KeyProvider. If this is null, then a a new key is generated.
    *
    * @throws AccessControlException if the caller is not the superuser.
@@ -8436,7 +8436,7 @@ AclStatus getAclStatus(String src) throws IOException {
    *
    * @throws SafeModeException if the Namenode is in safe mode.
    */
-  void createEncryptionZone(final String src, String keyIdArg)
+  void createEncryptionZone(final String src, String keyNameArg)
     throws IOException, UnresolvedLinkException,
       SafeModeException, AccessControlException {
     final CacheEntry cacheEntry = RetryCache.waitForCompletion(retryCache);
@@ -8445,16 +8445,15 @@ void createEncryptionZone(final String src, String keyIdArg)
     }
 
     boolean createdKey = false;
-    String keyId = keyIdArg;
+    String keyName = keyNameArg;
     boolean success = false;
     try {
-      KeyVersion keyVersion;
-      if (keyId == null || keyId.isEmpty()) {
-        keyId = UUID.randomUUID().toString();
-        keyVersion = createNewKey(keyId, src);
+      if (keyName == null || keyName.isEmpty()) {
+        keyName = UUID.randomUUID().toString();
+        createNewKey(keyName, src);
         createdKey = true;
       } else {
-        keyVersion = provider.getCurrentKey(keyId);
+        KeyVersion keyVersion = provider.getCurrentKey(keyName);
         if (keyVersion == null) {
           /*
            * It would be nice if we threw something more specific than
@@ -8464,10 +8463,10 @@ void createEncryptionZone(final String src, String keyIdArg)
            * update this to match it, or better yet, just rethrow the
            * KeyProvider's exception.
            */
-          throw new IOException("Key " + keyId + " doesn't exist.");
+          throw new IOException("Key " + keyName + " doesn't exist.");
         }
       }
-      createEncryptionZoneInt(src, keyId, keyVersion, cacheEntry != null);
+      createEncryptionZoneInt(src, keyName, cacheEntry != null);
       success = true;
     } catch (AccessControlException e) {
       logAuditEvent(false, "createEncryptionZone", src);
@@ -8476,14 +8475,13 @@ void createEncryptionZone(final String src, String keyIdArg)
       RetryCache.setState(cacheEntry, success);
       if (!success && createdKey) {
         /* Unwind key creation. */
-        provider.deleteKey(keyId);
+        provider.deleteKey(keyName);
       }
     }
   }
 
-  private void createEncryptionZoneInt(final String srcArg, String keyId,
-    final KeyVersion keyVersion, final boolean logRetryCache) throws
-      IOException {
+  private void createEncryptionZoneInt(final String srcArg, String keyName,
+      final boolean logRetryCache) throws IOException {
     String src = srcArg;
     HdfsFileStatus resultingStat = null;
     checkSuperuserPrivilege();
@@ -8497,9 +8495,9 @@ private void createEncryptionZoneInt(final String srcArg, String keyId,
       checkNameNodeSafeMode("Cannot create encryption zone on " + src);
       src = FSDirectory.resolvePath(src, pathComponents, dir);
 
-      final XAttr keyIdXAttr = dir.createEncryptionZone(src, keyId, keyVersion);
+      final XAttr ezXAttr = dir.createEncryptionZone(src, keyName);
       List<XAttr> xAttrs = Lists.newArrayListWithCapacity(1);
-      xAttrs.add(keyIdXAttr);
+      xAttrs.add(ezXAttr);
       getEditLog().logSetXAttrs(src, xAttrs, logRetryCache);
       resultingStat = getAuditFileInfo(src, false);
     } finally {
@@ -8512,14 +8510,14 @@ private void createEncryptionZoneInt(final String srcArg, String keyId,
   /**
    * Create a new key on the KeyProvider for an encryption zone.
    *
-   * @param keyIdArg id of the key
+   * @param keyNameArg name of the key
    * @param src path of the encryption zone.
    * @return KeyVersion of the created key
    * @throws IOException
    */
-  private KeyVersion createNewKey(String keyIdArg, String src)
+  private KeyVersion createNewKey(String keyNameArg, String src)
     throws IOException {
-    Preconditions.checkNotNull(keyIdArg);
+    Preconditions.checkNotNull(keyNameArg);
     Preconditions.checkNotNull(src);
     final StringBuilder sb = new StringBuilder("hdfs://");
     if (nameserviceId != null) {
@@ -8529,14 +8527,14 @@ private KeyVersion createNewKey(String keyIdArg, String src)
     if (!src.endsWith("/")) {
       sb.append('/');
     }
-    sb.append(keyIdArg);
-    final String keyId = sb.toString();
-    providerOptions.setDescription(keyId);
+    sb.append(keyNameArg);
+    final String keyName = sb.toString();
+    providerOptions.setDescription(keyName);
     providerOptions.setBitLength(codec.getCipherSuite()
         .getAlgorithmBlockSize()*8);
     KeyVersion version = null;
     try {
-      version = provider.createKey(keyIdArg, providerOptions);
+      version = provider.createKey(keyNameArg, providerOptions);
     } catch (NoSuchAlgorithmException e) {
       throw new IOException(e);
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 003b3171782..c47dd6f9f8f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -1413,9 +1413,9 @@ public AclStatus getAclStatus(String src) throws IOException {
   }
   
   @Override
-  public void createEncryptionZone(String src, String keyId)
+  public void createEncryptionZone(String src, String keyName)
     throws IOException {
-    namesystem.createEncryptionZone(src, keyId);
+    namesystem.createEncryptionZone(src, keyName);
   }
 
   @Override
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
index f1ec3cbfc57..c0155fcb72b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
@@ -124,7 +124,7 @@ public String getName() {
 
     @Override
     public String getShortUsage() {
-      return "[" + getName() + " [-keyId <keyId>] -path <path> " + "]\n";
+      return "[" + getName() + " [-keyName <keyName>] -path <path> " + "]\n";
     }
 
     @Override
@@ -132,7 +132,8 @@ public String getLongUsage() {
       final TableListing listing = getOptionDescriptionListing();
       listing.addRow("<path>", "The path of the encryption zone to create. " +
         "It must be an empty directory.");
-      listing.addRow("<keyId>", "The keyId of the new encryption zone.");
+      listing.addRow("<keyName>", "Name of the key to use for the " +
+          "encryption zone. A new key will be generated if unspecified.");
       return getShortUsage() + "\n" +
         "Create a new encryption zone.\n\n" +
         listing.toString();
@@ -146,8 +147,8 @@ public int run(Configuration conf, List<String> args) throws IOException {
         return 1;
       }
 
-      final String keyId =
-          StringUtils.popOptionWithArgument("-keyId", args);
+      final String keyName =
+          StringUtils.popOptionWithArgument("-keyName", args);
 
       if (!args.isEmpty()) {
         System.err.println("Can't understand argument: " + args.get(0));
@@ -156,7 +157,7 @@ public int run(Configuration conf, List<String> args) throws IOException {
 
       final DistributedFileSystem dfs = getDFS(conf);
       try {
-        dfs.createEncryptionZone(new Path(path), keyId);
+        dfs.createEncryptionZone(new Path(path), keyName);
         System.out.println("Added encryption zone " + path);
       } catch (IOException e) {
         System.err.println(prettifyException(e));
@@ -198,7 +199,7 @@ public int run(Configuration conf, List<String> args) throws IOException {
           .wrapWidth(MAX_LINE_WIDTH).hideHeaders().build();
         final List<EncryptionZone> ezs = dfs.listEncryptionZones();
         for (EncryptionZone ez : ezs) {
-          listing.addRow(ez.getPath(), ez.getKeyId());
+          listing.addRow(ez.getPath(), ez.getKeyName());
         }
         System.out.println(listing.toString());
       } catch (IOException e) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
index 6b091a572be..391b0aa5ff5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
@@ -35,7 +35,7 @@ import "hdfs.proto";
 
 message CreateEncryptionZoneRequestProto {
   required string src = 1;
-  optional string keyId = 2;
+  optional string keyName = 2;
 }
 
 message CreateEncryptionZoneResponseProto {
@@ -46,7 +46,7 @@ message ListEncryptionZonesRequestProto {
 
 message EncryptionZoneProto {
   required string path = 1;
-  required string keyId = 2;
+  required string keyName = 2;
 }
 
 message ListEncryptionZonesResponseProto {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoCLI.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoCLI.java
index 32ba055caa1..1b4468e545b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoCLI.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoCLI.java
@@ -93,12 +93,12 @@ public void tearDown() throws Exception {
   }
 
   /* Helper function to create a key in the Key Provider. */
-  private void createAKey(String keyId, Configuration conf)
+  private void createAKey(String keyName, Configuration conf)
     throws NoSuchAlgorithmException, IOException {
     final KeyProvider provider =
         dfsCluster.getNameNode().getNamesystem().getProvider();
     final KeyProvider.Options options = KeyProvider.options(conf);
-    provider.createKey(keyId, options);
+    provider.createKey(keyName, options);
     provider.flush();
     }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
index cf5cec64a79..7b268ed16d4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -105,18 +105,18 @@ public void assertNumZones(final int numZones) throws IOException {
   }
 
   /**
-   * Checks that an encryption zone with the specified keyId and path (if not
+   * Checks that an encryption zone with the specified keyName and path (if not
    * null) is present.
    *
    * @throws IOException if a matching zone could not be found
    */
-  public void assertZonePresent(String keyId, String path) throws IOException {
+  public void assertZonePresent(String keyName, String path) throws IOException {
     final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
     boolean match = false;
     for (EncryptionZone zone : zones) {
-      boolean matchKey = (keyId == null);
+      boolean matchKey = (keyName == null);
       boolean matchPath = (path == null);
-      if (keyId != null && zone.getKeyId().equals(keyId)) {
+      if (keyName != null && zone.getKeyName().equals(keyName)) {
         matchKey = true;
       }
       if (path != null && zone.getPath().equals(path)) {
@@ -127,7 +127,7 @@ public void assertZonePresent(String keyId, String path) throws IOException {
         break;
       }
     }
-    assertTrue("Did not find expected encryption zone with keyId " + keyId +
+    assertTrue("Did not find expected encryption zone with keyName " + keyName +
             " path " + path, match
     );
   }
@@ -135,11 +135,11 @@ public void assertZonePresent(String keyId, String path) throws IOException {
   /**
    * Helper function to create a key in the Key Provider.
    */
-  private void createKey(String keyId)
+  private void createKey(String keyName)
       throws NoSuchAlgorithmException, IOException {
     KeyProvider provider = cluster.getNameNode().getNamesystem().getProvider();
     final KeyProvider.Options options = KeyProvider.options(conf);
-    provider.createKey(keyId, options);
+    provider.createKey(keyName, options);
     provider.flush();
   }
 
@@ -204,9 +204,9 @@ public void testBasicOperations() throws Exception {
     /* Test failure of creating an EZ passing a key that doesn't exist. */
     final Path zone2 = new Path("/zone2");
     fsWrapper.mkdir(zone2, FsPermission.getDirDefault(), false);
-    final String myKeyId = "mykeyid";
+    final String myKeyName = "mykeyname";
     try {
-      dfsAdmin.createEncryptionZone(zone2, myKeyId);
+      dfsAdmin.createEncryptionZone(zone2, myKeyName);
       fail("expected key doesn't exist");
     } catch (IOException e) {
       assertExceptionContains("doesn't exist.", e);
@@ -214,10 +214,10 @@ public void testBasicOperations() throws Exception {
     assertNumZones(1);
 
     /* Test success of creating an EZ when they key exists. */
-    createKey(myKeyId);
-    dfsAdmin.createEncryptionZone(zone2, myKeyId);
+    createKey(myKeyName);
+    dfsAdmin.createEncryptionZone(zone2, myKeyName);
     assertNumZones(++numZones);
-    assertZonePresent(myKeyId, zone2.toString());
+    assertZonePresent(myKeyName, zone2.toString());
 
     /* Test failure of create encryption zones as a non super user. */
     final UserGroupInformation user = UserGroupInformation.
@@ -345,8 +345,8 @@ public void testReadWrite() throws Exception {
     // Roll the key of the encryption zone
     List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
     assertEquals("Expected 1 EZ", 1, zones.size());
-    String keyId = zones.get(0).getKeyId();
-    cluster.getNamesystem().getProvider().rollNewVersion(keyId);
+    String keyName = zones.get(0).getKeyName();
+    cluster.getNamesystem().getProvider().rollNewVersion(keyName);
     // Read them back in and compare byte-by-byte
     validateFiles(baseFile, encFile1, len);
     // Write a new enc file and validate
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
index 36df642b104..2ff2f20ae41 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
@@ -145,7 +145,7 @@
       <test-commands>
         <command>-fs NAMENODE -mkdir /foo</command>
         <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /foo -keyId doesntexist</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /foo -keyName doesntexist</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
         <command>-fs NAMENODE -rmdir /foo</command>
@@ -163,7 +163,7 @@
       <test-commands>
         <command>-fs NAMENODE -mkdir /foo</command>
         <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /foo -keyId mykey</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /foo -keyName mykey</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
         <command>-fs NAMENODE -rmdir /foo</command>

From 687ce1a5fca2d58a781e7382bf0333a16d39839d Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Wed, 23 Jul 2014 14:51:06 +0000
Subject: [PATCH 043/354] HDFS-6733. Creating encryption zone results in NPE
 when KeyProvider is null. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1612843 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  3 +++
 .../hdfs/server/namenode/FSNamesystem.java    |  5 ++++
 .../hadoop/hdfs/TestEncryptionZones.java      | 26 +++++++++++++++++--
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 7170acb225a..c447d49b52c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -59,3 +59,6 @@ fs-encryption (Unreleased)
   OPTIMIZATIONS
 
   BUG FIXES
+
+    HDFS-6733. Creating encryption zone results in NPE when
+    KeyProvider is null. (clamb)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 31a89bfde2e..9b7cb199583 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -8448,6 +8448,11 @@ void createEncryptionZone(final String src, String keyNameArg)
     String keyName = keyNameArg;
     boolean success = false;
     try {
+      if (provider == null) {
+        throw new IOException(
+            "Can't create an encryption zone for " + src +
+            " since no key provider is available.");
+      }
       if (keyName == null || keyName.isEmpty()) {
         keyName = UUID.randomUUID().toString();
         createNewKey(keyName, src);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
index 7b268ed16d4..421396bdf38 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -68,6 +68,7 @@ public class TestEncryptionZones {
   private MiniDFSCluster cluster;
   private HdfsAdmin dfsAdmin;
   private DistributedFileSystem fs;
+  private File testRootDir;
 
   protected FileSystemTestWrapper fsWrapper;
   protected FileContextTestWrapper fcWrapper;
@@ -78,14 +79,14 @@ public void setup() throws IOException {
     fsHelper = new FileSystemTestHelper();
     // Set up java key store
     String testRoot = fsHelper.getTestRootDir();
-    File testRootDir = new File(testRoot).getAbsoluteFile();
+    testRootDir = new File(testRoot).getAbsoluteFile();
     conf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
         JavaKeyStoreProvider.SCHEME_NAME + "://file" + testRootDir + "/test.jks"
     );
     cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
     Logger.getLogger(EncryptionZoneManager.class).setLevel(Level.TRACE);
     fs = cluster.getFileSystem();
-    fsWrapper = new FileSystemTestWrapper(cluster.getFileSystem());
+    fsWrapper = new FileSystemTestWrapper(fs);
     fcWrapper = new FileContextTestWrapper(
         FileContext.getFileContext(cluster.getURI(), conf));
     dfsAdmin = new HdfsAdmin(cluster.getURI(), conf);
@@ -429,4 +430,25 @@ public void testCipherSuiteNegotiation() throws Exception {
     }
   }
 
+  @Test(timeout = 120000)
+  public void testCreateEZWithNoProvider() throws Exception {
+
+    final Configuration clusterConf = cluster.getConfiguration(0);
+    clusterConf.set(KeyProviderFactory.KEY_PROVIDER_PATH, "");
+    cluster.restartNameNode(true);
+    /* Test failure of create EZ on a directory that doesn't exist. */
+    final Path zone1 = new Path("/zone1");
+    /* Normal creation of an EZ */
+    fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
+    try {
+      dfsAdmin.createEncryptionZone(zone1, null);
+      fail("expected exception");
+    } catch (IOException e) {
+      assertExceptionContains("since no key provider is available", e);
+    }
+    clusterConf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
+        JavaKeyStoreProvider.SCHEME_NAME + "://file" + testRootDir + "/test.jks"
+    );
+    cluster.restartNameNode(true);
+  }
 }

From 512b756973f31359510b8af01bb26c9ddbe06ed9 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Wed, 23 Jul 2014 15:23:03 +0000
Subject: [PATCH 044/354] HDFS-6738. Remove unnecessary
 getEncryptionZoneForPath call in EZManager#createEncryptionZone. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1612849 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt      | 3 +++
 .../hadoop/hdfs/server/namenode/EncryptionZoneManager.java     | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index c447d49b52c..e91ce99acb8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -56,6 +56,9 @@ fs-encryption (Unreleased)
 
     HDFS-6720. Remove KeyProvider in EncryptionZoneManager. (wang)
 
+    HDFS-6738. Remove unnecessary getEncryptionZoneForPath call in
+    EZManager#createEncryptionZone. (clamb)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
index f40d315676a..7b1331d1496 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@@ -227,7 +227,6 @@ XAttr createEncryptionZone(String src, String keyName)
     // updating the xattr will call addEncryptionZone,
     // done this way to handle edit log loading
     dir.unprotectedSetXAttrs(src, xattrs, EnumSet.of(XAttrSetFlag.CREATE));
-    ezi = getEncryptionZoneForPath(srcIIP);
     return ezXAttr;
   }
 

From 552b4fb9f9a76b18605322c0b0e8072613d67773 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Wed, 23 Jul 2014 19:26:29 +0000
Subject: [PATCH 045/354] Merge from trunk to branch

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1612928 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  21 +++
 .../org/apache/hadoop/hdfs/DFSConfigKeys.java |   3 +
 .../apache/hadoop/hdfs/DFSOutputStream.java   |  50 +++---
 .../datatransfer/DataTransferProtocol.java    |  21 ++-
 .../hdfs/protocol/datatransfer/Receiver.java  |  11 +-
 .../hdfs/protocol/datatransfer/Sender.java    |  11 +-
 .../hadoop/hdfs/protocolPB/PBHelper.java      |  67 +++++---
 .../hadoop/hdfs/server/balancer/Balancer.java |   6 +-
 .../BlockPlacementPolicyDefault.java          |  18 ++-
 .../BlockPlacementPolicyWithNodeGroup.java    |   7 +-
 .../blockmanagement/DatanodeManager.java      |   7 +-
 .../hdfs/server/datanode/BPOfferService.java  |   3 +-
 .../hdfs/server/datanode/BlockReceiver.java   |  10 +-
 .../hadoop/hdfs/server/datanode/DataNode.java | 150 ++++++++++++++----
 .../hdfs/server/datanode/DataXceiver.java     |  25 +--
 .../datanode/fsdataset/FsDatasetSpi.java      |   9 +-
 .../fsdataset/impl/FsDatasetImpl.java         |  74 ++++++---
 .../datanode/fsdataset/impl/FsVolumeList.java |  21 ++-
 .../hdfs/server/namenode/FSNamesystem.java    |  27 +++-
 .../hdfs/server/protocol/BlockCommand.java    |  15 +-
 .../hdfs/tools/DFSZKFailoverController.java   |   5 +
 .../src/main/proto/DatanodeProtocol.proto     |   1 +
 .../src/main/proto/datatransfer.proto         |   4 +
 .../hadoop-hdfs/src/main/proto/hdfs.proto     |   7 +
 .../src/main/resources/hdfs-default.xml       |  13 ++
 .../apt/HDFSHighAvailabilityWithQJM.apt.vm    |   4 +-
 .../src/site/apt/HdfsMultihoming.apt.vm       | 145 +++++++++++++++++
 .../org/apache/hadoop/hdfs/DFSTestUtil.java   |   7 +-
 .../hadoop/hdfs/TestDataTransferProtocol.java |  54 +++----
 .../hadoop/hdfs/protocolPB/TestPBHelper.java  |   4 +-
 .../server/datanode/BlockReportTestBase.java  |   5 +-
 .../server/datanode/SimulatedFSDataset.java   |  10 +-
 .../server/datanode/TestBlockRecovery.java    |   6 +-
 .../server/datanode/TestBlockReplacement.java |   4 +-
 .../hdfs/server/datanode/TestDiskError.java   |   5 +-
 .../datanode/TestSimulatedFSDataset.java      |   4 +-
 .../fsdataset/impl/TestWriteToReplica.java    |  27 ++--
 .../namenode/TestFavoredNodesEndToEnd.java    |  62 +++++---
 .../hadoop/net/TestNetworkTopology.java       |  45 ++++--
 39 files changed, 736 insertions(+), 232 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsMultihoming.apt.vm

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 37878727536..8c172bf03cf 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -307,6 +307,13 @@ Release 2.6.0 - UNRELEASED
     HDFS-6616. Add exclude-datanodes feature to WebHDFS redirection so that it
     will not redirect retries to the same datanode. (zhaoyunjiong via szetszwo)
 
+    HDFS-6702. Change DFSClient to pass the StorageType from the namenode to
+    datanodes and change datanode to write block replicas using the specified
+    storage type. (szetszwo)
+
+    HDFS-6701. Make seed optional in NetworkTopology#sortByDistance.
+    (Ashwin Shankar via wang)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
@@ -344,6 +351,12 @@ Release 2.6.0 - UNRELEASED
     HDFS-6667. In HDFS HA mode, Distcp/SLive with webhdfs on secure cluster fails
     with Client cannot authenticate via:[TOKEN, KERBEROS] error. (jing9)
 
+    HDFS-6704. Fix the command to launch JournalNode in HDFS-HA document.
+    (Akira AJISAKA via jing9)
+
+    HDFS-6731. Run "hdfs zkfc-formatZK" on a server in a non-namenode will cause
+    a null pointer exception. (Masatake Iwasaki via brandonli)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
@@ -589,6 +602,11 @@ Release 2.5.0 - UNRELEASED
     HDFS-6493. Change dfs.namenode.startup.delay.block.deletion to second
     instead of millisecond. (Juan Yu via wang)
 
+    HDFS-6680. BlockPlacementPolicyDefault does not choose favored nodes
+    correctly.  (szetszwo) 
+
+    HDFS-6712. Document HDFS Multihoming Settings. (Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HDFS-6214. Webhdfs has poor throughput for files >2GB (daryn)
@@ -871,6 +889,9 @@ Release 2.5.0 - UNRELEASED
     HDFS-6378. NFS registration should timeout instead of hanging when
     portmap/rpcbind is not available (Abhiraj Butala via brandonli)
 
+    HDFS-6703. NFS: Files can be deleted from a read-only mount
+    (Srikanth Upputuri via brandonli)
+
   BREAKDOWN OF HDFS-2006 SUBTASKS AND RELATED JIRAS
 
     HDFS-6299. Protobuf for XAttr and client-side implementation. (Yi Liu via umamahesh)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
index 2c0bdb0794f..c16c15d34b0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
@@ -214,6 +214,9 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
   public static final String  DFS_NAMENODE_MIN_SUPPORTED_DATANODE_VERSION_KEY = "dfs.namenode.min.supported.datanode.version";
   public static final String  DFS_NAMENODE_MIN_SUPPORTED_DATANODE_VERSION_DEFAULT = "3.0.0-SNAPSHOT";
 
+  public static final String DFS_NAMENODE_RANDOMIZE_BLOCK_LOCATIONS_PER_BLOCK = "dfs.namenode.randomize-block-locations-per-block";
+  public static final boolean DFS_NAMENODE_RANDOMIZE_BLOCK_LOCATIONS_PER_BLOCK_DEFAULT = false;
+
   public static final String  DFS_NAMENODE_EDITS_DIR_MINIMUM_KEY = "dfs.namenode.edits.dir.minimum";
   public static final int     DFS_NAMENODE_EDITS_DIR_MINIMUM_DEFAULT = 1;
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
index d161eff4968..8ee66352689 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
@@ -316,6 +316,7 @@ class DataStreamer extends Daemon {
     private DataInputStream blockReplyStream;
     private ResponseProcessor response = null;
     private volatile DatanodeInfo[] nodes = null; // list of targets for current block
+    private volatile StorageType[] storageTypes = null;
     private volatile String[] storageIDs = null;
     private final LoadingCache<DatanodeInfo, DatanodeInfo> excludedNodes =
         CacheBuilder.newBuilder()
@@ -420,10 +421,12 @@ private DataStreamer(LocatedBlock lastBlock, HdfsFileStatus stat,
     }
     
     private void setPipeline(LocatedBlock lb) {
-      setPipeline(lb.getLocations(), lb.getStorageIDs());
+      setPipeline(lb.getLocations(), lb.getStorageTypes(), lb.getStorageIDs());
     }
-    private void setPipeline(DatanodeInfo[] nodes, String[] storageIDs) {
+    private void setPipeline(DatanodeInfo[] nodes, StorageType[] storageTypes,
+        String[] storageIDs) {
       this.nodes = nodes;
+      this.storageTypes = storageTypes;
       this.storageIDs = storageIDs;
     }
 
@@ -449,7 +452,7 @@ private void endBlock() {
       this.setName("DataStreamer for file " + src);
       closeResponder();
       closeStream();
-      setPipeline(null, null);
+      setPipeline(null, null, null);
       stage = BlockConstructionStage.PIPELINE_SETUP_CREATE;
     }
     
@@ -1034,10 +1037,12 @@ private void addDatanode2ExistingPipeline() throws IOException {
       //transfer replica
       final DatanodeInfo src = d == 0? nodes[1]: nodes[d - 1];
       final DatanodeInfo[] targets = {nodes[d]};
-      transfer(src, targets, lb.getBlockToken());
+      final StorageType[] targetStorageTypes = {storageTypes[d]};
+      transfer(src, targets, targetStorageTypes, lb.getBlockToken());
     }
 
     private void transfer(final DatanodeInfo src, final DatanodeInfo[] targets,
+        final StorageType[] targetStorageTypes,
         final Token<BlockTokenIdentifier> blockToken) throws IOException {
       //transfer replica to the new datanode
       Socket sock = null;
@@ -1059,7 +1064,7 @@ private void transfer(final DatanodeInfo src, final DatanodeInfo[] targets,
 
         //send the TRANSFER_BLOCK request
         new Sender(out).transferBlock(block, blockToken, dfsClient.clientName,
-            targets);
+            targets, targetStorageTypes);
         out.flush();
 
         //ack
@@ -1138,16 +1143,15 @@ private boolean setupPipelineForAppendOrRecovery() throws IOException {
           failed.add(nodes[errorIndex]);
 
           DatanodeInfo[] newnodes = new DatanodeInfo[nodes.length-1];
-          System.arraycopy(nodes, 0, newnodes, 0, errorIndex);
-          System.arraycopy(nodes, errorIndex+1, newnodes, errorIndex,
-              newnodes.length-errorIndex);
+          arraycopy(nodes, newnodes, errorIndex);
+
+          final StorageType[] newStorageTypes = new StorageType[newnodes.length];
+          arraycopy(storageTypes, newStorageTypes, errorIndex);
 
           final String[] newStorageIDs = new String[newnodes.length];
-          System.arraycopy(storageIDs, 0, newStorageIDs, 0, errorIndex);
-          System.arraycopy(storageIDs, errorIndex+1, newStorageIDs, errorIndex,
-              newStorageIDs.length-errorIndex);
+          arraycopy(storageIDs, newStorageIDs, errorIndex);
           
-          setPipeline(newnodes, newStorageIDs);
+          setPipeline(newnodes, newStorageTypes, newStorageIDs);
 
           // Just took care of a node error while waiting for a node restart
           if (restartingNodeIndex >= 0) {
@@ -1184,7 +1188,7 @@ private boolean setupPipelineForAppendOrRecovery() throws IOException {
         
         // set up the pipeline again with the remaining nodes
         if (failPacket) { // for testing
-          success = createBlockOutputStream(nodes, newGS, isRecovery);
+          success = createBlockOutputStream(nodes, storageTypes, newGS, isRecovery);
           failPacket = false;
           try {
             // Give DNs time to send in bad reports. In real situations,
@@ -1193,7 +1197,7 @@ private boolean setupPipelineForAppendOrRecovery() throws IOException {
             Thread.sleep(2000);
           } catch (InterruptedException ie) {}
         } else {
-          success = createBlockOutputStream(nodes, newGS, isRecovery);
+          success = createBlockOutputStream(nodes, storageTypes, newGS, isRecovery);
         }
 
         if (restartingNodeIndex >= 0) {
@@ -1245,6 +1249,7 @@ private boolean setupPipelineForAppendOrRecovery() throws IOException {
     private LocatedBlock nextBlockOutputStream() throws IOException {
       LocatedBlock lb = null;
       DatanodeInfo[] nodes = null;
+      StorageType[] storageTypes = null;
       int count = dfsClient.getConf().nBlockWriteRetry;
       boolean success = false;
       ExtendedBlock oldBlock = block;
@@ -1267,11 +1272,12 @@ private LocatedBlock nextBlockOutputStream() throws IOException {
         bytesSent = 0;
         accessToken = lb.getBlockToken();
         nodes = lb.getLocations();
+        storageTypes = lb.getStorageTypes();
 
         //
         // Connect to first DataNode in the list.
         //
-        success = createBlockOutputStream(nodes, 0L, false);
+        success = createBlockOutputStream(nodes, storageTypes, 0L, false);
 
         if (!success) {
           DFSClient.LOG.info("Abandoning " + block);
@@ -1292,8 +1298,8 @@ private LocatedBlock nextBlockOutputStream() throws IOException {
     // connects to the first datanode in the pipeline
     // Returns true if success, otherwise return failure.
     //
-    private boolean createBlockOutputStream(DatanodeInfo[] nodes, long newGS,
-        boolean recoveryFlag) {
+    private boolean createBlockOutputStream(DatanodeInfo[] nodes,
+        StorageType[] nodeStorageTypes, long newGS, boolean recoveryFlag) {
       if (nodes.length == 0) {
         DFSClient.LOG.info("nodes are empty for write pipeline of block "
             + block);
@@ -1335,9 +1341,10 @@ private boolean createBlockOutputStream(DatanodeInfo[] nodes, long newGS,
           // Xmit header info to datanode
           //
   
+          BlockConstructionStage bcs = recoveryFlag? stage.getRecoveryStage(): stage;
           // send the request
-          new Sender(out).writeBlock(block, accessToken, dfsClient.clientName,
-              nodes, null, recoveryFlag? stage.getRecoveryStage() : stage, 
+          new Sender(out).writeBlock(block, nodeStorageTypes[0], accessToken,
+              dfsClient.clientName, nodes, nodeStorageTypes, null, bcs, 
               nodes.length, block.getNumBytes(), bytesSent, newGS, checksum,
               cachingStrategy.get());
   
@@ -2203,4 +2210,9 @@ ExtendedBlock getBlock() {
   public long getFileId() {
     return fileId;
   }
+
+  private static <T> void arraycopy(T[] srcs, T[] dsts, int skipIndex) {
+    System.arraycopy(srcs, 0, dsts, 0, skipIndex);
+    System.arraycopy(srcs, skipIndex+1, dsts, skipIndex, dsts.length-skipIndex);
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferProtocol.java
index d620c6b502b..d54d5bed002 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferProtocol.java
@@ -23,6 +23,7 @@
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
@@ -71,11 +72,20 @@ public void readBlock(final ExtendedBlock blk,
 
   /**
    * Write a block to a datanode pipeline.
-   * 
+   * The receiver datanode of this call is the next datanode in the pipeline.
+   * The other downstream datanodes are specified by the targets parameter.
+   * Note that the receiver {@link DatanodeInfo} is not required in the
+   * parameter list since the receiver datanode knows its info.  However, the
+   * {@link StorageType} for storing the replica in the receiver datanode is a 
+   * parameter since the receiver datanode may support multiple storage types.
+   *
    * @param blk the block being written.
+   * @param storageType for storing the replica in the receiver datanode.
    * @param blockToken security token for accessing the block.
    * @param clientName client's name.
-   * @param targets target datanodes in the pipeline.
+   * @param targets other downstream datanodes in the pipeline.
+   * @param targetStorageTypes target {@link StorageType}s corresponding
+   *                           to the target datanodes.
    * @param source source datanode.
    * @param stage pipeline stage.
    * @param pipelineSize the size of the pipeline.
@@ -84,9 +94,11 @@ public void readBlock(final ExtendedBlock blk,
    * @param latestGenerationStamp the latest generation stamp of the block.
    */
   public void writeBlock(final ExtendedBlock blk,
+      final StorageType storageType, 
       final Token<BlockTokenIdentifier> blockToken,
       final String clientName,
       final DatanodeInfo[] targets,
+      final StorageType[] targetStorageTypes, 
       final DatanodeInfo source,
       final BlockConstructionStage stage,
       final int pipelineSize,
@@ -110,7 +122,8 @@ public void writeBlock(final ExtendedBlock blk,
   public void transferBlock(final ExtendedBlock blk,
       final Token<BlockTokenIdentifier> blockToken,
       final String clientName,
-      final DatanodeInfo[] targets) throws IOException;
+      final DatanodeInfo[] targets,
+      final StorageType[] targetStorageTypes) throws IOException;
 
   /**
    * Request short circuit access file descriptors from a DataNode.
@@ -148,11 +161,13 @@ public void requestShortCircuitFds(final ExtendedBlock blk,
    * It is used for balancing purpose.
    * 
    * @param blk the block being replaced.
+   * @param storageType the {@link StorageType} for storing the block.
    * @param blockToken security token for accessing the block.
    * @param delHint the hint for deleting the block in the original datanode.
    * @param source the source datanode for receiving the block.
    */
   public void replaceBlock(final ExtendedBlock blk,
+      final StorageType storageType, 
       final Token<BlockTokenIdentifier> blockToken,
       final String delHint,
       final DatanodeInfo source) throws IOException;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/Receiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/Receiver.java
index 5a80f689da3..a09437c0b0a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/Receiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/Receiver.java
@@ -25,6 +25,7 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.CachingStrategyProto;
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.OpBlockChecksumProto;
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.OpCopyBlockProto;
@@ -121,10 +122,13 @@ private void opReadBlock() throws IOException {
   /** Receive OP_WRITE_BLOCK */
   private void opWriteBlock(DataInputStream in) throws IOException {
     final OpWriteBlockProto proto = OpWriteBlockProto.parseFrom(vintPrefixed(in));
+    final DatanodeInfo[] targets = PBHelper.convert(proto.getTargetsList());
     writeBlock(PBHelper.convert(proto.getHeader().getBaseHeader().getBlock()),
+        PBHelper.convertStorageType(proto.getStorageType()),
         PBHelper.convert(proto.getHeader().getBaseHeader().getToken()),
         proto.getHeader().getClientName(),
-        PBHelper.convert(proto.getTargetsList()),
+        targets,
+        PBHelper.convertStorageTypes(proto.getTargetStorageTypesList(), targets.length),
         PBHelper.convert(proto.getSource()),
         fromProto(proto.getStage()),
         proto.getPipelineSize(),
@@ -140,10 +144,12 @@ private void opWriteBlock(DataInputStream in) throws IOException {
   private void opTransferBlock(DataInputStream in) throws IOException {
     final OpTransferBlockProto proto =
       OpTransferBlockProto.parseFrom(vintPrefixed(in));
+    final DatanodeInfo[] targets = PBHelper.convert(proto.getTargetsList());
     transferBlock(PBHelper.convert(proto.getHeader().getBaseHeader().getBlock()),
         PBHelper.convert(proto.getHeader().getBaseHeader().getToken()),
         proto.getHeader().getClientName(),
-        PBHelper.convert(proto.getTargetsList()));
+        targets,
+        PBHelper.convertStorageTypes(proto.getTargetStorageTypesList(), targets.length));
   }
 
   /** Receive {@link Op#REQUEST_SHORT_CIRCUIT_FDS} */
@@ -176,6 +182,7 @@ private void opRequestShortCircuitShm(DataInputStream in) throws IOException {
   private void opReplaceBlock(DataInputStream in) throws IOException {
     OpReplaceBlockProto proto = OpReplaceBlockProto.parseFrom(vintPrefixed(in));
     replaceBlock(PBHelper.convert(proto.getHeader().getBlock()),
+        PBHelper.convertStorageType(proto.getStorageType()),
         PBHelper.convert(proto.getHeader().getToken()),
         proto.getDelHint(),
         PBHelper.convert(proto.getSource()));
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/Sender.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/Sender.java
index c03f33fb276..68da52399c8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/Sender.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/Sender.java
@@ -25,6 +25,7 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.CachingStrategyProto;
@@ -111,9 +112,11 @@ public void readBlock(final ExtendedBlock blk,
 
   @Override
   public void writeBlock(final ExtendedBlock blk,
+      final StorageType storageType, 
       final Token<BlockTokenIdentifier> blockToken,
       final String clientName,
       final DatanodeInfo[] targets,
+      final StorageType[] targetStorageTypes, 
       final DatanodeInfo source,
       final BlockConstructionStage stage,
       final int pipelineSize,
@@ -130,7 +133,9 @@ public void writeBlock(final ExtendedBlock blk,
 
     OpWriteBlockProto.Builder proto = OpWriteBlockProto.newBuilder()
       .setHeader(header)
+      .setStorageType(PBHelper.convertStorageType(storageType))
       .addAllTargets(PBHelper.convert(targets, 1))
+      .addAllTargetStorageTypes(PBHelper.convertStorageTypes(targetStorageTypes, 1))
       .setStage(toProto(stage))
       .setPipelineSize(pipelineSize)
       .setMinBytesRcvd(minBytesRcvd)
@@ -150,12 +155,14 @@ public void writeBlock(final ExtendedBlock blk,
   public void transferBlock(final ExtendedBlock blk,
       final Token<BlockTokenIdentifier> blockToken,
       final String clientName,
-      final DatanodeInfo[] targets) throws IOException {
+      final DatanodeInfo[] targets,
+      final StorageType[] targetStorageTypes) throws IOException {
     
     OpTransferBlockProto proto = OpTransferBlockProto.newBuilder()
       .setHeader(DataTransferProtoUtil.buildClientHeader(
           blk, clientName, blockToken))
       .addAllTargets(PBHelper.convert(targets))
+      .addAllTargetStorageTypes(PBHelper.convertStorageTypes(targetStorageTypes))
       .build();
 
     send(out, Op.TRANSFER_BLOCK, proto);
@@ -196,11 +203,13 @@ public void requestShortCircuitShm(String clientName) throws IOException {
   
   @Override
   public void replaceBlock(final ExtendedBlock blk,
+      final StorageType storageType, 
       final Token<BlockTokenIdentifier> blockToken,
       final String delHint,
       final DatanodeInfo source) throws IOException {
     OpReplaceBlockProto proto = OpReplaceBlockProto.newBuilder()
       .setHeader(DataTransferProtoUtil.buildBaseHeader(blk, blockToken))
+      .setStorageType(PBHelper.convertStorageType(storageType))
       .setDelHint(delHint)
       .setSource(PBHelper.convertDatanodeInfo(source))
       .build();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index edbd284dfc4..bdf2f06b420 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -155,6 +155,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.SnapshottableDirectoryStatusProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageInfoProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageTypeProto;
+import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageTypesProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageUuidsProto;
 import org.apache.hadoop.hdfs.protocol.proto.JournalProtocolProtos.JournalInfoProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.GetXAttrsResponseProto;
@@ -679,14 +680,8 @@ public static LocatedBlock convert(LocatedBlockProto proto) {
       targets[i] = PBHelper.convert(locs.get(i));
     }
 
-    final int storageTypesCount = proto.getStorageTypesCount();
-    final StorageType[] storageTypes;
-    if (storageTypesCount == 0) {
-      storageTypes = null;
-    } else {
-      Preconditions.checkState(storageTypesCount == locs.size());
-      storageTypes = convertStorageTypeProtos(proto.getStorageTypesList());
-    }
+    final StorageType[] storageTypes = convertStorageTypes(
+        proto.getStorageTypesList(), locs.size());
 
     final int storageIDsCount = proto.getStorageIDsCount();
     final String[] storageIDs;
@@ -974,6 +969,20 @@ public static BlockCommand convert(BlockCommandProto blkCmd) {
       targets[i] = PBHelper.convert(targetList.get(i));
     }
 
+    StorageType[][] targetStorageTypes = new StorageType[targetList.size()][];
+    List<StorageTypesProto> targetStorageTypesList = blkCmd.getTargetStorageTypesList();
+    if (targetStorageTypesList.isEmpty()) { // missing storage types
+      for(int i = 0; i < targetStorageTypes.length; i++) {
+        targetStorageTypes[i] = new StorageType[targets[i].length];
+        Arrays.fill(targetStorageTypes[i], StorageType.DEFAULT);
+      }
+    } else {
+      for(int i = 0; i < targetStorageTypes.length; i++) {
+        List<StorageTypeProto> p = targetStorageTypesList.get(i).getStorageTypesList();
+        targetStorageTypes[i] = p.toArray(new StorageType[p.size()]);
+      }
+    }
+
     List<StorageUuidsProto> targetStorageUuidsList = blkCmd.getTargetStorageUuidsList();
     String[][] targetStorageIDs = new String[targetStorageUuidsList.size()][];
     for(int i = 0; i < targetStorageIDs.length; i++) {
@@ -996,7 +1005,7 @@ public static BlockCommand convert(BlockCommandProto blkCmd) {
       throw new AssertionError("Unknown action type: " + blkCmd.getAction());
     }
     return new BlockCommand(action, blkCmd.getBlockPoolId(), blocks, targets,
-        targetStorageIDs);
+        targetStorageTypes, targetStorageIDs);
   }
 
   public static BlockIdCommand convert(BlockIdCommandProto blkIdCmd) {
@@ -1620,8 +1629,25 @@ private static StorageState convertState(State state) {
     }
   }
 
-  private static StorageTypeProto convertStorageType(
-      StorageType type) {
+  public static List<StorageTypeProto> convertStorageTypes(
+      StorageType[] types) {
+    return convertStorageTypes(types, 0);
+  }
+
+  public static List<StorageTypeProto> convertStorageTypes(
+      StorageType[] types, int startIdx) {
+    if (types == null) {
+      return null;
+    }
+    final List<StorageTypeProto> protos = new ArrayList<StorageTypeProto>(
+        types.length);
+    for (int i = startIdx; i < types.length; ++i) {
+      protos.add(convertStorageType(types[i]));
+    }
+    return protos; 
+  }
+
+  public static StorageTypeProto convertStorageType(StorageType type) {
     switch(type) {
     case DISK:
       return StorageTypeProto.DISK;
@@ -1636,7 +1662,7 @@ private static StorageTypeProto convertStorageType(
   public static DatanodeStorage convert(DatanodeStorageProto s) {
     return new DatanodeStorage(s.getStorageUuid(),
                                PBHelper.convertState(s.getState()),
-                               PBHelper.convertType(s.getStorageType()));
+                               PBHelper.convertStorageType(s.getStorageType()));
   }
 
   private static State convertState(StorageState state) {
@@ -1649,7 +1675,7 @@ private static State convertState(StorageState state) {
     }
   }
 
-  private static StorageType convertType(StorageTypeProto type) {
+  public static StorageType convertStorageType(StorageTypeProto type) {
     switch(type) {
       case DISK:
         return StorageType.DISK;
@@ -1661,11 +1687,16 @@ private static StorageType convertType(StorageTypeProto type) {
     }
   }
 
-  private static StorageType[] convertStorageTypeProtos(
-      List<StorageTypeProto> storageTypesList) {
-    final StorageType[] storageTypes = new StorageType[storageTypesList.size()];
-    for (int i = 0; i < storageTypes.length; ++i) {
-      storageTypes[i] = PBHelper.convertType(storageTypesList.get(i));
+  public static StorageType[] convertStorageTypes(
+      List<StorageTypeProto> storageTypesList, int expectedSize) {
+    final StorageType[] storageTypes = new StorageType[expectedSize];
+    if (storageTypesList.size() != expectedSize) { // missing storage types
+      Preconditions.checkState(storageTypesList.isEmpty());
+      Arrays.fill(storageTypes, StorageType.DEFAULT);
+    } else {
+      for (int i = 0; i < storageTypes.length; ++i) {
+        storageTypes[i] = convertStorageType(storageTypesList.get(i));
+      }
     }
     return storageTypes;
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
index 7482b2fcdce..5dbdd643cdf 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
@@ -59,6 +59,7 @@
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.DFSUtil;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
@@ -368,7 +369,7 @@ private void dispatch() {
         in = new DataInputStream(new BufferedInputStream(unbufIn,
             HdfsConstants.IO_FILE_BUFFER_SIZE));
         
-        sendRequest(out, eb, accessToken);
+        sendRequest(out, eb, StorageType.DEFAULT, accessToken);
         receiveResponse(in);
         bytesMoved.addAndGet(block.getNumBytes());
         LOG.info("Successfully moved " + this);
@@ -400,8 +401,9 @@ private void dispatch() {
     
     /* Send a block replace request to the output stream*/
     private void sendRequest(DataOutputStream out, ExtendedBlock eb,
+        StorageType storageType, 
         Token<BlockTokenIdentifier> accessToken) throws IOException {
-      new Sender(out).replaceBlock(eb, accessToken,
+      new Sender(out).replaceBlock(eb, storageType, accessToken,
           source.getStorageID(), proxySource.getDatanode());
     }
     
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockPlacementPolicyDefault.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockPlacementPolicyDefault.java
index accdddf5250..e2026c1dfbb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockPlacementPolicyDefault.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockPlacementPolicyDefault.java
@@ -145,14 +145,14 @@ DatanodeStorageInfo[] chooseTarget(String src,
       List<DatanodeStorageInfo> results = new ArrayList<DatanodeStorageInfo>();
       boolean avoidStaleNodes = stats != null
           && stats.isAvoidingStaleDataNodesForWrite();
-      for (int i = 0; i < Math.min(favoredNodes.size(), numOfReplicas); i++) {
+      for (int i = 0; i < favoredNodes.size() && results.size() < numOfReplicas; i++) {
         DatanodeDescriptor favoredNode = favoredNodes.get(i);
         // Choose a single node which is local to favoredNode.
         // 'results' is updated within chooseLocalNode
         final DatanodeStorageInfo target = chooseLocalStorage(favoredNode,
             favoriteAndExcludedNodes, blocksize, 
             getMaxNodesPerRack(results.size(), numOfReplicas)[1],
-            results, avoidStaleNodes, storageType);
+            results, avoidStaleNodes, storageType, false);
         if (target == null) {
           LOG.warn("Could not find a target for file " + src
               + " with favored node " + favoredNode); 
@@ -271,7 +271,7 @@ private Node chooseTarget(int numOfReplicas,
     try {
       if (numOfResults == 0) {
         writer = chooseLocalStorage(writer, excludedNodes, blocksize,
-            maxNodesPerRack, results, avoidStaleNodes, storageType)
+            maxNodesPerRack, results, avoidStaleNodes, storageType, true)
                 .getDatanodeDescriptor();
         if (--numOfReplicas == 0) {
           return writer;
@@ -345,12 +345,14 @@ protected DatanodeStorageInfo chooseLocalStorage(Node localMachine,
                                              int maxNodesPerRack,
                                              List<DatanodeStorageInfo> results,
                                              boolean avoidStaleNodes,
-                                             StorageType storageType)
+                                             StorageType storageType,
+                                             boolean fallbackToLocalRack)
       throws NotEnoughReplicasException {
     // if no local machine, randomly choose one node
-    if (localMachine == null)
+    if (localMachine == null) {
       return chooseRandom(NodeBase.ROOT, excludedNodes, blocksize,
           maxNodesPerRack, results, avoidStaleNodes, storageType);
+    }
     if (preferLocalNode && localMachine instanceof DatanodeDescriptor) {
       DatanodeDescriptor localDatanode = (DatanodeDescriptor) localMachine;
       // otherwise try local machine first
@@ -363,7 +365,11 @@ protected DatanodeStorageInfo chooseLocalStorage(Node localMachine,
           }
         }
       } 
-    }      
+    }
+
+    if (!fallbackToLocalRack) {
+      return null;
+    }
     // try a node on local rack
     return chooseLocalRack(localMachine, excludedNodes, blocksize,
         maxNodesPerRack, results, avoidStaleNodes, storageType);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockPlacementPolicyWithNodeGroup.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockPlacementPolicyWithNodeGroup.java
index 1069b4e3d75..b3ff6b9b1f0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockPlacementPolicyWithNodeGroup.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockPlacementPolicyWithNodeGroup.java
@@ -70,7 +70,8 @@ public void initialize(Configuration conf,  FSClusterStats stats,
   protected DatanodeStorageInfo chooseLocalStorage(Node localMachine,
       Set<Node> excludedNodes, long blocksize, int maxNodesPerRack,
       List<DatanodeStorageInfo> results, boolean avoidStaleNodes,
-      StorageType storageType) throws NotEnoughReplicasException {
+      StorageType storageType, boolean fallbackToLocalRack
+      ) throws NotEnoughReplicasException {
     // if no local machine, randomly choose one node
     if (localMachine == null)
       return chooseRandom(NodeBase.ROOT, excludedNodes, 
@@ -97,6 +98,10 @@ protected DatanodeStorageInfo chooseLocalStorage(Node localMachine,
     if (chosenStorage != null) {
       return chosenStorage;
     }
+
+    if (!fallbackToLocalRack) {
+      return null;
+    }
     // try a node on local rack
     return chooseLocalRack(localMachine, excludedNodes, 
         blocksize, maxNodesPerRack, results, avoidStaleNodes, storageType);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeManager.java
index 791c6dff5be..69b2b695415 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeManager.java
@@ -345,7 +345,8 @@ private boolean isInactive(DatanodeInfo datanode) {
   
   /** Sort the located blocks by the distance to the target host. */
   public void sortLocatedBlocks(final String targethost,
-      final List<LocatedBlock> locatedblocks) {
+      final List<LocatedBlock> locatedblocks,
+      boolean randomizeBlockLocationsPerBlock) {
     //sort the blocks
     // As it is possible for the separation of node manager and datanode, 
     // here we should get node but not datanode only .
@@ -372,8 +373,8 @@ public void sortLocatedBlocks(final String targethost,
           --lastActiveIndex;
       }
       int activeLen = lastActiveIndex + 1;      
-      networktopology.sortByDistance(client, b.getLocations(), activeLen,
-          b.getBlock().getBlockId());
+      networktopology.sortByDistance(client, b.getLocations(), activeLen, b
+          .getBlock().getBlockId(), randomizeBlockLocationsPerBlock);
     }
   }
   
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java
index cab61364ed2..0a6549de8f9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java
@@ -575,7 +575,8 @@ private boolean processCommandFromActive(DatanodeCommand cmd,
     switch(cmd.getAction()) {
     case DatanodeProtocol.DNA_TRANSFER:
       // Send a copy of a block to another datanode
-      dn.transferBlocks(bcmd.getBlockPoolId(), bcmd.getBlocks(), bcmd.getTargets());
+      dn.transferBlocks(bcmd.getBlockPoolId(), bcmd.getBlocks(),
+          bcmd.getTargets(), bcmd.getTargetStorageTypes());
       dn.metrics.incrBlocksReplicated(bcmd.getBlocks().length);
       break;
     case DatanodeProtocol.DNA_INVALIDATE:
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
index 3d9ccdcca90..2f3909ba564 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
@@ -37,6 +37,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.hadoop.fs.ChecksumException;
 import org.apache.hadoop.fs.FSOutputSummer;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
@@ -122,7 +123,8 @@ class BlockReceiver implements Closeable {
   private boolean syncOnClose;
   private long restartBudget;
 
-  BlockReceiver(final ExtendedBlock block, final DataInputStream in,
+  BlockReceiver(final ExtendedBlock block, final StorageType storageType,
+      final DataInputStream in,
       final String inAddr, final String myAddr,
       final BlockConstructionStage stage, 
       final long newGs, final long minBytesRcvd, final long maxBytesRcvd, 
@@ -162,11 +164,11 @@ class BlockReceiver implements Closeable {
       // Open local disk out
       //
       if (isDatanode) { //replication or move
-        replicaInfo = datanode.data.createTemporary(block);
+        replicaInfo = datanode.data.createTemporary(storageType, block);
       } else {
         switch (stage) {
         case PIPELINE_SETUP_CREATE:
-          replicaInfo = datanode.data.createRbw(block);
+          replicaInfo = datanode.data.createRbw(storageType, block);
           datanode.notifyNamenodeReceivingBlock(
               block, replicaInfo.getStorageUuid());
           break;
@@ -198,7 +200,7 @@ class BlockReceiver implements Closeable {
         case TRANSFER_RBW:
         case TRANSFER_FINALIZED:
           // this is a transfer destination
-          replicaInfo = datanode.data.createTemporary(block);
+          replicaInfo = datanode.data.createTemporary(storageType, block);
           break;
         default: throw new IOException("Unsupported stage " + stage + 
               " while receiving block " + block + " from " + inAddr);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
index 5f32e29cd29..b55abed7e46 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
@@ -19,11 +19,66 @@
 
 import static org.apache.hadoop.fs.CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT;
 import static org.apache.hadoop.fs.CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_ADMIN;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_ADDRESS_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_ADDRESS_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_DATA_DIR_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_DATA_DIR_PERMISSION_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_DATA_DIR_PERMISSION_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_DIRECTORYSCAN_INTERVAL_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_DIRECTORYSCAN_INTERVAL_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_DNS_INTERFACE_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_DNS_INTERFACE_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_DNS_NAMESERVER_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_DNS_NAMESERVER_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_HANDLER_COUNT_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_HANDLER_COUNT_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_HOST_NAME_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_HTTPS_ADDRESS_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_HTTPS_ADDRESS_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_HTTP_ADDRESS_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_HTTP_ADDRESS_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_IPC_ADDRESS_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_KERBEROS_PRINCIPAL_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_KEYTAB_FILE_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_MAX_LOCKED_MEMORY_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_PLUGINS_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_SCAN_PERIOD_HOURS_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_SCAN_PERIOD_HOURS_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_STARTUP_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATA_TRANSFER_PROTECTION_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_MAX_NUM_BLOCKS_TO_LOG_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_MAX_NUM_BLOCKS_TO_LOG_KEY;
+import static org.apache.hadoop.util.ExitUtil.terminate;
 
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Joiner;
-import com.google.common.base.Preconditions;
-import com.google.protobuf.BlockingService;
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayInputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.lang.management.ManagementFactory;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+import java.net.URI;
+import java.net.UnknownHostException;
+import java.nio.channels.SocketChannel;
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.UUID;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import javax.management.ObjectName;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -39,10 +94,23 @@
 import org.apache.hadoop.hdfs.DFSUtil;
 import org.apache.hadoop.hdfs.HDFSPolicyProvider;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.net.DomainPeerServer;
 import org.apache.hadoop.hdfs.net.TcpPeerServer;
-import org.apache.hadoop.hdfs.protocol.*;
-import org.apache.hadoop.hdfs.protocol.datatransfer.*;
+import org.apache.hadoop.hdfs.protocol.Block;
+import org.apache.hadoop.hdfs.protocol.BlockLocalPathInfo;
+import org.apache.hadoop.hdfs.protocol.ClientDatanodeProtocol;
+import org.apache.hadoop.hdfs.protocol.DatanodeID;
+import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
+import org.apache.hadoop.hdfs.protocol.DatanodeLocalInfo;
+import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
+import org.apache.hadoop.hdfs.protocol.HdfsBlocksMetadata;
+import org.apache.hadoop.hdfs.protocol.HdfsConstants;
+import org.apache.hadoop.hdfs.protocol.RecoveryInProgressException;
+import org.apache.hadoop.hdfs.protocol.datatransfer.BlockConstructionStage;
+import org.apache.hadoop.hdfs.protocol.datatransfer.DataTransferProtocol;
+import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
+import org.apache.hadoop.hdfs.protocol.datatransfer.Sender;
 import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataEncryptionKeyFactory;
 import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient;
 import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferServer;
@@ -50,9 +118,20 @@
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.DNTransferAckProto;
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.Status;
 import org.apache.hadoop.hdfs.protocol.proto.InterDatanodeProtocolProtos.InterDatanodeProtocolService;
-import org.apache.hadoop.hdfs.protocolPB.*;
-import org.apache.hadoop.hdfs.security.token.block.*;
+import org.apache.hadoop.hdfs.protocolPB.ClientDatanodeProtocolPB;
+import org.apache.hadoop.hdfs.protocolPB.ClientDatanodeProtocolServerSideTranslatorPB;
+import org.apache.hadoop.hdfs.protocolPB.DatanodeProtocolClientSideTranslatorPB;
+import org.apache.hadoop.hdfs.protocolPB.InterDatanodeProtocolPB;
+import org.apache.hadoop.hdfs.protocolPB.InterDatanodeProtocolServerSideTranslatorPB;
+import org.apache.hadoop.hdfs.protocolPB.InterDatanodeProtocolTranslatorPB;
+import org.apache.hadoop.hdfs.protocolPB.PBHelper;
+import org.apache.hadoop.hdfs.security.token.block.BlockPoolTokenSecretManager;
+import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.block.BlockTokenSecretManager;
 import org.apache.hadoop.hdfs.security.token.block.BlockTokenSecretManager.AccessMode;
+import org.apache.hadoop.hdfs.security.token.block.DataEncryptionKey;
+import org.apache.hadoop.hdfs.security.token.block.ExportedBlockKeys;
+import org.apache.hadoop.hdfs.security.token.block.InvalidBlockTokenException;
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants;
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.NodeType;
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.ReplicaState;
@@ -65,7 +144,11 @@
 import org.apache.hadoop.hdfs.server.datanode.metrics.DataNodeMetrics;
 import org.apache.hadoop.hdfs.server.datanode.web.resources.DatanodeWebHdfsMethods;
 import org.apache.hadoop.hdfs.server.protocol.BlockRecoveryCommand.RecoveringBlock;
-import org.apache.hadoop.hdfs.server.protocol.*;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeRegistration;
+import org.apache.hadoop.hdfs.server.protocol.InterDatanodeProtocol;
+import org.apache.hadoop.hdfs.server.protocol.NamespaceInfo;
+import org.apache.hadoop.hdfs.server.protocol.ReplicaRecoveryInfo;
 import org.apache.hadoop.hdfs.web.WebHdfsFileSystem;
 import org.apache.hadoop.hdfs.web.resources.Param;
 import org.apache.hadoop.http.HttpConfig;
@@ -88,22 +171,21 @@
 import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
-import org.apache.hadoop.util.*;
+import org.apache.hadoop.util.Daemon;
+import org.apache.hadoop.util.DiskChecker;
 import org.apache.hadoop.util.DiskChecker.DiskErrorException;
+import org.apache.hadoop.util.GenericOptionsParser;
+import org.apache.hadoop.util.JvmPauseMonitor;
+import org.apache.hadoop.util.ServicePlugin;
+import org.apache.hadoop.util.StringUtils;
+import org.apache.hadoop.util.Time;
+import org.apache.hadoop.util.VersionInfo;
 import org.mortbay.util.ajax.JSON;
 
-import javax.management.ObjectName;
-
-import java.io.*;
-import java.lang.management.ManagementFactory;
-import java.net.*;
-import java.nio.channels.SocketChannel;
-import java.security.PrivilegedExceptionAction;
-import java.util.*;
-import java.util.concurrent.atomic.AtomicInteger;
-
-import static org.apache.hadoop.hdfs.DFSConfigKeys.*;
-import static org.apache.hadoop.util.ExitUtil.terminate;
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Joiner;
+import com.google.common.base.Preconditions;
+import com.google.protobuf.BlockingService;
 
 /**********************************************************
  * DataNode is a class (and program) that stores a set of
@@ -1475,8 +1557,8 @@ int getXmitsInProgress() {
     return xmitsInProgress.get();
   }
     
-  private void transferBlock(ExtendedBlock block, DatanodeInfo xferTargets[])
-      throws IOException {
+  private void transferBlock(ExtendedBlock block, DatanodeInfo[] xferTargets,
+      StorageType[] xferTargetStorageTypes) throws IOException {
     BPOfferService bpos = getBPOSForBlock(block);
     DatanodeRegistration bpReg = getDNRegistrationForBP(block.getBlockPoolId());
     
@@ -1512,16 +1594,17 @@ private void transferBlock(ExtendedBlock block, DatanodeInfo xferTargets[])
       LOG.info(bpReg + " Starting thread to transfer " + 
                block + " to " + xfersBuilder);                       
 
-      new Daemon(new DataTransfer(xferTargets, block,
+      new Daemon(new DataTransfer(xferTargets, xferTargetStorageTypes, block,
           BlockConstructionStage.PIPELINE_SETUP_CREATE, "")).start();
     }
   }
 
   void transferBlocks(String poolId, Block blocks[],
-      DatanodeInfo xferTargets[][]) {
+      DatanodeInfo xferTargets[][], StorageType[][] xferTargetStorageTypes) {
     for (int i = 0; i < blocks.length; i++) {
       try {
-        transferBlock(new ExtendedBlock(poolId, blocks[i]), xferTargets[i]);
+        transferBlock(new ExtendedBlock(poolId, blocks[i]), xferTargets[i],
+            xferTargetStorageTypes[i]);
       } catch (IOException ie) {
         LOG.warn("Failed to transfer block " + blocks[i], ie);
       }
@@ -1624,6 +1707,7 @@ CHECKSUM_SIZE depends on CHECKSUM_TYPE (usually, 4 for CRC32)
    */
   private class DataTransfer implements Runnable {
     final DatanodeInfo[] targets;
+    final StorageType[] targetStorageTypes;
     final ExtendedBlock b;
     final BlockConstructionStage stage;
     final private DatanodeRegistration bpReg;
@@ -1634,7 +1718,8 @@ private class DataTransfer implements Runnable {
      * Connect to the first item in the target list.  Pass along the 
      * entire target list, the block, and the data.
      */
-    DataTransfer(DatanodeInfo targets[], ExtendedBlock b, BlockConstructionStage stage,
+    DataTransfer(DatanodeInfo targets[], StorageType[] targetStorageTypes,
+        ExtendedBlock b, BlockConstructionStage stage,
         final String clientname) {
       if (DataTransferProtocol.LOG.isDebugEnabled()) {
         DataTransferProtocol.LOG.debug(getClass().getSimpleName() + ": "
@@ -1644,6 +1729,7 @@ private class DataTransfer implements Runnable {
             + ", targests=" + Arrays.asList(targets));
       }
       this.targets = targets;
+      this.targetStorageTypes = targetStorageTypes;
       this.b = b;
       this.stage = stage;
       BPOfferService bpos = blockPoolManager.get(b.getBlockPoolId());
@@ -1702,7 +1788,8 @@ public void run() {
             false, false, true, DataNode.this, null, cachingStrategy);
         DatanodeInfo srcNode = new DatanodeInfo(bpReg);
 
-        new Sender(out).writeBlock(b, accessToken, clientname, targets, srcNode,
+        new Sender(out).writeBlock(b, targetStorageTypes[0], accessToken,
+            clientname, targets, targetStorageTypes, srcNode,
             stage, 0, 0, 0, 0, blockSender.getChecksum(), cachingStrategy);
 
         // send data & checksum
@@ -2403,7 +2490,8 @@ private void checkReadAccess(final ExtendedBlock block) throws IOException {
    * @param client client name
    */
   void transferReplicaForPipelineRecovery(final ExtendedBlock b,
-      final DatanodeInfo[] targets, final String client) throws IOException {
+      final DatanodeInfo[] targets, final StorageType[] targetStorageTypes,
+      final String client) throws IOException {
     final long storedGS;
     final long visible;
     final BlockConstructionStage stage;
@@ -2436,7 +2524,7 @@ void transferReplicaForPipelineRecovery(final ExtendedBlock b,
     b.setNumBytes(visible);
 
     if (targets.length > 0) {
-      new DataTransfer(targets, b, stage, client).run();
+      new DataTransfer(targets, targetStorageTypes, b, stage, client).run();
     }
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
index 7b730905156..5ef6cc7ee22 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
@@ -45,6 +45,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.hadoop.hdfs.ExtendedBlockId;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.net.Peer;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
@@ -524,9 +525,11 @@ public void readBlock(final ExtendedBlock block,
 
   @Override
   public void writeBlock(final ExtendedBlock block,
+      final StorageType storageType, 
       final Token<BlockTokenIdentifier> blockToken,
       final String clientname,
       final DatanodeInfo[] targets,
+      final StorageType[] targetStorageTypes, 
       final DatanodeInfo srcDataNode,
       final BlockConstructionStage stage,
       final int pipelineSize,
@@ -590,12 +593,13 @@ public void writeBlock(final ExtendedBlock block,
       if (isDatanode || 
           stage != BlockConstructionStage.PIPELINE_CLOSE_RECOVERY) {
         // open a block receiver
-        blockReceiver = new BlockReceiver(block, in, 
+        blockReceiver = new BlockReceiver(block, storageType, in,
             peer.getRemoteAddressString(),
             peer.getLocalAddressString(),
             stage, latestGenerationStamp, minBytesRcvd, maxBytesRcvd,
             clientname, srcDataNode, datanode, requestedChecksum,
             cachingStrategy);
+        
         storageUuid = blockReceiver.getStorageUuid();
       } else {
         storageUuid = datanode.data.recoverClose(
@@ -636,10 +640,10 @@ public void writeBlock(final ExtendedBlock block,
               HdfsConstants.SMALL_BUFFER_SIZE));
           mirrorIn = new DataInputStream(unbufMirrorIn);
 
-          new Sender(mirrorOut).writeBlock(originalBlock, blockToken,
-              clientname, targets, srcDataNode, stage, pipelineSize,
-              minBytesRcvd, maxBytesRcvd, latestGenerationStamp, requestedChecksum,
-              cachingStrategy);
+          new Sender(mirrorOut).writeBlock(originalBlock, targetStorageTypes[0],
+              blockToken, clientname, targets, targetStorageTypes, srcDataNode,
+              stage, pipelineSize, minBytesRcvd, maxBytesRcvd,
+              latestGenerationStamp, requestedChecksum, cachingStrategy);
 
           mirrorOut.flush();
 
@@ -754,7 +758,8 @@ public void writeBlock(final ExtendedBlock block,
   public void transferBlock(final ExtendedBlock blk,
       final Token<BlockTokenIdentifier> blockToken,
       final String clientName,
-      final DatanodeInfo[] targets) throws IOException {
+      final DatanodeInfo[] targets,
+      final StorageType[] targetStorageTypes) throws IOException {
     checkAccess(socketOut, true, blk, blockToken,
         Op.TRANSFER_BLOCK, BlockTokenSecretManager.AccessMode.COPY);
     previousOpClientName = clientName;
@@ -763,7 +768,8 @@ public void transferBlock(final ExtendedBlock blk,
     final DataOutputStream out = new DataOutputStream(
         getOutputStream());
     try {
-      datanode.transferReplicaForPipelineRecovery(blk, targets, clientName);
+      datanode.transferReplicaForPipelineRecovery(blk, targets,
+          targetStorageTypes, clientName);
       writeResponse(Status.SUCCESS, null, out);
     } finally {
       IOUtils.closeStream(out);
@@ -941,6 +947,7 @@ public void copyBlock(final ExtendedBlock block,
 
   @Override
   public void replaceBlock(final ExtendedBlock block,
+      final StorageType storageType, 
       final Token<BlockTokenIdentifier> blockToken,
       final String delHint,
       final DatanodeInfo proxySource) throws IOException {
@@ -1026,8 +1033,8 @@ public void replaceBlock(final ExtendedBlock block,
       DataChecksum remoteChecksum = DataTransferProtoUtil.fromProto(
           checksumInfo.getChecksum());
       // open a block receiver and check if the block does not exist
-      blockReceiver = new BlockReceiver(
-          block, proxyReply, proxySock.getRemoteSocketAddress().toString(),
+      blockReceiver = new BlockReceiver(block, storageType,
+          proxyReply, proxySock.getRemoteSocketAddress().toString(),
           proxySock.getLocalSocketAddress().toString(),
           null, 0, 0, 0, "", null, datanode, remoteChecksum,
           CachingStrategy.newDropBehind());
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java
index 8eb083a93f8..5e4f55e7339 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java
@@ -28,6 +28,7 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.BlockListAsLongs;
 import org.apache.hadoop.hdfs.protocol.BlockLocalPathInfo;
@@ -176,8 +177,8 @@ public ReplicaInputStreams getTmpInputStreams(ExtendedBlock b, long blkoff,
    * @return the meta info of the replica which is being written to
    * @throws IOException if an error occurs
    */
-  public ReplicaInPipelineInterface createTemporary(ExtendedBlock b
-      ) throws IOException;
+  public ReplicaInPipelineInterface createTemporary(StorageType storageType,
+      ExtendedBlock b) throws IOException;
 
   /**
    * Creates a RBW replica and returns the meta info of the replica
@@ -186,8 +187,8 @@ public ReplicaInPipelineInterface createTemporary(ExtendedBlock b
    * @return the meta info of the replica which is being written to
    * @throws IOException if an error occurs
    */
-  public ReplicaInPipelineInterface createRbw(ExtendedBlock b
-      ) throws IOException;
+  public ReplicaInPipelineInterface createRbw(StorageType storageType,
+      ExtendedBlock b) throws IOException;
 
   /**
    * Recovers a RBW replica and returns the meta info of the replica
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
index 40d3e81ad62..b068c664fe3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
@@ -17,6 +17,28 @@
  */
 package org.apache.hadoop.hdfs.server.datanode.fsdataset.impl;
 
+import java.io.File;
+import java.io.FileDescriptor;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.RandomAccessFile;
+import java.nio.ByteBuffer;
+import java.nio.channels.FileChannel;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.Executor;
+
+import javax.management.NotCompliantMBeanException;
+import javax.management.ObjectName;
+import javax.management.StandardMBean;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
@@ -24,12 +46,37 @@
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.StorageType;
-import org.apache.hadoop.hdfs.protocol.*;
+import org.apache.hadoop.hdfs.protocol.Block;
+import org.apache.hadoop.hdfs.protocol.BlockListAsLongs;
+import org.apache.hadoop.hdfs.protocol.BlockLocalPathInfo;
+import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
+import org.apache.hadoop.hdfs.protocol.HdfsBlocksMetadata;
+import org.apache.hadoop.hdfs.protocol.RecoveryInProgressException;
 import org.apache.hadoop.hdfs.server.common.GenerationStamp;
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.ReplicaState;
 import org.apache.hadoop.hdfs.server.common.Storage;
-import org.apache.hadoop.hdfs.server.datanode.*;
-import org.apache.hadoop.hdfs.server.datanode.fsdataset.*;
+import org.apache.hadoop.hdfs.server.datanode.BlockMetadataHeader;
+import org.apache.hadoop.hdfs.server.datanode.DataBlockScanner;
+import org.apache.hadoop.hdfs.server.datanode.DataNode;
+import org.apache.hadoop.hdfs.server.datanode.DataStorage;
+import org.apache.hadoop.hdfs.server.datanode.FinalizedReplica;
+import org.apache.hadoop.hdfs.server.datanode.Replica;
+import org.apache.hadoop.hdfs.server.datanode.ReplicaAlreadyExistsException;
+import org.apache.hadoop.hdfs.server.datanode.ReplicaBeingWritten;
+import org.apache.hadoop.hdfs.server.datanode.ReplicaInPipeline;
+import org.apache.hadoop.hdfs.server.datanode.ReplicaInfo;
+import org.apache.hadoop.hdfs.server.datanode.ReplicaNotFoundException;
+import org.apache.hadoop.hdfs.server.datanode.ReplicaUnderRecovery;
+import org.apache.hadoop.hdfs.server.datanode.ReplicaWaitingToBeRecovered;
+import org.apache.hadoop.hdfs.server.datanode.StorageLocation;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.FsDatasetSpi;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.FsVolumeSpi;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.LengthInputStream;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.ReplicaInputStreams;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.ReplicaOutputStreams;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.RollingLogs;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.RoundRobinVolumeChoosingPolicy;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.VolumeChoosingPolicy;
 import org.apache.hadoop.hdfs.server.datanode.metrics.FSDatasetMBean;
 import org.apache.hadoop.hdfs.server.protocol.BlockRecoveryCommand.RecoveringBlock;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeStorage;
@@ -43,15 +90,6 @@
 import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.util.Time;
 
-import javax.management.NotCompliantMBeanException;
-import javax.management.ObjectName;
-import javax.management.StandardMBean;
-import java.io.*;
-import java.nio.ByteBuffer;
-import java.nio.channels.FileChannel;
-import java.util.*;
-import java.util.concurrent.Executor;
-
 /**************************************************
  * FSDataset manages a set of data blocks.  Each block
  * has a unique name and an extent on disk.
@@ -736,8 +774,8 @@ private void bumpReplicaGS(ReplicaInfo replicaInfo,
   }
 
   @Override // FsDatasetSpi
-  public synchronized ReplicaInPipeline createRbw(ExtendedBlock b)
-      throws IOException {
+  public synchronized ReplicaInPipeline createRbw(StorageType storageType,
+      ExtendedBlock b) throws IOException {
     ReplicaInfo replicaInfo = volumeMap.get(b.getBlockPoolId(), 
         b.getBlockId());
     if (replicaInfo != null) {
@@ -746,7 +784,7 @@ public synchronized ReplicaInPipeline createRbw(ExtendedBlock b)
       " and thus cannot be created.");
     }
     // create a new block
-    FsVolumeImpl v = volumes.getNextVolume(b.getNumBytes());
+    FsVolumeImpl v = volumes.getNextVolume(storageType, b.getNumBytes());
     // create a rbw file to hold block in the designated volume
     File f = v.createRbwFile(b.getBlockPoolId(), b.getLocalBlock());
     ReplicaBeingWritten newReplicaInfo = new ReplicaBeingWritten(b.getBlockId(), 
@@ -874,8 +912,8 @@ public synchronized ReplicaInPipeline convertTemporaryToRbw(
   }
 
   @Override // FsDatasetSpi
-  public synchronized ReplicaInPipeline createTemporary(ExtendedBlock b)
-      throws IOException {
+  public synchronized ReplicaInPipeline createTemporary(StorageType storageType,
+      ExtendedBlock b) throws IOException {
     ReplicaInfo replicaInfo = volumeMap.get(b.getBlockPoolId(), b.getBlockId());
     if (replicaInfo != null) {
       throw new ReplicaAlreadyExistsException("Block " + b +
@@ -883,7 +921,7 @@ public synchronized ReplicaInPipeline createTemporary(ExtendedBlock b)
           " and thus cannot be created.");
     }
     
-    FsVolumeImpl v = volumes.getNextVolume(b.getNumBytes());
+    FsVolumeImpl v = volumes.getNextVolume(storageType, b.getNumBytes());
     // create a temporary file to hold block in the designated volume
     File f = v.createTmpFile(b.getBlockPoolId(), b.getLocalBlock());
     ReplicaInPipeline newReplicaInfo = new ReplicaInPipeline(b.getBlockId(), 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java
index 76b3ee8ba9a..59a5c9021cd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java
@@ -18,13 +18,17 @@
 package org.apache.hadoop.hdfs.server.datanode.fsdataset.impl;
 
 import java.io.IOException;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.FsVolumeSpi;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.VolumeChoosingPolicy;
-import org.apache.hadoop.util.Time;
 import org.apache.hadoop.util.DiskChecker.DiskErrorException;
+import org.apache.hadoop.util.Time;
 
 class FsVolumeList {
   /**
@@ -52,11 +56,18 @@ int numberOfFailedVolumes() {
    * by a single thread and next volume is chosen with no concurrent
    * update to {@link #volumes}.
    * @param blockSize free space needed on the volume
+   * @param storageType the desired {@link StorageType} 
    * @return next volume to store the block in.
    */
-  // TODO should choose volume with storage type
-  synchronized FsVolumeImpl getNextVolume(long blockSize) throws IOException {
-    return blockChooser.chooseVolume(volumes, blockSize);
+  synchronized FsVolumeImpl getNextVolume(StorageType storageType,
+      long blockSize) throws IOException {
+    final List<FsVolumeImpl> list = new ArrayList<FsVolumeImpl>(volumes.size());
+    for(FsVolumeImpl v : volumes) {
+      if (v.getStorageType() == storageType) {
+        list.add(v);
+      }
+    }
+    return blockChooser.chooseVolume(list, blockSize);
   }
     
   long getDfsUsed() throws IOException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 9b7cb199583..9807c4f5b8e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -86,6 +86,9 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_REPLICATION_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_REPLICATION_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_RANDOMIZE_BLOCK_LOCATIONS_PER_BLOCK;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_RANDOMIZE_BLOCK_LOCATIONS_PER_BLOCK_DEFAULT;
+
 import static org.apache.hadoop.util.Time.now;
 
 import java.io.BufferedWriter;
@@ -549,6 +552,8 @@ private void logAuditEvent(boolean succeeded,
 
   private final FSImage fsImage;
 
+  private boolean randomizeBlockLocationsPerBlock;
+
   /**
    * Notify that loading of this FSDirectory is complete, and
    * it is imageLoaded for use
@@ -861,6 +866,10 @@ static FSNamesystem loadFromDisk(Configuration conf) throws IOException {
       alwaysUseDelegationTokensForTests = conf.getBoolean(
           DFS_NAMENODE_DELEGATION_TOKEN_ALWAYS_USE_KEY,
           DFS_NAMENODE_DELEGATION_TOKEN_ALWAYS_USE_DEFAULT);
+      
+      this.randomizeBlockLocationsPerBlock = conf.getBoolean(
+          DFS_NAMENODE_RANDOMIZE_BLOCK_LOCATIONS_PER_BLOCK,
+          DFS_NAMENODE_RANDOMIZE_BLOCK_LOCATIONS_PER_BLOCK_DEFAULT);
 
       this.dtSecretManager = createDelegationTokenSecretManager(conf);
       this.dir = new FSDirectory(this, conf);
@@ -1761,17 +1770,17 @@ LocatedBlocks getBlockLocations(String clientMachine, String src,
     LocatedBlocks blocks = getBlockLocations(src, offset, length, true, true,
         true);
     if (blocks != null) {
-      blockManager.getDatanodeManager().sortLocatedBlocks(
-          clientMachine, blocks.getLocatedBlocks());
-      
+      blockManager.getDatanodeManager().sortLocatedBlocks(clientMachine,
+          blocks.getLocatedBlocks(), randomizeBlockLocationsPerBlock);
+
       // lastBlock is not part of getLocatedBlocks(), might need to sort it too
       LocatedBlock lastBlock = blocks.getLastLocatedBlock();
       if (lastBlock != null) {
         ArrayList<LocatedBlock> lastBlockList =
             Lists.newArrayListWithCapacity(1);
         lastBlockList.add(lastBlock);
-        blockManager.getDatanodeManager().sortLocatedBlocks(
-                              clientMachine, lastBlockList);
+        blockManager.getDatanodeManager().sortLocatedBlocks(clientMachine,
+            lastBlockList, randomizeBlockLocationsPerBlock);
       }
     }
     return blocks;
@@ -2580,11 +2589,13 @@ private void startFileInternal(FSPermissionChecker pc, String src,
       // Path is within an EZ and we have provided encryption parameters.
       // Make sure that the generated EDEK matches the settings of the EZ.
       String ezKeyName = dir.getKeyName(iip);
-      if (!ezKeyName.equals(edek.getKeyName())) {
+      if (!ezKeyName.equals(edek.getEncryptionKeyName())) {
         throw new RetryStartFileException();
       }
-      feInfo = new FileEncryptionInfo(suite, edek.getEncryptedKey()
-          .getMaterial(), edek.getIv(), edek.getKeyVersionName());
+      feInfo = new FileEncryptionInfo(suite,
+          edek.getEncryptedKeyVersion().getMaterial(),
+          edek.getEncryptedKeyIv(),
+          edek.getEncryptionKeyVersionName());
       Preconditions.checkNotNull(feInfo);
     }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/BlockCommand.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/BlockCommand.java
index 1798d664f93..f17d702f483 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/BlockCommand.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/BlockCommand.java
@@ -21,6 +21,7 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeDescriptor.BlockTargetPair;
@@ -50,6 +51,7 @@ public class BlockCommand extends DatanodeCommand {
   final String poolId;
   final Block[] blocks;
   final DatanodeInfo[][] targets;
+  final StorageType[][] targetStorageTypes;
   final String[][] targetStorageIDs;
 
   /**
@@ -62,17 +64,20 @@ public BlockCommand(int action, String poolId,
     this.poolId = poolId;
     blocks = new Block[blocktargetlist.size()]; 
     targets = new DatanodeInfo[blocks.length][];
+    targetStorageTypes = new StorageType[blocks.length][];
     targetStorageIDs = new String[blocks.length][];
 
     for(int i = 0; i < blocks.length; i++) {
       BlockTargetPair p = blocktargetlist.get(i);
       blocks[i] = p.block;
       targets[i] = DatanodeStorageInfo.toDatanodeInfos(p.targets);
+      targetStorageTypes[i] = DatanodeStorageInfo.toStorageTypes(p.targets);
       targetStorageIDs[i] = DatanodeStorageInfo.toStorageIDs(p.targets);
     }
   }
 
   private static final DatanodeInfo[][] EMPTY_TARGET_DATANODES = {};
+  private static final StorageType[][] EMPTY_TARGET_STORAGE_TYPES = {};
   private static final String[][] EMPTY_TARGET_STORAGEIDS = {};
 
   /**
@@ -81,7 +86,7 @@ public BlockCommand(int action, String poolId,
    */
   public BlockCommand(int action, String poolId, Block blocks[]) {
     this(action, poolId, blocks, EMPTY_TARGET_DATANODES,
-        EMPTY_TARGET_STORAGEIDS);
+        EMPTY_TARGET_STORAGE_TYPES, EMPTY_TARGET_STORAGEIDS);
   }
 
   /**
@@ -89,11 +94,13 @@ public BlockCommand(int action, String poolId, Block blocks[]) {
    * @param blocks blocks related to the action
    */
   public BlockCommand(int action, String poolId, Block[] blocks,
-      DatanodeInfo[][] targets, String[][] targetStorageIDs) {
+      DatanodeInfo[][] targets, StorageType[][] targetStorageTypes,
+      String[][] targetStorageIDs) {
     super(action);
     this.poolId = poolId;
     this.blocks = blocks;
     this.targets = targets;
+    this.targetStorageTypes = targetStorageTypes;
     this.targetStorageIDs = targetStorageIDs;
   }
   
@@ -109,6 +116,10 @@ public DatanodeInfo[][] getTargets() {
     return targets;
   }
 
+  public StorageType[][] getTargetStorageTypes() {
+    return targetStorageTypes;
+  }
+
   public String[][] getTargetStorageIDs() {
     return targetStorageIDs;
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/DFSZKFailoverController.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/DFSZKFailoverController.java
index 8b7a9956c61..a42b1e31895 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/DFSZKFailoverController.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/DFSZKFailoverController.java
@@ -122,6 +122,11 @@ public static DFSZKFailoverController create(Configuration conf) {
           "HA is not enabled for this namenode.");
     }
     String nnId = HAUtil.getNameNodeId(localNNConf, nsId);
+    if (nnId == null) {
+      String msg = "Could not get the namenode ID of this node. " +
+          "You may run zkfc on the node other than namenode.";
+      throw new HadoopIllegalArgumentException(msg);
+    }
     NameNode.initializeGenericKeys(localNNConf, nsId, nnId);
     DFSUtil.setGenericConf(localNNConf, nsId, nnId, ZKFC_CONF_KEYS);
     
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/DatanodeProtocol.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/DatanodeProtocol.proto
index d6cc3d37777..2afcf057f70 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/DatanodeProtocol.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/DatanodeProtocol.proto
@@ -113,6 +113,7 @@ message BlockCommandProto {
   repeated BlockProto blocks = 3;
   repeated DatanodeInfosProto targets = 4;
   repeated StorageUuidsProto targetStorageUuids = 5;
+  repeated StorageTypesProto targetStorageTypes = 6;
 }
 
 /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
index d9147138948..9b4ba339d23 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
@@ -107,17 +107,21 @@ message OpWriteBlockProto {
    */
   required ChecksumProto requestedChecksum = 9;
   optional CachingStrategyProto cachingStrategy = 10;
+  optional StorageTypeProto storageType = 11 [default = DISK];
+  repeated StorageTypeProto targetStorageTypes = 12;
 }
   
 message OpTransferBlockProto {
   required ClientOperationHeaderProto header = 1;
   repeated DatanodeInfoProto targets = 2;
+  repeated StorageTypeProto targetStorageTypes = 3;
 }
 
 message OpReplaceBlockProto {
   required BaseHeaderProto header = 1;
   required string delHint = 2;
   required DatanodeInfoProto source = 3;
+  optional StorageTypeProto storageType = 4 [default = DISK];
 }
 
 message OpCopyBlockProto {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
index da53be1006e..2557b48ed30 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
@@ -136,6 +136,13 @@ enum StorageTypeProto {
   SSD = 2;
 }
 
+/**
+ * A list of storage types. 
+ */
+message StorageTypesProto {
+  repeated StorageTypeProto storageTypes = 1;
+}
+
 /**
  * A list of storage IDs. 
  */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
index f80b9f85e51..fea88166c24 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
@@ -2039,4 +2039,17 @@
   </description>
 </property>
 
+<property>
+  <name>dfs.namenode.randomize-block-locations-per-block</name>
+  <value>false</value>
+  <description>When fetching replica locations of a block, the replicas
+   are sorted based on network distance. This configuration parameter
+   determines whether the replicas at the same network distance are randomly
+   shuffled. By default, this is false, such that repeated requests for a block's
+   replicas always result in the same order. This potentially improves page cache
+   behavior. However, for some network topologies, it is desirable to shuffle this
+   order for better load balancing.
+  </description>
+</property>
+
 </configuration>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HDFSHighAvailabilityWithQJM.apt.vm b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HDFSHighAvailabilityWithQJM.apt.vm
index 3a34dffb682..ff6a42c2592 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HDFSHighAvailabilityWithQJM.apt.vm
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HDFSHighAvailabilityWithQJM.apt.vm
@@ -416,8 +416,8 @@ HDFS High Availability Using the Quorum Journal Manager
 
   After all of the necessary configuration options have been set, you must
   start the JournalNode daemons on the set of machines where they will run. This
-  can be done by running the command "<hdfs-daemon.sh journalnode>" and waiting
-  for the daemon to start on each of the relevant machines.
+  can be done by running the command "<hadoop-daemon.sh start journalnode>" and
+  waiting for the daemon to start on each of the relevant machines.
 
   Once the JournalNodes have been started, one must initially synchronize the
   two HA NameNodes' on-disk metadata.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsMultihoming.apt.vm b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsMultihoming.apt.vm
new file mode 100644
index 00000000000..2be45671e28
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsMultihoming.apt.vm
@@ -0,0 +1,145 @@
+~~ Licensed under the Apache License, Version 2.0 (the "License");
+~~ you may not use this file except in compliance with the License.
+~~ You may obtain a copy of the License at
+~~
+~~   http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing, software
+~~ distributed under the License is distributed on an "AS IS" BASIS,
+~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+~~ See the License for the specific language governing permissions and
+~~ limitations under the License. See accompanying LICENSE file.
+
+  ---
+  Hadoop Distributed File System-${project.version} - Support for Multi-Homed Networks
+  ---
+  ---
+  ${maven.build.timestamp}
+
+HDFS Support for Multihomed Networks
+
+  This document is targetted to cluster administrators deploying <<<HDFS>>> in
+  multihomed networks. Similar support for <<<YARN>>>/<<<MapReduce>>> is
+  work in progress and will be documented when available.
+
+%{toc|section=1|fromDepth=0}
+
+* Multihoming Background
+
+  In multihomed networks the cluster nodes are connected to more than one
+  network interface. There could be multiple reasons for doing so.
+
+  [[1]] <<Security>>: Security requirements may dictate that intra-cluster
+  traffic be confined to a different network than the network used to
+  transfer data in and out of the cluster.
+
+  [[2]] <<Performance>>: Intra-cluster traffic may use one or more high bandwidth
+  interconnects like Fiber Channel, Infiniband or 10GbE.
+
+  [[3]] <<Failover/Redundancy>>: The nodes may have multiple network adapters
+  connected to a single network to handle network adapter failure.
+
+
+  Note that NIC Bonding (also known as NIC Teaming or Link
+  Aggregation) is a related but separate topic. The following settings
+  are usually not applicable to a NIC bonding configuration which handles
+  multiplexing and failover transparently while presenting a single 'logical
+  network' to applications.
+
+* Fixing Hadoop Issues In Multihomed Environments
+
+** Ensuring HDFS Daemons Bind All Interfaces
+
+  By default <<<HDFS>>> endpoints are specified as either hostnames or IP addresses.
+  In either case <<<HDFS>>> daemons will bind to a single IP address making
+  the daemons unreachable from other networks.
+
+  The solution is to have separate setting for server endpoints to force binding
+  the wildcard IP address <<<INADDR_ANY>>> i.e. <<<0.0.0.0>>>. Do NOT supply a port
+  number with any of these settings.
+
+----
+<property>
+  <name>dfs.namenode.rpc-bind-host</name>
+  <value>0.0.0.0</value>
+  <description>
+    The actual address the RPC server will bind to. If this optional address is
+    set, it overrides only the hostname portion of dfs.namenode.rpc-address.
+    It can also be specified per name node or name service for HA/Federation.
+    This is useful for making the name node listen on all interfaces by
+    setting it to 0.0.0.0.
+  </description>
+</property>
+
+<property>
+  <name>dfs.namenode.servicerpc-bind-host</name>
+  <value>0.0.0.0</value>
+  <description>
+    The actual address the service RPC server will bind to. If this optional address is
+    set, it overrides only the hostname portion of dfs.namenode.servicerpc-address.
+    It can also be specified per name node or name service for HA/Federation.
+    This is useful for making the name node listen on all interfaces by
+    setting it to 0.0.0.0.
+  </description>
+</property>
+
+<property>
+  <name>dfs.namenode.http-bind-host</name>
+  <value>0.0.0.0</value>
+  <description>
+    The actual adress the HTTP server will bind to. If this optional address
+    is set, it overrides only the hostname portion of dfs.namenode.http-address.
+    It can also be specified per name node or name service for HA/Federation.
+    This is useful for making the name node HTTP server listen on all
+    interfaces by setting it to 0.0.0.0.
+  </description>
+</property>
+
+<property>
+  <name>dfs.namenode.https-bind-host</name>
+  <value>0.0.0.0</value>
+  <description>
+    The actual adress the HTTPS server will bind to. If this optional address
+    is set, it overrides only the hostname portion of dfs.namenode.https-address.
+    It can also be specified per name node or name service for HA/Federation.
+    This is useful for making the name node HTTPS server listen on all
+    interfaces by setting it to 0.0.0.0.
+  </description>
+</property>
+----
+
+** Clients use Hostnames when connecting to DataNodes
+
+  By default <<<HDFS>>> clients connect to DataNodes using the IP address
+  provided by the NameNode. Depending on the network configuration this
+  IP address may be unreachable by the clients. The fix is letting clients perform
+  their own DNS resolution of the DataNode hostname. The following setting
+  enables this behavior.
+
+----
+<property>
+  <name>dfs.client.use.datanode.hostname</name>
+  <value>true</value>
+  <description>Whether clients should use datanode hostnames when
+    connecting to datanodes.
+  </description>
+</property>
+----
+
+** DataNodes use HostNames when connecting to other DataNodes
+
+  Rarely, the NameNode-resolved IP address for a DataNode may be unreachable
+  from other DataNodes. The fix is to force DataNodes to perform their own
+  DNS resolution for inter-DataNode connections. The following setting enables
+  this behavior.
+
+----
+<property>
+  <name>dfs.datanode.use.datanode.hostname</name>
+  <value>true</value>
+  <description>Whether datanodes should use datanode hostnames when
+    connecting to other datanodes for data transfer.
+  </description>
+</property>
+----
+
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
index bebb946d27c..949713e6f44 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
@@ -380,7 +380,7 @@ public static boolean allBlockReplicasCorrupt(MiniDFSCluster cluster,
    */
   public static void waitForReplication(MiniDFSCluster cluster, ExtendedBlock b,
       int racks, int replicas, int neededReplicas)
-      throws IOException, TimeoutException, InterruptedException {
+      throws TimeoutException, InterruptedException {
     int curRacks = 0;
     int curReplicas = 0;
     int curNeededReplicas = 0;
@@ -414,7 +414,7 @@ public static void waitForReplication(MiniDFSCluster cluster, ExtendedBlock b,
    */
   public static void waitCorruptReplicas(FileSystem fs, FSNamesystem ns,
       Path file, ExtendedBlock b, int corruptRepls)
-      throws IOException, TimeoutException, InterruptedException {
+      throws TimeoutException, InterruptedException {
     int count = 0;
     final int ATTEMPTS = 50;
     int repls = ns.getBlockManager().numCorruptReplicas(b.getLocalBlock());
@@ -839,7 +839,8 @@ public static BlockOpResponseProto transferRbw(final ExtendedBlock b,
 
     // send the request
     new Sender(out).transferBlock(b, new Token<BlockTokenIdentifier>(),
-        dfsClient.clientName, new DatanodeInfo[]{datanodes[1]});
+        dfsClient.clientName, new DatanodeInfo[]{datanodes[1]},
+        new StorageType[]{StorageType.DEFAULT});
     out.flush();
 
     return BlockOpResponseProto.parseDelimitedFrom(in);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDataTransferProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDataTransferProtocol.java
index 244603eac62..bcb68e9ce71 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDataTransferProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDataTransferProtocol.java
@@ -125,17 +125,16 @@ private void sendRecvData(String testDescription,
         throw eof;
       }
 
-      LOG.info("Received: " +new String(retBuf));
-      LOG.info("Expected: " + StringUtils.byteToHexString(recvBuf.toByteArray()));
+      String received = StringUtils.byteToHexString(retBuf);
+      String expected = StringUtils.byteToHexString(recvBuf.toByteArray());
+      LOG.info("Received: " + received);
+      LOG.info("Expected: " + expected);
       
       if (eofExpected) {
         throw new IOException("Did not recieve IOException when an exception " +
                               "is expected while reading from " + datanode); 
       }
-      
-      byte[] needed = recvBuf.toByteArray();
-      assertEquals(StringUtils.byteToHexString(needed),
-          StringUtils.byteToHexString(retBuf));
+      assertEquals(expected, received);
     } finally {
       IOUtils.closeSocket(sock);
     }
@@ -184,10 +183,7 @@ private void testWrite(ExtendedBlock block, BlockConstructionStage stage, long n
       String description, Boolean eofExcepted) throws IOException {
     sendBuf.reset();
     recvBuf.reset();
-    sender.writeBlock(block, BlockTokenSecretManager.DUMMY_TOKEN, "cl",
-        new DatanodeInfo[1], null, stage,
-        0, block.getNumBytes(), block.getNumBytes(), newGS,
-        DEFAULT_CHECKSUM, CachingStrategy.newDefaultStrategy());
+    writeBlock(block, stage, newGS, DEFAULT_CHECKSUM);
     if (eofExcepted) {
       sendResponse(Status.ERROR, null, null, recvOut);
       sendRecvData(description, true);
@@ -343,10 +339,7 @@ public void testDataTransferProtocol() throws IOException {
     MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).numDataNodes(numDataNodes).build();
     try {
     cluster.waitActive();
-    DFSClient dfsClient = new DFSClient(
-                 new InetSocketAddress("localhost", cluster.getNameNodePort()),
-                 conf);                
-    datanode = dfsClient.datanodeReport(DatanodeReportType.LIVE)[0];
+    datanode = cluster.getFileSystem().getDataNodeStats(DatanodeReportType.LIVE)[0];
     dnAddr = NetUtils.createSocketAddr(datanode.getXferAddr());
     FileSystem fileSys = cluster.getFileSystem();
     
@@ -381,23 +374,14 @@ public void testDataTransferProtocol() throws IOException {
     DataChecksum badChecksum = Mockito.spy(DEFAULT_CHECKSUM);
     Mockito.doReturn(-1).when(badChecksum).getBytesPerChecksum();
 
-    sender.writeBlock(new ExtendedBlock(poolId, newBlockId),
-        BlockTokenSecretManager.DUMMY_TOKEN, "cl",
-        new DatanodeInfo[1], null,
-        BlockConstructionStage.PIPELINE_SETUP_CREATE,
-        0, 0L, 0L, 0L,
-        badChecksum, CachingStrategy.newDefaultStrategy());
+    writeBlock(poolId, newBlockId, badChecksum);
     recvBuf.reset();
     sendResponse(Status.ERROR, null, null, recvOut);
     sendRecvData("wrong bytesPerChecksum while writing", true);
 
     sendBuf.reset();
     recvBuf.reset();
-    sender.writeBlock(new ExtendedBlock(poolId, ++newBlockId),
-        BlockTokenSecretManager.DUMMY_TOKEN, "cl",
-        new DatanodeInfo[1], null,
-        BlockConstructionStage.PIPELINE_SETUP_CREATE, 0, 0L, 0L, 0L,
-        DEFAULT_CHECKSUM, CachingStrategy.newDefaultStrategy());
+    writeBlock(poolId, ++newBlockId, DEFAULT_CHECKSUM);
 
     PacketHeader hdr = new PacketHeader(
       4,     // size of packet
@@ -416,11 +400,7 @@ public void testDataTransferProtocol() throws IOException {
     // test for writing a valid zero size block
     sendBuf.reset();
     recvBuf.reset();
-    sender.writeBlock(new ExtendedBlock(poolId, ++newBlockId),
-        BlockTokenSecretManager.DUMMY_TOKEN, "cl",
-        new DatanodeInfo[1], null,
-        BlockConstructionStage.PIPELINE_SETUP_CREATE, 0, 0L, 0L, 0L,
-        DEFAULT_CHECKSUM, CachingStrategy.newDefaultStrategy());
+    writeBlock(poolId, ++newBlockId, DEFAULT_CHECKSUM);
 
     hdr = new PacketHeader(
       8,     // size of packet
@@ -532,4 +512,18 @@ public void testPacketHeader() throws IOException {
     assertTrue(hdr.sanityCheck(99));
     assertFalse(hdr.sanityCheck(100));
   }
+
+  void writeBlock(String poolId, long blockId, DataChecksum checksum) throws IOException {
+    writeBlock(new ExtendedBlock(poolId, blockId),
+        BlockConstructionStage.PIPELINE_SETUP_CREATE, 0L, checksum);
+  }
+
+  void writeBlock(ExtendedBlock block, BlockConstructionStage stage,
+      long newGS, DataChecksum checksum) throws IOException {
+    sender.writeBlock(block, StorageType.DEFAULT,
+        BlockTokenSecretManager.DUMMY_TOKEN, "cl",
+        new DatanodeInfo[1], new StorageType[1], null, stage,
+        0, block.getNumBytes(), block.getNumBytes(), newGS,
+        checksum, CachingStrategy.newDefaultStrategy());
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java
index e527439bc28..6c8547ebf8d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java
@@ -550,8 +550,10 @@ public void testConvertBlockCommand() {
     dnInfos[1][0] = DFSTestUtil.getLocalDatanodeInfo();
     dnInfos[1][1] = DFSTestUtil.getLocalDatanodeInfo();
     String[][] storageIDs = {{"s00"}, {"s10", "s11"}};
+    StorageType[][] storageTypes = {{StorageType.DEFAULT},
+        {StorageType.DEFAULT, StorageType.DEFAULT}};
     BlockCommand bc = new BlockCommand(DatanodeProtocol.DNA_TRANSFER, "bp1",
-        blocks, dnInfos, storageIDs);
+        blocks, dnInfos, storageTypes, storageIDs);
     BlockCommandProto bcProto = PBHelper.convert(bc);
     BlockCommand bc2 = PBHelper.convert(bcProto);
     assertEquals(bc.getAction(), bc2.getAction());
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/BlockReportTestBase.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/BlockReportTestBase.java
index d2f58a877eb..9ea6c5186a1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/BlockReportTestBase.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/BlockReportTestBase.java
@@ -43,6 +43,7 @@
 import org.apache.hadoop.hdfs.DFSTestUtil;
 import org.apache.hadoop.hdfs.DistributedFileSystem;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.BlockListAsLongs;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
@@ -324,7 +325,7 @@ public void blockReport_02() throws IOException {
   public void blockReport_03() throws IOException {
     final String METHOD_NAME = GenericTestUtils.getMethodName();
     Path filePath = new Path("/" + METHOD_NAME + ".dat");
-    ArrayList<Block> blocks = writeFile(METHOD_NAME, FILE_SIZE, filePath);
+    writeFile(METHOD_NAME, FILE_SIZE, filePath);
 
     // all blocks belong to the same file, hence same BP
     DataNode dn = cluster.getDataNodes().get(DN_N0);
@@ -363,7 +364,7 @@ public void blockReport_04() throws IOException {
     // Create a bogus new block which will not be present on the namenode.
     ExtendedBlock b = new ExtendedBlock(
         poolId, rand.nextLong(), 1024L, rand.nextLong());
-    dn.getFSDataset().createRbw(b);
+    dn.getFSDataset().createRbw(StorageType.DEFAULT, b);
 
     DatanodeRegistration dnR = dn.getDNRegistrationForBP(poolId);
     StorageBlockReport[] reports = getBlockReports(dn, poolId, false, false);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java
index baf046af847..e3db5350029 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java
@@ -744,14 +744,14 @@ public synchronized ReplicaInPipelineInterface recoverRbw(ExtendedBlock b,
   }
 
   @Override // FsDatasetSpi
-  public synchronized ReplicaInPipelineInterface createRbw(ExtendedBlock b) 
-  throws IOException {
-    return createTemporary(b);
+  public synchronized ReplicaInPipelineInterface createRbw(
+      StorageType storageType, ExtendedBlock b) throws IOException {
+    return createTemporary(storageType, b);
   }
 
   @Override // FsDatasetSpi
-  public synchronized ReplicaInPipelineInterface createTemporary(ExtendedBlock b)
-      throws IOException {
+  public synchronized ReplicaInPipelineInterface createTemporary(
+      StorageType storageType, ExtendedBlock b) throws IOException {
     if (isValidBlock(b)) {
           throw new ReplicaAlreadyExistsException("Block " + b + 
               " is valid, and cannot be written to.");
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockRecovery.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockRecovery.java
index 4ff942b1f8e..a3622a465ad 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockRecovery.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockRecovery.java
@@ -57,6 +57,7 @@
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.hdfs.MiniDFSNNTopology;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
@@ -531,7 +532,7 @@ public void testNoReplicaUnderRecovery() throws IOException {
     if(LOG.isDebugEnabled()) {
       LOG.debug("Running " + GenericTestUtils.getMethodName());
     }
-    dn.data.createRbw(block);
+    dn.data.createRbw(StorageType.DEFAULT, block);
     try {
       dn.syncBlock(rBlock, initBlockRecords(dn));
       fail("Sync should fail");
@@ -554,7 +555,8 @@ public void testNotMatchedReplicaID() throws IOException {
     if(LOG.isDebugEnabled()) {
       LOG.debug("Running " + GenericTestUtils.getMethodName());
     }
-    ReplicaInPipelineInterface replicaInfo = dn.data.createRbw(block);
+    ReplicaInPipelineInterface replicaInfo = dn.data.createRbw(
+        StorageType.DEFAULT, block);
     ReplicaOutputStreams streams = null;
     try {
       streams = replicaInfo.createStreams(true,
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
index 02faa595e4c..478b6d1546b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
@@ -42,6 +42,7 @@
 import org.apache.hadoop.hdfs.DFSTestUtil;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
@@ -264,7 +265,8 @@ private boolean replaceBlock( ExtendedBlock block, DatanodeInfo source,
     sock.setKeepAlive(true);
     // sendRequest
     DataOutputStream out = new DataOutputStream(sock.getOutputStream());
-    new Sender(out).replaceBlock(block, BlockTokenSecretManager.DUMMY_TOKEN,
+    new Sender(out).replaceBlock(block, StorageType.DEFAULT,
+        BlockTokenSecretManager.DUMMY_TOKEN,
         source.getDatanodeUuid(), sourceProxy);
     out.flush();
     // receiveResponse
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDiskError.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDiskError.java
index f75bf2465ff..798b7b7c705 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDiskError.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDiskError.java
@@ -35,6 +35,7 @@
 import org.apache.hadoop.hdfs.DFSTestUtil;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.LocatedBlock;
 import org.apache.hadoop.hdfs.protocol.LocatedBlocks;
@@ -147,9 +148,9 @@ public void testReplicationError() throws Exception {
 
     DataChecksum checksum = DataChecksum.newDataChecksum(
         DataChecksum.Type.CRC32, 512);
-    new Sender(out).writeBlock(block.getBlock(),
+    new Sender(out).writeBlock(block.getBlock(), StorageType.DEFAULT,
         BlockTokenSecretManager.DUMMY_TOKEN, "",
-        new DatanodeInfo[0], null,
+        new DatanodeInfo[0], new StorageType[0], null,
         BlockConstructionStage.PIPELINE_SETUP_CREATE, 1, 0L, 0L, 0L,
         checksum, CachingStrategy.newDefaultStrategy());
     out.flush();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestSimulatedFSDataset.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestSimulatedFSDataset.java
index d03e5ea0252..bd6c3de2266 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestSimulatedFSDataset.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestSimulatedFSDataset.java
@@ -29,6 +29,7 @@
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.BlockListAsLongs;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
@@ -65,7 +66,8 @@ int addSomeBlocks(SimulatedFSDataset fsdataset, int startingBlockId)
       ExtendedBlock b = new ExtendedBlock(bpid, i, 0, 0); 
       // we pass expected len as zero, - fsdataset should use the sizeof actual
       // data written
-      ReplicaInPipelineInterface bInfo = fsdataset.createRbw(b);
+      ReplicaInPipelineInterface bInfo = fsdataset.createRbw(
+          StorageType.DEFAULT, b);
       ReplicaOutputStreams out = bInfo.createStreams(true,
           DataChecksum.newDataChecksum(DataChecksum.Type.CRC32, 512));
       try {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestWriteToReplica.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestWriteToReplica.java
index dfefc1e8437..b8246c31913 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestWriteToReplica.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestWriteToReplica.java
@@ -21,6 +21,7 @@
 
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.server.datanode.DataNode;
 import org.apache.hadoop.hdfs.server.datanode.DataNodeTestUtils;
@@ -147,7 +148,7 @@ private ExtendedBlock[] setup(String bpid, FsDatasetImpl dataSet) throws IOExcep
     };
     
     ReplicaMap replicasMap = dataSet.volumeMap;
-    FsVolumeImpl vol = dataSet.volumes.getNextVolume(0);
+    FsVolumeImpl vol = dataSet.volumes.getNextVolume(StorageType.DEFAULT, 0);
     ReplicaInfo replicaInfo = new FinalizedReplica(
         blocks[FINALIZED].getLocalBlock(), vol, vol.getCurrentDir().getParentFile());
     replicasMap.add(bpid, replicaInfo);
@@ -357,7 +358,7 @@ private void testWriteToRbw(FsDatasetImpl dataSet, ExtendedBlock[] blocks) throw
     }
  
     try {
-      dataSet.createRbw(blocks[FINALIZED]);
+      dataSet.createRbw(StorageType.DEFAULT, blocks[FINALIZED]);
       Assert.fail("Should not have created a replica that's already " +
       		"finalized " + blocks[FINALIZED]);
     } catch (ReplicaAlreadyExistsException e) {
@@ -375,7 +376,7 @@ private void testWriteToRbw(FsDatasetImpl dataSet, ExtendedBlock[] blocks) throw
     }
 
     try {
-      dataSet.createRbw(blocks[TEMPORARY]);
+      dataSet.createRbw(StorageType.DEFAULT, blocks[TEMPORARY]);
       Assert.fail("Should not have created a replica that had created as " +
       		"temporary " + blocks[TEMPORARY]);
     } catch (ReplicaAlreadyExistsException e) {
@@ -385,7 +386,7 @@ private void testWriteToRbw(FsDatasetImpl dataSet, ExtendedBlock[] blocks) throw
         0L, blocks[RBW].getNumBytes());  // expect to be successful
     
     try {
-      dataSet.createRbw(blocks[RBW]);
+      dataSet.createRbw(StorageType.DEFAULT, blocks[RBW]);
       Assert.fail("Should not have created a replica that had created as RBW " +
           blocks[RBW]);
     } catch (ReplicaAlreadyExistsException e) {
@@ -401,7 +402,7 @@ private void testWriteToRbw(FsDatasetImpl dataSet, ExtendedBlock[] blocks) throw
     }
 
     try {
-      dataSet.createRbw(blocks[RWR]);
+      dataSet.createRbw(StorageType.DEFAULT, blocks[RWR]);
       Assert.fail("Should not have created a replica that was waiting to be " +
       		"recovered " + blocks[RWR]);
     } catch (ReplicaAlreadyExistsException e) {
@@ -417,7 +418,7 @@ private void testWriteToRbw(FsDatasetImpl dataSet, ExtendedBlock[] blocks) throw
     }
 
     try {
-      dataSet.createRbw(blocks[RUR]);
+      dataSet.createRbw(StorageType.DEFAULT, blocks[RUR]);
       Assert.fail("Should not have created a replica that was under recovery " +
           blocks[RUR]);
     } catch (ReplicaAlreadyExistsException e) {
@@ -434,45 +435,45 @@ private void testWriteToRbw(FsDatasetImpl dataSet, ExtendedBlock[] blocks) throw
           e.getMessage().contains(ReplicaNotFoundException.NON_EXISTENT_REPLICA));
     }
     
-    dataSet.createRbw(blocks[NON_EXISTENT]);
+    dataSet.createRbw(StorageType.DEFAULT, blocks[NON_EXISTENT]);
   }
   
   private void testWriteToTemporary(FsDatasetImpl dataSet, ExtendedBlock[] blocks) throws IOException {
     try {
-      dataSet.createTemporary(blocks[FINALIZED]);
+      dataSet.createTemporary(StorageType.DEFAULT, blocks[FINALIZED]);
       Assert.fail("Should not have created a temporary replica that was " +
       		"finalized " + blocks[FINALIZED]);
     } catch (ReplicaAlreadyExistsException e) {
     }
  
     try {
-      dataSet.createTemporary(blocks[TEMPORARY]);
+      dataSet.createTemporary(StorageType.DEFAULT, blocks[TEMPORARY]);
       Assert.fail("Should not have created a replica that had created as" +
       		"temporary " + blocks[TEMPORARY]);
     } catch (ReplicaAlreadyExistsException e) {
     }
     
     try {
-      dataSet.createTemporary(blocks[RBW]);
+      dataSet.createTemporary(StorageType.DEFAULT, blocks[RBW]);
       Assert.fail("Should not have created a replica that had created as RBW " +
           blocks[RBW]);
     } catch (ReplicaAlreadyExistsException e) {
     }
     
     try {
-      dataSet.createTemporary(blocks[RWR]);
+      dataSet.createTemporary(StorageType.DEFAULT, blocks[RWR]);
       Assert.fail("Should not have created a replica that was waiting to be " +
       		"recovered " + blocks[RWR]);
     } catch (ReplicaAlreadyExistsException e) {
     }
     
     try {
-      dataSet.createTemporary(blocks[RUR]);
+      dataSet.createTemporary(StorageType.DEFAULT, blocks[RUR]);
       Assert.fail("Should not have created a replica that was under recovery " +
           blocks[RUR]);
     } catch (ReplicaAlreadyExistsException e) {
     }
     
-    dataSet.createTemporary(blocks[NON_EXISTENT]);
+    dataSet.createTemporary(StorageType.DEFAULT, blocks[NON_EXISTENT]);
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFavoredNodesEndToEnd.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFavoredNodesEndToEnd.java
index ea5bb7a91ed..4f110372be8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFavoredNodesEndToEnd.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFavoredNodesEndToEnd.java
@@ -18,32 +18,41 @@
  */
 package org.apache.hadoop.hdfs.server.namenode;
 
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
-import java.util.ArrayList;
-import java.util.Random;
-import java.io.IOException;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.UnknownHostException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Random;
 
+import org.apache.commons.logging.LogFactory;
+import org.apache.commons.logging.impl.Log4JLogger;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.BlockLocation;
 import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsPermission;
-import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.hdfs.DFSTestUtil;
 import org.apache.hadoop.hdfs.DistributedFileSystem;
-import org.apache.hadoop.hdfs.client.HdfsDataOutputStream;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
+import org.apache.hadoop.hdfs.server.blockmanagement.BlockPlacementPolicy;
 import org.apache.hadoop.hdfs.server.datanode.DataNode;
-import org.junit.Test;
+import org.apache.log4j.Level;
 import org.junit.AfterClass;
+import org.junit.Assert;
 import org.junit.BeforeClass;
+import org.junit.Test;
 
 
 public class TestFavoredNodesEndToEnd {
+  {
+    ((Log4JLogger)LogFactory.getLog(BlockPlacementPolicy.class)).getLogger().setLevel(Level.ALL);
+  }
+
   private static MiniDFSCluster cluster;
   private static Configuration conf;
   private final static int NUM_DATA_NODES = 10;
@@ -79,7 +88,7 @@ public void testFavoredNodesEndToEnd() throws Exception {
       InetSocketAddress datanode[] = getDatanodes(rand);
       Path p = new Path("/filename"+i);
       FSDataOutputStream out = dfs.create(p, FsPermission.getDefault(), true,
-          4096, (short)3, (long)4096, null, datanode);
+          4096, (short)3, 4096L, null, datanode);
       out.write(SOME_BYTES);
       out.close();
       BlockLocation[] locations = getBlockLocations(p);
@@ -98,14 +107,13 @@ public void testWhenFavoredNodesNotPresent() throws Exception {
     //get some other nodes. In other words, the write to hdfs should not fail
     //and if we do getBlockLocations on the file, we should see one blklocation
     //and three hosts for that
-    Random rand = new Random(System.currentTimeMillis());
     InetSocketAddress arbitraryAddrs[] = new InetSocketAddress[3];
     for (int i = 0; i < 3; i++) {
       arbitraryAddrs[i] = getArbitraryLocalHostAddr();
     }
     Path p = new Path("/filename-foo-bar");
     FSDataOutputStream out = dfs.create(p, FsPermission.getDefault(), true,
-        4096, (short)3, (long)4096, null, arbitraryAddrs);
+        4096, (short)3, 4096L, null, arbitraryAddrs);
     out.write(SOME_BYTES);
     out.close();
     getBlockLocations(p);
@@ -113,35 +121,41 @@ public void testWhenFavoredNodesNotPresent() throws Exception {
 
   @Test(timeout=180000)
   public void testWhenSomeNodesAreNotGood() throws Exception {
+    // 4 favored nodes
+    final InetSocketAddress addrs[] = new InetSocketAddress[4];
+    final String[] hosts = new String[addrs.length];
+    for (int i = 0; i < addrs.length; i++) {
+      addrs[i] = datanodes.get(i).getXferAddress();
+      hosts[i] = addrs[i].getAddress().getHostAddress() + ":" + addrs[i].getPort();
+    }
+
     //make some datanode not "good" so that even if the client prefers it,
     //the namenode would not give it as a replica to write to
     DatanodeInfo d = cluster.getNameNode().getNamesystem().getBlockManager()
            .getDatanodeManager().getDatanodeByXferAddr(
-               datanodes.get(0).getXferAddress().getAddress().getHostAddress(), 
-               datanodes.get(0).getXferAddress().getPort());
+               addrs[0].getAddress().getHostAddress(), addrs[0].getPort());
     //set the decommission status to true so that 
     //BlockPlacementPolicyDefault.isGoodTarget returns false for this dn
     d.setDecommissioned();
-    InetSocketAddress addrs[] = new InetSocketAddress[3];
-    for (int i = 0; i < 3; i++) {
-      addrs[i] = datanodes.get(i).getXferAddress();
-    }
     Path p = new Path("/filename-foo-bar-baz");
+    final short replication = (short)3;
     FSDataOutputStream out = dfs.create(p, FsPermission.getDefault(), true,
-        4096, (short)3, (long)4096, null, addrs);
+        4096, replication, 4096L, null, addrs);
     out.write(SOME_BYTES);
     out.close();
     //reset the state
     d.stopDecommission();
+
     BlockLocation[] locations = getBlockLocations(p);
+    Assert.assertEquals(replication, locations[0].getNames().length);;
     //also make sure that the datanode[0] is not in the list of hosts
-    String datanode0 = 
-        datanodes.get(0).getXferAddress().getAddress().getHostAddress()
-        + ":" + datanodes.get(0).getXferAddress().getPort();
-    for (int i = 0; i < 3; i++) {
-      if (locations[0].getNames()[i].equals(datanode0)) {
-        fail(datanode0 + " not supposed to be a replica for the block");
-      }
+    for (int i = 0; i < replication; i++) {
+      final String loc = locations[0].getNames()[i];
+      int j = 0;
+      for(; j < hosts.length && !loc.equals(hosts[j]); j++);
+      Assert.assertTrue("j=" + j, j > 0);
+      Assert.assertTrue("loc=" + loc + " not in host list "
+          + Arrays.asList(hosts) + ", j=" + j, j < hosts.length);
     }
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/net/TestNetworkTopology.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/net/TestNetworkTopology.java
index 2e6383cc267..faf946004ac 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/net/TestNetworkTopology.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/net/TestNetworkTopology.java
@@ -60,7 +60,14 @@ public void setupDatanodes() {
         DFSTestUtil.getDatanodeDescriptor("10.10.10.10", "/d3/r1"),
         DFSTestUtil.getDatanodeDescriptor("11.11.11.11", "/d3/r1"),
         DFSTestUtil.getDatanodeDescriptor("12.12.12.12", "/d3/r2"),
-        DFSTestUtil.getDatanodeDescriptor("13.13.13.13", "/d3/r2")        
+        DFSTestUtil.getDatanodeDescriptor("13.13.13.13", "/d3/r2"),
+        DFSTestUtil.getDatanodeDescriptor("14.14.14.14", "/d4/r1"),
+        DFSTestUtil.getDatanodeDescriptor("15.15.15.15", "/d4/r1"),
+        DFSTestUtil.getDatanodeDescriptor("16.16.16.16", "/d4/r1"),
+        DFSTestUtil.getDatanodeDescriptor("17.17.17.17", "/d4/r1"),
+        DFSTestUtil.getDatanodeDescriptor("18.18.18.18", "/d4/r1"),
+        DFSTestUtil.getDatanodeDescriptor("19.19.19.19", "/d4/r1"),
+        DFSTestUtil.getDatanodeDescriptor("20.20.20.20", "/d4/r1"),        
     };
     for (int i = 0; i < dataNodes.length; i++) {
       cluster.add(dataNodes[i]);
@@ -107,7 +114,7 @@ public void testCreateInvalidTopology() throws Exception {
 
   @Test
   public void testRacks() throws Exception {
-    assertEquals(cluster.getNumOfRacks(), 5);
+    assertEquals(cluster.getNumOfRacks(), 6);
     assertTrue(cluster.isOnSameRack(dataNodes[0], dataNodes[1]));
     assertFalse(cluster.isOnSameRack(dataNodes[1], dataNodes[2]));
     assertTrue(cluster.isOnSameRack(dataNodes[2], dataNodes[3]));
@@ -133,7 +140,7 @@ public void testSortByDistance() throws Exception {
     testNodes[1] = dataNodes[2];
     testNodes[2] = dataNodes[0];
     cluster.sortByDistance(dataNodes[0], testNodes,
-        testNodes.length, 0xDEADBEEF);
+        testNodes.length, 0xDEADBEEF, false);
     assertTrue(testNodes[0] == dataNodes[0]);
     assertTrue(testNodes[1] == dataNodes[1]);
     assertTrue(testNodes[2] == dataNodes[2]);
@@ -146,7 +153,7 @@ public void testSortByDistance() throws Exception {
     dtestNodes[3] = dataNodes[9];
     dtestNodes[4] = dataNodes[10];
     cluster.sortByDistance(dataNodes[8], dtestNodes,
-        dtestNodes.length - 2, 0xDEADBEEF);
+        dtestNodes.length - 2, 0xDEADBEEF, false);
     assertTrue(dtestNodes[0] == dataNodes[8]);
     assertTrue(dtestNodes[1] == dataNodes[11]);
     assertTrue(dtestNodes[2] == dataNodes[12]);
@@ -158,7 +165,7 @@ public void testSortByDistance() throws Exception {
     testNodes[1] = dataNodes[3];
     testNodes[2] = dataNodes[0];
     cluster.sortByDistance(dataNodes[0], testNodes,
-        testNodes.length, 0xDEADBEEF);
+        testNodes.length, 0xDEADBEEF, false);
     assertTrue(testNodes[0] == dataNodes[0]);
     assertTrue(testNodes[1] == dataNodes[1]);
     assertTrue(testNodes[2] == dataNodes[3]);
@@ -168,7 +175,7 @@ public void testSortByDistance() throws Exception {
     testNodes[1] = dataNodes[3];
     testNodes[2] = dataNodes[1];
     cluster.sortByDistance(dataNodes[0], testNodes,
-        testNodes.length, 0xDEADBEEF);
+        testNodes.length, 0xDEADBEEF, false);
     assertTrue(testNodes[0] == dataNodes[1]);
     assertTrue(testNodes[1] == dataNodes[3]);
     assertTrue(testNodes[2] == dataNodes[5]);
@@ -178,7 +185,7 @@ public void testSortByDistance() throws Exception {
     testNodes[1] = dataNodes[5];
     testNodes[2] = dataNodes[3];
     cluster.sortByDistance(dataNodes[0], testNodes,
-        testNodes.length, 0xDEADBEEF);
+        testNodes.length, 0xDEADBEEF, false);
     assertTrue(testNodes[0] == dataNodes[1]);
     assertTrue(testNodes[1] == dataNodes[3]);
     assertTrue(testNodes[2] == dataNodes[5]);
@@ -188,7 +195,7 @@ public void testSortByDistance() throws Exception {
     testNodes[1] = dataNodes[5];
     testNodes[2] = dataNodes[3];
     cluster.sortByDistance(dataNodes[0], testNodes,
-        testNodes.length, 0xDEAD);
+        testNodes.length, 0xDEAD, false);
     // sortByDistance does not take the "data center" layer into consideration
     // and it doesn't sort by getDistance, so 1, 5, 3 is also valid here
     assertTrue(testNodes[0] == dataNodes[1]);
@@ -204,7 +211,27 @@ public void testSortByDistance() throws Exception {
       testNodes[1] = dataNodes[6];
       testNodes[2] = dataNodes[7];
       cluster.sortByDistance(dataNodes[i], testNodes,
-          testNodes.length, 0xBEADED+i);
+          testNodes.length, 0xBEADED+i, false);
+      if (first == null) {
+        first = testNodes[0];
+      } else {
+        if (first != testNodes[0]) {
+          foundRandom = true;
+          break;
+        }
+      }
+    }
+    assertTrue("Expected to find a different first location", foundRandom);
+    // Array of rack local nodes with randomizeBlockLocationsPerBlock set to
+    // true
+    // Expect random order of block locations for same block
+    first = null;
+    for (int i = 1; i <= 4; i++) {
+      testNodes[0] = dataNodes[13];
+      testNodes[1] = dataNodes[14];
+      testNodes[2] = dataNodes[15];
+      cluster.sortByDistance(dataNodes[15 + i], testNodes, testNodes.length,
+          0xBEADED, true);
       if (first == null) {
         first = testNodes[0];
       } else {

From ef9b6a45c437a56f9ebf198cba902e06e875f27c Mon Sep 17 00:00:00 2001
From: Haohui Mai <wheat9@apache.org>
Date: Thu, 24 Jul 2014 17:28:31 +0000
Subject: [PATCH 046/354] HDFS-6657. Remove link to 'Legacy UI' in trunk's
 Namenode UI. Contributed by Vinayakumar B.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613195 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt         |  3 +++
 .../src/main/webapps/hdfs/dfshealth.html            |  1 -
 .../hadoop-hdfs/src/main/webapps/hdfs/index.html    | 13 +------------
 .../src/main/webapps/secondary/index.html           | 11 -----------
 4 files changed, 4 insertions(+), 24 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index bbeebd19843..217bf4df094 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -252,6 +252,9 @@ Trunk (Unreleased)
     HDFS-5794. Fix the inconsistency of layout version number of 
     ADD_DATANODE_AND_STORAGE_UUIDS between trunk and branch-2. (jing9)
 
+    HDFS-6657. Remove link to 'Legacy UI' in trunk's Namenode UI.
+    (Vinayakumar B via wheat 9)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
index fadba070721..8fdf73ba19c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
@@ -66,7 +66,6 @@
 <div class="row">
   <hr />
   <div class="col-xs-2"><p>Hadoop, 2014.</p></div>
-  <div class="col-xs-1 pull-right"><a style="color: #ddd" href="dfshealth.jsp">Legacy UI</a></div>
 </div>
 </div>
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/index.html b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/index.html
index 99bb13b326c..aa62a372396 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/index.html
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/index.html
@@ -18,18 +18,7 @@
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
-<meta http-equiv="REFRESH" content="1;url=dfshealth.jsp" />
+<meta http-equiv="REFRESH" content="0;url=dfshealth.html" />
 <title>Hadoop Administration</title>
 </head>
-<body>
-<script type="text/javascript">
-//<![CDATA[
-window.location.href='dfshealth.html';
-//]]>
-</script>
-<h1>Hadoop Administration</h1>
-<ul>
-<li><a href="dfshealth.jsp">DFS Health/Status</a></li>
-</ul>
-</body>
 </html>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/secondary/index.html b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/secondary/index.html
index 97e0207e06f..f7ef858b9e3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/secondary/index.html
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/secondary/index.html
@@ -21,15 +21,4 @@
   <meta http-equiv="REFRESH" content="0;url=status.html" />
   <title>Hadoop Administration</title>
 </head>
-<body>
-<script type="text/javascript">
-//<![CDATA[
-window.location.href='status.html';
-//]]>
-</script>
-<h1>Hadoop Administration</h1>
-<ul>
-  <li><a href="status.jsp">Status</a></li>
-</ul>
-</body>
 </html>
\ No newline at end of file

From f2137d7c0e19176d5ad7e28c6abcfc03eac49ec3 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Thu, 24 Jul 2014 17:47:08 +0000
Subject: [PATCH 047/354] HADOOP-10894. Fix dead link in ToolRunner
 documentation. (Contributed by Akira Ajisaka)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613200 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt                | 3 +++
 .../src/main/java/org/apache/hadoop/util/ToolRunner.java       | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 491daf04e9f..5ea931c649e 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -819,6 +819,9 @@ Release 2.5.0 - UNRELEASED
     HADOOP-10890. TestDFVariations.testMount fails intermittently. (Yongjun
     Zhang via Arpit Agarwal)
 
+    HADOOP-10894. Fix dead link in ToolRunner documentation. (Akira Ajisaka
+    via Arpit Agarwal)
+
 Release 2.4.1 - 2014-06-23 
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ToolRunner.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ToolRunner.java
index 49581000ca3..16872d0891e 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ToolRunner.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ToolRunner.java
@@ -30,7 +30,7 @@
  * <p><code>ToolRunner</code> can be used to run classes implementing 
  * <code>Tool</code> interface. It works in conjunction with 
  * {@link GenericOptionsParser} to parse the 
- * <a href="{@docRoot}/org/apache/hadoop/util/GenericOptionsParser.html#GenericOptions">
+ * <a href="{@docRoot}/../hadoop-project-dist/hadoop-common/CommandsManual.html#Generic_Options">
  * generic hadoop command line arguments</a> and modifies the 
  * <code>Configuration</code> of the <code>Tool</code>. The 
  * application-specific options are passed along without being modified.

From a7855e1c3376fee23eb2ed61f9ae4ad3c9754722 Mon Sep 17 00:00:00 2001
From: Haohui Mai <wheat9@apache.org>
Date: Thu, 24 Jul 2014 17:59:45 +0000
Subject: [PATCH 048/354] HDFS-6723. New NN webUI no longer displays
 decommissioned state for dead node. Contributed by Ming Ma.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613220 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                    | 3 +++
 .../hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html           | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 217bf4df094..45109896397 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -983,6 +983,9 @@ Release 2.5.0 - UNRELEASED
     HDFS-6622. Rename and AddBlock may race and produce invalid edits (kihwal
     via cmccabe)
 
+    HDFS-6723. New NN webUI no longer displays decommissioned state for dead node.
+    (Ming Ma via wheat9)
+
 Release 2.4.1 - 2014-06-23 
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
index 8fdf73ba19c..25895261982 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
@@ -282,7 +282,7 @@
   <tr class="danger">
     <td>{name} ({xferaddr})</td>
     <td>{lastContact}</td>
-    <td>Dead{?decomissioned}, Decomissioned{/decomissioned}</td>
+    <td>Dead{?decommissioned}, Decommissioned{/decommissioned}</td>
     <td>-</td>
     <td>-</td>
     <td>-</td>

From 8c6e172a0ad8f06a4f9b70d61d9f3f7789405815 Mon Sep 17 00:00:00 2001
From: Jing Zhao <jing9@apache.org>
Date: Thu, 24 Jul 2014 18:28:00 +0000
Subject: [PATCH 049/354] HDFS-6715. Webhdfs wont fail over when it gets
 java.io.IOException: Namenode is in startup mode. Contributed by Jing Zhao.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613237 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../web/resources/NamenodeWebHdfsMethods.java |  3 +-
 .../apache/hadoop/hdfs/web/TestWebHDFS.java   | 39 +++++++++-
 .../hadoop/hdfs/web/TestWebHDFSForHA.java     | 76 +++++++++++++++++--
 4 files changed, 112 insertions(+), 9 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 45109896397..376c272a576 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -367,6 +367,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6455. NFS: Exception should be added in NFS log for invalid separator in
     nfs.exports.allowed.hosts. (Abhiraj Butala via brandonli)
 
+    HDFS-6715. Webhdfs wont fail over when it gets java.io.IOException: Namenode
+    is in startup mode. (jing9)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java
index 92a58f9822e..d7235b38727 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java
@@ -113,6 +113,7 @@
 import org.apache.hadoop.hdfs.web.resources.XAttrSetFlagParam;
 import org.apache.hadoop.hdfs.web.resources.XAttrValueParam;
 import org.apache.hadoop.io.Text;
+import org.apache.hadoop.ipc.RetriableException;
 import org.apache.hadoop.ipc.Server;
 import org.apache.hadoop.net.NetworkTopology.InvalidTopologyException;
 import org.apache.hadoop.net.Node;
@@ -190,7 +191,7 @@ private static NamenodeProtocols getRPCServer(NameNode namenode)
       throws IOException {
      final NamenodeProtocols np = namenode.getRpcServer();
      if (np == null) {
-       throw new IOException("Namenode is in startup mode");
+       throw new RetriableException("Namenode is in startup mode");
      }
      return np;
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHDFS.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHDFS.java
index e9c74c6de30..14312110aa6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHDFS.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHDFS.java
@@ -39,14 +39,18 @@
 import org.apache.hadoop.hdfs.DistributedFileSystem;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.TestDFSClientRetries;
+import org.apache.hadoop.hdfs.server.namenode.NameNode;
 import org.apache.hadoop.hdfs.server.namenode.snapshot.SnapshotTestHelper;
 import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods;
-import org.apache.hadoop.hdfs.TestDFSClientRetries;
+import org.apache.hadoop.hdfs.server.protocol.NamenodeProtocols;
+import org.apache.hadoop.ipc.RetriableException;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.test.GenericTestUtils;
 import org.apache.log4j.Level;
 import org.junit.Assert;
 import org.junit.Test;
+import org.mockito.internal.util.reflection.Whitebox;
 
 /** Test WebHDFS */
 public class TestWebHDFS {
@@ -445,4 +449,37 @@ public void testWebHdfsRenameSnapshot() throws Exception {
       }
     }
   }
+
+  /**
+   * Make sure a RetriableException is thrown when rpcServer is null in
+   * NamenodeWebHdfsMethods.
+   */
+  @Test
+  public void testRaceWhileNNStartup() throws Exception {
+    MiniDFSCluster cluster = null;
+    final Configuration conf = WebHdfsTestUtil.createConf();
+    try {
+      cluster = new MiniDFSCluster.Builder(conf).numDataNodes(0).build();
+      cluster.waitActive();
+      final NameNode namenode = cluster.getNameNode();
+      final NamenodeProtocols rpcServer = namenode.getRpcServer();
+      Whitebox.setInternalState(namenode, "rpcServer", null);
+
+      final Path foo = new Path("/foo");
+      final FileSystem webHdfs = WebHdfsTestUtil.getWebHdfsFileSystem(conf,
+          WebHdfsFileSystem.SCHEME);
+      try {
+        webHdfs.mkdirs(foo);
+        fail("Expected RetriableException");
+      } catch (RetriableException e) {
+        GenericTestUtils.assertExceptionContains("Namenode is in startup mode",
+            e);
+      }
+      Whitebox.setInternalState(namenode, "rpcServer", rpcServer);
+    } finally {
+      if (cluster != null) {
+        cluster.shutdown();
+      }
+    }
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHDFSForHA.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHDFSForHA.java
index 772e367f93c..0340b952259 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHDFSForHA.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHDFSForHA.java
@@ -18,6 +18,15 @@
 
 package org.apache.hadoop.hdfs.web;
 
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
+
+import java.io.IOException;
+import java.net.URI;
+import java.util.HashMap;
+import java.util.Map;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FSDataInputStream;
 import org.apache.hadoop.fs.FSDataOutputStream;
@@ -29,18 +38,14 @@
 import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.hdfs.MiniDFSNNTopology;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
+import org.apache.hadoop.hdfs.server.namenode.NameNode;
 import org.apache.hadoop.hdfs.server.namenode.ha.HATestUtil;
+import org.apache.hadoop.hdfs.server.protocol.NamenodeProtocols;
 import org.apache.hadoop.io.IOUtils;
 import org.apache.hadoop.security.token.Token;
 import org.junit.Assert;
 import org.junit.Test;
-
-import java.io.IOException;
-import java.net.URI;
-
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY;
-import static org.mockito.Mockito.spy;
-import static org.mockito.Mockito.verify;
+import org.mockito.internal.util.reflection.Whitebox;
 
 public class TestWebHDFSForHA {
   private static final String LOGICAL_NAME = "minidfs";
@@ -182,4 +187,61 @@ public void testMultipleNamespacesConfigured() throws Exception {
       }
     }
   }
+
+  /**
+   * Make sure the WebHdfsFileSystem will retry based on RetriableException when
+   * rpcServer is null in NamenodeWebHdfsMethods while NameNode starts up.
+   */
+  @Test (timeout=120000)
+  public void testRetryWhileNNStartup() throws Exception {
+    final Configuration conf = DFSTestUtil.newHAConfiguration(LOGICAL_NAME);
+    MiniDFSCluster cluster = null;
+    final Map<String, Boolean> resultMap = new HashMap<String, Boolean>();
+
+    try {
+      cluster = new MiniDFSCluster.Builder(conf).nnTopology(topo)
+          .numDataNodes(0).build();
+      HATestUtil.setFailoverConfigurations(cluster, conf, LOGICAL_NAME);
+      cluster.waitActive();
+      cluster.transitionToActive(0);
+
+      final NameNode namenode = cluster.getNameNode(0);
+      final NamenodeProtocols rpcServer = namenode.getRpcServer();
+      Whitebox.setInternalState(namenode, "rpcServer", null);
+
+      new Thread() {
+        @Override
+        public void run() {
+          boolean result = false;
+          FileSystem fs = null;
+          try {
+            fs = FileSystem.get(WEBHDFS_URI, conf);
+            final Path dir = new Path("/test");
+            result = fs.mkdirs(dir);
+          } catch (IOException e) {
+            result = false;
+          } finally {
+            IOUtils.cleanup(null, fs);
+          }
+          synchronized (TestWebHDFSForHA.this) {
+            resultMap.put("mkdirs", result);
+            TestWebHDFSForHA.this.notifyAll();
+          }
+        }
+      }.start();
+
+      Thread.sleep(1000);
+      Whitebox.setInternalState(namenode, "rpcServer", rpcServer);
+      synchronized (this) {
+        while (!resultMap.containsKey("mkdirs")) {
+          this.wait();
+        }
+        Assert.assertTrue(resultMap.get("mkdirs"));
+      }
+    } finally {
+      if (cluster != null) {
+        cluster.shutdown();
+      }
+    }
+  }
 }

From e171254d56bfff467a67a6cf9160595c941f50c0 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Thu, 24 Jul 2014 23:42:06 +0000
Subject: [PATCH 050/354] Name node cannot start if the path of a file under
 construction contains .snapshot. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613329 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../hdfs/server/namenode/FSImageFormat.java   |  11 ++
 .../hadoop/hdfs/TestDFSUpgradeFromImage.java  | 137 ++++++++++++++++++
 .../test/resources/hadoop-0.23-reserved.tgz   | Bin 0 -> 4558 bytes
 .../src/test/resources/hadoop-1-reserved.tgz  | Bin 0 -> 2572 bytes
 5 files changed, 151 insertions(+)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-0.23-reserved.tgz
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-1-reserved.tgz

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 376c272a576..498454916d8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -908,6 +908,9 @@ Release 2.5.0 - UNRELEASED
     HDFS-6422. getfattr in CLI doesn't throw exception or return non-0 return code 
     when xattr doesn't exist. (Charles Lamb via umamahesh)
 
+    HDFS-6696. Name node cannot start if the path of a file under
+    construction contains ".snapshot". (wang)
+
   BREAKDOWN OF HDFS-2006 SUBTASKS AND RELATED JIRAS
 
     HDFS-6299. Protobuf for XAttr and client-side implementation. (Yi Liu via umamahesh)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSImageFormat.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSImageFormat.java
index 49a035cfff0..5b6d269546b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSImageFormat.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSImageFormat.java
@@ -614,6 +614,16 @@ private void loadFullNameINodes(long numFiles, DataInput in, Counter counter)
     INodeDirectory parentINode = fsDir.rootDir;
     for (long i = 0; i < numFiles; i++) {
       pathComponents = FSImageSerialization.readPathComponents(in);
+      for (int j=0; j < pathComponents.length; j++) {
+        byte[] newComponent = renameReservedComponentOnUpgrade
+            (pathComponents[j], getLayoutVersion());
+        if (!Arrays.equals(newComponent, pathComponents[j])) {
+          String oldPath = DFSUtil.byteArray2PathString(pathComponents);
+          pathComponents[j] = newComponent;
+          String newPath = DFSUtil.byteArray2PathString(pathComponents);
+          LOG.info("Renaming reserved path " + oldPath + " to " + newPath);
+        }
+      }
       final INode newNode = loadINode(
           pathComponents[pathComponents.length-1], false, in, counter);
 
@@ -926,6 +936,7 @@ LayoutVersion.Feature.ADD_INODE_ID, getLayoutVersion())) {
           oldnode = namesystem.dir.getInode(cons.getId()).asFile();
           inSnapshot = true;
         } else {
+          path = renameReservedPathsOnUpgrade(path, getLayoutVersion());
           final INodesInPath iip = fsDir.getLastINodeInPath(path);
           oldnode = INodeFile.valueOf(iip.getINode(0), path);
         }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgradeFromImage.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgradeFromImage.java
index 1e1f668f210..f5dbdceaa17 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgradeFromImage.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgradeFromImage.java
@@ -70,6 +70,9 @@ public class TestDFSUpgradeFromImage {
   private static final String HADOOP_DFS_DIR_TXT = "hadoop-dfs-dir.txt";
   private static final String HADOOP22_IMAGE = "hadoop-22-dfs-dir.tgz";
   private static final String HADOOP1_BBW_IMAGE = "hadoop1-bbw.tgz";
+  private static final String HADOOP1_RESERVED_IMAGE = "hadoop-1-reserved.tgz";
+  private static final String HADOOP023_RESERVED_IMAGE =
+      "hadoop-0.23-reserved.tgz";
   private static final String HADOOP2_RESERVED_IMAGE = "hadoop-2-reserved.tgz";
 
   private static class ReferenceFileInfo {
@@ -325,6 +328,140 @@ public void testUpgradeFromCorruptRel22Image() throws IOException {
     }
   }
 
+  /**
+   * Test upgrade from a branch-1.2 image with reserved paths
+   */
+  @Test
+  public void testUpgradeFromRel1ReservedImage() throws Exception {
+    unpackStorage(HADOOP1_RESERVED_IMAGE);
+    MiniDFSCluster cluster = null;
+    // Try it once without setting the upgrade flag to ensure it fails
+    final Configuration conf = new Configuration();
+    // Try it again with a custom rename string
+    try {
+      FSImageFormat.setRenameReservedPairs(
+          ".snapshot=.user-snapshot," +
+              ".reserved=.my-reserved");
+      cluster =
+          new MiniDFSCluster.Builder(conf)
+              .format(false)
+              .startupOption(StartupOption.UPGRADE)
+              .numDataNodes(0).build();
+      DistributedFileSystem dfs = cluster.getFileSystem();
+      // Make sure the paths were renamed as expected
+      // Also check that paths are present after a restart, checks that the
+      // upgraded fsimage has the same state.
+      final String[] expected = new String[] {
+          "/.my-reserved",
+          "/.user-snapshot",
+          "/.user-snapshot/.user-snapshot",
+          "/.user-snapshot/open",
+          "/dir1",
+          "/dir1/.user-snapshot",
+          "/dir2",
+          "/dir2/.user-snapshot",
+          "/user",
+          "/user/andrew",
+          "/user/andrew/.user-snapshot",
+      };
+      for (int i=0; i<2; i++) {
+        // Restart the second time through this loop
+        if (i==1) {
+          cluster.finalizeCluster(conf);
+          cluster.restartNameNode(true);
+        }
+        ArrayList<Path> toList = new ArrayList<Path>();
+        toList.add(new Path("/"));
+        ArrayList<String> found = new ArrayList<String>();
+        while (!toList.isEmpty()) {
+          Path p = toList.remove(0);
+          FileStatus[] statuses = dfs.listStatus(p);
+          for (FileStatus status: statuses) {
+            final String path = status.getPath().toUri().getPath();
+            System.out.println("Found path " + path);
+            found.add(path);
+            if (status.isDirectory()) {
+              toList.add(status.getPath());
+            }
+          }
+        }
+        for (String s: expected) {
+          assertTrue("Did not find expected path " + s, found.contains(s));
+        }
+        assertEquals("Found an unexpected path while listing filesystem",
+            found.size(), expected.length);
+      }
+    } finally {
+      if (cluster != null) {
+        cluster.shutdown();
+      }
+    }
+  }
+
+  /**
+   * Test upgrade from a 0.23.11 image with reserved paths
+   */
+  @Test
+  public void testUpgradeFromRel023ReservedImage() throws Exception {
+    unpackStorage(HADOOP023_RESERVED_IMAGE);
+    MiniDFSCluster cluster = null;
+    // Try it once without setting the upgrade flag to ensure it fails
+    final Configuration conf = new Configuration();
+    // Try it again with a custom rename string
+    try {
+      FSImageFormat.setRenameReservedPairs(
+          ".snapshot=.user-snapshot," +
+              ".reserved=.my-reserved");
+      cluster =
+          new MiniDFSCluster.Builder(conf)
+              .format(false)
+              .startupOption(StartupOption.UPGRADE)
+              .numDataNodes(0).build();
+      DistributedFileSystem dfs = cluster.getFileSystem();
+      // Make sure the paths were renamed as expected
+      // Also check that paths are present after a restart, checks that the
+      // upgraded fsimage has the same state.
+      final String[] expected = new String[] {
+          "/.user-snapshot",
+          "/dir1",
+          "/dir1/.user-snapshot",
+          "/dir2",
+          "/dir2/.user-snapshot"
+      };
+      for (int i=0; i<2; i++) {
+        // Restart the second time through this loop
+        if (i==1) {
+          cluster.finalizeCluster(conf);
+          cluster.restartNameNode(true);
+        }
+        ArrayList<Path> toList = new ArrayList<Path>();
+        toList.add(new Path("/"));
+        ArrayList<String> found = new ArrayList<String>();
+        while (!toList.isEmpty()) {
+          Path p = toList.remove(0);
+          FileStatus[] statuses = dfs.listStatus(p);
+          for (FileStatus status: statuses) {
+            final String path = status.getPath().toUri().getPath();
+            System.out.println("Found path " + path);
+            found.add(path);
+            if (status.isDirectory()) {
+              toList.add(status.getPath());
+            }
+          }
+        }
+        for (String s: expected) {
+          assertTrue("Did not find expected path " + s, found.contains(s));
+        }
+        assertEquals("Found an unexpected path while listing filesystem",
+            found.size(), expected.length);
+      }
+    } finally {
+      if (cluster != null) {
+        cluster.shutdown();
+      }
+    }
+  }
+
   /**
    * Test upgrade from 2.0 image with a variety of .snapshot and .reserved
    * paths to test renaming on upgrade
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-0.23-reserved.tgz b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-0.23-reserved.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..0f53f2adb27e1a8379e4bc0d74a9c98700228559
GIT binary patch
literal 4558
zcmeIzjZ=~b90zc^)~u~`xy*u;?bI}N;Zm9<$Zbsxbv2fyXv%4pQuBq2R1|%h<ZMG?
zz3I~VGRd^aFd3Q@GBagTNJ-!<MU#+Bfer;keRx*4KO=ts!S{3D`~Hy3)vy4m>;P<~
zeptpvWNe1L8OaWZ@A>5u*ZI<Pbll#{d036DEqPlxH9yJipRL|mC~U$x?A_bK6Ff{_
zjLX@TuB8F)-h*XFP-g*HVH4Jg5>eWy?kc0q`jGDp7_P~#A;tABY)SB3$pWoDe^z~n
z@UbVq?de_xxdKiu$QgD2)*Q;zc(1z{x|-t`jrbZ}Ji4-`dV^-LC2`$uhT0F%^$dID
z*<)_RPXUidWHW4v+ZG&T_G7+;yk~W|#m1N7@P|P40EE9&0~yjoq)r-1oAbGPC^Y69
z8*UBLHtxT8w^o18V|(T;gT>RwS5d_GrsdiZBgM9ybh2w)ue`X!X`xyt-rQ$n?F*Pj
zOV^?=_{DSz@iURwnUG0LbjJ-8CLJ4BH~-3ZbK?xeVx1T!iP~+uER+OLLZFgBUsli|
z$oIv4?Tdy*&cHr_=RuB&Nmxu9ZAnQ6S`$(H@2}jdNaHDFq-60XB?4c4RrVKg+Hh$+
zG29<_xad@|PgWUuL;pZDXLxP=g%B=}DkQfLiO%=YzRG?;<|j>etHx!hpD(9jwp_kD
zaKdQNx_^aAR%hm<5XW0a|J|H7{tV%qFWpKK3SE6DoVv2sADd>W=)<f-91}k%OCVh}
zbo>F~X!D#QcSngA(hYnuF&RDD?uM=ITa*`plqUukOJuK}kg|b^0H}}d(-S~nC(zD~
zB4Fd*=CbIYch=R4dGsZQaXhgON%sm(o-s$6KT9ao%7A;PPU7mW6tBOW)?UT#i0U0s
z5BXN{>Wax?n0VL64<TaVYdJ7x)LxlbuI)e0?Q7u2k8U}~&=MJ9P&>BigXXDW<l}*&
zo-%V4kEfr1h)&Fg*HodBMIE>8i_ap%KB|%3S?<|{en!a6?l^L(sQ<axHs;j10_He}
zfJ5Lt6FB|p<LCaz8H3rLO5w#Pe#nXwNfAINzqYe?m2BcktWkC$9nOh_s}aqOL3l=s
zX9neutEpILDW6dJq4Lf8rLao;mxhWP%7)-qEK|NGeJoWczAE*}osmG;xhmU>>%;_m
zLCNwwX1mBVRc@3xjna$Y07YK9J9w$lzb_qy%wqq1QPi}*v?-CMJkZmnOnW>MknJq#
zG2N7P%GE5$hz)IESxXOy?0(g3Ek`FuhEy(jgjOm9v^_CQO_#zjW<l<*n?B<&SeZfn
zr`BCX>hA7PpqQ;9+R-^v6L)y0ibQ&z8N~|R#}8p9>HR|8l?ZOCO&F|uJD~&=HUH92
z;nvdzI5FVIt*zd~Sr(6}nT6OwB(fda-?>x<;=Y@GJKNnLK;BphoqAfs?ttbZ1PKt0
zhuiMlVpmC5)O%cKmn(rC<HYcTkhzV%`UZ3{s1?f48Rg(&4sJTU64?BnHOmp#A>a^z
z!TydX=5Slq?Y>Kko7or1p$FZ{as$T(^VH7ntp>}`#KN`CWB45`g4a4DE0`5{_BCar
z1P@nf8Zcp^d+_jYNRpk~`fCXSIQ2sj!9K{~h0QKk#Z^8?ZFcLc&Hndwge=7vnaJ*F
zY*XmbMM<q~i}&}a_Gt0!I{ES2_PG?`@Rr~7{nE({nU|T82}-O=02|AX1MAP2*5}TQ
z*p~Rc_-3of)}v5P?#C7Uz?r-nr~=OG7?y<$P_0u*{xl=|tyoC$*Qo1LXw6y71F`Cy
zeVOfCV9$tptw}Z4KY}L~*sGeA(3(3|n|PjUEP0~<^%L)=-|B+HKyx6siV>Y9*hIDb
zTGLCRZ3uk#3v%j32*$+I<)L6c>gErz7Sj_;X6Q&#A?i+>-DDQjmUKOORujJyMG_Wf
z9RbY(R-UaKwH+`WrEon~=^6`<paV$+tyNCXpsCf@C#bE%$OwM7nr+pr0O><X2<Rl>
z*{t(|7K}iJSb$>(_t?T%U&Kzm{UGD4^4O^^r`T)f1^15)MPJx2)4Iq7a?CVt$<bJc
dfJ5ND6L|Cc2mfdOJH8)+HGdwH3ELY4`wt8|Nk#ww

literal 0
HcmV?d00001

diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-1-reserved.tgz b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-1-reserved.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..737ad2d38406ba5f7dcb68981f3c21aac274a662
GIT binary patch
literal 2572
zcmeIz{ZrC+0Kjp}TUvJ7YQ>f**Rs>nq|P3ENNKBsw56s7fr+-Q%qJLTq+)*8nTJK#
z%EyJu5}OhlW+5gbxkV%j&QLTJuoxLWp`bWY`D}OlX?MH*1MB@KynlJY>5g_fg*@8M
zerm9b_z8Bi-6+bVw?<MR_nNq!u;<a!2hk@lA2zK#<9T@f+LaDT&sNS4o*lWaRvVlO
zPVN<U2J(KGIv8r{42-Hdy1RSZRSt1DSxOXc92)#0hqWCpn0()(N0tR@1}71vn#Pt$
zZVc*d-N`q3`u3=!FO%<_<L~VZBRk%`Q(7%!5(i&2BF|f@>-thjbEaA;P}gh4_x4|3
z5-@|ZOsf(*j6Kl$`x~uDr$ws^RJ<fL5N&x&to%@0Y>-@Pb^Y-pF%n386994p%`AQe
zFRR5%y*m1Rg7$+@d_Xa%-wc~ThV)~$=-he$7t71_DUqebHsn5jHKbryxA9w>n_4Lo
zig88{5}-583K2DaBrX<L_`dRdWB-;T5hjATKWU+>QvS{;XN1?fUZggJBQ|GLXKt<O
zjb{=0Dna!*p5p+)IGMrBQy~RrlTwwybvzOCuy<TPkr!^nJyz$aK6AEh3QkKSp_y`(
z#Y^VpnU`<Ma!~{&G}#7dB7(-f?aGGHeHL(k8KiEJ0|U#>&jLI=Xy*9U{B9ex3AG5Y
z$mN*?qfS#wos|%?UKi02A+hDAZte-|JolOlMOr%or<gT5LgJukrYVMS`kj8cZNWq9
z6}JUVwatu$;&zGzFtSXkWmHWIm}(m)u~A#f6^EyEorxYc*}f*fy(&7?1922EuUDkr
z16sw$=TF^`=hEB7b3<2rBUU9pRLX~`-vqlibk<e+tIDL6fxAaxo@!=>`PsU%=W1L<
zeNg~)zPBS2{qrveZ_%xnNBSyyrQ9yKR{TW0v$+$^y@VlYTd1V7Ryx!B=7W6H_L>r(
zlo)vaOWIb>u4j^g%+|{Cs?X-*0v@zyS1|T>qslSrSx%08{L9-LV<{DTccQtv2FlzL
z)R=C}ot=iRU+iuL`I9e}d7Glf0Inrns4NU|BcekKzSL#oh3<*HYCYd;M^mJ`{6?<e
zNtG5)Si@L{EeaE15Ii2AV!GEdf*^h;;l3GqL~MVYt+RwZO!46rUm|6=P!QLS4K$6q
zFG%-IEklvtF6^Bs=iBIP{mdd%kp+<3B*KoaF%V+Jd>2yq0OYXuy<;W2c{YI5wiVx^
zZD7I%?ME$u<zoOsYqeU@p{w?=0;eQH&sMrO1I1s5b)_L~9J~`*M3AFa<c>)=1ec^;
zTx^l{^ezi?E*;RoRPz+VVLB?>^_2J9aD2cLxoVZ_rAMFAzYkJAO)5KX_n{95J{<VJ
z9mp&z$xKX3wZMkul?Qz&RBI6?aWMXrRyH7>q~NDI-Wd8mh9#HC>elkZavDdlYeMnI
zmG!01lXf`wM;<?RLZ5LT`RZTH4Of73V!kq`q6hc4puQmVsPmW@vl_SKdc-}NUz^T~
zXa;ccdjrjZ3hxq1Bru^qKf=BJkJK|VKb@a$!anhZgHRVe?IO%Fl6iiUgiPE{gzuaw
zS3|u`D)ud82Sb0DYkW#H!*qYW!H9}j7?u+uuHPW3t3SS$uW#g}WkF<izZ3OJ6^N=t
zL^f%wN$r)}erx=cxxDEzWZ>J!Rjuv&x|S(ec%FR_UvwgfT#vXJbTQ#6BE0p0;qA4p
zz6{|bf1Kw9%Q!o4w(zU`tj}TQ#THHg`zE#w*$!P0mIxefVvO~gcJhKoW`Z5Sy2m*&
z!j5|5RCOV1?ztR}iY=h?W;25J1pAE((@$TX_jgSzXY6ih)kRzH^yhncH&6N}#S~(s
zu~WaBL5EDVD44ES;G{RqNN1dW#>%SUn1RpfC+Z|L%UQtoIC7U9+(3v(`P-tGQU75P
zJR@5&@%o<@379>Bzjoxc4UjGl{RL8Fh%r399%lr3pDWF(Jt@mDbl2;77DfbEx8A5n
z^<vuvO~YtTMVrmcQ2m6w<mNX3Rk#HJ`mT=mNPG4o$P%ou`~Hy`q6wgCyF=^j{shCW
BYajps

literal 0
HcmV?d00001


From 934ba441c1739eb72c6afcb56cd1a56a98aeda97 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Thu, 24 Jul 2014 23:49:22 +0000
Subject: [PATCH 051/354] HADOOP-10891. Add EncryptedKeyVersion factory method
 to KeyProviderCryptoExtension. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613332 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  3 +++
 .../key/KeyProviderCryptoExtension.java       | 24 +++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 5ea931c649e..55914f83197 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -189,6 +189,9 @@ Trunk (Unreleased)
     HADOOP-10720. KMS: Implement generateEncryptedKey and decryptEncryptedKey
     in the REST API. (asuresh via tucu)
 
+    HADOOP-10891. Add EncryptedKeyVersion factory method to
+    KeyProviderCryptoExtension. (wang)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
index 0ba73f1519d..227e19b4841 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
@@ -79,6 +79,30 @@ protected EncryptedKeyVersion(String keyName,
       this.encryptedKeyVersion = encryptedKeyVersion;
     }
 
+    /**
+     * Factory method to create a new EncryptedKeyVersion that can then be
+     * passed into {@link #decryptEncryptedKey}. Note that the fields of the
+     * returned EncryptedKeyVersion will only partially be populated; it is not
+     * necessarily suitable for operations besides decryption.
+     *
+     * @param encryptionKeyVersionName Version name of the encryption key used
+     *                                 to encrypt the encrypted key.
+     * @param encryptedKeyIv           Initialization vector of the encrypted
+     *                                 key. The IV of the encryption key used to
+     *                                 encrypt the encrypted key is derived from
+     *                                 this IV.
+     * @param encryptedKeyMaterial     Key material of the encrypted key.
+     * @return EncryptedKeyVersion suitable for decryption.
+     */
+    public static EncryptedKeyVersion createForDecryption(String
+        encryptionKeyVersionName, byte[] encryptedKeyIv,
+        byte[] encryptedKeyMaterial) {
+      KeyVersion encryptedKeyVersion = new KeyVersion(null, null,
+          encryptedKeyMaterial);
+      return new EncryptedKeyVersion(null, encryptionKeyVersionName,
+          encryptedKeyIv, encryptedKeyVersion);
+    }
+
     /**
      * @return Name of the encryption key used to encrypt the encrypted key.
      */

From 2bb650146ddb36830ea9c0d248fd3df1f6aa7534 Mon Sep 17 00:00:00 2001
From: Vinayakumar B <vinayakumarb@apache.org>
Date: Fri, 25 Jul 2014 07:02:53 +0000
Subject: [PATCH 052/354] HDFS-5919. FileJournalManager doesn't purge empty and
 corrupt inprogress edits files (vinayakumarb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613355 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ++
 .../server/namenode/FileJournalManager.java   | 31 +++++++++++++++++--
 .../TestNNStorageRetentionManager.java        | 11 +++++--
 3 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 498454916d8..9fb5ba132e1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -370,6 +370,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6715. Webhdfs wont fail over when it gets java.io.IOException: Namenode
     is in startup mode. (jing9)
 
+    HDFS-5919. FileJournalManager doesn't purge empty and corrupt inprogress edits
+    files (vinayakumarb)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FileJournalManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FileJournalManager.java
index a41ff1390c5..362c316cc2c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FileJournalManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FileJournalManager.java
@@ -71,6 +71,8 @@ public class FileJournalManager implements JournalManager {
     NameNodeFile.EDITS.getName() + "_(\\d+)-(\\d+)");
   private static final Pattern EDITS_INPROGRESS_REGEX = Pattern.compile(
     NameNodeFile.EDITS_INPROGRESS.getName() + "_(\\d+)");
+  private static final Pattern EDITS_INPROGRESS_STALE_REGEX = Pattern.compile(
+      NameNodeFile.EDITS_INPROGRESS.getName() + "_(\\d+).*(\\S+)");
 
   private File currentInProgress = null;
 
@@ -162,8 +164,7 @@ public void purgeLogsOlderThan(long minTxIdToKeep)
       throws IOException {
     LOG.info("Purging logs older than " + minTxIdToKeep);
     File[] files = FileUtil.listFiles(sd.getCurrentDir());
-    List<EditLogFile> editLogs = 
-      FileJournalManager.matchEditLogs(files);
+    List<EditLogFile> editLogs = matchEditLogs(files, true);
     for (EditLogFile log : editLogs) {
       if (log.getFirstTxId() < minTxIdToKeep &&
           log.getLastTxId() < minTxIdToKeep) {
@@ -244,8 +245,13 @@ private void discardEditLogSegments(long startTxId) throws IOException {
   public static List<EditLogFile> matchEditLogs(File logDir) throws IOException {
     return matchEditLogs(FileUtil.listFiles(logDir));
   }
-  
+
   static List<EditLogFile> matchEditLogs(File[] filesInStorage) {
+    return matchEditLogs(filesInStorage, false);
+  }
+
+  private static List<EditLogFile> matchEditLogs(File[] filesInStorage,
+      boolean forPurging) {
     List<EditLogFile> ret = Lists.newArrayList();
     for (File f : filesInStorage) {
       String name = f.getName();
@@ -256,6 +262,7 @@ static List<EditLogFile> matchEditLogs(File[] filesInStorage) {
           long startTxId = Long.parseLong(editsMatch.group(1));
           long endTxId = Long.parseLong(editsMatch.group(2));
           ret.add(new EditLogFile(f, startTxId, endTxId));
+          continue;
         } catch (NumberFormatException nfe) {
           LOG.error("Edits file " + f + " has improperly formatted " +
                     "transaction ID");
@@ -270,12 +277,30 @@ static List<EditLogFile> matchEditLogs(File[] filesInStorage) {
           long startTxId = Long.parseLong(inProgressEditsMatch.group(1));
           ret.add(
               new EditLogFile(f, startTxId, HdfsConstants.INVALID_TXID, true));
+          continue;
         } catch (NumberFormatException nfe) {
           LOG.error("In-progress edits file " + f + " has improperly " +
                     "formatted transaction ID");
           // skip
         }
       }
+      if (forPurging) {
+        // Check for in-progress stale edits
+        Matcher staleInprogressEditsMatch = EDITS_INPROGRESS_STALE_REGEX
+            .matcher(name);
+        if (staleInprogressEditsMatch.matches()) {
+          try {
+            long startTxId = Long.valueOf(staleInprogressEditsMatch.group(1));
+            ret.add(new EditLogFile(f, startTxId, HdfsConstants.INVALID_TXID,
+                true));
+            continue;
+          } catch (NumberFormatException nfe) {
+            LOG.error("In-progress stale edits file " + f + " has improperly "
+                + "formatted transaction ID");
+            // skip
+          }
+        }
+      }
     }
     return ret;
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNNStorageRetentionManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNNStorageRetentionManager.java
index 8f08ef39f87..346d94962bd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNNStorageRetentionManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNNStorageRetentionManager.java
@@ -212,18 +212,25 @@ public void testRetainExtraLogsLimitedSegments() throws IOException {
     tc.addImage("/foo1/current/" + getImageFileName(300), false);
     tc.addImage("/foo1/current/" + getImageFileName(400), false);
 
+    // Segments containing txns upto txId 250 are extra and should be purged.
     tc.addLog("/foo2/current/" + getFinalizedEditsFileName(1, 100), true);
-    // Without lowering the max segments to retain, we'd retain all segments
-    // going back to txid 150 (300 - 150).
     tc.addLog("/foo2/current/" + getFinalizedEditsFileName(101, 175), true);
+    tc.addLog("/foo2/current/" + getInProgressEditsFileName(176) + ".empty",
+        true);
     tc.addLog("/foo2/current/" + getFinalizedEditsFileName(176, 200), true);
     tc.addLog("/foo2/current/" + getFinalizedEditsFileName(201, 225), true);
+    tc.addLog("/foo2/current/" + getInProgressEditsFileName(226) + ".corrupt",
+        true);
     tc.addLog("/foo2/current/" + getFinalizedEditsFileName(226, 240), true);
     // Only retain 2 extra segments. The 301-350 and 351-400 segments are
     // considered required, not extra.
     tc.addLog("/foo2/current/" + getFinalizedEditsFileName(241, 275), false);
     tc.addLog("/foo2/current/" + getFinalizedEditsFileName(276, 300), false);
+    tc.addLog("/foo2/current/" + getInProgressEditsFileName(301) + ".empty",
+        false);
     tc.addLog("/foo2/current/" + getFinalizedEditsFileName(301, 350), false);
+    tc.addLog("/foo2/current/" + getInProgressEditsFileName(351) + ".corrupt",
+        false);
     tc.addLog("/foo2/current/" + getFinalizedEditsFileName(351, 400), false);
     tc.addLog("/foo2/current/" + getInProgressEditsFileName(401), false);
     runTest(tc);

From 1e553858f930e43fac62986549a178cdcf39384c Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Fri, 25 Jul 2014 16:13:07 +0000
Subject: [PATCH 053/354] YARN-2214. FairScheduler: preemptContainerPreCheck()
 in FSParentQueue delays convergence towards fairness. (Ashwin Shankar via
 kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613459 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |  3 +
 .../scheduler/fair/FSLeafQueue.java           | 19 ++++-
 .../scheduler/fair/FSParentQueue.java         |  5 --
 .../scheduler/fair/FSQueue.java               | 13 ----
 .../scheduler/fair/TestFairScheduler.java     | 73 +++++++++++++++++++
 5 files changed, 91 insertions(+), 22 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 1712abeb9e4..99b60b1aeda 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -65,6 +65,9 @@ Release 2.6.0 - UNRELEASED
     YARN-1342. Recover container tokens upon nodemanager restart. (Jason Lowe via
     devaraj)
 
+    YARN-2214. FairScheduler: preemptContainerPreCheck() in FSParentQueue delays 
+    convergence towards fairness. (Ashwin Shankar via kasha)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java
index 8f957382e6a..3b3f6ce2296 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java
@@ -224,16 +224,17 @@ public Resource assignContainer(FSSchedulerNode node) {
   @Override
   public RMContainer preemptContainer() {
     RMContainer toBePreempted = null;
-    if (LOG.isDebugEnabled()) {
-      LOG.debug("Queue " + getName() + " is going to preempt a container " +
-          "from its applications.");
-    }
 
     // If this queue is not over its fair share, reject
     if (!preemptContainerPreCheck()) {
       return toBePreempted;
     }
 
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("Queue " + getName() + " is going to preempt a container " +
+          "from its applications.");
+    }
+
     // Choose the app that is most over fair share
     Comparator<Schedulable> comparator = policy.getComparator();
     AppSchedulable candidateSched = null;
@@ -328,4 +329,14 @@ public void recoverContainer(Resource clusterResource,
       SchedulerApplicationAttempt schedulerAttempt, RMContainer rmContainer) {
     // TODO Auto-generated method stub
   }
+
+  /**
+   * Helper method to check if the queue should preempt containers
+   *
+   * @return true if check passes (can preempt) or false otherwise
+   */
+  private boolean preemptContainerPreCheck() {
+    return parent.getPolicy().checkIfUsageOverFairShare(getResourceUsage(),
+        getFairShare());
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java
index 5ab60afbca2..9af72a511e0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java
@@ -164,11 +164,6 @@ public Resource assignContainer(FSSchedulerNode node) {
   public RMContainer preemptContainer() {
     RMContainer toBePreempted = null;
 
-    // If this queue is not over its fair share, reject
-    if (!preemptContainerPreCheck()) {
-      return toBePreempted;
-    }
-
     // Find the childQueue which is most over fair share
     FSQueue candidateQueue = null;
     Comparator<Schedulable> comparator = policy.getComparator();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
index 716e1ee6874..1e94046100a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
@@ -187,17 +187,4 @@ protected boolean assignContainerPreCheck(FSSchedulerNode node) {
     }
     return true;
   }
-
-  /**
-   * Helper method to check if the queue should preempt containers
-   *
-   * @return true if check passes (can preempt) or false otherwise
-   */
-  protected boolean preemptContainerPreCheck() {
-    if (this == scheduler.getQueueManager().getRootQueue()) {
-      return true;
-    }
-    return parent.getPolicy()
-        .checkIfUsageOverFairShare(getResourceUsage(), getFairShare());
-  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
index df157e75001..33ec3184a91 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
@@ -1221,6 +1221,79 @@ public void testChoiceOfPreemptedContainers() throws Exception {
         scheduler.getSchedulerApp(app4).getPreemptionContainers().isEmpty());
   }
 
+  @Test
+  public void testPreemptionIsNotDelayedToNextRound() throws Exception {
+    conf.setLong(FairSchedulerConfiguration.PREEMPTION_INTERVAL, 5000);
+    conf.setLong(FairSchedulerConfiguration.WAIT_TIME_BEFORE_KILL, 10000);
+    conf.set(FairSchedulerConfiguration.ALLOCATION_FILE, ALLOC_FILE);
+    conf.set(FairSchedulerConfiguration.USER_AS_DEFAULT_QUEUE, "false");
+
+    MockClock clock = new MockClock();
+    scheduler.setClock(clock);
+
+    PrintWriter out = new PrintWriter(new FileWriter(ALLOC_FILE));
+    out.println("<?xml version=\"1.0\"?>");
+    out.println("<allocations>");
+    out.println("<queue name=\"queueA\">");
+    out.println("<weight>8</weight>");
+    out.println("<queue name=\"queueA1\" />");
+    out.println("<queue name=\"queueA2\" />");
+    out.println("</queue>");
+    out.println("<queue name=\"queueB\">");
+    out.println("<weight>2</weight>");
+    out.println("</queue>");
+    out.print("<fairSharePreemptionTimeout>10</fairSharePreemptionTimeout>");
+    out.println("</allocations>");
+    out.close();
+
+    scheduler.init(conf);
+    scheduler.start();
+    scheduler.reinitialize(conf, resourceManager.getRMContext());
+
+    // Add a node of 8G
+    RMNode node1 = MockNodes.newNodeInfo(1,
+        Resources.createResource(8 * 1024, 8), 1, "127.0.0.1");
+    NodeAddedSchedulerEvent nodeEvent1 = new NodeAddedSchedulerEvent(node1);
+    scheduler.handle(nodeEvent1);
+
+    // Run apps in queueA.A1 and queueB
+    ApplicationAttemptId app1 = createSchedulingRequest(1 * 1024, 1,
+        "queueA.queueA1", "user1", 7, 1);
+    // createSchedulingRequestExistingApplication(1 * 1024, 1, 2, app1);
+    ApplicationAttemptId app2 = createSchedulingRequest(1 * 1024, 1, "queueB",
+        "user2", 1, 1);
+
+    scheduler.update();
+
+    NodeUpdateSchedulerEvent nodeUpdate1 = new NodeUpdateSchedulerEvent(node1);
+    for (int i = 0; i < 8; i++) {
+      scheduler.handle(nodeUpdate1);
+    }
+
+    // verify if the apps got the containers they requested
+    assertEquals(7, scheduler.getSchedulerApp(app1).getLiveContainers().size());
+    assertEquals(1, scheduler.getSchedulerApp(app2).getLiveContainers().size());
+
+    // Now submit an app in queueA.queueA2
+    ApplicationAttemptId app3 = createSchedulingRequest(1 * 1024, 1,
+        "queueA.queueA2", "user3", 7, 1);
+    scheduler.update();
+
+    // Let 11 sec pass
+    clock.tick(11);
+
+    scheduler.update();
+    Resource toPreempt = scheduler.resToPreempt(scheduler.getQueueManager()
+        .getLeafQueue("queueA.queueA2", false), clock.getTime());
+    assertEquals(2980, toPreempt.getMemory());
+
+    // verify if the 3 containers required by queueA2 are preempted in the same
+    // round
+    scheduler.preemptResources(toPreempt);
+    assertEquals(3, scheduler.getSchedulerApp(app1).getPreemptionContainers()
+        .size());
+  }
+
   @Test (timeout = 5000)
   /**
    * Tests the timing of decision to preempt tasks.

From 77363b9d839e47bef2325b8682eabe00d4c83354 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Fri, 25 Jul 2014 17:12:22 +0000
Subject: [PATCH 054/354] YARN-2335. Annotate all hadoop-sls APIs as @Private.
 (Wei Yan via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613478 13f79535-47bb-0310-9956-ffa450edef68
---
 .../org/apache/hadoop/yarn/sls/RumenToSLSConverter.java   | 4 ++++
 .../main/java/org/apache/hadoop/yarn/sls/SLSRunner.java   | 4 ++++
 .../org/apache/hadoop/yarn/sls/appmaster/AMSimulator.java | 4 ++++
 .../apache/hadoop/yarn/sls/appmaster/MRAMSimulator.java   | 4 ++++
 .../org/apache/hadoop/yarn/sls/conf/SLSConfiguration.java | 5 +++++
 .../apache/hadoop/yarn/sls/nodemanager/NMSimulator.java   | 4 ++++
 .../org/apache/hadoop/yarn/sls/nodemanager/NodeInfo.java  | 8 +++++++-
 .../yarn/sls/scheduler/CapacitySchedulerMetrics.java      | 5 +++++
 .../hadoop/yarn/sls/scheduler/ContainerSimulator.java     | 4 ++++
 .../hadoop/yarn/sls/scheduler/FairSchedulerMetrics.java   | 4 ++++
 .../hadoop/yarn/sls/scheduler/FifoSchedulerMetrics.java   | 4 ++++
 .../sls/scheduler/NodeUpdateSchedulerEventWrapper.java    | 4 ++++
 .../apache/hadoop/yarn/sls/scheduler/RMNodeWrapper.java   | 4 ++++
 .../yarn/sls/scheduler/ResourceSchedulerWrapper.java      | 3 +++
 .../hadoop/yarn/sls/scheduler/SLSCapacityScheduler.java   | 4 ++++
 .../hadoop/yarn/sls/scheduler/SchedulerMetrics.java       | 4 ++++
 .../hadoop/yarn/sls/scheduler/SchedulerWrapper.java       | 4 ++++
 .../org/apache/hadoop/yarn/sls/scheduler/TaskRunner.java  | 6 ++++++
 .../java/org/apache/hadoop/yarn/sls/utils/SLSUtils.java   | 4 ++++
 .../java/org/apache/hadoop/yarn/sls/web/SLSWebApp.java    | 4 ++++
 hadoop-yarn-project/CHANGES.txt                           | 2 ++
 21 files changed, 88 insertions(+), 1 deletion(-)

diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/RumenToSLSConverter.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/RumenToSLSConverter.java
index 567963412b1..2d4b4ae5264 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/RumenToSLSConverter.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/RumenToSLSConverter.java
@@ -21,6 +21,8 @@
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.GnuParser;
 import org.apache.commons.cli.Options;
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.codehaus.jackson.JsonFactory;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.map.ObjectWriter;
@@ -42,6 +44,8 @@
 import java.util.TreeMap;
 import java.util.TreeSet;
 
+@Private
+@Unstable
 public class RumenToSLSConverter {
   private static final String EOL = System.getProperty("line.separator");
 
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/SLSRunner.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/SLSRunner.java
index 501d11e0ccd..9baa73626d5 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/SLSRunner.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/SLSRunner.java
@@ -32,6 +32,8 @@
 import java.util.Random;
 import java.util.Arrays;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.tools.rumen.JobTraceReader;
 import org.apache.hadoop.tools.rumen.LoggedJob;
@@ -66,6 +68,8 @@
 import org.codehaus.jackson.JsonFactory;
 import org.codehaus.jackson.map.ObjectMapper;
 
+@Private
+@Unstable
 public class SLSRunner {
   // RM, Runner
   private ResourceManager rm;
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/AMSimulator.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/AMSimulator.java
index 67c09940120..5af4eaa2de4 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/AMSimulator.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/AMSimulator.java
@@ -29,6 +29,8 @@
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.LinkedBlockingQueue;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateRequest;
@@ -70,6 +72,8 @@
 import org.apache.hadoop.yarn.sls.scheduler.TaskRunner;
 import org.apache.hadoop.yarn.sls.utils.SLSUtils;
 
+@Private
+@Unstable
 public abstract class AMSimulator extends TaskRunner.Task {
   // resource manager
   protected ResourceManager rm;
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/MRAMSimulator.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/MRAMSimulator.java
index d789e1ca2aa..d24510ba6fd 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/MRAMSimulator.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/MRAMSimulator.java
@@ -27,6 +27,8 @@
 import java.util.List;
 import java.util.Map;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateRequest;
@@ -45,6 +47,8 @@
 import org.apache.hadoop.yarn.sls.SLSRunner;
 import org.apache.log4j.Logger;
 
+@Private
+@Unstable
 public class MRAMSimulator extends AMSimulator {
   /*
   Vocabulary Used: 
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/conf/SLSConfiguration.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/conf/SLSConfiguration.java
index 21785cc67d9..8fd5b3f770a 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/conf/SLSConfiguration.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/conf/SLSConfiguration.java
@@ -18,6 +18,11 @@
 
 package org.apache.hadoop.yarn.sls.conf;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
+
+@Private
+@Unstable
 public class SLSConfiguration {
   // sls
   public static final String PREFIX = "yarn.sls.";
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NMSimulator.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NMSimulator.java
index b0e2e37fa47..4112685e152 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NMSimulator.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NMSimulator.java
@@ -27,6 +27,8 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.DelayQueue;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.Container;
 import org.apache.hadoop.yarn.api.records.ContainerExitStatus;
@@ -54,6 +56,8 @@
 import org.apache.hadoop.yarn.sls.scheduler.TaskRunner;
 import org.apache.hadoop.yarn.sls.utils.SLSUtils;
 
+@Private
+@Unstable
 public class NMSimulator extends TaskRunner.Task {
   // node resource
   private RMNode node;
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NodeInfo.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NodeInfo.java
index 76671572ce8..1d573822d9b 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NodeInfo.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NodeInfo.java
@@ -21,6 +21,8 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.net.Node;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerExitStatus;
@@ -36,6 +38,8 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode
         .UpdatedContainerInfo;
 
+@Private
+@Unstable
 public class NodeInfo {
   private static int NODE_ID = 0;
 
@@ -43,6 +47,8 @@ public static NodeId newNodeID(String host, int port) {
     return NodeId.newInstance(host, port);
   }
 
+  @Private
+  @Unstable
   private static class FakeRMNodeImpl implements RMNode {
     private NodeId nodeId;
     private String hostName;
@@ -164,7 +170,7 @@ public void setResourceOption(ResourceOption resourceOption) {
       perNode = resourceOption;
     }
   }
-  
+
   public static RMNode newNodeInfo(String rackName, String hostName,
                               final ResourceOption resourceOption, int port) {
     final NodeId nodeId = newNodeID(hostName, port);
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/CapacitySchedulerMetrics.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/CapacitySchedulerMetrics.java
index 1d878537061..a73f48c4d7e 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/CapacitySchedulerMetrics.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/CapacitySchedulerMetrics.java
@@ -18,6 +18,11 @@
 
 package org.apache.hadoop.yarn.sls.scheduler;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
+
+@Private
+@Unstable
 public class CapacitySchedulerMetrics extends SchedulerMetrics {
 
   public CapacitySchedulerMetrics() {
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ContainerSimulator.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ContainerSimulator.java
index 27a50d3b00f..86229763e15 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ContainerSimulator.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ContainerSimulator.java
@@ -21,9 +21,13 @@
 import java.util.concurrent.Delayed;
 import java.util.concurrent.TimeUnit;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.api.records.Resource;
 
+@Private
+@Unstable
 public class ContainerSimulator implements Delayed {
   // id
   private ContainerId id;
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FairSchedulerMetrics.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FairSchedulerMetrics.java
index b706b3ee6d8..f427dcd557a 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FairSchedulerMetrics.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FairSchedulerMetrics.java
@@ -18,6 +18,8 @@
 
 package org.apache.hadoop.yarn.sls.scheduler;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair
         .AppSchedulable;
@@ -28,6 +30,8 @@
 import com.codahale.metrics.Gauge;
 import org.apache.hadoop.yarn.sls.SLSRunner;
 
+@Private
+@Unstable
 public class FairSchedulerMetrics extends SchedulerMetrics {
 
   private int totalMemoryMB = Integer.MAX_VALUE;
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FifoSchedulerMetrics.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FifoSchedulerMetrics.java
index 882b3e1215b..6ab2e1d0107 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FifoSchedulerMetrics.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FifoSchedulerMetrics.java
@@ -18,12 +18,16 @@
 
 package org.apache.hadoop.yarn.sls.scheduler;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.QueueInfo;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo
         .FifoScheduler;
 
 import com.codahale.metrics.Gauge;
 
+@Private
+@Unstable
 public class FifoSchedulerMetrics extends SchedulerMetrics {
   
   public FifoSchedulerMetrics() {
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/NodeUpdateSchedulerEventWrapper.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/NodeUpdateSchedulerEventWrapper.java
index 4bf93138053..12dfe8baa16 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/NodeUpdateSchedulerEventWrapper.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/NodeUpdateSchedulerEventWrapper.java
@@ -18,9 +18,13 @@
 
 package org.apache.hadoop.yarn.sls.scheduler;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event
         .NodeUpdateSchedulerEvent;
 
+@Private
+@Unstable
 public class NodeUpdateSchedulerEventWrapper extends NodeUpdateSchedulerEvent {
   
   public NodeUpdateSchedulerEventWrapper(NodeUpdateSchedulerEvent event) {
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/RMNodeWrapper.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/RMNodeWrapper.java
index bbe24c883c7..da9b56fd546 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/RMNodeWrapper.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/RMNodeWrapper.java
@@ -18,6 +18,8 @@
 
 package org.apache.hadoop.yarn.sls.scheduler;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.net.Node;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
@@ -33,6 +35,8 @@
 import java.util.Collections;
 import java.util.List;
 
+@Private
+@Unstable
 public class RMNodeWrapper implements RMNode {
   private RMNode node;
   private List<UpdatedContainerInfo> updates;
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java
index 455808543b6..0bd0c87d2d0 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java
@@ -36,6 +36,7 @@
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.conf.Configurable;
@@ -92,6 +93,8 @@
 import com.codahale.metrics.SlidingWindowReservoir;
 import com.codahale.metrics.Timer;
 
+@Private
+@Unstable
 final public class ResourceSchedulerWrapper
     extends AbstractYarnScheduler<SchedulerApplicationAttempt, SchedulerNode>
     implements SchedulerWrapper, ResourceScheduler, Configurable {
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SLSCapacityScheduler.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SLSCapacityScheduler.java
index 6a84e5838c4..44a872198d6 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SLSCapacityScheduler.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SLSCapacityScheduler.java
@@ -17,6 +17,8 @@
  */
 package org.apache.hadoop.yarn.sls.scheduler;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.util.ShutdownHookManager;
 import org.apache.hadoop.yarn.sls.SLSRunner;
 import org.apache.hadoop.yarn.sls.conf.SLSConfiguration;
@@ -100,6 +102,8 @@
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 
+@Private
+@Unstable
 public class SLSCapacityScheduler extends CapacityScheduler implements
         SchedulerWrapper,Configurable {
   private static final String EOL = System.getProperty("line.separator");
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SchedulerMetrics.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SchedulerMetrics.java
index 814d1334011..ecf516d7c98 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SchedulerMetrics.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SchedulerMetrics.java
@@ -21,6 +21,8 @@
 import java.util.HashSet;
 import java.util.Set;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler
         .ResourceScheduler;
@@ -30,6 +32,8 @@
 import com.codahale.metrics.Gauge;
 import com.codahale.metrics.MetricRegistry;
 
+@Private
+@Unstable
 public abstract class SchedulerMetrics {
   protected ResourceScheduler scheduler;
   protected Set<String> trackedQueues;
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SchedulerWrapper.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SchedulerWrapper.java
index 44629f5347f..524b8bf23e1 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SchedulerWrapper.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SchedulerWrapper.java
@@ -19,11 +19,15 @@
 
 import java.util.Set;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 
 import com.codahale.metrics.MetricRegistry;
 
+@Private
+@Unstable
 public interface SchedulerWrapper {
 
 	public MetricRegistry getMetrics();
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/TaskRunner.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/TaskRunner.java
index efb573c9ec3..c936dd93180 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/TaskRunner.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/TaskRunner.java
@@ -25,9 +25,15 @@
 import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.exceptions.YarnException;
 
+@Private
+@Unstable
 public class TaskRunner {
+  @Private
+  @Unstable
   public abstract static class Task implements Runnable, Delayed {
     private long start;
     private long end;
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/utils/SLSUtils.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/utils/SLSUtils.java
index 70ab96d711c..f62f02471b9 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/utils/SLSUtils.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/utils/SLSUtils.java
@@ -17,6 +17,8 @@
  */
 package org.apache.hadoop.yarn.sls.utils;
 
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.tools.rumen.JobTraceReader;
@@ -36,6 +38,8 @@
 import java.util.List;
 import java.util.Iterator;
 
+@Private
+@Unstable
 public class SLSUtils {
 
   public static String[] getRackHostName(String hostname) {
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/web/SLSWebApp.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/web/SLSWebApp.java
index e6dd8467898..45301a18a54 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/web/SLSWebApp.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/web/SLSWebApp.java
@@ -30,6 +30,8 @@
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event
         .SchedulerEventType;
 import org.mortbay.jetty.Handler;
@@ -49,6 +51,8 @@
 import com.codahale.metrics.MetricRegistry;
 import org.mortbay.jetty.handler.ResourceHandler;
 
+@Private
+@Unstable
 public class SLSWebApp extends HttpServlet {
   private static final long serialVersionUID = 1905162041950251407L;
   private transient Server server;
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 99b60b1aeda..69ec1b25a11 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -439,6 +439,8 @@ Release 2.5.0 - UNRELEASED
     YARN-2319. Made the MiniKdc instance start/close before/after the class of
     TestRMWebServicesDelegationTokens. (Wenwu Peng via zjshen)
 
+    YARN-2335. Annotate all hadoop-sls APIs as @Private. (Wei Yan via kasha)
+
 Release 2.4.1 - 2014-06-23 
 
   INCOMPATIBLE CHANGES

From cc0464f4fe793d9894776e062193e6609b7c1689 Mon Sep 17 00:00:00 2001
From: Vinayakumar B <vinayakumarb@apache.org>
Date: Fri, 25 Jul 2014 18:17:50 +0000
Subject: [PATCH 055/354] HDFS-6752. Avoid Address bind errors in
 TestDatanodeConfig#testMemlockLimit (vinayakumarb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613486 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                    | 3 +++
 .../test/java/org/apache/hadoop/hdfs/TestDatanodeConfig.java   | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 9fb5ba132e1..502771a1160 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -373,6 +373,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-5919. FileJournalManager doesn't purge empty and corrupt inprogress edits
     files (vinayakumarb)
 
+    HDFS-6752. Avoid Address bind errors in TestDatanodeConfig#testMemlockLimit
+    (vinayakumarb)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeConfig.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeConfig.java
index cfa14cca41b..9cdb763f032 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeConfig.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeConfig.java
@@ -53,6 +53,8 @@ public static void setUp() throws Exception {
     Configuration conf = new HdfsConfiguration();
     conf.setInt(DFSConfigKeys.DFS_DATANODE_HTTPS_PORT_KEY, 0);
     conf.set(DFSConfigKeys.DFS_DATANODE_ADDRESS_KEY, "localhost:0");
+    conf.set(DFSConfigKeys.DFS_DATANODE_IPC_ADDRESS_KEY, "localhost:0");
+    conf.set(DFSConfigKeys.DFS_DATANODE_HTTP_ADDRESS_KEY, "localhost:0");
     cluster = new MiniDFSCluster.Builder(conf).numDataNodes(0).build();
     cluster.waitActive();
   }

From b9e4be452349317619f8f7641e51f2493f499b29 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 25 Jul 2014 18:33:10 +0000
Subject: [PATCH 056/354] HDFS-6724. Decrypt EDEK before creating
 CryptoInputStream/CryptoOutputStream. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1613490 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  3 ++
 .../org/apache/hadoop/hdfs/DFSClient.java     | 44 ++++++++++++++++---
 .../java/org/apache/hadoop/hdfs/DFSUtil.java  | 38 ++++++++++++++++
 .../hdfs/server/namenode/FSNamesystem.java    | 42 +++---------------
 .../hadoop/hdfs/TestEncryptionZones.java      |  4 ++
 5 files changed, 90 insertions(+), 41 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index e91ce99acb8..99e2c12adaf 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -59,6 +59,9 @@ fs-encryption (Unreleased)
     HDFS-6738. Remove unnecessary getEncryptionZoneForPath call in
     EZManager#createEncryptionZone. (clamb)
 
+    HDFS-6724. Decrypt EDEK before creating
+    CryptoInputStream/CryptoOutputStream. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index a6f02fbfab5..a88a8b10118 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -17,6 +17,9 @@
  */
 package org.apache.hadoop.hdfs;
 
+import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
+import static org.apache.hadoop.crypto.key.KeyProviderCryptoExtension
+    .EncryptedKeyVersion;
 import static org.apache.hadoop.fs.CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT;
 import static org.apache.hadoop.fs.CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_BLOCK_SIZE_DEFAULT;
@@ -76,6 +79,7 @@
 import java.net.SocketAddress;
 import java.net.URI;
 import java.net.UnknownHostException;
+import java.security.GeneralSecurityException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.EnumSet;
@@ -100,6 +104,7 @@
 import org.apache.hadoop.crypto.CryptoCodec;
 import org.apache.hadoop.crypto.CryptoInputStream;
 import org.apache.hadoop.crypto.CryptoOutputStream;
+import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
 import org.apache.hadoop.fs.BlockLocation;
 import org.apache.hadoop.fs.BlockStorageLocation;
 import org.apache.hadoop.fs.CacheFlag;
@@ -256,7 +261,8 @@ public class DFSClient implements java.io.Closeable, RemotePeerFactory,
   private final CryptoCodec codec;
   @VisibleForTesting
   List<CipherSuite> cipherSuites;
-  
+  @VisibleForTesting
+  KeyProviderCryptoExtension provider;
   /**
    * DFSClient configuration 
    */
@@ -591,7 +597,12 @@ public DFSClient(URI nameNodeUri, ClientProtocol rpcNamenode,
     this.codec = CryptoCodec.getInstance(conf);
     this.cipherSuites = Lists.newArrayListWithCapacity(1);
     cipherSuites.add(codec.getCipherSuite());
-    
+    provider = DFSUtil.createKeyProviderCryptoExtension(conf);
+    if (provider == null) {
+      LOG.info("No KeyProvider found.");
+    } else {
+      LOG.info("Found KeyProvider: " + provider.toString());
+    }
     int numResponseToDrop = conf.getInt(
         DFSConfigKeys.DFS_CLIENT_TEST_DROP_NAMENODE_RESPONSE_NUM_KEY,
         DFSConfigKeys.DFS_CLIENT_TEST_DROP_NAMENODE_RESPONSE_NUM_DEFAULT);
@@ -1291,6 +1302,25 @@ public BlockStorageLocation[] getBlockStorageLocations(
     return volumeBlockLocations;
   }
 
+  /**
+   * Decrypts a EDEK by consulting the KeyProvider.
+   */
+  private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
+      feInfo) throws IOException {
+    if (provider == null) {
+      throw new IOException("No KeyProvider is configured, cannot access" +
+          " an encrypted file");
+    }
+    EncryptedKeyVersion ekv = EncryptedKeyVersion.createForDecryption(
+        feInfo.getEzKeyVersionName(), feInfo.getIV(),
+        feInfo.getEncryptedDataEncryptionKey());
+    try {
+      return provider.decryptEncryptedKey(ekv);
+    } catch (GeneralSecurityException e) {
+      throw new IOException(e);
+    }
+  }
+
   /**
    * Wraps the stream in a CryptoInputStream if the underlying file is
    * encrypted.
@@ -1300,13 +1330,14 @@ public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
     final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
     if (feInfo != null) {
       // File is encrypted, wrap the stream in a crypto stream.
+      KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
       final CryptoInputStream cryptoIn =
           new CryptoInputStream(dfsis, CryptoCodec.getInstance(conf, 
-              feInfo.getCipherSuite()), feInfo.getEncryptedDataEncryptionKey(),
+              feInfo.getCipherSuite()), decrypted.getMaterial(),
               feInfo.getIV());
       return new HdfsDataInputStream(cryptoIn);
     } else {
-      // No key/IV pair so no encryption.
+      // No FileEncryptionInfo so no encryption.
       return new HdfsDataInputStream(dfsis);
     }
   }
@@ -1329,12 +1360,13 @@ public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
     final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
     if (feInfo != null) {
       // File is encrypted, wrap the stream in a crypto stream.
+      KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
       final CryptoOutputStream cryptoOut =
           new CryptoOutputStream(dfsos, codec,
-              feInfo.getEncryptedDataEncryptionKey(), feInfo.getIV(), startPos);
+              decrypted.getMaterial(), feInfo.getIV(), startPos);
       return new HdfsDataOutputStream(cryptoOut, statistics, startPos);
     } else {
-      // No key/IV present so no encryption.
+      // No FileEncryptionInfo present so no encryption.
       return new HdfsDataOutputStream(dfsos, statistics, startPos);
     }
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
index 5e83575d733..10c6ece3c54 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
@@ -68,6 +68,9 @@
 import org.apache.hadoop.HadoopIllegalArgumentException;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.KeyProvider;
+import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
+import org.apache.hadoop.crypto.key.KeyProviderFactory;
 import org.apache.hadoop.fs.BlockLocation;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
@@ -1695,4 +1698,39 @@ public static void assertAllResultsEqual(Collection<?> objects)
       }
     }
   }
+
+  /**
+   * Creates a new KeyProviderCryptoExtension by wrapping the
+   * KeyProvider specified in the given Configuration.
+   *
+   * @param conf Configuration specifying a single, non-transient KeyProvider.
+   * @return new KeyProviderCryptoExtension, or null if no provider was found.
+   * @throws IOException if the KeyProvider is improperly specified in
+   *                             the Configuration
+   */
+  public static KeyProviderCryptoExtension createKeyProviderCryptoExtension(
+      final Configuration conf) throws IOException {
+    final List<KeyProvider> providers = KeyProviderFactory.getProviders(conf);
+    if (providers == null || providers.size() == 0) {
+      return null;
+    }
+    if (providers.size() > 1) {
+      StringBuilder builder = new StringBuilder();
+      builder.append("Found multiple KeyProviders but only one is permitted [");
+      String prefix = " ";
+      for (KeyProvider kp: providers) {
+        builder.append(prefix + kp.toString());
+        prefix = ", ";
+      }
+      builder.append("]");
+      throw new IOException(builder.toString());
+    }
+    KeyProviderCryptoExtension provider = KeyProviderCryptoExtension
+        .createKeyProviderCryptoExtension(providers.get(0));
+    if (provider.isTransient()) {
+      throw new IOException("KeyProvider " + provider.toString()
+          + " was found but it is a transient provider.");
+    }
+    return provider;
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 514ab072d90..60352faafb2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -141,7 +141,6 @@
 import org.apache.hadoop.crypto.CryptoCodec;
 import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
-import org.apache.hadoop.crypto.key.KeyProviderFactory;
 import org.apache.hadoop.fs.BatchedRemoteIterator.BatchedListEntries;
 import org.apache.hadoop.fs.CacheFlag;
 import org.apache.hadoop.fs.ContentSummary;
@@ -766,7 +765,12 @@ static FSNamesystem loadFromDisk(Configuration conf) throws IOException {
    */
   FSNamesystem(Configuration conf, FSImage fsImage, boolean ignoreRetryCache)
       throws IOException {
-    initializeKeyProvider(conf);
+    provider = DFSUtil.createKeyProviderCryptoExtension(conf);
+    if (provider == null) {
+      LOG.info("No KeyProvider found.");
+    } else {
+      LOG.info("Found KeyProvider: " + provider.toString());
+    }
     providerOptions = KeyProvider.options(conf);
     this.codec = CryptoCodec.getInstance(conf);
     if (conf.getBoolean(DFS_NAMENODE_AUDIT_LOG_ASYNC_KEY,
@@ -926,40 +930,8 @@ void addCacheEntry(byte[] clientId, int callId) {
     }
   }
 
-  private void initializeKeyProvider(final Configuration conf) {
-    try {
-      final List<KeyProvider> providers = KeyProviderFactory.getProviders(conf);
-      if (providers == null) {
-        return;
-      }
-
-      if (providers.size() == 0) {
-        LOG.info("No KeyProviders found.");
-        return;
-      }
-
-      if (providers.size() > 1) {
-        final String err =
-            "Multiple KeyProviders found. Only one is permitted.";
-        LOG.error(err);
-        throw new RuntimeException(err);
-      }
-      provider = KeyProviderCryptoExtension
-          .createKeyProviderCryptoExtension(providers.get(0));
-      if (provider.isTransient()) {
-        final String err =
-            "A KeyProvider was found but it is a transient provider.";
-        LOG.error(err);
-        throw new RuntimeException(err);
-      }
-      LOG.info("Found KeyProvider: " + provider.toString());
-    } catch (IOException e) {
-      LOG.error("Exception while initializing KeyProvider", e);
-    }
-  }
-
   @VisibleForTesting
-  public KeyProvider getProvider() {
+  public KeyProviderCryptoExtension getProvider() {
     return provider;
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
index 421396bdf38..a53e47e6e85 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -90,6 +90,10 @@ public void setup() throws IOException {
     fcWrapper = new FileContextTestWrapper(
         FileContext.getFileContext(cluster.getURI(), conf));
     dfsAdmin = new HdfsAdmin(cluster.getURI(), conf);
+    // Need to set the client's KeyProvider to the NN's for JKS,
+    // else the updates do not get flushed properly
+    fs.getClient().provider = cluster.getNameNode().getNamesystem()
+        .getProvider();
   }
 
   @After

From 79d214121b29104c14bf9d64c444bf75568cc4d4 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 25 Jul 2014 19:02:19 +0000
Subject: [PATCH 057/354] Fix up HDFS CHANGES.txt for 2.5.0

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613494 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 43 ++++++++++-----------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 502771a1160..65f0665653a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -398,6 +398,15 @@ Release 2.5.0 - UNRELEASED
     HDFS-6406. Add capability for NFS gateway to reject connections from
     unprivileged ports. (atm)
 
+    HDFS-2006. Ability to support storing extended attributes per file.
+
+    HDFS-5978. Create a tool to take fsimage and expose read-only WebHDFS API.
+    (Akira Ajisaka via wheat9)
+
+    HDFS-6278. Create HTML5-based UI for SNN. (wheat9)
+
+    HDFS-6279. Create new index page for JN / DN. (wheat9)
+
   IMPROVEMENTS
 
     HDFS-6007. Update documentation about short-circuit local reads (iwasakims
@@ -415,9 +424,6 @@ Release 2.5.0 - UNRELEASED
 
     HDFS-6158. Clean up dead code for OfflineImageViewer. (wheat9)
 
-    HDFS-5978. Create a tool to take fsimage and expose read-only WebHDFS API.
-    (Akira Ajisaka via wheat9)
-
     HDFS-6164. Remove lsr in OfflineImageViewer. (wheat9)
 
     HDFS-6167. Relocate the non-public API classes in the hdfs.client package.
@@ -445,10 +451,6 @@ Release 2.5.0 - UNRELEASED
 
     HDFS-6265. Prepare HDFS codebase for JUnit 4.11. (cnauroth)
 
-    HDFS-6278. Create HTML5-based UI for SNN. (wheat9)
-
-    HDFS-6279. Create new index page for JN / DN. (wheat9)
-
     HDFS-5693. Few NN metrics data points were collected via JMX when NN
     is under heavy load. (Ming Ma via jing9)
 
@@ -820,9 +822,6 @@ Release 2.5.0 - UNRELEASED
     HDFS-6464. Support multiple xattr.name parameters for WebHDFS getXAttrs.
     (Yi Liu via umamahesh)
 
-    HDFS-6375. Listing extended attributes with the search permission.
-    (Charles Lamb via wang)
-
     HDFS-6539. test_native_mini_dfs is skipped in hadoop-hdfs/pom.xml
     (decstery via cmccabe)
 
@@ -917,6 +916,18 @@ Release 2.5.0 - UNRELEASED
     HDFS-6696. Name node cannot start if the path of a file under
     construction contains ".snapshot". (wang)
 
+    HDFS-6312. WebHdfs HA failover is broken on secure clusters. 
+    (daryn via tucu)
+
+    HDFS-6618. FSNamesystem#delete drops the FSN lock between removing INodes
+    from the tree and deleting them from the inode map (kihwal via cmccabe)
+
+    HDFS-6622. Rename and AddBlock may race and produce invalid edits (kihwal
+    via cmccabe)
+
+    HDFS-6723. New NN webUI no longer displays decommissioned state for dead node.
+    (Ming Ma via wheat9)
+
   BREAKDOWN OF HDFS-2006 SUBTASKS AND RELATED JIRAS
 
     HDFS-6299. Protobuf for XAttr and client-side implementation. (Yi Liu via umamahesh)
@@ -986,18 +997,6 @@ Release 2.5.0 - UNRELEASED
     HDFS-6492. Support create-time xattrs and atomically setting multiple
     xattrs. (wang)
 
-    HDFS-6312. WebHdfs HA failover is broken on secure clusters. 
-    (daryn via tucu)
-
-    HDFS-6618. FSNamesystem#delete drops the FSN lock between removing INodes
-    from the tree and deleting them from the inode map (kihwal via cmccabe)
-
-    HDFS-6622. Rename and AddBlock may race and produce invalid edits (kihwal
-    via cmccabe)
-
-    HDFS-6723. New NN webUI no longer displays decommissioned state for dead node.
-    (Ming Ma via wheat9)
-
 Release 2.4.1 - 2014-06-23 
 
   INCOMPATIBLE CHANGES

From 10286e98ad3e07607b5a368b8f9b75ae99db1062 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 25 Jul 2014 19:06:05 +0000
Subject: [PATCH 058/354] Fix up Common CHANGES.txt for 2.5.0

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613498 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 | 54 +++++++++----------
 1 file changed, 27 insertions(+), 27 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 55914f83197..419d45c6831 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -503,6 +503,9 @@ Release 2.5.0 - UNRELEASED
 
     HADOOP-8943. Support multiple group mapping providers. (Kai Zheng via brandonli)
 
+    HADOOP-9361 Strictly define the expected behavior of filesystem APIs and
+    write tests to verify compliance (stevel)
+
   IMPROVEMENTS
 
     HADOOP-10451. Remove unused field and imports from SaslRpcServer.
@@ -597,9 +600,6 @@ Release 2.5.0 - UNRELEASED
     HADOOP-10747. Support configurable retries on SASL connection failures in
     RPC client. (cnauroth)
 
-    HADOOP-10674. Improve PureJavaCrc32 performance and use java.util.zip.CRC32
-    for Java 7 and above. (szetszwo)
-
     HADOOP-10754. Reenable several HA ZooKeeper-related tests on Windows.
     (cnauroth)
 
@@ -611,9 +611,6 @@ Release 2.5.0 - UNRELEASED
 
     HADOOP-10767. Clean up unused code in Ls shell command. (cnauroth)
 
-    HADOOP-9361 Strictly define the expected behavior of filesystem APIs and
-    write tests to verify compliance (stevel)
-
     HADOOP-9651 Filesystems to throw FileAlreadyExistsException in
     createFile(path, overwrite=false) when the file exists (stevel)
     
@@ -626,6 +623,9 @@ Release 2.5.0 - UNRELEASED
 
   OPTIMIZATIONS
 
+    HADOOP-10674. Improve PureJavaCrc32 performance and use java.util.zip.CRC32
+    for Java 7 and above. (szetszwo)
+
   BUG FIXES 
 
     HADOOP-10378. Typo in help printed by hdfs dfs -help.
@@ -780,27 +780,6 @@ Release 2.5.0 - UNRELEASED
 
     HADOOP-10801 dead link in site.xml (Akira AJISAKA via stevel)
 
-  BREAKDOWN OF HADOOP-10514 SUBTASKS AND RELATED JIRAS
-
-    HADOOP-10520. Extended attributes definition and FileSystem APIs for
-    extended attributes. (Yi Liu via wang)
-
-    HADOOP-10546. Javadoc and other small fixes for extended attributes in
-    hadoop-common. (Charles Lamb via wang)
-
-    HADOOP-10521. FsShell commands for extended attributes. (Yi Liu via wang)
-
-    HADOOP-10548. Improve FsShell xattr error handling and other fixes. (Charles Lamb via umamahesh)
-
-    HADOOP-10567. Shift XAttr value encoding code out for reuse. (Yi Liu via umamahesh)
-
-    HADOOP-10621. Remove CRLF for xattr value base64 encoding for better display.(Yi Liu via umamahesh)
-
-    HADOOP-10575. Small fixes for XAttrCommands and test. (Yi Liu via umamahesh)
-
-    HADOOP-10561. Copy command with preserve option should handle Xattrs.
-    (Yi Liu via cnauroth)
-
     HADOOP-10590. ServiceAuthorizationManager is not threadsafe. (Benoy Antony via vinayakumarb)
 
     HADOOP-10711. Cleanup some extra dependencies from hadoop-auth. (rkanter via tucu)
@@ -825,6 +804,27 @@ Release 2.5.0 - UNRELEASED
     HADOOP-10894. Fix dead link in ToolRunner documentation. (Akira Ajisaka
     via Arpit Agarwal)
 
+  BREAKDOWN OF HADOOP-10514 SUBTASKS AND RELATED JIRAS
+
+    HADOOP-10520. Extended attributes definition and FileSystem APIs for
+    extended attributes. (Yi Liu via wang)
+
+    HADOOP-10546. Javadoc and other small fixes for extended attributes in
+    hadoop-common. (Charles Lamb via wang)
+
+    HADOOP-10521. FsShell commands for extended attributes. (Yi Liu via wang)
+
+    HADOOP-10548. Improve FsShell xattr error handling and other fixes. (Charles Lamb via umamahesh)
+
+    HADOOP-10567. Shift XAttr value encoding code out for reuse. (Yi Liu via umamahesh)
+
+    HADOOP-10621. Remove CRLF for xattr value base64 encoding for better display.(Yi Liu via umamahesh)
+
+    HADOOP-10575. Small fixes for XAttrCommands and test. (Yi Liu via umamahesh)
+
+    HADOOP-10561. Copy command with preserve option should handle Xattrs.
+    (Yi Liu via cnauroth)
+
 Release 2.4.1 - 2014-06-23 
 
   INCOMPATIBLE CHANGES

From d4fec3493351c619a0278929ae2d5c8cd67cbfbe Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Fri, 25 Jul 2014 20:42:37 +0000
Subject: [PATCH 059/354] YARN-2211. Persist AMRMToken master key in
 RMStateStore for RM recovery. Contributed by Xuan Gong

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613515 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../yarn/client/ProtocolHATestBase.java       |   1 +
 .../TestApplicationMasterServiceOnHA.java     |   6 +-
 .../pom.xml                                   |  31 +++++
 .../RMSecretManagerService.java               |   6 +-
 .../resourcemanager/ResourceManager.java      |   3 +
 .../recovery/FileSystemRMStateStore.java      |  55 +++++++-
 .../recovery/MemoryRMStateStore.java          |  15 +++
 .../recovery/NullRMStateStore.java            |   7 +
 .../recovery/RMStateStore.java                |  20 ++-
 .../recovery/ZKRMStateStore.java              |  45 ++++++-
 .../records/AMRMTokenSecretManagerState.java  |  76 +++++++++++
 .../pb/AMRMTokenSecretManagerStatePBImpl.java | 126 ++++++++++++++++++
 .../security/AMRMTokenSecretManager.java      |  48 ++++++-
 ...yarn_server_resourcemanager_recovery.proto |  30 +++++
 .../server/resourcemanager/TestRMRestart.java |   9 +-
 .../recovery/RMStateStoreTestBase.java        |  71 +++++++++-
 .../recovery/TestFSRMStateStore.java          |   2 +-
 .../recovery/TestZKRMStateStore.java          |   1 +
 .../rmapp/TestRMAppTransitions.java           |   2 +-
 .../attempt/TestRMAppAttemptTransitions.java  |   3 +-
 .../scheduler/capacity/TestUtils.java         |   5 +-
 .../security/TestAMRMTokens.java              |   4 +-
 23 files changed, 535 insertions(+), 34 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/AMRMTokenSecretManagerState.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/AMRMTokenSecretManagerStatePBImpl.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 69ec1b25a11..e6fbea9350e 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -68,6 +68,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2214. FairScheduler: preemptContainerPreCheck() in FSParentQueue delays 
     convergence towards fairness. (Ashwin Shankar via kasha)
 
+    YARN-2211. Persist AMRMToken master key in RMStateStore for RM recovery.
+    (Xuan Gong via jianhe)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/ProtocolHATestBase.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/ProtocolHATestBase.java
index 15bfa28d20d..72cb1b1684c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/ProtocolHATestBase.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/ProtocolHATestBase.java
@@ -267,6 +267,7 @@ public void run() {
   protected void startHACluster(int numOfNMs, boolean overrideClientRMService,
       boolean overrideRTS, boolean overrideApplicationMasterService)
       throws Exception {
+    conf.setBoolean(YarnConfiguration.RECOVERY_ENABLED, true);
     conf.setBoolean(YarnConfiguration.AUTO_FAILOVER_ENABLED, false);
     cluster =
         new MiniYARNClusterForHATesting(TestRMFailover.class.getName(), 2,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/TestApplicationMasterServiceOnHA.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/TestApplicationMasterServiceOnHA.java
index 4771ccba9db..0b42ac3c6b9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/TestApplicationMasterServiceOnHA.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/TestApplicationMasterServiceOnHA.java
@@ -54,11 +54,9 @@ public void initiate() throws Exception {
     amClient = ClientRMProxy
         .createRMProxy(this.conf, ApplicationMasterProtocol.class);
 
-    AMRMTokenIdentifier id =
-        new AMRMTokenIdentifier(attemptId);
     Token<AMRMTokenIdentifier> appToken =
-        new Token<AMRMTokenIdentifier>(id, this.cluster.getResourceManager()
-            .getRMContext().getAMRMTokenSecretManager());
+        this.cluster.getResourceManager().getRMContext()
+          .getAMRMTokenSecretManager().createAndGetAMRMToken(attemptId);
     appToken.setService(new Text("appToken service"));
     UserGroupInformation.setLoginUser(UserGroupInformation
         .createRemoteUser(UserGroupInformation.getCurrentUser()
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/pom.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/pom.xml
index c2a94ead159..0f89bbe38a2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/pom.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/pom.xml
@@ -244,6 +244,37 @@
           </execution>
         </executions>
       </plugin>
+
+     <plugin>
+        <groupId>org.apache.hadoop</groupId>
+        <artifactId>hadoop-maven-plugins</artifactId>
+        <executions>
+          <execution>
+            <id>compile-protoc</id>
+            <phase>generate-sources</phase>
+            <goals>
+              <goal>protoc</goal>
+            </goals>
+            <configuration>
+              <protocVersion>${protobuf.version}</protocVersion>
+              <protocCommand>${protoc.path}</protocCommand>
+              <imports>
+                <param>${basedir}/../../../../hadoop-common-project/hadoop-common/src/main/proto</param>
+                <param>${basedir}/../../hadoop-yarn-api/src/main/proto</param>
+                <param>${basedir}/../hadoop-yarn-server-common/src/main/proto</param>
+                <param>${basedir}/src/main/proto</param>
+              </imports>
+              <source>
+                <directory>${basedir}/src/main/proto</directory>
+                <includes>
+		          <include>yarn_server_resourcemanager_recovery.proto</include>
+                </includes>
+              </source>
+              <output>${project.build.directory}/generated-sources/java</output>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMSecretManagerService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMSecretManagerService.java
index 9fdde6589a3..d0d7d16a276 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMSecretManagerService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMSecretManagerService.java
@@ -60,7 +60,7 @@ public RMSecretManagerService(Configuration conf, RMContextImpl rmContext) {
     clientToAMSecretManager = createClientToAMTokenSecretManager();
     rmContext.setClientToAMTokenSecretManager(clientToAMSecretManager);
 
-    amRmTokenSecretManager = createAMRMTokenSecretManager(conf);
+    amRmTokenSecretManager = createAMRMTokenSecretManager(conf, this.rmContext);
     rmContext.setAMRMTokenSecretManager(amRmTokenSecretManager);
 
     rmDTSecretManager =
@@ -115,8 +115,8 @@ protected NMTokenSecretManagerInRM createNMTokenSecretManager(
   }
 
   protected AMRMTokenSecretManager createAMRMTokenSecretManager(
-      Configuration conf) {
-    return new AMRMTokenSecretManager(conf);
+      Configuration conf, RMContext rmContext) {
+    return new AMRMTokenSecretManager(conf, rmContext);
   }
 
   protected ClientToAMTokenSecretManagerInRM createClientToAMTokenSecretManager() {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
index 409ba4893b9..7dceda249da 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
@@ -1026,6 +1026,9 @@ public void recover(RMState state) throws Exception {
     // recover RMdelegationTokenSecretManager
     rmContext.getRMDelegationTokenSecretManager().recover(state);
 
+    // recover AMRMTokenSecretManager
+    rmContext.getAMRMTokenSecretManager().recover(state);
+
     // recover applications
     rmAppManager.recover(state);
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
index 0e605a9b07d..243c7a19912 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
@@ -22,6 +22,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.DataInputStream;
 import java.io.DataOutputStream;
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
@@ -43,16 +44,18 @@
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.AMRMTokenSecretManagerStateProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.EpochProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationAttemptStateDataProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationStateDataProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.RMStateVersionProto;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
-
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.Epoch;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.AMRMTokenSecretManagerStatePBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationAttemptStateDataPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationStateDataPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.EpochPBImpl;
@@ -76,6 +79,8 @@ public class FileSystemRMStateStore extends RMStateStore {
   protected static final String ROOT_DIR_NAME = "FSRMStateRoot";
   protected static final RMStateVersion CURRENT_VERSION_INFO = RMStateVersion
     .newInstance(1, 1);
+  protected static final String AMRMTOKEN_SECRET_MANAGER_NODE =
+      "AMRMTokenSecretManagerNode";
 
   protected FileSystem fs;
 
@@ -89,6 +94,7 @@ public class FileSystemRMStateStore extends RMStateStore {
   @VisibleForTesting
   Path fsWorkingPath;
 
+  Path amrmTokenSecretManagerRoot;
   @Override
   public synchronized void initInternal(Configuration conf)
       throws Exception{
@@ -96,6 +102,8 @@ public synchronized void initInternal(Configuration conf)
     rootDirPath = new Path(fsWorkingPath, ROOT_DIR_NAME);
     rmDTSecretManagerRoot = new Path(rootDirPath, RM_DT_SECRET_MANAGER_ROOT);
     rmAppRoot = new Path(rootDirPath, RM_APP_ROOT);
+    amrmTokenSecretManagerRoot =
+        new Path(rootDirPath, AMRMTOKEN_SECRET_MANAGER_ROOT);
   }
 
   @Override
@@ -113,6 +121,7 @@ protected synchronized void startInternal() throws Exception {
     fs = fsWorkingPath.getFileSystem(conf);
     fs.mkdirs(rmDTSecretManagerRoot);
     fs.mkdirs(rmAppRoot);
+    fs.mkdirs(amrmTokenSecretManagerRoot);
   }
 
   @Override
@@ -180,9 +189,32 @@ public synchronized RMState loadState() throws Exception {
     loadRMDTSecretManagerState(rmState);
     // recover RM applications
     loadRMAppState(rmState);
+    // recover AMRMTokenSecretManager
+    loadAMRMTokenSecretManagerState(rmState);
     return rmState;
   }
 
+  private void loadAMRMTokenSecretManagerState(RMState rmState)
+      throws Exception {
+    checkAndResumeUpdateOperation(amrmTokenSecretManagerRoot);
+    Path amrmTokenSecretManagerStateDataDir =
+        new Path(amrmTokenSecretManagerRoot, AMRMTOKEN_SECRET_MANAGER_NODE);
+    FileStatus status;
+    try {
+      status = fs.getFileStatus(amrmTokenSecretManagerStateDataDir);
+      assert status.isFile();
+    } catch (FileNotFoundException ex) {
+      return;
+    }
+    byte[] data = readFile(amrmTokenSecretManagerStateDataDir, status.getLen());
+    AMRMTokenSecretManagerStatePBImpl stateData =
+        new AMRMTokenSecretManagerStatePBImpl(
+          AMRMTokenSecretManagerStateProto.parseFrom(data));
+    rmState.amrmTokenSecretManagerState =
+        AMRMTokenSecretManagerState.newInstance(
+          stateData.getCurrentMasterKey(), stateData.getNextMasterKey());
+  }
+
   private void loadRMAppState(RMState rmState) throws Exception {
     try {
       List<ApplicationAttemptState> attempts =
@@ -597,4 +629,25 @@ Path getNodePath(Path root, String nodeName) {
     return new Path(root, nodeName);
   }
 
+  @Override
+  public synchronized void storeOrUpdateAMRMTokenSecretManagerState(
+      AMRMTokenSecretManagerState amrmTokenSecretManagerState,
+      boolean isUpdate){
+    Path nodeCreatePath =
+        getNodePath(amrmTokenSecretManagerRoot, AMRMTOKEN_SECRET_MANAGER_NODE);
+    AMRMTokenSecretManagerState data =
+        AMRMTokenSecretManagerState.newInstance(amrmTokenSecretManagerState);
+    byte[] stateData = data.getProto().toByteArray();
+    try {
+      if (isUpdate) {
+        updateFile(nodeCreatePath, stateData);
+      } else {
+        writeFile(nodeCreatePath, stateData);
+      }
+    } catch (Exception ex) {
+      LOG.info("Error storing info for AMRMTokenSecretManager", ex);
+      notifyStoreOperationFailed(ex);
+    }
+  }
+
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/MemoryRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/MemoryRMStateStore.java
index 05cbb09630f..369f89a545e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/MemoryRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/MemoryRMStateStore.java
@@ -32,6 +32,7 @@
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
@@ -72,6 +73,10 @@ public synchronized RMState loadState() throws Exception {
       state.rmSecretManagerState.getTokenState());
     returnState.rmSecretManagerState.dtSequenceNumber =
         state.rmSecretManagerState.dtSequenceNumber;
+    returnState.amrmTokenSecretManagerState =
+        state.amrmTokenSecretManagerState == null ? null
+            : AMRMTokenSecretManagerState
+              .newInstance(state.amrmTokenSecretManagerState);
     return returnState;
   }
   
@@ -267,6 +272,16 @@ protected RMStateVersion getCurrentVersion() {
     return null;
   }
 
+  @Override
+  public void storeOrUpdateAMRMTokenSecretManagerState(
+      AMRMTokenSecretManagerState amrmTokenSecretManagerState,
+      boolean isUpdate) {
+    if (amrmTokenSecretManagerState != null) {
+      state.amrmTokenSecretManagerState = AMRMTokenSecretManagerState
+          .newInstance(amrmTokenSecretManagerState);
+    }
+  }
+
   @Override
   public void deleteStore() throws Exception {
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/NullRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/NullRMStateStore.java
index 690f0bef94d..ea7087176c9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/NullRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/NullRMStateStore.java
@@ -25,6 +25,7 @@
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
@@ -138,6 +139,12 @@ protected RMStateVersion getCurrentVersion() {
     return null;
   }
 
+  @Override
+  public void storeOrUpdateAMRMTokenSecretManagerState(
+      AMRMTokenSecretManagerState state, boolean isUpdate) {
+    //DO Nothing
+  }
+
   @Override
   public void deleteStore() throws Exception {
     // Do nothing
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
index 5b75b429697..e2c4e7e47fa 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
@@ -45,16 +45,14 @@
 import org.apache.hadoop.yarn.event.AsyncDispatcher;
 import org.apache.hadoop.yarn.event.Dispatcher;
 import org.apache.hadoop.yarn.event.EventHandler;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos;
 import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
 import org.apache.hadoop.yarn.server.resourcemanager.RMFatalEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.RMFatalEventType;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationAttemptStateDataPBImpl;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationStateDataPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppNewSavedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
@@ -85,6 +83,8 @@ public abstract class RMStateStore extends AbstractService {
   protected static final String DELEGATION_TOKEN_PREFIX = "RMDelegationToken_";
   protected static final String DELEGATION_TOKEN_SEQUENCE_NUMBER_PREFIX =
       "RMDTSequenceNumber_";
+  protected static final String AMRMTOKEN_SECRET_MANAGER_ROOT =
+      "AMRMTokenSecretManagerRoot";
   protected static final String VERSION_NODE = "RMVersionNode";
   protected static final String EPOCH_NODE = "EpochNode";
 
@@ -412,6 +412,8 @@ public static class RMState {
 
     RMDTSecretManagerState rmSecretManagerState = new RMDTSecretManagerState();
 
+    AMRMTokenSecretManagerState amrmTokenSecretManagerState = null;
+
     public Map<ApplicationId, ApplicationState> getApplicationState() {
       return appState;
     }
@@ -419,6 +421,10 @@ public Map<ApplicationId, ApplicationState> getApplicationState() {
     public RMDTSecretManagerState getRMDTSecretManagerState() {
       return rmSecretManagerState;
     }
+
+    public AMRMTokenSecretManagerState getAMRMTokenSecretManagerState() {
+      return amrmTokenSecretManagerState;
+    }
   }
     
   private Dispatcher rmDispatcher;
@@ -713,6 +719,14 @@ public synchronized void removeRMDTMasterKey(DelegationKey delegationKey) {
   protected abstract void removeRMDTMasterKeyState(DelegationKey delegationKey)
       throws Exception;
 
+  /**
+   * Blocking API Derived classes must implement this method to store or update
+   * the state of AMRMToken Master Key
+   */
+  public abstract void storeOrUpdateAMRMTokenSecretManagerState(
+      AMRMTokenSecretManagerState amrmTokenSecretManagerState,
+      boolean isUpdate);
+
   /**
    * Non-blocking API
    * ResourceManager services call this to remove an application from the state
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
index 68b4632d3b5..5644ad9e34a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
@@ -44,18 +44,19 @@
 import org.apache.hadoop.yarn.conf.HAUtil;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.AMRMTokenSecretManagerStateProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationAttemptStateDataProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationStateDataProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.RMStateVersionProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.EpochProto;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
 import org.apache.hadoop.yarn.server.resourcemanager.RMZKUtils;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
-
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.Epoch;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.AMRMTokenSecretManagerStatePBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationAttemptStateDataPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationStateDataPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.EpochPBImpl;
@@ -128,6 +129,9 @@ public class ZKRMStateStore extends RMStateStore {
    *        |      |----- Key_1
    *        |      |----- Key_2
    *                ....
+   * |--- AMRMTOKEN_SECRET_MANAGER_ROOT
+   *        |----- currentMasterKey
+   *        |----- nextMasterKey
    *
    */
   private String zkRootNodePath;
@@ -136,6 +140,7 @@ public class ZKRMStateStore extends RMStateStore {
   private String dtMasterKeysRootPath;
   private String delegationTokensRootPath;
   private String dtSequenceNumberPath;
+  private String amrmTokenSecretManagerRoot;
 
   @VisibleForTesting
   protected String znodeWorkingPath;
@@ -255,6 +260,8 @@ public synchronized void initInternal(Configuration conf) throws Exception {
         RM_DELEGATION_TOKENS_ROOT_ZNODE_NAME);
     dtSequenceNumberPath = getNodePath(rmDTSecretManagerRoot,
         RM_DT_SEQUENTIAL_NUMBER_ZNODE_NAME);
+    amrmTokenSecretManagerRoot =
+        getNodePath(zkRootNodePath, AMRMTOKEN_SECRET_MANAGER_ROOT);
   }
 
   @Override
@@ -275,6 +282,7 @@ public synchronized void startInternal() throws Exception {
     createRootDir(dtMasterKeysRootPath);
     createRootDir(delegationTokensRootPath);
     createRootDir(dtSequenceNumberPath);
+    createRootDir(amrmTokenSecretManagerRoot);
   }
 
   private void createRootDir(final String rootPath) throws Exception {
@@ -427,9 +435,27 @@ public synchronized RMState loadState() throws Exception {
     loadRMDTSecretManagerState(rmState);
     // recover RM applications
     loadRMAppState(rmState);
+    // recover AMRMTokenSecretManager
+    loadAMRMTokenSecretManagerState(rmState);
     return rmState;
   }
 
+  private void loadAMRMTokenSecretManagerState(RMState rmState)
+      throws Exception {
+    byte[] data = getDataWithRetries(amrmTokenSecretManagerRoot, true);
+    if (data == null) {
+      LOG.warn("There is no data saved");
+      return;
+    }
+    AMRMTokenSecretManagerStatePBImpl stateData =
+        new AMRMTokenSecretManagerStatePBImpl(
+          AMRMTokenSecretManagerStateProto.parseFrom(data));
+    rmState.amrmTokenSecretManagerState =
+        AMRMTokenSecretManagerState.newInstance(
+          stateData.getCurrentMasterKey(), stateData.getNextMasterKey());
+
+  }
+
   private synchronized void loadRMDTSecretManagerState(RMState rmState)
       throws Exception {
     loadRMDelegationKeyState(rmState);
@@ -1112,4 +1138,19 @@ protected synchronized ZooKeeper getNewZooKeeper()
     return zk;
   }
 
+  @Override
+  public synchronized void storeOrUpdateAMRMTokenSecretManagerState(
+      AMRMTokenSecretManagerState amrmTokenSecretManagerState,
+      boolean isUpdate) {
+    AMRMTokenSecretManagerState data =
+        AMRMTokenSecretManagerState.newInstance(amrmTokenSecretManagerState);
+    byte[] stateData = data.getProto().toByteArray();
+    try {
+      setDataWithRetries(amrmTokenSecretManagerRoot, stateData, -1);
+    } catch (Exception ex) {
+      LOG.info("Error storing info for AMRMTokenSecretManager", ex);
+      notifyStoreOperationFailed(ex);
+    }
+  }
+
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/AMRMTokenSecretManagerState.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/AMRMTokenSecretManagerState.java
new file mode 100644
index 00000000000..89b4ff0fc7a
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/AMRMTokenSecretManagerState.java
@@ -0,0 +1,76 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.resourcemanager.recovery.records;
+
+import org.apache.hadoop.classification.InterfaceAudience.Public;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.AMRMTokenSecretManagerStateProto;
+import org.apache.hadoop.yarn.server.api.records.MasterKey;
+import org.apache.hadoop.yarn.server.resourcemanager.security.AMRMTokenSecretManager;
+import org.apache.hadoop.yarn.util.Records;
+
+/**
+ * Contains all the state data that needs to be stored persistently 
+ * for {@link AMRMTokenSecretManager}
+ */
+@Public
+@Unstable
+public abstract class AMRMTokenSecretManagerState {
+  public static AMRMTokenSecretManagerState newInstance(
+      MasterKey currentMasterKey, MasterKey nextMasterKey) {
+    AMRMTokenSecretManagerState data =
+        Records.newRecord(AMRMTokenSecretManagerState.class);
+    data.setCurrentMasterKey(currentMasterKey);
+    data.setNextMasterKey(nextMasterKey);
+    return data;
+  }
+
+  public static AMRMTokenSecretManagerState newInstance(
+      AMRMTokenSecretManagerState state) {
+    AMRMTokenSecretManagerState data =
+        Records.newRecord(AMRMTokenSecretManagerState.class);
+    data.setCurrentMasterKey(state.getCurrentMasterKey());
+    data.setNextMasterKey(state.getNextMasterKey());
+    return data;
+  }
+
+  /**
+   * {@link AMRMTokenSecretManager} current Master key
+   */
+  @Public
+  @Unstable
+  public abstract MasterKey getCurrentMasterKey();
+
+  @Public
+  @Unstable
+  public abstract void setCurrentMasterKey(MasterKey currentMasterKey);
+
+  /**
+   * {@link AMRMTokenSecretManager} next Master key
+   */
+  @Public
+  @Unstable
+  public abstract MasterKey getNextMasterKey();
+
+  @Public
+  @Unstable
+  public abstract void setNextMasterKey(MasterKey nextMasterKey);
+
+  public abstract AMRMTokenSecretManagerStateProto getProto();
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/AMRMTokenSecretManagerStatePBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/AMRMTokenSecretManagerStatePBImpl.java
new file mode 100644
index 00000000000..6ce0c546ada
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/AMRMTokenSecretManagerStatePBImpl.java
@@ -0,0 +1,126 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb;
+
+import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.MasterKeyProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.AMRMTokenSecretManagerStateProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.AMRMTokenSecretManagerStateProtoOrBuilder;
+import org.apache.hadoop.yarn.server.api.records.MasterKey;
+import org.apache.hadoop.yarn.server.api.records.impl.pb.MasterKeyPBImpl;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
+
+public class AMRMTokenSecretManagerStatePBImpl extends AMRMTokenSecretManagerState{
+  AMRMTokenSecretManagerStateProto proto =
+      AMRMTokenSecretManagerStateProto.getDefaultInstance();
+  AMRMTokenSecretManagerStateProto.Builder builder = null;
+  boolean viaProto = false;
+
+  private MasterKey currentMasterKey = null;
+  private MasterKey nextMasterKey = null;
+
+  public AMRMTokenSecretManagerStatePBImpl() {
+    builder = AMRMTokenSecretManagerStateProto.newBuilder();
+  }
+
+  public AMRMTokenSecretManagerStatePBImpl(AMRMTokenSecretManagerStateProto proto) {
+    this.proto = proto;
+    viaProto = true;
+  }
+
+  public AMRMTokenSecretManagerStateProto getProto() {
+      mergeLocalToProto();
+    proto = viaProto ? proto : builder.build();
+    viaProto = true;
+    return proto;
+  }
+
+  private void mergeLocalToBuilder() {
+    if (this.currentMasterKey != null) {
+      builder.setCurrentMasterKey(convertToProtoFormat(this.currentMasterKey));
+    }
+    if (this.nextMasterKey != null) {
+      builder.setNextMasterKey(convertToProtoFormat(this.nextMasterKey));
+    }
+  }
+
+  private void mergeLocalToProto() {
+    if (viaProto)
+      maybeInitBuilder();
+    mergeLocalToBuilder();
+    proto = builder.build();
+    viaProto = true;
+  }
+
+  private void maybeInitBuilder() {
+    if (viaProto || builder == null) {
+      builder = AMRMTokenSecretManagerStateProto.newBuilder(proto);
+    }
+    viaProto = false;
+  }
+
+  @Override
+  public MasterKey getCurrentMasterKey() {
+    AMRMTokenSecretManagerStateProtoOrBuilder p = viaProto ? proto : builder;
+    if (this.currentMasterKey != null) {
+      return this.currentMasterKey;
+    }
+    if (!p.hasCurrentMasterKey()) {
+      return null;
+    }
+    this.currentMasterKey = convertFromProtoFormat(p.getCurrentMasterKey());
+    return this.currentMasterKey;
+  }
+
+  @Override
+  public void setCurrentMasterKey(MasterKey currentMasterKey) {
+    maybeInitBuilder();
+    if (currentMasterKey == null)
+      builder.clearCurrentMasterKey();
+    this.currentMasterKey = currentMasterKey;
+  }
+
+  @Override
+  public MasterKey getNextMasterKey() {
+    AMRMTokenSecretManagerStateProtoOrBuilder p = viaProto ? proto : builder;
+    if (this.nextMasterKey != null) {
+      return this.nextMasterKey;
+    }
+    if (!p.hasNextMasterKey()) {
+      return null;
+    }
+    this.nextMasterKey = convertFromProtoFormat(p.getNextMasterKey());
+    return this.nextMasterKey;
+  }
+
+  @Override
+  public void setNextMasterKey(MasterKey nextMasterKey) {
+    maybeInitBuilder();
+    if (nextMasterKey == null)
+      builder.clearNextMasterKey();
+    this.nextMasterKey = nextMasterKey;
+  }
+
+  private MasterKeyProto convertToProtoFormat(MasterKey t) {
+    return ((MasterKeyPBImpl) t).getProto();
+  }
+
+  private MasterKeyPBImpl convertFromProtoFormat(MasterKeyProto p) {
+    return new MasterKeyPBImpl(p);
+  }
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/AMRMTokenSecretManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/AMRMTokenSecretManager.java
index c498b529bf6..a3132bc19e0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/AMRMTokenSecretManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/AMRMTokenSecretManager.java
@@ -38,6 +38,10 @@
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
+import org.apache.hadoop.yarn.server.api.records.MasterKey;
+import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.security.MasterKeyData;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -66,6 +70,7 @@ public class AMRMTokenSecretManager extends
   private final Timer timer;
   private final long rollingInterval;
   private final long activationDelay;
+  private RMContext rmContext;
 
   private final Set<ApplicationAttemptId> appAttemptSet =
       new HashSet<ApplicationAttemptId>();
@@ -73,7 +78,8 @@ public class AMRMTokenSecretManager extends
   /**
    * Create an {@link AMRMTokenSecretManager}
    */
-  public AMRMTokenSecretManager(Configuration conf) {
+  public AMRMTokenSecretManager(Configuration conf, RMContext rmContext) {
+    this.rmContext = rmContext;
     this.timer = new Timer();
     this.rollingInterval =
         conf
@@ -98,6 +104,11 @@ public AMRMTokenSecretManager(Configuration conf) {
   public void start() {
     if (this.currentMasterKey == null) {
       this.currentMasterKey = createNewMasterKey();
+      AMRMTokenSecretManagerState state =
+          AMRMTokenSecretManagerState.newInstance(
+            this.currentMasterKey.getMasterKey(), null);
+      rmContext.getStateStore().storeOrUpdateAMRMTokenSecretManagerState(state,
+        false);
     }
     this.timer.scheduleAtFixedRate(new MasterKeyRoller(), rollingInterval,
       rollingInterval);
@@ -130,6 +141,12 @@ void rollMasterKey() {
     try {
       LOG.info("Rolling master-key for amrm-tokens");
       this.nextMasterKey = createNewMasterKey();
+      AMRMTokenSecretManagerState state =
+          AMRMTokenSecretManagerState.newInstance(
+            this.currentMasterKey.getMasterKey(),
+            this.nextMasterKey.getMasterKey());
+      rmContext.getStateStore().storeOrUpdateAMRMTokenSecretManagerState(state,
+        true);
       this.timer.schedule(new NextKeyActivator(), this.activationDelay);
     } finally {
       this.writeLock.unlock();
@@ -225,8 +242,8 @@ public byte[] retrievePassword(AMRMTokenIdentifier identifier)
         LOG.debug("Trying to retrieve password for " + applicationAttemptId);
       }
       if (!appAttemptSet.contains(applicationAttemptId)) {
-        throw new InvalidToken("Password not found for ApplicationAttempt "
-            + applicationAttemptId);
+        throw new InvalidToken(applicationAttemptId
+            + " not found in AMRMTokenSecretManager.");
       }
       if (identifier.getKeyId() == this.currentMasterKey.getMasterKey()
         .getKeyId()) {
@@ -238,9 +255,7 @@ public byte[] retrievePassword(AMRMTokenIdentifier identifier)
         return createPassword(identifier.getBytes(),
           this.nextMasterKey.getSecretKey());
       }
-      throw new InvalidToken("Given AMRMToken for application : "
-          + applicationAttemptId.toString()
-          + " seems to have been generated illegally.");
+      throw new InvalidToken("Invalid AMRMToken from " + applicationAttemptId);
     } finally {
       this.readLock.unlock();
     }
@@ -291,4 +306,25 @@ protected byte[] createPassword(AMRMTokenIdentifier identifier) {
       this.readLock.unlock();
     }
   }
+
+  public void recover(RMState state) {
+    if (state.getAMRMTokenSecretManagerState() != null) {
+      // recover the current master key
+      MasterKey currentKey =
+          state.getAMRMTokenSecretManagerState().getCurrentMasterKey();
+      this.currentMasterKey =
+          new MasterKeyData(currentKey, createSecretKey(currentKey.getBytes()
+            .array()));
+
+      // recover the next master key if not null
+      MasterKey nextKey =
+          state.getAMRMTokenSecretManagerState().getNextMasterKey();
+      if (nextKey != null) {
+        this.nextMasterKey =
+            new MasterKeyData(nextKey, createSecretKey(nextKey.getBytes()
+              .array()));
+        this.timer.schedule(new NextKeyActivator(), this.activationDelay);
+      }
+    }
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto
new file mode 100644
index 00000000000..ae56b9fd346
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto
@@ -0,0 +1,30 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+option java_package = "org.apache.hadoop.yarn.proto";
+option java_outer_classname = "YarnServerResourceManagerRecoveryProtos";
+option java_generic_services = true;
+option java_generate_equals_and_hash = true;
+package hadoop.yarn;
+
+import "yarn_server_common_protos.proto";
+
+message AMRMTokenSecretManagerStateProto {
+  optional MasterKeyProto current_master_key = 1;
+  optional MasterKeyProto next_master_key = 2;
+}
\ No newline at end of file
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java
index 8966af7e2a5..dc3e9f18178 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java
@@ -1250,11 +1250,10 @@ public void testAppAttemptTokensRestoredOnRMRestart() throws Exception {
             .getEncoded());
 
     // assert AMRMTokenSecretManager also knows about the AMRMToken password
-    // TODO: fix this on YARN-2211
-//    Token<AMRMTokenIdentifier> amrmToken = loadedAttempt1.getAMRMToken();
-//    Assert.assertArrayEquals(amrmToken.getPassword(),
-//      rm2.getRMContext().getAMRMTokenSecretManager().retrievePassword(
-//        amrmToken.decodeIdentifier()));
+    Token<AMRMTokenIdentifier> amrmToken = loadedAttempt1.getAMRMToken();
+    Assert.assertArrayEquals(amrmToken.getPassword(),
+      rm2.getRMContext().getAMRMTokenSecretManager().retrievePassword(
+        amrmToken.decodeIdentifier()));
     rm1.stop();
     rm2.stop();
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
index 04f034818c0..a61f23f5a71 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
@@ -55,10 +55,12 @@
 import org.apache.hadoop.yarn.event.EventHandler;
 import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.ApplicationAttemptState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.ApplicationState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMDTSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
@@ -176,8 +178,12 @@ void testRMAppStateStore(RMStateStoreHelper stateStoreHelper)
     TestDispatcher dispatcher = new TestDispatcher();
     store.setRMDispatcher(dispatcher);
 
-    AMRMTokenSecretManager appTokenMgr = spy(
-        new AMRMTokenSecretManager(conf));
+    RMContext rmContext = mock(RMContext.class);
+    when(rmContext.getStateStore()).thenReturn(store);
+
+    AMRMTokenSecretManager appTokenMgr =
+        spy(new AMRMTokenSecretManager(conf, rmContext));
+
     MasterKeyData masterKeyData = appTokenMgr.createNewMasterKey();
     when(appTokenMgr.getMasterKey()).thenReturn(masterKeyData);
 
@@ -576,4 +582,65 @@ protected void modifyRMDelegationTokenState() throws Exception {
 
   }
 
+  public void testAMRMTokenSecretManagerStateStore(
+      RMStateStoreHelper stateStoreHelper) throws Exception {
+    System.out.println("Start testing");
+    RMStateStore store = stateStoreHelper.getRMStateStore();
+    TestDispatcher dispatcher = new TestDispatcher();
+    store.setRMDispatcher(dispatcher);
+
+    RMContext rmContext = mock(RMContext.class);
+    when(rmContext.getStateStore()).thenReturn(store);
+    Configuration conf = new YarnConfiguration();
+    AMRMTokenSecretManager appTokenMgr =
+        new AMRMTokenSecretManager(conf, rmContext);
+
+    //create and save the first masterkey
+    MasterKeyData firstMasterKeyData = appTokenMgr.createNewMasterKey();
+
+    AMRMTokenSecretManagerState state1 =
+        AMRMTokenSecretManagerState.newInstance(
+          firstMasterKeyData.getMasterKey(), null);
+    rmContext.getStateStore().storeOrUpdateAMRMTokenSecretManagerState(state1,
+      false);
+
+    // load state
+    store = stateStoreHelper.getRMStateStore();
+    store.setRMDispatcher(dispatcher);
+    RMState state = store.loadState();
+    Assert.assertNotNull(state.getAMRMTokenSecretManagerState());
+    Assert.assertEquals(firstMasterKeyData.getMasterKey(), state
+      .getAMRMTokenSecretManagerState().getCurrentMasterKey());
+    Assert.assertNull(state
+      .getAMRMTokenSecretManagerState().getNextMasterKey());
+
+    //create and save the second masterkey
+    MasterKeyData secondMasterKeyData = appTokenMgr.createNewMasterKey();
+    AMRMTokenSecretManagerState state2 =
+        AMRMTokenSecretManagerState
+          .newInstance(firstMasterKeyData.getMasterKey(),
+            secondMasterKeyData.getMasterKey());
+    rmContext.getStateStore().storeOrUpdateAMRMTokenSecretManagerState(state2,
+      true);
+
+    // load state
+    store = stateStoreHelper.getRMStateStore();
+    store.setRMDispatcher(dispatcher);
+    RMState state_2 = store.loadState();
+    Assert.assertNotNull(state_2.getAMRMTokenSecretManagerState());
+    Assert.assertEquals(firstMasterKeyData.getMasterKey(), state_2
+      .getAMRMTokenSecretManagerState().getCurrentMasterKey());
+    Assert.assertEquals(secondMasterKeyData.getMasterKey(), state_2
+      .getAMRMTokenSecretManagerState().getNextMasterKey());
+
+    // re-create the masterKeyData based on the recovered masterkey
+    // should have the same secretKey
+    appTokenMgr.recover(state_2);
+    Assert.assertEquals(appTokenMgr.getCurrnetMasterKeyData().getSecretKey(),
+      firstMasterKeyData.getSecretKey());
+    Assert.assertEquals(appTokenMgr.getNextMasterKeyData().getSecretKey(),
+      secondMasterKeyData.getSecretKey());
+
+    store.close();
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestFSRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestFSRMStateStore.java
index ea90c3d76f3..f5b3e8a8a67 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestFSRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestFSRMStateStore.java
@@ -38,7 +38,6 @@
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationStateDataPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.RMStateVersionPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
@@ -161,6 +160,7 @@ public void testFSRMStateStore() throws Exception {
       testEpoch(fsTester);
       testAppDeletion(fsTester);
       testDeleteStore(fsTester);
+      testAMRMTokenSecretManagerStateStore(fsTester);
     } finally {
       cluster.shutdown();
     }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestZKRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestZKRMStateStore.java
index e56f7757967..1dee533ac05 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestZKRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestZKRMStateStore.java
@@ -123,6 +123,7 @@ public void testZKRMStateStoreRealZK() throws Exception {
     testEpoch(zkTester);
     testAppDeletion(zkTester);
     testDeleteStore(zkTester);
+    testAMRMTokenSecretManagerStateStore(zkTester);
   }
 
   private Configuration createHARMConf(
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/TestRMAppTransitions.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/TestRMAppTransitions.java
index 0fd3c3c5c99..9ea51b120fa 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/TestRMAppTransitions.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/TestRMAppTransitions.java
@@ -193,7 +193,7 @@ public void setUp() throws Exception {
     this.rmContext =
         new RMContextImpl(rmDispatcher,
           containerAllocationExpirer, amLivelinessMonitor, amFinishingMonitor,
-          null, new AMRMTokenSecretManager(conf),
+          null, new AMRMTokenSecretManager(conf, this.rmContext),
           new RMContainerTokenSecretManager(conf),
           new NMTokenSecretManagerInRM(conf),
           new ClientToAMTokenSecretManagerInRM(),
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
index 1de35fcfa98..01a6973e69c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
@@ -134,7 +134,8 @@ public class TestRMAppAttemptTransitions {
   private RMAppAttempt applicationAttempt;
 
   private Configuration conf = new Configuration();
-  private AMRMTokenSecretManager amRMTokenManager = spy(new AMRMTokenSecretManager(conf));
+  private AMRMTokenSecretManager amRMTokenManager =
+      spy(new AMRMTokenSecretManager(conf, rmContext));
   private ClientToAMTokenSecretManagerInRM clientToAMTokenManager =
       spy(new ClientToAMTokenSecretManagerInRM());
   private NMTokenSecretManagerInRM nmTokenManager =
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestUtils.java
index db28dcaa558..e5486617bb4 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestUtils.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestUtils.java
@@ -86,13 +86,12 @@ public EventHandler getEventHandler() {
     
     Configuration conf = new Configuration();
     RMApplicationHistoryWriter writer =  mock(RMApplicationHistoryWriter.class);
-    RMContext rmContext =
+    RMContextImpl rmContext =
         new RMContextImpl(nullDispatcher, cae, null, null, null,
-          new AMRMTokenSecretManager(conf),
+          new AMRMTokenSecretManager(conf, null),
           new RMContainerTokenSecretManager(conf),
           new NMTokenSecretManagerInRM(conf),
           new ClientToAMTokenSecretManagerInRM(), writer);
-    
     return rmContext;
   }
   
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestAMRMTokens.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestAMRMTokens.java
index b11aadd7912..14385c4c69b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestAMRMTokens.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestAMRMTokens.java
@@ -184,8 +184,8 @@ public void testTokenExpiry() throws Exception {
         // The exception will still have the earlier appAttemptId as it picks it
         // up from the token.
         Assert.assertTrue(t.getCause().getMessage().contains(
-            "Password not found for ApplicationAttempt " +
-            applicationAttemptId.toString()));
+          applicationAttemptId.toString()
+          + " not found in AMRMTokenSecretManager."));
       }
 
     } finally {

From 57d8f829d930091d82ec50b2ff7d327d0301e9d6 Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Fri, 25 Jul 2014 22:12:37 +0000
Subject: [PATCH 060/354] HDFS-6755. There is an unnecessary sleep in the code
 path where DFSOutputStream#close gives up its attempt to contact the namenode
 (mitdesai21 via cmccabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613522 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                   | 4 ++++
 .../src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 65f0665653a..2b6f1c6750f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -317,6 +317,10 @@ Release 2.6.0 - UNRELEASED
     HDFS-6701. Make seed optional in NetworkTopology#sortByDistance.
     (Ashwin Shankar via wang)
 
+    HDFS-6755. There is an unnecessary sleep in the code path where
+    DFSOutputStream#close gives up its attempt to contact the namenode
+    (mitdesai21 via cmccabe)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
index a7cb92fa269..debf83ca1ea 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
@@ -2136,12 +2136,12 @@ private void completeFile(ExtendedBlock last) throws IOException {
             throw new IOException(msg);
         }
         try {
-          Thread.sleep(localTimeout);
           if (retries == 0) {
             throw new IOException("Unable to close file because the last block"
                 + " does not have enough number of replicas.");
           }
           retries--;
+          Thread.sleep(localTimeout);
           localTimeout *= 2;
           if (Time.now() - localstart > 5000) {
             DFSClient.LOG.info("Could not complete " + src + " retrying...");

From e85a3fecc68b48a3dc9af5daa466a24f3b39545b Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Fri, 25 Jul 2014 23:56:47 +0000
Subject: [PATCH 061/354] HDFS-6750. The DataNode should use its shared memory
 segment to mark short-circuit replicas that have been unlinked as stale
 (cmccabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613537 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../server/datanode/ShortCircuitRegistry.java | 29 +++++-
 .../fsdataset/impl/FsDatasetImpl.java         |  8 ++
 .../hdfs/shortcircuit/DfsClientShm.java       | 21 ++--
 .../shortcircuit/DfsClientShmManager.java     | 10 +-
 .../hdfs/shortcircuit/ShortCircuitShm.java    | 10 +-
 .../shortcircuit/TestShortCircuitCache.java   | 98 +++++++++++++++++++
 7 files changed, 163 insertions(+), 16 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 2b6f1c6750f..d3748106f8c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -321,6 +321,9 @@ Release 2.6.0 - UNRELEASED
     DFSOutputStream#close gives up its attempt to contact the namenode
     (mitdesai21 via cmccabe)
 
+    HDFS-6750. The DataNode should use its shared memory segment to mark
+    short-circuit replicas that have been unlinked as stale (cmccabe)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/ShortCircuitRegistry.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/ShortCircuitRegistry.java
index 9dba6a2085d..a252a17855a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/ShortCircuitRegistry.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/ShortCircuitRegistry.java
@@ -74,7 +74,7 @@
  * DN also marks the block's slots as "unanchorable" to prevent additional 
  * clients from initiating these operations in the future.
  * 
- * The counterpart fo this class on the client is {@link DfsClientShmManager}.
+ * The counterpart of this class on the client is {@link DfsClientShmManager}.
  */
 public class ShortCircuitRegistry {
   public static final Log LOG = LogFactory.getLog(ShortCircuitRegistry.class);
@@ -217,7 +217,32 @@ public synchronized boolean processBlockMunlockRequest(
     }
     return allowMunlock;
   }
-  
+
+  /**
+   * Invalidate any slot associated with a blockId that we are invalidating
+   * (deleting) from this DataNode.  When a slot is invalid, the DFSClient will
+   * not use the corresponding replica for new read or mmap operations (although
+   * existing, ongoing read or mmap operations will complete.)
+   *
+   * @param blockId        The block ID.
+   */
+  public synchronized void processBlockInvalidation(ExtendedBlockId blockId) {
+    if (!enabled) return;
+    final Set<Slot> affectedSlots = slots.get(blockId);
+    if (!affectedSlots.isEmpty()) {
+      final StringBuilder bld = new StringBuilder();
+      String prefix = "";
+      bld.append("Block ").append(blockId).append(" has been invalidated.  ").
+          append("Marking short-circuit slots as invalid: ");
+      for (Slot slot : affectedSlots) {
+        slot.makeInvalid();
+        bld.append(prefix).append(slot.toString());
+        prefix = ", ";
+      }
+      LOG.info(bld.toString());
+    }
+  }
+
   public static class NewShmInfo implements Closeable {
     public final ShmId shmId;
     public final FileInputStream stream;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
index b068c664fe3..e8a06aec8ac 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
@@ -44,6 +44,7 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.ExtendedBlockId;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.Block;
@@ -1232,8 +1233,15 @@ public void invalidate(String bpid, Block invalidBlks[]) throws IOException {
         }
         volumeMap.remove(bpid, invalidBlks[i]);
       }
+
+      // If a DFSClient has the replica in its cache of short-circuit file
+      // descriptors (and the client is using ShortCircuitShm), invalidate it.
+      datanode.getShortCircuitRegistry().processBlockInvalidation(
+                new ExtendedBlockId(invalidBlks[i].getBlockId(), bpid));
+
       // If the block is cached, start uncaching it.
       cacheManager.uncacheBlock(bpid, invalidBlks[i].getBlockId());
+
       // Delete the block asynchronously to make sure we can do it fast enough.
       // It's ok to unlink the block file before the uncache operation
       // finishes.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DfsClientShm.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DfsClientShm.java
index 1c9a2e5a742..81cc68da072 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DfsClientShm.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DfsClientShm.java
@@ -32,11 +32,16 @@
  * DfsClientShm is a subclass of ShortCircuitShm which is used by the
  * DfsClient.
  * When the UNIX domain socket associated with this shared memory segment
- * closes unexpectedly, we mark the slots inside this segment as stale.
- * ShortCircuitReplica objects that contain stale slots are themselves stale,
+ * closes unexpectedly, we mark the slots inside this segment as disconnected.
+ * ShortCircuitReplica objects that contain disconnected slots are stale,
  * and will not be used to service new reads or mmap operations.
  * However, in-progress read or mmap operations will continue to proceed.
  * Once the last slot is deallocated, the segment can be safely munmapped.
+ *
+ * Slots may also become stale because the associated replica has been deleted
+ * on the DataNode.  In this case, the DataNode will clear the 'valid' bit.
+ * The client will then see these slots as stale (see
+ * #{ShortCircuitReplica#isStale}).
  */
 public class DfsClientShm extends ShortCircuitShm
     implements DomainSocketWatcher.Handler {
@@ -58,7 +63,7 @@ public class DfsClientShm extends ShortCircuitShm
    *
    * {@link DfsClientShm#handle} sets this to true.
    */
-  private boolean stale = false;
+  private boolean disconnected = false;
 
   DfsClientShm(ShmId shmId, FileInputStream stream, EndpointShmManager manager,
       DomainPeer peer) throws IOException {
@@ -76,14 +81,14 @@ public DomainPeer getPeer() {
   }
 
   /**
-   * Determine if the shared memory segment is stale.
+   * Determine if the shared memory segment is disconnected from the DataNode.
    *
    * This must be called with the DfsClientShmManager lock held.
    *
    * @return   True if the shared memory segment is stale.
    */
-  public synchronized boolean isStale() {
-    return stale;
+  public synchronized boolean isDisconnected() {
+    return disconnected;
   }
 
   /**
@@ -97,8 +102,8 @@ public synchronized boolean isStale() {
   public boolean handle(DomainSocket sock) {
     manager.unregisterShm(getShmId());
     synchronized (this) {
-      Preconditions.checkState(!stale);
-      stale = true;
+      Preconditions.checkState(!disconnected);
+      disconnected = true;
       boolean hadSlots = false;
       for (Iterator<Slot> iter = slotIterator(); iter.hasNext(); ) {
         Slot slot = iter.next();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DfsClientShmManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DfsClientShmManager.java
index ca9e8e6e0a5..6dbaf84d269 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DfsClientShmManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DfsClientShmManager.java
@@ -271,12 +271,12 @@ Slot allocSlot(DomainPeer peer, MutableBoolean usedPeer,
             loading = false;
             finishedLoading.signalAll();
           }
-          if (shm.isStale()) {
+          if (shm.isDisconnected()) {
             // If the peer closed immediately after the shared memory segment
             // was created, the DomainSocketWatcher callback might already have
-            // fired and marked the shm as stale.  In this case, we obviously
-            // don't want to add the SharedMemorySegment to our list of valid
-            // not-full segments.
+            // fired and marked the shm as disconnected.  In this case, we
+            // obviously don't want to add the SharedMemorySegment to our list
+            // of valid not-full segments.
             if (LOG.isDebugEnabled()) {
               LOG.debug(this + ": the UNIX domain socket associated with " +
                   "this short-circuit memory closed before we could make " +
@@ -299,7 +299,7 @@ Slot allocSlot(DomainPeer peer, MutableBoolean usedPeer,
     void freeSlot(Slot slot) {
       DfsClientShm shm = (DfsClientShm)slot.getShm();
       shm.unregisterSlot(slot.getSlotIdx());
-      if (shm.isStale()) {
+      if (shm.isDisconnected()) {
         // Stale shared memory segments should not be tracked here.
         Preconditions.checkState(!full.containsKey(shm.getShmId()));
         Preconditions.checkState(!notFull.containsKey(shm.getShmId()));
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/ShortCircuitShm.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/ShortCircuitShm.java
index d860c8b174c..7b89d0a978d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/ShortCircuitShm.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/ShortCircuitShm.java
@@ -306,6 +306,13 @@ public int getSlotIdx() {
           (slotAddress - baseAddress) / BYTES_PER_SLOT);
     }
 
+    /**
+     * Clear the slot.
+     */
+    void clear() {
+      unsafe.putLongVolatile(null, this.slotAddress, 0);
+    }
+
     private boolean isSet(long flag) {
       long prev = unsafe.getLongVolatile(null, this.slotAddress);
       return (prev & flag) != 0;
@@ -535,6 +542,7 @@ synchronized public final Slot allocAndRegisterSlot(
     }
     allocatedSlots.set(idx, true);
     Slot slot = new Slot(calculateSlotAddress(idx), blockId);
+    slot.clear();
     slot.makeValid();
     slots[idx] = slot;
     if (LOG.isTraceEnabled()) {
@@ -583,7 +591,7 @@ synchronized public final Slot registerSlot(int slotIdx,
     Slot slot = new Slot(calculateSlotAddress(slotIdx), blockId);
     if (!slot.isValid()) {
       throw new InvalidRequestException(this + ": slot " + slotIdx +
-          " has not been allocated.");
+          " is not marked as valid.");
     }
     slots[slotIdx] = slot;
     allocatedSlots.set(slotIdx, true);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/shortcircuit/TestShortCircuitCache.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/shortcircuit/TestShortCircuitCache.java
index a2d2bf830f3..ca30e029942 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/shortcircuit/TestShortCircuitCache.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/shortcircuit/TestShortCircuitCache.java
@@ -23,6 +23,7 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_READ_SHORTCIRCUIT_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_READ_SHORTCIRCUIT_SKIP_CHECKSUM_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DOMAIN_SOCKET_PATH_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_READ_SHORTCIRCUIT_STREAMS_CACHE_EXPIRY_MS_KEY;
 import static org.hamcrest.CoreMatchers.equalTo;
 
 import java.io.DataOutputStream;
@@ -30,7 +31,9 @@
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.util.Arrays;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.Map;
 
 import org.apache.commons.lang.mutable.MutableBoolean;
@@ -462,6 +465,7 @@ public void visit(HashMap<DatanodeInfo, PerDatanodeVisitorInfo> info)
       }
     }, 10, 60000);
     cluster.shutdown();
+    sockDir.close();
   }
 
   @Test(timeout=60000)
@@ -516,4 +520,98 @@ public void visit(int numOutstandingMmaps,
     });
     cluster.shutdown();
   }
+
+  /**
+   * Test unlinking a file whose blocks we are caching in the DFSClient.
+   * The DataNode will notify the DFSClient that the replica is stale via the
+   * ShortCircuitShm.
+   */
+  @Test(timeout=60000)
+  public void testUnlinkingReplicasInFileDescriptorCache() throws Exception {
+    BlockReaderTestUtil.enableShortCircuitShmTracing();
+    TemporarySocketDirectory sockDir = new TemporarySocketDirectory();
+    Configuration conf = createShortCircuitConf(
+        "testUnlinkingReplicasInFileDescriptorCache", sockDir);
+    // We don't want the CacheCleaner to time out short-circuit shared memory
+    // segments during the test, so set the timeout really high.
+    conf.setLong(DFS_CLIENT_READ_SHORTCIRCUIT_STREAMS_CACHE_EXPIRY_MS_KEY,
+        1000000000L);
+    MiniDFSCluster cluster =
+        new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
+    cluster.waitActive();
+    DistributedFileSystem fs = cluster.getFileSystem();
+    final ShortCircuitCache cache =
+        fs.getClient().getClientContext().getShortCircuitCache();
+    cache.getDfsClientShmManager().visit(new Visitor() {
+      @Override
+      public void visit(HashMap<DatanodeInfo, PerDatanodeVisitorInfo> info)
+          throws IOException {
+        // The ClientShmManager starts off empty.
+        Assert.assertEquals(0,  info.size());
+      }
+    });
+    final Path TEST_PATH = new Path("/test_file");
+    final int TEST_FILE_LEN = 8193;
+    final int SEED = 0xFADE0;
+    DFSTestUtil.createFile(fs, TEST_PATH, TEST_FILE_LEN,
+        (short)1, SEED);
+    byte contents[] = DFSTestUtil.readFileBuffer(fs, TEST_PATH);
+    byte expected[] = DFSTestUtil.
+        calculateFileContentsFromSeed(SEED, TEST_FILE_LEN);
+    Assert.assertTrue(Arrays.equals(contents, expected));
+    // Loading this file brought the ShortCircuitReplica into our local
+    // replica cache.
+    final DatanodeInfo datanode =
+        new DatanodeInfo(cluster.getDataNodes().get(0).getDatanodeId());
+    cache.getDfsClientShmManager().visit(new Visitor() {
+      @Override
+      public void visit(HashMap<DatanodeInfo, PerDatanodeVisitorInfo> info)
+          throws IOException {
+        Assert.assertTrue(info.get(datanode).full.isEmpty());
+        Assert.assertFalse(info.get(datanode).disabled);
+        Assert.assertEquals(1, info.get(datanode).notFull.values().size());
+        DfsClientShm shm =
+            info.get(datanode).notFull.values().iterator().next();
+        Assert.assertFalse(shm.isDisconnected());
+      }
+    });
+    // Remove the file whose blocks we just read.
+    fs.delete(TEST_PATH, false);
+
+    // Wait for the replica to be purged from the DFSClient's cache.
+    GenericTestUtils.waitFor(new Supplier<Boolean>() {
+      MutableBoolean done = new MutableBoolean(true);
+      @Override
+      public Boolean get() {
+        try {
+          done.setValue(true);
+          cache.getDfsClientShmManager().visit(new Visitor() {
+            @Override
+            public void visit(HashMap<DatanodeInfo,
+                  PerDatanodeVisitorInfo> info) throws IOException {
+              Assert.assertTrue(info.get(datanode).full.isEmpty());
+              Assert.assertFalse(info.get(datanode).disabled);
+              Assert.assertEquals(1,
+                  info.get(datanode).notFull.values().size());
+              DfsClientShm shm = info.get(datanode).notFull.values().
+                  iterator().next();
+              // Check that all slots have been invalidated.
+              for (Iterator<Slot> iter = shm.slotIterator();
+                   iter.hasNext(); ) {
+                Slot slot = iter.next();
+                if (slot.isValid()) {
+                  done.setValue(false);
+                }
+              }
+            }
+          });
+        } catch (IOException e) {
+          LOG.error("error running visitor", e);
+        }
+        return done.booleanValue();
+      }
+    }, 10, 60000);
+    cluster.shutdown();
+    sockDir.close();
+  }
 }

From 9cfde45b45d6ca0f9665510d687dcd19f4ae3ef3 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Sat, 26 Jul 2014 00:48:42 +0000
Subject: [PATCH 062/354] HADOOP-10896. Update compatibility doc to capture
 visibility of un-annotated classes/ methods. (kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613543 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt          | 3 +++
 .../hadoop-common/src/site/apt/Compatibility.apt.vm      | 9 ++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 419d45c6831..34bd95103cd 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -621,6 +621,9 @@ Release 2.5.0 - UNRELEASED
 
     HADOOP-10782. Fix typo in DataChecksum class. (Jingguo Yao via suresh)
 
+    HADOOP-10896. Update compatibility doc to capture visibility of 
+    un-annotated classes/ methods. (kasha)
+
   OPTIMIZATIONS
 
     HADOOP-10674. Improve PureJavaCrc32 performance and use java.util.zip.CRC32
diff --git a/hadoop-common-project/hadoop-common/src/site/apt/Compatibility.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/Compatibility.apt.vm
index ecf6e75f3bc..98d1f57166f 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/Compatibility.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/Compatibility.apt.vm
@@ -72,10 +72,13 @@ Apache Hadoop Compatibility
     * Private-Stable APIs can change across major releases,
     but not within a major release.
 
+    * Classes not annotated are implicitly "Private". Class members not
+    annotated inherit the annotations of the enclosing class.
+
     * Note: APIs generated from the proto files need to be compatible for
-rolling-upgrades. See the section on wire-compatibility for more details. The
-compatibility policies for APIs and wire-communication need to go
-hand-in-hand to address this.
+    rolling-upgrades. See the section on wire-compatibility for more details.
+    The compatibility policies for APIs and wire-communication need to go
+    hand-in-hand to address this.
 
 ** Semantic compatibility
 

From b0c2c856192e71145c012504511fad172436131b Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Sat, 26 Jul 2014 01:29:25 +0000
Subject: [PATCH 063/354] YARN-1726. ResourceSchedulerWrapper broken due to
 AbstractYarnScheduler. (Wei Yan via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613547 13f79535-47bb-0310-9956-ffa450edef68
---
 .../yarn/sls/appmaster/AMSimulator.java       | 69 +++++++++----------
 .../yarn/sls/appmaster/MRAMSimulator.java     |  5 +-
 .../yarn/sls/nodemanager/NMSimulator.java     | 68 ++++++++++--------
 .../scheduler/ResourceSchedulerWrapper.java   | 40 +++++++----
 .../sls/scheduler/SLSCapacityScheduler.java   | 22 +++---
 .../hadoop/yarn/sls/scheduler/TaskRunner.java | 16 ++---
 .../apache/hadoop/yarn/sls/TestSLSRunner.java | 30 +++++++-
 hadoop-yarn-project/CHANGES.txt               |  3 +
 8 files changed, 149 insertions(+), 104 deletions(-)

diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/AMSimulator.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/AMSimulator.java
index 5af4eaa2de4..2272e3ed911 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/AMSimulator.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/AMSimulator.java
@@ -63,6 +63,8 @@
 import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
 import org.apache.hadoop.yarn.util.Records;
 import org.apache.log4j.Logger;
 
@@ -133,8 +135,7 @@ public void init(int id, int heartbeatInterval,
    * register with RM
    */
   @Override
-  public void firstStep()
-          throws YarnException, IOException, InterruptedException {
+  public void firstStep() throws Exception {
     simulateStartTimeMS = System.currentTimeMillis() - 
                           SLSRunner.getRunner().getStartTimeMS();
 
@@ -149,8 +150,7 @@ public void firstStep()
   }
 
   @Override
-  public void middleStep()
-          throws InterruptedException, YarnException, IOException {
+  public void middleStep() throws Exception {
     // process responses in the queue
     processResponseQueue();
     
@@ -162,7 +162,7 @@ public void middleStep()
   }
 
   @Override
-  public void lastStep() {
+  public void lastStep() throws Exception {
     LOG.info(MessageFormat.format("Application {0} is shutting down.", appId));
     // unregister tracking
     if (isTracked) {
@@ -173,26 +173,19 @@ public void lastStep() {
                   .newRecordInstance(FinishApplicationMasterRequest.class);
     finishAMRequest.setFinalApplicationStatus(FinalApplicationStatus.SUCCEEDED);
 
-    try {
-      UserGroupInformation ugi =
-              UserGroupInformation.createRemoteUser(appAttemptId.toString());
-      Token<AMRMTokenIdentifier> token =
-              rm.getRMContext().getRMApps().get(appAttemptId.getApplicationId())
-                .getRMAppAttempt(appAttemptId).getAMRMToken();
-      ugi.addTokenIdentifier(token.decodeIdentifier());
-      ugi.doAs(new PrivilegedExceptionAction<Object>() {
-        @Override
-        public Object run() throws Exception {
-          rm.getApplicationMasterService()
-                  .finishApplicationMaster(finishAMRequest);
-          return null;
-        }
-      });
-    } catch (IOException e) {
-      e.printStackTrace();
-    } catch (InterruptedException e) {
-      e.printStackTrace();
-    }
+    UserGroupInformation ugi =
+        UserGroupInformation.createRemoteUser(appAttemptId.toString());
+    Token<AMRMTokenIdentifier> token = rm.getRMContext().getRMApps().get(appId)
+        .getRMAppAttempt(appAttemptId).getAMRMToken();
+    ugi.addTokenIdentifier(token.decodeIdentifier());
+    ugi.doAs(new PrivilegedExceptionAction<Object>() {
+      @Override
+      public Object run() throws Exception {
+        rm.getApplicationMasterService()
+            .finishApplicationMaster(finishAMRequest);
+        return null;
+      }
+    });
 
     simulateFinishTimeMS = System.currentTimeMillis() -
         SLSRunner.getRunner().getStartTimeMS();
@@ -230,11 +223,9 @@ protected AllocateRequest createAllocateRequest(List<ResourceRequest> ask) {
     return createAllocateRequest(ask, new ArrayList<ContainerId>());
   }
 
-  protected abstract void processResponseQueue()
-          throws InterruptedException, YarnException, IOException;
+  protected abstract void processResponseQueue() throws Exception;
   
-  protected abstract void sendContainerRequest()
-          throws YarnException, IOException, InterruptedException;
+  protected abstract void sendContainerRequest() throws Exception;
   
   protected abstract void checkStop();
   
@@ -280,11 +271,18 @@ public Object run() throws YarnException {
     // waiting until application ACCEPTED
     RMApp app = rm.getRMContext().getRMApps().get(appId);
     while(app.getState() != RMAppState.ACCEPTED) {
-      Thread.sleep(50);
+      Thread.sleep(10);
     }
 
-    appAttemptId = rm.getRMContext().getRMApps().get(appId)
-            .getCurrentAppAttempt().getAppAttemptId();
+    // Waiting until application attempt reach LAUNCHED
+    // "Unmanaged AM must register after AM attempt reaches LAUNCHED state"
+    this.appAttemptId = rm.getRMContext().getRMApps().get(appId)
+        .getCurrentAppAttempt().getAppAttemptId();
+    RMAppAttempt rmAppAttempt = rm.getRMContext().getRMApps().get(appId)
+        .getCurrentAppAttempt();
+    while (rmAppAttempt.getAppAttemptState() != RMAppAttemptState.LAUNCHED) {
+      Thread.sleep(10);
+    }
   }
 
   private void registerAM()
@@ -297,10 +295,9 @@ private void registerAM()
     amRegisterRequest.setTrackingUrl("localhost:1000");
 
     UserGroupInformation ugi =
-            UserGroupInformation.createRemoteUser(appAttemptId.toString());
-    Token<AMRMTokenIdentifier> token =
-            rm.getRMContext().getRMApps().get(appAttemptId.getApplicationId())
-                    .getRMAppAttempt(appAttemptId).getAMRMToken();
+        UserGroupInformation.createRemoteUser(appAttemptId.toString());
+    Token<AMRMTokenIdentifier> token = rm.getRMContext().getRMApps().get(appId)
+        .getRMAppAttempt(appAttemptId).getAMRMToken();
     ugi.addTokenIdentifier(token.decodeIdentifier());
 
     ugi.doAs(
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/MRAMSimulator.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/MRAMSimulator.java
index d24510ba6fd..fb702059ade 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/MRAMSimulator.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/appmaster/MRAMSimulator.java
@@ -145,8 +145,7 @@ public void init(int id, int heartbeatInterval,
   }
 
   @Override
-  public void firstStep()
-          throws YarnException, IOException, InterruptedException {
+  public void firstStep() throws Exception {
     super.firstStep();
     
     requestAMContainer();
@@ -390,7 +389,7 @@ protected void checkStop() {
   }
 
   @Override
-  public void lastStep() {
+  public void lastStep() throws Exception {
     super.lastStep();
 
     // clear data structures
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NMSimulator.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NMSimulator.java
index 4112685e152..0947ba8a18b 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NMSimulator.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NMSimulator.java
@@ -27,6 +27,7 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.DelayQueue;
 
+import com.google.common.annotations.VisibleForTesting;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
@@ -107,12 +108,12 @@ public void init(String nodeIdStr, int memory, int cores,
   }
 
   @Override
-  public void firstStep() throws YarnException, IOException {
+  public void firstStep() {
     // do nothing
   }
 
   @Override
-  public void middleStep() {
+  public void middleStep() throws Exception {
     // we check the lifetime for each running containers
     ContainerSimulator cs = null;
     synchronized(completedContainerList) {
@@ -136,37 +137,31 @@ public void middleStep() {
     ns.setResponseId(RESPONSE_ID ++);
     ns.setNodeHealthStatus(NodeHealthStatus.newInstance(true, "", 0));
     beatRequest.setNodeStatus(ns);
-    try {
-      NodeHeartbeatResponse beatResponse =
-              rm.getResourceTrackerService().nodeHeartbeat(beatRequest);
-      if (! beatResponse.getContainersToCleanup().isEmpty()) {
-        // remove from queue
-        synchronized(releasedContainerList) {
-          for (ContainerId containerId : beatResponse.getContainersToCleanup()){
-            if (amContainerList.contains(containerId)) {
-              // AM container (not killed?, only release)
-              synchronized(amContainerList) {
-                amContainerList.remove(containerId);
-              }
-              LOG.debug(MessageFormat.format("NodeManager {0} releases " +
-                      "an AM ({1}).", node.getNodeID(), containerId));
-            } else {
-              cs = runningContainers.remove(containerId);
-              containerQueue.remove(cs);
-              releasedContainerList.add(containerId);
-              LOG.debug(MessageFormat.format("NodeManager {0} releases a " +
-                      "container ({1}).", node.getNodeID(), containerId));
+    NodeHeartbeatResponse beatResponse =
+        rm.getResourceTrackerService().nodeHeartbeat(beatRequest);
+    if (! beatResponse.getContainersToCleanup().isEmpty()) {
+      // remove from queue
+      synchronized(releasedContainerList) {
+        for (ContainerId containerId : beatResponse.getContainersToCleanup()){
+          if (amContainerList.contains(containerId)) {
+            // AM container (not killed?, only release)
+            synchronized(amContainerList) {
+              amContainerList.remove(containerId);
             }
+            LOG.debug(MessageFormat.format("NodeManager {0} releases " +
+                "an AM ({1}).", node.getNodeID(), containerId));
+          } else {
+            cs = runningContainers.remove(containerId);
+            containerQueue.remove(cs);
+            releasedContainerList.add(containerId);
+            LOG.debug(MessageFormat.format("NodeManager {0} releases a " +
+                "container ({1}).", node.getNodeID(), containerId));
           }
         }
       }
-      if (beatResponse.getNodeAction() == NodeAction.SHUTDOWN) {
-        lastStep();
-      }
-    } catch (YarnException e) {
-      e.printStackTrace();
-    } catch (IOException e) {
-      e.printStackTrace();
+    }
+    if (beatResponse.getNodeAction() == NodeAction.SHUTDOWN) {
+      lastStep();
     }
   }
 
@@ -262,4 +257,19 @@ public void cleanupContainer(ContainerId containerId) {
       completedContainerList.add(containerId);
     }
   }
+
+  @VisibleForTesting
+  Map<ContainerId, ContainerSimulator> getRunningContainers() {
+    return runningContainers;
+  }
+
+  @VisibleForTesting
+  List<ContainerId> getAMContainers() {
+    return amContainerList;
+  }
+
+  @VisibleForTesting
+  List<ContainerId> getCompletedContainers() {
+    return completedContainerList;
+  }
 }
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java
index 0bd0c87d2d0..6ccae98bd86 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java
@@ -67,6 +67,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.QueueMetrics;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerAppReport;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerApplication;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerApplicationAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerNode;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerNodeReport;
@@ -101,7 +102,6 @@ final public class ResourceSchedulerWrapper
   private static final String EOL = System.getProperty("line.separator");
   private static final int SAMPLING_SIZE = 60;
   private ScheduledExecutorService pool;
-  private RMContext rmContext;
   // counters for scheduler allocate/handle operations
   private Counter schedulerAllocateCounter;
   private Counter schedulerHandleCounter;
@@ -576,7 +576,7 @@ private void registerContainerAppNumMetrics() {
       new Gauge<Integer>() {
         @Override
         public Integer getValue() {
-          if(scheduler == null || scheduler.getRootQueueMetrics() == null) {
+          if (scheduler == null || scheduler.getRootQueueMetrics() == null) {
             return 0;
           } else {
             return scheduler.getRootQueueMetrics().getAppsRunning();
@@ -723,17 +723,18 @@ public void run() {
   public void addAMRuntime(ApplicationId appId,
                            long traceStartTimeMS, long traceEndTimeMS,
                            long simulateStartTimeMS, long simulateEndTimeMS) {
-
-    try {
-      // write job runtime information
-      StringBuilder sb = new StringBuilder();
-      sb.append(appId).append(",").append(traceStartTimeMS).append(",")
-              .append(traceEndTimeMS).append(",").append(simulateStartTimeMS)
-              .append(",").append(simulateEndTimeMS);
-      jobRuntimeLogBW.write(sb.toString() + EOL);
-      jobRuntimeLogBW.flush();
-    } catch (IOException e) {
-      e.printStackTrace();
+    if (metricsON) {
+      try {
+        // write job runtime information
+        StringBuilder sb = new StringBuilder();
+        sb.append(appId).append(",").append(traceStartTimeMS).append(",")
+            .append(traceEndTimeMS).append(",").append(simulateStartTimeMS)
+            .append(",").append(simulateEndTimeMS);
+        jobRuntimeLogBW.write(sb.toString() + EOL);
+        jobRuntimeLogBW.flush();
+      } catch (IOException e) {
+        e.printStackTrace();
+      }
     }
   }
 
@@ -919,4 +920,17 @@ public String moveApplication(ApplicationId appId, String newQueue)
   public Resource getClusterResource() {
     return null;
   }
+
+  @Override
+  public synchronized List<Container> getTransferredContainers(
+      ApplicationAttemptId currentAttempt) {
+    return new ArrayList<Container>();
+  }
+
+  @Override
+  public Map<ApplicationId, SchedulerApplication<SchedulerApplicationAttempt>>
+      getSchedulerApplications() {
+    return new HashMap<ApplicationId,
+        SchedulerApplication<SchedulerApplicationAttempt>>();
+  }
 }
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SLSCapacityScheduler.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SLSCapacityScheduler.java
index 44a872198d6..06addfb28fd 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SLSCapacityScheduler.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/SLSCapacityScheduler.java
@@ -729,16 +729,18 @@ public void addAMRuntime(ApplicationId appId,
                            long traceStartTimeMS, long traceEndTimeMS,
                            long simulateStartTimeMS, long simulateEndTimeMS) {
 
-    try {
-      // write job runtime information
-      StringBuilder sb = new StringBuilder();
-      sb.append(appId).append(",").append(traceStartTimeMS).append(",")
-              .append(traceEndTimeMS).append(",").append(simulateStartTimeMS)
-              .append(",").append(simulateEndTimeMS);
-      jobRuntimeLogBW.write(sb.toString() + EOL);
-      jobRuntimeLogBW.flush();
-    } catch (IOException e) {
-      e.printStackTrace();
+    if (metricsON) {
+      try {
+        // write job runtime information
+        StringBuilder sb = new StringBuilder();
+        sb.append(appId).append(",").append(traceStartTimeMS).append(",")
+            .append(traceEndTimeMS).append(",").append(simulateStartTimeMS)
+            .append(",").append(simulateEndTimeMS);
+        jobRuntimeLogBW.write(sb.toString() + EOL);
+        jobRuntimeLogBW.flush();
+      } catch (IOException e) {
+        e.printStackTrace();
+      }
     }
   }
 
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/TaskRunner.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/TaskRunner.java
index c936dd93180..d35290428c7 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/TaskRunner.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/TaskRunner.java
@@ -99,12 +99,10 @@ public final void run() {
         } else {
           lastStep();
         }
-      } catch (YarnException e) {
-        e.printStackTrace();
-      } catch (IOException e) {
-        e.printStackTrace();
-      } catch (InterruptedException e) {
+      } catch (Exception e) {
         e.printStackTrace();
+        Thread.getDefaultUncaughtExceptionHandler()
+            .uncaughtException(Thread.currentThread(), e);
       }
     }
 
@@ -124,13 +122,11 @@ public int compareTo(Delayed o) {
     }
 
 
-    public abstract void firstStep()
-            throws YarnException, IOException, InterruptedException;
+    public abstract void firstStep() throws Exception;
 
-    public abstract void middleStep()
-            throws YarnException, InterruptedException, IOException;
+    public abstract void middleStep() throws Exception;
 
-    public abstract void lastStep() throws YarnException;
+    public abstract void lastStep() throws Exception;
 
     public void setEndTime(long et) {
       endTime = et;
diff --git a/hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/TestSLSRunner.java b/hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/TestSLSRunner.java
index b05972734f2..9da8ef34a20 100644
--- a/hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/TestSLSRunner.java
+++ b/hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/TestSLSRunner.java
@@ -18,10 +18,13 @@
 
 package org.apache.hadoop.yarn.sls;
 
-import org.apache.commons.io.FileUtils;
+import org.junit.Assert;
 import org.junit.Test;
 
 import java.io.File;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
 import java.util.UUID;
 
 public class TestSLSRunner {
@@ -30,6 +33,15 @@ public class TestSLSRunner {
   @SuppressWarnings("all")
   public void testSimulatorRunning() throws Exception {
     File tempDir = new File("target", UUID.randomUUID().toString());
+    final List<Throwable> exceptionList =
+        Collections.synchronizedList(new ArrayList<Throwable>());
+
+    Thread.setDefaultUncaughtExceptionHandler(new Thread.UncaughtExceptionHandler() {
+      @Override
+      public void uncaughtException(Thread t, Throwable e) {
+        exceptionList.add(e);
+      }
+    });
 
     // start the simulator
     File slsOutputDir = new File(tempDir.getAbsolutePath() + "/slsoutput/");
@@ -38,8 +50,20 @@ public void testSimulatorRunning() throws Exception {
             "-output", slsOutputDir.getAbsolutePath()};
     SLSRunner.main(args);
 
-    // wait for 45 seconds before stop
-    Thread.sleep(45 * 1000);
+    // wait for 20 seconds before stop
+    int count = 20;
+    while (count >= 0) {
+      Thread.sleep(1000);
+
+      if (! exceptionList.isEmpty()) {
+        SLSRunner.getRunner().stop();
+        Assert.fail("TestSLSRunner catched exception from child thread " +
+            "(TaskRunner.Task): " + exceptionList.get(0).getMessage());
+        break;
+      }
+      count--;
+    }
+
     SLSRunner.getRunner().stop();
   }
 
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index e6fbea9350e..3d3429a674e 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -444,6 +444,9 @@ Release 2.5.0 - UNRELEASED
 
     YARN-2335. Annotate all hadoop-sls APIs as @Private. (Wei Yan via kasha)
 
+    YARN-1726. ResourceSchedulerWrapper broken due to AbstractYarnScheduler. 
+    (Wei Yan via kasha)
+
 Release 2.4.1 - 2014-06-23 
 
   INCOMPATIBLE CHANGES

From 5d4677b57b05c1690ab0a825869df9a4f6c173bc Mon Sep 17 00:00:00 2001
From: Aaron Myers <atm@apache.org>
Date: Sat, 26 Jul 2014 01:51:35 +0000
Subject: [PATCH 064/354] YARN-1796. container-executor shouldn't require o-r
 permissions. Contributed by Aaron T. Myers.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613548 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                      |  2 ++
 .../container-executor/impl/container-executor.c     | 12 ++++++------
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 3d3429a674e..fb164f8d303 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -106,6 +106,8 @@ Release 2.6.0 - UNRELEASED
     YARN-2147. client lacks delegation token exception details when
     application submit fails (Chen He via jlowe)
 
+    YARN-1796. container-executor shouldn't require o-r permissions (atm)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
index 9387ba4f1e0..16ede961edc 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
@@ -111,16 +111,16 @@ int check_executor_permissions(char *executable_file) {
     return -1;
   }
 
-  // check others do not have read/write/execute permissions
-  if ((filestat.st_mode & S_IROTH) == S_IROTH || (filestat.st_mode & S_IWOTH)
-      == S_IWOTH || (filestat.st_mode & S_IXOTH) == S_IXOTH) {
+  // check others do not have write/execute permissions
+  if ((filestat.st_mode & S_IWOTH) == S_IWOTH ||
+      (filestat.st_mode & S_IXOTH) == S_IXOTH) {
     fprintf(LOGFILE,
-            "The container-executor binary should not have read or write or"
-            " execute for others.\n");
+            "The container-executor binary should not have write or execute "
+            "for others.\n");
     return -1;
   }
 
-  // Binary should be setuid/setgid executable
+  // Binary should be setuid executable
   if ((filestat.st_mode & S_ISUID) == 0) {
     fprintf(LOGFILE, "The container-executor binary should be set setuid.\n");
     return -1;

From 4625792c20d8e297a34fe9599d9b474a6b1cc77a Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Sat, 26 Jul 2014 02:03:18 +0000
Subject: [PATCH 065/354] YARN-1726. Add missing files.
 ResourceSchedulerWrapper broken due to AbstractYarnScheduler. (Wei Yan via
 kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613552 13f79535-47bb-0310-9956-ffa450edef68
---
 .../yarn/sls/appmaster/TestAMSimulator.java   |  86 +++++++++++++++
 .../yarn/sls/nodemanager/TestNMSimulator.java | 100 ++++++++++++++++++
 2 files changed, 186 insertions(+)
 create mode 100644 hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/appmaster/TestAMSimulator.java
 create mode 100644 hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/nodemanager/TestNMSimulator.java

diff --git a/hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/appmaster/TestAMSimulator.java b/hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/appmaster/TestAMSimulator.java
new file mode 100644
index 00000000000..83482c33686
--- /dev/null
+++ b/hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/appmaster/TestAMSimulator.java
@@ -0,0 +1,86 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.sls.appmaster;
+
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.exceptions.YarnException;
+import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
+import org.apache.hadoop.yarn.sls.conf.SLSConfiguration;
+import org.apache.hadoop.yarn.sls.scheduler.ContainerSimulator;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+public class TestAMSimulator {
+  private ResourceManager rm;
+  private YarnConfiguration conf;
+
+  @Before
+  public void setup() {
+    conf = new YarnConfiguration();
+    conf.set(YarnConfiguration.RM_SCHEDULER,
+        "org.apache.hadoop.yarn.sls.scheduler.ResourceSchedulerWrapper");
+    conf.set(SLSConfiguration.RM_SCHEDULER,
+        "org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler");
+    conf.setBoolean(SLSConfiguration.METRICS_SWITCH, false);
+    rm = new ResourceManager();
+    rm.init(conf);
+    rm.start();
+  }
+
+  class MockAMSimulator extends AMSimulator {
+    @Override
+    protected void processResponseQueue()
+        throws InterruptedException, YarnException, IOException {
+    }
+
+    @Override
+    protected void sendContainerRequest()
+        throws YarnException, IOException, InterruptedException {
+    }
+
+    @Override
+    protected void checkStop() {
+    }
+  }
+
+  @Test
+  public void testAMSimulator() throws Exception {
+    // Register one app
+    MockAMSimulator app = new MockAMSimulator();
+    List<ContainerSimulator> containers = new ArrayList<ContainerSimulator>();
+    app.init(1, 1000, containers, rm, null, 0, 1000000l, "user1", "default",
+        false, "app1");
+    app.firstStep();
+    Assert.assertEquals(1, rm.getRMContext().getRMApps().size());
+    Assert.assertNotNull(rm.getRMContext().getRMApps().get(app.appId));
+
+    // Finish this app
+    app.lastStep();
+  }
+
+  @After
+  public void tearDown() {
+    rm.stop();
+  }
+}
\ No newline at end of file
diff --git a/hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/nodemanager/TestNMSimulator.java b/hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/nodemanager/TestNMSimulator.java
new file mode 100644
index 00000000000..84be2313cf4
--- /dev/null
+++ b/hadoop-tools/hadoop-sls/src/test/java/org/apache/hadoop/yarn/sls/nodemanager/TestNMSimulator.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.sls.nodemanager;
+
+import org.apache.hadoop.yarn.api.records.Container;
+import org.apache.hadoop.yarn.api.records.ContainerId;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
+import org.apache.hadoop.yarn.server.utils.BuilderUtils;
+import org.apache.hadoop.yarn.sls.conf.SLSConfiguration;
+import org.apache.hadoop.yarn.util.resource.Resources;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+public class TestNMSimulator {
+  private final int GB = 1024;
+  private ResourceManager rm;
+  private YarnConfiguration conf;
+
+  @Before
+  public void setup() {
+    conf = new YarnConfiguration();
+    conf.set(YarnConfiguration.RM_SCHEDULER,
+        "org.apache.hadoop.yarn.sls.scheduler.ResourceSchedulerWrapper");
+    conf.set(SLSConfiguration.RM_SCHEDULER,
+        "org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler");
+    conf.setBoolean(SLSConfiguration.METRICS_SWITCH, false);
+    rm = new ResourceManager();
+    rm.init(conf);
+    rm.start();
+  }
+
+  @Test
+  public void testNMSimulator() throws Exception {
+    // Register one node
+    NMSimulator node1 = new NMSimulator();
+    node1.init("rack1/node1", GB * 10, 10, 0, 1000, rm);
+    node1.middleStep();
+
+    Assert.assertEquals(1, rm.getResourceScheduler().getNumClusterNodes());
+    Assert.assertEquals(GB * 10,
+        rm.getResourceScheduler().getRootQueueMetrics().getAvailableMB());
+    Assert.assertEquals(10,
+        rm.getResourceScheduler().getRootQueueMetrics()
+            .getAvailableVirtualCores());
+
+    // Allocate one container on node1
+    ContainerId cId1 = newContainerId(1, 1, 1);
+    Container container1 = Container.newInstance(cId1, null, null,
+        Resources.createResource(GB, 1), null, null);
+    node1.addNewContainer(container1, 100000l);
+    Assert.assertTrue("Node1 should have one running container.",
+        node1.getRunningContainers().containsKey(cId1));
+
+    // Allocate one AM container on node1
+    ContainerId cId2 = newContainerId(2, 1, 1);
+    Container container2 = Container.newInstance(cId2, null, null,
+        Resources.createResource(GB, 1), null, null);
+    node1.addNewContainer(container2, -1l);
+    Assert.assertTrue("Node1 should have one running AM container",
+        node1.getAMContainers().contains(cId2));
+
+    // Remove containers
+    node1.cleanupContainer(cId1);
+    Assert.assertTrue("Container1 should be removed from Node1.",
+        node1.getCompletedContainers().contains(cId1));
+    node1.cleanupContainer(cId2);
+    Assert.assertFalse("Container2 should be removed from Node1.",
+        node1.getAMContainers().contains(cId2));
+  }
+
+  private ContainerId newContainerId(int appId, int appAttemptId, int cId) {
+    return BuilderUtils.newContainerId(
+        BuilderUtils.newApplicationAttemptId(
+            BuilderUtils.newApplicationId(System.currentTimeMillis(), appId),
+            appAttemptId), cId);
+  }
+
+  @After
+  public void tearDown() throws Exception {
+    rm.stop();
+  }
+}

From 9bce3eca42b40f9b1f9fc23fc4418ed23b7beda5 Mon Sep 17 00:00:00 2001
From: Chris Nauroth <cnauroth@apache.org>
Date: Sat, 26 Jul 2014 04:18:28 +0000
Subject: [PATCH 066/354] HDFS-6749. FSNamesystem methods should call
 resolvePath. Contributed by Charles Lamb.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613561 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt        |  3 +++
 .../hadoop/hdfs/server/namenode/FSNamesystem.java  |  8 ++++++++
 .../hadoop/hdfs/server/namenode/TestINodeFile.java | 14 ++++++++++++++
 3 files changed, 25 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index d3748106f8c..eb524b209df 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -383,6 +383,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6752. Avoid Address bind errors in TestDatanodeConfig#testMemlockLimit
     (vinayakumarb)
 
+    HDFS-6749. FSNamesystem methods should call resolvePath.
+    (Charles Lamb via cnauroth)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 6ce6a70ce2b..a705f17dd27 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -3720,8 +3720,10 @@ boolean isFileClosed(String src)
       StandbyException, IOException {
     FSPermissionChecker pc = getPermissionChecker();  
     checkOperation(OperationCategory.READ);
+    byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
     readLock();
     try {
+      src = FSDirectory.resolvePath(src, pathComponents, dir);
       checkOperation(OperationCategory.READ);
       if (isPermissionEnabled) {
         checkTraverse(pc, src);
@@ -8183,9 +8185,11 @@ AclStatus getAclStatus(String src) throws IOException {
     nnConf.checkAclsConfigFlag();
     FSPermissionChecker pc = getPermissionChecker();
     checkOperation(OperationCategory.READ);
+    byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
     readLock();
     try {
       checkOperation(OperationCategory.READ);
+      src = FSDirectory.resolvePath(src, pathComponents, dir);
       if (isPermissionEnabled) {
         checkPermission(pc, src, false, null, null, null, null);
       }
@@ -8288,8 +8292,10 @@ List<XAttr> getXAttrs(String src, List<XAttr> xAttrs) throws IOException {
       }
     }
     checkOperation(OperationCategory.READ);
+    byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
     readLock();
     try {
+      src = FSDirectory.resolvePath(src, pathComponents, dir);
       checkOperation(OperationCategory.READ);
       if (isPermissionEnabled) {
         checkPathAccess(pc, src, FsAction.READ);
@@ -8333,8 +8339,10 @@ List<XAttr> listXAttrs(String src) throws IOException {
     nnConf.checkXAttrsConfigFlag();
     final FSPermissionChecker pc = getPermissionChecker();
     checkOperation(OperationCategory.READ);
+    byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
     readLock();
     try {
+      src = FSDirectory.resolvePath(src, pathComponents, dir);
       checkOperation(OperationCategory.READ);
       if (isPermissionEnabled) {
         /* To access xattr names, you need EXECUTE in the owning directory. */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java
index 3cee355840c..704bc1669d0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java
@@ -521,6 +521,7 @@ public void testInodeIdBasedPaths() throws Exception {
     Configuration conf = new Configuration();
     conf.setInt(DFSConfigKeys.DFS_BLOCK_SIZE_KEY,
         DFSConfigKeys.DFS_BYTES_PER_CHECKSUM_DEFAULT);
+    conf.setBoolean(DFSConfigKeys.DFS_NAMENODE_ACLS_ENABLED_KEY, true);
     MiniDFSCluster cluster = null;
     try {
       cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
@@ -568,6 +569,19 @@ public void testInodeIdBasedPaths() throws Exception {
       // ClientProtocol#getPreferredBlockSize
       assertEquals(testFileBlockSize,
           nnRpc.getPreferredBlockSize(testFileInodePath.toString()));
+
+      /*
+       * HDFS-6749 added missing calls to FSDirectory.resolvePath in the
+       * following four methods. The calls below ensure that
+       * /.reserved/.inodes paths work properly. No need to check return
+       * values as these methods are tested elsewhere.
+       */
+      {
+        fs.isFileClosed(testFileInodePath);
+        fs.getAclStatus(testFileInodePath);
+        fs.getXAttrs(testFileInodePath);
+        fs.listXAttrs(testFileInodePath);
+      }
       
       // symbolic link related tests
       

From 549bcc2c02983086ee6694982d5f3503f5f4517f Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Sun, 27 Jul 2014 01:37:51 +0000
Subject: [PATCH 067/354] MAPREDUCE-6002. Made MR task avoid reporting error to
 AM when the task process is shutting down. Contributed by Wangda Tan.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613743 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt          |  3 +++
 .../hadoop/mapred/LocalContainerLauncher.java | 18 ++++++++++-----
 .../org/apache/hadoop/mapred/YarnChild.java   | 22 +++++++++++++------
 .../java/org/apache/hadoop/mapred/Task.java   |  6 +++++
 4 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index c8a83bf64e5..5760cef3060 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -325,6 +325,9 @@ Release 2.5.0 - UNRELEASED
     MAPREDUCE-5952. LocalContainerLauncher#renameMapOutputForReduce incorrectly 
     assumes a single dir for mapOutIndex. (Gera Shegalov via kasha)
 
+    MAPREDUCE-6002. Made MR task avoid reporting error to AM when the task process
+    is shutting down. (Wangda Tan via zjshen)
+
 Release 2.4.1 - 2014-06-23 
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/LocalContainerLauncher.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/LocalContainerLauncher.java
index c7898ed966f..218ac835d27 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/LocalContainerLauncher.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/LocalContainerLauncher.java
@@ -31,6 +31,7 @@
 import java.util.concurrent.LinkedBlockingQueue;
 
 import com.google.common.annotations.VisibleForTesting;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.fs.FSError;
@@ -57,6 +58,7 @@
 import org.apache.hadoop.mapreduce.v2.app.launcher.ContainerRemoteLaunchEvent;
 import org.apache.hadoop.service.AbstractService;
 import org.apache.hadoop.util.ExitUtil;
+import org.apache.hadoop.util.ShutdownHookManager;
 import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.yarn.api.ApplicationConstants.Environment;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
@@ -406,7 +408,9 @@ private void runSubtask(org.apache.hadoop.mapred.Task task,
       } catch (FSError e) {
         LOG.fatal("FSError from child", e);
         // umbilical:  MRAppMaster creates (taskAttemptListener), passes to us
-        umbilical.fsError(classicAttemptID, e.getMessage());
+        if (!ShutdownHookManager.get().isShutdownInProgress()) {
+          umbilical.fsError(classicAttemptID, e.getMessage());
+        }
         throw new RuntimeException();
 
       } catch (Exception exception) {
@@ -429,11 +433,13 @@ private void runSubtask(org.apache.hadoop.mapred.Task task,
       } catch (Throwable throwable) {
         LOG.fatal("Error running local (uberized) 'child' : "
             + StringUtils.stringifyException(throwable));
-        Throwable tCause = throwable.getCause();
-        String cause = (tCause == null)
-            ? throwable.getMessage()
-                : StringUtils.stringifyException(tCause);
-            umbilical.fatalError(classicAttemptID, cause);
+        if (!ShutdownHookManager.get().isShutdownInProgress()) {
+          Throwable tCause = throwable.getCause();
+          String cause =
+              (tCause == null) ? throwable.getMessage() : StringUtils
+                  .stringifyException(tCause);
+          umbilical.fatalError(classicAttemptID, cause);
+        }
         throw new RuntimeException();
       }
     }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/YarnChild.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/YarnChild.java
index 9212bfd154a..4ba1991ed9b 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/YarnChild.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/YarnChild.java
@@ -56,6 +56,7 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.util.DiskChecker.DiskErrorException;
+import org.apache.hadoop.util.ShutdownHookManager;
 import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.yarn.YarnUncaughtExceptionHandler;
 import org.apache.hadoop.yarn.api.ApplicationConstants;
@@ -176,7 +177,9 @@ public Object run() throws Exception {
       });
     } catch (FSError e) {
       LOG.fatal("FSError from child", e);
-      umbilical.fsError(taskid, e.getMessage());
+      if (!ShutdownHookManager.get().isShutdownInProgress()) {
+        umbilical.fsError(taskid, e.getMessage());
+      }
     } catch (Exception exception) {
       LOG.warn("Exception running child : "
           + StringUtils.stringifyException(exception));
@@ -201,17 +204,22 @@ public Object run() throws Exception {
       }
       // Report back any failures, for diagnostic purposes
       if (taskid != null) {
-        umbilical.fatalError(taskid, StringUtils.stringifyException(exception));
+        if (!ShutdownHookManager.get().isShutdownInProgress()) {
+          umbilical.fatalError(taskid,
+              StringUtils.stringifyException(exception));
+        }
       }
     } catch (Throwable throwable) {
       LOG.fatal("Error running child : "
     	        + StringUtils.stringifyException(throwable));
       if (taskid != null) {
-        Throwable tCause = throwable.getCause();
-        String cause = tCause == null
-                                 ? throwable.getMessage()
-                                 : StringUtils.stringifyException(tCause);
-        umbilical.fatalError(taskid, cause);
+        if (!ShutdownHookManager.get().isShutdownInProgress()) {
+          Throwable tCause = throwable.getCause();
+          String cause =
+              tCause == null ? throwable.getMessage() : StringUtils
+                  .stringifyException(tCause);
+          umbilical.fatalError(taskid, cause);
+        }
       }
     } finally {
       RPC.stopProxy(umbilical);
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/Task.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/Task.java
index 4815f191f7e..3a4c513f3f1 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/Task.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/Task.java
@@ -66,6 +66,7 @@
 import org.apache.hadoop.util.Progress;
 import org.apache.hadoop.util.Progressable;
 import org.apache.hadoop.util.ReflectionUtils;
+import org.apache.hadoop.util.ShutdownHookManager;
 import org.apache.hadoop.util.StringInterner;
 import org.apache.hadoop.util.StringUtils;
 
@@ -322,6 +323,11 @@ protected void setWriteSkipRecs(boolean writeSkipRecs) {
   protected void reportFatalError(TaskAttemptID id, Throwable throwable, 
                                   String logMsg) {
     LOG.fatal(logMsg);
+    
+    if (ShutdownHookManager.get().isShutdownInProgress()) {
+      return;
+    }
+    
     Throwable tCause = throwable.getCause();
     String cause = tCause == null 
                    ? StringUtils.stringifyException(throwable)

From d6532d3a77abe5a9b1760c1e26a899d49aa661dc Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Sun, 27 Jul 2014 17:55:06 +0000
Subject: [PATCH 068/354] YARN-2247. Made RM web services authenticate users
 via kerberos and delegation token. Contributed by Varun Vasudev.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1613821 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../hadoop/yarn/conf/YarnConfiguration.java   |  11 +
 .../src/main/resources/yarn-default.xml       |   9 +
 .../security/http/RMAuthenticationFilter.java |  63 ++++
 .../RMAuthenticationFilterInitializer.java    | 121 ++++++
 .../resourcemanager/ResourceManager.java      |  61 +++
 .../security/RMAuthenticationHandler.java     | 157 ++++++++
 .../resourcemanager/webapp/RMWebServices.java |  24 +-
 ...ServicesDelegationTokenAuthentication.java | 354 ++++++++++++++++++
 .../webapp/TestRMWebappAuthentication.java    | 272 ++++++++++++++
 .../src/site/apt/ResourceManagerRest.apt.vm   |  21 ++
 11 files changed, 1095 insertions(+), 1 deletion(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilter.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/RMAuthenticationHandler.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebappAuthentication.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index fb164f8d303..c0405106a01 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -147,6 +147,9 @@ Release 2.5.0 - UNRELEASED
     YARN-2233. Implemented ResourceManager web-services to create, renew and
     cancel delegation tokens. (Varun Vasudev via vinodkv)
 
+    YARN-2247. Made RM web services authenticate users via kerberos and delegation
+    token. (Varun Vasudev via zjshen)
+
   IMPROVEMENTS
 
     YARN-1479. Invalid NaN values in Hadoop REST API JSON response (Chen He via
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
index 59e108a6fb1..ab6b20e574e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -263,6 +263,17 @@ public class YarnConfiguration extends Configuration {
   public static final String RM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY =
       RM_PREFIX + "webapp.spnego-keytab-file";
 
+  /**
+   * Flag to enable override of the default kerberos authentication filter with
+   * the RM authentication filter to allow authentication using delegation
+   * tokens(fallback to kerberos if the tokens are missing). Only applicable
+   * when the http authentication type is kerberos.
+   */
+  public static final String RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER = RM_PREFIX
+      + "webapp.delegation-token-auth-filter.enabled";
+  public static final boolean DEFAULT_RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER =
+      true;
+
   /** How long to wait until a container is considered dead.*/
   public static final String RM_CONTAINER_ALLOC_EXPIRY_INTERVAL_MS = 
     RM_PREFIX + "rm.container-allocation.expiry-interval-ms";
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
index 8bc49e69769..edc2f8cab61 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -194,6 +194,15 @@
     <value>/etc/krb5.keytab</value>
   </property>
 
+  <property>
+    <description>Flag to enable override of the default kerberos authentication
+    filter with the RM authentication filter to allow authentication using
+    delegation tokens(fallback to kerberos if the tokens are missing). Only
+    applicable when the http authentication type is kerberos.</description>
+    <name>yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled</name>
+    <value>true</value>
+  </property>
+
   <property>
     <description>How long to wait until a node manager is considered dead.</description>
     <name>yarn.nm.liveness-monitor.expiry-interval-ms</name>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilter.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilter.java
new file mode 100644
index 00000000000..651b5b0c762
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilter.java
@@ -0,0 +1,63 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.security.http;
+
+import java.util.Properties;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+
+@Private
+@Unstable
+public class RMAuthenticationFilter extends AuthenticationFilter {
+
+  public static final String AUTH_HANDLER_PROPERTY =
+      "yarn.resourcemanager.authentication-handler";
+
+  public RMAuthenticationFilter() {
+  }
+
+  @Override
+  protected Properties getConfiguration(String configPrefix,
+      FilterConfig filterConfig) throws ServletException {
+
+    // In yarn-site.xml, we can simply set type to "kerberos". However, we need
+    // to replace the name here to use the customized Kerberos + DT service
+    // instead of the standard Kerberos handler.
+
+    Properties properties = super.getConfiguration(configPrefix, filterConfig);
+    String yarnAuthHandler = properties.getProperty(AUTH_HANDLER_PROPERTY);
+    if (yarnAuthHandler == null || yarnAuthHandler.isEmpty()) {
+      // if http auth type is simple, the default authentication filter
+      // will handle it, else throw an exception
+      if (!properties.getProperty(AUTH_TYPE).equals("simple")) {
+        throw new ServletException("Authentication handler class is empty");
+      }
+    }
+    if (properties.getProperty(AUTH_TYPE).equalsIgnoreCase("kerberos")) {
+      properties.setProperty(AUTH_TYPE, yarnAuthHandler);
+    }
+    return properties;
+  }
+
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java
new file mode 100644
index 00000000000..2227833e7cf
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java
@@ -0,0 +1,121 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.security.http;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.http.FilterContainer;
+import org.apache.hadoop.http.FilterInitializer;
+import org.apache.hadoop.http.HttpServer2;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+
+@Unstable
+public class RMAuthenticationFilterInitializer extends FilterInitializer {
+
+  String configPrefix;
+  String signatureSecretFileProperty;
+  String kerberosPrincipalProperty;
+  String cookiePath;
+
+  public RMAuthenticationFilterInitializer() {
+    this.configPrefix = "hadoop.http.authentication.";
+    this.signatureSecretFileProperty =
+        AuthenticationFilter.SIGNATURE_SECRET + ".file";
+    this.kerberosPrincipalProperty = KerberosAuthenticationHandler.PRINCIPAL;
+    this.cookiePath = "/";
+  }
+
+  protected Map<String, String> createFilterConfig(Configuration conf) {
+    Map<String, String> filterConfig = new HashMap<String, String>();
+
+    // setting the cookie path to root '/' so it is used for all resources.
+    filterConfig.put(AuthenticationFilter.COOKIE_PATH, cookiePath);
+
+    for (Map.Entry<String, String> entry : conf) {
+      String name = entry.getKey();
+      if (name.startsWith(configPrefix)) {
+        String value = conf.get(name);
+        name = name.substring(configPrefix.length());
+        filterConfig.put(name, value);
+      }
+    }
+
+    String signatureSecretFile = filterConfig.get(signatureSecretFileProperty);
+    if (signatureSecretFile != null) {
+      Reader reader = null;
+      try {
+        StringBuilder secret = new StringBuilder();
+        reader =
+            new InputStreamReader(new FileInputStream(signatureSecretFile),
+              "UTF-8");
+        int c = reader.read();
+        while (c > -1) {
+          secret.append((char) c);
+          c = reader.read();
+        }
+        filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET,
+          secret.toString());
+      } catch (IOException ex) {
+        // if running in non-secure mode, this filter only gets added
+        // because the user has not setup his own filter so just generate
+        // a random secret. in secure mode, the user needs to setup security
+        if (UserGroupInformation.isSecurityEnabled()) {
+          throw new RuntimeException(
+            "Could not read HTTP signature secret file: " + signatureSecretFile);
+        }
+      } finally {
+        IOUtils.closeQuietly(reader);
+      }
+    }
+
+    // Resolve _HOST into bind address
+    String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
+    String principal = filterConfig.get(kerberosPrincipalProperty);
+    if (principal != null) {
+      try {
+        principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
+      } catch (IOException ex) {
+        throw new RuntimeException(
+          "Could not resolve Kerberos principal name: " + ex.toString(), ex);
+      }
+      filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal);
+    }
+    return filterConfig;
+  }
+
+  @Override
+  public void initFilter(FilterContainer container, Configuration conf) {
+
+    Map<String, String> filterConfig = createFilterConfig(conf);
+    container.addFilter("YARNAuthenticationFilter",
+      RMAuthenticationFilter.class.getName(), filterConfig);
+  }
+
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
index 7dceda249da..4b5d94875ad 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
@@ -32,11 +32,13 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.ha.HAServiceProtocol;
 import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState;
+import org.apache.hadoop.http.lib.StaticUserWebFilter;
 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
 import org.apache.hadoop.metrics2.source.JvmMetrics;
 import org.apache.hadoop.security.Groups;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
 import org.apache.hadoop.security.authorize.ProxyUsers;
 import org.apache.hadoop.service.AbstractService;
 import org.apache.hadoop.service.CompositeService;
@@ -88,8 +90,11 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEventType;
 import org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer;
 import org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager;
+import org.apache.hadoop.yarn.server.resourcemanager.security.RMAuthenticationHandler;
 import org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebApp;
 import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
+import org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter;
+import org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilterInitializer;
 import org.apache.hadoop.yarn.server.webproxy.AppReportFetcher;
 import org.apache.hadoop.yarn.server.webproxy.ProxyUriUtils;
 import org.apache.hadoop.yarn.server.webproxy.WebAppProxy;
@@ -789,6 +794,62 @@ public void handle(RMNodeEvent event) {
   }
   
   protected void startWepApp() {
+
+    // Use the customized yarn filter instead of the standard kerberos filter to
+    // allow users to authenticate using delegation tokens
+    // 3 conditions need to be satisfied -
+    // 1. security is enabled
+    // 2. http auth type is set to kerberos
+    // 3. "yarn.resourcemanager.webapp.use-yarn-filter" override is set to true
+
+    Configuration conf = getConfig();
+    boolean useYarnAuthenticationFilter =
+        conf.getBoolean(
+          YarnConfiguration.RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER,
+          YarnConfiguration.DEFAULT_RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER);
+    String authPrefix = "hadoop.http.authentication.";
+    String authTypeKey = authPrefix + "type";
+    String initializers = conf.get("hadoop.http.filter.initializers");
+    if (UserGroupInformation.isSecurityEnabled()
+        && useYarnAuthenticationFilter
+        && conf.get(authTypeKey, "").equalsIgnoreCase(
+          KerberosAuthenticationHandler.TYPE)) {
+      LOG.info("Using RM authentication filter(kerberos/delegation-token)"
+          + " for RM webapp authentication");
+      RMAuthenticationHandler
+        .setSecretManager(getClientRMService().rmDTSecretManager);
+      String yarnAuthKey =
+          authPrefix + RMAuthenticationFilter.AUTH_HANDLER_PROPERTY;
+      conf.setStrings(yarnAuthKey, RMAuthenticationHandler.class.getName());
+
+      initializers =
+          initializers == null || initializers.isEmpty() ? "" : ","
+              + initializers;
+      if (!initializers.contains(RMAuthenticationFilterInitializer.class
+        .getName())) {
+        conf.set("hadoop.http.filter.initializers",
+          RMAuthenticationFilterInitializer.class.getName() + initializers);
+      }
+    }
+
+    // if security is not enabled and the default filter initializer has been
+    // set, set the initializer to include the
+    // RMAuthenticationFilterInitializer which in turn will set up the simple
+    // auth filter.
+
+    if (!UserGroupInformation.isSecurityEnabled()) {
+      if (initializers == null || initializers.isEmpty()) {
+        conf.set("hadoop.http.filter.initializers",
+          RMAuthenticationFilterInitializer.class.getName());
+        conf.set(authTypeKey, "simple");
+      } else if (initializers.equals(StaticUserWebFilter.class.getName())) {
+        conf.set("hadoop.http.filter.initializers",
+          RMAuthenticationFilterInitializer.class.getName() + ","
+              + initializers);
+        conf.set(authTypeKey, "simple");
+      }
+    }
+
     Builder<ApplicationMasterService> builder = 
         WebApps
             .$for("cluster", ApplicationMasterService.class, masterService,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/RMAuthenticationHandler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/RMAuthenticationHandler.java
new file mode 100644
index 00000000000..798c479c287
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/RMAuthenticationHandler.java
@@ -0,0 +1,157 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.resourcemanager.security;
+
+import java.io.ByteArrayInputStream;
+import java.io.DataInputStream;
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.server.AuthenticationToken;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+
+public class RMAuthenticationHandler extends KerberosAuthenticationHandler {
+
+  public static final String TYPE = "kerberos-dt";
+  public static final String HEADER = "Hadoop-YARN-Auth-Delegation-Token";
+
+  static RMDelegationTokenSecretManager secretManager;
+  static boolean secretManagerInitialized = false;
+
+  public RMAuthenticationHandler() {
+    super();
+  }
+
+  /**
+   * Returns authentication type of the handler.
+   * 
+   * @return <code>kerberos-dt</code>
+   */
+  @Override
+  public String getType() {
+    return TYPE;
+  }
+
+  @Override
+  public boolean managementOperation(AuthenticationToken token,
+      HttpServletRequest request, HttpServletResponse response) {
+    return true;
+  }
+
+  /**
+   * Authenticates a request looking for the <code>delegation</code> header and
+   * verifying it is a valid token. If the header is missing, it delegates the
+   * authentication to the {@link KerberosAuthenticationHandler} unless it is
+   * disabled.
+   * 
+   * @param request
+   *          the HTTP client request.
+   * @param response
+   *          the HTTP client response.
+   * 
+   * @return the authentication token for the authenticated request.
+   * @throws IOException
+   *           thrown if an IO error occurred.
+   * @throws AuthenticationException
+   *           thrown if the authentication failed.
+   */
+  @Override
+  public AuthenticationToken authenticate(HttpServletRequest request,
+      HttpServletResponse response) throws IOException, AuthenticationException {
+
+    AuthenticationToken token;
+    String delegationParam = this.getEncodedDelegationTokenFromRequest(request);
+    if (delegationParam != null) {
+      Token<RMDelegationTokenIdentifier> dt =
+          new Token<RMDelegationTokenIdentifier>();
+      ;
+      dt.decodeFromUrlString(delegationParam);
+      UserGroupInformation ugi = this.verifyToken(dt);
+      if (ugi == null) {
+        throw new AuthenticationException("Invalid token");
+      }
+      final String shortName = ugi.getShortUserName();
+      token = new AuthenticationToken(shortName, ugi.getUserName(), getType());
+    } else {
+      token = super.authenticate(request, response);
+      if (token != null) {
+        // create a token with auth type set correctly
+        token =
+            new AuthenticationToken(token.getUserName(), token.getName(),
+              super.getType());
+      }
+    }
+    return token;
+  }
+
+  /**
+   * Verifies a delegation token.
+   * 
+   * @param token
+   *          delegation token to verify.
+   * @return the UGI for the token; null if the verification fails
+   * @throws IOException
+   *           thrown if the token could not be verified.
+   */
+  protected UserGroupInformation verifyToken(
+      Token<RMDelegationTokenIdentifier> token) throws IOException {
+    if (secretManagerInitialized == false) {
+      throw new IllegalStateException("Secret manager not initialized");
+    }
+    ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
+    DataInputStream dis = new DataInputStream(buf);
+    RMDelegationTokenIdentifier id = secretManager.createIdentifier();
+    try {
+      id.readFields(dis);
+      secretManager.verifyToken(id, token.getPassword());
+    } catch (Throwable t) {
+      return null;
+    } finally {
+      dis.close();
+    }
+    return id.getUser();
+  }
+
+  /**
+   * Extract encoded delegation token from request
+   * 
+   * @param req
+   *          HTTPServletRequest object
+   * 
+   * @return String containing the encoded token; null if encoded token not
+   *         found
+   * 
+   */
+  protected String getEncodedDelegationTokenFromRequest(HttpServletRequest req) {
+    String header = req.getHeader(HEADER);
+    return header;
+  }
+
+  public static void setSecretManager(RMDelegationTokenSecretManager manager) {
+    secretManager = manager;
+    secretManagerInitialized = true;
+  }
+
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java
index 0493efdb7d4..a8ec19260ed 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java
@@ -55,6 +55,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.io.DataOutputBuffer;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.Credentials;
@@ -680,6 +681,11 @@ public Response updateAppState(AppState targetState,
       throw new AuthorizationException(msg);
     }
 
+    if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) {
+      String msg = "The default static user cannot carry out this operation.";
+      return Response.status(Status.FORBIDDEN).entity(msg).build();
+    }
+
     String userName = callerUGI.getUserName();
     RMApp app = null;
     try {
@@ -800,6 +806,13 @@ private UserGroupInformation getCallerUserGroupInformation(
     return callerUGI;
   }
 
+  private boolean isStaticUser(UserGroupInformation callerUGI) {
+    String staticUser =
+        conf.get(CommonConfigurationKeys.HADOOP_HTTP_STATIC_USER,
+          CommonConfigurationKeys.DEFAULT_HADOOP_HTTP_STATIC_USER);
+    return staticUser.equals(callerUGI.getUserName());
+  }
+
   /**
    * Generates a new ApplicationId which is then sent to the client
    * 
@@ -822,6 +835,10 @@ public Response createNewApplication(@Context HttpServletRequest hsr)
       throw new AuthorizationException("Unable to obtain user name, "
           + "user not authenticated");
     }
+    if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) {
+      String msg = "The default static user cannot carry out this operation.";
+      return Response.status(Status.FORBIDDEN).entity(msg).build();
+    }
 
     NewApplication appId = createNewApplication();
     return Response.status(Status.OK).entity(appId).build();
@@ -859,6 +876,11 @@ public Response submitApplication(ApplicationSubmissionContextInfo newApp,
           + "user not authenticated");
     }
 
+    if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) {
+      String msg = "The default static user cannot carry out this operation.";
+      return Response.status(Status.FORBIDDEN).entity(msg).build();
+    }
+
     ApplicationSubmissionContext appContext =
         createAppSubmissionContext(newApp);
     final SubmitApplicationRequest req =
@@ -975,7 +997,7 @@ protected Resource createAppSubmissionContextResource(
    * 
    * @param newApp
    *          the information provided by the user
-   * @return
+   * @return created context
    * @throws BadRequestException
    * @throws IOException
    */
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java
new file mode 100644
index 00000000000..34a914a7541
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java
@@ -0,0 +1,354 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.resourcemanager.webapp;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.io.StringWriter;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.util.concurrent.Callable;
+
+import javax.ws.rs.core.MediaType;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Marshaller;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.KerberosTestUtils;
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler;
+import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.ApplicationSubmissionContextInfo;
+import org.apache.hadoop.yarn.util.ConverterUtils;
+import org.codehaus.jettison.json.JSONObject;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.sun.jersey.api.client.ClientResponse.Status;
+
+public class TestRMWebServicesDelegationTokenAuthentication {
+
+  private static final File testRootDir = new File("target",
+    TestRMWebServicesDelegationTokenAuthentication.class.getName() + "-root");
+  private static File httpSpnegoKeytabFile = new File(
+    KerberosTestUtils.getKeytabFile());
+
+  private static String httpSpnegoPrincipal = KerberosTestUtils
+    .getServerPrincipal();
+
+  private static boolean miniKDCStarted = false;
+  private static MiniKdc testMiniKDC;
+  private static MockRM rm;
+
+  // use published header name
+  final static String DelegationTokenHeader =
+      "Hadoop-YARN-Auth-Delegation-Token";
+
+  @BeforeClass
+  public static void setUp() {
+    try {
+      testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir);
+      setupKDC();
+      setupAndStartRM();
+    } catch (Exception e) {
+      assertTrue("Couldn't create MiniKDC", false);
+    }
+  }
+
+  @AfterClass
+  public static void tearDown() {
+    if (testMiniKDC != null) {
+      testMiniKDC.stop();
+    }
+    if (rm != null) {
+      rm.stop();
+    }
+  }
+
+  public TestRMWebServicesDelegationTokenAuthentication() throws Exception {
+    super();
+  }
+
+  private static void setupAndStartRM() throws Exception {
+    Configuration rmconf = new Configuration();
+    rmconf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS,
+      YarnConfiguration.DEFAULT_RM_AM_MAX_ATTEMPTS);
+    rmconf.setClass(YarnConfiguration.RM_SCHEDULER, FifoScheduler.class,
+      ResourceScheduler.class);
+    rmconf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
+    String httpPrefix = "hadoop.http.authentication.";
+    rmconf.setStrings(httpPrefix + "type", "kerberos");
+    rmconf.set(httpPrefix + KerberosAuthenticationHandler.PRINCIPAL,
+      httpSpnegoPrincipal);
+    rmconf.set(httpPrefix + KerberosAuthenticationHandler.KEYTAB,
+      httpSpnegoKeytabFile.getAbsolutePath());
+    // use any file for signature secret
+    rmconf.set(httpPrefix + AuthenticationFilter.SIGNATURE_SECRET + ".file",
+      httpSpnegoKeytabFile.getAbsolutePath());
+    rmconf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
+      "kerberos");
+    rmconf.setBoolean(YarnConfiguration.RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER,
+      true);
+    rmconf.set(YarnConfiguration.RM_WEBAPP_SPNEGO_USER_NAME_KEY,
+      httpSpnegoPrincipal);
+    rmconf.set(YarnConfiguration.RM_KEYTAB,
+      httpSpnegoKeytabFile.getAbsolutePath());
+    rmconf.set(YarnConfiguration.RM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY,
+      httpSpnegoKeytabFile.getAbsolutePath());
+    rmconf.set(YarnConfiguration.NM_WEBAPP_SPNEGO_USER_NAME_KEY,
+      httpSpnegoPrincipal);
+    rmconf.set(YarnConfiguration.NM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY,
+      httpSpnegoKeytabFile.getAbsolutePath());
+    rmconf.setBoolean("mockrm.webapp.enabled", true);
+    UserGroupInformation.setConfiguration(rmconf);
+    rm = new MockRM(rmconf);
+    rm.start();
+
+  }
+
+  private static void setupKDC() throws Exception {
+    if (miniKDCStarted == false) {
+      testMiniKDC.start();
+      getKdc().createPrincipal(httpSpnegoKeytabFile, "HTTP/localhost",
+        "client", UserGroupInformation.getLoginUser().getShortUserName());
+      miniKDCStarted = true;
+    }
+  }
+
+  private static MiniKdc getKdc() {
+    return testMiniKDC;
+  }
+
+  // Test that you can authenticate with only delegation tokens
+  // 1. Get a delegation token using Kerberos auth(this ends up
+  // testing the fallback authenticator)
+  // 2. Submit an app without kerberos or delegation-token
+  // - we should get an UNAUTHORIZED response
+  // 3. Submit same app with delegation-token
+  // - we should get OK response
+  // - confirm owner of the app is the user whose
+  // delegation-token we used
+
+  @Test
+  public void testDelegationTokenAuth() throws Exception {
+    final String token = getDelegationToken("test");
+
+    ApplicationSubmissionContextInfo app =
+        new ApplicationSubmissionContextInfo();
+    String appid = "application_123_0";
+    app.setApplicationId(appid);
+    String requestBody = getMarshalledAppInfo(app);
+
+    URL url = new URL("http://localhost:8088/ws/v1/cluster/apps");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    setupConn(conn, "POST", "application/xml", requestBody);
+
+    // this should fail with unauthorized because only
+    // auth is kerberos or delegation token
+    try {
+      conn.getInputStream();
+      fail("we should not be here");
+    } catch (IOException e) {
+      assertEquals(Status.UNAUTHORIZED.getStatusCode(), conn.getResponseCode());
+    }
+
+    conn = (HttpURLConnection) url.openConnection();
+    conn.setRequestProperty(DelegationTokenHeader, token);
+    setupConn(conn, "POST", MediaType.APPLICATION_XML, requestBody);
+
+    // this should not fail
+    conn.getInputStream();
+    boolean appExists =
+        rm.getRMContext().getRMApps()
+          .containsKey(ConverterUtils.toApplicationId(appid));
+    assertTrue(appExists);
+    RMApp actualApp =
+        rm.getRMContext().getRMApps()
+          .get(ConverterUtils.toApplicationId(appid));
+    String owner = actualApp.getUser();
+    assertEquals("client", owner);
+
+    return;
+  }
+
+  // Test to make sure that cancelled delegation tokens
+  // are rejected
+  @Test
+  public void testCancelledDelegationToken() throws Exception {
+    String token = getDelegationToken("client");
+    cancelDelegationToken(token);
+    ApplicationSubmissionContextInfo app =
+        new ApplicationSubmissionContextInfo();
+    String appid = "application_123_0";
+    app.setApplicationId(appid);
+    String requestBody = getMarshalledAppInfo(app);
+
+    URL url = new URL("http://localhost:8088/ws/v1/cluster/apps");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    conn.setRequestProperty(DelegationTokenHeader, token);
+    setupConn(conn, "POST", MediaType.APPLICATION_XML, requestBody);
+
+    // this should fail with unauthorized because only
+    // auth is kerberos or delegation token
+    try {
+      conn.getInputStream();
+      fail("Authentication should fail with expired delegation tokens");
+    } catch (IOException e) {
+      assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
+    }
+    return;
+  }
+
+  // Test to make sure that we can't do delegation token
+  // functions using just delegation token auth
+  @Test
+  public void testDelegationTokenOps() throws Exception {
+    String token = getDelegationToken("client");
+    String createRequest = "{\"renewer\":\"test\"}";
+    String renewRequest = "{\"token\": \"" + token + "\"}";
+
+    // first test create and renew
+    String[] requests = { createRequest, renewRequest };
+    for (String requestBody : requests) {
+      URL url = new URL("http://localhost:8088/ws/v1/cluster/delegation-token");
+      HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+      conn.setRequestProperty(DelegationTokenHeader, token);
+      setupConn(conn, "POST", MediaType.APPLICATION_JSON, requestBody);
+      try {
+        conn.getInputStream();
+        fail("Creation/Renewing delegation tokens should not be "
+            + "allowed with token auth");
+      } catch (IOException e) {
+        assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
+      }
+    }
+
+    // test cancel
+    URL url = new URL("http://localhost:8088/ws/v1/cluster/delegation-token");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    conn.setRequestProperty(DelegationTokenHeader, token);
+    conn.setRequestProperty(RMWebServices.DELEGATION_TOKEN_HEADER, token);
+    setupConn(conn, "DELETE", null, null);
+    try {
+      conn.getInputStream();
+      fail("Cancelling delegation tokens should not be allowed with token auth");
+    } catch (IOException e) {
+      assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
+    }
+    return;
+  }
+
+  private String getDelegationToken(final String renewer) throws Exception {
+    String token = KerberosTestUtils.doAsClient(new Callable<String>() {
+      @Override
+      public String call() throws Exception {
+        String ret = null;
+        String body = "{\"renewer\":\"" + renewer + "\"}";
+        URL url =
+            new URL("http://localhost:8088/ws/v1/cluster/delegation-token");
+        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+        setupConn(conn, "POST", MediaType.APPLICATION_JSON, body);
+        InputStream response = conn.getInputStream();
+        assertEquals(Status.OK.getStatusCode(), conn.getResponseCode());
+        BufferedReader reader = null;
+        try {
+          reader = new BufferedReader(new InputStreamReader(response, "UTF8"));
+          for (String line; (line = reader.readLine()) != null;) {
+            JSONObject obj = new JSONObject(line);
+            if (obj.has("token")) {
+              reader.close();
+              response.close();
+              ret = obj.getString("token");
+              break;
+            }
+          }
+        } finally {
+          IOUtils.closeQuietly(reader);
+          IOUtils.closeQuietly(response);
+        }
+        return ret;
+      }
+    });
+    return token;
+  }
+
+  private void cancelDelegationToken(final String tokenString) throws Exception {
+
+    KerberosTestUtils.doAsClient(new Callable<Void>() {
+      @Override
+      public Void call() throws Exception {
+        URL url =
+            new URL("http://localhost:8088/ws/v1/cluster/delegation-token");
+        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+        conn.setRequestProperty(RMWebServices.DELEGATION_TOKEN_HEADER,
+          tokenString);
+        setupConn(conn, "DELETE", null, null);
+        InputStream response = conn.getInputStream();
+        assertEquals(Status.OK.getStatusCode(), conn.getResponseCode());
+        response.close();
+        return null;
+      }
+    });
+    return;
+  }
+
+  static String getMarshalledAppInfo(ApplicationSubmissionContextInfo appInfo)
+      throws Exception {
+
+    StringWriter writer = new StringWriter();
+    JAXBContext context =
+        JAXBContext.newInstance(ApplicationSubmissionContextInfo.class);
+    Marshaller m = context.createMarshaller();
+    m.marshal(appInfo, writer);
+    return writer.toString();
+  }
+
+  static void setupConn(HttpURLConnection conn, String method,
+      String contentType, String body) throws Exception {
+    conn.setRequestMethod(method);
+    conn.setDoOutput(true);
+    conn.setRequestProperty("Accept-Charset", "UTF8");
+    if (contentType != null && !contentType.isEmpty()) {
+      conn.setRequestProperty("Content-Type", contentType + ";charset=UTF8");
+      if (body != null && !body.isEmpty()) {
+        OutputStream stream = conn.getOutputStream();
+        stream.write(body.getBytes("UTF8"));
+        stream.close();
+      }
+    }
+  }
+
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebappAuthentication.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebappAuthentication.java
new file mode 100644
index 00000000000..2f6a02287c4
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebappAuthentication.java
@@ -0,0 +1,272 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.resourcemanager.webapp;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.Collection;
+
+import javax.ws.rs.core.MediaType;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.KerberosTestUtils;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler;
+import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.ApplicationSubmissionContextInfo;
+import org.apache.hadoop.yarn.util.ConverterUtils;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameters;
+
+import com.sun.jersey.api.client.ClientResponse.Status;
+
+/* Just a simple test class to ensure that the RM handles the static web user
+ * correctly for secure and un-secure modes
+ * 
+ */
+@RunWith(Parameterized.class)
+public class TestRMWebappAuthentication {
+
+  private static MockRM rm;
+  private static Configuration simpleConf;
+  private static Configuration kerberosConf;
+
+  private static final File testRootDir = new File("target",
+    TestRMWebServicesDelegationTokenAuthentication.class.getName() + "-root");
+  private static File httpSpnegoKeytabFile = new File(
+    KerberosTestUtils.getKeytabFile());
+
+  private static boolean miniKDCStarted = false;
+  private static MiniKdc testMiniKDC;
+
+  static {
+    simpleConf = new Configuration();
+    simpleConf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS,
+      YarnConfiguration.DEFAULT_RM_AM_MAX_ATTEMPTS);
+    simpleConf.setClass(YarnConfiguration.RM_SCHEDULER, FifoScheduler.class,
+      ResourceScheduler.class);
+    simpleConf.setBoolean("mockrm.webapp.enabled", true);
+    kerberosConf = new Configuration();
+    kerberosConf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS,
+      YarnConfiguration.DEFAULT_RM_AM_MAX_ATTEMPTS);
+    kerberosConf.setClass(YarnConfiguration.RM_SCHEDULER, FifoScheduler.class,
+      ResourceScheduler.class);
+    kerberosConf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
+    kerberosConf.set(
+      CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
+    kerberosConf.set(YarnConfiguration.RM_KEYTAB,
+      httpSpnegoKeytabFile.getAbsolutePath());
+    kerberosConf.setBoolean("mockrm.webapp.enabled", true);
+  }
+
+  @Parameters
+  public static Collection params() {
+    return Arrays.asList(new Object[][] { { 1, simpleConf },
+        { 2, kerberosConf } });
+  }
+
+  public TestRMWebappAuthentication(int run, Configuration conf) {
+    super();
+    setupAndStartRM(conf);
+  }
+
+  @BeforeClass
+  public static void setUp() {
+    try {
+      testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir);
+      setupKDC();
+    } catch (Exception e) {
+      assertTrue("Couldn't create MiniKDC", false);
+    }
+  }
+
+  @AfterClass
+  public static void tearDown() {
+    if (testMiniKDC != null) {
+      testMiniKDC.stop();
+    }
+  }
+
+  private static void setupKDC() throws Exception {
+    if (!miniKDCStarted) {
+      testMiniKDC.start();
+      getKdc().createPrincipal(httpSpnegoKeytabFile, "HTTP/localhost",
+        "client", UserGroupInformation.getLoginUser().getShortUserName());
+      miniKDCStarted = true;
+    }
+  }
+
+  private static MiniKdc getKdc() {
+    return testMiniKDC;
+  }
+
+  private static void setupAndStartRM(Configuration conf) {
+    UserGroupInformation.setConfiguration(conf);
+    rm = new MockRM(conf);
+  }
+
+  // ensure that in a non-secure cluster users can access
+  // the web pages as earlier and submit apps as anonymous
+  // user or by identifying themselves
+  @Test
+  public void testSimpleAuth() throws Exception {
+
+    rm.start();
+
+    // ensure users can access web pages
+    // this should work for secure and non-secure clusters
+    URL url = new URL("http://localhost:8088/cluster");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    try {
+      conn.getInputStream();
+      assertEquals(Status.OK.getStatusCode(), conn.getResponseCode());
+    } catch (Exception e) {
+      fail("Fetching url failed");
+    }
+
+    if (UserGroupInformation.isSecurityEnabled()) {
+      testAnonymousKerberosUser();
+    } else {
+      testAnonymousSimpleUser();
+    }
+
+    rm.stop();
+  }
+
+  private void testAnonymousKerberosUser() throws Exception {
+
+    ApplicationSubmissionContextInfo app =
+        new ApplicationSubmissionContextInfo();
+    String appid = "application_123_0";
+    app.setApplicationId(appid);
+    String requestBody =
+        TestRMWebServicesDelegationTokenAuthentication
+          .getMarshalledAppInfo(app);
+
+    URL url =
+        new URL("http://localhost:8088/ws/v1/cluster/apps/new-application");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    TestRMWebServicesDelegationTokenAuthentication.setupConn(conn, "POST",
+      "application/xml", requestBody);
+
+    try {
+      conn.getInputStream();
+      fail("Anonymous users should not be allowed to get new application ids in secure mode.");
+    } catch (IOException ie) {
+      assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
+    }
+
+    url = new URL("http://localhost:8088/ws/v1/cluster/apps");
+    conn = (HttpURLConnection) url.openConnection();
+    TestRMWebServicesDelegationTokenAuthentication.setupConn(conn, "POST",
+      "application/xml", requestBody);
+
+    try {
+      conn.getInputStream();
+      fail("Anonymous users should not be allowed to submit apps in secure mode.");
+    } catch (IOException ie) {
+      assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
+    }
+
+    requestBody = "{ \"state\": \"KILLED\"}";
+    url =
+        new URL(
+          "http://localhost:8088/ws/v1/cluster/apps/application_123_0/state");
+    conn = (HttpURLConnection) url.openConnection();
+    TestRMWebServicesDelegationTokenAuthentication.setupConn(conn, "PUT",
+      "application/json", requestBody);
+
+    try {
+      conn.getInputStream();
+      fail("Anonymous users should not be allowed to kill apps in secure mode.");
+    } catch (IOException ie) {
+      assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
+    }
+  }
+
+  private void testAnonymousSimpleUser() throws Exception {
+
+    ApplicationSubmissionContextInfo app =
+        new ApplicationSubmissionContextInfo();
+    String appid = "application_123_0";
+    app.setApplicationId(appid);
+    String requestBody =
+        TestRMWebServicesDelegationTokenAuthentication
+          .getMarshalledAppInfo(app);
+
+    URL url = new URL("http://localhost:8088/ws/v1/cluster/apps");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    TestRMWebServicesDelegationTokenAuthentication.setupConn(conn, "POST",
+      "application/xml", requestBody);
+
+    conn.getInputStream();
+    assertEquals(Status.ACCEPTED.getStatusCode(), conn.getResponseCode());
+    boolean appExists =
+        rm.getRMContext().getRMApps()
+          .containsKey(ConverterUtils.toApplicationId(appid));
+    assertTrue(appExists);
+    RMApp actualApp =
+        rm.getRMContext().getRMApps()
+          .get(ConverterUtils.toApplicationId(appid));
+    String owner = actualApp.getUser();
+    assertEquals(
+      rm.getConfig().get(CommonConfigurationKeys.HADOOP_HTTP_STATIC_USER,
+        CommonConfigurationKeys.DEFAULT_HADOOP_HTTP_STATIC_USER), owner);
+
+    appid = "application_123_1";
+    app.setApplicationId(appid);
+    requestBody =
+        TestRMWebServicesDelegationTokenAuthentication
+          .getMarshalledAppInfo(app);
+    url = new URL("http://localhost:8088/ws/v1/cluster/apps?user.name=client");
+    conn = (HttpURLConnection) url.openConnection();
+    TestRMWebServicesDelegationTokenAuthentication.setupConn(conn, "POST",
+      MediaType.APPLICATION_XML, requestBody);
+
+    conn.getInputStream();
+    appExists =
+        rm.getRMContext().getRMApps()
+          .containsKey(ConverterUtils.toApplicationId(appid));
+    assertTrue(appExists);
+    actualApp =
+        rm.getRMContext().getRMApps()
+          .get(ConverterUtils.toApplicationId(appid));
+    owner = actualApp.getUser();
+    assertEquals("client", owner);
+
+  }
+
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ResourceManagerRest.apt.vm b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ResourceManagerRest.apt.vm
index 1952e11176d..9609ba39de9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ResourceManagerRest.apt.vm
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ResourceManagerRest.apt.vm
@@ -2912,3 +2912,24 @@ Accept: application/xml
 +---+
 
   No response body.
+
+** Authentication using delegation tokens
+
+  This feature is in the alpha mode and may change in the future.
+
+  You can use delegation tokens to authenticate yourself when using YARN RM webservices. However, this requires setting the right configurations. The conditions for this are:
+
+    * Hadoop is setup in secure mode with the authentication type set to kerberos.
+
+    * Hadoop HTTP authentication is setup with the authentication type set to kerberos
+
+  Once setup, delegation tokens can be fetched using the web services listed above and used as shown in an example below:
+
++---+
+  PUT http://<rm http address:port>/ws/v1/cluster/apps/application_1399397633663_0003/state
+  Hadoop-YARN-Auth-Delegation-Token: MgASY2xpZW50QEVYQU1QTEUuQ09NDHRlc3QtcmVuZXdlcgCKAUbjqcHHigFHB7ZFxwQCFKWD3znCkDSy6SQIjRCLDydxbxvgE1JNX0RFTEVHQVRJT05fVE9LRU4A
+  Content-Type: application/json; charset=UTF8
+  {
+    "state":"KILLED"
+  }
++---+

From f49c2a1b625948119afd5a867db2101c4b2cfb0e Mon Sep 17 00:00:00 2001
From: Brandon Li <brandonli@apache.org>
Date: Mon, 28 Jul 2014 18:53:47 +0000
Subject: [PATCH 069/354] HDFS-6717. JIRA HDFS-5804 breaks default nfs-gateway
 behavior for unsecured config. Contributed by Brandon Li

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614125 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../src/site/apt/HdfsNfsGateway.apt.vm        | 60 +++++++------------
 2 files changed, 24 insertions(+), 39 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index eb524b209df..c4930e62217 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -938,6 +938,9 @@ Release 2.5.0 - UNRELEASED
     HDFS-6723. New NN webUI no longer displays decommissioned state for dead node.
     (Ming Ma via wheat9)
 
+    HDFS-6717. JIRA HDFS-5804 breaks default nfs-gateway behavior for unsecured config
+    (brandonli)
+
   BREAKDOWN OF HDFS-2006 SUBTASKS AND RELATED JIRAS
 
     HDFS-6299. Protobuf for XAttr and client-side implementation. (Yi Liu via umamahesh)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
index 54544cff46f..863ba39a739 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
@@ -44,10 +44,13 @@ HDFS NFS Gateway
 
 * {Configuration}
 
-   The user running the NFS-gateway must be able to proxy all the users using the NFS mounts. 
-   For instance, if user 'nfsserver' is running the gateway, and users belonging to the groups 'nfs-users1'
-   and 'nfs-users2' use the NFS mounts, then in core-site.xml of the namenode, the following must be set
-   (NOTE: replace 'nfsserver' with the user name starting the gateway in your cluster):
+   The NFS-gateway uses proxy user to proxy all the users accessing the NFS mounts. 
+   In non-secure mode, the user running the gateway is the proxy user, while in secure mode the
+   user in Kerberos keytab is the proxy user. Suppose the proxy user is 'nfsserver'
+   and users belonging to the groups 'nfs-users1'
+   and 'nfs-users2' use the NFS mounts, then in core-site.xml of the NameNode, the following
+   two properities must be set and only NameNode needs restart after the configuration change
+   (NOTE: replace the string 'nfsserver' with the proxy user name in your cluster):
 
 ----
 <property>
@@ -72,7 +75,9 @@ HDFS NFS Gateway
 ----
 
    The above are the only required configuration for the NFS gateway in non-secure mode. For Kerberized
-   hadoop clusters, the following configurations need to be added to hdfs-site.xml:
+   hadoop clusters, the following configurations need to be added to hdfs-site.xml for the gateway (NOTE: replace 
+   string "nfsserver" with the proxy user name and ensure the user contained in the keytab is
+   also the same proxy user):
 
 ----
   <property>
@@ -87,6 +92,8 @@ HDFS NFS Gateway
     <value>nfsserver/_HOST@YOUR-REALM.COM</value>
   </property>
 ----
+  
+   The rest of the NFS gateway configurations are optional for both secure and non-secure mode.
 
    The AIX NFS client has a {{{https://issues.apache.org/jira/browse/HDFS-6549}few known issues}}
    that prevent it from working correctly by default with the HDFS NFS
@@ -108,7 +115,7 @@ HDFS NFS Gateway
    have been committed.
 
    It's strongly recommended for the users to update a few configuration properties based on their use
-   cases. All the related configuration properties can be added or updated in hdfs-site.xml.
+   cases. All the following configuration properties can be added or updated in hdfs-site.xml.
   
    * If the client mounts the export with access time update allowed, make sure the following 
     property is not disabled in the configuration file. Only NameNode needs to restart after 
@@ -145,36 +152,6 @@ HDFS NFS Gateway
   </property>
 ---- 
 
-   * For optimal performance, it is recommended that rtmax be updated to
-     1MB. However, note that this 1MB is a per client allocation, and not
-     from a shared memory pool, and therefore a larger value may adversely 
-     affect small reads, consuming a lot of memory. The maximum value of 
-     this property is 1MB.
-
-----
-<property>
-  <name>nfs.rtmax</name>
-  <value>1048576</value>
-  <description>This is the maximum size in bytes of a READ request
-    supported by the NFS gateway. If you change this, make sure you
-    also update the nfs mount's rsize(add rsize= # of bytes to the 
-    mount directive).
-  </description>
-</property>
-----
-
-----
-<property>
-  <name>nfs.wtmax</name>
-  <value>65536</value>
-  <description>This is the maximum size in bytes of a WRITE request
-    supported by the NFS gateway. If you change this, make sure you
-    also update the nfs mount's wsize(add wsize= # of bytes to the 
-    mount directive).
-  </description>
-</property>
-----
-
   * By default, the export can be mounted by any client. To better control the access,
     users can update the following property. The value string contains machine name and
     access privilege, separated by whitespace
@@ -238,8 +215,10 @@ HDFS NFS Gateway
 
    [[3]] Start mountd and nfsd.
    
-     No root privileges are required for this command. However, ensure that the user starting
-     the Hadoop cluster and the user starting the NFS gateway are same.
+     No root privileges are required for this command. In non-secure mode, the NFS gateway
+     should be started by the proxy user mentioned at the beginning of this user guide. 
+     While in secure mode, any user can start NFS gateway 
+     as long as the user has read access to the Kerberos keytab defined in "nfs.keytab.file".
 
 -------------------------
      hadoop nfs3
@@ -339,7 +318,10 @@ HDFS NFS Gateway
 -------------------------------------------------------------------
 
   Then the users can access HDFS as part of the local file system except that, 
-  hard link and random write are not supported yet.
+  hard link and random write are not supported yet. To optimize the performance
+  of large file I/O, one can increase the NFS transfer size(rsize and wsize) during mount.
+  By default, NFS gateway supports 1MB as the maximum transfer size. For larger data
+  transfer size, one needs to update "nfs.rtmax" and "nfs.rtmax" in hdfs-site.xml.
 
 * {Allow mounts from unprivileged clients}
 

From 4f9ffc7455ae2182df1da1b7e3f5a55e645fc8a4 Mon Sep 17 00:00:00 2001
From: Tsz-wo Sze <szetszwo@apache.org>
Date: Mon, 28 Jul 2014 23:43:39 +0000
Subject: [PATCH 070/354] HDFS-6739. Add getDatanodeStorageReport to
 ClientProtocol.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614215 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  2 +
 .../org/apache/hadoop/hdfs/DFSClient.java     | 26 +++---
 .../hadoop/hdfs/protocol/ClientProtocol.java  | 12 ++-
 ...amenodeProtocolServerSideTranslatorPB.java | 19 +++-
 .../ClientNamenodeProtocolTranslatorPB.java   | 16 ++++
 ...atanodeProtocolClientSideTranslatorPB.java | 14 +--
 .../hadoop/hdfs/protocolPB/PBHelper.java      | 52 ++++++++++-
 .../blockmanagement/DatanodeDescriptor.java   |  9 ++
 .../blockmanagement/DatanodeStorageInfo.java  |  6 ++
 .../hdfs/server/namenode/FSNamesystem.java    | 28 +++++-
 .../server/namenode/NameNodeRpcServer.java    | 15 +++-
 .../protocol/DatanodeStorageReport.java       | 42 +++++++++
 .../main/proto/ClientNamenodeProtocol.proto   | 15 ++++
 .../src/main/proto/DatanodeProtocol.proto     | 24 -----
 .../hadoop-hdfs/src/main/proto/hdfs.proto     | 24 +++++
 .../hadoop/hdfs/TestDatanodeReport.java       | 90 ++++++++++++++-----
 .../hadoop/hdfs/protocolPB/TestPBHelper.java  | 17 +++-
 17 files changed, 326 insertions(+), 85 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/DatanodeStorageReport.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index c4930e62217..fca7e231045 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -324,6 +324,8 @@ Release 2.6.0 - UNRELEASED
     HDFS-6750. The DataNode should use its shared memory segment to mark
     short-circuit replicas that have been unlinked as stale (cmccabe)
 
+    HDFS-6739. Add getDatanodeStorageReport to ClientProtocol. (szetszwo)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index 9edb3db6585..45a9011a568 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -32,19 +32,21 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_CACHE_DROP_BEHIND_READS;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_CACHE_DROP_BEHIND_WRITES;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_CACHE_READAHEAD;
-import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_DATANODE_RESTART_TIMEOUT_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_CONTEXT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_CONTEXT_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_DATANODE_RESTART_TIMEOUT_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_DATANODE_RESTART_TIMEOUT_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_FAILOVER_MAX_ATTEMPTS_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_FAILOVER_MAX_ATTEMPTS_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_FAILOVER_SLEEPTIME_BASE_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_FAILOVER_SLEEPTIME_BASE_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_FAILOVER_SLEEPTIME_MAX_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_FAILOVER_SLEEPTIME_MAX_KEY;
-import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_RETRY_MAX_ATTEMPTS_DEFAULT;
-import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_RETRY_MAX_ATTEMPTS_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_MAX_BLOCK_ACQUIRE_FAILURES_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_MAX_BLOCK_ACQUIRE_FAILURES_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_READ_PREFETCH_SIZE_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_RETRY_MAX_ATTEMPTS_DEFAULT;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_RETRY_MAX_ATTEMPTS_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_RETRY_WINDOW_BASE;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_SOCKET_CACHE_CAPACITY_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_SOCKET_CACHE_CAPACITY_KEY;
@@ -60,8 +62,6 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_SOCKET_WRITE_TIMEOUT_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_REPLICATION_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_REPLICATION_KEY;
-import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_CONTEXT;
-import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_CLIENT_CONTEXT_DEFAULT;
 
 import java.io.BufferedOutputStream;
 import java.io.DataInputStream;
@@ -91,7 +91,6 @@
 
 import javax.net.SocketFactory;
 
-import com.google.common.collect.Lists;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
@@ -112,22 +111,22 @@
 import org.apache.hadoop.fs.MD5MD5CRC32FileChecksum;
 import org.apache.hadoop.fs.MD5MD5CRC32GzipFileChecksum;
 import org.apache.hadoop.fs.Options;
-import org.apache.hadoop.fs.XAttr;
-import org.apache.hadoop.fs.XAttrSetFlag;
 import org.apache.hadoop.fs.Options.ChecksumOpt;
 import org.apache.hadoop.fs.ParentNotDirectoryException;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.RemoteIterator;
 import org.apache.hadoop.fs.UnresolvedLinkException;
 import org.apache.hadoop.fs.VolumeId;
+import org.apache.hadoop.fs.XAttr;
+import org.apache.hadoop.fs.XAttrSetFlag;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.client.HdfsDataInputStream;
 import org.apache.hadoop.hdfs.client.HdfsDataOutputStream;
-import org.apache.hadoop.hdfs.protocol.AclException;
 import org.apache.hadoop.hdfs.net.Peer;
 import org.apache.hadoop.hdfs.net.TcpPeerServer;
+import org.apache.hadoop.hdfs.protocol.AclException;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveEntry;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveInfo;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveIterator;
@@ -158,8 +157,8 @@
 import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
 import org.apache.hadoop.hdfs.protocol.datatransfer.Op;
 import org.apache.hadoop.hdfs.protocol.datatransfer.ReplaceDatanodeOnFailure;
-import org.apache.hadoop.hdfs.protocol.datatransfer.TrustedChannelResolver;
 import org.apache.hadoop.hdfs.protocol.datatransfer.Sender;
+import org.apache.hadoop.hdfs.protocol.datatransfer.TrustedChannelResolver;
 import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataEncryptionKeyFactory;
 import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataTransferSaslUtil;
 import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient;
@@ -175,6 +174,7 @@
 import org.apache.hadoop.hdfs.server.datanode.CachingStrategy;
 import org.apache.hadoop.hdfs.server.namenode.NameNode;
 import org.apache.hadoop.hdfs.server.namenode.SafeModeException;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
 import org.apache.hadoop.io.DataOutputBuffer;
 import org.apache.hadoop.io.EnumSetWritable;
 import org.apache.hadoop.io.IOUtils;
@@ -200,6 +200,7 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Joiner;
 import com.google.common.base.Preconditions;
+import com.google.common.collect.Lists;
 import com.google.common.net.InetAddresses;
 
 /********************************************************
@@ -2192,6 +2193,11 @@ public DatanodeInfo[] datanodeReport(DatanodeReportType type)
     return namenode.getDatanodeReport(type);
   }
     
+  public DatanodeStorageReport[] getDatanodeStorageReport(
+      DatanodeReportType type) throws IOException {
+    return namenode.getDatanodeStorageReport(type);
+  }
+
   /**
    * Enter, leave or get safe mode.
    * 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index 9398c721a68..a2a52fef389 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -24,6 +24,7 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.fs.BatchedRemoteIterator.BatchedEntries;
 import org.apache.hadoop.fs.CacheFlag;
 import org.apache.hadoop.fs.ContentSummary;
 import org.apache.hadoop.fs.CreateFlag;
@@ -31,11 +32,10 @@
 import org.apache.hadoop.fs.FsServerDefaults;
 import org.apache.hadoop.fs.InvalidPathException;
 import org.apache.hadoop.fs.Options;
-import org.apache.hadoop.fs.XAttr;
-import org.apache.hadoop.fs.BatchedRemoteIterator.BatchedEntries;
 import org.apache.hadoop.fs.Options.Rename;
 import org.apache.hadoop.fs.ParentNotDirectoryException;
 import org.apache.hadoop.fs.UnresolvedLinkException;
+import org.apache.hadoop.fs.XAttr;
 import org.apache.hadoop.fs.XAttrSetFlag;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
@@ -47,6 +47,7 @@
 import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSelector;
 import org.apache.hadoop.hdfs.server.namenode.NotReplicatedYetException;
 import org.apache.hadoop.hdfs.server.namenode.SafeModeException;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
 import org.apache.hadoop.io.EnumSetWritable;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.io.retry.AtMostOnce;
@@ -654,6 +655,13 @@ public void renewLease(String clientName) throws AccessControlException,
   public DatanodeInfo[] getDatanodeReport(HdfsConstants.DatanodeReportType type)
       throws IOException;
 
+  /**
+   * Get a report on the current datanode storages.
+   */
+  @Idempotent
+  public DatanodeStorageReport[] getDatanodeStorageReport(
+      HdfsConstants.DatanodeReportType type) throws IOException;
+
   /**
    * Get the block size for the given file.
    * @param filename The name of the file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
index 3a312b0d418..df0d1b0006c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
@@ -72,6 +72,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.CreateSnapshotResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.CreateSymlinkRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.CreateSymlinkResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.DatanodeStorageReportProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.DeleteRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.DeleteResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.DeleteSnapshotRequestProto;
@@ -93,6 +94,8 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDataEncryptionKeyResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeReportRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeReportResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeStorageReportRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeStorageReportResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileInfoRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileInfoResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileLinkInfoRequestProto;
@@ -174,7 +177,6 @@
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeIDProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeInfoProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.LocatedBlockProto;
-import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.GetXAttrsRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.GetXAttrsResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.ListXAttrsRequestProto;
@@ -655,6 +657,21 @@ public GetDatanodeReportResponseProto getDatanodeReport(
     }
   }
 
+  @Override
+  public GetDatanodeStorageReportResponseProto getDatanodeStorageReport(
+      RpcController controller, GetDatanodeStorageReportRequestProto req)
+      throws ServiceException {
+    try {
+      List<DatanodeStorageReportProto> reports = PBHelper.convertDatanodeStorageReports(
+          server.getDatanodeStorageReport(PBHelper.convert(req.getType())));
+      return GetDatanodeStorageReportResponseProto.newBuilder()
+          .addAllDatanodeStorageReports(reports)
+          .build();
+    } catch (IOException e) {
+      throw new ServiceException(e);
+    }
+  }
+
   @Override
   public GetPreferredBlockSizeResponseProto getPreferredBlockSize(
       RpcController controller, GetPreferredBlockSizeRequestProto req)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
index d20ae1d14ea..0f8eba970ca 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
@@ -94,6 +94,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDataEncryptionKeyRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDataEncryptionKeyResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeReportRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeStorageReportRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileInfoRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileInfoResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileLinkInfoRequestProto;
@@ -151,6 +152,7 @@
 import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
 import org.apache.hadoop.hdfs.server.namenode.NotReplicatedYetException;
 import org.apache.hadoop.hdfs.server.namenode.SafeModeException;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
 import org.apache.hadoop.io.EnumSetWritable;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.ipc.ProtobufHelper;
@@ -580,6 +582,20 @@ public DatanodeInfo[] getDatanodeReport(DatanodeReportType type)
     }
   }
 
+  @Override
+  public DatanodeStorageReport[] getDatanodeStorageReport(DatanodeReportType type)
+      throws IOException {
+    final GetDatanodeStorageReportRequestProto req
+        = GetDatanodeStorageReportRequestProto.newBuilder()
+            .setType(PBHelper.convert(type)).build();
+    try {
+      return PBHelper.convertDatanodeStorageReports(
+          rpcProxy.getDatanodeStorageReport(null, req).getDatanodeStorageReportsList());
+    } catch (ServiceException e) {
+      throw ProtobufHelper.getRemoteException(e);
+    }
+  }
+
   @Override
   public long getPreferredBlockSize(String filename) throws IOException,
       UnresolvedLinkException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/DatanodeProtocolClientSideTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/DatanodeProtocolClientSideTranslatorPB.java
index 5775d6e2634..46023ecaa34 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/DatanodeProtocolClientSideTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/DatanodeProtocolClientSideTranslatorPB.java
@@ -21,18 +21,13 @@
 import java.io.Closeable;
 import java.io.IOException;
 import java.net.InetSocketAddress;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
-import java.util.concurrent.TimeUnit;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.hdfs.protocol.AlreadyBeingCreatedException;
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
-import org.apache.hadoop.hdfs.protocol.HdfsConstants;
 import org.apache.hadoop.hdfs.protocol.LocatedBlock;
 import org.apache.hadoop.hdfs.protocol.RollingUpgradeStatus;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.BlockReceivedAndDeletedRequestProto;
@@ -51,7 +46,6 @@
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.StorageBlockReportProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.StorageReceivedDeletedBlocksProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.VersionRequestProto;
-import org.apache.hadoop.hdfs.server.namenode.NameNode;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeCommand;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeRegistration;
@@ -61,14 +55,10 @@
 import org.apache.hadoop.hdfs.server.protocol.StorageBlockReport;
 import org.apache.hadoop.hdfs.server.protocol.StorageReceivedDeletedBlocks;
 import org.apache.hadoop.hdfs.server.protocol.StorageReport;
-import org.apache.hadoop.io.retry.RetryPolicies;
-import org.apache.hadoop.io.retry.RetryPolicy;
-import org.apache.hadoop.io.retry.RetryProxy;
 import org.apache.hadoop.ipc.ProtobufHelper;
 import org.apache.hadoop.ipc.ProtobufRpcEngine;
 import org.apache.hadoop.ipc.ProtocolMetaInterface;
 import org.apache.hadoop.ipc.RPC;
-import org.apache.hadoop.ipc.RemoteException;
 import org.apache.hadoop.ipc.RpcClientUtil;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -137,9 +127,7 @@ public HeartbeatResponse sendHeartbeat(DatanodeRegistration registration,
         .setRegistration(PBHelper.convert(registration))
         .setXmitsInProgress(xmitsInProgress).setXceiverCount(xceiverCount)
         .setFailedVolumes(failedVolumes);
-    for (StorageReport r : reports) {
-      builder.addReports(PBHelper.convert(r));
-    }
+    builder.addAllReports(PBHelper.convertStorageReports(reports));
     if (cacheCapacity != 0) {
       builder.setCacheCapacity(cacheCapacity);
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index bd7e5f13918..5706aab062f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -90,6 +90,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.CachePoolStatsProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.CreateFlagProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.DatanodeReportTypeProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.DatanodeStorageReportProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFsStatsResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.RollingUpgradeActionProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.RollingUpgradeInfoProto;
@@ -102,14 +103,11 @@
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.BlockRecoveryCommandProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.DatanodeCommandProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.DatanodeRegistrationProto;
-import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.DatanodeStorageProto;
-import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.DatanodeStorageProto.StorageState;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.FinalizeCommandProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.KeyUpdateCommandProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.NNHAStatusHeartbeatProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.ReceivedDeletedBlockInfoProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.RegisterCommandProto;
-import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.StorageReportProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.BlockKeyProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.BlockProto;
@@ -125,6 +123,8 @@
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeInfoProto.AdminState;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeInfosProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeLocalInfoProto;
+import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeStorageProto;
+import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeStorageProto.StorageState;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DirectoryListingProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.ExportedBlockKeysProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.ExtendedBlockProto;
@@ -149,6 +149,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.SnapshottableDirectoryListingProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.SnapshottableDirectoryStatusProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageInfoProto;
+import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageReportProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageTypeProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageTypesProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageUuidsProto;
@@ -182,6 +183,7 @@
 import org.apache.hadoop.hdfs.server.protocol.DatanodeRegistration;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeStorage;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeStorage.State;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
 import org.apache.hadoop.hdfs.server.protocol.FinalizeCommand;
 import org.apache.hadoop.hdfs.server.protocol.JournalInfo;
 import org.apache.hadoop.hdfs.server.protocol.KeyUpdateCommand;
@@ -620,6 +622,41 @@ public static DatanodeInfoProto convert(DatanodeInfo info) {
     return builder.build();
   }
 
+  public static DatanodeStorageReportProto convertDatanodeStorageReport(
+      DatanodeStorageReport report) {
+    return DatanodeStorageReportProto.newBuilder()
+        .setDatanodeInfo(convert(report.getDatanodeInfo()))
+        .addAllStorageReports(convertStorageReports(report.getStorageReports()))
+        .build();
+  }
+
+  public static List<DatanodeStorageReportProto> convertDatanodeStorageReports(
+      DatanodeStorageReport[] reports) {
+    final List<DatanodeStorageReportProto> protos
+        = new ArrayList<DatanodeStorageReportProto>(reports.length);
+    for(int i = 0; i < reports.length; i++) {
+      protos.add(convertDatanodeStorageReport(reports[i]));
+    }
+    return protos;
+  }
+
+  public static DatanodeStorageReport convertDatanodeStorageReport(
+      DatanodeStorageReportProto proto) {
+    return new DatanodeStorageReport(
+        convert(proto.getDatanodeInfo()),
+        convertStorageReports(proto.getStorageReportsList()));
+  }
+
+  public static DatanodeStorageReport[] convertDatanodeStorageReports(
+      List<DatanodeStorageReportProto> protos) {
+    final DatanodeStorageReport[] reports
+        = new DatanodeStorageReport[protos.size()];
+    for(int i = 0; i < reports.length; i++) {
+      reports[i] = convertDatanodeStorageReport(protos.get(i));
+    }
+    return reports;
+  }
+
   public static AdminStates convert(AdminState adminState) {
     switch(adminState) {
     case DECOMMISSION_INPROGRESS:
@@ -1713,6 +1750,15 @@ public static StorageReport[] convertStorageReports(
     return report;
   }
 
+  public static List<StorageReportProto> convertStorageReports(StorageReport[] storages) {
+    final List<StorageReportProto> protos = new ArrayList<StorageReportProto>(
+        storages.length);
+    for(int i = 0; i < storages.length; i++) {
+      protos.add(convert(storages[i]));
+    }
+    return protos;
+  }
+
   public static JournalInfo convert(JournalInfoProto info) {
     int lv = info.hasLayoutVersion() ? info.getLayoutVersion() : 0;
     int nsID = info.hasNamespaceID() ? info.getNamespaceID() : 0;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java
index a645d434985..fcc189d9f9b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java
@@ -259,6 +259,15 @@ DatanodeStorageInfo[] getStorageInfos() {
     }
   }
 
+  public StorageReport[] getStorageReports() {
+    final StorageReport[] reports = new StorageReport[storageMap.size()];
+    final DatanodeStorageInfo[] infos = getStorageInfos();
+    for(int i = 0; i < infos.length; i++) {
+      reports[i] = infos[i].toStorageReport();
+    }
+    return reports;
+  }
+
   boolean hasStaleStorages() {
     synchronized (storageMap) {
       for (DatanodeStorageInfo storage : storageMap.values()) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
index f7bab3ced6a..fa4b0e533bd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
@@ -291,6 +291,12 @@ public int hashCode() {
   public String toString() {
     return "[" + storageType + "]" + storageID + ":" + state;
   }
+  
+  StorageReport toStorageReport() {
+    return new StorageReport(
+        new DatanodeStorage(storageID, state, storageType),
+        false, capacity, dfsUsed, remaining, blockPoolUsed);
+  }
 
   /** @return the first {@link DatanodeStorageInfo} corresponding to
    *          the given datanode
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index a705f17dd27..f12c4e2cfe1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -62,6 +62,8 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_MAX_OBJECTS_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_MAX_OBJECTS_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_NAME_DIR_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_RANDOMIZE_BLOCK_LOCATIONS_PER_BLOCK;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_RANDOMIZE_BLOCK_LOCATIONS_PER_BLOCK_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_REPLICATION_MIN_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_REPLICATION_MIN_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_REPL_QUEUE_THRESHOLD_PCT_KEY;
@@ -83,9 +85,6 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_REPLICATION_DEFAULT;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_REPLICATION_KEY;
-import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_RANDOMIZE_BLOCK_LOCATIONS_PER_BLOCK;
-import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_RANDOMIZE_BLOCK_LOCATIONS_PER_BLOCK_DEFAULT;
-
 import static org.apache.hadoop.util.Time.now;
 
 import java.io.BufferedWriter;
@@ -231,6 +230,7 @@
 import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeCommand;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeRegistration;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
 import org.apache.hadoop.hdfs.server.protocol.HeartbeatResponse;
 import org.apache.hadoop.hdfs.server.protocol.NNHAStatusHeartbeat;
 import org.apache.hadoop.hdfs.server.protocol.NamenodeCommand;
@@ -4916,6 +4916,28 @@ DatanodeInfo[] datanodeReport(final DatanodeReportType type
     }
   }
 
+  DatanodeStorageReport[] getDatanodeStorageReport(final DatanodeReportType type
+      ) throws AccessControlException, StandbyException {
+    checkSuperuserPrivilege();
+    checkOperation(OperationCategory.UNCHECKED);
+    readLock();
+    try {
+      checkOperation(OperationCategory.UNCHECKED);
+      final DatanodeManager dm = getBlockManager().getDatanodeManager();      
+      final List<DatanodeDescriptor> datanodes = dm.getDatanodeListForReport(type);
+
+      DatanodeStorageReport[] reports = new DatanodeStorageReport[datanodes.size()];
+      for (int i = 0; i < reports.length; i++) {
+        final DatanodeDescriptor d = datanodes.get(i);
+        reports[i] = new DatanodeStorageReport(new DatanodeInfo(d),
+            d.getStorageReports());
+      }
+      return reports;
+    } finally {
+      readUnlock();
+    }
+  }
+
   /**
    * Save namespace image.
    * This will save current namespace into fsimage file and empty edits file.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index f1f67247c26..2c2cd4f2272 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -115,6 +115,7 @@
 import org.apache.hadoop.hdfs.server.protocol.DatanodeCommand;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeRegistration;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
 import org.apache.hadoop.hdfs.server.protocol.FinalizeCommand;
 import org.apache.hadoop.hdfs.server.protocol.HeartbeatResponse;
 import org.apache.hadoop.hdfs.server.protocol.NamenodeCommand;
@@ -830,11 +831,23 @@ public DatanodeInfo[] getDatanodeReport(DatanodeReportType type)
   throws IOException {
     DatanodeInfo results[] = namesystem.datanodeReport(type);
     if (results == null ) {
-      throw new IOException("Cannot find datanode report");
+      throw new IOException("Failed to get datanode report for " + type
+          + " datanodes.");
     }
     return results;
   }
     
+  @Override // ClientProtocol
+  public DatanodeStorageReport[] getDatanodeStorageReport(
+      DatanodeReportType type) throws IOException {
+    final DatanodeStorageReport[] reports = namesystem.getDatanodeStorageReport(type);
+    if (reports == null ) {
+      throw new IOException("Failed to get datanode storage report for " + type
+          + " datanodes.");
+    }
+    return reports;
+  }
+
   @Override // ClientProtocol
   public boolean setSafeMode(SafeModeAction action, boolean isChecked)
       throws IOException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/DatanodeStorageReport.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/DatanodeStorageReport.java
new file mode 100644
index 00000000000..6a956a0fac1
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/DatanodeStorageReport.java
@@ -0,0 +1,42 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.server.protocol;
+
+import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
+
+/**
+ * Class captures information of a datanode and its storages.
+ */
+public class DatanodeStorageReport {
+  final DatanodeInfo datanodeInfo;
+  final StorageReport[] storageReports;
+
+  public DatanodeStorageReport(DatanodeInfo datanodeInfo,
+      StorageReport[] storageReports) {
+    this.datanodeInfo = datanodeInfo;
+    this.storageReports = storageReports;
+  }
+
+  public DatanodeInfo getDatanodeInfo() {
+    return datanodeInfo;
+  }
+
+  public StorageReport[] getStorageReports() {
+    return storageReports;
+  }
+}
\ No newline at end of file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
index 5a75c41fb54..d2f92d64d0e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
@@ -281,6 +281,19 @@ message GetDatanodeReportResponseProto {
   repeated DatanodeInfoProto di = 1;
 }
 
+message GetDatanodeStorageReportRequestProto {
+  required DatanodeReportTypeProto type = 1;
+}
+
+message DatanodeStorageReportProto {
+  required DatanodeInfoProto datanodeInfo = 1;
+  repeated StorageReportProto storageReports = 2;
+}
+
+message GetDatanodeStorageReportResponseProto {
+  repeated DatanodeStorageReportProto datanodeStorageReports = 1;
+}
+
 message GetPreferredBlockSizeRequestProto {
   required string filename = 1;
 }
@@ -672,6 +685,8 @@ service ClientNamenodeProtocol {
   rpc getFsStats(GetFsStatusRequestProto) returns(GetFsStatsResponseProto);
   rpc getDatanodeReport(GetDatanodeReportRequestProto)
       returns(GetDatanodeReportResponseProto);
+  rpc getDatanodeStorageReport(GetDatanodeStorageReportRequestProto)
+      returns(GetDatanodeStorageReportResponseProto);
   rpc getPreferredBlockSize(GetPreferredBlockSizeRequestProto)
       returns(GetPreferredBlockSizeResponseProto);
   rpc setSafeMode(SetSafeModeRequestProto)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/DatanodeProtocol.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/DatanodeProtocol.proto
index 2afcf057f70..187761a4502 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/DatanodeProtocol.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/DatanodeProtocol.proto
@@ -44,20 +44,6 @@ message DatanodeRegistrationProto {
   required string softwareVersion = 4;        // Software version of the DN, e.g. "2.0.0"
 }
 
-/**
- * Represents a storage available on the datanode
- */
-message DatanodeStorageProto {
-  enum StorageState {
-    NORMAL = 0;
-    READ_ONLY_SHARED = 1;
-  }
-
-  required string storageUuid = 1;
-  optional StorageState state = 2 [default = NORMAL];
-  optional StorageTypeProto storageType = 3 [default = DISK];
-}
-
 /**
  * Commands sent from namenode to the datanodes
  */
@@ -196,16 +182,6 @@ message HeartbeatRequestProto {
   optional uint64 cacheUsed = 7 [default = 0 ];
 }
 
-message StorageReportProto {
-  required string storageUuid = 1 [ deprecated = true ];
-  optional bool failed = 2 [ default = false ];
-  optional uint64 capacity = 3 [ default = 0 ];
-  optional uint64 dfsUsed = 4 [ default = 0 ];
-  optional uint64 remaining = 5 [ default = 0 ];
-  optional uint64 blockPoolUsed = 6 [ default = 0 ];
-  optional DatanodeStorageProto storage = 7; // supersedes StorageUuid
-}
-
 /**
  * state - State the NN is in when returning response to the DN
  * txid - Highest transaction ID this NN has seen
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
index 8f15be6e92e..04fcc500e84 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
@@ -99,6 +99,30 @@ message DatanodeInfoProto {
   optional uint64 cacheUsed = 12 [default = 0];
 }
 
+/**
+ * Represents a storage available on the datanode
+ */
+message DatanodeStorageProto {
+  enum StorageState {
+    NORMAL = 0;
+    READ_ONLY_SHARED = 1;
+  }
+
+  required string storageUuid = 1;
+  optional StorageState state = 2 [default = NORMAL];
+  optional StorageTypeProto storageType = 3 [default = DISK];
+}
+
+message StorageReportProto {
+  required string storageUuid = 1 [ deprecated = true ];
+  optional bool failed = 2 [ default = false ];
+  optional uint64 capacity = 3 [ default = 0 ];
+  optional uint64 dfsUsed = 4 [ default = 0 ];
+  optional uint64 remaining = 5 [ default = 0 ];
+  optional uint64 blockPoolUsed = 6 [ default = 0 ];
+  optional DatanodeStorageProto storage = 7; // supersedes StorageUuid
+}
+
 /**
  * Summary of a file or directory
  */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeReport.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeReport.java
index d5802b0b54c..1e6db21d8af 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeReport.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeReport.java
@@ -21,19 +21,26 @@
 import static org.apache.hadoop.test.MetricsAsserts.getMetrics;
 import static org.junit.Assert.assertEquals;
 
-import java.net.InetSocketAddress;
-import java.util.ArrayList;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.Comparator;
+import java.util.List;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
 import org.apache.hadoop.hdfs.server.datanode.DataNode;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
+import org.apache.hadoop.hdfs.server.protocol.StorageReport;
 import org.junit.Test;
 
 /**
  * This test ensures the all types of data node report work correctly.
  */
 public class TestDatanodeReport {
+  static final Log LOG = LogFactory.getLog(TestDatanodeReport.class);
   final static private Configuration conf = new HdfsConfiguration();
   final static private int NUM_OF_DATANODES = 4;
     
@@ -50,20 +57,18 @@ public void testDatanodeReport() throws Exception {
     try {
       //wait until the cluster is up
       cluster.waitActive();
+      final String bpid = cluster.getNamesystem().getBlockPoolId();
+      final List<DataNode> datanodes = cluster.getDataNodes();
+      final DFSClient client = cluster.getFileSystem().dfs;
 
-      InetSocketAddress addr = new InetSocketAddress("localhost",
-          cluster.getNameNodePort());
-      DFSClient client = new DFSClient(addr, conf);
-
-      assertEquals(client.datanodeReport(DatanodeReportType.ALL).length,
-                   NUM_OF_DATANODES);
-      assertEquals(client.datanodeReport(DatanodeReportType.LIVE).length,
-                   NUM_OF_DATANODES);
-      assertEquals(client.datanodeReport(DatanodeReportType.DEAD).length, 0);
+      assertReports(NUM_OF_DATANODES, DatanodeReportType.ALL, client, datanodes, bpid);
+      assertReports(NUM_OF_DATANODES, DatanodeReportType.LIVE, client, datanodes, bpid);
+      assertReports(0, DatanodeReportType.DEAD, client, datanodes, bpid);
 
       // bring down one datanode
-      ArrayList<DataNode> datanodes = cluster.getDataNodes();
-      datanodes.remove(datanodes.size()-1).shutdown();
+      final DataNode last = datanodes.get(datanodes.size() - 1);
+      LOG.info("XXX shutdown datanode " + last.getDatanodeUuid());
+      last.shutdown();
 
       DatanodeInfo[] nodeInfo = client.datanodeReport(DatanodeReportType.DEAD);
       while (nodeInfo.length != 1) {
@@ -74,22 +79,59 @@ public void testDatanodeReport() throws Exception {
         nodeInfo = client.datanodeReport(DatanodeReportType.DEAD);
       }
 
-      assertEquals(client.datanodeReport(DatanodeReportType.LIVE).length,
-                   NUM_OF_DATANODES-1);
-      assertEquals(client.datanodeReport(DatanodeReportType.ALL).length,
-                   NUM_OF_DATANODES);
+      assertReports(NUM_OF_DATANODES, DatanodeReportType.ALL, client, datanodes, null);
+      assertReports(NUM_OF_DATANODES - 1, DatanodeReportType.LIVE, client, datanodes, null);
+      assertReports(1, DatanodeReportType.DEAD, client, datanodes, null);
 
       Thread.sleep(5000);
       assertGauge("ExpiredHeartbeats", 1, getMetrics("FSNamesystem"));
-    }finally {
+    } finally {
       cluster.shutdown();
     }
   }
- 
-  public static void main(String[] args) throws Exception {
-    new TestDatanodeReport().testDatanodeReport();
+  
+  final static Comparator<StorageReport> CMP = new Comparator<StorageReport>() {
+    @Override
+    public int compare(StorageReport left, StorageReport right) {
+      return left.getStorage().getStorageID().compareTo(
+            right.getStorage().getStorageID());
+    }
+  };
+
+  static void assertReports(int numDatanodes, DatanodeReportType type,
+      DFSClient client, List<DataNode> datanodes, String bpid) throws IOException {
+    final DatanodeInfo[] infos = client.datanodeReport(type);
+    assertEquals(numDatanodes, infos.length);
+    final DatanodeStorageReport[] reports = client.getDatanodeStorageReport(type);
+    assertEquals(numDatanodes, reports.length);
+    
+    for(int i = 0; i < infos.length; i++) {
+      assertEquals(infos[i], reports[i].getDatanodeInfo());
+      
+      final DataNode d = findDatanode(infos[i].getDatanodeUuid(), datanodes);
+      if (bpid != null) {
+        //check storage
+        final StorageReport[] computed = reports[i].getStorageReports();
+        Arrays.sort(computed, CMP);
+        final StorageReport[] expected = d.getFSDataset().getStorageReports(bpid);
+        Arrays.sort(expected, CMP);
+  
+        assertEquals(expected.length, computed.length);
+        for(int j = 0; j < expected.length; j++) {
+          assertEquals(expected[j].getStorage().getStorageID(),
+                       computed[j].getStorage().getStorageID());
+        }
+      }
+    }
   }
   
-}
-
-
+  static DataNode findDatanode(String id, List<DataNode> datanodes) {
+    for(DataNode d : datanodes) {
+      if (d.getDatanodeUuid().equals(id)) {
+        return d;
+      }
+    }
+    throw new IllegalStateException("Datnode " + id + " not in datanode list: "
+        + datanodes);
+  }
+}
\ No newline at end of file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java
index 6c8547ebf8d..440b4f3a6cc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java
@@ -31,25 +31,25 @@
 import org.apache.hadoop.fs.permission.AclEntryType;
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.FsAction;
-import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.DFSTestUtil;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo.AdminStates;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.LocatedBlock;
-import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.BlockCommandProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.BlockRecoveryCommandProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.DatanodeRegistrationProto;
-import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.DatanodeStorageProto;
+import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.BlockKeyProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.BlockProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.BlockWithLocationsProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.BlocksWithLocationsProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.CheckpointSignatureProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeIDProto;
+import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeStorageProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.ExportedBlockKeysProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.ExtendedBlockProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.LocatedBlockProto;
@@ -67,9 +67,18 @@
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.NodeType;
 import org.apache.hadoop.hdfs.server.common.StorageInfo;
 import org.apache.hadoop.hdfs.server.namenode.CheckpointSignature;
-import org.apache.hadoop.hdfs.server.protocol.*;
+import org.apache.hadoop.hdfs.server.protocol.BlockCommand;
+import org.apache.hadoop.hdfs.server.protocol.BlockRecoveryCommand;
 import org.apache.hadoop.hdfs.server.protocol.BlockRecoveryCommand.RecoveringBlock;
+import org.apache.hadoop.hdfs.server.protocol.BlocksWithLocations;
 import org.apache.hadoop.hdfs.server.protocol.BlocksWithLocations.BlockWithLocations;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeRegistration;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorage;
+import org.apache.hadoop.hdfs.server.protocol.NamenodeRegistration;
+import org.apache.hadoop.hdfs.server.protocol.NamespaceInfo;
+import org.apache.hadoop.hdfs.server.protocol.RemoteEditLog;
+import org.apache.hadoop.hdfs.server.protocol.RemoteEditLogManifest;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.proto.SecurityProtos.TokenProto;
 import org.apache.hadoop.security.token.Token;

From c6cddce752bf537ea6567101000d93cbbc18aa16 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 29 Jul 2014 00:44:12 +0000
Subject: [PATCH 071/354] HADOOP-10876. The constructor of Path should not take
 an empty URL as a parameter. Contributed by Zhihai Xu.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614230 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  3 +++
 .../main/java/org/apache/hadoop/fs/Path.java  | 16 ++++++++++++-
 .../java/org/apache/hadoop/fs/TestPath.java   | 24 +++++++++++++++++++
 3 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 34bd95103cd..b13598f9aa8 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -491,6 +491,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10830. Missing lock in JavaKeyStoreProvider.createCredentialEntry.
     (Benoy Antony via umamahesh)
 
+    HADOOP-10876. The constructor of Path should not take an empty URL as a
+    parameter. (Zhihai Xu via wang)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Path.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Path.java
index 54ddedaff1d..0e8db1df11e 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Path.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Path.java
@@ -128,7 +128,20 @@ private void checkPathArg( String path ) throws IllegalArgumentException {
            "Can not create a Path from an empty string");
     }   
   }
-  
+
+  /** check URI parameter of Path constructor. */
+  private void checkPathArg(URI aUri) throws IllegalArgumentException {
+    // disallow construction of a Path from an empty URI
+    if (aUri == null) {
+      throw new IllegalArgumentException(
+          "Can not create a Path from a null URI");
+    }
+    if (aUri.toString().isEmpty()) {
+      throw new IllegalArgumentException(
+          "Can not create a Path from an empty URI");
+    }
+  }
+
   /** Construct a path from a String.  Path strings are URIs, but with
    * unescaped elements and some additional normalization. */
   public Path(String pathString) throws IllegalArgumentException {
@@ -176,6 +189,7 @@ public Path(String pathString) throws IllegalArgumentException {
    * Construct a path from a URI
    */
   public Path(URI aUri) {
+    checkPathArg(aUri);
     uri = aUri.normalize();
   }
   
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestPath.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestPath.java
index 94908da7a38..54d25c995bd 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestPath.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestPath.java
@@ -26,11 +26,13 @@
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.io.AvroTestUtil;
+import org.apache.hadoop.test.GenericTestUtils;
 import org.apache.hadoop.util.Shell;
 
 import com.google.common.base.Joiner;
 
 import junit.framework.TestCase;
+import static org.junit.Assert.fail;
 
 public class TestPath extends TestCase {
   /**
@@ -305,6 +307,28 @@ public void testURI() throws URISyntaxException, IOException {
     // if the child uri is absolute path
     assertEquals("foo://bar/fud#boo", new Path(new Path(new URI(
         "foo://bar/baz#bud")), new Path(new URI("/fud#boo"))).toString());
+
+    // empty URI
+    URI uri3 = new URI("");
+    assertEquals("", uri3.toString());
+    try {
+      path = new Path(uri3);
+      fail("Expected exception for empty URI");
+    } catch (IllegalArgumentException e) {
+      // expect to receive an IllegalArgumentException
+      GenericTestUtils.assertExceptionContains("Can not create a Path"
+          + " from an empty URI", e);
+    }
+    // null URI
+    uri3 = null;
+    try {
+      path = new Path(uri3);
+      fail("Expected exception for null URI");
+    } catch (IllegalArgumentException e) {
+      // expect to receive an IllegalArgumentException
+      GenericTestUtils.assertExceptionContains("Can not create a Path"
+          + " from a null URI", e);
+    }
   }
 
   /** Test URIs created from Path objects */

From 260fd25568322c575b08b89d7ca60e75f000de41 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Tue, 29 Jul 2014 02:55:27 +0000
Subject: [PATCH 072/354] HADOOP-8069. Enable TCP_NODELAY by default for IPC.
 (Contributed by Todd Lipcon)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614242 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  3 +++
 .../fs/CommonConfigurationKeysPublic.java     |  4 ++--
 .../src/main/resources/core-default.xml       | 19 -------------------
 3 files changed, 5 insertions(+), 21 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index b13598f9aa8..c2f6f91edaf 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -460,6 +460,9 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-10882. Move DirectBufferPool into common util. (todd)
 
+    HADOOP-8069. Enable TCP_NODELAY by default for IPC. (Todd Lipcon via
+    Arpit Agarwal)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
index 57d4eec23be..59c08143bf4 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
@@ -207,7 +207,7 @@ public class CommonConfigurationKeysPublic {
   public static final String  IPC_CLIENT_TCPNODELAY_KEY =
     "ipc.client.tcpnodelay";
   /** Defalt value for IPC_CLIENT_TCPNODELAY_KEY */
-  public static final boolean IPC_CLIENT_TCPNODELAY_DEFAULT = false;
+  public static final boolean IPC_CLIENT_TCPNODELAY_DEFAULT = true;
   /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String  IPC_SERVER_LISTEN_QUEUE_SIZE_KEY =
     "ipc.server.listen.queue.size";
@@ -226,7 +226,7 @@ public class CommonConfigurationKeysPublic {
   public static final String  IPC_SERVER_TCPNODELAY_KEY =
     "ipc.server.tcpnodelay";
   /** Default value for IPC_SERVER_TCPNODELAY_KEY */
-  public static final boolean IPC_SERVER_TCPNODELAY_DEFAULT = false;
+  public static final boolean IPC_SERVER_TCPNODELAY_DEFAULT = true;
 
   /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
   public static final String  HADOOP_RPC_SOCKET_FACTORY_CLASS_DEFAULT_KEY =
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index 46bcf895a52..eeb2bb20fa8 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -807,25 +807,6 @@ for ldap providers in the same way as above does.
   </description>
 </property>
 
-<property>
-  <name>ipc.server.tcpnodelay</name>
-  <value>false</value>
-  <description>Turn on/off Nagle's algorithm for the TCP socket connection on 
-  the server. Setting to true disables the algorithm and may decrease latency
-  with a cost of more/smaller packets. 
-  </description>
-</property>
-
-<property>
-  <name>ipc.client.tcpnodelay</name>
-  <value>false</value>
-  <description>Turn on/off Nagle's algorithm for the TCP socket connection on 
-  the client. Setting to true disables the algorithm and may decrease latency
-  with a cost of more/smaller packets. 
-  </description>
-</property>
-
-
 <!-- Proxy Configuration -->
 
 <property>

From c0b49ff10728bb70bb60e6cb5973976f0466d247 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Tue, 29 Jul 2014 17:41:52 +0000
Subject: [PATCH 073/354] YARN-2328. FairScheduler: Verify update and
 continuous scheduling threads are stopped when the scheduler is stopped.
 (kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614432 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |  3 +
 .../scheduler/fair/FairScheduler.java         | 62 +++++++++++--------
 .../scheduler/fair/TestFairScheduler.java     | 25 ++++++++
 3 files changed, 65 insertions(+), 25 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index c0405106a01..d3efd1cf7b8 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -71,6 +71,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2211. Persist AMRMToken master key in RMStateStore for RM recovery.
     (Xuan Gong via jianhe)
 
+    YARN-2328. FairScheduler: Verify update and continuous scheduling threads are
+    stopped when the scheduler is stopped. (kasha)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
index 27a0075c1b2..4e1c244730a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
@@ -139,8 +139,11 @@ public class FairScheduler extends
   private final int UPDATE_DEBUG_FREQUENCY = 5;
   private int updatesToSkipForDebug = UPDATE_DEBUG_FREQUENCY;
 
-  private Thread updateThread;
-  private Thread schedulingThread;
+  @VisibleForTesting
+  Thread updateThread;
+
+  @VisibleForTesting
+  Thread schedulingThread;
   // timeout to join when we stop this service
   protected final long THREAD_JOIN_TIMEOUT_MS = 1000;
 
@@ -243,16 +246,21 @@ public QueueManager getQueueManager() {
   }
 
   /**
-   * A runnable which calls {@link FairScheduler#update()} every
+   * Thread which calls {@link FairScheduler#update()} every
    * <code>updateInterval</code> milliseconds.
    */
-  private class UpdateThread implements Runnable {
+  private class UpdateThread extends Thread {
+
+    @Override
     public void run() {
-      while (true) {
+      while (!Thread.currentThread().isInterrupted()) {
         try {
           Thread.sleep(updateInterval);
           update();
           preemptTasksIfNecessary();
+        } catch (InterruptedException ie) {
+          LOG.warn("Update thread interrupted. Exiting.");
+          return;
         } catch (Exception e) {
           LOG.error("Exception in fair scheduler UpdateThread", e);
         }
@@ -260,6 +268,26 @@ public void run() {
     }
   }
 
+  /**
+   * Thread which attempts scheduling resources continuously,
+   * asynchronous to the node heartbeats.
+   */
+  private class ContinuousSchedulingThread extends Thread {
+
+    @Override
+    public void run() {
+      while (!Thread.currentThread().isInterrupted()) {
+        try {
+          continuousSchedulingAttempt();
+          Thread.sleep(getContinuousSchedulingSleepMs());
+        } catch (InterruptedException e) {
+          LOG.warn("Continuous scheduling thread interrupted. Exiting.", e);
+          return;
+        }
+      }
+    }
+  }
+
   /**
    * Recompute the internal variables used by the scheduler - per-job weights,
    * fair shares, deficits, minimum slot allocations, and amount of used and
@@ -970,7 +998,7 @@ private synchronized void nodeUpdate(RMNode nm) {
     }
   }
 
-  void continuousSchedulingAttempt() {
+  void continuousSchedulingAttempt() throws InterruptedException {
     List<NodeId> nodeIdList = new ArrayList<NodeId>(nodes.keySet());
     // Sort the nodes by space available on them, so that we offer
     // containers on emptier nodes first, facilitating an even spread. This
@@ -1229,30 +1257,14 @@ private synchronized void initScheduler(Configuration conf)
       throw new IOException("Failed to start FairScheduler", e);
     }
 
-    updateThread = new Thread(new UpdateThread());
+    updateThread = new UpdateThread();
     updateThread.setName("FairSchedulerUpdateThread");
     updateThread.setDaemon(true);
 
     if (continuousSchedulingEnabled) {
       // start continuous scheduling thread
-      schedulingThread = new Thread(
-          new Runnable() {
-            @Override
-            public void run() {
-              while (!Thread.currentThread().isInterrupted()) {
-                try {
-                  continuousSchedulingAttempt();
-                  Thread.sleep(getContinuousSchedulingSleepMs());
-                } catch (InterruptedException e) {
-                  LOG.error("Continuous scheduling thread interrupted. Exiting. ",
-                      e);
-                  return;
-                }
-              }
-            }
-          }
-      );
-      schedulingThread.setName("ContinuousScheduling");
+      schedulingThread = new ContinuousSchedulingThread();
+      schedulingThread.setName("FairSchedulerContinuousScheduling");
       schedulingThread.setDaemon(true);
     }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
index 33ec3184a91..23c928c8f37 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
@@ -20,6 +20,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertSame;
@@ -3341,4 +3342,28 @@ public void testLowestCommonAncestorDeeperHierarchy() throws Exception {
         scheduler.findLowestCommonAncestorQueue(a1Queue, b1Queue);
     assertEquals(ancestorQueue, queue1);
   }
+
+  @Test
+  public void testThreadLifeCycle() throws InterruptedException {
+    conf.setBoolean(
+        FairSchedulerConfiguration.CONTINUOUS_SCHEDULING_ENABLED, true);
+    scheduler.init(conf);
+    scheduler.start();
+
+    Thread updateThread = scheduler.updateThread;
+    Thread schedulingThread = scheduler.schedulingThread;
+
+    assertTrue(updateThread.isAlive());
+    assertTrue(schedulingThread.isAlive());
+
+    scheduler.stop();
+
+    int numRetries = 100;
+    while (numRetries-- > 0 &&
+        (updateThread.isAlive() || schedulingThread.isAlive())) {
+      Thread.sleep(50);
+    }
+
+    assertNotEquals("One of the threads is still alive", 0, numRetries);
+  }
 }

From 407bb3d3e452c8277c498dd14e0cc5b7762a7091 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 29 Jul 2014 21:11:26 +0000
Subject: [PATCH 074/354] HDFS-6509. Create a special /.reserved/raw directory
 for raw access to encrypted data. Contributed by Charles Lamb.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1614490 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   3 +
 .../hdfs/server/namenode/FSDirectory.java     | 128 ++++++---
 .../hdfs/server/namenode/FSEditLogLoader.java |   3 +-
 .../hdfs/server/namenode/FSNamesystem.java    | 257 +++++++++++-------
 .../org/apache/hadoop/hdfs/DFSTestUtil.java   |  48 ++++
 .../hadoop/hdfs/TestEncryptionZones.java      |  19 +-
 6 files changed, 308 insertions(+), 150 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 99e2c12adaf..d6b4e5b1f10 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -62,6 +62,9 @@ fs-encryption (Unreleased)
     HDFS-6724. Decrypt EDEK before creating
     CryptoInputStream/CryptoOutputStream. (wang)
 
+    HDFS-6509. Create a special /.reserved/raw directory for raw access to
+    encrypted data. (clamb via wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index d20f3b991bc..f3ef5c3226b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -120,6 +120,8 @@ private static INodeDirectory createRoot(FSNamesystem namesystem) {
       + DOT_RESERVED_STRING;
   public final static byte[] DOT_RESERVED = 
       DFSUtil.string2Bytes(DOT_RESERVED_STRING);
+  private final static String RAW_STRING = "raw";
+  private final static byte[] RAW = DFSUtil.string2Bytes(RAW_STRING);
   public final static String DOT_INODES_STRING = ".inodes";
   public final static byte[] DOT_INODES = 
       DFSUtil.string2Bytes(DOT_INODES_STRING);
@@ -1315,6 +1317,7 @@ private static void checkSnapshot(INode target,
   DirectoryListing getListing(String src, byte[] startAfter,
       boolean needLocation) throws UnresolvedLinkException, IOException {
     String srcs = normalizePath(src);
+    final boolean isRawPath = isReservedRawName(src);
 
     readLock();
     try {
@@ -1330,7 +1333,7 @@ DirectoryListing getListing(String src, byte[] startAfter,
       if (!targetNode.isDirectory()) {
         return new DirectoryListing(
             new HdfsFileStatus[]{createFileStatus(HdfsFileStatus.EMPTY_NAME,
-                targetNode, needLocation, snapshot)}, 0);
+                targetNode, needLocation, snapshot, isRawPath)}, 0);
       }
 
       final INodeDirectory dirInode = targetNode.asDirectory();
@@ -1344,7 +1347,7 @@ DirectoryListing getListing(String src, byte[] startAfter,
       for (int i=0; i<numOfListing && locationBudget>0; i++) {
         INode cur = contents.get(startChild+i);
         listing[i] = createFileStatus(cur.getLocalNameBytes(), cur,
-            needLocation, snapshot);
+            needLocation, snapshot, isRawPath);
         listingCnt++;
         if (needLocation) {
             // Once we  hit lsLimit locations, stop.
@@ -1395,7 +1398,7 @@ private DirectoryListing getSnapshotsListing(String src, byte[] startAfter)
     for (int i = 0; i < numOfListing; i++) {
       Root sRoot = snapshots.get(i + skipSize).getRoot();
       listing[i] = createFileStatus(sRoot.getLocalNameBytes(), sRoot,
-          Snapshot.CURRENT_STATE_ID);
+          Snapshot.CURRENT_STATE_ID, false);
     }
     return new DirectoryListing(
         listing, snapshots.size() - skipSize - numOfListing);
@@ -1403,12 +1406,13 @@ private DirectoryListing getSnapshotsListing(String src, byte[] startAfter)
 
   /** Get the file info for a specific file.
    * @param src The string representation of the path to the file
-   * @param resolveLink whether to throw UnresolvedLinkException 
+   * @param resolveLink whether to throw UnresolvedLinkException
+   * @param isRawPath true if a /.reserved/raw pathname was passed by the user
    * @return object containing information regarding the file
    *         or null if file not found
    */
-  HdfsFileStatus getFileInfo(String src, boolean resolveLink)
-    throws UnresolvedLinkException, IOException {
+  HdfsFileStatus getFileInfo(String src, boolean resolveLink, boolean isRawPath)
+    throws IOException {
     String srcs = normalizePath(src);
     readLock();
     try {
@@ -1418,9 +1422,8 @@ HdfsFileStatus getFileInfo(String src, boolean resolveLink)
       final INodesInPath inodesInPath = getLastINodeInPath(srcs, resolveLink);
       final INode i = inodesInPath.getINode(0);
 
-      final int snapshotId = inodesInPath.getPathSnapshotId();
       return i == null? null: createFileStatus(HdfsFileStatus.EMPTY_NAME, i,
-          inodesInPath.getPathSnapshotId());
+          inodesInPath.getPathSnapshotId(), isRawPath);
     } finally {
       readUnlock();
     }
@@ -2259,22 +2262,25 @@ void reset() {
    * @param path the local name
    * @param node inode
    * @param needLocation if block locations need to be included or not
+   * @param isRawPath true if this is being called on behalf of a path in
+   *                  /.reserved/raw
    * @return a file status
    * @throws IOException if any error occurs
    */
   private HdfsFileStatus createFileStatus(byte[] path, INode node,
-      boolean needLocation, int snapshot) throws IOException {
+      boolean needLocation, int snapshot, boolean isRawPath)
+      throws IOException {
     if (needLocation) {
-      return createLocatedFileStatus(path, node, snapshot);
+      return createLocatedFileStatus(path, node, snapshot, isRawPath);
     } else {
-      return createFileStatus(path, node, snapshot);
+      return createFileStatus(path, node, snapshot, isRawPath);
     }
   }
   /**
    * Create FileStatus by file INode 
    */
    HdfsFileStatus createFileStatus(byte[] path, INode node,
-       int snapshot) throws IOException {
+       int snapshot, boolean isRawPath) throws IOException {
      long size = 0;     // length is zero for directories
      short replication = 0;
      long blocksize = 0;
@@ -2287,7 +2293,8 @@ HdfsFileStatus createFileStatus(byte[] path, INode node,
      int childrenNum = node.isDirectory() ? 
          node.asDirectory().getChildrenNum(snapshot) : 0;
 
-     FileEncryptionInfo feInfo = getFileEncryptionInfo(node, snapshot);
+     FileEncryptionInfo feInfo = isRawPath ? null :
+         getFileEncryptionInfo(node, snapshot);
 
      return new HdfsFileStatus(
         size, 
@@ -2310,12 +2317,14 @@ HdfsFileStatus createFileStatus(byte[] path, INode node,
    * Create FileStatus with location info by file INode
    */
   private HdfsLocatedFileStatus createLocatedFileStatus(byte[] path,
-      INode node, int snapshot) throws IOException {
+      INode node, int snapshot, boolean isRawPath) throws IOException {
     assert hasReadLock();
     long size = 0; // length is zero for directories
     short replication = 0;
     long blocksize = 0;
     LocatedBlocks loc = null;
+    final FileEncryptionInfo feInfo = isRawPath ? null :
+        getFileEncryptionInfo(node, snapshot);
     if (node.isFile()) {
       final INodeFile fileNode = node.asFile();
       size = fileNode.computeFileSize(snapshot);
@@ -2326,7 +2335,6 @@ private HdfsLocatedFileStatus createLocatedFileStatus(byte[] path,
       final boolean isUc = !inSnapshot && fileNode.isUnderConstruction();
       final long fileSize = !inSnapshot && isUc ? 
           fileNode.computeFileSizeNotIncludingLastUcBlock() : size;
-      final FileEncryptionInfo feInfo = getFileEncryptionInfo(node, snapshot);
 
       loc = getFSNamesystem().getBlockManager().createLocatedBlocks(
           fileNode.getBlocks(), fileSize, isUc, 0L, size, false,
@@ -2338,8 +2346,6 @@ private HdfsLocatedFileStatus createLocatedFileStatus(byte[] path,
     int childrenNum = node.isDirectory() ? 
         node.asDirectory().getChildrenNum(snapshot) : 0;
 
-    final FileEncryptionInfo feInfo = getFileEncryptionInfo(node, snapshot);
-
     HdfsLocatedFileStatus status =
         new HdfsLocatedFileStatus(size, node.isDirectory(), replication,
           blocksize, node.getModificationTime(snapshot),
@@ -2894,27 +2900,73 @@ public static boolean isReservedName(String src) {
     return src.startsWith(DOT_RESERVED_PATH_PREFIX);
   }
 
+  static boolean isReservedRawName(String src) {
+    return src.startsWith(DOT_RESERVED_PATH_PREFIX +
+        Path.SEPARATOR + RAW_STRING);
+  }
+
   /**
-   * Resolve the path of /.reserved/.inodes/<inodeid>/... to a regular path
+   * Resolve a /.reserved/... path to a non-reserved path.
+   * <p/>
+   * There are two special hierarchies under /.reserved/:
+   * <p/>
+   * /.reserved/.inodes/<inodeid> performs a path lookup by inodeid,
+   * <p/>
+   * /.reserved/raw/... returns the encrypted (raw) bytes of a file in an
+   * encryption zone. For instance, if /ezone is an encryption zone, then
+   * /ezone/a refers to the decrypted file and /.reserved/raw/ezone/a refers to
+   * the encrypted (raw) bytes of /ezone/a.
+   * <p/>
+   * Pathnames in the /.reserved/raw directory that resolve to files not in an
+   * encryption zone are equivalent to the corresponding non-raw path. Hence,
+   * if /a/b/c refers to a file that is not in an encryption zone, then
+   * /.reserved/raw/a/b/c is equivalent (they both refer to the same
+   * unencrypted file).
    * 
    * @param src path that is being processed
    * @param pathComponents path components corresponding to the path
    * @param fsd FSDirectory
-   * @return if the path indicates an inode, return path after replacing upto
+   * @return if the path indicates an inode, return path after replacing up to
    *         <inodeid> with the corresponding path of the inode, else the path
-   *         in {@code src} as is.
+   *         in {@code src} as is. If the path refers to a path in the "raw"
+   *         directory, return the non-raw pathname.
    * @throws FileNotFoundException if inodeid is invalid
    */
-  static String resolvePath(String src, byte[][] pathComponents, FSDirectory fsd)
+  static String resolvePath(String src, byte[][] pathComponents,
+      FSDirectory fsd) throws FileNotFoundException {
+    final int nComponents = (pathComponents == null) ?
+        0 : pathComponents.length;
+    if (nComponents <= 2) {
+      return src;
+    }
+    if (!Arrays.equals(DOT_RESERVED, pathComponents[1])) {
+      /* This is not a /.reserved/ path so do nothing. */
+      return src;
+    }
+
+    if (Arrays.equals(DOT_INODES, pathComponents[2])) {
+      /* It's a /.reserved/.inodes path. */
+      if (nComponents > 3) {
+        return resolveDotInodesPath(src, pathComponents, fsd);
+      } else {
+        return src;
+      }
+    } else if (Arrays.equals(RAW, pathComponents[2])) {
+      /* It's /.reserved/raw so strip off the /.reserved/raw prefix. */
+      if (nComponents == 3) {
+        return Path.SEPARATOR;
+      } else {
+        return constructRemainingPath("", pathComponents, 3);
+      }
+    } else {
+      /* It's some sort of /.reserved/<unknown> path. Ignore it. */
+      return src;
+    }
+  }
+
+  private static String resolveDotInodesPath(String src,
+      byte[][] pathComponents, FSDirectory fsd)
       throws FileNotFoundException {
-    if (pathComponents == null || pathComponents.length <= 3) {
-      return src;
-    }
-    // Not /.reserved/.inodes
-    if (!Arrays.equals(DOT_RESERVED, pathComponents[1])
-        || !Arrays.equals(DOT_INODES, pathComponents[2])) { // Not .inodes path
-      return src;
-    }
     final String inodeId = DFSUtil.bytes2String(pathComponents[3]);
     final long id;
     try {
@@ -2943,10 +2995,20 @@ static String resolvePath(String src, byte[][] pathComponents, FSDirectory fsd)
       }
     }
 
-    StringBuilder path = id == INodeId.ROOT_INODE_ID ? new StringBuilder()
-        : new StringBuilder(inode.getFullPathName());
-    for (int i = 4; i < pathComponents.length; i++) {
-      path.append(Path.SEPARATOR).append(DFSUtil.bytes2String(pathComponents[i]));
+    String path = "";
+    if (id != INodeId.ROOT_INODE_ID) {
+      path = inode.getFullPathName();
+    }
+    return constructRemainingPath(path, pathComponents, 4);
+  }
+
+  private static String constructRemainingPath(String pathPrefix,
+      byte[][] pathComponents, int startAt) {
+
+    StringBuilder path = new StringBuilder(pathPrefix);
+    for (int i = startAt; i < pathComponents.length; i++) {
+      path.append(Path.SEPARATOR).append(
+          DFSUtil.bytes2String(pathComponents[i]));
     }
     if (NameNode.LOG.isDebugEnabled()) {
       NameNode.LOG.debug("Resolved path is " + path);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSEditLogLoader.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSEditLogLoader.java
index a721491948d..d522e51bc23 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSEditLogLoader.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSEditLogLoader.java
@@ -364,7 +364,8 @@ private long applyEditLogOp(FSEditLogOp op, FSDirectory fsDir,
         // add the op into retry cache if necessary
         if (toAddRetryCache) {
           HdfsFileStatus stat = fsNamesys.dir.createFileStatus(
-              HdfsFileStatus.EMPTY_NAME, newFile, Snapshot.CURRENT_STATE_ID);
+              HdfsFileStatus.EMPTY_NAME, newFile, Snapshot.CURRENT_STATE_ID,
+              false);
           fsNamesys.addCacheEntryWithPayload(addCloseOp.rpcClientId,
               addCloseOp.rpcCallId, stat);
         }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 49fd82b00bf..7b29cedf9f4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -338,7 +338,7 @@ public boolean isAuditEnabled() {
   private HdfsFileStatus getAuditFileInfo(String path, boolean resolveSymlink)
       throws IOException {
     return (isAuditEnabled() && isExternalInvocation())
-        ? dir.getFileInfo(path, resolveSymlink) : null;
+        ? dir.getFileInfo(path, resolveSymlink, false) : null;
   }
   
   private void logAuditEvent(boolean succeeded, String cmd, String src)
@@ -1663,9 +1663,10 @@ void setPermission(String src, FsPermission permission)
     }
   }
 
-  private void setPermissionInt(String src, FsPermission permission)
+  private void setPermissionInt(final String srcArg, FsPermission permission)
       throws AccessControlException, FileNotFoundException, SafeModeException,
       UnresolvedLinkException, IOException {
+    String src = srcArg;
     HdfsFileStatus resultingStat = null;
     FSPermissionChecker pc = getPermissionChecker();
     checkOperation(OperationCategory.WRITE);
@@ -1674,7 +1675,7 @@ private void setPermissionInt(String src, FsPermission permission)
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot set permission for " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkOwner(pc, src);
       dir.setPermission(src, permission);
       getEditLog().logSetPermissions(src, permission);
@@ -1683,7 +1684,7 @@ private void setPermissionInt(String src, FsPermission permission)
       writeUnlock();
     }
     getEditLog().logSync();
-    logAuditEvent(true, "setPermission", src, null, resultingStat);
+    logAuditEvent(true, "setPermission", srcArg, null, resultingStat);
   }
 
   /**
@@ -1701,9 +1702,10 @@ void setOwner(String src, String username, String group)
     } 
   }
 
-  private void setOwnerInt(String src, String username, String group)
+  private void setOwnerInt(final String srcArg, String username, String group)
       throws AccessControlException, FileNotFoundException, SafeModeException,
       UnresolvedLinkException, IOException {
+    String src = srcArg;
     HdfsFileStatus resultingStat = null;
     FSPermissionChecker pc = getPermissionChecker();
     checkOperation(OperationCategory.WRITE);
@@ -1712,7 +1714,7 @@ private void setOwnerInt(String src, String username, String group)
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot set owner for " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkOwner(pc, src);
       if (!pc.isSuperUser()) {
         if (username != null && !pc.getUser().equals(username)) {
@@ -1729,7 +1731,7 @@ private void setOwnerInt(String src, String username, String group)
       writeUnlock();
     }
     getEditLog().logSync();
-    logAuditEvent(true, "setOwner", src, null, resultingStat);
+    logAuditEvent(true, "setOwner", srcArg, null, resultingStat);
   }
 
   /**
@@ -1812,10 +1814,11 @@ private LocatedBlocks getBlockLocationsInt(String src, long offset,
    * Get block locations within the specified range, updating the
    * access times if necessary. 
    */
-  private LocatedBlocks getBlockLocationsUpdateTimes(String src, long offset,
-      long length, boolean doAccessTime, boolean needBlockToken)
+  private LocatedBlocks getBlockLocationsUpdateTimes(final String srcArg,
+      long offset, long length, boolean doAccessTime, boolean needBlockToken)
       throws FileNotFoundException,
       UnresolvedLinkException, IOException {
+    String src = srcArg;
     FSPermissionChecker pc = getPermissionChecker();
     byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
     for (int attempt = 0; attempt < 2; attempt++) {
@@ -1827,7 +1830,7 @@ private LocatedBlocks getBlockLocationsUpdateTimes(String src, long offset,
         checkOperation(OperationCategory.WRITE);
         writeLock(); // writelock is needed to set accesstime
       }
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       try {
         if (isReadOp) {
           checkOperation(OperationCategory.READ);
@@ -1872,8 +1875,9 @@ && doAccessTime && isAccessTimeSupported()) {
           isUc = false;
         }
 
-        final FileEncryptionInfo feInfo = dir.getFileEncryptionInfo(inode,
-            iip.getPathSnapshotId());
+        final FileEncryptionInfo feInfo =
+          FSDirectory.isReservedRawName(srcArg) ?
+          null : dir.getFileEncryptionInfo(inode, iip.getPathSnapshotId());
 
         final LocatedBlocks blocks =
           blockManager.createLocatedBlocks(inode.getBlocks(), fileSize,
@@ -2098,8 +2102,9 @@ void setTimes(String src, long mtime, long atime)
     }
   }
 
-  private void setTimesInt(String src, long mtime, long atime) 
+  private void setTimesInt(final String srcArg, long mtime, long atime)
     throws IOException, UnresolvedLinkException {
+    String src = srcArg;
     HdfsFileStatus resultingStat = null;
     FSPermissionChecker pc = getPermissionChecker();
     checkOperation(OperationCategory.WRITE);
@@ -2108,7 +2113,7 @@ private void setTimesInt(String src, long mtime, long atime)
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot set times " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
 
       // Write access is required to set access and modification times
       if (isPermissionEnabled) {
@@ -2129,7 +2134,7 @@ private void setTimesInt(String src, long mtime, long atime)
     } finally {
       writeUnlock();
     }
-    logAuditEvent(true, "setTimes", src, null, resultingStat);
+    logAuditEvent(true, "setTimes", srcArg, null, resultingStat);
   }
 
   /**
@@ -2160,9 +2165,10 @@ void createSymlink(String target, String link,
     }
   }
 
-  private void createSymlinkInt(String target, String link,
+  private void createSymlinkInt(String target, final String linkArg,
       PermissionStatus dirPerms, boolean createParent, boolean logRetryCache) 
       throws IOException, UnresolvedLinkException {
+    String link = linkArg;
     if (NameNode.stateChangeLog.isDebugEnabled()) {
       NameNode.stateChangeLog.debug("DIR* NameSystem.createSymlink: target="
           + target + " link=" + link);
@@ -2175,7 +2181,7 @@ private void createSymlinkInt(String target, String link,
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot create symlink " + link);
-      link = FSDirectory.resolvePath(link, pathComponents, dir);
+      link = resolvePath(link, pathComponents);
       if (!createParent) {
         verifyParentDir(link);
       }
@@ -2196,7 +2202,7 @@ private void createSymlinkInt(String target, String link,
       writeUnlock();
     }
     getEditLog().logSync();
-    logAuditEvent(true, "createSymlink", link, target, resultingStat);
+    logAuditEvent(true, "createSymlink", linkArg, target, resultingStat);
   }
 
   /**
@@ -2222,8 +2228,9 @@ boolean setReplication(final String src, final short replication)
     }
   }
 
-  private boolean setReplicationInt(String src, final short replication)
-      throws IOException {
+  private boolean setReplicationInt(final String srcArg,
+      final short replication) throws IOException {
+    String src = srcArg;
     blockManager.verifyReplication(src, replication, null);
     final boolean isFile;
     FSPermissionChecker pc = getPermissionChecker();
@@ -2234,7 +2241,7 @@ private boolean setReplicationInt(String src, final short replication)
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot set replication for " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       if (isPermissionEnabled) {
         checkPathAccess(pc, src, FsAction.WRITE);
       }
@@ -2252,7 +2259,7 @@ private boolean setReplicationInt(String src, final short replication)
 
     getEditLog().logSync();
     if (isFile) {
-      logAuditEvent(true, "setReplication", src);
+      logAuditEvent(true, "setReplication", srcArg);
     }
     return isFile;
   }
@@ -2265,7 +2272,7 @@ long getPreferredBlockSize(String filename)
     readLock();
     try {
       checkOperation(OperationCategory.READ);
-      filename = FSDirectory.resolvePath(filename, pathComponents, dir);
+      filename = resolvePath(filename, pathComponents);
       if (isPermissionEnabled) {
         checkTraverse(pc, filename);
       }
@@ -2395,13 +2402,14 @@ HdfsFileStatus startFile(String src, PermissionStatus permissions,
     return status;
   }
 
-  private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
-      String holder, String clientMachine, EnumSet<CreateFlag> flag,
-      boolean createParent, short replication, long blockSize,
-      List<CipherSuite> cipherSuites, boolean logRetryCache)
+  private HdfsFileStatus startFileInt(final String srcArg,
+      PermissionStatus permissions, String holder, String clientMachine,
+      EnumSet<CreateFlag> flag, boolean createParent, short replication,
+      long blockSize, List<CipherSuite> cipherSuites, boolean logRetryCache)
       throws AccessControlException, SafeModeException,
       FileAlreadyExistsException, UnresolvedLinkException,
       FileNotFoundException, ParentNotDirectoryException, IOException {
+    String src = srcArg;
     if (NameNode.stateChangeLog.isDebugEnabled()) {
       StringBuilder builder = new StringBuilder();
       builder.append("DIR* NameSystem.startFile: src=" + src
@@ -2467,7 +2475,7 @@ private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
         String ezKeyName = null;
         readLock();
         try {
-          src = FSDirectory.resolvePath(src, pathComponents, dir);
+          src = resolvePath(src, pathComponents);
           INodesInPath iip = dir.getINodesInPath4Write(src);
           // Nothing to do if the path is not within an EZ
           if (dir.isInAnEZ(iip)) {
@@ -2496,11 +2504,12 @@ private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
         try {
           checkOperation(OperationCategory.WRITE);
           checkNameNodeSafeMode("Cannot create file" + src);
-          src = FSDirectory.resolvePath(src, pathComponents, dir);
+          src = resolvePath(src, pathComponents);
           startFileInternal(pc, src, permissions, holder, clientMachine, create,
               overwrite, createParent, replication, blockSize, suite, edek,
               logRetryCache);
-          stat = dir.getFileInfo(src, false);
+          stat = dir.getFileInfo(src, false,
+              FSDirectory.isReservedRawName(srcArg));
         } catch (StandbyException se) {
           skipSync = true;
           throw se;
@@ -2522,7 +2531,7 @@ private HdfsFileStatus startFileInt(String src, PermissionStatus permissions,
       }
     }
 
-    logAuditEvent(true, "create", src, null, stat);
+    logAuditEvent(true, "create", srcArg, null, stat);
     return stat;
   }
 
@@ -2767,7 +2776,7 @@ boolean recoverLease(String src, String holder, String clientMachine)
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot recover the lease of " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       final INodeFile inode = INodeFile.valueOf(dir.getINode(src), src);
       if (!inode.isUnderConstruction()) {
         return true;
@@ -2894,11 +2903,12 @@ LocatedBlock appendFile(String src, String holder, String clientMachine)
     }
   }
 
-  private LocatedBlock appendFileInt(String src, String holder,
+  private LocatedBlock appendFileInt(final String srcArg, String holder,
       String clientMachine, boolean logRetryCache)
       throws AccessControlException, SafeModeException,
       FileAlreadyExistsException, FileNotFoundException,
       ParentNotDirectoryException, IOException {
+    String src = srcArg;
     if (NameNode.stateChangeLog.isDebugEnabled()) {
       NameNode.stateChangeLog.debug("DIR* NameSystem.appendFile: src=" + src
           + ", holder=" + holder
@@ -2913,7 +2923,7 @@ private LocatedBlock appendFileInt(String src, String holder,
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot append to file" + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       lb = appendFileInternal(pc, src, holder, clientMachine, logRetryCache);
     } catch (StandbyException se) {
       skipSync = true;
@@ -2934,7 +2944,7 @@ private LocatedBlock appendFileInt(String src, String holder,
             +" block size " + lb.getBlock().getNumBytes());
       }
     }
-    logAuditEvent(true, "append", src);
+    logAuditEvent(true, "append", srcArg);
     return lb;
   }
 
@@ -2979,7 +2989,7 @@ LocatedBlock getAdditionalBlock(String src, long fileId, String clientName,
     readLock();
     try {
       checkOperation(OperationCategory.READ);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       LocatedBlock[] onRetryBlock = new LocatedBlock[1];
       FileState fileState = analyzeFileState(
           src, fileId, clientName, previous, onRetryBlock);
@@ -3202,7 +3212,7 @@ LocatedBlock getAdditionalDatanode(String src, long fileId,
       checkOperation(OperationCategory.READ);
       //check safe mode
       checkNameNodeSafeMode("Cannot add datanode; src=" + src + ", blk=" + blk);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
 
       //check lease
       final INode inode;
@@ -3255,7 +3265,7 @@ boolean abandonBlock(ExtendedBlock b, long fileId, String src, String holder)
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot abandon block " + b + " for file" + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
 
       final INode inode;
       if (fileId == INodeId.GRANDFATHER_INODE_ID) {
@@ -3337,9 +3347,10 @@ private INodeFile checkLease(String src, String holder, INode inode,
    *         (e.g if not all blocks have reached minimum replication yet)
    * @throws IOException on error (eg lease mismatch, file not open, file deleted)
    */
-  boolean completeFile(String src, String holder,
+  boolean completeFile(final String srcArg, String holder,
                        ExtendedBlock last, long fileId)
     throws SafeModeException, UnresolvedLinkException, IOException {
+    String src = srcArg;
     if (NameNode.stateChangeLog.isDebugEnabled()) {
       NameNode.stateChangeLog.debug("DIR* NameSystem.completeFile: " +
           src + " for " + holder);
@@ -3353,7 +3364,7 @@ boolean completeFile(String src, String holder,
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot complete file " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       success = completeFileInternal(src, holder,
         ExtendedBlock.getLocalBlock(last), fileId);
     } finally {
@@ -3361,7 +3372,7 @@ boolean completeFile(String src, String holder,
     }
     getEditLog().logSync();
     if (success) {
-      NameNode.stateChangeLog.info("DIR* completeFile: " + src
+      NameNode.stateChangeLog.info("DIR* completeFile: " + srcArg
           + " is closed by " + holder);
     }
     return success;
@@ -3529,8 +3540,11 @@ boolean renameTo(String src, String dst)
     return ret;
   }
 
-  private boolean renameToInt(String src, String dst, boolean logRetryCache) 
+  private boolean renameToInt(final String srcArg, final String dstArg,
+    boolean logRetryCache)
     throws IOException, UnresolvedLinkException {
+    String src = srcArg;
+    String dst = dstArg;
     if (NameNode.stateChangeLog.isDebugEnabled()) {
       NameNode.stateChangeLog.debug("DIR* NameSystem.renameTo: " + src +
           " to " + dst);
@@ -3549,8 +3563,8 @@ private boolean renameToInt(String src, String dst, boolean logRetryCache)
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot rename " + src);
       waitForLoadingFSImage();
-      src = FSDirectory.resolvePath(src, srcComponents, dir);
-      dst = FSDirectory.resolvePath(dst, dstComponents, dir);
+      src = resolvePath(src, srcComponents);
+      dst = resolvePath(dst, dstComponents);
       checkOperation(OperationCategory.WRITE);
       status = renameToInternal(pc, src, dst, logRetryCache);
       if (status) {
@@ -3561,7 +3575,7 @@ private boolean renameToInt(String src, String dst, boolean logRetryCache)
     }
     getEditLog().logSync();
     if (status) {
-      logAuditEvent(true, "rename", src, dst, resultingStat);
+      logAuditEvent(true, "rename", srcArg, dstArg, resultingStat);
     }
     return status;
   }
@@ -3599,8 +3613,10 @@ private boolean renameToInternal(FSPermissionChecker pc, String src,
   
 
   /** Rename src to dst */
-  void renameTo(String src, String dst, Options.Rename... options)
-      throws IOException, UnresolvedLinkException {
+  void renameTo(final String srcArg, final String dstArg,
+      Options.Rename... options) throws IOException, UnresolvedLinkException {
+    String src = srcArg;
+    String dst = dstArg;
     if (NameNode.stateChangeLog.isDebugEnabled()) {
       NameNode.stateChangeLog.debug("DIR* NameSystem.renameTo: with options - "
           + src + " to " + dst);
@@ -3623,8 +3639,8 @@ void renameTo(String src, String dst, Options.Rename... options)
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot rename " + src);
-      src = FSDirectory.resolvePath(src, srcComponents, dir);
-      dst = FSDirectory.resolvePath(dst, dstComponents, dir);
+      src = resolvePath(src, srcComponents);
+      dst = resolvePath(dst, dstComponents);
       renameToInternal(pc, src, dst, cacheEntry != null, options);
       resultingStat = getAuditFileInfo(dst, false);
       success = true;
@@ -3638,7 +3654,7 @@ void renameTo(String src, String dst, Options.Rename... options)
       for (Rename option : options) {
         cmd.append(option.value()).append(" ");
       }
-      logAuditEvent(true, cmd.toString(), src, dst, resultingStat);
+      logAuditEvent(true, cmd.toString(), srcArg, dstArg, resultingStat);
     }
   }
 
@@ -3736,7 +3752,7 @@ private boolean deleteInternal(String src, boolean recursive,
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot delete " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       if (!recursive && dir.isNonEmptyDirectory(src)) {
         throw new PathIsNotEmptyDirectoryException(src + " is non empty");
       }
@@ -3880,7 +3896,7 @@ private boolean isSafeModeTrackingBlocks() {
   /**
    * Get the file info for a specific file.
    *
-   * @param src The string representation of the path to the file
+   * @param srcArg The string representation of the path to the file
    * @param resolveLink whether to throw UnresolvedLinkException 
    *        if src refers to a symlink
    *
@@ -3891,9 +3907,10 @@ private boolean isSafeModeTrackingBlocks() {
    *         or null if file not found
    * @throws StandbyException 
    */
-  HdfsFileStatus getFileInfo(String src, boolean resolveLink) 
+  HdfsFileStatus getFileInfo(final String srcArg, boolean resolveLink)
     throws AccessControlException, UnresolvedLinkException,
            StandbyException, IOException {
+    String src = srcArg;
     if (!DFSUtil.isValidName(src)) {
       throw new InvalidPathException("Invalid file name: " + src);
     }
@@ -3904,34 +3921,36 @@ HdfsFileStatus getFileInfo(String src, boolean resolveLink)
     readLock();
     try {
       checkOperation(OperationCategory.READ);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       if (isPermissionEnabled) {
         checkPermission(pc, src, false, null, null, null, null, false,
             resolveLink);
       }
-      stat = dir.getFileInfo(src, resolveLink);
+      stat = dir.getFileInfo(src, resolveLink,
+          FSDirectory.isReservedRawName(srcArg));
     } catch (AccessControlException e) {
-      logAuditEvent(false, "getfileinfo", src);
+      logAuditEvent(false, "getfileinfo", srcArg);
       throw e;
     } finally {
       readUnlock();
     }
-    logAuditEvent(true, "getfileinfo", src);
+    logAuditEvent(true, "getfileinfo", srcArg);
     return stat;
   }
   
   /**
    * Returns true if the file is closed
    */
-  boolean isFileClosed(String src) 
+  boolean isFileClosed(final String srcArg)
       throws AccessControlException, UnresolvedLinkException,
       StandbyException, IOException {
+    String src = srcArg;
     FSPermissionChecker pc = getPermissionChecker();  
     checkOperation(OperationCategory.READ);
     byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
     readLock();
     try {
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkOperation(OperationCategory.READ);
       if (isPermissionEnabled) {
         checkTraverse(pc, src);
@@ -3939,7 +3958,7 @@ boolean isFileClosed(String src)
       return !INodeFile.valueOf(dir.getINode(src), src).isUnderConstruction();
     } catch (AccessControlException e) {
       if (isAuditEnabled() && isExternalInvocation()) {
-        logAuditEvent(false, "isFileClosed", src);
+        logAuditEvent(false, "isFileClosed", srcArg);
       }
       throw e;
     } finally {
@@ -3962,8 +3981,9 @@ boolean mkdirs(String src, PermissionStatus permissions,
     return ret;
   }
 
-  private boolean mkdirsInt(String src, PermissionStatus permissions,
+  private boolean mkdirsInt(final String srcArg, PermissionStatus permissions,
       boolean createParent) throws IOException, UnresolvedLinkException {
+    String src = srcArg;
     if(NameNode.stateChangeLog.isDebugEnabled()) {
       NameNode.stateChangeLog.debug("DIR* NameSystem.mkdirs: " + src);
     }
@@ -3979,7 +3999,7 @@ private boolean mkdirsInt(String src, PermissionStatus permissions,
     try {
       checkOperation(OperationCategory.WRITE);   
       checkNameNodeSafeMode("Cannot create directory " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       status = mkdirsInternal(pc, src, permissions, createParent);
       if (status) {
         resultingStat = getAuditFileInfo(src, false);
@@ -3989,7 +4009,7 @@ private boolean mkdirsInt(String src, PermissionStatus permissions,
     }
     getEditLog().logSync();
     if (status) {
-      logAuditEvent(true, "mkdirs", src, null, resultingStat);
+      logAuditEvent(true, "mkdirs", srcArg, null, resultingStat);
     }
     return status;
   }
@@ -4147,7 +4167,8 @@ private boolean mkdirsRecursively(String src, PermissionStatus permissions,
    * @return object containing information regarding the file
    *         or null if file not found
    */
-  ContentSummary getContentSummary(String src) throws IOException {
+  ContentSummary getContentSummary(final String srcArg) throws IOException {
+    String src = srcArg;
     FSPermissionChecker pc = getPermissionChecker();
     checkOperation(OperationCategory.READ);
     byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
@@ -4155,7 +4176,7 @@ ContentSummary getContentSummary(String src) throws IOException {
     boolean success = true;
     try {
       checkOperation(OperationCategory.READ);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       if (isPermissionEnabled) {
         checkPermission(pc, src, false, null, null, null, FsAction.READ_EXECUTE);
       }
@@ -4166,7 +4187,7 @@ ContentSummary getContentSummary(String src) throws IOException {
       throw ace;
     } finally {
       readUnlock();
-      logAuditEvent(success, "contentSummary", src);
+      logAuditEvent(success, "contentSummary", srcArg);
     }
   }
 
@@ -4217,7 +4238,7 @@ void fsync(String src, long fileId, String clientName, long lastBlockLength)
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot fsync file " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       final INode inode;
       if (fileId == INodeId.GRANDFATHER_INODE_ID) {
         // Older clients may not have given us an inode ID to work with.
@@ -4657,9 +4678,10 @@ DirectoryListing getListing(String src, byte[] startAfter,
     }
   }
 
-  private DirectoryListing getListingInt(String src, byte[] startAfter,
-      boolean needLocation) 
+  private DirectoryListing getListingInt(final String srcArg, byte[] startAfter,
+      boolean needLocation)
     throws AccessControlException, UnresolvedLinkException, IOException {
+    String src = srcArg;
     DirectoryListing dl;
     FSPermissionChecker pc = getPermissionChecker();
     checkOperation(OperationCategory.READ);
@@ -4668,7 +4690,7 @@ private DirectoryListing getListingInt(String src, byte[] startAfter,
     readLock();
     try {
       checkOperation(OperationCategory.READ);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
 
       // Get file name when startAfter is an INodePath
       if (FSDirectory.isReservedName(startAfterString)) {
@@ -4692,7 +4714,7 @@ private DirectoryListing getListingInt(String src, byte[] startAfter,
           checkTraverse(pc, src);
         }
       }
-      logAuditEvent(true, "listStatus", src);
+      logAuditEvent(true, "listStatus", srcArg);
       dl = dir.getListing(src, startAfter, needLocation);
     } finally {
       readUnlock();
@@ -6085,6 +6107,28 @@ private void checkTraverse(FSPermissionChecker pc, String path)
     checkPermission(pc, path, false, null, null, null, null);
   }
 
+  /**
+   * This is a wrapper for FSDirectory.resolvePath(). If the path passed
+   * is prefixed with /.reserved/raw, then it checks to ensure that the caller
+   * has super user privs.
+   *
+   * @param path The path to resolve.
+   * @param pathComponents path components corresponding to the path
+   * @return if the path indicates an inode, return path after replacing up to
+   *         <inodeid> with the corresponding path of the inode, else the path
+   *         in {@code src} as is. If the path refers to a path in the "raw"
+   *         directory, return the non-raw pathname.
+   * @throws FileNotFoundException
+   * @throws AccessControlException
+   */
+  private String resolvePath(String path, byte[][] pathComponents)
+      throws FileNotFoundException, AccessControlException {
+    if (FSDirectory.isReservedRawName(path)) {
+      checkSuperuserPrivilege();
+    }
+    return FSDirectory.resolvePath(path, pathComponents, dir);
+  }
+
   @Override
   public void checkSuperuserPrivilege()
       throws AccessControlException {
@@ -8279,7 +8323,9 @@ public BatchedListEntries<CachePoolEntry> listCachePools(String prevKey)
     return results;
   }
 
-  void modifyAclEntries(String src, List<AclEntry> aclSpec) throws IOException {
+  void modifyAclEntries(final String srcArg, List<AclEntry> aclSpec)
+      throws IOException {
+    String src = srcArg;
     nnConf.checkAclsConfigFlag();
     HdfsFileStatus resultingStat = null;
     FSPermissionChecker pc = getPermissionChecker();
@@ -8289,7 +8335,7 @@ void modifyAclEntries(String src, List<AclEntry> aclSpec) throws IOException {
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot modify ACL entries on " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkOwner(pc, src);
       List<AclEntry> newAcl = dir.modifyAclEntries(src, aclSpec);
       getEditLog().logSetAcl(src, newAcl);
@@ -8298,10 +8344,12 @@ void modifyAclEntries(String src, List<AclEntry> aclSpec) throws IOException {
       writeUnlock();
     }
     getEditLog().logSync();
-    logAuditEvent(true, "modifyAclEntries", src, null, resultingStat);
+    logAuditEvent(true, "modifyAclEntries", srcArg, null, resultingStat);
   }
 
-  void removeAclEntries(String src, List<AclEntry> aclSpec) throws IOException {
+  void removeAclEntries(final String srcArg, List<AclEntry> aclSpec)
+      throws IOException {
+    String src = srcArg;
     nnConf.checkAclsConfigFlag();
     HdfsFileStatus resultingStat = null;
     FSPermissionChecker pc = getPermissionChecker();
@@ -8311,7 +8359,7 @@ void removeAclEntries(String src, List<AclEntry> aclSpec) throws IOException {
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot remove ACL entries on " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkOwner(pc, src);
       List<AclEntry> newAcl = dir.removeAclEntries(src, aclSpec);
       getEditLog().logSetAcl(src, newAcl);
@@ -8320,10 +8368,11 @@ void removeAclEntries(String src, List<AclEntry> aclSpec) throws IOException {
       writeUnlock();
     }
     getEditLog().logSync();
-    logAuditEvent(true, "removeAclEntries", src, null, resultingStat);
+    logAuditEvent(true, "removeAclEntries", srcArg, null, resultingStat);
   }
 
-  void removeDefaultAcl(String src) throws IOException {
+  void removeDefaultAcl(final String srcArg) throws IOException {
+    String src = srcArg;
     nnConf.checkAclsConfigFlag();
     HdfsFileStatus resultingStat = null;
     FSPermissionChecker pc = getPermissionChecker();
@@ -8333,7 +8382,7 @@ void removeDefaultAcl(String src) throws IOException {
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot remove default ACL entries on " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkOwner(pc, src);
       List<AclEntry> newAcl = dir.removeDefaultAcl(src);
       getEditLog().logSetAcl(src, newAcl);
@@ -8342,10 +8391,11 @@ void removeDefaultAcl(String src) throws IOException {
       writeUnlock();
     }
     getEditLog().logSync();
-    logAuditEvent(true, "removeDefaultAcl", src, null, resultingStat);
+    logAuditEvent(true, "removeDefaultAcl", srcArg, null, resultingStat);
   }
 
-  void removeAcl(String src) throws IOException {
+  void removeAcl(final String srcArg) throws IOException {
+    String src = srcArg;
     nnConf.checkAclsConfigFlag();
     HdfsFileStatus resultingStat = null;
     FSPermissionChecker pc = getPermissionChecker();
@@ -8355,7 +8405,7 @@ void removeAcl(String src) throws IOException {
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot remove ACL on " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkOwner(pc, src);
       dir.removeAcl(src);
       getEditLog().logSetAcl(src, AclFeature.EMPTY_ENTRY_LIST);
@@ -8364,10 +8414,11 @@ void removeAcl(String src) throws IOException {
       writeUnlock();
     }
     getEditLog().logSync();
-    logAuditEvent(true, "removeAcl", src, null, resultingStat);
+    logAuditEvent(true, "removeAcl", srcArg, null, resultingStat);
   }
 
-  void setAcl(String src, List<AclEntry> aclSpec) throws IOException {
+  void setAcl(final String srcArg, List<AclEntry> aclSpec) throws IOException {
+    String src = srcArg;
     nnConf.checkAclsConfigFlag();
     HdfsFileStatus resultingStat = null;
     FSPermissionChecker pc = getPermissionChecker();
@@ -8377,7 +8428,7 @@ void setAcl(String src, List<AclEntry> aclSpec) throws IOException {
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot set ACL on " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkOwner(pc, src);
       List<AclEntry> newAcl = dir.setAcl(src, aclSpec);
       getEditLog().logSetAcl(src, newAcl);
@@ -8386,7 +8437,7 @@ void setAcl(String src, List<AclEntry> aclSpec) throws IOException {
       writeUnlock();
     }
     getEditLog().logSync();
-    logAuditEvent(true, "setAcl", src, null, resultingStat);
+    logAuditEvent(true, "setAcl", srcArg, null, resultingStat);
   }
 
   AclStatus getAclStatus(String src) throws IOException {
@@ -8397,7 +8448,7 @@ AclStatus getAclStatus(String src) throws IOException {
     readLock();
     try {
       checkOperation(OperationCategory.READ);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       if (isPermissionEnabled) {
         checkPermission(pc, src, false, null, null, null, null);
       }
@@ -8485,7 +8536,7 @@ private void createEncryptionZoneInt(final String srcArg, String keyName,
       checkSuperuserPrivilege();
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot create encryption zone on " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
 
       final XAttr ezXAttr = dir.createEncryptionZone(src, keyName);
       List<XAttr> xAttrs = Lists.newArrayListWithCapacity(1);
@@ -8496,7 +8547,7 @@ private void createEncryptionZoneInt(final String srcArg, String keyName,
       writeUnlock();
     }
     getEditLog().logSync();
-    logAuditEvent(true, "createEncryptionZone", src, null, resultingStat);
+    logAuditEvent(true, "createEncryptionZone", srcArg, null, resultingStat);
   }
 
   /**
@@ -8583,8 +8634,9 @@ void setXAttr(String src, XAttr xAttr, EnumSet<XAttrSetFlag> flag)
     }
   }
   
-  private void setXAttrInt(String src, XAttr xAttr, EnumSet<XAttrSetFlag> flag,
-      boolean logRetryCache) throws IOException {
+  private void setXAttrInt(final String srcArg, XAttr xAttr,
+      EnumSet<XAttrSetFlag> flag, boolean logRetryCache) throws IOException {
+    String src = srcArg;
     nnConf.checkXAttrsConfigFlag();
     checkXAttrSize(xAttr);
     HdfsFileStatus resultingStat = null;
@@ -8596,7 +8648,7 @@ private void setXAttrInt(String src, XAttr xAttr, EnumSet<XAttrSetFlag> flag,
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot set XAttr on " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkXAttrChangeAccess(src, xAttr, pc);
       List<XAttr> xAttrs = Lists.newArrayListWithCapacity(1);
       xAttrs.add(xAttr);
@@ -8607,7 +8659,7 @@ private void setXAttrInt(String src, XAttr xAttr, EnumSet<XAttrSetFlag> flag,
       writeUnlock();
     }
     getEditLog().logSync();
-    logAuditEvent(true, "setXAttr", src, null, resultingStat);
+    logAuditEvent(true, "setXAttr", srcArg, null, resultingStat);
   }
 
   /**
@@ -8630,7 +8682,9 @@ private void checkXAttrSize(XAttr xAttr) {
     }
   }
   
-  List<XAttr> getXAttrs(String src, List<XAttr> xAttrs) throws IOException {
+  List<XAttr> getXAttrs(final String srcArg, List<XAttr> xAttrs)
+      throws IOException {
+    String src = srcArg;
     nnConf.checkXAttrsConfigFlag();
     FSPermissionChecker pc = getPermissionChecker();
     boolean getAll = xAttrs == null || xAttrs.isEmpty();
@@ -8638,7 +8692,7 @@ List<XAttr> getXAttrs(String src, List<XAttr> xAttrs) throws IOException {
       try {
         XAttrPermissionFilter.checkPermissionForApi(pc, xAttrs);
       } catch (AccessControlException e) {
-        logAuditEvent(false, "getXAttrs", src);
+        logAuditEvent(false, "getXAttrs", srcArg);
         throw e;
       }
     }
@@ -8646,7 +8700,7 @@ List<XAttr> getXAttrs(String src, List<XAttr> xAttrs) throws IOException {
     byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
     readLock();
     try {
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkOperation(OperationCategory.READ);
       if (isPermissionEnabled) {
         checkPathAccess(pc, src, FsAction.READ);
@@ -8679,7 +8733,7 @@ List<XAttr> getXAttrs(String src, List<XAttr> xAttrs) throws IOException {
         return toGet;
       }
     } catch (AccessControlException e) {
-      logAuditEvent(false, "getXAttrs", src);
+      logAuditEvent(false, "getXAttrs", srcArg);
       throw e;
     } finally {
       readUnlock();
@@ -8693,7 +8747,7 @@ List<XAttr> listXAttrs(String src) throws IOException {
     byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
     readLock();
     try {
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkOperation(OperationCategory.READ);
       if (isPermissionEnabled) {
         /* To access xattr names, you need EXECUTE in the owning directory. */
@@ -8740,8 +8794,9 @@ void removeXAttr(String src, XAttr xAttr) throws IOException {
     }
   }
 
-  void removeXAttrInt(String src, XAttr xAttr, boolean logRetryCache)
+  void removeXAttrInt(final String srcArg, XAttr xAttr, boolean logRetryCache)
       throws IOException {
+    String src = srcArg;
     nnConf.checkXAttrsConfigFlag();
     HdfsFileStatus resultingStat = null;
     FSPermissionChecker pc = getPermissionChecker();
@@ -8752,7 +8807,7 @@ void removeXAttrInt(String src, XAttr xAttr, boolean logRetryCache)
     try {
       checkOperation(OperationCategory.WRITE);
       checkNameNodeSafeMode("Cannot remove XAttr entry on " + src);
-      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      src = resolvePath(src, pathComponents);
       checkXAttrChangeAccess(src, xAttr, pc);
 
       List<XAttr> xAttrs = Lists.newArrayListWithCapacity(1);
@@ -8769,7 +8824,7 @@ void removeXAttrInt(String src, XAttr xAttr, boolean logRetryCache)
       writeUnlock();
     }
     getEditLog().logSync();
-    logAuditEvent(true, "removeXAttr", src, null, resultingStat);
+    logAuditEvent(true, "removeXAttr", srcArg, null, resultingStat);
   }
 
   private void checkXAttrChangeAccess(String src, XAttr xAttr,
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
index 949713e6f44..0eb0965695b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
@@ -83,6 +83,7 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_ADDRESS_KEY;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 /** Utilities for HDFS tests */
 public class DFSTestUtil {
@@ -1300,4 +1301,51 @@ public void close() throws IOException {
       sockDir.close();
     }
   }
+
+  /**
+   * Verify that two files have the same contents.
+   *
+   * @param fs The file system containing the two files.
+   * @param p1 The path of the first file.
+   * @param p2 The path of the second file.
+   * @param len The length of the two files.
+   * @throws IOException
+   */
+  public static void verifyFilesEqual(FileSystem fs, Path p1, Path p2, int len)
+      throws IOException {
+    final FSDataInputStream in1 = fs.open(p1);
+    final FSDataInputStream in2 = fs.open(p2);
+    for (int i = 0; i < len; i++) {
+      assertEquals("Mismatch at byte " + i, in1.read(), in2.read());
+    }
+    in1.close();
+    in2.close();
+  }
+
+  /**
+   * Verify that two files have different contents.
+   *
+   * @param fs The file system containing the two files.
+   * @param p1 The path of the first file.
+   * @param p2 The path of the second file.
+   * @param len The length of the two files.
+   * @throws IOException
+   */
+  public static void verifyFilesNotEqual(FileSystem fs, Path p1, Path p2,
+      int len)
+          throws IOException {
+    final FSDataInputStream in1 = fs.open(p1);
+    final FSDataInputStream in2 = fs.open(p2);
+    try {
+      for (int i = 0; i < len; i++) {
+        if (in1.read() != in2.read()) {
+          return;
+        }
+      }
+      fail("files are equal, but should not be");
+    } finally {
+      in1.close();
+      in2.close();
+    }
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
index a53e47e6e85..c7229228606 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -30,7 +30,6 @@
 import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
 import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.crypto.key.KeyProviderFactory;
-import org.apache.hadoop.fs.FSDataInputStream;
 import org.apache.hadoop.fs.FSTestWrapper;
 import org.apache.hadoop.fs.FileContext;
 import org.apache.hadoop.fs.FileContextTestWrapper;
@@ -52,7 +51,7 @@
 import org.junit.Before;
 import org.junit.Test;
 
-
+import static org.apache.hadoop.hdfs.DFSTestUtil.verifyFilesEqual;
 import static org.apache.hadoop.test.GenericTestUtils.assertExceptionContains;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -316,16 +315,6 @@ public void testRenameFileContext() throws Exception {
     doRenameEncryptionZone(fcWrapper);
   }
 
-  private void validateFiles(Path p1, Path p2, int len) throws Exception {
-    FSDataInputStream in1 = fs.open(p1);
-    FSDataInputStream in2 = fs.open(p2);
-    for (int i = 0; i < len; i++) {
-      assertEquals("Mismatch at byte " + i, in1.read(), in2.read());
-    }
-    in1.close();
-    in2.close();
-  }
-
   private FileEncryptionInfo getFileEncryptionInfo(Path path) throws Exception {
     LocatedBlocks blocks = fs.getClient().getLocatedBlocks(path.toString(), 0);
     return blocks.getFileEncryptionInfo();
@@ -346,14 +335,14 @@ public void testReadWrite() throws Exception {
     final Path encFile1 = new Path(zone, "myfile");
     DFSTestUtil.createFile(fs, encFile1, len, (short) 1, 0xFEED);
     // Read them back in and compare byte-by-byte
-    validateFiles(baseFile, encFile1, len);
+    verifyFilesEqual(fs, baseFile, encFile1, len);
     // Roll the key of the encryption zone
     List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
     assertEquals("Expected 1 EZ", 1, zones.size());
     String keyName = zones.get(0).getKeyName();
     cluster.getNamesystem().getProvider().rollNewVersion(keyName);
     // Read them back in and compare byte-by-byte
-    validateFiles(baseFile, encFile1, len);
+    verifyFilesEqual(fs, baseFile, encFile1, len);
     // Write a new enc file and validate
     final Path encFile2 = new Path(zone, "myfile2");
     DFSTestUtil.createFile(fs, encFile2, len, (short) 1, 0xFEED);
@@ -366,7 +355,7 @@ public void testReadWrite() throws Exception {
     assertNotEquals("Key was rolled, versions should be different",
         feInfo1.getEzKeyVersionName(), feInfo2.getEzKeyVersionName());
     // Contents still equal
-    validateFiles(encFile1, encFile2, len);
+    verifyFilesEqual(fs, encFile1, encFile2, len);
   }
 
   @Test(timeout = 60000)

From 3a90228c30da198cfc705eb41e06f38053f9ff0e Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 29 Jul 2014 21:11:52 +0000
Subject: [PATCH 075/354] HDFS-6509 addendum, extra file

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1614491 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop/hdfs/TestReservedRawPaths.java     | 348 ++++++++++++++++++
 1 file changed, 348 insertions(+)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReservedRawPaths.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReservedRawPaths.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReservedRawPaths.java
new file mode 100644
index 00000000000..c49e88b5460
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReservedRawPaths.java
@@ -0,0 +1,348 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
+import org.apache.hadoop.crypto.key.KeyProviderFactory;
+import org.apache.hadoop.fs.FileContext;
+import org.apache.hadoop.fs.FileContextTestWrapper;
+import org.apache.hadoop.fs.FileStatus;
+import org.apache.hadoop.fs.FileSystemTestHelper;
+import org.apache.hadoop.fs.FileSystemTestWrapper;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hdfs.client.HdfsAdmin;
+import org.apache.hadoop.hdfs.server.namenode.EncryptionZoneManager;
+import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.apache.hadoop.hdfs.DFSTestUtil.verifyFilesEqual;
+import static org.apache.hadoop.hdfs.DFSTestUtil.verifyFilesNotEqual;
+import static org.apache.hadoop.test.GenericTestUtils.assertExceptionContains;
+import static org.apache.hadoop.test.GenericTestUtils.assertMatches;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+public class TestReservedRawPaths {
+
+  private Configuration conf;
+  private FileSystemTestHelper fsHelper;
+
+  private MiniDFSCluster cluster;
+  private HdfsAdmin dfsAdmin;
+  private DistributedFileSystem fs;
+
+  protected FileSystemTestWrapper fsWrapper;
+  protected FileContextTestWrapper fcWrapper;
+
+  @Before
+  public void setup() throws IOException {
+    conf = new HdfsConfiguration();
+    fsHelper = new FileSystemTestHelper();
+    // Set up java key store
+    String testRoot = fsHelper.getTestRootDir();
+    File testRootDir = new File(testRoot).getAbsoluteFile();
+    conf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
+        JavaKeyStoreProvider.SCHEME_NAME + "://file" + testRootDir + "/test.jks"
+    );
+    cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
+    Logger.getLogger(EncryptionZoneManager.class).setLevel(Level.TRACE);
+    fs = cluster.getFileSystem();
+    fsWrapper = new FileSystemTestWrapper(cluster.getFileSystem());
+    fcWrapper = new FileContextTestWrapper(
+        FileContext.getFileContext(cluster.getURI(), conf));
+    dfsAdmin = new HdfsAdmin(cluster.getURI(), conf);
+    // Need to set the client's KeyProvider to the NN's for JKS,
+    // else the updates do not get flushed properly
+    fs.getClient().provider = cluster.getNameNode().getNamesystem()
+        .getProvider();
+  }
+
+  @After
+  public void teardown() {
+    if (cluster != null) {
+      cluster.shutdown();
+    }
+  }
+
+  /**
+   * Basic read/write tests of raw files.
+   * Create a non-encrypted file
+   * Create an encryption zone
+   * Verify that non-encrypted file contents and decrypted file in EZ are equal
+   * Compare the raw encrypted bytes of the file with the decrypted version to
+   *   ensure they're different
+   * Compare the raw and non-raw versions of the non-encrypted file to ensure
+   *   they're the same.
+   */
+  @Test(timeout = 120000)
+  public void testReadWriteRaw() throws Exception {
+    // Create a base file for comparison
+    final Path baseFile = new Path("/base");
+    final int len = 8192;
+    DFSTestUtil.createFile(fs, baseFile, len, (short) 1, 0xFEED);
+    // Create the first enc file
+    final Path zone = new Path("/zone");
+    fs.mkdirs(zone);
+    dfsAdmin.createEncryptionZone(zone, null);
+    final Path encFile1 = new Path(zone, "myfile");
+    DFSTestUtil.createFile(fs, encFile1, len, (short) 1, 0xFEED);
+    // Read them back in and compare byte-by-byte
+    verifyFilesEqual(fs, baseFile, encFile1, len);
+    // Raw file should be different from encrypted file
+    final Path encFile1Raw = new Path(zone, "/.reserved/raw/zone/myfile");
+    verifyFilesNotEqual(fs, encFile1Raw, encFile1, len);
+    // Raw file should be same as /base which is not in an EZ
+    final Path baseFileRaw = new Path(zone, "/.reserved/raw/base");
+    verifyFilesEqual(fs, baseFile, baseFileRaw, len);
+  }
+
+  private void assertPathEquals(Path p1, Path p2) throws IOException {
+    final FileStatus p1Stat = fs.getFileStatus(p1);
+    final FileStatus p2Stat = fs.getFileStatus(p2);
+
+    /*
+     * Use accessTime and modificationTime as substitutes for INode to check
+     * for resolution to the same underlying file.
+     */
+    assertEquals("Access times not equal", p1Stat.getAccessTime(),
+        p2Stat.getAccessTime());
+    assertEquals("Modification times not equal", p1Stat.getModificationTime(),
+        p2Stat.getModificationTime());
+    assertEquals("pathname1 not equal", p1,
+        Path.getPathWithoutSchemeAndAuthority(p1Stat.getPath()));
+    assertEquals("pathname1 not equal", p2,
+            Path.getPathWithoutSchemeAndAuthority(p2Stat.getPath()));
+  }
+
+  /**
+   * Tests that getFileStatus on raw and non raw resolve to the same
+   * file.
+   */
+  @Test(timeout = 120000)
+  public void testGetFileStatus() throws Exception {
+    final Path zone = new Path("zone");
+    final Path slashZone = new Path("/", zone);
+    fs.mkdirs(slashZone);
+    dfsAdmin.createEncryptionZone(slashZone, null);
+
+    final Path base = new Path("base");
+    final Path reservedRaw = new Path("/.reserved/raw");
+    final Path baseRaw = new Path(reservedRaw, base);
+    final int len = 8192;
+    DFSTestUtil.createFile(fs, baseRaw, len, (short) 1, 0xFEED);
+    assertPathEquals(new Path("/", base), baseRaw);
+
+    /* Repeat the test for a file in an ez. */
+    final Path ezEncFile = new Path(slashZone, base);
+    final Path ezRawEncFile =
+        new Path(new Path(reservedRaw, zone), base);
+    DFSTestUtil.createFile(fs, ezEncFile, len, (short) 1, 0xFEED);
+    assertPathEquals(ezEncFile, ezRawEncFile);
+  }
+
+  @Test(timeout = 120000)
+  public void testReservedRoot() throws Exception {
+    final Path root = new Path("/");
+    final Path rawRoot = new Path("/.reserved/raw");
+    final Path rawRootSlash = new Path("/.reserved/raw/");
+    assertPathEquals(root, rawRoot);
+    assertPathEquals(root, rawRootSlash);
+  }
+
+  /* Verify mkdir works ok in .reserved/raw directory. */
+  @Test(timeout = 120000)
+  public void testReservedRawMkdir() throws Exception {
+    final Path zone = new Path("zone");
+    final Path slashZone = new Path("/", zone);
+    fs.mkdirs(slashZone);
+    dfsAdmin.createEncryptionZone(slashZone, null);
+    final Path rawRoot = new Path("/.reserved/raw");
+    final Path dir1 = new Path("dir1");
+    final Path rawDir1 = new Path(rawRoot, dir1);
+    fs.mkdirs(rawDir1);
+    assertPathEquals(rawDir1, new Path("/", dir1));
+    fs.delete(rawDir1, true);
+    final Path rawZone = new Path(rawRoot, zone);
+    final Path rawDir1EZ = new Path(rawZone, dir1);
+    fs.mkdirs(rawDir1EZ);
+    assertPathEquals(rawDir1EZ, new Path(slashZone, dir1));
+    fs.delete(rawDir1EZ, true);
+  }
+
+  @Test(timeout = 120000)
+  public void testRelativePathnames() throws Exception {
+    final Path baseFileRaw = new Path("/.reserved/raw/base");
+    final int len = 8192;
+    DFSTestUtil.createFile(fs, baseFileRaw, len, (short) 1, 0xFEED);
+
+    final Path root = new Path("/");
+    final Path rawRoot = new Path("/.reserved/raw");
+    assertPathEquals(root, new Path(rawRoot, "../raw"));
+    assertPathEquals(root, new Path(rawRoot, "../../.reserved/raw"));
+    assertPathEquals(baseFileRaw, new Path(rawRoot, "../raw/base"));
+    assertPathEquals(baseFileRaw, new Path(rawRoot,
+        "../../.reserved/raw/base"));
+    assertPathEquals(baseFileRaw, new Path(rawRoot,
+        "../../.reserved/raw/base/../base"));
+    assertPathEquals(baseFileRaw, new Path(
+        "/.reserved/../.reserved/raw/../raw/base"));
+  }
+
+  @Test(timeout = 120000)
+  public void testAdminAccessOnly() throws Exception {
+    final Path zone = new Path("zone");
+    final Path slashZone = new Path("/", zone);
+    fs.mkdirs(slashZone);
+    dfsAdmin.createEncryptionZone(slashZone, null);
+    final Path base = new Path("base");
+    final Path reservedRaw = new Path("/.reserved/raw");
+    final int len = 8192;
+
+    /* Test failure of create file in reserved/raw as non admin */
+    final UserGroupInformation user = UserGroupInformation.
+        createUserForTesting("user", new String[] { "mygroup" });
+    user.doAs(new PrivilegedExceptionAction<Object>() {
+      @Override
+      public Object run() throws Exception {
+        final DistributedFileSystem fs = cluster.getFileSystem();
+        try {
+          final Path ezRawEncFile =
+              new Path(new Path(reservedRaw, zone), base);
+          DFSTestUtil.createFile(fs, ezRawEncFile, len, (short) 1, 0xFEED);
+          fail("access to /.reserved/raw is superuser-only operation");
+        } catch (AccessControlException e) {
+          assertExceptionContains("Superuser privilege is required", e);
+        }
+        return null;
+      }
+    });
+
+    /* Test failure of getFileStatus in reserved/raw as non admin */
+    final Path ezRawEncFile = new Path(new Path(reservedRaw, zone), base);
+    DFSTestUtil.createFile(fs, ezRawEncFile, len, (short) 1, 0xFEED);
+    user.doAs(new PrivilegedExceptionAction<Object>() {
+      @Override
+      public Object run() throws Exception {
+        final DistributedFileSystem fs = cluster.getFileSystem();
+        try {
+          fs.getFileStatus(ezRawEncFile);
+          fail("access to /.reserved/raw is superuser-only operation");
+        } catch (AccessControlException e) {
+          assertExceptionContains("Superuser privilege is required", e);
+        }
+        return null;
+      }
+    });
+
+    /* Test failure of listStatus in reserved/raw as non admin */
+    user.doAs(new PrivilegedExceptionAction<Object>() {
+      @Override
+      public Object run() throws Exception {
+        final DistributedFileSystem fs = cluster.getFileSystem();
+        try {
+          fs.listStatus(ezRawEncFile);
+          fail("access to /.reserved/raw is superuser-only operation");
+        } catch (AccessControlException e) {
+          assertExceptionContains("Superuser privilege is required", e);
+        }
+        return null;
+      }
+    });
+
+    fs.setPermission(new Path("/"), new FsPermission((short) 0777));
+    /* Test failure of mkdir in reserved/raw as non admin */
+    user.doAs(new PrivilegedExceptionAction<Object>() {
+      @Override
+      public Object run() throws Exception {
+        final DistributedFileSystem fs = cluster.getFileSystem();
+        final Path d1 = new Path(reservedRaw, "dir1");
+        try {
+          fs.mkdirs(d1);
+          fail("access to /.reserved/raw is superuser-only operation");
+        } catch (AccessControlException e) {
+          assertExceptionContains("Superuser privilege is required", e);
+        }
+        return null;
+      }
+    });
+  }
+
+  @Test(timeout = 120000)
+  public void testListDotReserved() throws Exception {
+    // Create a base file for comparison
+    final Path baseFileRaw = new Path("/.reserved/raw/base");
+    final int len = 8192;
+    DFSTestUtil.createFile(fs, baseFileRaw, len, (short) 1, 0xFEED);
+
+    /*
+     * Ensure that you can't list /.reserved. Ever.
+     */
+    try {
+      fs.listStatus(new Path("/.reserved"));
+      fail("expected FNFE");
+    } catch (FileNotFoundException e) {
+      assertExceptionContains("/.reserved does not exist", e);
+    }
+
+    try {
+      fs.listStatus(new Path("/.reserved/.inodes"));
+      fail("expected FNFE");
+    } catch (FileNotFoundException e) {
+      assertExceptionContains(
+              "/.reserved/.inodes does not exist", e);
+    }
+
+    final FileStatus[] fileStatuses = fs.listStatus(new Path("/.reserved/raw"));
+    assertEquals("expected 1 entry", fileStatuses.length, 1);
+    assertMatches(fileStatuses[0].getPath().toString(), "/.reserved/raw/base");
+  }
+
+  @Test(timeout = 120000)
+  public void testListRecursive() throws Exception {
+    Path rootPath = new Path("/");
+    Path p = rootPath;
+    for (int i = 0; i < 3; i++) {
+      p = new Path(p, "dir" + i);
+      fs.mkdirs(p);
+    }
+
+    Path curPath = new Path("/.reserved/raw");
+    int cnt = 0;
+    FileStatus[] fileStatuses = fs.listStatus(curPath);
+    while (fileStatuses != null && fileStatuses.length > 0) {
+      FileStatus f = fileStatuses[0];
+      assertMatches(f.getPath().toString(), "/.reserved/raw");
+      curPath = Path.getPathWithoutSchemeAndAuthority(f.getPath());
+      cnt++;
+      fileStatuses = fs.listStatus(curPath);
+    }
+    assertEquals(3, cnt);
+  }
+}

From 415223548d84cd17979a0cff05f87f1fc3beb7f2 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 29 Jul 2014 23:39:38 +0000
Subject: [PATCH 076/354] HDFS-6771. Require specification of an encryption key
 when creating an encryption zone. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1614519 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  3 +
 .../apache/hadoop/hdfs/client/HdfsAdmin.java  | 22 ++---
 .../hdfs/server/namenode/FSNamesystem.java    | 93 +++++--------------
 .../apache/hadoop/hdfs/tools/CryptoAdmin.java |  8 +-
 ...CryptoCLI.java => TestCryptoAdminCLI.java} |  2 +-
 .../hadoop/hdfs/TestEncryptionZones.java      | 50 +++++++---
 .../src/test/resources/testCryptoConf.xml     | 66 ++++++-------
 7 files changed, 106 insertions(+), 138 deletions(-)
 rename hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/{TestCryptoCLI.java => TestCryptoAdminCLI.java} (98%)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index d6b4e5b1f10..2531a4e4049 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -65,6 +65,9 @@ fs-encryption (Unreleased)
     HDFS-6509. Create a special /.reserved/raw directory for raw access to
     encrypted data. (clamb via wang)
 
+    HDFS-6771. Require specification of an encryption key when creating
+    an encryption zone. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
index be3ac51cfe7..0a22d9dd3f4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
@@ -231,22 +231,16 @@ public RemoteIterator<CachePoolEntry> listCachePools() throws IOException {
   }
 
   /**
-   * Create an encryption zone rooted at an empty existing directory. An
-   * encryption zone has an associated encryption key used when reading and
-   * writing files within the zone. An existing key can be specified,
-   * else a new key will be generated for the encryption zone.
-   *
-   * @param path The path of the root of the encryption zone. Must refer to
-   *             an empty, existing directory.
-   *
-   * @param keyName Optional name of key available at the KeyProvider. If null,
-   *                then a key is generated.
-   *
-   * @throws IOException if there was a general IO exception
+   * Create an encryption zone rooted at an empty existing directory, using the
+   * specified encryption key. An encryption zone has an associated encryption
+   * key used when reading and writing files within the zone.
    *
+   * @param path    The path of the root of the encryption zone. Must refer to
+   *                an empty, existing directory.
+   * @param keyName Name of key available at the KeyProvider.
+   * @throws IOException            if there was a general IO exception
    * @throws AccessControlException if the caller does not have access to path
-   *
-   * @throws FileNotFoundException if the path does not exist
+   * @throws FileNotFoundException  if the path does not exist
    */
   public void createEncryptionZone(Path path, String keyName)
     throws IOException, AccessControlException, FileNotFoundException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 7b29cedf9f4..dde19b9bd21 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -8457,24 +8457,19 @@ AclStatus getAclStatus(String src) throws IOException {
       readUnlock();
     }
   }
-  
+
   /**
-   * Create an encryption zone on directory src. If provided,
-   * will use an existing key, else will generate a new key.
-   *
-   * @param src the path of a directory which will be the root of the
-   * encryption zone. The directory must be empty.
-   *
-   * @param keyNameArg an optional name of a key in the configured
-   * KeyProvider. If this is null, then a a new key is generated.
-   *
-   * @throws AccessControlException if the caller is not the superuser.
+   * Create an encryption zone on directory src using the specified key.
    *
+   * @param src     the path of a directory which will be the root of the
+   *                encryption zone. The directory must be empty.
+   * @param keyName name of a key which must be present in the configured
+   *                KeyProvider.
+   * @throws AccessControlException  if the caller is not the superuser.
    * @throws UnresolvedLinkException if the path can't be resolved.
-   *
-   * @throws SafeModeException if the Namenode is in safe mode.
+   * @throws SafeModeException       if the Namenode is in safe mode.
    */
-  void createEncryptionZone(final String src, String keyNameArg)
+  void createEncryptionZone(final String src, final String keyName)
     throws IOException, UnresolvedLinkException,
       SafeModeException, AccessControlException {
     final CacheEntry cacheEntry = RetryCache.waitForCompletion(retryCache);
@@ -8482,8 +8477,6 @@ void createEncryptionZone(final String src, String keyNameArg)
       return; // Return previous response
     }
 
-    boolean createdKey = false;
-    String keyName = keyNameArg;
     boolean success = false;
     try {
       if (provider == null) {
@@ -8492,22 +8485,20 @@ void createEncryptionZone(final String src, String keyNameArg)
             " since no key provider is available.");
       }
       if (keyName == null || keyName.isEmpty()) {
-        keyName = UUID.randomUUID().toString();
-        createNewKey(keyName, src);
-        createdKey = true;
-      } else {
-        KeyVersion keyVersion = provider.getCurrentKey(keyName);
-        if (keyVersion == null) {
-          /*
-           * It would be nice if we threw something more specific than
-           * IOException when the key is not found, but the KeyProvider API
-           * doesn't provide for that. If that API is ever changed to throw
-           * something more specific (e.g. UnknownKeyException) then we can
-           * update this to match it, or better yet, just rethrow the
-           * KeyProvider's exception.
-           */
-          throw new IOException("Key " + keyName + " doesn't exist.");
-        }
+        throw new IOException("Must specify a key name when creating an " +
+            "encryption zone");
+      }
+      KeyVersion keyVersion = provider.getCurrentKey(keyName);
+      if (keyVersion == null) {
+        /*
+         * It would be nice if we threw something more specific than
+         * IOException when the key is not found, but the KeyProvider API
+         * doesn't provide for that. If that API is ever changed to throw
+         * something more specific (e.g. UnknownKeyException) then we can
+         * update this to match it, or better yet, just rethrow the
+         * KeyProvider's exception.
+         */
+        throw new IOException("Key " + keyName + " doesn't exist.");
       }
       createEncryptionZoneInt(src, keyName, cacheEntry != null);
       success = true;
@@ -8516,10 +8507,6 @@ void createEncryptionZone(final String src, String keyNameArg)
       throw e;
     } finally {
       RetryCache.setState(cacheEntry, success);
-      if (!success && createdKey) {
-        /* Unwind key creation. */
-        provider.deleteKey(keyName);
-      }
     }
   }
 
@@ -8550,40 +8537,6 @@ private void createEncryptionZoneInt(final String srcArg, String keyName,
     logAuditEvent(true, "createEncryptionZone", srcArg, null, resultingStat);
   }
 
-  /**
-   * Create a new key on the KeyProvider for an encryption zone.
-   *
-   * @param keyNameArg name of the key
-   * @param src path of the encryption zone.
-   * @return KeyVersion of the created key
-   * @throws IOException
-   */
-  private KeyVersion createNewKey(String keyNameArg, String src)
-    throws IOException {
-    Preconditions.checkNotNull(keyNameArg);
-    Preconditions.checkNotNull(src);
-    final StringBuilder sb = new StringBuilder("hdfs://");
-    if (nameserviceId != null) {
-      sb.append(nameserviceId);
-    }
-    sb.append(src);
-    if (!src.endsWith("/")) {
-      sb.append('/');
-    }
-    sb.append(keyNameArg);
-    final String keyName = sb.toString();
-    providerOptions.setDescription(keyName);
-    providerOptions.setBitLength(codec.getCipherSuite()
-        .getAlgorithmBlockSize()*8);
-    KeyVersion version = null;
-    try {
-      version = provider.createKey(keyNameArg, providerOptions);
-    } catch (NoSuchAlgorithmException e) {
-      throw new IOException(e);
-    }
-    return version;
-  }
-
   List<EncryptionZone> listEncryptionZones() throws IOException {
     boolean success = false;
     checkSuperuserPrivilege();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
index c0155fcb72b..28aaef2e455 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
@@ -124,7 +124,7 @@ public String getName() {
 
     @Override
     public String getShortUsage() {
-      return "[" + getName() + " [-keyName <keyName>] -path <path> " + "]\n";
+      return "[" + getName() + " -keyName <keyName> -path <path> " + "]\n";
     }
 
     @Override
@@ -133,7 +133,7 @@ public String getLongUsage() {
       listing.addRow("<path>", "The path of the encryption zone to create. " +
         "It must be an empty directory.");
       listing.addRow("<keyName>", "Name of the key to use for the " +
-          "encryption zone. A new key will be generated if unspecified.");
+          "encryption zone.");
       return getShortUsage() + "\n" +
         "Create a new encryption zone.\n\n" +
         listing.toString();
@@ -149,6 +149,10 @@ public int run(Configuration conf, List<String> args) throws IOException {
 
       final String keyName =
           StringUtils.popOptionWithArgument("-keyName", args);
+      if (keyName == null) {
+        System.err.println("You must specify a key name with -keyName.");
+        return 1;
+      }
 
       if (!args.isEmpty()) {
         System.err.println("Can't understand argument: " + args.get(0));
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoCLI.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoAdminCLI.java
similarity index 98%
rename from hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoCLI.java
rename to hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoAdminCLI.java
index 1b4468e545b..1c83829102a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoCLI.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestCryptoAdminCLI.java
@@ -48,7 +48,7 @@
 import org.junit.Test;
 import org.xml.sax.SAXException;
 
-public class TestCryptoCLI  extends CLITestHelperDFS {
+public class TestCryptoAdminCLI extends CLITestHelperDFS {
   protected MiniDFSCluster dfsCluster = null;
   protected FileSystem fs = null;
   protected String namenode = null;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
index c7229228606..e1fb878139b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -68,12 +68,13 @@ public class TestEncryptionZones {
   private HdfsAdmin dfsAdmin;
   private DistributedFileSystem fs;
   private File testRootDir;
+  private final String TEST_KEY = "testKey";
 
   protected FileSystemTestWrapper fsWrapper;
   protected FileContextTestWrapper fcWrapper;
 
   @Before
-  public void setup() throws IOException {
+  public void setup() throws Exception {
     conf = new HdfsConfiguration();
     fsHelper = new FileSystemTestHelper();
     // Set up java key store
@@ -93,6 +94,8 @@ public void setup() throws IOException {
     // else the updates do not get flushed properly
     fs.getClient().provider = cluster.getNameNode().getNamesystem()
         .getProvider();
+    // Create a test key
+    createKey(TEST_KEY);
   }
 
   @After
@@ -143,6 +146,8 @@ private void createKey(String keyName)
       throws NoSuchAlgorithmException, IOException {
     KeyProvider provider = cluster.getNameNode().getNamesystem().getProvider();
     final KeyProvider.Options options = KeyProvider.options(conf);
+    options.setDescription(keyName);
+    options.setBitLength(128);
     provider.createKey(keyName, options);
     provider.flush();
   }
@@ -155,7 +160,7 @@ public void testBasicOperations() throws Exception {
     /* Test failure of create EZ on a directory that doesn't exist. */
     final Path zone1 = new Path("/zone1");
     try {
-      dfsAdmin.createEncryptionZone(zone1, null);
+      dfsAdmin.createEncryptionZone(zone1, TEST_KEY);
       fail("expected /test doesn't exist");
     } catch (IOException e) {
       assertExceptionContains("cannot find", e);
@@ -163,13 +168,13 @@ public void testBasicOperations() throws Exception {
 
     /* Normal creation of an EZ */
     fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
-    dfsAdmin.createEncryptionZone(zone1, null);
+    dfsAdmin.createEncryptionZone(zone1, TEST_KEY);
     assertNumZones(++numZones);
     assertZonePresent(null, zone1.toString());
 
     /* Test failure of create EZ on a directory which is already an EZ. */
     try {
-      dfsAdmin.createEncryptionZone(zone1, null);
+      dfsAdmin.createEncryptionZone(zone1, TEST_KEY);
     } catch (IOException e) {
       assertExceptionContains("already in an encryption zone", e);
     }
@@ -178,7 +183,7 @@ public void testBasicOperations() throws Exception {
     final Path zone1Child = new Path(zone1, "child");
     fsWrapper.mkdir(zone1Child, FsPermission.getDirDefault(), false);
     try {
-      dfsAdmin.createEncryptionZone(zone1Child, null);
+      dfsAdmin.createEncryptionZone(zone1Child, TEST_KEY);
       fail("EZ in an EZ");
     } catch (IOException e) {
       assertExceptionContains("already in an encryption zone", e);
@@ -189,7 +194,7 @@ public void testBasicOperations() throws Exception {
     final Path notEmptyChild = new Path(notEmpty, "child");
     fsWrapper.mkdir(notEmptyChild, FsPermission.getDirDefault(), true);
     try {
-      dfsAdmin.createEncryptionZone(notEmpty, null);
+      dfsAdmin.createEncryptionZone(notEmpty, TEST_KEY);
       fail("Created EZ on an non-empty directory with folder");
     } catch (IOException e) {
       assertExceptionContains("create an encryption zone", e);
@@ -199,7 +204,7 @@ public void testBasicOperations() throws Exception {
     /* create EZ on a folder with a file fails */
     fsWrapper.createFile(notEmptyChild);
     try {
-      dfsAdmin.createEncryptionZone(notEmpty, null);
+      dfsAdmin.createEncryptionZone(notEmpty, TEST_KEY);
       fail("Created EZ on an non-empty directory with file");
     } catch (IOException e) {
       assertExceptionContains("create an encryption zone", e);
@@ -215,6 +220,21 @@ public void testBasicOperations() throws Exception {
     } catch (IOException e) {
       assertExceptionContains("doesn't exist.", e);
     }
+
+    /* Test failure of empty and null key name */
+    try {
+      dfsAdmin.createEncryptionZone(zone2, "");
+      fail("created a zone with empty key name");
+    } catch (IOException e) {
+      assertExceptionContains("Must specify a key name when creating", e);
+    }
+    try {
+      dfsAdmin.createEncryptionZone(zone2, null);
+      fail("created a zone with null key name");
+    } catch (IOException e) {
+      assertExceptionContains("Must specify a key name when creating", e);
+    }
+
     assertNumZones(1);
 
     /* Test success of creating an EZ when they key exists. */
@@ -235,7 +255,7 @@ public Object run() throws Exception {
         final HdfsAdmin userAdmin =
             new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
         try {
-          userAdmin.createEncryptionZone(nonSuper, null);
+          userAdmin.createEncryptionZone(nonSuper, TEST_KEY);
           fail("createEncryptionZone is superuser-only operation");
         } catch (AccessControlException e) {
           assertExceptionContains("Superuser privilege is required", e);
@@ -247,7 +267,7 @@ public Object run() throws Exception {
     // Test success of creating an encryption zone a few levels down.
     Path deepZone = new Path("/d/e/e/p/zone");
     fsWrapper.mkdir(deepZone, FsPermission.getDirDefault(), true);
-    dfsAdmin.createEncryptionZone(deepZone, null);
+    dfsAdmin.createEncryptionZone(deepZone, TEST_KEY);
     assertNumZones(++numZones);
     assertZonePresent(null, deepZone.toString());
   }
@@ -266,10 +286,10 @@ public void testListEncryptionZonesAsNonSuperUser() throws Exception {
     final Path allPath = new Path(testRoot, "accessall");
 
     fsWrapper.mkdir(superPath, new FsPermission((short) 0700), true);
-    dfsAdmin.createEncryptionZone(superPath, null);
+    dfsAdmin.createEncryptionZone(superPath, TEST_KEY);
 
     fsWrapper.mkdir(allPath, new FsPermission((short) 0707), true);
-    dfsAdmin.createEncryptionZone(allPath, null);
+    dfsAdmin.createEncryptionZone(allPath, TEST_KEY);
 
     user.doAs(new PrivilegedExceptionAction<Object>() {
       @Override
@@ -294,7 +314,7 @@ private void doRenameEncryptionZone(FSTestWrapper wrapper) throws Exception {
     final Path pathFoo = new Path(testRoot, "foo");
     final Path pathFooBaz = new Path(pathFoo, "baz");
     wrapper.mkdir(pathFoo, FsPermission.getDirDefault(), true);
-    dfsAdmin.createEncryptionZone(pathFoo, null);
+    dfsAdmin.createEncryptionZone(pathFoo, TEST_KEY);
     wrapper.mkdir(pathFooBaz, FsPermission.getDirDefault(), true);
     try {
       wrapper.rename(pathFooBaz, testRoot);
@@ -331,7 +351,7 @@ public void testReadWrite() throws Exception {
     // Create the first enc file
     final Path zone = new Path("/zone");
     fs.mkdirs(zone);
-    dfsAdmin.createEncryptionZone(zone, null);
+    dfsAdmin.createEncryptionZone(zone, TEST_KEY);
     final Path encFile1 = new Path(zone, "myfile");
     DFSTestUtil.createFile(fs, encFile1, len, (short) 1, 0xFEED);
     // Read them back in and compare byte-by-byte
@@ -364,7 +384,7 @@ public void testCipherSuiteNegotiation() throws Exception {
         new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
     final Path zone = new Path("/zone");
     fs.mkdirs(zone);
-    dfsAdmin.createEncryptionZone(zone, null);
+    dfsAdmin.createEncryptionZone(zone, TEST_KEY);
     // Create a file in an EZ, which should succeed
     DFSTestUtil
         .createFile(fs, new Path(zone, "success1"), 0, (short) 1, 0xFEED);
@@ -434,7 +454,7 @@ public void testCreateEZWithNoProvider() throws Exception {
     /* Normal creation of an EZ */
     fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
     try {
-      dfsAdmin.createEncryptionZone(zone1, null);
+      dfsAdmin.createEncryptionZone(zone1, TEST_KEY);
       fail("expected exception");
     } catch (IOException e) {
       assertExceptionContains("since no key provider is available", e);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
index 2ff2f20ae41..ebbf773b133 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testCryptoConf.xml
@@ -50,7 +50,7 @@
       <description>Test create ez, dir doesn't exist</description>
       <test-commands>
         <command>-fs NAMENODE -ls /test</command>-
-        <crypto-admin-command>-createZone -path /test</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /test -keyName myKey</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
       </cleanup-commands>
@@ -67,8 +67,8 @@
       <test-commands>
         <command>-fs NAMENODE -mkdir /foo</command>
         <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
-        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /foo -keyName myKey</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /foo -keyName myKey</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
         <command>-fs NAMENODE -rmdir /foo</command>
@@ -81,32 +81,14 @@
       </comparators>
     </test>
 
-    <test>
-      <description>Test success of create ez in which a key is created</description>
-      <test-commands>
-        <command>-fs NAMENODE -mkdir /foo</command>
-        <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
-      </test-commands>
-      <cleanup-commands>
-        <command>-fs NAMENODE -rmdir /foo</command>
-      </cleanup-commands>
-      <comparators>
-        <comparator>
-          <type>SubstringComparator</type>
-          <expected-output>Added encryption zone /foo</expected-output>
-        </comparator>
-      </comparators>
-    </test>
-
     <test>
       <description>Test failure of Create EZ operation in an existing EZ.</description>
       <test-commands>
         <command>-fs NAMENODE -mkdir /foo</command>
         <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
+        <crypto-admin-command>-createZone -keyName myKey -path /foo</crypto-admin-command>
         <command>-fs NAMENODE -mkdir /foo/bar</command>
-        <crypto-admin-command>-createZone -path /foo/bar</crypto-admin-command>
+        <crypto-admin-command>-createZone -keyName myKey -path /foo/bar</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
         <command>-fs NAMENODE -rmdir /foo/bar</command>
@@ -126,7 +108,7 @@
         <command>-fs NAMENODE -mkdir /foo</command>
         <command>-fs NAMENODE -touchz /foo/bar</command>
         <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
+        <crypto-admin-command>-createZone -keyName myKey -path /foo</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
         <command>-fs NAMENODE -rm /foo/bar</command>
@@ -159,19 +141,31 @@
     </test>
 
     <test>
-      <description>Test success of creating an EZ when the key exists.</description>
+      <description>Test failure of creating an EZ no path is specified.</description>
       <test-commands>
-        <command>-fs NAMENODE -mkdir /foo</command>
-        <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /foo -keyName mykey</crypto-admin-command>
+        <crypto-admin-command>-createZone -keyName blahKey</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
-        <command>-fs NAMENODE -rmdir /foo</command>
       </cleanup-commands>
       <comparators>
         <comparator>
           <type>SubstringComparator</type>
-          <expected-output>Added encryption zone /foo</expected-output>
+          <expected-output>You must specify a path</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test>
+      <description>Test failure of creating an EZ no key is specified.</description>
+      <test-commands>
+        <crypto-admin-command>-createZone -path /foo</crypto-admin-command>
+      </test-commands>
+      <cleanup-commands>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>You must specify a key name</expected-output>
         </comparator>
       </comparators>
     </test>
@@ -183,7 +177,7 @@
         <command>-fs NAMENODE -mkdir /foo/bar</command>
         <command>-fs NAMENODE -mkdir /foo/bar/baz</command>
         <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /foo/bar/baz</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /foo/bar/baz -keyName myKey</crypto-admin-command>
       </test-commands>
       <cleanup-commands>
         <command>-fs NAMENODE -rmdir /foo/bar/baz</command>
@@ -204,8 +198,8 @@
         <command>-fs NAMENODE -mkdir /src</command>
         <command>-fs NAMENODE -mkdir /dst</command>
         <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /src</crypto-admin-command>
-        <crypto-admin-command>-createZone -path /dst</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /src -keyName myKey</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /dst -keyName myKey</crypto-admin-command>
         <command>-fs NAMENODE -mkdir /src/subdir</command>
         <command>-fs NAMENODE -mv /src/subdir /dst</command>-
       </test-commands>
@@ -228,7 +222,7 @@
         <command>-fs NAMENODE -mkdir /src</command>
         <command>-fs NAMENODE -mkdir /dst</command>
         <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /dst</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /dst -keyName myKey</crypto-admin-command>
         <command>-fs NAMENODE -mv /src /dst</command>-
       </test-commands>
       <cleanup-commands>
@@ -249,7 +243,7 @@
         <command>-fs NAMENODE -mkdir /src</command>
         <command>-fs NAMENODE -mkdir /dst</command>
         <command>-fs NAMENODE -ls /</command>-
-        <crypto-admin-command>-createZone -path /src</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /src -keyName myKey</crypto-admin-command>
         <command>-fs NAMENODE -mv /src /dst</command>-
       </test-commands>
       <cleanup-commands>
@@ -268,7 +262,7 @@
       <description>Test success of renaming file intra-EZ</description>
       <test-commands>
         <command>-fs NAMENODE -mkdir /src</command>
-        <crypto-admin-command>-createZone -path /src</crypto-admin-command>
+        <crypto-admin-command>-createZone -path /src -keyName myKey</crypto-admin-command>
         <command>-fs NAMENODE -mkdir /src/subdir1</command>
         <command>-fs NAMENODE -mkdir /src/subdir2</command>
         <command>-fs NAMENODE -mv /src/subdir1 /src/subdir2</command>-

From 9ca2f34c8fb03227e7364ced5183562e9f805400 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Wed, 30 Jul 2014 01:35:04 +0000
Subject: [PATCH 077/354] HDFS-6730. Create a .RAW extended attribute
 namespace. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1614535 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   2 +
 .../main/java/org/apache/hadoop/fs/XAttr.java |  13 +-
 .../org/apache/hadoop/hdfs/XAttrHelper.java   |   8 +-
 .../hadoop/hdfs/protocol/ClientProtocol.java  |   6 +-
 .../server/common/HdfsServerConstants.java    |   4 +-
 .../hdfs/server/namenode/FSNamesystem.java    |  14 +-
 .../namenode/XAttrPermissionFilter.java       |  30 ++-
 .../hadoop-hdfs/src/main/proto/xattr.proto    |   1 +
 .../src/site/apt/ExtendedAttributes.apt.vm    |   4 +-
 .../java/org/apache/hadoop/fs/TestXAttr.java  |  11 +-
 .../hdfs/server/namenode/FSXAttrBaseTest.java | 179 +++++++++++++++++-
 .../hdfs/server/namenode/TestFSDirectory.java |  15 +-
 .../src/test/resources/testXAttrConf.xml      |  58 +++++-
 13 files changed, 313 insertions(+), 32 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 2531a4e4049..34a86e39db7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -68,6 +68,8 @@ fs-encryption (Unreleased)
     HDFS-6771. Require specification of an encryption key when creating
     an encryption zone. (wang)
 
+    HDFS-6730. Create a .RAW extended attribute namespace. (clamb)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/XAttr.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/XAttr.java
index 99f629afdfe..968ee00ce76 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/XAttr.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/XAttr.java
@@ -26,8 +26,8 @@
 /**
  * XAttr is the POSIX Extended Attribute model similar to that found in
  * traditional Operating Systems.  Extended Attributes consist of one
- * or more name/value pairs associated with a file or directory. Four
- * namespaces are defined: user, trusted, security and system.
+ * or more name/value pairs associated with a file or directory. Five
+ * namespaces are defined: user, trusted, security, system and raw.
  *   1) USER namespace attributes may be used by any user to store
  *   arbitrary information. Access permissions in this namespace are
  *   defined by a file directory's permission bits. For sticky directories,
@@ -43,6 +43,12 @@
  * <br>
  *   4) SECURITY namespace attributes are used by the fs kernel for
  *   security features. It is not visible to users.
+ * <br>
+ *   5) RAW namespace attributes are used for internal system attributes that
+ *   sometimes need to be exposed. Like SYSTEM namespace attributes they are
+ *   not visible to the user except when getXAttr/getXAttrs is called on a file
+ *   or directory in the /.reserved/raw HDFS directory hierarchy.  These
+ *   attributes can only be accessed by the superuser.
  * <p/>
  * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
  * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
@@ -55,7 +61,8 @@ public static enum NameSpace {
     USER,
     TRUSTED,
     SECURITY,
-    SYSTEM;
+    SYSTEM,
+    RAW;
   }
   
   private final NameSpace ns;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/XAttrHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/XAttrHelper.java
index abcd47ae16a..04364ccf7e7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/XAttrHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/XAttrHelper.java
@@ -49,9 +49,9 @@ public static XAttr buildXAttr(String name, byte[] value) {
     Preconditions.checkNotNull(name, "XAttr name cannot be null.");
     
     final int prefixIndex = name.indexOf(".");
-    if (prefixIndex < 4) {// Prefix length is at least 4.
+    if (prefixIndex < 3) {// Prefix length is at least 3.
       throw new HadoopIllegalArgumentException("An XAttr name must be " +
-          "prefixed with user/trusted/security/system, followed by a '.'");
+          "prefixed with user/trusted/security/system/raw, followed by a '.'");
     } else if (prefixIndex == name.length() - 1) {
       throw new HadoopIllegalArgumentException("XAttr name cannot be empty.");
     }
@@ -66,9 +66,11 @@ public static XAttr buildXAttr(String name, byte[] value) {
       ns = NameSpace.SYSTEM;
     } else if (prefix.equals(NameSpace.SECURITY.toString().toLowerCase())) {
       ns = NameSpace.SECURITY;
+    } else if (prefix.equals(NameSpace.RAW.toString().toLowerCase())) {
+      ns = NameSpace.RAW;
     } else {
       throw new HadoopIllegalArgumentException("An XAttr name must be " +
-          "prefixed with user/trusted/security/system, followed by a '.'");
+          "prefixed with user/trusted/security/system/raw, followed by a '.'");
     }
     XAttr xAttr = (new XAttr.Builder()).setNameSpace(ns).setName(name.
         substring(prefixIndex + 1)).setValue(value).build();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index 734240f06fa..6ff4ffbbaa1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -1335,7 +1335,6 @@ public List<XAttr> getXAttrs(String src, List<XAttr> xAttrs)
    * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
    * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
    * @param src file or directory
-   * @param xAttrs xAttrs to get
    * @return List<XAttr> <code>XAttr</code> list
    * @throws IOException
    */
@@ -1345,12 +1344,15 @@ public List<XAttr> listXAttrs(String src)
   
   /**
    * Remove xattr of a file or directory.Value in xAttr parameter is ignored.
-   * Name must be prefixed with user/trusted/security/system.
+   * Name must be prefixed with user/trusted/security/system/raw.
    * <p/>
    * A regular user only can remove xattr of "user" namespace.
    * A super user can remove xattr of "user" and "trusted" namespace.
    * XAttr of "security" and "system" namespace is only used/exposed 
    * internally to the FS impl.
+   * The xattrs of the "raw" namespace are only used/exposed when accessed in
+   * the /.reserved/raw HDFS directory hierarchy. These attributes can only be
+   * accessed by the superuser.
    * <p/>
    * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
    * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HdfsServerConstants.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HdfsServerConstants.java
index 5e4d1f0e5ba..98c6398c2cb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HdfsServerConstants.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HdfsServerConstants.java
@@ -296,8 +296,8 @@ static public enum BlockUCState {
   public static final long NAMENODE_LEASE_RECHECK_INTERVAL = 2000;
 
   public static final String CRYPTO_XATTR_ENCRYPTION_ZONE =
-      "system.hdfs.crypto.encryption.zone";
+      "raw.hdfs.crypto.encryption.zone";
   public static final String CRYPTO_XATTR_FILE_ENCRYPTION_INFO =
-      "system.hdfs.crypto.file.encryption.info";
+      "raw.hdfs.crypto.file.encryption.info";
 }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index dde19b9bd21..8350225d8ea 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -8594,7 +8594,8 @@ private void setXAttrInt(final String srcArg, XAttr xAttr,
     checkXAttrSize(xAttr);
     HdfsFileStatus resultingStat = null;
     FSPermissionChecker pc = getPermissionChecker();
-    XAttrPermissionFilter.checkPermissionForApi(pc, xAttr);
+    XAttrPermissionFilter.checkPermissionForApi(pc, xAttr,
+        FSDirectory.isReservedRawName(src));
     checkOperation(OperationCategory.WRITE);
     byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
     writeLock();
@@ -8640,10 +8641,11 @@ List<XAttr> getXAttrs(final String srcArg, List<XAttr> xAttrs)
     String src = srcArg;
     nnConf.checkXAttrsConfigFlag();
     FSPermissionChecker pc = getPermissionChecker();
+    final boolean isRawPath = FSDirectory.isReservedRawName(src);
     boolean getAll = xAttrs == null || xAttrs.isEmpty();
     if (!getAll) {
       try {
-        XAttrPermissionFilter.checkPermissionForApi(pc, xAttrs);
+        XAttrPermissionFilter.checkPermissionForApi(pc, xAttrs, isRawPath);
       } catch (AccessControlException e) {
         logAuditEvent(false, "getXAttrs", srcArg);
         throw e;
@@ -8660,7 +8662,7 @@ List<XAttr> getXAttrs(final String srcArg, List<XAttr> xAttrs)
       }
       List<XAttr> all = dir.getXAttrs(src);
       List<XAttr> filteredAll = XAttrPermissionFilter.
-          filterXAttrsForApi(pc, all);
+          filterXAttrsForApi(pc, all, isRawPath);
       if (getAll) {
         return filteredAll;
       } else {
@@ -8696,6 +8698,7 @@ List<XAttr> getXAttrs(final String srcArg, List<XAttr> xAttrs)
   List<XAttr> listXAttrs(String src) throws IOException {
     nnConf.checkXAttrsConfigFlag();
     final FSPermissionChecker pc = getPermissionChecker();
+    final boolean isRawPath = FSDirectory.isReservedRawName(src);
     checkOperation(OperationCategory.READ);
     byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
     readLock();
@@ -8708,7 +8711,7 @@ List<XAttr> listXAttrs(String src) throws IOException {
       }
       final List<XAttr> all = dir.getXAttrs(src);
       final List<XAttr> filteredAll = XAttrPermissionFilter.
-        filterXAttrsForApi(pc, all);
+        filterXAttrsForApi(pc, all, isRawPath);
       return filteredAll;
     } catch (AccessControlException e) {
       logAuditEvent(false, "listXAttrs", src);
@@ -8753,7 +8756,8 @@ void removeXAttrInt(final String srcArg, XAttr xAttr, boolean logRetryCache)
     nnConf.checkXAttrsConfigFlag();
     HdfsFileStatus resultingStat = null;
     FSPermissionChecker pc = getPermissionChecker();
-      XAttrPermissionFilter.checkPermissionForApi(pc, xAttr);
+    XAttrPermissionFilter.checkPermissionForApi(pc, xAttr,
+        FSDirectory.isReservedRawName(src));
     checkOperation(OperationCategory.WRITE);
     byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
     writeLock();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/XAttrPermissionFilter.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/XAttrPermissionFilter.java
index 98730142fbd..237f9d3d5ee 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/XAttrPermissionFilter.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/XAttrPermissionFilter.java
@@ -47,15 +47,27 @@
  * <br>
  * SYSTEM - extended system attributes: these are used by the HDFS
  * core and are not available through admin/user API.
+ * <br>
+ * RAW - extended system attributes: these are used for internal system
+ *   attributes that sometimes need to be exposed. Like SYSTEM namespace
+ *   attributes they are not visible to the user except when getXAttr/getXAttrs
+ *   is called on a file or directory in the /.reserved/raw HDFS directory
+ *   hierarchy. These attributes can only be accessed by the superuser.
+ * </br>
  */
 @InterfaceAudience.Private
 public class XAttrPermissionFilter {
   
-  static void checkPermissionForApi(FSPermissionChecker pc, XAttr xAttr) 
+  static void checkPermissionForApi(FSPermissionChecker pc, XAttr xAttr,
+      boolean isRawPath)
       throws AccessControlException {
+    final boolean isSuperUser = pc.isSuperUser();
     if (xAttr.getNameSpace() == XAttr.NameSpace.USER || 
-        (xAttr.getNameSpace() == XAttr.NameSpace.TRUSTED && 
-        pc.isSuperUser())) {
+        (xAttr.getNameSpace() == XAttr.NameSpace.TRUSTED && isSuperUser)) {
+      return;
+    }
+    if (xAttr.getNameSpace() == XAttr.NameSpace.RAW &&
+        isRawPath && isSuperUser) {
       return;
     }
     throw new AccessControlException("User doesn't have permission for xattr: "
@@ -63,30 +75,34 @@ static void checkPermissionForApi(FSPermissionChecker pc, XAttr xAttr)
   }
 
   static void checkPermissionForApi(FSPermissionChecker pc,
-                                    List<XAttr> xAttrs) throws AccessControlException {
+      List<XAttr> xAttrs, boolean isRawPath) throws AccessControlException {
     Preconditions.checkArgument(xAttrs != null);
     if (xAttrs.isEmpty()) {
       return;
     }
 
     for (XAttr xAttr : xAttrs) {
-      checkPermissionForApi(pc, xAttr);
+      checkPermissionForApi(pc, xAttr, isRawPath);
     }
   }
 
   static List<XAttr> filterXAttrsForApi(FSPermissionChecker pc,
-      List<XAttr> xAttrs) {
+      List<XAttr> xAttrs, boolean isRawPath) {
     assert xAttrs != null : "xAttrs can not be null";
     if (xAttrs == null || xAttrs.isEmpty()) {
       return xAttrs;
     }
     
     List<XAttr> filteredXAttrs = Lists.newArrayListWithCapacity(xAttrs.size());
+    final boolean isSuperUser = pc.isSuperUser();
     for (XAttr xAttr : xAttrs) {
       if (xAttr.getNameSpace() == XAttr.NameSpace.USER) {
         filteredXAttrs.add(xAttr);
       } else if (xAttr.getNameSpace() == XAttr.NameSpace.TRUSTED && 
-          pc.isSuperUser()) {
+          isSuperUser) {
+        filteredXAttrs.add(xAttr);
+      } else if (xAttr.getNameSpace() == XAttr.NameSpace.RAW &&
+          isSuperUser && isRawPath) {
         filteredXAttrs.add(xAttr);
       }
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/xattr.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/xattr.proto
index cb86ff27731..acdc28ebb88 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/xattr.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/xattr.proto
@@ -27,6 +27,7 @@ message XAttrProto {
     TRUSTED   = 1;
     SECURITY  = 2;
     SYSTEM    = 3;
+    RAW       = 4;
   }
   
   required XAttrNamespaceProto namespace = 1;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/ExtendedAttributes.apt.vm b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/ExtendedAttributes.apt.vm
index 56aec0ca288..0a99fe50ee6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/ExtendedAttributes.apt.vm
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/ExtendedAttributes.apt.vm
@@ -30,7 +30,7 @@ Extended Attributes in HDFS
 
 ** {Namespaces and Permissions}
 
-  In HDFS, as in Linux, there are four valid namespaces: <<<user>>>, <<<trusted>>>, <<<system>>>, and <<<security>>>. Each of these namespaces have different access restrictions.
+  In HDFS, there are five valid namespaces: <<<user>>>, <<<trusted>>>, <<<system>>>, <<<security>>>, and <<<raw>>>. Each of these namespaces have different access restrictions.
 
   The <<<user>>> namespace is the namespace that will commonly be used by client applications. Access to extended attributes in the user namespace is controlled by the corresponding file permissions.
 
@@ -40,6 +40,8 @@ Extended Attributes in HDFS
 
   The <<<security>>> namespace is reserved for internal HDFS use. This namespace is not accessible through userspace methods. It is currently unused.
 
+ The <<<raw>>> namespace is reserved for internal system attributes that sometimes need to be exposed. Like <<<system>>> namespace attributes they are not visible to the user except when <<<getXAttr>>>/<<<getXAttrs>>> is called on a file or directory in the <<</.reserved/raw>>> HDFS directory hierarchy. These attributes can only be accessed by the superuser. An example of where <<<raw>>> namespace extended attributes are used is the <<<distcp>>> utility. Encryption zone meta data is stored in <<<raw.*>>> extended attributes, so as long as the administrator uses <<</.reserved/raw>>> pathnames in source and target, the encrypted files in the encryption zones are transparently copied.
+
 * {Interacting with extended attributes}
 
   The Hadoop shell has support for interacting with extended attributes via <<<hadoop fs -getfattr>>> and <<<hadoop fs -setfattr>>>. These commands are styled after the Linux {{{http://www.bestbits.at/acl/man/man1/getfattr.txt}getfattr(1)}} and {{{http://www.bestbits.at/acl/man/man1/setfattr.txt}setfattr(1)}} commands.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestXAttr.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestXAttr.java
index 032a8dfead0..e47658dd6a8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestXAttr.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestXAttr.java
@@ -29,7 +29,7 @@
  * Tests for <code>XAttr</code> objects.
  */
 public class TestXAttr {
-  private static XAttr XATTR, XATTR1, XATTR2, XATTR3, XATTR4;
+  private static XAttr XATTR, XATTR1, XATTR2, XATTR3, XATTR4, XATTR5;
   
   @BeforeClass
   public static void setUp() throws Exception {
@@ -58,6 +58,11 @@ public static void setUp() throws Exception {
       .setName("name")
       .setValue(value)
       .build();
+    XATTR5 = new XAttr.Builder()
+      .setNameSpace(XAttr.NameSpace.RAW)
+      .setName("name")
+      .setValue(value)
+      .build();
   }
   
   @Test
@@ -65,14 +70,17 @@ public void testXAttrEquals() {
     assertNotSame(XATTR1, XATTR2);
     assertNotSame(XATTR2, XATTR3);
     assertNotSame(XATTR3, XATTR4);
+    assertNotSame(XATTR4, XATTR5);
     assertEquals(XATTR, XATTR1);
     assertEquals(XATTR1, XATTR1);
     assertEquals(XATTR2, XATTR2);
     assertEquals(XATTR3, XATTR3);
     assertEquals(XATTR4, XATTR4);
+    assertEquals(XATTR5, XATTR5);
     assertFalse(XATTR1.equals(XATTR2));
     assertFalse(XATTR2.equals(XATTR3));
     assertFalse(XATTR3.equals(XATTR4));
+    assertFalse(XATTR4.equals(XATTR5));
   }
   
   @Test
@@ -81,5 +89,6 @@ public void testXAttrHashCode() {
     assertFalse(XATTR1.hashCode() == XATTR2.hashCode());
     assertFalse(XATTR2.hashCode() == XATTR3.hashCode());
     assertFalse(XATTR3.hashCode() == XATTR4.hashCode());
+    assertFalse(XATTR4.hashCode() == XATTR5.hashCode());
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSXAttrBaseTest.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSXAttrBaseTest.java
index 636ecc2417f..0c7b8070b44 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSXAttrBaseTest.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSXAttrBaseTest.java
@@ -69,6 +69,7 @@ public class FSXAttrBaseTest {
   protected static Configuration conf;
   private static int pathCount = 0;
   protected static Path path;
+  protected static Path rawPath;
   
   // XAttrs
   protected static final String name1 = "user.a1";
@@ -78,6 +79,8 @@ public class FSXAttrBaseTest {
   protected static final byte[] value2 = {0x37, 0x38, 0x39};
   protected static final String name3 = "user.a3";
   protected static final String name4 = "user.a4";
+  protected static final String raw1 = "raw.a1";
+  protected static final String raw2 = "raw.a2";
 
   protected FileSystem fs;
 
@@ -107,6 +110,7 @@ public static void shutdown() {
   public void setUp() throws Exception {
     pathCount += 1;
     path = new Path("/p" + pathCount);
+    rawPath = new Path("/.reserved/raw/p" + pathCount);
     initFileSystem();
   }
 
@@ -395,7 +399,8 @@ public void testGetXAttrs() throws Exception {
       Assert.fail("expected IOException");
     } catch (Exception e) {
       GenericTestUtils.assertExceptionContains
-          ("An XAttr name must be prefixed with user/trusted/security/system, " +
+          ("An XAttr name must be prefixed with " +
+           "user/trusted/security/system/raw, " +
            "followed by a '.'",
           e);
     }
@@ -582,7 +587,7 @@ public void testRemoveXAttrPermissions() throws Exception {
 
     /* Unknown namespace should throw an exception. */
     final String expectedExceptionString = "An XAttr name must be prefixed " +
-        "with user/trusted/security/system, followed by a '.'";
+        "with user/trusted/security/system/raw, followed by a '.'";
     try {
       fs.removeXAttr(path, "wackynamespace.foo");
       Assert.fail("expected IOException");
@@ -918,6 +923,176 @@ public void testXAttrAcl() throws Exception {
     fsAsDiana.removeXAttr(path, name2);
   }
   
+  @Test(timeout = 120000)
+  public void testRawXAttrs() throws Exception {
+    final UserGroupInformation user = UserGroupInformation.
+      createUserForTesting("user", new String[] {"mygroup"});
+
+    FileSystem.mkdirs(fs, path, FsPermission.createImmutable((short) 0750));
+    fs.setXAttr(rawPath, raw1, value1, EnumSet.of(XAttrSetFlag.CREATE,
+        XAttrSetFlag.REPLACE));
+
+    {
+      // getXAttr
+      final byte[] value = fs.getXAttr(rawPath, raw1);
+      Assert.assertArrayEquals(value, value1);
+    }
+
+    {
+      // getXAttrs
+      final Map<String, byte[]> xattrs = fs.getXAttrs(rawPath);
+      Assert.assertEquals(xattrs.size(), 1);
+      Assert.assertArrayEquals(value1, xattrs.get(raw1));
+      fs.removeXAttr(rawPath, raw1);
+    }
+
+    {
+      // replace and re-get
+      fs.setXAttr(rawPath, raw1, value1, EnumSet.of(XAttrSetFlag.CREATE));
+      fs.setXAttr(rawPath, raw1, newValue1, EnumSet.of(XAttrSetFlag.CREATE,
+          XAttrSetFlag.REPLACE));
+
+      final Map<String,byte[]> xattrs = fs.getXAttrs(rawPath);
+      Assert.assertEquals(xattrs.size(), 1);
+      Assert.assertArrayEquals(newValue1, xattrs.get(raw1));
+
+      fs.removeXAttr(rawPath, raw1);
+    }
+
+    {
+      // listXAttrs on rawPath ensuring raw.* xattrs are returned
+      fs.setXAttr(rawPath, raw1, value1, EnumSet.of(XAttrSetFlag.CREATE));
+      fs.setXAttr(rawPath, raw2, value2, EnumSet.of(XAttrSetFlag.CREATE));
+
+      final List<String> xattrNames = fs.listXAttrs(rawPath);
+      assertTrue(xattrNames.contains(raw1));
+      assertTrue(xattrNames.contains(raw2));
+      assertTrue(xattrNames.size() == 2);
+      fs.removeXAttr(rawPath, raw1);
+      fs.removeXAttr(rawPath, raw2);
+    }
+
+    {
+      // listXAttrs on non-rawPath ensuring no raw.* xattrs returned
+      fs.setXAttr(rawPath, raw1, value1, EnumSet.of(XAttrSetFlag.CREATE));
+      fs.setXAttr(rawPath, raw2, value2, EnumSet.of(XAttrSetFlag.CREATE));
+
+      final List<String> xattrNames = fs.listXAttrs(path);
+      assertTrue(xattrNames.size() == 0);
+      fs.removeXAttr(rawPath, raw1);
+      fs.removeXAttr(rawPath, raw2);
+    }
+
+    {
+      /*
+       * Test non-root user operations in the "raw.*" namespace.
+       */
+      user.doAs(new PrivilegedExceptionAction<Object>() {
+        @Override
+        public Object run() throws Exception {
+          final FileSystem userFs = dfsCluster.getFileSystem();
+          // Test that non-root can not set xattrs in the "raw.*" namespace
+          try {
+            // non-raw path
+            userFs.setXAttr(path, raw1, value1);
+            fail("setXAttr should have thrown");
+          } catch (AccessControlException e) {
+            // ignore
+          }
+
+          try {
+            // raw path
+            userFs.setXAttr(rawPath, raw1, value1);
+            fail("setXAttr should have thrown");
+          } catch (AccessControlException e) {
+            // ignore
+          }
+
+          // Test that non-root can not do getXAttrs in the "raw.*" namespace
+          try {
+            // non-raw path
+            userFs.getXAttrs(rawPath);
+            fail("getXAttrs should have thrown");
+          } catch (AccessControlException e) {
+            // ignore
+          }
+
+          try {
+            // raw path
+            userFs.getXAttrs(path);
+            fail("getXAttrs should have thrown");
+          } catch (AccessControlException e) {
+            // ignore
+          }
+
+          // Test that non-root can not do getXAttr in the "raw.*" namespace
+          try {
+            // non-raw path
+            userFs.getXAttr(rawPath, raw1);
+            fail("getXAttr should have thrown");
+          } catch (AccessControlException e) {
+            // ignore
+          }
+
+          try {
+            // raw path
+            userFs.getXAttr(path, raw1);
+            fail("getXAttr should have thrown");
+          } catch (AccessControlException e) {
+            // ignore
+          }
+          return null;
+        }
+        });
+    }
+
+    {
+      /*
+       * Test that non-root can not do getXAttr in the "raw.*" namespace
+       */
+      fs.setXAttr(rawPath, raw1, value1);
+      user.doAs(new PrivilegedExceptionAction<Object>() {
+          @Override
+          public Object run() throws Exception {
+            final FileSystem userFs = dfsCluster.getFileSystem();
+            try {
+              // non-raw path
+              userFs.getXAttr(rawPath, raw1);
+              fail("getXAttr should have thrown");
+            } catch (AccessControlException e) {
+              // ignore
+            }
+
+            try {
+              // raw path
+              userFs.getXAttr(path, raw1);
+              fail("getXAttr should have thrown");
+            } catch (AccessControlException e) {
+              // ignore
+            }
+
+            /*
+             * Test that only root can see raw.* xattrs returned from listXAttr
+             * and non-root can't do listXAttrs on /.reserved/raw.
+             */
+            // non-raw path
+            final List<String> xattrNames = userFs.listXAttrs(path);
+            assertTrue(xattrNames.size() == 0);
+            try {
+              // raw path
+              userFs.listXAttrs(rawPath);
+              fail("listXAttrs on raw path should have thrown");
+            } catch (AccessControlException e) {
+              // ignore
+            }
+
+            return null;
+          }
+        });
+      fs.removeXAttr(rawPath, raw1);
+    }
+  }
+
   /**
    * Creates a FileSystem for the super-user.
    *
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSDirectory.java
index 011901ddfa7..ad067cfa197 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSDirectory.java
@@ -191,14 +191,19 @@ public void testINodeXAttrsLimit() throws Exception {
     existingXAttrs.add(xAttr1);
     existingXAttrs.add(xAttr2);
     
-    // Adding a system namespace xAttr, isn't affected by inode xAttrs limit.
-    XAttr newXAttr = (new XAttr.Builder()).setNameSpace(XAttr.NameSpace.SYSTEM).
+    // Adding system and raw namespace xAttrs aren't affected by inode
+    // xAttrs limit.
+    XAttr newSystemXAttr = (new XAttr.Builder()).
+        setNameSpace(XAttr.NameSpace.SYSTEM).setName("a3").
+        setValue(new byte[]{0x33, 0x33, 0x33}).build();
+    XAttr newRawXAttr = (new XAttr.Builder()).setNameSpace(XAttr.NameSpace.RAW).
         setName("a3").setValue(new byte[]{0x33, 0x33, 0x33}).build();
-    List<XAttr> newXAttrs = Lists.newArrayListWithCapacity(1);
-    newXAttrs.add(newXAttr);
+    List<XAttr> newXAttrs = Lists.newArrayListWithCapacity(2);
+    newXAttrs.add(newSystemXAttr);
+    newXAttrs.add(newRawXAttr);
     List<XAttr> xAttrs = fsdir.setINodeXAttrs(existingXAttrs, newXAttrs,
         EnumSet.of(XAttrSetFlag.CREATE, XAttrSetFlag.REPLACE));
-    assertEquals(xAttrs.size(), 3);
+    assertEquals(xAttrs.size(), 4);
     
     // Adding a trusted namespace xAttr, is affected by inode xAttrs limit.
     XAttr newXAttr1 = (new XAttr.Builder()).setNameSpace(
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testXAttrConf.xml b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testXAttrConf.xml
index 7b7f866ac38..3414f5719dd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testXAttrConf.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testXAttrConf.xml
@@ -64,7 +64,7 @@
       <comparators>
         <comparator>
           <type>SubstringComparator</type>
-          <expected-output>name must be prefixed with user/trusted/security/system, followed by a '.'</expected-output>
+          <expected-output>name must be prefixed with user/trusted/security/system/raw, followed by a '.'</expected-output>
         </comparator>
       </comparators>
     </test>
@@ -125,6 +125,42 @@
       </comparators>
     </test>
     
+    <test>
+      <description>setfattr : Add an xattr of raw namespace</description>
+      <test-commands>
+          <command>-fs NAMENODE -touchz /file1</command>
+          <command>-fs NAMENODE -setfattr -n raw.a1 -v 123456 /file1</command>
+      </test-commands>
+      <cleanup-commands>
+          <command>-fs NAMENODE -rm /file1</command>
+      </cleanup-commands>
+      <comparators>
+          <comparator>
+              <type>SubstringComparator</type>
+              <expected-output>setfattr: User doesn't have permission for xattr: raw.a1</expected-output>
+          </comparator>
+      </comparators>
+
+    </test>
+
+    <test>
+        <description>setfattr : Add an xattr of raw namespace</description>
+        <test-commands>
+            <command>-fs NAMENODE -touchz /file1</command>
+            <command>-fs NAMENODE -setfattr -n raw.a1 -v 123456 /.reserved/raw/file1</command>
+            <command>-fs NAMENODE -getfattr -n raw.a1 /.reserved/raw/file1</command>
+        </test-commands>
+        <cleanup-commands>
+            <command>-fs NAMENODE -rm /file1</command>
+        </cleanup-commands>
+        <comparators>
+            <comparator>
+                <type>SubstringComparator</type>
+                <expected-output>raw.a1="123456"</expected-output>
+            </comparator>
+        </comparators>
+    </test>
+
     <test>
       <description>setfattr : Add an xattr, and encode is text</description>
       <test-commands>
@@ -256,6 +292,26 @@
         </comparator>
       </comparators>
     </test>
+
+    <test>
+        <description>setfattr : Remove an xattr of raw namespace</description>
+        <test-commands>
+            <command>-fs NAMENODE -touchz /file1</command>
+            <command>-fs NAMENODE -setfattr -n raw.a1 -v 123456 /.reserved/raw/file1</command>
+            <command>-fs NAMENODE -setfattr -n raw.a2 -v 123456 /.reserved/raw/file1</command>
+            <command>-fs NAMENODE -setfattr -x raw.a2 /.reserved/raw/file1</command>
+            <command>-fs NAMENODE -getfattr -d /.reserved/raw/file1</command>
+        </test-commands>
+        <cleanup-commands>
+            <command>-fs NAMENODE -rm /file1</command>
+        </cleanup-commands>
+        <comparators>
+            <comparator>
+                <type>SubstringComparator</type>
+		<expected-output># file: /.reserved/raw/file1#LF#raw.a1="123456"#LF#</expected-output>
+            </comparator>
+        </comparators>
+    </test>
     
     <test>
       <description>getfattr : Get an xattr</description>

From 7e54b1c6d9dc3a7fb07df36347130d605bd0a718 Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Wed, 30 Jul 2014 03:58:59 +0000
Subject: [PATCH 078/354] YARN-2354. DistributedShell may allocate more
 containers than client specified after AM restarts. Contributed by Li Lu

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614538 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                       |  3 +++
 .../distributedshell/ApplicationMaster.java           | 11 ++++++-----
 .../distributedshell/TestDSFailedAppMaster.java       |  6 ++++--
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index d3efd1cf7b8..ad368cc95e8 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -111,6 +111,9 @@ Release 2.6.0 - UNRELEASED
 
     YARN-1796. container-executor shouldn't require o-r permissions (atm)
 
+    YARN-2354. DistributedShell may allocate more containers than client
+    specified after AM restarts. (Li Lu via jianhe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java
index 5e1cbbcd932..9051d31089f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java
@@ -208,7 +208,8 @@ public static enum DSEntity {
 
   // App Master configuration
   // No. of containers to run shell command on
-  private int numTotalContainers = 1;
+  @VisibleForTesting
+  protected int numTotalContainers = 1;
   // Memory to request for the container on which the shell command will run
   private int containerMemory = 10;
   // VirtualCores to request for the container on which the shell command will run
@@ -594,8 +595,8 @@ public void run() throws YarnException, IOException {
 
     List<Container> previousAMRunningContainers =
         response.getContainersFromPreviousAttempts();
-    LOG.info("Received " + previousAMRunningContainers.size()
-        + " previous AM's running containers on AM registration.");
+    LOG.info(appAttemptID + " received " + previousAMRunningContainers.size()
+      + " previous attempts' running containers on AM registration.");
     numAllocatedContainers.addAndGet(previousAMRunningContainers.size());
 
     int numTotalContainersToRequest =
@@ -610,7 +611,7 @@ public void run() throws YarnException, IOException {
       ContainerRequest containerAsk = setupContainerAskForRM();
       amRMClient.addContainerRequest(containerAsk);
     }
-    numRequestedContainers.set(numTotalContainersToRequest);
+    numRequestedContainers.set(numTotalContainers);
     try {
       publishApplicationAttemptEvent(timelineClient, appAttemptID.toString(),
           DSEvent.DS_APP_ATTEMPT_END);
@@ -689,7 +690,7 @@ public void onContainersCompleted(List<ContainerStatus> completedContainers) {
       LOG.info("Got response from RM for container ask, completedCnt="
           + completedContainers.size());
       for (ContainerStatus containerStatus : completedContainers) {
-        LOG.info("Got container status for containerID="
+        LOG.info(appAttemptID + " got container status for containerID="
             + containerStatus.getContainerId() + ", state="
             + containerStatus.getState() + ", exitStatus="
             + containerStatus.getExitStatus() + ", diagnostics="
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/test/java/org/apache/hadoop/yarn/applications/distributedshell/TestDSFailedAppMaster.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/test/java/org/apache/hadoop/yarn/applications/distributedshell/TestDSFailedAppMaster.java
index db7419bc8e6..f3ab4b7538b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/test/java/org/apache/hadoop/yarn/applications/distributedshell/TestDSFailedAppMaster.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/test/java/org/apache/hadoop/yarn/applications/distributedshell/TestDSFailedAppMaster.java
@@ -36,9 +36,11 @@ public void run() throws YarnException, IOException {
     if (appAttemptID.getAttemptId() == 2) {
       // should reuse the earlier running container, so numAllocatedContainers
       // should be set to 1. And should ask no more containers, so
-      // numRequestedContainers should be set to 0.
+      // numRequestedContainers should be the same as numTotalContainers.
+      // The only container is the container requested by the AM in the first
+      // attempt.
       if (numAllocatedContainers.get() != 1
-          || numRequestedContainers.get() != 0) {
+          || numRequestedContainers.get() != numTotalContainers) {
         LOG.info("NumAllocatedContainers is " + numAllocatedContainers.get()
             + " and NumRequestedContainers is " + numAllocatedContainers.get()
             + ".Application Master failed. exiting");

From 12241908ad5b9a38068241a22d3d29e4a9184e98 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Wed, 30 Jul 2014 05:53:20 +0000
Subject: [PATCH 079/354] HDFS-6665. Add tests for XAttrs in combination with
 viewfs. Contributed by Stephen Chu.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614545 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../viewfs/TestViewFileSystemWithXAttrs.java  | 151 ++++++++++++++++++
 .../fs/viewfs/TestViewFsWithXAttrs.java       | 148 +++++++++++++++++
 3 files changed, 302 insertions(+)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/viewfs/TestViewFileSystemWithXAttrs.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/viewfs/TestViewFsWithXAttrs.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index fca7e231045..df7052425a1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -326,6 +326,9 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-6739. Add getDatanodeStorageReport to ClientProtocol. (szetszwo)
 
+    HDFS-6665. Add tests for XAttrs in combination with viewfs.
+    (Stephen Chu via wang)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/viewfs/TestViewFileSystemWithXAttrs.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/viewfs/TestViewFileSystemWithXAttrs.java
new file mode 100644
index 00000000000..227548de99d
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/viewfs/TestViewFileSystemWithXAttrs.java
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.fs.viewfs;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FileSystemTestHelper;
+import org.apache.hadoop.fs.FsConstants;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.MiniDFSNNTopology;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.IOException;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+
+/**
+ * Verify XAttrs through ViewFileSystem functionality.
+ */
+public class TestViewFileSystemWithXAttrs {
+
+  private static MiniDFSCluster cluster;
+  private static Configuration clusterConf = new Configuration();
+  private static FileSystem fHdfs;
+  private static FileSystem fHdfs2;
+  private FileSystem fsView;
+  private Configuration fsViewConf;
+  private FileSystem fsTarget, fsTarget2;
+  private Path targetTestRoot, targetTestRoot2, mountOnNn1, mountOnNn2;
+  private FileSystemTestHelper fileSystemTestHelper =
+      new FileSystemTestHelper("/tmp/TestViewFileSystemWithXAttrs");
+
+  // XAttrs
+  protected static final String name1 = "user.a1";
+  protected static final byte[] value1 = {0x31, 0x32, 0x33};
+  protected static final String name2 = "user.a2";
+  protected static final byte[] value2 = {0x37, 0x38, 0x39};
+
+  @BeforeClass
+  public static void clusterSetupAtBeginning() throws IOException {
+    cluster = new MiniDFSCluster.Builder(clusterConf)
+        .nnTopology(MiniDFSNNTopology.simpleFederatedTopology(2))
+        .numDataNodes(2)
+        .build();
+    cluster.waitClusterUp();
+
+    fHdfs = cluster.getFileSystem(0);
+    fHdfs2 = cluster.getFileSystem(1);
+  }
+
+  @AfterClass
+  public static void ClusterShutdownAtEnd() throws Exception {
+    cluster.shutdown();
+  }
+
+  @Before
+  public void setUp() throws Exception {
+    fsTarget = fHdfs;
+    fsTarget2 = fHdfs2;
+    targetTestRoot = fileSystemTestHelper.getAbsoluteTestRootPath(fsTarget);
+    targetTestRoot2 = fileSystemTestHelper.getAbsoluteTestRootPath(fsTarget2);
+
+    fsTarget.delete(targetTestRoot, true);
+    fsTarget2.delete(targetTestRoot2, true);
+    fsTarget.mkdirs(targetTestRoot);
+    fsTarget2.mkdirs(targetTestRoot2);
+
+    fsViewConf = ViewFileSystemTestSetup.createConfig();
+    setupMountPoints();
+    fsView = FileSystem.get(FsConstants.VIEWFS_URI, fsViewConf);
+  }
+
+  private void setupMountPoints() {
+    mountOnNn1 = new Path("/mountOnNn1");
+    mountOnNn2 = new Path("/mountOnNn2");
+    ConfigUtil.addLink(fsViewConf, mountOnNn1.toString(),
+        targetTestRoot.toUri());
+    ConfigUtil.addLink(fsViewConf, mountOnNn2.toString(),
+        targetTestRoot2.toUri());
+  }
+
+  @After
+  public void tearDown() throws Exception {
+    fsTarget.delete(fileSystemTestHelper.getTestRootPath(fsTarget), true);
+    fsTarget2.delete(fileSystemTestHelper.getTestRootPath(fsTarget2), true);
+  }
+
+  /**
+   * Verify a ViewFileSystem wrapped over multiple federated NameNodes will
+   * dispatch the XAttr operations to the correct NameNode.
+   */
+  @Test
+  public void testXAttrOnMountEntry() throws Exception {
+    // Set XAttrs on the first namespace and verify they are correct
+    fsView.setXAttr(mountOnNn1, name1, value1);
+    fsView.setXAttr(mountOnNn1, name2, value2);
+    assertEquals(2, fsView.getXAttrs(mountOnNn1).size());
+    assertArrayEquals(value1, fsView.getXAttr(mountOnNn1, name1));
+    assertArrayEquals(value2, fsView.getXAttr(mountOnNn1, name2));
+    // Double-check by getting the XAttrs using FileSystem
+    // instead of ViewFileSystem
+    assertArrayEquals(value1, fHdfs.getXAttr(targetTestRoot, name1));
+    assertArrayEquals(value2, fHdfs.getXAttr(targetTestRoot, name2));
+
+    // Paranoid check: verify the other namespace does not
+    // have XAttrs set on the same path.
+    assertEquals(0, fsView.getXAttrs(mountOnNn2).size());
+    assertEquals(0, fHdfs2.getXAttrs(targetTestRoot2).size());
+
+    // Remove the XAttr entries on the first namespace
+    fsView.removeXAttr(mountOnNn1, name1);
+    fsView.removeXAttr(mountOnNn1, name2);
+    assertEquals(0, fsView.getXAttrs(mountOnNn1).size());
+    assertEquals(0, fHdfs.getXAttrs(targetTestRoot).size());
+
+    // Now set XAttrs on the second namespace
+    fsView.setXAttr(mountOnNn2, name1, value1);
+    fsView.setXAttr(mountOnNn2, name2, value2);
+    assertEquals(2, fsView.getXAttrs(mountOnNn2).size());
+    assertArrayEquals(value1, fsView.getXAttr(mountOnNn2, name1));
+    assertArrayEquals(value2, fsView.getXAttr(mountOnNn2, name2));
+    assertArrayEquals(value1, fHdfs2.getXAttr(targetTestRoot2, name1));
+    assertArrayEquals(value2, fHdfs2.getXAttr(targetTestRoot2, name2));
+
+    fsView.removeXAttr(mountOnNn2, name1);
+    fsView.removeXAttr(mountOnNn2, name2);
+    assertEquals(0, fsView.getXAttrs(mountOnNn2).size());
+    assertEquals(0, fHdfs2.getXAttrs(targetTestRoot2).size());
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/viewfs/TestViewFsWithXAttrs.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/viewfs/TestViewFsWithXAttrs.java
new file mode 100644
index 00000000000..431f851406b
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/viewfs/TestViewFsWithXAttrs.java
@@ -0,0 +1,148 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.fs.viewfs;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileContext;
+import org.apache.hadoop.fs.FileContextTestHelper;
+import org.apache.hadoop.fs.FsConstants;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.MiniDFSNNTopology;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.IOException;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+
+/**
+ * Verify XAttrs through ViewFs functionality.
+ */
+public class TestViewFsWithXAttrs {
+
+  private static MiniDFSCluster cluster;
+  private static Configuration clusterConf = new Configuration();
+  private static FileContext fc, fc2;
+  private FileContext fcView, fcTarget, fcTarget2;
+  private Configuration fsViewConf;
+  private Path targetTestRoot, targetTestRoot2, mountOnNn1, mountOnNn2;
+  private FileContextTestHelper fileContextTestHelper =
+      new FileContextTestHelper("/tmp/TestViewFsWithXAttrs");
+
+  // XAttrs
+  protected static final String name1 = "user.a1";
+  protected static final byte[] value1 = {0x31, 0x32, 0x33};
+  protected static final String name2 = "user.a2";
+  protected static final byte[] value2 = {0x37, 0x38, 0x39};
+
+  @BeforeClass
+  public static void clusterSetupAtBeginning() throws IOException {
+    cluster = new MiniDFSCluster.Builder(clusterConf)
+        .nnTopology(MiniDFSNNTopology.simpleFederatedTopology(2))
+        .numDataNodes(2)
+        .build();
+    cluster.waitClusterUp();
+
+    fc = FileContext.getFileContext(cluster.getURI(0), clusterConf);
+    fc2 = FileContext.getFileContext(cluster.getURI(1), clusterConf);
+  }
+
+  @AfterClass
+  public static void ClusterShutdownAtEnd() throws Exception {
+    cluster.shutdown();
+  }
+
+  @Before
+  public void setUp() throws Exception {
+    fcTarget = fc;
+    fcTarget2 = fc2;
+    targetTestRoot = fileContextTestHelper.getAbsoluteTestRootPath(fc);
+    targetTestRoot2 = fileContextTestHelper.getAbsoluteTestRootPath(fc2);
+
+    fcTarget.delete(targetTestRoot, true);
+    fcTarget2.delete(targetTestRoot2, true);
+    fcTarget.mkdir(targetTestRoot, new FsPermission((short) 0750), true);
+    fcTarget2.mkdir(targetTestRoot2, new FsPermission((short) 0750), true);
+
+    fsViewConf = ViewFileSystemTestSetup.createConfig();
+    setupMountPoints();
+    fcView = FileContext.getFileContext(FsConstants.VIEWFS_URI, fsViewConf);
+  }
+
+  private void setupMountPoints() {
+    mountOnNn1 = new Path("/mountOnNn1");
+    mountOnNn2 = new Path("/mountOnNn2");
+    ConfigUtil.addLink(fsViewConf, mountOnNn1.toString(), targetTestRoot.toUri());
+    ConfigUtil.addLink(fsViewConf, mountOnNn2.toString(), targetTestRoot2.toUri());
+  }
+
+  @After
+  public void tearDown() throws Exception {
+    fcTarget.delete(fileContextTestHelper.getTestRootPath(fcTarget), true);
+    fcTarget2.delete(fileContextTestHelper.getTestRootPath(fcTarget2), true);
+  }
+
+  /**
+   * Verify a ViewFs wrapped over multiple federated NameNodes will
+   * dispatch the XAttr operations to the correct NameNode.
+   */
+  @Test
+  public void testXAttrOnMountEntry() throws Exception {
+    // Set XAttrs on the first namespace and verify they are correct
+    fcView.setXAttr(mountOnNn1, name1, value1);
+    fcView.setXAttr(mountOnNn1, name2, value2);
+    assertEquals(2, fcView.getXAttrs(mountOnNn1).size());
+    assertArrayEquals(value1, fcView.getXAttr(mountOnNn1, name1));
+    assertArrayEquals(value2, fcView.getXAttr(mountOnNn1, name2));
+    // Double-check by getting the XAttrs using FileSystem
+    // instead of ViewFs
+    assertArrayEquals(value1, fc.getXAttr(targetTestRoot, name1));
+    assertArrayEquals(value2, fc.getXAttr(targetTestRoot, name2));
+
+    // Paranoid check: verify the other namespace does not
+    // have XAttrs set on the same path.
+    assertEquals(0, fcView.getXAttrs(mountOnNn2).size());
+    assertEquals(0, fc2.getXAttrs(targetTestRoot2).size());
+
+    // Remove the XAttr entries on the first namespace
+    fcView.removeXAttr(mountOnNn1, name1);
+    fcView.removeXAttr(mountOnNn1, name2);
+    assertEquals(0, fcView.getXAttrs(mountOnNn1).size());
+    assertEquals(0, fc.getXAttrs(targetTestRoot).size());
+
+    // Now set XAttrs on the second namespace
+    fcView.setXAttr(mountOnNn2, name1, value1);
+    fcView.setXAttr(mountOnNn2, name2, value2);
+    assertEquals(2, fcView.getXAttrs(mountOnNn2).size());
+    assertArrayEquals(value1, fcView.getXAttr(mountOnNn2, name1));
+    assertArrayEquals(value2, fcView.getXAttr(mountOnNn2, name2));
+    assertArrayEquals(value1, fc2.getXAttr(targetTestRoot2, name1));
+    assertArrayEquals(value2, fc2.getXAttr(targetTestRoot2, name2));
+
+    fcView.removeXAttr(mountOnNn2, name1);
+    fcView.removeXAttr(mountOnNn2, name2);
+    assertEquals(0, fcView.getXAttrs(mountOnNn2).size());
+    assertEquals(0, fc2.getXAttrs(targetTestRoot2).size());
+  }
+}

From 09e7ff05df5abf43bafe40ff24c3a39a5df80070 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Wed, 30 Jul 2014 05:57:55 +0000
Subject: [PATCH 080/354] HDFS-6778. The extended attributes javadoc should
 simply refer to the user docs. Contributed by Charles Lamb.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614547 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/hadoop/fs/AbstractFileSystem.java  | 90 +++---------------
 .../org/apache/hadoop/fs/FileContext.java     | 91 +++---------------
 .../java/org/apache/hadoop/fs/FileSystem.java | 92 +++----------------
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../hadoop/hdfs/protocol/ClientProtocol.java  | 52 ++++-------
 5 files changed, 64 insertions(+), 264 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java
index b82ea7ffe43..5b456b1eff7 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java
@@ -1040,21 +1040,10 @@ public AclStatus getAclStatus(Path path) throws IOException {
 
   /**
    * Set an xattr of a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * A regular user can only set an xattr for the "user" namespace.
-   * The super user can set an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * The access permissions of an xattr in the "user" namespace are
-   * defined by the file and directory permission bits.
-   * An xattr can only be set when the logged-in user has the correct permissions.
-   * If the xattr exists, it will be replaced.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to modify
    * @param name xattr name.
@@ -1069,21 +1058,10 @@ public void setXAttr(Path path, String name, byte[] value)
 
   /**
    * Set an xattr of a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * A regular user can only set an xattr for the "user" namespace.
-   * The super user can set an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * The access permissions of an xattr in the "user" namespace are
-   * defined by the file and directory permission bits.
-   * An xattr can only be set when the logged-in user has the correct permissions.
-   * If the xattr exists, it will be replaced.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to modify
    * @param name xattr name.
@@ -1099,18 +1077,10 @@ public void setXAttr(Path path, String name, byte[] value,
 
   /**
    * Get an xattr for a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * A regular user can only get an xattr for the "user" namespace.
-   * The super user can get an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * An xattr will only be returned when the logged-in user has the correct permissions.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attribute
    * @param name xattr name.
@@ -1127,13 +1097,7 @@ public byte[] getXAttr(Path path, String name) throws IOException {
    * Only those xattrs for which the logged-in user has permissions to view
    * are returned.
    * <p/>
-   * A regular user can only get xattrs for the "user" namespace.
-   * The super user can only get xattrs for "user" and "trusted" namespaces.
-   * The xattr of "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attributes
    * @return Map<String, byte[]> describing the XAttrs of the file or directory
@@ -1149,13 +1113,7 @@ public Map<String, byte[]> getXAttrs(Path path) throws IOException {
    * Only those xattrs for which the logged-in user has permissions to view
    * are returned.
    * <p/>
-   * A regular user can only get xattrs for the "user" namespace.
-   * The super user can only get xattrs for "user" and "trusted" namespaces.
-   * The xattr of "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attributes
    * @param names XAttr names.
@@ -1173,14 +1131,7 @@ public Map<String, byte[]> getXAttrs(Path path, List<String> names)
    * Only the xattr names for which the logged-in user has permissions to view
    * are returned.
    * <p/>
-   * A regular user can only get xattr names for the "user" namespace.
-   * The super user can only get xattr names for the "user" and "trusted"
-   * namespaces.
-   * The xattr names in the "security" and "system" namespaces are only
-   * used/exposed internally by/to the FS impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attributes
    * @return Map<String, byte[]> describing the XAttrs of the file or directory
@@ -1194,21 +1145,10 @@ public List<String> listXAttrs(Path path)
 
   /**
    * Remove an xattr of a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * A regular user can only remove an xattr for the "user" namespace.
-   * The super user can remove an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * The access permissions of an xattr in the "user" namespace are
-   * defined by the file and directory permission bits.
-   * An xattr can only be set when the logged-in user has the correct permissions.
-   * If the xattr exists, it will be replaced.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to remove extended attribute
    * @param name xattr name
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java
index 2bfcbdccebd..808709859a9 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java
@@ -2297,21 +2297,10 @@ public AclStatus next(final AbstractFileSystem fs, final Path p)
 
   /**
    * Set an xattr of a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * A regular user can only set an xattr for the "user" namespace.
-   * The super user can set an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * The access permissions of an xattr in the "user" namespace are
-   * defined by the file and directory permission bits.
-   * An xattr can only be set when the logged-in user has the correct permissions.
-   * If the xattr exists, it will be replaced.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to modify
    * @param name xattr name.
@@ -2326,21 +2315,10 @@ public void setXAttr(Path path, String name, byte[] value)
 
   /**
    * Set an xattr of a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * A regular user can only set an xattr for the "user" namespace.
-   * The super user can set an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * The access permissions of an xattr in the "user" namespace are
-   * defined by the file and directory permission bits.
-   * An xattr can only be set when the logged-in user has the correct permissions.
-   * If the xattr exists, it will be replaced.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to modify
    * @param name xattr name.
@@ -2363,19 +2341,10 @@ public Void next(final AbstractFileSystem fs, final Path p)
 
   /**
    * Get an xattr for a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * 
-   * A regular user can only get an xattr for the "user" namespace.
-   * The super user can get an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * An xattr will only be returned when the logged-in user has the correct permissions.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attribute
    * @param name xattr name.
@@ -2398,13 +2367,7 @@ public byte[] next(final AbstractFileSystem fs, final Path p)
    * Only those xattrs for which the logged-in user has permissions to view
    * are returned.
    * <p/>
-   * A regular user can only get xattrs for the "user" namespace.
-   * The super user can only get xattrs for "user" and "trusted" namespaces.
-   * The xattr of "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attributes
    * @return Map<String, byte[]> describing the XAttrs of the file or directory
@@ -2426,13 +2389,7 @@ public Map<String, byte[]> next(final AbstractFileSystem fs, final Path p)
    * Only those xattrs for which the logged-in user has permissions to view
    * are returned.
    * <p/>
-   * A regular user can only get xattrs for the "user" namespace.
-   * The super user can only get xattrs for "user" and "trusted" namespaces.
-   * The xattr of "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attributes
    * @param names XAttr names.
@@ -2453,21 +2410,10 @@ public Map<String, byte[]> next(final AbstractFileSystem fs, final Path p)
 
   /**
    * Remove an xattr of a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * A regular user can only remove an xattr for the "user" namespace.
-   * The super user can remove an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * The access permissions of an xattr in the "user" namespace are
-   * defined by the file and directory permission bits.
-   * An xattr can only be set when the logged-in user has the correct permissions.
-   * If the xattr exists, it will be replaced.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to remove extended attribute
    * @param name xattr name
@@ -2490,14 +2436,7 @@ public Void next(final AbstractFileSystem fs, final Path p)
    * Only those xattr names which the logged-in user has permissions to view
    * are returned.
    * <p/>
-   * A regular user can only get xattr names for the "user" namespace.
-   * The super user can only get xattr names for "user" and "trusted"
-   * namespaces.
-   * The xattrs of the "security" and "system" namespaces are only
-   * used/exposed internally by/to the FS impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attributes
    * @return List<String> of the XAttr names of the file or directory
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java
index cb921c88424..1eb54d16a9b 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java
@@ -2364,21 +2364,10 @@ public AclStatus getAclStatus(Path path) throws IOException {
 
   /**
    * Set an xattr of a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * A regular user can only set an xattr for the "user" namespace.
-   * The super user can set an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * The access permissions of an xattr in the "user" namespace are
-   * defined by the file and directory permission bits.
-   * An xattr can only be set when the logged-in user has the correct permissions.
-   * If the xattr exists, it will be replaced.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to modify
    * @param name xattr name.
@@ -2393,21 +2382,10 @@ public void setXAttr(Path path, String name, byte[] value)
 
   /**
    * Set an xattr of a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * A regular user can only set an xattr for the "user" namespace.
-   * The super user can set an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * The access permissions of an xattr in the "user" namespace are
-   * defined by the file and directory permission bits.
-   * An xattr can only be set if the logged-in user has the correct permissions.
-   * If the xattr exists, it is replaced.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to modify
    * @param name xattr name.
@@ -2423,20 +2401,10 @@ public void setXAttr(Path path, String name, byte[] value,
 
   /**
    * Get an xattr name and value for a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * 
-   * A regular user can only get an xattr for the "user" namespace.
-   * The super user can get an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * An xattr will only be returned if the logged-in user has the
-   * correct permissions.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attribute
    * @param name xattr name.
@@ -2453,13 +2421,7 @@ public byte[] getXAttr(Path path, String name) throws IOException {
    * Only those xattrs which the logged-in user has permissions to view
    * are returned.
    * <p/>
-   * A regular user can only get xattrs for the "user" namespace.
-   * The super user can only get xattrs for "user" and "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed
-   * internally by/to the FS impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attributes
    * @return Map<String, byte[]> describing the XAttrs of the file or directory
@@ -2475,13 +2437,7 @@ public Map<String, byte[]> getXAttrs(Path path) throws IOException {
    * Only those xattrs which the logged-in user has permissions to view
    * are returned.
    * <p/>
-   * A regular user can only get xattrs for the "user" namespace.
-   * The super user can only get xattrs for "user" and "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed
-   * internally by/to the FS impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attributes
    * @param names XAttr names.
@@ -2499,14 +2455,7 @@ public Map<String, byte[]> getXAttrs(Path path, List<String> names)
    * Only those xattr names which the logged-in user has permissions to view
    * are returned.
    * <p/>
-   * A regular user can only get xattr names for the "user" namespace.
-   * The super user can only get xattr names for "user" and "trusted"
-   * namespaces.
-   * The xattrs of the "security" and "system" namespaces are only
-   * used/exposed internally by/to the FS impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to get extended attributes
    * @return List<String> of the XAttr names of the file or directory
@@ -2519,21 +2468,10 @@ public List<String> listXAttrs(Path path) throws IOException {
 
   /**
    * Remove an xattr of a file or directory.
-   * The name must be prefixed with user/trusted/security/system and
-   * followed by ".". For example, "user.attr".
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * A regular user can only remove an xattr for the "user" namespace.
-   * The super user can remove an xattr of either the "user" or "trusted" namespaces.
-   * The xattrs of the "security" and "system" namespaces are only used/exposed 
-   * internally by/to the FS impl.
-   * <p/>
-   * The access permissions of an xattr in the "user" namespace are
-   * defined by the file and directory permission bits.
-   * An xattr can only be set when the logged-in user has the correct permissions.
-   * If the xattr exists, it will be replaced.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
    *
    * @param path Path to remove extended attribute
    * @param name xattr name
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index df7052425a1..d9751c87598 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -329,6 +329,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6665. Add tests for XAttrs in combination with viewfs.
     (Stephen Chu via wang)
 
+    HDFS-6778. The extended attributes javadoc should simply refer to the
+    user docs. (clamb via wang)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index a2a52fef389..74eca82fbe0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -1267,17 +1267,11 @@ public void removeAclEntries(String src, List<AclEntry> aclSpec)
   
   /**
    * Set xattr of a file or directory.
-   * A regular user only can set xattr of "user" namespace.
-   * A super user can set xattr of "user" and "trusted" namespace.
-   * XAttr of "security" and "system" namespace is only used/exposed 
-   * internally to the FS impl.
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * For xattr of "user" namespace, its access permissions are 
-   * defined by the file or directory permission bits.
-   * XAttr will be set only when login user has correct permissions.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
+   *
    * @param src file or directory
    * @param xAttr <code>XAttr</code> to set
    * @param flag set flag
@@ -1288,18 +1282,13 @@ public void setXAttr(String src, XAttr xAttr, EnumSet<XAttrSetFlag> flag)
       throws IOException;
   
   /**
-   * Get xattrs of file or directory. Values in xAttrs parameter are ignored.
-   * If xattrs is null or empty, equals getting all xattrs of the file or 
-   * directory.
-   * Only xattrs which login user has correct permissions will be returned. 
+   * Get xattrs of a file or directory. Values in xAttrs parameter are ignored.
+   * If xAttrs is null or empty, this is the same as getting all xattrs of the
+   * file or directory.  Only those xattrs for which the logged-in user has
+   * permissions to view are returned.
    * <p/>
-   * A regular user only can get xattr of "user" namespace.
-   * A super user can get xattr of "user" and "trusted" namespace.
-   * XAttr of "security" and "system" namespace is only used/exposed 
-   * internally to the FS impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
+   *
    * @param src file or directory
    * @param xAttrs xAttrs to get
    * @return List<XAttr> <code>XAttr</code> list 
@@ -1314,13 +1303,8 @@ public List<XAttr> getXAttrs(String src, List<XAttr> xAttrs)
    * Only the xattr names for which the logged in user has the permissions to
    * access will be returned.
    * <p/>
-   * A regular user only can get xattr names from the "user" namespace.
-   * A super user can get xattr names of the "user" and "trusted" namespace.
-   * XAttr names of the "security" and "system" namespaces are only used/exposed
-   * internally by the file system impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
+   *
    * @param src file or directory
    * @param xAttrs xAttrs to get
    * @return List<XAttr> <code>XAttr</code> list
@@ -1332,15 +1316,11 @@ public List<XAttr> listXAttrs(String src)
   
   /**
    * Remove xattr of a file or directory.Value in xAttr parameter is ignored.
-   * Name must be prefixed with user/trusted/security/system.
+   * The name must be prefixed with the namespace followed by ".". For example,
+   * "user.attr".
    * <p/>
-   * A regular user only can remove xattr of "user" namespace.
-   * A super user can remove xattr of "user" and "trusted" namespace.
-   * XAttr of "security" and "system" namespace is only used/exposed 
-   * internally to the FS impl.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
+   * Refer to the HDFS extended attributes user documentation for details.
+   *
    * @param src file or directory
    * @param xAttr <code>XAttr</code> to remove
    * @throws IOException

From f6436c0720a56da29d582ebec855854ccd6e7c28 Mon Sep 17 00:00:00 2001
From: Steve Loughran <stevel@apache.org>
Date: Wed, 30 Jul 2014 14:05:59 +0000
Subject: [PATCH 081/354] HDFS-4629. Using
 com.sun.org.apache.xml.internal.serialize.* in XmlEditsVisitor.java is JVM
 vendor specific. Breaks IBM JAVA.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614663 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                 | 4 ++++
 hadoop-hdfs-project/hadoop-hdfs/pom.xml                     | 5 +++++
 .../hdfs/tools/offlineEditsViewer/XmlEditsVisitor.java      | 4 ++--
 hadoop-project/pom.xml                                      | 6 ++++++
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index d9751c87598..f750178561a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -394,6 +394,10 @@ Release 2.6.0 - UNRELEASED
     HDFS-6749. FSNamesystem methods should call resolvePath.
     (Charles Lamb via cnauroth)
 
+    HDFS-4629. Using com.sun.org.apache.xml.internal.serialize.* in
+    XmlEditsVisitor.java is JVM vendor specific. Breaks IBM JAVA.
+    (Amir Sanjar via stevel)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/pom.xml b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
index 846c46fb3d0..2d48918d6ae 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/pom.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
@@ -176,6 +176,11 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
       <artifactId>netty</artifactId>
       <scope>compile</scope>
     </dependency>
+    <dependency>
+      <groupId>xerces</groupId>
+      <artifactId>xercesImpl</artifactId>
+      <scope>compile</scope>
+    </dependency>
   </dependencies>
 
   <build>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/XmlEditsVisitor.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/XmlEditsVisitor.java
index b4fa791e741..7a39ba6072b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/XmlEditsVisitor.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/XmlEditsVisitor.java
@@ -29,8 +29,8 @@
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.AttributesImpl;
 
-import com.sun.org.apache.xml.internal.serialize.OutputFormat;
-import com.sun.org.apache.xml.internal.serialize.XMLSerializer;
+import org.apache.xml.serialize.OutputFormat;
+import org.apache.xml.serialize.XMLSerializer;
 
 /**
  * An XmlEditsVisitor walks over an EditLog structure and writes out
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index 2dc83dd4f92..bbe334565ed 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -790,6 +790,12 @@
         <artifactId>microsoft-windowsazure-storage-sdk</artifactId>
         <version>0.6.0</version>
     </dependency>
+
+    <dependency>
+       <groupId>xerces</groupId>
+       <artifactId>xercesImpl</artifactId>
+       <version>2.9.1</version>
+    </dependency>
       
     </dependencies>
   </dependencyManagement>

From 9b2bfc7c28f6648bbaf7675c6e708237eb654db0 Mon Sep 17 00:00:00 2001
From: Steve Loughran <stevel@apache.org>
Date: Wed, 30 Jul 2014 14:49:06 +0000
Subject: [PATCH 082/354] HDFS-4629. Using
 com.sun.org.apache.xml.internal.serialize.* in XmlEditsVisitor.java is JVM
 vendor specific. Breaks IBM JAVA -pom indentation

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614673 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-project/pom.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index bbe334565ed..63705e94568 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -789,13 +789,13 @@
         <groupId>com.microsoft.windowsazure.storage</groupId>
         <artifactId>microsoft-windowsazure-storage-sdk</artifactId>
         <version>0.6.0</version>
-    </dependency>
+     </dependency>
 
-    <dependency>
+     <dependency>
        <groupId>xerces</groupId>
        <artifactId>xercesImpl</artifactId>
        <version>2.9.1</version>
-    </dependency>
+     </dependency>
       
     </dependencies>
   </dependencyManagement>

From 535fe14dedbf919442ec03ac573315c7a16a6dbe Mon Sep 17 00:00:00 2001
From: Chris Nauroth <cnauroth@apache.org>
Date: Wed, 30 Jul 2014 17:49:09 +0000
Subject: [PATCH 083/354] HDFS-6570. add api that enables checking if a user
 has certain permissions on a file. Contributed by Jitendra Pandey.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614723 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/hadoop/fs/AbstractFileSystem.java  | 13 ++++
 .../org/apache/hadoop/fs/FileContext.java     | 50 ++++++++++++
 .../java/org/apache/hadoop/fs/FileSystem.java | 67 ++++++++++++++++
 .../apache/hadoop/fs/FilterFileSystem.java    |  7 ++
 .../java/org/apache/hadoop/fs/FilterFs.java   |  8 ++
 .../hadoop/fs/viewfs/ChRootedFileSystem.java  |  8 ++
 .../apache/hadoop/fs/viewfs/ChRootedFs.java   |  7 ++
 .../hadoop/fs/viewfs/ViewFileSystem.java      | 10 ++-
 .../org/apache/hadoop/fs/viewfs/ViewFs.java   |  9 +++
 .../apache/hadoop/fs/TestHarFileSystem.java   |  3 +
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../main/java/org/apache/hadoop/fs/Hdfs.java  |  6 ++
 .../org/apache/hadoop/hdfs/DFSClient.java     | 12 +++
 .../hadoop/hdfs/DistributedFileSystem.java    | 20 +++++
 .../hadoop/hdfs/protocol/ClientProtocol.java  | 19 +++++
 ...amenodeProtocolServerSideTranslatorPB.java | 16 ++++
 .../ClientNamenodeProtocolTranslatorPB.java   | 13 ++++
 .../hadoop/hdfs/protocolPB/PBHelper.java      |  4 +-
 .../hdfs/server/namenode/FSNamesystem.java    | 23 ++++++
 .../server/namenode/NameNodeRpcServer.java    |  6 ++
 .../web/resources/NamenodeWebHdfsMethods.java | 23 ++++--
 .../hadoop/hdfs/web/WebHdfsFileSystem.java    |  7 ++
 .../hdfs/web/resources/FsActionParam.java     | 58 ++++++++++++++
 .../hadoop/hdfs/web/resources/GetOpParam.java |  4 +-
 .../main/proto/ClientNamenodeProtocol.proto   | 10 +++
 .../hadoop-hdfs/src/site/apt/WebHDFS.apt.vm   | 44 +++++++++++
 .../apache/hadoop/hdfs/TestDFSPermission.java | 77 +++++++++++++++++++
 .../org/apache/hadoop/hdfs/TestSafeMode.java  | 23 +++++-
 .../hdfs/server/namenode/FSAclBaseTest.java   | 28 +++++++
 .../hdfs/server/namenode/TestINodeFile.java   |  2 +
 .../snapshot/TestAclWithSnapshot.java         |  9 +++
 .../web/TestWebHdfsFileSystemContract.java    | 33 ++++++++
 .../hadoop/hdfs/web/TestWebHdfsUrl.java       | 24 ++++++
 .../security/TestPermissionSymlinks.java      | 35 +++++++++
 34 files changed, 670 insertions(+), 11 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/FsActionParam.java

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java
index 5b456b1eff7..a9a19cdc29b 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java
@@ -43,6 +43,7 @@
 import org.apache.hadoop.fs.Options.Rename;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.fs.InvalidPathException;
 import org.apache.hadoop.security.AccessControlException;
@@ -803,6 +804,18 @@ public abstract FileStatus getFileStatus(final Path f)
       throws AccessControlException, FileNotFoundException,
       UnresolvedLinkException, IOException;
 
+  /**
+   * The specification of this method matches that of
+   * {@link FileContext#access(Path, FsAction)}
+   * except that an UnresolvedLinkException may be thrown if a symlink is
+   * encountered in the path.
+   */
+  @InterfaceAudience.LimitedPrivate({"HDFS", "Hive"})
+  public void access(Path path, FsAction mode) throws AccessControlException,
+      FileNotFoundException, UnresolvedLinkException, IOException {
+    FileSystem.checkAccessPermissions(this.getFileStatus(path), mode);
+  }
+
   /**
    * The specification of this method matches that of
    * {@link FileContext#getFileLinkStatus(Path)}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java
index 808709859a9..c9c8fa8ffdd 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java
@@ -44,6 +44,7 @@
 import org.apache.hadoop.fs.Options.CreateOpts;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.FS_DEFAULT_NAME_DEFAULT;
@@ -1108,6 +1109,55 @@ public FileStatus next(final AbstractFileSystem fs, final Path p)
     }.resolve(this, absF);
   }
 
+  /**
+   * Checks if the user can access a path.  The mode specifies which access
+   * checks to perform.  If the requested permissions are granted, then the
+   * method returns normally.  If access is denied, then the method throws an
+   * {@link AccessControlException}.
+   * <p/>
+   * The default implementation of this method calls {@link #getFileStatus(Path)}
+   * and checks the returned permissions against the requested permissions.
+   * Note that the getFileStatus call will be subject to authorization checks.
+   * Typically, this requires search (execute) permissions on each directory in
+   * the path's prefix, but this is implementation-defined.  Any file system
+   * that provides a richer authorization model (such as ACLs) may override the
+   * default implementation so that it checks against that model instead.
+   * <p>
+   * In general, applications should avoid using this method, due to the risk of
+   * time-of-check/time-of-use race conditions.  The permissions on a file may
+   * change immediately after the access call returns.  Most applications should
+   * prefer running specific file system actions as the desired user represented
+   * by a {@link UserGroupInformation}.
+   *
+   * @param path Path to check
+   * @param mode type of access to check
+   * @throws AccessControlException if access is denied
+   * @throws FileNotFoundException if the path does not exist
+   * @throws UnsupportedFileSystemException if file system for <code>path</code>
+   *   is not supported
+   * @throws IOException see specific implementation
+   * 
+   * Exceptions applicable to file systems accessed over RPC:
+   * @throws RpcClientException If an exception occurred in the RPC client
+   * @throws RpcServerException If an exception occurred in the RPC server
+   * @throws UnexpectedServerException If server implementation throws 
+   *           undeclared exception to RPC server
+   */
+  @InterfaceAudience.LimitedPrivate({"HDFS", "Hive"})
+  public void access(final Path path, final FsAction mode)
+      throws AccessControlException, FileNotFoundException,
+      UnsupportedFileSystemException, IOException {
+    final Path absPath = fixRelativePart(path);
+    new FSLinkResolver<Void>() {
+      @Override
+      public Void next(AbstractFileSystem fs, Path p) throws IOException,
+          UnresolvedLinkException {
+        fs.access(p, mode);
+        return null;
+      }
+    }.resolve(this, absPath);
+  }
+
   /**
    * Return a file status object that represents the path. If the path 
    * refers to a symlink then the FileStatus of the symlink is returned.
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java
index 1eb54d16a9b..1d2270b37ed 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java
@@ -25,6 +25,7 @@
 import java.net.URISyntaxException;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -50,6 +51,7 @@
 import org.apache.hadoop.fs.Options.Rename;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.io.MultipleIOException;
 import org.apache.hadoop.io.Text;
@@ -2072,6 +2074,71 @@ public short getDefaultReplication(Path path) {
    */
   public abstract FileStatus getFileStatus(Path f) throws IOException;
 
+  /**
+   * Checks if the user can access a path.  The mode specifies which access
+   * checks to perform.  If the requested permissions are granted, then the
+   * method returns normally.  If access is denied, then the method throws an
+   * {@link AccessControlException}.
+   * <p/>
+   * The default implementation of this method calls {@link #getFileStatus(Path)}
+   * and checks the returned permissions against the requested permissions.
+   * Note that the getFileStatus call will be subject to authorization checks.
+   * Typically, this requires search (execute) permissions on each directory in
+   * the path's prefix, but this is implementation-defined.  Any file system
+   * that provides a richer authorization model (such as ACLs) may override the
+   * default implementation so that it checks against that model instead.
+   * <p>
+   * In general, applications should avoid using this method, due to the risk of
+   * time-of-check/time-of-use race conditions.  The permissions on a file may
+   * change immediately after the access call returns.  Most applications should
+   * prefer running specific file system actions as the desired user represented
+   * by a {@link UserGroupInformation}.
+   *
+   * @param path Path to check
+   * @param mode type of access to check
+   * @throws AccessControlException if access is denied
+   * @throws FileNotFoundException if the path does not exist
+   * @throws IOException see specific implementation
+   */
+  @InterfaceAudience.LimitedPrivate({"HDFS", "Hive"})
+  public void access(Path path, FsAction mode) throws AccessControlException,
+      FileNotFoundException, IOException {
+    checkAccessPermissions(this.getFileStatus(path), mode);
+  }
+
+  /**
+   * This method provides the default implementation of
+   * {@link #access(Path, FsAction)}.
+   *
+   * @param stat FileStatus to check
+   * @param mode type of access to check
+   * @throws IOException for any error
+   */
+  @InterfaceAudience.Private
+  static void checkAccessPermissions(FileStatus stat, FsAction mode)
+      throws IOException {
+    FsPermission perm = stat.getPermission();
+    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+    String user = ugi.getShortUserName();
+    List<String> groups = Arrays.asList(ugi.getGroupNames());
+    if (user.equals(stat.getOwner())) {
+      if (perm.getUserAction().implies(mode)) {
+        return;
+      }
+    } else if (groups.contains(stat.getGroup())) {
+      if (perm.getGroupAction().implies(mode)) {
+        return;
+      }
+    } else {
+      if (perm.getOtherAction().implies(mode)) {
+        return;
+      }
+    }
+    throw new AccessControlException(String.format(
+      "Permission denied: user=%s, path=\"%s\":%s:%s:%s%s", user, stat.getPath(),
+      stat.getOwner(), stat.getGroup(), stat.isDirectory() ? "d" : "-", perm));
+  }
+
   /**
    * See {@link FileContext#fixRelativePart}
    */
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFileSystem.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFileSystem.java
index 139e1430f8b..52706f4049a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFileSystem.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFileSystem.java
@@ -30,6 +30,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.fs.Options.ChecksumOpt;
 import org.apache.hadoop.security.AccessControlException;
@@ -397,6 +398,12 @@ public FileStatus getFileStatus(Path f) throws IOException {
     return fs.getFileStatus(f);
   }
 
+  @Override
+  public void access(Path path, FsAction mode) throws AccessControlException,
+      FileNotFoundException, IOException {
+    fs.access(path, mode);
+  }
+
   public void createSymlink(final Path target, final Path link,
       final boolean createParent) throws AccessControlException,
       FileAlreadyExistsException, FileNotFoundException,
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFs.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFs.java
index 6ffe9214b37..b6e1d96e038 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFs.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFs.java
@@ -29,6 +29,7 @@
 import org.apache.hadoop.fs.FileSystem.Statistics;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.fs.Options.ChecksumOpt;
 import org.apache.hadoop.security.AccessControlException;
@@ -119,6 +120,13 @@ public FileStatus getFileStatus(Path f)
     return myFs.getFileStatus(f);
   }
 
+  @Override
+  public void access(Path path, FsAction mode) throws AccessControlException,
+      FileNotFoundException, UnresolvedLinkException, IOException {
+    checkPath(path);
+    myFs.access(path, mode);
+  }
+
   @Override
   public FileStatus getFileLinkStatus(final Path f) 
     throws IOException, UnresolvedLinkException {
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFileSystem.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFileSystem.java
index 4480da20f39..9650a374d18 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFileSystem.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFileSystem.java
@@ -41,7 +41,9 @@
 import org.apache.hadoop.fs.XAttrSetFlag;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.util.Progressable;
 
 /**
@@ -222,6 +224,12 @@ public FileStatus getFileStatus(final Path f)
     return super.getFileStatus(fullPath(f));
   }
 
+  @Override
+  public void access(Path path, FsAction mode) throws AccessControlException,
+      FileNotFoundException, IOException {
+    super.access(fullPath(path), mode);
+  }
+
   @Override
   public FsStatus getStatus(Path p) throws IOException {
     return super.getStatus(fullPath(p));
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFs.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFs.java
index 5d53eb79d0a..9569e1089bb 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFs.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFs.java
@@ -41,7 +41,9 @@
 import org.apache.hadoop.fs.XAttrSetFlag;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.util.Progressable;
 
@@ -200,6 +202,11 @@ public FileStatus getFileStatus(final Path f)
     return myFs.getFileStatus(fullPath(f));
   }
 
+  public void access(Path path, FsAction mode) throws AccessControlException,
+      FileNotFoundException, UnresolvedLinkException, IOException {
+    myFs.access(fullPath(path), mode);
+  }
+
   @Override
   public FileStatus getFileLinkStatus(final Path f) 
     throws IOException, UnresolvedLinkException {
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFileSystem.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFileSystem.java
index b4ac18eb1af..963289f4373 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFileSystem.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFileSystem.java
@@ -51,6 +51,7 @@
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.AclUtil;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.fs.viewfs.InodeTree.INode;
 import org.apache.hadoop.fs.viewfs.InodeTree.INodeLink;
@@ -359,7 +360,14 @@ public FileStatus getFileStatus(final Path f) throws AccessControlException,
     return new ViewFsFileStatus(status, this.makeQualified(f));
   }
   
-  
+  @Override
+  public void access(Path path, FsAction mode) throws AccessControlException,
+      FileNotFoundException, IOException {
+    InodeTree.ResolveResult<FileSystem> res =
+      fsState.resolve(getUriPath(path), true);
+    res.targetFileSystem.access(res.remainingPath, mode);
+  }
+
   @Override
   public FileStatus[] listStatus(final Path f) throws AccessControlException,
       FileNotFoundException, IOException {
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFs.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFs.java
index 5cdccd29975..014f4881275 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFs.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFs.java
@@ -54,6 +54,7 @@
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclUtil;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.fs.viewfs.InodeTree.INode;
 import org.apache.hadoop.fs.viewfs.InodeTree.INodeLink;
@@ -352,6 +353,14 @@ public FileStatus getFileStatus(final Path f) throws AccessControlException,
     return new ViewFsFileStatus(status, this.makeQualified(f));
   }
 
+  @Override
+  public void access(Path path, FsAction mode) throws AccessControlException,
+      FileNotFoundException, UnresolvedLinkException, IOException {
+    InodeTree.ResolveResult<AbstractFileSystem> res =
+      fsState.resolve(getUriPath(path), true);
+    res.targetFileSystem.access(res.remainingPath, mode);
+  }
+
   @Override
   public FileStatus getFileLinkStatus(final Path f)
      throws AccessControlException, FileNotFoundException,
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestHarFileSystem.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestHarFileSystem.java
index 24e712c051c..1e86439785b 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestHarFileSystem.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestHarFileSystem.java
@@ -23,6 +23,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.token.Token;
@@ -201,6 +202,8 @@ public Map<String, byte[]> getXAttrs(Path path, List<String> names)
     public void removeXAttr(Path path, String name) throws IOException;
 
     public AclStatus getAclStatus(Path path) throws IOException;
+
+    public void access(Path path, FsAction mode) throws IOException;
   }
 
   @Test
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index f750178561a..1e33c194b54 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -332,6 +332,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6778. The extended attributes javadoc should simply refer to the
     user docs. (clamb via wang)
 
+    HDFS-6570. add api that enables checking if a user has certain permissions on
+    a file. (Jitendra Pandey via cnauroth)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java
index 6e4b66f71e6..a0e75f81d3b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java
@@ -33,6 +33,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.fs.Options.ChecksumOpt;
 import org.apache.hadoop.hdfs.CorruptFileBlockIterator;
@@ -448,6 +449,11 @@ public void removeXAttr(Path path, String name) throws IOException {
     dfs.removeXAttr(getUriPath(path), name);
   }
 
+  @Override
+  public void access(Path path, final FsAction mode) throws IOException {
+    dfs.checkAccess(getUriPath(path), mode);
+  }
+
   /**
    * Renew an existing delegation token.
    * 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index 45a9011a568..b9af35ea255 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -122,6 +122,7 @@
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.hdfs.client.HdfsDataInputStream;
 import org.apache.hadoop.hdfs.client.HdfsDataOutputStream;
 import org.apache.hadoop.hdfs.net.Peer;
@@ -2832,6 +2833,17 @@ public void removeXAttr(String src, String name) throws IOException {
     }
   }
 
+  public void checkAccess(String src, FsAction mode) throws IOException {
+    checkOpen();
+    try {
+      namenode.checkAccess(src, mode);
+    } catch (RemoteException re) {
+      throw re.unwrapRemoteException(AccessControlException.class,
+          FileNotFoundException.class,
+          UnresolvedPathException.class);
+    }
+  }
+
   @Override // RemotePeerFactory
   public Peer newConnectedPeer(InetSocketAddress addr,
       Token<BlockTokenIdentifier> blockToken, DatanodeID datanodeId)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
index 5ae39d69747..e20c61f5185 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
@@ -59,6 +59,7 @@
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.hdfs.client.HdfsAdmin;
 import org.apache.hadoop.hdfs.client.HdfsDataInputStream;
 import org.apache.hadoop.hdfs.client.HdfsDataOutputStream;
@@ -1898,4 +1899,23 @@ public Void next(final FileSystem fs, final Path p) throws IOException {
       }
     }.resolve(this, absF);
   }
+
+  @Override
+  public void access(Path path, final FsAction mode) throws IOException {
+    final Path absF = fixRelativePart(path);
+    new FileSystemLinkResolver<Void>() {
+      @Override
+      public Void doCall(final Path p) throws IOException {
+        dfs.checkAccess(getPathName(p), mode);
+        return null;
+      }
+
+      @Override
+      public Void next(final FileSystem fs, final Path p)
+          throws IOException {
+        fs.access(p, mode);
+        return null;
+      }
+    }.resolve(this, absF);
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index 74eca82fbe0..8dbe1f7609f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -39,6 +39,7 @@
 import org.apache.hadoop.fs.XAttrSetFlag;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.RollingUpgradeAction;
@@ -1327,4 +1328,22 @@ public List<XAttr> listXAttrs(String src)
    */
   @AtMostOnce
   public void removeXAttr(String src, XAttr xAttr) throws IOException;
+
+  /**
+   * Checks if the user can access a path.  The mode specifies which access
+   * checks to perform.  If the requested permissions are granted, then the
+   * method returns normally.  If access is denied, then the method throws an
+   * {@link AccessControlException}.
+   * In general, applications should avoid using this method, due to the risk of
+   * time-of-check/time-of-use race conditions.  The permissions on a file may
+   * change immediately after the access call returns.
+   *
+   * @param path Path to check
+   * @param mode type of access to check
+   * @throws AccessControlException if access is denied
+   * @throws FileNotFoundException if the path does not exist
+   * @throws IOException see specific implementation
+   */
+  @Idempotent
+  public void checkAccess(String path, FsAction mode) throws IOException;
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
index df0d1b0006c..c4211b1d795 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
@@ -174,6 +174,8 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdateBlockForPipelineResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdatePipelineRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdatePipelineResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.CheckAccessRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.CheckAccessResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeIDProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeInfoProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.LocatedBlockProto;
@@ -320,6 +322,9 @@ public class ClientNamenodeProtocolServerSideTranslatorPB implements
   private static final RemoveXAttrResponseProto
     VOID_REMOVEXATTR_RESPONSE = RemoveXAttrResponseProto.getDefaultInstance();
 
+  private static final CheckAccessResponseProto
+    VOID_CHECKACCESS_RESPONSE = CheckAccessResponseProto.getDefaultInstance();
+
   /**
    * Constructor
    * 
@@ -1338,4 +1343,15 @@ public RemoveXAttrResponseProto removeXAttr(RpcController controller,
     }
     return VOID_REMOVEXATTR_RESPONSE;
   }
+
+  @Override
+  public CheckAccessResponseProto checkAccess(RpcController controller,
+     CheckAccessRequestProto req) throws ServiceException {
+    try {
+      server.checkAccess(req.getPath(), PBHelper.convert(req.getMode()));
+    } catch (IOException e) {
+      throw new ServiceException(e);
+    }
+    return VOID_CHECKACCESS_RESPONSE;
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
index 0f8eba970ca..85dbb7d7184 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
@@ -39,6 +39,7 @@
 import org.apache.hadoop.fs.XAttrSetFlag;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.protocol.AlreadyBeingCreatedException;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveEntry;
@@ -144,6 +145,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.SetTimesRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdateBlockForPipelineRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdatePipelineRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.CheckAccessRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.GetXAttrsRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.ListXAttrsRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.RemoveXAttrRequestProto;
@@ -1346,4 +1348,15 @@ public void removeXAttr(String src, XAttr xAttr) throws IOException {
       throw ProtobufHelper.getRemoteException(e);
     }
   }
+
+  @Override
+  public void checkAccess(String path, FsAction mode) throws IOException {
+    CheckAccessRequestProto req = CheckAccessRequestProto.newBuilder()
+        .setPath(path).setMode(PBHelper.convert(mode)).build();
+    try {
+      rpcProxy.checkAccess(null, req);
+    } catch (ServiceException e) {
+      throw ProtobufHelper.getRemoteException(e);
+    }
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index 5706aab062f..9ca93a5ae29 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -2107,11 +2107,11 @@ private static XAttr.NameSpace convert(XAttrNamespaceProto v) {
     return castEnum(v, XATTR_NAMESPACE_VALUES);
   }
 
-  private static FsActionProto convert(FsAction v) {
+  public static FsActionProto convert(FsAction v) {
     return FsActionProto.valueOf(v != null ? v.ordinal() : 0);
   }
 
-  private static FsAction convert(FsActionProto v) {
+  public static FsAction convert(FsActionProto v) {
     return castEnum(v, FSACTION_VALUES);
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index f12c4e2cfe1..37f8c4b23d0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -8458,6 +8458,29 @@ private void checkXAttrChangeAccess(String src, XAttr xAttr,
     }
   }
 
+  void checkAccess(String src, FsAction mode) throws AccessControlException,
+      FileNotFoundException, UnresolvedLinkException, IOException {
+    checkOperation(OperationCategory.READ);
+    byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
+    readLock();
+    try {
+      checkOperation(OperationCategory.READ);
+      src = FSDirectory.resolvePath(src, pathComponents, dir);
+      if (dir.getINode(src) == null) {
+        throw new FileNotFoundException("Path not found");
+      }
+      if (isPermissionEnabled) {
+        FSPermissionChecker pc = getPermissionChecker();
+        checkPathAccess(pc, src, mode);
+      }
+    } catch (AccessControlException e) {
+      logAuditEvent(false, "checkAccess", src);
+      throw e;
+    } finally {
+      readUnlock();
+    }
+  }
+
   /**
    * Default AuditLogger implementation; used when no access logger is
    * defined in the config file. It can also be explicitly listed in the
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 2c2cd4f2272..6800fcde174 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -54,6 +54,7 @@
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.PermissionStatus;
 import org.apache.hadoop.ha.HAServiceStatus;
 import org.apache.hadoop.ha.HealthCheckFailedException;
@@ -1443,5 +1444,10 @@ public List<XAttr> listXAttrs(String src) throws IOException {
   public void removeXAttr(String src, XAttr xAttr) throws IOException {
     namesystem.removeXAttr(src, xAttr);
   }
+
+  @Override
+  public void checkAccess(String path, FsAction mode) throws IOException {
+    namesystem.checkAccess(path, mode);
+  }
 }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java
index d7235b38727..991885b2e40 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java
@@ -57,6 +57,7 @@
 import org.apache.hadoop.fs.Options;
 import org.apache.hadoop.fs.XAttr;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.XAttrHelper;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
@@ -112,6 +113,7 @@
 import org.apache.hadoop.hdfs.web.resources.XAttrNameParam;
 import org.apache.hadoop.hdfs.web.resources.XAttrSetFlagParam;
 import org.apache.hadoop.hdfs.web.resources.XAttrValueParam;
+import org.apache.hadoop.hdfs.web.resources.FsActionParam;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.ipc.RetriableException;
 import org.apache.hadoop.ipc.Server;
@@ -755,10 +757,12 @@ public Response getRoot(
       @QueryParam(XAttrEncodingParam.NAME) @DefaultValue(XAttrEncodingParam.DEFAULT) 
           final XAttrEncodingParam xattrEncoding,
       @QueryParam(ExcludeDatanodesParam.NAME) @DefaultValue(ExcludeDatanodesParam.DEFAULT)
-          final ExcludeDatanodesParam excludeDatanodes          
+          final ExcludeDatanodesParam excludeDatanodes,
+      @QueryParam(FsActionParam.NAME) @DefaultValue(FsActionParam.DEFAULT)
+          final FsActionParam fsAction
       ) throws IOException, InterruptedException {
     return get(ugi, delegation, username, doAsUser, ROOT, op, offset, length,
-        renewer, bufferSize, xattrNames, xattrEncoding, excludeDatanodes);
+        renewer, bufferSize, xattrNames, xattrEncoding, excludeDatanodes, fsAction);
   }
 
   /** Handle HTTP GET request. */
@@ -789,11 +793,13 @@ public Response get(
       @QueryParam(XAttrEncodingParam.NAME) @DefaultValue(XAttrEncodingParam.DEFAULT) 
           final XAttrEncodingParam xattrEncoding,
       @QueryParam(ExcludeDatanodesParam.NAME) @DefaultValue(ExcludeDatanodesParam.DEFAULT)
-          final ExcludeDatanodesParam excludeDatanodes
+          final ExcludeDatanodesParam excludeDatanodes,
+      @QueryParam(FsActionParam.NAME) @DefaultValue(FsActionParam.DEFAULT)
+          final FsActionParam fsAction
       ) throws IOException, InterruptedException {
 
     init(ugi, delegation, username, doAsUser, path, op, offset, length,
-        renewer, bufferSize, xattrEncoding, excludeDatanodes);
+        renewer, bufferSize, xattrEncoding, excludeDatanodes, fsAction);
 
     return ugi.doAs(new PrivilegedExceptionAction<Response>() {
       @Override
@@ -801,7 +807,7 @@ public Response run() throws IOException, URISyntaxException {
         try {
           return get(ugi, delegation, username, doAsUser,
               path.getAbsolutePath(), op, offset, length, renewer, bufferSize,
-              xattrNames, xattrEncoding, excludeDatanodes);
+              xattrNames, xattrEncoding, excludeDatanodes, fsAction);
         } finally {
           reset();
         }
@@ -822,7 +828,8 @@ private Response get(
       final BufferSizeParam bufferSize,
       final List<XAttrNameParam> xattrNames,
       final XAttrEncodingParam xattrEncoding,
-      final ExcludeDatanodesParam excludeDatanodes
+      final ExcludeDatanodesParam excludeDatanodes,
+      final FsActionParam fsAction
       ) throws IOException, URISyntaxException {
     final NameNode namenode = (NameNode)context.getAttribute("name.node");
     final NamenodeProtocols np = getRPCServer(namenode);
@@ -919,6 +926,10 @@ private Response get(
       final String js = JsonUtil.toJsonString(xAttrs);
       return Response.ok(js).type(MediaType.APPLICATION_JSON).build();
     }
+    case CHECKACCESS: {
+      np.checkAccess(fullpath, FsAction.getFsAction(fsAction.getValue()));
+      return Response.ok().build();
+    }
     default:
       throw new UnsupportedOperationException(op + " is not supported");
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
index 78062ad0b5f..cf6233f5a35 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
@@ -54,6 +54,7 @@
 import org.apache.hadoop.fs.XAttrSetFlag;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.DFSUtil;
@@ -1356,6 +1357,12 @@ BlockLocation[] decodeResponse(Map<?,?> json) throws IOException {
     }.run();
   }
 
+  @Override
+  public void access(final Path path, final FsAction mode) throws IOException {
+    final HttpOpParam.Op op = GetOpParam.Op.CHECKACCESS;
+    new FsPathRunner(op, path, new FsActionParam(mode)).run();
+  }
+
   @Override
   public ContentSummary getContentSummary(final Path p) throws IOException {
     statistics.incrementReadOps(1);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/FsActionParam.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/FsActionParam.java
new file mode 100644
index 00000000000..c8401960034
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/FsActionParam.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.web.resources;
+
+import org.apache.hadoop.fs.permission.FsAction;
+
+import java.util.regex.Pattern;
+
+/** {@link FsAction} Parameter */
+public class FsActionParam extends StringParam {
+
+  /** Parameter name. */
+  public static final String NAME = "fsaction";
+
+  /** Default parameter value. */
+  public static final String DEFAULT = NULL;
+
+  private static String FS_ACTION_PATTERN = "[rwx-]{3}";
+
+  private static final Domain DOMAIN = new Domain(NAME,
+      Pattern.compile(FS_ACTION_PATTERN));
+
+  /**
+   * Constructor.
+   * @param str a string representation of the parameter value.
+   */
+  public FsActionParam(final String str) {
+    super(DOMAIN, str == null || str.equals(DEFAULT)? null: str);
+  }
+
+  /**
+   * Constructor.
+   * @param value the parameter value.
+   */
+  public FsActionParam(final FsAction value) {
+    super(DOMAIN, value == null? null: value.SYMBOL);
+  }
+
+  @Override
+  public String getName() {
+    return NAME;
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/GetOpParam.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/GetOpParam.java
index bf5a6a23e57..f63ed443924 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/GetOpParam.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/GetOpParam.java
@@ -39,7 +39,9 @@ public static enum Op implements HttpOpParam.Op {
     GETXATTRS(false, HttpURLConnection.HTTP_OK),
     LISTXATTRS(false, HttpURLConnection.HTTP_OK),
 
-    NULL(false, HttpURLConnection.HTTP_NOT_IMPLEMENTED);
+    NULL(false, HttpURLConnection.HTTP_NOT_IMPLEMENTED),
+
+    CHECKACCESS(false, HttpURLConnection.HTTP_OK);
 
     final boolean redirect;
     final int expectedHttpResponseCode;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
index d2f92d64d0e..cd291a68604 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
@@ -654,6 +654,14 @@ message DeleteSnapshotRequestProto {
 message DeleteSnapshotResponseProto { // void response
 }
 
+message CheckAccessRequestProto {
+  required string path = 1;
+  required AclEntryProto.FsActionProto mode = 2;
+}
+
+message CheckAccessResponseProto { // void response
+}
+
 service ClientNamenodeProtocol {
   rpc getBlockLocations(GetBlockLocationsRequestProto)
       returns(GetBlockLocationsResponseProto);
@@ -783,4 +791,6 @@ service ClientNamenodeProtocol {
       returns(ListXAttrsResponseProto);
   rpc removeXAttr(RemoveXAttrRequestProto)
       returns(RemoveXAttrResponseProto);
+  rpc checkAccess(CheckAccessRequestProto)
+      returns(CheckAccessResponseProto);
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/WebHDFS.apt.vm b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/WebHDFS.apt.vm
index 51bc574095d..c3f6a6b813b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/WebHDFS.apt.vm
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/WebHDFS.apt.vm
@@ -82,6 +82,9 @@ WebHDFS REST API
     * {{{List all XAttrs}<<<LISTXATTRS>>>}}
         (see  {{{../../api/org/apache/hadoop/fs/FileSystem.html}FileSystem}}.listXAttrs)
 
+    * {{{Check access}<<<CHECKACCESS>>>}}
+        (see  {{{../../api/org/apache/hadoop/fs/FileSystem.html}FileSystem}}.access)
+
   * HTTP PUT
 
     * {{{Create and Write to a File}<<<CREATE>>>}}
@@ -927,6 +930,28 @@ Transfer-Encoding: chunked
   {{{../../api/org/apache/hadoop/fs/FileSystem.html}FileSystem}}.getAclStatus
 
 
+** {Check access}
+
+  * Submit a HTTP GET request.
+  
++---------------------------------
+curl -i -X PUT "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=CHECKACCESS
+                              &fsaction=<FSACTION>
++---------------------------------
+
+  The client receives a response with zero content length:
+
++---------------------------------
+HTTP/1.1 200 OK
+Content-Length: 0
++---------------------------------
+
+  []
+
+  See also:
+  {{{../../api/org/apache/hadoop/fs/FileSystem.html}FileSystem}}.access
+    
+
 * {Extended Attributes(XAttrs) Operations}
 
 ** {Set XAttr}
@@ -2166,6 +2191,25 @@ var tokenProperties =
   {{Proxy Users}}
 
 
+** {Fs Action}
+
+*----------------+-------------------------------------------------------------------+
+|| Name          | <<<fsaction>>> |
+*----------------+-------------------------------------------------------------------+
+|| Description   | File system operation read/write/execute |
+*----------------+-------------------------------------------------------------------+
+|| Type          | String |
+*----------------+-------------------------------------------------------------------+
+|| Default Value | null (an invalid value) |
+*----------------+-------------------------------------------------------------------+
+|| Valid Values  | Strings matching regex pattern \"[rwx-]\{3\}\" |
+*----------------+-------------------------------------------------------------------+
+|| Syntax        | \"[rwx-]\{3\}\" |
+*----------------+-------------------------------------------------------------------+
+
+  See also:
+  {{{Check access}<<<CHECKACCESS>>>}},
+
 ** {Group}
 
 *----------------+-------------------------------------------------------------------+
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java
index 7d2b0ff7040..68349a2ac67 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java
@@ -20,8 +20,11 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
+import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Random;
@@ -36,6 +39,7 @@
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.Time;
@@ -421,6 +425,79 @@ public void testPermissionChecking() throws Exception {
     }
   }
 
+  @Test
+  public void testAccessOwner() throws IOException, InterruptedException {
+    FileSystem rootFs = FileSystem.get(conf);
+    Path p1 = new Path("/p1");
+    rootFs.mkdirs(p1);
+    rootFs.setOwner(p1, USER1_NAME, GROUP1_NAME);
+    fs = USER1.doAs(new PrivilegedExceptionAction<FileSystem>() {
+      @Override
+      public FileSystem run() throws Exception {
+        return FileSystem.get(conf);
+      }
+    });
+    fs.setPermission(p1, new FsPermission((short) 0444));
+    fs.access(p1, FsAction.READ);
+    try {
+      fs.access(p1, FsAction.WRITE);
+      fail("The access call should have failed.");
+    } catch (AccessControlException e) {
+      // expected
+    }
+
+    Path badPath = new Path("/bad/bad");
+    try {
+      fs.access(badPath, FsAction.READ);
+      fail("The access call should have failed");
+    } catch (FileNotFoundException e) {
+      // expected
+    }
+  }
+
+  @Test
+  public void testAccessGroupMember() throws IOException, InterruptedException {
+    FileSystem rootFs = FileSystem.get(conf);
+    Path p2 = new Path("/p2");
+    rootFs.mkdirs(p2);
+    rootFs.setOwner(p2, UserGroupInformation.getCurrentUser().getShortUserName(), GROUP1_NAME);
+    rootFs.setPermission(p2, new FsPermission((short) 0740));
+    fs = USER1.doAs(new PrivilegedExceptionAction<FileSystem>() {
+      @Override
+      public FileSystem run() throws Exception {
+        return FileSystem.get(conf);
+      }
+    });
+    fs.access(p2, FsAction.READ);
+    try {
+      fs.access(p2, FsAction.EXECUTE);
+      fail("The access call should have failed.");
+    } catch (AccessControlException e) {
+      // expected
+    }
+  }
+
+  @Test
+  public void testAccessOthers() throws IOException, InterruptedException {
+    FileSystem rootFs = FileSystem.get(conf);
+    Path p3 = new Path("/p3");
+    rootFs.mkdirs(p3);
+    rootFs.setPermission(p3, new FsPermission((short) 0774));
+    fs = USER1.doAs(new PrivilegedExceptionAction<FileSystem>() {
+      @Override
+      public FileSystem run() throws Exception {
+        return FileSystem.get(conf);
+      }
+    });
+    fs.access(p3, FsAction.READ);
+    try {
+      fs.access(p3, FsAction.READ_WRITE);
+      fail("The access call should have failed.");
+    } catch (AccessControlException e) {
+      // expected
+    }
+  }
+
   /* Check if namenode performs permission checking correctly 
    * for the given user for operations mkdir, open, setReplication, 
    * getFileInfo, isDirectory, exists, getContentLength, list, rename,
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java
index 25ec8c9eb0e..bda95c07525 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java
@@ -26,6 +26,7 @@
 import static org.junit.Assert.fail;
 
 import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
 import java.util.List;
 
 import org.apache.commons.logging.Log;
@@ -36,6 +37,7 @@
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.AclEntry;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.MiniDFSCluster.DataNodeProperties;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.SafeModeAction;
@@ -47,6 +49,8 @@
 import org.apache.hadoop.hdfs.server.namenode.SafeModeException;
 import org.apache.hadoop.io.IOUtils;
 import org.apache.hadoop.ipc.RemoteException;
+import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.test.GenericTestUtils;
 import org.junit.After;
 import org.junit.Before;
@@ -297,7 +301,8 @@ public void runFsFun(String msg, FSRun f) {
    * assert that they are either allowed or fail as expected.
    */
   @Test
-  public void testOperationsWhileInSafeMode() throws IOException {
+  public void testOperationsWhileInSafeMode() throws IOException,
+      InterruptedException {
     final Path file1 = new Path("/file1");
 
     assertFalse(dfs.setSafeMode(SafeModeAction.SAFEMODE_GET));
@@ -407,6 +412,22 @@ public void run(FileSystem fs) throws IOException {
       fail("getAclStatus failed while in SM");
     }
 
+    // Test access
+    UserGroupInformation ugiX = UserGroupInformation.createRemoteUser("userX");
+    FileSystem myfs = ugiX.doAs(new PrivilegedExceptionAction<FileSystem>() {
+      @Override
+      public FileSystem run() throws IOException {
+        return FileSystem.get(conf);
+      }
+    });
+    myfs.access(file1, FsAction.READ);
+    try {
+      myfs.access(file1, FsAction.WRITE);
+      fail("The access call should have failed.");
+    } catch (AccessControlException e) {
+      // expected
+    }
+
     assertFalse("Could not leave SM",
         dfs.setSafeMode(SafeModeAction.SAFEMODE_LEAVE));
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
index f36483e642d..1ddc774c842 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
@@ -34,6 +34,7 @@
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.DFSTestUtil;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
@@ -1256,6 +1257,33 @@ public void testGetAclStatusRequiresTraverseOrSuper() throws Exception {
     fsAsDiana.getAclStatus(bruceFile);
   }
 
+  @Test
+  public void testAccess() throws IOException, InterruptedException {
+    Path p1 = new Path("/p1");
+    fs.mkdirs(p1);
+    fs.setOwner(p1, BRUCE.getShortUserName(), "groupX");
+    fsAsBruce.setAcl(p1, Lists.newArrayList(
+        aclEntry(ACCESS, USER, READ),
+        aclEntry(ACCESS, USER, "bruce", READ),
+        aclEntry(ACCESS, GROUP, NONE),
+        aclEntry(ACCESS, OTHER, NONE)));
+    fsAsBruce.access(p1, FsAction.READ);
+    try {
+      fsAsBruce.access(p1, FsAction.WRITE);
+      fail("The access call should have failed.");
+    } catch (AccessControlException e) {
+      // expected
+    }
+
+    Path badPath = new Path("/bad/bad");
+    try {
+      fsAsBruce.access(badPath, FsAction.READ);
+      fail("The access call should have failed");
+    } catch (FileNotFoundException e) {
+      // expected
+    }
+  }
+
   /**
    * Creates a FileSystem for the super-user.
    *
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java
index 704bc1669d0..a739b7aa6ed 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java
@@ -45,6 +45,7 @@
 import org.apache.hadoop.fs.PathIsNotDirectoryException;
 import org.apache.hadoop.fs.RemoteIterator;
 import org.apache.hadoop.fs.XAttr;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.fs.permission.PermissionStatus;
 import org.apache.hadoop.hdfs.DFSClient;
@@ -581,6 +582,7 @@ public void testInodeIdBasedPaths() throws Exception {
         fs.getAclStatus(testFileInodePath);
         fs.getXAttrs(testFileInodePath);
         fs.listXAttrs(testFileInodePath);
+        fs.access(testFileInodePath, FsAction.READ_WRITE);
       }
       
       // symbolic link related tests
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestAclWithSnapshot.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestAclWithSnapshot.java
index 3deb47ff3af..3be1d36ca51 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestAclWithSnapshot.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestAclWithSnapshot.java
@@ -30,6 +30,7 @@
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclStatus;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.DFSTestUtil;
@@ -674,6 +675,13 @@ private static void assertDirPermissionDenied(FileSystem fs,
     } catch (AccessControlException e) {
       // expected
     }
+
+    try {
+      fs.access(pathToCheck, FsAction.READ);
+      fail("The access call should have failed for "+pathToCheck);
+    } catch (AccessControlException e) {
+      // expected
+    }
   }
 
   /**
@@ -689,6 +697,7 @@ private static void assertDirPermissionGranted(FileSystem fs,
       UserGroupInformation user, Path pathToCheck) throws Exception {
     try {
       fs.listStatus(pathToCheck);
+      fs.access(pathToCheck, FsAction.READ);
     } catch (AccessControlException e) {
       fail("expected permission granted for user " + user + ", path = " +
         pathToCheck);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsFileSystemContract.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsFileSystemContract.java
index 09f025c65ac..46e433d6df8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsFileSystemContract.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsFileSystemContract.java
@@ -39,6 +39,7 @@
 import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.FileSystemContractBaseTest;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.AppendTestUtil;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
@@ -49,6 +50,7 @@
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.junit.Assert;
+import org.junit.Test;
 
 public class TestWebHdfsFileSystemContract extends FileSystemContractBaseTest {
   private static final Configuration conf = new Configuration();
@@ -530,4 +532,35 @@ public void testResponseCode() throws IOException {
       }
     }
   }
+
+  @Test
+  public void testAccess() throws IOException, InterruptedException {
+    Path p1 = new Path("/pathX");
+    try {
+      UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alpha",
+          new String[]{"beta"});
+      WebHdfsFileSystem fs = WebHdfsTestUtil.getWebHdfsFileSystemAs(ugi, conf,
+          WebHdfsFileSystem.SCHEME);
+
+      fs.mkdirs(p1);
+      fs.setPermission(p1, new FsPermission((short) 0444));
+      fs.access(p1, FsAction.READ);
+      try {
+        fs.access(p1, FsAction.WRITE);
+        fail("The access call should have failed.");
+      } catch (AccessControlException e) {
+        // expected
+      }
+
+      Path badPath = new Path("/bad");
+      try {
+        fs.access(badPath, FsAction.READ);
+        fail("The access call should have failed");
+      } catch (FileNotFoundException e) {
+        // expected
+      }
+    } finally {
+      fs.delete(p1, true);
+    }
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java
index a84918e13d1..45cd8fe3afb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java
@@ -31,6 +31,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
 import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager;
 import org.apache.hadoop.hdfs.server.namenode.FSNamesystem;
@@ -40,6 +41,7 @@
 import org.apache.hadoop.hdfs.web.resources.PutOpParam;
 import org.apache.hadoop.hdfs.web.resources.TokenArgumentParam;
 import org.apache.hadoop.hdfs.web.resources.UserParam;
+import org.apache.hadoop.hdfs.web.resources.FsActionParam;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.SecurityUtil;
@@ -283,6 +285,28 @@ public void testSecureProxyAuthParamsInUrl() throws IOException {
         },
         fileStatusUrl);    
   }
+
+  @Test(timeout=60000)
+  public void testCheckAccessUrl() throws IOException {
+    Configuration conf = new Configuration();
+
+    UserGroupInformation ugi =
+        UserGroupInformation.createRemoteUser("test-user");
+    UserGroupInformation.setLoginUser(ugi);
+
+    WebHdfsFileSystem webhdfs = getWebHdfsFileSystem(ugi, conf);
+    Path fsPath = new Path("/p1");
+
+    URL checkAccessUrl = webhdfs.toUrl(GetOpParam.Op.CHECKACCESS,
+        fsPath, new FsActionParam(FsAction.READ_WRITE));
+    checkQueryParams(
+        new String[]{
+            GetOpParam.Op.CHECKACCESS.toQueryString(),
+            new UserParam(ugi.getShortUserName()).toString(),
+            FsActionParam.NAME + "=" + FsAction.READ_WRITE.SYMBOL
+        },
+        checkAccessUrl);
+  }
   
   private void checkQueryParams(String[] expected, URL url) {
     Arrays.sort(expected);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestPermissionSymlinks.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestPermissionSymlinks.java
index 13a9610a346..bc41edc1107 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestPermissionSymlinks.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestPermissionSymlinks.java
@@ -27,6 +27,7 @@
 import static org.junit.Assert.fail;
 
 import java.io.IOException;
+import java.io.FileNotFoundException;
 import java.security.PrivilegedExceptionAction;
 import java.util.Arrays;
 
@@ -39,6 +40,7 @@
 import org.apache.hadoop.fs.FileSystemTestWrapper;
 import org.apache.hadoop.fs.Options.Rename;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.DFSTestUtil;
@@ -393,4 +395,37 @@ public Object run() throws IOException {
       GenericTestUtils.assertExceptionContains("Permission denied", e);
     }
   }
+
+  @Test
+  public void testAccess() throws Exception {
+    fs.setPermission(target, new FsPermission((short) 0002));
+    fs.setAcl(target, Arrays.asList(
+        aclEntry(ACCESS, USER, ALL),
+        aclEntry(ACCESS, GROUP, NONE),
+        aclEntry(ACCESS, USER, user.getShortUserName(), WRITE),
+        aclEntry(ACCESS, OTHER, WRITE)));
+    FileContext myfc = user.doAs(new PrivilegedExceptionAction<FileContext>() {
+      @Override
+      public FileContext run() throws IOException {
+        return FileContext.getFileContext(conf);
+      }
+    });
+
+    // Path to targetChild via symlink
+    myfc.access(link, FsAction.WRITE);
+    try {
+      myfc.access(link, FsAction.ALL);
+      fail("The access call should have failed.");
+    } catch (AccessControlException e) {
+      // expected
+    }
+
+    Path badPath = new Path(link, "bad");
+    try {
+      myfc.access(badPath, FsAction.READ);
+      fail("The access call should have failed");
+    } catch (FileNotFoundException e) {
+      // expected
+    }
+  }
 }

From bda9c584c828fdd18e9c066747d58dbf751a585d Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Wed, 30 Jul 2014 17:54:10 +0000
Subject: [PATCH 084/354] HADOOP-10756. KMS audit log should consolidate
 successful similar requests. (asuresh via tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614725 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   3 +
 .../hadoop/crypto/key/kms/server/KMS.java     |  82 ++++---
 .../crypto/key/kms/server/KMSAudit.java       | 205 ++++++++++++++++--
 .../kms/server/KMSAuthenticationFilter.java   |   6 +-
 .../key/kms/server/KMSConfiguration.java      |   7 +-
 .../key/kms/server/KMSExceptionsProvider.java |  10 +-
 .../crypto/key/kms/server/KMSWebApp.java      |  11 +
 .../hadoop-kms/src/site/apt/index.apt.vm      |  19 ++
 .../crypto/key/kms/server/TestKMSAudit.java   | 134 ++++++++++++
 .../test/resources/log4j-kmsaudit.properties  |  25 +++
 10 files changed, 443 insertions(+), 59 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
 create mode 100644 hadoop-common-project/hadoop-kms/src/test/resources/log4j-kmsaudit.properties

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index c2f6f91edaf..9805a01bd7b 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -192,6 +192,9 @@ Trunk (Unreleased)
     HADOOP-10891. Add EncryptedKeyVersion factory method to
     KeyProviderCryptoExtension. (wang)
 
+    HADOOP-10756. KMS audit log should consolidate successful similar requests. 
+    (asuresh via tucu)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
index 2b663368737..9c4e7940929 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
@@ -20,6 +20,7 @@
 import org.apache.commons.codec.binary.Base64;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.crypto.key.KeyProvider;
+import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
 import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
@@ -27,7 +28,6 @@
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authorize.AuthorizationException;
 import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
-import org.apache.hadoop.util.StringUtils;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
@@ -59,22 +59,25 @@
 @Path(KMSRESTConstants.SERVICE_VERSION)
 @InterfaceAudience.Private
 public class KMS {
-  private static final String CREATE_KEY = "CREATE_KEY";
-  private static final String DELETE_KEY = "DELETE_KEY";
-  private static final String ROLL_NEW_VERSION = "ROLL_NEW_VERSION";
-  private static final String GET_KEYS = "GET_KEYS";
-  private static final String GET_KEYS_METADATA = "GET_KEYS_METADATA";
-  private static final String GET_KEY_VERSION = "GET_KEY_VERSION";
-  private static final String GET_CURRENT_KEY = "GET_CURRENT_KEY";
-  private static final String GET_KEY_VERSIONS = "GET_KEY_VERSIONS";
-  private static final String GET_METADATA = "GET_METADATA";
-  private static final String GENERATE_EEK = "GENERATE_EEK";
-  private static final String DECRYPT_EEK = "DECRYPT_EEK";
+  public static final String CREATE_KEY = "CREATE_KEY";
+  public static final String DELETE_KEY = "DELETE_KEY";
+  public static final String ROLL_NEW_VERSION = "ROLL_NEW_VERSION";
+  public static final String GET_KEYS = "GET_KEYS";
+  public static final String GET_KEYS_METADATA = "GET_KEYS_METADATA";
+  public static final String GET_KEY_VERSIONS = "GET_KEY_VERSIONS";
+  public static final String GET_METADATA = "GET_METADATA";
 
+  public static final String GET_KEY_VERSION = "GET_KEY_VERSION";
+  public static final String GET_CURRENT_KEY = "GET_CURRENT_KEY";
+  public static final String GENERATE_EEK = "GENERATE_EEK";
+  public static final String DECRYPT_EEK = "DECRYPT_EEK";
+  
   private KeyProviderCryptoExtension provider;
+  private KMSAudit kmsAudit;
 
   public KMS() throws Exception {
     provider = KMSWebApp.getKeyProvider();
+    kmsAudit= KMSWebApp.getKMSAudit();
   }
 
   private static Principal getPrincipal(SecurityContext securityContext)
@@ -86,13 +89,26 @@ private static Principal getPrincipal(SecurityContext securityContext)
     return user;
   }
 
-  private static void assertAccess(KMSACLs.Type aclType, Principal principal,
+
+  private static final String UNAUTHORIZED_MSG_WITH_KEY = 
+      "User:{0} not allowed to do ''{1}'' on ''{2}''";
+  
+  private static final String UNAUTHORIZED_MSG_WITHOUT_KEY = 
+      "User:{0} not allowed to do ''{1}''";
+
+  private void assertAccess(KMSACLs.Type aclType, Principal principal,
+      String operation) throws AccessControlException {
+    assertAccess(aclType, principal, operation, null);
+  }
+
+  private void assertAccess(KMSACLs.Type aclType, Principal principal,
       String operation, String key) throws AccessControlException {
     if (!KMSWebApp.getACLs().hasAccess(aclType, principal.getName())) {
       KMSWebApp.getUnauthorizedCallsMeter().mark();
-      KMSAudit.unauthorized(principal, operation, key);
+      kmsAudit.unauthorized(principal, operation, key);
       throw new AuthorizationException(MessageFormat.format(
-          "User:{0} not allowed to do ''{1}'' on ''{2}''",
+          (key != null) ? UNAUTHORIZED_MSG_WITH_KEY 
+                        : UNAUTHORIZED_MSG_WITHOUT_KEY,
           principal.getName(), operation, key));
     }
   }
@@ -149,7 +165,7 @@ public Response createKey(@Context SecurityContext securityContext,
 
     provider.flush();
 
-    KMSAudit.ok(user, CREATE_KEY, name, "UserProvidedMaterial:" +
+    kmsAudit.ok(user, CREATE_KEY, name, "UserProvidedMaterial:" +
         (material != null) + " Description:" + description);
 
     if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user.getName())) {
@@ -175,7 +191,7 @@ public Response deleteKey(@Context SecurityContext securityContext,
     provider.deleteKey(name);
     provider.flush();
 
-    KMSAudit.ok(user, DELETE_KEY, name, "");
+    kmsAudit.ok(user, DELETE_KEY, name, "");
 
     return Response.ok().build();
   }
@@ -203,7 +219,7 @@ public Response rolloverKey(@Context SecurityContext securityContext,
 
     provider.flush();
 
-    KMSAudit.ok(user, ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
+    kmsAudit.ok(user, ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
         (material != null) + " NewVersion:" + keyVersion.getVersionName());
 
     if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user.getName())) {
@@ -222,11 +238,10 @@ public Response getKeysMetadata(@Context SecurityContext securityContext,
     KMSWebApp.getAdminCallsMeter().mark();
     Principal user = getPrincipal(securityContext);
     String[] keyNames = keyNamesList.toArray(new String[keyNamesList.size()]);
-    String names = StringUtils.arrayToString(keyNames);
-    assertAccess(KMSACLs.Type.GET_METADATA, user, GET_KEYS_METADATA, names);
+    assertAccess(KMSACLs.Type.GET_METADATA, user, GET_KEYS_METADATA);
     KeyProvider.Metadata[] keysMeta = provider.getKeysMetadata(keyNames);
     Object json = KMSServerJSONUtils.toJSON(keyNames, keysMeta);
-    KMSAudit.ok(user, GET_KEYS_METADATA, names, "");
+    kmsAudit.ok(user, GET_KEYS_METADATA, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
@@ -237,9 +252,9 @@ public Response getKeyNames(@Context SecurityContext securityContext)
       throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
     Principal user = getPrincipal(securityContext);
-    assertAccess(KMSACLs.Type.GET_KEYS, user, GET_KEYS, "*");
+    assertAccess(KMSACLs.Type.GET_KEYS, user, GET_KEYS);
     Object json = provider.getKeys();
-    KMSAudit.ok(user, GET_KEYS, "*", "");
+    kmsAudit.ok(user, GET_KEYS, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
@@ -263,7 +278,7 @@ public Response getMetadata(@Context SecurityContext securityContext,
     KMSWebApp.getAdminCallsMeter().mark();
     assertAccess(KMSACLs.Type.GET_METADATA, user, GET_METADATA, name);
     Object json = KMSServerJSONUtils.toJSON(name, provider.getMetadata(name));
-    KMSAudit.ok(user, GET_METADATA, name, "");
+    kmsAudit.ok(user, GET_METADATA, name, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
@@ -279,7 +294,7 @@ public Response getCurrentVersion(@Context SecurityContext securityContext,
     KMSWebApp.getKeyCallsMeter().mark();
     assertAccess(KMSACLs.Type.GET, user, GET_CURRENT_KEY, name);
     Object json = KMSServerJSONUtils.toJSON(provider.getCurrentKey(name));
-    KMSAudit.ok(user, GET_CURRENT_KEY, name, "");
+    kmsAudit.ok(user, GET_CURRENT_KEY, name, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
@@ -292,9 +307,12 @@ public Response getKeyVersion(@Context SecurityContext securityContext,
     Principal user = getPrincipal(securityContext);
     KMSClientProvider.checkNotEmpty(versionName, "versionName");
     KMSWebApp.getKeyCallsMeter().mark();
-    assertAccess(KMSACLs.Type.GET, user, GET_KEY_VERSION, versionName);
-    Object json = KMSServerJSONUtils.toJSON(provider.getKeyVersion(versionName));
-    KMSAudit.ok(user, GET_KEY_VERSION, versionName, "");
+    KeyVersion keyVersion = provider.getKeyVersion(versionName);
+    assertAccess(KMSACLs.Type.GET, user, GET_KEY_VERSION);
+    if (keyVersion != null) {
+      kmsAudit.ok(user, GET_KEY_VERSION, keyVersion.getName(), "");
+    }
+    Object json = KMSServerJSONUtils.toJSON(keyVersion);
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
@@ -327,7 +345,7 @@ public Response generateEncryptedKeys(
       } catch (Exception e) {
         throw new IOException(e);
       }
-      KMSAudit.ok(user, GENERATE_EEK, name, "");
+      kmsAudit.ok(user, GENERATE_EEK, name, "");
       retJSON = new ArrayList();
       for (EncryptedKeyVersion edek : retEdeks) {
         ((ArrayList)retJSON).add(KMSServerJSONUtils.toJSON(edek));
@@ -362,7 +380,7 @@ public Response decryptEncryptedKey(@Context SecurityContext securityContext,
         (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
     Object retJSON;
     if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
-      assertAccess(KMSACLs.Type.DECRYPT_EEK, user, DECRYPT_EEK, versionName);
+      assertAccess(KMSACLs.Type.DECRYPT_EEK, user, DECRYPT_EEK, keyName);
       KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
       byte[] iv = Base64.decodeBase64(ivStr);
       KMSClientProvider.checkNotNull(encMaterialStr,
@@ -373,7 +391,7 @@ public Response decryptEncryptedKey(@Context SecurityContext securityContext,
               new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName,
                   iv, KeyProviderCryptoExtension.EEK, encMaterial));
       retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
-      KMSAudit.ok(user, DECRYPT_EEK, versionName, "");
+      kmsAudit.ok(user, DECRYPT_EEK, keyName, "");
     } else {
       throw new IllegalArgumentException("Wrong " + KMSRESTConstants.EEK_OP +
           " value, it must be " + KMSRESTConstants.EEK_GENERATE + " or " +
@@ -396,7 +414,7 @@ public Response getKeyVersions(@Context SecurityContext securityContext,
     KMSWebApp.getKeyCallsMeter().mark();
     assertAccess(KMSACLs.Type.GET, user, GET_KEY_VERSIONS, name);
     Object json = KMSServerJSONUtils.toJSON(provider.getKeyVersions(name));
-    KMSAudit.ok(user, GET_KEY_VERSIONS, name, "");
+    kmsAudit.ok(user, GET_KEY_VERSIONS, name, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
index e212d7d97a1..3d387eb354b 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
@@ -20,43 +20,202 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.base.Joiner;
+import com.google.common.base.Strings;
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.RemovalListener;
+import com.google.common.cache.RemovalNotification;
+import com.google.common.collect.Sets;
+import com.google.common.util.concurrent.ThreadFactoryBuilder;
+
 import java.security.Principal;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicLong;
 
 /**
  * Provides convenience methods for audit logging consistently the different
  * types of events.
  */
 public class KMSAudit {
+
+  private static class AuditEvent {
+    private final AtomicLong accessCount = new AtomicLong(-1);
+    private final String keyName;
+    private final String user;
+    private final String op;
+    private final String extraMsg;
+    private final long startTime = System.currentTimeMillis();
+
+    private AuditEvent(String keyName, String user, String op, String msg) {
+      this.keyName = keyName;
+      this.user = user;
+      this.op = op;
+      this.extraMsg = msg;
+    }
+
+    public String getExtraMsg() {
+      return extraMsg;
+    }
+
+    public AtomicLong getAccessCount() {
+      return accessCount;
+    }
+
+    public String getKeyName() {
+      return keyName;
+    }
+
+    public String getUser() {
+      return user;
+    }
+
+    public String getOp() {
+      return op;
+    }
+
+    public long getStartTime() {
+      return startTime;
+    }
+  }
+
+  public static enum OpStatus {
+    OK, UNAUTHORIZED, UNAUTHENTICATED, ERROR;
+  }
+
+  private static Set<String> AGGREGATE_OPS_WHITELIST = Sets.newHashSet(
+    KMS.GET_KEY_VERSION, KMS.GET_CURRENT_KEY, KMS.DECRYPT_EEK, KMS.GENERATE_EEK
+  );
+
+  private Cache<String, AuditEvent> cache;
+
+  private ScheduledExecutorService executor;
+
   public static final String KMS_LOGGER_NAME = "kms-audit";
 
   private static Logger AUDIT_LOG = LoggerFactory.getLogger(KMS_LOGGER_NAME);
 
-  private static void op(String status, String op, Principal user, String key,
-      String extraMsg) {
-    AUDIT_LOG.info("Status:{} User:{} Op:{} Name:{}{}", status, user.getName(),
-        op, key, extraMsg);
+  KMSAudit(long delay) {
+    cache = CacheBuilder.newBuilder()
+        .expireAfterWrite(delay, TimeUnit.MILLISECONDS)
+        .removalListener(
+            new RemovalListener<String, AuditEvent>() {
+              @Override
+              public void onRemoval(
+                  RemovalNotification<String, AuditEvent> entry) {
+                AuditEvent event = entry.getValue();
+                if (event.getAccessCount().get() > 0) {
+                  KMSAudit.this.logEvent(event);
+                  event.getAccessCount().set(0);
+                  KMSAudit.this.cache.put(entry.getKey(), event);
+                }
+              }
+            }).build();
+    executor = Executors.newScheduledThreadPool(1, new ThreadFactoryBuilder()
+        .setDaemon(true).setNameFormat(KMS_LOGGER_NAME + "_thread").build());
+    executor.scheduleAtFixedRate(new Runnable() {
+      @Override
+      public void run() {
+        cache.cleanUp();
+      }
+    }, delay / 10, delay / 10, TimeUnit.MILLISECONDS);
   }
 
-  public static void ok(Principal user, String op, String key,
-      String extraMsg) {
-    op("OK", op, user, key, extraMsg);
-  }
-
-  public static void unauthorized(Principal user, String op, String key) {
-    op("UNAUTHORIZED", op, user, key, "");
-  }
-
-  public static void error(Principal user, String method, String url,
-      String extraMsg) {
-    AUDIT_LOG.info("Status:ERROR User:{} Method:{} URL:{} Exception:'{}'",
-        user.getName(), method, url, extraMsg);
-  }
-
-  public static void unauthenticated(String remoteHost, String method,
-      String url, String extraMsg) {
+  private void logEvent(AuditEvent event) {
     AUDIT_LOG.info(
-        "Status:UNAUTHENTICATED RemoteHost:{} Method:{} URL:{} ErrorMsg:'{}'",
-        remoteHost, method, url, extraMsg);
+        "OK[op={}, key={}, user={}, accessCount={}, interval={}ms] {}",
+        event.getOp(), event.getKeyName(), event.getUser(),
+        event.getAccessCount().get(),
+        (System.currentTimeMillis() - event.getStartTime()),
+        event.getExtraMsg());
   }
 
+  private void op(OpStatus opStatus, final String op, final String user,
+      final String key, final String extraMsg) {
+    if (!Strings.isNullOrEmpty(user) && !Strings.isNullOrEmpty(key)
+        && !Strings.isNullOrEmpty(op)
+        && AGGREGATE_OPS_WHITELIST.contains(op)) {
+      String cacheKey = createCacheKey(user, key, op);
+      if (opStatus == OpStatus.UNAUTHORIZED) {
+        cache.invalidate(cacheKey);
+        AUDIT_LOG.info("UNAUTHORIZED[op={}, key={}, user={}] {}", op, key, user,
+            extraMsg);
+      } else {
+        try {
+          AuditEvent event = cache.get(cacheKey, new Callable<AuditEvent>() {
+            @Override
+            public AuditEvent call() throws Exception {
+              return new AuditEvent(key, user, op, extraMsg);
+            }
+          });
+          // Log first access (initialized as -1 so
+          // incrementAndGet() == 0 implies first access)
+          if (event.getAccessCount().incrementAndGet() == 0) {
+            event.getAccessCount().incrementAndGet();
+            logEvent(event);
+          }
+        } catch (ExecutionException ex) {
+          throw new RuntimeException(ex);
+        }
+      }
+    } else {
+      List<String> kvs = new LinkedList<String>();
+      if (!Strings.isNullOrEmpty(op)) {
+        kvs.add("op=" + op);
+      }
+      if (!Strings.isNullOrEmpty(key)) {
+        kvs.add("key=" + key);
+      }
+      if (!Strings.isNullOrEmpty(user)) {
+        kvs.add("user=" + user);
+      }
+      if (kvs.size() == 0) {
+        AUDIT_LOG.info("{} {}", opStatus.toString(), extraMsg);
+      } else {
+        String join = Joiner.on(", ").join(kvs);
+        AUDIT_LOG.info("{}[{}] {}", opStatus.toString(), join, extraMsg);
+      }
+    }
+  }
+
+  public void ok(Principal user, String op, String key,
+      String extraMsg) {
+    op(OpStatus.OK, op, user.getName(), key, extraMsg);
+  }
+
+  public void ok(Principal user, String op, String extraMsg) {
+    op(OpStatus.OK, op, user.getName(), null, extraMsg);
+  }
+
+  public void unauthorized(Principal user, String op, String key) {
+    op(OpStatus.UNAUTHORIZED, op, user.getName(), key, "");
+  }
+
+  public void error(Principal user, String method, String url,
+      String extraMsg) {
+    op(OpStatus.ERROR, null, user.getName(), null, "Method:'" + method
+        + "' Exception:'" + extraMsg + "'");
+  }
+
+  public void unauthenticated(String remoteHost, String method,
+      String url, String extraMsg) {
+    op(OpStatus.UNAUTHENTICATED, null, null, null, "RemoteHost:"
+        + remoteHost + " Method:" + method
+        + " URL:" + url + " ErrorMsg:'" + extraMsg + "'");
+  }
+
+  private static String createCacheKey(String user, String key, String op) {
+    return user + "#" + key + "#" + op;
+  }
+
+  public void shutdown() {
+    executor.shutdownNow();
+  }
 }
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
index f1872a24e8b..db60b097ee7 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
@@ -115,8 +115,10 @@ public void doFilter(ServletRequest request, ServletResponse response,
       if (queryString != null) {
         requestURL.append("?").append(queryString);
       }
-      KMSAudit.unauthenticated(request.getRemoteHost(), method,
-          requestURL.toString(), kmsResponse.msg);
+
+      KMSWebApp.getKMSAudit().unauthenticated(
+          request.getRemoteHost(), method, requestURL.toString(),
+          kmsResponse.msg);
     }
   }
 
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
index e2b8fc4c093..30d742e7fe8 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
@@ -43,12 +43,17 @@ public class KMSConfiguration {
   // TImeout for the Current Key cache
   public static final String CURR_KEY_CACHE_TIMEOUT_KEY = CONFIG_PREFIX +
       "current.key.cache.timeout.ms";
-
+  // Delay for Audit logs that need aggregation
+  public static final String KMS_AUDIT_AGGREGATION_DELAY = CONFIG_PREFIX +
+      "aggregation.delay.ms";
+  
   public static final boolean KEY_CACHE_ENABLE_DEFAULT = true;
   // 10 mins
   public static final long KEY_CACHE_TIMEOUT_DEFAULT = 10 * 60 * 1000;
   // 30 secs
   public static final long CURR_KEY_CACHE_TIMEOUT_DEFAULT = 30 * 1000;
+  // 10 secs
+  public static final long KMS_AUDIT_AGGREGATION_DELAY_DEFAULT = 10000;
 
   static Configuration getConfiguration(boolean loadHadoopDefaults,
       String ... resources) {
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java
index 1c4c32ddb7f..bf24ed8a108 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java
@@ -20,9 +20,11 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 
 import com.sun.jersey.api.container.ContainerException;
+
 import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authorize.AuthorizationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -30,6 +32,7 @@
 import javax.ws.rs.core.Response;
 import javax.ws.rs.ext.ExceptionMapper;
 import javax.ws.rs.ext.Provider;
+
 import java.io.IOException;
 import java.security.Principal;
 import java.util.LinkedHashMap;
@@ -83,6 +86,10 @@ public Response toResponse(Exception exception) {
       status = Response.Status.FORBIDDEN;
       // we don't audit here because we did it already when checking access
       doAudit = false;
+    } else if (throwable instanceof AuthorizationException) {
+      status = Response.Status.UNAUTHORIZED;
+      // we don't audit here because we did it already when checking access
+      doAudit = false;
     } else if (throwable instanceof AccessControlException) {
       status = Response.Status.FORBIDDEN;
     } else if (exception instanceof IOException) {
@@ -95,7 +102,8 @@ public Response toResponse(Exception exception) {
       status = Response.Status.INTERNAL_SERVER_ERROR;
     }
     if (doAudit) {
-      KMSAudit.error(KMSMDCFilter.getPrincipal(), KMSMDCFilter.getMethod(),
+      KMSWebApp.getKMSAudit().error(KMSMDCFilter.getPrincipal(),
+          KMSMDCFilter.getMethod(),
           KMSMDCFilter.getURL(), getOneLineMessage(exception));
     }
     return createResponse(status, throwable);
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
index d794463ac32..571ab965351 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
@@ -76,6 +76,7 @@ public class KMSWebApp implements ServletContextListener {
   private static Meter decryptEEKCallsMeter;
   private static Meter generateEEKCallsMeter;
   private static Meter invalidCallsMeter;
+  private static KMSAudit kmsAudit;
   private static KeyProviderCryptoExtension keyProviderCryptoExtension;
 
   static {
@@ -144,6 +145,11 @@ public void contextInitialized(ServletContextEvent sce) {
       unauthenticatedCallsMeter = metricRegistry.register(
           UNAUTHENTICATED_CALLS_METER, new Meter());
 
+      kmsAudit =
+          new KMSAudit(kmsConf.getLong(
+              KMSConfiguration.KMS_AUDIT_AGGREGATION_DELAY,
+              KMSConfiguration.KMS_AUDIT_AGGREGATION_DELAY_DEFAULT));
+
       // this is required for the the JMXJsonServlet to work properly.
       // the JMXJsonServlet is behind the authentication filter,
       // thus the '*' ACL.
@@ -199,6 +205,7 @@ public void contextInitialized(ServletContextEvent sce) {
 
   @Override
   public void contextDestroyed(ServletContextEvent sce) {
+    kmsAudit.shutdown();
     acls.stopReloader();
     jmxReporter.stop();
     jmxReporter.close();
@@ -245,4 +252,8 @@ public static Meter getUnauthenticatedCallsMeter() {
   public static KeyProviderCryptoExtension getKeyProvider() {
     return keyProviderCryptoExtension;
   }
+
+  public static KMSAudit getKMSAudit() {
+    return kmsAudit;
+  }
 }
diff --git a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
index 41a2cd968af..557cafa2f8a 100644
--- a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
@@ -104,6 +104,25 @@ Hadoop Key Management Server (KMS) - Documentation Sets ${project.version}
   </property>
 +---+
 
+** KMS Aggregated Audit logs
+
+Audit logs are aggregated for API accesses to the GET_KEY_VERSION, 
+GET_CURRENT_KEY, DECRYPT_EEK, GENERATE_EEK operations.
+
+Entries are grouped by the (user,key,operation) combined key for a configurable
+aggregation interval after which the number of accesses to the specified
+end-point by the user for a given key is flushed to the audit log.
+
+The Aggregation interval is configured via the property :
+
++---+
+  <property>
+    <name>hadoop.kms.aggregation.delay.ms</name>
+    <value>10000</value>
+  </property>
++---+
+ 
+
 ** Start/Stop the KMS
 
   To start/stop KMS use KMS's bin/kms.sh script. For example:
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
new file mode 100644
index 00000000000..b5d9a36d198
--- /dev/null
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
@@ -0,0 +1,134 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import java.io.ByteArrayOutputStream;
+import java.io.FilterOutputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.security.Principal;
+
+import org.apache.log4j.LogManager;
+import org.apache.log4j.PropertyConfigurator;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+public class TestKMSAudit {
+
+  private PrintStream originalOut;
+  private ByteArrayOutputStream memOut;
+  private FilterOut filterOut;
+  private PrintStream capturedOut;
+  
+  private KMSAudit kmsAudit; 
+
+  private static class FilterOut extends FilterOutputStream {
+    public FilterOut(OutputStream out) {
+      super(out);
+    }
+
+    public void setOutputStream(OutputStream out) {
+      this.out = out;
+    }
+  }
+
+  @Before
+  public void setUp() {
+    originalOut = System.err;
+    memOut = new ByteArrayOutputStream();
+    filterOut = new FilterOut(memOut);
+    capturedOut = new PrintStream(filterOut);
+    System.setErr(capturedOut);
+    PropertyConfigurator.configure(Thread.currentThread().
+        getContextClassLoader()
+        .getResourceAsStream("log4j-kmsaudit.properties"));
+    this.kmsAudit = new KMSAudit(1000);
+  }
+
+  @After
+  public void cleanUp() {
+    System.setErr(originalOut);
+    LogManager.resetConfiguration();
+    kmsAudit.shutdown();
+  }
+
+  private String getAndResetLogOutput() {
+    capturedOut.flush();
+    String logOutput = new String(memOut.toByteArray());
+    memOut = new ByteArrayOutputStream();
+    filterOut.setOutputStream(memOut);
+    return logOutput;
+  }
+
+  @Test
+  public void testAggregation() throws Exception {
+    Principal luser = Mockito.mock(Principal.class);
+    Mockito.when(luser.getName()).thenReturn("luser");
+    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMS.DELETE_KEY, "k1", "testmsg");
+    kmsAudit.ok(luser, KMS.ROLL_NEW_VERSION, "k1", "testmsg");
+    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
+    Thread.sleep(1500);
+    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
+    Thread.sleep(1500);
+    String out = getAndResetLogOutput();
+    System.out.println(out);
+    Assert.assertTrue(
+        out.matches(
+            "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
+            // Not aggregated !!
+            + "OK\\[op=DELETE_KEY, key=k1, user=luser\\] testmsg"
+            + "OK\\[op=ROLL_NEW_VERSION, key=k1, user=luser\\] testmsg"
+            // Aggregated
+            + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=6, interval=[^m]{1,4}ms\\] testmsg"
+            + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"));
+  }
+
+  @Test
+  public void testAggregationUnauth() throws Exception {
+    Principal luser = Mockito.mock(Principal.class);
+    Mockito.when(luser.getName()).thenReturn("luser");
+    kmsAudit.unauthorized(luser, KMS.GENERATE_EEK, "k2");
+    Thread.sleep(1000);
+    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
+    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
+    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
+    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
+    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
+    kmsAudit.unauthorized(luser, KMS.GENERATE_EEK, "k3");
+    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
+    Thread.sleep(2000);
+    String out = getAndResetLogOutput();
+    System.out.println(out);
+    Assert.assertTrue(
+        out.matches(
+            "UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, user=luser\\] "
+            + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
+            + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=5, interval=[^m]{1,4}ms\\] testmsg"
+            + "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser\\] "
+            + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"));
+  }
+
+}
diff --git a/hadoop-common-project/hadoop-kms/src/test/resources/log4j-kmsaudit.properties b/hadoop-common-project/hadoop-kms/src/test/resources/log4j-kmsaudit.properties
new file mode 100644
index 00000000000..cca6941d14b
--- /dev/null
+++ b/hadoop-common-project/hadoop-kms/src/test/resources/log4j-kmsaudit.properties
@@ -0,0 +1,25 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# LOG Appender
+log4j.appender.kms-audit=org.apache.log4j.ConsoleAppender
+log4j.appender.kms-audit.Target=System.err
+log4j.appender.kms-audit.layout=org.apache.log4j.PatternLayout
+log4j.appender.kms-audit.layout.ConversionPattern=%m
+
+log4j.rootLogger=INFO, kms-audit
\ No newline at end of file

From 18360e71f1d993ad28be8a7ca8966bc40b8290b5 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Wed, 30 Jul 2014 18:37:41 +0000
Subject: [PATCH 085/354] HDFS-6768. Fix a few unit tests that use hard-coded
 port numbers. (Arpit Agarwal)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614732 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ++
 .../org/apache/hadoop/TestGenericRefresh.java | 29 +++++++++-----
 .../apache/hadoop/TestRefreshCallQueue.java   | 40 ++++++++++++++-----
 .../server/datanode/TestBlockRecovery.java    |  1 -
 4 files changed, 51 insertions(+), 22 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 1e33c194b54..61e48af5819 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -956,6 +956,9 @@ Release 2.5.0 - UNRELEASED
     HDFS-6717. JIRA HDFS-5804 breaks default nfs-gateway behavior for unsecured config
     (brandonli)
 
+    HDFS-6768. Fix a few unit tests that use hard-coded port numbers. (Arpit
+    Agarwal)
+
   BREAKDOWN OF HDFS-2006 SUBTASKS AND RELATED JIRAS
 
     HDFS-6299. Protobuf for XAttr and client-side implementation. (Yi Liu via umamahesh)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/TestGenericRefresh.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/TestGenericRefresh.java
index 664a478f27a..3c73c28c2a6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/TestGenericRefresh.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/TestGenericRefresh.java
@@ -47,7 +47,6 @@
 public class TestGenericRefresh {
   private static MiniDFSCluster cluster;
   private static Configuration config;
-  private static final int NNPort = 54222;
 
   private static RefreshHandler firstHandler;
   private static RefreshHandler secondHandler;
@@ -57,8 +56,8 @@ public static void setUpBeforeClass() throws Exception {
     config = new Configuration();
     config.set("hadoop.security.authorization", "true");
 
-    FileSystem.setDefaultUri(config, "hdfs://localhost:" + NNPort);
-    cluster = new MiniDFSCluster.Builder(config).nameNodePort(NNPort).build();
+    FileSystem.setDefaultUri(config, "hdfs://localhost:0");
+    cluster = new MiniDFSCluster.Builder(config).build();
     cluster.waitActive();
   }
 
@@ -103,7 +102,8 @@ public void testInvalidCommand() throws Exception {
   @Test
   public void testInvalidIdentifier() throws Exception {
     DFSAdmin admin = new DFSAdmin(config);
-    String [] args = new String[]{"-refresh", "localhost:" + NNPort, "unregisteredIdentity"};
+    String [] args = new String[]{"-refresh", "localhost:" + 
+        cluster.getNameNodePort(), "unregisteredIdentity"};
     int exitCode = admin.run(args);
     assertEquals("DFSAdmin should fail due to no handler registered", -1, exitCode);
   }
@@ -111,7 +111,8 @@ public void testInvalidIdentifier() throws Exception {
   @Test
   public void testValidIdentifier() throws Exception {
     DFSAdmin admin = new DFSAdmin(config);
-    String[] args = new String[]{"-refresh", "localhost:" + NNPort, "firstHandler"};
+    String[] args = new String[]{"-refresh",
+        "localhost:" + cluster.getNameNodePort(), "firstHandler"};
     int exitCode = admin.run(args);
     assertEquals("DFSAdmin should succeed", 0, exitCode);
 
@@ -124,11 +125,13 @@ public void testValidIdentifier() throws Exception {
   @Test
   public void testVariableArgs() throws Exception {
     DFSAdmin admin = new DFSAdmin(config);
-    String[] args = new String[]{"-refresh", "localhost:" + NNPort, "secondHandler", "one"};
+    String[] args = new String[]{"-refresh", "localhost:" +
+        cluster.getNameNodePort(), "secondHandler", "one"};
     int exitCode = admin.run(args);
     assertEquals("DFSAdmin should return 2", 2, exitCode);
 
-    exitCode = admin.run(new String[]{"-refresh", "localhost:" + NNPort, "secondHandler", "one", "two"});
+    exitCode = admin.run(new String[]{"-refresh", "localhost:" +
+        cluster.getNameNodePort(), "secondHandler", "one", "two"});
     assertEquals("DFSAdmin should now return 3", 3, exitCode);
 
     Mockito.verify(secondHandler).handleRefresh("secondHandler", new String[]{"one"});
@@ -141,7 +144,8 @@ public void testUnregistration() throws Exception {
 
     // And now this should fail
     DFSAdmin admin = new DFSAdmin(config);
-    String[] args = new String[]{"-refresh", "localhost:" + NNPort, "firstHandler"};
+    String[] args = new String[]{"-refresh", "localhost:" +
+        cluster.getNameNodePort(), "firstHandler"};
     int exitCode = admin.run(args);
     assertEquals("DFSAdmin should return -1", -1, exitCode);
   }
@@ -161,7 +165,8 @@ public void testMultipleRegistration() throws Exception {
 
     // this should trigger both
     DFSAdmin admin = new DFSAdmin(config);
-    String[] args = new String[]{"-refresh", "localhost:" + NNPort, "sharedId", "one"};
+    String[] args = new String[]{"-refresh", "localhost:" +
+        cluster.getNameNodePort(), "sharedId", "one"};
     int exitCode = admin.run(args);
     assertEquals(-1, exitCode); // -1 because one of the responses is unregistered
 
@@ -189,7 +194,8 @@ public void testMultipleReturnCodeMerging() throws Exception {
 
     // We refresh both
     DFSAdmin admin = new DFSAdmin(config);
-    String[] args = new String[]{"-refresh", "localhost:" + NNPort, "shared"};
+    String[] args = new String[]{"-refresh", "localhost:" +
+        cluster.getNameNodePort(), "shared"};
     int exitCode = admin.run(args);
     assertEquals(-1, exitCode); // We get -1 because of our logic for melding non-zero return codes
 
@@ -215,7 +221,8 @@ public void testExceptionResultsInNormalError() throws Exception {
     RefreshRegistry.defaultRegistry().register("exceptional", otherExceptionalHandler);
 
     DFSAdmin admin = new DFSAdmin(config);
-    String[] args = new String[]{"-refresh", "localhost:" + NNPort, "exceptional"};
+    String[] args = new String[]{"-refresh", "localhost:" +
+        cluster.getNameNodePort(), "exceptional"};
     int exitCode = admin.run(args);
     assertEquals(-1, exitCode); // Exceptions result in a -1
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/TestRefreshCallQueue.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/TestRefreshCallQueue.java
index 9b0acbc8ca6..f66f9b6105f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/TestRefreshCallQueue.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/TestRefreshCallQueue.java
@@ -24,6 +24,8 @@
 import static org.junit.Assert.fail;
 
 import java.io.IOException;
+import java.net.BindException;
+import java.util.Random;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.LinkedBlockingQueue;
 
@@ -42,24 +44,42 @@ public class TestRefreshCallQueue {
   private FileSystem fs;
   static int mockQueueConstructions;
   static int mockQueuePuts;
-  private static final int NNPort = 54222;
-  private static String CALLQUEUE_CONFIG_KEY = "ipc." + NNPort + ".callqueue.impl";
+  private String callQueueConfigKey = "";
+  private final Random rand = new Random();
 
   @Before
   public void setUp() throws Exception {
     // We want to count additional events, so we reset here
     mockQueueConstructions = 0;
     mockQueuePuts = 0;
+    int portRetries = 5;
+    int nnPort;
 
-    config = new Configuration();
-    config.setClass(CALLQUEUE_CONFIG_KEY,
-        MockCallQueue.class, BlockingQueue.class);
-    config.set("hadoop.security.authorization", "true");
+    for (; portRetries > 0; --portRetries) {
+      // Pick a random port in the range [30000,60000).
+      nnPort = 30000 + rand.nextInt(30000);  
+      config = new Configuration();
+      callQueueConfigKey = "ipc." + nnPort + ".callqueue.impl";
+      config.setClass(callQueueConfigKey,
+          MockCallQueue.class, BlockingQueue.class);
+      config.set("hadoop.security.authorization", "true");
 
-    FileSystem.setDefaultUri(config, "hdfs://localhost:" + NNPort);
-    fs = FileSystem.get(config);
-    cluster = new MiniDFSCluster.Builder(config).nameNodePort(NNPort).build();
-    cluster.waitActive();
+      FileSystem.setDefaultUri(config, "hdfs://localhost:" + nnPort);
+      fs = FileSystem.get(config);
+      
+      try {
+        cluster = new MiniDFSCluster.Builder(config).nameNodePort(nnPort).build();
+        cluster.waitActive();
+        break;
+      } catch (BindException be) {
+        // Retry with a different port number.
+      }
+    }
+    
+    if (portRetries == 0) {
+      // Bail if we get very unlucky with our choice of ports.
+      fail("Failed to pick an ephemeral port for the NameNode RPC server.");
+    }
   }
 
   @After
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockRecovery.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockRecovery.java
index a3622a465ad..67805c08f63 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockRecovery.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockRecovery.java
@@ -590,7 +590,6 @@ public void testRaceBetweenReplicaRecoveryAndFinalizeBlock() throws Exception {
     Configuration conf = new HdfsConfiguration();
     conf.set(DFSConfigKeys.DFS_DATANODE_XCEIVER_STOP_TIMEOUT_MILLIS_KEY, "1000");
     MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf)
-        .nnTopology(MiniDFSNNTopology.simpleSingleNN(8020, 50070))
         .numDataNodes(1).build();
     try {
       cluster.waitClusterUp();

From 74059536928beafed48a6a55a3b0146256d51f90 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Wed, 30 Jul 2014 18:39:48 +0000
Subject: [PATCH 086/354] HDFS-6692. Add more HDFS encryption tests. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1614735 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   2 +
 .../namenode/EncryptionFaultInjector.java     |  22 +++
 .../hdfs/server/namenode/FSNamesystem.java    |   2 +-
 .../hadoop/hdfs/TestEncryptionZones.java      | 185 +++++++++++++++++-
 4 files changed, 208 insertions(+), 3 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionFaultInjector.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 34a86e39db7..560eb5e9ad5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -70,6 +70,8 @@ fs-encryption (Unreleased)
 
     HDFS-6730. Create a .RAW extended attribute namespace. (clamb)
 
+    HDFS-6692. Add more HDFS encryption tests. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionFaultInjector.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionFaultInjector.java
new file mode 100644
index 00000000000..2e65a892046
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionFaultInjector.java
@@ -0,0 +1,22 @@
+package org.apache.hadoop.hdfs.server.namenode;
+
+import java.io.IOException;
+
+import com.google.common.annotations.VisibleForTesting;
+
+/**
+ * Used to inject certain faults for testing.
+ */
+public class EncryptionFaultInjector {
+  @VisibleForTesting
+  public static EncryptionFaultInjector instance =
+      new EncryptionFaultInjector();
+
+  @VisibleForTesting
+  public static EncryptionFaultInjector getInstance() {
+    return instance;
+  }
+
+  @VisibleForTesting
+  public void startFileAfterGenerateKey() throws IOException {}
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 3ad238bffc1..e4c7509ea02 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -2498,7 +2498,7 @@ private HdfsFileStatus startFileInt(final String srcArg,
         // Generate EDEK if necessary while not holding the lock
         EncryptedKeyVersion edek =
             generateEncryptedDataEncryptionKey(ezKeyName);
-
+        EncryptionFaultInjector.getInstance().startFileAfterGenerateKey();
         // Try to create the file with the computed cipher suite and EDEK
         writeLock();
         try {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
index e1fb878139b..c0551f2896e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -23,6 +23,12 @@
 import java.security.PrivilegedExceptionAction;
 import java.util.Arrays;
 import java.util.List;
+import java.util.concurrent.Callable;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
 
 import com.google.common.collect.Lists;
 import org.apache.hadoop.conf.Configuration;
@@ -42,6 +48,7 @@
 import org.apache.hadoop.hdfs.client.HdfsAdmin;
 import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.LocatedBlocks;
+import org.apache.hadoop.hdfs.server.namenode.EncryptionFaultInjector;
 import org.apache.hadoop.hdfs.server.namenode.EncryptionZoneManager;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -103,6 +110,7 @@ public void teardown() {
     if (cluster != null) {
       cluster.shutdown();
     }
+    EncryptionFaultInjector.instance = new EncryptionFaultInjector();
   }
 
   public void assertNumZones(final int numZones) throws IOException {
@@ -158,7 +166,8 @@ public void testBasicOperations() throws Exception {
     int numZones = 0;
 
     /* Test failure of create EZ on a directory that doesn't exist. */
-    final Path zone1 = new Path("/zone1");
+    final Path zoneParent = new Path("/zones");
+    final Path zone1 = new Path(zoneParent, "zone1");
     try {
       dfsAdmin.createEncryptionZone(zone1, TEST_KEY);
       fail("expected /test doesn't exist");
@@ -189,6 +198,14 @@ public void testBasicOperations() throws Exception {
       assertExceptionContains("already in an encryption zone", e);
     }
 
+    /* create EZ on parent of an EZ should fail */
+    try {
+      dfsAdmin.createEncryptionZone(zoneParent, TEST_KEY);
+      fail("EZ over an EZ");
+    } catch (IOException e) {
+      assertExceptionContains("encryption zone for a non-empty directory", e);
+    }
+
     /* create EZ on a folder with a folder fails */
     final Path notEmpty = new Path("/notEmpty");
     final Path notEmptyChild = new Path(notEmpty, "child");
@@ -449,6 +466,7 @@ public void testCreateEZWithNoProvider() throws Exception {
     final Configuration clusterConf = cluster.getConfiguration(0);
     clusterConf.set(KeyProviderFactory.KEY_PROVIDER_PATH, "");
     cluster.restartNameNode(true);
+    cluster.waitActive();
     /* Test failure of create EZ on a directory that doesn't exist. */
     final Path zone1 = new Path("/zone1");
     /* Normal creation of an EZ */
@@ -462,6 +480,169 @@ public void testCreateEZWithNoProvider() throws Exception {
     clusterConf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
         JavaKeyStoreProvider.SCHEME_NAME + "://file" + testRootDir + "/test.jks"
     );
-    cluster.restartNameNode(true);
+    // Try listing EZs as well
+    List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    assertEquals("Expected no zones", 0, zones.size());
+  }
+
+  private class MyInjector extends EncryptionFaultInjector {
+    int generateCount;
+    CountDownLatch ready;
+    CountDownLatch wait;
+
+    public MyInjector() {
+      this.ready = new CountDownLatch(1);
+      this.wait = new CountDownLatch(1);
+    }
+
+    @Override
+    public void startFileAfterGenerateKey() throws IOException {
+      ready.countDown();
+      try {
+        wait.await();
+      } catch (InterruptedException e) {
+        throw new IOException(e);
+      }
+      generateCount++;
+    }
+  }
+
+  private class CreateFileTask implements Callable<Void> {
+    private FileSystemTestWrapper fsWrapper;
+    private Path name;
+
+    CreateFileTask(FileSystemTestWrapper fsWrapper, Path name) {
+      this.fsWrapper = fsWrapper;
+      this.name = name;
+    }
+
+    @Override
+    public Void call() throws Exception {
+      fsWrapper.createFile(name);
+      return null;
+    }
+  }
+
+  private class InjectFaultTask implements Callable<Void> {
+    final Path zone1 = new Path("/zone1");
+    final Path file = new Path(zone1, "file1");
+    final ExecutorService executor = Executors.newSingleThreadExecutor();
+
+    MyInjector injector;
+
+    @Override
+    public Void call() throws Exception {
+      // Set up the injector
+      injector = new MyInjector();
+      EncryptionFaultInjector.instance = injector;
+      Future<Void> future =
+          executor.submit(new CreateFileTask(fsWrapper, file));
+      injector.ready.await();
+      // Do the fault
+      doFault();
+      // Allow create to proceed
+      injector.wait.countDown();
+      future.get();
+      // Cleanup and postconditions
+      doCleanup();
+      return null;
+    }
+
+    public void doFault() throws Exception {}
+
+    public void doCleanup() throws Exception {}
+  }
+
+  /**
+   * Tests the retry logic in startFile. We release the lock while generating
+   * an EDEK, so tricky things can happen in the intervening time.
+   */
+  @Test(timeout = 120000)
+  public void testStartFileRetry() throws Exception {
+    final Path zone1 = new Path("/zone1");
+    final Path file = new Path(zone1, "file1");
+    fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
+    ExecutorService executor = Executors.newSingleThreadExecutor();
+
+    // Test when the parent directory becomes an EZ
+    executor.submit(new InjectFaultTask() {
+      @Override
+      public void doFault() throws Exception {
+        dfsAdmin.createEncryptionZone(zone1, TEST_KEY);
+      }
+      @Override
+      public void doCleanup() throws Exception {
+        assertEquals("Expected a startFile retry", 2, injector.generateCount);
+        fsWrapper.delete(file, false);
+      }
+    }).get();
+
+    // Test when the parent directory unbecomes an EZ
+    executor.submit(new InjectFaultTask() {
+      @Override
+      public void doFault() throws Exception {
+        fsWrapper.delete(zone1, true);
+      }
+      @Override
+      public void doCleanup() throws Exception {
+        assertEquals("Expected no startFile retries", 1, injector.generateCount);
+        fsWrapper.delete(file, false);
+      }
+    }).get();
+
+    // Test when the parent directory becomes a different EZ
+    fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
+    final String otherKey = "otherKey";
+    createKey(otherKey);
+    dfsAdmin.createEncryptionZone(zone1, TEST_KEY);
+
+    executor.submit(new InjectFaultTask() {
+      @Override
+      public void doFault() throws Exception {
+        fsWrapper.delete(zone1, true);
+        fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
+        dfsAdmin.createEncryptionZone(zone1, otherKey);
+      }
+      @Override
+      public void doCleanup() throws Exception {
+        assertEquals("Expected a startFile retry", 2, injector.generateCount);
+        fsWrapper.delete(zone1, true);
+      }
+    }).get();
+
+    // Test that the retry limit leads to an error
+    fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
+    final String anotherKey = "anotherKey";
+    createKey(anotherKey);
+    dfsAdmin.createEncryptionZone(zone1, anotherKey);
+    String keyToUse = otherKey;
+
+    MyInjector injector = new MyInjector();
+    EncryptionFaultInjector.instance = injector;
+    Future<?> future = executor.submit(new CreateFileTask(fsWrapper, file));
+
+    // Flip-flop between two EZs to repeatedly fail
+    for (int i=0; i<10; i++) {
+      injector.ready.await();
+      fsWrapper.delete(zone1, true);
+      fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
+      dfsAdmin.createEncryptionZone(zone1, keyToUse);
+      if (keyToUse == otherKey) {
+        keyToUse = anotherKey;
+      } else {
+        keyToUse = otherKey;
+      }
+      injector.wait.countDown();
+      injector = new MyInjector();
+      EncryptionFaultInjector.instance = injector;
+    }
+    try {
+      future.get();
+      fail("Expected exception from too many retries");
+    } catch (ExecutionException e) {
+      assertExceptionContains(
+          "Too many retries because of encryption zone operations",
+          e.getCause());
+    }
   }
 }

From ab47b666d0b6580230afda951eec60c555c4c3d4 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Wed, 30 Jul 2014 20:00:24 +0000
Subject: [PATCH 087/354] HDFS-6785. Should not be able to create encryption
 zone using path to a non-directory file. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1614755 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt | 3 +++
 .../hdfs/server/namenode/EncryptionZoneManager.java       | 5 +++++
 .../java/org/apache/hadoop/hdfs/TestEncryptionZones.java  | 8 ++++++++
 3 files changed, 16 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 560eb5e9ad5..743873ea744 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -78,3 +78,6 @@ fs-encryption (Unreleased)
 
     HDFS-6733. Creating encryption zone results in NPE when
     KeyProvider is null. (clamb)
+
+    HDFS-6785. Should not be able to create encryption zone using path
+    to a non-directory file. (clamb)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
index 7b1331d1496..a083ea3a87c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@@ -213,6 +213,11 @@ XAttr createEncryptionZone(String src, String keyName)
     }
 
     final INodesInPath srcIIP = dir.getINodesInPath4Write(src, false);
+    if (srcIIP != null &&
+        srcIIP.getLastINode() != null &&
+        !srcIIP.getLastINode().isDirectory()) {
+      throw new IOException("Attempt to create an encryption zone for a file.");
+    }
     EncryptionZoneInt ezi = getEncryptionZoneForPath(srcIIP);
     if (ezi != null) {
       throw new IOException("Directory " + src + " is already in an " +
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
index c0551f2896e..78f8d8ef3a5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -227,6 +227,14 @@ public void testBasicOperations() throws Exception {
       assertExceptionContains("create an encryption zone", e);
     }
 
+    /* Test failure of create EZ on a file. */
+    try {
+      dfsAdmin.createEncryptionZone(notEmptyChild, TEST_KEY);
+      fail("Created EZ on a file");
+    } catch (IOException e) {
+      assertExceptionContains("create an encryption zone for a file.", e);
+    }
+
     /* Test failure of creating an EZ passing a key that doesn't exist. */
     final Path zone2 = new Path("/zone2");
     fsWrapper.mkdir(zone2, FsPermission.getDirDefault(), false);

From 4996bf8257a64b876e0f3ace5597c6778db2801a Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Wed, 30 Jul 2014 22:16:40 +0000
Subject: [PATCH 088/354] HADOOP-10910. Increase findbugs maxHeap size. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614779 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt | 2 ++
 hadoop-project-dist/pom.xml                     | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 9805a01bd7b..08c16fe16c9 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -816,6 +816,8 @@ Release 2.5.0 - UNRELEASED
     HADOOP-10894. Fix dead link in ToolRunner documentation. (Akira Ajisaka
     via Arpit Agarwal)
 
+    HADOOP-10910. Increase findbugs maxHeap size. (wang)
+
   BREAKDOWN OF HADOOP-10514 SUBTASKS AND RELATED JIRAS
 
     HADOOP-10520. Extended attributes definition and FileSystem APIs for
diff --git a/hadoop-project-dist/pom.xml b/hadoop-project-dist/pom.xml
index dcb3875a12c..7b25508edbe 100644
--- a/hadoop-project-dist/pom.xml
+++ b/hadoop-project-dist/pom.xml
@@ -100,6 +100,8 @@
         <artifactId>findbugs-maven-plugin</artifactId>
         <configuration>
           <excludeFilterFile>${basedir}/dev-support/findbugsExcludeFile.xml</excludeFilterFile>
+          <fork>true</fork>
+          <maxHeap>2048</maxHeap>
         </configuration>
       </plugin>
       <plugin>

From b8b8f3f5e7214d6fcfc30e1b94ff097e52868f4f Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Thu, 31 Jul 2014 06:02:46 +0000
Subject: [PATCH 089/354] HDFS-6441. Add ability to exclude/include specific
 datanodes while balancing. (Contributed by Benoy Antony and Yu Li)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614812 13f79535-47bb-0310-9956-ffa450edef68
---
 .../org/apache/hadoop/util/StringUtils.java   |  14 +
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../hadoop/hdfs/server/balancer/Balancer.java | 151 +++++-
 .../hdfs/server/balancer/TestBalancer.java    | 469 +++++++++++++++++-
 .../balancer/TestBalancerWithHANameNodes.java |   4 +-
 .../TestBalancerWithMultipleNameNodes.java    |   4 +-
 .../balancer/TestBalancerWithNodeGroup.java   |   4 +-
 7 files changed, 609 insertions(+), 40 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/StringUtils.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/StringUtils.java
index e7f983ac668..4e2783df88d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/StringUtils.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/StringUtils.java
@@ -27,6 +27,7 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -377,6 +378,19 @@ public static String[] getTrimmedStrings(String str){
     return str.trim().split("\\s*,\\s*");
   }
 
+  /**
+   * Trims all the strings in a Collection<String> and returns a Set<String>.
+   * @param strings
+   * @return
+   */
+  public static Set<String> getTrimmedStrings(Collection<String> strings) {
+    Set<String> trimmedStrings = new HashSet<String>();
+    for (String string: strings) {
+      trimmedStrings.add(string.trim());
+    }
+    return trimmedStrings;
+  }
+
   final public static String[] emptyStringArray = {};
   final public static char COMMA = ',';
   final public static String COMMA_STR = ",";
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 61e48af5819..880e209f97e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -335,6 +335,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6570. add api that enables checking if a user has certain permissions on
     a file. (Jitendra Pandey via cnauroth)
 
+    HDFS-6441. Add ability to exclude/include specific datanodes while
+    balancing. (Benoy Antony and Yu Li via Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
index 5dbdd643cdf..1ddb3a41993 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
@@ -45,6 +45,7 @@
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
@@ -83,6 +84,7 @@
 import org.apache.hadoop.net.NetworkTopology;
 import org.apache.hadoop.net.Node;
 import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.util.HostsFileReader;
 import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.util.Time;
 import org.apache.hadoop.util.Tool;
@@ -203,12 +205,20 @@ public class Balancer {
       + "\n\t[-policy <policy>]\tthe balancing policy: "
       + BalancingPolicy.Node.INSTANCE.getName() + " or "
       + BalancingPolicy.Pool.INSTANCE.getName()
-      + "\n\t[-threshold <threshold>]\tPercentage of disk capacity";
+      + "\n\t[-threshold <threshold>]\tPercentage of disk capacity"
+      + "\n\t[-exclude [-f <hosts-file> | comma-sperated list of hosts]]"
+      + "\tExcludes the specified datanodes."
+      + "\n\t[-include [-f <hosts-file> | comma-sperated list of hosts]]"
+      + "\tIncludes only the specified datanodes.";
   
   private final NameNodeConnector nnc;
   private final BalancingPolicy policy;
   private final SaslDataTransferClient saslClient;
   private final double threshold;
+  // set of data nodes to be excluded from balancing operations.
+  Set<String> nodesToBeExcluded;
+  //Restrict balancing to the following nodes.
+  Set<String> nodesToBeIncluded;
   
   // all data node lists
   private final Collection<Source> overUtilizedDatanodes
@@ -869,6 +879,8 @@ private static void checkReplicationPolicyCompatibility(Configuration conf
   Balancer(NameNodeConnector theblockpool, Parameters p, Configuration conf) {
     this.threshold = p.threshold;
     this.policy = p.policy;
+    this.nodesToBeExcluded = p.nodesToBeExcluded;
+    this.nodesToBeIncluded = p.nodesToBeIncluded;
     this.nnc = theblockpool;
     cluster = NetworkTopology.getInstance(conf);
 
@@ -905,8 +917,13 @@ private static void checkReplicationPolicyCompatibility(Configuration conf
   private long initNodes(DatanodeInfo[] datanodes) {
     // compute average utilization
     for (DatanodeInfo datanode : datanodes) {
-      if (datanode.isDecommissioned() || datanode.isDecommissionInProgress()) {
-        continue; // ignore decommissioning or decommissioned nodes
+     // ignore decommissioning or decommissioned nodes or
+      // ignore nodes in exclude list
+      // or nodes not in the include list (if include list is not empty)
+      if (datanode.isDecommissioned() || datanode.isDecommissionInProgress() ||
+          Util.shouldBeExcluded(nodesToBeExcluded, datanode) ||
+          !Util.shouldBeIncluded(nodesToBeIncluded, datanode)) {
+        continue;
       }
       policy.accumulateSpaces(datanode);
     }
@@ -919,8 +936,16 @@ private long initNodes(DatanodeInfo[] datanodes) {
      */  
     long overLoadedBytes = 0L, underLoadedBytes = 0L;
     for (DatanodeInfo datanode : DFSUtil.shuffle(datanodes)) {
-      if (datanode.isDecommissioned() || datanode.isDecommissionInProgress()) {
-        continue; // ignore decommissioning or decommissioned nodes
+      // ignore decommissioning or decommissioned nodes or
+      // ignore nodes in exclude list
+      // or nodes not in the include list (if include list is not empty)
+      if (datanode.isDecommissioned() || datanode.isDecommissionInProgress() ||
+          Util.shouldBeExcluded(nodesToBeExcluded, datanode) ||
+          !Util.shouldBeIncluded(nodesToBeIncluded, datanode)) {
+        if (LOG.isTraceEnabled()) {
+          LOG.trace("Excluding datanode " + datanode);
+        }
+        continue;
       }
       cluster.add(datanode);
       BalancerDatanode datanodeS;
@@ -1526,21 +1551,101 @@ private static String time2Str(long elapsedTime) {
   }
 
   static class Parameters {
-    static final Parameters DEFALUT = new Parameters(
-        BalancingPolicy.Node.INSTANCE, 10.0);
+    static final Parameters DEFAULT = new Parameters(
+        BalancingPolicy.Node.INSTANCE, 10.0,
+        Collections.<String> emptySet(), Collections.<String> emptySet());
 
     final BalancingPolicy policy;
     final double threshold;
+    // exclude the nodes in this set from balancing operations
+    Set<String> nodesToBeExcluded;
+    //include only these nodes in balancing operations
+    Set<String> nodesToBeIncluded;
 
-    Parameters(BalancingPolicy policy, double threshold) {
+    Parameters(BalancingPolicy policy, double threshold,
+        Set<String> nodesToBeExcluded, Set<String> nodesToBeIncluded) {
       this.policy = policy;
       this.threshold = threshold;
+      this.nodesToBeExcluded = nodesToBeExcluded;
+      this.nodesToBeIncluded = nodesToBeIncluded;
     }
 
     @Override
     public String toString() {
       return Balancer.class.getSimpleName() + "." + getClass().getSimpleName()
-          + "[" + policy + ", threshold=" + threshold + "]";
+          + "[" + policy + ", threshold=" + threshold +
+          ", number of nodes to be excluded = "+ nodesToBeExcluded.size() +
+          ", number of nodes to be included = "+ nodesToBeIncluded.size() +"]";
+    }
+  }
+
+  static class Util {
+
+    /**
+     * @param datanode
+     * @return returns true if data node is part of the excludedNodes.
+     */
+    static boolean shouldBeExcluded(Set<String> excludedNodes, DatanodeInfo datanode) {
+      return isIn(excludedNodes, datanode);
+    }
+
+    /**
+     * @param datanode
+     * @return returns true if includedNodes is empty or data node is part of the includedNodes.
+     */
+    static boolean shouldBeIncluded(Set<String> includedNodes, DatanodeInfo datanode) {
+      return (includedNodes.isEmpty() ||
+          isIn(includedNodes, datanode));
+    }
+    /**
+     * Match is checked using host name , ip address with and without port number.
+     * @param datanodeSet
+     * @param datanode
+     * @return true if the datanode's transfer address matches the set of nodes.
+     */
+    private static boolean isIn(Set<String> datanodeSet, DatanodeInfo datanode) {
+      return isIn(datanodeSet, datanode.getPeerHostName(), datanode.getXferPort()) ||
+          isIn(datanodeSet, datanode.getIpAddr(), datanode.getXferPort()) ||
+          isIn(datanodeSet, datanode.getHostName(), datanode.getXferPort());
+    }
+
+    /**
+     * returns true if nodes contains host or host:port
+     * @param nodes
+     * @param host
+     * @param port
+     * @return
+     */
+    private static boolean isIn(Set<String> nodes, String host, int port) {
+      if (host == null) {
+        return false;
+      }
+      return (nodes.contains(host) || nodes.contains(host +":"+ port));
+    }
+
+    /**
+     * parse a comma separated string to obtain set of host names
+     * @param string
+     * @return
+     */
+    static Set<String> parseHostList(String string) {
+      String[] addrs = StringUtils.getTrimmedStrings(string);
+      return new HashSet<String>(Arrays.asList(addrs));
+    }
+
+    /**
+     * read set of host names from a file
+     * @param fileName
+     * @return
+     */
+    static Set<String> getHostListFromFile(String fileName) {
+      Set<String> nodes = new HashSet <String> ();
+      try {
+        HostsFileReader.readFileToSet("nodes", fileName, nodes);
+        return StringUtils.getTrimmedStrings(nodes);
+      } catch (IOException e) {
+        throw new IllegalArgumentException("Unable to open file: " + fileName);
+      }
     }
   }
 
@@ -1578,8 +1683,10 @@ public int run(String[] args) {
 
     /** parse command line arguments */
     static Parameters parse(String[] args) {
-      BalancingPolicy policy = Parameters.DEFALUT.policy;
-      double threshold = Parameters.DEFALUT.threshold;
+      BalancingPolicy policy = Parameters.DEFAULT.policy;
+      double threshold = Parameters.DEFAULT.threshold;
+      Set<String> nodesTobeExcluded = Parameters.DEFAULT.nodesToBeExcluded;
+      Set<String> nodesTobeIncluded = Parameters.DEFAULT.nodesToBeIncluded;
 
       if (args != null) {
         try {
@@ -1608,18 +1715,38 @@ static Parameters parse(String[] args) {
                 System.err.println("Illegal policy name: " + args[i]);
                 throw e;
               }
+            } else if ("-exclude".equalsIgnoreCase(args[i])) {
+              i++;
+              if ("-f".equalsIgnoreCase(args[i])) {
+                nodesTobeExcluded = Util.getHostListFromFile(args[++i]);
+              } else {
+                nodesTobeExcluded = Util.parseHostList(args[i]);
+              }
+            } else if ("-include".equalsIgnoreCase(args[i])) {
+              i++;
+              if ("-f".equalsIgnoreCase(args[i])) {
+                nodesTobeIncluded = Util.getHostListFromFile(args[++i]);
+               } else {
+                nodesTobeIncluded = Util.parseHostList(args[i]);
+              }
             } else {
               throw new IllegalArgumentException("args = "
                   + Arrays.toString(args));
             }
           }
+          if (!nodesTobeExcluded.isEmpty() && !nodesTobeIncluded.isEmpty()) {
+            System.err.println(
+                "-exclude and -include options cannot be specified together.");
+            throw new IllegalArgumentException(
+                "-exclude and -include options cannot be specified together.");
+          }
         } catch(RuntimeException e) {
           printUsage(System.err);
           throw e;
         }
       }
       
-      return new Parameters(policy, threshold);
+      return new Parameters(policy, threshold, nodesTobeExcluded, nodesTobeIncluded);
     }
 
     private static void printUsage(PrintStream out) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
index fe774aaac9f..e9c86dfe3f0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
@@ -18,17 +18,23 @@
 package org.apache.hadoop.hdfs.server.balancer;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
+import java.io.File;
 import java.io.IOException;
+import java.io.PrintWriter;
 import java.net.URI;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Random;
+import java.util.Set;
 import java.util.concurrent.TimeoutException;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.commons.logging.impl.Log4JLogger;
@@ -48,6 +54,8 @@
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
 import org.apache.hadoop.hdfs.protocol.LocatedBlock;
 import org.apache.hadoop.hdfs.server.balancer.Balancer.Cli;
+import org.apache.hadoop.hdfs.server.balancer.Balancer.Parameters;
+import org.apache.hadoop.hdfs.server.datanode.DataNode;
 import org.apache.hadoop.hdfs.server.datanode.SimulatedFSDataset;
 import org.apache.hadoop.util.Time;
 import org.apache.hadoop.util.Tool;
@@ -255,6 +263,18 @@ static void waitForHeartBeat(long expectedUsedSpace,
       }
     }
   }
+
+  /**
+   * Wait until balanced: each datanode gives utilization within
+   * BALANCE_ALLOWED_VARIANCE of average
+   * @throws IOException
+   * @throws TimeoutException
+   */
+  static void waitForBalancer(long totalUsedSpace, long totalCapacity,
+      ClientProtocol client, MiniDFSCluster cluster, Balancer.Parameters p)
+  throws IOException, TimeoutException {
+    waitForBalancer(totalUsedSpace, totalCapacity, client, cluster, p, 0);
+  }
   
   /**
    * Wait until balanced: each datanode gives utilization within 
@@ -263,11 +283,17 @@ static void waitForHeartBeat(long expectedUsedSpace,
    * @throws TimeoutException
    */
   static void waitForBalancer(long totalUsedSpace, long totalCapacity,
-      ClientProtocol client, MiniDFSCluster cluster)
-  throws IOException, TimeoutException {
+      ClientProtocol client, MiniDFSCluster cluster, Balancer.Parameters p,
+      int expectedExcludedNodes) throws IOException, TimeoutException {
     long timeout = TIMEOUT;
     long failtime = (timeout <= 0L) ? Long.MAX_VALUE
         : Time.now() + timeout;
+    if (!p.nodesToBeIncluded.isEmpty()) {
+      totalCapacity = p.nodesToBeIncluded.size() * CAPACITY;
+    }
+    if (!p.nodesToBeExcluded.isEmpty()) {
+        totalCapacity -= p.nodesToBeExcluded.size() * CAPACITY;
+    }
     final double avgUtilization = ((double)totalUsedSpace) / totalCapacity;
     boolean balanced;
     do {
@@ -275,9 +301,20 @@ static void waitForBalancer(long totalUsedSpace, long totalCapacity,
           client.getDatanodeReport(DatanodeReportType.ALL);
       assertEquals(datanodeReport.length, cluster.getDataNodes().size());
       balanced = true;
+      int actualExcludedNodeCount = 0;
       for (DatanodeInfo datanode : datanodeReport) {
         double nodeUtilization = ((double)datanode.getDfsUsed())
             / datanode.getCapacity();
+        if (Balancer.Util.shouldBeExcluded(p.nodesToBeExcluded, datanode)) {
+          assertTrue(nodeUtilization == 0);
+          actualExcludedNodeCount++;
+          continue;
+        }
+        if (!Balancer.Util.shouldBeIncluded(p.nodesToBeIncluded, datanode)) {
+          assertTrue(nodeUtilization == 0);
+          actualExcludedNodeCount++;
+          continue;
+        }
         if (Math.abs(avgUtilization - nodeUtilization) > BALANCE_ALLOWED_VARIANCE) {
           balanced = false;
           if (Time.now() > failtime) {
@@ -294,6 +331,7 @@ static void waitForBalancer(long totalUsedSpace, long totalCapacity,
           break;
         }
       }
+      assertEquals(expectedExcludedNodes,actualExcludedNodeCount);
     } while (!balanced);
   }
 
@@ -307,22 +345,118 @@ String long2String(long[] array) {
     }
     return b.append("]").toString();
   }
-  /** This test start a cluster with specified number of nodes, 
+  /**
+   * Class which contains information about the
+   * new nodes to be added to the cluster for balancing.
+   */
+  static abstract class NewNodeInfo {
+
+    Set<String> nodesToBeExcluded = new HashSet<String>();
+    Set<String> nodesToBeIncluded = new HashSet<String>();
+
+     abstract String[] getNames();
+     abstract int getNumberofNewNodes();
+     abstract int getNumberofIncludeNodes();
+     abstract int getNumberofExcludeNodes();
+
+     public Set<String> getNodesToBeIncluded() {
+       return nodesToBeIncluded;
+     }
+     public Set<String> getNodesToBeExcluded() {
+       return nodesToBeExcluded;
+     }
+  }
+
+  /**
+   * The host names of new nodes are specified
+   */
+  static class HostNameBasedNodes extends NewNodeInfo {
+    String[] hostnames;
+
+    public HostNameBasedNodes(String[] hostnames,
+        Set<String> nodesToBeExcluded, Set<String> nodesToBeIncluded) {
+      this.hostnames = hostnames;
+      this.nodesToBeExcluded = nodesToBeExcluded;
+      this.nodesToBeIncluded = nodesToBeIncluded;
+    }
+
+    @Override
+    String[] getNames() {
+      return hostnames;
+    }
+    @Override
+    int getNumberofNewNodes() {
+      return hostnames.length;
+    }
+    @Override
+    int getNumberofIncludeNodes() {
+      return nodesToBeIncluded.size();
+    }
+    @Override
+    int getNumberofExcludeNodes() {
+      return nodesToBeExcluded.size();
+    }
+  }
+
+  /**
+   * The number of data nodes to be started are specified.
+   * The data nodes will have same host name, but different port numbers.
+   *
+   */
+  static class PortNumberBasedNodes extends NewNodeInfo {
+    int newNodes;
+    int excludeNodes;
+    int includeNodes;
+
+    public PortNumberBasedNodes(int newNodes, int excludeNodes, int includeNodes) {
+      this.newNodes = newNodes;
+      this.excludeNodes = excludeNodes;
+      this.includeNodes = includeNodes;
+    }
+
+    @Override
+    String[] getNames() {
+      return null;
+    }
+    @Override
+    int getNumberofNewNodes() {
+      return newNodes;
+    }
+    @Override
+    int getNumberofIncludeNodes() {
+      return includeNodes;
+    }
+    @Override
+    int getNumberofExcludeNodes() {
+      return excludeNodes;
+    }
+  }
+
+  private void doTest(Configuration conf, long[] capacities, String[] racks,
+      long newCapacity, String newRack, boolean useTool) throws Exception {
+    doTest(conf, capacities, racks, newCapacity, newRack, null, useTool, false);
+  }
+
+  /** This test start a cluster with specified number of nodes,
    * and fills it to be 30% full (with a single file replicated identically
    * to all datanodes);
    * It then adds one new empty node and starts balancing.
-   * 
+   *
    * @param conf - configuration
    * @param capacities - array of capacities of original nodes in cluster
    * @param racks - array of racks for original nodes in cluster
    * @param newCapacity - new node's capacity
    * @param newRack - new node's rack
+   * @param nodes - information about new nodes to be started.
    * @param useTool - if true run test via Cli with command-line argument 
    *   parsing, etc.   Otherwise invoke balancer API directly.
+   * @param useFile - if true, the hosts to included or excluded will be stored in a
+   *   file and then later read from the file.
    * @throws Exception
    */
-  private void doTest(Configuration conf, long[] capacities, String[] racks, 
-      long newCapacity, String newRack, boolean useTool) throws Exception {
+  private void doTest(Configuration conf, long[] capacities,
+      String[] racks, long newCapacity, String newRack, NewNodeInfo nodes,
+      boolean useTool, boolean useFile) throws Exception {
     LOG.info("capacities = " +  long2String(capacities)); 
     LOG.info("racks      = " +  Arrays.asList(racks)); 
     LOG.info("newCapacity= " +  newCapacity); 
@@ -346,17 +480,75 @@ private void doTest(Configuration conf, long[] capacities, String[] racks,
       long totalUsedSpace = totalCapacity*3/10;
       createFile(cluster, filePath, totalUsedSpace / numOfDatanodes,
           (short) numOfDatanodes, 0);
-      // start up an empty node with the same capacity and on the same rack
-      cluster.startDataNodes(conf, 1, true, null,
-          new String[]{newRack}, new long[]{newCapacity});
 
-      totalCapacity += newCapacity;
+      if (nodes == null) { // there is no specification of new nodes.
+        // start up an empty node with the same capacity and on the same rack
+        cluster.startDataNodes(conf, 1, true, null,
+            new String[]{newRack}, null,new long[]{newCapacity});
+        totalCapacity += newCapacity;
+      } else {
+        //if running a test with "include list", include original nodes as well
+        if (nodes.getNumberofIncludeNodes()>0) {
+          for (DataNode dn: cluster.getDataNodes())
+            nodes.getNodesToBeIncluded().add(dn.getDatanodeId().getHostName());
+        }
+        String[] newRacks = new String[nodes.getNumberofNewNodes()];
+        long[] newCapacities = new long[nodes.getNumberofNewNodes()];
+        for (int i=0; i < nodes.getNumberofNewNodes(); i++) {
+          newRacks[i] = newRack;
+          newCapacities[i] = newCapacity;
+        }
+        // if host names are specified for the new nodes to be created.
+        if (nodes.getNames() != null) {
+          cluster.startDataNodes(conf, nodes.getNumberofNewNodes(), true, null,
+              newRacks, nodes.getNames(), newCapacities);
+          totalCapacity += newCapacity*nodes.getNumberofNewNodes();
+        } else {  // host names are not specified
+          cluster.startDataNodes(conf, nodes.getNumberofNewNodes(), true, null,
+              newRacks, null, newCapacities);
+          totalCapacity += newCapacity*nodes.getNumberofNewNodes();
+          //populate the include nodes
+          if (nodes.getNumberofIncludeNodes() > 0) {
+            int totalNodes = cluster.getDataNodes().size();
+            for (int i=0; i < nodes.getNumberofIncludeNodes(); i++) {
+              nodes.getNodesToBeIncluded().add (cluster.getDataNodes().get(
+                  totalNodes-1-i).getDatanodeId().getXferAddr());
+            }
+          }
+          //polulate the exclude nodes
+          if (nodes.getNumberofExcludeNodes() > 0) {
+            int totalNodes = cluster.getDataNodes().size();
+            for (int i=0; i < nodes.getNumberofExcludeNodes(); i++) {
+              nodes.getNodesToBeExcluded().add (cluster.getDataNodes().get(
+                  totalNodes-1-i).getDatanodeId().getXferAddr());
+            }
+          }
+        }
+      }
+      // run balancer and validate results
+      Balancer.Parameters p = Balancer.Parameters.DEFAULT;
+      if (nodes != null) {
+        p = new Balancer.Parameters(
+            Balancer.Parameters.DEFAULT.policy,
+            Balancer.Parameters.DEFAULT.threshold,
+            nodes.getNodesToBeExcluded(), nodes.getNodesToBeIncluded());
+      }
+
+      int expectedExcludedNodes = 0;
+      if (nodes != null) {
+        if (!nodes.getNodesToBeExcluded().isEmpty()) {
+          expectedExcludedNodes = nodes.getNodesToBeExcluded().size();
+        } else if (!nodes.getNodesToBeIncluded().isEmpty()) {
+          expectedExcludedNodes =
+              cluster.getDataNodes().size() - nodes.getNodesToBeIncluded().size();
+        }
+      }
 
       // run balancer and validate results
       if (useTool) {
-        runBalancerCli(conf, totalUsedSpace, totalCapacity);
+        runBalancerCli(conf, totalUsedSpace, totalCapacity, p, useFile, expectedExcludedNodes);
       } else {
-        runBalancer(conf, totalUsedSpace, totalCapacity);
+        runBalancer(conf, totalUsedSpace, totalCapacity, p, expectedExcludedNodes);
       }
     } finally {
       cluster.shutdown();
@@ -365,11 +557,17 @@ private void doTest(Configuration conf, long[] capacities, String[] racks,
 
   private void runBalancer(Configuration conf,
       long totalUsedSpace, long totalCapacity) throws Exception {
+    runBalancer(conf, totalUsedSpace, totalCapacity, Balancer.Parameters.DEFAULT, 0);
+  }
+
+  private void runBalancer(Configuration conf,
+     long totalUsedSpace, long totalCapacity, Balancer.Parameters p,
+     int excludedNodes) throws Exception {
     waitForHeartBeat(totalUsedSpace, totalCapacity, client, cluster);
 
     // start rebalancing
     Collection<URI> namenodes = DFSUtil.getNsServiceRpcUris(conf);
-    final int r = Balancer.run(namenodes, Balancer.Parameters.DEFALUT, conf);
+    final int r = Balancer.run(namenodes, p, conf);
     if (conf.getInt(DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_KEY, 
         DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_DEFAULT) ==0) {
       assertEquals(Balancer.ReturnStatus.NO_MOVE_PROGRESS.code, r);
@@ -379,22 +577,66 @@ private void runBalancer(Configuration conf,
     }
     waitForHeartBeat(totalUsedSpace, totalCapacity, client, cluster);
     LOG.info("Rebalancing with default ctor.");
-    waitForBalancer(totalUsedSpace, totalCapacity, client, cluster);
+    waitForBalancer(totalUsedSpace, totalCapacity, client, cluster, p, excludedNodes);
   }
-  
-  private void runBalancerCli(Configuration conf,
-      long totalUsedSpace, long totalCapacity) throws Exception {
-    waitForHeartBeat(totalUsedSpace, totalCapacity, client, cluster);
 
-    final String[] args = { "-policy", "datanode" };
+  private void runBalancerCli(Configuration conf,
+      long totalUsedSpace, long totalCapacity,
+      Balancer.Parameters p, boolean useFile, int expectedExcludedNodes) throws Exception {
+    waitForHeartBeat(totalUsedSpace, totalCapacity, client, cluster);
+    List <String> args = new ArrayList<String>();
+    args.add("-policy");
+    args.add("datanode");
+
+    File excludeHostsFile = null;
+    if (!p.nodesToBeExcluded.isEmpty()) {
+      args.add("-exclude");
+      if (useFile) {
+        excludeHostsFile = new File ("exclude-hosts-file");
+        PrintWriter pw = new PrintWriter(excludeHostsFile);
+        for (String host: p.nodesToBeExcluded) {
+          pw.write( host + "\n");
+        }
+        pw.close();
+        args.add("-f");
+        args.add("exclude-hosts-file");
+      } else {
+        args.add(StringUtils.join(p.nodesToBeExcluded, ','));
+      }
+    }
+
+    File includeHostsFile = null;
+    if (!p.nodesToBeIncluded.isEmpty()) {
+      args.add("-include");
+      if (useFile) {
+        includeHostsFile = new File ("include-hosts-file");
+        PrintWriter pw = new PrintWriter(includeHostsFile);
+        for (String host: p.nodesToBeIncluded){
+          pw.write( host + "\n");
+        }
+        pw.close();
+        args.add("-f");
+        args.add("include-hosts-file");
+      } else {
+        args.add(StringUtils.join(p.nodesToBeIncluded, ','));
+      }
+    }
+
     final Tool tool = new Cli();    
     tool.setConf(conf);
-    final int r = tool.run(args); // start rebalancing
+    final int r = tool.run(args.toArray(new String[0])); // start rebalancing
     
     assertEquals("Tools should exit 0 on success", 0, r);
     waitForHeartBeat(totalUsedSpace, totalCapacity, client, cluster);
     LOG.info("Rebalancing with default ctor.");
-    waitForBalancer(totalUsedSpace, totalCapacity, client, cluster);
+    waitForBalancer(totalUsedSpace, totalCapacity, client, cluster, p, expectedExcludedNodes);
+
+    if (excludeHostsFile != null && excludeHostsFile.exists()) {
+      excludeHostsFile.delete();
+    }
+    if (includeHostsFile != null && includeHostsFile.exists()) {
+      includeHostsFile.delete();
+    }
   }
   
   /** one-node cluster test*/
@@ -440,7 +682,7 @@ public void testBalancerCliParseWithThresholdOutOfBoundaries() {
     }
   }
   
-  /** Test a cluster with even distribution, 
+  /** Test a cluster with even distribution,
    * then a new empty node is added to the cluster*/
   @Test(timeout=100000)
   public void testBalancer0() throws Exception {
@@ -554,7 +796,13 @@ public void testBalancerCliParseWithWrongParams() {
     } catch (IllegalArgumentException e) {
 
     }
+    parameters = new String[] {"-include",  "testnode1", "-exclude", "testnode2"};
+    try {
+      Balancer.Cli.parse(parameters);
+      fail("IllegalArgumentException is expected when both -exclude and -include are specified");
+    } catch (IllegalArgumentException e) {
 
+    }
   }
 
   /**
@@ -569,6 +817,183 @@ public void testExitZeroOnSuccess() throws Exception {
     oneNodeTest(conf, true);
   }
   
+  /**
+   * Test a cluster with even distribution,
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the exclude list
+   */
+  @Test(timeout=100000)
+  public void testBalancerWithExcludeList() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    Set<String> excludeHosts = new HashSet<String>();
+    excludeHosts.add( "datanodeY");
+    excludeHosts.add( "datanodeZ");
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1}, CAPACITY, RACK2,
+        new HostNameBasedNodes(new String[] {"datanodeX", "datanodeY", "datanodeZ"},
+        excludeHosts, Parameters.DEFAULT.nodesToBeIncluded), false, false);
+  }
+
+  /**
+   * Test a cluster with even distribution,
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the exclude list
+   */
+  @Test(timeout=100000)
+  public void testBalancerWithExcludeListWithPorts() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1},
+        CAPACITY, RACK2, new PortNumberBasedNodes(3, 2, 0), false, false);
+  }
+
+  /**
+   * Test a cluster with even distribution,
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the exclude list
+   */
+  @Test(timeout=100000)
+  public void testBalancerCliWithExcludeList() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    Set<String> excludeHosts = new HashSet<String>();
+    excludeHosts.add( "datanodeY");
+    excludeHosts.add( "datanodeZ");
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1}, CAPACITY, RACK2,
+      new HostNameBasedNodes(new String[] {"datanodeX", "datanodeY", "datanodeZ"}, excludeHosts,
+      Parameters.DEFAULT.nodesToBeIncluded), true, false);
+  }
+
+  /**
+   * Test a cluster with even distribution,
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the exclude list
+   */
+  @Test(timeout=100000)
+  public void testBalancerCliWithExcludeListWithPorts() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1},
+        CAPACITY, RACK2, new PortNumberBasedNodes(3, 2, 0), true, false);
+  }
+
+  /**
+   * Test a cluster with even distribution,
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the exclude list in a file
+   */
+  @Test(timeout=100000)
+  public void testBalancerCliWithExcludeListInAFile() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    Set<String> excludeHosts = new HashSet<String>();
+    excludeHosts.add( "datanodeY");
+    excludeHosts.add( "datanodeZ");
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1}, CAPACITY, RACK2,
+        new HostNameBasedNodes(new String[] {"datanodeX", "datanodeY", "datanodeZ"},
+        excludeHosts, Parameters.DEFAULT.nodesToBeIncluded), true, true);
+  }
+
+  /**
+   * Test a cluster with even distribution,G
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the exclude list
+   */
+  @Test(timeout=100000)
+  public void testBalancerCliWithExcludeListWithPortsInAFile() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1},
+        CAPACITY, RACK2, new PortNumberBasedNodes(3, 2, 0), true, true);
+  }
+
+  /**
+   * Test a cluster with even distribution,
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the include list
+   */
+  @Test(timeout=100000)
+  public void testBalancerWithIncludeList() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    Set<String> includeHosts = new HashSet<String>();
+    includeHosts.add( "datanodeY");
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1}, CAPACITY, RACK2,
+        new HostNameBasedNodes(new String[] {"datanodeX", "datanodeY", "datanodeZ"},
+        Parameters.DEFAULT.nodesToBeExcluded, includeHosts), false, false);
+  }
+
+  /**
+   * Test a cluster with even distribution,
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the include list
+   */
+  @Test(timeout=100000)
+  public void testBalancerWithIncludeListWithPorts() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1},
+        CAPACITY, RACK2, new PortNumberBasedNodes(3, 0, 1), false, false);
+  }
+
+  /**
+   * Test a cluster with even distribution,
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the include list
+   */
+  @Test(timeout=100000)
+  public void testBalancerCliWithIncludeList() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    Set<String> includeHosts = new HashSet<String>();
+    includeHosts.add( "datanodeY");
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1}, CAPACITY, RACK2,
+        new HostNameBasedNodes(new String[] {"datanodeX", "datanodeY", "datanodeZ"},
+        Parameters.DEFAULT.nodesToBeExcluded, includeHosts), true, false);
+  }
+
+  /**
+   * Test a cluster with even distribution,
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the include list
+   */
+  @Test(timeout=100000)
+  public void testBalancerCliWithIncludeListWithPorts() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1},
+        CAPACITY, RACK2, new PortNumberBasedNodes(3, 0, 1), true, false);
+  }
+
+  /**
+   * Test a cluster with even distribution,
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the include list
+   */
+  @Test(timeout=100000)
+  public void testBalancerCliWithIncludeListInAFile() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    Set<String> includeHosts = new HashSet<String>();
+    includeHosts.add( "datanodeY");
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1}, CAPACITY, RACK2,
+        new HostNameBasedNodes(new String[] {"datanodeX", "datanodeY", "datanodeZ"},
+        Parameters.DEFAULT.nodesToBeExcluded, includeHosts), true, true);
+  }
+
+  /**
+   * Test a cluster with even distribution,
+   * then three nodes are added to the cluster,
+   * runs balancer with two of the nodes in the include list
+   */
+  @Test(timeout=100000)
+  public void testBalancerCliWithIncludeListWithPortsInAFile() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    doTest(conf, new long[]{CAPACITY, CAPACITY}, new String[]{RACK0, RACK1},
+        CAPACITY, RACK2, new PortNumberBasedNodes(3, 0, 1), true, true);
+  }
+
   /**
    * @param args
    */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java
index 1a309910eb9..9652f8636a0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java
@@ -97,10 +97,10 @@ public void testBalancerWithHANameNodes() throws Exception {
       Collection<URI> namenodes = DFSUtil.getNsServiceRpcUris(conf);
       assertEquals(1, namenodes.size());
       assertTrue(namenodes.contains(HATestUtil.getLogicalUri(cluster)));
-      final int r = Balancer.run(namenodes, Balancer.Parameters.DEFALUT, conf);
+      final int r = Balancer.run(namenodes, Balancer.Parameters.DEFAULT, conf);
       assertEquals(Balancer.ReturnStatus.SUCCESS.code, r);
       TestBalancer.waitForBalancer(totalUsedSpace, totalCapacity, client,
-          cluster);
+          cluster, Balancer.Parameters.DEFAULT);
     } finally {
       cluster.shutdown();
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java
index f5848041bcf..1a7ddd331b1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java
@@ -159,7 +159,7 @@ static void runBalancer(Suite s,
 
     // start rebalancing
     final Collection<URI> namenodes = DFSUtil.getNsServiceRpcUris(s.conf);
-    final int r = Balancer.run(namenodes, Balancer.Parameters.DEFALUT, s.conf);
+    final int r = Balancer.run(namenodes, Balancer.Parameters.DEFAULT, s.conf);
     Assert.assertEquals(Balancer.ReturnStatus.SUCCESS.code, r);
 
     LOG.info("BALANCER 2");
@@ -195,7 +195,7 @@ static void runBalancer(Suite s,
       balanced = true;
       for(int d = 0; d < used.length; d++) {
         final double p = used[d]*100.0/cap[d];
-        balanced = p <= avg + Balancer.Parameters.DEFALUT.threshold;
+        balanced = p <= avg + Balancer.Parameters.DEFAULT.threshold;
         if (!balanced) {
           if (i % 100 == 0) {
             LOG.warn("datanodes " + d + " is not yet balanced: "
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java
index 667204c0c9b..153ced3a243 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java
@@ -175,7 +175,7 @@ private void runBalancer(Configuration conf,
 
     // start rebalancing
     Collection<URI> namenodes = DFSUtil.getNsServiceRpcUris(conf);
-    final int r = Balancer.run(namenodes, Balancer.Parameters.DEFALUT, conf);
+    final int r = Balancer.run(namenodes, Balancer.Parameters.DEFAULT, conf);
     assertEquals(Balancer.ReturnStatus.SUCCESS.code, r);
 
     waitForHeartBeat(totalUsedSpace, totalCapacity);
@@ -189,7 +189,7 @@ private void runBalancerCanFinish(Configuration conf,
 
     // start rebalancing
     Collection<URI> namenodes = DFSUtil.getNsServiceRpcUris(conf);
-    final int r = Balancer.run(namenodes, Balancer.Parameters.DEFALUT, conf);
+    final int r = Balancer.run(namenodes, Balancer.Parameters.DEFAULT, conf);
     Assert.assertTrue(r == Balancer.ReturnStatus.SUCCESS.code ||
         (r == Balancer.ReturnStatus.NO_MOVE_PROGRESS.code));
     waitForHeartBeat(totalUsedSpace, totalCapacity);

From 1d6e178144e9e3915ceea92d8c5de8b14cd02714 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Thu, 31 Jul 2014 09:27:43 +0000
Subject: [PATCH 090/354] YARN-2347. Consolidated RMStateVersion and
 NMDBSchemaVersion into Version in yarn-server-common. Contributed by Junping
 Du.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614838 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/hadoop/mapred/ShuffleHandler.java  | 28 +++----
 .../hadoop/mapred/TestShuffleHandler.java     |  8 +-
 hadoop-yarn-project/CHANGES.txt               |  3 +
 ...erver_resourcemanager_service_protos.proto |  5 --
 .../hadoop/yarn/server/records/Version.java}  | 24 +++---
 .../records/impl/pb/VersionPBImpl.java}       | 29 +++----
 .../proto/yarn_server_common_protos.proto     |  8 +-
 .../recovery/NMLeveldbStateStoreService.java  | 28 +++----
 .../impl/pb/NMDBSchemaVersionPBImpl.java      | 81 -------------------
 .../yarn_server_nodemanager_recovery.proto    |  5 --
 .../TestNMLeveldbStateStoreService.java       | 12 +--
 .../recovery/FileSystemRMStateStore.java      | 18 ++---
 .../recovery/MemoryRMStateStore.java          |  6 +-
 .../recovery/NullRMStateStore.java            |  6 +-
 .../recovery/RMStateStore.java                | 10 +--
 .../recovery/ZKRMStateStore.java              | 18 ++---
 .../recovery/records/RMStateVersion.java      | 80 ------------------
 .../recovery/RMStateStoreTestBase.java        | 16 ++--
 .../recovery/TestFSRMStateStore.java          | 12 +--
 .../recovery/TestZKRMStateStore.java          | 12 +--
 20 files changed, 126 insertions(+), 283 deletions(-)
 rename hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/{hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/records/NMDBSchemaVersion.java => hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/records/Version.java} (74%)
 rename hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/{hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/RMStateVersionPBImpl.java => hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/records/impl/pb/VersionPBImpl.java} (62%)
 delete mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/records/impl/pb/NMDBSchemaVersionPBImpl.java
 delete mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/RMStateVersion.java

diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-shuffle/src/main/java/org/apache/hadoop/mapred/ShuffleHandler.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-shuffle/src/main/java/org/apache/hadoop/mapred/ShuffleHandler.java
index 1d781be1451..33220c6cbdb 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-shuffle/src/main/java/org/apache/hadoop/mapred/ShuffleHandler.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-shuffle/src/main/java/org/apache/hadoop/mapred/ShuffleHandler.java
@@ -82,13 +82,13 @@
 import org.apache.hadoop.util.Shell;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
-import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.NMDBSchemaVersionProto;
+import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.VersionProto;
 import org.apache.hadoop.yarn.server.api.ApplicationInitializationContext;
 import org.apache.hadoop.yarn.server.api.ApplicationTerminationContext;
 import org.apache.hadoop.yarn.server.api.AuxiliaryService;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.ContainerLocalizer;
-import org.apache.hadoop.yarn.server.nodemanager.recovery.records.NMDBSchemaVersion;
-import org.apache.hadoop.yarn.server.nodemanager.recovery.records.impl.pb.NMDBSchemaVersionPBImpl;
+import org.apache.hadoop.yarn.server.records.Version;
+import org.apache.hadoop.yarn.server.records.impl.pb.VersionPBImpl;
 import org.apache.hadoop.yarn.server.utils.LeveldbIterator;
 import org.apache.hadoop.yarn.util.ConverterUtils;
 import org.fusesource.leveldbjni.JniDBFactory;
@@ -151,8 +151,8 @@ public class ShuffleHandler extends AuxiliaryService {
 
   private static final String STATE_DB_NAME = "mapreduce_shuffle_state";
   private static final String STATE_DB_SCHEMA_VERSION_KEY = "shuffle-schema-version";
-  protected static final NMDBSchemaVersion CURRENT_VERSION_INFO = 
-      NMDBSchemaVersion.newInstance(1, 0);
+  protected static final Version CURRENT_VERSION_INFO = 
+      Version.newInstance(1, 0);
 
   private int port;
   private ChannelFactory selector;
@@ -491,21 +491,21 @@ private void startStore(Path recoveryRoot) throws IOException {
   }
   
   @VisibleForTesting
-  NMDBSchemaVersion loadVersion() throws IOException {
+  Version loadVersion() throws IOException {
     byte[] data = stateDb.get(bytes(STATE_DB_SCHEMA_VERSION_KEY));
     // if version is not stored previously, treat it as 1.0.
     if (data == null || data.length == 0) {
-      return NMDBSchemaVersion.newInstance(1, 0);
+      return Version.newInstance(1, 0);
     }
-    NMDBSchemaVersion version =
-        new NMDBSchemaVersionPBImpl(NMDBSchemaVersionProto.parseFrom(data));
+    Version version =
+        new VersionPBImpl(VersionProto.parseFrom(data));
     return version;
   }
 
-  private void storeSchemaVersion(NMDBSchemaVersion version) throws IOException {
+  private void storeSchemaVersion(Version version) throws IOException {
     String key = STATE_DB_SCHEMA_VERSION_KEY;
     byte[] data = 
-        ((NMDBSchemaVersionPBImpl) version).getProto().toByteArray();
+        ((VersionPBImpl) version).getProto().toByteArray();
     try {
       stateDb.put(bytes(key), data);
     } catch (DBException e) {
@@ -519,11 +519,11 @@ private void storeVersion() throws IOException {
   
   // Only used for test
   @VisibleForTesting
-  void storeVersion(NMDBSchemaVersion version) throws IOException {
+  void storeVersion(Version version) throws IOException {
     storeSchemaVersion(version);
   }
 
-  protected NMDBSchemaVersion getCurrentVersion() {
+  protected Version getCurrentVersion() {
     return CURRENT_VERSION_INFO;
   }
   
@@ -538,7 +538,7 @@ protected NMDBSchemaVersion getCurrentVersion() {
    *    upgrade shuffle info or remove incompatible old state.
    */
   private void checkVersion() throws IOException {
-    NMDBSchemaVersion loadedVersion = loadVersion();
+    Version loadedVersion = loadVersion();
     LOG.info("Loaded state DB schema version info " + loadedVersion);
     if (loadedVersion.equals(getCurrentVersion())) {
       return;
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-shuffle/src/test/java/org/apache/hadoop/mapred/TestShuffleHandler.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-shuffle/src/test/java/org/apache/hadoop/mapred/TestShuffleHandler.java
index 0974cc6ab1f..70536536617 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-shuffle/src/test/java/org/apache/hadoop/mapred/TestShuffleHandler.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-shuffle/src/test/java/org/apache/hadoop/mapred/TestShuffleHandler.java
@@ -75,7 +75,7 @@
 import org.apache.hadoop.yarn.server.api.ApplicationInitializationContext;
 import org.apache.hadoop.yarn.server.api.ApplicationTerminationContext;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.ContainerLocalizer;
-import org.apache.hadoop.yarn.server.nodemanager.recovery.records.NMDBSchemaVersion;
+import org.apache.hadoop.yarn.server.records.Version;
 import org.jboss.netty.channel.Channel;
 import org.jboss.netty.channel.ChannelFuture;
 import org.jboss.netty.channel.ChannelHandlerContext;
@@ -764,11 +764,11 @@ public void testRecoveryFromOtherVersions() throws IOException {
       // verify we are still authorized to shuffle to the old application
       rc = getShuffleResponseCode(shuffle, jt);
       Assert.assertEquals(HttpURLConnection.HTTP_OK, rc);
-      NMDBSchemaVersion version = NMDBSchemaVersion.newInstance(1, 0);
+      Version version = Version.newInstance(1, 0);
       Assert.assertEquals(version, shuffle.getCurrentVersion());
     
       // emulate shuffle handler restart with compatible version
-      NMDBSchemaVersion version11 = NMDBSchemaVersion.newInstance(1, 1);
+      Version version11 = Version.newInstance(1, 1);
       // update version info before close shuffle
       shuffle.storeVersion(version11);
       Assert.assertEquals(version11, shuffle.loadVersion());
@@ -785,7 +785,7 @@ public void testRecoveryFromOtherVersions() throws IOException {
       Assert.assertEquals(HttpURLConnection.HTTP_OK, rc);
     
       // emulate shuffle handler restart with incompatible version
-      NMDBSchemaVersion version21 = NMDBSchemaVersion.newInstance(2, 1);
+      Version version21 = Version.newInstance(2, 1);
       shuffle.storeVersion(version21);
       Assert.assertEquals(version21, shuffle.loadVersion());
       shuffle.close();
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index ad368cc95e8..50ae2aff6ec 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -74,6 +74,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2328. FairScheduler: Verify update and continuous scheduling threads are
     stopped when the scheduler is stopped. (kasha)
 
+    YARN-2347. Consolidated RMStateVersion and NMDBSchemaVersion into Version in
+    yarn-server-common. (Junping Du via zjshen)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/server/yarn_server_resourcemanager_service_protos.proto b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/server/yarn_server_resourcemanager_service_protos.proto
index 2eb61487504..08c937f68d0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/server/yarn_server_resourcemanager_service_protos.proto
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/server/yarn_server_resourcemanager_service_protos.proto
@@ -130,11 +130,6 @@ message ApplicationAttemptStateDataProto {
   optional int32 am_container_exit_status = 9 [default = -1000];
 }
 
-message RMStateVersionProto {
-  optional int32 major_version = 1;
-  optional int32 minor_version = 2;
-}
-
 message EpochProto {
   optional int64 epoch = 1;
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/records/NMDBSchemaVersion.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/records/Version.java
similarity index 74%
rename from hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/records/NMDBSchemaVersion.java
rename to hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/records/Version.java
index 1ee59ea4d83..66042ea8ad2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/records/NMDBSchemaVersion.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/records/Version.java
@@ -15,21 +15,26 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.hadoop.yarn.server.nodemanager.recovery.records;
 
-import org.apache.hadoop.classification.InterfaceAudience.Private;
+package org.apache.hadoop.yarn.server.records;
+
+import org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.util.Records;
 
 /**
- * The version information of DB Schema for NM.
+ * The version information for state get stored in YARN components,
+ * i.e. RMState, NMState, etc., which include: majorVersion and 
+ * minorVersion.
+ * The major version update means incompatible changes happen while
+ * minor version update indicates compatible changes.
  */
-@Private
+@LimitedPrivate({"YARN", "MapReduce"})
 @Unstable
-public abstract class NMDBSchemaVersion {
+public abstract class Version {
 
-  public static NMDBSchemaVersion newInstance(int majorVersion, int minorVersion) {
-    NMDBSchemaVersion version = Records.newRecord(NMDBSchemaVersion.class);
+  public static Version newInstance(int majorVersion, int minorVersion) {
+    Version version = Records.newRecord(Version.class);
     version.setMajorVersion(majorVersion);
     version.setMinorVersion(minorVersion);
     return version;
@@ -47,7 +52,7 @@ public String toString() {
     return getMajorVersion() + "." + getMinorVersion();
   }
 
-  public boolean isCompatibleTo(NMDBSchemaVersion version) {
+  public boolean isCompatibleTo(Version version) {
     return getMajorVersion() == version.getMajorVersion();
   }
 
@@ -68,7 +73,7 @@ public boolean equals(Object obj) {
       return false;
     if (getClass() != obj.getClass())
       return false;
-    NMDBSchemaVersion other = (NMDBSchemaVersion) obj;
+    Version other = (Version) obj;
     if (this.getMajorVersion() == other.getMajorVersion()
         && this.getMinorVersion() == other.getMinorVersion()) {
       return true;
@@ -76,5 +81,4 @@ public boolean equals(Object obj) {
       return false;
     }
   }
-
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/RMStateVersionPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/records/impl/pb/VersionPBImpl.java
similarity index 62%
rename from hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/RMStateVersionPBImpl.java
rename to hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/records/impl/pb/VersionPBImpl.java
index f960413ce64..a99f22af5ce 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/RMStateVersionPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/records/impl/pb/VersionPBImpl.java
@@ -16,28 +16,29 @@
  * limitations under the License.
  */
 
-package org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb;
+package org.apache.hadoop.yarn.server.records.impl.pb;
 
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.RMStateVersionProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.RMStateVersionProtoOrBuilder;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
+import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.VersionProto;
+import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.VersionProtoOrBuilder;
 
-public class RMStateVersionPBImpl extends RMStateVersion {
+import org.apache.hadoop.yarn.server.records.Version;
 
-  RMStateVersionProto proto = RMStateVersionProto.getDefaultInstance();
-  RMStateVersionProto.Builder builder = null;
+public class VersionPBImpl extends Version {
+
+  VersionProto proto = VersionProto.getDefaultInstance();
+  VersionProto.Builder builder = null;
   boolean viaProto = false;
 
-  public RMStateVersionPBImpl() {
-    builder = RMStateVersionProto.newBuilder();
+  public VersionPBImpl() {
+    builder = VersionProto.newBuilder();
   }
 
-  public RMStateVersionPBImpl(RMStateVersionProto proto) {
+  public VersionPBImpl(VersionProto proto) {
     this.proto = proto;
     viaProto = true;
   }
 
-  public RMStateVersionProto getProto() {
+  public VersionProto getProto() {
     proto = viaProto ? proto : builder.build();
     viaProto = true;
     return proto;
@@ -45,14 +46,14 @@ public RMStateVersionProto getProto() {
 
   private void maybeInitBuilder() {
     if (viaProto || builder == null) {
-      builder = RMStateVersionProto.newBuilder(proto);
+      builder = VersionProto.newBuilder(proto);
     }
     viaProto = false;
   }
 
   @Override
   public int getMajorVersion() {
-    RMStateVersionProtoOrBuilder p = viaProto ? proto : builder;
+    VersionProtoOrBuilder p = viaProto ? proto : builder;
     return p.getMajorVersion();
   }
 
@@ -64,7 +65,7 @@ public void setMajorVersion(int major) {
 
   @Override
   public int getMinorVersion() {
-    RMStateVersionProtoOrBuilder p = viaProto ? proto : builder;
+    VersionProtoOrBuilder p = viaProto ? proto : builder;
     return p.getMinorVersion();
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/proto/yarn_server_common_protos.proto b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/proto/yarn_server_common_protos.proto
index 4f5d16895be..01fac329a12 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/proto/yarn_server_common_protos.proto
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/proto/yarn_server_common_protos.proto
@@ -47,4 +47,10 @@ message NodeHealthStatusProto {
   optional bool is_node_healthy = 1;
   optional string health_report = 2;
   optional int64 last_health_report_time = 3;
-}
\ No newline at end of file
+}
+
+message VersionProto {
+  optional int32 major_version = 1;
+  optional int32 minor_version = 2;
+}
+
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java
index 008da7a2b8a..cc7656c0826 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java
@@ -41,13 +41,13 @@
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.proto.YarnProtos.LocalResourceProto;
 import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.MasterKeyProto;
+import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.VersionProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.DeletionServiceDeleteTaskProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.LocalizedResourceProto;
-import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.NMDBSchemaVersionProto;
 import org.apache.hadoop.yarn.server.api.records.MasterKey;
 import org.apache.hadoop.yarn.server.api.records.impl.pb.MasterKeyPBImpl;
-import org.apache.hadoop.yarn.server.nodemanager.recovery.records.NMDBSchemaVersion;
-import org.apache.hadoop.yarn.server.nodemanager.recovery.records.impl.pb.NMDBSchemaVersionPBImpl;
+import org.apache.hadoop.yarn.server.records.Version;
+import org.apache.hadoop.yarn.server.records.impl.pb.VersionPBImpl;
 import org.apache.hadoop.yarn.server.utils.LeveldbIterator;
 import org.apache.hadoop.yarn.util.ConverterUtils;
 import org.fusesource.leveldbjni.JniDBFactory;
@@ -68,7 +68,7 @@ public class NMLeveldbStateStoreService extends NMStateStoreService {
   private static final String DB_NAME = "yarn-nm-state";
   private static final String DB_SCHEMA_VERSION_KEY = "nm-schema-version";
   
-  private static final NMDBSchemaVersion CURRENT_VERSION_INFO = NMDBSchemaVersion
+  private static final Version CURRENT_VERSION_INFO = Version
       .newInstance(1, 0);
 
   private static final String DELETION_TASK_KEY_PREFIX =
@@ -617,14 +617,14 @@ public void log(String message) {
   }
 
 
-  NMDBSchemaVersion loadVersion() throws IOException {
+  Version loadVersion() throws IOException {
     byte[] data = db.get(bytes(DB_SCHEMA_VERSION_KEY));
     // if version is not stored previously, treat it as 1.0.
     if (data == null || data.length == 0) {
-      return NMDBSchemaVersion.newInstance(1, 0);
+      return Version.newInstance(1, 0);
     }
-    NMDBSchemaVersion version =
-        new NMDBSchemaVersionPBImpl(NMDBSchemaVersionProto.parseFrom(data));
+    Version version =
+        new VersionPBImpl(VersionProto.parseFrom(data));
     return version;
   }
 
@@ -634,14 +634,14 @@ private void storeVersion() throws IOException {
   
   // Only used for test
   @VisibleForTesting
-  void storeVersion(NMDBSchemaVersion state) throws IOException {
+  void storeVersion(Version state) throws IOException {
     dbStoreVersion(state);
   }
   
-  private void dbStoreVersion(NMDBSchemaVersion state) throws IOException {
+  private void dbStoreVersion(Version state) throws IOException {
     String key = DB_SCHEMA_VERSION_KEY;
     byte[] data = 
-        ((NMDBSchemaVersionPBImpl) state).getProto().toByteArray();
+        ((VersionPBImpl) state).getProto().toByteArray();
     try {
       db.put(bytes(key), data);
     } catch (DBException e) {
@@ -649,7 +649,7 @@ private void dbStoreVersion(NMDBSchemaVersion state) throws IOException {
     }
   }
 
-  NMDBSchemaVersion getCurrentVersion() {
+  Version getCurrentVersion() {
     return CURRENT_VERSION_INFO;
   }
   
@@ -664,9 +664,9 @@ NMDBSchemaVersion getCurrentVersion() {
    *    upgrade NM state or remove incompatible old state.
    */
   private void checkVersion() throws IOException {
-    NMDBSchemaVersion loadedVersion = loadVersion();
+    Version loadedVersion = loadVersion();
     LOG.info("Loaded NM state version info " + loadedVersion);
-    if (loadedVersion != null && loadedVersion.equals(getCurrentVersion())) {
+    if (loadedVersion.equals(getCurrentVersion())) {
       return;
     }
     if (loadedVersion.isCompatibleTo(getCurrentVersion())) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/records/impl/pb/NMDBSchemaVersionPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/records/impl/pb/NMDBSchemaVersionPBImpl.java
deleted file mode 100644
index f42c1bee331..00000000000
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/records/impl/pb/NMDBSchemaVersionPBImpl.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.yarn.server.nodemanager.recovery.records.impl.pb;
-
-import org.apache.hadoop.classification.InterfaceAudience.Private;
-import org.apache.hadoop.classification.InterfaceStability.Evolving;
-import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.NMDBSchemaVersionProto;
-import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.NMDBSchemaVersionProtoOrBuilder;
-
-import org.apache.hadoop.yarn.server.nodemanager.recovery.records.NMDBSchemaVersion;
-
-@Private
-@Evolving
-public class NMDBSchemaVersionPBImpl extends NMDBSchemaVersion {
-
-  NMDBSchemaVersionProto proto = NMDBSchemaVersionProto.getDefaultInstance();
-  NMDBSchemaVersionProto.Builder builder = null;
-  boolean viaProto = false;
-
-  public NMDBSchemaVersionPBImpl() {
-    builder = NMDBSchemaVersionProto.newBuilder();
-  }
-
-  public NMDBSchemaVersionPBImpl(NMDBSchemaVersionProto proto) {
-    this.proto = proto;
-    viaProto = true;
-  }
-
-  public NMDBSchemaVersionProto getProto() {
-    proto = viaProto ? proto : builder.build();
-    viaProto = true;
-    return proto;
-  }
-
-  private void maybeInitBuilder() {
-    if (viaProto || builder == null) {
-      builder = NMDBSchemaVersionProto.newBuilder(proto);
-    }
-    viaProto = false;
-  }
-  
-  @Override
-  public int getMajorVersion() {
-    NMDBSchemaVersionProtoOrBuilder p = viaProto ? proto : builder;
-    return p.getMajorVersion();
-  }
-
-  @Override
-  public void setMajorVersion(int majorVersion) {
-    maybeInitBuilder();
-    builder.setMajorVersion(majorVersion);
-  }
-
-  @Override
-  public int getMinorVersion() {
-    NMDBSchemaVersionProtoOrBuilder p = viaProto ? proto : builder;
-    return p.getMinorVersion();
-  }
-
-  @Override
-  public void setMinorVersion(int minorVersion) {
-    maybeInitBuilder();
-    builder.setMinorVersion(minorVersion);
-  }
-
-}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/proto/yarn_server_nodemanager_recovery.proto b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/proto/yarn_server_nodemanager_recovery.proto
index a07e7ad6b2d..460c4932342 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/proto/yarn_server_nodemanager_recovery.proto
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/proto/yarn_server_nodemanager_recovery.proto
@@ -39,8 +39,3 @@ message LocalizedResourceProto {
   optional int64 size = 3;
 }
 
-message NMDBSchemaVersionProto {
-  optional int32 majorVersion = 1;
-  optional int32 minorVersion = 2;
-}
-
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java
index 833a062d3b8..294f424b0f8 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java
@@ -49,7 +49,7 @@
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredLocalizationState;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredNMTokensState;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredUserResources;
-import org.apache.hadoop.yarn.server.nodemanager.recovery.records.NMDBSchemaVersion;
+import org.apache.hadoop.yarn.server.records.Version;
 import org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager;
 import org.apache.hadoop.yarn.server.security.BaseNMTokenSecretManager;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
@@ -114,12 +114,12 @@ public void testEmptyState() throws IOException {
   @Test
   public void testCheckVersion() throws IOException {
     // default version
-    NMDBSchemaVersion defaultVersion = stateStore.getCurrentVersion();
+    Version defaultVersion = stateStore.getCurrentVersion();
     Assert.assertEquals(defaultVersion, stateStore.loadVersion());
 
     // compatible version
-    NMDBSchemaVersion compatibleVersion =
-        NMDBSchemaVersion.newInstance(defaultVersion.getMajorVersion(),
+    Version compatibleVersion =
+        Version.newInstance(defaultVersion.getMajorVersion(),
           defaultVersion.getMinorVersion() + 2);
     stateStore.storeVersion(compatibleVersion);
     Assert.assertEquals(compatibleVersion, stateStore.loadVersion());
@@ -128,8 +128,8 @@ public void testCheckVersion() throws IOException {
     Assert.assertEquals(defaultVersion, stateStore.loadVersion());
 
     // incompatible version
-    NMDBSchemaVersion incompatibleVersion =
-      NMDBSchemaVersion.newInstance(defaultVersion.getMajorVersion() + 1,
+    Version incompatibleVersion =
+      Version.newInstance(defaultVersion.getMajorVersion() + 1,
           defaultVersion.getMinorVersion());
     stateStore.storeVersion(incompatibleVersion);
     try {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
index 243c7a19912..2f8a944f666 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
@@ -44,22 +44,22 @@
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.VersionProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.AMRMTokenSecretManagerStateProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.EpochProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationAttemptStateDataProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationStateDataProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.RMStateVersionProto;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.server.records.Version;
+import org.apache.hadoop.yarn.server.records.impl.pb.VersionPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.Epoch;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.AMRMTokenSecretManagerStatePBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationAttemptStateDataPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationStateDataPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.EpochPBImpl;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.RMStateVersionPBImpl;
 import org.apache.hadoop.yarn.util.ConverterUtils;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -77,7 +77,7 @@ public class FileSystemRMStateStore extends RMStateStore {
   public static final Log LOG = LogFactory.getLog(FileSystemRMStateStore.class);
 
   protected static final String ROOT_DIR_NAME = "FSRMStateRoot";
-  protected static final RMStateVersion CURRENT_VERSION_INFO = RMStateVersion
+  protected static final Version CURRENT_VERSION_INFO = Version
     .newInstance(1, 1);
   protected static final String AMRMTOKEN_SECRET_MANAGER_NODE =
       "AMRMTokenSecretManagerNode";
@@ -130,18 +130,18 @@ protected synchronized void closeInternal() throws Exception {
   }
 
   @Override
-  protected RMStateVersion getCurrentVersion() {
+  protected Version getCurrentVersion() {
     return CURRENT_VERSION_INFO;
   }
 
   @Override
-  protected synchronized RMStateVersion loadVersion() throws Exception {
+  protected synchronized Version loadVersion() throws Exception {
     Path versionNodePath = getNodePath(rootDirPath, VERSION_NODE);
     if (fs.exists(versionNodePath)) {
       FileStatus status = fs.getFileStatus(versionNodePath);
       byte[] data = readFile(versionNodePath, status.getLen());
-      RMStateVersion version =
-          new RMStateVersionPBImpl(RMStateVersionProto.parseFrom(data));
+      Version version =
+          new VersionPBImpl(VersionProto.parseFrom(data));
       return version;
     }
     return null;
@@ -151,7 +151,7 @@ protected synchronized RMStateVersion loadVersion() throws Exception {
   protected synchronized void storeVersion() throws Exception {
     Path versionNodePath = getNodePath(rootDirPath, VERSION_NODE);
     byte[] data =
-        ((RMStateVersionPBImpl) CURRENT_VERSION_INFO).getProto().toByteArray();
+        ((VersionPBImpl) CURRENT_VERSION_INFO).getProto().toByteArray();
     if (fs.exists(versionNodePath)) {
       updateFile(versionNodePath, data);
     } else {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/MemoryRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/MemoryRMStateStore.java
index 369f89a545e..f56517cd828 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/MemoryRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/MemoryRMStateStore.java
@@ -32,10 +32,10 @@
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.server.records.Version;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
 
 import com.google.common.annotations.VisibleForTesting;
 
@@ -259,7 +259,7 @@ public synchronized void removeRMDTMasterKeyState(DelegationKey delegationKey)
   }
 
   @Override
-  protected RMStateVersion loadVersion() throws Exception {
+  protected Version loadVersion() throws Exception {
     return null;
   }
 
@@ -268,7 +268,7 @@ protected void storeVersion() throws Exception {
   }
 
   @Override
-  protected RMStateVersion getCurrentVersion() {
+  protected Version getCurrentVersion() {
     return null;
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/NullRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/NullRMStateStore.java
index ea7087176c9..e910c19629e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/NullRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/NullRMStateStore.java
@@ -25,10 +25,10 @@
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.server.records.Version;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
 
 @Unstable
 public class NullRMStateStore extends RMStateStore {
@@ -123,7 +123,7 @@ public void checkVersion() throws Exception {
   }
 
   @Override
-  protected RMStateVersion loadVersion() throws Exception {
+  protected Version loadVersion() throws Exception {
     // Do nothing
     return null;
   }
@@ -134,7 +134,7 @@ protected void storeVersion() throws Exception {
   }
 
   @Override
-  protected RMStateVersion getCurrentVersion() {
+  protected Version getCurrentVersion() {
     // Do nothing
     return null;
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
index e2c4e7e47fa..da08d80466d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
@@ -47,12 +47,12 @@
 import org.apache.hadoop.yarn.event.EventHandler;
 import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.server.records.Version;
 import org.apache.hadoop.yarn.server.resourcemanager.RMFatalEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.RMFatalEventType;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppNewSavedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
@@ -493,14 +493,14 @@ protected void serviceStop() throws Exception {
    *    upgrade RM state.
    */
   public void checkVersion() throws Exception {
-    RMStateVersion loadedVersion = loadVersion();
+    Version loadedVersion = loadVersion();
     LOG.info("Loaded RM state version info " + loadedVersion);
     if (loadedVersion != null && loadedVersion.equals(getCurrentVersion())) {
       return;
     }
     // if there is no version info, treat it as 1.0;
     if (loadedVersion == null) {
-      loadedVersion = RMStateVersion.newInstance(1, 0);
+      loadedVersion = Version.newInstance(1, 0);
     }
     if (loadedVersion.isCompatibleTo(getCurrentVersion())) {
       LOG.info("Storing RM state version info " + getCurrentVersion());
@@ -516,7 +516,7 @@ public void checkVersion() throws Exception {
    * Derived class use this method to load the version information from state
    * store.
    */
-  protected abstract RMStateVersion loadVersion() throws Exception;
+  protected abstract Version loadVersion() throws Exception;
 
   /**
    * Derived class use this method to store the version information.
@@ -526,7 +526,7 @@ public void checkVersion() throws Exception {
   /**
    * Get the current version of the underlying state store.
    */
-  protected abstract RMStateVersion getCurrentVersion();
+  protected abstract Version getCurrentVersion();
 
 
   /**
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
index 5644ad9e34a..bb379c5b8b9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
@@ -44,23 +44,23 @@
 import org.apache.hadoop.yarn.conf.HAUtil;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
+import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.VersionProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.AMRMTokenSecretManagerStateProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationAttemptStateDataProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationStateDataProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.RMStateVersionProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.EpochProto;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.server.records.impl.pb.VersionPBImpl;
+import org.apache.hadoop.yarn.server.records.Version;
 import org.apache.hadoop.yarn.server.resourcemanager.RMZKUtils;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.Epoch;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.AMRMTokenSecretManagerStatePBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationAttemptStateDataPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationStateDataPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.EpochPBImpl;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.RMStateVersionPBImpl;
 import org.apache.hadoop.yarn.util.ConverterUtils;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
@@ -86,7 +86,7 @@ public class ZKRMStateStore extends RMStateStore {
   private final SecureRandom random = new SecureRandom();
 
   protected static final String ROOT_ZNODE_NAME = "ZKRMStateRoot";
-  protected static final RMStateVersion CURRENT_VERSION_INFO = RMStateVersion
+  protected static final Version CURRENT_VERSION_INFO = Version
       .newInstance(1, 1);
   private static final String RM_DELEGATION_TOKENS_ROOT_ZNODE_NAME =
       "RMDelegationTokensRoot";
@@ -377,7 +377,7 @@ protected synchronized void closeInternal() throws Exception {
   }
 
   @Override
-  protected RMStateVersion getCurrentVersion() {
+  protected Version getCurrentVersion() {
     return CURRENT_VERSION_INFO;
   }
 
@@ -385,7 +385,7 @@ protected RMStateVersion getCurrentVersion() {
   protected synchronized void storeVersion() throws Exception {
     String versionNodePath = getNodePath(zkRootNodePath, VERSION_NODE);
     byte[] data =
-        ((RMStateVersionPBImpl) CURRENT_VERSION_INFO).getProto().toByteArray();
+        ((VersionPBImpl) CURRENT_VERSION_INFO).getProto().toByteArray();
     if (existsWithRetries(versionNodePath, true) != null) {
       setDataWithRetries(versionNodePath, data, -1);
     } else {
@@ -394,13 +394,13 @@ protected synchronized void storeVersion() throws Exception {
   }
 
   @Override
-  protected synchronized RMStateVersion loadVersion() throws Exception {
+  protected synchronized Version loadVersion() throws Exception {
     String versionNodePath = getNodePath(zkRootNodePath, VERSION_NODE);
 
     if (existsWithRetries(versionNodePath, true) != null) {
       byte[] data = getDataWithRetries(versionNodePath, true);
-      RMStateVersion version =
-          new RMStateVersionPBImpl(RMStateVersionProto.parseFrom(data));
+      Version version =
+          new VersionPBImpl(VersionProto.parseFrom(data));
       return version;
     }
     return null;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/RMStateVersion.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/RMStateVersion.java
deleted file mode 100644
index cfee512b5d4..00000000000
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/RMStateVersion.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.yarn.server.resourcemanager.recovery.records;
-
-import org.apache.hadoop.classification.InterfaceAudience.Private;
-import org.apache.hadoop.classification.InterfaceStability.Unstable;
-import org.apache.hadoop.yarn.util.Records;
-
-/**
- * The version information of RM state.
- */
-@Private
-@Unstable
-public abstract class RMStateVersion {
-
-  public static RMStateVersion newInstance(int majorVersion, int minorVersion) {
-    RMStateVersion version = Records.newRecord(RMStateVersion.class);
-    version.setMajorVersion(majorVersion);
-    version.setMinorVersion(minorVersion);
-    return version;
-  }
-
-  public abstract int getMajorVersion();
-
-  public abstract void setMajorVersion(int majorVersion);
-
-  public abstract int getMinorVersion();
-
-  public abstract void setMinorVersion(int minorVersion);
-
-  public String toString() {
-    return getMajorVersion() + "." + getMinorVersion();
-  }
-
-  public boolean isCompatibleTo(RMStateVersion version) {
-    return getMajorVersion() == version.getMajorVersion();
-  }
-
-  @Override
-  public int hashCode() {
-    final int prime = 31;
-    int result = 1;
-    result = prime * result + getMajorVersion();
-    result = prime * result + getMinorVersion();
-    return result;
-  }
-
-  @Override
-  public boolean equals(Object obj) {
-    if (this == obj)
-      return true;
-    if (obj == null)
-      return false;
-    if (getClass() != obj.getClass())
-      return false;
-    RMStateVersion other = (RMStateVersion) obj;
-    if (this.getMajorVersion() == other.getMajorVersion()
-        && this.getMinorVersion() == other.getMinorVersion()) {
-      return true;
-    } else {
-      return false;
-    }
-  }
-}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
index a61f23f5a71..5d3e51a398e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
@@ -55,13 +55,13 @@
 import org.apache.hadoop.yarn.event.EventHandler;
 import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.server.records.Version;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.ApplicationAttemptState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.ApplicationState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMDTSecretManagerState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
@@ -111,8 +111,8 @@ public EventHandler getEventHandler() {
   interface RMStateStoreHelper {
     RMStateStore getRMStateStore() throws Exception;
     boolean isFinalStateValid() throws Exception;
-    void writeVersion(RMStateVersion version) throws Exception;
-    RMStateVersion getCurrentVersion() throws Exception;
+    void writeVersion(Version version) throws Exception;
+    Version getCurrentVersion() throws Exception;
     boolean appExists(RMApp app) throws Exception;
   }
 
@@ -477,13 +477,13 @@ public void testCheckVersion(RMStateStoreHelper stateStoreHelper)
     store.setRMDispatcher(new TestDispatcher());
 
     // default version
-    RMStateVersion defaultVersion = stateStoreHelper.getCurrentVersion();
+    Version defaultVersion = stateStoreHelper.getCurrentVersion();
     store.checkVersion();
     Assert.assertEquals(defaultVersion, store.loadVersion());
 
     // compatible version
-    RMStateVersion compatibleVersion =
-        RMStateVersion.newInstance(defaultVersion.getMajorVersion(),
+    Version compatibleVersion =
+        Version.newInstance(defaultVersion.getMajorVersion(),
           defaultVersion.getMinorVersion() + 2);
     stateStoreHelper.writeVersion(compatibleVersion);
     Assert.assertEquals(compatibleVersion, store.loadVersion());
@@ -492,8 +492,8 @@ public void testCheckVersion(RMStateStoreHelper stateStoreHelper)
     Assert.assertEquals(defaultVersion, store.loadVersion());
 
     // incompatible version
-    RMStateVersion incompatibleVersion =
-        RMStateVersion.newInstance(defaultVersion.getMajorVersion() + 2,
+    Version incompatibleVersion =
+        Version.newInstance(defaultVersion.getMajorVersion() + 2,
           defaultVersion.getMinorVersion());
     stateStoreHelper.writeVersion(incompatibleVersion);
     try {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestFSRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestFSRMStateStore.java
index f5b3e8a8a67..88e5393f14d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestFSRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestFSRMStateStore.java
@@ -36,9 +36,9 @@
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.records.impl.pb.VersionPBImpl;
+import org.apache.hadoop.yarn.server.records.Version;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.RMStateVersionPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
 import org.apache.hadoop.yarn.util.ConverterUtils;
@@ -70,7 +70,7 @@ public Path getVersionNode() {
         return new Path(new Path(workingDirPathURI, ROOT_DIR_NAME), VERSION_NODE);
       }
 
-      public RMStateVersion getCurrentVersion() {
+      public Version getCurrentVersion() {
         return CURRENT_VERSION_INFO;
       }
 
@@ -111,13 +111,13 @@ public boolean isFinalStateValid() throws Exception {
     }
 
     @Override
-    public void writeVersion(RMStateVersion version) throws Exception {
-      store.updateFile(store.getVersionNode(), ((RMStateVersionPBImpl) version)
+    public void writeVersion(Version version) throws Exception {
+      store.updateFile(store.getVersionNode(), ((VersionPBImpl) version)
         .getProto().toByteArray());
     }
 
     @Override
-    public RMStateVersion getCurrentVersion() throws Exception {
+    public Version getCurrentVersion() throws Exception {
       return store.getCurrentVersion();
     }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestZKRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestZKRMStateStore.java
index 1dee533ac05..3c7170adaeb 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestZKRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestZKRMStateStore.java
@@ -32,9 +32,9 @@
 import org.apache.hadoop.service.Service;
 import org.apache.hadoop.yarn.conf.HAUtil;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.records.Version;
+import org.apache.hadoop.yarn.server.records.impl.pb.VersionPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
-import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.RMStateVersionPBImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.zookeeper.ZooKeeper;
 import org.apache.zookeeper.data.Stat;
@@ -69,7 +69,7 @@ public String getVersionNode() {
         return znodeWorkingPath + "/" + ROOT_ZNODE_NAME + "/" + VERSION_NODE;
       }
 
-      public RMStateVersion getCurrentVersion() {
+      public Version getCurrentVersion() {
         return CURRENT_VERSION_INFO;
       }
 
@@ -96,13 +96,13 @@ public boolean isFinalStateValid() throws Exception {
     }
 
     @Override
-    public void writeVersion(RMStateVersion version) throws Exception {
-      client.setData(store.getVersionNode(), ((RMStateVersionPBImpl) version)
+    public void writeVersion(Version version) throws Exception {
+      client.setData(store.getVersionNode(), ((VersionPBImpl) version)
         .getProto().toByteArray(), -1);
     }
 
     @Override
-    public RMStateVersion getCurrentVersion() throws Exception {
+    public Version getCurrentVersion() throws Exception {
       return store.getCurrentVersion();
     }
 

From e52f67e3897a67a0b6d29e557a31cfa881738821 Mon Sep 17 00:00:00 2001
From: Xuan Gong <xgong@apache.org>
Date: Thu, 31 Jul 2014 20:06:02 +0000
Subject: [PATCH 091/354]     YARN-1994. Expose YARN/MR endpoints on multiple
 interfaces. Contributed by Craig Welch, Milan Potocnik,and Arpit Agarwal

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1614981 13f79535-47bb-0310-9956-ffa450edef68
---
 .../org/apache/hadoop/conf/Configuration.java |  66 +++++++++
 hadoop-mapreduce-project/CHANGES.txt          |   3 +
 .../mapred/TaskAttemptListenerImpl.java       |   4 +-
 .../hadoop/mapreduce/v2/app/AppContext.java   |   1 +
 .../hadoop/mapreduce/v2/app/MRAppMaster.java  |   5 +
 .../v2/app/client/MRClientService.java        |   3 +-
 .../mapred/TestTaskAttemptListenerImpl.java   |  13 +-
 .../mapreduce/v2/app/MockAppContext.java      |   5 +
 .../v2/app/TestRuntimeEstimators.java         |   5 +
 .../v2/jobhistory/JHAdminConfig.java          |   4 +-
 .../mapreduce/v2/util/MRWebAppUtil.java       |   9 +-
 .../mapreduce/v2/hs/HistoryClientService.java |  11 +-
 .../hadoop/mapreduce/v2/hs/JobHistory.java    |   5 +
 .../mapreduce/v2/hs/server/HSAdminServer.java |   5 +-
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../hadoop/yarn/conf/YarnConfiguration.java   |  12 ++
 .../hadoop/yarn/webapp/util/WebAppUtils.java  |  32 +++++
 .../src/main/resources/yarn-default.xml       |  34 +++++
 .../yarn/conf/TestYarnConfiguration.java      | 128 ++++++++++++++++++
 .../ApplicationHistoryClientService.java      |  16 ++-
 .../ApplicationHistoryServer.java             |   4 +-
 .../ContainerManagerImpl.java                 |  19 ++-
 .../ResourceLocalizationService.java          |   6 +-
 .../server/nodemanager/webapp/WebServer.java  |   4 +-
 .../server/resourcemanager/AdminService.java  |  16 ++-
 .../ApplicationMasterService.java             |   5 +-
 .../resourcemanager/ClientRMService.java      |   8 +-
 .../resourcemanager/ResourceManager.java      |   7 +-
 .../ResourceTrackerService.java               |   8 +-
 .../yarn/server/resourcemanager/TestRMHA.java |  23 +++-
 30 files changed, 429 insertions(+), 35 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
index 22ccf63e9bd..31c40f60f30 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
@@ -1843,6 +1843,38 @@ protected char[] getPasswordFromConfig(String name) {
     return pass;
   }
 
+  /**
+   * Get the socket address for <code>hostProperty</code> as a
+   * <code>InetSocketAddress</code>. If <code>hostProperty</code> is
+   * <code>null</code>, <code>addressProperty</code> will be used. This
+   * is useful for cases where we want to differentiate between host
+   * bind address and address clients should use to establish connection.
+   *
+   * @param hostProperty bind host property name.
+   * @param addressProperty address property name.
+   * @param defaultAddressValue the default value
+   * @param defaultPort the default port
+   * @return InetSocketAddress
+   */
+  public InetSocketAddress getSocketAddr(
+      String hostProperty,
+      String addressProperty,
+      String defaultAddressValue,
+      int defaultPort) {
+
+    InetSocketAddress bindAddr = getSocketAddr(
+      addressProperty, defaultAddressValue, defaultPort);
+
+    final String host = get(hostProperty);
+
+    if (host == null || host.isEmpty()) {
+      return bindAddr;
+    }
+
+    return NetUtils.createSocketAddr(
+        host, bindAddr.getPort(), hostProperty);
+  }
+
   /**
    * Get the socket address for <code>name</code> property as a
    * <code>InetSocketAddress</code>.
@@ -1864,6 +1896,40 @@ public InetSocketAddress getSocketAddr(
   public void setSocketAddr(String name, InetSocketAddress addr) {
     set(name, NetUtils.getHostPortString(addr));
   }
+
+  /**
+   * Set the socket address a client can use to connect for the
+   * <code>name</code> property as a <code>host:port</code>.  The wildcard
+   * address is replaced with the local host's address. If the host and address
+   * properties are configured the host component of the address will be combined
+   * with the port component of the addr to generate the address.  This is to allow
+   * optional control over which host name is used in multi-home bind-host
+   * cases where a host can have multiple names
+   * @param hostProperty the bind-host configuration name
+   * @param addressProperty the service address configuration name
+   * @param defaultAddressValue the service default address configuration value
+   * @param addr InetSocketAddress of the service listener
+   * @return InetSocketAddress for clients to connect
+   */
+  public InetSocketAddress updateConnectAddr(
+      String hostProperty,
+      String addressProperty,
+      String defaultAddressValue,
+      InetSocketAddress addr) {
+
+    final String host = get(hostProperty);
+    final String connectHostPort = getTrimmed(addressProperty, defaultAddressValue);
+
+    if (host == null || host.isEmpty() || connectHostPort == null || connectHostPort.isEmpty()) {
+      //not our case, fall back to original logic
+      return updateConnectAddr(addressProperty, addr);
+    }
+
+    final String connectHost = connectHostPort.split(":")[0];
+    // Create connect address using client address hostname and server port.
+    return updateConnectAddr(addressProperty, NetUtils.createSocketAddrForHost(
+        connectHost, addr.getPort()));
+  }
   
   /**
    * Set the socket address a client can use to connect for the
diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 5760cef3060..86ae7139b8c 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -83,6 +83,9 @@ Trunk (Unreleased)
     MAPREDUCE-5912. Task.calculateOutputSize does not handle Windows files after
     MAPREDUCE-5196. (Remus Rusanu via cnauroth)
 
+    MAPREDUCE-6019. MapReduce changes for exposing YARN/MR endpoints on multiple
+    interfaces. (Craig Welch, Milan Potocnik, Arpit Agarwal via xgong)
+
   BUG FIXES
 
     MAPREDUCE-5714. Removed forceful JVM exit in shutDownJob.  
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/TaskAttemptListenerImpl.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/TaskAttemptListenerImpl.java
index 074e3f0fbb8..5f39edd72e8 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/TaskAttemptListenerImpl.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapred/TaskAttemptListenerImpl.java
@@ -141,7 +141,9 @@ protected void startRpcServer() {
       }
 
       server.start();
-      this.address = NetUtils.getConnectAddress(server);
+      this.address = NetUtils.createSocketAddrForHost(
+          context.getNMHostname(),
+          server.getListenerAddress().getPort());
     } catch (IOException e) {
       throw new YarnRuntimeException(e);
     }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/AppContext.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/AppContext.java
index 6f036c4a74a..31e282a63e9 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/AppContext.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/AppContext.java
@@ -66,4 +66,5 @@ public interface AppContext {
 
   boolean hasSuccessfullyUnregistered();
 
+  String getNMHostname();
 }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRAppMaster.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRAppMaster.java
index 8c1892af392..59e72490496 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRAppMaster.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRAppMaster.java
@@ -1018,6 +1018,11 @@ public void markSuccessfulUnregistration() {
     public void resetIsLastAMRetry() {
       isLastAMRetry = false;
     }
+
+    @Override
+    public String getNMHostname() {
+      return nmHost;
+    }
   }
 
   @SuppressWarnings("unchecked")
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/client/MRClientService.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/client/MRClientService.java
index 3c0e100b5cc..11235322f6a 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/client/MRClientService.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/client/MRClientService.java
@@ -131,7 +131,8 @@ protected void serviceStart() throws Exception {
     }
 
     server.start();
-    this.bindAddress = NetUtils.getConnectAddress(server);
+    this.bindAddress = NetUtils.createSocketAddrForHost(appContext.getNMHostname(),
+        server.getListenerAddress().getPort());
     LOG.info("Instantiated MRClientService at " + this.bindAddress);
     try {
       // Explicitly disabling SSL for map reduce task as we can't allow MR users
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapred/TestTaskAttemptListenerImpl.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapred/TestTaskAttemptListenerImpl.java
index 256f0b7bb7a..2c81cf06d2d 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapred/TestTaskAttemptListenerImpl.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapred/TestTaskAttemptListenerImpl.java
@@ -61,6 +61,13 @@ public class TestTaskAttemptListenerImpl {
   public static class MockTaskAttemptListenerImpl
       extends TaskAttemptListenerImpl {
 
+    public MockTaskAttemptListenerImpl(AppContext context,
+        JobTokenSecretManager jobTokenSecretManager,
+        RMHeartbeatHandler rmHeartbeatHandler, AMPreemptionPolicy policy) {
+
+      super(context, jobTokenSecretManager, rmHeartbeatHandler, policy);
+    }
+
     public MockTaskAttemptListenerImpl(AppContext context,
         JobTokenSecretManager jobTokenSecretManager,
         RMHeartbeatHandler rmHeartbeatHandler,
@@ -210,7 +217,7 @@ public void testGetMapCompletionEvents() throws IOException {
     when(appCtx.getEventHandler()).thenReturn(ea);
     CheckpointAMPreemptionPolicy policy = new CheckpointAMPreemptionPolicy();
     policy.init(appCtx);
-    TaskAttemptListenerImpl listener = new TaskAttemptListenerImpl(
+    TaskAttemptListenerImpl listener = new MockTaskAttemptListenerImpl(
         appCtx, secret, rmHeartbeatHandler, policy) {
       @Override
       protected void registerHeartbeatHandler(Configuration conf) {
@@ -271,7 +278,7 @@ public void testCommitWindow() throws IOException {
     when(appCtx.getEventHandler()).thenReturn(ea);
     CheckpointAMPreemptionPolicy policy = new CheckpointAMPreemptionPolicy();
     policy.init(appCtx);
-    TaskAttemptListenerImpl listener = new TaskAttemptListenerImpl(
+    TaskAttemptListenerImpl listener = new MockTaskAttemptListenerImpl(
         appCtx, secret, rmHeartbeatHandler, policy) {
       @Override
       protected void registerHeartbeatHandler(Configuration conf) {
@@ -326,7 +333,7 @@ public void testCheckpointIDTracking()
     when(appCtx.getEventHandler()).thenReturn(ea);
     CheckpointAMPreemptionPolicy policy = new CheckpointAMPreemptionPolicy();
     policy.init(appCtx);
-    TaskAttemptListenerImpl listener = new TaskAttemptListenerImpl(
+    TaskAttemptListenerImpl listener = new MockTaskAttemptListenerImpl(
         appCtx, secret, rmHeartbeatHandler, policy) {
       @Override
       protected void registerHeartbeatHandler(Configuration conf) {
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/MockAppContext.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/MockAppContext.java
index 511731a9ba1..dae0aa77fc0 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/MockAppContext.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/MockAppContext.java
@@ -143,4 +143,9 @@ public boolean hasSuccessfullyUnregistered() {
     return true;
   }
 
+@Override
+  public String getNMHostname() {
+    // bogus - Not Required
+    return null;
+  }
 }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestRuntimeEstimators.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestRuntimeEstimators.java
index 6fadf350f82..c25cf5060e9 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestRuntimeEstimators.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestRuntimeEstimators.java
@@ -879,5 +879,10 @@ public boolean hasSuccessfullyUnregistered() {
       return true;
     }
 
+    @Override
+    public String getNMHostname() {
+      // bogus - Not Required
+      return null;
+    }
   }
 }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JHAdminConfig.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JHAdminConfig.java
index 2e1a22e4310..9fa8a090a4b 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JHAdminConfig.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JHAdminConfig.java
@@ -38,7 +38,9 @@ public class JHAdminConfig {
   public static final int DEFAULT_MR_HISTORY_PORT = 10020;
   public static final String DEFAULT_MR_HISTORY_ADDRESS = "0.0.0.0:" +
       DEFAULT_MR_HISTORY_PORT;
-  
+  public static final String MR_HISTORY_BIND_HOST = MR_HISTORY_PREFIX
+      + "bind-host";
+
   /** The address of the History server admin interface. */
   public static final String JHS_ADMIN_ADDRESS = MR_HISTORY_PREFIX
       + "admin.address";
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/util/MRWebAppUtil.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/util/MRWebAppUtil.java
index 2d453f1d308..cac01191fcd 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/util/MRWebAppUtil.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/util/MRWebAppUtil.java
@@ -29,6 +29,7 @@
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.ipc.RPCUtil;
 
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
@@ -105,11 +106,15 @@ public static String getJHSWebappURLWithScheme(Configuration conf) {
   
   public static InetSocketAddress getJHSWebBindAddress(Configuration conf) {
     if (httpPolicyInJHS == Policy.HTTPS_ONLY) {
-      return conf.getSocketAddr(JHAdminConfig.MR_HISTORY_WEBAPP_HTTPS_ADDRESS,
+      return conf.getSocketAddr(
+          JHAdminConfig.MR_HISTORY_BIND_HOST,
+          JHAdminConfig.MR_HISTORY_WEBAPP_HTTPS_ADDRESS,
           JHAdminConfig.DEFAULT_MR_HISTORY_WEBAPP_HTTPS_ADDRESS,
           JHAdminConfig.DEFAULT_MR_HISTORY_WEBAPP_HTTPS_PORT);
     } else {
-      return conf.getSocketAddr(JHAdminConfig.MR_HISTORY_WEBAPP_ADDRESS,
+      return conf.getSocketAddr(
+          JHAdminConfig.MR_HISTORY_BIND_HOST,
+          JHAdminConfig.MR_HISTORY_WEBAPP_ADDRESS,
           JHAdminConfig.DEFAULT_MR_HISTORY_WEBAPP_ADDRESS,
           JHAdminConfig.DEFAULT_MR_HISTORY_WEBAPP_PORT);
     }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java
index 96b81054460..001608b2596 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java
@@ -83,6 +83,7 @@
 import org.apache.hadoop.service.AbstractService;
 import org.apache.hadoop.yarn.factories.RecordFactory;
 import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
+import org.apache.hadoop.yarn.ipc.RPCUtil;
 import org.apache.hadoop.yarn.ipc.YarnRPC;
 import org.apache.hadoop.yarn.util.Records;
 import org.apache.hadoop.yarn.webapp.WebApp;
@@ -119,6 +120,7 @@ protected void serviceStart() throws Exception {
     YarnRPC rpc = YarnRPC.create(conf);
     initializeWebApp(conf);
     InetSocketAddress address = conf.getSocketAddr(
+        JHAdminConfig.MR_HISTORY_BIND_HOST,
         JHAdminConfig.MR_HISTORY_ADDRESS,
         JHAdminConfig.DEFAULT_MR_HISTORY_ADDRESS,
         JHAdminConfig.DEFAULT_MR_HISTORY_PORT);
@@ -137,9 +139,11 @@ protected void serviceStart() throws Exception {
     }
     
     server.start();
-    this.bindAddress = conf.updateConnectAddr(JHAdminConfig.MR_HISTORY_ADDRESS,
+    this.bindAddress = conf.updateConnectAddr(JHAdminConfig.MR_HISTORY_BIND_HOST,
+                                              JHAdminConfig.MR_HISTORY_ADDRESS,
+                                              JHAdminConfig.DEFAULT_MR_HISTORY_ADDRESS,
                                               server.getListenerAddress());
-    LOG.info("Instantiated MRClientService at " + this.bindAddress);
+    LOG.info("Instantiated HistoryClientService at " + this.bindAddress);
 
     super.serviceStart();
   }
@@ -158,8 +162,9 @@ protected void initializeWebApp(Configuration conf) {
             JHAdminConfig.MR_WEBAPP_SPNEGO_USER_NAME_KEY)
         .at(NetUtils.getHostPortString(bindAddress)).start(webApp);
     
+    String connectHost = MRWebAppUtil.getJHSWebappURLWithoutScheme(conf).split(":")[0];
     MRWebAppUtil.setJHSWebappURLWithoutScheme(conf,
-        NetUtils.getHostPortString(webApp.getListenerAddress()));
+        connectHost + ":" + webApp.getListenerAddress().getPort());
   }
 
   @Override
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/JobHistory.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/JobHistory.java
index b7823a0c50d..194b85a5a29 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/JobHistory.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/JobHistory.java
@@ -394,4 +394,9 @@ public boolean hasSuccessfullyUnregistered() {
     return true;
   }
 
+  @Override
+  public String getNMHostname() {
+    // bogus - Not Required
+    return null;
+  }
 }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/server/HSAdminServer.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/server/HSAdminServer.java
index 23a34a47b94..858d945dfe1 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/server/HSAdminServer.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/server/HSAdminServer.java
@@ -34,6 +34,7 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.security.authorize.ProxyUsers;
+import org.apache.hadoop.yarn.ipc.RPCUtil;
 import org.apache.hadoop.yarn.logaggregation.AggregatedLogDeletionService;
 import org.apache.hadoop.security.proto.RefreshUserMappingsProtocolProtos.RefreshUserMappingsProtocolService;
 import org.apache.hadoop.security.protocolPB.RefreshUserMappingsProtocolPB;
@@ -94,7 +95,9 @@ public void serviceInit(Configuration conf) throws Exception {
 
     WritableRpcEngine.ensureInitialized();
 
-    clientRpcAddress = conf.getSocketAddr(JHAdminConfig.JHS_ADMIN_ADDRESS,
+    clientRpcAddress = conf.getSocketAddr(
+        JHAdminConfig.MR_HISTORY_BIND_HOST,
+        JHAdminConfig.JHS_ADMIN_ADDRESS,
         JHAdminConfig.DEFAULT_JHS_ADMIN_ADDRESS,
         JHAdminConfig.DEFAULT_JHS_ADMIN_PORT);
     clientRpcServer = new RPC.Builder(conf)
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 50ae2aff6ec..7b7fa0ddbad 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -77,6 +77,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2347. Consolidated RMStateVersion and NMDBSchemaVersion into Version in
     yarn-server-common. (Junping Du via zjshen)
 
+    YARN-1994. Expose YARN/MR endpoints on multiple interfaces. (Craig Welch,
+    Milan Potocnik, Arpit Agarwal via xgong)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
index ab6b20e574e..9e08ef52008 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -126,6 +126,10 @@ public class YarnConfiguration extends Configuration {
   public static final String DEFAULT_RM_ADDRESS =
     "0.0.0.0:" + DEFAULT_RM_PORT;
 
+  /** The actual bind address for the RM.*/
+  public static final String RM_BIND_HOST =
+    RM_PREFIX + "bind-host";
+
   /** The number of threads used to handle applications manager requests.*/
   public static final String RM_CLIENT_THREAD_COUNT =
     RM_PREFIX + "client.thread-count";
@@ -545,6 +549,10 @@ public class YarnConfiguration extends Configuration {
   public static final String DEFAULT_NM_ADDRESS = "0.0.0.0:"
       + DEFAULT_NM_PORT;
   
+  /** The actual bind address or the NM.*/
+  public static final String NM_BIND_HOST =
+    NM_PREFIX + "bind-host";
+
   /** who will execute(launch) the containers.*/
   public static final String NM_CONTAINER_EXECUTOR = 
     NM_PREFIX + "container-executor.class";
@@ -1132,6 +1140,10 @@ public class YarnConfiguration extends Configuration {
   public static final String DEFAULT_TIMELINE_SERVICE_ADDRESS = "0.0.0.0:"
       + DEFAULT_TIMELINE_SERVICE_PORT;
 
+  /** The listening endpoint for the timeline service application.*/
+  public static final String TIMELINE_SERVICE_BIND_HOST =
+      TIMELINE_SERVICE_PREFIX + "bind-host";
+
   /** The number of threads to handle client RPC API requests. */
   public static final String TIMELINE_SERVICE_HANDLER_THREAD_COUNT =
       TIMELINE_SERVICE_PREFIX + "handler-thread-count";
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/util/WebAppUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/util/WebAppUtils.java
index 29fd8c14e6d..6cbe6f94d6f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/util/WebAppUtils.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/util/WebAppUtils.java
@@ -34,6 +34,7 @@
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.conf.HAUtil;
+import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.util.RMHAUtils;
 
 @Private
@@ -170,6 +171,37 @@ private static String getResolvedAddress(InetSocketAddress address) {
     return sb.toString();
   }
   
+  /**
+   * Get the URL to use for binding where bind hostname can be specified
+   * to override the hostname in the webAppURLWithoutScheme. Port specified in the
+   * webAppURLWithoutScheme will be used.
+   *
+   * @param conf the configuration
+   * @param hostProperty bind host property name
+   * @param webAppURLWithoutScheme web app URL without scheme String
+   * @return String representing bind URL
+   */
+  public static String getWebAppBindURL(
+      Configuration conf,
+      String hostProperty,
+      String webAppURLWithoutScheme) {
+
+    // If the bind-host setting exists then it overrides the hostname
+    // portion of the corresponding webAppURLWithoutScheme
+    String host = conf.getTrimmed(hostProperty);
+    if (host != null && !host.isEmpty()) {
+      if (webAppURLWithoutScheme.contains(":")) {
+        webAppURLWithoutScheme = host + ":" + webAppURLWithoutScheme.split(":")[1];
+      }
+      else {
+        throw new YarnRuntimeException("webAppURLWithoutScheme must include port specification but doesn't: " +
+                                       webAppURLWithoutScheme);
+      }
+    }
+
+    return webAppURLWithoutScheme;
+  }
+
   public static String getNMWebAppURLWithoutScheme(Configuration conf) {
     if (YarnConfiguration.useHttps(conf)) {
       return conf.get(YarnConfiguration.NM_WEBAPP_HTTPS_ADDRESS,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
index edc2f8cab61..94b4d7f20ec 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -70,6 +70,17 @@
     <value>${yarn.resourcemanager.hostname}:8032</value>
   </property>
 
+  <property>
+    <description>
+      The actual address the server will bind to. If this optional address is
+      set, the RPC and webapp servers will bind to this address and the port specified in
+      yarn.resourcemanager.address and yarn.resourcemanager.webapp.address, respectively. This
+      is most useful for making RM listen to all interfaces by setting to 0.0.0.0.
+    </description>
+    <name>yarn.resourcemanager.bind-host</name>
+    <value></value>
+  </property>
+
   <property>
     <description>The number of threads used to handle applications manager requests.</description>
     <name>yarn.resourcemanager.client.thread-count</name>
@@ -635,6 +646,17 @@
     <value>${yarn.nodemanager.hostname}:0</value>
   </property>
 
+  <property>
+    <description>
+      The actual address the server will bind to. If this optional address is
+      set, the RPC and webapp servers will bind to this address and the port specified in
+      yarn.nodemanager.address and yarn.nodemanager.webapp.address, respectively. This is
+      most useful for making NM listen to all interfaces by setting to 0.0.0.0.
+    </description>
+    <name>yarn.nodemanager.bind-host</name>
+    <value></value>
+  </property>
+
   <property>
     <description>Environment variables that should be forwarded from the NodeManager's environment to the container's.</description>
     <name>yarn.nodemanager.admin-env</name>
@@ -1172,6 +1194,18 @@
     <value>${yarn.timeline-service.hostname}:8190</value>
   </property>
 
+  <property>
+    <description>
+      The actual address the server will bind to. If this optional address is
+      set, the RPC and webapp servers will bind to this address and the port specified in
+      yarn.timeline-service.address and yarn.timeline-service.webapp.address, respectively.
+      This is most useful for making the service listen to all interfaces by setting to
+      0.0.0.0.
+    </description>
+    <name>yarn.timeline-service.bind-host</name>
+    <value></value>
+  </property>
+
   <property>
     <description>Store class name for timeline store.</description>
     <name>yarn.timeline-service.store-class</name>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/conf/TestYarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/conf/TestYarnConfiguration.java
index 5e40e5d5000..1d925a733d6 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/conf/TestYarnConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/conf/TestYarnConfiguration.java
@@ -28,6 +28,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertFalse;
 
 public class TestYarnConfiguration {
 
@@ -75,4 +76,131 @@ public void testGetSocketAddressForNMWithHA() {
         YarnConfiguration.DEFAULT_NM_PORT);
     assertEquals(1234, addr.getPort());
   }
+
+  @Test
+  public void testGetSocketAddr() throws Exception {
+
+    YarnConfiguration conf;
+    InetSocketAddress resourceTrackerAddress;
+
+    //all default
+    conf = new YarnConfiguration();
+    resourceTrackerAddress = conf.getSocketAddr(
+        YarnConfiguration.RM_BIND_HOST,
+        YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_PORT);
+    assertEquals(
+      new InetSocketAddress(
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS.split(":")[0],
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_PORT),
+        resourceTrackerAddress);
+
+    //with address
+    conf.set(YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS, "10.0.0.1");
+    resourceTrackerAddress = conf.getSocketAddr(
+        YarnConfiguration.RM_BIND_HOST,
+        YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_PORT);
+    assertEquals(
+      new InetSocketAddress(
+        "10.0.0.1",
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_PORT),
+        resourceTrackerAddress);
+
+    //address and socket
+    conf.set(YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS, "10.0.0.2:5001");
+    resourceTrackerAddress = conf.getSocketAddr(
+        YarnConfiguration.RM_BIND_HOST,
+        YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_PORT);
+    assertEquals(
+      new InetSocketAddress(
+        "10.0.0.2",
+        5001),
+        resourceTrackerAddress);
+
+    //bind host only
+    conf = new YarnConfiguration();
+    conf.set(YarnConfiguration.RM_BIND_HOST, "10.0.0.3");
+    resourceTrackerAddress = conf.getSocketAddr(
+        YarnConfiguration.RM_BIND_HOST,
+        YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_PORT);
+    assertEquals(
+      new InetSocketAddress(
+        "10.0.0.3",
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_PORT),
+        resourceTrackerAddress);
+
+    //bind host and address no port
+    conf.set(YarnConfiguration.RM_BIND_HOST, "0.0.0.0");
+    conf.set(YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS, "10.0.0.2");
+    resourceTrackerAddress = conf.getSocketAddr(
+        YarnConfiguration.RM_BIND_HOST,
+        YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_PORT);
+    assertEquals(
+      new InetSocketAddress(
+        "0.0.0.0",
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_PORT),
+        resourceTrackerAddress);
+
+    //bind host and address with port
+    conf.set(YarnConfiguration.RM_BIND_HOST, "0.0.0.0");
+    conf.set(YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS, "10.0.0.2:5003");
+    resourceTrackerAddress = conf.getSocketAddr(
+        YarnConfiguration.RM_BIND_HOST,
+        YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_PORT);
+    assertEquals(
+      new InetSocketAddress(
+        "0.0.0.0",
+        5003),
+        resourceTrackerAddress);
+
+  }
+
+  @Test
+  public void testUpdateConnectAddr() throws Exception {
+    YarnConfiguration conf;
+    InetSocketAddress resourceTrackerConnectAddress;
+    InetSocketAddress serverAddress;
+
+    //no override, old behavior.  Won't work on a host named "yo.yo.yo"
+    conf = new YarnConfiguration();
+    conf.set(YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS, "yo.yo.yo");
+    serverAddress = new InetSocketAddress(
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS.split(":")[0],
+        Integer.valueOf(YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS.split(":")[1]));
+
+    resourceTrackerConnectAddress = conf.updateConnectAddr(
+        YarnConfiguration.RM_BIND_HOST,
+        YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS,
+        serverAddress);
+
+    assertFalse(resourceTrackerConnectAddress.toString().startsWith("yo.yo.yo"));
+
+    //cause override with address
+    conf = new YarnConfiguration();
+    conf.set(YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS, "yo.yo.yo");
+    conf.set(YarnConfiguration.RM_BIND_HOST, "0.0.0.0");
+    serverAddress = new InetSocketAddress(
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS.split(":")[0],
+        Integer.valueOf(YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS.split(":")[1]));
+
+    resourceTrackerConnectAddress = conf.updateConnectAddr(
+        YarnConfiguration.RM_BIND_HOST,
+        YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS,
+        YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS,
+        serverAddress);
+
+    assertTrue(resourceTrackerConnectAddress.toString().startsWith("yo.yo.yo"));
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryClientService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryClientService.java
index e15198b13f0..6372056cb5d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryClientService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryClientService.java
@@ -56,6 +56,7 @@
 import org.apache.hadoop.yarn.exceptions.ApplicationNotFoundException;
 import org.apache.hadoop.yarn.exceptions.ContainerNotFoundException;
 import org.apache.hadoop.yarn.exceptions.YarnException;
+import org.apache.hadoop.yarn.ipc.RPCUtil;
 import org.apache.hadoop.yarn.ipc.YarnRPC;
 
 public class ApplicationHistoryClientService extends AbstractService {
@@ -75,10 +76,11 @@ public ApplicationHistoryClientService(ApplicationHistoryManager history) {
   protected void serviceStart() throws Exception {
     Configuration conf = getConfig();
     YarnRPC rpc = YarnRPC.create(conf);
-    InetSocketAddress address =
-        conf.getSocketAddr(YarnConfiguration.TIMELINE_SERVICE_ADDRESS,
-          YarnConfiguration.DEFAULT_TIMELINE_SERVICE_ADDRESS,
-          YarnConfiguration.DEFAULT_TIMELINE_SERVICE_PORT);
+    InetSocketAddress address = conf.getSocketAddr(
+        YarnConfiguration.TIMELINE_SERVICE_BIND_HOST,
+        YarnConfiguration.TIMELINE_SERVICE_ADDRESS,
+        YarnConfiguration.DEFAULT_TIMELINE_SERVICE_ADDRESS,
+        YarnConfiguration.DEFAULT_TIMELINE_SERVICE_PORT);
 
     server =
         rpc.getServer(ApplicationHistoryProtocol.class, protocolHandler,
@@ -88,8 +90,10 @@ protected void serviceStart() throws Exception {
 
     server.start();
     this.bindAddress =
-        conf.updateConnectAddr(YarnConfiguration.TIMELINE_SERVICE_ADDRESS,
-          server.getListenerAddress());
+        conf.updateConnectAddr(YarnConfiguration.TIMELINE_SERVICE_BIND_HOST,
+                               YarnConfiguration.TIMELINE_SERVICE_ADDRESS,
+                               YarnConfiguration.DEFAULT_TIMELINE_SERVICE_ADDRESS,
+                               server.getListenerAddress());
     LOG.info("Instantiated ApplicationHistoryClientService at "
         + this.bindAddress);
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
index 02a3bb12fc0..ce05d503986 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
@@ -192,7 +192,9 @@ protected void startWebApp() {
           TimelineAuthenticationFilterInitializer.class.getName()
               + initializers);
     }
-    String bindAddress = WebAppUtils.getAHSWebAppURLWithoutScheme(conf);
+    String bindAddress = WebAppUtils.getWebAppBindURL(conf,
+                          YarnConfiguration.TIMELINE_SERVICE_BIND_HOST,
+                          WebAppUtils.getAHSWebAppURLWithoutScheme(conf));
     LOG.info("Instantiating AHSWebApp at " + bindAddress);
     try {
       AHSWebApp ahsWebApp = AHSWebApp.getInstance();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
index 1e155d27b84..0625df0edde 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
@@ -275,6 +275,7 @@ protected void serviceStart() throws Exception {
     YarnRPC rpc = YarnRPC.create(conf);
 
     InetSocketAddress initialAddress = conf.getSocketAddr(
+        YarnConfiguration.NM_BIND_HOST,
         YarnConfiguration.NM_ADDRESS,
         YarnConfiguration.DEFAULT_NM_ADDRESS,
         YarnConfiguration.DEFAULT_NM_PORT);
@@ -296,7 +297,22 @@ protected void serviceStart() throws Exception {
     		" server is still starting.");
     this.setBlockNewContainerRequests(true);
     server.start();
-    InetSocketAddress connectAddress = NetUtils.getConnectAddress(server);
+    
+    InetSocketAddress connectAddress;
+    String bindHost = conf.get(YarnConfiguration.NM_BIND_HOST);
+    String nmAddress = conf.getTrimmed(YarnConfiguration.NM_ADDRESS);
+    if (bindHost == null || bindHost.isEmpty() ||
+	nmAddress == null || nmAddress.isEmpty()) {
+      connectAddress = NetUtils.getConnectAddress(server);
+    } else {
+      //a bind-host case with an address, to support overriding the first hostname
+      //found when querying for our hostname with the specified address, combine
+      //the specified address with the actual port listened on by the server
+      connectAddress = NetUtils.getConnectAddress(
+	new InetSocketAddress(nmAddress.split(":")[0],
+			      server.getListenerAddress().getPort()));
+    }
+
     NodeId nodeId = NodeId.newInstance(
         connectAddress.getAddress().getCanonicalHostName(),
         connectAddress.getPort());
@@ -304,6 +320,7 @@ protected void serviceStart() throws Exception {
     this.context.getNMTokenSecretManager().setNodeId(nodeId);
     this.context.getContainerTokenSecretManager().setNodeId(nodeId);
     LOG.info("ContainerManager started at " + connectAddress);
+    LOG.info("ContainerManager bound to " + initialAddress);
     super.serviceStart();
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java
index 554b368dd5f..64a0b37cc31 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java
@@ -81,6 +81,7 @@
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.factories.RecordFactory;
 import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
+import org.apache.hadoop.yarn.ipc.RPCUtil;
 import org.apache.hadoop.yarn.ipc.YarnRPC;
 import org.apache.hadoop.yarn.proto.YarnProtos.LocalResourceProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.LocalizedResourceProto;
@@ -251,6 +252,7 @@ public void serviceInit(Configuration conf) throws Exception {
     cacheCleanupPeriod =
       conf.getLong(YarnConfiguration.NM_LOCALIZER_CACHE_CLEANUP_INTERVAL_MS, YarnConfiguration.DEFAULT_NM_LOCALIZER_CACHE_CLEANUP_INTERVAL_MS);
     localizationServerAddress = conf.getSocketAddr(
+        YarnConfiguration.NM_BIND_HOST,
         YarnConfiguration.NM_LOCALIZER_ADDRESS,
         YarnConfiguration.DEFAULT_NM_LOCALIZER_ADDRESS,
         YarnConfiguration.DEFAULT_NM_LOCALIZER_PORT);
@@ -341,7 +343,9 @@ public void serviceStart() throws Exception {
     server = createServer();
     server.start();
     localizationServerAddress =
-        getConfig().updateConnectAddr(YarnConfiguration.NM_LOCALIZER_ADDRESS,
+        getConfig().updateConnectAddr(YarnConfiguration.NM_BIND_HOST,
+                                      YarnConfiguration.NM_LOCALIZER_ADDRESS,
+                                      YarnConfiguration.DEFAULT_NM_LOCALIZER_ADDRESS,
                                       server.getListenerAddress());
     LOG.info("Localizer started on port " + server.getPort());
     super.serviceStart();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/WebServer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/WebServer.java
index 2f78ec4cb27..ca2f239e223 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/WebServer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/WebServer.java
@@ -55,7 +55,9 @@ public WebServer(Context nmContext, ResourceView resourceView,
 
   @Override
   protected void serviceStart() throws Exception {
-    String bindAddress = WebAppUtils.getNMWebAppURLWithoutScheme(getConfig());
+    String bindAddress = WebAppUtils.getWebAppBindURL(getConfig(),
+                          YarnConfiguration.NM_BIND_HOST,
+                          WebAppUtils.getNMWebAppURLWithoutScheme(getConfig()));
     
     LOG.info("Instantiating NMWebApp at " + bindAddress);
     try {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
index 1d2f376d325..c47f49e207e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
@@ -90,7 +90,9 @@ public class AdminService extends CompositeService implements
   private EmbeddedElectorService embeddedElector;
 
   private Server server;
-  private InetSocketAddress masterServiceAddress;
+
+  // Address to use for binding. May be a wildcard address.
+  private InetSocketAddress masterServiceBindAddress;
   private AccessControlList adminAcl;
 
   private final RecordFactory recordFactory = 
@@ -114,10 +116,12 @@ public void serviceInit(Configuration conf) throws Exception {
       }
     }
 
-    masterServiceAddress = conf.getSocketAddr(
+    masterServiceBindAddress = conf.getSocketAddr(
+        YarnConfiguration.RM_BIND_HOST,
         YarnConfiguration.RM_ADMIN_ADDRESS,
         YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
         YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
+
     adminAcl = new AccessControlList(conf.get(
         YarnConfiguration.YARN_ADMIN_ACL,
         YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
@@ -141,7 +145,7 @@ protected void startServer() throws Exception {
     Configuration conf = getConfig();
     YarnRPC rpc = YarnRPC.create(conf);
     this.server = (Server) rpc.getServer(
-        ResourceManagerAdministrationProtocol.class, this, masterServiceAddress,
+        ResourceManagerAdministrationProtocol.class, this, masterServiceBindAddress,
         conf, null,
         conf.getInt(YarnConfiguration.RM_ADMIN_CLIENT_THREAD_COUNT,
             YarnConfiguration.DEFAULT_RM_ADMIN_CLIENT_THREAD_COUNT));
@@ -170,8 +174,10 @@ protected void startServer() throws Exception {
     }
 
     this.server.start();
-    conf.updateConnectAddr(YarnConfiguration.RM_ADMIN_ADDRESS,
-        server.getListenerAddress());
+    conf.updateConnectAddr(YarnConfiguration.RM_BIND_HOST,
+                           YarnConfiguration.RM_ADMIN_ADDRESS,
+                           YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
+                           server.getListenerAddress());
   }
 
   protected void stopServer() throws Exception {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java
index e60add44bb1..eda4c7b658e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java
@@ -127,6 +127,7 @@ protected void serviceStart() throws Exception {
     YarnRPC rpc = YarnRPC.create(conf);
 
     InetSocketAddress masterServiceAddress = conf.getSocketAddr(
+        YarnConfiguration.RM_BIND_HOST,
         YarnConfiguration.RM_SCHEDULER_ADDRESS,
         YarnConfiguration.DEFAULT_RM_SCHEDULER_ADDRESS,
         YarnConfiguration.DEFAULT_RM_SCHEDULER_PORT);
@@ -159,7 +160,9 @@ protected void serviceStart() throws Exception {
     
     this.server.start();
     this.bindAddress =
-        conf.updateConnectAddr(YarnConfiguration.RM_SCHEDULER_ADDRESS,
+        conf.updateConnectAddr(YarnConfiguration.RM_BIND_HOST,
+                               YarnConfiguration.RM_SCHEDULER_ADDRESS,
+                               YarnConfiguration.DEFAULT_RM_SCHEDULER_ADDRESS,
                                server.getListenerAddress());
     super.serviceStart();
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java
index 974376091b0..71f873c26a4 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java
@@ -199,7 +199,9 @@ protected void serviceStart() throws Exception {
     }
     
     this.server.start();
-    clientBindAddress = conf.updateConnectAddr(YarnConfiguration.RM_ADDRESS,
+    clientBindAddress = conf.updateConnectAddr(YarnConfiguration.RM_BIND_HOST,
+                                               YarnConfiguration.RM_ADDRESS,
+                                               YarnConfiguration.DEFAULT_RM_ADDRESS,
                                                server.getListenerAddress());
     super.serviceStart();
   }
@@ -213,7 +215,9 @@ protected void serviceStop() throws Exception {
   }
 
   InetSocketAddress getBindAddress(Configuration conf) {
-    return conf.getSocketAddr(YarnConfiguration.RM_ADDRESS,
+    return conf.getSocketAddr(
+            YarnConfiguration.RM_BIND_HOST,
+            YarnConfiguration.RM_ADDRESS,
             YarnConfiguration.DEFAULT_RM_ADDRESS,
             YarnConfiguration.DEFAULT_RM_PORT);
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
index 4b5d94875ad..40e346c680a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
@@ -155,7 +155,8 @@ public class ResourceManager extends CompositeService implements Recoverable {
   private AppReportFetcher fetcher = null;
   protected ResourceTrackerService resourceTracker;
 
-  private String webAppAddress;
+  @VisibleForTesting
+  protected String webAppAddress;
   private ConfigurationProvider configurationProvider = null;
   /** End of Active services */
 
@@ -230,7 +231,9 @@ protected void serviceInit(Configuration conf) throws Exception {
     }
     createAndInitActiveServices();
 
-    webAppAddress = WebAppUtils.getRMWebAppURLWithoutScheme(this.conf);
+    webAppAddress = WebAppUtils.getWebAppBindURL(this.conf,
+                      YarnConfiguration.RM_BIND_HOST,
+                      WebAppUtils.getRMWebAppURLWithoutScheme(this.conf));
 
     this.rmLoginUGI = UserGroupInformation.getCurrentUser();
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java
index f2a83763bc8..6eebb4d7bff 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java
@@ -42,6 +42,7 @@
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.factories.RecordFactory;
 import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
+import org.apache.hadoop.yarn.ipc.RPCUtil;
 import org.apache.hadoop.yarn.ipc.YarnRPC;
 import org.apache.hadoop.yarn.server.api.ResourceTracker;
 import org.apache.hadoop.yarn.server.api.protocolrecords.NMContainerStatus;
@@ -121,6 +122,7 @@ public ResourceTrackerService(RMContext rmContext,
   @Override
   protected void serviceInit(Configuration conf) throws Exception {
     resourceTrackerAddress = conf.getSocketAddr(
+        YarnConfiguration.RM_BIND_HOST,
         YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS,
         YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS,
         YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_PORT);
@@ -175,9 +177,11 @@ protected void serviceStart() throws Exception {
       }
       refreshServiceAcls(conf, RMPolicyProvider.getInstance());
     }
-
+ 
     this.server.start();
-    conf.updateConnectAddr(YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS,
+    conf.updateConnectAddr(YarnConfiguration.RM_BIND_HOST,
+			   YarnConfiguration.RM_RESOURCE_TRACKER_ADDRESS,
+			   YarnConfiguration.DEFAULT_RM_RESOURCE_TRACKER_ADDRESS,
                            server.getListenerAddress());
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMHA.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMHA.java
index 610023b73dc..b8290de5127 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMHA.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMHA.java
@@ -380,7 +380,19 @@ public void testHAIDLookup() {
   }
 
   @Test
-  public void testHAWithRMHostName() {
+  public void testHAWithRMHostName() throws Exception {
+    innerTestHAWithRMHostName(false);
+    configuration.clear();
+    setUp();
+    innerTestHAWithRMHostName(true);
+  }
+
+  public void innerTestHAWithRMHostName(boolean includeBindHost) {
+    //this is run two times, with and without a bind host configured
+    if (includeBindHost) {
+      configuration.set(YarnConfiguration.RM_BIND_HOST, "9.9.9.9");
+    }
+
     //test if both RM_HOSTBANE_{rm_id} and RM_RPCADDRESS_{rm_id} are set
     //We should only read rpc addresses from RM_RPCADDRESS_{rm_id} configuration
     configuration.set(HAUtil.addSuffix(YarnConfiguration.RM_HOSTNAME,
@@ -400,6 +412,15 @@ public void testHAWithRMHostName() {
             RM2_ADDRESS, conf.get(HAUtil.addSuffix(confKey, RM2_NODE_ID)));
         assertEquals("RPC address not set for " + confKey,
             RM3_ADDRESS, conf.get(HAUtil.addSuffix(confKey, RM3_NODE_ID)));
+        if (includeBindHost) {
+          assertEquals("Web address misconfigured WITH bind-host",
+                       rm.webAppAddress.substring(0, 7), "9.9.9.9");
+        } else {
+          //YarnConfiguration tries to figure out which rm host it's on by binding to it,
+          //which doesn't happen for any of these fake addresses, so we end up with 0.0.0.0
+          assertEquals("Web address misconfigured WITHOUT bind-host",
+                       rm.webAppAddress.substring(0, 7), "0.0.0.0");
+        }
       }
     } catch (YarnRuntimeException e) {
       fail("Should not throw any exceptions.");

From beebb36595317153b240ab7aa6bc46ead8112560 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Thu, 31 Jul 2014 22:45:08 +0000
Subject: [PATCH 092/354] Fix some merge errors that slipped through.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1615013 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop/hdfs/protocol/ClientProtocol.java    | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index b3b9573d462..effc10d9fe5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -1336,28 +1336,11 @@ public List<XAttr> listXAttrs(String src)
   
   /**
    * Remove xattr of a file or directory.Value in xAttr parameter is ignored.
-<<<<<<< .working
-   * Name must be prefixed with user/trusted/security/system/raw.
-=======
    * The name must be prefixed with the namespace followed by ".". For example,
    * "user.attr".
->>>>>>> .merge-right.r1614550
    * <p/>
-<<<<<<< .working
-   * A regular user only can remove xattr of "user" namespace.
-   * A super user can remove xattr of "user" and "trusted" namespace.
-   * XAttr of "security" and "system" namespace is only used/exposed 
-   * internally to the FS impl.
-   * The xattrs of the "raw" namespace are only used/exposed when accessed in
-   * the /.reserved/raw HDFS directory hierarchy. These attributes can only be
-   * accessed by the superuser.
-   * <p/>
-   * @see <a href="http://en.wikipedia.org/wiki/Extended_file_attributes">
-   * http://en.wikipedia.org/wiki/Extended_file_attributes</a>
-=======
    * Refer to the HDFS extended attributes user documentation for details.
    *
->>>>>>> .merge-right.r1614550
    * @param src file or directory
    * @param xAttr <code>XAttr</code> to remove
    * @throws IOException

From b8597e6a10b2e8df1bee4e8ce0c8be345f7e007d Mon Sep 17 00:00:00 2001
From: Tsz-wo Sze <szetszwo@apache.org>
Date: Fri, 1 Aug 2014 01:05:33 +0000
Subject: [PATCH 093/354] HDFS-6685. Balancer should preserve storage type of
 replicas.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615015 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   2 +
 .../org/apache/hadoop/hdfs/StorageType.java   |  10 +
 .../hadoop/hdfs/protocolPB/PBHelper.java      |   8 +-
 .../hadoop/hdfs/server/balancer/Balancer.java | 682 ++++++++++--------
 .../hdfs/server/balancer/BalancingPolicy.java |  86 ++-
 .../server/blockmanagement/BlockManager.java  |   5 +-
 .../server/protocol/BlocksWithLocations.java  |  25 +-
 .../apache/hadoop/hdfs/util/EnumCounters.java |   9 +-
 .../apache/hadoop/hdfs/util/EnumDoubles.java  | 128 ++++
 .../hadoop-hdfs/src/main/proto/hdfs.proto     |   1 +
 .../hadoop/hdfs/protocolPB/TestPBHelper.java  |   4 +-
 11 files changed, 619 insertions(+), 341 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/util/EnumDoubles.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 880e209f97e..72268d30554 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -338,6 +338,8 @@ Release 2.6.0 - UNRELEASED
     HDFS-6441. Add ability to exclude/include specific datanodes while
     balancing. (Benoy Antony and Yu Li via Arpit Agarwal)
 
+    HDFS-6685. Balancer should preserve storage type of replicas.  (szetszwo)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/StorageType.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/StorageType.java
index 408f678d650..3d8133c7ce5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/StorageType.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/StorageType.java
@@ -18,6 +18,9 @@
 
 package org.apache.hadoop.hdfs;
 
+import java.util.Arrays;
+import java.util.List;
+
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 
@@ -32,4 +35,11 @@ public enum StorageType {
   SSD;
 
   public static final StorageType DEFAULT = DISK;
+  public static final StorageType[] EMPTY_ARRAY = {};
+  
+  private static final StorageType[] VALUES = values();
+  
+  public static List<StorageType> asList() {
+    return Arrays.asList(VALUES);
+  }
 }
\ No newline at end of file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index 9ca93a5ae29..7e98a88bf72 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -352,15 +352,19 @@ public static BlockWithLocationsProto convert(BlockWithLocations blk) {
     return BlockWithLocationsProto.newBuilder()
         .setBlock(convert(blk.getBlock()))
         .addAllDatanodeUuids(Arrays.asList(blk.getDatanodeUuids()))
-        .addAllStorageUuids(Arrays.asList(blk.getStorageIDs())).build();
+        .addAllStorageUuids(Arrays.asList(blk.getStorageIDs()))
+        .addAllStorageTypes(convertStorageTypes(blk.getStorageTypes()))
+        .build();
   }
 
   public static BlockWithLocations convert(BlockWithLocationsProto b) {
     final List<String> datanodeUuids = b.getDatanodeUuidsList();
     final List<String> storageUuids = b.getStorageUuidsList();
+    final List<StorageTypeProto> storageTypes = b.getStorageTypesList();
     return new BlockWithLocations(convert(b.getBlock()),
         datanodeUuids.toArray(new String[datanodeUuids.size()]),
-        storageUuids.toArray(new String[storageUuids.size()]));
+        storageUuids.toArray(new String[storageUuids.size()]),
+        convertStorageTypes(storageTypes, storageUuids.size()));
   }
 
   public static BlocksWithLocationsProto convert(BlocksWithLocations blks) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
index 1ddb3a41993..dad39494861 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
@@ -38,6 +38,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
+import java.util.EnumMap;
 import java.util.Formatter;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -79,6 +80,8 @@
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants;
 import org.apache.hadoop.hdfs.server.namenode.UnsupportedActionException;
 import org.apache.hadoop.hdfs.server.protocol.BlocksWithLocations.BlockWithLocations;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
+import org.apache.hadoop.hdfs.server.protocol.StorageReport;
 import org.apache.hadoop.io.IOUtils;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.net.NetworkTopology;
@@ -90,6 +93,8 @@
 import org.apache.hadoop.util.Tool;
 import org.apache.hadoop.util.ToolRunner;
 
+import com.google.common.base.Preconditions;
+
 /** <p>The balancer is a tool that balances disk space usage on an HDFS cluster
  * when some datanodes become full or when new empty nodes join the cluster.
  * The tool is deployed as an application program that can be run by the 
@@ -190,7 +195,9 @@
 @InterfaceAudience.Private
 public class Balancer {
   static final Log LOG = LogFactory.getLog(Balancer.class);
-  final private static long MAX_BLOCKS_SIZE_TO_FETCH = 2*1024*1024*1024L; //2GB
+  final private static long GB = 1L << 30; //1GB
+  final private static long MAX_SIZE_TO_MOVE = 10*GB;
+  final private static long MAX_BLOCKS_SIZE_TO_FETCH = 2*GB;
   private static long WIN_WIDTH = 5400*1000L; // 1.5 hour
 
   /** The maximum number of concurrent blocks moves for 
@@ -221,26 +228,22 @@ public class Balancer {
   Set<String> nodesToBeIncluded;
   
   // all data node lists
-  private final Collection<Source> overUtilizedDatanodes
-                               = new LinkedList<Source>();
-  private final Collection<Source> aboveAvgUtilizedDatanodes
-                               = new LinkedList<Source>();
-  private final Collection<BalancerDatanode> belowAvgUtilizedDatanodes
-                               = new LinkedList<BalancerDatanode>();
-  private final Collection<BalancerDatanode> underUtilizedDatanodes
-                               = new LinkedList<BalancerDatanode>();
+  private final Collection<Source> overUtilized = new LinkedList<Source>();
+  private final Collection<Source> aboveAvgUtilized = new LinkedList<Source>();
+  private final Collection<BalancerDatanode.StorageGroup> belowAvgUtilized
+      = new LinkedList<BalancerDatanode.StorageGroup>();
+  private final Collection<BalancerDatanode.StorageGroup> underUtilized
+      = new LinkedList<BalancerDatanode.StorageGroup>();
   
-  private final Collection<Source> sources
-                               = new HashSet<Source>();
-  private final Collection<BalancerDatanode> targets
-                               = new HashSet<BalancerDatanode>();
+  private final Collection<Source> sources = new HashSet<Source>();
+  private final Collection<BalancerDatanode.StorageGroup> targets
+      = new HashSet<BalancerDatanode.StorageGroup>();
   
   private final Map<Block, BalancerBlock> globalBlockList
                  = new HashMap<Block, BalancerBlock>();
   private final MovedBlocks movedBlocks = new MovedBlocks();
-  /** Map (datanodeUuid -> BalancerDatanodes) */
-  private final Map<String, BalancerDatanode> datanodeMap
-      = new HashMap<String, BalancerDatanode>();
+  /** Map (datanodeUuid,storageType -> StorageGroup) */
+  private final StorageGroupMap storageGroupMap = new StorageGroupMap();
   
   private NetworkTopology cluster;
 
@@ -248,12 +251,39 @@ public class Balancer {
   private final ExecutorService dispatcherExecutor;
   private final int maxConcurrentMovesPerNode;
 
+
+  private static class StorageGroupMap {
+    private static String toKey(String datanodeUuid, StorageType storageType) {
+      return datanodeUuid + ":" + storageType;
+    }
+
+    private final Map<String, BalancerDatanode.StorageGroup> map
+        = new HashMap<String, BalancerDatanode.StorageGroup>();
+    
+    BalancerDatanode.StorageGroup get(String datanodeUuid, StorageType storageType) {
+      return map.get(toKey(datanodeUuid, storageType));
+    }
+    
+    void put(BalancerDatanode.StorageGroup g) {
+      final String key = toKey(g.getDatanode().getDatanodeUuid(), g.storageType);
+      final BalancerDatanode.StorageGroup existing = map.put(key, g);
+      Preconditions.checkState(existing == null);
+    }
+    
+    int size() {
+      return map.size();
+    }
+    
+    void clear() {
+      map.clear();
+    }
+  }
   /* This class keeps track of a scheduled block move */
   private class PendingBlockMove {
     private BalancerBlock block;
     private Source source;
     private BalancerDatanode proxySource;
-    private BalancerDatanode target;
+    private BalancerDatanode.StorageGroup target;
     
     /** constructor */
     private PendingBlockMove() {
@@ -264,7 +294,7 @@ public String toString() {
       final Block b = block.getBlock();
       return b + " with size=" + b.getNumBytes() + " from "
           + source.getDisplayName() + " to " + target.getDisplayName()
-          + " through " + proxySource.getDisplayName();
+          + " through " + proxySource.datanode;
     }
 
     /* choose a block & a proxy source for this pendingMove 
@@ -316,20 +346,20 @@ private boolean chooseProxySource() {
       final DatanodeInfo targetDN = target.getDatanode();
       // if node group is supported, first try add nodes in the same node group
       if (cluster.isNodeGroupAware()) {
-        for (BalancerDatanode loc : block.getLocations()) {
+        for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
           if (cluster.isOnSameNodeGroup(loc.getDatanode(), targetDN) && addTo(loc)) {
             return true;
           }
         }
       }
       // check if there is replica which is on the same rack with the target
-      for (BalancerDatanode loc : block.getLocations()) {
+      for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
         if (cluster.isOnSameRack(loc.getDatanode(), targetDN) && addTo(loc)) {
           return true;
         }
       }
       // find out a non-busy replica
-      for (BalancerDatanode loc : block.getLocations()) {
+      for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
         if (addTo(loc)) {
           return true;
         }
@@ -337,8 +367,9 @@ private boolean chooseProxySource() {
       return false;
     }
     
-    // add a BalancerDatanode as proxy source for specific block movement
-    private boolean addTo(BalancerDatanode bdn) {
+    /** add to a proxy source for specific block movement */
+    private boolean addTo(BalancerDatanode.StorageGroup g) {
+      final BalancerDatanode bdn = g.getBalancerDatanode();
       if (bdn.addPendingBlock(this)) {
         proxySource = bdn;
         return true;
@@ -354,7 +385,7 @@ private void dispatch() {
       DataInputStream in = null;
       try {
         sock.connect(
-            NetUtils.createSocketAddr(target.datanode.getXferAddr()),
+            NetUtils.createSocketAddr(target.getDatanode().getXferAddr()),
             HdfsServerConstants.READ_TIMEOUT);
         /* Unfortunately we don't have a good way to know if the Datanode is
          * taking a really long time to move a block, OR something has
@@ -371,7 +402,7 @@ private void dispatch() {
         ExtendedBlock eb = new ExtendedBlock(nnc.blockpoolID, block.getBlock());
         Token<BlockTokenIdentifier> accessToken = nnc.getAccessToken(eb);
         IOStreamPair saslStreams = saslClient.socketSend(sock, unbufOut,
-          unbufIn, nnc, accessToken, target.datanode);
+          unbufIn, nnc, accessToken, target.getDatanode());
         unbufOut = saslStreams.out;
         unbufIn = saslStreams.in;
         out = new DataOutputStream(new BufferedOutputStream(unbufOut,
@@ -391,14 +422,14 @@ private void dispatch() {
          * gets out of sync with work going on in datanode.
          */
         proxySource.activateDelay(DELAY_AFTER_ERROR);
-        target.activateDelay(DELAY_AFTER_ERROR);
+        target.getBalancerDatanode().activateDelay(DELAY_AFTER_ERROR);
       } finally {
         IOUtils.closeStream(out);
         IOUtils.closeStream(in);
         IOUtils.closeSocket(sock);
         
         proxySource.removePendingBlock(this);
-        target.removePendingBlock(this);
+        target.getBalancerDatanode().removePendingBlock(this);
 
         synchronized (this ) {
           reset();
@@ -414,7 +445,7 @@ private void sendRequest(DataOutputStream out, ExtendedBlock eb,
         StorageType storageType, 
         Token<BlockTokenIdentifier> accessToken) throws IOException {
       new Sender(out).replaceBlock(eb, storageType, accessToken,
-          source.getStorageID(), proxySource.getDatanode());
+          source.getDatanode().getDatanodeUuid(), proxySource.datanode);
     }
     
     /* Receive a block copy response from the input stream */ 
@@ -454,8 +485,9 @@ public void run() {
   /* A class for keeping track of blocks in the Balancer */
   static private class BalancerBlock {
     private final Block block; // the block
-    private final List<BalancerDatanode> locations
-            = new ArrayList<BalancerDatanode>(3); // its locations
+    /** The locations of the replicas of the block. */
+    private final List<BalancerDatanode.StorageGroup> locations
+        = new ArrayList<BalancerDatanode.StorageGroup>(3);
     
     /* Constructor */
     private BalancerBlock(Block block) {
@@ -468,20 +500,19 @@ private synchronized void clearLocations() {
     }
     
     /* add a location */
-    private synchronized void addLocation(BalancerDatanode datanode) {
-      if (!locations.contains(datanode)) {
-        locations.add(datanode);
+    private synchronized void addLocation(BalancerDatanode.StorageGroup g) {
+      if (!locations.contains(g)) {
+        locations.add(g);
       }
     }
     
-    /* Return if the block is located on <code>datanode</code> */
-    private synchronized boolean isLocatedOnDatanode(
-        BalancerDatanode datanode) {
-      return locations.contains(datanode);
+    /** @return if the block is located on the given storage group. */
+    private synchronized boolean isLocatedOn(BalancerDatanode.StorageGroup g) {
+      return locations.contains(g);
     }
     
     /* Return its locations */
-    private synchronized List<BalancerDatanode> getLocations() {
+    private synchronized List<BalancerDatanode.StorageGroup> getLocations() {
       return locations;
     }
     
@@ -498,37 +529,84 @@ private long getNumBytes() {
   
   /* The class represents a desired move of bytes between two nodes 
    * and the target.
-   * An object of this class is stored in a source node. 
+   * An object of this class is stored in a source. 
    */
-  static private class NodeTask {
-    private final BalancerDatanode datanode; //target node
+  static private class Task {
+    private final BalancerDatanode.StorageGroup target;
     private long size;  //bytes scheduled to move
     
     /* constructor */
-    private NodeTask(BalancerDatanode datanode, long size) {
-      this.datanode = datanode;
+    private Task(BalancerDatanode.StorageGroup target, long size) {
+      this.target = target;
       this.size = size;
     }
-    
-    /* Get the node */
-    private BalancerDatanode getDatanode() {
-      return datanode;
-    }
-    
-    /* Get the number of bytes that need to be moved */
-    private long getSize() {
-      return size;
-    }
   }
   
   
   /* A class that keeps track of a datanode in Balancer */
   private static class BalancerDatanode {
-    final private static long MAX_SIZE_TO_MOVE = 10*1024*1024*1024L; //10GB
+    
+    /** A group of storages in a datanode with the same storage type. */
+    private class StorageGroup {
+      final StorageType storageType;
+      final double utilization;
+      final long maxSize2Move;
+      private long scheduledSize = 0L;
+
+      private StorageGroup(StorageType storageType, double utilization,
+          long maxSize2Move) {
+        this.storageType = storageType;
+        this.utilization = utilization;
+        this.maxSize2Move = maxSize2Move;
+      }
+      
+      BalancerDatanode getBalancerDatanode() {
+        return BalancerDatanode.this;
+      }
+
+      DatanodeInfo getDatanode() {
+        return BalancerDatanode.this.datanode;
+      }
+
+      /** Decide if still need to move more bytes */
+      protected synchronized boolean hasSpaceForScheduling() {
+        return availableSizeToMove() > 0L;
+      }
+
+      /** @return the total number of bytes that need to be moved */
+      synchronized long availableSizeToMove() {
+        return maxSize2Move - scheduledSize;
+      }
+      
+      /** increment scheduled size */
+      synchronized void incScheduledSize(long size) {
+        scheduledSize += size;
+      }
+      
+      /** @return scheduled size */
+      synchronized long getScheduledSize() {
+        return scheduledSize;
+      }
+      
+      /** Reset scheduled size to zero. */
+      synchronized void resetScheduledSize() {
+        scheduledSize = 0L;
+      }
+
+      /** @return the name for display */
+      String getDisplayName() {
+        return datanode + ":" + storageType;
+      }
+      
+      @Override
+      public String toString() {
+        return "" + utilization;
+      }
+    }
+
     final DatanodeInfo datanode;
-    final double utilization;
-    final long maxSize2Move;
-    private long scheduledSize = 0L;
+    final EnumMap<StorageType, StorageGroup> storageMap
+        = new EnumMap<StorageType, StorageGroup>(StorageType.class);
     protected long delayUntil = 0L;
     //  blocks being moved but not confirmed yet
     private final List<PendingBlockMove> pendingBlocks;
@@ -536,78 +614,38 @@ private static class BalancerDatanode {
     
     @Override
     public String toString() {
-      return getClass().getSimpleName() + "[" + datanode
-          + ", utilization=" + utilization + "]";
+      return getClass().getSimpleName() + ":" + datanode + ":" + storageMap;
     }
 
     /* Constructor 
      * Depending on avgutil & threshold, calculate maximum bytes to move 
      */
-    private BalancerDatanode(DatanodeInfo node, BalancingPolicy policy, double threshold,
-        int maxConcurrentMoves) {
-      datanode = node;
-      utilization = policy.getUtilization(node);
-      final double avgUtil = policy.getAvgUtilization();
-      long maxSizeToMove;
-
-      if (utilization >= avgUtil+threshold
-          || utilization <= avgUtil-threshold) { 
-        maxSizeToMove = (long)(threshold*datanode.getCapacity()/100);
-      } else {
-        maxSizeToMove = 
-          (long)(Math.abs(avgUtil-utilization)*datanode.getCapacity()/100);
-      }
-      if (utilization < avgUtil ) {
-        maxSizeToMove = Math.min(datanode.getRemaining(), maxSizeToMove);
-      }
-      this.maxSize2Move = Math.min(MAX_SIZE_TO_MOVE, maxSizeToMove);
+    private BalancerDatanode(DatanodeStorageReport report,
+        double threshold, int maxConcurrentMoves) {
+      this.datanode = report.getDatanodeInfo();
       this.maxConcurrentMoves = maxConcurrentMoves;
       this.pendingBlocks = new ArrayList<PendingBlockMove>(maxConcurrentMoves);
     }
     
-    /** Get the datanode */
-    protected DatanodeInfo getDatanode() {
-      return datanode;
-    }
-    
-    /** Get the name of the datanode */
-    protected String getDisplayName() {
-      return datanode.toString();
-    }
-    
-    /* Get the storage id of the datanode */
-    protected String getStorageID() {
-      return datanode.getDatanodeUuid();
-    }
-    
-    /** Decide if still need to move more bytes */
-    protected synchronized boolean hasSpaceForScheduling() {
-      return scheduledSize<maxSize2Move;
+    private void put(StorageType storageType, StorageGroup g) {
+      final StorageGroup existing = storageMap.put(storageType, g);
+      Preconditions.checkState(existing == null);
     }
 
-    /** Return the total number of bytes that need to be moved */
-    protected synchronized long availableSizeToMove() {
-      return maxSize2Move-scheduledSize;
+    StorageGroup addStorageGroup(StorageType storageType, double utilization,
+        long maxSize2Move) {
+      final StorageGroup g = new StorageGroup(storageType, utilization,
+          maxSize2Move);
+      put(storageType, g);
+      return g;
     }
-    
-    /** increment scheduled size */
-    protected synchronized void incScheduledSize(long size) {
-      scheduledSize += size;
-    }
-    
-    /** decrement scheduled size */
-    protected synchronized void decScheduledSize(long size) {
-      scheduledSize -= size;
-    }
-    
-    /** get scheduled size */
-    protected synchronized long getScheduledSize(){
-      return scheduledSize;
-    }
-    
-    /** get scheduled size */
-    protected synchronized void setScheduledSize(long size){
-      scheduledSize = size;
+
+    Source addSource(StorageType storageType, double utilization,
+        long maxSize2Move, Balancer balancer) {
+      final Source s = balancer.new Source(storageType, utilization,
+          maxSize2Move, this);
+      put(storageType, s);
+      return s;
     }
 
     synchronized private void activateDelay(long delta) {
@@ -650,9 +688,9 @@ private synchronized boolean  removePendingBlock(
       return pendingBlocks.remove(pendingBlock);
     }
   }
-  
+
   /** A node that can be the sources of a block move */
-  private class Source extends BalancerDatanode {
+  private class Source extends BalancerDatanode.StorageGroup {
     
     /* A thread that initiates a block move 
      * and waits for block move to complete */
@@ -663,7 +701,7 @@ public void run() {
       }
     }
     
-    private final ArrayList<NodeTask> nodeTasks = new ArrayList<NodeTask>(2);
+    private final List<Task> tasks = new ArrayList<Task>(2);
     private long blocksToReceive = 0L;
     /* source blocks point to balancerBlocks in the global list because
      * we want to keep one copy of a block in balancer and be aware that
@@ -673,17 +711,17 @@ public void run() {
             = new ArrayList<BalancerBlock>();
     
     /* constructor */
-    private Source(DatanodeInfo node, BalancingPolicy policy, double threshold,
-        int maxConcurrentMoves) {
-      super(node, policy, threshold, maxConcurrentMoves);
+    private Source(StorageType storageType, double utilization,
+        long maxSize2Move, BalancerDatanode dn) {
+      dn.super(storageType, utilization, maxSize2Move);
     }
     
-    /** Add a node task */
-    private void addNodeTask(NodeTask task) {
-      assert (task.datanode != this) :
-        "Source and target are the same " + datanode;
-      incScheduledSize(task.getSize());
-      nodeTasks.add(task);
+    /** Add a task */
+    private void addTask(Task task) {
+      Preconditions.checkState(task.target != this,
+          "Source and target are the same storage group " + getDisplayName());
+      incScheduledSize(task.size);
+      tasks.add(task);
     }
     
     /* Return an iterator to this source's blocks */
@@ -696,8 +734,10 @@ private Iterator<BalancerBlock> getBlockIterator() {
      * Return the total size of the received blocks in the number of bytes.
      */
     private long getBlockList() throws IOException {
-      BlockWithLocations[] newBlocks = nnc.namenode.getBlocks(datanode, 
-        Math.min(MAX_BLOCKS_SIZE_TO_FETCH, blocksToReceive)).getBlocks();
+      final long size = Math.min(MAX_BLOCKS_SIZE_TO_FETCH, blocksToReceive);
+      final BlockWithLocations[] newBlocks = nnc.namenode.getBlocks(
+          getDatanode(), size).getBlocks();
+
       long bytesReceived = 0;
       for (BlockWithLocations blk : newBlocks) {
         bytesReceived += blk.getBlock().getNumBytes();
@@ -713,10 +753,13 @@ private long getBlockList() throws IOException {
         
           synchronized (block) {
             // update locations
-            for (String datanodeUuid : blk.getDatanodeUuids()) {
-              final BalancerDatanode d = datanodeMap.get(datanodeUuid);
-              if (d != null) { // not an unknown datanode
-                block.addLocation(d);
+            final String[] datanodeUuids = blk.getDatanodeUuids();
+            final StorageType[] storageTypes = blk.getStorageTypes();
+            for (int i = 0; i < datanodeUuids.length; i++) {
+              final BalancerDatanode.StorageGroup g = storageGroupMap.get(
+                  datanodeUuids[i], storageTypes[i]);
+              if (g != null) { // not unknown
+                block.addLocation(g);
               }
             }
           }
@@ -731,8 +774,8 @@ private long getBlockList() throws IOException {
 
     /* Decide if the given block is a good candidate to move or not */
     private boolean isGoodBlockCandidate(BalancerBlock block) {
-      for (NodeTask nodeTask : nodeTasks) {
-        if (Balancer.this.isGoodBlockCandidate(this, nodeTask.datanode, block)) {
+      for (Task t : tasks) {
+        if (Balancer.this.isGoodBlockCandidate(this, t.target, block)) {
           return true;
         }
       }
@@ -747,20 +790,20 @@ private boolean isGoodBlockCandidate(BalancerBlock block) {
      * The block should be dispatched immediately after this method is returned.
      */
     private PendingBlockMove chooseNextBlockToMove() {
-      for ( Iterator<NodeTask> tasks=nodeTasks.iterator(); tasks.hasNext(); ) {
-        NodeTask task = tasks.next();
-        BalancerDatanode target = task.getDatanode();
+      for (Iterator<Task> i = tasks.iterator(); i.hasNext();) {
+        final Task task = i.next();
+        final BalancerDatanode target = task.target.getBalancerDatanode();
         PendingBlockMove pendingBlock = new PendingBlockMove();
         if (target.addPendingBlock(pendingBlock)) { 
           // target is not busy, so do a tentative block allocation
           pendingBlock.source = this;
-          pendingBlock.target = target;
+          pendingBlock.target = task.target;
           if ( pendingBlock.chooseBlockAndProxy() ) {
             long blockSize = pendingBlock.block.getNumBytes();
-            decScheduledSize(blockSize);
+            incScheduledSize(-blockSize);
             task.size -= blockSize;
             if (task.size == 0) {
-              tasks.remove();
+              i.remove();
             }
             return pendingBlock;
           } else {
@@ -834,7 +877,7 @@ private void dispatchBlocks() {
           // in case no blocks can be moved for source node's task,
           // jump out of while-loop after 5 iterations.
           if (noPendingBlockIteration >= MAX_NO_PENDING_BLOCK_ITERATIONS) {
-            setScheduledSize(0);
+            resetScheduledSize();
           }
         }
         
@@ -901,108 +944,154 @@ private static void checkReplicationPolicyCompatibility(Configuration conf
         IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT));
   }
   
-  /* Given a data node set, build a network topology and decide
-   * over-utilized datanodes, above average utilized datanodes, 
-   * below average utilized datanodes, and underutilized datanodes. 
-   * The input data node set is shuffled before the datanodes 
-   * are put into the over-utilized datanodes, above average utilized
-   * datanodes, below average utilized datanodes, and
-   * underutilized datanodes lists. This will add some randomness
-   * to the node matching later on.
-   * 
+  
+  private static long getCapacity(DatanodeStorageReport report, StorageType t) {
+    long capacity = 0L;
+    for(StorageReport r : report.getStorageReports()) {
+      if (r.getStorage().getStorageType() == t) {
+        capacity += r.getCapacity();
+      }
+    }
+    return capacity;
+  }
+
+  private static long getRemaining(DatanodeStorageReport report, StorageType t) {
+    long remaining = 0L;
+    for(StorageReport r : report.getStorageReports()) {
+      if (r.getStorage().getStorageType() == t) {
+        remaining += r.getRemaining();
+      }
+    }
+    return remaining;
+  }
+
+  private boolean shouldIgnore(DatanodeInfo dn) {
+    //ignore decommissioned nodes
+    final boolean decommissioned = dn.isDecommissioned();
+    //ignore decommissioning nodes
+    final boolean decommissioning = dn.isDecommissionInProgress();
+    // ignore nodes in exclude list
+    final boolean excluded = Util.shouldBeExcluded(nodesToBeExcluded, dn);
+    // ignore nodes not in the include list (if include list is not empty)
+    final boolean notIncluded = !Util.shouldBeIncluded(nodesToBeIncluded, dn);
+    
+    if (decommissioned || decommissioning || excluded || notIncluded) {
+      if (LOG.isTraceEnabled()) {
+        LOG.trace("Excluding datanode " + dn + ": " + decommissioned + ", "
+            + decommissioning + ", " + excluded + ", " + notIncluded);
+      }
+      return true;
+    }
+    return false;
+  }
+
+  /**
+   * Given a datanode storage set, build a network topology and decide
+   * over-utilized storages, above average utilized storages, 
+   * below average utilized storages, and underutilized storages. 
+   * The input datanode storage set is shuffled in order to randomize
+   * to the storage matching later on.
+   *
    * @return the total number of bytes that are 
    *                needed to move to make the cluster balanced.
-   * @param datanodes a set of datanodes
+   * @param reports a set of datanode storage reports
    */
-  private long initNodes(DatanodeInfo[] datanodes) {
+  private long init(DatanodeStorageReport[] reports) {
     // compute average utilization
-    for (DatanodeInfo datanode : datanodes) {
-     // ignore decommissioning or decommissioned nodes or
-      // ignore nodes in exclude list
-      // or nodes not in the include list (if include list is not empty)
-      if (datanode.isDecommissioned() || datanode.isDecommissionInProgress() ||
-          Util.shouldBeExcluded(nodesToBeExcluded, datanode) ||
-          !Util.shouldBeIncluded(nodesToBeIncluded, datanode)) {
-        continue;
+    for (DatanodeStorageReport r : reports) {
+      if (shouldIgnore(r.getDatanodeInfo())) {
+        continue; 
       }
-      policy.accumulateSpaces(datanode);
+      policy.accumulateSpaces(r);
     }
     policy.initAvgUtilization();
 
-    /*create network topology and all data node lists: 
-     * overloaded, above-average, below-average, and underloaded
-     * we alternates the accessing of the given datanodes array either by
-     * an increasing order or a decreasing order.
-     */  
+    // create network topology and classify utilization collections: 
+    //   over-utilized, above-average, below-average and under-utilized.
     long overLoadedBytes = 0L, underLoadedBytes = 0L;
-    for (DatanodeInfo datanode : DFSUtil.shuffle(datanodes)) {
-      // ignore decommissioning or decommissioned nodes or
-      // ignore nodes in exclude list
-      // or nodes not in the include list (if include list is not empty)
-      if (datanode.isDecommissioned() || datanode.isDecommissionInProgress() ||
-          Util.shouldBeExcluded(nodesToBeExcluded, datanode) ||
-          !Util.shouldBeIncluded(nodesToBeIncluded, datanode)) {
-        if (LOG.isTraceEnabled()) {
-          LOG.trace("Excluding datanode " + datanode);
-        }
-        continue;
+    for(DatanodeStorageReport r : DFSUtil.shuffle(reports)) {
+      final DatanodeInfo datanode = r.getDatanodeInfo();
+      if (shouldIgnore(datanode)) {
+        continue; // ignore decommissioning or decommissioned nodes
       }
       cluster.add(datanode);
-      BalancerDatanode datanodeS;
-      final double avg = policy.getAvgUtilization();
-      if (policy.getUtilization(datanode) >= avg) {
-        datanodeS = new Source(datanode, policy, threshold, maxConcurrentMovesPerNode);
-        if (isAboveAvgUtilized(datanodeS)) {
-          this.aboveAvgUtilizedDatanodes.add((Source)datanodeS);
-        } else {
-          assert(isOverUtilized(datanodeS)) :
-            datanodeS.getDisplayName()+ "is not an overUtilized node";
-          this.overUtilizedDatanodes.add((Source)datanodeS);
-          overLoadedBytes += (long)((datanodeS.utilization-avg
-              -threshold)*datanodeS.datanode.getCapacity()/100.0);
+
+      final BalancerDatanode dn = new BalancerDatanode(r, underLoadedBytes,
+          maxConcurrentMovesPerNode);
+      for(StorageType t : StorageType.asList()) {
+        final Double utilization = policy.getUtilization(r, t);
+        if (utilization == null) { // datanode does not have such storage type 
+          continue;
         }
-      } else {
-        datanodeS = new BalancerDatanode(datanode, policy, threshold,
-            maxConcurrentMovesPerNode);
-        if ( isBelowOrEqualAvgUtilized(datanodeS)) {
-          this.belowAvgUtilizedDatanodes.add(datanodeS);
+        
+        final long capacity = getCapacity(r, t);
+        final double utilizationDiff = utilization - policy.getAvgUtilization(t);
+        final double thresholdDiff = Math.abs(utilizationDiff) - threshold;
+        final long maxSize2Move = computeMaxSize2Move(capacity,
+            getRemaining(r, t), utilizationDiff, threshold);
+
+        final BalancerDatanode.StorageGroup g;
+        if (utilizationDiff > 0) {
+          final Source s = dn.addSource(t, utilization, maxSize2Move, this);
+          if (thresholdDiff <= 0) { // within threshold
+            aboveAvgUtilized.add(s);
+          } else {
+            overLoadedBytes += precentage2bytes(thresholdDiff, capacity);
+            overUtilized.add(s);
+          }
+          g = s;
         } else {
-          assert isUnderUtilized(datanodeS) : "isUnderUtilized("
-              + datanodeS.getDisplayName() + ")=" + isUnderUtilized(datanodeS)
-              + ", utilization=" + datanodeS.utilization; 
-          this.underUtilizedDatanodes.add(datanodeS);
-          underLoadedBytes += (long)((avg-threshold-
-              datanodeS.utilization)*datanodeS.datanode.getCapacity()/100.0);
+          g = dn.addStorageGroup(t, utilization, maxSize2Move);
+          if (thresholdDiff <= 0) { // within threshold
+            belowAvgUtilized.add(g);
+          } else {
+            underLoadedBytes += precentage2bytes(thresholdDiff, capacity);
+            underUtilized.add(g);
+          }
         }
+        storageGroupMap.put(g);
       }
-      datanodeMap.put(datanode.getDatanodeUuid(), datanodeS);
     }
 
-    //logging
-    logNodes();
+    logUtilizationCollections();
     
-    assert (this.datanodeMap.size() == 
-      overUtilizedDatanodes.size()+underUtilizedDatanodes.size()+
-      aboveAvgUtilizedDatanodes.size()+belowAvgUtilizedDatanodes.size())
-      : "Mismatched number of datanodes";
+    Preconditions.checkState(storageGroupMap.size() == overUtilized.size()
+        + underUtilized.size() + aboveAvgUtilized.size() + belowAvgUtilized.size(),
+        "Mismatched number of storage groups");
     
     // return number of bytes to be moved in order to make the cluster balanced
     return Math.max(overLoadedBytes, underLoadedBytes);
   }
 
-  /* log the over utilized & under utilized nodes */
-  private void logNodes() {
-    logNodes("over-utilized", overUtilizedDatanodes);
-    if (LOG.isTraceEnabled()) {
-      logNodes("above-average", aboveAvgUtilizedDatanodes);
-      logNodes("below-average", belowAvgUtilizedDatanodes);
+  private static long computeMaxSize2Move(final long capacity, final long remaining,
+      final double utilizationDiff, final double threshold) {
+    final double diff = Math.min(threshold, Math.abs(utilizationDiff));
+    long maxSizeToMove = precentage2bytes(diff, capacity);
+    if (utilizationDiff < 0) {
+      maxSizeToMove = Math.min(remaining, maxSizeToMove);
     }
-    logNodes("underutilized", underUtilizedDatanodes);
+    return Math.min(MAX_SIZE_TO_MOVE, maxSizeToMove);
   }
 
-  private static <T extends BalancerDatanode> void logNodes(
-      String name, Collection<T> nodes) {
-    LOG.info(nodes.size() + " " + name + ": " + nodes);
+  private static long precentage2bytes(double precentage, long capacity) {
+    Preconditions.checkArgument(precentage >= 0,
+        "precentage = " + precentage + " < 0");
+    return (long)(precentage * capacity / 100.0);
+  }
+
+  /* log the over utilized & under utilized nodes */
+  private void logUtilizationCollections() {
+    logUtilizationCollection("over-utilized", overUtilized);
+    if (LOG.isTraceEnabled()) {
+      logUtilizationCollection("above-average", aboveAvgUtilized);
+      logUtilizationCollection("below-average", belowAvgUtilized);
+    }
+    logUtilizationCollection("underutilized", underUtilized);
+  }
+
+  private static <T extends BalancerDatanode.StorageGroup>
+      void logUtilizationCollection(String name, Collection<T> items) {
+    LOG.info(items.size() + " " + name + ": " + items);
   }
 
   /** A matcher interface for matching nodes. */
@@ -1038,26 +1127,24 @@ public boolean match(NetworkTopology cluster, Node left, Node right) {
   /**
    * Decide all <source, target> pairs and
    * the number of bytes to move from a source to a target
-   * Maximum bytes to be moved per node is
-   * Min(1 Band worth of bytes,  MAX_SIZE_TO_MOVE).
-   * Return total number of bytes to move in this iteration
+   * Maximum bytes to be moved per storage group is
+   * min(1 Band worth of bytes,  MAX_SIZE_TO_MOVE).
+   * @return total number of bytes to move in this iteration
    */
-  private long chooseNodes() {
+  private long chooseStorageGroups() {
     // First, match nodes on the same node group if cluster is node group aware
     if (cluster.isNodeGroupAware()) {
-      chooseNodes(SAME_NODE_GROUP);
+      chooseStorageGroups(SAME_NODE_GROUP);
     }
     
     // Then, match nodes on the same rack
-    chooseNodes(SAME_RACK);
+    chooseStorageGroups(SAME_RACK);
     // At last, match all remaining nodes
-    chooseNodes(ANY_OTHER);
+    chooseStorageGroups(ANY_OTHER);
     
-    assert (datanodeMap.size() >= sources.size()+targets.size())
-      : "Mismatched number of datanodes (" +
-      datanodeMap.size() + " total, " +
-      sources.size() + " sources, " +
-      targets.size() + " targets)";
+    Preconditions.checkState(storageGroupMap.size() >= sources.size() + targets.size(),
+        "Mismatched number of datanodes (" + storageGroupMap.size() + " < "
+            + sources.size() + " sources, " + targets.size() + " targets)");
 
     long bytesToMove = 0L;
     for (Source src : sources) {
@@ -1067,25 +1154,25 @@ private long chooseNodes() {
   }
 
   /** Decide all <source, target> pairs according to the matcher. */
-  private void chooseNodes(final Matcher matcher) {
+  private void chooseStorageGroups(final Matcher matcher) {
     /* first step: match each overUtilized datanode (source) to
      * one or more underUtilized datanodes (targets).
      */
-    chooseDatanodes(overUtilizedDatanodes, underUtilizedDatanodes, matcher);
+    chooseStorageGroups(overUtilized, underUtilized, matcher);
     
     /* match each remaining overutilized datanode (source) to 
      * below average utilized datanodes (targets).
      * Note only overutilized datanodes that haven't had that max bytes to move
      * satisfied in step 1 are selected
      */
-    chooseDatanodes(overUtilizedDatanodes, belowAvgUtilizedDatanodes, matcher);
+    chooseStorageGroups(overUtilized, belowAvgUtilized, matcher);
 
     /* match each remaining underutilized datanode (target) to 
      * above average utilized datanodes (source).
      * Note only underutilized datanodes that have not had that max bytes to
      * move satisfied in step 1 are selected.
      */
-    chooseDatanodes(underUtilizedDatanodes, aboveAvgUtilizedDatanodes, matcher);
+    chooseStorageGroups(underUtilized, aboveAvgUtilized, matcher);
   }
 
   /**
@@ -1093,13 +1180,14 @@ private void chooseNodes(final Matcher matcher) {
    * datanodes or the candidates are source nodes with (utilization > Avg), and
    * the others are target nodes with (utilization < Avg).
    */
-  private <D extends BalancerDatanode, C extends BalancerDatanode> void 
-      chooseDatanodes(Collection<D> datanodes, Collection<C> candidates,
+  private <G extends BalancerDatanode.StorageGroup,
+           C extends BalancerDatanode.StorageGroup>
+      void chooseStorageGroups(Collection<G> groups, Collection<C> candidates,
           Matcher matcher) {
-    for (Iterator<D> i = datanodes.iterator(); i.hasNext();) {
-      final D datanode = i.next();
-      for(; chooseForOneDatanode(datanode, candidates, matcher); );
-      if (!datanode.hasSpaceForScheduling()) {
+    for(final Iterator<G> i = groups.iterator(); i.hasNext();) {
+      final G g = i.next();
+      for(; choose4One(g, candidates, matcher); );
+      if (!g.hasSpaceForScheduling()) {
         i.remove();
       }
     }
@@ -1109,18 +1197,19 @@ private void chooseNodes(final Matcher matcher) {
    * For the given datanode, choose a candidate and then schedule it.
    * @return true if a candidate is chosen; false if no candidates is chosen.
    */
-  private <C extends BalancerDatanode> boolean chooseForOneDatanode(
-      BalancerDatanode dn, Collection<C> candidates, Matcher matcher) {
+  private <C extends BalancerDatanode.StorageGroup>
+      boolean choose4One(BalancerDatanode.StorageGroup g,
+          Collection<C> candidates, Matcher matcher) {
     final Iterator<C> i = candidates.iterator();
-    final C chosen = chooseCandidate(dn, i, matcher);
-
+    final C chosen = chooseCandidate(g, i, matcher);
+  
     if (chosen == null) {
       return false;
     }
-    if (dn instanceof Source) {
-      matchSourceWithTargetToMove((Source)dn, chosen);
+    if (g instanceof Source) {
+      matchSourceWithTargetToMove((Source)g, chosen);
     } else {
-      matchSourceWithTargetToMove((Source)chosen, dn);
+      matchSourceWithTargetToMove((Source)chosen, g);
     }
     if (!chosen.hasSpaceForScheduling()) {
       i.remove();
@@ -1128,27 +1217,28 @@ private <C extends BalancerDatanode> boolean chooseForOneDatanode(
     return true;
   }
   
-  private void matchSourceWithTargetToMove(
-      Source source, BalancerDatanode target) {
+  private void matchSourceWithTargetToMove(Source source,
+      BalancerDatanode.StorageGroup target) {
     long size = Math.min(source.availableSizeToMove(), target.availableSizeToMove());
-    NodeTask nodeTask = new NodeTask(target, size);
-    source.addNodeTask(nodeTask);
-    target.incScheduledSize(nodeTask.getSize());
+    final Task task = new Task(target, size);
+    source.addTask(task);
+    target.incScheduledSize(task.size);
     sources.add(source);
     targets.add(target);
     LOG.info("Decided to move "+StringUtils.byteDesc(size)+" bytes from "
-        +source.datanode.getName() + " to " + target.datanode.getName());
+        + source.getDisplayName() + " to " + target.getDisplayName());
   }
   
   /** Choose a candidate for the given datanode. */
-  private <D extends BalancerDatanode, C extends BalancerDatanode>
-      C chooseCandidate(D dn, Iterator<C> candidates, Matcher matcher) {
-    if (dn.hasSpaceForScheduling()) {
+  private <G extends BalancerDatanode.StorageGroup,
+           C extends BalancerDatanode.StorageGroup>
+      C chooseCandidate(G g, Iterator<C> candidates, Matcher matcher) {
+    if (g.hasSpaceForScheduling()) {
       for(; candidates.hasNext(); ) {
         final C c = candidates.next();
         if (!c.hasSpaceForScheduling()) {
           candidates.remove();
-        } else if (matcher.match(cluster, dn.getDatanode(), c.getDatanode())) {
+        } else if (matcher.match(cluster, g.getDatanode(), c.getDatanode())) {
           return c;
         }
       }
@@ -1202,9 +1292,10 @@ private void waitForMoveCompletion() {
     boolean shouldWait;
     do {
       shouldWait = false;
-      for (BalancerDatanode target : targets) {
-        if (!target.isPendingQEmpty()) {
+      for (BalancerDatanode.StorageGroup target : targets) {
+        if (!target.getBalancerDatanode().isPendingQEmpty()) {
           shouldWait = true;
+          break;
         }
       }
       if (shouldWait) {
@@ -1273,12 +1364,15 @@ synchronized private void cleanup() {
    * 3. doing the move does not reduce the number of racks that the block has
    */
   private boolean isGoodBlockCandidate(Source source, 
-      BalancerDatanode target, BalancerBlock block) {
+      BalancerDatanode.StorageGroup target, BalancerBlock block) {
+    if (source.storageType != target.storageType) {
+      return false;
+    }
     // check if the block is moved or not
     if (movedBlocks.contains(block)) {
-        return false;
+      return false;
     }
-    if (block.isLocatedOnDatanode(target)) {
+    if (block.isLocatedOn(target)) {
       return false;
     }
     if (cluster.isNodeGroupAware() && 
@@ -1293,8 +1387,8 @@ private boolean isGoodBlockCandidate(Source source,
     } else {
       boolean notOnSameRack = true;
       synchronized (block) {
-        for (BalancerDatanode loc : block.locations) {
-          if (cluster.isOnSameRack(loc.datanode, target.datanode)) {
+        for (BalancerDatanode.StorageGroup loc : block.locations) {
+          if (cluster.isOnSameRack(loc.getDatanode(), target.getDatanode())) {
             notOnSameRack = false;
             break;
           }
@@ -1305,9 +1399,9 @@ private boolean isGoodBlockCandidate(Source source,
         goodBlock = true;
       } else {
         // good if source is on the same rack as on of the replicas
-        for (BalancerDatanode loc : block.locations) {
+        for (BalancerDatanode.StorageGroup loc : block.locations) {
           if (loc != source && 
-              cluster.isOnSameRack(loc.datanode, source.datanode)) {
+              cluster.isOnSameRack(loc.getDatanode(), source.getDatanode())) {
             goodBlock = true;
             break;
           }
@@ -1328,25 +1422,26 @@ private boolean isGoodBlockCandidate(Source source,
    * @return true if there are any replica (other than source) on the same node
    * group with target
    */
-  private boolean isOnSameNodeGroupWithReplicas(BalancerDatanode target,
+  private boolean isOnSameNodeGroupWithReplicas(BalancerDatanode.StorageGroup target,
       BalancerBlock block, Source source) {
-    for (BalancerDatanode loc : block.locations) {
+    final DatanodeInfo targetDn = target.getDatanode();
+    for (BalancerDatanode.StorageGroup loc : block.locations) {
       if (loc != source && 
-        cluster.isOnSameNodeGroup(loc.getDatanode(), target.getDatanode())) {
-          return true;
-        }
+          cluster.isOnSameNodeGroup(loc.getDatanode(), targetDn)) {
+        return true;
       }
+    }
     return false;
   }
 
   /* reset all fields in a balancer preparing for the next iteration */
   private void resetData(Configuration conf) {
     this.cluster = NetworkTopology.getInstance(conf);
-    this.overUtilizedDatanodes.clear();
-    this.aboveAvgUtilizedDatanodes.clear();
-    this.belowAvgUtilizedDatanodes.clear();
-    this.underUtilizedDatanodes.clear();
-    this.datanodeMap.clear();
+    this.overUtilized.clear();
+    this.aboveAvgUtilized.clear();
+    this.belowAvgUtilized.clear();
+    this.underUtilized.clear();
+    this.storageGroupMap.clear();
     this.sources.clear();
     this.targets.clear();  
     this.policy.reset();
@@ -1366,32 +1461,6 @@ private void cleanGlobalBlockList() {
       }
     }
   }
-  
-  /* Return true if the given datanode is overUtilized */
-  private boolean isOverUtilized(BalancerDatanode datanode) {
-    return datanode.utilization > (policy.getAvgUtilization()+threshold);
-  }
-  
-  /* Return true if the given datanode is above or equal to average utilized
-   * but not overUtilized */
-  private boolean isAboveAvgUtilized(BalancerDatanode datanode) {
-    final double avg = policy.getAvgUtilization();
-    return (datanode.utilization <= (avg+threshold))
-        && (datanode.utilization >= avg);
-  }
-  
-  /* Return true if the given datanode is underUtilized */
-  private boolean isUnderUtilized(BalancerDatanode datanode) {
-    return datanode.utilization < (policy.getAvgUtilization()-threshold);
-  }
-
-  /* Return true if the given datanode is below average utilized 
-   * but not underUtilized */
-  private boolean isBelowOrEqualAvgUtilized(BalancerDatanode datanode) {
-    final double avg = policy.getAvgUtilization();
-    return (datanode.utilization >= (avg-threshold))
-             && (datanode.utilization <= avg);
-  }
 
   // Exit status
   enum ReturnStatus {
@@ -1419,7 +1488,8 @@ private ReturnStatus run(int iteration, Formatter formatter,
       /* get all live datanodes of a cluster and their disk usage
        * decide the number of bytes need to be moved
        */
-      final long bytesLeftToMove = initNodes(nnc.client.getDatanodeReport(DatanodeReportType.LIVE));
+      final long bytesLeftToMove = init(
+          nnc.client.getDatanodeStorageReport(DatanodeReportType.LIVE));
       if (bytesLeftToMove == 0) {
         System.out.println("The cluster is balanced. Exiting...");
         return ReturnStatus.SUCCESS;
@@ -1433,7 +1503,7 @@ private ReturnStatus run(int iteration, Formatter formatter,
        * in this iteration. Maximum bytes to be moved per node is
        * Min(1 Band worth of bytes,  MAX_SIZE_TO_MOVE).
        */
-      final long bytesToMove = chooseNodes();
+      final long bytesToMove = chooseStorageGroups();
       if (bytesToMove == 0) {
         System.out.println("No block can be moved. Exiting...");
         return ReturnStatus.NO_MOVE_BLOCK;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/BalancingPolicy.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/BalancingPolicy.java
index 3297a250a4e..646abd4ef48 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/BalancingPolicy.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/BalancingPolicy.java
@@ -18,7 +18,11 @@
 package org.apache.hadoop.hdfs.server.balancer;
 
 import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
+import org.apache.hadoop.hdfs.StorageType;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
+import org.apache.hadoop.hdfs.server.protocol.StorageReport;
+import org.apache.hadoop.hdfs.util.EnumCounters;
+import org.apache.hadoop.hdfs.util.EnumDoubles;
 
 /**
  * Balancing policy.
@@ -28,31 +32,43 @@
  */
 @InterfaceAudience.Private
 abstract class BalancingPolicy {
-  long totalCapacity;
-  long totalUsedSpace;
-  private double avgUtilization;
+  final EnumCounters<StorageType> totalCapacities
+      = new EnumCounters<StorageType>(StorageType.class);
+  final EnumCounters<StorageType> totalUsedSpaces
+      = new EnumCounters<StorageType>(StorageType.class);
+  final EnumDoubles<StorageType> avgUtilizations
+      = new EnumDoubles<StorageType>(StorageType.class);
 
   void reset() {
-    totalCapacity = 0L;
-    totalUsedSpace = 0L;
-    avgUtilization = 0.0;
+    totalCapacities.reset();
+    totalUsedSpaces.reset();
+    avgUtilizations.reset();
   }
 
   /** Get the policy name. */
   abstract String getName();
 
   /** Accumulate used space and capacity. */
-  abstract void accumulateSpaces(DatanodeInfo d);
+  abstract void accumulateSpaces(DatanodeStorageReport r);
 
   void initAvgUtilization() {
-    this.avgUtilization = totalUsedSpace*100.0/totalCapacity;
-  }
-  double getAvgUtilization() {
-    return avgUtilization;
+    for(StorageType t : StorageType.asList()) {
+      final long capacity = totalCapacities.get(t);
+      if (capacity > 0L) {
+        final double avg  = totalUsedSpaces.get(t)*100.0/capacity;
+        avgUtilizations.set(t, avg);
+      }
+    }
   }
 
-  /** Return the utilization of a datanode */
-  abstract double getUtilization(DatanodeInfo d);
+  double getAvgUtilization(StorageType t) {
+    return avgUtilizations.get(t);
+  }
+
+  /** @return the utilization of a particular storage type of a datanode;
+   *          or return null if the datanode does not have such storage type.
+   */
+  abstract Double getUtilization(DatanodeStorageReport r, StorageType t);
   
   @Override
   public String toString() {
@@ -84,14 +100,25 @@ String getName() {
     }
 
     @Override
-    void accumulateSpaces(DatanodeInfo d) {
-      totalCapacity += d.getCapacity();
-      totalUsedSpace += d.getDfsUsed();  
+    void accumulateSpaces(DatanodeStorageReport r) {
+      for(StorageReport s : r.getStorageReports()) {
+        final StorageType t = s.getStorage().getStorageType();
+        totalCapacities.add(t, s.getCapacity());
+        totalUsedSpaces.add(t, s.getDfsUsed());
+      }
     }
     
     @Override
-    double getUtilization(DatanodeInfo d) {
-      return d.getDfsUsed()*100.0/d.getCapacity();
+    Double getUtilization(DatanodeStorageReport r, final StorageType t) {
+      long capacity = 0L;
+      long dfsUsed = 0L;
+      for(StorageReport s : r.getStorageReports()) {
+        if (s.getStorage().getStorageType() == t) {
+          capacity += s.getCapacity();
+          dfsUsed += s.getDfsUsed();
+        }
+      }
+      return capacity == 0L? null: dfsUsed*100.0/capacity;
     }
   }
 
@@ -108,14 +135,25 @@ String getName() {
     }
 
     @Override
-    void accumulateSpaces(DatanodeInfo d) {
-      totalCapacity += d.getCapacity();
-      totalUsedSpace += d.getBlockPoolUsed();  
+    void accumulateSpaces(DatanodeStorageReport r) {
+      for(StorageReport s : r.getStorageReports()) {
+        final StorageType t = s.getStorage().getStorageType();
+        totalCapacities.add(t, s.getCapacity());
+        totalUsedSpaces.add(t, s.getBlockPoolUsed());
+      }
     }
 
     @Override
-    double getUtilization(DatanodeInfo d) {
-      return d.getBlockPoolUsed()*100.0/d.getCapacity();
+    Double getUtilization(DatanodeStorageReport r, final StorageType t) {
+      long capacity = 0L;
+      long blockPoolUsed = 0L;
+      for(StorageReport s : r.getStorageReports()) {
+        if (s.getStorage().getStorageType() == t) {
+          capacity += s.getCapacity();
+          blockPoolUsed += s.getBlockPoolUsed();
+        }
+      }
+      return capacity == 0L? null: blockPoolUsed*100.0/capacity;
     }
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
index 4fe6de3246e..c4837db4d81 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
@@ -2826,12 +2826,15 @@ private long addBlock(Block block, List<BlockWithLocations> results) {
     } else {
       final String[] datanodeUuids = new String[locations.size()];
       final String[] storageIDs = new String[datanodeUuids.length];
+      final StorageType[] storageTypes = new StorageType[datanodeUuids.length];
       for(int i = 0; i < locations.size(); i++) {
         final DatanodeStorageInfo s = locations.get(i);
         datanodeUuids[i] = s.getDatanodeDescriptor().getDatanodeUuid();
         storageIDs[i] = s.getStorageID();
+        storageTypes[i] = s.getStorageType();
       }
-      results.add(new BlockWithLocations(block, datanodeUuids, storageIDs));
+      results.add(new BlockWithLocations(block, datanodeUuids, storageIDs,
+          storageTypes));
       return block.getNumBytes();
     }
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/BlocksWithLocations.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/BlocksWithLocations.java
index bc446ac7541..c907f3be5b4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/BlocksWithLocations.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/BlocksWithLocations.java
@@ -17,10 +17,9 @@
  */
 package org.apache.hadoop.hdfs.server.protocol;
 
-import java.util.Arrays;
-
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.Block;
 
 /**
@@ -39,12 +38,15 @@ public static class BlockWithLocations {
     final Block block;
     final String[] datanodeUuids;
     final String[] storageIDs;
+    final StorageType[] storageTypes;
     
     /** constructor */
-    public BlockWithLocations(Block block, String[] datanodeUuids, String[] storageIDs) {
+    public BlockWithLocations(Block block, String[] datanodeUuids,
+        String[] storageIDs, StorageType[] storageTypes) {
       this.block = block;
       this.datanodeUuids = datanodeUuids;
       this.storageIDs = storageIDs;
+      this.storageTypes = storageTypes;
     }
     
     /** get the block */
@@ -61,7 +63,12 @@ public String[] getDatanodeUuids() {
     public String[] getStorageIDs() {
       return storageIDs;
     }
-    
+
+    /** @return the storage types */
+    public StorageType[] getStorageTypes() {
+      return storageTypes;
+    }
+
     @Override
     public String toString() {
       final StringBuilder b = new StringBuilder();
@@ -70,12 +77,18 @@ public String toString() {
         return b.append("[]").toString();
       }
       
-      b.append(storageIDs[0]).append('@').append(datanodeUuids[0]);
+      appendString(0, b.append("["));
       for(int i = 1; i < datanodeUuids.length; i++) {
-        b.append(", ").append(storageIDs[i]).append("@").append(datanodeUuids[i]);
+        appendString(i, b.append(","));
       }
       return b.append("]").toString();
     }
+    
+    private StringBuilder appendString(int i, StringBuilder b) {
+      return b.append("[").append(storageTypes[i]).append("]")
+              .append(storageIDs[i])
+              .append("@").append(datanodeUuids[i]);
+    }
   }
 
   private final BlockWithLocations[] blocks;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/util/EnumCounters.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/util/EnumCounters.java
index e3975f6d68a..8bdea1fd59e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/util/EnumCounters.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/util/EnumCounters.java
@@ -37,7 +37,7 @@
 public class EnumCounters<E extends Enum<E>> {
   /** The class of the enum. */
   private final Class<E> enumClass;
-  /** The counter array, counters[i] corresponds to the enumConstants[i]. */
+  /** An array of longs corresponding to the enum type. */
   private final long[] counters;
 
   /**
@@ -75,6 +75,13 @@ public final void set(final EnumCounters<E> that) {
     }
   }
 
+  /** Reset all counters to zero. */
+  public final void reset() {
+    for(int i = 0; i < counters.length; i++) {
+      this.counters[i] = 0L;
+    }
+  }
+
   /** Add the given value to counter e. */
   public final void add(final E e, final long value) {
     counters[e.ordinal()] += value;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/util/EnumDoubles.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/util/EnumDoubles.java
new file mode 100644
index 00000000000..126070aa016
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/util/EnumDoubles.java
@@ -0,0 +1,128 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.util;
+
+import java.util.Arrays;
+
+import com.google.common.base.Preconditions;
+
+/**
+ * Similar to {@link EnumCounters} except that the value type is double.
+ *
+ * @param <E> the enum type
+ */
+public class EnumDoubles<E extends Enum<E>> {
+  /** The class of the enum. */
+  private final Class<E> enumClass;
+  /** An array of doubles corresponding to the enum type. */
+  private final double[] doubles;
+
+  /**
+   * Construct doubles for the given enum constants.
+   * @param enumClass the enum class.
+   */
+  public EnumDoubles(final Class<E> enumClass) {
+    final E[] enumConstants = enumClass.getEnumConstants();
+    Preconditions.checkNotNull(enumConstants);
+    this.enumClass = enumClass;
+    this.doubles = new double[enumConstants.length];
+  }
+  
+  /** @return the value corresponding to e. */
+  public final double get(final E e) {
+    return doubles[e.ordinal()];
+  }
+
+  /** Negate all values. */
+  public final void negation() {
+    for(int i = 0; i < doubles.length; i++) {
+      doubles[i] = -doubles[i];
+    }
+  }
+  
+  /** Set e to the given value. */
+  public final void set(final E e, final double value) {
+    doubles[e.ordinal()] = value;
+  }
+
+  /** Set the values of this object to that object. */
+  public final void set(final EnumDoubles<E> that) {
+    for(int i = 0; i < doubles.length; i++) {
+      this.doubles[i] = that.doubles[i];
+    }
+  }
+
+  /** Reset all values to zero. */
+  public final void reset() {
+    for(int i = 0; i < doubles.length; i++) {
+      this.doubles[i] = 0.0;
+    }
+  }
+
+  /** Add the given value to e. */
+  public final void add(final E e, final double value) {
+    doubles[e.ordinal()] += value;
+  }
+
+  /** Add the values of that object to this. */
+  public final void add(final EnumDoubles<E> that) {
+    for(int i = 0; i < doubles.length; i++) {
+      this.doubles[i] += that.doubles[i];
+    }
+  }
+
+  /** Subtract the given value from e. */
+  public final void subtract(final E e, final double value) {
+    doubles[e.ordinal()] -= value;
+  }
+
+  /** Subtract the values of this object from that object. */
+  public final void subtract(final EnumDoubles<E> that) {
+    for(int i = 0; i < doubles.length; i++) {
+      this.doubles[i] -= that.doubles[i];
+    }
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (obj == this) {
+      return true;
+    } else if (obj == null || !(obj instanceof EnumDoubles)) {
+      return false;
+    }
+    final EnumDoubles<?> that = (EnumDoubles<?>)obj;
+    return this.enumClass == that.enumClass
+        && Arrays.equals(this.doubles, that.doubles);
+  }
+
+  @Override
+  public int hashCode() {
+    return Arrays.hashCode(doubles);
+  }
+
+  @Override
+  public String toString() {
+    final E[] enumConstants = enumClass.getEnumConstants();
+    final StringBuilder b = new StringBuilder();
+    for(int i = 0; i < doubles.length; i++) {
+      final String name = enumConstants[i].name();
+      b.append(name).append("=").append(doubles[i]).append(", ");
+    }
+    return b.substring(0, b.length() - 2);
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
index 04fcc500e84..32c54b00b3e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/hdfs.proto
@@ -404,6 +404,7 @@ message BlockWithLocationsProto {
   required BlockProto block = 1;   // Block
   repeated string datanodeUuids = 2; // Datanodes with replicas of the block
   repeated string storageUuids = 3;  // Storages with replicas of the block
+  repeated StorageTypeProto storageTypes = 4;
 }
 
 /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java
index 440b4f3a6cc..cb85c7deb61 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/protocolPB/TestPBHelper.java
@@ -184,8 +184,10 @@ public void testConvertBlock() {
   private static BlockWithLocations getBlockWithLocations(int bid) {
     final String[] datanodeUuids = {"dn1", "dn2", "dn3"};
     final String[] storageIDs = {"s1", "s2", "s3"};
+    final StorageType[] storageTypes = {
+        StorageType.DISK, StorageType.DISK, StorageType.DISK};
     return new BlockWithLocations(new Block(bid, 0, 1),
-        datanodeUuids, storageIDs);
+        datanodeUuids, storageIDs, storageTypes);
   }
 
   private void compare(BlockWithLocations locs1, BlockWithLocations locs2) {

From b5b862e3afd0797dc8f940204622e174c1382f5e Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Fri, 1 Aug 2014 01:13:42 +0000
Subject: [PATCH 094/354] HDFS-6797. DataNode logs wrong layoutversion during
 upgrade. (Contributed by Benoy Antony)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615017 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                    | 3 +++
 .../hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java     | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 72268d30554..d6253c2c939 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -406,6 +406,9 @@ Release 2.6.0 - UNRELEASED
     XmlEditsVisitor.java is JVM vendor specific. Breaks IBM JAVA.
     (Amir Sanjar via stevel)
 
+    HDFS-6797. DataNode logs wrong layoutversion during upgrade. (Benoy Antony
+    via Arpit Agarwal)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
index c8c3a7ec822..dec0d55004d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
@@ -312,7 +312,7 @@ void doUpgrade(StorageDirectory bpSd, NamespaceInfo nsInfo) throws IOException {
     }
     LOG.info("Upgrading block pool storage directory " + bpSd.getRoot()
         + ".\n   old LV = " + this.getLayoutVersion() + "; old CTime = "
-        + this.getCTime() + ".\n   new LV = " + nsInfo.getLayoutVersion()
+        + this.getCTime() + ".\n   new LV = " + HdfsConstants.DATANODE_LAYOUT_VERSION
         + "; new CTime = " + nsInfo.getCTime());
     // get <SD>/previous directory
     String dnRoot = getDataNodeStorageRoot(bpSd.getRoot().getCanonicalPath());

From 8bca3c689ae77c39bf1065b6fb78508a24ebf537 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Fri, 1 Aug 2014 01:16:06 +0000
Subject: [PATCH 095/354] HDFS-3482. Update CHANGES.txt.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615019 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index d6253c2c939..785c82523e6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -184,9 +184,6 @@ Trunk (Unreleased)
 
     HDFS-3549. Fix dist tar build fails in hadoop-hdfs-raid project. (Jason Lowe via daryn)
 
-    HDFS-3482. hdfs balancer throws ArrayIndexOutOfBoundsException 
-    if option is specified without values. ( Madhukara Phatak via umamahesh) 
-
     HDFS-3614. Revert unused MiniDFSCluster constructor from HDFS-3049.
     (acmurthy via eli)
 
@@ -406,6 +403,9 @@ Release 2.6.0 - UNRELEASED
     XmlEditsVisitor.java is JVM vendor specific. Breaks IBM JAVA.
     (Amir Sanjar via stevel)
 
+    HDFS-3482. hdfs balancer throws ArrayIndexOutOfBoundsException 
+    if option is specified without values. ( Madhukara Phatak via umamahesh) 
+
     HDFS-6797. DataNode logs wrong layoutversion during upgrade. (Benoy Antony
     via Arpit Agarwal)
 

From 1141edc424a2975ab48871108e5da4bc3def49f6 Mon Sep 17 00:00:00 2001
From: Junping Du <junping_du@apache.org>
Date: Fri, 1 Aug 2014 04:16:08 +0000
Subject: [PATCH 096/354] YARN-2051. Fix bug in PBimpls and add more unit tests
 with reflection. (Contributed by Binglin Chang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615025 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../GetApplicationsRequest.java               |  18 +
 .../yarn/api/records/ResourceOption.java      |   2 +
 .../impl/pb/GetApplicationsRequestPBImpl.java |  10 +
 .../impl/pb/ApplicationReportPBImpl.java      |   1 +
 .../ApplicationSubmissionContextPBImpl.java   |   1 +
 .../pb/ResourceBlacklistRequestPBImpl.java    |  13 +-
 .../records/impl/pb/ResourceOptionPBImpl.java |  15 +
 .../yarn/api/records/impl/pb/TokenPBImpl.java |   2 +-
 .../pb/UpdateNodeResourceRequestPBImpl.java   |  16 +-
 .../hadoop/yarn/api/TestPBImplRecords.java    | 895 ++++++++++++++++++
 11 files changed, 972 insertions(+), 4 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/api/TestPBImplRecords.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 7b7fa0ddbad..3458b2ceba7 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -120,6 +120,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2354. DistributedShell may allocate more containers than client
     specified after AM restarts. (Li Lu via jianhe)
 
+    YARN-2051. Fix bug in PBimpls and add more unit tests with reflection. 
+    (Binglin Chang via junping_du)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/GetApplicationsRequest.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/GetApplicationsRequest.java
index 4cc0b70e4af..7fc58d67aef 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/GetApplicationsRequest.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/GetApplicationsRequest.java
@@ -305,6 +305,15 @@ public static GetApplicationsRequest newInstance(
   @Unstable
   public abstract LongRange getStartRange();
 
+  /**
+   * Set the range of start times to filter applications on
+   *
+   * @param range
+   */
+  @Private
+  @Unstable
+  public abstract void setStartRange(LongRange range);
+
   /**
    * Set the range of start times to filter applications on
    *
@@ -326,6 +335,15 @@ public abstract void setStartRange(long begin, long end)
   @Unstable
   public abstract LongRange getFinishRange();
 
+  /**
+   * Set the range of finish times to filter applications on
+   *
+   * @param range
+   */
+  @Private
+  @Unstable
+  public abstract void setFinishRange(LongRange range);
+
   /**
    * Set the range of finish times to filter applications on
    *
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ResourceOption.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ResourceOption.java
index d6393505f81..380f38d74a1 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ResourceOption.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ResourceOption.java
@@ -31,6 +31,8 @@ public static ResourceOption newInstance(Resource resource,
       int overCommitTimeout){
     ResourceOption resourceOption = Records.newRecord(ResourceOption.class);
     resourceOption.setResource(resource);
+    resourceOption.setOverCommitTimeout(overCommitTimeout);
+    resourceOption.build();
     return resourceOption;
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/GetApplicationsRequestPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/GetApplicationsRequestPBImpl.java
index 4fd49bcee8d..a8996f0298a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/GetApplicationsRequestPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/GetApplicationsRequestPBImpl.java
@@ -326,6 +326,11 @@ public LongRange getStartRange() {
     return this.start;
   }
 
+  @Override
+  public void setStartRange(LongRange range) {
+    this.start = range;
+  }
+
   @Override
   public void setStartRange(long begin, long end)
       throws IllegalArgumentException {
@@ -349,6 +354,11 @@ public LongRange getFinishRange() {
     return this.finish;
   }
 
+  @Override
+  public void setFinishRange(LongRange range) {
+    this.finish = range;
+  }
+
   @Override
   public void setFinishRange(long begin, long end) {
     if (begin > end) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ApplicationReportPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ApplicationReportPBImpl.java
index 7e19d8fa2f8..dd3e2bc2136 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ApplicationReportPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ApplicationReportPBImpl.java
@@ -479,6 +479,7 @@ private void mergeLocalToBuilder() {
       builder.setAmRmToken(convertToProtoFormat(this.amRmToken));
     }
     if (this.applicationTags != null && !this.applicationTags.isEmpty()) {
+      builder.clearApplicationTags();
       builder.addAllApplicationTags(this.applicationTags);
     }
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ApplicationSubmissionContextPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ApplicationSubmissionContextPBImpl.java
index c4a3a721990..c2f3268073e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ApplicationSubmissionContextPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ApplicationSubmissionContextPBImpl.java
@@ -107,6 +107,7 @@ private void mergeLocalToBuilder() {
       builder.setResource(convertToProtoFormat(this.resource));
     }
     if (this.applicationTags != null && !this.applicationTags.isEmpty()) {
+      builder.clearApplicationTags();
       builder.addAllApplicationTags(this.applicationTags);
     }
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceBlacklistRequestPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceBlacklistRequestPBImpl.java
index 743e5d12c3f..45d89488ac2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceBlacklistRequestPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceBlacklistRequestPBImpl.java
@@ -90,7 +90,7 @@ private void addBlacklistAdditionsToProto() {
 
   private void addBlacklistRemovalsToProto() {
     maybeInitBuilder();
-    builder.clearBlacklistAdditions();
+    builder.clearBlacklistRemovals();
     if (this.blacklistRemovals == null) { 
       return;
     }
@@ -159,5 +159,14 @@ public void setBlacklistRemovals(List<String> resourceNames) {
   public int hashCode() {
     return getProto().hashCode();
   }
-  
+
+  @Override
+  public boolean equals(Object other) {
+    if (other == null)
+      return false;
+    if (other.getClass().isAssignableFrom(this.getClass())) {
+      return this.getProto().equals(this.getClass().cast(other).getProto());
+    }
+    return false;
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceOptionPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceOptionPBImpl.java
index 5440a8491e7..79f479ee99d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceOptionPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceOptionPBImpl.java
@@ -86,4 +86,19 @@ protected void build() {
     builder = null;
   }
 
+  @Override
+  public int hashCode() {
+    return getProto().hashCode();
+  }
+
+  @Override
+  public boolean equals(Object other) {
+    if (other == null)
+      return false;
+    if (other.getClass().isAssignableFrom(this.getClass())) {
+      return this.getProto().equals(this.getClass().cast(other).getProto());
+    }
+    return false;
+  }
+
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/TokenPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/TokenPBImpl.java
index 2835cbb65f6..7aeb460d525 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/TokenPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/TokenPBImpl.java
@@ -48,7 +48,7 @@ public TokenPBImpl(TokenProto proto) {
   }
 
   public synchronized TokenProto getProto() {
-      mergeLocalToProto();
+    mergeLocalToProto();
     proto = viaProto ? proto : builder.build();
     viaProto = true;
     return proto;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/impl/pb/UpdateNodeResourceRequestPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/impl/pb/UpdateNodeResourceRequestPBImpl.java
index 413e4a00c15..d44599664a2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/impl/pb/UpdateNodeResourceRequestPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/impl/pb/UpdateNodeResourceRequestPBImpl.java
@@ -162,5 +162,19 @@ public void remove() {
     };
     this.builder.addAllNodeResourceMap(values);
   }
-  
+
+  @Override
+  public int hashCode() {
+    return getProto().hashCode();
+  }
+
+  @Override
+  public boolean equals(Object other) {
+    if (other == null)
+      return false;
+    if (other.getClass().isAssignableFrom(this.getClass())) {
+      return this.getProto().equals(this.getClass().cast(other).getProto());
+    }
+    return false;
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/api/TestPBImplRecords.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/api/TestPBImplRecords.java
new file mode 100644
index 00000000000..c6572e9f387
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/api/TestPBImplRecords.java
@@ -0,0 +1,895 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.api;
+import java.io.IOException;
+import java.lang.reflect.Array;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Method;
+import java.lang.reflect.Modifier;
+import java.lang.reflect.ParameterizedType;
+import java.lang.reflect.Type;
+import java.nio.ByteBuffer;
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Random;
+import java.util.Set;
+
+import org.apache.commons.lang.math.LongRange;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.proto.SecurityProtos.*;
+import org.apache.hadoop.yarn.api.protocolrecords.*;
+import org.apache.hadoop.yarn.api.protocolrecords.impl.pb.*;
+import org.apache.hadoop.yarn.api.records.*;
+import org.apache.hadoop.yarn.api.records.impl.pb.*;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.*;
+import org.apache.hadoop.yarn.proto.YarnProtos.*;
+import org.apache.hadoop.yarn.proto.YarnServiceProtos.*;
+import org.apache.hadoop.yarn.server.api.protocolrecords.impl.pb.*;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+
+public class TestPBImplRecords {
+  static final Log LOG = LogFactory.getLog(TestPBImplRecords.class);
+
+  private static HashMap<Type, Object> typeValueCache = new HashMap<Type, Object>();
+  private static Random rand = new Random();
+  private static byte [] bytes = new byte[] {'1', '2', '3', '4'};
+
+  @SuppressWarnings({"rawtypes", "unchecked"})
+  private static Object genTypeValue(Type type) {
+    Object ret = typeValueCache.get(type);
+    if (ret != null) {
+      return ret;
+    }
+    // only use positive primitive values
+    if (type.equals(boolean.class)) {
+      return rand.nextBoolean();
+    } else if (type.equals(byte.class)) {
+      return bytes[rand.nextInt(4)];
+    } else if (type.equals(int.class)) {
+      return rand.nextInt(1000000);
+    } else if (type.equals(long.class)) {
+      return Long.valueOf(rand.nextInt(1000000));
+    } else if (type.equals(float.class)) {
+      return rand.nextFloat();
+    } else if (type.equals(double.class)) {
+      return rand.nextDouble();
+    } else if (type.equals(String.class)) {
+      return String.format("%c%c%c",
+          'a' + rand.nextInt(26),
+          'a' + rand.nextInt(26),
+          'a' + rand.nextInt(26));
+    } else if (type instanceof Class) {
+      Class clazz = (Class)type;
+      if (clazz.isArray()) {
+        Class compClass = clazz.getComponentType();
+        if (compClass != null) {
+          ret = Array.newInstance(compClass, 2);
+          Array.set(ret, 0, genTypeValue(compClass));
+          Array.set(ret, 1, genTypeValue(compClass));
+        }
+      } else if (clazz.isEnum()) {
+        Object [] values = clazz.getEnumConstants();
+        ret = values[rand.nextInt(values.length)];
+      } else if (clazz.equals(ByteBuffer.class)) {
+        // return new ByteBuffer every time
+        // to prevent potential side effects
+        ByteBuffer buff = ByteBuffer.allocate(4);
+        rand.nextBytes(buff.array());
+        return buff;
+      }
+    } else if (type instanceof ParameterizedType) {
+      ParameterizedType pt = (ParameterizedType)type;
+      Type rawType = pt.getRawType();
+      Type [] params = pt.getActualTypeArguments();
+      // only support EnumSet<T>, List<T>, Set<T>, Map<K,V>
+      if (rawType.equals(EnumSet.class)) {
+        if (params[0] instanceof Class) {
+          Class c = (Class)(params[0]);
+          return EnumSet.allOf(c);
+        }
+      } if (rawType.equals(List.class)) {
+        ret = Lists.newArrayList(genTypeValue(params[0]));
+      } else if (rawType.equals(Set.class)) {
+        ret = Sets.newHashSet(genTypeValue(params[0]));
+      } else if (rawType.equals(Map.class)) {
+        Map<Object, Object> map = Maps.newHashMap();
+        map.put(genTypeValue(params[0]), genTypeValue(params[1]));
+        ret = map;
+      }
+    }
+    if (ret == null) {
+      throw new IllegalArgumentException("type " + type + " is not supported");
+    }
+    typeValueCache.put(type, ret);
+    return ret;
+  }
+
+  /**
+   * this method generate record instance by calling newIntance
+   * using reflection, add register the generated value to typeValueCache
+   */
+  @SuppressWarnings("rawtypes")
+  private static Object generateByNewInstance(Class clazz) throws Exception {
+    Object ret = typeValueCache.get(clazz);
+    if (ret != null) {
+      return ret;
+    }
+    Method newInstance = null;
+    Type [] paramTypes = new Type[0];
+    // get newInstance method with most parameters
+    for (Method m : clazz.getMethods()) {
+      int mod = m.getModifiers();
+      if (m.getDeclaringClass().equals(clazz) &&
+          Modifier.isPublic(mod) &&
+          Modifier.isStatic(mod) &&
+          m.getName().equals("newInstance")) {
+        Type [] pts = m.getGenericParameterTypes();
+        if (newInstance == null
+            || (pts.length > paramTypes.length)) {
+          newInstance = m;
+          paramTypes = pts;
+        }
+      }
+    }
+    if (newInstance == null) {
+      throw new IllegalArgumentException("type " + clazz.getName() +
+          " does not have newInstance method");
+    }
+    Object [] args = new Object[paramTypes.length];
+    for (int i=0;i<args.length;i++) {
+      args[i] = genTypeValue(paramTypes[i]);
+    }
+    ret = newInstance.invoke(null, args);
+    typeValueCache.put(clazz, ret);
+    return ret;
+  }
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    typeValueCache.put(LongRange.class, new LongRange(1000, 2000));
+    typeValueCache.put(URL.class, URL.newInstance(
+        "http", "localhost", 8080, "file0"));
+    typeValueCache.put(SerializedException.class,
+        SerializedException.newInstance(new IOException("exception for test")));
+    generateByNewInstance(ApplicationId.class);
+    generateByNewInstance(ApplicationAttemptId.class);
+    generateByNewInstance(ContainerId.class);
+    generateByNewInstance(Resource.class);
+    generateByNewInstance(ResourceBlacklistRequest.class);
+    generateByNewInstance(ResourceOption.class);
+    generateByNewInstance(LocalResource.class);
+    generateByNewInstance(Priority.class);
+    generateByNewInstance(NodeId.class);
+    generateByNewInstance(NodeReport.class);
+    generateByNewInstance(Token.class);
+    generateByNewInstance(NMToken.class);
+    generateByNewInstance(ResourceRequest.class);
+    generateByNewInstance(ApplicationAttemptReport.class);
+    generateByNewInstance(ApplicationResourceUsageReport.class);
+    generateByNewInstance(ApplicationReport.class);
+    generateByNewInstance(Container.class);
+    generateByNewInstance(ContainerLaunchContext.class);
+    generateByNewInstance(ApplicationSubmissionContext.class);
+    generateByNewInstance(ContainerReport.class);
+    generateByNewInstance(ContainerResourceDecrease.class);
+    generateByNewInstance(ContainerResourceIncrease.class);
+    generateByNewInstance(ContainerResourceIncreaseRequest.class);
+    generateByNewInstance(ContainerStatus.class);
+    generateByNewInstance(PreemptionContainer.class);
+    generateByNewInstance(PreemptionResourceRequest.class);
+    generateByNewInstance(PreemptionContainer.class);
+    generateByNewInstance(PreemptionContract.class);
+    generateByNewInstance(StrictPreemptionContract.class);
+    generateByNewInstance(PreemptionMessage.class);
+    generateByNewInstance(StartContainerRequest.class);
+    // genByNewInstance does not apply to QueueInfo, cause
+    // it is recursive(has sub queues)
+    typeValueCache.put(QueueInfo.class, QueueInfo.newInstance(
+        "root", 1.0f, 1.0f, 0.1f, null, null, QueueState.RUNNING));
+    generateByNewInstance(QueueUserACLInfo.class);
+    generateByNewInstance(YarnClusterMetrics.class);
+  }
+
+  private class GetSetPair {
+    public String propertyName;
+    public Method getMethod;
+    public Method setMethod;
+    public Type type;
+    public Object testValue;
+
+    @Override
+    public String toString() {
+      return String.format("{ name=%s, class=%s, value=%s }", propertyName,
+          type, testValue);
+    }
+  }
+
+  private <R> Map<String, GetSetPair> getGetSetPairs(Class<R> recordClass)
+      throws Exception {
+    Map<String, GetSetPair> ret = new HashMap<String, GetSetPair>();
+    Method [] methods = recordClass.getDeclaredMethods();
+    // get all get methods
+    for (int i = 0; i < methods.length; i++) {
+      Method m = methods[i];
+      int mod = m.getModifiers();
+      if (m.getDeclaringClass().equals(recordClass) &&
+          Modifier.isPublic(mod) &&
+          (!Modifier.isStatic(mod))) {
+        String name = m.getName();
+        if (name.equals("getProto")) {
+          continue;
+        }
+        if ((name.length() > 3) && name.startsWith("get") &&
+            (m.getParameterTypes().length == 0)) {
+          String propertyName = name.substring(3);
+          Type valueType = m.getGenericReturnType();
+          GetSetPair p = ret.get(propertyName);
+          if (p == null) {
+            p = new GetSetPair();
+            p.propertyName = propertyName;
+            p.type = valueType;
+            p.getMethod = m;
+            ret.put(propertyName, p);
+          } else {
+            Assert.fail("Multiple get method with same name: " + recordClass
+                + p.propertyName);
+          }
+        }
+      }
+    }
+    // match get methods with set methods
+    for (int i = 0; i < methods.length; i++) {
+      Method m = methods[i];
+      int mod = m.getModifiers();
+      if (m.getDeclaringClass().equals(recordClass) &&
+          Modifier.isPublic(mod) &&
+          (!Modifier.isStatic(mod))) {
+        String name = m.getName();
+        if (name.startsWith("set") && (m.getParameterTypes().length == 1)) {
+          String propertyName = name.substring(3);
+          Type valueType = m.getGenericParameterTypes()[0];
+          GetSetPair p = ret.get(propertyName);
+          if (p != null && p.type.equals(valueType)) {
+            p.setMethod = m;
+          }
+        }
+      }
+    }
+    // exclude incomplete get/set pair, and generate test value
+    Iterator<Entry<String, GetSetPair>> itr = ret.entrySet().iterator();
+    while (itr.hasNext()) {
+      Entry<String, GetSetPair> cur = itr.next();
+      GetSetPair gsp = cur.getValue();
+      if ((gsp.getMethod == null) ||
+          (gsp.setMethod == null)) {
+        LOG.info(String.format("Exclude protential property: %s\n", gsp.propertyName));
+        itr.remove();
+      } else {
+        LOG.info(String.format("New property: %s type: %s", gsp.toString(), gsp.type));
+        gsp.testValue = genTypeValue(gsp.type);
+        LOG.info(String.format(" testValue: %s\n", gsp.testValue));
+      }
+    }
+    return ret;
+  }
+
+  private <R, P> void validatePBImplRecord(Class<R> recordClass,
+      Class<P> protoClass)
+      throws Exception {
+    LOG.info(String.format("Validate %s %s\n", recordClass.getName(),
+        protoClass.getName()));
+    Constructor<R> emptyConstructor = recordClass.getConstructor();
+    Constructor<R> pbConstructor = recordClass.getConstructor(protoClass);
+    Method getProto = recordClass.getDeclaredMethod("getProto");
+    Map<String, GetSetPair> getSetPairs = getGetSetPairs(recordClass);
+    R origRecord = emptyConstructor.newInstance();
+    for (GetSetPair gsp : getSetPairs.values()) {
+      gsp.setMethod.invoke(origRecord, gsp.testValue);
+    }
+    Object ret = getProto.invoke(origRecord);
+    Assert.assertNotNull(recordClass.getName() + "#getProto returns null", ret);
+    if (!(protoClass.isAssignableFrom(ret.getClass()))) {
+      Assert.fail("Illegal getProto method return type: " + ret.getClass());
+    }
+    R deserRecord = pbConstructor.newInstance(ret);
+    Assert.assertEquals("whole " + recordClass + " records should be equal",
+        origRecord, deserRecord);
+    for (GetSetPair gsp : getSetPairs.values()) {
+      Object origValue = gsp.getMethod.invoke(origRecord);
+      Object deserValue = gsp.getMethod.invoke(deserRecord);
+      Assert.assertEquals("property " + recordClass.getName() + "#"
+          + gsp.propertyName + " should be equal", origValue, deserValue);
+    }
+  }
+
+  @Test
+  public void testAllocateRequestPBImpl() throws Exception {
+    validatePBImplRecord(AllocateRequestPBImpl.class, AllocateRequestProto.class);
+  }
+
+  @Test
+  public void testAllocateResponsePBImpl() throws Exception {
+    validatePBImplRecord(AllocateResponsePBImpl.class, AllocateResponseProto.class);
+  }
+
+  @Test
+  public void testCancelDelegationTokenRequestPBImpl() throws Exception {
+    validatePBImplRecord(CancelDelegationTokenRequestPBImpl.class,
+        CancelDelegationTokenRequestProto.class);
+  }
+
+  @Test
+  public void testCancelDelegationTokenResponsePBImpl() throws Exception {
+    validatePBImplRecord(CancelDelegationTokenResponsePBImpl.class,
+        CancelDelegationTokenResponseProto.class);
+  }
+
+  @Test
+  public void testFinishApplicationMasterRequestPBImpl() throws Exception {
+    validatePBImplRecord(FinishApplicationMasterRequestPBImpl.class,
+        FinishApplicationMasterRequestProto.class);
+  }
+
+  @Test
+  public void testFinishApplicationMasterResponsePBImpl() throws Exception {
+    validatePBImplRecord(FinishApplicationMasterResponsePBImpl.class,
+        FinishApplicationMasterResponseProto.class);
+  }
+
+  @Test
+  public void testGetApplicationAttemptReportRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetApplicationAttemptReportRequestPBImpl.class,
+        GetApplicationAttemptReportRequestProto.class);
+  }
+
+  @Test
+  public void testGetApplicationAttemptReportResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetApplicationAttemptReportResponsePBImpl.class,
+        GetApplicationAttemptReportResponseProto.class);
+  }
+
+  @Test
+  public void testGetApplicationAttemptsRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetApplicationAttemptsRequestPBImpl.class,
+        GetApplicationAttemptsRequestProto.class);
+  }
+
+  @Test
+  public void testGetApplicationAttemptsResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetApplicationAttemptsResponsePBImpl.class,
+        GetApplicationAttemptsResponseProto.class);
+  }
+
+  @Test
+  public void testGetApplicationReportRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetApplicationReportRequestPBImpl.class,
+        GetApplicationReportRequestProto.class);
+  }
+
+  @Test
+  public void testGetApplicationReportResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetApplicationReportResponsePBImpl.class,
+        GetApplicationReportResponseProto.class);
+  }
+
+  @Test
+  public void testGetApplicationsRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetApplicationsRequestPBImpl.class,
+        GetApplicationsRequestProto.class);
+  }
+
+  @Test
+  public void testGetApplicationsResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetApplicationsResponsePBImpl.class,
+        GetApplicationsResponseProto.class);
+  }
+
+  @Test
+  public void testGetClusterMetricsRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetClusterMetricsRequestPBImpl.class,
+        GetClusterMetricsRequestProto.class);
+  }
+
+  @Test
+  public void testGetClusterMetricsResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetClusterMetricsResponsePBImpl.class,
+        GetClusterMetricsResponseProto.class);
+  }
+
+  @Test
+  public void testGetClusterNodesRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetClusterNodesRequestPBImpl.class,
+        GetClusterNodesRequestProto.class);
+  }
+
+  @Test
+  public void testGetClusterNodesResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetClusterNodesResponsePBImpl.class,
+        GetClusterNodesResponseProto.class);
+  }
+
+  @Test
+  public void testGetContainerReportRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetContainerReportRequestPBImpl.class,
+        GetContainerReportRequestProto.class);
+  }
+
+  @Test
+  public void testGetContainerReportResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetContainerReportResponsePBImpl.class,
+        GetContainerReportResponseProto.class);
+  }
+
+  @Test
+  public void testGetContainersRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetContainersRequestPBImpl.class,
+        GetContainersRequestProto.class);
+  }
+
+  @Test
+  public void testGetContainersResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetContainersResponsePBImpl.class,
+        GetContainersResponseProto.class);
+  }
+
+  @Test
+  public void testGetContainerStatusesRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetContainerStatusesRequestPBImpl.class,
+        GetContainerStatusesRequestProto.class);
+  }
+
+  @Test
+  public void testGetContainerStatusesResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetContainerStatusesResponsePBImpl.class,
+        GetContainerStatusesResponseProto.class);
+  }
+
+  @Test
+  public void testGetDelegationTokenRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetDelegationTokenRequestPBImpl.class,
+        GetDelegationTokenRequestProto.class);
+  }
+
+  @Test
+  public void testGetDelegationTokenResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetDelegationTokenResponsePBImpl.class,
+        GetDelegationTokenResponseProto.class);
+  }
+
+  @Test
+  public void testGetNewApplicationRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetNewApplicationRequestPBImpl.class,
+        GetNewApplicationRequestProto.class);
+  }
+
+  @Test
+  public void testGetNewApplicationResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetNewApplicationResponsePBImpl.class,
+        GetNewApplicationResponseProto.class);
+  }
+
+  @Test
+  public void testGetQueueInfoRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetQueueInfoRequestPBImpl.class,
+        GetQueueInfoRequestProto.class);
+  }
+
+  @Test
+  public void testGetQueueInfoResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetQueueInfoResponsePBImpl.class,
+        GetQueueInfoResponseProto.class);
+  }
+
+  @Test
+  public void testGetQueueUserAclsInfoRequestPBImpl() throws Exception {
+    validatePBImplRecord(GetQueueUserAclsInfoRequestPBImpl.class,
+        GetQueueUserAclsInfoRequestProto.class);
+  }
+
+  @Test
+  public void testGetQueueUserAclsInfoResponsePBImpl() throws Exception {
+    validatePBImplRecord(GetQueueUserAclsInfoResponsePBImpl.class,
+        GetQueueUserAclsInfoResponseProto.class);
+  }
+
+  @Test
+  public void testKillApplicationRequestPBImpl() throws Exception {
+    validatePBImplRecord(KillApplicationRequestPBImpl.class,
+        KillApplicationRequestProto.class);
+  }
+
+  @Test
+  public void testKillApplicationResponsePBImpl() throws Exception {
+    validatePBImplRecord(KillApplicationResponsePBImpl.class,
+        KillApplicationResponseProto.class);
+  }
+
+  @Test
+  public void testMoveApplicationAcrossQueuesRequestPBImpl() throws Exception {
+    validatePBImplRecord(MoveApplicationAcrossQueuesRequestPBImpl.class,
+        MoveApplicationAcrossQueuesRequestProto.class);
+  }
+
+  @Test
+  public void testMoveApplicationAcrossQueuesResponsePBImpl() throws Exception {
+    validatePBImplRecord(MoveApplicationAcrossQueuesResponsePBImpl.class,
+        MoveApplicationAcrossQueuesResponseProto.class);
+  }
+
+  @Test
+  public void testRegisterApplicationMasterRequestPBImpl() throws Exception {
+    validatePBImplRecord(RegisterApplicationMasterRequestPBImpl.class,
+        RegisterApplicationMasterRequestProto.class);
+  }
+
+  @Test
+  public void testRegisterApplicationMasterResponsePBImpl() throws Exception {
+    validatePBImplRecord(RegisterApplicationMasterResponsePBImpl.class,
+        RegisterApplicationMasterResponseProto.class);
+  }
+
+  @Test
+  public void testRenewDelegationTokenRequestPBImpl() throws Exception {
+    validatePBImplRecord(RenewDelegationTokenRequestPBImpl.class,
+        RenewDelegationTokenRequestProto.class);
+  }
+
+  @Test
+  public void testRenewDelegationTokenResponsePBImpl() throws Exception {
+    validatePBImplRecord(RenewDelegationTokenResponsePBImpl.class,
+        RenewDelegationTokenResponseProto.class);
+  }
+
+  @Test
+  public void testStartContainerRequestPBImpl() throws Exception {
+    validatePBImplRecord(StartContainerRequestPBImpl.class,
+        StartContainerRequestProto.class);
+  }
+
+  @Test
+  public void testStartContainersRequestPBImpl() throws Exception {
+    validatePBImplRecord(StartContainersRequestPBImpl.class,
+        StartContainersRequestProto.class);
+  }
+
+  @Test
+  public void testStartContainersResponsePBImpl() throws Exception {
+    validatePBImplRecord(StartContainersResponsePBImpl.class,
+        StartContainersResponseProto.class);
+  }
+
+  @Test
+  public void testStopContainersRequestPBImpl() throws Exception {
+    validatePBImplRecord(StopContainersRequestPBImpl.class,
+        StopContainersRequestProto.class);
+  }
+
+  @Test
+  public void testStopContainersResponsePBImpl() throws Exception {
+    validatePBImplRecord(StopContainersResponsePBImpl.class,
+        StopContainersResponseProto.class);
+  }
+
+  @Test
+  public void testSubmitApplicationRequestPBImpl() throws Exception {
+    validatePBImplRecord(SubmitApplicationRequestPBImpl.class,
+        SubmitApplicationRequestProto.class);
+  }
+
+  @Test
+  public void testSubmitApplicationResponsePBImpl() throws Exception {
+    validatePBImplRecord(SubmitApplicationResponsePBImpl.class,
+        SubmitApplicationResponseProto.class);
+  }
+
+  @Test
+  @Ignore
+  // ignore cause ApplicationIdPBImpl is immutable
+  public void testApplicationAttemptIdPBImpl() throws Exception {
+    validatePBImplRecord(ApplicationAttemptIdPBImpl.class,
+        ApplicationAttemptIdProto.class);
+  }
+
+  @Test
+  public void testApplicationAttemptReportPBImpl() throws Exception {
+    validatePBImplRecord(ApplicationAttemptReportPBImpl.class,
+        ApplicationAttemptReportProto.class);
+  }
+
+  @Test
+  @Ignore
+  // ignore cause ApplicationIdPBImpl is immutable
+  public void testApplicationIdPBImpl() throws Exception {
+    validatePBImplRecord(ApplicationIdPBImpl.class, ApplicationIdProto.class);
+  }
+
+  @Test
+  public void testApplicationReportPBImpl() throws Exception {
+    validatePBImplRecord(ApplicationReportPBImpl.class,
+        ApplicationReportProto.class);
+  }
+
+  @Test
+  public void testApplicationResourceUsageReportPBImpl() throws Exception {
+    validatePBImplRecord(ApplicationResourceUsageReportPBImpl.class,
+        ApplicationResourceUsageReportProto.class);
+  }
+
+  @Test
+  public void testApplicationSubmissionContextPBImpl() throws Exception {
+    validatePBImplRecord(ApplicationSubmissionContextPBImpl.class,
+        ApplicationSubmissionContextProto.class);
+  }
+
+  @Test
+  @Ignore
+  // ignore cause ApplicationIdPBImpl is immutable
+  public void testContainerIdPBImpl() throws Exception {
+    validatePBImplRecord(ContainerIdPBImpl.class, ContainerIdProto.class);
+  }
+
+  @Test
+  public void testContainerLaunchContextPBImpl() throws Exception {
+    validatePBImplRecord(ContainerLaunchContextPBImpl.class,
+        ContainerLaunchContextProto.class);
+  }
+
+  @Test
+  public void testContainerPBImpl() throws Exception {
+    validatePBImplRecord(ContainerPBImpl.class, ContainerProto.class);
+  }
+
+  @Test
+  public void testContainerReportPBImpl() throws Exception {
+    validatePBImplRecord(ContainerReportPBImpl.class, ContainerReportProto.class);
+  }
+
+  @Test
+  public void testContainerResourceDecreasePBImpl() throws Exception {
+    validatePBImplRecord(ContainerResourceDecreasePBImpl.class,
+        ContainerResourceDecreaseProto.class);
+  }
+
+  @Test
+  public void testContainerResourceIncreasePBImpl() throws Exception {
+    validatePBImplRecord(ContainerResourceIncreasePBImpl.class,
+        ContainerResourceIncreaseProto.class);
+  }
+
+  @Test
+  public void testContainerResourceIncreaseRequestPBImpl() throws Exception {
+    validatePBImplRecord(ContainerResourceIncreaseRequestPBImpl.class,
+        ContainerResourceIncreaseRequestProto.class);
+  }
+
+  @Test
+  public void testContainerStatusPBImpl() throws Exception {
+    validatePBImplRecord(ContainerStatusPBImpl.class, ContainerStatusProto.class);
+  }
+
+  @Test
+  public void testLocalResourcePBImpl() throws Exception {
+    validatePBImplRecord(LocalResourcePBImpl.class, LocalResourceProto.class);
+  }
+
+  @Test
+  public void testNMTokenPBImpl() throws Exception {
+    validatePBImplRecord(NMTokenPBImpl.class, NMTokenProto.class);
+  }
+
+  @Test
+  @Ignore
+  // ignore cause ApplicationIdPBImpl is immutable
+  public void testNodeIdPBImpl() throws Exception {
+    validatePBImplRecord(NodeIdPBImpl.class, NodeIdProto.class);
+  }
+
+  @Test
+  public void testNodeReportPBImpl() throws Exception {
+    validatePBImplRecord(NodeReportPBImpl.class, NodeReportProto.class);
+  }
+
+  @Test
+  public void testPreemptionContainerPBImpl() throws Exception {
+    validatePBImplRecord(PreemptionContainerPBImpl.class,
+        PreemptionContainerProto.class);
+  }
+
+  @Test
+  public void testPreemptionContractPBImpl() throws Exception {
+    validatePBImplRecord(PreemptionContractPBImpl.class,
+        PreemptionContractProto.class);
+  }
+
+  @Test
+  public void testPreemptionMessagePBImpl() throws Exception {
+    validatePBImplRecord(PreemptionMessagePBImpl.class,
+        PreemptionMessageProto.class);
+  }
+
+  @Test
+  public void testPreemptionResourceRequestPBImpl() throws Exception {
+    validatePBImplRecord(PreemptionResourceRequestPBImpl.class,
+        PreemptionResourceRequestProto.class);
+  }
+
+  @Test
+  public void testPriorityPBImpl() throws Exception {
+    validatePBImplRecord(PriorityPBImpl.class, PriorityProto.class);
+  }
+
+  @Test
+  public void testQueueInfoPBImpl() throws Exception {
+    validatePBImplRecord(QueueInfoPBImpl.class, QueueInfoProto.class);
+  }
+
+  @Test
+  public void testQueueUserACLInfoPBImpl() throws Exception {
+    validatePBImplRecord(QueueUserACLInfoPBImpl.class,
+        QueueUserACLInfoProto.class);
+  }
+
+  @Test
+  public void testResourceBlacklistRequestPBImpl() throws Exception {
+    validatePBImplRecord(ResourceBlacklistRequestPBImpl.class,
+        ResourceBlacklistRequestProto.class);
+  }
+
+  @Test
+  @Ignore
+  // ignore as ResourceOptionPBImpl is immutable
+  public void testResourceOptionPBImpl() throws Exception {
+    validatePBImplRecord(ResourceOptionPBImpl.class, ResourceOptionProto.class);
+  }
+
+  @Test
+  public void testResourcePBImpl() throws Exception {
+    validatePBImplRecord(ResourcePBImpl.class, ResourceProto.class);
+  }
+
+  @Test
+  public void testResourceRequestPBImpl() throws Exception {
+    validatePBImplRecord(ResourceRequestPBImpl.class, ResourceRequestProto.class);
+  }
+
+  @Test
+  public void testSerializedExceptionPBImpl() throws Exception {
+    validatePBImplRecord(SerializedExceptionPBImpl.class,
+        SerializedExceptionProto.class);
+  }
+
+  @Test
+  public void testStrictPreemptionContractPBImpl() throws Exception {
+    validatePBImplRecord(StrictPreemptionContractPBImpl.class,
+        StrictPreemptionContractProto.class);
+  }
+
+  @Test
+  public void testTokenPBImpl() throws Exception {
+    validatePBImplRecord(TokenPBImpl.class, TokenProto.class);
+  }
+
+  @Test
+  public void testURLPBImpl() throws Exception {
+    validatePBImplRecord(URLPBImpl.class, URLProto.class);
+  }
+
+  @Test
+  public void testYarnClusterMetricsPBImpl() throws Exception {
+    validatePBImplRecord(YarnClusterMetricsPBImpl.class,
+        YarnClusterMetricsProto.class);
+  }
+
+  @Test
+  public void testRefreshAdminAclsRequestPBImpl() throws Exception {
+    validatePBImplRecord(RefreshAdminAclsRequestPBImpl.class,
+        RefreshAdminAclsRequestProto.class);
+  }
+
+  @Test
+  public void testRefreshAdminAclsResponsePBImpl() throws Exception {
+    validatePBImplRecord(RefreshAdminAclsResponsePBImpl.class,
+        RefreshAdminAclsResponseProto.class);
+  }
+
+  @Test
+  public void testRefreshNodesRequestPBImpl() throws Exception {
+    validatePBImplRecord(RefreshNodesRequestPBImpl.class,
+        RefreshNodesRequestProto.class);
+  }
+
+  @Test
+  public void testRefreshNodesResponsePBImpl() throws Exception {
+    validatePBImplRecord(RefreshNodesResponsePBImpl.class,
+        RefreshNodesResponseProto.class);
+  }
+
+  @Test
+  public void testRefreshQueuesRequestPBImpl() throws Exception {
+    validatePBImplRecord(RefreshQueuesRequestPBImpl.class,
+        RefreshQueuesRequestProto.class);
+  }
+
+  @Test
+  public void testRefreshQueuesResponsePBImpl() throws Exception {
+    validatePBImplRecord(RefreshQueuesResponsePBImpl.class,
+        RefreshQueuesResponseProto.class);
+  }
+
+  @Test
+  public void testRefreshServiceAclsRequestPBImpl() throws Exception {
+    validatePBImplRecord(RefreshServiceAclsRequestPBImpl.class,
+        RefreshServiceAclsRequestProto.class);
+  }
+
+  @Test
+  public void testRefreshServiceAclsResponsePBImpl() throws Exception {
+    validatePBImplRecord(RefreshServiceAclsResponsePBImpl.class,
+        RefreshServiceAclsResponseProto.class);
+  }
+
+  @Test
+  public void testRefreshSuperUserGroupsConfigurationRequestPBImpl()
+      throws Exception {
+    validatePBImplRecord(RefreshSuperUserGroupsConfigurationRequestPBImpl.class,
+        RefreshSuperUserGroupsConfigurationRequestProto.class);
+  }
+
+  @Test
+  public void testRefreshSuperUserGroupsConfigurationResponsePBImpl()
+      throws Exception {
+    validatePBImplRecord(RefreshSuperUserGroupsConfigurationResponsePBImpl.class,
+        RefreshSuperUserGroupsConfigurationResponseProto.class);
+  }
+
+  @Test
+  public void testRefreshUserToGroupsMappingsRequestPBImpl() throws Exception {
+    validatePBImplRecord(RefreshUserToGroupsMappingsRequestPBImpl.class,
+        RefreshUserToGroupsMappingsRequestProto.class);
+  }
+
+  @Test
+  public void testRefreshUserToGroupsMappingsResponsePBImpl() throws Exception {
+    validatePBImplRecord(RefreshUserToGroupsMappingsResponsePBImpl.class,
+        RefreshUserToGroupsMappingsResponseProto.class);
+  }
+
+  @Test
+  public void testUpdateNodeResourceRequestPBImpl() throws Exception {
+    validatePBImplRecord(UpdateNodeResourceRequestPBImpl.class,
+        UpdateNodeResourceRequestProto.class);
+  }
+
+  @Test
+  public void testUpdateNodeResourceResponsePBImpl() throws Exception {
+    validatePBImplRecord(UpdateNodeResourceResponsePBImpl.class,
+        UpdateNodeResourceResponseProto.class);
+  }
+}

From 397c88236233ad037234315dbb1f96a8948ea13d Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Fri, 1 Aug 2014 07:12:39 +0000
Subject: [PATCH 097/354] HDFS-6798. Add test case for incorrect data node
 condition during balancing. (Contributed by Benoy Antony)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615044 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../hdfs/server/balancer/TestBalancer.java    | 65 +++++++++++++++++++
 2 files changed, 68 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 785c82523e6..daf4fd31ed3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -337,6 +337,9 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-6685. Balancer should preserve storage type of replicas.  (szetszwo)
 
+    HDFS-6798. Add test case for incorrect data node condition during
+    balancing. (Benoy Antony via Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
index e9c86dfe3f0..39abdc50fc9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
@@ -658,6 +658,71 @@ public void integrationTest(Configuration conf) throws Exception {
     oneNodeTest(conf, false);
   }
   
+  /* we first start a cluster and fill the cluster up to a certain size.
+   * then redistribute blocks according the required distribution.
+   * Then we start an empty datanode.
+   * Afterwards a balancer is run to balance the cluster.
+   * A partially filled datanode is excluded during balancing.
+   * This triggers a situation where one of the block's location is unknown.
+   */
+  @Test(timeout=100000)
+  public void testUnknownDatanode() throws Exception {
+    Configuration conf = new HdfsConfiguration();
+    initConf(conf);
+    long distribution[] = new long[] {50*CAPACITY/100, 70*CAPACITY/100, 0*CAPACITY/100};
+    long capacities[] = new long[]{CAPACITY, CAPACITY, CAPACITY};
+    String racks[] = new String[] {RACK0, RACK1, RACK1};
+
+    int numDatanodes = distribution.length;
+    if (capacities.length != numDatanodes || racks.length != numDatanodes) {
+      throw new IllegalArgumentException("Array length is not the same");
+    }
+
+    // calculate total space that need to be filled
+    final long totalUsedSpace = sum(distribution);
+
+    // fill the cluster
+    ExtendedBlock[] blocks = generateBlocks(conf, totalUsedSpace,
+        (short) numDatanodes);
+
+    // redistribute blocks
+    Block[][] blocksDN = distributeBlocks(
+        blocks, (short)(numDatanodes-1), distribution);
+
+    // restart the cluster: do NOT format the cluster
+    conf.set(DFSConfigKeys.DFS_NAMENODE_SAFEMODE_THRESHOLD_PCT_KEY, "0.0f");
+    cluster = new MiniDFSCluster.Builder(conf).numDataNodes(numDatanodes)
+        .format(false)
+        .racks(racks)
+        .simulatedCapacities(capacities)
+        .build();
+    try {
+      cluster.waitActive();
+      client = NameNodeProxies.createProxy(conf, cluster.getFileSystem(0).getUri(),
+          ClientProtocol.class).getProxy();
+
+      for(int i = 0; i < 3; i++) {
+        cluster.injectBlocks(i, Arrays.asList(blocksDN[i]), null);
+      }
+
+      cluster.startDataNodes(conf, 1, true, null,
+          new String[]{RACK0}, null,new long[]{CAPACITY});
+      cluster.triggerHeartbeats();
+
+      Collection<URI> namenodes = DFSUtil.getNsServiceRpcUris(conf);
+      Set<String>  datanodes = new HashSet<String>();
+      datanodes.add(cluster.getDataNodes().get(0).getDatanodeId().getHostName());
+      Balancer.Parameters p = new Balancer.Parameters(
+          Balancer.Parameters.DEFAULT.policy,
+          Balancer.Parameters.DEFAULT.threshold,
+          datanodes, Balancer.Parameters.DEFAULT.nodesToBeIncluded);
+      final int r = Balancer.run(namenodes, p, conf);
+      assertEquals(Balancer.ReturnStatus.SUCCESS.code, r);
+    } finally {
+      cluster.shutdown();
+    }
+  }
+
   /**
    * Test parse method in Balancer#Cli class with threshold value out of
    * boundaries.

From 7e12b1912f8cdbe6d88ac0b8eb71d7c4dc1bf78e Mon Sep 17 00:00:00 2001
From: Tsz-wo Sze <szetszwo@apache.org>
Date: Fri, 1 Aug 2014 14:12:35 +0000
Subject: [PATCH 098/354] HDFS-6796. Improve the argument check during balancer
 command line parsing.  Contributed by Benoy Antony

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615107 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ++
 .../hadoop/hdfs/server/balancer/Balancer.java | 33 +++++++++++--------
 .../hdfs/server/balancer/TestBalancer.java    | 31 ++++++++++++++++-
 3 files changed, 53 insertions(+), 14 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index daf4fd31ed3..75833efbb1b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -340,6 +340,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6798. Add test case for incorrect data node condition during
     balancing. (Benoy Antony via Arpit Agarwal)
 
+    HDFS-6796. Improve the argument check during balancer command line parsing.
+    (Benoy Antony via szetszwo)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
index dad39494861..e5ff544ee75 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
@@ -1761,9 +1761,9 @@ static Parameters parse(String[] args) {
       if (args != null) {
         try {
           for(int i = 0; i < args.length; i++) {
-            checkArgument(args.length >= 2, "args = " + Arrays.toString(args));
             if ("-threshold".equalsIgnoreCase(args[i])) {
-              i++;
+              checkArgument(++i < args.length,
+                "Threshold value is missing: args = " + Arrays.toString(args));
               try {
                 threshold = Double.parseDouble(args[i]);
                 if (threshold < 1 || threshold > 100) {
@@ -1778,7 +1778,8 @@ static Parameters parse(String[] args) {
                 throw e;
               }
             } else if ("-policy".equalsIgnoreCase(args[i])) {
-              i++;
+              checkArgument(++i < args.length,
+                "Policy value is missing: args = " + Arrays.toString(args));
               try {
                 policy = BalancingPolicy.parse(args[i]);
               } catch(IllegalArgumentException e) {
@@ -1786,16 +1787,26 @@ static Parameters parse(String[] args) {
                 throw e;
               }
             } else if ("-exclude".equalsIgnoreCase(args[i])) {
-              i++;
+              checkArgument(++i < args.length,
+                  "List of nodes to exclude | -f <filename> is missing: args = "
+                  + Arrays.toString(args));
               if ("-f".equalsIgnoreCase(args[i])) {
-                nodesTobeExcluded = Util.getHostListFromFile(args[++i]);
+                checkArgument(++i < args.length,
+                    "File containing nodes to exclude is not specified: args = "
+                    + Arrays.toString(args));
+                nodesTobeExcluded = Util.getHostListFromFile(args[i]);
               } else {
                 nodesTobeExcluded = Util.parseHostList(args[i]);
               }
             } else if ("-include".equalsIgnoreCase(args[i])) {
-              i++;
+              checkArgument(++i < args.length,
+                "List of nodes to include | -f <filename> is missing: args = "
+                + Arrays.toString(args));
               if ("-f".equalsIgnoreCase(args[i])) {
-                nodesTobeIncluded = Util.getHostListFromFile(args[++i]);
+                checkArgument(++i < args.length,
+                    "File containing nodes to include is not specified: args = "
+                    + Arrays.toString(args));
+                nodesTobeIncluded = Util.getHostListFromFile(args[i]);
                } else {
                 nodesTobeIncluded = Util.parseHostList(args[i]);
               }
@@ -1804,12 +1815,8 @@ static Parameters parse(String[] args) {
                   + Arrays.toString(args));
             }
           }
-          if (!nodesTobeExcluded.isEmpty() && !nodesTobeIncluded.isEmpty()) {
-            System.err.println(
-                "-exclude and -include options cannot be specified together.");
-            throw new IllegalArgumentException(
-                "-exclude and -include options cannot be specified together.");
-          }
+          checkArgument(nodesTobeExcluded.isEmpty() || nodesTobeIncluded.isEmpty(),
+              "-exclude and -include options cannot be specified together.");
         } catch(RuntimeException e) {
           printUsage(System.err);
           throw e;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
index 39abdc50fc9..5da3cd177a2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
@@ -854,13 +854,42 @@ public void testBalancerCliParseWithWrongParams() {
     } catch (IllegalArgumentException e) {
 
     }
-    parameters = new String[] { "-threshold 1 -policy" };
+    parameters = new String[] {"-threshold", "1", "-policy"};
     try {
       Balancer.Cli.parse(parameters);
       fail(reason);
     } catch (IllegalArgumentException e) {
 
     }
+    parameters = new String[] {"-threshold", "1", "-include"};
+    try {
+      Balancer.Cli.parse(parameters);
+      fail(reason);
+    } catch (IllegalArgumentException e) {
+
+    }
+    parameters = new String[] {"-threshold", "1", "-exclude"};
+    try {
+      Balancer.Cli.parse(parameters);
+      fail(reason);
+    } catch (IllegalArgumentException e) {
+
+    }
+    parameters = new String[] {"-include",  "-f"};
+    try {
+      Balancer.Cli.parse(parameters);
+      fail(reason);
+    } catch (IllegalArgumentException e) {
+
+    }
+    parameters = new String[] {"-exclude",  "-f"};
+    try {
+      Balancer.Cli.parse(parameters);
+      fail(reason);
+    } catch (IllegalArgumentException e) {
+
+    }
+
     parameters = new String[] {"-include",  "testnode1", "-exclude", "testnode2"};
     try {
       Balancer.Cli.parse(parameters);

From 45db4d204b796eee6dd0e39d3cc94b70c47028d4 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Fri, 1 Aug 2014 16:58:06 +0000
Subject: [PATCH 099/354] HDFS-6794. Update BlockManager methods to use
 DatanodeStorageInfo where possible. (Arpit Agarwal)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615169 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../server/blockmanagement/BlockManager.java  | 159 ++++++++++--------
 .../blockmanagement/DatanodeStorageInfo.java  |   2 +-
 .../PendingDataNodeMessages.java              |  30 ++--
 .../hdfs/server/namenode/FSNamesystem.java    |   9 +-
 .../server/namenode/NameNodeRpcServer.java    |   4 +-
 .../blockmanagement/TestBlockManager.java     |  10 +-
 .../TestDatanodeDescriptor.java               |   6 +-
 .../TestPendingDataNodeMessages.java          |   7 +-
 .../TestReplicationPolicy.java                |   5 +-
 10 files changed, 129 insertions(+), 106 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 75833efbb1b..9ae0002260e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -343,6 +343,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6796. Improve the argument check during balancer command line parsing.
     (Benoy Antony via szetszwo)
 
+    HDFS-6794. Update BlockManager methods to use DatanodeStorageInfo
+    where possible (Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
index c4837db4d81..41118183658 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
@@ -1079,6 +1079,7 @@ private void addToInvalidates(Block b) {
    * Mark the block belonging to datanode as corrupt
    * @param blk Block to be marked as corrupt
    * @param dn Datanode which holds the corrupt replica
+   * @param storageID if known, null otherwise.
    * @param reason a textual reason why the block should be marked corrupt,
    * for logging purposes
    */
@@ -1095,19 +1096,29 @@ public void findAndMarkBlockAsCorrupt(final ExtendedBlock blk,
           + blk + " not found");
       return;
     }
-    markBlockAsCorrupt(new BlockToMarkCorrupt(storedBlock,
-        blk.getGenerationStamp(), reason, Reason.CORRUPTION_REPORTED),
-        dn, storageID);
-  }
 
-  private void markBlockAsCorrupt(BlockToMarkCorrupt b,
-      DatanodeInfo dn, String storageID) throws IOException {
     DatanodeDescriptor node = getDatanodeManager().getDatanode(dn);
     if (node == null) {
-      throw new IOException("Cannot mark " + b
+      throw new IOException("Cannot mark " + blk
           + " as corrupt because datanode " + dn + " (" + dn.getDatanodeUuid()
           + ") does not exist");
     }
+    
+    markBlockAsCorrupt(new BlockToMarkCorrupt(storedBlock,
+            blk.getGenerationStamp(), reason, Reason.CORRUPTION_REPORTED),
+        storageID == null ? null : node.getStorageInfo(storageID),
+        node);
+  }
+
+  /**
+   * 
+   * @param b
+   * @param storageInfo storage that contains the block, if known. null otherwise.
+   * @throws IOException
+   */
+  private void markBlockAsCorrupt(BlockToMarkCorrupt b,
+      DatanodeStorageInfo storageInfo,
+      DatanodeDescriptor node) throws IOException {
 
     BlockCollection bc = b.corrupted.getBlockCollection();
     if (bc == null) {
@@ -1118,7 +1129,9 @@ private void markBlockAsCorrupt(BlockToMarkCorrupt b,
     } 
 
     // Add replica to the data-node if it is not already there
-    node.addBlock(storageID, b.stored);
+    if (storageInfo != null) {
+      storageInfo.addBlock(b.stored);
+    }
 
     // Add this replica to corruptReplicas Map
     corruptReplicas.addToCorruptReplicasMap(b.corrupted, node, b.reason,
@@ -1457,7 +1470,7 @@ int computeReplicationWorkForBlocks(List<List<Block>> blocksToReplicate) {
    * @throws IOException
    *           if the number of targets < minimum replication.
    * @see BlockPlacementPolicy#chooseTarget(String, int, Node,
-   *      List, boolean, Set, long)
+   *      List, boolean, Set, long, StorageType)
    */
   public DatanodeStorageInfo[] chooseTarget(final String src,
       final int numOfReplicas, final DatanodeDescriptor client,
@@ -1694,7 +1707,7 @@ public String toString() {
    * @throws IOException
    */
   public boolean processReport(final DatanodeID nodeID,
-      final DatanodeStorage storage, final String poolId,
+      final DatanodeStorage storage,
       final BlockListAsLongs newReport) throws IOException {
     namesystem.writeLock();
     final long startTime = Time.now(); //after acquiring write lock
@@ -1726,9 +1739,9 @@ public boolean processReport(final DatanodeID nodeID,
       if (storageInfo.numBlocks() == 0) {
         // The first block report can be processed a lot more efficiently than
         // ordinary block reports.  This shortens restart times.
-        processFirstBlockReport(node, storage.getStorageID(), newReport);
+        processFirstBlockReport(storageInfo, newReport);
       } else {
-        processReport(node, storage, newReport);
+        processReport(storageInfo, newReport);
       }
       
       // Now that we have an up-to-date block report, we know that any
@@ -1790,9 +1803,8 @@ private void rescanPostponedMisreplicatedBlocks() {
     }
   }
   
-  private void processReport(final DatanodeDescriptor node,
-      final DatanodeStorage storage,
-      final BlockListAsLongs report) throws IOException {
+  private void processReport(final DatanodeStorageInfo storageInfo,
+                             final BlockListAsLongs report) throws IOException {
     // Normal case:
     // Modify the (block-->datanode) map, according to the difference
     // between the old and new block report.
@@ -1802,19 +1814,20 @@ private void processReport(final DatanodeDescriptor node,
     Collection<Block> toInvalidate = new LinkedList<Block>();
     Collection<BlockToMarkCorrupt> toCorrupt = new LinkedList<BlockToMarkCorrupt>();
     Collection<StatefulBlockInfo> toUC = new LinkedList<StatefulBlockInfo>();
-    reportDiff(node, storage, report,
+    reportDiff(storageInfo, report,
         toAdd, toRemove, toInvalidate, toCorrupt, toUC);
-
+   
+    DatanodeDescriptor node = storageInfo.getDatanodeDescriptor();
     // Process the blocks on each queue
     for (StatefulBlockInfo b : toUC) { 
-      addStoredBlockUnderConstruction(b, node, storage.getStorageID());
+      addStoredBlockUnderConstruction(b, storageInfo);
     }
     for (Block b : toRemove) {
       removeStoredBlock(b, node);
     }
     int numBlocksLogged = 0;
     for (BlockInfo b : toAdd) {
-      addStoredBlock(b, node, storage.getStorageID(), null, numBlocksLogged < maxNumBlocksToLog);
+      addStoredBlock(b, storageInfo, null, numBlocksLogged < maxNumBlocksToLog);
       numBlocksLogged++;
     }
     if (numBlocksLogged > maxNumBlocksToLog) {
@@ -1828,7 +1841,7 @@ private void processReport(final DatanodeDescriptor node,
       addToInvalidates(b, node);
     }
     for (BlockToMarkCorrupt b : toCorrupt) {
-      markBlockAsCorrupt(b, node, storage.getStorageID());
+      markBlockAsCorrupt(b, storageInfo, node);
     }
   }
 
@@ -1839,16 +1852,16 @@ private void processReport(final DatanodeDescriptor node,
    * a toRemove list (since there won't be any).  It also silently discards 
    * any invalid blocks, thereby deferring their processing until 
    * the next block report.
-   * @param node - DatanodeDescriptor of the node that sent the report
+   * @param storageInfo - DatanodeStorageInfo that sent the report
    * @param report - the initial block report, to be processed
    * @throws IOException 
    */
-  private void processFirstBlockReport(final DatanodeDescriptor node,
-      final String storageID,
+  private void processFirstBlockReport(
+      final DatanodeStorageInfo storageInfo,
       final BlockListAsLongs report) throws IOException {
     if (report == null) return;
     assert (namesystem.hasWriteLock());
-    assert (node.getStorageInfo(storageID).numBlocks() == 0);
+    assert (storageInfo.numBlocks() == 0);
     BlockReportIterator itBR = report.getBlockReportIterator();
 
     while(itBR.hasNext()) {
@@ -1857,7 +1870,7 @@ private void processFirstBlockReport(final DatanodeDescriptor node,
       
       if (shouldPostponeBlocksFromFuture &&
           namesystem.isGenStampInFuture(iblk)) {
-        queueReportedBlock(node, storageID, iblk, reportedState,
+        queueReportedBlock(storageInfo, iblk, reportedState,
             QUEUE_REASON_FUTURE_GENSTAMP);
         continue;
       }
@@ -1869,15 +1882,16 @@ private void processFirstBlockReport(final DatanodeDescriptor node,
       // If block is corrupt, mark it and continue to next block.
       BlockUCState ucState = storedBlock.getBlockUCState();
       BlockToMarkCorrupt c = checkReplicaCorrupt(
-          iblk, reportedState, storedBlock, ucState, node);
+          iblk, reportedState, storedBlock, ucState,
+          storageInfo.getDatanodeDescriptor());
       if (c != null) {
         if (shouldPostponeBlocksFromFuture) {
           // In the Standby, we may receive a block report for a file that we
           // just have an out-of-date gen-stamp or state for, for example.
-          queueReportedBlock(node, storageID, iblk, reportedState,
+          queueReportedBlock(storageInfo, iblk, reportedState,
               QUEUE_REASON_CORRUPT_STATE);
         } else {
-          markBlockAsCorrupt(c, node, storageID);
+          markBlockAsCorrupt(c, storageInfo, storageInfo.getDatanodeDescriptor());
         }
         continue;
       }
@@ -1885,7 +1899,7 @@ private void processFirstBlockReport(final DatanodeDescriptor node,
       // If block is under construction, add this replica to its list
       if (isBlockUnderConstruction(storedBlock, ucState, reportedState)) {
         ((BlockInfoUnderConstruction)storedBlock).addReplicaIfNotPresent(
-            node.getStorageInfo(storageID), iblk, reportedState);
+            storageInfo, iblk, reportedState);
         // OpenFileBlocks only inside snapshots also will be added to safemode
         // threshold. So we need to update such blocks to safemode
         // refer HDFS-5283
@@ -1898,12 +1912,12 @@ private void processFirstBlockReport(final DatanodeDescriptor node,
       }      
       //add replica if appropriate
       if (reportedState == ReplicaState.FINALIZED) {
-        addStoredBlockImmediate(storedBlock, node, storageID);
+        addStoredBlockImmediate(storedBlock, storageInfo);
       }
     }
   }
 
-  private void reportDiff(DatanodeDescriptor dn, DatanodeStorage storage, 
+  private void reportDiff(DatanodeStorageInfo storageInfo, 
       BlockListAsLongs newReport, 
       Collection<BlockInfo> toAdd,              // add to DatanodeDescriptor
       Collection<Block> toRemove,           // remove from DatanodeDescriptor
@@ -1911,8 +1925,6 @@ private void reportDiff(DatanodeDescriptor dn, DatanodeStorage storage,
       Collection<BlockToMarkCorrupt> toCorrupt, // add to corrupt replicas list
       Collection<StatefulBlockInfo> toUC) { // add to under-construction list
 
-    final DatanodeStorageInfo storageInfo = dn.getStorageInfo(storage.getStorageID());
-
     // place a delimiter in the list which separates blocks 
     // that have been reported from those that have not
     BlockInfo delimiter = new BlockInfo(new Block(), 1);
@@ -1929,7 +1941,7 @@ private void reportDiff(DatanodeDescriptor dn, DatanodeStorage storage,
     while(itBR.hasNext()) {
       Block iblk = itBR.next();
       ReplicaState iState = itBR.getCurrentReplicaState();
-      BlockInfo storedBlock = processReportedBlock(dn, storage.getStorageID(),
+      BlockInfo storedBlock = processReportedBlock(storageInfo,
           iblk, iState, toAdd, toInvalidate, toCorrupt, toUC);
 
       // move block to the head of the list
@@ -1966,7 +1978,7 @@ private void reportDiff(DatanodeDescriptor dn, DatanodeStorage storage,
    * BlockInfoUnderConstruction's list of replicas.</li>
    * </ol>
    * 
-   * @param dn descriptor for the datanode that made the report
+   * @param storageInfo DatanodeStorageInfo that sent the report.
    * @param block reported block replica
    * @param reportedState reported replica state
    * @param toAdd add to DatanodeDescriptor
@@ -1978,14 +1990,16 @@ private void reportDiff(DatanodeDescriptor dn, DatanodeStorage storage,
    * @return the up-to-date stored block, if it should be kept.
    *         Otherwise, null.
    */
-  private BlockInfo processReportedBlock(final DatanodeDescriptor dn,
-      final String storageID,
+  private BlockInfo processReportedBlock(
+      final DatanodeStorageInfo storageInfo,
       final Block block, final ReplicaState reportedState, 
       final Collection<BlockInfo> toAdd, 
       final Collection<Block> toInvalidate, 
       final Collection<BlockToMarkCorrupt> toCorrupt,
       final Collection<StatefulBlockInfo> toUC) {
     
+    DatanodeDescriptor dn = storageInfo.getDatanodeDescriptor();
+
     if(LOG.isDebugEnabled()) {
       LOG.debug("Reported block " + block
           + " on " + dn + " size " + block.getNumBytes()
@@ -1994,7 +2008,7 @@ private BlockInfo processReportedBlock(final DatanodeDescriptor dn,
   
     if (shouldPostponeBlocksFromFuture &&
         namesystem.isGenStampInFuture(block)) {
-      queueReportedBlock(dn, storageID, block, reportedState,
+      queueReportedBlock(storageInfo, block, reportedState,
           QUEUE_REASON_FUTURE_GENSTAMP);
       return null;
     }
@@ -2034,7 +2048,7 @@ private BlockInfo processReportedBlock(final DatanodeDescriptor dn,
         // TODO: Pretty confident this should be s/storedBlock/block below,
         // since we should be postponing the info of the reported block, not
         // the stored block. See HDFS-6289 for more context.
-        queueReportedBlock(dn, storageID, storedBlock, reportedState,
+        queueReportedBlock(storageInfo, storedBlock, reportedState,
             QUEUE_REASON_CORRUPT_STATE);
       } else {
         toCorrupt.add(c);
@@ -2063,17 +2077,17 @@ private BlockInfo processReportedBlock(final DatanodeDescriptor dn,
    * standby node. @see PendingDataNodeMessages.
    * @param reason a textual reason to report in the debug logs
    */
-  private void queueReportedBlock(DatanodeDescriptor dn, String storageID, Block block,
+  private void queueReportedBlock(DatanodeStorageInfo storageInfo, Block block,
       ReplicaState reportedState, String reason) {
     assert shouldPostponeBlocksFromFuture;
     
     if (LOG.isDebugEnabled()) {
       LOG.debug("Queueing reported block " + block +
           " in state " + reportedState + 
-          " from datanode " + dn + " for later processing " +
-          "because " + reason + ".");
+          " from datanode " + storageInfo.getDatanodeDescriptor() +
+          " for later processing because " + reason + ".");
     }
-    pendingDNMessages.enqueueReportedBlock(dn, storageID, block, reportedState);
+    pendingDNMessages.enqueueReportedBlock(storageInfo, block, reportedState);
   }
 
   /**
@@ -2096,7 +2110,7 @@ private void processQueuedMessages(Iterable<ReportedBlockInfo> rbis)
       if (LOG.isDebugEnabled()) {
         LOG.debug("Processing previouly queued message " + rbi);
       }
-      processAndHandleReportedBlock(rbi.getNode(), rbi.getStorageID(), 
+      processAndHandleReportedBlock(rbi.getStorageInfo(), 
           rbi.getBlock(), rbi.getReportedState(), null);
     }
   }
@@ -2216,19 +2230,20 @@ private boolean isBlockUnderConstruction(BlockInfo storedBlock,
   }
 
   void addStoredBlockUnderConstruction(StatefulBlockInfo ucBlock,
-      DatanodeDescriptor node, String storageID) throws IOException {
+      DatanodeStorageInfo storageInfo) throws IOException {
     BlockInfoUnderConstruction block = ucBlock.storedBlock;
-    block.addReplicaIfNotPresent(node.getStorageInfo(storageID),
-        ucBlock.reportedBlock, ucBlock.reportedState);
+    block.addReplicaIfNotPresent(
+        storageInfo, ucBlock.reportedBlock, ucBlock.reportedState);
 
-    if (ucBlock.reportedState == ReplicaState.FINALIZED && block.findDatanode(node) < 0) {
-      addStoredBlock(block, node, storageID, null, true);
+    if (ucBlock.reportedState == ReplicaState.FINALIZED &&
+        block.findDatanode(storageInfo.getDatanodeDescriptor()) < 0) {
+      addStoredBlock(block, storageInfo, null, true);
     }
   } 
 
   /**
    * Faster version of
-   * {@link #addStoredBlock(BlockInfo, DatanodeDescriptor, String, DatanodeDescriptor, boolean)}
+   * {@link #addStoredBlock(BlockInfo, DatanodeStorageInfo, DatanodeDescriptor, boolean)}
    * , intended for use with initial block report at startup. If not in startup
    * safe mode, will call standard addStoredBlock(). Assumes this method is
    * called "immediately" so there is no need to refresh the storedBlock from
@@ -2239,17 +2254,17 @@ void addStoredBlockUnderConstruction(StatefulBlockInfo ucBlock,
    * @throws IOException
    */
   private void addStoredBlockImmediate(BlockInfo storedBlock,
-      DatanodeDescriptor node, String storageID)
+      DatanodeStorageInfo storageInfo)
   throws IOException {
     assert (storedBlock != null && namesystem.hasWriteLock());
     if (!namesystem.isInStartupSafeMode() 
         || namesystem.isPopulatingReplQueues()) {
-      addStoredBlock(storedBlock, node, storageID, null, false);
+      addStoredBlock(storedBlock, storageInfo, null, false);
       return;
     }
 
     // just add it
-    node.addBlock(storageID, storedBlock);
+    storageInfo.addBlock(storedBlock);
 
     // Now check for completion of blocks and safe block count
     int numCurrentReplica = countLiveNodes(storedBlock);
@@ -2271,13 +2286,13 @@ private void addStoredBlockImmediate(BlockInfo storedBlock,
    * @return the block that is stored in blockMap.
    */
   private Block addStoredBlock(final BlockInfo block,
-                               DatanodeDescriptor node,
-                               String storageID,
+                               DatanodeStorageInfo storageInfo,
                                DatanodeDescriptor delNodeHint,
                                boolean logEveryBlock)
   throws IOException {
     assert block != null && namesystem.hasWriteLock();
     BlockInfo storedBlock;
+    DatanodeDescriptor node = storageInfo.getDatanodeDescriptor();
     if (block instanceof BlockInfoUnderConstruction) {
       //refresh our copy in case the block got completed in another thread
       storedBlock = blocksMap.getStoredBlock(block);
@@ -2297,7 +2312,7 @@ private Block addStoredBlock(final BlockInfo block,
     assert bc != null : "Block must belong to a file";
 
     // add block to the datanode
-    boolean added = node.addBlock(storageID, storedBlock);
+    boolean added = storageInfo.addBlock(storedBlock);
 
     int curReplicaDelta;
     if (added) {
@@ -2843,8 +2858,9 @@ private long addBlock(Block block, List<BlockWithLocations> results) {
    * The given node is reporting that it received a certain block.
    */
   @VisibleForTesting
-  void addBlock(DatanodeDescriptor node, String storageID, Block block, String delHint)
+  void addBlock(DatanodeStorageInfo storageInfo, Block block, String delHint)
       throws IOException {
+    DatanodeDescriptor node = storageInfo.getDatanodeDescriptor();
     // Decrement number of blocks scheduled to this datanode.
     // for a retry request (of DatanodeProtocol#blockReceivedAndDeleted with 
     // RECEIVED_BLOCK), we currently also decrease the approximate number. 
@@ -2864,12 +2880,12 @@ void addBlock(DatanodeDescriptor node, String storageID, Block block, String del
     // Modify the blocks->datanode map and node's map.
     //
     pendingReplications.decrement(block, node);
-    processAndHandleReportedBlock(node, storageID, block, ReplicaState.FINALIZED,
+    processAndHandleReportedBlock(storageInfo, block, ReplicaState.FINALIZED,
         delHintNode);
   }
   
-  private void processAndHandleReportedBlock(DatanodeDescriptor node,
-      String storageID, Block block,
+  private void processAndHandleReportedBlock(
+      DatanodeStorageInfo storageInfo, Block block,
       ReplicaState reportedState, DatanodeDescriptor delHintNode)
       throws IOException {
     // blockReceived reports a finalized block
@@ -2877,7 +2893,9 @@ private void processAndHandleReportedBlock(DatanodeDescriptor node,
     Collection<Block> toInvalidate = new LinkedList<Block>();
     Collection<BlockToMarkCorrupt> toCorrupt = new LinkedList<BlockToMarkCorrupt>();
     Collection<StatefulBlockInfo> toUC = new LinkedList<StatefulBlockInfo>();
-    processReportedBlock(node, storageID, block, reportedState,
+    final DatanodeDescriptor node = storageInfo.getDatanodeDescriptor();
+
+    processReportedBlock(storageInfo, block, reportedState,
                               toAdd, toInvalidate, toCorrupt, toUC);
     // the block is only in one of the to-do lists
     // if it is in none then data-node already has it
@@ -2885,11 +2903,11 @@ private void processAndHandleReportedBlock(DatanodeDescriptor node,
       : "The block should be only in one of the lists.";
 
     for (StatefulBlockInfo b : toUC) { 
-      addStoredBlockUnderConstruction(b, node, storageID);
+      addStoredBlockUnderConstruction(b, storageInfo);
     }
     long numBlocksLogged = 0;
     for (BlockInfo b : toAdd) {
-      addStoredBlock(b, node, storageID, delHintNode, numBlocksLogged < maxNumBlocksToLog);
+      addStoredBlock(b, storageInfo, delHintNode, numBlocksLogged < maxNumBlocksToLog);
       numBlocksLogged++;
     }
     if (numBlocksLogged > maxNumBlocksToLog) {
@@ -2903,7 +2921,7 @@ private void processAndHandleReportedBlock(DatanodeDescriptor node,
       addToInvalidates(b, node);
     }
     for (BlockToMarkCorrupt b : toCorrupt) {
-      markBlockAsCorrupt(b, node, storageID);
+      markBlockAsCorrupt(b, storageInfo, node);
     }
   }
 
@@ -2930,13 +2948,15 @@ public void processIncrementalBlockReport(final DatanodeID nodeID,
           "Got incremental block report from unregistered or dead node");
     }
 
-    if (node.getStorageInfo(srdb.getStorage().getStorageID()) == null) {
+    DatanodeStorageInfo storageInfo =
+        node.getStorageInfo(srdb.getStorage().getStorageID());
+    if (storageInfo == null) {
       // The DataNode is reporting an unknown storage. Usually the NN learns
       // about new storages from heartbeats but during NN restart we may
       // receive a block report or incremental report before the heartbeat.
       // We must handle this for protocol compatibility. This issue was
       // uncovered by HDFS-6094.
-      node.updateStorage(srdb.getStorage());
+      storageInfo = node.updateStorage(srdb.getStorage());
     }
 
     for (ReceivedDeletedBlockInfo rdbi : srdb.getBlocks()) {
@@ -2946,14 +2966,13 @@ public void processIncrementalBlockReport(final DatanodeID nodeID,
         deleted++;
         break;
       case RECEIVED_BLOCK:
-        addBlock(node, srdb.getStorage().getStorageID(),
-            rdbi.getBlock(), rdbi.getDelHints());
+        addBlock(storageInfo, rdbi.getBlock(), rdbi.getDelHints());
         received++;
         break;
       case RECEIVING_BLOCK:
         receiving++;
-        processAndHandleReportedBlock(node, srdb.getStorage().getStorageID(),
-            rdbi.getBlock(), ReplicaState.RBW, null);
+        processAndHandleReportedBlock(storageInfo, rdbi.getBlock(),
+                                      ReplicaState.RBW, null);
         break;
       default:
         String msg = 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
index fa4b0e533bd..791fc3157d9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
@@ -207,7 +207,7 @@ long getBlockPoolUsed() {
     return blockPoolUsed;
   }
 
-  boolean addBlock(BlockInfo b) {
+  public boolean addBlock(BlockInfo b) {
     if(!b.addStorage(this))
       return false;
     // add to the head of the data-node list
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/PendingDataNodeMessages.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/PendingDataNodeMessages.java
index 0a1ba65f125..5f59f0267a6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/PendingDataNodeMessages.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/PendingDataNodeMessages.java
@@ -25,6 +25,7 @@
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.ReplicaState;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorage;
 
 /**
  * In the Standby Node, we can receive messages about blocks
@@ -41,14 +42,12 @@ class PendingDataNodeMessages {
     
   static class ReportedBlockInfo {
     private final Block block;
-    private final DatanodeDescriptor dn;
-    private final String storageID;
+    private final DatanodeStorageInfo storageInfo;
     private final ReplicaState reportedState;
 
-    ReportedBlockInfo(DatanodeDescriptor dn, String storageID, Block block,
+    ReportedBlockInfo(DatanodeStorageInfo storageInfo, Block block,
         ReplicaState reportedState) {
-      this.dn = dn;
-      this.storageID = storageID;
+      this.storageInfo = storageInfo;
       this.block = block;
       this.reportedState = reportedState;
     }
@@ -57,21 +56,18 @@ Block getBlock() {
       return block;
     }
 
-    DatanodeDescriptor getNode() {
-      return dn;
-    }
-    
-    String getStorageID() {
-      return storageID;
-    }
-
     ReplicaState getReportedState() {
       return reportedState;
     }
+    
+    DatanodeStorageInfo getStorageInfo() {
+      return storageInfo;
+    }
 
     @Override
     public String toString() {
-      return "ReportedBlockInfo [block=" + block + ", dn=" + dn
+      return "ReportedBlockInfo [block=" + block + ", dn="
+          + storageInfo.getDatanodeDescriptor()
           + ", reportedState=" + reportedState + "]";
     }
   }
@@ -87,7 +83,7 @@ void removeAllMessagesForDatanode(DatanodeDescriptor dn) {
       Queue<ReportedBlockInfo> oldQueue = entry.getValue();
       while (!oldQueue.isEmpty()) {
         ReportedBlockInfo rbi = oldQueue.remove();
-        if (!rbi.getNode().equals(dn)) {
+        if (!rbi.getStorageInfo().getDatanodeDescriptor().equals(dn)) {
           newQueue.add(rbi);
         } else {
           count--;
@@ -97,11 +93,11 @@ void removeAllMessagesForDatanode(DatanodeDescriptor dn) {
     }
   }
   
-  void enqueueReportedBlock(DatanodeDescriptor dn, String storageID, Block block,
+  void enqueueReportedBlock(DatanodeStorageInfo storageInfo, Block block,
       ReplicaState reportedState) {
     block = new Block(block);
     getBlockQueue(block).add(
-        new ReportedBlockInfo(dn, storageID, block, reportedState));
+        new ReportedBlockInfo(storageInfo, block, reportedState));
     count++;
   }
   
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 37f8c4b23d0..edfdfc1c894 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -4355,8 +4355,11 @@ void commitBlockSynchronization(ExtendedBlock lastblock,
           // Otherwise fsck will report these blocks as MISSING, especially if the
           // blocksReceived from Datanodes take a long time to arrive.
           for (int i = 0; i < trimmedTargets.size(); i++) {
-            trimmedTargets.get(i).addBlock(
-              trimmedStorages.get(i), storedBlock);
+            DatanodeStorageInfo storageInfo =
+                trimmedTargets.get(i).getStorageInfo(trimmedStorages.get(i));
+            if (storageInfo != null) {
+              storageInfo.addBlock(storedBlock);
+            }
           }
         }
 
@@ -5835,7 +5838,7 @@ NamenodeCommand startCheckpoint(NamenodeRegistration backupNode,
   }
 
   public void processIncrementalBlockReport(final DatanodeID nodeID,
-      final String poolId, final StorageReceivedDeletedBlocks srdb)
+      final StorageReceivedDeletedBlocks srdb)
       throws IOException {
     writeLock();
     try {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 6800fcde174..199d7288897 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -1065,7 +1065,7 @@ public DatanodeCommand blockReport(DatanodeRegistration nodeReg,
       // for the same node and storage, so the value returned by the last
       // call of this loop is the final updated value for noStaleStorage.
       //
-      noStaleStorages = bm.processReport(nodeReg, r.getStorage(), poolId, blocks);
+      noStaleStorages = bm.processReport(nodeReg, r.getStorage(), blocks);
       metrics.incrStorageBlockReportOps();
     }
 
@@ -1101,7 +1101,7 @@ public void blockReceivedAndDeleted(DatanodeRegistration nodeReg, String poolId,
           +" blocks.");
     }
     for(StorageReceivedDeletedBlocks r : receivedAndDeletedBlocks) {
-      namesystem.processIncrementalBlockReport(nodeReg, poolId, r);
+      namesystem.processIncrementalBlockReport(nodeReg, r);
     }
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockManager.java
index e632ed1ca97..41af2370d14 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockManager.java
@@ -368,7 +368,7 @@ private void fulfillPipeline(BlockInfo blockInfo,
       DatanodeStorageInfo[] pipeline) throws IOException {
     for (int i = 1; i < pipeline.length; i++) {
       DatanodeStorageInfo storage = pipeline[i];
-      bm.addBlock(storage.getDatanodeDescriptor(), storage.getStorageID(), blockInfo, null);
+      bm.addBlock(storage, blockInfo, null);
       blockInfo.addStorage(storage);
     }
   }
@@ -549,12 +549,12 @@ public void testSafeModeIBR() throws Exception {
     // send block report, should be processed
     reset(node);
     
-    bm.processReport(node, new DatanodeStorage(ds.getStorageID()), "pool", 
+    bm.processReport(node, new DatanodeStorage(ds.getStorageID()),
         new BlockListAsLongs(null, null));
     assertEquals(1, ds.getBlockReportCount());
     // send block report again, should NOT be processed
     reset(node);
-    bm.processReport(node, new DatanodeStorage(ds.getStorageID()), "pool",
+    bm.processReport(node, new DatanodeStorage(ds.getStorageID()),
         new BlockListAsLongs(null, null));
     assertEquals(1, ds.getBlockReportCount());
 
@@ -566,7 +566,7 @@ public void testSafeModeIBR() throws Exception {
     assertEquals(0, ds.getBlockReportCount()); // ready for report again
     // send block report, should be processed after restart
     reset(node);
-    bm.processReport(node, new DatanodeStorage(ds.getStorageID()), "pool",
+    bm.processReport(node, new DatanodeStorage(ds.getStorageID()),
         new BlockListAsLongs(null, null));
     assertEquals(1, ds.getBlockReportCount());
   }
@@ -595,7 +595,7 @@ public void testSafeModeIBRAfterIncremental() throws Exception {
     // send block report while pretending to already have blocks
     reset(node);
     doReturn(1).when(node).numBlocks();
-    bm.processReport(node, new DatanodeStorage(ds.getStorageID()), "pool",
+    bm.processReport(node, new DatanodeStorage(ds.getStorageID()),
         new BlockListAsLongs(null, null));
     assertEquals(1, ds.getBlockReportCount());
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestDatanodeDescriptor.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestDatanodeDescriptor.java
index 12674eb318a..2d7eaf3dcfe 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestDatanodeDescriptor.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestDatanodeDescriptor.java
@@ -63,16 +63,16 @@ public void testBlocksCounter() throws Exception {
     assertTrue(storages.length > 0);
     final String storageID = storages[0].getStorageID();
     // add first block
-    assertTrue(dd.addBlock(storageID, blk));
+    assertTrue(storages[0].addBlock(blk));
     assertEquals(1, dd.numBlocks());
     // remove a non-existent block
     assertFalse(dd.removeBlock(blk1));
     assertEquals(1, dd.numBlocks());
     // add an existent block
-    assertFalse(dd.addBlock(storageID, blk));
+    assertFalse(storages[0].addBlock(blk));
     assertEquals(1, dd.numBlocks());
     // add second block
-    assertTrue(dd.addBlock(storageID, blk1));
+    assertTrue(storages[0].addBlock(blk1));
     assertEquals(2, dd.numBlocks());
     // remove first block
     assertTrue(dd.removeBlock(blk));
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestPendingDataNodeMessages.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestPendingDataNodeMessages.java
index a17d32e6672..981ae76a10a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestPendingDataNodeMessages.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestPendingDataNodeMessages.java
@@ -26,6 +26,7 @@
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.server.blockmanagement.PendingDataNodeMessages.ReportedBlockInfo;
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.ReplicaState;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorage;
 import org.junit.Test;
 
 import com.google.common.base.Joiner;
@@ -43,8 +44,10 @@ public class TestPendingDataNodeMessages {
   @Test
   public void testQueues() {
     DatanodeDescriptor fakeDN = DFSTestUtil.getLocalDatanodeDescriptor();
-    msgs.enqueueReportedBlock(fakeDN, "STORAGE_ID", block1Gs1, ReplicaState.FINALIZED);
-    msgs.enqueueReportedBlock(fakeDN, "STORAGE_ID", block1Gs2, ReplicaState.FINALIZED);
+    DatanodeStorage storage = new DatanodeStorage("STORAGE_ID");
+    DatanodeStorageInfo storageInfo = new DatanodeStorageInfo(fakeDN, storage);
+    msgs.enqueueReportedBlock(storageInfo, block1Gs1, ReplicaState.FINALIZED);
+    msgs.enqueueReportedBlock(storageInfo, block1Gs2, ReplicaState.FINALIZED);
 
     assertEquals(2, msgs.count());
     
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestReplicationPolicy.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestReplicationPolicy.java
index 73c3ec86498..e575ceeb7ab 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestReplicationPolicy.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestReplicationPolicy.java
@@ -82,7 +82,7 @@ public class TestReplicationPolicy {
   private static NameNode namenode;
   private static BlockPlacementPolicy replicator;
   private static final String filename = "/dummyfile.txt";
-  private static DatanodeDescriptor dataNodes[];
+  private static DatanodeDescriptor[] dataNodes;
   private static DatanodeStorageInfo[] storages;
   // The interval for marking a datanode as stale,
   private static final long staleInterval =
@@ -1118,8 +1118,7 @@ public void testAddStoredBlockDoesNotCauseSkippedReplication()
     // Adding this block will increase its current replication, and that will
     // remove it from the queue.
     bm.addStoredBlockUnderConstruction(new StatefulBlockInfo(info, info,
-              ReplicaState.FINALIZED), TestReplicationPolicy.dataNodes[0],
-            "STORAGE");
+              ReplicaState.FINALIZED), TestReplicationPolicy.storages[0]);
 
     // Choose 1 block from UnderReplicatedBlocks. Then it should pick 1 block
     // from QUEUE_VERY_UNDER_REPLICATED.

From 0d66f1f19ce176885120de1666cce12801b1f9b7 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 1 Aug 2014 17:13:37 +0000
Subject: [PATCH 100/354] HADOOP-10902. Deletion of directories with snapshots
 will not output reason for trash move failure. Contributed by Stephen Chu.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615171 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt             | 3 +++
 .../src/main/java/org/apache/hadoop/fs/shell/Delete.java    | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 08c16fe16c9..0df665a3a9f 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -466,6 +466,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-8069. Enable TCP_NODELAY by default for IPC. (Todd Lipcon via
     Arpit Agarwal)
 
+    HADOOP-10902. Deletion of directories with snapshots will not output
+    reason for trash move failure. (Stephen Chu via wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Delete.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Delete.java
index fcb0690d8d4..6798fbee438 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Delete.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Delete.java
@@ -118,7 +118,11 @@ private boolean moveToTrash(PathData item) throws IOException {
         } catch(FileNotFoundException fnfe) {
           throw fnfe;
         } catch (IOException ioe) {
-            throw new IOException(ioe.getMessage() + ". Consider using -skipTrash option", ioe);
+          String msg = ioe.getMessage();
+          if (ioe.getCause() != null) {
+            msg += ": " + ioe.getCause().getMessage();
+	  }
+          throw new IOException(msg + ". Consider using -skipTrash option", ioe);
         }
       }
       return success;

From 5918e991512658aa9d2af45a15862a8d405590fb Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 1 Aug 2014 17:43:17 +0000
Subject: [PATCH 101/354] HADOOP-10900. CredentialShell args should use
 single-dash style. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615177 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  2 +
 .../security/alias/CredentialShell.java       | 40 +++++++++----------
 .../hadoop/security/alias/TestCredShell.java  | 20 +++++-----
 3 files changed, 32 insertions(+), 30 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 0df665a3a9f..9397d578f2d 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -469,6 +469,8 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10902. Deletion of directories with snapshots will not output
     reason for trash move failure. (Stephen Chu via wang)
 
+    HADOOP-10900. CredentialShell args should use single-dash style. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java
index bb35ce51d48..2c1a792d5a3 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java
@@ -79,9 +79,9 @@ public int run(String[] args) throws Exception {
   /**
    * Parse the command line arguments and initialize the data
    * <pre>
-   * % hadoop alias create alias [--provider providerPath]
+   * % hadoop alias create alias [-provider providerPath]
    * % hadoop alias list [-provider providerPath]
-   * % hadoop alias delete alias [--provider providerPath] [-i]
+   * % hadoop alias delete alias [-provider providerPath] [-i]
    * </pre>
    * @param args
    * @return
@@ -92,28 +92,28 @@ private int init(String[] args) throws IOException {
       if (args[i].equals("create")) {
         String alias = args[++i];
         command = new CreateCommand(alias);
-        if (alias.equals("--help")) {
+        if (alias.equals("-help")) {
           printCredShellUsage();
           return -1;
         }
       } else if (args[i].equals("delete")) {
         String alias = args[++i];
         command = new DeleteCommand(alias);
-        if (alias.equals("--help")) {
+        if (alias.equals("-help")) {
           printCredShellUsage();
           return -1;
         }
       } else if (args[i].equals("list")) {
         command = new ListCommand();
-      } else if (args[i].equals("--provider")) {
+      } else if (args[i].equals("-provider")) {
         userSuppliedProvider = true;
         getConf().set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, 
             args[++i]);
-      } else if (args[i].equals("-i") || (args[i].equals("--interactive"))) {
+      } else if (args[i].equals("-i") || (args[i].equals("-interactive"))) {
         interactive = true;
-      } else if (args[i].equals("-v") || (args[i].equals("--value"))) {
+      } else if (args[i].equals("-v") || (args[i].equals("-value"))) {
         value = args[++i];
-      } else if (args[i].equals("--help")) {
+      } else if (args[i].equals("-help")) {
         printCredShellUsage();
         return -1;
       } else {
@@ -188,20 +188,20 @@ protected void warnIfTransientProvider() {
   }
 
   private class ListCommand extends Command {
-    public static final String USAGE = "list <alias> [--provider] [--help]";
+    public static final String USAGE = "list <alias> [-provider] [-help]";
     public static final String DESC =
         "The list subcommand displays the aliases contained within \n" +
         "a particular provider - as configured in core-site.xml or " +
-        "indicated\nthrough the --provider argument.";
+        "indicated\nthrough the -provider argument.";
 
     public boolean validate() {
       boolean rc = true;
       provider = getCredentialProvider();
       if (provider == null) {
         out.println("There are no non-transient CredentialProviders configured.\n"
-            + "Consider using the --provider option to indicate the provider\n"
+            + "Consider using the -provider option to indicate the provider\n"
             + "to use. If you want to list a transient provider then you\n"
-            + "you MUST use the --provider argument.");
+            + "you MUST use the -provider argument.");
         rc = false;
       }
       return rc;
@@ -229,11 +229,11 @@ public String getUsage() {
   }
 
   private class DeleteCommand extends Command {
-    public static final String USAGE = "delete <alias> [--provider] [--help]";
+    public static final String USAGE = "delete <alias> [-provider] [-help]";
     public static final String DESC =
         "The delete subcommand deletes the credenital\n" +
         "specified as the <alias> argument from within the provider\n" +
-        "indicated through the --provider argument";
+        "indicated through the -provider argument";
 
     String alias = null;
     boolean cont = true;
@@ -248,13 +248,13 @@ public boolean validate() {
       if (provider == null) {
         out.println("There are no valid CredentialProviders configured.\n"
             + "Nothing will be deleted.\n"
-            + "Consider using the --provider option to indicate the provider"
+            + "Consider using the -provider option to indicate the provider"
             + " to use.");
         return false;
       }
       if (alias == null) {
         out.println("There is no alias specified. Please provide the" +
-            "mandatory <alias>. See the usage description with --help.");
+            "mandatory <alias>. See the usage description with -help.");
         return false;
       }
       if (interactive) {
@@ -299,11 +299,11 @@ public String getUsage() {
   }
 
   private class CreateCommand extends Command {
-    public static final String USAGE = "create <alias> [--provider] [--help]";
+    public static final String USAGE = "create <alias> [-provider] [-help]";
     public static final String DESC =
         "The create subcommand creates a new credential for the name specified\n" +
         "as the <alias> argument within the provider indicated through\n" +
-        "the --provider argument.";
+        "the -provider argument.";
 
     String alias = null;
 
@@ -317,13 +317,13 @@ public boolean validate() {
       if (provider == null) {
         out.println("There are no valid CredentialProviders configured." +
         		"\nCredential will not be created.\n"
-            + "Consider using the --provider option to indicate the provider" +
+            + "Consider using the -provider option to indicate the provider" +
             " to use.");
         rc = false;
       }
       if (alias == null) {
         out.println("There is no alias specified. Please provide the" +
-        		"mandatory <alias>. See the usage description with --help.");
+            "mandatory <alias>. See the usage description with -help.");
         rc = false;
       }
       return rc;
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/alias/TestCredShell.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/alias/TestCredShell.java
index c48b69f2149..05eb7b8c2a0 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/alias/TestCredShell.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/alias/TestCredShell.java
@@ -45,7 +45,7 @@ public void setup() throws Exception {
   @Test
   public void testCredentialSuccessfulLifecycle() throws Exception {
     outContent.reset();
-    String[] args1 = {"create", "credential1", "--value", "p@ssw0rd", "--provider", 
+    String[] args1 = {"create", "credential1", "-value", "p@ssw0rd", "-provider",
         "jceks://file" + tmpDir + "/credstore.jceks"};
     int rc = 0;
     CredentialShell cs = new CredentialShell();
@@ -56,14 +56,14 @@ public void testCredentialSuccessfulLifecycle() throws Exception {
     		"created."));
 
     outContent.reset();
-    String[] args2 = {"list", "--provider", 
+    String[] args2 = {"list", "-provider",
         "jceks://file" + tmpDir + "/credstore.jceks"};
     rc = cs.run(args2);
     assertEquals(0, rc);
     assertTrue(outContent.toString().contains("credential1"));
 
     outContent.reset();
-    String[] args4 = {"delete", "credential1", "--provider", 
+    String[] args4 = {"delete", "credential1", "-provider",
         "jceks://file" + tmpDir + "/credstore.jceks"};
     rc = cs.run(args4);
     assertEquals(0, rc);
@@ -71,7 +71,7 @@ public void testCredentialSuccessfulLifecycle() throws Exception {
     		"deleted."));
 
     outContent.reset();
-    String[] args5 = {"list", "--provider", 
+    String[] args5 = {"list", "-provider",
         "jceks://file" + tmpDir + "/credstore.jceks"};
     rc = cs.run(args5);
     assertEquals(0, rc);
@@ -80,7 +80,7 @@ public void testCredentialSuccessfulLifecycle() throws Exception {
 
   @Test
   public void testInvalidProvider() throws Exception {
-    String[] args1 = {"create", "credential1", "--value", "p@ssw0rd", "--provider", 
+    String[] args1 = {"create", "credential1", "-value", "p@ssw0rd", "-provider",
       "sdff://file/tmp/credstore.jceks"};
     
     int rc = 0;
@@ -94,7 +94,7 @@ public void testInvalidProvider() throws Exception {
 
   @Test
   public void testTransientProviderWarning() throws Exception {
-    String[] args1 = {"create", "credential1", "--value", "p@ssw0rd", "--provider", 
+    String[] args1 = {"create", "credential1", "-value", "p@ssw0rd", "-provider",
       "user:///"};
     
     int rc = 0;
@@ -105,7 +105,7 @@ public void testTransientProviderWarning() throws Exception {
     assertTrue(outContent.toString().contains("WARNING: you are modifying a " +
     		"transient provider."));
 
-    String[] args2 = {"delete", "credential1", "--provider", "user:///"};
+    String[] args2 = {"delete", "credential1", "-provider", "user:///"};
     rc = cs.run(args2);
     assertEquals(outContent.toString(), 0, rc);
     assertTrue(outContent.toString().contains("credential1 has been successfully " +
@@ -129,7 +129,7 @@ public void testTransientProviderOnlyConfig() throws Exception {
   
   @Test
   public void testPromptForCredentialWithEmptyPasswd() throws Exception {
-    String[] args1 = {"create", "credential1", "--provider", 
+    String[] args1 = {"create", "credential1", "-provider",
         "jceks://file" + tmpDir + "/credstore.jceks"};
     ArrayList<String> passwords = new ArrayList<String>();
     passwords.add(null);
@@ -145,7 +145,7 @@ public void testPromptForCredentialWithEmptyPasswd() throws Exception {
 
   @Test
   public void testPromptForCredential() throws Exception {
-    String[] args1 = {"create", "credential1", "--provider", 
+    String[] args1 = {"create", "credential1", "-provider",
         "jceks://file" + tmpDir + "/credstore.jceks"};
     ArrayList<String> passwords = new ArrayList<String>();
     passwords.add("p@ssw0rd");
@@ -159,7 +159,7 @@ public void testPromptForCredential() throws Exception {
     assertTrue(outContent.toString().contains("credential1 has been successfully " +
         "created."));
     
-    String[] args2 = {"delete", "credential1", "--provider", 
+    String[] args2 = {"delete", "credential1", "-provider",
         "jceks://file" + tmpDir + "/credstore.jceks"};
     rc = shell.run(args2);
     assertEquals(0, rc);

From c4a3a29541e1c385af20494984b072b6fd67f2e5 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 1 Aug 2014 17:45:45 +0000
Subject: [PATCH 102/354] HADOOP-10793. KeyShell args should use single-dash
 style. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615180 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  2 +
 .../apache/hadoop/crypto/key/KeyShell.java    | 84 +++++++++----------
 .../hadoop/crypto/key/TestKeyShell.java       | 48 +++++------
 3 files changed, 68 insertions(+), 66 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 9397d578f2d..8d19ef49675 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -195,6 +195,8 @@ Trunk (Unreleased)
     HADOOP-10756. KMS audit log should consolidate successful similar requests. 
     (asuresh via tucu)
 
+    HADOOP-10793. KeyShell args should use single-dash style. (wang)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyShell.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyShell.java
index fb01e5f7c5b..6d50c9168d8 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyShell.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyShell.java
@@ -38,9 +38,9 @@
  */
 public class KeyShell extends Configured implements Tool {
   final static private String USAGE_PREFIX = "Usage: hadoop key " +
-  		"[generic options]\n";
+      "[generic options]\n";
   final static private String COMMANDS =
-      "   [--help]\n" +
+      "   [-help]\n" +
       "   [" + CreateCommand.USAGE + "]\n" +
       "   [" + RollCommand.USAGE + "]\n" +
       "   [" + DeleteCommand.USAGE + "]\n" +
@@ -90,11 +90,11 @@ public int run(String[] args) throws Exception {
   /**
    * Parse the command line arguments and initialize the data
    * <pre>
-   * % hadoop key create keyName [--size size] [--cipher algorithm]
-   *    [--provider providerPath]
-   * % hadoop key roll keyName [--provider providerPath]
+   * % hadoop key create keyName [-size size] [-cipher algorithm]
+   *    [-provider providerPath]
+   * % hadoop key roll keyName [-provider providerPath]
    * % hadoop key list [-provider providerPath]
-   * % hadoop key delete keyName [--provider providerPath] [-i]
+   * % hadoop key delete keyName [-provider providerPath] [-i]
    * </pre>
    * @param args Command line arguments.
    * @return 0 on success, 1 on failure.
@@ -107,47 +107,47 @@ private int init(String[] args) throws IOException {
     for (int i = 0; i < args.length; i++) { // parse command line
       boolean moreTokens = (i < args.length - 1);
       if (args[i].equals("create")) {
-        String keyName = "--help";
+        String keyName = "-help";
         if (moreTokens) {
           keyName = args[++i];
         }
 
         command = new CreateCommand(keyName, options);
-        if ("--help".equals(keyName)) {
+        if ("-help".equals(keyName)) {
           printKeyShellUsage();
           return 1;
         }
       } else if (args[i].equals("delete")) {
-        String keyName = "--help";
+        String keyName = "-help";
         if (moreTokens) {
           keyName = args[++i];
         }
 
         command = new DeleteCommand(keyName);
-        if ("--help".equals(keyName)) {
+        if ("-help".equals(keyName)) {
           printKeyShellUsage();
           return 1;
         }
       } else if (args[i].equals("roll")) {
-        String keyName = "--help";
+        String keyName = "-help";
         if (moreTokens) {
           keyName = args[++i];
         }
 
         command = new RollCommand(keyName);
-        if ("--help".equals(keyName)) {
+        if ("-help".equals(keyName)) {
           printKeyShellUsage();
           return 1;
         }
       } else if ("list".equals(args[i])) {
         command = new ListCommand();
-      } else if ("--size".equals(args[i]) && moreTokens) {
+      } else if ("-size".equals(args[i]) && moreTokens) {
         options.setBitLength(Integer.parseInt(args[++i]));
-      } else if ("--cipher".equals(args[i]) && moreTokens) {
+      } else if ("-cipher".equals(args[i]) && moreTokens) {
         options.setCipher(args[++i]);
-      } else if ("--description".equals(args[i]) && moreTokens) {
+      } else if ("-description".equals(args[i]) && moreTokens) {
         options.setDescription(args[++i]);
-      } else if ("--attr".equals(args[i]) && moreTokens) {
+      } else if ("-attr".equals(args[i]) && moreTokens) {
         final String attrval[] = args[++i].split("=", 2);
         final String attr = attrval[0].trim();
         final String val = attrval[1].trim();
@@ -164,14 +164,14 @@ private int init(String[] args) throws IOException {
           return 1;
         }
         attributes.put(attr, val);
-      } else if ("--provider".equals(args[i]) && moreTokens) {
+      } else if ("-provider".equals(args[i]) && moreTokens) {
         userSuppliedProvider = true;
         getConf().set(KeyProviderFactory.KEY_PROVIDER_PATH, args[++i]);
-      } else if ("--metadata".equals(args[i])) {
+      } else if ("-metadata".equals(args[i])) {
         getConf().setBoolean(LIST_METADATA, true);
-      } else if ("-i".equals(args[i]) || ("--interactive".equals(args[i]))) {
+      } else if ("-i".equals(args[i]) || ("-interactive".equals(args[i]))) {
         interactive = true;
-      } else if ("--help".equals(args[i])) {
+      } else if ("-help".equals(args[i])) {
         printKeyShellUsage();
         return 1;
       } else {
@@ -258,11 +258,11 @@ protected void warnIfTransientProvider() {
 
   private class ListCommand extends Command {
     public static final String USAGE =
-        "list [--provider <provider>] [--metadata] [--help]";
+        "list [-provider <provider>] [-metadata] [-help]";
     public static final String DESC =
         "The list subcommand displays the keynames contained within\n" +
         "a particular provider as configured in core-site.xml or\n" +
-        "specified with the --provider argument. --metadata displays\n" +
+        "specified with the -provider argument. -metadata displays\n" +
         "the metadata.";
 
     private boolean metadata = false;
@@ -272,9 +272,9 @@ public boolean validate() {
       provider = getKeyProvider();
       if (provider == null) {
         out.println("There are no non-transient KeyProviders configured.\n"
-          + "Use the --provider option to specify a provider. If you\n"
+          + "Use the -provider option to specify a provider. If you\n"
           + "want to list a transient provider then you must use the\n"
-          + "--provider argument.");
+          + "-provider argument.");
         rc = false;
       }
       metadata = getConf().getBoolean(LIST_METADATA, false);
@@ -310,10 +310,10 @@ public String getUsage() {
   }
 
   private class RollCommand extends Command {
-    public static final String USAGE = "roll <keyname> [--provider <provider>] [--help]";
+    public static final String USAGE = "roll <keyname> [-provider <provider>] [-help]";
     public static final String DESC =
       "The roll subcommand creates a new version for the specified key\n" +
-      "within the provider indicated using the --provider argument\n";
+      "within the provider indicated using the -provider argument\n";
 
     String keyName = null;
 
@@ -326,13 +326,13 @@ public boolean validate() {
       provider = getKeyProvider();
       if (provider == null) {
         out.println("There are no valid KeyProviders configured. The key\n" +
-          "has not been rolled. Use the --provider option to specify\n" +
+          "has not been rolled. Use the -provider option to specify\n" +
           "a provider.");
         rc = false;
       }
       if (keyName == null) {
         out.println("Please provide a <keyname>.\n" +
-          "See the usage description by using --help.");
+          "See the usage description by using -help.");
         rc = false;
       }
       return rc;
@@ -367,11 +367,11 @@ public String getUsage() {
   }
 
   private class DeleteCommand extends Command {
-    public static final String USAGE = "delete <keyname> [--provider <provider>] [--help]";
+    public static final String USAGE = "delete <keyname> [-provider <provider>] [-help]";
     public static final String DESC =
         "The delete subcommand deletes all versions of the key\n" +
         "specified by the <keyname> argument from within the\n" +
-        "provider specified --provider.";
+        "provider specified -provider.";
 
     String keyName = null;
     boolean cont = true;
@@ -385,12 +385,12 @@ public boolean validate() {
       provider = getKeyProvider();
       if (provider == null) {
         out.println("There are no valid KeyProviders configured. Nothing\n"
-          + "was deleted. Use the --provider option to specify a provider.");
+          + "was deleted. Use the -provider option to specify a provider.");
         return false;
       }
       if (keyName == null) {
         out.println("There is no keyName specified. Please specify a " +
-            "<keyname>. See the usage description with --help.");
+            "<keyname>. See the usage description with -help.");
         return false;
       }
       if (interactive) {
@@ -436,19 +436,19 @@ public String getUsage() {
 
   private class CreateCommand extends Command {
     public static final String USAGE =
-      "create <keyname> [--cipher <cipher>] [--size <size>]\n" +
-      "                     [--description <description>]\n" +
-      "                     [--attr <attribute=value>]\n" +
-      "                     [--provider <provider>] [--help]";
+      "create <keyname> [-cipher <cipher>] [-size <size>]\n" +
+      "                     [-description <description>]\n" +
+      "                     [-attr <attribute=value>]\n" +
+      "                     [-provider <provider>] [-help]";
     public static final String DESC =
       "The create subcommand creates a new key for the name specified\n" +
       "by the <keyname> argument within the provider specified by the\n" +
-      "--provider argument. You may specify a cipher with the --cipher\n" +
+      "-provider argument. You may specify a cipher with the -cipher\n" +
       "argument. The default cipher is currently \"AES/CTR/NoPadding\".\n" +
       "The default keysize is 256. You may specify the requested key\n" +
-      "length using the --size argument. Arbitrary attribute=value\n" +
-      "style attributes may be specified using the --attr argument.\n" +
-      "--attr may be specified multiple times, once per attribute.\n";
+      "length using the -size argument. Arbitrary attribute=value\n" +
+      "style attributes may be specified using the -attr argument.\n" +
+      "-attr may be specified multiple times, once per attribute.\n";
 
     final String keyName;
     final Options options;
@@ -463,13 +463,13 @@ public boolean validate() {
       provider = getKeyProvider();
       if (provider == null) {
         out.println("There are no valid KeyProviders configured. No key\n" +
-          " was created. You can use the --provider option to specify\n" +
+          " was created. You can use the -provider option to specify\n" +
           " a provider to use.");
         rc = false;
       }
       if (keyName == null) {
         out.println("Please provide a <keyname>. See the usage description" +
-          " with --help.");
+          " with -help.");
         rc = false;
       }
       return rc;
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyShell.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyShell.java
index 154579b567d..5981a2a6a38 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyShell.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyShell.java
@@ -73,7 +73,7 @@ public void cleanUp() throws Exception {
   private void deleteKey(KeyShell ks, String keyName) throws Exception {
     int rc;
     outContent.reset();
-    final String[] delArgs = {"delete", keyName, "--provider", jceksProvider};
+    final String[] delArgs = {"delete", keyName, "-provider", jceksProvider};
     rc = ks.run(delArgs);
     assertEquals(0, rc);
     assertTrue(outContent.toString().contains(keyName + " has been " +
@@ -90,8 +90,8 @@ private void deleteKey(KeyShell ks, String keyName) throws Exception {
   private String listKeys(KeyShell ks, boolean wantMetadata) throws Exception {
     int rc;
     outContent.reset();
-    final String[] listArgs = {"list", "--provider", jceksProvider };
-    final String[] listArgsM = {"list", "--metadata", "--provider", jceksProvider };
+    final String[] listArgs = {"list", "-provider", jceksProvider };
+    final String[] listArgsM = {"list", "-metadata", "-provider", jceksProvider };
     rc = ks.run(wantMetadata ? listArgsM : listArgs);
     assertEquals(0, rc);
     return outContent.toString();
@@ -106,7 +106,7 @@ public void testKeySuccessfulKeyLifecycle() throws Exception {
     ks.setConf(new Configuration());
 
     outContent.reset();
-    final String[] args1 = {"create", keyName, "--provider", jceksProvider};
+    final String[] args1 = {"create", keyName, "-provider", jceksProvider};
     rc = ks.run(args1);
     assertEquals(0, rc);
     assertTrue(outContent.toString().contains(keyName + " has been " +
@@ -121,7 +121,7 @@ public void testKeySuccessfulKeyLifecycle() throws Exception {
     assertTrue(listOut.contains("created"));
 
     outContent.reset();
-    final String[] args2 = {"roll", keyName, "--provider", jceksProvider};
+    final String[] args2 = {"roll", keyName, "-provider", jceksProvider};
     rc = ks.run(args2);
     assertEquals(0, rc);
     assertTrue(outContent.toString().contains("key1 has been successfully " +
@@ -137,8 +137,8 @@ public void testKeySuccessfulKeyLifecycle() throws Exception {
   @Test
   public void testKeySuccessfulCreationWithDescription() throws Exception {
     outContent.reset();
-    final String[] args1 = {"create", "key1", "--provider", jceksProvider,
-                      "--description", "someDescription"};
+    final String[] args1 = {"create", "key1", "-provider", jceksProvider,
+                      "-description", "someDescription"};
     int rc = 0;
     KeyShell ks = new KeyShell();
     ks.setConf(new Configuration());
@@ -154,7 +154,7 @@ public void testKeySuccessfulCreationWithDescription() throws Exception {
 
   @Test
   public void testInvalidKeySize() throws Exception {
-    final String[] args1 = {"create", "key1", "--size", "56", "--provider",
+    final String[] args1 = {"create", "key1", "-size", "56", "-provider",
             jceksProvider};
 
     int rc = 0;
@@ -167,7 +167,7 @@ public void testInvalidKeySize() throws Exception {
 
   @Test
   public void testInvalidCipher() throws Exception {
-    final String[] args1 = {"create", "key1", "--cipher", "LJM", "--provider",
+    final String[] args1 = {"create", "key1", "-cipher", "LJM", "-provider",
             jceksProvider};
 
     int rc = 0;
@@ -180,7 +180,7 @@ public void testInvalidCipher() throws Exception {
 
   @Test
   public void testInvalidProvider() throws Exception {
-    final String[] args1 = {"create", "key1", "--cipher", "AES", "--provider",
+    final String[] args1 = {"create", "key1", "-cipher", "AES", "-provider",
       "sdff://file/tmp/keystore.jceks"};
     
     int rc = 0;
@@ -194,7 +194,7 @@ public void testInvalidProvider() throws Exception {
 
   @Test
   public void testTransientProviderWarning() throws Exception {
-    final String[] args1 = {"create", "key1", "--cipher", "AES", "--provider",
+    final String[] args1 = {"create", "key1", "-cipher", "AES", "-provider",
       "user:///"};
     
     int rc = 0;
@@ -224,8 +224,8 @@ public void testTransientProviderOnlyConfig() throws Exception {
   @Test
   public void testFullCipher() throws Exception {
     final String keyName = "key1";
-    final String[] args1 = {"create", keyName, "--cipher", "AES/CBC/pkcs5Padding",
-        "--provider", jceksProvider};
+    final String[] args1 = {"create", keyName, "-cipher", "AES/CBC/pkcs5Padding",
+        "-provider", jceksProvider};
     
     int rc = 0;
     KeyShell ks = new KeyShell();
@@ -245,8 +245,8 @@ public void testAttributes() throws Exception {
     ks.setConf(new Configuration());
 
     /* Simple creation test */
-    final String[] args1 = {"create", "keyattr1", "--provider", jceksProvider,
-            "--attr", "foo=bar"};
+    final String[] args1 = {"create", "keyattr1", "-provider", jceksProvider,
+            "-attr", "foo=bar"};
     rc = ks.run(args1);
     assertEquals(0, rc);
     assertTrue(outContent.toString().contains("keyattr1 has been " +
@@ -259,8 +259,8 @@ public void testAttributes() throws Exception {
 
     /* Negative tests: no attribute */
     outContent.reset();
-    final String[] args2 = {"create", "keyattr2", "--provider", jceksProvider,
-            "--attr", "=bar"};
+    final String[] args2 = {"create", "keyattr2", "-provider", jceksProvider,
+            "-attr", "=bar"};
     rc = ks.run(args2);
     assertEquals(1, rc);
 
@@ -288,10 +288,10 @@ public void testAttributes() throws Exception {
 
     /* Test several attrs together... */
     outContent.reset();
-    final String[] args3 = {"create", "keyattr3", "--provider", jceksProvider,
-            "--attr", "foo = bar",
-            "--attr", " glarch =baz  ",
-            "--attr", "abc=def"};
+    final String[] args3 = {"create", "keyattr3", "-provider", jceksProvider,
+            "-attr", "foo = bar",
+            "-attr", " glarch =baz  ",
+            "-attr", "abc=def"};
     rc = ks.run(args3);
     assertEquals(0, rc);
 
@@ -304,9 +304,9 @@ public void testAttributes() throws Exception {
 
     /* Negative test - repeated attributes should fail */
     outContent.reset();
-    final String[] args4 = {"create", "keyattr4", "--provider", jceksProvider,
-            "--attr", "foo=bar",
-            "--attr", "foo=glarch"};
+    final String[] args4 = {"create", "keyattr4", "-provider", jceksProvider,
+            "-attr", "foo=bar",
+            "-attr", "foo=glarch"};
     rc = ks.run(args4);
     assertEquals(1, rc);
 

From ce9aae4a52ce0817a17f52d3eac6acbdd30f75b4 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 1 Aug 2014 17:53:05 +0000
Subject: [PATCH 103/354] HADOOP-10920. site plugin couldn't parse hadoop-kms
 index.apt.vm. Contributed by Akira Ajisaka.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615181 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt      |  3 +++
 .../hadoop-kms/src/site/apt/index.apt.vm             | 12 ++++++------
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 8d19ef49675..0dbfc6e1348 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -410,6 +410,9 @@ Trunk (Unreleased)
     HADOOP-10881. Clarify usage of encryption and encrypted encryption
     key in KeyProviderCryptoExtension. (wang)
 
+    HADOOP-10920. site plugin couldn't parse hadoop-kms index.apt.vm.
+    (Akira Ajisaka via wang)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
diff --git a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
index 557cafa2f8a..ebfe8e2c170 100644
--- a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
@@ -106,14 +106,14 @@ Hadoop Key Management Server (KMS) - Documentation Sets ${project.version}
 
 ** KMS Aggregated Audit logs
 
-Audit logs are aggregated for API accesses to the GET_KEY_VERSION, 
-GET_CURRENT_KEY, DECRYPT_EEK, GENERATE_EEK operations.
+  Audit logs are aggregated for API accesses to the GET_KEY_VERSION,
+  GET_CURRENT_KEY, DECRYPT_EEK, GENERATE_EEK operations.
 
-Entries are grouped by the (user,key,operation) combined key for a configurable
-aggregation interval after which the number of accesses to the specified
-end-point by the user for a given key is flushed to the audit log.
+  Entries are grouped by the (user,key,operation) combined key for a
+  configurable aggregation interval after which the number of accesses to the
+  specified end-point by the user for a given key is flushed to the audit log.
 
-The Aggregation interval is configured via the property :
+  The Aggregation interval is configured via the property :
 
 +---+
   <property>

From da2ce46fbe01d394d5b4b358d4d2e53f6a38d350 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 1 Aug 2014 17:58:14 +0000
Subject: [PATCH 104/354] HDFS-6802. Some tests in TestDFSClientFailover are
 missing @Test annotation. Contributed by Akira Ajisaka.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615183 13f79535-47bb-0310-9956-ffa450edef68
---
 .../java/org/apache/hadoop/security/SecurityUtil.java |  3 ++-
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt           |  3 +++
 .../org/apache/hadoop/hdfs/TestDFSClientFailover.java | 11 +++++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
index b71fbda6301..b5bf26fa084 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
@@ -77,7 +77,8 @@ public class SecurityUtil {
    * For use only by tests and initialization
    */
   @InterfaceAudience.Private
-  static void setTokenServiceUseIp(boolean flag) {
+  @VisibleForTesting
+  public static void setTokenServiceUseIp(boolean flag) {
     useIpForTokenService = flag;
     hostResolver = !useIpForTokenService
         ? new QualifiedHostResolver()
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 9ae0002260e..158f7c18ff2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -346,6 +346,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6794. Update BlockManager methods to use DatanodeStorageInfo
     where possible (Arpit Agarwal)
 
+    HDFS-6802. Some tests in TestDFSClientFailover are missing @Test
+    annotation. (Akira Ajisaka via wang)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientFailover.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientFailover.java
index d2a03d698d7..d33d7562cf6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientFailover.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSClientFailover.java
@@ -52,6 +52,7 @@
 import org.apache.hadoop.io.retry.FailoverProxyProvider;
 import org.apache.hadoop.net.ConnectTimeoutException;
 import org.apache.hadoop.net.StandardSocketFactory;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.test.GenericTestUtils;
 import org.apache.hadoop.util.StringUtils;
@@ -89,6 +90,11 @@ public void tearDownCluster() throws IOException {
     cluster.shutdown();
   }
 
+  @After
+  public void clearConfig() {
+    SecurityUtil.setTokenServiceUseIp(true);
+  }
+
   /**
    * Make sure that client failover works when an active NN dies and the standby
    * takes over.
@@ -323,6 +329,7 @@ public void close() throws IOException {
   /**
    * Test to verify legacy proxy providers are correctly wrapped.
    */
+  @Test
   public void testWrappedFailoverProxyProvider() throws Exception {
     // setup the config with the dummy provider class
     Configuration config = new HdfsConfiguration(conf);
@@ -332,6 +339,9 @@ public void testWrappedFailoverProxyProvider() throws Exception {
         DummyLegacyFailoverProxyProvider.class.getName());
     Path p = new Path("hdfs://" + logicalName + "/");
 
+    // not to use IP address for token service
+    SecurityUtil.setTokenServiceUseIp(false);
+
     // Logical URI should be used.
     assertTrue("Legacy proxy providers should use logical URI.",
         HAUtil.useLogicalUri(config, p.toUri()));
@@ -340,6 +350,7 @@ public void testWrappedFailoverProxyProvider() throws Exception {
   /**
    * Test to verify IPFailoverProxyProvider is not requiring logical URI.
    */
+  @Test
   public void testIPFailoverProxyProviderLogicalUri() throws Exception {
     // setup the config with the IP failover proxy provider class
     Configuration config = new HdfsConfiguration(conf);

From 3d9e39e51f8532716965dbafb16d9f0dbf3b79c5 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Fri, 1 Aug 2014 18:36:32 +0000
Subject: [PATCH 105/354] HDFS-6807. Fix TestReservedRawPaths. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1615188 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  2 ++
 .../org/apache/hadoop/hdfs/DFSTestUtil.java   | 20 ++++++++++++++++++
 .../hadoop/hdfs/TestEncryptionZones.java      | 21 ++++---------------
 .../hadoop/hdfs/TestReservedRawPaths.java     | 12 ++++++-----
 4 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 743873ea744..63edafd4bcc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -81,3 +81,5 @@ fs-encryption (Unreleased)
 
     HDFS-6785. Should not be able to create encryption zone using path
     to a non-directory file. (clamb)
+
+    HDFS-6807. Fix TestReservedRawPaths. (clamb)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
index 0eb0965695b..6dc80d39114 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
@@ -27,6 +27,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.fs.*;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.FileSystem.Statistics;
@@ -75,6 +76,7 @@
 import java.io.*;
 import java.net.*;
 import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
 import java.security.PrivilegedExceptionAction;
 import java.util.*;
 import java.util.concurrent.TimeoutException;
@@ -1348,4 +1350,22 @@ public static void verifyFilesNotEqual(FileSystem fs, Path p1, Path p2,
       in2.close();
     }
   }
+
+  /**
+   * Helper function to create a key in the Key Provider.
+   *
+   * @param keyName The name of the key to create
+   * @param cluster The cluster to create it in
+   * @param conf Configuration to use
+   */
+  public static void createKey(String keyName, MiniDFSCluster cluster,
+                                Configuration conf)
+          throws NoSuchAlgorithmException, IOException {
+    KeyProvider provider = cluster.getNameNode().getNamesystem().getProvider();
+    final KeyProvider.Options options = KeyProvider.options(conf);
+    options.setDescription(keyName);
+    options.setBitLength(128);
+    provider.createKey(keyName, options);
+    provider.flush();
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
index 78f8d8ef3a5..9a3456fb3bb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -102,7 +102,7 @@ public void setup() throws Exception {
     fs.getClient().provider = cluster.getNameNode().getNamesystem()
         .getProvider();
     // Create a test key
-    createKey(TEST_KEY);
+    DFSTestUtil.createKey(TEST_KEY, cluster, conf);
   }
 
   @After
@@ -147,19 +147,6 @@ public void assertZonePresent(String keyName, String path) throws IOException {
     );
   }
 
-  /**
-   * Helper function to create a key in the Key Provider.
-   */
-  private void createKey(String keyName)
-      throws NoSuchAlgorithmException, IOException {
-    KeyProvider provider = cluster.getNameNode().getNamesystem().getProvider();
-    final KeyProvider.Options options = KeyProvider.options(conf);
-    options.setDescription(keyName);
-    options.setBitLength(128);
-    provider.createKey(keyName, options);
-    provider.flush();
-  }
-
   @Test(timeout = 60000)
   public void testBasicOperations() throws Exception {
 
@@ -263,7 +250,7 @@ public void testBasicOperations() throws Exception {
     assertNumZones(1);
 
     /* Test success of creating an EZ when they key exists. */
-    createKey(myKeyName);
+    DFSTestUtil.createKey(myKeyName, cluster, conf);
     dfsAdmin.createEncryptionZone(zone2, myKeyName);
     assertNumZones(++numZones);
     assertZonePresent(myKeyName, zone2.toString());
@@ -601,7 +588,7 @@ public void doCleanup() throws Exception {
     // Test when the parent directory becomes a different EZ
     fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
     final String otherKey = "otherKey";
-    createKey(otherKey);
+    DFSTestUtil.createKey(otherKey, cluster, conf);
     dfsAdmin.createEncryptionZone(zone1, TEST_KEY);
 
     executor.submit(new InjectFaultTask() {
@@ -621,7 +608,7 @@ public void doCleanup() throws Exception {
     // Test that the retry limit leads to an error
     fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
     final String anotherKey = "anotherKey";
-    createKey(anotherKey);
+    DFSTestUtil.createKey(anotherKey, cluster, conf);
     dfsAdmin.createEncryptionZone(zone1, anotherKey);
     String keyToUse = otherKey;
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReservedRawPaths.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReservedRawPaths.java
index c49e88b5460..2a20954a391 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReservedRawPaths.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReservedRawPaths.java
@@ -57,12 +57,13 @@ public class TestReservedRawPaths {
   private MiniDFSCluster cluster;
   private HdfsAdmin dfsAdmin;
   private DistributedFileSystem fs;
+  private final String TEST_KEY = "testKey";
 
   protected FileSystemTestWrapper fsWrapper;
   protected FileContextTestWrapper fcWrapper;
 
   @Before
-  public void setup() throws IOException {
+  public void setup() throws Exception {
     conf = new HdfsConfiguration();
     fsHelper = new FileSystemTestHelper();
     // Set up java key store
@@ -82,6 +83,7 @@ public void setup() throws IOException {
     // else the updates do not get flushed properly
     fs.getClient().provider = cluster.getNameNode().getNamesystem()
         .getProvider();
+    DFSTestUtil.createKey(TEST_KEY, cluster, conf);
   }
 
   @After
@@ -110,7 +112,7 @@ public void testReadWriteRaw() throws Exception {
     // Create the first enc file
     final Path zone = new Path("/zone");
     fs.mkdirs(zone);
-    dfsAdmin.createEncryptionZone(zone, null);
+    dfsAdmin.createEncryptionZone(zone, TEST_KEY);
     final Path encFile1 = new Path(zone, "myfile");
     DFSTestUtil.createFile(fs, encFile1, len, (short) 1, 0xFEED);
     // Read them back in and compare byte-by-byte
@@ -150,7 +152,7 @@ public void testGetFileStatus() throws Exception {
     final Path zone = new Path("zone");
     final Path slashZone = new Path("/", zone);
     fs.mkdirs(slashZone);
-    dfsAdmin.createEncryptionZone(slashZone, null);
+    dfsAdmin.createEncryptionZone(slashZone, TEST_KEY);
 
     final Path base = new Path("base");
     final Path reservedRaw = new Path("/.reserved/raw");
@@ -182,7 +184,7 @@ public void testReservedRawMkdir() throws Exception {
     final Path zone = new Path("zone");
     final Path slashZone = new Path("/", zone);
     fs.mkdirs(slashZone);
-    dfsAdmin.createEncryptionZone(slashZone, null);
+    dfsAdmin.createEncryptionZone(slashZone, TEST_KEY);
     final Path rawRoot = new Path("/.reserved/raw");
     final Path dir1 = new Path("dir1");
     final Path rawDir1 = new Path(rawRoot, dir1);
@@ -220,7 +222,7 @@ public void testAdminAccessOnly() throws Exception {
     final Path zone = new Path("zone");
     final Path slashZone = new Path("/", zone);
     fs.mkdirs(slashZone);
-    dfsAdmin.createEncryptionZone(slashZone, null);
+    dfsAdmin.createEncryptionZone(slashZone, TEST_KEY);
     final Path base = new Path("base");
     final Path reservedRaw = new Path("/.reserved/raw");
     final int len = 8192;

From 70c99278a9ffb8a22059c20357b435c7b576b3db Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 1 Aug 2014 18:47:01 +0000
Subject: [PATCH 106/354] HDFS-6780. Batch the encryption zones listing API.
 (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1615189 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  2 +
 .../org/apache/hadoop/hdfs/DFSClient.java     | 10 ++-
 .../org/apache/hadoop/hdfs/DFSConfigKeys.java |  4 +-
 .../hadoop/hdfs/DistributedFileSystem.java    |  3 +-
 .../apache/hadoop/hdfs/client/HdfsAdmin.java  | 19 +++---
 .../hadoop/hdfs/protocol/ClientProtocol.java  | 15 ++---
 .../hdfs/protocol/EncryptionZoneIterator.java | 51 +++++++++++++++
 .../hdfs/protocol/EncryptionZoneWithId.java   | 64 +++++++++++++++++++
 .../EncryptionZoneWithIdIterator.java         | 53 +++++++++++++++
 ...amenodeProtocolServerSideTranslatorPB.java | 11 +++-
 .../ClientNamenodeProtocolTranslatorPB.java   | 26 ++++++--
 .../hadoop/hdfs/protocolPB/PBHelper.java      | 57 +++++------------
 .../namenode/EncryptionZoneManager.java       | 51 +++++++++++----
 .../hdfs/server/namenode/FSDirectory.java     | 10 +--
 .../hdfs/server/namenode/FSNamesystem.java    |  7 +-
 .../server/namenode/NameNodeRpcServer.java    |  7 +-
 .../apache/hadoop/hdfs/tools/CryptoAdmin.java |  6 +-
 .../src/main/proto/encryption.proto           |  7 +-
 .../src/main/resources/hdfs-default.xml       |  9 +++
 .../hadoop/hdfs/TestEncryptionZones.java      | 41 ++++++++----
 20 files changed, 342 insertions(+), 111 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneIterator.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithId.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithIdIterator.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 63edafd4bcc..f8289ac66cb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -72,6 +72,8 @@ fs-encryption (Unreleased)
 
     HDFS-6692. Add more HDFS encryption tests. (wang)
 
+    HDFS-6780. Batch the encryption zones listing API. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index d90c7076e1b..04acb037665 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -150,6 +150,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
 import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.hdfs.protocol.EncryptionZoneIterator;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsBlocksMetadata;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
@@ -2857,13 +2858,10 @@ public void createEncryptionZone(String src, String keyName)
     }
   }
 
-  public List<EncryptionZone> listEncryptionZones() throws IOException {
+  public RemoteIterator<EncryptionZone> listEncryptionZones()
+      throws IOException {
     checkOpen();
-    try {
-      return namenode.listEncryptionZones();
-    } catch (RemoteException re) {
-      throw re.unwrapRemoteException(AccessControlException.class);
-    }
+    return new EncryptionZoneIterator(namenode);
   }
 
   public void setXAttr(String src, String name, byte[] value, 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
index c16c15d34b0..d884e5f7c88 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
@@ -566,7 +566,9 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
   public static final String DFS_TRUSTEDCHANNEL_RESOLVER_CLASS = "dfs.trustedchannel.resolver.class";
   public static final String DFS_DATA_TRANSFER_PROTECTION_KEY = "dfs.data.transfer.protection";
   public static final String DFS_DATA_TRANSFER_SASL_PROPS_RESOLVER_CLASS_KEY = "dfs.data.transfer.saslproperties.resolver.class";
-  
+  public static final int    DFS_NAMENODE_LIST_ENCRYPTION_ZONES_NUM_RESPONSES_DEFAULT = 100;
+  public static final String DFS_NAMENODE_LIST_ENCRYPTION_ZONES_NUM_RESPONSES = "dfs.namenode.list.encryption.zones.num.responses";
+
   // Journal-node related configs. These are read on the JN side.
   public static final String  DFS_JOURNALNODE_EDITS_DIR_KEY = "dfs.journalnode.edits.dir";
   public static final String  DFS_JOURNALNODE_EDITS_DIR_DEFAULT = "/tmp/hadoop/dfs/journalnode/";
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
index eccd563b270..52721962531 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
@@ -1805,7 +1805,8 @@ public void createEncryptionZone(Path path, String keyName)
   }
 
   /* HDFS only */
-  public List<EncryptionZone> listEncryptionZones() throws IOException {
+  public RemoteIterator<EncryptionZone> listEncryptionZones()
+      throws IOException {
     return dfs.listEncryptionZones();
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
index 0a22d9dd3f4..1a8dce3acbf 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
@@ -248,16 +248,17 @@ public void createEncryptionZone(Path path, String keyName)
   }
 
   /**
-   * Return a list of all {@link EncryptionZone}s in the HDFS hierarchy which
-   * are visible to the caller. If the caller is an HDFS superuser,
-   * then the key name of each encryption zone will also be provided.
-   *
-   * @throws IOException if there was a general IO exception
-   *
-   * @return List<EncryptionZone> the list of Encryption Zones that the caller has
-   * access to.
+   * Returns a RemoteIterator which can be used to list the encryption zones
+   * in HDFS. For large numbers of encryption zones, the iterator will fetch
+   * the list of zones in a number of small batches.
+   * <p/>
+   * Since the list is fetched in batches, it does not represent a
+   * consistent snapshot of the entire list of encryption zones.
+   * <p/>
+   * This method can only be called by HDFS superusers.
    */
-  public List<EncryptionZone> listEncryptionZones() throws IOException {
+  public RemoteIterator<EncryptionZone> listEncryptionZones()
+      throws IOException {
     return dfs.listEncryptionZones();
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index effc10d9fe5..a571ac6e389 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -1275,16 +1275,15 @@ public void createEncryptionZone(String src, String keyName)
     throws IOException;
 
   /**
-   * Return a list of all {@EncryptionZone}s in the HDFS hierarchy which are
-   * visible to the caller. If the caller is the HDFS admin, then the returned
-   * EncryptionZone instances will have the key id field filled in. If the
-   * caller is not the HDFS admin, then the EncryptionZone instances will only
-   * have the path field filled in and only those zones that are visible to the
-   * user are returned.
+   * Used to implement cursor-based batched listing of {@EncryptionZone}s.
+   *
+   * @param prevId ID of the last item in the previous batch. If there is no
+   *               previous batch, a negative value can be used.
+   * @return Batch of encryption zones.
    */
   @Idempotent
-  public List<EncryptionZone> listEncryptionZones()
-    throws IOException;
+  public BatchedEntries<EncryptionZoneWithId> listEncryptionZones(
+      long prevId) throws IOException;
 
   /**
    * Set xattr of a file or directory.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneIterator.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneIterator.java
new file mode 100644
index 00000000000..ff308dabf77
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneIterator.java
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.protocol;
+
+import java.io.IOException;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.fs.RemoteIterator;
+
+/**
+ * EncryptionZoneIterator is a remote iterator that iterates over encryption
+ * zones. It supports retrying in case of namenode failover.
+ */
+@InterfaceAudience.Private
+@InterfaceStability.Evolving
+public class EncryptionZoneIterator implements RemoteIterator<EncryptionZone> {
+
+  private final EncryptionZoneWithIdIterator iterator;
+
+  public EncryptionZoneIterator(ClientProtocol namenode) {
+    iterator = new EncryptionZoneWithIdIterator(namenode);
+  }
+
+  @Override
+  public boolean hasNext() throws IOException {
+    return iterator.hasNext();
+  }
+
+  @Override
+  public EncryptionZone next() throws IOException {
+    EncryptionZoneWithId ezwi = iterator.next();
+    return ezwi.toEncryptionZone();
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithId.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithId.java
new file mode 100644
index 00000000000..7ed4884bbd5
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithId.java
@@ -0,0 +1,64 @@
+package org.apache.hadoop.hdfs.protocol;
+
+import org.apache.commons.lang.builder.HashCodeBuilder;
+import org.apache.hadoop.classification.InterfaceAudience;
+
+/**
+ * Internal class similar to an {@link EncryptionZone} which also holds a
+ * unique id. Used to implement batched listing of encryption zones.
+ */
+@InterfaceAudience.Private
+public class EncryptionZoneWithId extends EncryptionZone {
+
+  final long id;
+
+  public EncryptionZoneWithId(String path, String keyName, long id) {
+    super(path, keyName);
+    this.id = id;
+  }
+
+  public long getId() {
+    return id;
+  }
+
+  EncryptionZone toEncryptionZone() {
+    return new EncryptionZone(getPath(), getKeyName());
+  }
+
+  @Override
+  public int hashCode() {
+    return new HashCodeBuilder(17, 29)
+        .append(super.hashCode())
+        .append(id)
+        .toHashCode();
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
+    if (!super.equals(o)) {
+      return false;
+    }
+
+    EncryptionZoneWithId that = (EncryptionZoneWithId) o;
+
+    if (id != that.id) {
+      return false;
+    }
+
+    return true;
+  }
+
+  @Override
+  public String toString() {
+    return "EncryptionZoneWithId [" +
+        "id=" + id +
+        ", " + super.toString() +
+        ']';
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithIdIterator.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithIdIterator.java
new file mode 100644
index 00000000000..78c7b620535
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithIdIterator.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.protocol;
+
+import java.io.IOException;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.fs.BatchedRemoteIterator;
+
+/**
+ * Used on the client-side to iterate over the list of encryption zones
+ * stored on the namenode.
+ */
+@InterfaceAudience.Private
+@InterfaceStability.Evolving
+public class EncryptionZoneWithIdIterator
+    extends BatchedRemoteIterator<Long, EncryptionZoneWithId> {
+
+  private final ClientProtocol namenode;
+
+  EncryptionZoneWithIdIterator(ClientProtocol namenode) {
+    super(Long.valueOf(0));
+    this.namenode = namenode;
+  }
+
+  @Override
+  public BatchedEntries<EncryptionZoneWithId> makeRequest(Long prevId)
+      throws IOException {
+    return namenode.listEncryptionZones(prevId);
+  }
+
+  @Override
+  public Long elementToPrevKey(EncryptionZoneWithId entry) {
+    return entry.getId();
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
index 7f7fa185ec8..acb0294eee2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
@@ -32,6 +32,7 @@
 import org.apache.hadoop.hdfs.protocol.ClientProtocol;
 import org.apache.hadoop.hdfs.protocol.CorruptFileBlocks;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
+import org.apache.hadoop.hdfs.protocol.EncryptionZoneWithId;
 import org.apache.hadoop.hdfs.protocol.HdfsFileStatus;
 import org.apache.hadoop.hdfs.protocol.LocatedBlock;
 import org.apache.hadoop.hdfs.protocol.LocatedBlocks;
@@ -1317,7 +1318,15 @@ public ListEncryptionZonesResponseProto listEncryptionZones(
     RpcController controller, ListEncryptionZonesRequestProto req)
     throws ServiceException {
     try {
-      return PBHelper.convertListEZResponse(server.listEncryptionZones());
+      BatchedEntries<EncryptionZoneWithId> entries = server
+          .listEncryptionZones(req.getId());
+      ListEncryptionZonesResponseProto.Builder builder =
+          ListEncryptionZonesResponseProto.newBuilder();
+      builder.setHasMore(entries.hasMore());
+      for (int i=0; i<entries.size(); i++) {
+        builder.addZones(PBHelper.convert(entries.get(i)));
+      }
+      return builder.build();
     } catch (IOException e) {
       throw new ServiceException(e);
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
index 50a438e96a5..24f722bca3b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
@@ -24,6 +24,7 @@
 import java.util.EnumSet;
 import java.util.List;
 
+import com.google.common.collect.Lists;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.crypto.CipherSuite;
@@ -52,7 +53,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
-import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.hdfs.protocol.EncryptionZoneWithId;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.RollingUpgradeAction;
@@ -146,6 +147,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.SetTimesRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdateBlockForPipelineRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.UpdatePipelineRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.CreateEncryptionZoneRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.GetXAttrsRequestProto;
@@ -174,6 +176,11 @@
 import com.google.protobuf.ByteString;
 import com.google.protobuf.ServiceException;
 
+
+import static org.apache.hadoop.fs.BatchedRemoteIterator.BatchedListEntries;
+import static org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos
+    .EncryptionZoneWithIdProto;
+
 /**
  * This class forwards NN's ClientProtocol calls as RPC calls to the NN server
  * while translating from the parameter types used in ClientProtocol to the
@@ -1317,11 +1324,22 @@ public void createEncryptionZone(String src, String keyName)
   }
 
   @Override
-  public List<EncryptionZone> listEncryptionZones() throws IOException {
+  public BatchedEntries<EncryptionZoneWithId> listEncryptionZones(long id)
+      throws IOException {
     final ListEncryptionZonesRequestProto req =
-      ListEncryptionZonesRequestProto.newBuilder().build();
+      ListEncryptionZonesRequestProto.newBuilder()
+          .setId(id)
+          .build();
     try {
-      return PBHelper.convert(rpcProxy.listEncryptionZones(null, req));
+      EncryptionZonesProtos.ListEncryptionZonesResponseProto response =
+          rpcProxy.listEncryptionZones(null, req);
+      List<EncryptionZoneWithId> elements =
+          Lists.newArrayListWithCapacity(response.getZonesCount());
+      for (EncryptionZoneWithIdProto p : response.getZonesList()) {
+        elements.add(PBHelper.convert(p));
+      }
+      return new BatchedListEntries<EncryptionZoneWithId>(elements,
+          response.getHasMore());
     } catch (ServiceException e) {
       throw ProtobufHelper.getRemoteException(e);
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index e6de79cbffb..230f5455198 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -18,6 +18,8 @@
 package org.apache.hadoop.hdfs.protocolPB;
 
 import static com.google.common.base.Preconditions.checkNotNull;
+import static org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos
+    .EncryptionZoneWithIdProto;
 
 import java.io.EOFException;
 import java.io.IOException;
@@ -59,7 +61,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo.AdminStates;
 import org.apache.hadoop.hdfs.protocol.DatanodeLocalInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
-import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.hdfs.protocol.EncryptionZoneWithId;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.fs.FileEncryptionInfo;
 import org.apache.hadoop.hdfs.protocol.FsAclPermission;
@@ -111,8 +113,6 @@
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.NNHAStatusHeartbeatProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.ReceivedDeletedBlockInfoProto;
 import org.apache.hadoop.hdfs.protocol.proto.DatanodeProtocolProtos.RegisterCommandProto;
-import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesResponseProto;
-import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.EncryptionZoneProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.BlockKeyProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.BlockProto;
@@ -2264,45 +2264,6 @@ public static List<XAttr> convertXAttrs(List<XAttrProto> xAttrSpec) {
     }
     return xAttrs;
   }
-  
-  public static List<EncryptionZone> convert(ListEncryptionZonesResponseProto a) {
-    final List<EncryptionZoneProto> ezs = a.getPathsAndKeysList();
-    return convertEZ(ezs);
-  }
-
-  public static ListEncryptionZonesResponseProto convertListEZResponse(
-    List<EncryptionZone> ezs) {
-    final ListEncryptionZonesResponseProto.Builder builder =
-      ListEncryptionZonesResponseProto.newBuilder();
-    builder.addAllPathsAndKeys(convertEZProto(ezs));
-    return builder.build();
-  }
-
-  public static List<EncryptionZoneProto> convertEZProto(
-      List<EncryptionZone> ezs) {
-    final ArrayList<EncryptionZoneProto> ret =
-      Lists.newArrayListWithCapacity(ezs.size());
-    for (EncryptionZone a : ezs) {
-      final EncryptionZoneProto.Builder builder =
-        EncryptionZoneProto.newBuilder();
-      builder.setPath(a.getPath());
-      builder.setKeyName(a.getKeyName());
-      ret.add(builder.build());
-    }
-    return ret;
-  }
-
-  public static List<EncryptionZone> convertEZ(
-    List<EncryptionZoneProto> ezs) {
-    final ArrayList<EncryptionZone> ret =
-      Lists.newArrayListWithCapacity(ezs.size());
-    for (EncryptionZoneProto a : ezs) {
-      final EncryptionZone ez =
-        new EncryptionZone(a.getPath(), a.getKeyName());
-      ret.add(ez);
-    }
-    return ret;
-  }
 
   public static List<XAttr> convert(GetXAttrsResponseProto a) {
     List<XAttrProto> xAttrs = a.getXAttrsList();
@@ -2334,6 +2295,18 @@ public static ListXAttrsResponseProto convertListXAttrsResponse(
     return builder.build();
   }
 
+  public static EncryptionZoneWithIdProto convert(EncryptionZoneWithId zone) {
+    return EncryptionZoneWithIdProto.newBuilder()
+        .setId(zone.getId())
+        .setKeyName(zone.getKeyName())
+        .setPath(zone.getPath()).build();
+  }
+
+  public static EncryptionZoneWithId convert(EncryptionZoneWithIdProto proto) {
+    return new EncryptionZoneWithId(proto.getPath(), proto.getKeyName(),
+        proto.getId());
+  }
+
   public static ShortCircuitShmSlotProto convert(SlotId slotId) {
     return ShortCircuitShmSlotProto.newBuilder().
         setShmId(convert(slotId.getShmId())).
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
index a083ea3a87c..143cc66c3ea 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@@ -2,22 +2,25 @@
 
 import java.io.IOException;
 import java.util.EnumSet;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
+import java.util.NavigableMap;
+import java.util.TreeMap;
 
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.UnresolvedLinkException;
 import org.apache.hadoop.fs.XAttr;
 import org.apache.hadoop.fs.XAttrSetFlag;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.XAttrHelper;
-import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.hdfs.protocol.EncryptionZoneWithId;
 import org.apache.hadoop.hdfs.protocol.SnapshotAccessControlException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 
+import static org.apache.hadoop.fs.BatchedRemoteIterator.BatchedListEntries;
 import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants
     .CRYPTO_XATTR_ENCRYPTION_ZONE;
 
@@ -57,17 +60,26 @@ long getINodeId() {
 
   }
 
-  private final Map<Long, EncryptionZoneInt> encryptionZones;
+  private final TreeMap<Long, EncryptionZoneInt> encryptionZones;
   private final FSDirectory dir;
+  private final int maxListEncryptionZonesResponses;
 
   /**
    * Construct a new EncryptionZoneManager.
    *
    * @param dir Enclosing FSDirectory
    */
-  public EncryptionZoneManager(FSDirectory dir) {
+  public EncryptionZoneManager(FSDirectory dir, Configuration conf) {
     this.dir = dir;
-    encryptionZones = new HashMap<Long, EncryptionZoneInt>();
+    encryptionZones = new TreeMap<Long, EncryptionZoneInt>();
+    maxListEncryptionZonesResponses = conf.getInt(
+        DFSConfigKeys.DFS_NAMENODE_LIST_ENCRYPTION_ZONES_NUM_RESPONSES,
+        DFSConfigKeys.DFS_NAMENODE_LIST_ENCRYPTION_ZONES_NUM_RESPONSES_DEFAULT
+    );
+    Preconditions.checkArgument(maxListEncryptionZonesResponses >= 0,
+        DFSConfigKeys.DFS_NAMENODE_LIST_ENCRYPTION_ZONES_NUM_RESPONSES + " " +
+            "must be a positive integer."
+    );
   }
 
   /**
@@ -236,17 +248,30 @@ XAttr createEncryptionZone(String src, String keyName)
   }
 
   /**
-   * Return the current list of encryption zones.
+   * Cursor-based listing of encryption zones.
    * <p/>
    * Called while holding the FSDirectory lock.
    */
-  List<EncryptionZone> listEncryptionZones() throws IOException {
+  BatchedListEntries<EncryptionZoneWithId> listEncryptionZones(long prevId)
+      throws IOException {
     assert dir.hasReadLock();
-    final List<EncryptionZone> ret =
-        Lists.newArrayListWithExpectedSize(encryptionZones.size());
-    for (EncryptionZoneInt ezi : encryptionZones.values()) {
-      ret.add(new EncryptionZone(getFullPathName(ezi), ezi.getKeyName()));
+    NavigableMap<Long, EncryptionZoneInt> tailMap = encryptionZones.tailMap
+        (prevId, false);
+    final int numResponses = Math.min(maxListEncryptionZonesResponses,
+        tailMap.size());
+    final List<EncryptionZoneWithId> zones =
+        Lists.newArrayListWithExpectedSize(numResponses);
+
+    int count = 0;
+    for (EncryptionZoneInt ezi : tailMap.values()) {
+      zones.add(new EncryptionZoneWithId(getFullPathName(ezi),
+          ezi.getKeyName(), ezi.getINodeId()));
+      count++;
+      if (count >= numResponses) {
+        break;
+      }
     }
-    return ret;
+    final boolean hasMore = (numResponses < tailMap.size());
+    return new BatchedListEntries<EncryptionZoneWithId>(zones, hasMore);
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index f3ef5c3226b..bb687d7940d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.hdfs.server.namenode;
 
+import static org.apache.hadoop.fs.BatchedRemoteIterator.BatchedListEntries;
 import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants.CRYPTO_XATTR_ENCRYPTION_ZONE;
 import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants.CRYPTO_XATTR_FILE_ENCRYPTION_INFO;
 import static org.apache.hadoop.util.Time.now;
@@ -58,7 +59,7 @@
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.ClientProtocol;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
-import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.hdfs.protocol.EncryptionZoneWithId;
 import org.apache.hadoop.hdfs.protocol.FSLimitException.MaxDirectoryItemsExceededException;
 import org.apache.hadoop.hdfs.protocol.FSLimitException.PathComponentTooLongException;
 import org.apache.hadoop.hdfs.protocol.FsAclPermission;
@@ -227,7 +228,7 @@ public int getWriteHoldCount() {
     nameCache = new NameCache<ByteArray>(threshold);
     namesystem = ns;
 
-    ezManager = new EncryptionZoneManager(this);
+    ezManager = new EncryptionZoneManager(this, conf);
   }
     
   private FSNamesystem getFSNamesystem() {
@@ -2646,10 +2647,11 @@ XAttr createEncryptionZone(String src, String keyName)
     }
   }
 
-  List<EncryptionZone> listEncryptionZones() throws IOException {
+  BatchedListEntries<EncryptionZoneWithId> listEncryptionZones(long prevId)
+      throws IOException {
     readLock();
     try {
-      return ezManager.listEncryptionZones();
+      return ezManager.listEncryptionZones(prevId);
     } finally {
       readUnlock();
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index e4c7509ea02..da9dcfd1f9a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -183,6 +183,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
 import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.hdfs.protocol.EncryptionZoneWithId;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
@@ -8559,7 +8560,8 @@ private void createEncryptionZoneInt(final String srcArg, String keyName,
     logAuditEvent(true, "createEncryptionZone", srcArg, null, resultingStat);
   }
 
-  List<EncryptionZone> listEncryptionZones() throws IOException {
+  BatchedListEntries<EncryptionZoneWithId> listEncryptionZones(long prevId)
+      throws IOException {
     boolean success = false;
     checkSuperuserPrivilege();
     checkOperation(OperationCategory.READ);
@@ -8567,7 +8569,8 @@ List<EncryptionZone> listEncryptionZones() throws IOException {
     try {
       checkSuperuserPrivilege();
       checkOperation(OperationCategory.READ);
-      final List<EncryptionZone> ret = dir.listEncryptionZones();
+      final BatchedListEntries<EncryptionZoneWithId> ret =
+          dir.listEncryptionZones(prevId);
       success = true;
       return ret;
     } finally {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index ac721dff7f1..9fb0c33b6b7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -77,7 +77,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
-import org.apache.hadoop.hdfs.protocol.EncryptionZone;
+import org.apache.hadoop.hdfs.protocol.EncryptionZoneWithId;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.FSLimitException;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
@@ -1432,8 +1432,9 @@ public void createEncryptionZone(String src, String keyName)
   }
 
   @Override
-  public List<EncryptionZone> listEncryptionZones() throws IOException {
-    return namesystem.listEncryptionZones();
+  public BatchedEntries<EncryptionZoneWithId> listEncryptionZones(
+      long prevId) throws IOException {
+    return namesystem.listEncryptionZones(prevId);
   }
 
   @Override
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
index 28aaef2e455..fcad730075e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
@@ -26,6 +26,7 @@
 import org.apache.hadoop.conf.Configured;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.RemoteIterator;
 import org.apache.hadoop.hdfs.DistributedFileSystem;
 import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.tools.TableListing;
@@ -201,8 +202,9 @@ public int run(Configuration conf, List<String> args) throws IOException {
         final TableListing listing = new TableListing.Builder()
           .addField("").addField("", true)
           .wrapWidth(MAX_LINE_WIDTH).hideHeaders().build();
-        final List<EncryptionZone> ezs = dfs.listEncryptionZones();
-        for (EncryptionZone ez : ezs) {
+        final RemoteIterator<EncryptionZone> it = dfs.listEncryptionZones();
+        while (it.hasNext()) {
+          EncryptionZone ez = it.next();
           listing.addRow(ez.getPath(), ez.getKeyName());
         }
         System.out.println(listing.toString());
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
index 391b0aa5ff5..fadaef1b9d7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
@@ -42,13 +42,16 @@ message CreateEncryptionZoneResponseProto {
 }
 
 message ListEncryptionZonesRequestProto {
+  required int64 id = 1;
 }
 
-message EncryptionZoneProto {
+message EncryptionZoneWithIdProto {
   required string path = 1;
   required string keyName = 2;
+  required int64 id = 3;
 }
 
 message ListEncryptionZonesResponseProto {
-  repeated EncryptionZoneProto pathsAndKeys = 1;
+  repeated EncryptionZoneWithIdProto zones = 1;
+  required bool hasMore = 2;
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
index fea88166c24..961c214c855 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
@@ -2052,4 +2052,13 @@
   </description>
 </property>
 
+<property>
+  <name>dfs.namenode.list.encryption.zones.num.responses</name>
+  <value>false</value>
+  <description>When listing encryption zones, the maximum number of zones
+    that will be returned in a batch. Fetching the list incrementally in
+    batches improves namenode performance.
+  </description>
+</property>
+
 </configuration>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
index 9a3456fb3bb..b48978c97ca 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -44,6 +44,7 @@
 import org.apache.hadoop.fs.FileSystemTestHelper;
 import org.apache.hadoop.fs.FileSystemTestWrapper;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.RemoteIterator;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.client.HdfsAdmin;
 import org.apache.hadoop.hdfs.protocol.EncryptionZone;
@@ -90,6 +91,9 @@ public void setup() throws Exception {
     conf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
         JavaKeyStoreProvider.SCHEME_NAME + "://file" + testRootDir + "/test.jks"
     );
+    // Lower the batch size for testing
+    conf.setInt(DFSConfigKeys.DFS_NAMENODE_LIST_ENCRYPTION_ZONES_NUM_RESPONSES,
+        2);
     cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
     Logger.getLogger(EncryptionZoneManager.class).setLevel(Level.TRACE);
     fs = cluster.getFileSystem();
@@ -114,9 +118,13 @@ public void teardown() {
   }
 
   public void assertNumZones(final int numZones) throws IOException {
-    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
-    assertEquals("Unexpected number of encryption zones!", numZones,
-        zones.size());
+    RemoteIterator<EncryptionZone> it = dfsAdmin.listEncryptionZones();
+    int count = 0;
+    while (it.hasNext()) {
+      count++;
+      it.next();
+    }
+    assertEquals("Unexpected number of encryption zones!", numZones, count);
   }
 
   /**
@@ -126,9 +134,10 @@ public void assertNumZones(final int numZones) throws IOException {
    * @throws IOException if a matching zone could not be found
    */
   public void assertZonePresent(String keyName, String path) throws IOException {
-    final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
+    final RemoteIterator<EncryptionZone> it = dfsAdmin.listEncryptionZones();
     boolean match = false;
-    for (EncryptionZone zone : zones) {
+    while (it.hasNext()) {
+      EncryptionZone zone = it.next();
       boolean matchKey = (keyName == null);
       boolean matchPath = (path == null);
       if (keyName != null && zone.getKeyName().equals(keyName)) {
@@ -282,6 +291,16 @@ public Object run() throws Exception {
     dfsAdmin.createEncryptionZone(deepZone, TEST_KEY);
     assertNumZones(++numZones);
     assertZonePresent(null, deepZone.toString());
+
+    // Create and list some zones to test batching of listEZ
+    for (int i=1; i<6; i++) {
+      final Path zonePath = new Path("/listZone" + i);
+      fsWrapper.mkdir(zonePath, FsPermission.getDirDefault(), false);
+      dfsAdmin.createEncryptionZone(zonePath, TEST_KEY);
+      numZones++;
+      assertNumZones(numZones);
+      assertZonePresent(null, zonePath.toString());
+    }
   }
 
   /**
@@ -369,9 +388,8 @@ public void testReadWrite() throws Exception {
     // Read them back in and compare byte-by-byte
     verifyFilesEqual(fs, baseFile, encFile1, len);
     // Roll the key of the encryption zone
-    List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
-    assertEquals("Expected 1 EZ", 1, zones.size());
-    String keyName = zones.get(0).getKeyName();
+    assertNumZones(1);
+    String keyName = dfsAdmin.listEncryptionZones().next().getKeyName();
     cluster.getNamesystem().getProvider().rollNewVersion(keyName);
     // Read them back in and compare byte-by-byte
     verifyFilesEqual(fs, baseFile, encFile1, len);
@@ -457,14 +475,12 @@ public void testCipherSuiteNegotiation() throws Exception {
 
   @Test(timeout = 120000)
   public void testCreateEZWithNoProvider() throws Exception {
-
+    // Unset the key provider and make sure EZ ops don't work
     final Configuration clusterConf = cluster.getConfiguration(0);
     clusterConf.set(KeyProviderFactory.KEY_PROVIDER_PATH, "");
     cluster.restartNameNode(true);
     cluster.waitActive();
-    /* Test failure of create EZ on a directory that doesn't exist. */
     final Path zone1 = new Path("/zone1");
-    /* Normal creation of an EZ */
     fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
     try {
       dfsAdmin.createEncryptionZone(zone1, TEST_KEY);
@@ -476,8 +492,7 @@ public void testCreateEZWithNoProvider() throws Exception {
         JavaKeyStoreProvider.SCHEME_NAME + "://file" + testRootDir + "/test.jks"
     );
     // Try listing EZs as well
-    List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
-    assertEquals("Expected no zones", 0, zones.size());
+    assertNumZones(0);
   }
 
   private class MyInjector extends EncryptionFaultInjector {

From 07860b1c9ee3e1d77d39a52d41c3243fdcc10c45 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 1 Aug 2014 18:56:06 +0000
Subject: [PATCH 107/354] HDFS-6788. Improve synchronization in BPOfferService
 with read write lock. Contributed by Yongjun Zhang.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615190 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../hdfs/server/datanode/BPOfferService.java  | 299 +++++++++++-------
 2 files changed, 189 insertions(+), 113 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 158f7c18ff2..2a10d5b5b53 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -349,6 +349,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6802. Some tests in TestDFSClientFailover are missing @Test
     annotation. (Akira Ajisaka via wang)
 
+    HDFS-6788. Improve synchronization in BPOfferService with read write lock.
+    (Yongjun Zhang via wang)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java
index 0a6549de8f9..39e842ccfd4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java
@@ -21,6 +21,7 @@
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
+
 import org.apache.commons.logging.Log;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState;
@@ -38,6 +39,8 @@
 import java.util.List;
 import java.util.Set;
 import java.util.concurrent.CopyOnWriteArrayList;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantReadWriteLock;
 
 /**
  * One instance per block-pool/namespace on the DN, which handles the
@@ -91,6 +94,28 @@ class BPOfferService {
    */
   private long lastActiveClaimTxId = -1;
 
+  private final ReentrantReadWriteLock mReadWriteLock =
+      new ReentrantReadWriteLock();
+  private final Lock mReadLock  = mReadWriteLock.readLock();
+  private final Lock mWriteLock = mReadWriteLock.writeLock();
+
+  // utility methods to acquire and release read lock and write lock
+  void readLock() {
+    mReadLock.lock();
+  }
+
+  void readUnlock() {
+    mReadLock.unlock();
+  }
+
+  void writeLock() {
+    mWriteLock.lock();
+  }
+
+  void writeUnlock() {
+    mWriteLock.unlock();
+  }
+
   BPOfferService(List<InetSocketAddress> nnAddrs, DataNode dn) {
     Preconditions.checkArgument(!nnAddrs.isEmpty(),
         "Must pass at least one NN.");
@@ -135,14 +160,19 @@ boolean isAlive() {
     }
     return false;
   }
-  
-  synchronized String getBlockPoolId() {
-    if (bpNSInfo != null) {
-      return bpNSInfo.getBlockPoolID();
-    } else {
-      LOG.warn("Block pool ID needed, but service not yet registered with NN",
-          new Exception("trace"));
-      return null;
+
+  String getBlockPoolId() {
+    readLock();
+    try {
+      if (bpNSInfo != null) {
+        return bpNSInfo.getBlockPoolID();
+      } else {
+        LOG.warn("Block pool ID needed, but service not yet registered with NN",
+            new Exception("trace"));
+        return null;
+      }
+    } finally {
+      readUnlock();
     }
   }
 
@@ -150,27 +180,37 @@ boolean hasBlockPoolId() {
     return getNamespaceInfo() != null;
   }
 
-  synchronized NamespaceInfo getNamespaceInfo() {
-    return bpNSInfo;
+  NamespaceInfo getNamespaceInfo() {
+    readLock();
+    try {
+      return bpNSInfo;
+    } finally {
+      readUnlock();
+    }
   }
 
   @Override
-  public synchronized String toString() {
-    if (bpNSInfo == null) {
-      // If we haven't yet connected to our NN, we don't yet know our
-      // own block pool ID.
-      // If _none_ of the block pools have connected yet, we don't even
-      // know the DatanodeID ID of this DN.
-      String datanodeUuid = dn.getDatanodeUuid();
+  public String toString() {
+    readLock();
+    try {
+      if (bpNSInfo == null) {
+        // If we haven't yet connected to our NN, we don't yet know our
+        // own block pool ID.
+        // If _none_ of the block pools have connected yet, we don't even
+        // know the DatanodeID ID of this DN.
+        String datanodeUuid = dn.getDatanodeUuid();
 
-      if (datanodeUuid == null || datanodeUuid.isEmpty()) {
-        datanodeUuid = "unassigned";
+        if (datanodeUuid == null || datanodeUuid.isEmpty()) {
+          datanodeUuid = "unassigned";
+        }
+        return "Block pool <registering> (Datanode Uuid " + datanodeUuid + ")";
+      } else {
+        return "Block pool " + getBlockPoolId() +
+            " (Datanode Uuid " + dn.getDatanodeUuid() +
+            ")";
       }
-      return "Block pool <registering> (Datanode Uuid " + datanodeUuid + ")";
-    } else {
-      return "Block pool " + getBlockPoolId() +
-          " (Datanode Uuid " + dn.getDatanodeUuid() +
-          ")";
+    } finally {
+      readUnlock();
     }
   }
   
@@ -266,32 +306,37 @@ DataNode getDataNode() {
    * verifies that this namespace matches (eg to prevent a misconfiguration
    * where a StandbyNode from a different cluster is specified)
    */
-  synchronized void verifyAndSetNamespaceInfo(NamespaceInfo nsInfo) throws IOException {
-    if (this.bpNSInfo == null) {
-      this.bpNSInfo = nsInfo;
-      boolean success = false;
+  void verifyAndSetNamespaceInfo(NamespaceInfo nsInfo) throws IOException {
+    writeLock();
+    try {
+      if (this.bpNSInfo == null) {
+        this.bpNSInfo = nsInfo;
+        boolean success = false;
 
-      // Now that we know the namespace ID, etc, we can pass this to the DN.
-      // The DN can now initialize its local storage if we are the
-      // first BP to handshake, etc.
-      try {
-        dn.initBlockPool(this);
-        success = true;
-      } finally {
-        if (!success) {
-          // The datanode failed to initialize the BP. We need to reset
-          // the namespace info so that other BPService actors still have
-          // a chance to set it, and re-initialize the datanode.
-          this.bpNSInfo = null;
+        // Now that we know the namespace ID, etc, we can pass this to the DN.
+        // The DN can now initialize its local storage if we are the
+        // first BP to handshake, etc.
+        try {
+          dn.initBlockPool(this);
+          success = true;
+        } finally {
+          if (!success) {
+            // The datanode failed to initialize the BP. We need to reset
+            // the namespace info so that other BPService actors still have
+            // a chance to set it, and re-initialize the datanode.
+            this.bpNSInfo = null;
+          }
         }
+      } else {
+        checkNSEquality(bpNSInfo.getBlockPoolID(), nsInfo.getBlockPoolID(),
+            "Blockpool ID");
+        checkNSEquality(bpNSInfo.getNamespaceID(), nsInfo.getNamespaceID(),
+            "Namespace ID");
+        checkNSEquality(bpNSInfo.getClusterID(), nsInfo.getClusterID(),
+            "Cluster ID");
       }
-    } else {
-      checkNSEquality(bpNSInfo.getBlockPoolID(), nsInfo.getBlockPoolID(),
-          "Blockpool ID");
-      checkNSEquality(bpNSInfo.getNamespaceID(), nsInfo.getNamespaceID(),
-          "Namespace ID");
-      checkNSEquality(bpNSInfo.getClusterID(), nsInfo.getClusterID(),
-          "Cluster ID");
+    } finally {
+      writeUnlock();
     }
   }
 
@@ -300,22 +345,27 @@ synchronized void verifyAndSetNamespaceInfo(NamespaceInfo nsInfo) throws IOExcep
    * NN, it calls this function to verify that the NN it connected to
    * is consistent with other NNs serving the block-pool.
    */
-  synchronized void registrationSucceeded(BPServiceActor bpServiceActor,
+  void registrationSucceeded(BPServiceActor bpServiceActor,
       DatanodeRegistration reg) throws IOException {
-    if (bpRegistration != null) {
-      checkNSEquality(bpRegistration.getStorageInfo().getNamespaceID(),
-          reg.getStorageInfo().getNamespaceID(), "namespace ID");
-      checkNSEquality(bpRegistration.getStorageInfo().getClusterID(),
-          reg.getStorageInfo().getClusterID(), "cluster ID");
-    } else {
-      bpRegistration = reg;
-    }
-    
-    dn.bpRegistrationSucceeded(bpRegistration, getBlockPoolId());
-    // Add the initial block token secret keys to the DN's secret manager.
-    if (dn.isBlockTokenEnabled) {
-      dn.blockPoolTokenSecretManager.addKeys(getBlockPoolId(),
-          reg.getExportedKeys());
+    writeLock();
+    try {
+      if (bpRegistration != null) {
+        checkNSEquality(bpRegistration.getStorageInfo().getNamespaceID(),
+            reg.getStorageInfo().getNamespaceID(), "namespace ID");
+        checkNSEquality(bpRegistration.getStorageInfo().getClusterID(),
+            reg.getStorageInfo().getClusterID(), "cluster ID");
+      } else {
+        bpRegistration = reg;
+      }
+
+      dn.bpRegistrationSucceeded(bpRegistration, getBlockPoolId());
+      // Add the initial block token secret keys to the DN's secret manager.
+      if (dn.isBlockTokenEnabled) {
+        dn.blockPoolTokenSecretManager.addKeys(getBlockPoolId(),
+            reg.getExportedKeys());
+      }
+    } finally {
+      writeUnlock();
     }
   }
 
@@ -333,25 +383,35 @@ private static void checkNSEquality(
     }
   }
 
-  synchronized DatanodeRegistration createRegistration() {
-    Preconditions.checkState(bpNSInfo != null,
-        "getRegistration() can only be called after initial handshake");
-    return dn.createBPRegistration(bpNSInfo);
+  DatanodeRegistration createRegistration() {
+    writeLock();
+    try {
+      Preconditions.checkState(bpNSInfo != null,
+          "getRegistration() can only be called after initial handshake");
+      return dn.createBPRegistration(bpNSInfo);
+    } finally {
+      writeUnlock();
+    }
   }
 
   /**
    * Called when an actor shuts down. If this is the last actor
    * to shut down, shuts down the whole blockpool in the DN.
    */
-  synchronized void shutdownActor(BPServiceActor actor) {
-    if (bpServiceToActive == actor) {
-      bpServiceToActive = null;
-    }
+  void shutdownActor(BPServiceActor actor) {
+    writeLock();
+    try {
+      if (bpServiceToActive == actor) {
+        bpServiceToActive = null;
+      }
 
-    bpServices.remove(actor);
+      bpServices.remove(actor);
 
-    if (bpServices.isEmpty()) {
-      dn.shutdownBlockPool(this);
+      if (bpServices.isEmpty()) {
+        dn.shutdownBlockPool(this);
+      }
+    } finally {
+      writeUnlock();
     }
   }
 
@@ -392,11 +452,16 @@ void reportRemoteBadBlock(DatanodeInfo dnInfo, ExtendedBlock block) {
    * @return a proxy to the active NN, or null if the BPOS has not
    * acknowledged any NN as active yet.
    */
-  synchronized DatanodeProtocolClientSideTranslatorPB getActiveNN() {
-    if (bpServiceToActive != null) {
-      return bpServiceToActive.bpNamenode;
-    } else {
-      return null;
+  DatanodeProtocolClientSideTranslatorPB getActiveNN() {
+    readLock();
+    try {
+      if (bpServiceToActive != null) {
+        return bpServiceToActive.bpNamenode;
+      } else {
+        return null;
+      }
+    } finally {
+      readUnlock();
     }
   }
 
@@ -424,45 +489,50 @@ void signalRollingUpgrade(boolean inProgress) {
    * @param actor the actor which received the heartbeat
    * @param nnHaState the HA-related heartbeat contents
    */
-  synchronized void updateActorStatesFromHeartbeat(
+  void updateActorStatesFromHeartbeat(
       BPServiceActor actor,
       NNHAStatusHeartbeat nnHaState) {
-    final long txid = nnHaState.getTxId();
-    
-    final boolean nnClaimsActive =
-      nnHaState.getState() == HAServiceState.ACTIVE;
-    final boolean bposThinksActive = bpServiceToActive == actor;
-    final boolean isMoreRecentClaim = txid > lastActiveClaimTxId; 
-    
-    if (nnClaimsActive && !bposThinksActive) {
-      LOG.info("Namenode " + actor + " trying to claim ACTIVE state with " +
-          "txid=" + txid);
-      if (!isMoreRecentClaim) {
-        // Split-brain scenario - an NN is trying to claim active
-        // state when a different NN has already claimed it with a higher
-        // txid.
-        LOG.warn("NN " + actor + " tried to claim ACTIVE state at txid=" +
-            txid + " but there was already a more recent claim at txid=" +
-            lastActiveClaimTxId);
-        return;
-      } else {
-        if (bpServiceToActive == null) {
-          LOG.info("Acknowledging ACTIVE Namenode " + actor);
+    writeLock();
+    try {
+      final long txid = nnHaState.getTxId();
+
+      final boolean nnClaimsActive =
+          nnHaState.getState() == HAServiceState.ACTIVE;
+      final boolean bposThinksActive = bpServiceToActive == actor;
+      final boolean isMoreRecentClaim = txid > lastActiveClaimTxId;
+
+      if (nnClaimsActive && !bposThinksActive) {
+        LOG.info("Namenode " + actor + " trying to claim ACTIVE state with " +
+            "txid=" + txid);
+        if (!isMoreRecentClaim) {
+          // Split-brain scenario - an NN is trying to claim active
+          // state when a different NN has already claimed it with a higher
+          // txid.
+          LOG.warn("NN " + actor + " tried to claim ACTIVE state at txid=" +
+              txid + " but there was already a more recent claim at txid=" +
+              lastActiveClaimTxId);
+          return;
         } else {
-          LOG.info("Namenode " + actor + " taking over ACTIVE state from " +
-              bpServiceToActive + " at higher txid=" + txid);
+          if (bpServiceToActive == null) {
+            LOG.info("Acknowledging ACTIVE Namenode " + actor);
+          } else {
+            LOG.info("Namenode " + actor + " taking over ACTIVE state from " +
+                bpServiceToActive + " at higher txid=" + txid);
+          }
+          bpServiceToActive = actor;
         }
-        bpServiceToActive = actor;
+      } else if (!nnClaimsActive && bposThinksActive) {
+        LOG.info("Namenode " + actor + " relinquishing ACTIVE state with " +
+            "txid=" + nnHaState.getTxId());
+        bpServiceToActive = null;
       }
-    } else if (!nnClaimsActive && bposThinksActive) {
-      LOG.info("Namenode " + actor + " relinquishing ACTIVE state with " +
-          "txid=" + nnHaState.getTxId());
-      bpServiceToActive = null;
-    }
-    
-    if (bpServiceToActive == actor) {
-      assert txid >= lastActiveClaimTxId;
-      lastActiveClaimTxId = txid;
+
+      if (bpServiceToActive == actor) {
+        assert txid >= lastActiveClaimTxId;
+        lastActiveClaimTxId = txid;
+      }
+    } finally {
+      writeUnlock();
     }
   }
 
@@ -533,12 +603,15 @@ boolean processCommandFromActor(DatanodeCommand cmd,
       actor.reRegister();
       return true;
     }
-    synchronized (this) {
+    writeLock();
+    try {
       if (actor == bpServiceToActive) {
         return processCommandFromActive(cmd, actor);
       } else {
         return processCommandFromStandby(cmd, actor);
       }
+    } finally {
+      writeUnlock();
     }
   }
 

From 1ba3f8971433cdbc3e43fd3605065d811dab5b16 Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Fri, 1 Aug 2014 20:41:05 +0000
Subject: [PATCH 108/354] HDFS-6482. Use block ID-based block layout on
 datanodes (James Thomas via Colin Patrick McCabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615223 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/hadoop/io/nativeio/NativeIO.java   |  12 +
 .../org/apache/hadoop/util/DiskChecker.java   |  14 ++
 .../org/apache/hadoop/io/nativeio/NativeIO.c  |  37 +++
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../org/apache/hadoop/hdfs/DFSConfigKeys.java |   6 +-
 .../apache/hadoop/hdfs/protocol/Block.java    |  14 +-
 .../datanode/BlockPoolSliceStorage.java       |  18 +-
 .../datanode/DataNodeLayoutVersion.java       |   5 +-
 .../hdfs/server/datanode/DataStorage.java     | 144 +++++++++--
 .../hdfs/server/datanode/DatanodeUtil.java    |  36 +++
 .../hdfs/server/datanode/ReplicaInfo.java     |  62 ++---
 .../fsdataset/impl/BlockPoolSlice.java        |  96 +++++---
 .../fsdataset/impl/FsDatasetImpl.java         |   7 -
 .../datanode/fsdataset/impl/FsVolumeImpl.java |  11 +-
 .../server/datanode/fsdataset/impl/LDir.java  | 228 ------------------
 .../src/main/resources/hdfs-default.xml       |   8 +
 .../apache/hadoop/hdfs/MiniDFSCluster.java    |  34 ++-
 .../apache/hadoop/hdfs/TestDFSFinalize.java   |   9 +-
 .../apache/hadoop/hdfs/TestDFSRollback.java   |   2 +-
 .../hdfs/TestDFSStorageStateRecovery.java     |  16 +-
 .../apache/hadoop/hdfs/TestDFSUpgrade.java    |  12 +-
 .../hadoop/hdfs/TestDFSUpgradeFromImage.java  |  21 +-
 .../hadoop/hdfs/TestDatanodeBlockScanner.java |  15 +-
 .../hdfs/TestDatanodeLayoutUpgrade.java       |  48 ++++
 .../hadoop/hdfs/TestFileCorruption.java       |  40 +--
 .../apache/hadoop/hdfs/UpgradeUtilities.java  |  44 ++--
 .../datanode/TestDataNodeVolumeFailure.java   |  24 +-
 .../server/datanode/TestDeleteBlockPool.java  |   7 +-
 .../hadoop/hdfs/server/namenode/TestFsck.java |  17 +-
 .../namenode/TestListCorruptFileBlocks.java   | 159 ++++++------
 .../test/resources/hadoop-24-datanode-dir.tgz | Bin 0 -> 637608 bytes
 .../test/resources/hadoop-datanode-dir.txt    |  23 ++
 32 files changed, 627 insertions(+), 545 deletions(-)
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/LDir.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeLayoutUpgrade.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-24-datanode-dir.tgz
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-datanode-dir.txt

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/nativeio/NativeIO.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/nativeio/NativeIO.java
index 976a93f91b1..fafa29543e0 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/nativeio/NativeIO.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/nativeio/NativeIO.java
@@ -33,6 +33,7 @@
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.fs.HardLink;
 import org.apache.hadoop.io.SecureIOUtils.AlreadyExistsException;
 import org.apache.hadoop.util.NativeCodeLoader;
 import org.apache.hadoop.util.Shell;
@@ -823,6 +824,14 @@ public static void renameTo(File src, File dst)
     }
   }
 
+  public static void link(File src, File dst) throws IOException {
+    if (!nativeLoaded) {
+      HardLink.createHardLink(src, dst);
+    } else {
+      link0(src.getAbsolutePath(), dst.getAbsolutePath());
+    }
+  }
+
   /**
    * A version of renameTo that throws a descriptive exception when it fails.
    *
@@ -833,4 +842,7 @@ public static void renameTo(File src, File dst)
    */
   private static native void renameTo0(String src, String dst)
       throws NativeIOException;
+
+  private static native void link0(String src, String dst)
+      throws NativeIOException;
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DiskChecker.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DiskChecker.java
index 72a4d1b70e9..f2ee446b4ab 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DiskChecker.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DiskChecker.java
@@ -78,6 +78,20 @@ public static boolean mkdirsWithExistsCheck(File dir) {
            (mkdirsWithExistsCheck(new File(parent)) &&
                                       (canonDir.mkdir() || canonDir.exists()));
   }
+
+  /**
+   * Recurse down a directory tree, checking all child directories.
+   * @param dir
+   * @throws DiskErrorException
+   */
+  public static void checkDirs(File dir) throws DiskErrorException {
+    checkDir(dir);
+    for (File child : dir.listFiles()) {
+      if (child.isDirectory()) {
+        checkDirs(child);
+      }
+    }
+  }
   
   /**
    * Create the directory if it doesn't exist and check that dir is readable,
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
index 95bb987602f..f3885d7499a 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
@@ -1054,6 +1054,43 @@ done:
 #endif
 }
 
+JNIEXPORT void JNICALL
+Java_org_apache_hadoop_io_nativeio_NativeIO_link0(JNIEnv *env,
+jclass clazz, jstring jsrc, jstring jdst)
+{
+#ifdef UNIX
+  const char *src = NULL, *dst = NULL;
+
+  src = (*env)->GetStringUTFChars(env, jsrc, NULL);
+  if (!src) goto done; // exception was thrown
+  dst = (*env)->GetStringUTFChars(env, jdst, NULL);
+  if (!dst) goto done; // exception was thrown
+  if (link(src, dst)) {
+    throw_ioe(env, errno);
+  }
+
+done:
+  if (src) (*env)->ReleaseStringUTFChars(env, jsrc, src);
+  if (dst) (*env)->ReleaseStringUTFChars(env, jdst, dst);
+#endif
+
+#ifdef WINDOWS
+  LPCTSTR src = NULL, dst = NULL;
+
+  src = (LPCTSTR) (*env)->GetStringChars(env, jsrc, NULL);
+  if (!src) goto done; // exception was thrown
+  dst = (LPCTSTR) (*env)->GetStringChars(env, jdst, NULL);
+  if (!dst) goto done; // exception was thrown
+  if (!CreateHardLink(dst, src)) {
+    throw_ioe(env, GetLastError());
+  }
+
+done:
+  if (src) (*env)->ReleaseStringChars(env, jsrc, src);
+  if (dst) (*env)->ReleaseStringChars(env, jdst, dst);
+#endif
+}
+
 JNIEXPORT jlong JNICALL
 Java_org_apache_hadoop_io_nativeio_NativeIO_getMemlockLimit0(
 JNIEnv *env, jclass clazz)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 2a10d5b5b53..b13797ae06d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -130,6 +130,9 @@ Trunk (Unreleased)
     HDFS-6609. Use DirectorySnapshottableFeature to represent a snapshottable
     directory. (Jing Zhao via wheat9)
 
+    HDFS-6482. Use block ID-based block layout on datanodes (James Thomas via
+    Colin Patrick McCabe)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
index c16c15d34b0..4fb5ca49c5b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
@@ -381,8 +381,6 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
   public static final String  DFS_DATANODE_HTTP_ADDRESS_DEFAULT = "0.0.0.0:" + DFS_DATANODE_HTTP_DEFAULT_PORT;
   public static final String  DFS_DATANODE_MAX_RECEIVER_THREADS_KEY = "dfs.datanode.max.transfer.threads";
   public static final int     DFS_DATANODE_MAX_RECEIVER_THREADS_DEFAULT = 4096;
-  public static final String  DFS_DATANODE_NUMBLOCKS_KEY = "dfs.datanode.numblocks";
-  public static final int     DFS_DATANODE_NUMBLOCKS_DEFAULT = 64;
   public static final String  DFS_DATANODE_SCAN_PERIOD_HOURS_KEY = "dfs.datanode.scan.period.hours";
   public static final int     DFS_DATANODE_SCAN_PERIOD_HOURS_DEFAULT = 0;
   public static final String  DFS_DATANODE_TRANSFERTO_ALLOWED_KEY = "dfs.datanode.transferTo.allowed";
@@ -666,4 +664,8 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
    public static final String DFS_DATANODE_SLOW_IO_WARNING_THRESHOLD_KEY =
      "dfs.datanode.slow.io.warning.threshold.ms";
    public static final long DFS_DATANODE_SLOW_IO_WARNING_THRESHOLD_DEFAULT = 300;
+
+   public static final String DFS_DATANODE_BLOCK_ID_LAYOUT_UPGRADE_THREADS_KEY =
+       "dfs.datanode.block.id.layout.upgrade.threads";
+   public static final int DFS_DATANODE_BLOCK_ID_LAYOUT_UPGRADE_THREADS = 12;
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/Block.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/Block.java
index 680d73b7f94..b35365aa7a2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/Block.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/Block.java
@@ -50,6 +50,9 @@ public class Block implements Writable, Comparable<Block> {
   public static final Pattern metaFilePattern = Pattern
       .compile(BLOCK_FILE_PREFIX + "(-??\\d++)_(\\d++)\\" + METADATA_EXTENSION
           + "$");
+  public static final Pattern metaOrBlockFilePattern = Pattern
+      .compile(BLOCK_FILE_PREFIX + "(-??\\d++)(_(\\d++)\\" + METADATA_EXTENSION
+          + ")?$");
 
   public static boolean isBlockFilename(File f) {
     String name = f.getName();
@@ -65,6 +68,11 @@ public static boolean isMetaFilename(String name) {
     return metaFilePattern.matcher(name).matches();
   }
 
+  public static File metaToBlockFile(File metaFile) {
+    return new File(metaFile.getParent(), metaFile.getName().substring(
+        0, metaFile.getName().lastIndexOf('_')));
+  }
+
   /**
    * Get generation stamp from the name of the metafile name
    */
@@ -75,10 +83,10 @@ public static long getGenerationStamp(String metaFile) {
   }
 
   /**
-   * Get the blockId from the name of the metafile name
+   * Get the blockId from the name of the meta or block file
    */
-  public static long getBlockId(String metaFile) {
-    Matcher m = metaFilePattern.matcher(metaFile);
+  public static long getBlockId(String metaOrBlockFile) {
+    Matcher m = metaOrBlockFilePattern.matcher(metaOrBlockFile);
     return m.matches() ? Long.parseLong(m.group(1)) : 0;
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
index dec0d55004d..d065b5736e6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
@@ -152,7 +152,7 @@ void recoverTransitionRead(DataNode datanode, NamespaceInfo nsInfo,
     // During startup some of them can upgrade or roll back
     // while others could be up-to-date for the regular startup.
     for (int idx = 0; idx < getNumStorageDirs(); idx++) {
-      doTransition(getStorageDir(idx), nsInfo, startOpt);
+      doTransition(datanode, getStorageDir(idx), nsInfo, startOpt);
       assert getCTime() == nsInfo.getCTime() 
           : "Data-node and name-node CTimes must be the same.";
     }
@@ -242,7 +242,7 @@ protected void setFieldsFromProperties(Properties props, StorageDirectory sd)
    * @param startOpt startup option
    * @throws IOException
    */
-  private void doTransition(StorageDirectory sd,
+  private void doTransition(DataNode datanode, StorageDirectory sd,
       NamespaceInfo nsInfo, StartupOption startOpt) throws IOException {
     if (startOpt == StartupOption.ROLLBACK) {
       doRollback(sd, nsInfo); // rollback if applicable
@@ -275,7 +275,7 @@ private void doTransition(StorageDirectory sd,
     }
     if (this.layoutVersion > HdfsConstants.DATANODE_LAYOUT_VERSION
         || this.cTime < nsInfo.getCTime()) {
-      doUpgrade(sd, nsInfo); // upgrade
+      doUpgrade(datanode, sd, nsInfo); // upgrade
       return;
     }
     // layoutVersion == LAYOUT_VERSION && this.cTime > nsInfo.cTime
@@ -304,7 +304,8 @@ private void doTransition(StorageDirectory sd,
    * @param nsInfo Namespace Info from the namenode
    * @throws IOException on error
    */
-  void doUpgrade(StorageDirectory bpSd, NamespaceInfo nsInfo) throws IOException {
+  void doUpgrade(DataNode datanode, StorageDirectory bpSd, NamespaceInfo nsInfo)
+      throws IOException {
     // Upgrading is applicable only to release with federation or after
     if (!DataNodeLayoutVersion.supports(
         LayoutVersion.Feature.FEDERATION, layoutVersion)) {
@@ -340,7 +341,7 @@ void doUpgrade(StorageDirectory bpSd, NamespaceInfo nsInfo) throws IOException {
     rename(bpCurDir, bpTmpDir);
     
     // 3. Create new <SD>/current with block files hardlinks and VERSION
-    linkAllBlocks(bpTmpDir, bpCurDir);
+    linkAllBlocks(datanode, bpTmpDir, bpCurDir);
     this.layoutVersion = HdfsConstants.DATANODE_LAYOUT_VERSION;
     assert this.namespaceID == nsInfo.getNamespaceID() 
         : "Data-node and name-node layout versions must be the same.";
@@ -517,14 +518,15 @@ public String toString() {
    * @param toDir the current data directory
    * @throws IOException if error occurs during hardlink
    */
-  private void linkAllBlocks(File fromDir, File toDir) throws IOException {
+  private void linkAllBlocks(DataNode datanode, File fromDir, File toDir)
+      throws IOException {
     // do the link
     int diskLayoutVersion = this.getLayoutVersion();
     // hardlink finalized blocks in tmpDir
     HardLink hardLink = new HardLink();
-    DataStorage.linkBlocks(new File(fromDir, DataStorage.STORAGE_DIR_FINALIZED), 
+    DataStorage.linkBlocks(datanode, new File(fromDir, DataStorage.STORAGE_DIR_FINALIZED),
       new File(toDir,DataStorage.STORAGE_DIR_FINALIZED), diskLayoutVersion, hardLink);
-    DataStorage.linkBlocks(new File(fromDir, DataStorage.STORAGE_DIR_RBW), 
+    DataStorage.linkBlocks(datanode, new File(fromDir, DataStorage.STORAGE_DIR_RBW),
         new File(toDir, DataStorage.STORAGE_DIR_RBW), diskLayoutVersion, hardLink);
     LOG.info( hardLink.linkStats.report() );
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNodeLayoutVersion.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNodeLayoutVersion.java
index 26c7457645c..23e7cfe7184 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNodeLayoutVersion.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNodeLayoutVersion.java
@@ -62,7 +62,10 @@ public static boolean supports(final LayoutFeature f, final int lv) {
    * </ul>
    */
   public static enum Feature implements LayoutFeature {
-    FIRST_LAYOUT(-55, -53, "First datanode layout", false);
+    FIRST_LAYOUT(-55, -53, "First datanode layout", false),
+    BLOCKID_BASED_LAYOUT(-56,
+        "The block ID of a finalized block uniquely determines its position " +
+            "in the directory structure");
    
     private final FeatureInfo info;
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java
index 5c5cecd58f0..5a55d094e11 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java
@@ -18,13 +18,19 @@
 
 package org.apache.hadoop.hdfs.server.datanode;
 
+import com.google.common.collect.Lists;
+import com.google.common.util.concurrent.Futures;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.*;
+import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.fs.HardLink;
+import org.apache.hadoop.fs.LocalFileSystem;
+import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
+import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
 import org.apache.hadoop.hdfs.protocol.LayoutVersion;
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.NodeType;
@@ -35,13 +41,30 @@
 import org.apache.hadoop.hdfs.server.protocol.DatanodeStorage;
 import org.apache.hadoop.hdfs.server.protocol.NamespaceInfo;
 import org.apache.hadoop.io.IOUtils;
+import org.apache.hadoop.io.nativeio.NativeIO;
 import org.apache.hadoop.util.Daemon;
 import org.apache.hadoop.util.DiskChecker;
 
-import java.io.*;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.RandomAccessFile;
 import java.nio.channels.FileLock;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.Callable;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
 
 /** 
  * Data storage information file.
@@ -261,6 +284,7 @@ void recoverTransitionRead(DataNode datanode, String bpID, NamespaceInfo nsInfo,
           STORAGE_DIR_CURRENT));
       bpDataDirs.add(bpRoot);
     }
+
     // mkdir for the list of BlockPoolStorage
     makeBlockPoolDataDir(bpDataDirs, null);
     BlockPoolSliceStorage bpStorage = new BlockPoolSliceStorage(
@@ -488,7 +512,7 @@ private void doTransition( DataNode datanode,
     
     // do upgrade
     if (this.layoutVersion > HdfsConstants.DATANODE_LAYOUT_VERSION) {
-      doUpgrade(sd, nsInfo);  // upgrade
+      doUpgrade(datanode, sd, nsInfo);  // upgrade
       return;
     }
     
@@ -523,7 +547,8 @@ private void doTransition( DataNode datanode,
    * @param sd  storage directory
    * @throws IOException on error
    */
-  void doUpgrade(StorageDirectory sd, NamespaceInfo nsInfo) throws IOException {
+  void doUpgrade(DataNode datanode, StorageDirectory sd, NamespaceInfo nsInfo)
+      throws IOException {
     // If the existing on-disk layout version supportes federation, simply
     // update its layout version.
     if (DataNodeLayoutVersion.supports(
@@ -568,7 +593,8 @@ void doUpgrade(StorageDirectory sd, NamespaceInfo nsInfo) throws IOException {
     BlockPoolSliceStorage bpStorage = new BlockPoolSliceStorage(nsInfo.getNamespaceID(), 
         nsInfo.getBlockPoolID(), nsInfo.getCTime(), nsInfo.getClusterID());
     bpStorage.format(curDir, nsInfo);
-    linkAllBlocks(tmpDir, bbwDir, new File(curBpDir, STORAGE_DIR_CURRENT));
+    linkAllBlocks(datanode, tmpDir, bbwDir, new File(curBpDir,
+        STORAGE_DIR_CURRENT));
     
     // 4. Write version file under <SD>/current
     layoutVersion = HdfsConstants.DATANODE_LAYOUT_VERSION;
@@ -746,22 +772,22 @@ void finalizeUpgrade(String bpID) throws IOException {
    *
    * @throws IOException If error occurs during hardlink
    */
-  private void linkAllBlocks(File fromDir, File fromBbwDir, File toDir)
-      throws IOException {
+  private void linkAllBlocks(DataNode datanode, File fromDir, File fromBbwDir,
+      File toDir) throws IOException {
     HardLink hardLink = new HardLink();
     // do the link
     int diskLayoutVersion = this.getLayoutVersion();
     if (DataNodeLayoutVersion.supports(
         LayoutVersion.Feature.APPEND_RBW_DIR, diskLayoutVersion)) {
       // hardlink finalized blocks in tmpDir/finalized
-      linkBlocks(new File(fromDir, STORAGE_DIR_FINALIZED), 
+      linkBlocks(datanode, new File(fromDir, STORAGE_DIR_FINALIZED),
           new File(toDir, STORAGE_DIR_FINALIZED), diskLayoutVersion, hardLink);
       // hardlink rbw blocks in tmpDir/rbw
-      linkBlocks(new File(fromDir, STORAGE_DIR_RBW), 
+      linkBlocks(datanode, new File(fromDir, STORAGE_DIR_RBW),
           new File(toDir, STORAGE_DIR_RBW), diskLayoutVersion, hardLink);
     } else { // pre-RBW version
       // hardlink finalized blocks in tmpDir
-      linkBlocks(fromDir, new File(toDir, STORAGE_DIR_FINALIZED), 
+      linkBlocks(datanode, fromDir, new File(toDir, STORAGE_DIR_FINALIZED),
           diskLayoutVersion, hardLink);      
       if (fromBbwDir.exists()) {
         /*
@@ -770,15 +796,67 @@ private void linkAllBlocks(File fromDir, File fromBbwDir, File toDir)
          * NOT underneath the 'current' directory in those releases.  See
          * HDFS-3731 for details.
          */
-        linkBlocks(fromBbwDir,
+        linkBlocks(datanode, fromBbwDir,
             new File(toDir, STORAGE_DIR_RBW), diskLayoutVersion, hardLink);
       }
     } 
     LOG.info( hardLink.linkStats.report() );
   }
+
+  private static class LinkArgs {
+    public File src;
+    public File dst;
+
+    public LinkArgs(File src, File dst) {
+      this.src = src;
+      this.dst = dst;
+    }
+  }
+
+  static void linkBlocks(DataNode datanode, File from, File to, int oldLV,
+      HardLink hl) throws IOException {
+    boolean upgradeToIdBasedLayout = false;
+    // If we are upgrading from a version older than the one where we introduced
+    // block ID-based layout AND we're working with the finalized directory,
+    // we'll need to upgrade from the old flat layout to the block ID-based one
+    if (oldLV > DataNodeLayoutVersion.Feature.BLOCKID_BASED_LAYOUT.getInfo().
+        getLayoutVersion() && to.getName().equals(STORAGE_DIR_FINALIZED)) {
+      upgradeToIdBasedLayout = true;
+    }
+
+    final List<LinkArgs> idBasedLayoutSingleLinks = Lists.newArrayList();
+    linkBlocksHelper(from, to, oldLV, hl, upgradeToIdBasedLayout, to,
+        idBasedLayoutSingleLinks);
+    int numLinkWorkers = datanode.getConf().getInt(
+        DFSConfigKeys.DFS_DATANODE_BLOCK_ID_LAYOUT_UPGRADE_THREADS_KEY,
+        DFSConfigKeys.DFS_DATANODE_BLOCK_ID_LAYOUT_UPGRADE_THREADS);
+    ExecutorService linkWorkers = Executors.newFixedThreadPool(numLinkWorkers);
+    final int step = idBasedLayoutSingleLinks.size() / numLinkWorkers + 1;
+    List<Future<Void>> futures = Lists.newArrayList();
+    for (int i = 0; i < idBasedLayoutSingleLinks.size(); i += step) {
+      final int iCopy = i;
+      futures.add(linkWorkers.submit(new Callable<Void>() {
+        @Override
+        public Void call() throws IOException {
+          int upperBound = Math.min(iCopy + step,
+              idBasedLayoutSingleLinks.size());
+          for (int j = iCopy; j < upperBound; j++) {
+            LinkArgs cur = idBasedLayoutSingleLinks.get(j);
+            NativeIO.link(cur.src, cur.dst);
+          }
+          return null;
+        }
+      }));
+    }
+    linkWorkers.shutdown();
+    for (Future<Void> f : futures) {
+      Futures.get(f, IOException.class);
+    }
+  }
   
-  static void linkBlocks(File from, File to, int oldLV, HardLink hl) 
-  throws IOException {
+  static void linkBlocksHelper(File from, File to, int oldLV, HardLink hl,
+  boolean upgradeToIdBasedLayout, File blockRoot,
+      List<LinkArgs> idBasedLayoutSingleLinks) throws IOException {
     if (!from.exists()) {
       return;
     }
@@ -805,9 +883,6 @@ static void linkBlocks(File from, File to, int oldLV, HardLink hl)
     // from is a directory
     hl.linkStats.countDirs++;
     
-    if (!to.mkdirs())
-      throw new IOException("Cannot create directory " + to);
-    
     String[] blockNames = from.list(new java.io.FilenameFilter() {
       @Override
       public boolean accept(File dir, String name) {
@@ -815,12 +890,36 @@ public boolean accept(File dir, String name) {
       }
     });
 
+    // If we are upgrading to block ID-based layout, we don't want to recreate
+    // any subdirs from the source that contain blocks, since we have a new
+    // directory structure
+    if (!upgradeToIdBasedLayout || !to.getName().startsWith(
+        BLOCK_SUBDIR_PREFIX)) {
+      if (!to.mkdirs())
+        throw new IOException("Cannot create directory " + to);
+    }
+
     // Block files just need hard links with the same file names
     // but a different directory
     if (blockNames.length > 0) {
-      HardLink.createHardLinkMult(from, blockNames, to);
-      hl.linkStats.countMultLinks++;
-      hl.linkStats.countFilesMultLinks += blockNames.length;
+      if (upgradeToIdBasedLayout) {
+        for (String blockName : blockNames) {
+          long blockId = Block.getBlockId(blockName);
+          File blockLocation = DatanodeUtil.idToBlockDir(blockRoot, blockId);
+          if (!blockLocation.exists()) {
+            if (!blockLocation.mkdirs()) {
+              throw new IOException("Failed to mkdirs " + blockLocation);
+            }
+          }
+          idBasedLayoutSingleLinks.add(new LinkArgs(new File(from, blockName),
+              new File(blockLocation, blockName)));
+          hl.linkStats.countSingleLinks++;
+        }
+      } else {
+        HardLink.createHardLinkMult(from, blockNames, to);
+        hl.linkStats.countMultLinks++;
+        hl.linkStats.countFilesMultLinks += blockNames.length;
+      }
     } else {
       hl.linkStats.countEmptyDirs++;
     }
@@ -834,8 +933,9 @@ public boolean accept(File dir, String name) {
         }
       });
     for(int i = 0; i < otherNames.length; i++)
-      linkBlocks(new File(from, otherNames[i]), 
-          new File(to, otherNames[i]), oldLV, hl);
+      linkBlocksHelper(new File(from, otherNames[i]),
+          new File(to, otherNames[i]), oldLV, hl, upgradeToIdBasedLayout,
+          blockRoot, idBasedLayoutSingleLinks);
   }
 
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DatanodeUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DatanodeUtil.java
index 0a0d57bd6e3..bd1ba2f0908 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DatanodeUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DatanodeUtil.java
@@ -30,6 +30,8 @@ public class DatanodeUtil {
 
   public static final String DISK_ERROR = "Possible disk error: ";
 
+  private static final String SEP = System.getProperty("file.separator");
+
   /** Get the cause of an I/O exception if caused by a possible disk error
    * @param ioe an I/O exception
    * @return cause if the I/O exception is caused by a possible disk error;
@@ -78,4 +80,38 @@ public static String getMetaName(String blockName, long generationStamp) {
   public static File getUnlinkTmpFile(File f) {
     return new File(f.getParentFile(), f.getName()+UNLINK_BLOCK_SUFFIX);
   }
+
+  /**
+   * Checks whether there are any files anywhere in the directory tree rooted
+   * at dir (directories don't count as files). dir must exist
+   * @return true if there are no files
+   * @throws IOException if unable to list subdirectories
+   */
+  public static boolean dirNoFilesRecursive(File dir) throws IOException {
+    File[] contents = dir.listFiles();
+    if (contents == null) {
+      throw new IOException("Cannot list contents of " + dir);
+    }
+    for (File f : contents) {
+      if (!f.isDirectory() || (f.isDirectory() && !dirNoFilesRecursive(f))) {
+        return false;
+      }
+    }
+    return true;
+  }
+
+  /**
+   * Get the directory where a finalized block with this ID should be stored.
+   * Do not attempt to create the directory.
+   * @param root the root directory where finalized blocks are stored
+   * @param blockId
+   * @return
+   */
+  public static File idToBlockDir(File root, long blockId) {
+    int d1 = (int)((blockId >> 16) & 0xff);
+    int d2 = (int)((blockId >> 8) & 0xff);
+    String path = DataStorage.BLOCK_SUBDIR_PREFIX + d1 + SEP +
+        DataStorage.BLOCK_SUBDIR_PREFIX + d2;
+    return new File(root, path);
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/ReplicaInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/ReplicaInfo.java
index 738e16df78f..0dcdf0573e0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/ReplicaInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/ReplicaInfo.java
@@ -54,10 +54,10 @@ abstract public class ReplicaInfo extends Block implements Replica {
   private File baseDir;
   
   /**
-   * Ints representing the sub directory path from base dir to the directory
-   * containing this replica.
+   * Whether or not this replica's parent directory includes subdirs, in which
+   * case we can generate them based on the replica's block ID
    */
-  private int[] subDirs;
+  private boolean hasSubdirs;
   
   private static final Map<String, File> internedBaseDirs = new HashMap<String, File>();
 
@@ -151,18 +151,8 @@ public String getStorageUuid() {
    * @return the parent directory path where this replica is located
    */
   File getDir() {
-    if (subDirs == null) {
-      return null;
-    }
-
-    StringBuilder sb = new StringBuilder();
-    for (int i : subDirs) {
-      sb.append(DataStorage.BLOCK_SUBDIR_PREFIX);
-      sb.append(i);
-      sb.append("/");
-    }
-    File ret = new File(baseDir, sb.toString());
-    return ret;
+    return hasSubdirs ? DatanodeUtil.idToBlockDir(baseDir,
+        getBlockId()) : baseDir;
   }
 
   /**
@@ -175,54 +165,46 @@ public void setDir(File dir) {
 
   private void setDirInternal(File dir) {
     if (dir == null) {
-      subDirs = null;
       baseDir = null;
       return;
     }
 
-    ReplicaDirInfo replicaDirInfo = parseSubDirs(dir);
-    this.subDirs = replicaDirInfo.subDirs;
+    ReplicaDirInfo dirInfo = parseBaseDir(dir);
+    this.hasSubdirs = dirInfo.hasSubidrs;
     
     synchronized (internedBaseDirs) {
-      if (!internedBaseDirs.containsKey(replicaDirInfo.baseDirPath)) {
+      if (!internedBaseDirs.containsKey(dirInfo.baseDirPath)) {
         // Create a new String path of this file and make a brand new File object
         // to guarantee we drop the reference to the underlying char[] storage.
-        File baseDir = new File(replicaDirInfo.baseDirPath);
-        internedBaseDirs.put(replicaDirInfo.baseDirPath, baseDir);
+        File baseDir = new File(dirInfo.baseDirPath);
+        internedBaseDirs.put(dirInfo.baseDirPath, baseDir);
       }
-      this.baseDir = internedBaseDirs.get(replicaDirInfo.baseDirPath);
+      this.baseDir = internedBaseDirs.get(dirInfo.baseDirPath);
     }
   }
-  
+
   @VisibleForTesting
   public static class ReplicaDirInfo {
-    @VisibleForTesting
     public String baseDirPath;
-    
-    @VisibleForTesting
-    public int[] subDirs;
+    public boolean hasSubidrs;
+
+    public ReplicaDirInfo (String baseDirPath, boolean hasSubidrs) {
+      this.baseDirPath = baseDirPath;
+      this.hasSubidrs = hasSubidrs;
+    }
   }
   
   @VisibleForTesting
-  public static ReplicaDirInfo parseSubDirs(File dir) {
-    ReplicaDirInfo ret = new ReplicaDirInfo();
+  public static ReplicaDirInfo parseBaseDir(File dir) {
     
     File currentDir = dir;
-    List<Integer> subDirList = new ArrayList<Integer>();
+    boolean hasSubdirs = false;
     while (currentDir.getName().startsWith(DataStorage.BLOCK_SUBDIR_PREFIX)) {
-      // Prepend the integer into the list.
-      subDirList.add(0, Integer.parseInt(currentDir.getName().replaceFirst(
-          DataStorage.BLOCK_SUBDIR_PREFIX, "")));
+      hasSubdirs = true;
       currentDir = currentDir.getParentFile();
     }
-    ret.subDirs = new int[subDirList.size()];
-    for (int i = 0; i < subDirList.size(); i++) {
-      ret.subDirs[i] = subDirList.get(i);
-    }
     
-    ret.baseDirPath = currentDir.getAbsolutePath();
-    
-    return ret;
+    return new ReplicaDirInfo(currentDir.getAbsolutePath(), hasSubdirs);
   }
 
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/BlockPoolSlice.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/BlockPoolSlice.java
index 6093339bdcb..af467b93f09 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/BlockPoolSlice.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/BlockPoolSlice.java
@@ -59,7 +59,8 @@ class BlockPoolSlice {
   private final String bpid;
   private final FsVolumeImpl volume; // volume to which this BlockPool belongs to
   private final File currentDir; // StorageDirectory/current/bpid/current
-  private final LDir finalizedDir; // directory store Finalized replica
+  // directory where finalized replicas are stored
+  private final File finalizedDir;
   private final File rbwDir; // directory store RBW replica
   private final File tmpDir; // directory store Temporary replica
   private static final String DU_CACHE_FILE = "dfsUsed";
@@ -82,8 +83,13 @@ class BlockPoolSlice {
     this.bpid = bpid;
     this.volume = volume;
     this.currentDir = new File(bpDir, DataStorage.STORAGE_DIR_CURRENT); 
-    final File finalizedDir = new File(
+    this.finalizedDir = new File(
         currentDir, DataStorage.STORAGE_DIR_FINALIZED);
+    if (!this.finalizedDir.exists()) {
+      if (!this.finalizedDir.mkdirs()) {
+        throw new IOException("Failed to mkdirs " + this.finalizedDir);
+      }
+    }
 
     // Files that were being written when the datanode was last shutdown
     // are now moved back to the data directory. It is possible that
@@ -95,10 +101,6 @@ class BlockPoolSlice {
       FileUtil.fullyDelete(tmpDir);
     }
     this.rbwDir = new File(currentDir, DataStorage.STORAGE_DIR_RBW);
-    final int maxBlocksPerDir = conf.getInt(
-        DFSConfigKeys.DFS_DATANODE_NUMBLOCKS_KEY,
-        DFSConfigKeys.DFS_DATANODE_NUMBLOCKS_DEFAULT);
-    this.finalizedDir = new LDir(finalizedDir, maxBlocksPerDir);
     if (!rbwDir.mkdirs()) {  // create rbw directory if not exist
       if (!rbwDir.isDirectory()) {
         throw new IOException("Mkdirs failed to create " + rbwDir.toString());
@@ -131,7 +133,7 @@ File getDirectory() {
   }
 
   File getFinalizedDir() {
-    return finalizedDir.dir;
+    return finalizedDir;
   }
   
   File getRbwDir() {
@@ -239,25 +241,56 @@ File createRbwFile(Block b) throws IOException {
   }
 
   File addBlock(Block b, File f) throws IOException {
-    File blockFile = finalizedDir.addBlock(b, f);
+    File blockDir = DatanodeUtil.idToBlockDir(finalizedDir, b.getBlockId());
+    if (!blockDir.exists()) {
+      if (!blockDir.mkdirs()) {
+        throw new IOException("Failed to mkdirs " + blockDir);
+      }
+    }
+    File blockFile = FsDatasetImpl.moveBlockFiles(b, f, blockDir);
     File metaFile = FsDatasetUtil.getMetaFile(blockFile, b.getGenerationStamp());
     dfsUsage.incDfsUsed(b.getNumBytes()+metaFile.length());
     return blockFile;
   }
     
   void checkDirs() throws DiskErrorException {
-    finalizedDir.checkDirTree();
+    DiskChecker.checkDirs(finalizedDir);
     DiskChecker.checkDir(tmpDir);
     DiskChecker.checkDir(rbwDir);
   }
     
   void getVolumeMap(ReplicaMap volumeMap) throws IOException {
     // add finalized replicas
-    finalizedDir.getVolumeMap(bpid, volumeMap, volume);
+    addToReplicasMap(volumeMap, finalizedDir, true);
     // add rbw replicas
     addToReplicasMap(volumeMap, rbwDir, false);
   }
 
+  /**
+   * Recover an unlinked tmp file on datanode restart. If the original block
+   * does not exist, then the tmp file is renamed to be the
+   * original file name and the original name is returned; otherwise the tmp
+   * file is deleted and null is returned.
+   */
+  File recoverTempUnlinkedBlock(File unlinkedTmp) throws IOException {
+    File blockFile = FsDatasetUtil.getOrigFile(unlinkedTmp);
+    if (blockFile.exists()) {
+      // If the original block file still exists, then no recovery is needed.
+      if (!unlinkedTmp.delete()) {
+        throw new IOException("Unable to cleanup unlinked tmp file " +
+            unlinkedTmp);
+      }
+      return null;
+    } else {
+      if (!unlinkedTmp.renameTo(blockFile)) {
+        throw new IOException("Unable to rename unlinked tmp file " +
+            unlinkedTmp);
+      }
+      return blockFile;
+    }
+  }
+
+
   /**
    * Add replicas under the given directory to the volume map
    * @param volumeMap the replicas map
@@ -267,23 +300,34 @@ void getVolumeMap(ReplicaMap volumeMap) throws IOException {
    */
   void addToReplicasMap(ReplicaMap volumeMap, File dir, boolean isFinalized
       ) throws IOException {
-    File blockFiles[] = FileUtil.listFiles(dir);
-    for (File blockFile : blockFiles) {
-      if (!Block.isBlockFilename(blockFile))
+    File files[] = FileUtil.listFiles(dir);
+    for (File file : files) {
+      if (file.isDirectory()) {
+        addToReplicasMap(volumeMap, file, isFinalized);
+      }
+
+      if (isFinalized && FsDatasetUtil.isUnlinkTmpFile(file)) {
+        file = recoverTempUnlinkedBlock(file);
+        if (file == null) { // the original block still exists, so we cover it
+          // in another iteration and can continue here
+          continue;
+        }
+      }
+      if (!Block.isBlockFilename(file))
         continue;
       
       long genStamp = FsDatasetUtil.getGenerationStampFromFile(
-          blockFiles, blockFile);
-      long blockId = Block.filename2id(blockFile.getName());
+          files, file);
+      long blockId = Block.filename2id(file.getName());
       ReplicaInfo newReplica = null;
       if (isFinalized) {
         newReplica = new FinalizedReplica(blockId, 
-            blockFile.length(), genStamp, volume, blockFile.getParentFile());
+            file.length(), genStamp, volume, file.getParentFile());
       } else {
 
         boolean loadRwr = true;
-        File restartMeta = new File(blockFile.getParent()  +
-            File.pathSeparator + "." + blockFile.getName() + ".restart");
+        File restartMeta = new File(file.getParent()  +
+            File.pathSeparator + "." + file.getName() + ".restart");
         Scanner sc = null;
         try {
           sc = new Scanner(restartMeta);
@@ -291,8 +335,8 @@ void addToReplicasMap(ReplicaMap volumeMap, File dir, boolean isFinalized
           if (sc.hasNextLong() && (sc.nextLong() > Time.now())) {
             // It didn't expire. Load the replica as a RBW.
             newReplica = new ReplicaBeingWritten(blockId,
-                validateIntegrityAndSetLength(blockFile, genStamp), 
-                genStamp, volume, blockFile.getParentFile(), null);
+                validateIntegrityAndSetLength(file, genStamp),
+                genStamp, volume, file.getParentFile(), null);
             loadRwr = false;
           }
           sc.close();
@@ -301,7 +345,7 @@ void addToReplicasMap(ReplicaMap volumeMap, File dir, boolean isFinalized
               restartMeta.getPath());
           }
         } catch (FileNotFoundException fnfe) {
-          // nothing to do here
+          // nothing to do hereFile dir =
         } finally {
           if (sc != null) {
             sc.close();
@@ -310,15 +354,15 @@ void addToReplicasMap(ReplicaMap volumeMap, File dir, boolean isFinalized
         // Restart meta doesn't exist or expired.
         if (loadRwr) {
           newReplica = new ReplicaWaitingToBeRecovered(blockId,
-              validateIntegrityAndSetLength(blockFile, genStamp), 
-              genStamp, volume, blockFile.getParentFile());
+              validateIntegrityAndSetLength(file, genStamp),
+              genStamp, volume, file.getParentFile());
         }
       }
 
       ReplicaInfo oldReplica = volumeMap.add(bpid, newReplica);
       if (oldReplica != null) {
         FsDatasetImpl.LOG.warn("Two block files with the same block id exist " +
-            "on disk: " + oldReplica.getBlockFile() + " and " + blockFile );
+            "on disk: " + oldReplica.getBlockFile() + " and " + file );
       }
     }
   }
@@ -405,10 +449,6 @@ private long validateIntegrityAndSetLength(File blockFile, long genStamp) {
     }
   }
     
-  void clearPath(File f) {
-    finalizedDir.clearPath(f);
-  }
-    
   @Override
   public String toString() {
     return currentDir.getAbsolutePath();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
index e8a06aec8ac..b133f60534a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
@@ -1224,13 +1224,6 @@ public void invalidate(String bpid, Block invalidBlks[]) throws IOException {
               +  ". Parent not found for file " + f);
           continue;
         }
-        ReplicaState replicaState = info.getState();
-        if (replicaState == ReplicaState.FINALIZED || 
-            (replicaState == ReplicaState.RUR && 
-                ((ReplicaUnderRecovery)info).getOriginalReplica().getState() == 
-                  ReplicaState.FINALIZED)) {
-          v.clearPath(bpid, parent);
-        }
         volumeMap.remove(bpid, invalidBlks[i]);
       }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeImpl.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeImpl.java
index 795fab1f3a5..adfc896f7f2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeImpl.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeImpl.java
@@ -37,6 +37,7 @@
 import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.server.datanode.DataStorage;
+import org.apache.hadoop.hdfs.server.datanode.DatanodeUtil;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.FsVolumeSpi;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeStorage;
 import org.apache.hadoop.util.DiskChecker.DiskErrorException;
@@ -235,10 +236,6 @@ void addToReplicasMap(String bpid, ReplicaMap volumeMap,
     // dfsUsage.incDfsUsed(b.getNumBytes()+metaFile.length());
     bp.addToReplicasMap(volumeMap, dir, isFinalized);
   }
-  
-  void clearPath(String bpid, File f) throws IOException {
-    getBlockPoolSlice(bpid).clearPath(f);
-  }
 
   @Override
   public String toString() {
@@ -274,7 +271,8 @@ boolean isBPDirEmpty(String bpid) throws IOException {
     File finalizedDir = new File(bpCurrentDir,
         DataStorage.STORAGE_DIR_FINALIZED);
     File rbwDir = new File(bpCurrentDir, DataStorage.STORAGE_DIR_RBW);
-    if (finalizedDir.exists() && FileUtil.list(finalizedDir).length != 0) {
+    if (finalizedDir.exists() && !DatanodeUtil.dirNoFilesRecursive(
+        finalizedDir)) {
       return false;
     }
     if (rbwDir.exists() && FileUtil.list(rbwDir).length != 0) {
@@ -301,7 +299,8 @@ void deleteBPDirectories(String bpid, boolean force) throws IOException {
       if (!rbwDir.delete()) {
         throw new IOException("Failed to delete " + rbwDir);
       }
-      if (!finalizedDir.delete()) {
+      if (!DatanodeUtil.dirNoFilesRecursive(finalizedDir) ||
+          !FileUtil.fullyDelete(finalizedDir)) {
         throw new IOException("Failed to delete " + finalizedDir);
       }
       FileUtil.fullyDelete(tmpDir);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/LDir.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/LDir.java
deleted file mode 100644
index 991b58b3ae2..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/LDir.java
+++ /dev/null
@@ -1,228 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.hdfs.server.datanode.fsdataset.impl;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-import org.apache.hadoop.fs.FileUtil;
-import org.apache.hadoop.hdfs.DFSUtil;
-import org.apache.hadoop.hdfs.protocol.Block;
-import org.apache.hadoop.hdfs.server.datanode.DataStorage;
-import org.apache.hadoop.util.DiskChecker;
-import org.apache.hadoop.util.DiskChecker.DiskErrorException;
-
-/**
- * A node type that can be built into a tree reflecting the
- * hierarchy of replicas on the local disk.
- */
-class LDir {
-  final File dir;
-  final int maxBlocksPerDir;
-
-  private int numBlocks = 0;
-  private LDir[] children = null;
-  private int lastChildIdx = 0;
-
-  LDir(File dir, int maxBlocksPerDir) throws IOException {
-    this.dir = dir;
-    this.maxBlocksPerDir = maxBlocksPerDir;
-
-    if (!dir.exists()) {
-      if (!dir.mkdirs()) {
-        throw new IOException("Failed to mkdirs " + dir);
-      }
-    } else {
-      File[] files = FileUtil.listFiles(dir); 
-      List<LDir> dirList = new ArrayList<LDir>();
-      for (int idx = 0; idx < files.length; idx++) {
-        if (files[idx].isDirectory()) {
-          dirList.add(new LDir(files[idx], maxBlocksPerDir));
-        } else if (Block.isBlockFilename(files[idx])) {
-          numBlocks++;
-        }
-      }
-      if (dirList.size() > 0) {
-        children = dirList.toArray(new LDir[dirList.size()]);
-      }
-    }
-  }
-      
-  File addBlock(Block b, File src) throws IOException {
-    //First try without creating subdirectories
-    File file = addBlock(b, src, false, false);          
-    return (file != null) ? file : addBlock(b, src, true, true);
-  }
-
-  private File addBlock(Block b, File src, boolean createOk, boolean resetIdx
-      ) throws IOException {
-    if (numBlocks < maxBlocksPerDir) {
-      final File dest = FsDatasetImpl.moveBlockFiles(b, src, dir);
-      numBlocks += 1;
-      return dest;
-    }
-          
-    if (lastChildIdx < 0 && resetIdx) {
-      //reset so that all children will be checked
-      lastChildIdx = DFSUtil.getRandom().nextInt(children.length);              
-    }
-          
-    if (lastChildIdx >= 0 && children != null) {
-      //Check if any child-tree has room for a block.
-      for (int i=0; i < children.length; i++) {
-        int idx = (lastChildIdx + i)%children.length;
-        File file = children[idx].addBlock(b, src, false, resetIdx);
-        if (file != null) {
-          lastChildIdx = idx;
-          return file; 
-        }
-      }
-      lastChildIdx = -1;
-    }
-          
-    if (!createOk) {
-      return null;
-    }
-          
-    if (children == null || children.length == 0) {
-      children = new LDir[maxBlocksPerDir];
-      for (int idx = 0; idx < maxBlocksPerDir; idx++) {
-        final File sub = new File(dir, DataStorage.BLOCK_SUBDIR_PREFIX+idx);
-        children[idx] = new LDir(sub, maxBlocksPerDir);
-      }
-    }
-          
-    //now pick a child randomly for creating a new set of subdirs.
-    lastChildIdx = DFSUtil.getRandom().nextInt(children.length);
-    return children[ lastChildIdx ].addBlock(b, src, true, false); 
-  }
-
-  void getVolumeMap(String bpid, ReplicaMap volumeMap, FsVolumeImpl volume
-      ) throws IOException {
-    if (children != null) {
-      for (int i = 0; i < children.length; i++) {
-        children[i].getVolumeMap(bpid, volumeMap, volume);
-      }
-    }
-
-    recoverTempUnlinkedBlock();
-    volume.addToReplicasMap(bpid, volumeMap, dir, true);
-  }
-      
-  /**
-   * Recover unlinked tmp files on datanode restart. If the original block
-   * does not exist, then the tmp file is renamed to be the
-   * original file name; otherwise the tmp file is deleted.
-   */
-  private void recoverTempUnlinkedBlock() throws IOException {
-    File files[] = FileUtil.listFiles(dir);
-    for (File file : files) {
-      if (!FsDatasetUtil.isUnlinkTmpFile(file)) {
-        continue;
-      }
-      File blockFile = FsDatasetUtil.getOrigFile(file);
-      if (blockFile.exists()) {
-        // If the original block file still exists, then no recovery  is needed.
-        if (!file.delete()) {
-          throw new IOException("Unable to cleanup unlinked tmp file " + file);
-        }
-      } else {
-        if (!file.renameTo(blockFile)) {
-          throw new IOException("Unable to cleanup detached file " + file);
-        }
-      }
-    }
-  }
-  
-  /**
-   * check if a data diretory is healthy
-   * @throws DiskErrorException
-   */
-  void checkDirTree() throws DiskErrorException {
-    DiskChecker.checkDir(dir);
-          
-    if (children != null) {
-      for (int i = 0; i < children.length; i++) {
-        children[i].checkDirTree();
-      }
-    }
-  }
-      
-  void clearPath(File f) {
-    String root = dir.getAbsolutePath();
-    String dir = f.getAbsolutePath();
-    if (dir.startsWith(root)) {
-      String[] dirNames = dir.substring(root.length()).
-        split(File.separator + DataStorage.BLOCK_SUBDIR_PREFIX);
-      if (clearPath(f, dirNames, 1))
-        return;
-    }
-    clearPath(f, null, -1);
-  }
-      
-  /**
-   * dirNames is an array of string integers derived from
-   * usual directory structure data/subdirN/subdirXY/subdirM ...
-   * If dirName array is non-null, we only check the child at 
-   * the children[dirNames[idx]]. This avoids iterating over
-   * children in common case. If directory structure changes 
-   * in later versions, we need to revisit this.
-   */
-  private boolean clearPath(File f, String[] dirNames, int idx) {
-    if ((dirNames == null || idx == dirNames.length) &&
-        dir.compareTo(f) == 0) {
-      numBlocks--;
-      return true;
-    }
-        
-    if (dirNames != null) {
-      //guess the child index from the directory name
-      if (idx > (dirNames.length - 1) || children == null) {
-        return false;
-      }
-      int childIdx; 
-      try {
-        childIdx = Integer.parseInt(dirNames[idx]);
-      } catch (NumberFormatException ignored) {
-        // layout changed? we could print a warning.
-        return false;
-      }
-      return (childIdx >= 0 && childIdx < children.length) ?
-        children[childIdx].clearPath(f, dirNames, idx+1) : false;
-    }
-
-    //guesses failed. back to blind iteration.
-    if (children != null) {
-      for(int i=0; i < children.length; i++) {
-        if (children[i].clearPath(f, null, -1)){
-          return true;
-        }
-      }
-    }
-    return false;
-  }
-
-  @Override
-  public String toString() {
-    return "FSDir{dir=" + dir + ", children="
-        + (children == null ? null : Arrays.asList(children)) + "}";
-  }
-}
\ No newline at end of file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
index fea88166c24..c1eb49f4493 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
@@ -2052,4 +2052,12 @@
   </description>
 </property>
 
+<property>
+  <name>dfs.datanode.block.id.layout.upgrade.threads</name>
+  <value>12</value>
+  <description>The number of threads to use when creating hard links from
+    current to previous blocks during upgrade of a DataNode to block ID-based
+    block layout (see HDFS-6482 for details on the layout).</description>
+</property>
+
 </configuration>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
index c316684138b..fe298d33118 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
@@ -2353,8 +2353,8 @@ public static File getFinalizedDir(File storageDir, String bpid) {
    * @return data file corresponding to the block
    */
   public static File getBlockFile(File storageDir, ExtendedBlock blk) {
-    return new File(getFinalizedDir(storageDir, blk.getBlockPoolId()), 
-        blk.getBlockName());
+    return new File(DatanodeUtil.idToBlockDir(getFinalizedDir(storageDir,
+        blk.getBlockPoolId()), blk.getBlockId()), blk.getBlockName());
   }
 
   /**
@@ -2364,10 +2364,32 @@ public static File getBlockFile(File storageDir, ExtendedBlock blk) {
    * @return metadata file corresponding to the block
    */
   public static File getBlockMetadataFile(File storageDir, ExtendedBlock blk) {
-    return new File(getFinalizedDir(storageDir, blk.getBlockPoolId()), 
-        blk.getBlockName() + "_" + blk.getGenerationStamp() +
-        Block.METADATA_EXTENSION);
-    
+    return new File(DatanodeUtil.idToBlockDir(getFinalizedDir(storageDir,
+        blk.getBlockPoolId()), blk.getBlockId()), blk.getBlockName() + "_" +
+        blk.getGenerationStamp() + Block.METADATA_EXTENSION);
+  }
+
+  /**
+   * Return all block metadata files in given directory (recursive search)
+   */
+  public static List<File> getAllBlockMetadataFiles(File storageDir) {
+    List<File> results = new ArrayList<File>();
+    File[] files = storageDir.listFiles();
+    if (files == null) {
+      return null;
+    }
+    for (File f : files) {
+      if (f.getName().startsWith("blk_") && f.getName().endsWith(
+          Block.METADATA_EXTENSION)) {
+        results.add(f);
+      } else if (f.isDirectory()) {
+        List<File> subdirResults = getAllBlockMetadataFiles(f);
+        if (subdirResults != null) {
+          results.addAll(subdirResults);
+        }
+      }
+    }
+    return results;
   }
 
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSFinalize.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSFinalize.java
index 6a994494c6d..01bfb0d2fef 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSFinalize.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSFinalize.java
@@ -79,8 +79,8 @@ static void checkResult(String[] nameNodeDirs, String[] dataNodeDirs,
     File dnCurDirs[] = new File[dataNodeDirs.length];
     for (int i = 0; i < dataNodeDirs.length; i++) {
       dnCurDirs[i] = new File(dataNodeDirs[i],"current");
-      assertEquals(UpgradeUtilities.checksumContents(DATA_NODE, dnCurDirs[i]),
-                   UpgradeUtilities.checksumMasterDataNodeContents());
+      assertEquals(UpgradeUtilities.checksumContents(DATA_NODE, dnCurDirs[i],
+              false), UpgradeUtilities.checksumMasterDataNodeContents());
     }
     for (int i = 0; i < nameNodeDirs.length; i++) {
       assertFalse(new File(nameNodeDirs[i],"previous").isDirectory());
@@ -96,8 +96,9 @@ static void checkResult(String[] nameNodeDirs, String[] dataNodeDirs,
         assertFalse(new File(bpRoot,"previous").isDirectory());
         
         File bpCurFinalizeDir = new File(bpRoot,"current/"+DataStorage.STORAGE_DIR_FINALIZED);
-        assertEquals(UpgradeUtilities.checksumContents(DATA_NODE, bpCurFinalizeDir),
-                     UpgradeUtilities.checksumMasterBlockPoolFinalizedContents());
+        assertEquals(UpgradeUtilities.checksumContents(DATA_NODE,
+                bpCurFinalizeDir, true),
+                UpgradeUtilities.checksumMasterBlockPoolFinalizedContents());
       }
     }
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSRollback.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSRollback.java
index 7a541e6622c..68687edea1b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSRollback.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSRollback.java
@@ -81,7 +81,7 @@ void checkResult(NodeType nodeType, String[] baseDirs) throws Exception {
         break;
       case DATA_NODE:
         assertEquals(
-            UpgradeUtilities.checksumContents(nodeType, curDir),
+            UpgradeUtilities.checksumContents(nodeType, curDir, false),
             UpgradeUtilities.checksumMasterDataNodeContents());
         break;
       }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSStorageStateRecovery.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSStorageStateRecovery.java
index e4d22cdd76a..176e9cc26cd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSStorageStateRecovery.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSStorageStateRecovery.java
@@ -239,7 +239,7 @@ void checkResultNameNode(String[] baseDirs,
         assertTrue(new File(baseDirs[i],"previous").isDirectory());
         assertEquals(
                      UpgradeUtilities.checksumContents(
-                                                       NAME_NODE, new File(baseDirs[i],"previous")),
+                     NAME_NODE, new File(baseDirs[i],"previous"), false),
                      UpgradeUtilities.checksumMasterNameNodeContents());
       }
     }
@@ -259,7 +259,8 @@ void checkResultDataNode(String[] baseDirs,
     if (currentShouldExist) {
       for (int i = 0; i < baseDirs.length; i++) {
         assertEquals(
-                     UpgradeUtilities.checksumContents(DATA_NODE, new File(baseDirs[i],"current")),
+                     UpgradeUtilities.checksumContents(DATA_NODE,
+                     new File(baseDirs[i],"current"), false),
                      UpgradeUtilities.checksumMasterDataNodeContents());
       }
     }
@@ -267,7 +268,8 @@ void checkResultDataNode(String[] baseDirs,
       for (int i = 0; i < baseDirs.length; i++) {
         assertTrue(new File(baseDirs[i],"previous").isDirectory());
         assertEquals(
-                     UpgradeUtilities.checksumContents(DATA_NODE, new File(baseDirs[i],"previous")),
+                     UpgradeUtilities.checksumContents(DATA_NODE,
+                     new File(baseDirs[i],"previous"), false),
                      UpgradeUtilities.checksumMasterDataNodeContents());
       }
     }
@@ -290,8 +292,8 @@ void checkResultBlockPool(String[] baseDirs, boolean currentShouldExist,
     if (currentShouldExist) {
       for (int i = 0; i < baseDirs.length; i++) {
         File bpCurDir = new File(baseDirs[i], Storage.STORAGE_DIR_CURRENT);
-        assertEquals(UpgradeUtilities.checksumContents(DATA_NODE, bpCurDir),
-                     UpgradeUtilities.checksumMasterBlockPoolContents());
+        assertEquals(UpgradeUtilities.checksumContents(DATA_NODE, bpCurDir,
+                false), UpgradeUtilities.checksumMasterBlockPoolContents());
       }
     }
     if (previousShouldExist) {
@@ -299,8 +301,8 @@ void checkResultBlockPool(String[] baseDirs, boolean currentShouldExist,
         File bpPrevDir = new File(baseDirs[i], Storage.STORAGE_DIR_PREVIOUS);
         assertTrue(bpPrevDir.isDirectory());
         assertEquals(
-                     UpgradeUtilities.checksumContents(DATA_NODE, bpPrevDir),
-                     UpgradeUtilities.checksumMasterBlockPoolContents());
+                     UpgradeUtilities.checksumContents(DATA_NODE, bpPrevDir,
+                     false), UpgradeUtilities.checksumMasterBlockPoolContents());
       }
     }
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgrade.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgrade.java
index ee9e91dc733..104b043f1d4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgrade.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgrade.java
@@ -100,7 +100,7 @@ void checkNameNode(String[] baseDirs, long imageTxId) throws IOException {
       
       File previous = new File(baseDir, "previous");
       assertExists(previous);
-      assertEquals(UpgradeUtilities.checksumContents(NAME_NODE, previous),
+      assertEquals(UpgradeUtilities.checksumContents(NAME_NODE, previous, false),
           UpgradeUtilities.checksumMasterNameNodeContents());
     }
   }
@@ -114,23 +114,25 @@ void checkNameNode(String[] baseDirs, long imageTxId) throws IOException {
   void checkDataNode(String[] baseDirs, String bpid) throws IOException {
     for (int i = 0; i < baseDirs.length; i++) {
       File current = new File(baseDirs[i], "current/" + bpid + "/current");
-      assertEquals(UpgradeUtilities.checksumContents(DATA_NODE, current),
+      assertEquals(UpgradeUtilities.checksumContents(DATA_NODE, current, false),
         UpgradeUtilities.checksumMasterDataNodeContents());
       
       // block files are placed under <sd>/current/<bpid>/current/finalized
       File currentFinalized = 
         MiniDFSCluster.getFinalizedDir(new File(baseDirs[i]), bpid);
-      assertEquals(UpgradeUtilities.checksumContents(DATA_NODE, currentFinalized),
+      assertEquals(UpgradeUtilities.checksumContents(DATA_NODE,
+          currentFinalized, true),
           UpgradeUtilities.checksumMasterBlockPoolFinalizedContents());
       
       File previous = new File(baseDirs[i], "current/" + bpid + "/previous");
       assertTrue(previous.isDirectory());
-      assertEquals(UpgradeUtilities.checksumContents(DATA_NODE, previous),
+      assertEquals(UpgradeUtilities.checksumContents(DATA_NODE, previous, false),
           UpgradeUtilities.checksumMasterDataNodeContents());
       
       File previousFinalized = 
         new File(baseDirs[i], "current/" + bpid + "/previous"+"/finalized");
-      assertEquals(UpgradeUtilities.checksumContents(DATA_NODE, previousFinalized),
+      assertEquals(UpgradeUtilities.checksumContents(DATA_NODE,
+          previousFinalized, true),
           UpgradeUtilities.checksumMasterBlockPoolFinalizedContents());
       
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgradeFromImage.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgradeFromImage.java
index f5dbdceaa17..88ad0cc2dac 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgradeFromImage.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUpgradeFromImage.java
@@ -24,6 +24,7 @@
 
 import java.io.BufferedReader;
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.FileReader;
 import java.io.IOException;
@@ -80,7 +81,7 @@ private static class ReferenceFileInfo {
     long checksum;
   }
   
-  private static final Configuration upgradeConf;
+  static final Configuration upgradeConf;
   
   static {
     upgradeConf = new HdfsConfiguration();
@@ -95,7 +96,7 @@ private static class ReferenceFileInfo {
   
   boolean printChecksum = false;
   
-  private void unpackStorage(String tarFileName)
+  void unpackStorage(String tarFileName, String referenceName)
       throws IOException {
     String tarFile = System.getProperty("test.cache.data", "build/test/cache")
         + "/" + tarFileName;
@@ -110,7 +111,7 @@ private void unpackStorage(String tarFileName)
     
     BufferedReader reader = new BufferedReader(new FileReader(
         System.getProperty("test.cache.data", "build/test/cache")
-            + "/" + HADOOP_DFS_DIR_TXT));
+            + "/" + referenceName));
     String line;
     while ( (line = reader.readLine()) != null ) {
       
@@ -285,7 +286,7 @@ public void testFailOnPreUpgradeImage() throws IOException {
    */
   @Test
   public void testUpgradeFromRel22Image() throws IOException {
-    unpackStorage(HADOOP22_IMAGE);
+    unpackStorage(HADOOP22_IMAGE, HADOOP_DFS_DIR_TXT);
     upgradeAndVerify(new MiniDFSCluster.Builder(upgradeConf).
         numDataNodes(4));
   }
@@ -296,7 +297,7 @@ public void testUpgradeFromRel22Image() throws IOException {
    */
   @Test
   public void testUpgradeFromCorruptRel22Image() throws IOException {
-    unpackStorage(HADOOP22_IMAGE);
+    unpackStorage(HADOOP22_IMAGE, HADOOP_DFS_DIR_TXT);
     
     // Overwrite the md5 stored in the VERSION files
     File baseDir = new File(MiniDFSCluster.getBaseDirectory());
@@ -333,7 +334,7 @@ public void testUpgradeFromCorruptRel22Image() throws IOException {
    */
   @Test
   public void testUpgradeFromRel1ReservedImage() throws Exception {
-    unpackStorage(HADOOP1_RESERVED_IMAGE);
+    unpackStorage(HADOOP1_RESERVED_IMAGE, HADOOP_DFS_DIR_TXT);
     MiniDFSCluster cluster = null;
     // Try it once without setting the upgrade flag to ensure it fails
     final Configuration conf = new Configuration();
@@ -403,7 +404,7 @@ public void testUpgradeFromRel1ReservedImage() throws Exception {
    */
   @Test
   public void testUpgradeFromRel023ReservedImage() throws Exception {
-    unpackStorage(HADOOP023_RESERVED_IMAGE);
+    unpackStorage(HADOOP023_RESERVED_IMAGE, HADOOP_DFS_DIR_TXT);
     MiniDFSCluster cluster = null;
     // Try it once without setting the upgrade flag to ensure it fails
     final Configuration conf = new Configuration();
@@ -468,7 +469,7 @@ public void testUpgradeFromRel023ReservedImage() throws Exception {
    */
   @Test
   public void testUpgradeFromRel2ReservedImage() throws Exception {
-    unpackStorage(HADOOP2_RESERVED_IMAGE);
+    unpackStorage(HADOOP2_RESERVED_IMAGE, HADOOP_DFS_DIR_TXT);
     MiniDFSCluster cluster = null;
     // Try it once without setting the upgrade flag to ensure it fails
     final Configuration conf = new Configuration();
@@ -572,7 +573,7 @@ static void recoverAllLeases(DFSClient dfs,
     } while (dirList.hasMore());
   }
   
-  private void upgradeAndVerify(MiniDFSCluster.Builder bld)
+  void upgradeAndVerify(MiniDFSCluster.Builder bld)
       throws IOException {
     MiniDFSCluster cluster = null;
     try {
@@ -601,7 +602,7 @@ private void upgradeAndVerify(MiniDFSCluster.Builder bld)
    */
   @Test
   public void testUpgradeFromRel1BBWImage() throws IOException {
-    unpackStorage(HADOOP1_BBW_IMAGE);
+    unpackStorage(HADOOP1_BBW_IMAGE, HADOOP_DFS_DIR_TXT);
     Configuration conf = new Configuration(upgradeConf);
     conf.set(DFSConfigKeys.DFS_DATANODE_DATA_DIR_KEY, 
         System.getProperty("test.build.data") + File.separator + 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeBlockScanner.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeBlockScanner.java
index a2899eec9c7..1b4b3172394 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeBlockScanner.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeBlockScanner.java
@@ -445,19 +445,14 @@ private static void waitForBlockDeleted(ExtendedBlock blk, int dnIndex,
   
   @Test
   public void testReplicaInfoParsing() throws Exception {
-    testReplicaInfoParsingSingle(BASE_PATH, new int[0]);
-    testReplicaInfoParsingSingle(BASE_PATH + "/subdir1", new int[]{1});
-    testReplicaInfoParsingSingle(BASE_PATH + "/subdir43", new int[]{43});
-    testReplicaInfoParsingSingle(BASE_PATH + "/subdir1/subdir2/subdir3", new int[]{1, 2, 3});
-    testReplicaInfoParsingSingle(BASE_PATH + "/subdir1/subdir2/subdir43", new int[]{1, 2, 43});
-    testReplicaInfoParsingSingle(BASE_PATH + "/subdir1/subdir23/subdir3", new int[]{1, 23, 3});
-    testReplicaInfoParsingSingle(BASE_PATH + "/subdir13/subdir2/subdir3", new int[]{13, 2, 3});
+    testReplicaInfoParsingSingle(BASE_PATH);
+    testReplicaInfoParsingSingle(BASE_PATH + "/subdir1");
+    testReplicaInfoParsingSingle(BASE_PATH + "/subdir1/subdir2/subdir3");
   }
   
-  private static void testReplicaInfoParsingSingle(String subDirPath, int[] expectedSubDirs) {
+  private static void testReplicaInfoParsingSingle(String subDirPath) {
     File testFile = new File(subDirPath);
-    assertArrayEquals(expectedSubDirs, ReplicaInfo.parseSubDirs(testFile).subDirs);
-    assertEquals(BASE_PATH, ReplicaInfo.parseSubDirs(testFile).baseDirPath);
+    assertEquals(BASE_PATH, ReplicaInfo.parseBaseDir(testFile).baseDirPath);
   }
 
   @Test
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeLayoutUpgrade.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeLayoutUpgrade.java
new file mode 100644
index 00000000000..0966301cb4e
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDatanodeLayoutUpgrade.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs;
+
+import org.apache.hadoop.conf.Configuration;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.IOException;
+
+public class TestDatanodeLayoutUpgrade {
+  private static final String HADOOP_DATANODE_DIR_TXT =
+      "hadoop-datanode-dir.txt";
+  private static final String HADOOP24_DATANODE = "hadoop-24-datanode-dir.tgz";
+
+  @Test
+  // Upgrade from LDir-based layout to block ID-based layout -- change described
+  // in HDFS-6482
+  public void testUpgradeToIdBasedLayout() throws IOException {
+    TestDFSUpgradeFromImage upgrade = new TestDFSUpgradeFromImage();
+    upgrade.unpackStorage(HADOOP24_DATANODE, HADOOP_DATANODE_DIR_TXT);
+    Configuration conf = new Configuration(TestDFSUpgradeFromImage.upgradeConf);
+    conf.set(DFSConfigKeys.DFS_DATANODE_DATA_DIR_KEY,
+        System.getProperty("test.build.data") + File.separator +
+            "dfs" + File.separator + "data");
+    conf.set(DFSConfigKeys.DFS_NAMENODE_NAME_DIR_KEY,
+        System.getProperty("test.build.data") + File.separator +
+            "dfs" + File.separator + "name");
+    upgrade.upgradeAndVerify(new MiniDFSCluster.Builder(conf).numDataNodes(1)
+    .manageDataDfsDirs(false).manageNameDfsDirs(false));
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileCorruption.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileCorruption.java
index 81077c5fd8b..a7c6a69ac9b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileCorruption.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileCorruption.java
@@ -27,6 +27,7 @@
 import java.io.File;
 import java.io.FileOutputStream;
 import java.util.ArrayList;
+import java.util.List;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -35,6 +36,7 @@
 import org.apache.hadoop.fs.ChecksumException;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.server.common.GenerationStamp;
@@ -137,13 +139,15 @@ public void testArrayOutOfBoundsException() throws Exception {
       final String bpid = cluster.getNamesystem().getBlockPoolId();
       File storageDir = cluster.getInstanceStorageDir(0, 0);
       File dataDir = MiniDFSCluster.getFinalizedDir(storageDir, bpid);
+      assertTrue("Data directory does not exist", dataDir.exists());
       ExtendedBlock blk = getBlock(bpid, dataDir);
       if (blk == null) {
         storageDir = cluster.getInstanceStorageDir(0, 1);
         dataDir = MiniDFSCluster.getFinalizedDir(storageDir, bpid);
         blk = getBlock(bpid, dataDir);
       }
-      assertFalse(blk==null);
+      assertFalse("Data directory does not contain any blocks or there was an "
+          + "IO error", blk==null);
 
       // start a third datanode
       cluster.startDataNodes(conf, 1, true, null, null);
@@ -174,33 +178,15 @@ public void testArrayOutOfBoundsException() throws Exception {
     
   }
   
-  private ExtendedBlock getBlock(String bpid, File dataDir) {
-    assertTrue("data directory does not exist", dataDir.exists());
-    File[] blocks = dataDir.listFiles();
-    assertTrue("Blocks do not exist in dataDir", (blocks != null) && (blocks.length > 0));
-
-    int idx = 0;
-    String blockFileName = null;
-    for (; idx < blocks.length; idx++) {
-      blockFileName = blocks[idx].getName();
-      if (blockFileName.startsWith("blk_") && !blockFileName.endsWith(".meta")) {
-        break;
-      }
-    }
-    if (blockFileName == null) {
+  public static ExtendedBlock getBlock(String bpid, File dataDir) {
+    List<File> metadataFiles = MiniDFSCluster.getAllBlockMetadataFiles(dataDir);
+    if (metadataFiles == null || metadataFiles.isEmpty()) {
       return null;
     }
-    long blockId = Long.parseLong(blockFileName.substring("blk_".length()));
-    long blockTimeStamp = GenerationStamp.GRANDFATHER_GENERATION_STAMP;
-    for (idx=0; idx < blocks.length; idx++) {
-      String fileName = blocks[idx].getName();
-      if (fileName.startsWith(blockFileName) && fileName.endsWith(".meta")) {
-        int startIndex = blockFileName.length()+1;
-        int endIndex = fileName.length() - ".meta".length();
-        blockTimeStamp = Long.parseLong(fileName.substring(startIndex, endIndex));
-        break;
-      }
-    }
-    return new ExtendedBlock(bpid, blockId, blocks[idx].length(), blockTimeStamp);
+    File metadataFile = metadataFiles.get(0);
+    File blockFile = Block.metaToBlockFile(metadataFile);
+    return new ExtendedBlock(bpid, Block.getBlockId(blockFile.getName()),
+        blockFile.length(), Block.getGenerationStamp(metadataFile.getName()));
   }
+
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/UpgradeUtilities.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/UpgradeUtilities.java
index 4f26e087cc8..bbaf3ed0e3e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/UpgradeUtilities.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/UpgradeUtilities.java
@@ -158,21 +158,23 @@ public static void initialize() throws Exception {
       FileUtil.fullyDelete(new File(datanodeStorage,"in_use.lock"));
     }
     namenodeStorageChecksum = checksumContents(NAME_NODE, 
-        new File(namenodeStorage, "current"));
+        new File(namenodeStorage, "current"), false);
     File dnCurDir = new File(datanodeStorage, "current");
-    datanodeStorageChecksum = checksumContents(DATA_NODE, dnCurDir);
+    datanodeStorageChecksum = checksumContents(DATA_NODE, dnCurDir, false);
     
     File bpCurDir = new File(BlockPoolSliceStorage.getBpRoot(bpid, dnCurDir),
         "current");
-    blockPoolStorageChecksum = checksumContents(DATA_NODE, bpCurDir);
+    blockPoolStorageChecksum = checksumContents(DATA_NODE, bpCurDir, false);
     
     File bpCurFinalizeDir = new File(BlockPoolSliceStorage.getBpRoot(bpid, dnCurDir),
         "current/"+DataStorage.STORAGE_DIR_FINALIZED);
-    blockPoolFinalizedStorageChecksum = checksumContents(DATA_NODE, bpCurFinalizeDir);
+    blockPoolFinalizedStorageChecksum = checksumContents(DATA_NODE,
+        bpCurFinalizeDir, true);
     
     File bpCurRbwDir = new File(BlockPoolSliceStorage.getBpRoot(bpid, dnCurDir),
         "current/"+DataStorage.STORAGE_DIR_RBW);
-    blockPoolRbwStorageChecksum = checksumContents(DATA_NODE, bpCurRbwDir);
+    blockPoolRbwStorageChecksum = checksumContents(DATA_NODE, bpCurRbwDir,
+        false);
   }
   
   // Private helper method that writes a file to the given file system.
@@ -266,36 +268,47 @@ public static long checksumMasterBlockPoolRbwContents() {
   
   /**
    * Compute the checksum of all the files in the specified directory.
-   * The contents of subdirectories are not included. This method provides
-   * an easy way to ensure equality between the contents of two directories.
+   * This method provides an easy way to ensure equality between the contents
+   * of two directories.
    *
    * @param nodeType if DATA_NODE then any file named "VERSION" is ignored.
    *    This is because this file file is changed every time
    *    the Datanode is started.
-   * @param dir must be a directory. Subdirectories are ignored.
+   * @param dir must be a directory
+   * @param recursive whether or not to consider subdirectories
    *
    * @throws IllegalArgumentException if specified directory is not a directory
    * @throws IOException if an IOException occurs while reading the files
    * @return the computed checksum value
    */
-  public static long checksumContents(NodeType nodeType, File dir) throws IOException {
+  public static long checksumContents(NodeType nodeType, File dir,
+      boolean recursive) throws IOException {
+    CRC32 checksum = new CRC32();
+    checksumContentsHelper(nodeType, dir, checksum, recursive);
+    return checksum.getValue();
+  }
+
+  public static void checksumContentsHelper(NodeType nodeType, File dir,
+      CRC32 checksum, boolean recursive) throws IOException {
     if (!dir.isDirectory()) {
       throw new IllegalArgumentException(
-                                         "Given argument is not a directory:" + dir);
+          "Given argument is not a directory:" + dir);
     }
     File[] list = dir.listFiles();
     Arrays.sort(list);
-    CRC32 checksum = new CRC32();
     for (int i = 0; i < list.length; i++) {
       if (!list[i].isFile()) {
+        if (recursive) {
+          checksumContentsHelper(nodeType, list[i], checksum, recursive);
+        }
         continue;
       }
 
       // skip VERSION and dfsUsed file for DataNodes
-      if (nodeType == DATA_NODE && 
-         (list[i].getName().equals("VERSION") || 
-         list[i].getName().equals("dfsUsed"))) {
-        continue; 
+      if (nodeType == DATA_NODE &&
+          (list[i].getName().equals("VERSION") ||
+              list[i].getName().equals("dfsUsed"))) {
+        continue;
       }
 
       FileInputStream fis = null;
@@ -312,7 +325,6 @@ public static long checksumContents(NodeType nodeType, File dir) throws IOExcept
         }
       }
     }
-    return checksum.getValue();
   }
   
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataNodeVolumeFailure.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataNodeVolumeFailure.java
index 38403eb8258..b1172a0806f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataNodeVolumeFailure.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataNodeVolumeFailure.java
@@ -25,6 +25,7 @@
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.Socket;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -384,7 +385,7 @@ private int countRealBlocks(Map<String, BlockLocs> map) {
           continue;
         }
       
-        String [] res = metaFilesInDir(dir);
+        List<File> res = MiniDFSCluster.getAllBlockMetadataFiles(dir);
         if(res == null) {
           System.out.println("res is null for dir = " + dir + " i=" + i + " and j=" + j);
           continue;
@@ -392,7 +393,8 @@ private int countRealBlocks(Map<String, BlockLocs> map) {
         //System.out.println("for dn" + i + "." + j + ": " + dir + "=" + res.length+ " files");
       
         //int ii = 0;
-        for(String s: res) {
+        for(File f: res) {
+          String s = f.getName();
           // cut off "blk_-" at the beginning and ".meta" at the end
           assertNotNull("Block file name should not be null", s);
           String bid = s.substring(s.indexOf("_")+1, s.lastIndexOf("_"));
@@ -408,25 +410,9 @@ private int countRealBlocks(Map<String, BlockLocs> map) {
         //System.out.println("dir1="+dir.getPath() + "blocks=" + res.length);
         //System.out.println("dir2="+dir2.getPath() + "blocks=" + res2.length);
 
-        total += res.length;
+        total += res.size();
       }
     }
     return total;
   }
-
-  /*
-   * count how many files *.meta are in the dir
-   */
-  private String [] metaFilesInDir(File dir) {
-    String [] res = dir.list(
-        new FilenameFilter() {
-          @Override
-          public boolean accept(File dir, String name) {
-            return name.startsWith("blk_") &&
-            name.endsWith(Block.METADATA_EXTENSION);
-          }
-        }
-    );
-    return res;
-  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDeleteBlockPool.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDeleteBlockPool.java
index d16a4bb9e06..755d49922c1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDeleteBlockPool.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDeleteBlockPool.java
@@ -103,9 +103,10 @@ public void testDeleteBlockPool() throws Exception {
       fs1.delete(new Path("/alpha"), true);
       
       // Wait till all blocks are deleted from the dn2 for bpid1.
-      while ((MiniDFSCluster.getFinalizedDir(dn2StorageDir1, 
-          bpid1).list().length != 0) || (MiniDFSCluster.getFinalizedDir(
-              dn2StorageDir2, bpid1).list().length != 0)) {
+      File finalDir1 = MiniDFSCluster.getFinalizedDir(dn2StorageDir1, bpid1);
+      File finalDir2 = MiniDFSCluster.getFinalizedDir(dn2StorageDir1, bpid2);
+      while ((!DatanodeUtil.dirNoFilesRecursive(finalDir1)) ||
+          (!DatanodeUtil.dirNoFilesRecursive(finalDir2))) {
         try {
           Thread.sleep(3000);
         } catch (Exception ignored) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
index 08f98d4bd48..1a4af42b00c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
@@ -41,6 +41,7 @@
 import java.nio.channels.FileChannel;
 import java.security.PrivilegedExceptionAction;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Random;
 import java.util.Set;
@@ -63,6 +64,7 @@
 import org.apache.hadoop.hdfs.DistributedFileSystem;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.CorruptFileBlocks;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsFileStatus;
@@ -750,15 +752,14 @@ public void testFsckListCorruptFilesBlocks() throws Exception {
         for (int j=0; j<=1; j++) {
           File storageDir = cluster.getInstanceStorageDir(i, j);
           File data_dir = MiniDFSCluster.getFinalizedDir(storageDir, bpid);
-          File[] blocks = data_dir.listFiles();
-          if (blocks == null)
+          List<File> metadataFiles = MiniDFSCluster.getAllBlockMetadataFiles(
+              data_dir);
+          if (metadataFiles == null)
             continue;
-  
-          for (int idx = 0; idx < blocks.length; idx++) {
-            if (!blocks[idx].getName().startsWith("blk_")) {
-              continue;
-            }
-            assertTrue("Cannot remove file.", blocks[idx].delete());
+          for (File metadataFile : metadataFiles) {
+            File blockFile = Block.metaToBlockFile(metadataFile);
+            assertTrue("Cannot remove file.", blockFile.delete());
+            assertTrue("Cannot remove file.", metadataFile.delete());
           }
         }
       }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestListCorruptFileBlocks.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestListCorruptFileBlocks.java
index 18f83ef8691..7e36acb48c3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestListCorruptFileBlocks.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestListCorruptFileBlocks.java
@@ -25,6 +25,7 @@
 import java.nio.ByteBuffer;
 import java.nio.channels.FileChannel;
 import java.util.Collection;
+import java.util.List;
 import java.util.Random;
 
 import org.apache.commons.logging.Log;
@@ -39,7 +40,11 @@
 import org.apache.hadoop.hdfs.DistributedFileSystem;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.TestFileCorruption;
+import org.apache.hadoop.hdfs.protocol.Block;
+import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
+import org.apache.hadoop.hdfs.server.datanode.DatanodeUtil;
 import org.apache.hadoop.util.StringUtils;
 import org.junit.Test;
 
@@ -87,36 +92,29 @@ public void testListCorruptFilesCorruptedBlock() throws Exception {
       File storageDir = cluster.getInstanceStorageDir(0, 1);
       File data_dir = MiniDFSCluster.getFinalizedDir(storageDir, bpid);
       assertTrue("data directory does not exist", data_dir.exists());
-      File[] blocks = data_dir.listFiles();
-      assertTrue("Blocks do not exist in data-dir", (blocks != null) && (blocks.length > 0));
-      for (int idx = 0; idx < blocks.length; idx++) {
-        if (blocks[idx].getName().startsWith("blk_") &&
-            blocks[idx].getName().endsWith(".meta")) {
-          //
-          // shorten .meta file
-          //
-          RandomAccessFile file = new RandomAccessFile(blocks[idx], "rw");
-          FileChannel channel = file.getChannel();
-          long position = channel.size() - 2;
-          int length = 2;
-          byte[] buffer = new byte[length];
-          random.nextBytes(buffer);
-          channel.write(ByteBuffer.wrap(buffer), position);
-          file.close();
-          LOG.info("Deliberately corrupting file " + blocks[idx].getName() +
-              " at offset " + position + " length " + length);
+      List<File> metaFiles = MiniDFSCluster.getAllBlockMetadataFiles(data_dir);
+      assertTrue("Data directory does not contain any blocks or there was an "
+          + "IO error", metaFiles != null && !metaFiles.isEmpty());
+      File metaFile = metaFiles.get(0);
+      RandomAccessFile file = new RandomAccessFile(metaFile, "rw");
+      FileChannel channel = file.getChannel();
+      long position = channel.size() - 2;
+      int length = 2;
+      byte[] buffer = new byte[length];
+      random.nextBytes(buffer);
+      channel.write(ByteBuffer.wrap(buffer), position);
+      file.close();
+      LOG.info("Deliberately corrupting file " + metaFile.getName() +
+          " at offset " + position + " length " + length);
 
-          // read all files to trigger detection of corrupted replica
-          try {
-            util.checkFiles(fs, "/srcdat10");
-          } catch (BlockMissingException e) {
-            System.out.println("Received BlockMissingException as expected.");
-          } catch (IOException e) {
-            assertTrue("Corrupted replicas not handled properly. Expecting BlockMissingException " +
-                " but received IOException " + e, false);
-          }
-          break;
-        }
+      // read all files to trigger detection of corrupted replica
+      try {
+        util.checkFiles(fs, "/srcdat10");
+      } catch (BlockMissingException e) {
+        System.out.println("Received BlockMissingException as expected.");
+      } catch (IOException e) {
+        assertTrue("Corrupted replicas not handled properly. Expecting BlockMissingException " +
+            " but received IOException " + e, false);
       }
 
       // fetch bad file list from namenode. There should be one file.
@@ -174,38 +172,30 @@ public void testListCorruptFileBlocksInSafeMode() throws Exception {
       File data_dir = MiniDFSCluster.getFinalizedDir(storageDir, 
           cluster.getNamesystem().getBlockPoolId());
       assertTrue("data directory does not exist", data_dir.exists());
-      File[] blocks = data_dir.listFiles();
-      assertTrue("Blocks do not exist in data-dir", (blocks != null) &&
-                 (blocks.length > 0));
-      for (int idx = 0; idx < blocks.length; idx++) {
-        if (blocks[idx].getName().startsWith("blk_") &&
-            blocks[idx].getName().endsWith(".meta")) {
-          //
-          // shorten .meta file
-          //
-          RandomAccessFile file = new RandomAccessFile(blocks[idx], "rw");
-          FileChannel channel = file.getChannel();
-          long position = channel.size() - 2;
-          int length = 2;
-          byte[] buffer = new byte[length];
-          random.nextBytes(buffer);
-          channel.write(ByteBuffer.wrap(buffer), position);
-          file.close();
-          LOG.info("Deliberately corrupting file " + blocks[idx].getName() +
-              " at offset " + position + " length " + length);
+      List<File> metaFiles = MiniDFSCluster.getAllBlockMetadataFiles(data_dir);
+      assertTrue("Data directory does not contain any blocks or there was an "
+          + "IO error", metaFiles != null && !metaFiles.isEmpty());
+      File metaFile = metaFiles.get(0);
+      RandomAccessFile file = new RandomAccessFile(metaFile, "rw");
+      FileChannel channel = file.getChannel();
+      long position = channel.size() - 2;
+      int length = 2;
+      byte[] buffer = new byte[length];
+      random.nextBytes(buffer);
+      channel.write(ByteBuffer.wrap(buffer), position);
+      file.close();
+      LOG.info("Deliberately corrupting file " + metaFile.getName() +
+          " at offset " + position + " length " + length);
 
-          // read all files to trigger detection of corrupted replica
-          try {
-            util.checkFiles(fs, "/srcdat10");
-          } catch (BlockMissingException e) {
-            System.out.println("Received BlockMissingException as expected.");
-          } catch (IOException e) {
-            assertTrue("Corrupted replicas not handled properly. " +
-                       "Expecting BlockMissingException " +
-                       " but received IOException " + e, false);
-          }
-          break;
-        }
+      // read all files to trigger detection of corrupted replica
+      try {
+        util.checkFiles(fs, "/srcdat10");
+      } catch (BlockMissingException e) {
+        System.out.println("Received BlockMissingException as expected.");
+      } catch (IOException e) {
+        assertTrue("Corrupted replicas not handled properly. " +
+                   "Expecting BlockMissingException " +
+                   " but received IOException " + e, false);
       }
 
       // fetch bad file list from namenode. There should be one file.
@@ -295,17 +285,18 @@ public void testlistCorruptFileBlocks() throws Exception {
         for (int j = 0; j <= 1; j++) {
           File storageDir = cluster.getInstanceStorageDir(i, j);
           File data_dir = MiniDFSCluster.getFinalizedDir(storageDir, bpid);
-          File[] blocks = data_dir.listFiles();
-          if (blocks == null)
+          List<File> metadataFiles = MiniDFSCluster.getAllBlockMetadataFiles(
+              data_dir);
+          if (metadataFiles == null)
             continue;
           // assertTrue("Blocks do not exist in data-dir", (blocks != null) &&
           // (blocks.length > 0));
-          for (int idx = 0; idx < blocks.length; idx++) {
-            if (!blocks[idx].getName().startsWith("blk_")) {
-              continue;
-            }
-            LOG.info("Deliberately removing file " + blocks[idx].getName());
-            assertTrue("Cannot remove file.", blocks[idx].delete());
+          for (File metadataFile : metadataFiles) {
+            File blockFile = Block.metaToBlockFile(metadataFile);
+            LOG.info("Deliberately removing file " + blockFile.getName());
+            assertTrue("Cannot remove file.", blockFile.delete());
+            LOG.info("Deliberately removing file " + metadataFile.getName());
+            assertTrue("Cannot remove file.", metadataFile.delete());
             // break;
           }
         }
@@ -405,17 +396,18 @@ public void testlistCorruptFileBlocksDFS() throws Exception {
       for (int i = 0; i < 2; i++) {
         File storageDir = cluster.getInstanceStorageDir(0, i);
         File data_dir = MiniDFSCluster.getFinalizedDir(storageDir, bpid);
-        File[] blocks = data_dir.listFiles();
-        if (blocks == null)
+        List<File> metadataFiles = MiniDFSCluster.getAllBlockMetadataFiles(
+            data_dir);
+        if (metadataFiles == null)
           continue;
         // assertTrue("Blocks do not exist in data-dir", (blocks != null) &&
         // (blocks.length > 0));
-        for (int idx = 0; idx < blocks.length; idx++) {
-          if (!blocks[idx].getName().startsWith("blk_")) {
-            continue;
-          }
-          LOG.info("Deliberately removing file " + blocks[idx].getName());
-          assertTrue("Cannot remove file.", blocks[idx].delete());
+        for (File metadataFile : metadataFiles) {
+          File blockFile = Block.metaToBlockFile(metadataFile);
+          LOG.info("Deliberately removing file " + blockFile.getName());
+          assertTrue("Cannot remove file.", blockFile.delete());
+          LOG.info("Deliberately removing file " + metadataFile.getName());
+          assertTrue("Cannot remove file.", metadataFile.delete());
           // break;
         }
       }
@@ -482,15 +474,14 @@ public void testMaxCorruptFiles() throws Exception {
           File storageDir = cluster.getInstanceStorageDir(i, j);
           File data_dir = MiniDFSCluster.getFinalizedDir(storageDir, bpid);
           LOG.info("Removing files from " + data_dir);
-          File[] blocks = data_dir.listFiles();
-          if (blocks == null)
+          List<File> metadataFiles = MiniDFSCluster.getAllBlockMetadataFiles(
+              data_dir);
+          if (metadataFiles == null)
             continue;
-  
-          for (int idx = 0; idx < blocks.length; idx++) {
-            if (!blocks[idx].getName().startsWith("blk_")) {
-              continue;
-            }
-            assertTrue("Cannot remove file.", blocks[idx].delete());
+          for (File metadataFile : metadataFiles) {
+            File blockFile = Block.metaToBlockFile(metadataFile);
+            assertTrue("Cannot remove file.", blockFile.delete());
+            assertTrue("Cannot remove file.", metadataFile.delete());
           }
         }
       }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-24-datanode-dir.tgz b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-24-datanode-dir.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..9f666fed090ec1ba463c568e69fbbe23658c1c89
GIT binary patch
literal 637608
zcmYgXc|4Tw*Z#Ih5)~nPLbi~7CrkF-jC~0qBYQ(8OGHw3jeXx|29sq78IdJ~Fk{P7
z3K{z{vd{a7exLVm=X36Ju5+F1ocn$T`<sjZl{tMd`S0A)H*#|mGZOh)ILFoVoVm|$
zs$FL(<9hgC_vJHTOGVPJ?j&&B{M3YjqGciY@dis5Oe_QgL6xH{7qf%#4T~Na3}l@>
zws~l?5ltFW49ba}53*eyN{>I-37%>ClR4qrhk56(m-}0I>Q}KI3M?hhUjvZ|F3ix(
zyKL+>%M@XWxY|Wm%)^wRduSH&?qzvJu_W5^HZ6RPD2UvRX_$USYJMUh&Puv8WVei#
zr#Sk!Zq^OA99lOk1#g&jl2%896^_WDc>H}jOh|jcn#Opuc7X^h>88_H)K5~~V_{ZO
zdVc;T$K{WStxElmq(3sn5Ts(8H>P8oE%QKc9&RYDa<0{p)_<bo4~BBS<F^ewgfXPY
zL9mw`+`Ika!RSMBzUyU&C}u1PtnL04wN3JWTrRfw`XL2$Ry5$9Zr&v-<8XdV6)sgb
zZScu;E-DvwJ+Q5E0>^D#Mw&t+q{OA7!rY0Pq1Q+~^ulG4qw#nZ_<~Y>Ge4Js;~pnh
zzY^Mz_7}RV-{b-V;*BnOV_o6R>OxPWRBK}sD~l{M>$ftcNZva#{92y6`cVTq8$AM)
z-AI0c9=(JC#8Gk5J;5s!$>eSablUFE<?mg~z1zfVMwVfFW%vRrjC(fV1^*(X`VG=e
zn_r;y0H1C)IT}*iggbgR@^(vtm80Nbc3DXRNKwjqiSk>sdbx2EgcQ<A&rX|Ruld?U
zye|8LBkp14)=PK~l|WkQq~?$_2ZKZvn}qQlI{$Z)N$J@&SE2D1ZwmYEnSZF{C@|DD
za7xlfwcSdHz<j>{@Gu|yBT5spXW@K_MoM0!TC%#5Ud}wR$<@<+?j{0(;ztTqRFt7)
z??~d8#3CfttCGyQU2afyRq`3TFt`a@MHS`c6~yz~$Ty{HKK^{A<A!PjpJ*?ts7+=#
zzO?_YGk53jAt+xLW7>j6gYHnujeu{q4p|8-@bqgriF_FG!zJFz0;P;w4vs~VLSweQ
zTza<Q#fy%_g}sMaQ(KMd!aPwyFKtsQ`o(YG=hkRn7}9I+czNFDt&lBg@r|ia&<7T-
z7`+M(nZ8s;x~$TahDK1j-)ch0-p<j~w(-6&{~biRNHPcnHlsIVz~c^-SVL#7Fg4?k
zz$C?^l#Grj?Rsrg0RD&++l!mnmXL2qJ@UMajzT^8BPAtoaalOE>FFzRTCH<#dvov<
z@*7Y-gbWo=<L3zw`+T5#%f0Q-!L#?}G~BH}y!|lMfm{6Dt)n}iv2gaL3?ILQ4SQ12
z5c45ji*^jZChhfn34S$6VeFyaH0hS>*TjkuwvNs(0oAjFp`(3v^$e9SIdSg<lhU%K
zTRO#g*ax>{Ub}M-$qz8ouO0RBee;`m<OEaif6$XcQgL9ql@19`TFQY%?ioprx}N8D
zW_EdYxg(ZNdU{ub<ym!0)N`paJHIcbV)&(qty>$=b>DSLVpCOXvN<M{#@ByZ$KE_b
zhkerub;10hBR(0OevK%{)P?J-9r|VNewmwoUtb{h0iGK7%@yA-Ymd)Hr_&PYV;&-B
z5ec4-7>c*%*ladQCX}(^>g51qQAU*BE|Sd1lf<-(N)PxkM^h$yPpjbf&wYh=go}hp
z-%o<UACa_n7%l=Ua0uMR#h?Qs##^avr6h0()vMg(zwFUWZ4RA7#k_*0sEbN?EUw)*
zhlbL)1w3h&E^7#bg%o(dP%yPx0}JF&6(szAoJd8tWG}^A$%qvuNt;e82i^U#mThA0
z-ep!E1<O$v#V9(=S(L%<MLpE>Bbk~L&lC5zv&;lLk<sY!tHd)g4+)DKVg8llm$V-T
z_1}<mz*FMb)%ldhUgC!X!78{_S1ywt<4%JX2s5wi!G}*)HkAY_!Y7XLR8Di^4^*w%
zVW_$&{@I2!qv<!5sL9CHzS?$(oFV(6s6+8})bcLGF<-GTLASTuOt%$6&RePETTYZH
z+Y8%s>@Ok0&51uzeriE#oN0S2Lxn}=#K^?k<m%L<8>ln6M>y2uK@D@NU#M-h!vp{d
z*P~~&@AxBWTq#jWMdlG`(alcB;rB70kcntX4uXMrBEn90EZ{6k*>F(Yw|ner8S>s?
zfQI>fAya%HSR2;~7_k1iz48fpL7SyRCK!4ZWoel6H1P4%B~(iwhR-OZI6;@{jhtsB
z{wlBcW$S{}aJ->mPG6AM!7Wp{4KR7WVjdv*4dtd^ePorRhK43|+RdrX5iO2Xo1@IB
z=25X~LE4;Y4QsCNa#LPCPjt?Roi?(UpuyQ?%D-T6ka&%jy+&jNh_lhRrD`7YGI8$c
zb$v`F@*F1k=Rui{dCU(~@2fpZpdc;Gb<OQaHtoz$je!ZFcyq%XgLiN;M~PUpBo9O(
z<{<>NZW>w1bcI`};}55^BYthBMWqmS*M-8Ab_XeDlryARyeDUVY1_+%*V~=IUPF$G
z%6;v=A#|k!LSqMYHMFyql~NOh9(eEfnd`kwq;Hh0p=yO(Ds>j9(8shv`0b$F{7siU
zTX02Zj6BTsUeMGjM9x__NU(x7MS><J?Im8IYj5%&cEuoG{(>`=Ijcl9sy=PiD{~Ho
zh?MrvQkwV9p*+-zKGFLZTQ*fbRy1wAr`5y8>{#c35hzXWcjCWNHn#@$&$s-lSxnvZ
zoA>?p>IH5#<m#$_3&h`$nK5PVmpz8u&Rq+n1N6v%nSes&IIXt)w?0e97`(M%`35-H
z>K)`4icPKPoTNdqDOS=n3U6z8ODFr_NVaS)6yol|CiMPN|2!&N4U?as3s$laqeYP!
z4r=2b;hoA_38)CYoiBZ1*EFu#!LQ-d)kUG7Ra|9FpQ%QTRMyL7IAU&qx>Q`)TYe+2
z*ty>a$x0I)2zTQWJRLCSwJoo#N9lfo@RimIb&zYB3;smes=<Lo^x17|=}@zVgU-uQ
z3*Rco8E_rbe$}pT@RzXT>7}&*`AC-5zoYTmyzAJ9)?N%KaPIiBT*JM)s$b*KwH*Ac
zubzoP$F&=`&C6fXu&;^*AuBI!n$m9vRk2Tegb3OZZzEZO(l=ucnd~vt+T##E<YDDF
zJMOl{vkv}uvd__bSMk|ECM`b#u;#26xtALXS+Eg!<y`IZ3vH602oJF1$)!&Q^H^mw
zs^%_juU+MJUEOP65j1DL1R46es7zid8;!2zM7~we9{{&L2bEDrCQ_3(<Y>1NE*i4V
z(f#uHNYKQNXP4@^auE*QzmP3MufN?<eDXnp6;+@N&D_xo`~H~elbPIAxc<8xQK)(s
zmGU!IO77sQH>{BkL<z$zq&}KG20yZk6gFZ7R7Lo4gU}=N&)l}=d=T?1{CckBzBep^
z8U=8e-6-o3S3}rX#x{j1kBZhk&Ss;=cd`_?xiS6WuzE~aAU>z`i74N5#H8OYCDyn2
zp4Nlv@J&xgD1T|6lVhY!J3$=FbPqQNfS$pyIu?pwFuX;YF?1I-b$Lz@Rov_IF2lB%
zor@yqa;7m=u7`ae54ru8_jWtg<0!mEZi9!c><BfgdKZ~l`ea781=mkF%yxuQzvXSr
z=4%ecODVe#+}SshFrD83lNs3nsr;cPaa~7wDr<c`oJn)5l)VC~OJlPQvvp9k1Jhv0
zfU=Rt356wB|ECRdcV2j69>fg#LsM7n@~$Bsec>8hp9Yy~`5uMJO?gVLjVof~GcLnY
zLVEf)uCRV2+`=MnA>{xUwr#j8?;37siwARa0In%Y*#btU=%S^QH^34`R)d<wSlYcq
z-ZG&VH129it^8$Ja->V#5l?sJo}wKdD9S5Hn&o6KRKhexRm*E-GlJb7N>(aLytJ%Y
zR`CmEnGXY8P?K<a?;_2VwO-Y%#GuS=s2~E1@xNKhDt@3^)Zhb}#ZwE4Fey`|=ZRk@
z>ueb^_1u(+mRN<a<fz3R$VH=tU!J@KZhBUltxxPKTAfYRa(fS;3Z>;5sJgxu!UZgo
zHb|JM3)I{nc>Zurop<5a=>G7TGLN&E-g^OCVr9W?W^yzb2_V<tp6yuk$;;gK3Z8Z$
zlqjov#0qw4xyvZ_O}xHZ5$&YCF0?$*h0?T6Me9Ax$x_g?E|ie8zvL}$s`LY8uSNuv
zyvY`3;Wb&qs(mYvT5`LcKyCPq{;fe;96l>hBC}KxpaxA8CRgL&y7nz}|C`E>1ee@e
zx#p122MR6>b}={kvv6?_A>X^qTbMdMc%v*iVi>+$4Wx$b>&QrvEy~!f;WhJX3lek{
z_Vv;A=9A~R2VRtHn@8iDa{XTIIhO%m*zIC&L7o8uwwe9snFCbm?eEy`l#6@C=W_Q}
zva*cA@WQ(gaifK^FJlp}uX%vY6)tj%#Q2SjJ|JE#4YnULOLHU&V3C|iVPGP>;?|#j
zK)n0*_fIO$2798L;bE3dE7=H*#t!7N(cvR5lXIq2jnVi5LmIi=HLjMWSrNl?lER;_
zMpwjcf)$Jw9Q5v_hm!6EUPbZba;;?1@sI@#X&Ij5k=(u(&1JBTH_yNDRkLP%4ey`w
z4#uQCv*>#eZLV+*d9bxD5N5P#fo0Ob-D8UCEB?Y9rVvQ2eR(mq>%7?7yfWCDn8R^n
zDCm>f&nRt%;>)_M-^L(prX(_M3NkHZP9^LNs3^EytmX0N`&h_LWSF`r(c+5%LnVwt
zTh?yU$to7_sZ7<dNi454Z~9_J`w9u{3hv__Hh0g3kZIG<z4qm-gwcWEn-ram=1m=D
za<p)vR&G)J&S)irDOy!)@RfT>tUd8UDS^>5gzXhRBTyotlpnxck~SqM3JlxVtlAU~
z_+j2ehE)I2aElIAw+o>$!i&=okB0iJTlkxbZnZlEm&lh*k%7NGZQZ3XZ|XEl0y1GS
zNkul5OvHg<8Oj9jKNgFXd;j6SKjVuEvshT&g<LYi00fc?+0KdqH*94~diG7|m<L^i
zd>)|W2xHvQ2$X=Awg47J%=&Si{5G-rQsxGJtptPIm!|&x*UKd3=TNR{MQ>0GzhmF#
z?r@b2a*s#ru;VWdFJwO-U(fq_qoups1e>mpGh~Wd!FHM7dL;8?Ow^>@u8J1b{CvC%
zyL+`IwIUnsd=<k9&;#y@B5OKt)7``5^K{w0@b!<NH}A-c=<PVccji!OYDJV?7P^z(
zf@91Ghds)%qHjvpFTuWspN3YF%i57-cD=VCH-M)5<y3SY^`xt$C)c+w=K<zg>9yHU
zllzYN*Jx*2iA-R$^rnirS8AsyH#F=>u7-n|4LRLjF28*MZZ&JXDgl%hny@I-!d9$v
zPG;<lCCGu!qrB#oHrDt14b$Zvh*`e+pym^d<odZl>Ng8d0_sL?EzR3wC`t$Xb*AiM
zz<hSS9FXfk80vWL53;<)CZ8uY?z@}EfXNM^Id;Ykj`#$$A16dSMs5BbC~P(C`j9K0
z&0>-AR^|9*T<V$t`FR%;U+j2RsVq?beR9DOd$_*D_7lpACv8Z|(mg?xl}86sz;0O?
zcLOlcl9T*S=OL06+*8gNT+D{@$n9vTL5)X({juXorCZLgtc!=;<;q(5vl2zOeHa@r
zqS$gf0z4}pzXls%({*s>fRFn5@%Ikk3*1eQ)l6)F1sb=L>e}b{j?iuvqZR{5!z2br
z-GBAf0`9);MB4y`x%)Y!eY{JsR2gg&Z>v@$75qyCx>2%t!5&UMzv&{=+cGUPQ=5A`
zGi|z!83iE5W<&*0h?djoDMnd0@;zCWX|j9=gxpY$IW7wu2DZbd8{p0ZaX5^nh`rN}
z42qEQQS2C@aR@P_P04zz*ADs5PVgpwQ&&+uVmT*hiURe77qm51spoAT5n}uxL0r(^
zMB0=t5EEY-1)Ot^y+Y&@KP%f-U;k^_Nc>I1q;vh*v8~A0X!>gsQR?~oy6i0Lo%~G?
zg;p4TDbk~u3{6;QhQG8UlhNC^`J3`eZcMt!a)QFaFvc;BhJ8zMQ`LKVF@cu56sD@X
z5D_DjM_jTQk6(~IOSQFx|6;<ry~gY37E=kh8HMBTV#gy(5kL?cS^88!S5EL|`5=!j
znVzZCB+X4dr#FxJh2jPf6NZc84}$gSO&83(#-h$O?m0>@;iAFxWKY!%%6_7X)bvUK
z;g<_KyjM1eF7oky_2Rpw$`y!n`qN+zQ^#EhqmdY}SCmM4?^BcwRy25aUx+(2k0F;>
ze9Pg@Xi61`$t+C+qL^=Wk936l+0nVP3wpl5_vJcYk;W13n9}Y-?DCxlG;7kQz3(xZ
zx+YbCdIQDJqt-kt1RJ=vzO;$KX0Br`m2r=Ossv3kTyE!A=tWgX6Rl(M;)abCsib-u
z)IuO8v2?4rhX2WO&Q|(m)YjKOR`qw6`Ao%>d()iue+ZU2ujBdi{fZKPGYud^ZkR5t
zl(KOResjc7mQI3(`ubZTX4vt#QW+pns}7rI(O^qs--n&1=S&+z$Ab=SzuhVGn@8aR
zw7%o-N-Q>H<<4$BPqgeQGzJudr&M9a|L|%k-WqGEidz9(c(C@KZwkMrO^{t(KIAlg
z7COE;Q!5Z`-un}UQ7Z~bkS&HS$=Jr?19=xb>-715b6>jG8xx%xABtDOT55n`)%GF9
zwi8X(k@#D@jNiRQU8zl<y@0UPZZl$4t*pP8?bAvC*I2wqRK;0TQ0~L;7jt?M=7MK1
zDJF0Y&$8qV{28?(a`&4i?Hop73f336UtCAkr8#0)a38iAdi)$P!gj2hI9ni4&pV2O
z9T2j&myb;AO}!++Vd+YF?*>ZD%V$t8UZrbr8VL^&^^}z+u4uos)_JmX9fi-Ozf-SJ
zeF-HI2)%2xKp}fRCjCX^rM(}Pyo|_+`bE<3hSeRG{@N?wD>kvwxQcBf?U?cEa-;HL
z-q*EplgM)I^6@;=m!Cx)B3{Acox;`1uC{51si`=e=is7YH2wT8VCqj`+)ss&k@?Nc
z5Ms`zZ=h1sq|EA~Y`<g8J*XtYG4hvQt-Q{c0Tg9nw^kt~+)~cXR1``2N)s8eoS11?
z1kv-I$a3!-G|Vb7W6*})i3Abs6e~B4vJ7-sl+q>qsgRVKhdl^;pQ}hpBJu@jH*VnC
z6jxK6d3FZNqbQTHIOf~=1Wm#YJM{&bTtcB4Yf(2vwf@?$we-g-PT3)v`H)D3Z58M>
z1g#`d`aLU{p^3nSUuQ8!{Gb&M2`4yMR(&46DaHymGv;||t+4P4nPCe}=J%9;^LFpx
z#f=cqq-#`9Q7O%bACmH#S)gJP+c~g7Q-dZllVvF%SE55sbstJ0XdypR^J$;Okq?oS
z<@Tj+iKb@@`3A(}tywhOt+ajx+2b0uxH2!brr5c5i@3UrvG&VrP(cd;=Tuc_vwjU0
zHoe0n;2LFB{0aP_U&J&)wrF~skZj|Cv4z6<c~lx(m^FBMdS6$*Onxr~vq1|Zrwa82
zOGT$Q{4l2I1}*3%0JU$i$yQvBtb*&0>YO;7r*9}0>gznIcpQ*qjW(Ms>Q>@q(=Hb+
z>kk42xkk<B@~w;*PTnItAqmq8diF9Ck&z&og>ST2y^`R{z}AdMU5V*3I+KQzx`gQG
z?va8#=dHGoC7=>t&7u|ED{T<Sr?})h3QGM~#6DjRF?M<V(oC>~!-`0tL2Sg$8yDT?
zx$;FB$}DIxT=$T9PUps%!oG2dgC{zmb3}qM!Y6EBv?!RtTbd1j)3PeiWPveN*#3MH
zWZLs{oq`e70IH`@_Km7a?Zn&9>!ltg+_q+BvJbG~l`n8(BS=Lb4QPq2jSx84aLpKL
z!>ThER{18mOgdPRg9dMCJpaXF{(uHQ3B&6kGru&S^&_Px-=T86B51)#zw%<NT>S=u
zbYR`^UI_UE28{sCdjTcNTullm*jiR~S8A2Sma50g`gf*zCz~t;!JtK;-MmM1@@Yp+
zK2*qk*DiwaS#0`q!WrZFa%S^(pR*x`=!!&s2B9)j!gLIMg&OgypoQ;hqk3wdyIP`b
zvkmgaZ0(PCwl;$J0Dy8yDr`sLglm>Fht)kX8Kvq84G)@0LOs3RMokUs$b<iWmxJQo
zS0y)RI@UZaCtYsbE@k6^+ONi(yHlq*0K;1$tqUtn5%X@z)k`!ykGdLujTCj}!4g4{
zePY3PA_;s=4W>v+nL^`E@Myzz{7_9>$sd;?ja=AEkOpaHj+Dz(U^b!!XZH(w+t9UQ
zdKXz)^YHL%y&xIVyHJ)anwjw>!J>)42^P|{K;vX+n>$#}{$vqcU;drO^nwszoV8yh
zr>H7ni>^pP(gK7#X!T1rkPc0LoGLgtTmTEj-8b2L>lq8lw<W@nVv!(72_rUn{s)(3
zmB_=*c9BwBE<Cr$5n8#_b`Zr}*zih~pZLiMVQ&AJYba6gOqv*ZUb+flCX@Y=;2)V3
zB0(L|02Busvc_r(x?%RHYfc7y?%mn$_u5Fe<?LC&W@L+S8?mAD#koj5aI#n!iKuy~
z6RBr!zU*YpgLgNXwF)w7$}^MFfm6oR@=9PMGiF_vZwsz3`tK)+mKG-vro1iM7)qxG
zQC5Y74i5NuZI4dR=9;_Z%=Gf3IF8cdB!bc0P^vs=^*2}vu|b*9Z0w0U{JJ3@n3DY1
zoqm)-EGGK0u|j9v``Z8Tx=jROun=+_iEA&A-Bu&A364qDx=MXPidJdbh;Erb_zyV-
zgQ7qRKy_&48X5~=ImzeM)TwJHsORDvw!o2v-%95Qcz5I3l%fBMZnGSkNrCFyO&+i|
zvKATk@<7L07bNa9Ke@66c@C<7e#a0IGdN}0cddTe$gmYvpR8M;Q7Gh}lV!gP4k<G`
zSJV)#$`4f;b8#`8HNDs3F|;fwH9=MgTMl+(k0h8hF>!%|uU#=ENWrC=?!&+R41Xf%
zeZ+!SF*XCGn*F?pybqHwM_S)uI14pn|5cdVE$CQ##T?2kKp#V6Y!;mM=g%Wh&LaLQ
zqT+kJp}z#;>~JdMgu0VP#z0IZ=kxVM9602NZI~5r27@+&cE8$_2WDL2w@|eA5Ud*F
zXqNF)x;qu$0Q*&6BUp;XqvQ&^BSPiighQ@RbYPFVN`Ws}UqR4xQp4P&aHOd6A-gha
z<t+h1jlfM+Dr73tT@a+OF+93!>T*dL>Ax__WK=r7MG!)4oYCRMg<ptVR)&8QU7`*V
z$)iISY1!-_J-pz2;k77C0)(_aUvGuj-K>SHz^&+(x>99^&)|IuD>CNC*rqGOvuq~?
z@fe^>Q9Wi??!$Zjd`hm-Yq{iTlnu&ZrhBP(9}{Lf$q81}y<|eD(N0?b#`V5XA@JvO
zID=8S8ey-jw|s3`8#IivH=Yga_bO`8g-%8Brv$7XE<hX)sNWz9_mWweVtCHas5UVP
z;fX9X$gnvNUUj%m4(Au6-gPyDuOYou(;Ym~Dn!So1~X)!7kwTsAANf^zkBxMzOezc
zqe%<I1O3^d$njL=rs4qVn(^$+aFBLT?JC_|%SEAt$<<#^HUyCpT9Y8um&;2+T#9(q
zeqlp`DnCYF8{A_@of5-#(Z-fc%vjCcSZcaX(BdV*1qN*f?Z&S?H{Lhf`%<NY%i|`m
z?!mP#F{j<xY$hZtZXT{}8RLdf<Uo}^ki%t5*Cwuk7Kaj5L&a`e_(k<=5uY7Y+$G0f
zfDv;+bzYjEzY58Gf5D$Jaet-!2pR-pP9TH?Amy@cUw6QW@u1y%;xttQLF%jkz+b6(
z=D8gD;vQ)ehD%>n@|8*sp%RRV^YPk;^{p3sc)k=_XdIMew$dsLgyG!Th{$9OOp&d^
z9eg=Zq>+(MYh`#3JU^K417ufn;O-5vT<<lNXQ1Y<D2>AI$Y!H=I=U9lW0CdY^N)nl
z6y{lc*jp0s9C|+70Db$7=S5ub(k!JYmmaUWQdh*?DJjRceINd^H&wYm1Jpirb-)(Q
z28Y}PRPOsP*V{;Ig13Cp?|WyFteRBWBC^zSbgw<P2qK6L<v-p<wHH5Ji{(#IQqx$b
zHMhSbo5+-yN%z`@vE3g=d=IL>p}<r%s}d&IuV+o;<uDI7+B95NBWy=*FU%V)mzfn5
zF|`8XBU2IQq_L!;qp$CUIATWHXibXT-JS6Qg?vTv0O{=U`~WpLBQ!xW&;w9`PmaSC
z(Sa;nmPw;}ecre#I{Pg@!&HtjAt^LwEzsOcmbl=M(@j>o%>^|xeoPPmJzKz=7*BR_
zz|;MAuV!DN)E7|{%hw8Z^4yEUeYLeMlFi?%wp9=WV?Rn4fP6_8<=N>o{g|t{%2)1!
zNP2{oplsp2f^iLWb^^Z?<0~VA!O(^8yYIe(aHG|SRu6z!;&2MsqGI!G?!86)4aCY^
zd^}hJ>v#>Bna${;(}bnRhZeqsdI`=(5^gpz34pO>Q6`Y>)NI#MpYEA4{%an|O$$=S
zpL9aRnLWR>J!oR$0eh5snIdM}R%k#nF{=~N75a2WtSW@5mX?H&d|41W8xE0<4EId(
zOr52j!_{tP(K^SdL8TGblE$-YKMciuMa>s>GnmZ(*cvPl@cVW>bA^tyHnN^q8hZ<B
z7pV614zhqq2tfF3zIyup=UVjBSl|-@m;GSxbfv6GGzXNF>Klp9+bgk+Ng*gwQ%L01
ztBUw4ds%*s_+6aMR~pMneD3MM@S&F>WC4F3vB5n-_P!CaFW~HYQ6H{#=i(EaaKd@x
zE5UQMY`(#5YE3X@B)N2<G3w~)Dm^k&G4WT%A)RyKtFA(}*OImrAkr`@%2?quhy9<`
zIlEW<B_M0-+NVrF)FxUn)*oQpb3Re7FbOSW;E$(9h#BAgCm@;L?}K+Ymux^T@vx^`
z-(`18`*0|RqHaB9A?04}Mn0j^4d8oJrvS}%0mOiiaLt7WqYSOJZQ{az0-9%AKlo`5
z=Z>r_cSUy=yU}4JuC#8l`zVZH-IRU@jJ4JaWeNKOzuT;}Mz=hRu!mBC=96Ggly`M(
zONG9o_>5;S@TR~Ct2yqwJwM!f1dKQ@vE>o&5i0M))6J(AScn8C1lw$UJoBL7bd}B;
zcnY77lNu<MO@ajyr&jMYw%uxi-A4u{1cDLm{nY&`_=sfd{Ram$U)bs2XvG{=xs$|7
z8whxm@vO7($Xm;!fG=L4-EJPtOK-Bx$Ot(E5C3_IkJdsz^32d$66wGiakMuqW;p8>
zzv!D&+j?MM8IDWB*FJl2^v)b<W>N$TQ*D)TXirWyNJU@psIfC--;8YcF*d;L?J>?>
zp%iX{*&umjxF%9}4`USq$k<b+zw~*;?S69LMwFN>{ptL2uTmR56;I#;Mvy^=DTxxS
zsG{F9T5}n2!(`ll9(wQ}5LTUS6CZwvg$Da+j(G`lXUCjq+DP%~Zismqr-bvv5|?Dp
zq&Qo>Bz~#&`XXGx2<5t;;hNFUWwNvvA|d8GiA>Le^i_L2`z|!WbdVxIjd=WtA7lRu
zi<=%qkvRdWjH*E<CR~~ThmVI*bw%A>R~Ni8*pGT|fOa(r`iP-U;4eD~u-eYlRl$Cm
zBbbB@a^l_ZSYu&3-4<q#N_g@_*3-?ek3n?_u!<IRc}^}<uGy+4@%X-#*o0;;=+<Ch
zjM=|$p?@(<Q^AhY@6j{R3nIY=;WMLgVItLLw^9OmAe&?H_WH}QatArYx<*6rBr~2B
zCZUR)$mBCYlw7ds(SX}|uTteq9p6jd;KKX-{DE~Ik4iI+nUD9nFtoj2UAp0Bmpngn
z-`8kTl@Kv{DaU-JqIHX)fbdDwNjC2M6)Zsk4yNmlt=??C>|U9IYvZY~J!c4XvxV`j
zI%rJW-PeEgCTN%V9cwPr@1ycA2UmzKT5;$ok<K-%E=vE*@k3InQ3Tixf*<xF(ntQ=
zyw=WPEZk>}skn&OY=YS#GruMk;2Jy_f>q({oW3O^nspOHtQ<t+N!Sa)KTnKc5*o;f
zCjtyuJ!s;coV!Yvv(OFw%FK`KoD%iGH(EJR+#=o@VLKDAJ!y!{o^_63m)c+lM{lYT
z&m;IczY*J6&Uzc8=d|ESDI4%{0fC8^{G{_r(&n>ZJ&-{XOok(9^aiN^H$D*I^P-Ym
zo62u_>Js?K0=CoH<ecmhWp0cPOrw957J5q`tr$;m0vJc$O!{yGJcVS(WRG4%?X<}l
zqt#*Gton5O7x9tCO~CAEK#qO8UAnPNeDAUdZZg!nNwg#qB)k%1-shUJYr!)R3Z?|y
z@SE=Z?vO!)3q<|0SO^UQ(JOycn;Bt;L&X)rVpLU%ji$AF4QJ5-p>BiHUo@_Z=M8)a
z#x7<glotQS^BB(-)|`F1%`WOjjXW?QiDUQG02?#SCZo3>&X;VzLcuWikQ34?eDa*8
zz8x}8!<1rOBs^pvDCTQ&6X$a6s%>+DYpWuhKm}x^vdTZ&2wqEUeN`z$Wz?hvvD99c
zoX$-zHp|h1)2?00yIr$}nH8R=7vy8A3w}PEwIYeAOAkzZE|GW322HOG&-g{hhp}6{
z)g$B`nS5Oetw4kN)ox?#DM#`~Q6d>(7)|7Xl5rW%&V=9?>5`zOqg|{EaTw!XNl3Sq
zk~`}bbU)cvFqxl+Ihj{N9Qv!X)OjdzK9<hek#yTT2PcPd>73Az&_E|^!kN!1ni1j>
z$mMd=b#!cT0o647Qc?28tK+MX@WTu>tZk4G_(<c~nfW6@PQjeJakm4<Li!w*rn%S>
z(+Bpyg^o6B$q%B03t=g$Dl4;jrZ0?Uy@Sx!J|k9GJp;|&FK<?k-Gtf(@!>C1Q#7^-
zhnR2Mv)TU{pDbbA_N3|8Z1OJ-;+^Ast<toojZ7o48#hVRnM1}R-#qHdIP=rio^;zt
z7cwm6e!()ETYHP(hVY?TU@kf`{XQ4UA1C|FYEg><@FT3*t62FFpSZbcjK%^Z92SVe
zB@4M*=63&Vo*G+S3Omebb2DBY3CM}WbI!!r1_^+V90SQc6WM}*wMCw0@o?u2rY>(U
z7MHm<Bx&VSKedSWH=Ye2`?EHjNgFOVLxRRH8h7);YhCKuOC?|6CgRj5gfHN??Ot|O
z?b#w_06kMjFq@-23I?=ZR#sGsVNu^6&7jgo#0Qx7uZ|w|w3)TUf_#C?Q2{H@0|Q&;
z7+TS`IE`Vyd+@pD^j#fT^QUQ+jNl^_$9!}8@l85%x=H#Kf6S=J<G3FE4zU}|y&)3p
zAj$L!Wv~(nAHQkW8%RyjEE9}>H&PYT(RX96?!HEoQPD1X?vsNUV-EM@y<POnOcF%#
zd%PFzo@%*Y=^!tCK~0k*S9bZ>qa)Pr@4k(dCPRFGh{Uf0vrUf3@JUk1*sM{}I+uD{
zlW+r-#&KYAS=|zcOyI)<Gu1xeeBil<?YG;=e_*CD`?pkE`<MH5-Ni}xz>OEHUQ0LJ
zhEAP{0FoO&oF@HgRNe7Tv`<Nib9=rv5OEm4-l11mnBHjuJisi`BVV;tv}am=Fe=#J
z-Cpf=oMuj~{6;Pl@-zW@;Ep^s2@bf86kqwc^8j}s6_RfmiF2`?Zv1(k>>p$X0J1?Z
zrc+cgY=V3t1v{6qTH}Ny%h7lH5FQY5(~e382otyi%gSwYF5Po2sNGSIc<qGzVO1Ri
zq<P=JLBGvoSn@Q_;}-_GVc>DG=`oIfs&v#nfORRzv0xYNyneOuQRa%nX`<D@4Ik6<
zOChH~dwD2EyZ5L6g}mcD6H{zcRE<udtxi>KT~U&#Ka0c}Pn1sB`(N7@uNnX#571q{
z`u}`|0~gu{MV^a!+U~V6{Pn$&Qp(2_5N0aDbW+^^7g`SRK2;pFQGX7JgN>ImRh6@E
zBdajnM5o@IMt8M;)L;MzL`81R6vK~klvK=|tlz%`as_J6PjC>(G<^84PTWA9=J{;i
z=?|(4zK(&^F|f8vX&qO<E@Xba>de0iV1Z$vH_iar?a8Zc>d^2L<N0|4o9B#mv|=e?
zzM07fa1QJ#_y9<}Q_62$9mSPh2l?&fYA6SBc`AzCaa!kJp**FzGHv_H?^5I0A9Xb!
zsg4AxyMQI!|8t&rc5h+O>X8wQ>ZYFMBV$zxZZ)nmZ)3OgpFjBBe&ebkGHk2(V*btC
zn>R<>Uk+Zo&a9^#(A8O&_G4nc^Jo?}BD*@#)5$Y0<FY#Dn-%*x;=<c&B>YtG?*5I;
zXRZfF0ssMy40KeKX4*JL>zp6{;+s`cRJ<Tp6SISsY?^6%%$t3qnWWtpg7L?2ZE>o9
zcpc=X-tpWxw6}Wth~A_<WcD)qA?Uo^=jiDW?)m2NCxR3LYeOmFiuQ~#T4eo09+_mW
zZ6Qv3Xg#GGkC?wUQ%ZgtB<>$vkbai;B*;T+E;?kD!=|Aw9SP3<S_xA5;>*sVna`0x
zQgXOdY&(@V3IF-xeSYi1$NKW^E`Tqw8Y6;ID&db^*Dkt@M0qfR_Hb`IG@}(rxh|9B
zrUZPjTDKeP^BBBhaF6kC=uSaVXGqX7N7S*aQia!}RXfss9uhOnqAopqihgxWCsru#
zyvST%p@|R)(cswE!A~I8w#PAvd1SAHxr+Dx##EggP8SyY;@FX<B){KG)}VCK$SYEJ
zn(dvn3;**JWPgrCbjDl<Tv7OFtt$u!*nYyPX$9>-W?6$o@T<*<n|3lu$(N1mYNx{Y
z(dz2{Mp16F+TR-+t^pXxU{^o-=@R$RfB*%X>s&y%^vJ&ktU4@=x@hEpukzlUM*=Qv
z=Kez^|4<Mv`QB`6DMj|jE++bE{^ztbr4ET3$5y-0ogJ1_t4s@>R*F*2!{gvbIbmh{
z%PI@0{D4uf41~W=Tr`*j&m?tQ)I5wI=jyLMF3t6;3fa$|Dq35K%{2Se%KC3+eFU8%
zdX1bU;h9kOUhdIDd20CH_FO&xUtb|k6Hhb2PJf97uXfcMZRD3ee;ihH-XQtV_K$P~
zkfLwdp~Sw|X^MRn+%Is^j&|*bW}J?o(l6<@dLxd=9dzcV^TE2%zYO0{e{XhHZ06dc
z=y`OF|JiH`{d;<kwvbtkIF@fQLsw4N=c6ykSh&(CcIo)QZ@E4gb^rcQL=u;T*>oxz
z?STACzl{P*nw6t{wo8Xi`UyJSE|241Wqr79VeA`M-=MVRzVR3LVKVwPyXwp%?yW!k
zj*O+PDV=qWBUM1?n_SbS5lz+|CpD}CYM7CpqZ)!1MLy>ja<BEjTKt;S9k86O<ei_j
z{?}Ds0rw9I=SPj_Qu#aoAO>SDTX@xG9(yXUfM<pyPEc=1J%6-#bd64>S;nU@i{B1b
zvFUnDzD;3^KUehm#ZRnuYq-iH=4B2zin~QTk;cF^@NG%-4%+&`#COF~))N}f9$3=&
zZL-ToWPMPNRW!j@o~y{Ka-!FSw9NVY{+PJ>^Q3PmUA{MWD1omvCdaUl7nf2=g-kt1
z09DS@`FZ<)R@R09`zGU-+AWyWV?P^XA}#6K^lbrNG3ZBIGBoI%^eMw&qB5Ztnxz^d
z<Ma3}GGw#QXvtC%@ReZZR;#-F^~7rN7RL_SU!yHzg+}04BGa1!YUoECJdw$$+}(F+
z_LO}00rKrlf7!LOC%E}^(UzoR=^Au^_PRf$D8vB!x%L;(*sqDo{QdR8<R-J9S@8#4
z8*#kHP`z<q7%reW?bF3D-W_yGh`@7N#~2pX0?Q0+x9_=QwVH`E*$#ewf;yqEvmOXN
z!YD!|=N(IL{`maNrLuO=x?O!+b3oknjuWoW&RB|SvL5c^{)m8M1&p$gk<~A;dO&(z
z9tbzDxu%mU54YQ`+5OyPzcLv)d+`dsyz<#I&*P{#Bd?dySc;u=vk(HHdRBo><jN<x
zUx_^ZwYqJ#LI9jflBmxKfBp%BF#vj<WO56ixOyziu&I2XJTKZFpn7L@2R&tZ#Qt9)
zT2ztRL7Oz&1z$9o-8qL>l3(WPOFnK>gkH{-p3?-o<J`J#LTBRURr>XOxSlfw202?Q
z9Y>{8BKal!R_#gXLPgwpDQ^9od2%zs^@a9RSvfOlbiVhDdq54TSNh9N<lo5#M@}Lx
zhtK^EXL4mNQC~L*zG}&Fl?3mZV;ghhIE6iBAo1Obo#gthVr@Bz`~6RsndRR+1VZ=m
zwCRm?NjU9N3qcB2zC|>BC&*Q#xTF2eTdK(nz-U9lFC?yd_Qa^l<H2)M!}_DV$Ep18
zb+}(0IdxX{fGSx3s8-<iawt0u9nJki_tDe`0THmJ5n`dSf9lR(7Pr5_`-f+9pQw<)
zBdt-2nACSHCPfNK>D*Z*UkOEkBg8`Os;Z~iY5!TAJ96te%UJ7(thr;nsmx~(xpG|N
zS&??Bh$*ha<2eZza0Sp@P8HA*0gvzeMwD?*zxsI07VUamOJ1GxUuB%_wgk4f`Cy8m
z*1>Ug!TceqaMSMq?~uC)uisgHe`Ui$s`z7w;9hgIG{vZ9BLhZPFOa05t00IlYBW}l
zFjYMX8wKgQNvwAZ`H6G%H5GD&lj8VB^W6KiAQ%UK8t)5fCkVtIH{VjqEyLGhgY;_U
zO3{zvObU)Q;c#Y|d$i|Nh@rI92P3NPzIm@*YQV+46Za=gM8F4T6$5V1zA2wdthJ3!
ztN!mKl)nSAHm;^=r=2b{&>1KTk7C)iG)j{b2;3fNz26@>@}MY&=-mG@-RL*-Rtg~S
z$cM(_O_5VUAEwe+vy<use+xy7JAbVJ!SkhkTYx6U+=2yNw}fy1ZQ=?9w>^(|F^j&j
zXajKyyV_W9+lgaNv~1iV)~N`rom2%=!?m=x@kdGoTvs6X;g7j`X3=pY$R=szTw0bq
z)s;E^9kfzW%{_y`-}LUC6X*%*<)J82H&jgWDOXMP%wM^))&P16EQF=s>ltwG8U1wF
zJ%i&tZoGh!KKxg?tiOZ7#|D@lxA9Xf4LZL~ZA;ST*{9DU25XZ;7oApN46Cn(Pm7n>
z64Dg3EL!o>{7~tMt#mV9`?#eRJ$FT@R*z1M>a&5tAa+>&AIYZNWA{ngwvM88XdS?(
z7d695KZUbS<e-9-`_PL9I>7Z|-)i#00u1rp6LVY^4{4raz7<LH6GC0Eq#4$&*1H_k
z+8}YYPH|Z`<oGydcO@G#7ok&|mw-f-V-D=)_1vNLAHKbREM@utXcm^kM}dEcr}drC
z1TYAINp)KEn5M-4OnO=Ok?yI$k$_aiK0YDr)QF{=`-j|Psq%J^jcE|<(=TqlzXADt
z&*0DVOge$d@p#DYtw6=2%Y`KTn&SiP6^|pzkhBY4&^zUTM?Ro*KbbcwT0u6!&z$ua
zHJ8Mzfc&d<BAkQ5PKVz3<ugZaxZ&W<yWo^USQ&3hxDD78NdM?l*_QmjsC9v;OO$ki
zSxw&ba8rb6#C+U+RU2NYNSvCA&wX&h$_zl}B%HpfZ*i3i*>GVu`)*{$Jp!7Jeu!VF
zWA|U-n3X<;C~QNqS46;e^UtVxC9ckMS_19sgdlP#x18*Ebzc*`^hNzF)phY^6SnL^
z`k(A%0gUP_18TYa3Qy5awxsFPGGzy`nGi8(|D!W8>t>U{)Gu$e**OEaJlT-keSn>F
zZ8lr_#~1<iwc6Xo(JMa-fa%+1#v3oHk!2@Xx(QM!D7jSS-hNCZey?{5no^DF0$jN(
zHCxlTY@E27l?1A*;N`t_OBb&(r?~lhp6__o>O4>^rc{)&I6dz784^aNd(dA5%+9%g
z6o9$tH*F3iH;FBv^d7D{AzbW0;+i{ut^5|nVga}r{L?r8_G191?JjQ@uYWecXZIJl
z2*#IeA3;GAzm=Bq72Y6dT3NM^#OrRHs=V7K%??^msE`ze*rS!tohY~bBqCvHEZ3n}
zdEQ0&G-zrdXd9AB_LaNfkmL(fy*@HqcQ}BkJrK#MuTBZT3S22(J`p^SFD8`3zSi<F
z#2znx6NoQ6Spxs2p(#**ogR0^R|wcX)4}8qYVNy0i>%0V9{zGYCEH3N5OOxW`F$8-
zkLU295-gMW*JfjT(@OMo>+^8|Slbte*t}Lu7zxz;VeBUL_bklj-rm#N)9SmKFzukz
zW^UQFfDR3mYKDqqo}MLO`<@9)c-&hy{hygXK5;ENb>CNhxrjxGDuW&)OnJQZO~x(@
z!e5`J=6yw5QB%*r?M4g&*0rYX%T(I|j0zcSZ!c>3?#T_nf_d#@NG~+V@wc$XD2Qo&
zwU9w|^~p^0#!%xCtdRN?>`s8&#D#8@s(%!lPuFKwsT4pc&ucB)K6W0cI&G3N(k)<{
z3zAu4)?MaHiEc<faQiI;fUQ(5{B5o8pHc72@68p5lKbwubUumdIZf{<4enV06w%nI
zirzehdzVp=0yWquG^1<lbi?(_FL`&_<EfkJ#l3g7Pow5UmiO4H4n~~mgd-H~^C(=G
zN_v>{o;m<LYV*YEw*PB48D*ewJbt%-lsV1rJ+fANsSgMUP+VWoyqq-qz)8FDK(yZL
z)KoAvT%okr_(^%&ri0cHP=FQU79yDQG$f1W-0#hEh&9#Uit;K#X=_~*mQKf_v~t+d
zh5K3^{<o2;Boo3&<I8AT>1+28V(HQnCPeS!CQ-7IFCXLk$CGk^Cp2A6+m6UJySGn@
zj70U7-T`>~CT*tJMVuCHuk+&3;=)2ZurjGQ3=~=w8L+n;5BdJ7h5qQ4)9a6WDj7+F
zFc|Zd)w{}Cbho!Cz{~Cs`|F7?#&dN*gm>&zC=@Me8pLnMwxv;O^9;O|+r9LC3JyrX
zemn5<5J=ofPYyF**+GAMz1=p%*-c^OGs|e<?a~gg>Cp2J!QmeS882EwChHHz8FlF#
zB8&AyW@J}TR_k^F9}72<RQ)MV2F20wX)E*x=S?EA@)%^<UaM6O0gld@@W+h(qa`c}
z2;8$PkRp};I%Sbs8%RA12iUx*#jZd5E%f8$ZV>bJd$S~;)B<o?c6f16$QGC1)bVLv
zv586l+n8P)uj(F7FOn|7mvR@_J+odaoCiu5tVrn1$dl4KQKds=K$Ud9IAwO1Mw9i9
zjyj(0yIBn&9)I3MY-@Pw<T$-)fV??75?d6M%lE{Dvu}j4<^Z19#uWr*YgE4fHIi2Y
z*c1}@rAP$){#-gy4K*cgwSv|35{8bFHq5BYU!E=laXdR{VfKbGRui)>?&><$=uV-S
zeUrV_BI;G~_oj^hHk1qgYj&MzzSl0B&^wB~3pT!z+iAck2xuEVvtMuudcb>NhPy=v
zUEhE31SH=pSm!T$V)StA^MT2~%CKMm7~-DcB&g3YxV|7Ryw{8@EdiP;0QUv+bM0Zq
zX^owO*X-(?lo%rsqQ;qXb#{_h_jSv6(DE>iUY4h?`%ju7ZV>pt0@?T77j@wx-?nDn
zs*qO-PXNVnY_PVu_HS<*j=Z&IXAsTzhPLX-mUvO{_RO`VoexT^d$xqpqp0SWrr%FS
zBJum#9rSELaA_z)G&aqaKk-mQoWBe>a^>fnA=O5zlTLQTa6Ng{JhmaM3%}O>w${;#
zYdhk&(t(S;%PMjLr|te9&=E(%W)Vj|4<8E)YCZ~NEwMPZYVCtAsx)ezSiv;U9gGBw
z)rGIn?EgxPfX5c|JRk&XWxa1+&whL=LGs6%z)ktEjn#v7Ra<zq>@G^+SUI&QBAY)Z
z{XAW;*!@~U4n-WSMRef_B{h%qdOXFBHAo)uECv5md+G$N#n9_(b|`(_m{t(uIqf%B
zuvY8;9lJ`ZJK8=AG{;FxXdUlG{(OSRuLio7q9|>O%o}ciQt=7vy?@;_cyeGs6;S9-
zMJuH(`8z*vEx_LkO6(nPPnj%GH$Eo1Q=`{_kzDx=SsD|k@LNsehntMc$10R<`QS5W
z-XY7$c@KdhgH1ZpHq$+{6ta*Nt6Kc~gk&czwE=mg)OoT%+Btj-Ih6DHp{ENsdRDWv
zwl}JDJg)Q?Y|tQ`e++%0{=K=+ot+V8nY8X(6S$Z&?<M*M(2f$;iAm&z)7en+2)K|u
zeH{07^Ii1A0=j3;E1&qpf!4_mZhU+={cp_JjeZQVu?^Dr9k3H^UA3V``1adoGKb4g
z7}_zDPq%g_@sy;h;P1_Bk1>}Ov{)zaqih8~F!OXAH^p3ffcI1St`pq*fy+0cth+s@
z4aDejAFTkdlBtp7Jrd}j`GRl$^zU^@hKvO58+Olws<Ezb?WHxae!T>2e;Z4PfqB*D
zC#QsYe)(Xet$#*!@s;fMBPfxxi`Vb?xW3W32-Rl7iBUD?VZ5b`|B|^b-sqlN$NhfF
zWv@4+ZeO`z$tyg|CslR|I)02ocqz!AAwH1rV_s!vi5x0BZm(4sYP0mxi5NR6+#x?&
z{FNWG=YWijwrJeN4F0w`?$o0a9=i_Oj?*$9FYe^r?vGw0WYwJ}*QtS@*&Y*yA!R$R
z9qYAtqFBd|QMYZ)8TP`VHJ|r>tzz%#jRM?5ppFDXS8`9`d=dJ+Irz|Sb1xP7Q&O_V
z)35Yqaj_0T=PiyY=F-U}NFNV?NeoB4A31n%zP+QX)2_7|`=>;0V&7$aG7`z{c=BRZ
zCG_q&$x>W(IwBS6$SBz^`Km*olb!@;7}f0*`e(xycAkWpj0^G_pL=0MmO<GxN#BSx
zKQOaRWidJb$9MEE_X0wb!~bLo+7;R(*`}vOm-fn`$5XP|dSldZqTl{Rv~6_Hl89{`
zz0dA~<7zzhtl!VEAMf`JbZ_e3=X^RX-gnxA5zEf>A_pYf=2WeMS#9SrhiwC0#?H$7
zx1Sijsp0y7BH_-N3A3{VO=V+K)g6&XzFnb@UG^XR%PcdLH10Q0+%E!-JJ-A$@?_HG
z2_2rE+^dh`*||^#SZN;Dpw92tXSl@43VAP@TE6>ll~3>LTbg^<*R)KY8W(Droaf8q
z<q%&8H!KXleg0y&p^9fHPh`-_!ThIP@g9uxGHJtS_2JwX#eK6h%Gl%Ux~t`g$TaY{
zQ%6EZleGPO1$NNr>qxV!Cd>3=@PgsuANwpcBzSR&2aNoWO~SVja7RdyYi(hQY{>U(
z)54t|%r^Mi**80ik!>MGjP_RZ<!%35C0soi>1k#m+Hh-k^LcYi;#>a6^!v#j`DQXQ
zG+)~1{=D4G|Fb!9@-yYpBA%L~GL=cFq%7DMsyYo;IWXI+d@$)aDy-~50yC1}&f|%;
zkZix8bykfBJ(KClTK3WdvA~HIvkby5!4y9G=<Xf#Lk6{$klwQ0Pnx=zZ(oN^@4#Va
zfk&>Qv4L}zKiR}ijKq7Aw~WQ;4gLhR`ne4^tSH&B#Q`sUgPFoYYI*+mPmlYS_%*>;
zwZsuQS+TXBZfOuWeH(ykCCY=<YxQRRp_$WxS=F27@6EMS1Ks|twN_7$%*XPtZR^DE
zpv719$LXz`xK04|b=MMxPUVwf7rg{!oDL%wZ`(JYk0NO+%{I_S_+C80U{Ky_P^W1y
zL`2d1d@ZcataO(X`{Ve)qtS?k_npxbM<~%Ffw2gWHM<fot)<JCABT)yJ#^irIcBS1
z>5Xe|1lE3S+riiEx;)f@cd3Hh8`D8alQi*bup@(lV_mj1e>5vNA*Xqg9{p(I*DmHw
z%<Ah=L;W%7de_4^;KmaBhCU*@Q(@xNlMvwrNmkCDS-UKBcwLX@4;cLyr<qj^gIAsZ
zYW!1S2kkkr%ZwkpCr6x%AL;(i>;cdvxT0Ll+f(rbD9gt>FvRkOtqwk9DE&`C$_noN
z3g9tmP*}hUbh-7^(>B?K9W=8_iGK&^n_nZwbNxZ)q&8rbIOk5i_3__vpa0uIkN5}q
zpEGe6Amk8>@9G=hTDMymNnIA+U*SH1NwAW;2`7^w_U8f8y???_xSuMM=|13TP%uV7
z=%1%;C#oHER$XT?U}P~79Pm+e8lwfkw7v7dWg^4i1g52XWNUV2cb3v#A!=hhJ4XjR
zamTlog*xs@XY32aiBa+xaEU~c5>{zz%iZPb=3tBGj^!cQ;Dh(TAKm$rs$f&kk|bPq
z%)C<}-<tgB(s7sMK4(K89{O4v1$|6OOC_9`QOEs9!q~w>_wQm*nN`mm%<YzDVZ%jR
z{ob=z>Ur!}xlaML*J+h?Kry<A;A_d2U13lUCScZUqa4DX#r_XZZk8Ri7A?=uE$lti
zm#NIjl!{M4?0hSM1v|y3=efcK7mAJ&jpta3$F~#OQrB9gHR6D#!t2#>|L?HZ)!aV_
zAwS9|Qz2IT+eDAS>y1{&NNrj~?(+Q$9P4$S1YQ13CmkyK)j3}LSr5G6n40BTih0{-
zbfG8R85su1wtK7a`<|O?gdh@r&ZWa15+YM!6<@@${W0l8S}=gLq^BO-UJ;@E5UXfN
z`s}{+73hQoe>QNDQgOpc=Lwqu`~Uhjb>=h1r}v+&?X$JKcT4~RS9-Y`a5eI@FiZad
zD-rNB#~=H%qa(?Y`6b+>h~q}zYmvjOruF?5pFwuuxba05r)h92wtHW|Kl@XG2=qP6
z&u7$^0o^+7JBBWx(HEqzyVPB<^<?c!RS-UYJ1?SY^awt>YBG7!oc6-sn}tGb{5wJW
z-SeNv+~d5_!a$!>_&ch!ir`O9yI@5lTjOR8iA8Knd>%-ERt1M2N7V7gCU`mgG;Es3
zTIL$oPsaXGd^0=Oxn0rE_BZO{<_h-vtFKQYa<Ae3;U0{O<4A?1^d#woGZ?fTEBR*0
z;m@z7H&28o<1rvSE5(Odckx0T?8191ESX(8z+uUKaoTxCr?M*fEpd%Cd-K+%#!x3b
zZB)<RcWPdseQW!gLvVlGPgON?=Q#=a5~mn}@I$QsS`$_Es$&2$3;92yt~xC0<$GTf
zMS-gbN?$J`4blzQ0trF7S!n?Q>0B@f1p#T0l9pUTI+hTYkWNVvmu^^c+5OFjUB16R
zd7feB%sKCQ&zUo4J}b-BvwD;;djegnJOCx~ZmBJGrLs=@Y@XJYRx!^zI8IwS-J0>M
zrwB;6-QdeWg+0%()(|nc7$}GqhHyJB@`LwJP3$WIN=T?d2u!y;<6LP~p18G_QAAU4
z&n1-JEiw6#+&!WmT>)Jd=oU%u9+AZGbSK7%H&#6O2gkW8ndcSwJof}hEaUrUaLb>h
zo39w>!V_f@Bv4;FAxN%T3ySAcoC2vi9^{^q%spq6%EBtyuZ(!Fc~yh`yV^gUz|au~
zjhQPp(f;@zsB&*edN*l#<j>8W!Y5emv4Q7qA!h&EnE@!KjV%o?$5}J^caNwTyf2Lb
zUNWZtWwR;y)Jw?I&f;B^2I9Z+U0|dD7ps{`_Wu82wG|A?;5WyZ3AAg4fE4-CJ&P}E
zOn+|hTkdW76S3(A_>BK2Hks5fq%tSfN6OW+72!8gN!4gC6;>Q43j^}r_q}8Sv?Ca*
zFW{D=rb~~cjlFDK7JGL0yg4@j0B~2%m1v(5xIDl=EuYNLo<+-)U55Xf0-j8r@{jwM
zpCNmFr${RIxQrd4>yt{mH-x)fKXLd(O*G3cX13A#@!^+KAg#RS+kh#?FkTDF+3is~
z{5D^*zs3SQ@?lL-SmVzE!rm6YfW6hn9Ka^dP*rNc#J&lRC_!9_^DKk2PJhlJFu+3~
zlAeRN2BT70EFy227dJ%*d0X?MypY2bEiv{s4+4D)?xJIXOc@C7BVnQI&>-d`I^pdC
z|C$q;5QpN9%RtPZW{o2uq%@aYf*hnuh629B4U$uv2xq>*S7TKTY?R9IJ2XRb!bSl(
zfq&e&+!kujpBk401t4kRQtBFKEfY#-*(_ck0^C+@t3>{T=)(kpOEQ##s59q6uF|OC
z)zL-0O+E8S0w5_=`w7omfp6`ERL8afT!d$nW8g@7WA&i|rg5J+uPg~G6;by?CEnB3
z0{^_he-<teSm$uiQ?5#in(*bx!r2bUz+RE;#Ss!PGHlpuyr=Ciu|%y0mgp!6b)TX7
zyhlODFbPI!sZ-pRKn1S3)gzfiX_W`cxizr0H2|1}x5xK*@+*V9NQg2qTmr}0bnoMm
z=eg#$){}xir%<W${#5bA`Z^8~qb2RW9FY5P1n!+ulzDj_U+e84r}VS}|B;iQ#E_Ud
z9<I=BegjyF#Q(cCbGH*Cb?XMr`jN0<DSqSNBGo=QfhLz_U?S|7wLd6cfsYs~j!MyQ
z>BX!=nX-b%ZD#5^P6Fe+;RUyqPN>?Y8uIA~bw=*wgdG})DCUKyY5$)n5}q{rJ_R4Z
zIh&=o#3fLM{h$C@H_5)lCkHW)A}E|;2W)Q8vEs_}Tr`p~3|~1f3;~WO(aX5gg{bg1
zOw9WTsV3C^S_0PxjG652yf2g&vtvfnhU$%Y2y9wzOpP5;4XK`?+Wg5?5uocF)7x^P
zNG>ee&!847?|}6+CydJh;5~HuLt}t8NsavGDUfz=O~;HTLoSwFX7LRkv9b#*+k~z9
z%e}*Y&eY-4NYfR)U4UwtZ<<mB2blhg-pN!)!=tN6>se$!3m`f4;_QZeg#T#Y{cHC{
z9O^y*h<A?IFeU~;!GaF_$4mJILC?_(DW7#mX_7E&m`eusCO~$nN@W&rx0aJZLq=vo
z`-tsMIR903f0Mp%cCYRfiWKi7oHGXl$O<4z1*@r51J|4i`tt(RxE^hPl0!L&2nFL6
zv;&duf8*zh#(jrC+Rq7*g@MC8Y59^*4C3Rc0a<Vv2jnhn!PowEI;za~nczMmhx@K@
ztA;U`^X`NcvVqYZ8U^DVhBHB=YKzsbwoq)UV7Dq+r=%XcKmQ(ABcgoH6bL@sP+6M_
z`6f`)A|#XR*xrTRh2mEv;_m&uYn2s^wN&uWp6T{$yhVYpLFg66<sHxFH2QMaY|<r?
zn2Pr&Cr6b2*DCS#w?k#dloDgF&ArnljR76hSo*%-yUu00=~5WtNk7G00`!olfo%66
z>Y@Ls{`G46`u$7UOhq4qM(~Hb%ZQDfc%b+3D`}rsPG~a(Z*6}A>@n=2GNwU;CZ+Hp
z&mAq4d;=Gbb8^OyR1u2ykO6J=uNUIP=7pOzXxIy#rj2&&6Fq+b0-pTZ=0;)y!W5)a
ziSj$npD@;;l#)8FFPA0F|E>5Pc?W2IFVtvk;40)bV25?={lAd)G8wDeaUAK{E>lL^
zZokw8Mj{4}=1B??{E1*#`x#-hv@<`i32G6j{Oy7e@$i#8h2*IK#c{~#pm8whhmeqi
z-KEa=CP^|qvDZZDlED4~^?$!rFeOM;Ci0pVJ2E8~dgvp@U#@*~RQ%W7siV?;#Lm|>
zdkXzi*#iL{#{QYVHm&)aMJ)5zsGJH=6`g{$MS@%5%!H!r5n>GdOB*<EvHFuebo)ft
z&YpS@^zpHAELaaUq8!#x6-)GpuEL9W%(VYIfOhjgIXoEw4ELQ9!6;Uev5C4cqU?-7
zcIy?(o0~cD=2yS+OqhE|mqR{p+3xZ32Eg=*Mvv!(4HcR~TS~3!Rdi%cm;Tkv5d=QC
z3DX_2N`ABal(67AkzG)ZC=$5k7Fzl-c<`}6_K55vSkPR`eEll$A>hp+_`{W)87q0-
zvd3LnrF@#QY)dA4J-&6<K%hZ?!8~=^IibD~e8(=b!PjuqZqb*otS(WlR$(C_8ai`z
zkL4T7szNLS)bJ+o)&`6>Bt@N6-Fz^aJUG73=N43;`^M+>bCw8ru{`d}$dMlpX76dX
z_AFi(i|qMrXAL~3s#Ap9_aw0gi<v1ltz(Q3DfcvGOBN&iM_5;&77ej+uNJzijnFwM
z1W)V!{2X3r*S8t<-1??irbbH2?^m*<ZqcT@p3xkzX2PJ3pCCcRxG$L`@;35UE5`cd
zEQwDPw}DGZatun}h3F5CP^xw8WA;Wdj$=08+5ONS`Fn*9$n<W$RwGZ0;94UM&FuS#
z$ak`utr|3&8O)#kYD1Tw0(Y3_61jJwOPBxz`j?7L$-QwZH?lfLnU5#@eq5`Z`VN*W
zjD!a#wGf38vz1@aS6nDLuWo+h6OWViuZojFTgWx({oNDBhIC2dumP(nZ0EbIZY~+h
zqc3QBZ!OCLC?R9EH;RL(%mWxer?^c^_GTOhv#E0xy?Uo1lqHL~_2jAB854kx{u^v>
z)$14PavX=LhVwy~wB!eYHc%$&-hME@D^Hy298};UhnokiQ^xfDTm9fC=MhLVK}9rn
zH@f=`5uDqj5gSS)#Z1Z^W;7M4oKtIitlcrQ#*RNkkm$T~r|L9<IN?Icfe)hCQ6Y0u
zb<g1}OV}q<T;;g^Vg1t+z7{HKIEz~@!Yu-%aJ?%uaFn~S^2Z!px%`)~T-q05d1B&@
z15j5eJ50MVy{;)swZMT8;&^A+2~>V_qRRCj<rLzm3oqp>-^u$h(`9w+!VSyphTBEs
z{Q-P?88JbJYf2~VV)L92<ae6caDfn=@^8y+L6g@VNXbA|(SMBh;Je$+wG%QH8w74V
ztuU$-$1z^(QbsZ_)1YhwaBu~&cyNc8NU=O-fMSns9$9D>zl0ADX~X*|Yhn&0#HeYG
zp0ALfdV;^e28>y~L!?pTCwab&cO2h0Qpgh?bCN$bJULZ^z!p3TT-`setT>KC-^`^8
zZfnxVXbf~P8X-R9t$mrGgU3*9#papBG_PEF$dX>mFft&i7Sh4`GbcHR)8!sN0GAud
zKHA1hTw<BKbS_iPh33iJs3H`%a{5{mA&v$^thm2Xe1XrUFj0-w*O}#{2F26I?%==v
zq4|W*9pgYa+GTe`?UmmzpIDqPjiLi*O#tBbIOTCwH)De9>HH09y{(<bqv@y;vZu&i
zOq+-(JQ=85t+Cj==t{(i%9l%rhO<Gwc$ro4P}=zC=gei<dXd^2kQOpidd8_Gq<@|)
zNqe?AYDewe=Mdagb@Q4CpUu9Q^^;1JnD^2irnn}WXu!>z*pW7j1jwm=Hl?SpwP-(q
z?&!q+m42xzK~zJJR!j=8ph(K4J;Ollc6JO$MSWO|BrtPNok69oA#oTz6eOq3a!M|#
zo96`<PTMZqCR#yW8voQ5*+gzjaOF2pC2D;)iP0~o<oLeGCB{B?F-Umx8b*a?J7>Zm
zgI2Jf(^VzRq)2<rU&m_UPAspqsKA2gDO>(466=I5I_d%sl+tF4Z5j-5RA^4;6o1(?
z_|%ar#c@twW0Q~yU8Kf<^ZvIQRd59|?7$#}_OF0*o(DqttHT-7{%RxGuoH?71=l8-
z?`e+ZxTI%Y(VMLm0tn?Kuamk^_K+x4BM{1FLBH}`P-cscNWGeS)%qAXr)pQ<WC|%^
z1_uXQ>`23vtKd?}jq^iIoz9q@OJsFy&F>#x&{WH1%g>6<2<VH34%oi~B$=M)eoI@*
zI#+`uq52yP%8Np1{dD7<IdPk+5&#-I1F1`voyFfQmn=BdeK!h>fT}c+MpUa_)ga-8
z2rX6!Truj%k9zd<mwbgKGt>;Z*@Dvp^K5b++AG5OWRSrS5S@atHmK&R&e;AAXTqUi
zTmXc>vcdKB{p8OlSm2Z!1LY{|<h3Ke%(AB<O!%Sz`wK>(wJBMN8Q$YeAeapkQtU`F
z0~GGRc`Z_}*Tc#gvyx*>LmG><;d!?S>db@GSzloX3SE|eqGH;u9`|O?mOAEp{F;I%
zej=on(Kf(Mmm;hE9q#ff>VNVP%4kzw=><$&rFEd>uOLWNr=sWvEH;JLnO@yCPbn`T
z693)K87RtzH$>v&fC9nB(q7Gb;QUZ+vqYbm)=>`6a5+F8rmCR8{*pc|`F_E55yY|?
zk9dVialX!aw#YW;1!Y+Y$DuQDd3;LYQ4k_mujw!HbKQFVj~-pCeDYt=g+hOe^N%i_
zf0XOY67?kfpNn_=cpi&?-J$lpV)*$VmK#=Q6-dr3zW2|4ufsOgX=0ILFO$y-D_=hH
zko;-6US=@|%liJKPPD-9<PuRx6jZq|`yu_J$FIwNeCb9<yn7XK9RM1!Vn5FHjdS(n
zHpD<S)~|Yl$!MQ9YpKs`vWhNnW{|C(9sjZZaDF?L!JTk3rtRGRWNBVeC8j|`D%6Kl
z%zEq$bTEMx{1g**9wS`xHqLPDBd*}|XQ{K6uG!WN4Cn=PFM@ur60eR>(xiOC6)!SZ
zQC5v}M1kxWy-;j^ti%vAdlH{J>vr^N{@2Q-Yk1w-N4AGzl4XYtaUY%1|H?Y*#;45L
zEiX=~H%a`2_T6{y%r;=l6NS=bY9Y8QWON@BLe#@R-#d1UM8eZV`_pNUAy_bWiZi6X
zx{o<Uwir2`chY0%?@3lV<Htqlr^SBep^*=XcO`|pq@(@`3ASk47l8-@G4i75{Bi=J
zr}1Lo+%M#CxBFetf7AD0r0YX&S1wwB9h2-;R8f8V$^Mq#Q63yAHVusV`R_9bR~zDX
zs}1mti`%jQ(#~Ig-_)5lBX%_|MT8H2Bfq)n+`B-%B|$gd^(d?vblLG$xILcvc!MC;
z{WqX~>{4Qp5SUY4FeYg1$hsp6H3y0vi=ZA%-zAvlmLY${;ozH{c+h4?J4<T59>N$1
z`jhjnGHzT_UK1wV<wU#4f31(Nv$&YGw5wlAOSbo1qznu)4bBQiv7?FlG`X|^Q=eOH
zjF*+I$oMSc>)_1^898r`CVu(eX+H}j_a6q;(tAP*JXWfQ@$91ZU1b6jDh0y=nA`dG
z#7<yMm-Z*t#bp$h4H}cxFMiq%KUvWc1XqZ3#pdEB@W>O>jC|Puch39jc|~)mg=KGS
zn&Y_*5fsqDkgq{J#i`b}=&H@`lxZ5=mbATh7<6P8fRl32iUzVzzjW{t85SYD5kN12
zZy5Q-Ob3=3$ij~F;3HPoq!n)g<Fx+q;x+x>f^8SDBT4hZ>3_Z0(fo?Z7|#)X(+?ID
zie<_Eok2oSy1~O(zqKDQYS2mymwG`tQp4z~P6tuME?td7u0H`)g*gCK(>0Fgj|x9Z
z^H&r^i|9XwbY*ihZ2CqZp%;br#?EWJ_^a<Wqi*Iqd|P!ld8X+<LIjv39q0+_t_1Uq
zRp0SWNM-|<k(j<*!_F9A2B>CVWtVv?*ol|$;=+*um{@OZ=3xTp4imYqh4sq(D{F~)
zMt|O|yp@KXXuaPo8!&`XNKF9f>YBjy9~^V?l|^I>)9L3^t}PI?RN*ZD)$Z5~qop*I
zlDP--5;R=U1$S44_{P$QeJ=$FSit~aw=Sr*DZV(hP*D946~*;+7gA+o4|hVUB%vi$
zh;8sJzHD$H>?KO04i4Y=ljAZE)kW-dR!uHzloK4r@tomx<?UeSdOy(El@#Z3tU?E!
zGwcR46}kQ=Qb6?`jdYaq1ZYMRTHl9Pjj{cN7Tes9mg}3ncOnt(4XEh#O&NJZX$X%=
zYAp!8Uxpft9lRTyoD9HDu!vp0Vv~SLGKDH$_|U=o){#=W6m-@?CW*Q5deRegRP_P4
zxvl7d_tmT=mLx<-iVSq$hIW&#O7<c?5wUsp8r(A<`ZAIqqc0^W$Ro<vs6DeOL4Txc
zo%0$K@qXV&F7{&vPSp=|b<H`-$7U?cf8C9vj-Yk3_)!2my|~9e1jSm+(ebpgb*(`J
zcIy%8Bq%YWE#QuszgDz}9$pOE>VGQp;;yLsCuS60SQA2=<Y?Op?+`<$9qbms129dk
zxpMb3Z^<t0dX`s#6Bp3qruQsY>1ihmKKl*cv+h}RFDsYeZI>S5=Vu7)gr<bKp^~YH
z%NeumBkF{czO&oQR!T29aH!}ljDvIng(wW)zD?NN2#IFGUaViuqiDX=qoTiE2e;kx
zoEIE`Q4S{A#}8*}g$Q%y!=7!x21wnmOa?~&i7?V-U6DIsu!6Cdi;SKzC(ZsNU*6xq
zj!fg%KEKX+kfgdE=gkU?3S3~h^kFP0&=UYx00oy%Gy3JvL1WiW-}d?)0y~Y@CcALz
zZ4qpzi@ycxXE;Iborybls4*Uy-Za6GGmTHFYx{mU^|&8z@t++Fj2A*jwRskgX1+)a
z-78DUs29n8Xe~)(u!<oT<{YZX`XhREf8{hEbP4wJO$Y_9k!y?wVMLKUXV2h;+zPw=
z?`ewOUh;+SP`EeQ0^|8DtR<8i6K=mRwlso*Wy-U8`Yh7ohfLbsF*kdh06kCm3@EOH
zcM^onU51R;nzHO*l7G!L;NnNIQj(KVSfA(!X3A6R*_Zr6+PV8^Dk@P0`Cm-7E}|q%
zb=#r&VQLMbN$#RQXzVhAi#wN?__3zmucC;)1?5v)Bu7RbygRPwlW;z9A0Sg&>yC4f
zncvEn#`yaEzw+#XP>JrQKJ~o`8H9E_+!s)f<t-Oq%8<Qvg|@%GLnrZ*IoMvPfMd$#
zI-!#{3O3Jn$Z*Rckwf5hMK8JFw~hJ_qGUe+TP9_Z8{QhbO?b_*_7xCep50UKw>eD=
zy+!&ia?dZs$MfVc#q?AQe4``uZ|BP-|3Yf*XI%?2vB)yuubo|t*5Ng_khh+9kUw&G
z5JL<H4Gh?kcflfGk}b@*q(kD=v4;7v5LnbqvMpaVl@k1XEno3LnE@)A6;wD{23TX&
zD2t7nfK-M)A8;ZUiGA*v`)9BtDQp^5&&|BW;bZuTP0%$AdUSl4ZJou4F#i(AgdLf<
ztC4AJmLUokw%+(FA9_^gIFj*O2AsSJ>}&>@*RynWfd`zo%dN~>oLknQW~K?-CUjw{
zq1DMCb2uB|LhbCC9+TXU$yuslSA+H5=H%TeJ8DY4G4^H;YM3AS;s7MVnb$-^#V)0E
zl{u~tRAV43SPNgA{@!c#j?ho+29^_le%ymJ&i%-i#V3Dd?+*%!2J`QQU;)Zngwz3Z
z1~e+TPFr3&Mz@U`(MqJt8zoBH1M3;Ja~e@3{d)ktFtO>)0NvTDku1)!qjzFI*0{3W
z<oL&;G-FqJBtyEop2&x>fDajP3yHD!Fq~Cp-j0jz&TuG$>iekPw{S>!kz@`Zy#TrZ
zyG>PqP?DLK3zjuTKR}+Bk|SjE>okM9|B!SaK^dv=oa{|F-xoo?*^jG>kjmE*+?S8}
zi49~F)rM=lU`4OhOh8lVd{*GAF|KvceW4?=V(d?A{2oy*1dwYIkBfpjqk=QqBejwg
zP9FB)L$>A9iTwI*jt(5^KFWZHFyYsNqWE3hf>j~L_x0wQF<6i!bZaqzf-Vf?M+*ho
zMd?lSF^XBW*XpiHd;uOI`Q^FETCYba!6WLwzs8SYtN6iV1=-a;jZ(*Ru3q3FqQ|eq
zG_Sx@hYtZ=UDVbSygT3S&d$Hk`^^+zZUWFC$u_(4)0fy2v-KYYnSa;p7CdxhOZs+<
zOlhA&r(2I#&L7fSPGbYq)Wxli`_Q|+p<89vI@>&3)ZdmEIe0rnz;2w_Urj5h3GQ)H
z)%+zu6}9HYoW$a?i6)f!1eP<_(8I+EG%WcDa(KfGUk{~d2Q5LHwjGYtf%{;+(cKl+
zzHDMlKXfF;+01x|Jve$V{@cn`<BiM00JJ@KrP&{;F!2){lhL+;faQsrPK7^W@DiM#
zYxH}T84k8*Vmq;(3UeWN#0=mwmuJcPqpHTvH+m;rLdN}+D*=6~w9;F>(;_C_!#6?2
z3)#uXz*>5XAxvOBeIVTzDrOxFTz3)JYa%!o*=KZvFI;%!LgE8cXEP=1K;AuLR2tZy
zOlLVdy^4q#Y!1(5xV9npZX69mI=_r!nVRUe2H@|^39b{p6hwb_835jeKv<B%o5c0Z
z?q?#>91h=rndHhOYx4LA#BbAk>k`gpo$jWCT56vI-4!_@ZXbGeeDq+SzFrqQX%4Z2
zEQ;r{(0Oex+}!AnV|$v#K^}#_hGK;H-K7Te#C97(cc#lbkVnqT8i<DGh{qUj7I8-E
zL*3|-yWeL}YNznL`(y*AKUDR$=em|071z&U3-6OBfheJ*5;99}Lhl>A*Vw~XezcEs
zf0ssSX!kfXI6dvv)Mt=LqNY6@?;D@C6L#I%fb~#uza3D>FaPFS&t5Lltq(Qg`f)#0
zPLp^+IPSgJKaUqu9I^*~TJFKCIN^AHuL)|SD}G);yWeU|5S?`)VnbPb@0E<w(C|F^
z!jxpFx<&yuk`*n(kVJW^%~{ae$LJAkvYI*M`in{=)H`^<KOfBGF))tV3~4@TCA8_C
z0FXjN3GJI%mpyhxkFUavple1)1?SMPo2QR8&A>s9*Iopi_FjxH<f^bHL(f-0hhvG5
zwn`%0l&H=~KxhJwmqE-tKu7Qj&sPRemb{G0P`1T49tEE2Q`QI+ITCNZ|6Ih)7MssF
z=xK7&B(E~=#4hFfAK@JZI;SxrJbOdHH=W9?3~kp{d3C(F8|siAu*W=EI(@iOeVY`w
zT=-P%nM&zcz%IILn)6q!5O^li6DRG4y>l8KtZ1+!tNx{d(#E!3dNqY!mlG>20M6q}
z6%5@O2%5s&m)kjJNp&=y?WKv!T~$~fJJt}~fhr-E$9P21Sz^YqJjV-e>^RmhO$L_v
zTfzh7Ba3;U&fwCN58c569t9^1bdhWfT#~bCNIEm|u*bgCNqEL!2|WSv=x%hp`D(A9
z*uOc<lIryb@pfO?vTTTXwWqWg4zX;qzD&-YZoP6s%2C}10(ZW#DOkn&sJV4<+o$C-
z6STjY0~<;~YT|lb3!sK`yfWYG6j^@$C2g@sdnZJn*=yFSSKWRQ25m_iUKjsTXnAS!
z8Z1^(c!b{fT6WKPP=vUQhu47t(L?hS4u2s-xmBGwv#b~QW3J*4E?8cKT0t8V$Z}U(
zh|W&C-so%lGyT|BX~=O2vAc(?VT7_S|5%C}Mxn&4>k4%8827b92IT0O)RyUsk)FIP
ze9UlnvO$@K*u6<|3lz5#5|8<mhDye5gZCJIghE-+@5}1^#@e4wx;ICjLycGCCfoMk
zHMk#7`qXzU-hxhNu^H&Z)6`VkC?8}ls3C>5;2gc=s`R$u`EIC4UMo1=Mh7}K2+h6}
zHlRNoZ*e#Oc9C95W$EBVVX7B+27$%rkysL66Odix0LQ$A1E*s?&CdP$!s%a;Iwy<4
zD{D!|1_`us;A9Bi6?XE1hxOdH<I(d<NEBo@Bcqyz;8ZsP|C&pIuB)=9elB0r+!(Lb
zDNTn7T_szd9L~a?kcXBn1h2a%c@{g8E3oeUF^3x+Ayu}=^ZkRXu#uX!mXt1>g9tc8
zFGz8(RQ%Bk%F(0Vd8%;0C<>nffXnL-MKp-36BQZw>K79CX}$ewTy7@+G^1{0E!4Px
z=Iscz4sqHcyl}esj=#Y-DY^1Sww?|*6ZlPo@wqezB?x7YiQn{6gqg7ZJeS?@e(y%d
zpO<BrO!r?_2d}4rx<`J{jnXYE5ujAUDEbyJ{;&GZ1EnGUcgIZTyk(b8mdpEY&{9oo
z&24=4_XbP=$4ct;pn$QC$=$(Gu)DTGKBBsOJoUpuKJi@!FDNc7$&gWiqevdAkA&BZ
zE13$K$^}Jx{H8nT1OnQ_&6*%Rpbu#@g5}A53!E}=`<we5Z~}yV4Dz30e**uKT?C2n
z;lk2EDw1BRTvGCw>@#%y+6oZ!Q1+WzB;;Eo%Mq`VBR|oCcZI4`;pg;AQ;T05DOiu?
zig}$r-Y}PXauHuPzvug$Bx;p6mL8t!q%yGwUJP!vCaRV?oXsS{a`ehR;+zUai<pd7
zn0Gzro_n}Dq)mHI*Pp8SvK0jPrE`&AARW6E=H!#l_>Mlf#{D|yIl$w!RXZI#qKm}0
zPWJsQ#!SV}f_qu><<6m)6v5ZtKLKK$ia1zw79DCLu!a3Fz`^pcWN74Wfn99MD0aMD
z5P~LBFKWzKlmM3HcR6C<xMzp>Y@cps>T>1a$Tr0V^}!XIY;4^h*>Otc+MrMo7|e^R
zdzCky%UZgp_qx;`1clmyd8ftGViZ{b=)KZgst6I?>tE8E&9SJMi-F?4$I;~eI(QsU
z*x<M`*x(`fib}2>GKr^dg^!@B&`PF}86_hkI$Qn*{b_Vjei0!<+&KdNVZ%)XnSTE3
z0b9^*I&sf;ZytlUC&!`;LyQs+dBpTh?af!BiUn9O%R5vmGZ`d=scO|hhV)rJj}@$E
zn3&!%^gsd><F^VON#<rXt`L{=X973Y4k7}|7R86+zPN@DSvn-908^9dv@cnSA>p|w
z<vya!D_f~q1Kv{CTQ{`QJ01-*z^YPDuTMP5c~tOR_PTc<Uie)DzItTb?$-^x0?cFI
zE$wkRdyn|sj~l!$#B{_+gHT;hYFPUTLE(A<G_xO!Pck3<As+k5E~<jYn)2ljY)V5T
z@0fzKu2QW24H6$OO2@f|_&p-8=!0yNcKc})b6jrN51Hs%FK4Jnt>cK6>_xD^I??s0
zK_RNz*#Y?$3<{SKY189!RtEi7>%LzHCwj#Q&u1?_tN@;_c{mFY6{dy!!$40p_U0x&
znxdB9&6kCkh)f{>XF5q8`7D?{W)k6nC)L~;ZXA6Y;rYts&9|-7c+jHw3%RzxE2&kX
zcYL{Cl0Us5I0q)blxkCR^UJC^Az8U~?;>t_TamG~%0SCErceX7t#eX}l1_Aj8Rq{f
zBOoOZ3JA-}SXS`D@X$JIDzG@c3G7ZzmV)ud81YrUG{oa69Yt3;zZFc?7q-NPpge2<
zdZiB?13F)L5j0K~kORsiG06LkQ%fm37<`}0yo0!wEq#Lr&)RmPX#)SQ%f}?M?C{1<
zEM_lOy6y?+M#QlzZjP~Mq@`9E8Qo#g<<yAat~29Iy{9W1L!($8zf#MDa`EulW17d;
zEblFDO72a7Puo`2=WKSpn$r7pti2xgz-k+AGh>GrdJg__W2aHz?nNq`&FUDzZlUCG
zA(4!4SCF28JkH$jDc#-@hN*n+2Udu<9+GVK47Z3d2ucc8=YC5firJ`7kxhTf0IpWf
zEF-09=|Pcd;j0w-o~CqYp2|9$!pjGmOioSzMoV(amvLV*9sH047fY(5DI9xEDO$0x
zOIe=gZ4MZ-ID(;G(Ic-u9(j#{Nm+pwFPFJ+mwFg^Y0jIKxk&26sl`!W436s)o_z&P
zN*KmO)($$V;`Wl(c^ndX+u6Uy&T0hzx~wd9xVWKr09_Ve%*QXa<1g(a7ApeN?$S%P
z$6^OuSFTMPz6E>Nnd0OIhbV$nkrod(V4RbjiSKiilrI+U@!+VHRmn>5OAPjjqpvQ2
zt64}eCbILOMHhvoV*o|3Ryx&q(;|U;ZMZzQwC&b&qIJ9ryRdV^zL-DITSi+Cy94Mg
zqdmEzLJLpZKSv0o)?a!|zVE?R_lfTPqONAT!amV|$Z5h%>N#eotdD;OQ#tP4tN~~C
z6R|LT8$c|%y}ZR5@R$*NYWPE7w+Y7)VhU!-vGXWU;&i<$Aax}1s5n|{{^{MG6rR)Q
z9oGS-%5{zogZErNH6m#Bl5%!O2`N!6t*oh6Z2$TY1f-f;#9w8YSw3(e8WC#tV(o1G
zEg%171GXoQ-=IpaAq9#^`XCOozD`tx)B)dHJS~#{mzUl3>&re$hb)O|jAp>Nd9oCn
z7{@B28NrK27t9n_EwglD?y%%dboJh(j$})=lasYYlIzT<O#UR!rr{95KNtbdT!^ui
z-*Fwz*U?6X>zdx$BLEe;2NbL(_#$xYXm+g4tF92BX5)s4B2ka0O#5#u2q#KsxV<mE
zKC!ir-4~Gq_hcowyjT{NhdE?;otg{k@uRoLH20Ye-t~d0=JRgKqj1KnyRde!U_)es
z?^FEUnX_5^5)VB(l3oP9eQSXqs@bs7xg)Lkq5`h~%-F36zVQIBa=M~q9^}8}%D8j2
zu)t~;Ru^0$Z4h|eJhqCAz`*LRsDUrPw1=oB4gHAxBr@L=+j1`&pljVIbD-E)hal8d
zPEZC<KdcC9(YPz|q)zPkY+<}Lm`U-RMgI3wp{Az86aqXm>oiU8Mblg%O=i&CF;p@K
zLQQ;Ge7?doY=@5qa5jtpSCgMBn)WUWtp4Y@h>obFF8t|>DLk(o)o?l!e_S+Z5$0!a
zZPu70Z~I8AR>YANGdq}<qD>d@Ke;*8_@nfkTea~`gO}>>OecL5-@lu~`D&@mptv0a
zbzec7%L9Wvj~?`N$90%)vilC91U3qEOYuwQ(@WwaXFy{Wr!HPIpcg#dwy|+*cB20*
z*P{Lg$7FQ%IY6mVH?qUILClk=sF#3iCh45gB(k>lojG(ibk-Fil<xJUFg^Z7FGaA7
zQD~H3jc<a7d-?tCCk`AMbNco|Spa>8J-rTWYy`tZzo`Kqw&~+wt})>V`<YcF)unaU
z6!MCY2HtV-(SZ{aPq~2QR`o33w`wp-Jq>%RSMyakYj}Pzq3h85Lm`3ysr3NhgFJM{
z)321!4nKC>Uxv82tI2}>P3nEZu~yd;BsZ_T2P*x)UEjdtI+%lUHbTT!H=e3Nqj<t&
zC|IS4aIuqbe`dX1W$BHiXB=0Y5jyhqv+w#0pwJCtGHA}BCaPf^(tFX<n021MkG$*=
z&c@{3ZwI@?Fl&i?ma3-xCsyWo7X`XW9w+Hb2ITO0%lGLYo>!iLP`pPwktlthp!cB~
zPL@<AzCtU(tgSY6ju@dGl9k?JXwW;}Nx2Yt0`%Ne6duT!98VY9Ki$6dj6>SxJ{|DD
zpT3$^xWfbcm45~Zu$qjGC_0PWdc96L*B7Vp+xPJp9^&QP36y6yoQ$v_W`=q7T}0}j
z$ExWoyykZ06As-!tJ12F5lKHv9a6Y{vN~}b&8o~hwGQ68f9=79!k%TQg`pF_TRjJw
zc<f*pDFU^Yvn(S!UcUsdIeeyRCVYn+yyX{DYO6;(Gl5(lTCLs33`A(PD_-44_+K%b
z!R5`VdTGq9()5X50jkg4(&C;vQ=?yYGFPso+I7!Mt(eAR?XKDRuPZQ#?7I*EI}*fs
zP5yz}Y5*}@J;%BMletCp;Rx|ru0*w}vy)=3RRi?h>m|sLpU%YL0lu>3;@r+qiO)US
zVnNI3Ink?ZE<REwV|>vMo@o*Q&kmp!vJm?Qn#oP|J5%4$rXlFj&2=6w@f597A^N;D
zSTAtS=M1EU(lk;JYCDuX1<-=|m{k0|3#S|G1WjMOPe-Mg)IGjaKIY*azcun)@Cd;%
z&3i7Z3~E;cOr$BR06wzykpl?jv2sn*``BcT7BGV*+Wu2i5G5Ny2_2u@Kx4e+K(0Ao
zwA>lh%z$&sGh?4E@S0R?Zfk?yP-_YxQ5N3c&>PU+G|8+jclum!A?BBYz`t@y?P&SA
z&k=>9`V>**rdh+jhO}m+d8o-hwe;R53rMc{;&+`y2$37izev5oiwo_#0Ru|P`sao+
z9dyY<Qu!Z`vC~f8C-}1hH3LW;YPU~-^{<BQ`sBI;w*k-<V~u<5u?o>yIg|jkFVnw#
z3p9$deTLz0&(kwr5><xRnyz;&pDySw0~XwPr(8e1e7-(I)+|JD<<AhMSlKJ=Vs*Ve
zc=`fh#i9Egd?KSmCK!&?X6*b=2*G6i!LSp^PF4TsyYdQ};9t3<itW#q3YR*)!6?oD
zRJ=zrDa9wC9p3r9&3_Vo!Ca&o|ACJitf^XXXKii5bIW+Kce`_jfK#MVT4xDDZQYP<
zN}#W7Ic<KZM~Zo8BqdKAE}1x23LPPGM+3+_c!_AwO;fu*+?1e<zo>o?Co<$C$?8i7
z>56Jyz`FaSyAjytKFuZU2(3_mQKa^EpJncLQ>DR7oOpt|;+-UkaFSENG|}uMNGOj?
zMoQ*p8#MOnK5krvW{RE=|C7{5)MqY~Tdeg|ex!60WD3vp)I3Z?DI0a+@;HWa9eJk>
zn@-sM!k2$QRAP<VI(FP2Wg9}4*Istzw%LVgE{22$KT{zvL#`S00x@d;)wH3>8Cd_X
zz>W}w=SvTixz)do=>1Qh3XncG{Pkm>gJ0Lnm|5-S_IA4rX8P%ZB0rcCoj8dTMP%R&
z=&Fi{a*GD|-Hi}_x@ezs>cHdCQ$BW&WljNlCG8h-7oW479oK>C{kr*W)l%3P_;N0`
zT{kHUO4op8^k&9lu4a-i4NUG`-tOb_wDv+d-Gss}m4l?41{cxe8~z2B>9X~5GvQ#;
zPW!rXya(F8fKdJp>eVtIKpF<(X|5U6_Vuoh(tFQXy6NH5CarJY*CC<84X?b!6vS7b
za7XSxAgKtUym+wIY_lJcUBQxJ%o___OVfbrV^h2=f!Qyp-Uhjv(u($V^@Fb@LP<W)
z8<il-Xyy)M)9kq?PIMm4<@^q>_iM{1DqE1r_sc@$x^}a!CWJhXvGPsPJOu)I<lX@b
zjyP%^Bq!`Y`AeuKLMs0(<fgg#A38mlh)`&_1u8QuiCXm%zb)!BJXRm8%*IpI`K#y6
z)i{#&<P*Y@X319yoK2*w1$&m`vS`^Y{jzd<|JPu>0^{HLrl)wxjq-EB8wgn%b5y9S
z{|IuS+T@CW_J{wq!yp-)L7=@?^nhSc`(zGr9o(&h{Py=I-Rw>9nnRcLRnLWx68&BH
zUW0FebJ`JITnG5Xmi6?icNJt9&FzW#BQm04a&Ln#Y%L5(kw53CNb484qDIwS3(~z@
zR^eFtRj(NEh6#AXo7cb_z8<=~`nP6oSIK(v=ul{Si3I>bYq~|q+g_V!zS4^z)pik2
zJDXNz9zOOhsjUA*C@C74Oyl0&#gkkhHwL(a)-qQ2Zk8h*Q&~aGtr0TF#${KY#?O1%
z5ORV0VPHLl8fx&;$Idq0^<4MfMnMB0s-;2h2((wW6M;VI)B$};_DYkfS4{>d8w%7m
zn=46m=eSI#2>q;}{Y_Xd6f9?v<(uN4L*p%fR9#`zOl}L0P+xv*o>d3+W&+%CG*E(b
z^xn~^Ezr~b!I_V^^VzZ>xzs%Fx(RDF;yKmk45;+Ue4*(6XP}>BU~^kOFBA%Fx%Zb<
zL^PnzX^4R^nRizFsM{Z)loXHJoDzIF`Yu7cBkOszvP^_IM;sMMVMJbbKURv42~s|i
zu@d?l8WYlwG>~LGrIrBjh9jKa6nw<y8_jpMmMfx8_kjXvMHqFbD>w)e<%UQ3CH3OY
zy^4s4DcI{~&`xgqKKN1@&awWJx}M7YL?Eil;0E7SJ*VCCO3~nwa@)pomWvFKPtc)Y
zRhE54Bf$|~7QV$FVz(qk`;<GWSGUQgyXMEUP4SvSAMzc>D@qBf<WK;CL1eA|&k?$<
z+<c;)Z&6f80mzgrZ4m6e4m$B5RX(8sr)aSiKX438;a#l89x`R$j@GYo%*mpP;gY$K
z(@I?M&O7`VT<&^uwa^xm^AS(xdF78n0Cfu=!u2<P1cCDpK;4iASTJ^tUE++od1v;~
z&BywnRt(Hi`V@v}6yPLGb-|1o+@ch;>4xT%koB96#D{!+eG3fQ_RkA`40Znlijp3j
zVgxWKw{->_)j9lM5BodhQV5h%QRBH&{M>xOlRt10$*qd=V<>H*bcpV3bM!#iY0Kz;
zfCj~71z#~9DIo~eI1iwSx$O1qFToPOiJH!jYT)}GMfhAj>bwJ{#9ziI^omJ+x%UMW
z!_qm^U0;~#V*Eu=tF!^oTv|8tSPr1RXo&Chq&W`Q%D%T-Ltoj<;q#H}c1_%QKI*I4
zQ=3>xE#VPzB0cFhIq)@tE`xiN>gEUB#xo;1pnM0dxGoOA1U~Obh_zM$f8kxG5|P5j
zxm@y?gTv=fqq468bau%!YyZ-aCGM~cs3B|ayhGr4)V$&$<4<)O%`->V+y9iUB29&j
zV*?0#yng{?ytD(%uet`?`XB#Z5gtN8C*9o1o5<Dgp*IL~DbRw?ZLRL@)#k-<AhzXg
z$>mJl@{IACQa07xjcato1(U#ncPZMZ!B-5aL=O62bF-O3);XdvSAUf`TzSIie+7Zq
zP;;T@cSl(GNd3)(A3j&9{%*$QE!|5S)bNfJBq%GR9bBn(A<cht#D;69`ZRaOG?Lpw
zqxK)@(RkYk6Gn+Y0l_bynG!^&TE-pxRx{U%oFLHq{Mrr0MtOfCW`e<OSs)`a7+eg?
z&7BEeD`@n21Wok~T~I69*h~;BB7kuN#%jkAbXXCNYI`F??QM4+;(e0=T04|3EnzB6
zR`$!&Sqd}YX$E6~k*B4j5(^Y(T#OEWYKtB>5N2usX^Bnb*KyID-nQA+FMbh|J}nyL
zs)nRmqM=gfi7p|?3p{6Sbi*``!}l$0cks(CrI4Ayc^KY9`v#G#m;MEj$a>aWlHK%A
zPyes!l98ii762CqO1F__DtCg)-@XPXz|{x~mgl(>xv+Q<*GcH)s_D`taBzc^l&}~R
zX*&2JIkn{g&Gtr(DmYoYUE&qXP8wjCik7OZRB8f>HC>{?31jlH=d74Kv&>?uCFO64
zlkk5eC$RqIBXLlJIygI+>|0B+TK%y}?q7ICzROGtW(rfCyy!)YX$nx$%J6foGfh^9
z419^MXZkyp6eTK0Y8;C=FK$6pB?bHCp7%qZ1<e`<qDIFiJ&y^dGqN-dNHw(}<SnnX
zL7d(0PjXN0Zeu}QF!G{zqk~}XmUeKy?BOXg!FRVNH=O*|W1C-ckR8FXTGJ8?M~Ef=
zDu2&ec?}{oD*!Z&xYat{Vi%fYui|@GCWCU|VnX#(@5$Z4uTh;q^S^QcP0SBEOFp3w
zyfh9ke^k`hoCha@+pE^+lXv-v$o%;?RvYfHMXqEHzPq)??&5h3!pUL2Qc!cGEpc;i
z!D`8#mJ3!&<^kbGFrWH~VCb;6RC65YVhGj8z!Cq#Dkx0|1lRpO@{7NlA)<Vjx|K=_
z;8LL$^F3@7Zc5~qOV}@Wc8t2)l0$QTV8E|$>_wkcs}z>XoLQ7Zh(cY@yfeWf>%Cq>
zAz&<*PN$@kazc22qTb&f4SPXQ=4%s>M8NxWrs3|lU|Wcf+9XscK(Ir>1Dv>p)7a1Q
zGy{B@cYWnuwg8#BrJ%)72yT@RWD!HW_+PIQGt3B6)v>Y6IL}q+vIWu1Az!TQh9FJk
zf&d#}V95s;Ple*RB>)2LVKe=-6J?|h_^f%Vn;k?f)(!b1+q0)6r9f-Z=$qu`oWC9_
zn#@ZhBU2@`OObFnQM_n%kl%`kDC^fipXGK=zGt%dlO9p}ba_%A1(E?9XU?>cm`r~r
z5ZRk-Kx8FU0-N5U#>(&S_P3p1VG;&xaGzuz-BK?^gv)2}@h$H9eHY0T)40)8`A#3)
zEy7&rc?#@YjUoXGv``u-Hr~Gh=5h_V8y2k4f-?rjp{;d>xlGg$)Xvc+{04sr-}G>o
zM%`<9puPkyXpWl$j<qoz8OaGC4<}>^{g=S~YgJKVYFvlp<+}KRSG2nnbU^W++R~8+
zQ-ws8Lf$^}I7<ix3RMdQ0>vanzN3Km17cPyzn`X4XM@0vgGeB2-P@cWI=zDx)Wc0D
zQYkFH0!7RM@FW4?Dq0W@o@YAcAl4}@#@=Kd8`PaWSx?h?>DRq!(l;j&B=-jUWy>Et
z$Us((t4<_>b$>nwjLN*EezlZ$gi{%b|Ic2mz!p2T>Q;e~40!b<^kJ?_E3<RkhS-OW
zPyBai)cC2<8IMxMvfH0=SZOKr`OQ^j2xhC^AiKkq)FGMZ9J)F-byPLHr!!nKTsDQ7
zusJ^V@|vEO!tP2YrQSZkY13g5s>ycI__C!`a*E|##4nb*00TV*SlJWVH0!)__~%7B
zGx>V_&_#S+*txY1e6@o+lG9l;v8AF8;bR{>^-}SdFQ%YoXE{&gON2K*j|`_h%^|J!
zbP6V>W8cmyN@btItqV_|`VEZ>t11xs_LHxD4>|VBHzdtH4~rP@k;slI4BB4Yt)lk#
zs$R(5KpqOG(<K%r@t-c+jP1aCI!4nm4Qe{5O-SRNBRerq)6e6y@%s&XwAR^55$nEX
zjrgVU?{c|0xt^ug3%R1Dwy?O3pRd!MHTPl1lq!r>91k<Mj}gNAFgW&E1{R^B#iXgF
z-LhykZaKpIZl@sEj5N2rK<uS#K*RhI%oYeyS@{Kvm?W>cKOOtzRp`&%0`Fg9w&E&a
z7ptx*m3#xXZ6~|H*v>KsYt}f!ik@k=d@wos-B8VqaY==wGn-9NFcaq_C|TO)FAdxX
zwO4lsw!QJE(Kuo^QF~|3{VYDu*Sfbr#<KbeaU72o8{Vdhg9_2BIX}yCtY{#5AL#MQ
zGt44l4y%|D8A(twUc=k0*m`}dE~K#f5--iY7sn)HW|0j*3nPVNkEdf4w}`tf0!j|k
z8bhoru!?$E!<P8U66$H<z(9#_^hd}47z$0}t>58?Q2sa2z6?goJwPio&m>-{gphmA
zvA)3%xve;^+=X|E6O4vo_zkuTo6r*8rfjuRI@*d8D%jy}1KXXpGKy8rUdSbEquvyV
zw=^fK&Yu$Kz|&9exzb9q!v%s!-nw@Qtbp|#aU0X@(j_{W*goWf$A|N*H&%be%=>(`
z_r41Zz@wRrWFF`tuA2m@In1}>TXO6Z;a@BdW$mAOE<<1`%<~HE*l{}D?)7vmf~+Gs
zZJy<N;#lcJWIjx7+U_Z^+GL^8pq{<Pol`Z_vg2+116$3d3uds14B*=+X0|2rU|i2i
zj;@w{7;#*^KD3W=YB~Y1kBBaE-_$N6c%%r>3*KoqD-e@)3clH!!f4+D??34Hp62n*
zh-)%s`v%kY3a($Q_t+)IMus$r=rhPw!;M&Qcjf~yS9jL)9}n<ij<X>BrOS0Xzb^bt
zz;X>rjyg|Eat*@_e66&EdEM5HZGgcKKeQ(~TXTf$J)I8gn2SZAk6;lq?>D~>e2or%
z3>F2usJq(*7uXgtBzo=@GvK*%HG2Z|e92Ot7{B1*rK6{pv55LTZh^vfY(X+%Rj(GX
zs;l_yY@W-IJLwDO<0^dt20P$Er3@VQ$9mdb1jug&S8gE-rCdDe426<WGy{A61B5-`
zCs@^|1}RfcJ-5@b1AjOY#JS^Yab2agb~tCo^w0<7EqT5^mMtw9=OH4N4Im{;Xh#oB
zHQq^9rKy28Z4<{CJK`h8TBH6DeDV@Q6yBu^g%*&Rao01O_^x2ML(tv4?uY`cRGA0@
zgR8*RT(4*^lFi;p9(O-pjOSfEdfI+lW7SJJI}&5|oT%iZ?_j&awRKTzLfIF2Jxs9|
zt^i5(&T7I8+&1js2VBJcUMph5FaJ?=t<TMCExkIMqVr5og*Fpl&nFwdUsAsnGe@M1
z^Ep@qa&0Pa9h<SK(dc&tAtkS(2@S+ivX1l}CkhgLZ7(=XW7_F(l21)LWci44T^#FD
zXPnrCUm~H`&3wBypFzZE(;c)gyhJ6_(q*W!UwZM-LWZkPbH*3LYq((zpX`x8h15RS
z?imuT&|b~i&wGDTz38mAHAwM!OqJ#B*KH+~2*ZvQH^Y}|4(I8F>Xc@ewiA|_Ds}bC
z)vzPT+P&q9<z=GdO1~9A`%X&Fd}FA#HX!j)^vTUcL}!34+#jhp(1EQfpDt>ri5r=m
zSIYaE*Gl!X0yX?O^+=2zi}2Y9>Qr3qBjWS;%YK{5(9U5%yo{KGt#gOEI^*DR;tia(
z%%56CiiOTeD<VKYJv)He>{PLD^Ei+i@nf)^>qEzh-{^D6;Z=urQoP}(8g2t@HpI9l
zuB*)*7OP|f@8XMhy9@wY6db$LzkQuJ9TP26&fRYbxUXLHRt8lGxP~g1o_<Jk%~vqK
zL;o8V_MgT9%$~<(MIY?-VS?&bWR8~$6foY;Nhu#bIfZ*OL_KtM?#^?p^xCBsM)1xb
z9@QLJ1TLDcLwLyIBhjj1@53}G*#lihlm`V1IlE|UO&-iuTn1Zp#P_}}fBiqB!hn8p
znEoF}uMB45rM#`J!1jRc<>2lHOiy_S2rePRFRixfw<{&FEp2dtH{Qvx>w>4zzyA0k
zq+X%(z{siR$Z$aP*&$A~BN8fD==sBiQ+tWr4YIvdR->eC>l322&QEsW^)MwkPyTx$
z%M{z6_g-d;d{hTJjf>D9u{oP^s@{)<ScD=E?%(Yy_QLZ&?D3kJz9$iRgr`7Cmah0z
zxVs?0Z%t|ayB(@S#;beJcbGZEd5H6w%gYhotm(8o;%t{N(RfUoUD^C%u7k7p%$ttA
z1v)bbA`?H#g8_M;GVv5AewmjuK`K43)nVx|_%3>(!~__I!<3M)!qZP@bJz@T$tAJD
zduJBX%6*(()UEcKs{`uAw{GO9BqC0SjW#^Pjr3bGO+L^LF|7z*9~=60*N_TW0axG7
zfN2>e8VkjI4kQ&LxX9@~%~`gkn#_b@0m!C44<>U_=F*Bp!r6otl{?<wzi%iMYRU7n
z$o~7Yli3`m6IqS=Pg(foFd&FG?-s?uC@vnuvDxP*qRCiI{*)U$^#!=(SCCP#l1=(N
z0it=YhgdCNIa$&Xm1^^Ok*E$IHSdf=+bsz|aiU}8FMC853r?`sRVDYM!#lf^z`(_P
znOH=+ifCG1AuXyd1~!JhA$31S_`y&GuHUru|G~x>2DD*oPL9jXn+l1|kE<z7Ohzjt
zd|4V--{b8qjV1bvFQ>Gc!*^5|43XDb{3ZHn*c3jz5TGbUZLcO*-GxZgObM?#@ME};
zl2w->QI68w{$IXsBam0A$97F-cikdRmU5j*H-D*IX$&yKX84dxg<&26Yu~bNx()wt
z%@p9HQ^ysBcwOxfW-6PtL_=AXiY!1hi<s8qBIQ%(E1vm^MWA|es=+YRi#A>`Vf>X7
z3z!}<Q>^^Y0+OU@SVXgtjHW$JMllA5OS7^E9<QIi^dmViv`=8;RJLnCwlVi3@jBC(
zR@a^CbQRyHDlf9Zs=AiaKT`uv!>_56<^gQo-r(56P^kRHNDqDQfA(CEa6e~xZ;fl7
z3b*-J&=ztx!U3>bv29iA0en(s2vUgC63qSKoCGoYrZ9j-57&kPRed0LZ*L_%s#YG+
zlt^2e_&kZ|s6EBn=o2m62tyarHapL?RZ-a1#`*c16C+d{Z3x8t&s`Y3RB<Efj4M9D
zg|zz83ED78pURVA_`XjPVW)Y<aqa#Sp;Y*&)S-e0?f5@TN_tv&VMuSt=bIZ34?nvQ
zL*P70jw5t*Z|#SQX!*tRmCCK%N7{g8c(IFLlLt;&2KkS)n#*=q%Ffd%!QWdHJ=0qA
zpP(gS&iaU+*#9Bd7>eRE$cfaNcUF(um<&ai63kDqo20edS6*#RpnBL1rW~I@5|!bK
zn1T126>GJrZ>L@>0Hp<cMXkgi*me+ejQ3$%Nab81-;_dH)!Fh*rsTYeIyJypHF85%
zaR(Btgiy*G8pfqHxly53-JB$g-QE0so0no3GJ)b<ZbW{UI??W7&3^-Tw?Ly9`!$&(
z4$ZcEf^VK=kC||LMEC($I3fR;ZTuJQYv|cr^tpQJQmxrhZBkxJzb5Sd&|bZj&$8WV
zuFM+(7G>~UbCz09k##OM#lH*Y_xlUz_9doq%Xj3I73i_R`7k3a*^9ZG%h+zxY5V>W
z1!xOf)V9l71E<3zyTN&cPW$RuW?n0zvc}U8E;~0)1*oVcdHbUEtUS?DvA|Lnw`Dtr
zs;#kOdsgW`Wy%JjjdF(N^zSR4iiWy<6YXoe?SACtJhZR5P@3Lzq&)qPA{dvK+kLP`
z{=ab#H9$njc^Dr6rt>WFnstu6eIDR@=v*H8paqJ^l87KkyZvjaaxO#r;Ro9+>(f;a
zA$%Zcq+Ai@I$1;tC*J{QmS{=|;eO3oRGSncN&N0WHaJuuj#F2v;-ycsP`QdIe3><>
zn@sV;gnz4iP_xSxen+GwC{EAZRRy`QhbM2eM%fE-WoVfM{j|sH{J8V|R~UUP{JR>t
zOXLkURMZ>M4u?EB1vT>f;qD!LBL4)chAvC=ex!1G;r@FvO2$#?>=OmCwZ*oXDBoc0
zrH;PwSY~#VKfPFxBb#Q1AbMfAvoC6P4*YP9*!SCxT<8TP3RW)TXiywJ%NEG^Ff^N<
z!G-<d!R<e+X4}(vH@pb1V%2@0f6@CbF*54pLvIoviB(T+-Ry9XkX6p2Cpm7uFPW4c
z#*Jn}3EdKlc1$dY-HJ*V;HF|j!Efd~5eqHt#6Jr)DovCX<0*f_(&6ydKslR!(p2o7
z<HYlD0d`cXtyr+*&O7wW4!j?hzQaLT52qj|UhBw%u8jOQnjO_=CKl$n^Ahdd;c)PX
z=L>!In@m#lLQ}^y8;YB<>XRdVLv%2k985D;&4~P<B`PHdd%dHR85!j`K^NZ1hT>B{
zfOYg8MRl^HE`;y9bux)5yW)23@5+g&7k;4^xt}497FA-`Rtv>t7(5m$^nOCt;ozfc
ztri-ZKA1-DCh^C*!@=xXVJf}UqpBE3gWsQ)*--3KIZwr^-#SX6D+_MBu%Q}7a}>o6
zy&cb?D`RepsD+lkaHK>pOtg1J&EotA)9F#jKhzz4!I6hivuXYl3J25SB4280x5n9!
zXAf4RwB>wA&<nBcNl~*)eu5eF^Fe=jI{MB;%0|tG`hg!Yk@NUt*U>i+aW`s~-*4if
zm~u~BT~xXv%bseeK82$UTD0h2if5tqk&;iu3Pql%cR0vC`m7qN93lBgY>lt2IcntL
zRHEZfK*j}hWzj!j&q5>r-lFK}TMdtinzeW<sUSwq^n|mc4;eljHS7LbQdVsED3c7m
z(AG8^CGr4w9vu>1kx4H_Z6)VH`A0=9RMXZY$kF-fAFGbyHLg{5)PoY|FZA%g7oUj5
zcxF<fb!wu!qtZ)n8?vF6a-B2jJ2U%39CtYW&~y}kVaI3Cb4K+iIXW|Ckf3!QMkPm?
zsy_2n4fO%PGFL0KWyy{bPn47s6F<KtiPm9{yvc^@kKIY7{{cHx3vFTd2zSgEmY3<c
zznLk6)}e?v6J`2F&M1xE!04jd)U|`oD7OdF@3*?!NYq0$DQF&u#qgQ2p`Xw5e{|#$
zY<tyF?D!8e8wpvgHXCZR{$mFHI}Cr2<A$wAwByz6&KDhg(mbYYB*if!Y^Y1+A2aD6
z_Vb52-h1JZ<am{~lP=2ihEA(Gc`g?v8%nf5DTDqTg8zf#E0cI7u>e{0(+<92c6(Lw
zElzv&(7q?}55xj)nscC^SMi59Uj3`Xxq~l_Re+7@jrU#jEvHD`sIW)U362|D@ejoU
zs?2!Mw<;n$qTYS!@b2I%xpRdL^(>q#gI-C4S~awh-XqZQV|SZL$9*xhVF#bjzlv<A
z*YCM9=_k~t(&-;kmwa^mc)!iD<Nm+q7tps@K1D~R|K!bMBhil<ib^-;v0;-_)E`zO
z*JE2(4=pdsPp1#j*HsbI%PV=~C@5pjjDDfgaku0D*n97&CbxB8*n(mMREi2ltbi0z
z=|Mn2P(V<mhF*-J*U(FrqJYv=NN541D}>%d6A=)Q(4_ZHK#263<eR~@)>(J2eeNFP
z8|U70#vR+ge3NI+_bI=p&X+fBx5JymlWMs+A64$z1VH5qW4dbeV&_t0o8`OA@T4=B
z`+4q_DM+WDWnkTW;aG6%iR7fY(pSdDHqke+;ro9yU2A+cG^yUW7qp~}&$8iSlY71`
zNlf1Ul;^)x__gZ&S;_ZHsPLNP^G1&=&uwal+ug2=a4b17VH9pBTN&#3!=llr(M0mi
z{&2fH6p_iE@^CvI|Ek-SDPDX_B%b<fDP9jHg6Nj^PsX38zFnICic0jNUy8pv{A%Y^
zV=jq@ntHZtkHq~=#8*_xS&ksb07thyzikFeY*byK8112oUE!gpihZFT9ijSdp!V(z
zAEyfbM&%fz9{7op+o{?^u?wJ{`b1?|r0)A;#eX3&l~T1@C9#O2r`@LP<kweJN!o3P
zpV2sAq%q@4<Ev^vRc!JXpOB5Js}FaXC(*e2wemk*^o0uOFHruANGIPg|IQCzD0Y{r
zf4aYVu;cGS#LR~K{#}xPy6B$^{r{I#o8eET&i?O|8hmxv_&`Y(vj0s=4SxHFQmvl<
zZ<N~c_D`h}{?96vD)VE|d4Q#JSjNW%6PuEJAo(u7mv~0$wyx~s+r$OiN5@%MP7oix
z!7RL6z#Kn(m8fthd5&J+zo~znATq7*L$@RClRYgnv_3N3TvFyVh3%F=)ZJU6?rEZW
zU#2qU><s_o#ce?s>;!c$hPr*9!nyGR!o7+5ZIUYej!LgXAzk|WMdjjz_@A4Jy*-QA
ztP1^ez43qh#p#xiupOCCODN6;>VD>4hyPTL-zC&j4$1#hDRT`Dzx43mFUKzqo)!KO
z2XgRJ*Wd2Q<i!1J<1qilIIge%rx{1Q`Y*;w>-ks4q3%#aZxNPIuXgdJd{W{+{=bW5
zql>%nJh`i(2moK8w7a`lzp`s~L7+5%gx{C{7cU9OCN%&7n)s>U&VtG`JHatj<;&Cv
z7zNze=qZgCRMaFDut)oX_!VI5_pej9>;E~?f4chr+!qoMN!362oLu>rV!Zr|7_1lm
z=ZH~y{4Zi${Fh=l|3!?>OaFt!VEl_19{*B|iob~AEej$UaEYpKyO6)xL<L^(J3Rky
zf8n^BRDNe6K4<)2z&H3W{vf=YQvMg$`4_AIiL?C|t(aW=iv_sz{*@S+SN;P?1#z_C
z`#(gC-7NBZbn4FkS7OAT{|_;cyE){4h#1U&vBtyPe<4PT>2?(@wLe@!ZEi}wy6lLZ
zr26bS#Cq6{kq-rP;m->Ys^cf9OUvsAe?bXc0O*ndh~ldb2mE;fqmZ~at9Et<rFY>)
zy8x~x(?Fe^wwt@~#|2RHwjxDP21RAu4g9o=KiJ@K2B~8Af*O!bq@@q~-Az%COzRaX
zoKJT7sGhc~xUh+Ov&-)9-~Zh7v~GVp4(b3<+<aX^p*$RSHe)P6%KNqE&hAY)y(n2{
z{@nBT4dSb${3fWs6Z~-plJDQ|z+w3J?Fejt-|pqhf7tH#y&u%mk~?4yXvCMeTY3Ew
z?oURxU;K4t)o}^Rjtv(`%XvG)MlWdY0u*08P2&D1yxsddZ;U7Yk+=WlcE2uw;-vq+
zbc*pGm&R8G`u>$U8Yi+excUClxz283{Bv{r=HGWac<k41*>b<|Mjcsp)%{LODgYvX
z*fG8;<@rC}V44(r{!fBG_>H;z_dD1g`a8e#&;Guh-QTz4IP>Rr)zDpmT849PFHw!9
zXl4JOxap$%`yJ>LPSGkZnmK_IP_iL1sQkTuYUFoAw+w57-Olg23(b%Zmw@=iOmF@~
z!Y}=8?0E0{Wobb0i<&z3a&^LOf^V{6@oPk7*!bIQICuReBdlu3y~;l9*-)=dafx%A
z9`=s6mJSR}Y%EVNh3!zYBaFj-xdAo%lp<}B2NzgW_W&%q76le1+yILjO~9g*PhfW|
zPq6!`xp#oD@(LhSRR)C87(iIf2MCX70m3UEX@n1GguyhzeOKz^Wi;a^sHh6nFhDta
z1yCv}(YAa`qlC~X1!<HDm%)~X_raEiZvf%m^MB}ToCbgDYP6)I*F})fso({u_W;$m
zU_dp<4z`mO2HT<GU_0g7uZv&1ecq106`Z;Vwu_YqgafYuA(;gbKIZ|1tg19Z42|$S
zjgXf{c;zl2{NWD>Axwbq^I6)CqBKGTjqvjuKxlgb5N65(!krg@Q0g!s+;@VuBj?11
zE)4;w3NGKXMzp4hnysxuTjP5ktm(cD);xL!)=cgNYaZ_dYYO**&3(y0`g<gxd8T?`
zE>5F|A@`(>;{YMuEs09*R-A2<-~4z1sVCK>tZrV{)p|T;AjheV<KeQHC|hV*`()Hl
z$1iVBpLpme$Z;t_^kZMCj4~VK#?5A&Txk&*c3I&Vm2}lNKE>_Wo`3)Qw+8;Lfq!e@
z-x~P02L9jDz)z#L_iEd>GG~jdBh!59UFO+~X5XZ#ZKn#%iQ4K&vRrd*I;aqY8X;1<
zgjdt38vK`5P}DQkH_dp`pXyvtZ)4!A3zN|lky607%4{|zW|(a=I`^k2pGxWtV@jx~
zud3f(rrskm%<82Z7%_?17by5yn5TDrEowf<z-nO8`t@-Ke0}527xzvC6E!2P8|90K
z%ucyKL)GUi-(q>awS`(j{Mgc#>kAuyZTbRtnn+PIV>Y15R8cNfQK#prM>iznys4NA
zOJqL3^jn)05lyw9<f>yP!>G6Gj#8zEIWE*Q_CCEPU+C!X$XANyrkBH$CrWI3@sJ85
z#eyvAo6QvpHM#0H5*5DTKaBF#TJ8Uy)t%@}o+^|SvF<KV>)3LZ6t)@Ubq(wab}F{$
z&gmGYFt$+QEqO2sm8j0v__MN9(v^Vai6%Rp^A+rmSM)FNX@6Bsn{gMB$~KwwTGC7o
zjm?tlz&xa2y|>fN<j>j+<aCC$WWr;(Q74ZOA2JHt{9K_H2rFw_cdC+LUEmLDJMwr1
ztUMx|^_!r{xTkOO{Fd#)8LqBaGqmKr9@ARuZKLXGwcUp`Z;3TZe_UG6OC2-Nau&#F
zXL=Tw*(jmcT!>R>Ocy0Len%zY<fQ5DO?n-|Tft&|4l$A&3&3ZxC}Z|%`llrr5p&p9
z?<}^Zt5D^Ud5m!wQ?;5n=krP3u0(_~su()W=VW8a(*B)?Fx>xwJEgpzt~$>pAl$qC
zu?NQ4#xgvIEyxh=x2~D$H_#|8xrJ)M7?v|mkFoM`EOu=4YqKp~o9lc2vEabbw!FS7
zb&Mfn^!ns`yl4=w&FSXjSFJp$C+V6j3skOyjXMiXG(<ck%vT&oc24T+T^GTbB)b}R
zZu2tpXLPJ}E!kRXbo;5LFeE9JapGOq<(zF!cjgdI+EfdZ*dFBIWM$}LmoJnQ74zEI
zscfNpvDx3ih8EqbNfEx)rDydy6wsnUjHPan&h4>I{eHUOqQh+S+%L+jZdT_VAzO=(
zTC|*On1$Q9c#aT*C8J&K^l?AJ7C9vJ>dPuR^<&tB*Q#fF`^xiK`K&Tl_?9c(4m9Z&
zsMw3c4fL)D7Z^XRtD3Nekk+(t*7p;%qo%yk7Fi5Q3LFZtK5(vSK4#tw^A%Ss`$ix;
zyTxhNSf3)U>3mjRj<!A2%md^4j9K%U3jKP)luyS9Ob>9lJE+5K(-9+mK~@E4v}bxP
zv9$ZPaYoi`UMU%Z2>Vk`9@|nLDJYhOU&6mZl`VU$S0lS^^Hs~54^~L(3?VYghL9^c
z&t%Bf653HZu-f<9QIp<iVwM<03Wrk8zS%)jt5y4O<~+HKl|Q3hI&yT7zQe!{>Y=lB
zr|M?xGP-mKg7k20ow;AXvcP{BqiLa@<S8bCpBucxG#A`)Bb%`K>=io2=6SOPGqStP
zSCzyFB|nS8az;Lay>y9zs20OqD<o%D7T$NTeVZsSHic_K+i#SYH9v<#9E(CeOXzjS
zgs9p<dC6C1utv|pBEM&h+{eD}vOsq?hP|T<H|o)G<EzR&O>^T~;tlpJS9;$eh<SG1
z=!)gB?zOJ>^O^E7?EX$grf}!2vchsyv7eQYZR?}j<l_7NWe1q~I1=GDhOq9Z1Mizl
z<Rq1`cQtT0_QZyh+-Ac1F%C8F;VN5Ys|(x#Xw9#5&)CNv96z1aTyiJI!9&nVeEnuk
zp^5Nk=w?Cw6DMi9+&rj&l>^Oq2W{+}Jr<*}f!*MHbME211_1Jf&PZTv#e9c8n4@^?
zmE61wfkP14q2>}|-%xZxMJKUW7n=|8suIoL=1%V~L^8$~89&w0l8cFc<Enm1OG|S`
z@R?99eD~9u``762tyZ3W&@Eb>Z1Y^PgQ>qP%nol@{#3_Dxt@`#1k+4u7Ee1MWFTl5
zW>_vNzyX4QLV*-&`?z=&U2cBi45@38GN_wn^IX244j_evlnoFid&)u_E6<LxQa5Y6
zRs9~KwyUFz)`nC5LYo&oijc`>?x7I=ZojrfhD!{%v#Q2dv_zk@J;gc+<^$&m1U@^@
z?~th6RA^H0nOy-Yu32t3gR$cLmgs#wFwQ1`W(OkDuO^C+1GLL$-MgQBTwI7^3TKVU
zdN?w0Q2-bsZ$?uARg8V2h_en*SP<oQEY|l7($e97(B$}3kslBwy3)t2S&EB6s`Cy)
z<okxq==%%L6xVnJ38#(>Aguv&j8=BUil8u`05n7I3a@&3_RW64kVTDot6}gYxvbED
zLqXE|g=*N9{_TbHTB3J7$3@e`Y|Dy@MQ!W^wt5}e6?W+_TDH!#FI6u0WeG&8=w8=M
zsc;~il&)W;pL#LaY7z4(%GF*UWvtpmx3|I#LJHKz;Y{Zy<PN!0Z6V#9k<4s++oU7M
z2kD&v5o0VmwWA(j7fHJyKa(i1N^_%rqHAgo?4HsGzsFSZ?QofV`w9FyHsqw^_LaM5
z$$B;S%UoVhPae+|6)fkssh%-at@r%Kaf9cOAjg{WdsliAnpf%TJYS&rRx#7FtPHhV
z**9yQCGfHlNqj4g_T_@~S0>h!1HiXy7|N%!Eu4|Yu$QULA+CM6l526=pV?aa3#_IG
zzw=~e46x!G4HEcrA*83b5*ZHjWwg4}qu1;z$~d3HS@B%Mi-uv@C0UNzpS4P3R{R$1
zrRll@Bd*=kZqRtkz7)rMlApuToZ97iBW(<S)*zv&jWzJ;_)y>&OZVi=5rdGd){pM>
zo|c9=)^}T0>>~ElLe}?I&4nYu0}#?zg93hoS(2OJ>M7bTH6I*(jI#tz8-!)Ix*OJe
z#%UMu4{naRk-Sa_DA(MsmprDSAF;(}qD&?_BI`X5DuLB|#@z&eQv)wN<U!Iuqak=G
zP?)YM{fSg0`;s9Omp(?}_K@TumhRxgN<BXGc-w(RL$R!qh4YVQ827!*`r=ZqZ5oJ4
z5u${w2UU&XeQzfKV*HDiQ7?Fw<e~5!2%RWo!C|X7OPS1y|8A6!aScM6dF)^?o86j1
zIRbl}=vN*Q&XZ-e1T+P{{p~DC^Y-hxXs?%94caqXdi9><%rV+GfFQ=_5LPeQxc9h?
zr3NXr&iP}NED#2HDs8+XP#s7zGVdn%GeqYttCrT$xq$Y(AwAfErgZjZ=JHccN8$x4
z5<KnH)b!USd5~4Uvh<G_5qqxaU>15D%U!LnW^F^lb8J|U`R~RnV2U{)h#5t#3uDLd
zH|`{GFl)SAtE*U-KZ4Pm5jCmzjLD&Wez>1B(h7e%q%Qv)-g%sS+^tHlyG*X9jt;-4
zZqabhC0&dy+}X`2YEFgQx@x~c$by^TJ?%gAEcRSth@<*NQ#(_&q`BtrpRy+oG8x94
z*U(DPgF#g9eRrmRcCzS3b;96N(p?RQ!8`9;A#_IuS4Q3JwjR;!i2PWU-WvJ5ql#5P
zx!cFy&+`v8s>_G0YrOqKZ&2kix0ZK@Fq$IJ_R(YO`rQ+JNR`UpP0i9>yL`mpR(5(p
z#pJP_15JK2lb?wEr2yhHWA2(sXD+4H&-@Ncd`R1(Vf}}aEDr6@UBMl(gCXk#+v+^a
z0ALrx;5kR+O91MbC&lAZy_qH8zn>$LI`SvKN$&n1lhj{uVA)6X<rv;pKVhy;GuV(3
zOL#Z8&+dxXp!oc-WBb$GymVQAPi#<|^RwcUMW6Ii$a<tJS7<&YU%NPzco8Tx&#7Fj
z_iEN$9XiK(92pfgUh(Zg0l#;^i*fSt!@s+42Jd{Z)92f{d9PJS@F6RiKm15%Wo*^(
zrhtwXLmSgGW_6lJ&hWa{CPetIo2t^pFf7Nu5~$8&7icOamH_yD?w;rv&Rmy<wB<39
zuh^#w(KYoIoSFWnRCaAud*(3;L^O61Yi1&xb!-2!kI!>sSZyj|j=V!x>umO1R*dTd
zdqrcp*mZ!Kvwh#)vKzE%*fZINoQ1w#@xcZd!!(mFK}a?%iEvGiMaP4btbQIE26-zQ
z#g7_;nr(%Cs^ZEchr!r{*1<FB3N08RWuODf$;1JQ*#yH!iO!$$?0sRJOa{pb?I9md
z!tV(~;S6{V)j-E<@6ZfZr{mFA7?R|p9XbQ@&V;JMI^S3I^GGVUUCn44Dme+ay9KEG
z9=0a_;JzEqVDxbbc+f}Fx8Bh76O+=hGvS>UcKX42V&`J>L}OjACt+O!RAHKF>v=rf
zMLNAXWi|PE6AQ*22J%|rN6VAcwM2*&{Eb6y$VS})6X8Vb)8M0|^_wD%o@e+tTsqvf
zv{K*@-7Z?qVAUG(fo+#r74~eRTAfwfRjalI|1<D)Uo=CRyfmM(?OXPF-;Zi*)rsm|
zpwO!=Ykbj|&Nbh8x0Fdrmvdi~um+lkn*r9F!?BeQss>PmNSw-k1Pk;jI!FQqpH&C0
zF6d^43A|?M1p=-Z_dbk4<RRVzoBiMePHvfwukqFeAi783cempE33;M}*KOrX8?Ncb
z3qa&8)j}?UeIHH2U?<Zfk*3O_j;4Gxt?p3>b=>;^*_e)u(|+X`CkBO!gt^QoVuhc;
zYc9SAccDuTtHq|XPnr^d>SlWGj0QozH1;8t-?L6)KFxR^n&4AUqEQ?8Uq(Wb5;{0M
z!Z*PmAEmR+-%u!B6b1Wj4KRr`PW#+V!zoTTt?*1Y>A<=#95y&-(c!PHrzV|#1<>?e
zPcQdV`+!s2E{0~K_|`7865iDk`Cn$A@Ycm-op7Ex7S1|(Oas|yxkAXWUnn27x(iSc
z>*dRsB0_kii^HkJAAu{Bp5WI-D4#kzt9DI1NEL=wSWpUo>sinkEew0@sC|NO4(jrL
z&dxc^WhrTZbUZeXOCW>F2ZzKmrX&sYHaFs3mWY-nfw%_kV4m)Ydl~%Ab-_IOi!<TQ
z=5^-sQ8yIQaCc<%=8ZP3ZSo$=izMlP{M?9VRGd+=4igQ6W}C3^TD4_-8!>>(!Zm#v
zRg(s|&c^038mO4amqtHFJ3}N}Cuc+rE?Fv+DgZ<~_rV@Z&<ehT^AmGe)k+;$;KKRq
zNdtF2HR3}cGtpkbAxI6v{d+i^;<$(}bM`B=Gk;&kD@O^BmBx2(Lm-n$`+*{J_YX!I
zx4|qfHNuE9;UY6ZRp%yyP(V*mNQC^Rj-NR?Wj_in^z#(oT<f`{+PNDvh8K<nubpN!
z3{}hFpZAq7oxKUTVK1=6zSjiZgN$DAdM}O2@Fe=$oMxha7e{O!I|xPWlY|9x^cAMN
zkI_7w0W83OY)%WP)|{@CpR|C1P?o5UJ&1U%4)`rLo>Q}}4pD{CZlk(;n@%1ON_Akd
zbu7HxsfUKsmT~-$+ig#-eo@2#I6XN$97f4><pi~+Vm%`i@#Fl)h1NjrQT_7Kve$9w
z6e}5X(Q{)@#!cZ6_PxE>L-&7LJ8vlmI5r>)2pE^UHmdi8y_mk|=a~pSLcR{`ARh+}
zPqUIjcnmsGT`R4M4!y2?oKLyfI74m0>s1#*+28XBqU2QNi61Z+^je2Su|#8VG4R&*
zp%MZyI1t@wfl!=8(ilTZMV^`TxUSXZtgld<NkoohgLq~NSAkA-N|+f|=cm{ie^2x}
zXGR0&iD;$p?N%79n{aaQ&{Gg$8@30Jpq;-a<;Lw)mZJ`jZa2kYQns6rTgQz>8vXa&
zOT#IoiL(+|(nfl9S6n$JeVIXUNm<klV9q{_Nii`FU_R()m*=U4QCKKA&>=1msRKh3
z<ax2B_rZ;|qv}c<zcgARMP7b}shp_n_zC>GRvroU&3~$h!zpQJU&VG>Jx3@D8pgUV
z9zl!D4Bi<ZfPm7{HlIKg^|veb(!#7+n)_rpF6rgwu^D(++GFBgqdR9R!Q=DZZ`*j4
zr<*hgUa*b04g}mHTOlp!D^I-DDS(C8p2y<MdO!;vMO#&lMU0RHJ?sfQz;DrEu51<i
z`OenhV)nrc8Fx$Nfd4y(UAr9MxZiB0u^r8eT`e|+Ge9r5iOaqFIauG)7`?)m<TQf~
z`CtsgM|=rz6jY?eqWdSujwu3GDK-HeRSd(=$vFOoI+f_*S?rD$4yQ1znS6IME0Gq<
zIUh`}R_n`I<MaCyoMzY%j0QmVOXpuQ?|o@^8l{CfrilC_w%n1S3tqo)2(3xHIB^_t
z!f|75Ee&2%RNRrz;6MP|DyE4u5Lgf!S(_m26~nqM=vXGr>=QLH1j!FrcY2_sL2qk?
z(rs}lT*Y^dInk?iFW+2W6@w>okHP0Od(6*Q=uUGx{n3@W11*?xVRZ)i&Gv7AN8;2Y
zk;di(9L|a=`r{5g@*^rB|GN<mCr_Vt5Mj@&)%8B`jR@i56VNEe27VWJdOO<k&<)t8
zju=$+Ico6~NGuY_SRwywAlEdVV<F_xSLY!w+zH5kbAHEysio0RpgSRAKgpF(qbr%?
zv@_wL0*EQzRlaPKzST+UU5Szm3<TAhp9u9^e9F*7QSV2YXC~Dj((+iW7rLY26u)xS
z&6n%w!vOXl5*=h&X<&G4YL5wjA@hD5fXZ0}$sUrgt((IS0pL?h)`9u1Sqd9wD}2Do
zn;r3GRu4cs&)Bz&9b5m*$-RW*H^`Dhyw@Nc3kQVKzo`Z;?M1fnW_0AKNi#x$>hRKc
zrg0Asp_Cf(^N`7Mt}a&C*um#;;;rnusA*PyWo{#3!bBi|dKSI9_+0gu#%Sb)XVtL#
z$0-lcX>g*DCO=f!6!d&w8q-%&lk9Dw0Eq0SbJ*j0IGpM(WWmtFxAOMgz@-Bhakx4A
zP-z_np_#20Je=6mv3YE<W5VL<STIw-KhYiKk7C<7ZZ4E%AHDc<x)UhK-*bhx!%aKt
z5zIfenT^|q4QSu!dENGvL+C={p}~ou)|&XNWt?@-*u_4ZDO~Dt5LXR@Yl)o!Xb}ro
ztTqS~Y-_FO!s=Mmr1Jn$MDS?MQENDm>y!l#=%Jr;?rW}-!&(m@ArVnXd!_iNsS2CI
z`7_~#=6%+nRs^2C8?Njj#8y|Ai~^NIi+ywndF(c)H4STcG_=y>EYL#XfUCBU57oo~
zzbca*7;Nj70$xI6)S3|tdO9eX4a8yK$3#<Abbe$95+WIiTza`6r!BtSdZ4NOxa60^
zxwVa!!WwGg2}&DQUGeA?4rcSbWczm@7x6+CUW(U90WK6P8x@xTeOeNqnlwZz(RxF9
zG#-;8__Es^p*Ttlj_gQ>w{<Z6%UWFtVvs<mj>D*{JHVt-XS}fib?(>z9axxO&q3}l
zZ2ZcC^s!D70f49R7!AUB%x5DLD!|E81-rM<X|}7t0|X-LEP$ykk%!|y!#*QQ*X%NL
z1bS9dYoa<p+6Fyej8F?7%~OPh2^Sff3NKl<Q3Sjf{6D)d_=Bvnc3K3anV;Y%w|HLW
z(<^}xQ1j_H_pt)~?P9ihQ7}asDKwUai?FBjU?0f?GTD8;`EPCmydZW&2tieoeN~0#
zc34&RbgZHr&Ce~&?OoW9#0d-*rP>!|zCw!-wNsZXZzkkH=WnEA&m~RvaTL!W56%bc
zVTVd|V8H}Qp4|w+1;Nf@t3T?%VzQ12OYrR%=vJ*{6}_Cmxo`SeyeVA7qeIP243e9l
zlAsj8oE`um#jX~Xub=@~62h?%gmC=bxxVt<eQlke*%5^~zzNnYWy@)av(HA$Z4h)4
zpey{`TT4?}b4i^=olQ5W1d8%wRIMGPK@{g2^v`lyO9(_4vOr@KJlCt~Wazf8Yrb5*
zuG#OLY!>!5M9x!$Elv9pSf78H9f7$E!chD<3;VcpSGBa#E)+G=uo1mt?L5?r4{5T7
zzD{P=JBTn<20?c>sJ=oM&b&M6o1Y98s>Xj#bBz0pC}Ujzk<+X+;dos<Mw({BgG!^{
zZXb>lsAxPkq{-z5#zQr|hqwSt;xlWvtqtzI6*V}g=yW|e%on6N^<{R1r6I5wecA=W
zh{lH>VQQzn`}QN$u=CK@1;i$L5R~j`L5Z>AEdS6XXd;t3&KyBN<p2YAZ+S^<S2em)
zo6bD|VX@zt#iB#)^5CZr4x-nA2bg<i{Or?903{e0#C7o>_Bn)f`q0>W*0L<*q75`x
zzT+u6OcZ4M8ReJZJVv~rqG1HZl!GW2@a36hOJTyYCD31>D!ZRJL(&{iJ7a&YyjZWp
zS_EJ_P*@gtGstCsl-q1%Yn36y9CRSRrYN(`RtRB}uLJYvQfA|Zo#e}C@2xnFaCr!{
zZFVG#S^bbt5%RVA<O2t2R?>a$AElhg7lbn#fgm;Q;r(*vHUQj=Ft#qrkC`u{&3XI?
zVz6Y!|8|*6c^)A54{;~{h^vkoq;(uRI^$nHgWx&!C^%o@y8~oF0>qRSt<l&_9oS1u
zCl#HCT#}!BPzeT=#B#X+A<{@mNYh#91?6cZKLHy8Tt~I?1GeE*ZXWx*4-a<1f5iWG
zv2hGmpob<}M;jQY)jO9=x85@pU$JH-^d14)VzYjke}EQj#r)H;%?Z!p7UijqV<Pp=
z`cthHo&{&R-I_}t!GdkK9_`{GdL{Q5bUOD~$lRXB1igJ0N1rb0UI%_5SI@X&qRu{T
zq7EDb+O8&k2~uC!|Kml4M0lJ4LMD5>uh8i;G!c3Kv%7gHC@xevIj}@CklJE}zn60}
zTq;7e=bgAm6}7k@U%vr<frmIGHRwr-o9S)$j3RmqG7BiXvPKP+y}l?K=^v4zr!mvT
z+v#bAHir4S$Ow}b{EcBThVayNO)ed+G<EP-`rpfE5X$j98E!IaT1QKr=P!m(1okDu
zE4qV^VhV||-7A&LpyMSD-dU`aJcQ}Ah<U%%2S%nTOa|KJocME#$w@!+Odhts&*%oj
z&F3J`F%AA4^1r5wS#WKwSf?$S37cjmakt!i@Zx1e3e)=}WhLb99Do7Z-d1rB3Z~lt
z@#Xj4K8HKw>y4I&#s$5Kz${Km`Q#0b(}oyT*0vzEMZ)O=O?|=-uU9OC<CKF2ZRzgW
z=B!{GZ}gn7eWhfz?otTF#(N)x=q95sU%+3noL(-OtpoEwTa;&jHc_R_g)7^NTchi}
zx_tDyhT7eetcDornCA;UH!EDN4`T`~_^mza0iv9tr1u^zyId<@V<AQ8-@Ww%TF&qN
z?qKZsM-|+M=$hC;Z9G+R4ji8-<g<epv7g|#>WKWj5^|NUDY~HF`X|2GHtB0X66$C!
zF-)RjT%;`z%)^(U%Ah&gLSHSXHLZ6f6QOCB(n~@vvf@YH*yagUi1i-EbP}Noot}^+
zU?8r|RM&Tcx)>J>zbXP$wF<*SS#DJoQezggqwtz3q&auIlOWAWvLB3kgSLwSzb3bA
zxP3tvL%_}s38kHow5(}rSGyc5s9rJM1V#_S<VWH}kTF1yi&X7a1^(zMaxhIhsf2Nz
z1+Z337d@o651h^*s}n{mMjqwh6l2(9yT2bocM5MQUzY$g^1PLV@bq=LtCvK@fECRQ
z*^gQc<>nZ}V!`aBB4P`S3?-jvk|23B1VpN@8-BaG)!U9JupDYJ4|dyU<JOxK>sPQn
zT4AD}gOiJ452S4_LVR;~8Wg-BSnpSNleykK8YkO*qg^WP^?ICob)Klfq^(D`<0&aU
zyp77@P!X72rZ!`*KLYN4)#PDlGGeYm{~loV-diYw<*F{GGNI0MH5#z=t4#Zm59T>9
zyEACy$ZyKK{T=8_%<TrIR_kgT+k@Jso&=e~ZTet0-D9tST4ONsy_?;GfF3mtL(H|%
zWHXR_r)ZUhvq<VXo*fL5yqoc3<Y?#7yp{Y_!!C{+AxA-k8$CCuo8n=Yc@iACxf`NE
zzIH1r*iNv=bAql7f1`S7DDwQ)h1Od6^!2gC0D1vGn)bGA#cQ_*?E&<+&Z_lqOC&xA
zHXOdQK14d+=Jz6kq5sLfaS=i+n4v4m=*6zn;tyy=CRZ#$bHEUkzJ5@lI*(CGFVM9p
zt42!X2ZRoJuyNbs>2ol30OP9d&BNd*a@t*!a0~cA%(YRWiin@`{9%U#m5tVv1Pude
zjZx=J(tZunJ^DkK!kKd4>L}OaxAdS>n&M`LpdcT#_~1bj4sx?r1%^9CY%je}LO%oC
z;yDOwLk!#=MJszD>FfKUV1l+{!Gu}wICs&ooWoG`2P|SGe=^x65e^On8bD>kj!eHl
z{(u$aPvX(L4@jp14q-%y9@k^@&pmL4EPMn}J8jCD@Vy*FWZQDh3bCOhm_l%-`jb}t
z9SnXcqRNj030VWr5pq!LAa~A55c}`pErvpo;Dod7B^@u~!ZWZmOG8b9PxDJ76nQCf
zvf>24>711t4BDd1xzE}|hE693r+TW<68jQ>lekA|lHvUez!%HMMTNJrAojTAh?~(j
zJC~%jjh=%jSz!|jfX)~d9}wPvWPb;tDnj@MDx0v~`?u@gd&_QcQ$<}eEUb@KAL&ZQ
z=69)r7U4D#yBAdcvEVQ@4IF;@d+PRFd;)zv!7oLFkY`jwX#}7LCAUMg11Pm1*l18N
zjr6uRD@CtAO$i`|{>(#eMP_{w73Tw`$n451z4UeFVh~e=ZMq~ZXgSpfE=uBaf-G1d
zc~m%&#vU>=w*mNTZpShod<~NRZZZPp!eB1kozz1^<Fl&9GaFVQbp~hIqy`2G6UHtA
z(|Rktnk9#ytj^<tY|LSwRe{WxCN2WH@hRv)$4q1dXg?(8ssYaY)FwrMe-JD0cX}En
z8^gj>UFNV2wt)HF0%r>P`umKT{mfwX*dT<a&<oG%VE51KVElO5xiwDkE7Mch5hH?H
zU8(t=T%ZPU0@FC8ENJgk4DIy6;O^8Z7`7IS+KEf|1M_b^22<br?1+|+BM4<q;!}5-
zc9jmGYu%nhvC?#r`L_DN6XNYZc*=}ED&U{zK3(nu&Oc)rLBF*}$rU0$YjU)lIQa=C
zcI}U<`~;s>yX*1OL!|S^1(d-E18ZXi4n3o}KVWa&aRucnP_}el&yvrRT$*GxM6884
z4fl86JGdM_6epm9L8|5@gM!H!DxTtM=<75M%-FtKd=NnfB}NS4HVk`)2Q09u6Hyhq
zri01a_gEt1H)MD9M^#Q=xnI2;Xzdd<$8qLhWt(XANa0~wFm5_%2_hJcV_-$?y+o|$
zZBw`a-lKU0XUGgH{(I)SL!qrKAg35TZ=iKwBIYsgm;2~w8`qbwT=nu>SKk0$CwxLg
z;?)O$pEBR-GRXjRN@#hjL}>YOzKo6vPj&<;ZUHLZNyG`O$Ox-$T>whqd|tbK{6(WK
z^7*Hc2gd{A1m<rzigJO1OxV0r{7%L$`B^Br5jmvIrO}lbiWDm6By!Ob3OhDRoz_`v
z1QOge0vCYUi6h}YMQp!DvnTKkXA(g4@9z><CLfTY108}}g#&QjSiuhQWjKCrM1zTA
zx!sUqcTU(Eq&B`Abhmn=%UiTQ;8eBM&9R*<exS@eq}TtzS8Lbn<OS({X^oQz7}Gc`
z>Fu^<)rw1?L`Mp~s_s=bEn!p*&Jpu(w-w@U0E2?I&6~bLMzoUqR2tz|n-Jy)MYOlt
zL*&^_eAS`X#_6;`zl<+z9I?)%1(8W8JEAlM=r1jN2AdWR^ssW^V*2{gyTUcj_Li+M
z3+T^oiTx-bx53R!C(MJRn3QEkcEr$~9Dai{9~`s}z6MowUQ9kqqdf%6jvRT&xsc{`
zZh>1DBPs%%3b?E4S6%F37#LX)Ki0xLEJ3no08lzw?o8NcmzyUlrMGM(p$A^FKeJng
zGI~$EtaYDw2{_V>fFe3mMxn2TXGX%G2C;FQu>c8ibrVlSKyeB!OLKU-PS=77X*xzI
zdGOO3%<RUUG5TPr0>QSQK?Mtq1D{L$)xLml8B?7cuY(TB8@z#x?C~+czW`K)OiPLR
z?NEdk7$D#Il|2DM;Pa>yoMJwEY#3<j3yJSehUF)Jp-E>VSeelD%`Mg|0l2;!!%!`l
zxV#^~87p>;SyB)GtZl^FSQvCSPkVUYF{<t=jZH=7*e>i+8Il?-PJ_8n(cyz>Dj>u3
zJ&(e&eM5rq2U4=wb0RhvJm$avy^!I=^#pX?!<lv4gRi|0tu$bv(+${E0E^`OcI045
z!>(&5=6fClp#&U)Dpb4cg52htrO^f=KZsT;&Fl#Ed?L^qai1M@s&F@t9USD#bXrpa
zec{Yw9^ZTx&><@>)A@#R0}uB`{#Nad{EY||7Xf%as3p3aUD_IKeT8}jK-6k-en4=9
z(0a?wL?@TZNDxQELRyJmFx62#CxNG`RyGqSXgfdk^36YEL>nnbVWq*W@^_vdbgLzU
ziExKQRKpn%`kl=!5e|<f0hHHohPi^`P1&_F5*sTB+KAl&NC$vjd+jn(@l`GC@kOn!
z<O@XvT2l&6sKnfxOL}_SVJCfsluhv=7n^guXTXSH8;n8Q)1*#g)1-i>5Tm_f^SJ;U
z4Eq^WPxAl)0>>T@62*7-l|XL!vBxg^u>;^4>@jm>`vepKf?#>|$K7L=x~k>gcBVVi
zUWYJqBj1ncg{aEVscM04IU#hoSUhwX%*r~R#?YF^LW}aJ4r3xsfZH~}1^rWSKn-Ge
zqIg(74@iT-zwxWmfyqen(PAXwvp^H*OxsRCy+_g-+(*)kVeIOW*hpDmgmuXoESV83
z%y@E)knsfA&*wRT$gKmE92nAS!96^N1m3Q@k}u*G58|zdpb&Vx1TY`_?52d!BMg8A
zjY)b6HYE+XHPqsR6Bh$O*#ekxm5Bo!P0ny3B*17khH;&rVBg{hk=He8YO_$Ud36m0
z5#gMh;?K}JFy#b@+C1>W=sqI$J23VF%w)NI#aiNR8CaR6kt@DiQxxFH*<ef+U}G<9
z-Q-+?Xd{{hii$9%eLMk9rqZM$f&LF+z%y12R;OQr3MBYLE$kBSMsGX(=|MzP)FkMP
zKc73MTIPZ+fC0(VULPZ9yaoHKevPKZ2c~DXTREU%<nMNflK1y4V0yZ=1!gvo=;1yv
z^aTTwOTsFIOTs{=!TN)U^<0py{oC0PJT|-I2mj=@?4W#mFsG0+YA|syY`6f5&k7NV
z`AiT<QtQTqMT+L^TT&&<h&|O~v=c1df{!;ORD$QB?YYF73}Q_xKcOZSsQ)`*D%pjW
ziDuhJaCi`KI)+Lbh{63?mmreX$#S0Kpn5WeLp+MQXp`^3{cwl1+h81!n^XJhCEyKL
zH}wSE>V7>V$L+RYW30h4ux&rjF+xAj-KO>hdT_D<5cv$<a2RL3JGv=~TC;O^1;b_G
z6NTchz!V&sX67)31e~CGxezI@jbU5i7GcZb7X8k9;2jQUVtMn#X$SKbNDJ^l4M2j5
z3_pl4AmZo0YwpEe24bsRcei;Cn(fpYsjZ2Nfy)!1+F=}2Hg#Bg2hv@In*;|l2%8JS
z1>%wnHr;!}Rp=iHa}<mBmVn3kF4)KM@abTDibQ{9wR<*t*n2idL6mSStaW!QoQM9F
zNBnlx;J&dV+eu(;Qcs>ZD6&8p$S<Uz^PSCW%$M20{CNdJ$2JY23z;kVmN0%3f2)0r
zKa{4-6bcvOV->IoeJc!0-}(vzrk$!X)eaDOs7WX!N#Hbs6A#LT+4d=*e17HKVbwTj
z&agSvSG`Xzh4srHyTia<*s?rvY<BA7aIQg_UnX?o>XKnrTK~3O2qdpr|Fz{L<D?dN
zT(jr!3+tw?`CAOSop$PFhJjtHG2IK_a|}8ZROY(pTML{s1_X4)2;_qHVM<6VbLvMK
z@^lAx;m$Bh`jnhIUXABT`a??d>4Y?kuoIUI?yty<q1qN3>U*vk;7>P$2VQ%I#)rqr
zo75!A=sI<0m~Bfk&ZqjJ!m#OZ)!IY}`^^Ve6rke=sKqkABr0l?62H@uQDE2eX`3`+
zNKIF*M2S2Z-9lYGHh7a?XmGhdkiA`GSu>uw{1$b5bvVlqL6JJIJ5LScK;8G=>T@ih
z3f53J$l3y0xsN|CO_oy`4Y$Et`*xpOB~w&b=c&qX6CCUPh)S;3Z$lVveJ{UoWzbWe
zFU=Er{#C~;5rvGwuX12`b#FTta1X!!_`zXT+Xs62aIJe6)vg2Y9LSC0UCDpdk!ai9
z1(DRS>B%C8Rm(op_d7AINnNK>2dQpkG4N}jwt=aG?4m#MNAD()wfUPo`lz1m0(Z8l
zH+QUtQ59^>R`({DUS|?f+mhn*RVOLrxoCJI8Fhvi&DS+sw<?g<*ty`6;kHgN=(r3~
ztN1)%i%u0&vcASsoM@VX9-nw+(9OcHUbs-%-_O0#PQH~;*P0NMWy>G8Ik-*k7`Xa<
zHFm#bAt(3clGvZVJCZGNjcY#d*3i-Ds{Zu#%wtyxNTr>A!pP@(5}YDGmux$uy|Xr=
zW8m_|pr3cOluqoNH;SiWVZ$P?mLfG=xL@S)Id4JN=c}y6=6uxF*rx9OE!QVD%-d6K
zF=AX?4P@hXPiHiN)vj{+j$aE(+8*VNBO8^kd34DxFU^ryl;0G7YV#qNoe@j+pF>fS
zn$c$D)so@$vl{b*hPif=szpUV2W((#VjtW+25XaG+mwwDE%S%%(r_}jnw?RvWUlEy
zM6QO}wS2ePR3McYWOZkF+b)kEi|X=TT6|LyZ?qvG=Ua~AkrB}K=ps53zj9bbuMe)Z
z{bu{JZ?d-_t7a18g8N>0&M=4=6kB-f`qtb)@oSYRasK-AbAj!S*(-&i*XC~JYGx{T
z=AVkQFT9s`%(-L2vm@QnW^E*BZb3Q1^ugCYBw?{U?X`4dWa0fRkxghQ>`@ju!B9D5
zDk$E1X6OwBvD3rQ+(^DIy&b8_*I^@|{$ab*BCO~ON|G|jk&x~Hy>bh>L|$wfs_L6t
zoh(~U*;ro5K7(f{yJ6iQv#Lx!Src(fvD__c+bcrUbu@k~!ky)-eX(cKRKsidHzRY`
z(Bh*R!6{;OF6=J6A)@xRMKR>9vwX-LN{S$%$~&X?XemWy&aNsKWlsjrh}(nbvsqo|
zVRP}za}#R5GEEvIl#zjA>91Wy%5gSU1gcj~uU+%_gxkQHZxh1GvWDvciMqX3Baor8
zkzBVC8*6qfwu`FUma#oM80u_CeL)smy-UK8d@@bThPS$g-q<v3c{q@48$W3AYrh{~
zEmSmhjv7oR)*p?=VdHt>S@EH(3l+=787X1s`up;JixQpgLNb#wZ7OqSD`im{{pn|W
z9DjD)d=;I%f$NGPj*FCgnmn20wVc~&NVm14lAoUzGK|Ts6LeNFT<cjJHyXmd%@3`>
z4Yw$^8ye~4eIk1aylWZI^d!eutw=wOO}Eb+n-;5l_}G1ibP4}3Gw+66>ExB~YgJjW
zIGf?=MW_1)Q)K<gnNP0DnyzdvlAcpxGLAjEo!$N#&@djez+);A5XqRF+ndV$^cBue
zRuT=`hhQ#0)O;u42fhUjhAiZt+Ir_IrP-FXI9-sO7BXQ}<-LX{UYS?tCQZTga#}wr
z<gPWK{gCdrR-T56WTd#Ye~PNAJb^GD)CFhB*X)iRK87o>wC}`KaV<O^S(saOVl&YD
zIWL$N?D>6RW&TzyCQEF7)hJY$LzO{9Dkp0!*eWAkmBTfC<f_DXE6X3x)J+XSocYbF
zw9xe|WfEDPV;t_DqKfKHn{}poD9)Y5a#r+^RV3GP;goW*vj=G_&U1Q8<y)bUcKYhP
zkl@Firqc1uMhr)k7m6e8X&)?XH9YvSQM0?-%#ac1)af=<-MhO8HnvFJEw2XD{FdEt
zuAy)0{IS}UOQ*?{_$<Hc6x3D2``dQC4=E4jS_bn>{P8#FmW<>t4OeYW(EF}YQ+_Jm
zFui{R`qb0uQ-(CN+X2et+VFQu@tP5X6mjEaob;0$FV?^x0IXM0t8D2W#=9=BkOCB_
z@!r&@_ZbpE@T)XjwW@2UH_e1-d>ES9(w)BD&8A>KF{Rc$E~vaUJ!57-Uw5uxwR!8n
z`ohPY_m)xXb=>g=V)fnV`UL@li$fa>XF@4D4wFMSuEu0HVk}5R45tyK|LMfK%Io{}
zPANUYS5>ohY%tRSx!mfw0)~ZoL)7`r75AmD88I@dQ+lz9FluXaQS;-=TR(>i7yA{m
zjoA2xiOPYhh|I{TA4AVY*j79xo%|n?eBOzy+AdFjfmp72U-wq+60$Qo9c%gcz17e`
zSNv4Wt*gzUmVLgnV_6ca{K1|#r?TQZR3%8+hWM{9asJ#X(i*c5D(*#`nt*Q2`#ThA
zD9Kn4mbQOnTbJbEUT>G(?y6kfYOPg={*WkLA4pMg^06D7Lw2+`L-~)Md6hryQ$jHz
zUn}J1Ug#l_+xPpoNZC>=eb%x3O`;?VpJEquCP(*tChHFoibAfy<k03#_hQ|bb}CA6
z#^@N7!g$X(iKQLKo1|_aKFY#Zsnl08(v$dY(rm%nLt1?<(m?l1KgU4tQq57)L8eSx
zr3AXNOgFAvl8ryqvqJTw3daJ|PLgk|byMYQGhG#|tAkutzqc4lO5!@PEBRI7wxwj4
zw@Z>^q1d_0oFevmYbOc*^eEe&ly9XkjHdO_#x9t+qb|~M1MjDDS;3ow<M?ZemSKff
zQA>jr;HRZ^yJlHxR^vm@T1Jv~-ZHB{onI*AUF}lKXtMbTEy&7NiasIpaA(KgXNhTl
z`h%Fb$-aJf%et0WZr3<jxNfnfeyT;rl;Dim+K;X7)#+|YGUEP?f~vuzvW*=Pb@lhP
zrw+un4Bx7v^cUI=R?q#aOAO7o?Zma_)A|GBndnAjrr}=Hw$oIpD(W0>9ZK-tmkq(m
z5r^TbS)pgzd)83{RHK0nK^BibN=ylril_)8QR4@wtU*+xkbrH}x3k@K<^Mscznv{*
zL7hLoK&2W8j&D=B*HJ&Ho{AS2sMFiQ={xBybcTBes18(=!+aH`fUIp#rII|(3{z$B
z)Js&91fWaG6C>@?Jv${uU0)%M=u;QwP&w4;6m#mr8(AS<Z;JEC<MiGb-_oY8$Wz&>
z@$s1W7WcbZo+b{Joc@fOm2=_5C-2y51FeIck~b%YXNAkfaO10Cb2xO>(7Cg7W2Q;=
zZ3J$TEvLwY&gwj~W37ruo>Dwo!0)WBgv9jb4V77K&OChgZ}3X+%6~ya$HkGxzV>Vn
zn1%k!y(o-@!H?j!nxbx$jG?_@oGkbExBXW0!PzK}N|&y-;bD~_xMHRf;l%3tHR7Br
zbYOF-R9v2o$rgihc*d67mx{+H|6r4<!(e@@%1VBG#kn&X3bKxyW4G;GGKH241*f!g
zp000@XY({;hoo-`t-j_R#xz9Q6FO@YLIMpkLN+toxE*74T&rR?5b2b|O+M`@L)JFE
zD^1+Pef>rpm=W1`bk7b>Vy2|Xod^eRm2W@$B%7?HzCNbnWKheoQNtYV3H3U|vzX9S
zPKXxVW=KNSk0i?)7}O_hyuGwqi=X7wvp3E#Vv57AnuFJv+b9poY!J$$jl9&wV5FNJ
zGGC>Hw!fKpOG_J>{zx$CJvU5QUfdE<=1bvh-&SJJFvoABWvt_H$d@<D4sPYMs_Dj^
zTWMNX<}O}v%u{<!k#XL3k&8!PO%u&P;T{zA@6Ru^EgPSjIr8%L_lF#5D=$V3>W6gQ
z>b7{h`h-N(v+%cUo>pwAoUCvXvnx7zHT%n%N^Xmq0@kg}%_s6C7_$@Ag?})YtwBNN
zmQUIM0VYx<pf2F#-w$&Qb$1grB30N0wMb8E$gfb_sHkU~p=-iahgK@J1%OUwib|=u
zxJ3=CEHXrOBKBqPS)i6st4h{}-TEjQ0PC(ataA=hbE(wHfD-D%MOMY1Gz338<wch1
z|GXKxBy*sf+H^hd$NR<zh57B32$w;H1@?CrZE$Qd(uT++pCFm`p}FYuF6gLfCJ|Cj
zih0mxrscUIe7~4EWpVM$$$DE?eD|ba$Lgj+pIf^1^^Wjmp^o6DN8*NwWx?!RL1;%y
zU))Q{2l%#SvhciQJ@{La&N0moaIvF=nKBt2leKo_QAVy?`nN_An;cm!L)J>^)mI9#
z>$uN4h&9K_dMcy@w|%gCRw7ebHC|z4YrT<!YR}fNXnTDQji9a|DtyDXy(P^S2*vMk
zjZ#U5VRwZh3L2tJteY#D$hE7Z%||)sVV4cco9pYew{LA`#yiDZKSsg{H<MhaUM)7@
zgt<dCUW<s-6qH`suGn6kUJa>~S>5{dkwHv#;q8<9500Jr*EXP|DTn9TU8}Y~=zhkV
zMN<Y4CfS_~9jk-4D$J`Gs)SMBlQ+Ixh-yir+N%2w<m0E$#Akl-eH4FGF)*1^&CDkU
zLEe7W7XL#qa<%C~M%g*4xKI6%#my8Q&7YYU;5*|t>sqM&tK&sc<vY#(ls1=^6MB`+
zuC>_Cg2!t;eaR~OGisw^Hp(u=$IoCdHUt-^6)PddRwzFhytlUYm-RbSz1O;z7lzNS
zgO@|AJ2DQqySm_+##SD#*AE!TBc=sgm+_A&jWeFrXJl%BIF&k#Vwt;CE5#=!g09ti
zW}YcXXw9ixukz{H{6r?Sx4-R=_R6!cdNss>BYX4;A^N-Ya$MbJV-HhHBAw?{=XGaS
zyPr>b^eFG^O*0JGPMoI3QR*lStJGxW-{z=S?qiYg#$;{QjKT7@nv-^Y>x=#`XZz$|
zS9(@@fCsun*DA>7&r6GRmMlA~9t=t~d}Gp@D(kck8P@ScEx20s8}we!{T?+HJ1nh{
zIf_+Yd>9@wShikviThl+^jJ%gj1B+b%+KCXW?_`K-G}aKlA~Ar&bQ()6u+=Zfx3)y
zm_c9|x>75}#xIP6{YS|uKGnWhyTSk``}vZkP+kI`g?7~Ty<YsVMyQhnB_}4rG*-sG
z_;%mTt5(xP!)tS`R{q@D0#R4hYj4R23cBZPC!cnX=7;6wsctseUG~_qy6@pl*?x61
z{MsYCv0z44X&vb&N(td&bwTM)ZVsd&Nxx2U{r7N+g~6#hC5s35Be`u>nO<A}u&>l^
z&oX$|m~R?B|MP=uVRRE$YGB!1{`>q2x7-sh%O0B<+Pa)hu8YOY*rrqC(<hskR3#sK
z=m(psAB>Oe`?3Czi-^{(xN%-N79x}{+|xGwbE+)E|8lg)#N&p&DUZYNd*pxW^RhzN
zVmLa{>BB)$Tz2W%3upURo$%ioqP^lXy9MQC@9AX^4m30jRhiCZm#LDUYLBZTW*1;R
zBWq(v9;Y+xpZ&5R@!qD}#=EN%CRH+5D!BGw8?M_jP{B=y$`t5Mw+@PzERBdR^QvI>
z82>oT6pfznJ;L2FpbHa7vQr&U_Jxv$Pf&viGCq3dGY!7Z>aOVqaG$|31KVbzc;%FD
znUTe|nDpu4`Q=3`$8R>UQnOSDLm&&GFI8hHW2)|~pg7fu2BtPLXE#-OG=`=44qn>*
z8uoPl#itFM_oTf9igeH4d24&+xm>;t6tT{a%5#YIw5x;UY!oJSm~o#CPf)3k(wm0g
zcS&0(%T5-vc;!D1>92XGn(n>Y-?wU+Mc5jRAM~%h;bXVX$mFA!s858I=x&|qR?qaF
z>kDO)fo+VAvd0LOcV1c;X}Blknm$mb=uq*kc+Qelap`G_3dOi_wm73@YxI#{M-nF@
zuDi3xnt?Lo?DTcWESMeD&)vDiY_)PF^IcuK1ixogc1T40&E@S#$^6P~<st*^O3UJe
zX<zorikR?MaJGnRkc^ScFLP{0WZp%@?6)KaOo7Z!buB?t?^Ms*nV)UJ3?V5tH;73=
ziqjD)NW9v|`C@uetD<zdqEU`UgQz9t_Qj0HEF5pnKg?rf;zO4jUDe>NpU|0KlDYq8
z>GOC~SpQk5_^352yzYYv(Fx_kMQz+0i}>M@KR|L;H;Q_kY@12yGJGgyZ(cZ2cuxYn
zmnhC=Uc`uPel(@?=$wlUo7L#Rdgn#&cLQI&hWgx=`d3wskn9$<0;4irG|chTu4)ky
zf1kRU@str`ag?*We)H>f>^`_B*XhNYX_?9}cy;@l)PlaAW4Y0A_kw7t>uA$0v+N%w
z8+W?J9?Iwoo4Ut04H8s2Vm&oC4|1%<;Wv7VgtVtZ=G8`)=U#QNZC?NGq_wI-&vuzI
zI(E|2J~Nare%PMap3Rr`tzo&}?~<NEg}M{$^I};yi_Nx6_R*uk&n~sIT12_^grD-J
zQm4tN394Z22Vc1KpiGx7YGke0cf4E0rJ$hFqef-AY&6AoszL*?z9=cT|DIpHve?oC
zsv>70R()etE(*0Z^ZEG|sjSr5viHbs@ovuK4PK`qPL4S1ye<17#=vZXqW8q@e3vVE
za2dXAo)Nu%%KA|fC2vF5Pt0dEhTF%ZB%%KO*rd`tHcW)*(5r1G=g*mkRnin~UPIG2
zW!pHEM`wRoJ+PdiS>zwuj5o0;mUEh8!mX%G+T`*U@^5vLJ5!Wq)U)XYSp~N1bOn6I
z_fq(p#p(hyx4TQ}yK2EtPp_nZR<1Pf@PbXI3QXHHSukWm&9%+H{7k<wUQCL%oole*
z?q}#lUQ=o4Tb}0sXgHC9E#&-Oo<n}V(or0E?Lo`&s<9CM)%0s6$d#^%Sw0!bwL6&>
zowKnko&AHz+_z-e7_&mF3Kw4Z^xC$kR^($82_ZGaAIaaFPT5ZPYU8n^-Yzr_n~V)>
zi6(ajlQ4q|1#2zhDx5z`VlMt%$Z`#2(-oQTd27^uPHTQMCT(6xdLfwMO4DVWSXZ2`
z)8`=vBUG4u(WY8gRQ4q0r}f9vp|g<F;s|WENlJ5m9Yd+7M&PDxQT_qR`BGuYrUVxG
zZn%s)^)~)>y~jC&3PF<HnRA#-yxI5{zKmiv!l`AGvWpe;56M3A_~-k>&{ma>LrJVg
zY|{O!Bjih&*`nu&eAkyk>#ZCY1e`0WoMIee8A*2AKkgh%ag7hMTR0sr-aWvPo5lul
zl6W}v<)u2rE4RC9sb!m5LNR(B)lrs~*=_ujo{!n9Pt+&T_JET2NxRh{DMa9pMx_00
zsgseo+5gAXS4G9ubwS2}1PK8W2p%j15AJkucb7nLch?4jYjAgWcMb0D*0@9C&_MT{
z{PWGjyzh0_d8oBdRqeWG-;?SobX-3ZRm5_PGBd#1Uq68aGMuE^r=DA~_7Az{IrlVH
z=#DC;YpB~ZS^-ju$D2w!Yj}2nWU%Sb2V3E@s$;l@1BB>AA+oef?(puQ)VQcf?U0Xs
zHUQ^u@1UWabeyR{|H~$7N`BZE)wq7oE=#?eIuZsU$j{E!Z#Jd!v(at1mO{A&j@q&i
zPs%ixFQfH5MXs0@fAZ84Kd%=a9cV?`sE`3LX$lrR-K%PknH9Z%O!TJJKNNXjtnQa$
z3j>bJPZ<|u(ciJ+coA^MGv5{WD9Vb5l?mf46H>JUJoDvPCf5jab(7-TyP1gfvZlK;
zfkbora;(+uf3de^?|hXjUc-TWhClY#r+cD?RmpYNI#3~;l{KK%vIuuQUrU(uUPj}n
z35(gXz(S?!VsJ+Zp+PlR1hwwWI5$Z{hxvG#IyKln>*3W+;L)aBc1OtjKsdRN@^1zc
zqc)b|XF<lDL#&i1#er?_e@>UpRn_<$`H?bxB!2dY>jRSzEnctcmLYTwJa;DYDKzJ)
zpqw2JU~pYthWtUZ>KAwD;_(f$G?Mt39^YMEEw$JJG1uuc6rU+eEARAqFC!549{r)@
zyq7G2^Pm*g2|Vk-8aCIG+f3yplUXJ+LrJN?6p~T)4KASL#F|5>u*HEJgl`G4(4I~O
zEz)?_A4J^SEKVw)#SI3>o}Mffh|QF)OBIyN=U;pu1N0G4BmqFSq(UPq5Y`2hCtbpU
zJQ(PoyyPa|2N*Z#5X1l1h0(pZ1x`i30L4J`2~coIvc~<~^vT#JsS}4&vu9>_$25Zf
z{;-c-D%Rr&*UMW0P8H}~r7<XP>$<8#DPG3gTc+FTNO8V=juK|eh*hOQYT5rsqa-2n
zw)Rx|&QQkkF#t2lo3(i%{l1g1iC66Y)1rYbU8)6iYU|yC6-#5Z6sd=4e&XOal~U97
zu)zUz>DAifp!yDRDLO`PR<FTW%z9paY(4GPV&lrCYa1VyZ-}|Gw%EH<_O%p#zN7O-
zRu@Z59<^C&XWh=*t@daR3?jGM9^aLc6;&`_i=hX5Z@d<B{e9u&MuR3p8l7<KIHAC4
zZP~*-BPTUFNRN8<3_Izo4si{wb19Wt8HuCg0RME|@=-XXsl20L|0v2_?}_I^IFrX@
zD~xr{g&J8t47@kAT^Bz1wSon#k26T?LbESE%#k_jZ7j0^bF6cDax;Q454RCPGz#1y
zC3+YVwHJBHmn5WIJQhMZ3mFG04V}q*0AD}hL{`68Rk=nJIIcCXaQB_eSfgj5Q}(Dl
zsk)DsSxwh&Vyf}XzIKzDYbn*qKJ_;)yP1_EZHMQN?VRQ&7J1r7MAx>R4F{v%+@&NZ
zE_M^i6|Y(Dy&tTj{M>QTi55A}_Dfbz4&X=oL=4fett@DH#Jw6FxF^uQbNG|z{1R1Y
zTL0mN@Wf~917ufR?XCldgbheX<KE4%YQIbSM$Pdh{Q{FA<GyW-feQ3}2HxIAm&f1j
z&-}+@8BK5v_?xQ!&$k|{CXkFZ?Sgw!-m&#VAP)dut%9G99&L%?!2iP=0<-{h5MjXq
z4!S#bum6e0ZnR85ISWC2_)jk)NfUpbHhn723E$A7#^as0g61gdWjd-w$yeJZAe^6k
z0v%xTHxFhTmsu8UHks8r$54x^^DEu$24x883ggC7O@ewfJ)65ndrnq^t|B#TZH1vo
zHRHSWQvKKYH1$y()-77cpSOvN(hK7o`#xdkIdJFbg{r38AEWnDryI?!mR0A5oe%oY
z#jh@*^{MOng4lGK9CXr%va+uS!??B=DPH`+ld{^}s}G!C1%?`0pWqH%O_M87VFsTK
zrNzcZ`qXB1GtVq$hFKT07JHA#Nt<=ayPCwSbzbVdzR+OCm6h$DlZ080N~gA829R!D
zs@MuQPq_k^wIQ1okB>-bJ(}a#WBuvmEp7R;xo8`o>cl<jEz?x7@eFh$Yxa57T7B|9
zOO;o*;}s`eM(Oq6b9lil10zc<5bNqd4Oy#_JD={SR@HU<q1RHX*p_Jsmio7?eTJ&w
zCIK(G&QjiLfzh0GZ+2et^s*$lu|uuwy4zWN8<!5T5M76|2vO*8zZDu4m~6_msWv>Z
zaz;cbmi*><SmaJoYgh(f`NYbmMKP4Q+qh_!Yz4i;heTaJX7Xy<s8{QCX*sL(CbFZM
z2ncjE%{g|rAmNRW!dUkF2!t7-(Ddx(+Kv7yaPy|v#@#5+9pAFyZexutJ?zXSFYBp+
zOW((vX2Y-Sb<t-SXocoPQrwgaOum#qvPN1}VcTi170akT@@=`Qf>60&uLA3qiG%px
zYM7GsR;aj6tB-|76IsUfjTk@*2k;)AQLc}!^;B;FpiXz-9*}<o+z^A(*waAOADh`T
zb?>hisO_7GF4zt9fg1kLT65=quXmVyspZdM`Q9pZ{v;TUZh+_%+%&|*tlcNj<}g3s
z29E|qDm!gY@3NInuIp42e~zp|@3EQ)osamw=*7(Z+@_RNy0@Y=SAKtMQ9L?mi_3Lu
zvhkIdC)JY`LPL@CS-m=sziHJIL^K)ewz?(4$=iOd82v=YgtwgFFd#1eK7)?`NpQN}
zxQICI=3$|rCo~#&0<bLL6|P&0f6v)vr!SJbRzZE!C}7=Y=41BUENHG&_^>-Nt^u-+
z@_vx|;+Vp6^u+O$^HiiMzOP$@*v>-f#AmU9XRMV?mfO<b>$Y+OK`l>LHmQo|i^q$j
zS)&P?(J~ne&zF*cI7nL7)@l+0T|A>Ryw^(ft?U8|saHFVxTpN0RXncpCG{D!&RVJ_
zw<#$ttln+Hp`NFQm-H~Y$n&YTe|gZIOgdf5zgInIrrxlLOr;{)eXk1jGGU1GYL>}j
z<g=!hb=34kvR8uwL>9lPs|!9&O}vkLxU!d&<y{mtSHcJd46Hj)Fh=XGfUSzWgX=;j
zAJ0}blYw*}Z-S)aIZKalVomvu1%(s6HLa!nR9n{_-K@z_NdC%;lkujm^aL}lzdU6q
zAJ6AH_hFXHgz~mJcY=F3va#&puxyFF^)_4vT1_A_cwjehSm5;0c%fHXT2EVr#S^++
z#h<xe)Kdh5XE8>%I6d?w@TSQ!#o9^UopFYLJzl$(Z5dorecC9!t6aIheoT{BId->|
zLj3q0*eQdFlkm7XR5KmNI063qkDuLe-bD`pLx64=Cu^`x)?`zMcT0tLmGdFnAfozi
zjEsVodYr`4GIiQ|qdetM3%+goRc?)|0f0By${~J<B{Jaeo*NJ1Uhhe9@R^qqOjx27
zdZk`B*OqI;WcS2BW@^b*&hL8+oA06UH>=F4pRHz@dh6UejhK^?X3oNku1FKD*K2Oa
zNeK%q8@(pAG2{wtFU)INCSn^@#X2@T`_J9F(xp0@JadvATTPokKJJh0Bwk*hv#dC2
zU#R_s`i!uwrC!*SO{6%g{N(&0aPQsT<T!5Sd83<U4U$cbyE@1)7jQdR%wkfl^19CZ
z+H_4llBjP}N{0j`3R}N$XeVr`A|9gm*1GoRX&yx+gW2TTZ;R4o<*M#o%@()Ee(FV*
zAI#KS$5-FR=N_OTR-C&_+KYG}>oy>rXFW?Pd3AD`9h<~-YG;d%m>bLFCylHX;s+4o
zrA+3o<(4yzEFZXq-7ucs$0d!f>6NlNX{*y|@P;M-{+vWt9b#)WRKRATOy+Wu1p-CP
z|K_>oXm6o39Dj+&`f+Lcv@a`(<7@3#YaL$bLS9*pr8a7Y-1j}7k};SV<fr|;OQ%);
zK$q^}bgB_eqmGW<d9U0Fgn#-jEse9Z?<f1_Qb>gR)%{Y7mGYTOL79=FhkEJaWfQV1
zQ^oOu`7nyR4TF#8MCmf`z_53NI74tmNLB@;5LWSIo1O+-%e47CbiiS8d8U}|73vca
z4X$TD5l5Xhph<7&(r%RiX2kJ{<s#b-sqmFbnf-Ud0pK&x)eR%vIeL!vzXZSwqYnsR
z`kC|*_}@qYybte_)xAyWrt^IQodZnO@WsqZVBoq7(e}Sa7k&P((E+1a_CVIdG|!Q0
z*1PssOl|-av;jolf|v$lW+@Knqn>siq1b(gtl$vUn}P9)*Bs@M%05z&8@9$zrM(n`
zfc>5h&J1T}eADKZ&oB?%g=wq*t33`Q;BL8+uPR59(Lm$U=uto?L+H(a+YU-)q~Xuo
z4H)Z?CmG^#^X`;Qs_pD-+w7+d21_WD?KEGDhr_w_mHgzD69}Gq112B`r>vgJ%K>d|
zlwAn8Yl5=e1mwIT5J}zzqn<Rz!76&uMz8d8=%F7{CKz?((IAvC`E{bc{u-|#oKaiV
zZOW5S{i{d)x78`R&<%bKSG%r-+d72X<{6dR;5F-4Vz>G;{T)|_c2An<2Dic-HpZtT
zUkv3kux?>rgwFNBxmjJ_EmIP9Igj4<WScS*CCq!EP5pju0^+#Xz9NcQkKgiGMiab2
z!+U6zm;2ZKb<tXS?Kfbo?X?yq^ipuvwJR*``EntLkk*K=evNSnKD0xgXZsaeU1--d
zsSKT1CSM-Y5_PGpTB?#S_N>4u!PT+hYJWH$W)(`X1ZNytl!`|Nt1D!H4iX3&$~235
z=ma`ueI6@*jyr%^XWX5*reNWd`{}11*H3YAtW124F2nMeb*d$+4`Z1vUG$x8Y<D{`
z#$C;t276B_1ej6~_hHO5Tw<HFgC`~wDR6pQEwqWa31w|<DrbDnmH>l0?&3!gW@7<k
zORmr_^|W5?uWRF-H>ZfanNnoo4aDYFX$%4vL%flD$pWz#@Dt3lX1IJeX_FLH^K1n_
zhr}PLRfrYFVXPJ<ua!@!|HtOCfQK8nJnaT>3%O<K1n+_Y{eM)BAPda9`yb-&9x>rN
zx1d9yiwMdDu>;LpB8|$xoPWSY>eNW!j~$&SNzaMU3TRk+hP5sXCW-2;`LGbtdw0|j
zs8q!TIPVcFD`Uv<=i7%m`7Q5HDA^BI5ZhA^XOm$%>Pg-1bToGyY^bKEfQUM$%_hk_
zZ#u{&Ne=j3G>F^wmUcW!iX{6@P_8r0eJU0+mXs|QVTI>eudhk8R7>4Lvjm>ty4xbR
zRY5lVofkpQMLHwOZRvEbX-=v8Puq*(n6(v=pP(wg6gpI45I#F-G_zc`XoSIVaAsOP
zc(&l(JWm#Xiq}+!p6Bk#jrjf%$ZF+6v&2F56yoqG&n5@VVrFH4uX|rtsi$%vp6J`~
z=4IjT=QnVHCpVuU&Hal#L@a1GOWDVN`F@0HoRyST;fq|flCgpD`IB=Z=_0iN=-WmZ
zTX2$X>g?5ApE%}%@$+nQ+!x{LH^CtOTaUEYRa8(MFX;|X6W2Xf24r;ir5v~8#wXKq
zZDof3XHV6;qwpf?v*yFco3xbu8=AJ3zv=9e(er%C_6w^60*-x6$_`zZ)8+H5S3Zd)
zj(*#cofgkx{oPOQPfSm&y}ZUju2rzjqPDy+X?GVr-iy^o6;AC&#%3Ms_Cm;6E*-W?
zc{QzC?Ve|<Nmv8#))B3BP}BO|x<lUGBKJ;1>9mncOkfgD=GxULeCz%zk(^?K_M{9o
z$;U3(G^3~5Nmb_|BfQjE`Ut3A<&}QwBU$_o&26D^sIuYPK+lX(?{GEIIB562--CM(
z)v*4DwkPmo93l%>2mnAQ1zrG<|F4z(>xCi!utJKm;r4&ULpTWlg7YF20n!t&UYLwK
zYFCXdxHegK(tEkf<sf#rwJ^ey$z`$xv<x=F=c)g3)oxg-BJ<N_G}XH)NiM~~S+KEk
z2W<@4Q8cO3F0}5yzImdb&7&`wD2KwveXAUb+%&Alq8#g1-mhOT#1oaFG_li~FEX0a
zAhZX%qgHl0TbcRdX37`qe|Ov)O#;(X!gxEUX)`%eS;PmBPOid%Vsg^VQyso>)7KWZ
zFstM)k*%XRNK{JsujlB>Th3G$If&`s&^Hjq;RdeTa&GI#!U-%>SeCb`l|=m4f$D-!
zw0z|%oD)ke_^3AL9<CevMC`Td#miN>L|%4=;Ry?sx0ie9`$IOPCQM93W%tp8opN*4
zA~{F1wOJjW;?a85&h0|`6%cjKF-@MQ9tW`%56o5P_89gfPH>+W7_miiwlJ<~X!glP
zSDM*7AE6DC^ByT6{Xi|2@&s#BPhF@#Nyb*!GKL<W9^G1oM`9{rbm?qL&G$%0MLw^$
zCRxuvNyZYdyO_dqzlugcNHK==m;~d*SXnA6V!d{rXH~Ck*5Sj;{LGzoi)>A`a~13d
z4du+1x?SomJ2`vmQVWOE&f(ZYo}IRd(=+j9p`3|7HLnU|Yo%IbYX+X(e7d#4DqQQ{
zc3tVzC$2V{Tt~dF(E|i?l>;|CaXah`;O7I@!3DnO+?h7G&A-U63iz4p+}70)m+w(<
z`KpV6>Xevsrc#d?vC4_l<&y0%?JA`sx%SUIWS*_8?;_>0?LWs2zU$&VY8qpDgptaF
z4T0UqK}1&4&i$@9+DA>zTCd-T^%(}3{om%}&|uXr_<lQPTSr6T$`p_IPW?4$7c0W+
zk*y`ll{C(Fv*}5!-$u_|BkmJ3xcM-?YO2^ZQfpLBXOfG4tN8VO0SgrBk$2VHsvSFM
zm6C5aY<#lO+^{7WAu|FDZn%Sb@qN(vLa;@`57|95%jK|tI@KtWdq6wH>O&aIwBJmN
zR@G>z$vgRf=?Qu>9hz9UVQX_9?YcjaT*KlBnFLi&j=5*uUuRzPdA^tAx5W!BAC8?7
z;sfUvJJ`Vz-_LHX473GrVJ05)gR$Ham6-~He4UIP-zo~oIPutMNA)F&v5_s8=p}s?
zU)lQev8Md2`{Pp_N9fNtkpZ-PFaZ+L@z(Lwyt{_eJ9DCr{W_yZEU<>yX}-2b_t7=x
z`b@TJRdnTep2Aln#2;L6aT0PKZ5~P^-_X`s_OPOT;9SvdgGkQVi&NiUKd+qsR($9y
z#;i5sWYD91ick>=KUuwHRyw8&t%H=j3HzW|dFCb|O5RB@*uJ%sC$qHH6dJ+r<|_Ut
z`M0r6Tu+YP1+$|+1>yUK+S{_A2rVM!@Mh1e&#%0Ljy*wDIJMORyr+w;gd$SBKKJ%X
zXwl(Q3fJ-o9@Qct{r%rB(#)n_;`5T30pAo+rahM)0+X%Jp2&Y|SXZ7%gw^j}t4-c(
z+Bo`GxmP`4(V(j_o{e5kSt-%{IdFyzVdu=u9bU2R&wmM`T2iGwa~5=Puv-=!DX(5R
zMiJbcX-PafTkIExrhSU5-`>>0wd++@o^l(&#ILP<b*Uzbbkvs5(jyjN`U8Qv3*fl{
z!l#pPCbBR8QXzuk&y#Tg8tN;AI2!mGh}HDJ9o2o;P4(h|^a2pQ10()LU0)*p)k!~3
zDg!9{Kz48!0^CtT0bZti+5F}O@EY-tJ63@oLBIVF5P<P81Za82Ob7D*l~EJ^ylFX2
zc%k#k7kCNi{Q}fuKyW=j1n9rAW1t%jzPSKhgV0-*7(J<8B)!-KcLR7Dz^7+N1l{`w
zAPb5366Fd2CwC!G@OEy0-buY+eAx~70!$Zhrptq8^*0v)2#seO%m}=Ofjk~g!12|W
z3&vG%HnCqkV?F?{AV4m71L%J40^>RL0Xhhje=(JR2g7p=a`^u~=73nudeSrS1pv({
zEWi;)+6+XKARd8lNbkk~7%+qc1=oPOF8`@^paVd;fJfsF4Q}Dq)~+|OYO;n1UWgY_
zos(}1-@QMlG+Wa?vD9du(U!4FuO!Ols#K!?Zm_Li!lw|?gYgt=<U(|7Ep_jI)1II|
z=#O#n6m4nooqB5?&+QTETdReY$h{<$pJ0g`*Xzi*J=6;6w3dS=onra*=#OdH-Al2%
z4mj+%L^JAL9(u9Zb7IvZy0_TJ!lkkLD;KIHNCtxfWqD}Ce$-TlpH>}0s67%V440se
z2KWOcellzhQC<_N-|=PUgTw9(@;!qzPJ0Af-VaQ@B}A9k3X_-;%SAd5;p|XoAx;Fx
zN;c1=380WRsF4=R5qvtkLsFD<Ho5ooL7#tD?|mX5>PHESlAjTk#N8)tSfUMHXU&O_
zIehe{Re#ms9I)lZ_hEPN=8u;jO<-O>hKZa^TayKkAokGfaO){^j$rh;zn%IYkwvfX
z<cS%4QndEys4YBZu1Ax4^V6z3=7(9Dmg5-0?;rP-Vb;>CZ6*2+S%rF9aWP)Lr-SKJ
zaMb+!+oAwA4N+0nF#}&|gRvF!`ZrScs;Pq(jRoFjH&<GB<ZT=$nCoObos5vgS3b@x
zGG$k)F%g~%xU{$<mR2;VxK8=!k<Pb#3qSK?6L&4-mO{)3X1}idVO1W$k$P+{bMH;&
zd$??x|DO7%h_I}y3a36|m^DlrYTeGQHgM-+zPnD=y7>$|UxWSrf#H2+Zr`==XFjJ-
zd4G4&_nS(wuy-&kSNl?J!Rb-k6^G7B`aLxXU)Y>B6J;^Pmk<Z;LMvtGhIuxP$r&*N
z;p?U*rR2XPEpy8KCf$ne-W`+QeNM~gf1O=!d?j*z?R-t~DMzQTNX{?M!l1OnSbzF~
zJd(3YBH&@i#!Cc!XZ07Z809X|di!=w(H`(|*L>Mi(Z;o9bJ8tWpVauOa{n!wYTJcN
z+lUt30E_Bl@nk+j<E$c$_gWoZ$LoZtQ&XD7+D4jj$FI6;bEkhnXM&1vM`4H!1}lp1
zMepwh)kWAV2v_pkx|F72`?s0M;^(-#9(>v#__%^Yy1it^f6V?-+sbRt`8hH=^LS*x
zQy>2lE<1)({rG246<qcc|Hy{=LV9iZ6U)8&kTZL<crnr|OXr2M0aw-~cFSJ{Hgns3
zCg{!fiED4dFC)oQI-tACm4w*52|IPmLBy*|$(_va4_La^KS`L%cjqtsvO2$P8<F*4
zL(UI#C|tFJ-5dwy#jZwEV6}X}y)M=c5<&gCTu6~$lP2~cmbF0%aV`9;L@7{FsD(a?
z()*1h<zar#Lb(q@O7HonQTz16b6D=!RHK^hFR^)Ly~@e`jFB%bQ7P;36Sz1*tTX(i
zN`rY*Nu)JSMgETg4OyEsthf-)zfMAtT(1ahGX?C>#)JHcT#Y1NoFLr;9}w3O8J56n
zI573fa~Xw%6Qv+VNtD@8!}oHyiKz`maFFHf&6?Xf%K|;wcEpO)OFQ%d$~#F{RIM!v
zCcE(im=K~AkN3pEmAE?R+c@S?^Du8|O0)Xs(fz8tC@vz2G~3Zl^P?8uu*<>ykJm-)
zsW=yAPWT&*Z=7X90%kz@T)ua<(Qoxnhl(G3&=Mh<iar`NZ|(a9m>(i|_*44q-G?k=
zXtKE3Y2}!W=UUJHU>n@k?#k-j`0^uGuTpvw2px~qys^Gp?L;wW)dljWIJobVpex`c
zFJ~8o=O2vDDg43R$G42s8Pa&e6l2nKvMoKoW@kTYCZPtFrLk}}%A%xoP)I<Wvg(F?
zIHT?g@cu+GypUXXKVzyEp*KWevSJjBf?@QOW`~qea<H-{wD$&7eTs4bsTMb|&W~&e
z>WP~nC>J1^7_C)WprZ-g#+=w&7I4hL#WUMIPh=|)OHj9y5Cv7t*=&Qf6z~$BJka0g
zVN)hWobQ@c`M+`fmnRgUep>DsUqUU}GWWXQS9lYTXlV?|-hS7pr=&S=iN<l=QN@Bz
zi`#dJ4d1$%omMx3c=I;uHjY&O`ssLR%G^$7wby7>WF%?xMXr<W%$T>@C#VQLEwUYD
zFu7^$cD*yq=_3KN4(n;58p+nFSM=DRCx?O;XVq1GRA$TDTzJs^zMU4sn$@_xe&E^d
zKSX?d{0|Y=z?6SpBL?Sh|BNB#F-clRBl4Yw7vAzitNlu!{&o~)ijhRyY3zd>jj-7#
z&E%KL9ZlvbO#kjuSEgd>%~j}D1Y)wj+0dUgpLi<}s98!nQ$j&?^&zi^OVE?lhx!Ts
z!T#ZwIgTB+s}k=y;i6qpbhlIm&g(NVBDb`w62%_ZmEPbVSi3h`9?>T<VP-Kdo78(z
zI`aO%zIhsrqOC|R3c-ySfw6C&#!_*X(?al_l?H~k`nT=&pIBKlSV}DYpr$iO8x|5P
zIbXZ#y!+2Rkh-u$5Kl6WpG~$@I&9*oN^abW=y0+~PU|vFXO8!Tx{dXc*G8<}sm~fY
zmBq^%Ds_5yW->ULjcNO~C_z7$q76Uqjmve3&3eUhq+M*t857FwHpDZli4DBNb0M56
z%G5OUd6&?N(gHVZTk}%Q^%Pb=<}M9&N@u-!>6Q1{F!tn+u`3UmZUiOOa(HfcCi%`g
z-q84-(8VK6fv&Wbt!Jx{!;6c_V{7}`M0Mri?u9T(KjX1<MT}bZ^;|ih+rVj}OSiD&
zL{&OT*?4wnHg~WHeBpv%AqC|<ek4Q7<nvE6dk8B}+uY5JC^erq3E?_{R>RL4Ftwmp
zw#8KfS3+Q0%(y0-)e59%s%hHq%h_V^1J9n8RSD^UEu=94-Mlsh!^MiWek+H=Z0+~W
zXFREebXziI-$#(bKcfu_dZ}EU%=H~Of&7o&OaT7|qziz(4DM!92ez;DrvC}}APYcy
z22dC-%0FUSc{H&xOl*;0A(g)~w+Ed&7NeM>*pSfn3!!jVb7NfhKdvjwt`6}fcIQi$
zR<CgPqTpAt@H7;W;dsIE>;7hEz%y_Xr6@~TKkVeuIJR{s$dl3**2>k)2+u#v%dwpg
z`20=ce-_Q%YD=f|{qEpG7|E#4!9|fODj+bA$M(rmRY!A!iCQ}9d@5zsa4dkG%8r#B
zyMo?MTH-XflVeQaAo$^MoqMJdb1F}2X!?xM&Q=4x(N|0hqV4ywj87XYJf!85da1;n
zr&-B1GU-;@;9a&!v7D&77;)2WsIo=lZ~dy$+;C!Br=EJBx$R!)Vi=|UZNew(1e?p&
z$Aq*CdN(W2+4(gav4LRi(PwH~+$m~dbm`snYC;h6N)BGR1zyF9=iC<eLQTo(<WD6X
zU}$Ulcwf!Zd_DEWLV(;m9p<)n+jp8D2Cwp`_b1qpY818CKC8uGTDxe~#=Is&o7~DE
zi|{1H4wOKuGUmFS2F+1TmS|=(s+@#ZJNVBKXw$pO(Nk8N5Sexg-w9oO{{DDt8h?Mu
zzm}qMZhOl9+pcR;n%5vw&~v%ZdJE$CO(90UPMoku<$#OJRLuO?YefeuQj}+ui8<21
zSgyGDY#_MkjY1#>D<KnRgLK&lm<%j*uY1A#ZaA>$etSl3)v0_}dCL)+GGV+mtMA>s
zi2xl`0WY6O8J0ef+4aeDn}->}k<J4YU=>E;H9;;mYeVmn@}b#Vx9yS}8^80KjlP#u
zK<L9Pb5$kENA<*D*jO(yiKTe2BCTThKA>6KpX-$IJIHJ;^yT(mc=yB&LE2a~`IC;A
zaUZ{<AU&quZ~Z(OUH>B<h$U(>7!w%!iZYtsd@Nb_ohOzuQqwh;o968vqY1sK55C^)
z%+$cw6x#I^TW1@tO<DxOrdRfz=7K~tu@d{104|+m@rbT-v=Lc|G-_RB=|O=^g6!?b
zPln9>cF}%keJh^&5<+(tybLnvS3KS`HJcXeAp*8^v#+V|FY60p{<vc|AKu%Ica}^I
z{5<4G4jZ1>v{{?VUO2w^rgUu2Q+i~WVVoe3waR5}evi9yM_)U7#9J_|L)#T(pPZal
z-x%-?V*>dL-CicE<%oZ!_X0yq2=5DL{*1+z0uO+`0VMGwbiR0Kw45R3s-ctohG2-8
zLdAs|a`)znqeJ(>Xnr_yT3dp>xeu2E&WgMETWW4lobB7|Dnc&;1Ef`6n^JQRdD2p1
z!*UQwBEy7=-Ld>dS^2JX_QCV--2O(Ct9`D?Kk?dE_wM(B^3~xQ0jAbeDHA$HdnM;W
z+#dUp`{Pd@{dX77sA-xTUMU2T?O%UrZ@WBl$e)cQylTTe4j{oqZm1xm@4LTj^jq{q
z$Bpg3dgepMYX>Iz0p$<Pz;E24kausl{>~-L*`qFK;p<1}B!}<uPg*-$;?v=_Hl><A
zja;1Ct=HW+^tzO%m%)3}@<<*_$G+|J>`3&3Z+gNW@u$$HKWWSD=lkg_Li)2=Z`4Te
z+*b10P#n7K+Y0TEi)akvheBYhk*r-~-}NPzU7n~5D)(FCFSE!|^i94?4nP;Gh+$$$
z73E!#1J^1x`VwO-SzGa%;^bVD`6VFO*hWTk1%tAkp_<hJS>&7f*}NIPlFa!cORs!X
z9aLzZBICgA2s5Ml9tC?3Tf!)pnkWlb7O_fg1<~k3#1gf<X!_pcz?;)q*|xE%57QR&
zCW94bA*w+r%^#KsYI_@aMbS^z@qfks^~q<kFh&|(OU1Mo6N+vtE6K|@$&ud3=M4PV
zuFJKJ@)HtP@x%JVg87<<ovc~pkDh%EDV-ld0|gT)Bu))c&F`pKa*DiaPgG_*d1`(K
zQW`Mza%jA-(bg_cTpyi^Wt}~=iboy?x%BQXGjx}vS!%?$On7`@ifr2SMkaoKE@{?Z
z%MDY}cQ}H{lbxC$f@@rHbrikzNKFsLgnk^w6VR9+i4pzKQu-5XqYywQCc+bBlOH7a
zvcS{#<x#xak5=JbpxFzh90{@Dv44$xu4xHzycdAf-QRn-+9zil&kzIEd5b3JLmb>~
zJVSKis%+G=?NcQeW0{uCqZ0*b<~mC%KlL`&vp9aJ?B$AHlGR4M3PMiblbmpZ4O{At
z2v%{b`pza340EoS`{_&I0528Rh~Fo^?ppgGu`Rijr1wDFl;bxC{CR|6_yE8d_=@}h
z479C@Jy#U~WKh5+xa%=%Nx3Bq+<{FA_!8a$ZFg``EpYEL6>dNiQTKz{>RXQ7bw3wD
zpTH95>F{fbN*@MPXM2M}1IX^wTC;1BNG%eROZB>%Nv9Z;1plSL$R{}FhN#!I@1$V#
z#I#46D(bFx!s|q`U;M0sjGhYF?5O7k6|fgH%mj?#CQnQy<KAjT7~MaJ=Ps>=Oy5l5
zsTF6-UD!t|8|i`6+`o5@1bq_`YJl%R#r((d(aud3CpIdA4F&8audA?K$4kype1<@F
z-v>)v>dJHw1LGnHd}YnHHF#L>#g{ZPhLKTsjfRiEx&zMS2lvlserv1OJQZ3-seQjf
z3kQ#(VNmG|?f%f_`_zxQ$lOkT&vB5)voKHayh(N;xz|ISP3qhKplG*gsdE}FPPhNm
z{^j4xJY3wST@iK!$u;tGty`tR0M|VFB0gyvxnleH1T6)Rk$g4V4O+>2>r-E*+s7RI
z16--f&^1w_6aoF%W0`(@GV?+0jGe3AGuN>dD%{IE4_oag=N%7N5-%)U7=KbOljNhp
z&B(sSK9x^fFl6UXGj8q-1=cHpan9{GU3N<ApxW^;!3!nVZ(}-Yz(~k7{gpqO%4pdq
zHb_#l|NJsln#2(m-Q1xMRAXLeK0wnE!SzV;nWXONuezr}XD1OKol2w&`rBU(Al|>&
zZWsd3A3|j(l;mogL&bkhNMN!===ET;sicrdDvn|ZE&xN10CE@51Af+vLHzr7$c6&3
zSOUOe9wBEJO^Ct4k<RNXb^l#b-!Wk58T|VZ6G95$<pWS~(rO6cd<DW(0@{cX`v4d9
z3<}^uC4qR!*$z~JfZsPj`=^<}sU~D3F|kDAI(j^JZZZx5J0M0~Ige!^^($WSC)_lU
zvJCMeR-WL3<D@uSzavcTiImpJ@}>Vrw)gWY6R_VCKR0$OaY|<KNQn>b+PY+%Hpkvs
zvKRE}S^4pQGh$2jF8k__+Z;2_q9MQ@#rf^s@0w6i{UpjnBT%Ag&QI*qGhM+=?46GU
z!CDM0;f#%yG?O-VBYu2Ab^W<DrY;ps0ZMMj8})_x1_WOjyc4uwms}V4`yxL=#-ttR
z;vPR_tLc(2x0xRe-c~mr+Ox?c|B~kG4M0{YNPFM9rx^b#mbbsudPz2K#r&(m%V~8?
zt5b%qf}<N&?0l0FQ=R~@{Y;thBLCme(E!i5In#NGKYmid7Ax}ep}LJ}%O}ayELZDg
z%et<H_Y?Q_1>u2_kMw0|e5i}@oWsSDmx@ugn#^%EnLM22o5LGiOu8@6zxijRUz?d1
zJWYl%&xjTbpWg~Qr#r^7g*zX1v{+o9i=}m&`c^*nLdb{M9IxKbu)5sj;^RwI@}ZkW
z^8QAzWuKX$Xw@D>|GvWMEB^Q9_SFF@8M&6Gg#qYf+R3!+t>}7?#6AIoRY`SyTBiQZ
z{0GV6+jst)wZrHw)|=+fJ!Ns-?A;$}^>F(s-#z<G;j~C@Iwsr{Fp$1PIujWY>^VbY
z`bzX+_>Vtdpw?d|rE9`-psNu;xk5l)h93G%a}8jPl(*Z5A3CJ5V!N$0!_N*Dx^l=Q
z;fH?Z@roX(`OU8$uO%;#K6v|;11|zGCCvOfnZ)ESQa2tLhDLNfWb7J|L~q|*Bk(!i
z5C86b*)uvenmFeTV7(Xe6u@wZOt}3iQqQ0zd=)PdtIcLVPeMUd<bzBK5^A#0CppK>
zVG$rBkPfdVGXXC6=s5_GWGL*(-H?S@T@+)&iI+wUPSzvuZI~+63$+(Cj8D*1&MAG^
z5XvGyjMV1IEIT%(#JeQr(Y*&SEX9^9k_d#dX<epqpG#Nz&<j*H=N9X>{XL6ZoPxlk
zhLyG6M#k|te+q6$I9x!EX2mwpwlZ36;z%4o#j<rpY5L1sKV?wl9(^(Kmy_{-tGISh
zcTmZMPJ#Ja8M&1utPr%nvMQX2SIUQ0CNHr|Z{)lQFyRI%DBfnXI*;C^LO35wx6Y=y
z8;oA(I_)ai+>A>t4kD$}##<<HmD>zGG;$DLR449PpWP?Ric8G#A&71x+F>+#``7gw
z#g!bTf>Kh$=Il+>M|4?PpW~?W%G8$Wyq<hg|Ck=Vyk9DL;k8~zSEaO00;4@1CL`t(
z6IyDcXZ*Xh4q;Ol)vjLamA9W+&}#rLe=Vm@D4v@-BMzVHw<X1Tr1MfPDAoj|wa_9*
ziL`8IIL$B%?H=_yL(r7YXvjMC;qtqaye=8==sCa!C5JLvaO)1KsaTRplDn@vqg`C&
zh~_3Ew!iq4(m(lR@N~26MK5>iv=%Z}8lL9*@4?3D+M@ifn)7<Yr#byJpFW4nkFu!i
z6bH<`cg|r6<IAbt=Te`Cu*H}t3TJsfoP>6E(<>>_Pg0J^=$$Bf6@48OsSG$2`uqmO
zq>1?BfemGj?}k$*OAqlU47eXSONrJds<eNa9>tO)J4>{GE!JYb<6)lIZ+P-?fH#U-
zzJPgpPzw)hRv&S}k;JaVs~?Y+l%Lpsd~^Qt%I!<ahRR<<Npz^yeqqM^HfgqV^N5d`
zO8sy(MKy}o1LNy8ry0fTQu(Ql#F-!;z0VB|8j!U^;{hF3dp?x?>RLJyqX{jW-VXx}
zVMSq>W>}uNTu_!PbXFZ#+OL=O2qe<BnMU*l{Gv}ifv}5jZ_9!`dhY&=`he^baJ-wx
zQqKQ=x_|AFk?|78(f%d*a<QXH5cjPDNW5K4|69fU+Cmf?Nq<scx;P4QSgGuFDUYu$
zmf)!fcG7QmbGOIO30<Ro%MwvILroKtU#-gS1;tvBquoA4w9@VLwBDP(XdGl5os2pO
zjB_)y_q?)>?30Dw1^FbD^kCE+T9&w6e9tF6R?ofK&}j@3X|Sf6PNh7jY1~vXsR572
zb6P*llVx=(ysd?azI%NueN7i{f>u=@63n_C`{fptk8u5sumvN4vEX*#3F<(2*%gHd
zJ_Wj{5Xay!@%E$tccZ|8EYM`L96b8;-(_Q9kDh~DCSO1o8aq*Gu%^ie#&M!8|7E9*
zF3Z*Gs2Hp+G+X@2n_}Iir+Qa7l%Ld1eC1_NYkpqTgE^Nyu8?EdQv{sgnRc7i$7Np7
zqCI~^WIO@}-3!GHIG{3MyVE>jb5F&XHv1EmkrW<P`+ZWnwK$LCEC`F0yNqwRdn80m
z)cyDv?`G72_Qj}FJ6p^NNr`v+_xi%|@GoBU({t(~v=odViX3-!{;XH@^2u31`yMp^
z$mfq1!SDa#m<#^K;=#bTfo9ck$fi2(e!aV70#9c`Ng5~-R;&4+i>5aj_I&A{uPO-w
zh1B##e*EAqbD;3ft7mnh<gHK|93L6__;N0R2ky`bDrEdqCOsuXdwO59A!lt(g{1ls
z*o7%4E07bTclhVBe%wPsK%MYJBQ$*%`0tY)l77p6HtL<9P_6lHKyXa1HFa6)ch4>E
zy`27$BOBths;#-r4_Eu!uW9&+Ds3U{>UaVR>Zo#)phDf4{f67Kh;n(uk(J;V>Upp*
z8NZZC1np|?P}y`XKW<Kgav9S8d(c91w3*cR9ksTHk>ldt7+s-bx=#v&FCTuII9=~`
zoRdeK4-#j!4Xz@E=&n_Hp*yf>^`=@T>Kd22F<+TuG}3C{5S|V=ZgjTiN_o9X>?LS?
zo=8)PwEHlk9xF3#^}faF=$<WqGSB2c*7Ef>>)$kL2$lsfHemrLbHH=^KZZj0TmeAq
zawrbK2#~|<0q_quYVgVEHK0i_<!(Ls<DC()I{Ta9p?*Ye$Wj{1Xe10h(3n|<wX+Ed
zS!d2W|I7*9OzfdRTIN?=My|nnbzY5Qy~AUN6d9Lj0G-&<Fj=L$?W2t&Fhg@1;dnD5
z)@VOHAh%goeUJyw4H*7?t<>fv_BCkxi^;W^<l|#LQS3>GkdD>SA~~p-KlNR1&fDwJ
zwYEPAP2x-+Pl`0qZvGZU1JK=X1hg(53R>oEk}7rro}c~Z8&DahC^%4W)#2qG1gu@e
zvhn19*aXi+URn!Jw)7HLn?VEMU%D#`$xIhE8<c)sgyG20$9i|B>yHuly+|4vSAkGP
z^j+SVXeI^5`%-VxzxNdQ(nh1ypPp~Dy`I^ZJu5-zZl7Y*Mg@k+lBrP@od>9OP4j$S
zg5+a|C%}V;6?T$(N{gVc!gil6M93+<sj?rvnSSqnOJd0WdZ0^6l3=C5a7B1bJ)Gp@
zO5~zCHD!_r`hu!x$L9Ir!-k%RRPNEJ->*!nDWsA}=7sKiOg%zF4$}Qj+>4Rg4r&<j
z+YlYpf~lXQ3^AW}L+Fn?K7?8F<*=~n2sM3k!6?mUmo)}S37Tc*55LlDyCICYw=2W#
z08=614lzrZ+q>Hi&^D0&=9nPc{>Z*!t<=0}gCHXXMo){vBwIdP-q~GR?=jU-=9=u5
zUeo^$K$(g+P%}qE6TJH;eL6b-(UE^BX*So9>7nXydi5oPB`%8ZNh_zwO>{P8DGwx;
zo49w8cX{#?F1UI*QL)#-k0F2;jsK>sTBTf1>1Q*}tW_nXNS|Fsz!0;@ntUTyNEP}b
z-}a2dOz?c@*$MpFM3~t99hr$EDk)1#8>&w-Ccc5V%#Cm^0kW!V({ba}TdqB<gBa~N
zRA^Xj-+Z&<?PbXAVv_crg$m={w_Lr#)RQBxiq*2Tc-XMo#tkoQzIZ)=FD09l?o-de
z^E=wIwfnNGeFOi2V-D}1{&v67P5fj&t@<k+u=rR@AFkM5ze#8Lpi`)7>E7s}M!j8r
z^(~;043Ccvc;$U(I8>VE)VZrYtnTz!z8^o$K5OOZ%`cURdDgBGC@e})vWJfC&|4iK
z0694S2xd5AF(;VO7Kn;F6+fo?qsz7YK=`-ka}0H#$8qw=mfqKhqB0z97#*oNx45Jc
z$~njmTYW5plwo{SB`<v9@%!ADthu8fU{x=-&mR4|{d`5NXQ=pEOPW(=G~Efe&H{_3
zv68A0wtEt@L2cL^n+_d0M^7fiJm=T2-SbALH&)-XP?3YX1kcXKdJ5-N{$3;>)NJ??
zs=JO~@npQWG1Kkubg#*4FyQDAqSC$5tQ0ZrFbSKsr+Q$lnSbG&HnnxE{H}VsaNJvf
zz$7E)m2YxF@!g(*uT~Tn7c%I10^<NUc><F?fo%d)ILiZibqAu&>u|bM4Z^C@LZl^9
zUrF_(%KAc<+lf|)!@k~XCCQUvjPV_FKWMJWG_*avMPAug_ViE4@cTaP*^qUrKq92Z
z-RRFL-WJws>iz*!lLB%h6t2e{$bZUx?9bQ!%HhXW9P(o&F?Z$xM$0EdURTTwFnizC
z4^4Yfnn;omJ=EHbs#w(_@?$1El6bE~`?ps_T06v*O-$m4&o>6$m2MV!B*2Ari&f5B
zW>dAnIQa0WVb~-!x*xuqpS|Ab?$MPLjb3!o{QDSu?a4{t4jH%l_32cCw}aw?0!f=E
zyZi@CqkRW@W;sYl#0cN~xVnw3TdlL=deb_;U2Fv<I|K3OwJe2PDMF+bs$^<7si*1k
zr@h5M`yZ4Al$1zs%<bL=tGy9xjXBQ=vZ18RZxfbOB*-`Yb;x)m_VFE3KK{p`D@_5P
z*9)%@O#AmpCRGhk)<uEEWz#IhoLv=lIs;yT)1FZKbA`#^y+pf*(Kjh?kh1VononD;
zAWSioRdJKtt>-6d#?{Ee7}^CJBNDw<8_pH!T`%!La?*37&VM$mx9Cr-d59yB0wP~L
zbQOk|HbZz>HIhC;zTI!n3otr!Ww>>wez&%XSG*sI9UlHm*7b$%i(eiQY!0nOA!q9T
z%N+OWL{jCA-<8lu(eL@VYdi+Kf$r6=k7~0XkfRQM1v4wR#Kq7_8@wi3Bdo^z1aYX`
zTt#HPsH(d}P|To^fO(G%owgRy*t&FihtZRh0!mJ~TKwGglR3~?Nx-UW5%AjggYOR*
z_!|H{MgT9{!En;Kr!3%SB?XXl3AiaDAh#EjfTMm6Y1fg2!rF^(aPcERbpj0M1tKvE
z{)HF*S2zQndjc=^g5aFouQ}G7D8Jdfh)3kz0JIP=unLSv&j0}ZVhkXC1R4RlNDxQh
z<Oi<>S#keu<mT;10FZuAIsg}61C}otS>ZmVAGx?&g=?YR(O=DFD!)@JWNQcteBs|M
zjcQ)}H5NGJgB>3Cwz!ZAD>Go$!i_uWGu$9_se5VBxMV8ikNeTu(X(cbfF9z3T^(E3
zBA2frz~|ts!X+b}$|5<g%M^a@-y-6MR$|&tl=ZlHPQ+*R?UQuY=Hy?_6;v^sFGobb
z1m4QC?nzJR>XEe;URhL9ke3fUQWdG5%g-xkGdeaKi5J&)l|5C3Y24#X9^iCk9OR@)
zv>k-AVo5#iloddSZ`d*}uqIrke31z;mj+mhj@1bzUJKL?(L~aY$?_xH$$usNZuRa7
zClMiI0-0Wm$qmrw-@#oiC$}|vKUmE=YgjN4CLqkpYBe}CRj&pUiN}l&?06e9CS=IS
zc@ux?^D@CFo{XM&wTRO|_<Otf7&EKgML9WRR=SCS^RWj1q{;hAXcj$3vsmNZaKp5$
z5ew%?20!3pXc%bQGu`*$S%A%1HFdNanS$5dR~W3Ql<VQ2e5cA$h%WZP<j=gDlTD;y
z^^Ud1svu2^yh_a3QBs7BM8#cPls2F+?NdmG4xKU;dngLhx5QQNAK+cTL}9GtRwwM7
z-{t&c-J4Vd&}Qe-=Oy`gTROMjs+T2YylYafkX3&$sQWF5ZHKie7nqwe4HH-|4~V9w
zlYW^-7!pYleH*Ik7*x2l(Nz3MstV|B!6qTFDxu=1uK$4e&)ZQr_y@4A$1W{U|4t!=
zp#5u|%f~J!cyub@&cCbA`Ro0PSM}e>{&<NV@58m^&Wkjfk#}+Pp*uM@Yoy<kcnEXE
zyr@qU3>?2SopdI!Q_ZDsSCW!Abml0hO<H=cI%K^Xg{=Sf@VolRA`Bvy{UD!v{hLua
z`Ap}x2NBrHoI5_!oH@X*vaG_Aqr-qk^73#4hXNP*lg!4q#3Q(*L{dunf;Oq3uVmBo
z9|&7hP4|cD#0i@##ugnPrl*?IJ9!3WvzMJIHEct2W7bmwO8#lC+2hEo$%;mDOhME{
zKe=co5?J1of8o$XMtlyT%TJqR=(p<Z3403?{XUYh8)7M4U?C&tJD1j%NagL;{w2XN
z6f;Ck+sfsS&h(FwgSL;`{qD-VK{d{&Gg6;dLkS!h;u?RrjkrEsTTFR`$u^4K!Pm~K
zc@w1S9)6Ineb^1}bfP**&s=0}G~R`HW8J<aki*(vCGzPnd#54rRp5U8t+=oy=@Xi0
zh#(IJl=90v{$XP8*8#g`B?Pa&NOD-l(td>Q+cGdxyKukc%4Ns71|Ko%v1!rMyL-L;
zX>vWfjKM0~EyYn<a~ugfydHEA0XI8iL!5|x25Hr$<x3QvUuor!36(?_Z+8t=oTB3O
zN(QhwN)yzdFn;)St35cBusMsiF=*=_>H0-*)cu|KAZ{cGzaXZcyt*@l0rzbK5{o9q
z84B9`&y$2sab0yj06GH)itoWyD5<G;5Uwbel+@3+_!^&)<s}JGk<BQ=jo)X@ms7}x
zz9wC3m}L2kxH9kba!hzKi+jIAY_KWk7BECkL!)6<pv#B?lF4VSJ^2^T^1T0|tkVA>
z%h(gT6{!|soy+bkf=(c|XsVy`SuP2kDoAO~(={tz(3>->Ll1gnBvmR>{`|GneqXV5
zlLJv4`(p>0c7`9M+dcSx$R)5KG~8!>Pf9yt%qPj7j(dF>BRcY;&DF2#u^&4-1+}=^
z=DrBWD_5gT#O9x!BDjG(rKYL><Z}KJxq0fgdk$aw#a-nRj;PkGYOt!F)EKwkK;)!_
z@TiKI!JdiG!*8W1mGWRX=@=>ZrD4O{wYv>MnuittXWzPK=5FJE*6TYsvqbvd`s5L3
zipu2WkLl!T2Q<M~$pR>N$olfxjZ$seF9comwD(E#n)Q~HQ)B=5QOhdMqQTGlKeLJ@
zkcSB$9*m(2)`hd#jbY+Mot~1}!ne#C9cSM>Q}i4Yj0+vSPZ6ZnuDw~$MeZ>*kyAR5
z6K3`z{Z=S0fE2B1wO5BiksE#4S@+`KwltD`*HSHRjQz@hJjaQh_mkM+nuC=%bOGE*
zHR7PUD<IdX@Z^vAuJ}8~bdP((*r7S`x6nUo83@dr<vdp9ai5ot-f{Bwet6Z#<?VsJ
z9Cn9lnwn*}egm(>_i%o)8tr^K0rn2S+53PFniMUohw2V5p9thkX<zL}WU#$FbXoSH
zVfgJ(fOmKaiII{>778=#Tb9<DIjxgQ_B8?YBg#-V4D(%nMWV5SFvaDn8D)~4w!lb%
zRiYzf(5*Hv(#qeq&+SQGBo>N~AJd{O8jPPl1?wJ_ExfE<`28uP{{Z)rU+1bWrHM$J
zxpW(q9VVI7Fh?i_eZKnQIe9OZr-7}JZd`sOoN3UkEXXQzfp$I4`*uTEPDu!^HG<@J
z`XSxJ;x71C%bul2+v()o)z2$wo!cts+N)s)%JlWKq+1mxwe%2W>xpMWGc&FT&0X)k
z&KDFEET{&VjV|hkhliA2r+f-pyQrtK{aF<p#nQeY9YU5EZ?lQ+2IkbiAN4mVzUko1
zmkj(#p#QC+o|tTSy)(nt<CA>BgES>~Bes)qBm}Rx`RjlwwcikNPgRuM2mWGVBpmRv
z&^i~Ds4492=ik!%k}{sc6iHT5z7vLwiWrtc8Ksi*)x~(@ygzHKm*b-)i?cEvs!^wV
z$NaD>$-~V2I!bT!NpGfT0~Y)n{*XYV?B*v})xQgig;Lp3bno@ESiM7iP&htH&+A_|
zyj*6B`Q>OZBd5KTRwQdEjSLoHrK_Ot;Qvy(re&YX?GxclAY=q7o}61XymXFAFRH(C
zkMR>7CAvd0VQ1LYov_t6&F)Ub_`xE&w_HWn2@F2n6Sn;$B>P}JG*OJ?0!vASHnMc`
zZyqi!?61{w_Hxd%!&WfWF<!~vohg%J`je+zIqN4TMl(&dN*tf;ST)g#CZf<-ewo8~
z^YlwT=feieo>svcK1EPST}MbEX$#qT(aGKAfUqeGHlOgcL=k-`-s|AO7n7l!9d^cN
zC}F`?vHyptw+yPI>zal`a1Rc_-GaLZ3GVLh?hYroyE_DTcMXsL!QI{69nO4Q_w!bL
zKc{NfOik6AHQj6P?nb^J6_c5P(xKDNg~W|p5<A!6GAS>CJu!?e=Cd5PIz<}xV{7?$
zi-MZHIUL)M2WfJ0<D6T+uaI}Jk1mZb-*BRrd&M<~uUvv4o49$|fSIOgKjtTM4y((G
zTy6RF;<*K1=o9(S!l-xOI;W2VNmdG-d0*Oe(pc<0Wo8Dw{%Nx6>zlZhctiZgzw-U-
z?NOy9=lMV9te>CN&R$^ow6uQ>c=_-k68-vvLVN{o>J1~mk0g3{=dKEN>|w_0=5F+V
z7D!UaTXVu?_de4}ch^mE<lkkkq=@R2V9bJ2I>`7XQ2LmVV5UY>Ye-pWQHk!oIfpqK
z){HFOQ?`m@AM*ltYKhF1O15I_0EBGWWYWXFdf@u}l>7V~JB%^Ir0rs5TKX57-cL$n
zBAx%<W~n6`Iv{rSCTDM{xXQSt`;HU+$!?{p_&``<<=><6Z*@=k4P|wI2<6GSs8DS$
zr|xdXmd~&|Rm%RUrtmv>gT?93h&n}zJ4t5(B9LmC+jxlZu^$;}n4!fu3;A!LWB`=%
zC<JT*0XHAYSzQ@0(<~5l0(29Bp8<+E9RKzI5bV!NLE!ZjKdk~#0t3yCn#(krP2Kd%
z&+iu}mhAob+N)=`n(?m@hu2+2r0Ndoo@PD<0kP#v`2s(DwxL%b+Y&}pDkK_AYoS&e
z$3~Wqur3-pXoIl)*>sra?P{X2%Fh)EjdPnqGt&Pi$B|Ct49W0#;MWlbr%MH%q;8p+
z>4?`4+$TIzZs}kb`~DHi_~$jzNo=A1V+|ToC!>vz@<N9o9PY=G&{@5IrzJ5Q`KK*y
z60&!g>e+lFSjg~K@ggV&A-DtbyRo4OUtFo99@i3Iph(bBaPsb!BnP?G)BfmjMp+ZV
zYqpxioS?&<qE;;r8j+w(xteC|Ja_Nsds2CS+Nb~nT?Ydk+bT}@7xiMwz*^bZ3I4!q
zp>j<OX7X!tIg3o10L_y{%AD3qB_hzjRoPNa97w3CpiKd<aixG}l|gbCV($YtB8~_O
zqw#a2zf~lT9%qk@`&rulj9v(Zjf9wPiNCDOnmd-ba`rRc_^Sq-6VAM8WVvaik}?(x
zr03Vz&iOJR@ua+w1B0gY?*%UwQTvDd=mlv_lnivMG1vzKqmrR(SN^V7goAa7HspNh
zDrAZS^)n6+_<L|Ah6x#j?4KYk1<1h5SC7v<CNA$%JsIW;EpKmj11P=djPf|$3+`d0
zEl?JmU*H#w9M_F|oa@O=Glz{iPRJ`wjwOjoa0!{Z6zr*t@pmH+ft&aDzl_abrQ6;b
z=-RGBp(_<+)MebNW5;y<YA><jwW-8`=<@F{{5DnBdY`vw)vKS+$l@?Dx((v%F6_JX
zn}p(CB)(jC)$lSN?Io1fva=tez1QkF2AZ;#HE;;b?V%UPsz-@;-&?7L3H0=0UcG&R
zu(O!F4n2R%AKo*d<v#d<h=|Z?yCuhnW_UmlefNbvvu)h|G=a`5aadtaq<10&r;Nqs
znI>CiYt1t(*NVZ~LD1=%FFC2VD?2n~P$T1CYt!^xzS-U{Rvf|9C$(yWybZYmf|$Cm
z4!qYtUW&}<k2Fbbu72jDh$O!c23Koqe;gxjsqFrYr=KGl^SSAFDa+SZ$qjZIzgk->
zP5&&@$o$tX0fU;3)NRJ#H2JlDmJX*%P;Z;SBC-q?A3}EFo<Y2t==)!17hZywZ}-mw
z+TPN+2V8TL8n-8%{CG!wu`}qT#CB#rDSX!E(c`{&qP#Y@wj@*xpLkE&cBWfa+wqGk
z7#Wj{4MX4;_bfxKJZ}Xk_+Y~1#iZqD72`rv1pZnW*v3W_AooSMA&uzzNJB3KY!YT=
z=+6B9ieRs09CDvQcW206t!HOj;FQhgo_ih2`*o@0(Q`wxD)V09C`tqN1ol+|13ICa
zr|tB03oFsiR;bSCaxN`9asn>AD_D0$9-$^W>-UFSlSp;TkIuhR3cm2&r0y)T=*@t{
zIZ!(Tymtbk<G|CUGvRaZ9GG|>013RU0`%DX*&F|BBlP+}S}maTF0}X=o0O~ysY4Vs
zCjvOZV%WA&z9Bn(O#M{^5nu96t1}^NhGu*@tsBs5`=kz8O}#?nFU_Rs=dpgQGdrM4
zQ$`z%M90l)od3)lG5y<2yqbYdJOET6LiLZ@b+oa0>v)<O!-Y`(64Avt%kt6F2;v-4
z(o$Qp<Ba&B6)?Hv@7(t8WUdj1pZ);{Q%DiL;p2doqcoFD!V4TxdPi)Ci@~E!uQD5n
z-SJwxk_Jali=(1b=2Fvd_Gu4CJ^KYTF0LGA+obtiX88<@_3}ZbdA~UBSTK6e43;I9
z$G4=uhpv!$e6NTmWEPSr*x_`;!bsjn^EeOKwdus1IpbmR$vlrt>q$^;yF^7p+~hc}
zc9yt-E}9_VTQ3vm6yAx5SH_%9RESa4u-%sS6IY49!?~`tXHfZV6<gc&w}dMuZac^^
ztqaC&jT#==Y|foIuH-cVksr^M+6=X*`6jbXQBnOEeW_D~>x7@bnBuvZ<}lU)<qrxP
z)<(FYH{XF?(|XeBKTP9<?NiR#a?hWN&9A#mL^}AcJ9sd*-+n36t=SvWxA}w8gE4F7
z-dlKuiL1~FV}~I?Lg|>q@%35^hoxlLb4BXmqqaCS*dJn3F+%zhu^$q>;`nY59DD5@
zo2h7##LT$+n>G+bym>orkPY7i`h{jhmVFhh*>B+q^8_EB+v+U({lkc(=3<4OAyqC}
zQ!TnBW(6X)F%QlLNm`Z}AoIUlUk8=^SY%@Tj9s;aW-zQu`Wqw1L`UMP$?CrPIc53z
zkE?-2p>QvTPAaqPTU^A4G8!PirUnnJ0oRw#c;FB7*SHLzodWz92;7%^uWW%D!1_52
ziUu2Ofy0FEiT!2YFE{sD-#|p~heLZn+JM13HCWC0w1VNcBedZiaUp<{4!kb|bm7bY
zZEbzrPy;|M{NK7fxLT)PYZ+!;2pmEH@cP^S0!qIHrHNGU^AoG<LN@ft$tv%iGN`|7
znsP0Q_<jDuiueleC$w5j=6fVA`>Cp5fO4R}OmH1F3XZRrYYmI*AMEWDQOEkMMOiUT
zr-Gf&dS*c&Oa}JU>0jp+ik2K8XEAPW))<43QeklB#l07jQHES7=e3GQDIsaRBICTk
zN?Wf;Q3(aL@qFRELf1{+dj@{@VzW~31_AH6JW1EqcFS(qu%jn;<}vH+%F{<5lT7&`
zQ)g0RSMFQNVatQ8i*uVh%aN$S1{G=UTiL)bRcU#22*JM2=XeNqWm7_9WXU}c6e;zo
zF$t88G9BloFGj+ke*(62#~2KzRhE_pl14PYfT16D8pgn{kW*fsU65S?T6r&;E9_Gb
znu3X!_wCtxs92=nGdCpImVEzp1FOW6$l$c}dAHCYG<^y3%#S>%(7}&t&2sF4std!o
zOQNBWM<XqzWK!Iz8*@Rl0oU{;oFlBYa`lv<&rJ+^i93E)L;SNR^x*kiJ6;4Ooy-aL
zbZ^wUB9d*|w>-I-BzLU}x8fcv=zX6QtC#4>V@^-yX@fOqo0@-1jJVLURqATy#Mvw|
z+7(AQnZjq|=6f5Fv53;4DL3ANGsaa9`2n24ZKd9Votv(oBJb3(0_46#`(V9l+nznG
z$nv%Fa}&x8foA>irMnjhQ9uN*CdHz5Zh2#;SAmb9YyfO9_68Kk&z?OsRJ1eRir3Zr
zLgq?b(Hkx2fm5>8G8AKmz>xaU>_<#N2c{bH+LOfzO;fC>&NX5)8>a?wO{LohcK#4^
zJ1E}FQ4;jP)#iBezQWhA|7APgicp_g$|*N$;iB`pG(A$nPP@O-r7)%CzCG*!75y)@
z&;j9T&vfTZuKW9$ik0IMZ$eb=iAToIK6B@XR>>S65#BH+NA@^(Xloq$;RslgfrIHC
z){(rp9ie1uGgY(HRKiXL$SatLW+VR?S3Ncpug})n_=}cp5DlK!#W&P~QlD9fIz~Hh
zq=fzJa{ulZ^4w_&2Nrq8N0lHEE$AP&QHHyjb|-$Qy19BLJv=LDVB$(izc2wB_l(EH
z&Ec=gT8-B6XI7A^M7?OKX6Ikta(N<yhmHhD`f%)36Rn+U!~PheK0bWz{N}R?TFfKV
zs)_hb*g&T?<FTw@QXp&4WxhZ|?EUB!*s>8->#=PAVm?y)eBodb<c_S-M!ETi+uN<W
zqzD9;Bf*VKg9duZu^M(uD!?KrGr_c?G215k)P|3v5Jc%R1i)=YAaT*?aFuhwPSJLs
zRW*;GtK%0kQS4|V)8_tCI+~Z4zHw;njXmdIc`H*<jwi22NHB30D$_5jPHqu1aU3c5
zgC6!P=GVo@E1KyWtm%)T%-spXb!g>V5vH8Zual)u8VZ$6p5Vi`N09Lyplq2*^O_@W
zl(h1I1P!xQMb`&|KIn1nB$1`TEsOoj@hkTr`5SK1kaAqkshdRRsieLGM`Q+He|VP1
zjxE$i@OJA7*28H^rAjEAa4X(OfN?O%pU&ma$?~I!g%6<{R@GuwOIu?V=e~PHMZ;&O
zBlc@e=__CgORH3U<*EjW&e}d`;r2AcN@vueh`UD2LiB&m#H5`xt$0FuaScmTELZ61
zG=i%KNUX3*Q$ng{$-G7(bsbZ~w$S}Z-^Za`9L&@EMHF2g38_X>c|5c+EN|314d4W+
zHJcRatLm5c|8YBFN8IWSqRJzj5{rJJamKc^z5H_!Uio#RQ#BS^TZ;v!d0@wx?6P(x
z^(&afLfPM3vN~f(hr85TYiuRC5-lxD%4ML&rh3imuD-;y3H~I_IW^OR?O(?<F50<Y
z;8X}F#WctZru~2*a@@2d@x3o;&4Dm5=BAwPuslABf*9%d=Zy*DeLoT@S+on>$XR@m
z2^NmwO+l=>!Mo*7Rk1}NG*xHy>o%kucx{_egUpB^F_l)HZ<;M*qkDP0{ImeYAfQ<<
z($qumRH%jVYOWzE#7<1XGR)SLS3U}!eM04U12Z^-Wfa<vTawaFuDV9XK=OA6@&1Ng
z!-YG7%Iz)x)?yu!>ww$zl)|udv23KEK%LbJ8X*}opGgt9eVZSw3NSDSFfxNN-WmZl
z0u|uZq8$mys|1H-d^je2$PZFo0u^dk(2+Dgi32PzAAZYu!+AjO#|5CpH~^%BH-*Lw
z-h082IbQRrhHal2+W-&ni;y|^QTa=<iK8tY^-bVaRdB;04k}SnA?pezTTIV#v1TR=
zq5y1EqBu|Z58@eb?7zj41FbXS$Xien)?$xm)cXt7zqie)oF<czLhzq;_#LnxBpSH3
z7HYITcq<pQ@3oayh;AyUHyJD4cbw$JXvET*l55x!=M&#KD`~1(nj+tY-@Tw}?o|H#
z6jx7b^fj0%?FvZ@1mhYMXO4|&PLjX>v|8BlZx_id1np6;u$A82?<=~Qg6Ml&-oPBf
z<Y7U11RR|xg@wW=c#;CcR{G<laguiBTTkL8$5#CWqBl*?dk<d{8DLnPr&i6mJwsn(
zvKT!4N6yO;yu(8~Lz>ID^|RBVY%x(zmtb+_f1|*siA?IdQkwi04ZepbKcA-x?-Ta5
zQ3>T0Jjl1*D(Jt;FrUxl;Jr1x(3X75O2E`Ar-mPAxQBP&s5LKfX-MDA@V=DQC?1Ze
zan4m@8K<X27KB`!O1+G-Pq&+jMx3?5v+|y0{bUkSU4Fhi4q%{29+R~;mfy`w@;hnR
zR_CBC?7()QNeajd`cNgEifuh4u>M5o-v6{>`=&_NL`f=x<D@aupFi?5gbJQ+GkYNK
zs=;_z?o+OM+SI0H|4Nudn4QOw5*2A646)2G&098D$&}4vpX3bov2t2zed%kBeom9$
z{gUwGJV6|9T-+1q`)y($;=+eI_HwEH1i*do#WctNRuf?G&zahhBDFSO4Q09!GIgC&
zZ%kAUHR(K`(xBekRPC1h7exEd(q#%>%?c9B23yIVx;(my9^)k|w>5FsZxlDOxQWrk
z+2*q@ejH6EKQ$$K6t)h@YNcF?a1kc|E<|1Di~r^0;+8_JD+GVl;ulJ+ek-i{%OxVL
zy$CAL+Dnx|i}l$<L+uNzaAHmm_b~cquGfiWsH55Cj9m<GvzL?Gq<m?p@8a^vjnLM)
z7O`2X)zfRpn+qWZnwg7ON_jAlI-$tz$B<L8#-ycskC)Wutyv?m%S;tUJ3l$ZnFnPi
z!Xu<*Ahi6Js<FlKy%>en7@P7lzRnZQkj?H8<v%B%Z)7^H&D2DzWcfya;1ka3{uw_l
z0)etsA?Mi6Rx_lA-0Q$^#Z<G>B;cqTvZ)>E36rUJyZ#@CUrWi>K%L3$C7rHUDt{r@
z*ZLyZM8va&Pv7z=4^}|io*~s}Qk{l*M92>lb(P+)BXewI6;*fEH0}8wm<C8fPz-xh
zEr<T~rnOX&q=*-Y<agxLRVO4Ji0tnbC6$)S^U|}idX7S8P+!TVq}!Z*Xu8R>tdBdi
z0aOI{>Y&^iZwYRbe8D_l3LyV?sv1O6OOK(HZe1;h2lOfmocU5Ab5%?h%S1u@yD=;_
zsT(WIF_WBbQFXbAO^LzqL$UwQgFKnRJs|xJ=m!I2=pw)*AV$gj3<!;yJpugBLR8>h
zijSkd|G4x1*8JCN`k+C;p&&pW&I7p6K6zDdKN20*3YJgExM(N*QNy>Kj{=ox`6M^&
zE5Bu>Hh^iDhuBr;sGHGQr?hS&9RidW<-{#HA>1n({%FC*or7pM7YE<iKEHn-*)gTO
zZ15$c($7LT{%S{$V1joRWv+PNzjnI8a{CQqSM$^JpsgIDU1M~OpZ`1m1EHk53q6=p
zxz}34BA1wcU`$JmrDIl>Qkto^oDl86XqxGg>&kp2hQVqQ)j;d&*<bZc(Q|t;i%PRu
z?~<-_tV8tTTIbK#Y+RUc$<0<$ctKs!pG;SEd{X|dwDRIejTA(1vBJ*%LqUjbSIgY*
z>yg0!rm)0`S6<T?<PtyE!`v@mt-oiB_xP4t=vmQ3+Ptz`Vx&=K<LC0%sV{8|v;VOi
z%g_ul8FyXp8y@1w;2;tNbk4le9HeIyuK$@p4!U{eK|NeEEu+@Q5yt%fguK4TxuA-e
zxvpQ!BYygMBTDx?c)qP<cE7mvdWk13(=`LF-b)>d94aC;;OBWP6JlX=e$H=y3AtOV
zBVP?`@cT2TBdU@?pqN$LQ)!51c>gqWB8?`y>CZ)~NX*!A*SX;x)A7}q(2rh5gtkC4
zOwGoePGK73AsxH;j3yK0F-ZLq;&aIN_(-syT~y#VHC*T_f$<|2o@xuf?-o+vTTy8O
ztFajGiAt45j%3_b30k=f8F3E#QQ#|Z*b5*w0=vpTQOt0y30dN6{r@7?T;me`<Fxtd
zV4ce3yNZ{a-+idHiI(*GRt-wAxh6N~Ea0wTplw9C^th|oTS#G(mLw*Ek@qpkdB*Z~
zA&*)xaPopN^AihF8du9BE<3A>I1Sdo%aLyBU!?JD(4otH)8>vE?O&9U^FVoGP+rec
z801FzrurR2DV;dcGbwj3E@tOE@q)H8bv&|#wiW4z$<R}!qnzK*CBXMMb+S0OJ+S*8
z(g#7v-CVrH@>F#v^_Ggdxs^-fICS=bRCw6E+|AJBzBceI5~!+c$@sNq=8CN0PuV;E
z2^2kl!X8ppuyB=?{OZ)HZ3lIbZ1ra~aBWEWyHZl%w@CQV^;3s)tLEF1N}QfKtSt98
zgs4&E@x<?}vk1$g>a-*wniFxj?tdxuhrZR_RW9Y?mC&}!5aV`yp;G`$?%sJx!yQ6G
z;wMoH?Avp|7rJ6`2hs?QtY5wLb9|QoccZU|#=-hQ&!!84)eMZR|Fw|g3y%r1Ul0lw
z%9U`W-`ZGM?>5dZN`xR?Gt-Qq-b+!}lm@&raaD=O6nx>Bv`?<U6bM%gic}`=@-Af6
zM%X05M~zpjFyv=PYA<-NFx?BkE^cKMj4;w3nhrDAcysp3(G`J7nfXD=#PIHL{vOxe
zXjpL*wZKgn1_M7W8m8=glqy*C6aDjy*%Tq!I^hh7ljJc9ypj_4&p_8OS423_4N4lS
zqec35-<lW5U`vnfbp3VtblK+8Ph#9%3W>)jJN<Ubygxsk{xraGF$tkbLQbLE8b6$-
zMhoy_0@u^Wfbs!Y(qVF$CLBzdGSp1Gt5No!8U0+4eg%qjmeQp#P#j>n0veirnt?@2
zzPOVh6^6f579`3i1)oOf<D9#QANh64kgqGQM~<P{+16Y*Bmdnw{vp`tY8lf?oMiN~
zSO-Zjyw|oQ$L>sD+b>Sn^T`)X8U_CKL)j#9`Q0o%9E4Slb0;fkDH`226wia?`c?*q
zT-$i)mXoAn6}E@oO>4JQowAyTa2WY&H8RTS?Yv42LfxbCkH4!=qR_7X_vl{WJ$BXe
zO?ws*GEPD;3vxx@uux3pc4=$_$w7=T4jr0RfY*R&adUdYB7;oLsjEFtgEH*!u`rzZ
zaQm>7likfF+ab?G`vm(hG7$Pgz>`pH@pgkHE`fiBn#^?pf?%{iDxrcmRQFM|C8_$3
zl(+2qt2DM9ppFalEfe}X_^To7p*HGci(vK!KfB}YRaxC$k;=NRzC+gW$Nhk^`ujD7
z)Ss&CI87SLhkq5#v1mioGludUPLM){l+tt-Zt+P$`69<Ky{~<k`$rDS)}6g^z^~%V
zFG7J?_Zi}+BQmA6yw+uua8cQpg|?V}>P}SqYo-q!_%m<ugkHv5!()v>$wbcF*k9PT
zHSsW^$$841Nc~#3w3{n1EDdkT6}g|Q0yxUYsc@G?jMd?&gzxqU=zn(XrS-sC?F5HI
zNmN8~@~o|mHo{#2pMcA+o1m@UHXsE53b1Dg9|lrhKtErIS#)1Ok<LvbT!ip_$e)gc
z@`1%;;OqCN=YU5c2PU`?K<xqe-?9@>q0tF2w2Zt3e4YY*2Wsnq+nqORAxH4zLtyxu
zK{*)q1@vX07>xK(9r`hW{KVDg_5rG&{{DA^>yHoj&;4=LZ)s{3JsUBP)O*(;pg%+<
zw<MDm%VnA&hoZb&0a5#Ug#b8>qbzY`db8y?rreAUIQ)HM-S72EJXS{$SPDu13P#$T
z9*mYX9j0ohOX_)JeP_1}gMP1}O$@LhtBK0h;;q?&Lq5V7AZN=Effq*kp|aa`Sq4gH
zSK+avZ82awqWL1f#=dE8Cf<66z#&JgruHWzU*2oCAxcQ8C+O=S&(FUL^~)kWVjI;q
zQ@F(2lK0cPV-4#+@=6`*&35eE52EtD=1%;@3-q+yO>|a1n{>FHcW&$pN-|O_LAG2=
zQx<vZMP~yPnp-#e=5|tiE|cK-YRvAeNi1tq&%n;gKE3q0TpDdLJerU_)dTGtvJrR0
z(wCyM_22E2LQCO+O<X5=Aq2~P+bP0UhcLAe)B-$&8d=qO?68H>ELv!th7URNe81es
zQ_bC}lH<#Elh<nlRROohtiphvClvc`ss=H-ylX~+AUiM_$`ZxRHC}yi^_>(cUhuih
z+&513kTM+qV%|Qm(-pEYA`eNDqi0bQ_Qv%;%9P}@+__TZFkyjSqDKxtH@f?`0sqte
zvx`s&dH!12qO~xq^~#mc$ff3H%|XV5!3-r+j=1_Gw!&0F^+z}w`YhR$FpmCfw(-u@
zyGAPF(4J1%9JO7wyYsWYaBh7W8wxRxqcK{2FT|RF!S3^9)H^X;9pK?3EC#M^0v|%(
z5tHiH00LB1E)KltKk+~PUx9&xbk~5-U4YyF))fKY0aW9*IZ*TETjKx9)p7hC<cqV}
zmIw@?MuWr*^{!cr={2~f_yyZ^7j5UGnm;SV8e;wkN#<>EMPKK4s%ie=8MBz4Cv3w|
zRM@5eZ|5=Us8pM$Q%i~6p@Ba~r13p7X%NwpH&E!X{U5pjrvU5x?Vei*-ie1mbi=~P
z)xpYyF{X0%68d{7Qw4{0fv<eiP5f6En*8hq&N_s&IRCxmPR9f+q2utgnvwp7^DmY%
z^LgzpAPX;{$gSPl1Z!VTY?Y1N9H|`Qez1ONqvzUuw1Jua3SzK0IljPy({W-{v!X$`
zd7{7~p@82P?;$U%uZ0VjcwB38VuVyH7ncL@ICCnqPctjJ9(gUB&3?O+KWqBXSju9w
z78sy078LIlhNy>i+cHr`2(oN=0@d7|rr;I&zRXFm@~BiroL<e3f7vvWhiDa{1%d^Q
zh<fc-YJCi~(J5=+=#Ro$67=LDD$2w=q2Yv-xM1FeIXYkwHRj5!Jx#&zDDq+ysrDT^
z-cl8@Hs9=2YcS<vhBaW2+Lf-kS@N3G`MMVj#9-t1ct8oPrNk^Kxp@MJd@tDh$}$lF
zC;Ef)>c>d2*b~z3snnrQ5eIifAY*>^8ggFbq-Z^I#q9k9-4r@4YdkW?A?l6Eu@is6
z*RQ^ds)CBsyG1{Gz+b@mo>UyFVdKyg5f^Vt+n9VFQ6j^IYr1lvM|jroD8bGLtZ~>~
zt>)Vun+u@*<=vp~NdhjB^PT2IJLf*+8UME{`mp-K%JN~>b)sg%Z_7Ei*Qo0(OQ+?%
z-?t6H9`|-@5#70dspn3lX1kwK22aEOkXC2!kO}*gi<Rm7AIFN$VizD(D|Sk>;_<&_
z8k7#l1XO<!Z>4_S{#nPq>6)0a+ECUhI^!QaSsXazw|Pb0do(&%UcA?{5IW|zO~UB`
z8Ra4_x{7Sz6hL0A_;@fG=_OY&9@kUOo3dhvb~||8X=HYr>e*tS&`3HC@0)uTRb28!
zZWK=^q(1pi`W)!|Da$eB^Zg}mAE&nmN7y$Mr8{bweQ@UYkmgxYiWzMApF|PDTOM3h
za)sZOtTu8@Mq+lxda^_JvsDPkI~;6F^C2ov`a1OJrzDZ;<@@hu(w8uDbE!(_`zhph
zMQUO0BY7@RUn$VYBB~Aavc*m#t8kzMH92k`*z+}@no%TGuM}#x7BZi}tJpGxy0dpk
zghaVmzu6W4<mxU)O6pvg%`=@-Q|yL{X&)K-J-iKwlfy7wH8U9EGa5Jimc_VpFj{L4
z>mPTWmr9FCO*y~WLc407hWgW#vbNBSI#S1sYQ1J?93!>BV^E>KWBn(`=%|kt+DR9}
zr_}q?fO79xO9|Sf4uWH$<x_H7k~tA&uz+Prg8gxdG-_CL*-|au8oR8P=G10-ds=OB
zDY{OjK}95(Tvn;a9=P23Py;=E*iMi^`D|?6&@NJbgHT6K(%<#gIdqO^?Vce_5h-Ne
zcl;gW?HEU%WIq?>)zi;rMnNxJNAF?&fxVZdMu^-+E^<>z5^lab!1esj?mcoZ^_O|)
z_gqEcDfv>a8MSQmRXVXxN}fDnEY@yXU+||EE<syY@u++h2Ie004<7S~v79U7--;6}
zepLR4MC+2DYtoat53bTmIdy|-ydt`OdydGvcpmbW{9YX!^&huM|1nVCt;?6^R?^W7
zCrlA>`1`$Hk+i^g@+b1TABYDpX3J%*m+p@H+(!_JzEmOiP;mVWhuw!0Y!he*!!Oik
z+5XGfd^We~Sf<4qy(=o?ZcE2I+DaBz)|DmsnVyY46LLA@)O>9H3gs;(1BGQbSv&|G
z6Tag51u(sJOTkfADZ%?!)ZFYf5q(~aQc|?Ba>sfr>hB}XwQ3aP_QP<SG&XxQZ%dVe
zl{LRMHI<4X2F2p0>j{`vFVWzj>#}J~INdK-8BlGZ%oW;?J#{4Ci!P|-0~xQa5=%8)
z5tWa$mD!h4yfO+lVoV2ltOsANRECf%mdM)9<1yeMf0tXxZuF~DQK1{+j*eX4;Y#0!
zW;Iy8KH=-u>^#|YAZ%KdPNUaS(%FtZN*zWm9fu{gsadR(?2b3nv8d4-Q&p+2@>SDD
zI*lKM7r+}zPVOi@Y({^1gv5-7c>?_eJp68jm}()!e&V-%<f{IMTt)!M1t5HT<|DW`
z)uQ8A@{|3~k2cc%^4i<?ng>_Fq!G*j%!>w=g(fb`8#q@UPH3%iB0fm!{jFu#i%)54
z$6K8-8S=1N%`Jy|^0$`f=nXn&9=kYyUFrx<gLow$x*Uh3lRl8W*B8ziv&L;x8+!}!
zgH3(<d{ektlpQ0Q#eKU#HPV7Vt)^3WaYg!c8P}E7?AXQL<q|7uErL_<v}-rVg4S~I
z=4ov**NU2!{!k=Rm%G?aDL}w_^ULtAIw=0zj9`ifT~JzpqrhR*Ddn$ZG1N!R&StP|
z|G0EyM^0~0{)w6R`lRl!NJIo&i|I=Yp@DQ!^B>z;VAW2;6nV*U$Rx+T7lz=b_D3U*
zkSqA88<WF*4uH7g66Nu_PqJ&x>%efvl96MxE53waS7?P;FY-OrMf`H9DYwiwELd4w
z{I+R9psyoOO}CoX*&gjZDk!h|fDh<vMA$`tcAs;Lm%jc|JtPaSJ-%&B`ZbGNV0_(M
zFx5eu?fHq`Eqk+ZmwLL5N~?$EPq|%-jl-nk_rv|?=&b+@f=qRELHMQjrJcVcOCnLn
zVYpDZrzLBka_YIhhO)QY0>s=GKp%_9(U^98VhGW@y5=$7sz2EDyKk+F&9M{mUAMIz
z<OT!vbN`w!mUO5D0aKdhs>c$3Mfn_q)IkOXJdLdeHqzh}a>a!)Ub?ue#(Yb6#Q^3E
zE4-Kf+g;dXm3tf)qp#I=$0NY_e~bz&0VhXuo4!eE4?#~*A~YF<&K;zTrL?GUIRLqv
zj;z(|u~f;3xziwO=50uNoXVpkU2P>e!(DM{wSeG6|I}E)U!m#t{MF|#+3Q72VsJ}i
zZ3;F;4?DWQarbQNWG)Z!=tOzK1o>3pZ<!kPK2|e#&|O%y6+_Rb)(P_Jy&RC<!I>5M
zkCvN>dVCw?gFUDoVqJd(?xjw2oH-*#8_&@MCB@i+mDy=!Ji1C^H>{^#glXL4>xP-d
z>iSrD>~BH6qPs>hReC@|T5l<z^f<iMVaI9qy@pUJ*_WQ}`xlj(sy}O-<T&f;ipeeg
z#>2Vr9$0ssOER6!<tRC4W6~L6oW8={(+);UyWHDDD7&hgVO8SAJ!jBnx1bnM&^ViZ
zqIpYTvcYCp@gMs`uA~rbMB}gQDcJj>IKPJKgRwQ4)#T!2J5wt5o3t`;Z<UVn18GQ}
zGD|eoyc-a(|80tS&@1eqcVb%OJ^y*_Q1D1&Hx{sq{O)9wgQ%Y5$FMQ-TfCX(E&j8+
z(a2h7mi+woac#u@m8I3+39t{aNmuRQdgxz-u!$tttF7;yU+a4Fx!m^eE6%%CSBD{$
z5JsG;g3(GdvZGo2>X|}=0#RFP!RKVG@=bO4bGEl~x@aq(JCy0Ee&Z6GLGl$|sgk;L
zA}gQ;sdAX-VE9`QTlv06<30~=-5Tr(C?DM0^PCrU`U}9|{(neT6@Yw+!(}`Lh}n^P
z?f-uu>jXUZ10kQlz&SM9b8jLT^1U~FTNyB$6=L1|k0^c02Y!MLcHbs%dv8AoSSxn$
z9zgekx&{Q`GT!I?wsSu$A%|##`1B5Y2Yh`uxQKct_5^PK>s^p9ps4ma;3Wg)Eh`pk
z3+B@u@f2Wl2JCgV0Rf0pfDR(r4T$m`_60!uU}k(dKa~IXz&?&wkVfx+)|il_`8brb
z&oj?RZ$JKCkD2&>ukDr@Raz8PsONoXQz@+>73mj<?HO|{#?xltS{k7bk#>-JecHx3
z@A^CJ%LRj&02vxKAG|L4Sej{C{AUWRL=gM_mT#6`U>V#kq<&A@okaO#w+n`VUcPYI
z_@4g&LRi>bJRl)s1()uR^e8!zalppc`tI&xTyYbXx8I8tmlz!B%=M`527tuWW(J5q
z4WWTect8O`Rp!I`tDbq)U|;VW%Sh9f$|haB#tx{;HvPhxN!`3)TvRZCsfmd0i^Yk`
zT_d!OCd+O-l)8JUxBU5w&{>X~hU(?wU-%SzD6wPAW86$8p1vtPbn?W&qMw7GK8u$A
zA`wN9lnx7~Aw(ffL_r|?xQZIQeYz#A!-fQ9PvUd?R15gj*j&1NL@H!p9XeO>HI;Kl
zpG3hJU1$GtZI|>X5BIu6Z@5q@_idr48*UdpJ90c4fEveIE?DHIYBk7?>CBZG?pB#V
z;QWIZ5{x?EJA;{<i=skDVrsxEvdUhdcW(WQoYKY5n9gt4HO_qJOlXhRwXG@aCf0!r
zS;9SUm)`)MbD+hOZb<{H$S09A{YUgrwMRPCYtMJj*Aih&<D{Z=``W|r$jC0qA20ER
z`@2nHkmTSu^+1JczD`HO`6tAo=C1|Mm~0`O+&PJ|Wd|oqKN4H-Asx6mnmN*+?}FkZ
zXRn#sIgV(u&Bqbdlst;A4W2wH7LvD#?z-x4CKP{{WUbx{Z0}M~;810?;iP^~tpr!T
zL3#%l%zUbRQ7|dTs<)L|E{eV6$pdhnU-9`=-XSjm7Lhp_7;=f5$Rb11#jt;Ba4+K_
z@n_4+sbd$!z4&h}pKqKKcdW3{`lm^6P|LWrwf4hSy9=;-t`7c&yPJp?qYI7Lh`wb$
ze@pfzVuLVENX&tjT<$w)S>1*8+=vz?kVH!gU<%G*Cz}waNm<gw0fn|D=tB)I&Wjd&
zUAa7bf^;8ivM)n$GC_$tL>@9@twM<GqvNJZv_=*USgI$}y?m3FAf#H9N}EyE-V$wn
zM8CADdj2A-uzZTWelK@7xKG!_8~v+Hs|=4^U673anaHt03uQxLD&R+b#2JcUBWnut
z2;-Z};WWXfW7zJQ$amQX<HSKG-><ue3;Btf$RYa@QArFn)uq+%QT+^C`Tu&v3ulk2
z30<FqLepgrN#FfJ1$g7-gL@eB0s0+oVmd!JN;Go#kZrr5ETGIE>-!NF6TAI2XvGG4
zS+Fsq4z0ehY|v<JoAet9Gc&73y74Xz=+ZxZ>a9*xI1oHe)vzH)A!lD0pK6gM(f}|X
zAV-H6xj*M`UYL!|-f#o;DSY%)YIY6TJ?JaD&<czBXSKT`vG&I`^on?=y_JIBe^y0{
z{zw#BRq9KMG^31ATKBIz&Cj_m*9xZe=_Mkf#T{+VA?YnMC`x#__kCIwfAa9s8tHRu
zxrvk&vO;i6yhD*3S(FV}voZZVN1J+js$X>F@&H)Wf(*f7Xy(7FXx=X4){+-E44tp}
zX*NIv&*C1HLo&=Z-do<PM+l(#H&r+8TSEASk~V}}@=FQ3@l=<0SIXHl-Jn}XG5p(5
zE31Uy)3oFs9o7mBCDd1%?s9Hq<>;!qK~m%VK7K?BVHXl<*`aMErgNNjH5i#oqwFH*
z@{(`GO2wgz?icuvsj>{mde1IG2)A>asbz1fyBzV~CVUm>)5)z8H$s=#-f&bUGk>?+
zWea7AP-p8k4pbm2q|b@?2u*A<Shm-7%U<&N{-d;9jUIM<Lp-a<BpO#I=kU2RS^hma
zL0V0<J0H<R&%TIh7*2_fd&ADfj<tHKIiWOYBtM^(GCuI(zh!PL;x*ruRwN3CEJfcL
zu^{7?M#fDVzHaWRmTyjt#uwbf%6^-YH9h;=im0SjPPMf!i`$z(WCyJ1l$TCQa+5(z
ze>q%}blYO<zcYk`SIDX#D7p)-+VNTgHxUh6Wldza<qV7dN*8Q^UL>b4O;-&47T^jg
z+7*Ay?UIH6CKs7q@<yo{DRhKm9eIm!n!%5^yW8ugJ#b*EjvcdJo$exk^KXQ3JPb-h
z^dyG7kWj=}<;~(q<7t3n3(`eD$jN$kM2*vCj93D@Z#T&|RN)U_lTZ(m6(+SFH<=d#
zn28#!09lq2iI!|1r0+IxDmFL%EU9C~hU%Bxx%hV!dJOpayvg$-BxOVDB*kI~_OSXb
z2A*UEATNNyFTeq4(K77|&c`Sc+Hv9%pacYWzk!L%Kw~6i6?@1Us=_<Ldkeh}HeeJJ
z1<TE4>F-=UZj5Lhth{w{VAe0+;%xZs_|xcCJUdnRuGK1k*{Q#b_{wVb)k|kST|CkL
zF8qN~?K4u;_1jfq6XqK=YLGl3d3HK|7nVBKNNJzaw?L5vFc_xk(yZ@wXDTT#Fa9J(
zaiG<+BIrq^weYOCVl!rYLB;zg)(372x*QW!vP{*Fermj*k{`|6EhI_v9i0&``EL3m
z?P_v7qUx|Pd}eZx5sWhtHAPeqc8W0&yxkdsTI)6%T6PVKu0mxZLrHeKWSJn|EJ~RQ
zhpoftDuLr+>|bU2>Fgs50au22x7&|YG7GEyPinn%VO%o)*w9-BP_>FSs+kmVh&sxA
zp6yA=6K`ZtcF#ZnzS$xs-F>bq^`|35QA@IaKr4=rPReAf+N_Pney5m}9Pj8}U38Ke
zAYbo|DCSAY{j5L`Hj}rPCJ<nRh{L{*Ccmd#W#B&a?Wj{M2aFVnK%AjJI>A7uRvf2B
zNqJ-^3D8(AdZD9(^?ypM`Z`5>{3$6P9T&An+oxGe6Zosp+lHF<)I4hO=`eq;T_(zn
z60SIOx26*<N`!IV@sA&V4Wa+__tFzm&7m`vW5T#M5j7aX-KRT;trYE=jZZvb!+Fp&
zxA<SZ9XR;tI2QKZ#eX4*zgPEZBlTM33^t8Jkx5Ln12`YY;vo-!G#qlZ@ZnR`cy#_E
z;ye<sf6^^Tc76^84~p>W3a7RTAEx_}5TUkVVl=`5d*}b+m$rDR>%yV}%<1H8-nOy$
z#X|=6Awtzwh}<G_JS%zEZX#|X&dMUny3?uu$W*m{B;(+f*fw>gm89~<%n3d(yV(V3
zZ=#WA&be6ot%c9#k}7UEeu)UPH7P#Fy!h_6$w++$(IfA&-inl-c;llGgrRbNmX>Qi
z$43<w)g-T*(8d(&TkN-JdM!30SX9H~O5MvbZ0$#FFF<~p_>$b{?VU=8y)rySK%xH;
zKpotxmh)tFXD?W}Ba^IhkHPczoah^6cvr0^1ebQnvR!Or#1+i#;3&nJePO+#x57B@
z38@;F;5SaUo}Q$Uc38WyxMh@Xickkdb4LQ^@C4#I@xiSTgjYQc6EeIwA*IFk7kipQ
z=o~IRdp#Zmyu{~rPLSaYaf3^%sb`Iq_w}=B^P!Qqny$Mxv2c4tD$=!O&VH1J)AR%P
z@ti9PjsJP6_zyB+SlZo4<~q+C8q(37@62o6$r7*lT6}?c2Q2dn+AY$gGMe<(xA>K+
z5`ND{Ib(f_1&t~aex6a40~~^o98)gxyL*{^mgKBuEQgJQ1?;7o!FK@>COLWaKWekl
zi#N}|)xmb^5nAVccrnWlD5_HeGUAf<Nvnfn>tQz~etiDl@uvQB9_D!f{Q^!uurn|d
znD7R92x4RcUO=4+ZyHP=;2ZIOQ{>5d0ONi0S>Zdt#DF^jXx)9-o#U{*&4R8OcZB|5
zr@03`-1hc?g`$71+FyyE&1W}~vG;J%(xnf#SnicMlj*U9Iy6k)w@Pr=tbbdMDYsb`
zUFCu#gK4~Y%ARV3T1<tLn%TCb<yuJ9r(EC-aV*8tm5PzG3Gl(F$CGEcjPDSqq&rtw
z5-+;dJiEBepQ&rfC7&(zKS0t_yiyET?hhC19{-38LD9=TtDi%NVw|)j!XYqk4n_bK
z@J>iedM09c%L-@Mvg5kO54Y$KS_kO*)oWde?M^giM364;=mCZKc8VlNHph?VIJcgS
zI+zk@{O3$UmxRbi5p}^D{#IpBE)x4<DeJ4kRf=p*o?d#ZS2HAFqwq1Q-9lxO+%f*}
zh-09@HVnfz&uGwk`ul!Ss957qi=i)XRQJM*_ynTG3W1&<sv1N36A$J>ks6q|IW*S9
zT&VuXPKXJ3b87|a7@itFrsy-jF0{rgDb5kfeHwCs{%b<D^#x+*gc1Beb}R$8Fafwd
z**H(v_p@@R?2A=9`5B)2^uHE2C&vkmR9@Mva27rSQtqf2coW*b2BCmyEq|dhsWS1p
zg(>#)s73jd!AS`33!+FL+i=2X9BrHwX$zWj5>ZpTF?WK5y@u)%xJmbQf-8lCmHG@7
zfeTtcDPj)21g`8;BqKdmN`gqk9uYdj3fRP*dJyB0=<`e1ZE&~C_F&Sko5iD3U7%n<
z+g`H+6YC5F@ZqKJ(gi@@J%VwzUVBFosct~n029&&AHxGbgR0kKhoe5o)@Sa+7o7Lk
z=*FiHF32K^6sAHkOE2nv$$a9Qn#r$pQ#-WZvn$s5By8_8Jun*)u-C7K5{!Ce^osmv
z)8kK7CumADsS`i=SGk?V-H<XI4;<@UCzn<1cBn!I8ZT*2(`Zoub7(;Ol%#?FZI?3#
zwou)2H@&nJq6vizYK%<UNN0pXqQ9dp)YRo_q^F2YJnd~KR!EFyN?CBnqtTN5->Hme
z-7f+YQ+{l{1M_!Z=EVPn{_Eg<g?pdux`<rOzItsgQW35P%~&|FM)$TK`1y)G@4Kw8
z$C)VaiD%QFnKHJrUJezR=HJ|Jq6$Aj9}08%{Rjz4<20#>4S%xj$ncGwn9HDxKV&4!
z&GOUl#jf!V!jqe--!gwBnZzjRrjkQadcDZ+qEEb*u$B_g`4>2FX19H78atH+dF5?t
z2Gt5t`O`<xZC0a`tc9L0{-|WLA+ZvQe`7XiUZ$h>p)97Q+V>ku^JCy(UT7kSeg(Cq
zUcvP3eElo^23PZg>O;*}2zh52?got>M^{-L;w%6<rvLElvKHq@x;;rj^a_JgX>oE~
zGP_&nPRi|D$5$JL^smX}4?Sv+PPb*2sF`PW^fP%^H9f>(1|g#<J)(q0gwALz#^r=m
zYZYt$3k(#sT5S(zR?v1bzg4jG*IS9PZ@CNX^c(mdt+_D-wR)>(|BX)U#5cIVOE*tw
zOL{^)aBqDCKY(IyiLZNa4bb`k18wGnkBA2Y;}3aP{mrkE|5eTZDEjRi_!R(vKLPJ~
zX*jZbz_%CFGobGaaA!bK%lYu@gYAF%AKNFG1Oe*+4SW~S*=0xuSeyU>w?gULd0-4!
zMq<5>*#S=9^Fr^{@*@ah6EF_mcS4_BU+3Y}2{uJ44OCx~IQCC2!SHLfLX#1YjGH2*
zU0X#nkE$+`pkj15y*y%2aCYPFOoRE&!)%Rda%MLVvX=FM>QpO05VyN?AmK}$>Ydj~
z&LYKMU?W><KvX4i7Af(p#lzOEBfscf99N&!`esfh&+>y`oT7-qM5DtucT9<O2$cfK
z1>4Snbx<zG>(Ay%WE;^oqa_wmb=}{R6uZ?=ClZy1iW`QLQZt_iLgQ#J-nS3T$dxp)
z2hiD^?KbJ2d~qtuX0*rDfdw`USFQ;XBj@j#CfdJMjgaTfr{j5V6R`yql*9CPjP?FJ
zwPCdX-~=nF%g?XV=FJp|67IB4yaksOw25a%ij?pzm;|i^4Q4O7(A$rtkh2L7#=jRl
zN9+{Xl1E{Hi@;L3p=;iu%mO)`O=ELb8S+9rQLNE6S|EJs+wz_EEj5`1Rt|E+=h~Z$
zZiDcR-X-K^crRa$(oAU_bmAY+dBPP8Wzpo1k9x(Zz0wGhyWGCpl@$EJ<x8&$9s0$i
zB5DRPF9U38I|Mh|JX%`jaS8ENi|-R?)95qT0<>3|*LPjN@;>h)&25_y*XY2)IO7w-
z@w{zUFuh_bXx}U-67W>McQih?v*j?pP8v&j;hs+Fghy0Vc=j3-D?4(5R~$7{3(MXW
z>N>Ex_fw#)_o(jB1`)14;zERmK3ojm70~;@wg2l~RKQ1Z4I%+=y@9K)8$TpIJ3@SV
zK|KO^CP0JW2~hB-_ui)eifab6^@eKxR0^>FyZicozs8z-CMx)sj~+J$1P6SO`OgE8
zVgG4*f-<!`1!7%A!^rbVx}|F&J|oQVp_R|r9FcTOG0g;jl1}*gS-A*qrdT>&U*N8S
zjIdl8smr_jvdiUQ<8_-G*74xrkv3^$Oh2g^@TtDvob>0+Roq<)FW8(L>kj<PqB{Zw
zYH5D-OffFpK)^612tGpdkiMmrPHGe#TS>o!vOxP@YdN4h%7%3ZT|HcbKp)%PrCjUO
z;%DY0+_6le&MZ5lnu`^2#N+NWD(5O~PUN&tm6n}ShedQtU`u8o0wGnE6u{8QMxUI=
z*iWv^0+Iua*t_`5S&&kvZd3OZ=4sEWlRFe<R=-`3wuJnJ_~Z7beeTS7_CpzaL7Yz&
z>8e{!>@pUW_gne|5#xf>QHBg}qzr|$=`7~$Q-TadWBZ)uoJ)E@rMwHoby%_oE>YmB
z6ie{0?x5C;FHEYa3SGexDVO9~GDBuPP$`a{2<xW8o5WQ#rCGfvD5545jnbZ&uuk)H
zL{{vlEPsz~TsM*vf7;k(`gmAU#p}teXeKZ(Ipss}I0>al+%oKptmvUw_A_AU)?Ddn
z$84OBYj)!|jx*&!Q~685U@w_*LCBSgVbe62r81y*7)s&BAN|y$)obiUy9=N0ls|R=
zp%YQ3#INGjk>9!G=ZAw4gvtMsPYvVRNCx#PSf)x1I0g~)*|$Gi4kfCt-r(^wf@Ec+
zMH1<<HxP{A&@iC=g6U^%N~}V!7(t?aRu{Kj^XA!kG_gxoMFxq23$9G?OLegFvW#j9
zq~}-{^;|}biWKK*(y`0l3|BUcxOl^g*Y(+r0APR)rUZ!HfJ+gQ_}pt}4^F#$MsebM
z9|h%uP9S2_>jm?qLFrlz()H`5lb>^gjnT~U(!Xu2f$$ZEPu~=D-URuL=s_Ag_P!n}
zEtgVl&uqNRuN0lzzBtd#=XI%<LPN6D`{;stp-ht^@H?GmA~lZv4ZFTx%W+uR-Of%`
zSk56fagaH6g~a8~XhKdcrMTE5Xa6FQ?Wn8xy8JBu-0&zQCwo&4ZMUI1eD-SF{5OX{
z(r8u_(=E_WG&_)9Gn?9WtC#fUCIFu$`n@B|q|lC#dPVySk#ou6+_}sb)SBZkCbi;h
zG>GfQT$7Es)K6=O9`hls5BdKXS}Rqx!*`iY^knAma2Aoe;9Smz2^XvT9;~6GR>MQL
zm8kNuTkZY{->c|L2HafZ=&*sM!I=;17%}Ml7lxVDMNN9p*BM*p!v!r8#5G1X_4X<A
zB^>1nh<fHXdHNa=8^Ib&bS-GEm)wo`7xpvV-th$8Ch431w%02~gq4pxDCRDI75<tu
z=8xLMWt>|!GwiJYTwyWa7^M?t*c>t+fYAhrv8?^lWRv-Rpls&E@MMf7IC<?o+O2Gd
z0%|YjJ^bR{ZAnJnLvH0Ow;#eT$6W1erkr=;<MeB>%l7wFvTYeBj>-Nx+}P0z^$mwD
z+pXrd+kwTD7Q+$V-U<D6W;H#h#dST{SeH0hTc`{BqFXK`6HvMZcm#nFhcW7Yroc=9
zq{B!C^s)kl3xNI?p+kV-EQ>RZ5I$1olNz9O4-jkuWOutSaUc0f2LCNo{ZLPD{<&%d
zyM$Yx8@N-@FhZ!lOU(ZV?C5WH!L=k6V4y`;3=Ap;-xeMKQQH>pLO#V`JeCvk+n_$U
zCUAcU3RZgQh1=sTvg&Nzxqp<2erK5?|FZ(Cs}<(uXbMw}Vm-rAE`=&|%vP2abyfO>
zWiS=@Xs7qA1~n}}5tobE_bD7Td|b1qAyN0#DIEL7-md(e{60#2|GQKZw4ES$v3?r)
z$K81nBlB|gOptxjo?j((+<bbP^<cl`0t5<mTpe7MnEM%8fGl$eeylgGd+t$m_78=w
zB(&C*UB9pTYt;@jXtkgG9Nlcg8tuqm1-~x&_!k{AdVN956q;{Rj5p{WnpVwTjL3U-
z)Kq&bA3vVGx(E^FP%7sn@5VF2uVl3Go=@t4`It|L-;BpS)AC!M*eA$;N2Mv}%Q*hE
z)uP@HL7so%e^37Tcs*K|4WvWK9$oYfVfC}kV%+nW*$Y(neN84iiTSmwEJVZNcg#UJ
zU$X=l%kE|-{IH<I&CNm^Hk+qFt;!?YmK!T?5&1vOSI!$bK|9(VD{@Ikj^mWp@E^*`
z`p<L<{n?f(L@J^LL1Cz)U(bZ0eqrAUkkI>{Xol1^Gh(Q8C*$YKyB1gYY-4)e$HyK>
zP;<2-x}Ba^9s5H5&|;zDQf5{|WTUtm_}zShe=8`d0cZdJ0mMK%zdB=4y#L}tmZMR;
ziJVwTPG&W)9`)4`4bCd*T0fCO$^G4t0k$4pg%_?Q6w;CFeqeFpYQL45d}+HC8C$Ve
zPVs$tB>t;x!e2(lQT;!v|3An6@5lZxBB=d;eqSyk|0w_OH|A&mA8FHIec6$qxCG8u
z{{p}M{%_R#KQDyweqi-rYQHdsnMvwtazykEQk_2tn8~I?s+#=7Hsy_sdc~7!%Kh&5
zrL(du<5QY&IqTXZafnL#5&14SVoN6Fw+(7-qZ}SR<G4*9;=AP^)lAs4$JLn@aFWKD
zc!U&AN-@3%Co|%-x>29I%HjCfQlng6_BkmrgErR<IG?eQnVI6BXTdl%h}VC}tZ%Yq
zwv~!lPfJKx#%d&Hauhs8gKkScKiQ90Qgn~aOCrgtZ31iR$&$C{M`GD90d~qQ<2#;-
z=u&H3%`c1JO$5Y7N&+mN0ytM<z{%>>w;=b16a{iU!h5lkI2hw_sTKiD#S{<80fQ#b
zYdE(W<a(VF3+R@`##RK4`{4qO**L6mud&&--4+;vlxxJ-c1)D~_3E)XDd_JFrz#Qm
z+x2u1T6xC>6Hj#zXn~CABlhuHL#IBxUFO6QakJ1;+A$hrYD(B#iIPpUZ0I7LoS~yX
z5LwQ%D#^7_gYLT_a*oa0(_^<q?M@d`mD00lO>=B!(vqKp$yHrMg=Zx@zw8`S9jA}A
zb5>8N&&ChEHuu4fBPYwIJv9o)95`7XA~n2;t?VKgnXL<eqQ9N|)>_XE>h2#xmmkhz
zm|^!7cwYx1Qc9SD@Ehnd6Cz)*+t6(oh)KDIm=X~=PdgPW+~iJ*+KkKQ;G@X<{O$2L
zER?xR0@eSc`v3D>|NX=N6-M>{zbzM$|6l6=QTzW~3_tt-+6Z#UWk-VI68OjT{~y`&
zi3oj{{dW=n`?CKx^v?$b0>A5D2na;!|6=&5e@EED%gc@g#U=0$*MEL~p8t7_9}))w
zh5m2-|7ZUHZ~Y7M^9rER30=e=@c&%@=W_iQ6#2_B{)Yea@B9n$qSk+02o_3Lc8W=!
zpP=EcabkYUfqDzbD<($W71lAA79cMkkx&}|Yv)#FMPBn5k{x<d1t<Di+3W4myz1Vo
zdt#Zk1#+CLNz#bWa_XC+UB>?u5Iul6O2u<OlVGG4ErhbQZS*#eR$>n7f)xjc^<7lj
zNh>>YJ4hBvCEZOT8-@<^hjJN0Lj`hsz?c%Yd%!w$ty~u!5pFYq)7+ZCQoEiB9Q~Io
znjxQdDI3)LnUX*str*CR+k}Hnu*)mGR~4VjIva&2+6Dkq4l{ed={(qp|KRqR>}kJR
zMK+enOPqC)&Je(z1p_&m{j)P#iffAf2LiaCC(6e&3t7t(kqRN#2H#?}4Xg_+a*=Y-
zs%tjiQ3*}V^IE`*4sZIR6*YIvXAJhjS$|)3{UyMx%tJH2Z_*df!{3Bp?$b?R%w)(b
zmvq)$&(QlF$xo00PUaQ##m!@1q1_zA-y)0c*TM*f*Jg~0YLlhNDnK%JFDT9=52lab
zl{WY6t!qZlQy-o3vmj}0jv@=`R_K?`Gz%K%dMWgk)zu7cZa25qj@8r`$4-)?k#EBq
zL`l-vRiBw#hQA+m-_`M4yWyW{anEn_E|GnQw5*HvpC&k^FA@v%7K^1=stTT2cc;t%
z4m)gfAX<RWqE@=$Nk`7nY8(M%dOC*0;u`eIt*!_oK-v;J8%$^JeEL7Zzno*gq<_@@
zFBbw!(KAFYrfHzMwT#=i)+rOIbQ>sqENqEctCY}{GgZcj>@L}B%LDB!d8yROLVyS3
z$Fq9;I(-_-PW|i~D!NpIu4q^K$=O3d*#vIMEOcb^LBU}Fnf)8|@rMij&R;tEf|~ls
zMFXR~z2qFzA2j#U%oo$?7kJ|A>eAlU*p0G9vW3%hT<K-A=njK=%egJc_xr(cq<E<*
zTDwlXSGyZ`_I9{r>1pM9Jxg+|KS#-YfU5Be9YM%L%o}%arElkNGX@ms=^7U~yQI`q
zLPXe;p}y09$UnPlwED0_ldW;iL`Neg2vM<MUcb1)=b6l5POT9X#M&QNOaBMHW?bl3
zQVS1CxfBUmS+dD0I_^BGF6`rOmFwP(_{Z$b9fq237#tS<#C;&c+pWd))f_lC>5;}G
zksTW-Xtu5JF!xQ8lqvQqk}_!|m7i85a%xW!f$)r2K}KBN*QN>SkcT{zs;p*R)F?Fa
zN_%MD7=)>b=g_QQmEBq!47+A{AH$s!&1$#`OzC?_y4(-PeVIY4H?8Pdt4)Kxv#WxL
zJW6<0L~^HWU2cVi6Vq$B57W3R=BB}>^hnP!WrIA%Jk3K)h_51RA$TiZa!^md<ZP#f
zVE1XnyA4eIA!u(XrtWI8&(5L8$En5rhutb6?7+cO<;Pcj4&+~7?@xZqF8J{XZgejC
z2MT@vD8%>c^Plkd?@;=`5Pr^oulO3NFFO(xm%zE`pC9;_W1#B)?~7VS_T53VMkIVn
z4eHW60_?JuGy(}~x-EmpWYE+HB0E~6<1>ZrIpsQ})DTQvuVA{B`q9IWjM~p2*ae<W
z>1loDE03oeCZMCCGs$8cN+h*n_DI!ih|6{LG8}ZQG6>+R_@2%i+4iZn3GwGaqcm@s
zn1KN7GbdNDR0LoA6QcSTlG7vI{ll8e6Xw2OJ)Nh;R`G^lxq{NolP>|3TO0yN(JPCe
zu{^8I`6xp?1AU}#>^GVAScH_6y_3Irjkm=P5<;<8sp!a|F#w!)EuZTEN3OJPmg~RS
zI~q}zZFGXI(SC^GSOrpLEDoVt9z_GSGu@?*GS)XOX{p~O6oPAF@V#FP&==sXaLxA7
zy%P(G9H}GJc0-!oQW>(E)O&!NQLhTzPKm`gNxfaX_JviD4iZd3-UGT1j-_hR@KM>o
z$H&g1{QRx7jm90`o+nHFR)*loT{?u-K+c;^L}BKB`fTZ-(p;FMynL8lXb#_$fm#3j
z7XC09txF*GG}pHfo>?kC&N)2axj9#_Bo15nl&Y0)a!n3r;Th&s!LqMA8-~aefO$|8
zX`UJEQ<lZsdOTj1RG355hkAN%t+3PZC8&|PoIAMpdC;Dk&ez())e0ZzBJ(2Ca0`ui
zi$(Cs2pwnbtv3~p4`gZkK%#Ic1*mR>LU&WhsV-=pP5U4Ae|Y~F`{(cYKm5GBLO=A+
z_e1|E|L6Sq$MgS}?LU6{K!1Pzj}TA*<^Nm=_ZsV@Z8r$l=zO79!w1V~sEg!Mjm;ZV
zml`R@o(((JZ7f*wj82*cbw0;O(qr9Nm|#$1U_tCUP+^)`2fXnPqse&9>9b~6v|-aN
zvr#UO^j7~UD-|TP>D`0h9aJ0KR|^+q<yNtu;)sw|@gs52m)vpQ^E3VPP_84JDS<5y
z%QG|dF<`O;EM5Q#Wh<M6eJTe@)Ewa7t0&R8E>5fI)tU9!P^PCXfC}N{{U!FZGtYE8
z0lR#`1KM}A!S@rRrS$hpM28+Yv5-XV$y&C$wAQI`Q<*xsyFBUdtt_z~J^WN3Y$*_N
zG~fE=8~fn6mu)mcL`msoByfDipLq0sj~LZDG$Oy;5fX^uJ}ecTS~%)MM1fypj{&D~
zC=^h!#KLce|BJn|e2cQ(+BhjSfP{1njpP6#h%^E!BHbM`f(XdaLrUjEHv-b#B@z-M
zNSAbu42`5T@7|C5+xuZ3kNW`qFu#A`UdOTS^E&T!-D_PJ$zA>on$N-8qGf~qr!nUR
zR6hvz9co8rH^r-;!gGYGIzK+eew7R)F6D@!ey3vjqnxi6%fJ`9+H{T=eJqiBAFEff
ze35!Clr-8~UvesY#C-ZNL;(NZ1G$aP*2FLL>7j>{V%Q@MIilXmgW9V*^EmXn3fWKh
zLnT?`1Gxt21T8zXE9uld9jv5B;hX9Ar%3!O=U0r9LVX%)jdfXk2}vxegiN{vpir0z
zhdb*ad9ZZ67peanYzfEi0$^_Er;lW$h%6<whFXJ_KrA-cf`jkmMxZqXFTQa;b@;XF
zU+Cuw{?GJ(@2CEe=l|abs{JHSo~mVfnx~zI&U*F12AhKzle$7L6j6M9PTAWQBeIWR
z7oA;K9#}9b&OqRxq+61Ns-~};etnfY;(qYV64Z$BxVJ|aXmR<jA}2jMN_cLH!N<Sc
z8pVZ+AjR?<{OEB_Tx04y`P7>^K$2J%+%|7@e#6Z0MG*&SU|(m&x)k%{w~9wuq#>vt
zN17}<E32M}M36JW`YZ4AGskfLBI0vOwR;Gj@1ZI21<+ZqOMAN4XnXV8^QY6OlFov=
zFcJL{>!1MIHepl9{GtngyI}!1Xi1E%ZbV3WLlD#AJ%D(m<zc`Dp{oIV78B*O^oO2)
z8g9AHJEb#Hq9z8UBw&<!OEN-z@>&ye5IlLri|2&~16!psZ!a4TJ~(GI48?FGs*K8%
z&IaU|!yrGe)SAkW><^0z_Dc}$C$boBWxYS#*eYjjdp<}==dmB~Rx>8Ao!ksne*0wL
z>P!6&S6em^7Ay9IsIHQyBLFl76m~v8Ox3Qj0NiJOFEYh5U*k<tlvb`^Ak8!*0+T9=
zo7sHnWYKgKSjnGq>uSE(1A>60g)LUscaV8<`vhcmY_w!-DFoSj&#b*CeRsC}5N0=M
zAq`5jHZ(toa>4OGcH@BLpFtwWtJgtbW=e@;USa`^-EY%;rXW9cO)p%C=sR7NS(Z-~
zx&d4aaHEgcs(%sC-|yHj=^wfOb0d7mFJZE!Y{XoS*WA!3s&abcTndBsWNNc=V!dY3
zuIm#4X1{rIGH+m5H({ee)GJ6yv?e3bw<WVfWSlM|$qUG9qWBO{g|QGDXmK!4674r+
z?^YaFsc9fgTT~p*GS_RuKwD7sc>)tE!5l{wHl>Yw0eS)5oP3>MxfK>(F3)#Ss7lAK
zS0<sQ`2GW<q7&|{%a(QbN$JV3gkz8#*BA{y^}7IFo7;IrsKTQ&<U(WN;&h!-sX#TJ
zEs5QdfjON)cgg9*>daIf;xEl$MPLg(Br0LM-o$OpW$N8WN0G|?096u4xvJD;d&$<V
zyQ`~MU@K02GxFPZ9`PH7zUhWF6s3Ux3$)%Y)JZ?@qa;6y#JqxXW9#v4bWh4mLGAvc
zRd?T3a?~D>l3m(rBRB7~G?XYWc~lrgFaE)))$X%oo8@yRn_+JU9u$eF01D4e7w4H=
zdG3BY$#E@{XP+kSHTXu2Q^T6>kQ@pV24kW)5g)xTOQ+C;dYMA9q~6TIL9^i&Pj;*q
z8#iOaA<e38GrAgkFoHZU<5o2&6rVp^JqxlPTh~$x$4*VbIW2R#K!D21aruij)`$;d
zihW$q>!Tqr5nQF=hoR%^ouFRyxioa;ZJSaGM86n9^V4au>hv)H&yJ91B@w8Uf6#!k
zeBP(OKsU<PG3qE~``2~q|2`l8-|yJ3=pT9i&&_Z|AGDJLwhSEEa<^eg<e0*sq#b_1
z1lN*^(1#S<FTuPtBM5ioYU;#2)_eLTC&gjW$53KTN=uCH6gW!<?bB0lUDA>|an!ry
z8sC?W=xjgL5$ZqJ%CL(Q=C)aVL1E1)!O=nWRo(jFFHZ%ZlAI9PnA0?<cYnzMQ~X{u
zS^FGORU^gm{<bFY?jrMRj7Y{#^*&-&u<DVOSUU&0P;x9jo)`<4x?UP8sjY~_XhH$i
zlea!oO{Q$Fcgc!!q#=~X-d4AR(`W@KYYCF+54_DI-zk$(0@e%Iz3cGjd0SBhqPF7@
z_<bZ#B`{KOdZ=>4y?oNRPrl20v%LZv8Yz~Fg5Cr7+7tHU&BC$KEr-N_(}>Jlim17N
z#REP&OoSMR`YtEA@RdcvF%EaR%4Rm%b}cRa0jmT7QWd_K1D6n9XvqqNPqq!i;5f?B
zJyZQ4LYF*<&~~;WZ%FtcqDM~l*|UcNWveW%z7#_TbC04AYScdqI-pek2s|rjY{=%S
z&+mV93x4NrsRe*RgLrbahGvgjX@zS-Jv$1VLZ6Jsob2)35{}?&D#CF*_A&cpHAUk+
zMQ6PB;R1%4w6y_Uz$O=&LPYfrW)g^rUPAEi43ptkdaRlyx6;<syQ_FUXc~}b(pQHM
zHox3QJ9a0>sT$GeKIJso%j_Cx1UlketN-8smHPib{*RphzY$o1#&9QGy1^gW^DN*!
zDVgn1>X;n8%|sm-ileLl$+I=Dvq7p)E#N7VuUV#l6;+e14S2e_&Ujfz<Yz>BsiMEx
zr;v4t>52ucJYHLgdzHT=sS!2JWRt+^dpnIyhsff>bwybB4PRZ?+USmibj660OT*B2
zMd?>TJQ0$o6T;T*X)qlRqPEf&|2d<TOO@>rr@RS0on=P~q9p{vELu9}vFw`aQ2pdR
zoy;l`A0xL&JdSDfzHy>mT<%35jfo_Z?{58F>5t5m+>09@QhO?IEI#VhdqpY;Fd1A=
zcE6%IEjg=9OTcRHj;I*16X-KW!6{yrDv;?<R>4k*UFpHke3Of2zjl8{E%oW9p@P=;
z;p2IOCA{w4&-&U~>3mWQuae4NFlY_$os=f+mUz62-7s`2EBSIatCWF!?FmuE*~+5Y
z=+@Ko!DrRAxcRgnt5+V?(zXlde#m2CPyr56)kw?a=Pv=fl&QO{piS!R@1N^CuCk%t
zv#Rpf#Brv6?XN3LqHy%Z@SrZPu*Aq*&TcDW+p<;6$AC2*Oe+e?V!I<Mq?2oC+~=IY
za!<bv+(N4*<zdf6qZai{KBMf=s+m`gIo!1V>~eR9^s}5o4}sHH$r!TyWlLAD^d`r3
zt>-T<#ND;)kMIYUnQXQUZqYXTPE|`ixbj<@QB~VeiAeY}=70GA|NIXKIsbDLT<`vm
zpb<z|kPkWj^XGCC`Tqy~AOG=xAwdxG|L@K4v;X5(2wUs#js(eX;9B)B{6BpEBj^8b
zgaX`bBLkH=AB74%Kj4FEYOQKRa>T(-usQi8T}Pb6b|&jrwmYB69R%}J$xga7gfN|C
zf8Y(MPE(jDo02Al-O9>U!CQK%9E_H)OMn(UvSsxeV6C75;{WDRitDPqlz*CP$i%4T
z#eF=U^gy(TECandT$Dp_pK(xcj>redo-HqrIWiE$(8Z^{O?&%%hpHY6tRu;*o$}_`
zEMA>jdPCbxO-XQ-T}|;yW^j>z)urgPYrYXXLByU~yvxQWOm{_9r`8iHb0F<kKaR$E
zTlYe*Ot94%<H4Mo;I1jnormfHrwi{iuY5<%H862Vo2uC?Yj;5B_4Wp~!xnH$+?+jy
zUI918M?<vF>!hfn#}-#~BQnrq^p{ID#S;ldgO>WJ`S43qu<uFR3nk7y2eaFwP0jAT
z^|2l3JMpFgSVVlRX^RZpzS2;MW!~e=Fa?3n+p0ZaN%5ZOxztzrFOsGm@Li-**>erf
z^?KqnY6m?ZFu)o#eH0^}#ms)*Uu%r2!e#MqV(u_o5B_Fy_c=#Sk*9UT3#RDIJ|zfU
z;dHK;%LO|VMivgG_#-e3PdE3#z1pv7=xZxJHq)lyaMK)(x@dks!ybnYil;4flrh4K
z{@4r*8N;s}iwz$hJ$Fp@bW?dxs)o~t`PhwcraQLb$5G+PqNa@cz({!L4=>c~)&I{v
z@L$qD^8f#hkR#xHXI%ct*}z^AU3cM2_VWXdR{<9<>$Zya6uR8gpFY+sv9WgzrhAc!
zkLQuo?C=fR>Li?LKyQ3R%UqJx`E7GzDXtuXL1804-m}|m%pIRPTIqz6O=b%y%$C@e
zdn-%7t;?hi&%!AuZljy<@<zM{Ehtf%eUyxq_*j^k>{=o?pF(L;s^pu|kQXha<#zs~
z(#TI#$u}Ki0j-FYfK(RM=XJD4)ZDGDcabH%r-FS<vn)vk<41A^R)3w$HbB;MNxdJ{
zey7}BHNZ-+g*n|_$mA#Prc)RgG~Z#Li(r(DK^gO3<YK!-%ZBfFe+oB8h4Xu}mqAB;
zd#{SE67eR5&m`_#625#ih2~F1Roa`<BsF0}73THelD~FDft>*hZ(Rd#`Pij=PZ1(L
zI27<eQmf)2IWDQqfgTU!+`;U%T6Xbe1~_J+mZ`^Cc4+|JA_}cxM%H)+<hukS`1*E)
zvc?O3G}ZuK!&N>V6DyuJIds1il()Y8F5}4rVE2cqDPr4z=U9%TnJ6o>&wAggH5_kp
z^=Rz>pg<LwqQ_Ok{^WoD;e}0!c>N@;UB-7KGl`hGhfx7F%Y|n&k-6V(XM%_ecf{-c
z0<cbA%{!N@n5mrfJMoCJhZOC6WcCOOo8mL#Fy!WP=^2aA{Klu)SLGJs9$9VOJ5(&q
z6Jn1**8j-*{~Fi-f7O3N$ol^e<|gw0OZ7i;{{Lq9S^rCP;UIo@BuIV(NdHIr|Mm5M
z3H*EgM;`zC2Xhno{}un|N1p$CGyL@bXwhoe?~Vk?Zvg54NdLdK{!h@q>pu}>{r?AZ
z6Z!w8`XAZ<e>42_{{{2D=HDF&lHUN*|B?QGjq~6CTK@%**MI)O+(iEWng1j2|G80q
z`v0&-kK6B#1j%pUn)m<ye#U>%KeGSlH<F{^=~XG#{DVu5v>_kV&CoTZ#ok6NZZGd$
zXw64rM)bA<fBB9<OmhFr(k^!)6<qPYejcnBj2?z-*e^FS0e9^;MCfq1t7!sk_?#FZ
z2<SaGpJUH?WwFZiIOU~Xw$3&~vG`0^ngoXr<CCHVb?3Z<)Y0cHHr%H%VKo%EnPzpA
zufRvO8Caa^I%e%gF@x-A7~E%8)*r-CA$)P$fzHR`K?B1*f&2}mIXr%pS1)2+Q~MJm
zWGlj1G&82*{O^c~KBR1AVIA9E$(}I*Naz7+xXDC?jWh&CIn4o;;_<dXt0TlGRU%fR
zCtTfcu&|xk5Jk}hN|_<=SMd0k9J%+hn=aP4J5Y8z7q+;^<L%`c&~63f-cAj6&;tT2
zP=~snZymk`!l_%kLIlK?@sdO7XUAa!A%*$<!#Jw6pOdBmu!Y^*RR)xesG>_fxE)H9
z>ZTqgz5SV-b1iZ>(H<4}K*cYv-A;g9vP8V7=>X4a>sj_1PJ?gbV@6#ra2Z;gEgWV3
z;B!0G;-qfe6QXrjaWV{RGnGUg($GV~m8~E7?l|iv`s=&J_@gA7s{6w#?Rt+81IF_Z
z!ZDI;nWpK1aH!0}`y$@(6{vJ1UWoT9-$gFAm?DEZ^`W}Vb55N}VDvNG&Cm|$t#0c!
z2{%nVF&Uu>UA#R2YXn1DU*q-8|NgrEk@tV!46p`Sg+02(4Zh}a02%of^`Xw5!ZSyG
zLA&paLv;MdC*I})I^XilABX+W3^G$6kJn=Dj=HPUEX@{dPTsex7Vw#Or@GvPJ<<t|
z>fLdAe4mfhba=J;dGXg}&lR+M={oF9rnQz+GA?{O;V|wHwwG@#cv!s-!!H<Hd`LAK
z_F6f&Re_os|Hs~0ens7HZJd^p&Y=Ve6+sz<p+SkEyGwfL8|fHAkQz#wK}JeMLPEM@
z=x%9IKtKegWhBn>_IdxT<5_?&=JOBCUTe=@*Shv^@BMXP%)Y;ySILiS;TrG5uablq
z;4w1pr>nQm$vKOkhYa%d4-ZczU}I02qRynH+}{gm3A7&Y_2g7Co;A&U)sC#VwYUI1
z6->)68yl#HC7K!(jxLSF`<cnD;<tu^aH#M!4(5I+a}#8~MPzX5WQ6j>NecMjSR6(O
zCXfV(c8xPTnu?nWK}WB>m66Cx9w83O4SeqHqK`?R)~@KLZ;9Gp0j{igpHH=KE!Fc(
z;=S=FeZ3WMo9OJeCurgxo=J;mC>_kMdqm8DC0LrV)ua4YPdFt7J;8B~lx(OyfP0?6
zbm0)<NF}YM9nhX3`t&rHkmU{MXB*0_DgHTsVpXisf}e((*obZoisdX%@*)D&tjSK1
zZ}VRQUm4n_A`14aM1wGHduwRQEriMi)^-;K&`Mz^Gj!git6k#2?MrTQyKS93TStg+
zYFA^;>u+|eA@-Y&BekQ3Qe{M{f9bggNf;epGhPQ8Y~v43zO5=CXj^DMUsQ-SKe*Wa
zpWhYy-_`%``(Hrx{LiHTTzHfcN$d@^ScmFvFYWPtMXC7R!0@?a5tYOHGKa6)Irn-u
z6Uj|mZ1ZD5S`~GNy8!ybsJD6C*wH}iNT6U4ebFXP5aQ0QDI*@8tQui2@ASa#$E^<}
zmcw=}Gx3K%GT_z`<nu|`TTrORWIg3P`T$jk@==V;_0Z)Xv&Bq4j?~_Ljcn|+8@jp2
zz#1=?QK9;hq)TSjt{$svhMUrUviHTfYtweM4IsmrE*LYurh|a3zbc`bqo-|g`~X28
zeq-hY+^mn4#QmMNyjdJ$;3e0$IJwx=3f<uDLI15K59jH=xwp$63cRDo&2aM3h&5fi
zi0OlGQ{N+P`(stujPu|`cFecdSK`wl?)hM%PrALK$iTUNYt1koICt615k*(g*LZ03
z#?juE3TH$HeYQWZNLBBoSL)iU1ozd*$Qvfddcy2xXCDiU`|@YQ7n@4jjOVbf&FMpY
z9iw@OECMO;3r+4$6WcRFMASD&j}-{3qcYFSANoEtNR=tY!ZPc7hzFN3+!xW5&&{ko
z?91vhO}0phY`kVx4Zu%v-jLxX$AP#3%B*%XzL#fY5fp#hz*w+0@-%hI8QywS!FQ9O
zed_S_9UT{_O6Qnw$*zZJ<Jpi1RX?rS>ot~~@rE2-tr?Yrx&(^_?U?%*yAhjFqKI|M
zR#jczKzV;E@_cmv58eN}IRE#n{{uqz|NdewBmaN${SSz~|8Y6|?*D<7_K;T{37RY5
zV(<U_`TZ|`^#1>)P_01C7df|RU?}Ti;p}Foc<!%HLYA@v!F)4Xdir_kcwxwvq*Oj4
zQlTksy;MrOCfvwv8<{!nXJ3TW5V2^YF%)5HCA6T5hX$FbyjT3BY48;J9<R&cz+j`Q
z+rg*2Yx%}3x8TeC!W1W_V<CDuE+gg%6}t9dDW!rmtn&y}VSpmJ;E(ViC|{y)X3CFF
z9c_e;w`=J$*A$rK&)1IF>`s23K(XO#lGA*jipv0lAKTQr`m;0<BqP*y#0)pUYf$2Y
z`i7X9;SFMeACDao%&O|v-Nk*7-S!C%v9dVkhYHtpTH+YnSk(x4&+AmqU%I995wX)A
z-L-}+9;+c$lX@gph}t31AvwrUhUga!DT-sk*6vtklXPT7L;acrknP$BQ%<#Eyau2_
z?}%Yc@0VK{<F?Frhjc%k*+!AbJT(#T`I$ht<9aVJ*^p5du@Vda{4ls8KJ00tq*(^y
zhk(;Zp+^y`Ja<M-JU-l>cWGB{aPp8pm7rn0$%`G<{mL*Q=?j}^KQekxlgy)M!Opu$
zQh}A~NI|%9NjPPG&Mb%78gP;}TiKfk;};CgRlwY3JDafJ;*C)PS29R+6i_0UzY$G_
zm$=UgY!Rj~@W&0kg0OlDimg%&)j{vmDMR>&tVc9;c<G*x7AC1$dAUqNwqC!Tm`fc|
zI~wQ8nZH>57ykD@_9ylK06qV6DTq&U`RG)meCo9L+!~a}((C+Dyys!-Zg{<GMje=Y
zDe>KYU*6~HEO)>Nco(ayMDlJg;v9*V9`R<wV4rzh?cg=XxZk=hF~a<gaeN2&w<py)
z)cs9TPLdA+bi|+^RkXO}!f948P(?}vF6oEtu7%8RbMkM$!3zA^yIj0W64Z{2;v#av
zjY;?@#H(gZtL5G?BKqlVAj-x|vyu)<PyX=snyyM&rYzW6N1+xOD?fMwf@yrlu(>U{
z17k&4q`uhcAu7>ln28d<hAiOg;B<@5FdJg13vVQj)ykd@<S8ph;)LlS_)y&Ay3Iti
zkBjheF{UVP>$#<{Nx4Hmdn~1@9n<t&hXBr#>&Oz<@$n!Nl4%cdPBU64hPk{vA4hrb
z9JM5cOKSHOOg*8^s)QM>hsx9dnyH-<v8o1qavpA!Nb3)0-y1)WUg9o?)AzM_?TX<N
zs4|~7E@Qhr4J3aEI2svqR_ewX?z-z-qVU*4q=CTGro>B)fA~803)P?dxZxxXW7Hae
z&oIe@Ma^ll;7;y1Nvm*~o88%xEZLf(DD_RByQuiJ)vrk+F}3(XaT7aYM6Wd|nM}dy
zMf>-WKNlIKh2E{0v4DePo`*NlQ?y3P6~=|N3WF<<^OT*NzB25Ds#4IJX%-{QN5b|&
zPmij^V;^+K#Q^N<y)JhD?|-=ei`M^3AqWx8ZmXJ(>XxY!WsZ)2H8>ccd%D-&aVSeF
z*-4nuT}NVNg%ckYsyt5zx>x<f+oPoU)2#)ACzRjzOojv1vYnd2EN^PP<Ol^;4wz`(
za%e55yT^ZM4T&>o{4oBLr6he#qGgL(Q6mT!v|;Oz4@nFf3j_@dp5{jcOV-wiTOisN
zPN$W`iQJB(7XJBhiakDY>lx8a<(>CG>&=44eW<yM9szTDm!`WWMd&JBdq@(b*hz-_
zJnxCV+E|{1TXKqT1TuXoeBPJq8X^?du50L$q6{MqQW01n+}PHWRjKO?Xfs(LjnIIZ
zHIhflJ6ox7Jqi~4@Z9~)VF9(QfYRDPd?Pm<oO;uiZHn+(+TIDIv;x2-)G_W1@}_W4
z?qky+tig@QtELMrt}J(P;kfP<8`1lWqm+M?P9`ReaV{yjtEEkEH74T;l11^^lMxRx
zU6oD1s(b6FGE(OBb<*bKPT!B}KKk6#aagP#$GlRCLhVo9b*B-fJ7t~T2N(dsEgcC_
z(w(=mT@}H=z{Brc)misdsTBe>`sk|wQT8C2Iq>jqgYgGZ*`Kwjvct{Ax#<0!tvIqo
z6f`LTLuUi`$#u<s+tq!2CS_FzX@$p0Qw@&Owk;7b0nFM@V>(df#w8&LS?Iat=1|V$
z(nuz`ICL)E5Deu0+&5cjQgejv|DpST7x(=a^q5abh#%em`+K>J{QpV+4?X{PN&N2r
z(U4tNxavsITmfkPN9+H^&3^!Y&3_A__5bhXGV+hs|G${u`tSGiIQXg~L30J5^&hSO
z7q|Z{@N55@53T=yFPD-3Khl5n{Qu?fTmLsx(j=}r5;Ru;TL01de{ueg@0b4rq4odo
z<udaB-|7GV?f;|S|GXT2>pv?rhvljxL30J5^&hSO7dQX;%m0DU{{JuLGV=c?{vU{*
z|GON1>%Rx%VBA$lg60ai*!maz_c#8Z`bWS2eTC?8XVt613ax9dVbfHAX|R&8&bB^c
zc%JNQzS0TbkDGIi9wIGfW8vg^xWti~tYT3)%MMnuYbq?yWhXX^@JKbJRxe=_)=GFx
z)?u%z^?baPKYv-bAPN#pp;cgB-6pP$zqR3K*gC=Em!;=B{t7&oA4t-^N`4ftJ%=*3
zRO%tUM{l9*w%SZ<?dd}D<ee9G0CTFjZFnwY(G~z{-^I&p=rwwnE!0BO(V)Gg91%*m
zpy|(QRJ#^n$A*H0|LlW1=P%<Nq|x6nSM3+Ep=kpZXZJC??gWP_YLrr9Z>*!T)W9%K
z5ry+?>0m>WTHypo50UQ{DQOiLD9IZd5sR_vHAM9T!a5qvxD)Bxyb+%EN*W`p;5~2N
zB;5{SnGc`I<+Mjbwk7*mli-zZy7bd!XM*jJ?@w33bcl@idx_i5k$2u1gZhkj*sQzt
zLJK~fwN8daciacXl@NHsJi%;|OSD=kCS&~EJp#0${3o%+L)98wRJ7wP1HBS5z3a+V
zMUJBe1iH;6A_ZKZ@V<8|q4+RiG&Azy%cTM<f(~clO)Bl9w28T2{q~f_r{UC(&Sa%C
zGASsB=}jxeET+v(ehfV`HpJEYYP+~=OHUnz+{rz8!RFf6E8GAJPW7Y7gIf$3W6K5!
zisQf0Az8!xATCs_p>#)0=;()vYaH-m`~UyL{U7xGk4vGQ^c-ROf>bJWGl-7=oGTie
zfSqo5mk5wrFlPgXw!3^dv|-ZOj`?S+x1wbsOpmO;(l#iQFN25@w3PiQlihJ#Jb<qs
zrW4sXkM(`33|RTki_`?9nPPICTYvG7k^!62*>VQIwhDz!)SXCedHqR`;{^4DgPcOb
zC1IYykYVm)pRDbVzzw-K&<t~Ds@93S-x(bAieMw#GLOaWrk`?L<JA@3fZAOvrzHU9
zADuK)vEjqBo_#Z`%v`(|4qyFzJ{@M84;J2Yd%FDzD};M?C;EsnK+e54vq-8#QcwJB
zKfnafn%FfIbN$`NqQ{6yBg?`!H@TJI#FJ<H|5%y&I6OaneNzmFUNC*R)$pbJ*F(9K
zm2b*lt#ZzD3rtva@cdo1c0MqTXDPF0)yOQEq4K^Ye6~;%5aDojDRHZsHmP0BlbSG>
zWwN19_Ki(lGKZrYh5FSH@>Y^~Ipdp(;tM0UK<{~$W>GV}&@WR~>&ExP4oqq34&O{0
z10wIQNVcB1Seob?#Pe}>g4h+y^tYnsU)#6I2m!o9o~(!!X!U9zy)`MMj8NtD<fcok
zKfbfBYzMJ)tswi!P&PnS&XQbV7(!Al-=sq$nJ(t@y)Mq?dY3b;!F|kmkDFFmc*7rS
zY%rjhtY%bP?<U0eb6jY)JkL*OI0xE_=L|!rN{Z0_AMO7yuKz3e>-~2i+W-H(Tt@!?
z#Q&q;|GOl9`+u2m4y>z=1kDw2vHQOQ|Nh1w`G0i%Ukbh;+xl!A4rKVfKzK`wKhfBU
zdhg*1yt>*&^|}>J_vW@Eg_8b9SgLcevF}EL0|8UgGDGo=jz&#s-}%?C%(vvOktuLf
zF}0X;noW^bCG3r0y?n<RveU}tD8US3EtB&-<@Y7%iSwg*UmasXYNVvwDjkGFT<uqR
z10xg~8!}usP!Bz6PI<XwIp+j6im9eSsJ9r8WY`BMj~;w-e?rf*Ar=BS1H5=?tIqNu
zPeP1{gw-WU*kGP(CvlRMAS`*<^`qY4SevENs@vA}@bDv7&n?j?2*a@n4S8~B<?7uT
zStWAc8FjoF^NKM}ulHP{eJ11~sK!GxKJvUy!oda#`<UU_lPF8c0@6nZ0Erp6Tf0M2
z2y3#@c!GSGO%!3MBeD!{9g8=YAo$!PBr%yTqijcI@QVlQdT;FHQJtcLgMt+h)x9;H
z&dW2h8D4VIlF{_tF`!{pb(Jm$sQu=PwjE6(aQErGL4?_CW6lozL4$Pcn}Eq_-kPtu
zs-#9=zcy=ZRL{cJbMP54;+{6llgq2*-(P{dh4p%!)x<toV>bbEu-rl>4Ex$Y_jigg
z$Mez*wPZZ6>%!eXb!<J>*Z$JR|HQQ@gOp;6!O1%JKkS`#SC!2ghv^RK?iT45knXNc
zr-XolG;Dg)Dr`ZdyBnlYI-~@N4Vy+v8k9!rocHy70?z{cV_%<O)|#2;TEAyz?z^Y?
zCQV(Cm0<;6roB3=CS})M+>W5ftsL`U9q$-H#FOW;9F7Oszs}@)rPxpsMEiE@|NI~O
zA9nxmPKdxcH-3aaaeCD4Z=;m@;THxsU%Jq6`%;CL`^#*ScEQ04X2XHeFqhB6$MFGc
zfUoUHgcd}@kVbLYIEvi0W|C#s%h8sp#{R^T%mVA+f`k;^lCc}cHk`a+0p{nB1sxoH
zH<Iw8<!fkH)Sl;e@~d}=D2)>q;Tz{TFWgxh-bXCZ1?1Y4Gv#S-`5H)wx9glgX-`t^
zhrf!#o5sC*+{1#|lMyD%uhC|tB~A0)M2eu){UyJ@?kn<4E~8c*YC~1#I-)2_(6vYI
zgMC(W{~vz&!EZ1TjOxecJ_x-WT&a(wjy~9Ab&~Bk?2EzbqEu0NeeAbK)`JMgPuSZ5
zy2!5f4b40dB>vS)D17=#p?u(dR^69WJ%I`ta&cM;i}fzUYhBk0@b35uNL(O@*@`G3
z*J`M4GnzffU|g_Q31co&O)s<=hoWe;16}=PZOBQj9N@T^pJVV+qn{FU!Zjzxhu{M^
zPKI25FhN-GS*mfg;a)lV7h(V5#>fY8oeiCmL0>)h7?FH=i3n)wx_EfQvv>tmx=0+)
zT`USZq?c9K4B#DxgBWIK7*e9njrWujHrUt}Z+OWqJ~$~q$uG0%9WV4v5wQ&~U6|sL
zF^K5Sc}kmbNqyv^|6qa{@!?I=7r56A*$j`!T0ToRkaC(?hqy5kJng2bq??k+nyIMa
zzk=m|SpL7o@Be@Ep8)Lq|1ah)<{y^-|6+dUf5lj4vilwhjC%m)f0+Mo@BEkhpZYI?
zF#rF(+{OI=k^f=$|L=z1{%>1yX}Rx_z_<rs{)hSh_VV99{T~Ei{XhO<?qdG`#Q(f7
z|KAP2{r@eKROP-$0^=Tl`5)&0+sl6<|I~jGfcgLL<u2y`kNgii|Gyi4`yb8;EAYNY
z0^=UI-TL2u-v5UW*8k^Ds1cJyYwyn27!`Lr)sEhqI<ZUA&(V4`<|?l_ent;hH-If-
zzx_2_Kk%S;EP_Zbz5P01O(F^X$FWBAbrEBK1<itu4F6Ex3MWK$!us_*x3!&D27+?z
zgn9~r0$1JYR#5#<=QoT#pDYS8)7_r>rlwvGaY&q*Z!{3On>#(mT>1h+?V#F-E7O#N
zprJ>Na^NW8(WSrfF;DT@+t~YdD)wE@T(AvgSJaf2daT5-e^k0vc|Iq1Tqbls0GN^M
z9CoR<oszvVVO2D)!`550I-pEhf;k=O^L)y3ZZOsR6w|qykSsXm;yd{sPOY}v<9r+}
zleVT1d2m*WLiK_;?x#9R;{|>Fv||ynLgGj&To92o?Kj1qGe4Oh2zyWvz4xKUh$ezy
zgfbYAM}>+tXB=o;aY`HA0-@Z|UY-Sdc6}Q3e!%g*F;xv;sy&)AWg5`x${u@|`~XgC
zNf_<|z*w&AaKp|f`lOx_L9PRtc>obS&utV74Am@C9y@L9hbDJOh$7C_`2`Z}7_hn?
z;PY&4V~Q3RqZUiU4S?T5)?L|GKa!usIODqzepM~i*O(2UM*$!d9Tcx|K5ErR1si|a
zmFr|+6T#Nscqdw05MQ?_3qK4>c9iJioFiQ`Flk6C8hKPlngE!io4;Ay3Hb1Hi_gZQ
z#37-zko%y|=lXW{|DW{#{@?pQ*!%xG0mJOOr7!g6kq9d&3d5jHeNBnI-y!d9daN=a
zj{hnuN7H)xGAI$PPIx%yKqjqnGRGL5N@>k?t%86)Zw^t-{$*>E(^hfeHfkM^=~Yne
zgvFslYe;Leke&SKiebPD$}V^NLeoHAET5LuA#4I4D+lA9av4i^VrA|_KF%r<!c;bH
zQ_cP!ry9fJX=FYKR8yen)grO4LQ|aZf?n-2dm3KnlhfMsPSxUgPD3ve`#x5ZU!O!Y
zF}v()462v};Ip%I8@bX@no>t+ou>G0ll;^;6api#+K)tw!d;om%*sG<D_D5(sIFYT
zWc$iROzbj4@gGzpCs@IDp?q}oa9#+)Ucie0xzQQ-7z?Lb2V#vUPllWv6o^<@;`59Q
z(z=41Y8$t`Q`GRl8v|nA7d&-59bmt2V-8jyz}bgK+PfsX(Fr+Pm@nB~h^x)>Dw8&<
z<sr`=_9x&#JkxE4y{HtbTEHRHEjZOOHEvBy9Zy6gy-vb26_-5%+q7z!bmt-cmNa>#
zz&2l53H{hj$+t^49NJVT$?Q_B^`~1lA#wtEl-Rl=0{xK`g{i7;9$9z;OUMEBo<tuV
z_Y2KTGy{{31lMW%id6D`I-X9|)rXutJTzA%l@;??G~d#%NFHf(k6}2{4%m)yAg$T{
zg4;&D36)_B*M!vTqGE6>t;6y^EdSr$_n-ft^IvXQ{{MTqi~0YP{Ld`}^Z%XjJO2mO
zd5+%qNMPIpF#p5+e|zV@|9t-iVE+G$xr_P#6aT~R|J@P4{eK~%@%_F>0^=UI-S_|h
zNBuuo|F1j2iTw>Snr((C;OY%YA_;Cu;g$KvqqaRZ=iU>8Z_}5|3#;z_>H80xXGe~|
z6e^5I=R`}>ayFp%S^6oL@gG;0QVzGDD(xn|Gao}r(K@T16+Rm8lisEoPnO<!j^PnD
zg}<0q1X@MT8)CP6Hc>Dz>owoUJnuYq)ABOIg}ZNmv+pMMA;xtbN;RXqNFtM&o=r?F
zn#%zFB*0&)c>pa-fVucJZ4FRT=Sn=&zBjl)7n-w>*wYI+T~i`3NkG;#Bdl&ljUax-
z-rs+Lt{q)nmHK+sS8udEtt}E5_1W}PDMMxAr#pHPpI&9DG~W9%V4Kl&mLKv{A4jo0
z7FQ0<wsVgYUpFNj)^>LitI2O(HxB6)2n)QrB+qv?5moVNw4_p?4fF=Sjr>d9>lk4K
z$$ifKLs!qOT7Dd%fcpc;&D7I8x3I$}yk_SoNVcrVFsqoDl6_mEmt}V~t}j2DQL52l
zxoIxR($9RJ30_%w6QVi9Py(bN0;_GfIc`WjbEY*lLLx}$E!3J;#Cc$&hlH>5W`>4P
zV9{#bg%NO;zijK`2SwOtPW=r33T{m$*pfQ&Q=JxqQG7{JlQ1jY2ISKjz8X3Ra>O7i
z4Zkuwc5qpN70V^otv2*BKUfOC>IhW7n8B4ufK{>rB?^tBTN7{6`dAeosckCFr`9et
zl6=ek|NdQLfAs$!mjCYrz$UR;!7fiGq(>5O9)(XK6}UY)=tqTUtHZXMBSwJdr1Fy%
zPF4@s10Oxe_S3lqace7qRg(`NPU!^|hGzFx=V|bvu>W^<qY2sQd`FTxeqs65;So!^
zHPeAEKZ^ICK@~Me!CT)dr>_0FDr(-nNwZz(WOPzNIrgge$m(Qb0pYzL?yD$NHF6+z
zi><kCwv)V3D11>qV!?`GkQ{;Cq~Wj1j7b#K>$Hj*3sB}D>lM2s92jQ*8LECkh!@-G
z?%H0?Pya&?ua4;&+pV8|M#SS8&NX|_v2BV|y=1~(0Id=`ufGihbZ*C$uMr{ay(?AY
z?56PRaRsmnb?{tmS<=vDK|-*GykhPX#QG5i6}JB5>pb67A5lU?JcXQ$dN1SQPJRoE
zZ#yBs)`|&s1H+sP^8g#P>K%y)+-zB3EWWhy0i`F>5BB*L&n6KBwSo|uoaB+5O^467
z_{<xu-wMdJAtb6h`*7KlkAMQfU^frS5ia_~@(SyV!aeRvTCT(AWm+l{kysv97%i!6
zF|iL!Itr!Qk4tW98?Mw*y5*gz9OUtwxFu0u`>Drj)yR07tyVWYYIIb+G<mp6cp4K^
z3CEHxN)n~^b_#bO@~c6GC+}n8D&Y+=K8$QTP3X+_yn*@k=f<!M(~WFj>lzQ+O%o2C
z-XDcnTAY--bB?!M|Lfm1_DBAQ-T%20hLt>bBrbQ@E}HV7oS}S2AS0SQ=MDy}4q|Bh
z5Y<xtIYvvXD$k2WBqq(!F}@Em=V>U`b-Fy`f!>OKKCk7Q?Uez7pr=d{XY?2X1%=#L
zl#?@1sH_#sdrFeocK#vNulXGpO<?@^g+}BJ%XBh^ZimhGcS_%*{5(j|7#$3=&vX!f
zt+nI!m{g_`8~Y^fiaNhEp4?0Pil%Lp9vYyZC^0QTT7gh{dNiJi$-$Jr4y3fR+l~$m
zt{TZRRs(pK<ZPNst~}d$Ew1aSGCFJ`VWv8oOt%BwP>}_efI@Of5Vn(sq;^F5-(!Ns
z))yT!uY0Who=$!xEZ(&p9R9q|l1tXT5W%W$4)kJBFZG_(i?B?@U37(mchM96(erWT
zT0!oIK~vr$vT*^T35D~z?Sl!SPgVE>TMUru_BE1Mtce9W=<+|OytpH=kChM1a_~nj
zk%CK}RrSUF%#}T(pcH<hH^_%77BlS=4G!P$si&}Q$RA67-0sZv$&q_b{#9U!_9k`%
zpg>{sMIB<j$U*56vAxlynY`r%;R^x0hGPFIF;;idHEK#d-sIzP@!B_7q0PL@-8|dh
zWFcHMhNVpN%Zt|n)I=)s4sYAircSC;n-z=cP;9@}i#KdJPpYr#lzf^vds#XpmL(O(
zXzTUeC!&&708Sfy<{{LH+T_LU=6{}l*BH$Ie=i$UeMuM54K%<n0s2HOV|jaUCk009
zn-U*z{en-FJn{>*A_$N1#*vQ~>_SH1qr;}@o2;_)@;z4fzL*1pLQ|g{trTSLV?uO`
zSLfm=XdaGh3SOt9KJ0(we&r45=M%+=Bz_S1S|}RdHv&9gBc{*-_lwg?JOS7BkkED*
z)S!QmGD()CKju=!?g@BLWlF7%1f@JfSBBSi9q=ENSn&z^rA=)m?SY&g^{|Z3*vZ`y
zeQOL8q-c}Y(pk0;)$10d;8@cer}CD79()k6P)VIbe!!Y8qTBHqGe<>n`b0P;JWp)O
zZ5z&CPLl#~9pR;}p~B-<<bLwJs&ArGy%4f|FrF(8urpHo70o$c6M!RZs`A81$Xb9(
z{!95bOE|%d_cAq&+^b&sUg*K~4T8==iel=yPw`N8cK(=U$Syg2+2k6Ceg%;MNLF1x
z$1W$MI)Y4=yaWs_&d@{C?fD2*BEK9>?`8O*&igb{I6wA?B~(Kz>ms2hrt+Cr8<+Q`
z>@2dRPPp-MlswL;g0MfMdnmtt3lhgu#|v>G8o)wwMLZ|al!2K+$>OkViH@(azvsc;
zsJ%L)o<M?T3cGzRT_FkMmR1HJ#XIlg6BC3@wC!)(CFZsz*uR9t5Or)=7?aMY@U1|i
zYZ~qwvWAlxrkD~eV7D;R%)rv4FuK}X?*IAk8vCRD53B!wCqRl{Ll5PJ3*S}hu6Y8>
zcEyuIx!EZMBQp_rI82RuR+xEqe(CuzYn_Mn(mZ3}dw!BH58oxnq8dt{z0;SqfxSTC
zzr@zc@0<&nt|+$;G1mXA?CG6$aU9g=0_E+k{ZN+gyT$o*HK0?#xbwi0R%{@}@d)XP
ziQnbMzA>GdaS|=lyPG&U$P^`|-!of?3NVv&Hm(M2%D|bTe-ms!_ANK(vb^fR0+`Y2
zKZ|1G>b1Jo!DOg7xxUjQl!tZx6^H(($w%&CR3q7p@Q507Mx7UZ=CT*yu|W>fm|n?Q
z{$mw%Qiyiw2i(Y#w5#S_MCgkpP{y-KzIvZiw_&6T@c=qF6=Exrm@cLe6T2>gX@!;A
z+(e?*P+dpMmgvXNJqE{xg)1p>_?=iLv{{^YLg$vf0{_F#S#U+!Zef^iq+y0sKtdRD
zknWZ)6_F05Yv``Q0SS?oZbTHMTT(g&MjE8M8$9Rx{0E)|y4IQN54_J>`<=Ppd*A!n
zQnhO(CnL!+SuD(p=~uEqD_71G9J_-?%2x>)^>I}@F@oO}EP)`$2#bQ^^-*hF%D5i9
zhZmw{mNn{%fS{z}DVfR20yV9OXB4a_{dCGx8U!C-eUfWp2s;PrscFppDE4`2`LWj1
zL4xxwa9!IUZTZ+y9)@4u3nz6FZaQ@owY((uGy?$*;l=nFi4;cuKfOdEwMVx?T%=Vo
z`31e&qjY>>J=qKWG&%KVuHVqn_q6d3`Fsxm6tu(pe7Gn<gTnETq?<6PYfUK+7ZLd%
zBLBO&|9}2}?tkzi^1r{A+o=C<<$s9p|J&hL{)f%fU-hR?g5VEuv;9B*f1mMN{XfM1
zzgxk`h1<659CkE*oRNKv|9vT=hE!&w3AC7I$!Jf&#sF0+L6(eaCq*VHpa0ZSmV3@0
zd1^e6u2E<?p1Z&lrf;f}H^edoxfWl{LBg4Lcytavhi9|8a-Uu4haH7#@|>zmFYbEA
zf{=YMFUZ_5`++Z{TA~$5^)XnGy&JyJTh{CS96=u?0p6t>QFt{h`)SCXCnp1wxOw<n
z>M7K(ns}9EP0En2oP?!Nzpe5NhO05TQ}<58hd|nCF?K?I18FD$byN{FAW>vrcsGg`
z*|y<ulX{K*(2hh{5lLeO$fC6dQZ6?}%_#Iy>$5#;7=3buA)%lX9#nd<l4Awws@Lcv
z`nGm7cQLh)f-M==>l4|Sqhzh;KL1(hYi_~LEF}RB`UCzJ1x>#D({JFc?%kn`abO}5
z_7jss=p@^eu7|j*Zb@lr$wd*SkM#R&ptWQ{Cl-B!rWj*sKpiY{8du^wX)w>gg>@5v
z%E+42a$~L0F;+t**!i9$eZ5`<of0^@H~uj2>8SGy&rJPOU}aqsH44Y**tTsu=~x}x
z9ox?C*ha^;Z5tiiw(aac@ALiVobSF?t$i_8?V7V{jIjjcl}y<9WBKKNRh6@hKbUPE
z6l@)eguAfPTz{w;S=Mc+I!(;@(V|6ooSuwJqPA?bDkcUrP~W&`-;@V8CI}GnB{c!E
zue1uQtfwSpnf5OOO2Fya!F;b)*F;(0y#JzC{Hp0QcE7csy+AQaNxp1`?hQN3P94|>
z>^A8+1fskGtB5-WGRXtu`#)6e;T@h~TaO7t%FQp$i{a`|lBCVDt?fx@LO@g9C@AsE
zUf;*Kzzui0u>jcrKDtV)4Zh{k8|2$vdSLg<VP3|TB6c+NK05`o$Rt{w=S~-PC!QNp
z5B*<45{`Au8oRld-D^b!f|)RKp%CQgUZ<HYp{PQYd9Yf^ZfwM)GUrR1o1doL>am|s
z&EU|sL&Egqy|Yb*KTq1AN7GdCsIY23X?aA+vqIM3PYRXUS)-0VV&q9X!7WUmO;-to
zNaEJX$2#vDFV}Qs?L@MJJ7-JLdJX2xLu2x+EpsP^4~(YUhj&+4uvd|xue2rv&}ySa
zFx>)RjG*bwUee|p`Qr!TT}NZ+SZeA|b=Rl|eC;Ur<lT<<nQi%yaC(zB`wYe2i2dXa
zI2=DdD=UyEVFJ=Lb@_FeheT>}6Q<BSp8K7xdFw2&3=rzT4yp!_TBC8Sk4=eKGz)aS
ze6?S#MqJSLRuHbWnpU*H!x1h7;7(0a5CcYKBnI(q$mYdR*9U0B>zodEK5?Jm(9hcz
zO=(dSQ8Bc8RtFblJq<XD!4f_lPNQcly(A%Ix(J25wBPIojb38ZrPGHHZD;q}z0xYA
zm>T+fm!{`6w|{TAXqW4yxC%OG6HA(*cXFJ1h<WLsc+yka-2P$JnXCJotZB2o+&yq@
zzUCFqNYM`@`v6WJ3ISh)1cQLzhv4WpU<^=l1K363_X;p8!I}m>NF#rM+PQr_KOX~;
z--YZ#q1^6G*t?+o@4hE}rPxU_qHy8pY*lPcBMccbei)tzQ-l-->m|214(t_RbJ&!X
zBG=@BY}IGtt=a88N)+Zq4monML-Ih)nCH2?MY9IRHlhbzi_EwiVSx4(J*_9xzunBv
zu~+X<UO~?#^yn}3DXQBU-_w@re{o}qrQ(y7KZ`f|b6;&#Lw?Ax=63{6>?Ee#jt3sA
zq?4`L!MDwOcm)lCsGPLSdR)`|Ch@nJ2Vt13+}kNNtmDjoe?j4-7TOWw+GjzN*Lb`U
z@M`Bn(gkT&Wz}^|aU%yo3b|BQW1-a#ne3#dVi*yA<ecm(ko7~m_X1p^)j7mOm_ATz
z7i(sWzj6|6zVXcbE)5v6kxwlvHu70lUEER}n91Iu+-XOEw!!=?>wZF{*4qN@bS>^a
zvtD(}p#;tjY4we|aZM_ohp*oAdn61e<6fCJare7ck<QL}PELkjqZp73DZW!qksoV5
z^cql!ADD<2=Ujz}X&t^xsTo*?6e9m<(7xRK`$c`4@62Np&h{&&!_N;gu!41R%FKy6
zxEx!~ci*g5$1%>y_U;+1d758^08qMcsL?yp9Zdf`u9O$!BLVrcm$#Mu7bl2uVflAW
z%LhlizGDMqit-P|Ry|Y0p(Me9I~OV}yeR>REs^6%mH^|1siWCndQ7%v1}S!nf{j>Q
z=Rg493yB5j%oj8~p^~x=&koQl{DGXx9iCH>Gia~sxz&yn&N_OEOHY}=(-e5R>-b<|
zo!%gtflrEO>cv@MBygf2a{b|Tr3`y6(oWmNEU-28$yL*<l;ii)_3?}!SB@(Bvj6<2
zvcZ*MHX;s!nSRYzDYl)Yo_6wmcF9-FP!Qu(fvPhX?7A(l{%@*|3vx%t?85rT3qJSr
zqTk!M$-I1tph%S(@me2|U|{A}RN1q}iCNqC<DJ*Q(p+t<)l9x^RoJrTj)p8zzNch`
zE)0&Ie8i0x8LWw1<cYo%Mc3?%#24R*+I*3d{C|`sNZ$+b0)eKzR)LYP1LB&P(E;ye
zNa*I#u0v{)=>hnIZs{?zopR=4d$hifyNpF?e~l*R4)J^r(mr@1a<*evJEdp5B1WUM
zpEVk2+vWHNU3c>SM5?*-8b-P+)BU!cobE1^Uux|Ld365K9r1{Z=Ivqe&YqNAXKs`+
zQ(kEiKOC^!F>GvRN&)seQ@I)VWLSHBWx+?=pchsCZ{4pHtFX&Z{tP~nfQ&SF`iE$g
z1{R5;Cc0Tm8*1Q`v>PvDO@7t7w6oOT>(3$s7gQhwt4_kdW|aw}IAw-c*lnGiyrNmf
zC3F|?-(-FNWGvOG0e6Fz&lM+Y_KO!oy`lDGfff&mOYg8cESQ61vdq}ITO=JZHPi@<
z8$`c});qSped4b9o^;+~U%q-UG{=>TS^f%MY=>sWA(sz9A!H9K49{jLG(d*ypFEsD
z)=M3t<F*!9KUWQ^rQy!qPX~jsoojxsya`=aZxyI}{Cs4UFO$3_b}XeC&#oGhV8HZd
z#~Aq<sfRSvpXcm@Yli47$+-U4jt#l+30e$0U(QGIq9a{850)l*%l<x3X-D;ulqA+@
zYR|W*p#CQ&T@;qBWZ4uG_o71R3<iSDXRCR-d@&V4`k{(Powfaj<$WpGa2|QjYzl|m
zY?JP5PnpWtgLhTSr#E-_q=^kIETD_{*~)q$SzGV~GwSHB&)Ad|qiUgriZK?nnCn1*
zi;Yae8eN@`YbN__3Z{k6C5=eI+vbtGf>O3M_OKy^K0I5g-cda|N8gxiwy#gvcGl5#
z--r!YFODmhX6W9#n=+Oev1Jw&VT88Ogvp+j`X*~ul}Y9#gjBr8dY?Q(*rO?*d+Tr2
zfGvw~5%eePITV{xVQ@g$=Q6iLyk+NVfMl*rGQqy}S1kiiM87D(z(Wzvrxm%;Ri%EP
zk;JR-YBKz5sIls9p+}XTh-*5b|0J4ga|fo+cxasO+FgtD=31+{v2FkKU5|cw%W*LT
zwoia(yNOPyav%aY2)Wy^!nxX;Jf^RKE>%F+Y~1*iFh2B#gtYsXZ5}29N~30lq8g;8
zWraMNaKuR9q&s1vac~pa8zAg!d-AXccmaSWd-~SG+>rQ0`RwUQHTV?z=2T_@-pFCT
zKwv&4Pk@uJLfL?)9$4as?|~2J8IbR7I=c0{tbEJ?$w|ltzjA<*$ZxSTz>En%+c)!J
z=lhZE3EKr=%L7q7a1*iTp{HB8`%N(iqL1iXofH5>dKKDx2dXpwtSM+<r<Jqiep2>v
zK<Y3Sy<vn^#AB)~=rL>W0rVE7)h<O83YnA9d`kVjx^P`W2`0$|AhV|82q?<dDRUuz
zJl;bAQ837kO&jwiMfeKtR|6{3b(8R$0!4F2;*`Qqow8)qv1dZgUJj|ErR^DJu?{Ac
z8l(v_FcjK`bw&2|0@Y(%{`x$3N9E-N<pv%0{}SJhI&tv7s7}4zUTGVH{iRNlmo!`n
zNxN~}eFNSF5sA^lLK~SwYg&)%y;HXvGI(nuw@Z9@0Z?~$Xc9iHoVX-tpD8{j0%vNl
zi2*YzS*Y3+WufFg4vt^OUDk%n<CM@a$-PE<nH?xf*z-<-mUnLsqJp8xF@$j@Fp04*
zp;`Ye(sG-d+VM(C#815PWJqy|gX%F0W^10wv&#;gUJ`AA#(@&;<7cu2=QyCKu=Nm!
z8u5gQgHYL~x|6tylD|{V7_@)(&xCRG9T!oEg!gXF)(l08OyDGv_{BdB;F+-2HHM&w
z8;Gv;v1E<VU<#m8di;m}28u>MpF0yD3+hieTSGR+v^Y90VU>j!wOHB955}oks!nj1
z`twLysZq9bd4okbT3mE$ky9{uj0_QE_fok|(v&^*<9^VBgl7p>Dst?owno4lu9YOa
zZp;cj!Pu$nwKO4@x79|^Rx(?JzlF7mGEsSYue^S3@|yyI^xlK~4E$DE>7`|67q@fj
zo<NE9l76L*1>IMT^poQ{vN3r5g=4)0L&>vq)VN|bvPaYqDH`e$JVg7r0Qa+py}Gue
z{45Flg(X4}6r?@Moctf+FAHT?cMA8x70Z2A$hnJEZ;w>!@K8Ma*<g{kC-E>^ux@S(
zmEn}MLbv5>8cK_<X(xv$2ljFC6c^|cebOpW(F13)#ba4+_KF9H!$T`ir!sVnji-8+
zVo^yB3lnUW`hKZyigeX--eF77gIjRDLtg8K8jcb{StZLty&%PJDVS;IOf-ht)wTZO
z#(H_@;VE}ss`&~ATyc?&0Wc~vJ$&oGvOlLVU8NnghWZ5%8HBn`TAk{JiwZZUtXD2f
zCj$+^E2IQXV@FKnCC;i@?>&vnK=ay{R|((A;OWT~>+c17xKA<?nhBCek)k>Z#)oQk
zx~?xTFYrgjBOXaK;mWaCdI${_uXT75uq6`ia|w?-=-Q@&%OVn)g<LztT?!!2u|8G$
zKHy-`mPe)EV~_Hx;y;Bi;<sX0<g>goo)8xAuuwyz6DGdI3pqzHFnFsf?=><|cl&8e
z&dz?BMu0*}bV&8#wCr`TvxZNqWyauTv{Ub|O=%_Yz2ESpc1b=6PaJfSV0cSPzECB9
zabIt~ypN-%#&SETNoFU7nl_rkOFZPoSw~&t`i2PBp9F>}5`PHw1Gja*Cf*HzBXnUm
z-#2qDN`U`$yRU~pmi9Qe|9^}7^bF*C7wQXp2ewGL-|T7?Cw@!?n9SWipnD)M@tRKQ
z_Z1i)SP(i;&MqNP_Z|j{PPrpF!qr%;Zjp`^p!19nybS+PN&vf?fI*cSHVLg3kNNZ>
zmWHU$S4|GT?Z)eB)^{UYE>A9*mfk_?OD7n>=V{7i;W-K4O;oR^SlfGZ2j3VT(;yOj
zDdy!@f1LiK;4au;#%ci&(Ki%K$Vi*ngNpKfBzl@^ryIA38~{T_Bq64eDh*-}bAgYR
zk`5)_l;UxL9c6B0XLX5cl#-TOh73tbswOGqyS{rvXob6p_3ZBLSYEpp?CE-5J<inM
z7N)D9ITH@d#UA8W@_tTe5zx;HHNZP~yz1{LaoSeZGdbMyyLC&?O4c7kI&6TDvPCoE
zd*}0G6gwtU8e7FO(;Oyu0|f7^d32gnMl{&U{WZ5vevyEfyheA|!V%ZgZ6E9?@k|Wt
zE#zVs_O)!W%W~>#-%Ct}j#*HgM<zpMJXIEuf?lG1|Cd;KHX9mniB`g-bSBY7PtI{@
z(#zo9?em;M&xVW7KKZ66*Gl8|a!CEC5Ul9S9%}4p*ZUzAk~H$JQF4gM{e#q3R1N!$
z7fj(7XGO>9U7w;*IXsoT4-7?WQT;5V9NHxXv4`35pDP)0M{bIyYO-+k7GjJeJwXOD
zznRHRS#=R@Z|yC^RoKQ00o%K*o*GjLDQt3Z<E*7ZzhxJQ4?k#oMODSLlMPN|O9qWs
zyMVy4M)m6`BEs~mouaAh${Jkc=&xC7^nby98)yw9equ+}zS&Wkc_;UOMSZv@%$6&G
z!1s}A)&Eh9?I0Fmm04CI(EI1Z{H2NC&Gno#qv;x1AnmHLi$XKBC+PdHB$o_QFKC$k
z{EJtOO9y>iBw|;+QP5xrV-)v2n!3MT5W>ReS&JQrZhqKAl;vQunZ1~uH`*+|wANIe
z@@#UO3CqpwT4Eii06q|D$#lZ(+u-$|PbD<0K}jYOkHttdIl%3WrGD~Mys1*VO2PCC
z=$~Ms(e8l^byrZi5i)X^S)LyMeV3py1#x$vIdkG=+Fenx4DR_!A(l!75=v*~5A|=A
zHD<_=bY)asSj0fV(3+^NXEYaV$o|}26t3RU(8Qi_F6PY;ce86!N|1oIe3&Z0dB9ff
za){R=&8!VMQ~}yXffY1r!refF=d?IR(CzC)@;B}BH;b$!x(AW1M3YxRb??U?$kq^V
zd+bRh^as2!$%nzJo$Fq!(v(Hiesq(i6q!zf2qpIp{g1WVnPAP9_Lf5sPEA|rekuSW
z<56Uo1t^6Vn45RB=s{IN1ciq1-~w)-MKOH5O%yGB`|IE1ES}<6!VNYb!h;U_(;z8b
zAHnOjA$jj_eL0-@gT@QhxDHOi#WQ=&$saDoVa&<%*CH74V8I<lGK+i>^QxZg`+PkL
zmaA3q>oH!65-M{%0S(FI^xr<)$@$>`CA@6b!Ty6B2nVrJ+f`9)*5>j1d{F@=Gz@xM
zeva^(7T_~rQ0VUCI(i40_@6z>LM?-g6fR!TEJcv>&)-~$HfM~5)_iyfP`+@d>@7vy
zMAXt=F(aT1pwQJL!rBEHIaBn`In%8+Q}Qm<=>qI@b@f*$bY*DRbSUPTkeXCYtybps
zZ=a*l8IMF?jS07<elghmXiKTvTk6z?HJe~g6O)4V=r@no+V$P&YCehI_3@u=2Gu`{
z)K30C6gmr(IXypqjq5(7ZQY+Yh~ri__y1AVwLck3TQq_HdDqoFh3?xvgA_sF!*)Hm
zoxP_^?ZrQIa<?{^ABbiB-rLbLJ4=J<9BW>h+XB^9xOE~pbM5Ykq|U3b3B%hJ$>(%(
zkD3a}Q$vPzp(<lHnkg7*w;Yvnk$fwG#0o7&@j}Sr{~;uWar22Tn2FwmG?9DKoO%i7
zV<MD`Bhti-Kgwk6jggY}^nP$2J~|VbF841=x6x3B^Ll_P$3I|jP{fIlBo)OPO1(AQ
z;66lCv!M&VP+vhPp$v+Mp9c&A8E+Z~sv;f1!OeKZQ|eo}H>KEQpsmfb0{4pzUr5P8
zOS$ob@4idv%Flh+ozXfcJO||QuSr{=iqYRcgmmg1oQSk<Rb^6@jUCorEW8OF217o!
zlY4(lWslHFl_}Z`Q`VV2OQ2wOu+sUPO{yvIOc(t2|G_b+e0bKg#qzoi7&18{6zM=j
z(RR$E{qZnaH4&=j_<F7J19IJc)?|Pp409MOm3sWFQuO{}(cVv87Gs>*nu%Fho6KBe
zMiRJBP>_2t=|ISY7_o-oP4;)fXBxf90~yAuH&()$7M{AW%Z;@yxRPbP6DO~h3oj!V
zK-5c$%4ef5w3~N_(uwk4R48|=b=st*W<w-be5oFLr|{z5i?(SB2*sBeEUcFXi;`8^
ze+f<&PwOw=o!%4VkyYN3`Ig8<Hl)lbdyHA4D2+H&p;~V~mmu+L%3H`rG{%_RYa&q1
z<pq%Ev@3@MD9ey)(o9A%uKWXkI#>1WWv5e+GFG5Td{Bvx3xo0n?d<ysdab|-^pb8H
zU}0~ZOSh3)&>Gno^W)Z0?CXr4TQuV(ds&b?HWCoEa)&7psmln0e~cS)MxNhi&u<DQ
zC_&rzASs%|3|$ypqY9-RfADm*o;2|$kk2x542~WDvc74C?aHxc@f4CzR7w93b-wu5
zv4pzWF^4$oYRhhsj|!?r$zTifYZrW*BFVk5f#BBByOYN#8mmWLhcW@3rYi7L(o4&B
z__@90Jkh=FWVODLd&Jf<dRXHF^VU{mm@bRI57+6G88*z(z~2;i;w^G;x9L-I7v1o}
zdkDj-wUs<vz%6Ygflywv;NOOVAWG@+^I;Ofc7fx88xnq_w@9MlpETZJK_Uc=8Mkia
z2(b}fXB%p+p{Yh#!7$Ko0=VQ8u*UvtfBJ)q>6>6qbVT{_tzs<X1pMZjuLF;<5pTO~
zW#cx$q&_9jfE?Yxr{fQ<|0j;(Q*sH&HDK^b#JN7v`TvDIRslZ%Q-ChvGhokz{L8of
z;B;^$&_1N+O~|D&-fKODxDB%Ue>JHS7#Ib_Gium!f0@sMgwDO0Z}=&gYxOg-wrLv=
zU7&^33Vc#ZDf^$F)sUo0;G9Gj)#=)R+f&GT=c;DqvA|FyH#8o9ox`4&X&&jt_4Vy%
zUR_?)PWWr|K)l>5Q7uAJoUwfnf3qy>?<6XvR#67~AE9a<c4ZS(dFtA_qdXjhoWRYY
zn#)}3!@%i4LAH*7T5n2*9zRGTDZU9qZc(PEAGw4pZa&umw>PZH<{_xCfz-dQP~FsM
z2V`~p#I$#K1Ql?-Y)_$d^nbodYa=Fh!s$y;&-v0f)<iJU*+lPb?`=3O^{LgUxY7;Y
z{uSx5P|P-0O7qUv>8FZmqHS);mb(i>V-u+~_>+Nv%mY<gz?#GRmg{jm0GGb_aw(lg
zypc0ve6#d}x$Q0CQ0}(=pVg3^WAA!?5Zs`be}@h2&mtOr=!<JsCSi=>l>q9Ztgb)V
zcJ0H0ktd%qfE%)c-V8-uvjpk@nOl+f1ieD0LK(|gh}pj;uv7uHP=gfl6?~Z11a+4r
zZpQ0oXBFKg*ws(Gf5p{rAEUx-;@2-WsKhl(2rj37v7eBv%og|Y$0O6m-c#C}Qti$W
zGtY-Qc#>usiQF*&wmrHTLR0Ep?wBsFp8wR`tasLnbG#%y&bdCCZCO`P>Ah8=Q^0d5
zh#3X2zY~Pk{9u(debz~k8oyti7)7dn{v!GUewt{61CMn_UwU9&oLSHUoh6dyisf*t
z&PLX8=a0v3MkA(4g&=K=2@)3FK?X9wyD=>Gj}~oh{d}l-m-tKc)rz&^ZlyWoCfm<~
zDb(Z_bLG_O6FbPABQhE#|NPnWc|GV%ABOro8v8q>Dnh&6ZCgbM<}T^lho3myvC#C^
zDE{y<*&MvSNZFwWo>O<dm;yvr9<tmmgP&!k&&N~{C2>GCI?hni@i};F8l<9@uH6qu
z<m(WO6(XY9aaK4Oo^L6dYR?i1*e4<4=1^#aqp*l^FOU#x2{GKx9HEn|)4v_$kkT&w
zg{KWJc6;TTYvEaQEa-wWk%(R7E<w;3J}f-(ZwA~261tT+Mq5E4o@FSS<F%pG&L*8d
zQI;?hxH#$e<j)1Qq0z=Ivvb4_*$qIwSsy#X8I2X6&i7-<7(tzvy3i1PESFc?olx$l
zxh?vY&i0WsnTW5$U5q3VH(Lh-gd4UnBK(#2Z=HjB3bh7P<O_L79oc#B7L!&pKdh!e
z19t0^#5!&0UP0xQF0g<l&`(@+aw<sw>Ls)k0wiaYR)%77hM$Qv6hE?~5O(+vlxBqU
zSO5uE(Y@@yU6oj<tFBnHn(cH93V?m7hs3P4&?2X3_NMU4wmYpdlq^SJZKRc{EpH1~
z+|!Jvv=ROk(Jz~>aI*~d<T5oB1973L+RF;z3@*+hbh$Z^|1>b(t^lvjKsuzmuWdkT
z#*I+@7clfy2WT=!BVxCXO5OsZ42*vR_?`<*=RD@Xl>vc_T)RNJ)9+4ad-6sDSO((r
z)?y2rpaW6{l=|%H{>%}&H|QLF?fG9apxQ$Y+A6RI=j#kWrl+!Fs}pd5*}C-sJbMRh
zjD7$mq{@A1av0eAvMEIs=Bo6HPB`8X9>I85_21}k2VMO#kwL#*oadKs8jd2IsS;!a
z{g7+AIZ=KvdByR@&ceeT7)CeS3$8e$dls^nyx~>s2T0x+b%@8uFL^I^#SO1%H-B}$
zq5q5Wqjl{<JW00zPSN6vxs~Z58~(MRx5ng|J=odG+O}g5QPepHYxObEtHo$zQn#z4
z@k$%*$*9mtm(W64EN;82Ug+FF_-pCs2Yu09bFA>|F~&+gTZBxM_Pw&_f?ROM@ulMC
zsH5KC!!1$l4Zr^IVzRmMvrtk?aLnIs?iYbIuzjoe6$|XOsgeRKXnJuczj-!U60a2A
z!jg~zOt21QQA}W)CQ@(%e^DGi#Z^_|10H0I&5|(7!FjB7Ik3sy_}I!hQMfD`^9p5E
zxhI!ouUDbWaE7L4w$LSX`PP%K2>WN@VRWHWU6Jfw*7e0xijQ-`F2+nsfr_z%`%A^b
zQL}%90|<fH#+U;($g>m*msl*$t-su8j<9qkD)!d9K;WS*?M|e?mTyfQ1WJMKy~Nsh
zjgS3Dua&2by()f;1b|#p>MY+g1vQSy#g>5vMS;agWMRJ%`nThClidZxh)8E15>bWh
zq5mAhkF~xj1hv`{*#4#Bs)Yu}vmf3m7l?;u6PbOKlf@{gjfW{FbMimt1a;Rl0u|$5
zg;;?--5;_0ieDpv|A0U}yMCa?`2Qfs_Av?cwz|pt4_!N6_uuQ`zWcPVK<9&ZBCdYZ
zq1-{=f2`x)FL+iE@o)GdT2FW9n<raiHU8le`lzzx&`^r8W-5s}@fkiDq+POQ1EV>T
z1wYHaoz8q|Pk|_vlA^?o3_SoE8<FVz%}&w#vTcU$NDIX#Qr)v4vD~aNZnpX`&*qQN
z1YP$N4XBI+?D<DY8PKSZ-srjriu&WwTNtx)S0l9_ZI{_H8d{L-#?6%w!bT_IxoG9n
zLpW3!P+XVf3~9kE`7RUcbv^ZWmDFRsL0{pcnj5h1AvGR%eu1BD5hdTsm>%6<$TPC8
zZw(y#+DjWZ+ykl*QY%nYzZh^`N<E}L2*n{6y7%)xzkDv-lb&Yl1o7fIOR`?hByp&M
zse|HI;o;$WY*gB?w!V&34Y*SKD2^G3I=ETNyah#ertSbBbnvZqXGqq@B05+(EpYP_
z!`+5i@Eef)UGEMMW^^T0X>LISn)j)&hP<gvH_pZ!CX=jm-Y?%P%W;KD6&mIBj^5c$
zLcb_A&hpViFLmVU<5?OlPF)M<R}~gc1Wsjhh&uPWv8@(!(%Xe)0wNFV&7$m|$!^PT
z_y_`ts8y{-c_)ahHA3=<Xa~|W{o(79D!x2-iZ0rm4EWO2-x1Lf)o-q|co3YJ4SRB%
zLy`A<b^`dQFO(*_q_P9MLb?;imLfSn4W6dn@uu9)_jyr7UGjhagd>TX#qmrE%SPr<
zBHV<S4Ww4e7tbg~$%mK~$D$w)JL$q3H2gV6?8R5J|9Pu-{;f7*R_VT(12BBj_O5>K
zm~g%93YPob?~alaXB9YydR!^O_ikAtFzx<zEYu2w%LFtMOHU6MHWrYttZ`GE`#Y=f
z?kCeP$($VK@Q0^l=jZ%rU#s@ORoIk!PM-OB0NWfp4r4*g4MhyEdEGg9hD!nmi`*4Q
z=H6Of=oD2ckYJdX_49m*zC&7NRb{KL@3(c%@U{YX$U>}{PhxIpHd8nMNF+WU;Zu64
zUwWav=FX&JkS&Y8R)?8v7rOQDCZjB0d6s4zbozfaF#YOwC$X~+@V6!92wB_fRotk1
zl)AoL9Fwd;C)C}|S34g3*eMk%;3^*%OtmwFVTR*_4bKa@#jEHku)b0%p_7~ojN99@
zW?ocI+H^z34JjV%$bv7d_E^E9qWkG{Z>M?s9oOMhw|=j=h1lUZ>wMt9wVTPx$FF>%
z{<@qFb>-Rc|9<DY7-Mbg_(G*+VYmVHr)`O)>!&))LuvMF-j%;b4J;Pt|I)qf3`Z=*
z)DL8&y|?6QeOz{CZ8zyiTT?DV_{C_@6X5ri5`L+=&R31iufv#9vGjR%20<i8Xj(C$
zxTUS&lUeB9I1~L1HG&qL{w?t_=}qfhCZ0IUIp13auRyV8V$QCv;q}`p{P3UzMy;~*
zpTW%!%PnKODJVBkaRC`fXjyFFbWfT432@n>bd`p4-!^8{pMSABa-ho!d{s!mbn;s}
z&c0|Dq6C=3gV%%Q_os0aFr;fvYhtr_xpIh5r~m%X(Ddt*h;RNC`UqG6NwS(QgwL9?
zaMQG)o5GxG#A(GlJ#~aLC$+vke)biZyXgHX5+^`7YJlJ=y*0tV*eO)=jO$0TNaie7
zwQvyEYa4VLS;WU0z8>8v?{v^`aXM@igdal`w_W#|^!&W)gLcaIAcQa<waKyH9Et-u
z8x0?UNjGt9E3i(F{?bg&T6^R58J}v#NeDY~@OFTIui-je^!71mgDauF*mhQiqiFwO
zzs?L!*dlw0EGF{Fi$37<A+qzi-8sb0=13%f*L6o-)h~qNeZhcH@5?I9a^cqEY1B*d
z{$}@Q(Cy**Ky|46?6Cy4=O`%)aFS>p`HFSd)T{{|(TPX%7E@YMF0-fYb)HHYa}GKy
z^{sqac?$DZzYRyzI6vws__yA{*<^xp-r!adQepX0q>^cD$|QVGozOtA4b~AhMy;}~
zSzU+5deBjeiLGf<I!)T`b6{fGJmG310aK#5f0k@LJ8azJ(Yg6wq|Q4VYI}eM?8Bq;
zYeku8BR;EYFjoft)-XI<Mgn~SCa)jHm$O3Eda#L3!rod<&<xD8&oLSQF^T(U?iTK^
zXSBN2HZm=uN3A`4Hk252?#jh4H<hfpzufX`WsXfo!!f`7M|Tyk3(2U*jFf#K^?C@D
zw=SI%aCRnc7mlOZ)EgO+*SWb<=zFu#v8dq2DlUFb|HJcFyM=@=#`|A=IE5AbM#LSU
z5t+9L?gyQzz#q&`dzN`hIB8kc<-<G}FJmNqn5yzkLe?(SNEmTOrZU^z_RUzF7I;KN
zZ|XU`lEuxu+A(pn_VVPrwPgXbgdn`DM-S8Du!9j<2hkH(|12jJ1TnN6pPVVmR?Aq#
zqSOIDB}EDfKV+F?|6ZE9PsP#)s$=9Z%X69R*m7=09Z~fJ6)43uC)9T(7=SLIXH+wJ
z0>a(%udGTGT{Vf=%(a#nHDt7^UU<%~Rn@15tz!LfuWyVVqK}uE-xY;6K`fVtmh>!V
zE6mK{Z?5QbDVUBelV(zATF93JyPN0e-!sr~dPOz;XysuqGBv~t`!V~`hL!fuc5SLr
z<@^a<q+-8ZG>NXM(9dP~TBwCU5&d0Weom!dwko_XKG`lsSrxl%|Hx_e>g@u0ZPJhD
z488nOmc|c}6ORsdV47H)s12PY5PmR@8KNjWv7<~T=68N|@ZjX4>1B}P?zX!8K!H0z
zCI}*6;3fmFcM{mIp<xKKH2h~MOv74IU}0bL#T_>(>X}EhCtxBeqeorCLBgCS4l%N}
zkv<Am^+GD>`EL(FYqCXiPO?ZBr>rBrJhy%>R%O0yVr-w*G>DySQf|o8uB&gO?ks7D
zj}?RH%dA8uwH;aKtlV5WyE``wxBLD>?U?>#GC4TqH$C|4b=!FCq0F<L^{Ef{_u%vW
z75dxL6dI39$lA94WEFPl6ITtEfXGbY4JX3fO1GcM{XA=nt@Sne*<TXO_?i5G$frfq
zwbk)N?sxC{QI7;a>nWbgv*CGy^m~JP;CAd><q>RNc{a_F#3x{lo1F`s>%!h-eq>1)
z9jaGjVbs-{lEbuZAK-WCT$`+cd~ygEH`i39rLSgoaa@DHg?mlvBByZ{3P6sGibK5e
zU4QM6cZai4IJtHoQ5av<R3jMqQurH}o3-%h)LQ?pc<b5EXC~?9$dMMLI9E$_C3*6v
zKp+wk`lOj1YwTK6h0~qfBT>lozU?%8-EEbGUJaRp%Sm@`L&|{WFOlgTX(M|aHKz!3
zFZ+EvsHSt%m+fuD?NaPBwfK~3Y(L|G5$(3qI?{D^)sYf1K<01alb+dlm6BcAWYr!2
zS_L-E?2@YES$<+jE7Y3rCYTo7{(<9-_;Syw?NB&^_sgGR6Y>#;K_nftZDf5q`^MQ%
z*~I{-ke~klNY1ZoOPzRZ%(_4;R=1kag%sAQvXruXbi^aHc{#;#YHNdzvUF~rR8a#+
z<4F;grG)pon}o!NJ+#N08S0TzeMSs$f|GDZuZer8hNMh2i6jRN+0+|S@o8}JfTU}i
zuM`pedxexI;fWG^!Y^d%x9K-bJdgE$e)LXp_u8Kty|*tfE~)|;t=$r2!vN}@<YIj$
zi)@?|An0e$eFZT49{>{k9>BzWas$+Q0|fMbAw4*(0lybeK0_>JL701AkAT2jAoK!o
zMzmQLM4kT*dZ<<9=SZ@McD%0-M~`c?Y$&USjZBIdHkK=7c9?d<bsHvSTvK}OZ1-<e
zbh~70eU1uv4kQvW-9QSFcvigvS_bhrBJcZay(<(!-HPhTM^wvht|b)`T506G6Jg{(
z&;d`b_Nhd%+=9*FK5r&$*N3E-+bRCB`A)o4bu&g(JT7e%_7o4jzk~G@ayPY?Q}=v}
zQeqY)&K8AT^{q6pO1J&YQ3nke&z%~4McgaW+x#^VJ-up)ikAP%F6AvOZvUKHwL36b
z?M8{ywtr_PPTIB8mojTJi3H0iJUtU&o>X*Abvv+s(|w`GTRH~|rOW$J8O0p!2uQWv
zGGl38rhbS%CO6v&>mx7LR5}2_c8G09>B^G=JO}W!3|LwpmD9JP)4EYUIP`;kcJsKx
zqhl%qF&pfq4r(6++G}MKk9vH3*GO%+x>uYw9*ttk=vCLYm4CffgXbjdXUTUx-&b!`
z=xW^+_^%;X_7*K0gallymf0C7$WBtM5qr(HR5vbrO*8RXt_F*Jn;|NR4C~a(on+x8
zUqa7fO&r<L;20J5hy1mn5=c7V;0`6?iDQ}C?g&aOX<?u2ySQ!*c{vJZ?l~I8mH+6Z
z)Rj)#3|Kd>8aZ?R(8vhtcBBWsJ2GAEgqKa2VVLfR#+?5(Qo>1%q(mNi>dPS~R7MR2
zzZF6T=InpQCO+p76Myxz<_-YOBY^(TLMOZIUp?i$bAkT{H(Njf?++%JL7+umH`@g+
z-(ML3giJp~@s~y;ZWW8W*J=*kRa9$rmYX{BCC%KZHT&;`4g5^wG;*FE*h+>Qa>>Fb
z^BWJXkU1%>7q&17zS56h|BPJWmk-K3&C5!ms2Y$|7PEsSk0(?xdWMF|DsN%nmbVE#
ziXXVUZG1*}cb7?_Gm!s<ct<PaO{>94vbmdP4_Y63d?A#Om88tBcc-#~g^*TRk(+qx
zQ;RpLxa2Aj9@Y`mtgYOV`fq%xDk7jJjAg4cQHy-eYzxLK&sm76K<TU1O1;K6%g^?x
z1XVDWS;nbn*D~Fb4S3l_T$6AFN@}j_#WRW1hM=p!PS&Ol?p(ICj9p4lU9pK2S+25a
z1)M)h${N_kJz3b5qtS^Z+w~He=0ZVZ6rOKKXoMdUI2^veKzD^5{z-t0Op*o`HnZ7Y
zkh}5Y3&;5-{N9Jp)`=**a*y4pz!n?#>-c&65}KY?f*T^Qfv#3=m(D=EGR~=!Z1s<R
zvBf*=!qxFiiOQ)>?S{q8+NC5fFR=_o;S?<8gfV#I$}mM?8d{zxdRz}zWvW0q#>L7b
zzKz1f>ws|`8IDi8F^e<6x68C7zwQs<*(^@yaFgL=zT|#J&{K~kg=!Ww!}wKko9yTN
z!?2cHp-U7MByl-Oh?PtxWcOkWo6O=kX7_GDQi9Oqlj`4_uyc>_;aAT;FGOL$>6$NR
zWgrIB84wHG<pn5rD+DtGXmr2@woE~-7_Xs%z=NC!<pPhNKB03i0HC1n0LK57B|r&K
zwB#D#|3M^>c?Q^&XhSV#0PO|&^9B9}@O#}J``|J%{Mv?uBKQ(g`9j+G=8~1X)s!m{
z1pN<(Ai3WT-Z=)q=ik6c>RRA2SRf)WM;!Q_O#VBWh?PD5|CQ|BK=G+3?EiUh+5-{%
ziI6t;A`r8R#YavD><{RFwz(g7J&9j6)HA@I-f!#+e*(dr%Yj8O=fGG4u0KGC|6aKL
zS@XZ|W9Rewf4>WO{Qv}913{mGvjb&c`?T#neT@_#*gHPwfB@iEG|=HY;<=~yRT9n!
zqluyFZy(q8$%>|`mUO4yJz42E{)QdaLmGqtbL+CmZ$&mkiB*Zk+FE+m0ku{W*UFW7
zG^@<6zj)&3x(8TZd;?icuD>+J){Rxk3WMEKS;gj99a;9HN6!pV6>RdZHT@c`8Ne;C
zr6h*~zcR|17P(V=3p;T5htr9qI*a*#apf{wPdqNa>gZ&`)PXae@M~(8U8-uGMMW0x
z&+CW``Pk!o5=vG7ldBI^9NCE$&rG#r8NazgF~MfM-&$EYJm*_9dE_x*i{ck7cMb??
zx%<@eD*vDk6Y@(`wi_*-Z1z>V(5l}cIf!>DZ7N`v>eY%wD|fUY@6OWuoH?d^(f<cd
zpN8ifb&l56I?NrYK%OEdsyVG5`}<@N{K*uZv^5;;ujPciM$+yLcmegd9Ev+`2pdKI
zye{#5lq_uW`KepcE=5kCG3;vB`I=g!LeD-;r;qax1Jw(yDdn*nQIh_l;((crIhD!I
z*(<fO9Y>{tGae{sMCl_bGFCU~uXA_)%jlWQA8wz`@`=(zR@ZaF_~jmvQ7fpt0nCL9
z8E$m<Hnnr0kh@_9bW3V9Ix7w@d|Y;2<M~%61$AUYqQ!-%F}H?=PX<=M1%iewBQKN0
zgDWg+|8&gJ*b&V8_$F{>wwj45S;lIJBnR$?g~3CTeaW361=#D4Cq(hx4~}Fo{+|lF
z{b4=>90Z6O3x5C{MM8o8Z`+VZ>|ctXD7pXrG5;T6Z@(kuC4SbpgM9v<LOcrqH3UL?
zePb39H(4^Z83F|SKR4djNr1o@uvhpC;QyU#Itd8=2zYQP2iiQ~TmD~Bn?U~8uSk%$
z|Dyaq{zEpvYsHz_78V4Gd-<N}1?dS0_AWF7cCH(ue|?Yy_S}*;*?Lo$pK#R_xCrA5
z9(o%6F)}eyP=yiTV@VN{!G};!;KbIK!!gt#h&Sr1=o~dU-B@P{|9SHP=l4lkp(@;g
zZD3vWx;?q|B)6sEqZK4hA3Bh!jTWfRlo85;;6P_v=s|wT-{gT>C;k>^XmgB1|K{r~
z$|lP<eQsx#-5OYFi#>)=<a@vJVeX_+aD`5(^t=}uV|$!@p`>6KsoJ75xn1LWESNoF
zzLpaCI{^)8#Wt7U&3JX|(q5ka<ALda+breHaQnmz@KI7Fa}1l@e{Pszq+|<}=SX0r
zWZVN`WTXOJ{t?qe&lN>Qu_F=$G~O{j;@vPp0l9ma9KJ7UrgWFPu6>`DhEM6tc<?M$
zILmi8j`5#bxiIbDAhkePwzpZr5OJCd9e90sh%1R7z_kI7l)hxc+y`&&B&RKT(Oh~^
zn(Qy)@)x|zem|#O{SQc~YB*)g=5+VBcYR{wHBvZMRK2a^ojae)I!C9HRTyd3hb&84
zMrsu2PhdI6ox}dEzev+EcqN`@s=kq{v1oL&{T8V+fAckTvL!(=a#y$!0&tNZnEj0B
zwADKK?R)N(qJ<ojFk>*Oc5^{%77w4XI<<I3%vqh8()pEO1$uvQ0#8G|@wzmE$lkxt
zo{f(i(pTC%tVk<n&GZ-mif_$j3-T`2d(hZ-s(TWv7>IL}!h&e$TH-3$QNdbt#>R##
z(k_z59g!%9R6ofy5i{y_@3S=2r3?SWsdto4U<)(amiUfHRp!XjW!0Mihqkmv_@BAC
z(Ie69_UCrLFc2sN&wGdT0tBS?d=X_R^1s)AyOu-zSAO^2gaFq76sRZQ$3QL_@OTbj
z_(kOPQUNSFNUi_&Z0)6RsCxv&3r%xtd?KX+gE29~bl(cKuo7!kd2u%4JkNCM<k|;j
z379W-BDTU;F)i!*r5VI4eNno^P_%GkUie}!J0tCSOQmhJSDuQoi`d5$DcrmqsH556
zUL8c++k)GjiQlvAbGY}E%w$+pDt1gwvq(@JszPR2hazb4WM_^|&}xQaU}(aqB9im#
zc7(@VmbZ9%^;Qhl%<k1%!GA2Hpdh$<dNz3-TMBV5PcZSy@)JtSm6unLm_K9DOJ89I
zsV}BAxwB3fr>L{>(*x1fZ4x<l_So{}7l*mGQBc~!w9MCae-P0P<ILv&Bz+{OeA;^s
z>O~l)@(|=e>W7aWd^|YW{XwahH$ig2>W7LN>~DqvIwkd%#Dy3bs+*q_Tcr~`#}6ZQ
zGsFh%P4Il=i{HuZDbL#eD^wA956QETvl(-NefXCJ+f4?Ax4?|#d6G-xZ2k7p#Ij(i
zS0K$62iN<PkQ`jn%)T-%Xd()#Qc)TX&MHUPox`%5$+}35Hb)?eZ}ypT4MPyhU2*WL
zbf|*LXVL36;h0&*wvgwK^8Q0M#9tdO21wA9gn3tQl_K;ZrsWd#21oK(%4XMPW_{hP
zn1N@$&$052d6KsLK2W&V$H=(AH_Z}~VanfQY1Te@eZOkmCE;|S7_r1$al6Tq4LL3J
zZu}OE*mIuu^OKuQ@0db331yPQM;OvsFa7|bKY&B8LSNfois(1rQ=yYlVB3e#3^0`N
z>kY^vq`muXfVqPT@<22Lj64T^2>_MQQ-QBYfiWLBl0ZoRccF*x>5+7T@c|<r>K|E<
z8Gta5sTO$u`~|)90sJrQ{DbL#&B8Yf<H+N${!8~QxwpNYKIeG_4Epm0XcRU!_bV(v
zI~eX08(lI=n#tj*+!s;4y8n%pgn7IapK;}S4!sUj0_w;nQ__TM)LyZBp|$hO`#QMq
z;Hs8Nrp87{vZBrVPLU!L?xV*8QTW#7j42+Ti{!@(5^~I8V#8~=Q5`xrwUVSaxn7v1
zq-8EoXhNKyR{@w0FA_8l&7(n-K1qG7vCs{L1=45XS4U(Yjg>mAaCHd%iRRE_Eh4jf
zs%Dh3l@pK_p?FGOW(Nc><BuEuITT9JaFOvrSzu}gJJXZ>QFC8&@rdG6hrXHA+hAOo
z?PXKtnN)k=k^2wq2`hErLus!cJNW`;v6#VtfpBk_S+9St-A~}rw;%Tdx-F?`>n=eQ
z)X|nb!5YRYkHCZjzT^0p#45ED|4kVYxaFGzKRnY_sC7dT!vN>Th=TDX2zcOw9?20o
z{R!NN*+`4@g5CKh<8zDr;lVN=Ddb*tw;xD#z3a^CU21-XeiomMY%dk5N0)$J&E?S`
zW3)zky1irSzFP&U<Ju!5Sy4`w+GyFY@n{cREtRzN-;d38?TdE)wj}qJWt&`(c$n=8
zCL$`X;;!7^_hIS0I%+%}qzkVS=DV{E_Ur=X<{WN(3R2KYFfHQ|KRFUaD^bnXK>ccH
zR_p@*n#Tda{qOu*UYrobKv+I-EGfFjYujj40A4lWSmY~a*ool{7&pK_z@AnhaQl7x
z=bujikoo`M@Yi?C3i#|<!h|^gzsg)U@XZ%U2EXxb^7_9r*A4`q0-o&Fd^OxwW9fYp
zh5q&qT>(*m_fgJ^z(21*3;(l_c@rT|@)Ut*rCasR3Fr3C$xgeT#I)aS^EExW%)3Pr
zG?UUw(4cJM5T4_JzAzUu-Hz<p?-l<3y93>sQKj)zhb9M3Irqe^kK*cGn|BUVt$W4t
za4ANeiK4y(Hw22{C*n_9f7QBBNrGXfby)db!|5FhyJ&T^s!yNx*xxxc_srbzlsNg4
zwUT>R>BYVl|DxJr^N{>ZfvY!!=OlUl`gQ?YpG(P8I|kO=DR!!gOXlthTWdZ9V#F^)
zZrhIK8a(jh*M`d$hWD6VEkgqqg=&fT_~C-NWEz1f)$hG{*4-o)`BG5uIHPWlR%<27
z*PHBY_0M&{v2lH`oZi*h65=zzO}m|va@F_KQ?=lqN00Vzq<W%1b$wPPGzj5z8IY6l
z+T7)vi~}(aCjh8wcT*&#_aY?r5#1iwBku_?8!DJ=v5?mhcF>=xroSL)c$VpQH;BXn
zt;U{OhkRcT^)**YC2eKqS86g7Qmwe@D$7zEaI4ehKmLe9tJxK^Iqr8VeHB+`(}Iz$
zax@#jd3EBWuc@}!a9l+{42#bSKr1z-CM~J=Z60&zW|XF9d)3B@L<RDPV5aBx(69N8
z2NAgW8Rillhwaq*ZbovMD4k`J&uyQ^ZwkI&c-5J_BU*PG060yeL0TOCNXGu0%96Z|
zbR>D;x*)aQ=HlHB*l6llx$jxY`Cjke0_?mKH6jbyrDkIRo7vRnv;Rf0iGnvNDFqJR
zYc2X}P7g5uOqU{ElX_vGiG%Ec?0A+))nW`*ta)Szxj?>>>igG(ZeUVy?WtM5@_UuR
zL>sn8!9~-YKqpTzJdByFh*tnw=$OySPsgqONQo)dp!HY!!yC9wPN*B8ZeSh42a;%u
z$L~H#A}TbLJ1lvcTokTgvW}*%y^~%ZzRb@|mxnb&u^WD(2&KN^*h!2Z7Eh>=)P_d6
zztyyiHYd~N$)Z9M{qf4Q!z|G*s_G-I{dhGEcUtQ$I_t%CYpFcMZgEBOdg=Fs7TO%E
z8bE!!OgQr_1ot^PQCjEQ&|zJcm@hEt$d}4`uTmJLpp;s@b&v+9DhuV}R?1D}V5pB@
zV(ZG5M>qK|0q4hT8P)D%#5dQ^N7fHT`{`^J?Hz(8VT$tCq#_bxWadajfP16<V&ASu
zDuSftBAYK$+E)cvR6t<IGLNc~{thTgCiN&yp(Py7Xh*1uF9C*#+dTE5K8`O0`I{KE
z&Luc!e<mM_S-roi)6caP4lrEQ_PeZu7!Tu17dokeBcf)-%euUK`+?TUCFBcsIX{-t
zHQOjR{3&DFWx<rF*NeK;g?5?l&oa@7opS7s^%#H1K?+S{(nq+KN<)vb%T(I85hr?h
zjMjl~X^T8F(hQ2Ycg<wzU&b*7_L>F-Du3>U9KL$KmC?Pw3b>hp_e4+xuR_bOIYi$_
z@0;h3>$uqgpVfE}U9kVo(~ge@@!O9Epx+&s-b_63{-g)w7f=!j@MthZT6FMVbz<}Y
zZs(Y1R(wG}d{3GjBi1QWbm~J}ws*5>7^3<=ZBYAE<Wc+j&^yGQh4phRJV_pXh-#5;
zh+^1#Vdv@IJ8RlPsXMiEQrgoJI0NdL7Z9rVhT6ySu$#S7%VvJ@m#>#N_0W?In64q3
zf33PG{KmD2n>QBKXiVzXSZvL-5--^{v8=h$KGj2gJ*vZE=laz`p=bp|R3;VvlSKm>
zcQ+x9Gg@N}lS^LB%js~c_|lJR-b-nV808r8{wy%1ow(YCq7s5qu&h|JmFjbiPob0J
z)fZ2ZFU?}#pWx}^jRvz*Y+AvV3WAa4XPu!!S)T%H1CC-J79?y<z_CsZ=T@=q_q`ZL
zTD;MP;NbqIy0di<`N<iz%<fQSiQTNHyK|}d_D=A$LejKsEcG#uGLs7r)V9Nii;jYZ
z<Ak$lV@S=r0&U*cGp6;N57hUnJqb8Y-*2>S0i3F{oQZ<`G?&(A1<5qTrNSkjvPMyJ
zGy(5leZl(Fj)$%Sny=@a8E(M9AoF}8?vl+AYy{713A1FL{-k*_J>|8#^cn^>Kd5)M
z0QnM+)$l|@2@I!su37AQ=x2<eT9Mq3ARE@xdgc(^Y^+^Zf2buS+#CU|yq^2U=u(5(
zRr(0IcN6ut>A?+iw-5;V=@%8Nna~WV)F(&Pgt4qB*`{4D^>9qdHtUV;tteuz2FY`-
z`!{+vo8u2q;CG`Q`K>1_0Mvp{1%Ce54}HVqM9Ayq9GKzTEB*g=<^JDYc`Ok64LBpF
z=EXX4Y{5G_o2vJz5NB<rz{>sbQ~)_Ac3*Afd{pt<2znNFv8)<O!*|u@^<Z8x2T(hi
z6OXN%x$yeZ6fXA$HE8+31LrjNSzXv&c9f+09LZkO{LRK2Z=36ETLi!6naH;S{?THx
zDC~9X7w+((LkRigb|$!NqJG+I0i&k#;E*$Fq>>VLI1B$N<9I2<vY>w;J<b*rUzrWz
z1LS))O*4cGJ~cRcQa=xl5HY21@iC}@+mU1)FS92I$(%L&iNMB`TB-Ic*sYwkLlfn+
z3-P#Wif85gGeM}`vjcegP;-#^aHV<5q~nW5kDnYZXMYy?O1<jV+$=OT!%fmRn%z$@
zq^UAGVLPY5*Y5f>)<`fyR_6oM#@Da+WUxXO2j{_gKc(H^mRn8(*GI4JTK_Vm+{x?G
z?Z*Ht42)dyS8ws=nN(G@UYcen6TG2G3b5xaf%VD6K)5I8>l^IypVrrL#*~Q+j>)~s
z;4nz2tD{A(EWt89#ZzbaF*;gYVPz)SWd1Ew&DOb?H1h5JAOkd7h8<85xC-}$5a*p6
z5w`kqbHMDzBUowISMqi=XDO1b<pBj5QxO56-=blM`&Xy3>;xFOq`&%yTZ3NDFj8hE
zC7DvI5~4jltb0L+Sjsqi@>%cErNqDz+Ze$#4rMJuet;|Brqoy~!fz^3^xqn91A!($
ztnW4))8fFo`L|76SL$sB;t&$4jugCVSW0-iNFFPAxS!WG24N%)s*M$3Mt^p4kjW9n
z%p}40$FwsQ%tL$>6QY67%Llr6MFMyv6akZJ##cRwIvxYvaMUS4`&X$*G%Tr`@gG1|
zT(&0*j}=K>fF?5_dD;Xf9o1pp^XLksO=L)E?-iv-)fpDx-FAnd=wuHgf4+rbkt)a4
zTK3JK%(bixa;PINFbBWw-m3G(%ek(x3nYO=^1B2XxCx3SrtQmVq6O2L%%$$4o1%jn
zBLaJ2;GMe!&*<SxntJ^IQT2||fksQPXeOGN6Ki7IwkNjjiS0}{v2EM7olI=oHoup1
z&Ry%>`@eto+SR+OtIBO?H?)^y?mn6}uf8@>U8Tbi&dj4|lpUp?|H7!ILwpl4BW2?`
z%RVj%$Iff%`wOI^(dgm$(t@E-(y6!0fM|plf{GOyujAkz#1<|#HtSqeh}!RNy*z|m
zytUQeG-Z<|i}aJ4tAoEracPoJ!&i$I=w>Ch%W1M#YIe6`;!V~ECG~TE8|kP2es40!
znHRu)QvYU<#P1}MuZ)BM896Lv2K7$^<Kl-WFhCT`3y;kBJI&W+wf?I9Y1DpNvy-*s
zk)dV<sg^9SLaRqasC;UMNuz&k6<aR3oExli4My_BheXpzE%HzDts-Bkp|C`~h+LXp
z>-m5sqr;FC?pW#72>KiU*N%m@tjTIGClE!L9c7kq<0r~2ks`al-@G3SC}^MjEFs}6
z<p%uN&kY@-i=S|;EMY7i)y-2FZf*#Wz;ZWz&60gZr&;Dv#hGTg&)njBvRB;aF0FFY
zewO3O@7&(N?+?e>xkF`cL+h>oc)T7n{`=uWJMG>&;t%`=08joA?|Nmx_h;Yz>tW!o
z%0yDzl>}s|XW>g38uCey1H=kl$?A?0`^$PkTA86Pj3kV`pdYviQ&q=vM^p?anZ6Fo
z5E&xD`72(kJN-BuZG+k^!a>!pcfM@wP_KXIbFI9is|lpw<5*o#wb|i~D~Q}m#H#HU
z|C#tAKh*VHj(22p+_y668AJ!_23^>~{zA~oJj%`t{+H~_%YZXuROPM<S)u%nC9ikq
zR_Q0UGzI}5I)Q7$EW0{qp0Zk$D-^B1aED!MCuhf|^?R9Od-TM@hKq?qKrLCesWmFT
z`-nr7O{^qCR1nh0KIi8@ex?^F&p^pSKNeVAOS>}e4z>^kNxhtVn;g7g<lLqh7H{+v
z?Ljp($}-$1pD<LJ(9`WtZA5L>kqJg6JbwPj=lhcb`{`dhmIo1;7S8q|g7*qY>ue2=
z%;~Hhf(bITk%yA*!VmE?_<F6JntiGIdJF0-J8qhYX*t-QoDi06^f|<_5N2BWk4jUy
zwy8|!!Ny^m)Zi6Wko|!gPxh0TG=#^Fk4|`2{Pl70$Ha!kNP|QXa42NoN?9GTZ0;2J
zpjY<GMdKLD@igd$w7ZrofBG`0H03b6uYi)G8m}^$X`6&okaZ{PT`aw@+qpG8f~D1J
zJ-lMZ*|(@biC4K(tr<(YE4~;=T}@Iw6&0yE)28%HZIsPZmEE?Na9c!AjA`DaexNNK
zqZudyG4-1<Hpi~SlFp#_U))2r4KR20LQmB5p52XUybmb85-bCMa6gZI!=6_X&c3z;
z*dV9;^8cypzj~SS?|HxaU)=*i3lNR_Iqw^RLFTmdwS{5@nfJ~4)Z2KO`dT_*ez6#g
zBO`#x>DMrZDEVFrNRgw6{<qAo@iiORGSmKQPcJ~?n=deWtaIbl^*c4iNg7XEUS2@i
z&x)k@<5ho6dntzP)r0@zN7E&LuCz9^QGDjy0<wq@_FV+#Io2K-Bs|~XEaRPN=RrrW
zt=S-+-hvgn=p)u|nI2-7irt<+#U9qDwyXIKQ@Z^V!{q&BG}EHWrkHL${&*Eb6R%><
zC~1w4G^PJwe!O#W$^<n~U<5nq?0H_hzJNC9p{$;~;&dL5I1?4YAusPT*<C8o4*i2D
zMLIn9YEgc-bYodG_DTN5)D~qePr>4-!l1CnEs0ply}Ug-8XAIk+_I|{RFhRob4hFE
zP9ZFM6c)czLg)VA(*N|Ds|)i|OPh+!VfI-drGogfBms8#HCNrifC@{BxZZx-6Z)Ac
zZuf7`{)we(rKgrnCYGQiWoxEz$0t_QDnfg>-fZmeLr`fu9<st(P9qU>Q2RvL5!<Np
z!jxEo8?JDn9(hX3{wx>!+v#j)EecIw0m_?-r%X&?&S+Pqbt&l~ry@=cs6~GDKjF@V
z%??#<JbnY6_Rgtq(%`MM$(+z#{Fe2JbKF~-m8d#ki8hv~UA@d9Rnf(6-^)&Qe;t>5
zbRdvzA*Q)wJhFVR9Na=r%V>*XYE#%3k9w>Tl+LNiClg!ao1t?X-KeaJX;dCB>wBmL
zAUFB2ZA~3>b6x~SZZ##4zS5G%%2}?Y0Vv*_FJj);xf|#{;)nWn_hnWb6AMUx1@xT*
z0tjE8k0-%DH=M;m?chNk2uc7o*UvjwAcWu;_!#_2{57+GU_2`Ue_pajcKF};=}<Ox
z{`1a#jqrb7eVvc^ec$+zd%nc*U!}>nK+gxk{&n%^u#3-q>!k!p)gS5wz(08fAO^Vy
zVxZWc7iN;*#;?w_5NcE+tyI$I@;FhQh@m;%7wy;{)EeF_xS)p<QD@ncZLc{5px<jd
zhSwy=^U;_MaS(a)GPVg=>i!j9#xE9=2FZP&4tyk$P|3H+jl7Lr2+Wd`cUiGO)dCo5
zn10^C+A1`ezl%X|T3Ju$>nx<lP@QV1()cyx{<fVkKupZp6rWnX|1gZ0DW}|J81uQ}
zdlL_{mG0PR`W@pPX~KvZd2GH-)E@I?K6A>!NFUxGWb@Mhy)Z57bA13}wb^@iPqh-0
zAyG05ZlkOR`pbO-buUUf=RmcxB~7ixA-bgs6o<U8pn=|IymnP(6?3s4`?rLcH0g`J
zDYD^025#mNm@NEgtovp&l0XUj)iC<i{Yk`7lQjhhZ9z<Vs|%H%ODSi!5~Uri|Ho{u
z;MEG@QQVI8mNBkT_Q&rb+XE*Kr*8~OpHI50;jnx$NVGahv|^U=V|Ayj#7~e3G_mQi
zdF@g2{HHX^Hi2HkjbV*gHpV5ZAr(LJO)yjqmPZC};fyJRIt~J_!4pIxk5fj^Ik#}>
z4z9HA-4!bzD)=u)l@>Q}@jK!>+!&h>!(BS#sm>u<N$B$%hQv>J@%xGqHXTOaF{ddP
zglBRJp9+3TTW&h~-)-JR)s2)mBHlJ}a%MV>@($qy$nxMJVQvoIVaHB|(L$qt4AHwZ
z9{JLB19BkOfCOPn2nyM?$et>sjb^I!gXiQJuVJJ$#8y=SYeStRm(;OF732h!p~DlL
z=fvo(vTz~sj;Gtdv3$XMbBEOuBYFN8C0@g5+~~MY^r>jPU{sZpB)zB`I0b9^1Q9ix
z?tA-O%8a10INKZ9<pIZds>NpP^x*t~VuctkC>+P5A<0&}lcUbR?455AgBM0OuSEx<
zuBK-7hW&(jY2q$3dK*S8Qmd(_;=b-~?FH`}*(~%Cmz@laF15}9H$ejrl=Ld4@omO>
zH7aQl4YuOA1E`_X_=Ut08R3cMGWJ(?f4hihXlu6IkWIL-R!5#n1AGA0<_ZnO^}3-4
zNoG_7TNIpE)4aLG)rvC3SW0D@Lz_0proPgeBk<%0d|v;-15fAqrTz)p%k#Nxl_nef
zsKf1~bc(LZx|5g>Unw}zq|rz10g21?do}rHdo0uCjtidDJ7=H26pFr5x{6cvd`>ex
z6HAp$g>&I0AcaJh{;Y*WiBzw;d|JJd3gO$|HjzSOF~)>9L9JaBb<szR8Fzm-F{Xr$
z2<uLUAJ0tG%$~-Jsch8B^!ahasn{lP;Xop26d=2!5`PN*uKzB1r#}1I&Q7w+SK>Ag
z#lJg7$A$ae!s0AX2-XxqbX2ahAEKM!Ht3Y>JpG0>ENd@aTguZC(w?)Zt4&>p6i(#5
z$7jK~ocaBK`^&biul;3q(4UX3|3TV2{}&#{_7eczA(N<{8(*sgFts({jo{H2><NhJ
zi_6|gf6ru6M9?^Oyngp-*4nzTCEH;e>YKHKp?qaI(O4ZI3C%S8X4>DE8WD-Gy`xN@
zf2;q{Z?_cs9!JtkWVde<<ntR+61%fRPYG-$!`iy~?rjJ`#_C5E$yzub6cOA^WM}{I
zb(&aRl=^$%OQfi6e4v=v>XIZjg400#dRj|xi5xXj{8X@*i37YDG7OQl-q(v$s&uN)
z`|K8YR_UhHMmMtT%^4(Afvz+?xp_6O$W-w1xRkB1ia}PnU?OXX7_ku%#b|)Tv-LgW
zY@gG}b)HrN`Yw1r6#)##%lyZ}_tBQsnZy2yJZSBk)N3}4iQ{#Gh@bK|jyT2;3>7sP
zT1J~=$UG6rqH71|*p(WL1XyE!&OEcT1geK{{?1k@6mE1IRC+0)9mtBUHFz~Ov2ys$
zryG5(Y|Ktu_O&3xUGtHEu-e!@#7YN%F~cJ#K}mSRJu#hwkIUudW%u)Loc6Xr9Ul&%
zj1P9Mg8{W|9h|`Q*Z1o4xPDl#V@U)rS-^Y0e6m^S3L@j=c}PHH823!SIK|-dvl)WK
z8%|?Kob{Dgc*_ay*J^Q2|3=tpLFJH^SO|JubykBw*>7=w_InzSW&X2!BvkZRe3ZUP
z9+j=~))Gein@RnAY1@2WYZ9KocC^%dsw^m*>QyYSdmTx|pELWxiy`Bk*xYuI{~N46
z^GAR)eue+6mOB3fKr=wkyDiC$IDncHg!O;s@mJq2-)wuz55zA70zH4zW=#qF2sE!@
zm>5VHExNHcKFMjbIe{O{m}A~~NO;-p`6g{HKzHxRJPGybN=EJOUzghYIq=3Cnf<ib
zX4ybPEP<itI2d0zqlnGxgIu}vV{@@$RL|7>SkP8|<NKNfKf~W;-6gxa8-z;Z9PMxR
zMHH2LBBKdgnd->LG*64Koce)1hKy{&%Im~sl@$F;p`w`%ZiJN%GbpO7H2iv_ueHyq
zW-Nq%=G|eY46`9+kyI^XBK0B_S}2uDq=vo`j8`A2?}E+gHSY_Sjw8{=kmgymAmbkA
z(=|wvVyhI+%8s3Z=0i+X^sODip*kT_xG&$zCnG)XKd1J38jyr4{5b1FRz?l(QhLbk
zICbD{{p80WfVM%={ymQpYZd)~PezA-Q#FNr8IZ%i7o3I0O$~qO9oChTb@4_fl{Em^
z_n(^4C1)$OST!iUf&2)6T*RyrW^jZz_SQ7wY%f_y6CY#Mph>xR?1{Y9jaC|RHQ6s5
zS5LU<XrM1W-dz_aN<7_C!bhm<zbxqZ(2kvTVBj5#au`And9_Rye}9Q1_s~R3JVngE
z6#EycCtGLm%~<1s%A2&3mWlce4*QmtNf(}rh!2R-=8=%B)Tm2uTt}QjzWupYl(s5e
zC@VU@7`OgoSBlLKw`<M2X;=KmzRa-GsUx)+S6$@c{d0dp`T*J#@bZM$KJhd~4(A1o
zfGm6}<zhFtd2iJf89N|XJ?Y!l6>Ff1!5(sYfRX3RR!bCUst^D8cILH~)>sF5V(R-%
zQ#S-II;PBB$HH}N@?7*L86~&v@>eL44s=D_AIIW8<N0vH;V??U^{cL5=0UR>;E7ww
zHV*db@r|aGr;2&>^9?`co0(lF{S(0h-lB!WW=S)Cku@707CXedZK<GdpR(R~Q!F{L
z%TWwJ*s0GY_!&2Ncf~~LYI=o^Z`pmH7dgXpdE<dAd?j~}94KGPiSr^Fcva-^p?X*D
zSA)6RZ6!UK!V_dAR5;*V06l_3kS{3zP=qtW`V2JvBOdGc`5l`tpwl({b*lA-UF5{I
zBDJJ+Cb|fs?O`~?pE`o>p9gL;0}Nat=g8!)85`&s<$kHkfco(y+BP<EXJ#DnPDkyr
zuq=HNJ;fl4dg)&jy&wE4l3a36quF?}m*H1@!xPa8da8cSA|1M$+P`sSjnLTnZ0!ak
z%JrL3wO?*SOSi{m-ob_6RWkHZj}|mZt2@kA0zrk`nimXrm(wOCw9(-h#sA6ZBA|LW
z?_CZ0qB#~RT}qxG`R(o?wjHGHu-B5Y`TYnv*w-H~)H$&&;l4*;2%$LNmivnIOc36r
z*l#eU{IUnQt7VE~)Z;y}%gZ2c1SuSmJcfN9^5+FrX2f0K8(XRyMt2yDl8YXM4*T{=
za1E#x13p^-66huH{@+>l2Ivs@5J&KR=STI@zHj?F6@aXIe80+eJ?)+Y08Rk*91w(=
zb8(y~B`9c#AQzy|kgd<4#h}tkuRqG7FAy2pfzpIG5V?t+sac<`?|wsf-1R^G1%v%S
z4VR{Mygl6dGxoCHJNPDxugYr9faru+&Tk*lObRCtsYuy&vrpUfK<Gg4jQ8iFX9U;+
zXX@1lp6fpYYo?pU&6*AT-pnsiriVtW*@_{x^grTr^Js$L!G_9<bUWPEl_GRJB^0Tp
z;qapg$kz`F=??_Olc%O!h)7;y2N2&uawW|=)VUZAcRa^Oi(8G~L!4Dl{5LFGZuOha
z*r6}3<kIyk?jC9vP(`HCt@jkihq7I$<UOx_YdiD*$vYMkZFTX^P;NseDG)AA{T3`%
zP?(;JYbhY5_@jVSloUMn5>l{0&;lI%M72%2AQ<Uz!7<B>mmuru!;UAUw{i2uJMG2k
zs`2ro`*Cxr>(P5g!#ce-0-MdK)0%cd@6>mbOV?BT$sIGC*(zMAyD%m%`?SD7_3=#c
zus3QyfMhka$+#o41c|v{@b}CzorlvmQ!8%7#9~CU-0|0oK@xPl;43*g&sk_iShsX)
zH-iI(xxbgctxIKt7zxnpW0S+`pdbZ9-lS~PNa^5;@D7V6Qdgag$#~F+6mHVEH04_x
zQb-^HlEyYgjTrp;8JA2$y+G<M#%QGgrC=VWMD%@5-c&4sz|y|$!WNqsQh&NMA9knx
z`m71{JiIDH+B?@<#%|hU%|w=vOEk1(wQ<X!0_UjXas1!j3b~*1!q#BK;~q+4W>X*@
zroV&75B!D$6@QIdogmmk;@cr#WZbK-27@Ry{YPhEdk-ia`Ns6Y{30OXOzc3INbm6x
zV#Ea9c87c}@WmG9;#IE>urPW_Y_+o)y}nqN5cOqVe)>hnjb-f>b@(}Z7GMcip%D6M
zO3d%u{v+|MZvhrj2gCik3WGO^m}&OQjo(rx5<|3AnSWYU7;}7!9Qk8W5-J0ZW%ATD
zpWVvm;et6!cZ!(cyfY>qTsqWwrQF1%|F2rZ=qIDB_Nz96O$&4aCo+-wVjujLlZf@L
zZl}IMnho8MwT^oh_hxY!4g(4bl@n@A#e3*6pXXU8t1Wj&lTH8m#ua!2TJAYz^lM1h
zYE;ML$7k1|QpnsqWaX2M=+($(0~40U@{)(NgO)E(UgsqhGHPv;t7RtX#~S+<t88KH
zJ~v(EkJ$(O#lD+_Tpw4E`7%mu%tNMy4q4}`om5DR_HAj)<S?aU)QUjt8kR8p!-{BS
zPxn}oC4GX8v9}S2k)tf-8Z#edQ1incil2@LGer|)v&WS4lwRT<)5i6n81+~CcqEwp
za$fx&?(0VC*_wz#>}1p9qn(q49lB?@Dw^nMX~N7VlIz;mTi_J-OC&94RLutJClK{l
zF4&E-OlU0!x;SmBuVEP3ZJc7H3~Q_jrJ<#-X>m0m9yw)~zj{%P#+u#RXt3FaSbGsv
z6m(@<%RM`#9}yg*@9|1z1GV)WFPWTEk+~D;>tJXeC3nX(GO9m;p^vSSPXfgl+3Euv
zR9Rm!fA9K5y;DdZjlIYpX=Ah2CyFalu+5ST1x$%Y7i3djA(0fWF13uPb2Pzp8N1dQ
zELpE3mG#ZAWV(h8p>@Uw{Yzn*T}n;;iGF2|UU2u!f9l=+at0Wr9u;Jos;uw=?;)8A
zqxDlVr5#|uYj?&YF`1SHJJ%&w{uV=*BJdx1oY4p_(~-&V0&OiaR!wyl<O6#|6vcGQ
zc#<<#r^Lk~{!!?sw+3s8@DJPC)aF>H{XtjEw`+pl4_|d+JkK+mRvpqd!C;Hqdf>KA
zIy93ZKHPb1{uh3s!>f(L5lj*ZSM4>zuv?!~H!)Gjn>ptOCui``wuUQ`0kt%#2yY$K
zA4+FEZUHAUojg%$Q)~0M?1oryihSdiWQ$M1Rd;$Br=d4DmNG(eFv1VI0YcLx2ib~b
zpA!A64L(5Lh9#aO^VbvxThP$>$#q|c$|<)-^QznkbCojdW-L_p#_e?($TB+wgaf3L
znOP7Oyho#~i}ubYb?AhAVho%l(yS$8>?H;UUbX>_aStv`1s1ep*uiXJQw>3zQiR*4
zZe)BQG&Fn5(=Q?xxmW0c82!JOa~l0fddm4DC$Ok(GW7RS<_uk#!pnTT?jM?r!dM<Z
zF}yXC4H;y_32xLqu_=`2N~c=kjUE$Rd0f|hB<z1xz3en_ZG^C0vmL(kSNQt;-16-<
z;uobOA$j&)0)QEQc?pT*kWUB!5FZvXL1U<Gp!E|l0ASzgF99?Fcn-hiXL=6#poe<(
zeEt4W`xVp(=p&5*Bim2Mz%}3sd=ESYeg^pJ0stk5ACW*$bar0}<n$FR(>t*A%Fn;#
z%g~Kf1_a=Ko&yXB$Yy#Cq!e_1jtkv2BLo-%??E5gz6XH5AIRxDx#F@9jRvZs4H|Fv
zgoNhVTE*7R7*2Thy%^lq<$?Gp{ai1>okfHz0~%gw&}QIQo*lu#B~^m_+qAb&7yjZf
zTy$nHf8t$Xb*Nc#xi^Ttk*}}XS&PVp#&^(j%rbeRS1kA(t<0l2IWBYnliXLErgw8D
z8$_m>i!Ox!y-mkmH7~oVSrAIM!k9Db%TBgfOh&;J`l-rNmKAh}+@XaBggM&1Hb}AS
zQe;Va6ldSw4n6mV^L04Y%*^9k2)N(IjyfFCnMRYc$=hZtx1a+m$?s^2!nSy<?|Aq2
zUI<MqwivcrHV&aeeQ;^q&v|5YlaRJx<#$%r`B#GcLB}$2TkB8QF77*ve&Y=o&8&S;
zANr^;AQ$6%1%E<A%4pJEJFS|-#xq(9qV}p!8T`$qjO|UN3b-IHl^V_4!}J#RMlODJ
zW#d~V6Mh=ZEf0Rk2Qii<D@#ppe@K&WdN1vmdHtRd{gCT7@s@h4p<>kv<1{bW6UxBy
zZyru*iI=-z!&P<=^1gOlTFHw<P!(qtA`5|Lp^X}XJf%hGfAiR!y_47|iLi=k&m`Gh
z9d*%0mRMH>ym<MiM?Z$z*NAUjt33%pyc*BjUzAJTx7;>7{py+Hz+9Jg4=GXDNBI6F
z_J;QuWI|I%BL}o3+m<43dy;$jn>}b&Q*LGD&7^*0=^jiwWzd9=0SYg`%YiSbzx+?6
zz*ms{|F#nBOE(Az+SkuM`=wjesiQ|!%YPSCV9;0joqza&;MwToJ525_VEdo0lYa9p
zx$6EI!oTO+v%Fgw-UL1fVb}F~1mp+3VLSq#l|Z&Ms1zWf{}(y}eJiA<=z{^|Q1_mF
zCqf%<gK#t3YX-4pUT#@VfEt4IgNZk;LrXr*e~luZYr>PJj_#;?F7Hi2E1yG~$MWEh
z90cllxP*p>`zO{veX!KY*Hvg-2LT(VntXZGzoCR++DhZuQZ?;NiX<G`O7YgnR)5`k
zm*jU{1UyJOpT61nNUU7;I-Bm8+In59JVIZRaqQxKp6?5L*%*$EA6MHOKL}am@6`#(
zv6ef84ZVJ-T;zZc27<$DL;bTX8D2GUXELqh^^(>aD_>$Fr|`f_#Iw-TKY=o_+CVyj
zZ_1LAQOw8pMO!i@JN1V~wAKt~hbNtBkt1ja!Z5+uVQxfZSX7~V%NQ=cIltLqCUFhY
zUl|jD$S;xV#YQhk5o&tZ<giefXmzYnrsaYCWDH<qD-q-D54f|jZ_aA^6Qw-v+Rg@5
zeYBds_T0%F%B>kp>Og11=;kfL?$GBBMPek*p>5kHZUGgEhs;=r=%{vhmKaaCe%qYs
zj>k&OI>iaKX6lsA@_CMVVjl;yuWPYcKg$rM)R{y`ZcW+j-G&l^wwGLg#n3HKl)-D?
zNmfJmbwVLx<Rq|jvQ5oxV!?TqMBDF>B6~!n)odWOoRp|aS`fNwk%F}Zk-R;&deZ-9
zt{l6z?1$vopO^8iQmh(E5*_g*Per0*JWTl`?RC_B3E<zV)tlwF`~;(H8R@z~gPm=7
zRaH;}!#5yFuRhDA&jyz14vP_*uj<iUnrO>mjc|%2lnjm=tb1m6Mzw>hr1&Do)EyKi
zP&E(j{Lg+NSQh-9VX16!Yvacj4@@%Yo=;Vcc8AxPgUn6zfcSn;obb#?Uw5iu{4iZt
zmrLhNmUek*#E2Es-a5HE^;7N7Lk}%Y9LHHph~qUkGbh-_1q44keO?%+Z;%)gZLkr|
z;N&J@i|2mfEywr5C!OXtjc#cc*`^XWmzN~0(Fb}*b4WO&%l?tS>qKDP7`Jh@yN`dm
zkP>Nep+UaAj7kM?xRZrqPgq2gSDIL_bmy$Wc;HIhD+Y6shlrKE+&&s}ouom~=*JY(
zHQT~9c0^4)8&icd%MTWONhOTS6~q;zr;3xyESylnunL?;y)5?6bdo@sLt>h#)!P>%
zZW`!wqwz)g^O62JDG{#EkJBjgBBcg@8_Svgi+z)@0Eu~N#4rWZWknF^Ae=?o^jwu_
z-=n7WFCrlz@@U6#_|#>V%P8@xU8Y3IL|htr$;}U+D#0Zn^$m;OpxiX#t){j(L6D0%
z>X&2KVF5ybf41q2Ic+4NRaf99jnGhH=LU%=vxbY~@v;|FIyWrckm2I)M?`6ihGmko
z1?<lEf*@7xzZK0kiMZo39&O+>BC*9c8c=hgSMUUomq$^SMafC|r@qP`zELj($KoH~
zk;E2&ZrYJ+fPMiedHy2PDgY%(XGr>0lph#9FQ)|e!ywDm`vA!N$CZR&br#J1#h&8I
zAGZD{j$|l3_w`9OkL5OuDV3JI9t9PLgYbB&Bg|+yScrde0?n1iF4bwc=x6<MesPW(
zYwPoBJJ3Yf16(MzcRHonNZdlC2ZNeKt=hOUrzTzW2JgFk!|FyLL;?p~d+7Ux+`~%C
zE8o7%-jZp9m6Ju$66@B*lbGq@u&Rw6CdC^=Jy&f13|c+^D%w)v$-hwdxbv~j_LpbQ
z`#raf-_K*>Uy7Pn(~tHosML?!HQ+20?J;%R^&YG*h#x~7$7sY;G@#m!C<mgEerTp@
zyH&S6Z>J)<7P^$s#yb&Po0M$^7D%$s)5NbwUNDC2qDA|GBc7$`c!Y&VLnveI_Lm)Y
z7#+h?IA_^00Kbptuiz%KQy{NiIqOSYLlkG|#1nD*3`TBb;30C~#E3MN>5{eflSNu8
zyNy}E?aK^x13_O(ZY{oMg;>2g=Z9?(cqb=cdSz)4gF8N@YkZ~wSkntWVOEvvzN*O#
zUPF1oaZ=Sj$6zSUFR0m8g)nUw&(77?$-pl0cAfow0m@Sx2~S?bzgJP`qb9ttQW;MM
zzifZP$@p03rRKM|JAY-jua?nDD!&y&?jACrIbZ4Ia%vVyY^5OI+F(w%mr-oP>eJnS
z#^ZqFaWAK{K+L=Cn^kRI#>R%vhoB&5z^X@qpQt5^oeHIR3J9u~yb~k>*;}uOAOH^l
zFLdy~-q9NY0Pjx>X8^YDnHi9)hx_!INy=#fk-s581Ey*}-#7tM|1{vuTQC^#HTdE-
z{9Zp{9iEv#lk0Zlwf{3IfhfO=4+4%E0OVH#${+dq>c#8;dSO7xD*@-b)#p)A&BcGA
zkmKqTm@<2p0ucYs@+)F0SgG`66jJr<21?S$8N(^mV{Njn@G8+5MjLwwIU8zX>4I+M
zq1-)~zJnx5rUs^chi=Jt#eQ(oYK=@xG6(A`UCF|`F5KI*=Xrc|V=_U%V3Ng6PPpVw
zIP5DYe8)E<a~aL#g|FH^9FU&o5EAk(B}Q8;&tv<Cp4^kYZEB&i_3z-6Qj?#_H}QBu
zXDGTtFzsj1>6@64N2DG<p7;dy^*RV&tPk@k%K5RH?q351+(x&25L$WaDNn=u(!7<z
zg9P;aPkij+nPe{NRJyQ)A4F_H#toB_v;CJ!2S$2C-lxq4`>lWU3FQ(`OFlr|&&*Ib
zEm7lx_w1vu6wF@Gcb!TtJ9_44h;BI(S@mp?P{o%b;goZ3on%_fc-?j6;HY)2(8gR_
zj4AwjL_!L-PnMu>oFYv-B57%5GSvhzMU;)}qrP*=dq3n7!E<hMm(g!MSvBW{G|V=U
zQ1L-UW-AaGH(N?p9`IMD{k-i6w{k+Xmt)Cjf)a9I8UBU8--GjD?boN&UYKqYEu1xY
zGFh2YI%?+*mEnXphrNFA<F3J5BWoSCiFq`wT<*xPq!SlZI%0R|Ahc;qf0kzYn1vyQ
zzm-HfWt*kCf<qt~HaZ)@3%5FBR4QWBXS_aE$-Tza{`F6s*zPqQd#G2wV2I%$LhWcT
zP~(~<C}XpMFAgQj73L>MIU7n5NJYrPsV{&SNG5effp>yb;3|@KZ*$BlfeiZh9@|4j
z==;e}nN#kg4(6x14~NV@j)$^7*;&z^rdJOYouB2uqe3&E^QReo7*A%Un|x!t|1I0D
z@K=2vNvX#Zr53XJeKQTjoWm4B>7v`GTu#3p9`z#O@kl_e#Ukze;_2{p5z@hvm2194
z@9n9L7CyHeROE$5CKC7OaF9N=@kOBt+~uCdwx4mvpp<gx$hg%JFi~4S;EKOH9*9!G
z?u3LWn{6zHoc-u(fbQY8b<g%jxxYX!p2X?Ij~5{ofUyny8G91Vx)Ai!luE{{0v_sh
zKGybF{7)SzW9H<<SwAIMX?SuG?poA@H*<gw8zi0Ef|%vg6S{sW6pmf;{k7RQ$$l`E
zbF662JRO=afs7V-e1i92#P<>xkK8pwE?QsBE!rb1G(V-SLWR$5O7ohoEXJ5c3W`-@
zp(HP{Y$LG`1CJlI$Th|8R6m(#qfuLk#&C-V_>(%U(Rq&uZ6uEb)|n=WGT!yEt=G4O
z43Wu|UNUwU96bwl&l8MA$|G>KzbBH07QENDu#+uszs2IL^cv3T*x*0UyY`>K&wh%<
z2&`P&i?YfyWoS_Cb3^MHc03%FJ{GPP@^mQ{9k|RDD=-P{n5_{`w%1)Y%)OjC7v#gf
zVRR_nlB&v4`ecZPOdr7T*ZO|*%qWsBicguM7}A3$9^3i|h-W-cq4kcA<9QfL4zJ|p
zu<9a$W90jJo_5{1>!DmuFqalmg*xS;7%khioHGhVEZ^0CkpEzw1Di-K9WZ3S&y04O
zAiW5D;)4KMkI`p9JBp9<v{yw>2fG<fgbR{@>p4BC@_Hgc^(yB`PTldU5^u%|sJRdB
z=<&`$KRqxAgYmDTXuHG(hf^Xj=#TRP+bs1CCFuon<;TV`Eac6(@+ZU;Bzn);6Zqm<
zDs5Xo@d+nX(*<Sp_s*Mw;#hM#^j>?Mr+Ih80Z-Y7NADlFC>3vkD5gb)7w=fl%obC5
z{)Q9x(;oUve~sj#Ti+Kaa17^$l99JnJ<Dw#ZYlaJ;jfBD6fk?v)vVuB4UJt2gAHCI
zOMe#QwJJ3uAJ_#oH)ZagIj>aJTlAY^tv@LzKS!22S)!jxvzpvd9LUt76beCkJr^WH
znL6Ksl^!rXwK1u}g>Q7yE~c8V%x|Gg5lY_}7c6j0{z{4G+*2-Ibm_biqtNXcGmCdx
zd6PIH&*=z2R@C%bX}!b3ScFz*Jg0eY+$pwpLR75&tvM6j3B`{z<4Uq1Uy8)k+s8b9
z2cpn+W-$^hBCJ$bS5(}~C+oD9G)VCjnEk#<JUi&1`7tInQlKwO@!X4^%Nm({b$rHp
zdhQSAd(4Z#nD=~uMrn!@UPos`=LmBeNdBvB<^FVxF09X~t3Hv*`@Zatf_)!U9ACDS
z@T^g$vi@(mLT&c-5hbz>SQQc{{=$>PY`scw-lpa<gz|u;wd9mlW{`AKVG$y>#4esp
zn|4im#uttc#9~0l@MBo-HJU;eczbd{djou@fzRU4?-A*MBkQ{wFy|`#ZX3U5|L%Jf
z_vQ=WQ$1)s`Dz0|;`FgK@iV^tFA(CZcGY{ycoyoK=hh#;R5vKf>0=8jz(?d!OUdV&
zZIoAewq!|};r=0^SR<Q!=h@{>ltq2Xw?g}UnA2*nztciK-`99Tv;V8-QKKM*Ix32Z
z{Kg6g1Dq*VT(fsPZk#sODw8D=THS65EEo=#Ai%Scn94-}Z7(|nU-ST7bcpBRC(DlS
z!olnzfQdTZAbM=26U|;`q03yb!DC3%Et6M#80n?PV}Yi5FfDGyK|tM*`O@_+U)N@~
zKkfA);YIB#iJ-LfQJY%^!(sWmIV08|Qy3?^(q?NjJ=cP}M>7wRuVE0=V~3gS1k5$V
zqXpkoh~BUnsnp@*%*pFo&L-U&3q9SfuD^0L?Pr<4n}kL-qg8-cv;&n0N`-s6P9RAs
z*M{xAs#gVc{PXDY36Hx-L;vn<7~g2~x(+*&an(S?1?Rkc$#{@;W#zh0Z%b(2%m=*t
zpM8R*wqo#iGDyFC>1z%l&yFOFN0`apAYrFz&LBSXF34Fp-g$^kmGHyx^(Ei@+M0oe
zncI(|h3f%b-neeVwsbft=H4vT@drZYL0A_VdA!56lV2LSlkX|B_idx<V3R1n!GLcd
z?JQj}=1yTgu}ij3q6W_jrW-H=m1Fh)0?jYT*>4k`qgmyC%QsIC%+l1M=~EI+!WvBJ
z$hI%AQ9F&^09R}OMHP-dI2)HPrNCReP_MbU{K&+_cNewf);<j<qh&#lt{Vw<{qCzD
zg;Woz1nn!BI-n2SNH(#XsS}u)QIby1mV7d(_l8YB+()MGZ(tX-ri<mY(&FkRkgF%%
zwmwbDnIGpH;&Sy!Ow#Dzc^keBPCCi0y+_@sf!|c!F~Oa;ewyugG_6W1SheLH!(c@7
zl<f463bEG^ak^O?i@)Nt1inW6HPWZu=$daY+iT3~Uu=nMcYmsK4zU+_ku~XI5g^8F
z?EAI@#?tlVa>t~Z6Bg<tij3WL;daHh$)n+o`%P?I^@26l>$e}OBXj2+wslug93t7-
z%if+;z^#FPN5_|N+~X~|VVTQ0iEWg)Zt<f(OqCbeb$b-K3&D3UaBO5Fiya}a4q8e6
z*I8K$3+~}4=XqBP{YphmgEAle0a*5udi&gK6}_@AYwaKAR>LFf@8aOTH>~mjKD}+F
zxBoo%y`$8n_I1#q<Vw~L@4-YZ>k7L-0?cL>>98>8FIY^QRzYCOW9l4wQg|E73Rs5T
zc!WMN7qU-9JLG=w{R&8)-Ha8lj}knFF8!OjHPVnW1wDoM9&@ToQB{+cs1<w=>&fPN
zSgAkddiJ+f-tfL9%3paO+Y;@eamVmEL?~3%4LW%<c3}7KfN0l`(BG=KQx44j44@BG
zTleXUd7oCz*4ppU;Q&43Cm8S$diHfK`=4h->xTdG)0g#~{qw4Jd-S7N&3}&o<Os0;
z1W>kokze0{=sN(=tTG0C`vKV9TR^S<OTi{L?)Q}|h=L1%Bv$}{bzgTraI?4h1yq=l
z*^pnK0ymgG@=e8%8VQ4ByjHPn&ga7)8>ce7g{L626u6ta63|22FK>q_5>6pA#TLHP
zq%RL0GY@TdQrOiCxfhcH>CD;i7=QLgtz--Q|Cv{N%uK4{mETziuy+R~?O?Vj=mRWC
zwre!U1(m;omN#ng?=*gUA+d6J;aOwGyzv=PyxePgEm$Huhl;0L6xP~IvkdqWOE!2b
z^z}xsH=7F>lj?n-tq6G;KhnyDwH9l8q9o!<9Pf1Gix&i@ARh0;+g;Tqo3gX!9FVT&
zE)7B*^r(|Vgf%wCE{N)PtUvvI2f19MQ!x$cg?KT@1<y6(=YtRZ(-@5Gm8Ij<2!>Ce
z5l!l~sx!#4(xrnmDu}t92R-T#X(1EVms6ieu>T0L2SK!ByjN<D!@TPqQH}vJFHZY$
zF>-8&mWE=ya9i;efV;sbA#sYWrZgIOFPBLCL1V;3!f{14xjWF4taSJYMVn8?u_AB9
z-c!SMM9#4C*L&zwn%{?iF)aw4g9jVaI<044chZbZtjD9fnc{-;4L<ZQO~-mwdd$D4
zb<aSN!x0h6raf2IDdsgk-{unojnXjNr@m!IZ;`N)zbuDs7V6eT(L%>kDfw`Wh$l7;
zEMfytCTv4=d`1wt#$Y+HA{6w;ojgi$Gq)L$*&eyV+$Z=+_2At-F8eG|$?E{|>k?M~
z0r1&5t$9`KZN9{Ou6R?yo8aYC<L?&L6jAqK%(G@vzKh5V@(Xvz`7dV4BwiLpI@kbs
zuYrcyWYRrZ!<~FG#0G!sW@ljmzpE?!QB5btrR3@jv;09DW4pADMs4n&p^9fgKB3^E
z)?f$GUxuU2UA{q`9}QZ>WTCVh)0#~Qbiw0O27a+&vU7+pA^zGJDHR8WyDs_aYgBC(
z5rh1rrcc|Ebg3K+tc<ra+|%obx!e@CiHqRO9d&P0FR9`6-CEAkL0h2udNI_NKa_n(
zO)Y~!&2O3p)P-~Sn!vL9(5SzoI-KU7B3`V5N^SVOx=l7)_I4<78+eQ{2Ob}sy||2)
zn6^=IVKCN;$(dsoOSvw@UwKI*-Mp&%Z{M_1Dew<7#3BCSxdnOZ;qP6-SgY{z<%x~_
z4VGlS*|=<uDOED9e<UN`CH$l7Pen~>)Q$?y$GxxY$W|ux@C;=I9J`Wl2FR?Y>68Eh
zc#R_`TG9q9SEI`^;eh9cNP6Y`S%#gu3f<zc0D-<R5BJmkk_(AF-jRp2h{K|mH5&DD
zE_P~R7W<BN^`P-6$_HO=_HRq=g?@=nA)iZ!gRhjd;UY+?MQz=omrZf?CzxAt*NVV{
zHwtiJ89fKr84K$9aTU=}N*6r+n3=fUDStf$myPSM1mV<heYr+`s942KMCO(YqiJ9_
z?&Hhw1lYdyRqJ!n)`{gP!7YGWL;28XbN5`y9;K@utt)>Sj=a6E#f&y3U{+^1vClJY
z592>L<K0<YW)WJOW)h`dnn~&J_q4c%HU?ov;~Pu~rs@lpY(RCfm3({SK0~vp`_fij
zkWoPrlFMoYJr|)<@6wDYuISJE&`(D~v%Eb=miTq}{KX2INO=tnwF@`Hjrp7#1bruy
z*71O*9F_Qk0G8&-RYD>dMWs-+p}C7@iXJ6<^d&xM&47Og7g~DSVvRe;nR=v}W}j2l
zSy>_5E1&1@8VtRt#70R}D7-6t$d$5hV98=wtd+oBzWVN;zrgat#lr?kHprZ)bOqid
z8|5*%{N9%x*SZaLa&0G|g;!k@0rI|E)DAkJc?xv+V&Z;D9a<uE%KGC9_t<amuhk;j
z!>}^!9=TZ&|H8ri>WNV1_2plm=RcHnU+(wql+YG@k`hds$0hLXpQTZido0wVjaKCh
z{$+6Vr}ul%A%w{8fBr$t#JHO4Q~6RWe(}DqUNQ2`#dkIyOU$KM&7fI1yS>}$Tur^W
z4MBcxmdnU8lht~C!+)e36KH>1(ra`DAKOwMPc2}K|4K#7?4UlmkZX%w>Fdy|&IEFV
z7z1d9Y%*A{+hui_`(O8)3{PUff2!PeI`8h}dPc^!GqW$;aAITOqI*YXFm8azqxHmi
zHVD=@j=p^934!SHFPKQExLPTlmd@tToYoyc&P4|kD08D{iDa$Q|EWq7n-rbLWE#Ny
zZM-l2$%{5O2L+y1t%UMzaOI5SJ8g7^WEOvQA`;91`7}z3igWUXFSzd-?p7E(;OC8E
zs?NMrw}evYxFL!&)HLK_M(%VMI+@o94;Yl-p%|X-4R~BphPdphW5A5z?gyXdS)C}M
z4~9g2vz?J>^<f-wzu>P~Ar@Z8po<Y44n!kBJ>luHUhi7w=o*(Ozh`swV$kr+#Q!Mr
zX186-Ns?m-w4f@8hRTK7JrU4h4zPHM_+{7j5E8w|{&!pHyY=lz(5(jKHPlT~-;tT|
z@m0*RqKZw;JQ4?=`*|(NxQq+@zK?x0f9aJhOQXY0jCU8>alEKf+$zOIc!8R*+$coG
z`2_F!W%TpPc?c^LxloSEsk@iG^JF|47pc~;B9>xU*thE9L@hKLGBFn)m=RdvQ+A9D
zhF+<Wnw5e-YIZh!_d(Uk<`ndhOwaO^2R^ESzMZQ>ht>NnY);d;^aZFB#CW-HV_WFd
zzplT+ewe7n?AG?2qFF%0B*O0f27VF}!p-`#j7YeKC;Z)(;Brb%m{kN-^lxBrk|y3L
z`RN`#?0NO#u*4<3XlS=__sKWe>^il2<_-X6{BJ9^?0>2&G?Z(}wX2hQY9C0;>&;P3
zs8{>JRmF85$Y<4Ixx!rq#9g(qZ|~xohN!nx(y;$!R!H5#CI-1t43|2?S}F_k@k$hE
ziOv5rywEdw7c6xGIv?bDRZGQAh!;!KrvuXHMI1Qr-8P&4?os4?BF+O-H=o7V)mPmc
zpr?Q@ZOI5gFb@E%0N65+AH4MdKvlcvd^wIF3w)j4^AEpXReog^fZqev5Tq~s;h$i4
z{PO*_AI&%|_Gfutr$r$Dbs@oh@@@WX1;GAS1~`5kVSv8+{--ecpBh8Qu>{B$<@yN3
z=uL6Vz5K^k0>uS&O@rj@BZVnztKNI$qWzXmXv)8VolAYRu*m7ID37d2Yt^m<TV}B$
zbWh7{U-M5!n>ls1(bNWLxca`evvzSGv{=Qn$PyKPRt0!^#-}0TVy&3i!Fi{;uLXDO
zee@GJ3UBLGnkBj1DysiUg7+eg)$+BdM<jD$kt-Lqk4>F~qoj*_@*K=jW{wVCFjP6t
z(ai4ZfZufB$<0iV`H%LnJl$=ZlvRlr+gl2#;Qa!N4$T3qXsp$8=vDRt$eX{zu`Jlq
z({QK854yy1QghzN{fJ@x_U=co)|oH7a;@UlnWLa`6S*aaU;#$CbKIDN&5nB4YcF^;
zOVIM;;n=^(+B9Qsy8jI)hD1#fpBelv&UhN-%wQNkE4D6JQw&bfef9CWYi%YIe7ydA
z>+dV1O-AeN92M8)^qDFrPcY7ceW(k-!dL6&JlHb)a+^+!|FcoCfuZG>kGy6?0m3@o
z+D}P2_QmW75t7mi`E1;#w}#1)i}$#Bp}3na<Cd3#3yBV4fai4+36T7gf}Zn?K!di-
z4-+K*&M9Kv_cq=?%RHl3Ue43PGuYT0<>pp?MF=YzgHKMnQi$;6)prYZ>sMSUyncC{
z82pGQcg)1m77KIgKY<poNc@%r6`-K{R7|grN~aC(pKkl;IB+>K<>PoaRuYlvLhohQ
z%){z=94dUsnGIxnf0BP`s-YPZ%7qUr3p*Ju6a5ls*2N*pMGf-DBKg?YLRs8#0+hn}
zaak8lMUdLx@T^lg-<{5>KCf%ogLr5Zey$v+UCjBRG?XAM^*UeY_rR6ZsOg+TujQK$
z7sI2S%t9WV1%Yuf0FVY2#e{EK$$M!yD`<CpB8Ta=9ct;>*931IYnvnzV6-rXdW<g?
z&t?5~FJ1FV^=>U>qO?25y_%zN?lJk$@NhqxuSffE#;41zs(;yiD9?}Qz7=xeJ@N{1
zRK7+0lN`)ZQc-Np5@}y|m28!}HxN4Qts?zQkb1|15#pk(*VeN#&5mCr8LGDvUH@rl
zxR*?&JVF>?Jr}%H^{L6sw5TdN=KwyWrMJv|ogF;ffq=B^ds2`iy53T~U(?YoFkoJw
zmJ#rery`Os8;v_#MpnIwdkH_)H*^D0YK6Rw%b!#U;lly*`6q7-%GsSX^pwgQ8Bxl!
zKJ5*yViptpOaJM&lI&I~eHvYeqLI3DX6<bIJl5|IcyWPvlOgec$Gp1tf3`dD?67R1
zTk60a`!!2-{=oj$6$r(x$w?WfAI>pn9(G*DapR~dboET1`zo4;s^WtW-`-Z9J-0cn
zXj$w0FzCLV&r55Iw5Q>QGWwE%o;h0g7ncP(aw~~p>IXt>`#1}M3FobDh`DxV3|qd(
z4w;D-y_=x~ckkiG4h-o6=N9lW_mT}b0wKv?ca0Re^;(0hJh^BMJ08w;ESa-Ws5b~S
z`)|Z=0sBo7$7>c9i>XOfUhy6by^5*<Rdq?$SS3>a$=wrB-RY?{vxQxLY*F(%JvtlA
z&HA28W1!?mlrOB4(>v%X^Lyo;pl$FgQ#EKf$8nq?GDIfUY_2JK)=~~>qk^03N?xpZ
zVLO?qL8;Qh7;>}vNuOm-JhZ<geia1xEO6HvyDZdS);liVtKlZPh-H6dwqFN8TV_=R
zJdj9*QYDfkxpadXx&KCwP%w>8R_9sAF{I3*Og$$qwpq5E+;XXiUR|Bcv|SpZ<Vnaa
zv7mZLPZW5hg(21*-^3d+QKQpP*5^{(d(N1SKKe0=A6OD$8#j!TNSy|oYtk1T(EX~P
zmOsn&H~a4)UTF9>uD96H7)OWX6j&L?bqSOaHWZfIKfJNTVpIczdTdc2FL*-ND<wI9
z{V8l#-Ujp3>G=%yj6sbt$T!b9?AZHQjH4Y8z{Gv6Nsz<6R4F9W2bS=e+vUPu(C2vV
znfj$;oqsv$iRwj}8gn*AP?hXixuFZYsml7Q53ZDUpu&Xw_x2hJt;uGki4Pmc!j`Uv
zz;RH~FK92h8V{U{Tg7R}j#xLNq8q-<)vcw{MnP+<dH;(YT|43enMjdJYgGHRS<Mw1
z?T><x<2}d<<NB4LrmSN}1P-0b!M{PEa+w$<z_*8P#}44d>NEf6mtVsb1lkJ_@VeD~
z34ne8B|EMkQ<2V$JO2+7y?6TvfqVc~f})>Od4QJyfN1$#3CN}*00aPTPxoHN5|Et*
zeAs?mp<jRSCu}Q-(j(VPg|o4VYi3=!xpV50I?F7D$oqW8>*c98Q|{c58J?)WkCd2M
zxVLZlYn3HE(CUE%`~JrHJuBgMwt9#^@KoM-kuDkD=_fwGV-=f{oql!9uGKvnO3yuJ
zop$Wqin*V&Wo+_bJl(VvA6w}3lsRBG=kz4`=)YES1pZ`gL{(OF2IuIkF_2fFxJazS
z#{POkI`hgHoRIVosaKNZDb6I%#_7bca@S)u-NLn1hU$%Z-@pfHtq|LH2+6igr2+$1
zfng<gDHf^tqp|Y>e`Rn=8QG<_@Dv7ufA$|=W7>SCyWC7eB8=KUOX#6F<7%y67&^PO
z+#91*GmGW@b_H8QBNtc`W2J3H1V5L^-r1bPpT=r#W^(`BNV1?p$e?Q=!g>o8m)1tS
z{n2U_Wruckm{->GYA`y10;g>wj*+{56{lkz3C?Jy4X~QIi*KEPq)`yR?%5F>jJ4!q
zwmF2#k|c#iQHlX0o;C-gHxA~*{QTS$Yb8^92~l0gkerl>#u9d*@*d409dpMK8$|(|
z6hY+79=xj8Jm_sGw}#tRdAo{BQ)@ao3c?*Lh{##{ey9Jh_tFPpJh^%}K~iT07oxku
z_<H-zjHTX&^i1^XvSfJSlyc?=eR&8xqv}3Zx`<Z3w2Y?+NfHN!>QGmRKeFtw(M+VF
zD^tWkj{ScH(wteq=dCZ&mm;t;hY0Z92L62dD&MUE^yg)Z+D;@O7(JZTK>ZW|y2vjz
z4Lj{FN<3h;E_s9Y8Q`(3&L-qJ6qm}NHfNYl^6miZ>p3;MhWmHQnn?%FgdhCk^^pB4
z8ZBRfOag{Nsp%m#2hAl2`taRZbw<0=F3O4+S6%)t*h#XVdQL-aP3+gXkhb319X!Jp
zW>+taLP4)Ir3{TqE4BXAlLz>%Hcz*oYDU^Igi=Rgj@_v99{lL9GF_)hl?fNM#^>=E
z>S#o9SQHkRcuQu42^Pxri%qzDd%h8dQl<TeEveYOR$Z|_9Ura5iK8fCUPVoUI6shf
ze%n0ro)!x^;&d83ded8a@OZa87nCQZy$`fEGqi8}o4fJi>X2&LRQ0UYx1lQXB{j7b
zUxx2J2!a|;zvQftH^e!^!Rn2#mYET#?PCd_lng1fr0ZA|_{AMTXB0^U=RqZytFe-L
zFpN`+XqIqMhloLBPLOGTXHDNt(GBuZsV)~tlA6+s%i13%ZF_?=aC>olpClpGRNIxF
zK(Cp+O=GMo0m*GVBJ`KRFJwzmqAkUHS=I(G=e1G$g>P%NaZXT!Tw*7IXk#Et`-k0!
zUjAjdlO2DcX@$M?4phlkN-bE_ap8)tF52s_&dABi#SzhO%hG7{<apbQn6zn@DNZ^`
zHxlt}C}T(Clq-973oPlS$6-;8YDoWeBQGMnT`S`s9iOp!bOfoXb*1|Zygc4?nE&<Y
zi+Ui)^?m<w_~odk2TOJ9oAml6X^tlHdGjTqOWFIso~0|_TR!jrcZhHQ=V6iu_Ao#X
zee;61Uin|UnD+nw(*KXBcZ{y<``&nCr?Kq@joGLTo20RA+s<ih+qP}nO=H`(vv0n?
z|GneB+hd$P)_yb3v*wy>&d<Yl3HtB=ZoyxGMZd7OYze^kv!86c`;$;9_D}S4))oAJ
z2uq#|;0e_E8Kc?VI7)lK?-!H_;3x9uTWyv2B>+I<uyG3l@$YVaRvy~{*rU%3tCm~6
zBCW2YK<pr+C5?=+F8s@vVXhL`3}=z#qw1Ei+5qg*tvSk<PWKzP92;|;uVa-=$NSza
z7x40z6brHo=t<A1xL0#+_oBkTr8oE}4d8e53f<<zzy6k%myNy{fDY3|x3X=iv^gn3
zPl`G~TzPV*thbRixBJC+t0I6Wg6R^yw7bg^J6I?iN;WLO3z4)+wvln8rPNx@&M+z|
z4r4kGDr>7`t+S7o#FMQ<Of#3+!5zGNh}E3xML4M6wlpwQr%aqYNf31Eg5zk}PKnLf
zDB$Lcv&ljxZwpMug5Dm_+~LmH8Yc05L8`cNVO?loEk`KuEf>`>Q}W?myK%bCVC~*~
z_lsftlA$)JOdD{74CFbJN{F6u{y>JDoxGCcuF6A{)!r<W=A%vswPCsmj{7_c;;F_q
z{o2O-+9y;5TW=-Q9rTeeZrUyhTKR@~bJvu@&|0;VIGl~7QK>0NJg6hZpTIa_Y53)r
zmVmE@F>g1&Rh`PneRCDZK?Ic%oLlC`$4MAVTE7DF?cv+n-=M#*ELh2uME)66{-}9^
z?dSIpDb=PoA?GS%Lj6jN;td3zvs2`duMKPdN@jj$HRspG-D8Nt!Z&^G;Xwn%+VFh^
z``eES$zS)i3DlQGVAwn^l`ZvEB|Og;P_ikpBGN_P&2WEwpM}|oZODdWZh?LR^#Iw2
zk0hW;5Ejh;8?w{@6Wo!Y<kLCu%xHY5^M6Wr3G{Yn*<%CKh;x8^A2w5n2Mvt)lze<K
z-E=~Ik=&wVJY%3zlyt^)fQ3nPDLMGCT5PUgMwQ^$Z@N|Mmy{b{EM>vYhn|@+BIKc+
z(MP5|rSF5??oOfnWTXR@`Crbyu>K?cI4XfAPHx=gpjurv&VuWcJEf(2tP}bTch=~f
zR_jH(%%lq(j2BDx-Q*gwvfeNbokO@jj$%XB!;5LZ<^?{DN*Lq+_VzP6A5vpg<*^9(
z6T<l1?tdp2G4s1YbT-*NY_5-4*{Muq0cEkQEA?dlK$;2{+7jb|k|B0`yPfmzO!2Sj
zO8=}hGZFGT)^g_ggwd?HCF1h}woLY$>$&w~R;p9<tHq)4$QNee#jnwOQ?y9fc{zQw
zk`$?Oq8O$dU3j((&4T_?EQk8kC0Dr%zFfgyaOy&j<2+dRDTOiw(!PevKZOVh=2bJl
zmDiq{XNGd3VGNQ&50~7JxZMgZlH2xGMNikkbUh|6%3i2G50OipTN$%y*%=M^&oj~E
z@r-oZE7i2i1Vcak79BZ>gMzwg_cUq4%03I?OR9uonOk5z)$i9EhSD#yJ1zN9ezFm@
z6HjX#axO+?LuQpa;G`Y?M5oZ0M@!W)e8DfR5jY~nr$2vjX(kxhG@@0AygbPD(_<=c
zGc_&hlbRgPL_53qGR_+=)u2!3+`1<C2c%QkTxBiw^DKkaG4u8VIJ*V;evl+wQT|2Z
z>Q*u?MjFU^N%?8}vor!bqLW-%kc`j7#Mf6-8CyKQAL?0w0liZf#+%thpv)@5T)a7a
z7fpG0*K}YDZ_Y98ae@sgeTvx}cF|Occ!lCLCw24DFb72Dt=ZtLzA8C!nff+qHYi2D
zucK}4#Fc2!5+^vS#uDF|BvR#PS29}tXg+5Z5wJM(vQr7*cpefVJ-)o#hhnc&<psdi
zg}{|JQ&}a5NCngcY?Xzg|8x@a6N$v;khHo>8y`a#xin5Z5>f9Iq2Ua@oW4(g{<uwl
zp5&-+H@P^xUp(yQXEV({^qz9hI?O0UF|J@B@Id1EBGUH2%k1uQG5;dCSLhP1F;jAI
za)U(~x2c~B8d7yt(fsqQjKk!w-pyPR2-Zh%B|N%t_H*SXo+(|73-%nXT97UurK+eO
zm8sZ=9gh<BB^6CX<(MWixV<u{BZSo>jhJdcx}Mxq)#Anxv)2Rdbf`_wB7VW^3|W=;
zpkirkZy}iyE-)~eHFS;r<q&f>HU=#&HFmW#SfZBq@-d^iy=C$HD7i*;K>ZI66CcT2
zr9{eOqJYV;NOe;b1~WpZ^|9O+b9$fk_|<8?a~^%xvtbM|*W@4)4OhJiSpTB-N2N`=
z39-(vezN9<l8pBzHmoyuTr#VQT*2#A=(#K?m61pr2)~z&u)0ywm<7Z0>~*-q<I1Q7
zQ4Q0_u?>?B+s#g34OdS4GgfI3T~ZO5V->K?!}h2TEe-+@87}?(5Rqes=mp8Uv{PSf
zdgY)M<~F+c@*Pq{l`deP^{l9ps9#s|z}06vMSi06I=q2y9zj3eqA_Bqqxm|PMYvbE
zET{I51O)meB<2|fc#Y6@5L%l%(l=j{2KT(iz1SK`n3N+loQ!xj%AIONju3rCsl%i3
zKdGa$_!(P-1w%H^>d^xu(PhpP^vhuP$G3P;QM_3xa&%DV;|{7Gkl=WiP|-Y1zi(k#
z6&PGPh}I1X;zqyoIPF=agbCrX3W1_VqYPjeXLM+y$Na_2a{YIBM%5{ypx-HT2T!!r
z#k4G{e+~uPY&vV)kof%?xM8wDU+59^`Hi?$=GZaHXf17t5!>gI&HYS{mfbj9;eSpa
zSq=S9f5unHFC}bVRVugrRn!U!vQNE&Tt8=#T2WL|wv<a{h3JNuJJ9rYHRcx*@?*Ux
zqM2flM>Ldzx0vl9r`b5BCwIr@2-3uaxK=So6pa`^vN}Y$xwp{1pu;5}U&6UB#$rtg
zY?odb!DSi+-C@!qZfOdA=AS$`^MwvvQB0q{guRji^r1_{W#r2B=k44oyk_EWlX78C
z<#7H{4tD$eG52+dr)W~FOrTpK(+SCv6{|(cvvo#=vgHFW|CJ!M#(zc<H_#AW74q*w
zNtv-Dh(_}c1sYzc166GX+A=rKCZm?7HZw=D^=*mC7Xxqt*Np^DOc@$hYiZ6OJPP~q
zFpbgta`^izn^vca%LFlnxX<Rd)W>qe91B(qv{Un(OtN4;3rPQ+{{$HhKnCLXBxE@s
zt`@z4fUF#V0S$QwYT0i27(V~PInYc6<_0!?3hZ4A+5xaMIUZ6kKt}q$ytlM6zh&WN
ze=ct0?swHxp1E`2@7ar1Wvo58zvn{s0TSdTUT<iT?%R)v@m4&HNFwW<dR-c_Y;1(p
z0QHLoYw`>d9=3gH$5E;~z5<1vTuYLxkYu)9_j6IK=DsW+)#kxXE?ww>7%JRv7~4X|
zuI{S4FNs7Khbq%L%b0q<tnUrnbyDuJHoa#yXGOyIuqi$+s3}wr-c`!qT(56h)Q4^D
zr$dKMm^;H$@fr#evyxz#NGuH?RJ)rt(mj-9h+BJjWiP){tCCp}mREFNKU{M%Y-HFj
z<$2S2JComzc@#$b6K1wsr%6kk+Q`ejX+lb7)kW)Dx=tDYlKm2-V^|D59(LM1-Ph5E
zGylLBI}5`8OLtO=YKMJeT;JcJkS1ZsyM;9rSM;Xa;A$F6&N@d)<w0x|{(k(hZ0fh5
z%>MU6X>+b#L?t<}5K6P*dutPC<nN9*ir|>#HGEvtkg6zS8-L)mal1lz^9y7)2P#WK
zx3yc9&B1FS`qJ+_rsV}_yk}m`?5#EZenWhAMRYS?7Ms#3vKT`0;TvBP^LXs-`BW&|
zzlWAoi&G@joH4&?L*gTE)0TDk1BPCh5|&23SUivO5o@y-&9h_kOJ!o?<mVBk$~d<2
zx>_f&J3yL41(##2=kAeowF(^&PufskJ+WDlUi_5f_9jIIKEd&ytgS!M0=|#k#W-3|
z0LcIVoCC;rKo9cpH3$q53u!Y6Z0mCZAN+lI=T&wz|B)o`&qua~-8O(R4}iT7BM-kY
z1*@$7Uwr*XIj&6sLW%A{P*Z>mQ_B?)dIQ?}V6x#}0N_T%=(;{_7$E<{Mn(@lPmAB`
z4t#Ew|NAcG3lllSk)X`yduI>IdLNJ7|EsMJ8@#LDUA{2o0L9oDPeAtKXELwbvZDqF
zev=~ltg3+V{aJs~z1h3%_I)9-32E-cR&?Je%O^Digqz}IJli~+ay#b0+0*V7+i5gS
z9OxSd^tGYrys}?3Wx_FVaFf7ZUic5H&Yn*)iI*yfGtG@J{{1vR$F22Za^F|)-_p7%
z>|%hA&P*Q=tdm|acP>vc5?*@!i<Tj~!MJ)|Ga7ui#_HFA%l+kkqFqiU_$Pz|L_6f=
z%#eOpKQ_qNQiDrgin1^*sp|Zq>~Zvu)f}~HrSY+Q1w%ReFvd3{JZE@B0hudwdbTWc
zeG(??P8`50N1iDroy=h|X%AoQB*-U_4(Cpho`~8^3sGgG6m4_lrqzVqk2Ceznw-qc
ze^`E1!|9A~u;K2|SJs#+*P-7PhJs}ReuIJE-!t5&m5i`Vno2eEsh}}IeQ^-a7=H<B
zvFbHR-n1<VSGr(@CQ6w<+kDPx*@QD+eV*$s?OM4J1U*#}X20nn%!#1l+;?WFO|7&G
z*Q7!?HU2WB$i`!0KY6ze<4x#QBOl0k>&^BipjaA%AgCHWCPUXEt|xZPY<v<odA8gM
zzB^@F8T%y{@>cJ({fOqfV!J}*Xru+lOZBmb=_W5!c-!mCDV$a54NfvI;tGdM5n96^
zBfRocgmjV@trXxP^K&f42*<IgcMcYuq7((`r6VeCe1CkW)`xW*ji<Ye$6@??ck$lu
zN=|@Nn?qqwLV=)Fw~r7r1n_+#3BM;9&6nN!m_CNa`4E(Nm&I%W{0X9VLEY;c;9j4u
z9I!PVAAn9DO(-Dx=ZS>o3GsQhya3VH?9ysRYAQJ)KVq)C$vcC^n=yj);pcVPF|vH%
zbaEanT!}5-P|WIlGVw#HPT7~b8|{>xMwN09h}V+NSc)$?8J0hu{<QvH>ILR${iRyJ
z+jwAYc;V6$M2OiN?!>U}Ahs9$rdFPFHKI`HaS^#zEQxU+o;vEv3Q}AtM6m6;-PUe<
z5vY>zU$UEtX8o%;e~n6Px$$ONu^1`#p|CXh04^Uu`0W*Uz};MVVh6p~nPhvW*0z5;
z$t72;uq1uakhmWorDLp|hn562>8;DG05O$NEWZWk1ztKLy*m!SgG(Tz!td=)$$o`i
zgqAg58IwKO=h32&)EWZSV~5|B3tgHV@m440E<rMxB4n=7&pOsT+H2Y=jzDE4pNnT>
zkT+>~Vp`VpF0}(pv{q#XWRqT>;94d@5s1ET%>64jO!7C~KPC5@C9&tr`isj&W97;s
zMh&(LUnO|sh^5I>uD}O~cAiC5^Iy2T8z=pmPdKnCwlrZ=(@!|{STv5~mbvv+1!Zop
z8@kn%f3sGMFXi5>CC1|2*=pFU6{p+BF`x!1r*ryk`>pOl0VUk*M&2Pr33Al6deIb^
ze>@d%yO`wB?WBl9D+{z^)Ft>=hx9vYsUNPu3Cn6SkDHW>$y+dC4ul$pl*P}UZ@CyK
z$o}GzhfRD9Qegf+B|PmGe<$hbdGDS@WPAhVy$JpV5V;740sD72?f-?%fA@GK;qN5T
z2ZHdQ)-3-gaCamlpWKYv4<<_9fd5I-|14>i&VUcWY=uwS+y54Wc*lW;d=|8M+Pv*P
zd?UH~bjKk64;~L<=mG@V05bSBfTwe-4*-4u!0X4S3BhN)-e(I)-V*))lG*vLduH}g
z&ddxv-uWQ{*<S(J1JG8G;d^o$|HdC%DX^>mIeZwh02uGQ|J^gr`C$OrqyWyReNM}^
z8c=Pw4m||`k^j|31hFqcp(OjDo@d~He-imm6EC3uQ_KY|6lFvI|F!G^oOe&)liT~h
zwM0JUm*l^tsOsi?pEm)qnzs+trz5V9?0Wz-1;9XFg6#Yrmgv|LeTHD0Z;{dHV<3lF
z2mh%~i5ZB|`!q^i=`{MdmL*9(HA?+mbIH^7Qk55pZhz*=_95LqgQ!kuty7s8jJ6FZ
zhSP;x`M5&%m#jriY*<<I<{DJeBy3}|Ha;Fdn7&bZo@{zm=r3q`q)Cv8&LUZ)TT)MQ
zgwy6KZ0+{Z-;9;s`D5wfT-h`3$~xMWZ<x0$Mb52}`Ym=IM9*2bzxy`3$zs56>RHI+
z)OYz#m5uxpU#&%+W<_&AP+TWs>dIjhFZYuJrlYy}T=a4hfY?hRIum&(*e=cw>-bL|
z`tBpS+m4$^PU#KTWtI_HlL8%G&*|KxYh7rka>;sDj<?nMN75R`LkIo+LV8D7<6``M
zg@^Q&c%1fhU^AxkhXb|<qNb%f=K@3eKf!wMg13&pn+$a>(44Cmd@{B9BXTLM4*Ak^
zu{SwtN`WJP#mR!Fu1>er)Wrv6Ha_MHdDkve+Fx>p_*^ws@kSelo*7Oknuhbo1OTkt
z`(~(pM0yCdz&(GLd<m-F8nyyl`NbT}y5YSOFMaH0rAOG=^vBrNd07*os_C+MTF%yj
zR>e4<?ysbAX^lraN_3arj#C&_#$}d$Sp#)9u%^TG+3%M1zg<|eVJlO%DABtpPcsHt
z{rZR$5fW?zs0Z=}xE8ibT8DKYZksHV%Q1omlyyC#(eVwQKe|U|KuBspF^<WDj=au?
zf&Cs+CT)BS&5U<E47e#hQ|G}(s+INLbOm~Zg+(zwlAC+^Or|SE`HgGhnj{EJyTCyf
zqF8lBR(JmNm9Al9y9;@Cu4u{}22@k_YW9|6C)ND4W767koTU-b^1!>48mP_Fcs2Pr
zGF=!U0L|eO?Xx-CwcKtAaVpFP)9?b6^_LXmGqf)~((?2rGxlR{{1hvN4eQ$HiWm`C
zuN8j$Zj#1)elWf7$lY4pMR37}oA;EDq(1|_FBYq$8?<!i$9_(ex*1Fp1)ZOOVPXOk
z#){N!>P3t4g%_!=Ev4b#1;y+ucfmovlEAGl=7Nd}Qs#SCbGd&ZsPX*h1X_^2M%M}q
zQ3k45@Tq@u(*8-AD>DARw>h<7ON;+7c>Q;F9*-tWqSxWthFeImZ4<MEEdz5MN`Td{
z3z=4IErQ>I(L@5l#pM2rY@Q894j1|a`;++vvhzkkZQuosHlBnJ>bxApjwiL0h-yGs
z1(oul`=U`CYM}%Pf^^2Hun@n4BZCJwBS%s<seTg%#lOWzLoAI-k-=-VRNh(>#X!O2
z=x^V$WsNCQ(wC1p1*JC7vU9g^x@X3DDs@Yo#nzXrL5kgAM*psJlOprhhFJQxg+m30
zrwGE!(rzJg_RQk`mP8h;eD8+e^i?X0Fsl8z{Mm{ATYJ`3Qyi`=!5W$U&)cU?*0um7
zlc0Er&$EZle<|etr{00q>@olXaigW3|K)S%x83=h+!Ak0P!*sIyDHzAVgy6H?`gow
zQD5-*H<MnMH_Cs@r!p`n--T23{>e-QR~<{`wmvcyH#fC8{J4x9^`&^$Vyr=LYw^0S
zM5{yrJz#4)JNt;_u^oH75bBQ?#^}<<$12D5rcnydM0^;=8|R#V`mZx+S-IjtXi1pT
z`dmjwh97=OCG)G#=ERAA(qV{E+uw`XWV^zC&Ktxw!ev68yEijVh+Wb?#F#!w9O8je
zFQRbm&Vj(2zIy#bH+w*E9(#|yRr*I-)*B<$T33@iB&Ie1$uTEqI<lq4PvFEf2EN#&
zjevN5mgSj(*4Vv7eSo9zbwDT*QIv^ogA-%@`(I6O!%nBDPf4_XqkdI1ny^sV=HeWk
z5x*Izc>o)q$$2B76Gf%QIp)WjYJ-iYZCuS$-sw6q_|j<QOm$8P^l!Ke^!Iw(^LZfW
zX;zfz3p<r3o6Y1w5ukNymb->dh2bv@X;4X`a{Npn4MolTO5lBuowo?L&6RpMc>9u^
zI&#~0NYdhZu)%iAzv+0<`X2D7>fjY4%i^d#{RHC{_rZXM>kH`=*ssmIkCGfet=1pr
zioPO(Flx?!+vv~wzK`xwpr(8J=*IS@i+r;^bB+<sAZtdW;%W6a6cmCd$&HY`*Z##H
z3@~QNUHCEZn)&IVW%jl%)-PmV+snxsNIuIi;mWd$JX=2yaS&kxKZL^}45la4WDP^Q
zJ>oOMO$w&n3Ikctouv&6AgmoN(_XE?hiBG8rZIenNQf6nxsnV;o(29LntxeJGl1q=
zH<eX4AHhafQ$o=cJs$$>007_x9yg!5&wy^!Bn5Pv-oMbZd46z0)6(c+VT|uWre*ut
z&!fg`z9`I{eHhWt=`!;-7#J0gngcF+G2f0>wiD$sxg!@?sW|F<*wW@!TRgrtdf@4F
z4Q}&XE}@va{}qT8=lh2>CrtBw3cd!iW%Z9u*ph#M37S;hs(oXV-7~-Fi1>FS$G@48
z!DZN*x6jl}R&+)2F}$@wQ9f`vD+_LvY?Y=#X@M(-*oKu^R#l!_fgYs{dq?<CR6UQY
z6&R3nf(+LGM0lw8Ey_M(JXVNg#qQ;20wnErqZM=8&s{_7s(%~u1>nNS4_}d;i1uw1
zACOGrDhV+J-)n|r+n1q;mrH4GN(@!ME_S1xaC1Bj1yUiFmG30Gi=f&zG#<9;?y4sY
z5g3uQ8ui)$=CaP^!(nZ-;(f6usflSwjl*w_u;tlSB(c5*Qfy(_&9lWabsmWivA=H1
zMhU-B7QZbFVT2vd(r1#w%T)EQZnm@TaqVHI_z^1TatP{x!m-nh7^S^!w=9rDzNrI!
zPFYXF=ua#5b+V0T`HH@QlPeyWa&y+E{;V49MD7Cm3!0?UI?>IsrqzCYxH!6KzZ$)U
zT&7pQLw3esS-iyUo}@UKJ;O&`<s)ymPhVQ?TAH%LPTeoI{I>iC4ayQ7OzV1_)7iyy
zZ$WycvyX7EZawUAARII}yP6+Cf6jYl1-d6bElWS*Uz7o?{~qhL2A%<x576=_gZC{S
zICQMtdq2<Ay1{wszh-)~jQpglZtmk%nNyY=V6_AacxUK}&7;~%VR*>E+_zZs)Xa$R
zLRuMM3F>;I(nN$m@0IANbk7Stbft2XRuilg&&!h$5-#jV<yY3Gc7}&Trhl7663yhh
z$M(EXcped+`7L+ip7FpY9cJqTfq{%g{3}q?In7%i((v3I_t|iaX^pced+B7B)2`UW
zZ9T5O5M#aP3?Xrtpq75ikWw2)+)I=$OPD+#T&15bs{7CI>|{jykD}kk_6GO%5^E@V
zZLQZ;4?B9rJ$pkG7m9iB_4VtI8a!U{BI21D9><bn1dWmn8V$>&rb5SE%3v*Y%JaQK
zlSqM9bP%!<*T~a#;1CpFUAf5?179Dgaj7bZhqx`~aw2$dVB+0nf=k-%hCBa~I(dh%
zQF%Cl{mb#SBUW~YoK$}k^L@XW^n%*8o~MnvyvZ3t{<$^eBaXysLx?<zAh0#D+^F;Y
z<>n8I0XRim;qjPC6m{(P-`{({jeJdY*I88$4lq7OKMKw@xKEf>BpF=`!WLx+SH*-y
zo)p|V>umcx)?&&&by(=?C|=^(Wo<P5oY$);2uh5KbLTaX9dX*lRACVjStE`RuhVUt
za?C$PX!A4;HMd`waxoWJl(WeS-J!;DC8AGI+{TDXZqW*8d#9UIHSgAlhwv7*Ssk6A
zR#MIMtvjP|FEoEH80BTU2MRv`|99Q)yX?Q8PnQm8hk)h_;PA0HcoqF|spkUu@&CmP
zu=)WQzXJx`MklVfPXZ1cfv^^eB#&2K34`g~O$$A(jo^z#-gq*@$F_JO$3B6It<Dn|
zU_bfj&D}-}5i(6mA0x3+dj^q0uQv{f9#@L9eHLwg8ha})II$WW23@a49V)1GNP^fx
zIi-Z&H1=b&ZqbvDj^`n>4(M2~+H_Za9w3|?P`)aet{Kv>WpU)^dl2YN8X&|<FQ)o%
z?Z&^o3mn#~?(_!@AEyxhxX5Lpet%9b4ecMnmcW=I5k&JR(C>_7RehSnW#hsQf6#WG
zmi^nu!l@ZdvZbRUwtcmo5!0oGh<cQD6lw8F*eQF<GVdRgF-zjOrj35EmN-Z4{KA_W
z;hnTP2+px7+AizZz_<ED+!`HZUdcLNp6L<Wh~&iKD&NxhYFWV?DORM@ZNuYV2f@&7
zcFcU+FJPZaUw6yiKfs+XL7|(ZzW&7?E}L~^l_0UzoB&j?@>P0%Z0zw)!(3`-pk8Qd
z;wkI50G%ctvg7%q(^H{lyCDPwhOn{A%rQ7ZW0`dJ@^3QVv+^j{&&|9Ib-bcis&jjV
zzrT&mS8X53@k@7+c$vsXI#^qfC>cLaH(j@vfOS$G#zSrd8!frTmZCvP!YKy6&c8;;
ztsxo#xr9Uo|BZ--hd*z7b%A<3$+ON}W$!0UL((;<=Rv+L?!^0y5)wIQjnp$m{nCq+
zYF8v#!1XEs3e$Q3bl|Q;JU5}IJ&Ev!FvD&nzOxkD-EvFD4U@QZOPz46P)#o@4opJs
zdplZ>&S{Ufa1j`6;QpqeOvI-_M=+8P5(vv56>~?V>`nDJURAAx{F3e{-Y_csTZAt{
z3QSQ`NBfl+x)Rr)4`X9xq7q!!L3xxf$X)p|omJH-C}`xO=yX7Ga<j7RuAxV^j@85~
z^@DF`q!@FmEsE<I=GYtkua0L^T$7Gbyh;9P{c_KkmTKuLX6-%2NHj9#=RL}xCvmpA
zB@5p|O*-C}Bj+ir#&A6eM&3gHL-LS$2Rn2pYUq(=W9arn#Y^*G7?!NNm%0g_f0v1&
z@M-B!&85M%v<brYu|Fr@vCMHf9iMpXX>nT@p_auWb;zqbjem&hVbD)#LE)N=&Tz!2
zHB=*s5-6yE-y8_P@%<dB@uZsi!WVLi#ZKNnTpe%hX9t%dSa|#8osS`lf<VOyCNr+x
zlZw#wKDkwp$(ybkb<@(*yVeOK)EgJshrp_wR)eTTlaG-cxH}_b9`>AUl5K9OW~Kb{
zOkq2Im;=P{HMq&}9lu6w`fJUah(-p;&D`IVRy$WBq*HiRl-$Ke;rLOV|1;}<{rRF%
zkwM?5@wmq$Z6kSH_;AcVwiV(gPY5T~+m?*SnS#6~VU~8C2}hJL<sdEVeD?jj)|C@H
z$^71)MLPcc`}U_@;U@6*3S92Lb|dQN2Yf^r2t!ac@Oa$Te;ufkr?LUFz*20euKIDX
zp3R(A`%aw|#Bvx>mFNP#m{fjn+NaGtJh!?7yFv#ARW0)`3cql<tumk^WZBjFq+L;J
zQDuBI-SYdDT{&EGsny^@4Su<;f2Ro=W`KJ^?)Ovf`|6d@FNoc&b`Mlg@O=1(Zl2m(
zEpx?DW5+=j<<<1#3>+2(isABrdDuTLoFe8WKiKWE3yri@0g~x(b)O1b8f|%dG~F<B
z3D~IHGzGcTSH*Z|b5pW}ow#4eO=Ex8tLtgi>7;+f_hs{kd~pFk_ASYZxP5F~<fJRB
zdrn0@;3(S5wRO}abfxoCCBS}Z*NvTssN%r^zP9e~Zc~ggf)i^S_E$G|Kd$AVqp^xv
zZdE!&(EZ!k#y+utAPx7U{K*jW7#8+y0}&ZOUYb61+L119q%R3A$6>$`t!Ykn$x|U0
z74Ez!AQNpq(}4&(EAYa6$Clv+|6s7z5&bP24)Dl66W8>_lDTBdKmv^>V?OfQ?PESx
zIW2n?Wyx#!I^1GG`wW{5h#u@1hs%p?5SlXURqoo*n9K({d^m~LC#-gH`~BXA&gX|d
znx~<fiK?Qm*l-=}v_l(cG9HXyEg$8{aibBi!FBvr`saH`t4JE8qqJ3rry9Fxj@F=_
z=8I>gpoh1ERK9lfriq=FNB9E@0DOBmje3`P3)h|kT2PPPWmfroJ6!Vfo))vWQbu0V
zux@JjqGU^Ibufy1B`(MdS6`I=I+HeAQ`0Q3dyXiMc;NHK2wb0(E#{mIAn!WiEq^Q%
zE5BuB5**3v?c@!)`^3_mNy3f4)#oXLmwSZQNTaOe^&<R@Q;_mioM@2JeF*X7ShA)(
zKlp)H@sWEH&hG|BdR}Qxo0RGm!g4L_oR!0J^yT=g7f+}z<gr#hS4*EM8@`=akgNco
zLqb_HNOv}W*E5UOAH|SE&6zi;XokFrt?*$$J~ILe`QaL2ICJQn66}wVcRL3n%9)e~
ztZly~vwNiS5=@D;)4ay7pES>%ww<IrbXRiSne=ZJeet_NP~%M)3X{KXGIgi9zE-Ru
z{A8%J+7k`Z+x5@jNQK2W5pC+xB0RI|qfJ)3k^J&@bd@0P9;6lGi#WVldJ=^sIWWX>
zPEC@M7J_ufB{5*-PJoGkvM|$948C7CWe=rqN8Ri51Rn~iqCR(G8i$6w1#Y`}*m)5d
zin4wf@Go&&RC&;Zda^QlymZLbxnPz9^+iYny{hun2lE!6@o^8<b7?USLkjymV<3b1
zL(;1ssT5ic{N^i~0ZeB#9OTd<r<=lDCM3;glOi<3^SH5`stj`c;G(r2XQ9*L#M>r{
zV}>1u@w^TCI@LV)u*Ci~&8x-!4=$Z>KhiF(7a;iqAh`qebie7&NPSKmjEiOfw$DKF
zJrKT40_Yl^P7Q2sj8cJo1wY5-o-HFcuYo|O_in^qdu6FbOK55HD|czczD9NXA${=v
zvG2<CG?apb4xwNoeVG^G{3uA>lQFT;Q9B2L#w#6X+*73eKFBHYPwv0U2=>2c6EHuQ
zzMJDKE{+)zirQ2sn2El?8?12KNA6DSn4N)RxY_*fD@vW%``ReODYExa->S(Us>)t3
z?`v(CHZa7UUsuJr_F2+j#}2Lk7W<2jl>Qty_taOG^!<akf)>B~AVcoZUJ(i$mtSi=
zsrsqllOj44k{_bu@a@cbi@MBSLPC>CQduJ6mdt{u<aeo-x};!<x(pTK<-F;lg}&ss
z_C+gfyHlc6r&GN>UJjhr`zqHm7$^AXpm+;Jk=D4S!IEEmtq5ISAzrbia??!e_HYk{
zZw{z9O~&Gy2^CgmfBJiWfPT4Ftq%SoVF~p7Gl6(qoe(1Fz5v$}$&!q04asieU?zGt
z%aiQ`BkI~vr<TzZ1$C<<;N{wbxTwvprS27$EkEH!oc8a)SS`M9tuLXvO|dW5OcYK9
zZ|SQTDjIlEne}2mX{_=JCiJ7YgW*vG`Xd;M2Bzsnxt^+Hlp+uAQZ9!06NO>XKPV`c
za;#Wu_=GtLl6gdew}h{Vr<7Dn{BWz4j+-qLJ6*CwC6RnP4|HxkFV?0E21EKZJqb=%
z9!h%4$LXaq)**KFcvCn`x#?j)hp$_D+q0rTFTka)>sj*-Q1<~MD_F_DR&m1D=TrW%
zgooDMN$eoi%VK-ULC$<a=M>ngOnwNa($9qG7@OEb=TsKcRXG#f5KEafE>*~|EUF=1
z9ztbkEiwM1x>e`4(0N$nxD>)y%aEf=)k!yn?5ItHMb(L~r6Z{=oOW?;=e(syWzJ^*
zV4KZ~9j=w+nD4K7gKV&;fN4ak+d}i*j{EvXy#)KS+m0NDwRp#M-7D=|N2c{|5#5aG
zNL0%Y_{#e>K`gJ_T_`88_gsynHk+w(sT{T4t}L2+D_B&7Hxkc7JmkZbd;3ld<AftB
z%I}6wGgD|YVxcqrF(vYO@u*aJ$*7&w8hOaQNB%Q39?>FxKb?O5a=J`UeDt0=jBku-
z%zE~2>t6S)^wxd+xb!}^)NP6?gf>LUw6xyWsZtHvKRucfBF4C_maDr`*$A#d8(@&K
znq%1KR;w%uH`=l)k@#?1<-}8kR-qCQ?wZ1iP+vG=7lxjV{Hh_Tjd$yUTFDj5@R#L{
zdx@<$)178YzlvXQa7}v1d|TqEHbHOl=<&W>q^Vxr(z3N0oj^i^t)c*dQiP2^wF~On
zTgBcp*NR&(+f!_G{VU~f<97oayRpNm#RRyn<XI83gQQFyVZ7_^uSc)xyNXS`y+Zz4
zniXrI|Mpi2+}l`3GJ}Z%P=&TAtlgSAl|!#;T)X@`50hbu2~k&G#VFIfMR@PG5x!Bx
zRCoh1by*lKitp-_s&-EudLshb3Ma=Be=6qUkyMslv)DP^2*rZdxb1xdW(ei!6)7FF
zuVjS|D(Zj8bw6vIo1<qsRsrF_+mKKB2TETB5dLRg^aPs%nkPCQw^I6&Ox3Mf#6hh1
zb`M6kAiQE>hElg5Nz``^|KVp*W`#|I#J5ndJn!d5sPAdpvwSM>1~@PTVO_7rn+KCi
zwY5@CqwIeCZ&w5c<)XiJ+38-UqWOvS-n<yFF}QspIwKdpn^~gA7A_PYq;zu(RPq8|
zx|DMC%9{oeI=4Jiaox*L7@KPWD0@46TuPIlod$akw42m6yl1MFQ2rYbT(fD&?dMq3
z8$afx2pbxey7HAu^;@qcX*pJ~=2xRoUAl_*7($6qBoE=Q3kx+d<tQ%aymD@cXVD|X
zz;cdgZj*Pl$0?C3LR9_rk0FJ&!`(Ez+3WL|kN+7PE5%QT*)JnrzR{njPK1_P?IZin
zeCq(e(dC}OHsnd;W&0w^AUCTswHwugaek4J`EHQ@{T{56VQZAtP&H>RVLyGH^E8q(
zndp||3#%=J$rJ}Me}SEzGovDgX!pdXpZ5669UrHr)Z@zLvhxjA2PWs=${V*kOpc9a
zi$WbkO5#oCYMB*L66_Q?2y(%j`gW{o<5MtCDg`M+JyH+;`g_~XoZZNO^$qs1Sts_i
z_0`zS-lB&jr;gC`!?}eWN!+@5`>MO#JN19_-3fA~l2k5{ghngY8NUCGG&VMUxZai+
zSKXSx@<J3g3*FMeM1^*^jn3Ukwm-y$uN;^Im_J7m)_~ZL=a6II-LVx80K#83K^FkH
z{v9xQRsMm4(GZjh+-|~Ae;DonJRgAQ$D_Ou1O@=8G4=u77{DO&D+s5*`UwRJ30<d&
z3YXFMwhOpD<o%4Y;A5a2l{Lrnt<q?9SVhFq;~ApnOWW|6<Vzh!!OT!|?auSyht1!P
zQ=)@<lW;Rs!V~qw?O;clojJ?r8wTHpdk9LX)v9#8QdXL=tjh56e@GzGd+RN3Nnk==
zsZ|w2#2jtCsEZr7fczIs%x~A!wa-=)zjOjX8gHpZ-)QdzJJz+{qFl51%HjvhClP^P
z3pWGb0M{BU&A5B|&!ujL)GImo$|_P;LKZf2SeXB(AyK6UUu}+-IKHg_=gI{+ZL{*K
z2V=aE?i3aa$DS#yIUb8+Xy0qs2c9&A*mFOnR3mJvQ8L~D>9EWd#QgVL33^u;onLup
z3Z=1*!j!`ayL5KvIUdWwaUp{ISa_meT32Y|%Gds$#$d4vg8y;mJwTmf;S&P&>+cxP
z+&CQUO!r))^h$(xJO}OOcFdPk<V*z1!gGH!*%WYQlRQrPL=9YJcecUOC|g33(=M?;
zAb<B&@<=QG(Y3Q*SSji&U@;|eVyJ^wtg~&YKWN}4`jzUV2G?(z#pKFf1WIo!MtzK)
z^3q(RTcMMv5FffM?vevZLqoUZY6-qh;e?&KDC*DJeaau`j0nO_nNi2E;56B#qUdJ9
zM`P-#BLLU_g@3wHGRmHU)=fMR-Z?m5f$)3NTI+Bu@!9;ZXT5bZ!Nypu-0F`F@DF}L
zhM|0YM(Av{hS>Yh(Uk5?;ClLHcmO~IKM+4BeqMkQ0ryM8<7zIzn_}<EcF~Tcb*fmc
zu*SB?4xgKvPTxE1mWW#)VNGSj7eAkUs5tir<GjLbtdm1!he^xCA{+Fqlt0Pc;N{|F
z7?^IkgR@0zKS^Nd<5l?EV3w=S*t$VICNS7>hUP1jsIbDS&WMy+@UkAn`cUOj(#=?#
zRv@`GOz~4|O0E73+N=)qhQBbDUd<_^biy^G`gC^ey&R1V9}+PWe*I*yu0~n2<?)WJ
z_FoIPa1a@|WSqF%4HFr7tDTA$4Yh~VNen~COk~e?VRDWiWQg+DZz;>}SLIU?it)SH
z6<T_!J!zqP5?Hif&&$A2wGXyT7gcw{7z8GKTaQ;CI;~Ldv{t!)^2cig3LvC5-6F+E
z;-yqt%8Vb2`P(>NtCQRbZzqYbB1A1%5#?CgHtJZ#oNeD=9jQ;Cug6(n%YgW<ek7?a
z(;_ykDX8}%NmOx+B}UaXI0WeF;?Srlqi7&tWPb(Ec&1%Z%@226#R3my+7IvEk1_OK
z^vyU~a>j|t`1ZS2bjj55IXQJUTic!bc%!gfoZEi4X}v^>MT-C#I+q${pa9<KQ7?^S
z&Wj^zvnj#s=%5&DW6kH#T}idb>>6iAtbJ1cZ>AT%Ac*S?Jha1gh<bZw(N?Hs`=p$v
zAotDrUSI`6F&y#BXz%s$t4hinN&F|%577O6X9^TkQh)kG{!et?KJU>%1C%T;fWcED
zK%hA;*l8ujtOapc0Z@UucAM`6O+LYVTaE6M(~lp&YA0Pn4AvqAR6@TcA&lOM-@2li
z$NMXPkJw)syfDm{@au`4v1OD*ZR}>xPF47RG5|vwq}_N~XqtqVq&7|z@=M4wLbo5P
zkZpPXvLmfnyZapf8w|>aA3@xE1rKRLMha})(Zvp9+&y$h6M)a2=(JD9{-%S&G2bMP
zG4O0m(xYLL-DH<Y^Oqw`|5}W>_pfFBf_)(Eb?^yw(P-`c@A%7FURbd3YWkBZGQ3BF
zKsOUdD;XO1JMyA2m?*yFg&%~Na3%LQHp=2^1bWiojr`-?b+24{9=|%e?P8e!2ElqA
zk=1n7uT3JOU{y+Vk5`RY%v3YAeV-B`95IRgh3~Xwu~RA?Zy~3K+x{}Ogu$EjOY<5x
zbP}Tp?3j%Gsh9eBkxRzvV}}~OwIQq&uN#B>K#~cb%Y3x`^#T1H-m`sE^P)hkI?3Y2
z(r8E>$0p1t%&rgb!of60HZwdu;TrO5F6RI@oz2kK86jV_wiYBW!2!IY#D!yyFwwRO
z=aT%OyT+1zg_mG8mq8v;S|jyK>nQY^(&A=|D9b5E+lIVe{19!sEggowvFCxts|1vn
zMs1zyiRllD<);kqnf2h%RCgylg+JAdHG#$I4l+-wRpNr=W5dq5YXsBo3~Dcp<t8^3
z)eMnPpQ!n!;Zz^|bUQBDNy3J{pcw%7lPCHp_%;Xn5%B^1Z_7&h7|sA%aea<~P=_BU
z#+rWH=-h{&HUBEWpZOj@?9HL$-A+nX1q%Qvd5tx#{=(iHfO}y4Muu9^GhR8Hi=dv?
z^sPrF?z`tKdO%JP)^OONiI87k+<v)jO?e*pnH2}uHm9_Up0U(@(J5-IL^U%!Op-u(
zYk~iTXTjbW7p2U7!=dgki3)6e*bw()Vg{jK1$Kcvs)9DeKHu<d7}c7ln%(@*l_L^U
z#2{ptgUz!pe#uU<D@h59(+Dz0w5y^tl>Zb<rZzmyS}Mux(P_tO4TZKdq08fiOZmd_
z+irHaFssfAArzWN3bwMQ8GJLP?6ItiTDB~wf1wq`CPqk?o~maD=)Jc-+%h1qt)1Zu
z2iP-dzhx;GkD<mwR=RB>@ph(1vl8P-#hF99<Pf!U(8k>Urk3Z#<v(_iDsP$z7cIx3
zSN`ilh=SxPOkb90C|A}}N*w%qC|k!xAm0uNW%1FGILu=C>J{S1?kpzuwn=-g!ByVg
zH)_d#x3@l!m*A9=KL4C86FwM8<z+gn#n4gBSZxitHir90H33fGUAFf*TpH`TfOAXK
zBDDGsLehtF^VUUjKXk0f-{V2l#$UBZ5Q67!JEW{!vpv3lI}9F)FlF{pfIF0>t<s{;
zKr}g#lz5ZuAgZ0B)TPtg3v6bwkSFi<5dDfI4;jfsH*U>s!C?Dpmmp-O+p9FjeztD}
z>oWfi7P#TUQ{I0Biue$me$@p%fTRpx06^=%%q182nV0hXnYu8&M<+B}{h!*TJVl2B
zhdjW(={sydC;(!>*#<U4fs|(eX8_0q#(NC9|36g%y?zKzymaG^)Kgy(V+{*jKFndS
z4oz;P=2H~bW;k$OtJ$AZUX!KjBVk9btac3=7Uy#aNm>w*Wb5|C1X5Jz?PO2zih)fV
zZxVwGMe)%+gm`)V8Y!nmcW`g)J}E*%sI_61`?~Xek92J##4~z?I4s$0Y#dp~{=sdB
zl1(R+arv(ZpR>rlGj~|}SOy)@aPIlSx!?xD0Z!CSf}AZ?2TG4FjqZ7(gaolvMn)Kz
z8XcC`70<#Q(+iTUO$(0gQ<oPu>~gya$2aNKw8Ke8!}jy*^#Y=CXRjYRhL9Vq^?~<p
z6OAAIx}$QM4b4ZK?e$BOykA;beXv_H-Z4MO6VL8fY$1oo$KaPy+)jc`6SMC~%GSa)
z)GXGKVFX5Ur`R@}eFc8L*l^^DpKke8o=;EuSd~=WwL6jNe{XoX;)6<ZLNJXBi@d1$
zncc?tQj|E#7SeI6&T8#Im`u=&R|vn#@E%~7E#~AGboq+4g$C9Br#YRAx;%R^o*)2$
zGogFt5!<A6=U;JqtBWuvqek^Y;x!~<scetW9_si?P=W6)&2Y;ECCB48eQV{iru<)1
z<i+MCIlZCAZ=IFA>MyXSLTaW5aaxhhN(NmhL;^65+>Z>m&_pNyj(c0dC2|Sq#BVN}
z!wBjGd2+LT?KSJ3#7m6w*YA{x#3T-#QlY^Xd_%y>ap&AOf%{v6*UWpSuw$SVwZ@qv
z-@VwbD)ujFZ31j@tIjVsv&4dXLboKvp`JR*t2wuMm@{GI1uR^b1Y6KMc#nhk<M+H8
zeWA9d%y(tRYMxiVn-E^wADI!)*V5b5<Va04(?{`17PbdrH+PDydGH1&sl+1mq}E3q
z#})<@XoHO;&k{PNcL=_Tpg-UwdEY5ZQ+V_5t}xBP<|6XXb;{Gk@vWI@wH@{^I>28#
z%Q@A(W1QSc+}#Vv-WhN%q~0+0!$cFJ=2+F+CG_hh3xq`McGWnwK-`lb>Vz$1J|5^`
zf#FNWA_%b|o!?{%*?j(Wt}^;vIsJIxVr)y}NV?rnz(w~drz*V4JLcBiQabMp>96^U
zTYd*;FZjcu$gbfl3X^(;-k@LMvE4a7T~m)$ZhITbLjBl0#(aE@O30e;%NmcjYEIBW
z>%6-E(}N6_r?%M8Vc=8Q_Xw?QI#$E4PpgXJP6xN_*YnB>GRF_e;$tOddA2KOMwilq
zy2jqs*U$g#))!%xbX7t^FlK(9Iha-IQfP8U=No*|(GAS3(xPi{Dsp&N2V+B~HYqns
zWo*f?;OlIQ9x64wwx$vzsew5HDbd)M7%66-vr2s8I>ofaz&mNUDAg9}vn+)=zl?*p
zph3p4(y^|w6KsE5!>ie<9lr+pYG3YHMq$+;cL6_BPAUJ!FM^AAx7#pEhBu(!AE2n$
z?w;(!?n35gfMi_s3DDgGfDB-G;=g@rA3*<u4~#cK^;6kRJ^z;;KSzHIp8?u%8<)-t
zOQ(Wv+ddn0-{3bp?Wq-B1<x`Mxd=D9hMYg^A~O<BKkwp1qBq6^BJeYrac8J3?$BZK
zrSFc`QPDc1SwnQlHQ=Z{LhUcr9|zsvc`d09yRM!QA2d7#JumOiOhMf(o77GZRu{;!
zW>s*1j{XLYrE<UUSYm=zwCf+Iupi>my-Ph(#vd*E)@ouh(37sutUDKZofA<<a6Gaz
z&TsV4lk5)QF$P^0tou@<s24z!v_DR_Tqe$u^+3^P5*Mp>z%pjhk_lM1rH&mzKoBBO
z$UFCSk)2ErVE*yVg60~Oj2HVC`cJW$lM1?}=FiFswp2E`iaN6W_0&v9F3hFCpST7~
z(I0<MLf#)5V)E-fRnG0v(67C+!6^)#wZDGz)gh8f(AqOaQbLzQ9zRBa>T=EKu&?@k
zuB&(6gNLS8ge0MrIu$F8xS!LSg8(+;hcclf4aQ%#oGDuDqZu2F=)o1$s{=OehV5A(
zO{uil00XCMundax_U9cv%0)!4ix%sCXky+Fe~mh=jNu_ri@^xEA8pwBmTeb`P(%C`
zfoS+aoIk+Z$`>&(%1NVx2mLoGdg>vhc9R{fK;izXqu_<Jy~X+)a|zdaV?lVJK2e89
zi_|3Zq5dxJn-p{rLg(s_Q0pfx-I)bpW_#4xlyx><A}FO~&dQ=qe?5c<|FJsi&}5~R
z2VD>8_Wk*l_9BcVB&JyNHOxxfzJc#hQtFz*4dQd8*|$Qco@R+zvl#}c7+*V@IWE$j
z-?s?e1tb#FS+-~nm003q+628n0L#dC$oJ3w8P{^4TSy1yE|^y`M>*kx{xHp-!R`Vk
z-a53TNV0ip{FW2*qXZO>b-z?$*~K8p@X+;qN}sX6_|u1>AaOt;nExqX*LZu;4fe=n
z^)(GCA>MS{4S&+e+`9bG9d=y!TdvKk%j$XH1M7A<vx2@g1Fw?VpedtM0hY~AUK`Up
zhXpRplcV=mgR4@KyMJC{&r9PzCTTeptSd!qsY%c!Ha)pJXjgr$P9xQ9#C+duB+5Q$
zN8nWyvD5{-KZ{+Bu1=wXpOjh(B)RvY+)d?dtobP(Dq#YnPP3Xz(=LL6ovVz25nkPc
zJMp~5@-4kxxFADIh52iUA5X)X%j2V=8be_DA1#BMx;Ir>s}mb&x^(FzBe_|2*AZ^7
z%I-u2r?ZDJb;B1<kY+~96k$kp?a@hNq-7#>)|{28<uSZYRz;jfC9wWje+yAzge8|h
zvP=KTqHM|ARlF~ai`>2G5Q-jH*cyo46r`u!!O50=7Qj2KemxU&s{w^wt_!~nBl;5K
z%rZIL|DhWHRL#`$z7G6(F-FP)H`#vh@khc>rtz9U(JXS}0V9B{8b2E9f>NY^c2Qa+
zmLw**k9MA=#3xr45$QgXr`Ex!A(C?N;6B_Xfvk+WsQgSCQ>9LqZMK;~gVB)l$)z~n
zkE`6d##Xeoe>g5N<_IQ6zB=!0DY}plqS@uW{}Ke$0*^<Wz^kgAqk8zvjN?z+<K~Dz
zzWrYTIbr^bm)N1(gJk+%k*dZyV_~=6Fx|O}#`e>|7b&#e<i3f38r+Hj{3b=|z)*#{
z#z}m}6?o^<wI{ok^<%e0PB@(W*s}#Qmn#I#)!rWC)z;ieCOJ=A5mNd=rHT$#m*=DW
z!p;z0yYPO?@TBOna%b$3q>;gQ&dacV=vs?=JjR1S*G+MI-1KigC{z*`F8X2rY_eQy
zw5A&1Rk50y?S8e#3+$UU&^07e+M!44im}+-V>sFwmyhVn41Ci@!+Jn;Ejd6{!5pdr
zi$J@>te2)V`O>T&lRWLu?8^0)La?I{O?m`!=@=1F{8Dhf^bi-{^5CpZ{W~v#>B|WC
zeJ9z&=pq?CKVE!}wXNGNR18u2kUM^suZe0QQ^y+k^DuuoM5zy9a{II(?Y45B#ikL_
zNOO~HU=iucT4wjCS>=X_LXkaV(4Vj2FvpiHeTBw;-Ok_m(+khRW6hwC8@f|mQbzB(
zj$AUE7yJfTO-)`0(2y)Zgc^5y=&9beT!?D+DCT2ZSC<xN44TxNgW><8sr%)XzUBUV
zR89e@`W85Gl#S3;oj@zZc*n)zs?&WztzubfIcX*sT5zUbOPh_$=a!P}r@|s#HZ{sl
z&3XFh7oBu^;@$lf_1MIpWrhwvPCm@Lfa08)+o0B(qX}Ft0I&Y{Bp>sD^j;J2c`E-H
zdIKPV%gyKP&mS+ZKp(mZ-ur7HPs--E&t|F@p!i<U_7(JQJVf+o!usdCRBPp$1a~%<
z%+9Dl2mk1q>|)HeEd9@Iyq;I~N}YUY{*$9MMv7D;DA~P}^pvK{AXjv|zVpNq^P@kD
zwDyDkZ1tof-o)5(n$Xise?mf^C?JtgML?KNWxMwo0$a!#nS<0ivt6kQTs54lGWWe%
z9w1!RI7IZ<n%iSU?Gp!tvJw-GIlpJmCY(DsXgeoJ7VGH;96gDT=YVKhgWO8X9IZ<G
ze1x?}80gTsDp{I8sxqi6`VTaHwaex%c42;V<gH-rU(GD8F17Hy)lS`3dF4848Ky0g
zU9tQP%=T6A7Q4m{)NivuvxF%}N1oQhrRli5#a}>f8#p$6_v3wcKZ%<HCh0aZ5#j$`
zG7Pp{SqQKGBAy;y8Gd9Eq4aq7-G)5`zmT`(86k<QWtw|I(S2=$Jcj-3>6Aibc3o<4
zo5azV_%!H%^W*sC>qIWGU+)(;oTNIF-imnPD)9dR;Xoe0NwH?9Wke15@U7*~4~(bF
zh_ahpHxq0>psV+ejNl9+S=I`d1B9`rURbWkevz`4$HrxR;`j;~Jgb}RZVnutYZBuZ
zoOO6qz~DgaAC(3JV0B}h<9dC|0Qc#3TUe;?<~UN4OG)KztQX@c+oZW+7DJT=*?e!b
z5ObIZiw0RQuRl8h=oiUzgail6@xv{Qy&^|q=7+C{%jVMl@c;jR>i^y9|1YyFs5X%$
z4<i#Fj=@Ryk{O_tfpRKUV$cGvv!>JwoIQC(pzscRXMA?MZJnr+RXu0T<2dDCaF3!W
zgGt*WJ*sTw#?%h4X*EH)kOVHFITIHsg`lHLi_tcWM7#VDx?6e38pi-$wkzI74<`D9
zgHUe`qNQhm3)ldr2&*SxK5Boct1bIa_L^MK`X~1%)e`rfRT`{^TcUr2S<<)ZO?&WX
zK{o6))WQN}83O_;rZqbQ8f$2t!pCHH+^X0m&mpbD2lcx)PP%v#(I4mC-kYXRYQ;It
zrBo?2HY1B1%6mcU)5(Tb9AyTGN6UE9>7EQ|UIgM~FM+!x-<`;upUBp-weanvQkYEO
zc{eii+L*KSSudpPt1eR~*y-9{XV;btd8uMFKX~jd#8{XZ0@gAKkXf4{c@+N^PBgko
zIknEPF~5a-uI}O0UCg4N@=KG?1p>l#;k`OS#djVTsZ3p-&~Os9&dv)b<Aki*=t%0)
z5X4#zQFAVVA@zPW%=27O^)r4?p!k>sMdJ+zyfe1SLW@<_>ptNDsv-wUa;~&?h7xp*
zQ1)P!OfYqlJJD7t{zzYefj3Q(L3&hYUh=fnJjfA|;jiB4Paa4v7@w3!h#1UrYgd5Q
zqm`MaXc7f`xH?d=YY*@X7=Hm2{BmiM?odDokh+Z@df4~>aQ^Q<@Bex0|NRv#__ZaH
zZ9v2#?FCd1?Umu?Bhtn<Z<iE}Xs;u!x*FuBtz|`t3xAd*=9)f>mq64mKLcjacu7a1
zmeX4fpq=!yo>q|wjs8bVncAb;9icGXE&FVL#RKA0$hM%h)qp+csPTuQ3?ifi%z#Ls
zmx~SQq#O>I8#A5YFk`VemjfJRWSDN|(r58J57uTVf$VmNY0GP(a%Y&9&sl=Q)8_Z<
zZtk(H^bRE@33wm5HthN;dWGV?u_8)kWO@QM-HR1tu*VXMN`|l^g-7MdiWuz@G6xh{
zr|*7itd0NF#8;MsU38RS{fozf6WRb|V}i&j{L)8GLq<CK6bybx@v%wX3(BG#X7sl<
zS0*vT?qkOKZX*j;=WVC6^m5L1Ir^50L@V}^u;KJ|!i!msAz37cH|KY?h7Xf_Upz*0
z((C)q9^$&29i?n4N|wD4ZwBAx6B%GV5JHQceRr>#kR^vb^c*cGVSD(&N(F`*k%P7t
zR$q7gQ0FD`CbRmuLEFk6Ti=8;fry#nA4j(0C%{G@cmFJQFE7YM=?L!@ZknV8$dX#5
zQNKT_j@hBCIu|ty{bB9RyZ}(0N~a&!#lec%4fjgh9mo4wZO)aU#*%?EFs`gJ%z5|4
zjf+xIriU7J?`duDT*Mq^y(laPmGL&XY9PhA%%T(>e(^rv>1g{8zyJNm_5Z|f^S^(E
z@7v5dQWMFm-Oce|geymMukHx96^fFjF`J_42@BFfw<RyN#inxJG+m!~(chzbbSC&q
z=K_m!yY_dz<%(+gD_7yi-ib#3O;i$QxDVgesmm8er^I;bF<c=K(6u~INMkhDX^KbX
z`kImS%0kEL(~%YS7)}9vJ|iG;Zl4yoD|bmWV<xJ$<{&fGSL+=zsbZvoCy!79Hvd&~
z6^l-G+<f#v*O+@zu_c1IUR*k^Z=>%U5u;EKz@zPbyFPhhHz(UxJv8)weZ6R8!7D>+
zg>o9b7+H?k90w)&VFAx3cN>Km<LgrRpextf%c0ujA5#giuly;hD&<7Bf>@VBT|%cn
zYu*vHHXq&rbpB%SFy-|<{if_}Nk}1CDGvDPbR27QFuD90lbFpJ8>sT?D>j_R&kJ-^
z!QzvWX_>E=`M*0)kaL2R?T8L=2#Sea`B5zBcl2pnP3wCF4_1?!T&Y#0o^Bmqongot
z_VbvH2fib9LsTW&_dWB45h(&eIZtyx{Qm4OO!cI&iminErHAFG)d;p|(+7q=Ck0PQ
ze8`0Gd(^`UJhDneIFe=*+BD?Z7NaI=U{~5M3~3VJ6p`=n245Jl(8-0Iku`E_Qh~PQ
zH=oZHx~pfMDbZ;#erz>0tMi$TOdFwUG`*eCR=S)IoamDmzE=1^kHdLk{@9m4od5Zc
z@BhNL`u{7;W=72G9*-b3ay7-Sqvi<np#BaEB_VvqvS068MW|C!q1_S{&$ibSSvHcv
zo+n@)b2U=M{=!+jUye5OFG<oL?f_+sms?M$`^H43N3ZQ<b@m_Wdih<Gf5Fcrcc!HL
zNpScm?{ji{qpYO~KTsy()oa?qC%mSl;l(5A@JjoF8b`&Pcx_NEh@+tQg;X?OZK$IW
z!^^D~8>&jy^}VZ^k}&eCpYp?M#+GTk8k|Uno@^6)AGGawuX(MgN;FH<TEp+(j%US+
zVaLZ_8DD~R?uK|Gt0$S!#xj<t>_}SDI#9@yFn(KH+w?EJcxp|K^A|3KDT0~<hZoSU
z7^n)<>xSQnft$9QKng!~IZn!p&A9@x=Z4CW`cDw0OG&{LHB+`9_~+6<s4EA(1fSsj
zlzz}g^|;x7+g%lMBS-oY@m9(Lxfty<{_W$c_Sn+5sgs_{2z*-u3o-G_eMQDN>1*y0
zy|Yq{K08zWd&ZNc#}eiyc~gf@q*ED<Yp`)~u<K{jrAUJPt81wavl|xZ7}tpL@Uw@s
zfztaeLTQ-O^2wbqaTaU+JJr*cl}xW{oiuj+tGQJk>dyGyJg-J;T5Z0!H2mp*Ngzlt
zmI$3kz19_{8~GX9jYQfKe)9!=_#gJpGZ@ad`{T+IJw&e|dhb1mL~px4JvuAe>MQ!P
z644`sY?SCNN_2uqq9hSS^hFS&OGHm0%JcU(^Lt*$jAiDzKd<)9&V6RiT=(~TpX*%L
zNo|Al^yjSOjRv*3efuPOXQ6gjsM?l5;7v^L^2SH0RAB!P*#A34|0j9$Qxw?$JGWpW
z|9`Rn_uu}1K>snr@%|su^%2uqM*?sL0QwK;|0%xzrH+1z0s4P#!9@N~r2oME-<aW8
z{~?6rHD?_Oz!?DOKcN4oxc@79bpI<b|Kt3EiTwYC{saBLnC4jjE2M`T&N>o+GXT(k
zK>ts1|5xVd{SVy#dw#)0{!gO+K>r_xIM#pMX7z%zjs)Ng0Q4Ww|5Kd*d^G<>2AKbI
ze!)ckPgMUG2lO8!9P2+5?bwa8js)Ng0Q4Ww|I_UMK6?KH_y3+>Fp>Wg)&GI}|1iU`
z{_p8xzdGwk0M39@zW?Lo=YN6qj}f%QgYP?YlIb-Lb=W-pG%=f&d?&3Sd9b=^={K^6
zEC{<v0=IA>LDozf@4~*tS6mfup+xG&=kXH@c3xMk_UdG~Et2NnMm=<XDo1Pqp^uCi
zc4oenLdCg2)Z5c{d-tv@50wh}cVdHi_pbv*DvK$*jQYQqKZBj{x_2qK#*jtc*NnA&
z=jET;If7H0Q-0lPw5741JGj&pG}MfcM}Gu^!P_C!lvg?Vu}Rhr%#7&szvIu~^M4fk
z_NFd^WmKn0t93M;qc4%ZleMA_?m?X2XPt+BC@UERapvZc0bg}wW8!|a>_27uRWF^w
ze~ksT?Ljz;rwXYdfIev`_1R1484F6CoLHC)?u+qh|91IMpp|vYUR@hx`e8U==1V<y
z_?)K<NBWKi!@Y9N!}30AW7_8*@LzlJ@jhhul$J??pQd2I{w=hz4+}*0+{Y9DoANpZ
zj)6askSOTuS~m9nrrMW%?RaaYw2w`M%h57+I({@pK05a&$)f{a*yz4_Pft)%I56yG
zS;IzMWXaAi(@Ry@CiJ=ioL8O0f3E{2`Pw{&Q^6Iw-(#}wvTndy%t&aI1xLP({k~fB
zgQNfpVg5_zHJlJ42wfq?UY10NXR^2a6rV$_8c0f7v*s<D@UeV<tEL+LCFcdBKf^`&
z+bpbix~yrV@W|BBB>PFPa@v9U-+=!=&HG<Oj^;l~0sjBof{FZ}!2gR&1LuD*!?FLb
z<lB-x>qr3306_l%{XfO}kN8pjM;6fka|<T&f1>&y(Ep1Wj`bhz!rgz?kpP?lr+ohJ
zZ|8sfd;gat(Eo=K+R4fSv?5KHj6ZkZ`eJ4F=9VvxyHhc1cfNNR@_rC*LRIgcW03Fx
z{T_ni{(vft;YcEZh<T!*HMAEFHF&znY9eeCVtiTi3o+AU)r<zu(5)2H`^hmMQ;diS
z_3aqkpl|}>D0{=ZQ!m7P;^4GHEK}Rq9~$c0d=}tXVtwk+mFo2#U+}YtZvMBQy_zQ7
z!gfBlJ90GXJoYXS7VNk0%pG4zG^2wtNcZ|Z+Thk@4qp@=Q2On!#uUPovv5-<-qU^K
zfotq@C*4v%1o!{}pPmFgSK&2&6e_(&lj!e*Fy)>@{==ZJ__$)u*G}Wj+k<U?RkjSs
zvwdcID7F2|a0@~oRLt~^uncko-mc#2ruA3OrWt}zx(5y<SIL=q1Ppe!%J;ms3h|uE
zrUn&n_N11@=D!xe)-PCG&l>b<y%js>+{Z5(C&=TZ#?@}YtXRQ7eW}J5-`Do4(x_C@
z=YVIEB_F9(xYTQjj4pckQYFs^<fF0hw5Y@7`Qsvtu@`LNG7u)UaG%GxKCh%*S?%pm
z@(KbAD=C!UMM_&ZB34((monMAKB2iMzs_dVgsU>5>(}Fb?vefBC@z;(?v%ji#*3`<
z?+n=iDa!E=+24xPVG0_YUFt<acM7mN5R2_-`JhFkh#jLaQWfQJOM2dtS>gmGj|=_y
z3HokU4;^++x&P;H>;M0*e_;M6W(fDPyp3+IU~h`|%_YSr(pU4xTB7vavgP?|cad=6
zLA@VVf$_Mgo$dQc&-tEQr~E7MUt{CK`|p0iQu7`JznIw<G?SwYAQjsjs_^e_Hmig{
zcovM<R#ZAYAwzX|bS6#OsfYdi?01LfuJw1!&oe$CBne_LGi}X_%9>rb-d&A&9<PFY
zyxPM5WDN1vB?0wEn%?{Ca()<TN<c^b@Jp*o`b4Txk~cp<tyg1Mf)$(YUhKW=L~mu9
zgM&&GjfmrB3vfbLXPV|MVY8W4KMQ=_I@25tl3(}vN3qMmTLn3qK|-r%7M=`6PjNC(
ziZ73d8%qcvrq=a>Z0_6lSTFU|C)ebyWN|EKa6)Tt?$f7vDu6^|#Y;D#C_A~isx0n?
z1p6nnLZ;S93BxMaxwr+1UTj!Z@5kPB`LIUHWXG7MEIGa%iK^vuX+g5X1thEFRqyw7
zahs+$dTX)tLDUBwmi(<Hgj5wZ+Tz&8MI@bhznUu;&|I?Nzxw4HD{mc5<>Em5OCzJ|
zj#mRT;~Z&eI`fa>4MZk~Gi$T%J&n#OPoHwA>9hY51>+M{Pns#Jh~Dir<yg<oj*%<3
zu!{F^Mf1&ngi1JuTBMsA2Gm!Q=jwF$!YV7BY<a^vOwBGAbT5#Li7JAZFRI&U9?S~)
zjm^9>puW5DRO^SEzN($L74ZEJeE*-G|C2fD|C9pyf6p(N$p2q_|Nq<nD*^a_%y9hu
zKT_PIa@LUmoB^lY|08qsjKA>z|Ly+)_Wv-#+ytn_8t0+Senw$I?yH@KcKV3Sq@LGR
zBH)==8Lu>*I-Ma^s@Cf%CW?ZjB{MARpXtLg^&M(5R*0VkN|`531nLqORrO=J7Vi}$
z<T3hcU&Hd$kVXzrJ>yOfhi_sF@a&GS@4PjKYo^aV=l$ap5SdU#W@L`<odq7(O!6I-
zodwmoG26j*vn@0lr{7a2jWiqC?_Uz3kHviyG-ug4{tHU3(f+YG(91ZtzN{h!Y1Xl2
z-r01?h}%<1{fTCSOZ8Ww>ykx^R?(Hn^$t>VwS@rNVOK>(r3Ow_?tu%)-BNHAC?1!e
z#>?RL+AfHy2t4!S-C;~_?zrdXHdcC${eE7Q#-<8rO%%tkxUcu#-V<A1akdxH_HlYY
zWY`Au4F6~oG(`71P>kIF2i#jeN1_xpFu3T8cUU)Naj~ATr#cyy6|GNR1|^PC8`n)v
zRd>`r49w<7J=(F1n&VKjUm)ih?&T*du6l7vbdlWNdVrb^c8ztPXZ+=RBa7+0(x1Qk
zEN|jE_24;E=knv3dV1ZyyktQZ`BIE6cMA@EvvjE0=WdKg&(rb}`nxqELk4FkOjLG8
zt{+k;e|fsK(SUfDkBQcc_0O6=gefG#M1*MYJw#`rOq&KCw#WFmYv9ULDV6w{&bA)y
zEv{uY$l+3ebOdY4eh<a;<d9<8OiK#j{{jDhiu0e3`aeX0{-5&;Ch~uR{lEYFH=zF*
z;n@F6YAXZh|Na*_<^Dg>qi3AR{{#L17{Q4JIw(CLl*pbp^M{b#rsbN=hJLQb?fA^<
zqB4+HJ@+(urEUh6M<-cor|I{`&8!kiQV%PxxGIWp<-Hp))DIjj5wBOqxp(~zLN4jn
zhdvMIvdOQJt(3350jAVX!$I*J23dL#U3oUE)+t5f<{KjO!g@Q`!zA0`ww_3ek@?+;
zI`tdO@e=K`8bm@W(?KG%e0^b*wRE^_h$u0(AnxGM!q74}fz!Z&v*nk~xhd|ebnOLI
zC^S>u`uz0-q_DmP%jkTucUOGS?8=vsJ9~kt!=EgAv<(J-nL2`NATP?E;^$34_G$z)
z#z9>#);d<(@HE1zBL*K0%FM^F-SmKwk}AzMYnla<XTm(3YgcTtlOSe<w}yvHwZ8Yp
z&PQ{P+~$M$>`l!sw|mY<%2WxFQ(1R|*h)Ve<KApuD(QvoQf27H2&DeZw`5fJv_T*E
zT_BTZFPtEnQU8`ZF6!?-svu$P>5iszSTC66KX}WMXv0b+GM(g9=zS&D)BRcX{ScRu
zRpZaqu<LHDW3-wex_^o*@{Jz~Wz{qV1zu?V<>~Oj*5yjK0$YO=Z2ijp*$J{B6U5Iy
z9<tS)p4F~OM9=GL5#-^mRnk*LjO?)?-j_?B$;^JDL&O(&$lua`Tdw7gT{D~wbIX;>
zrrAI{H!G~lpn5z^3%J}C2%H(0!GQk<{QoJ|f25B5A8`No`2`dCKY{-T&i`VHWB=cM
zNfD_3|1SdQKcN4oSpSheI{zgO=>NF|6Zt=p{sZ+t%y6v#uONtpvyKGd3^?WUKmWgk
zPg4H_)<0%&qnk~Ueu)gwic>pm;(fYBp$naGb1i^G(#(+HbNOVq_H|_?&^I)BgF+@L
zYF}v@PU2_=Ukl94Vvxw7;;glgBii|>01tLZR?v6caitEsp=IkMRM&K&>qQ<`;i1^q
z59Rb8X}49no3JX9u)FVVYGcE2K~(vV_*GF`<iZywz~vK@MU=suTSmU`h>ggyP~|tX
zNL_6&Z`^thdTH8X+1~Vg<JpoD8JiGuLoTay&>AwZlJv%xMQ|`-0RC+IuaN#*`~@S_
z?`J|wTzF9xg~=5+)SSHdARYuUkbkD?RS>mQabt_9)$HLwtBwt`VJF%|ctv-x#~u|T
zg^Wb~#)^`+S+$pi{xw7NUfe$Kr3-h7ID3gZe{i>xhBEffM0%;w;qd7?DsznBI#euc
z|E9B*)kFO13XTiBCASbm|9hREOcrH;TS_-9sE%9jlKW274peuirR_1hqhkg=UexM-
zd+!cRO|R>F!4IMAPj&uR_z9Viy$B(ToDYYgfpWz>Fa`9+54QTU%qT)d;(HnCNE>cm
z^!@&g(83Fh2%#U@KF#saYG!?83L+qo*Nm+}nKCktutu=+XCsB<CbV-lESQ#W-s&SI
ze#w?nMUDIA={*q^Kk6l?Zi&bz%x$e|-CU#-^Sd%jjE#ctao~*?wL>U-Er*0%es=v<
zL$(0^AMpRDSpShds{a7}zvmZB<R9?==a^&vPfJ~bIO|9N&VbXN|9SL`zwrP6p8u1O
z1lB($n83|TZFHJ!HDPGTGaYMc7H=76>(akOVTP-Ikm3YAv|C{)*SJUPnSmehcB8cP
zFi$(Xhn2ctZ!J~cxPEGtU0&+WBVNBor$olRxsRLG1zm4=aq;b1>N?O>O~T-j=6nZ~
zCg`!^#rOf6OxOc5v>;NSefYxC>$39KUL7vWOVxUnV#$bdUk;y*Rb8W?-^*Iz*Cbvy
z;JSIKEUpxL+Y9gvz}<@Wm#F<h?EK8ix}UtcuJ@9@P$e#3PQU%#>i$K}F&9JJfE)7x
z_>)FO9L?#6@k+ncJg7*R*QCEK&J=xMRj6Fhuw3IDeqVg^a?xm+uoDH-4>)o&Ncg)L
z`VZG-Tb_P85U#1R$@Z*qL7y_&;%{efgGquSycw*{H~Ta*427_lsP0t_IaAtH*X`}#
zpAf=6YG*oD!{QR2^q;%6aE&CJS8MlJyaV}%nhAtcEDq#TaB<w_q>;wCIm4ef%Wsn|
z=xG|pzSkMa%^p?m@<h>fN4GunDiIo6ZqwBoQ&Z8(SqvA{&AznJU<YsR$;912@47QB
z*%+lKxyt)I6x-ESD$4wsN^@`AIWk0IZYS+QeA7b?1*tz;T<auns%}oSGjI)!!u-kk
zc8yRz-$x8HCvML05`6dO9OZhVZi4l0O0X?y+jF16oc7z}c^q{G3N}ZF21*`+LN^}*
z)>A(Jd*byk4y=ESFqON`7i7rH5(x3lk#pU+p`9(j2KIn0V#y9Bc2vl{`dyhkYcyGk
zZ;fAUF}l7w2X-)+PJE>N&Xb20Bw?S^95$cQflbdw=4e7HgiT?=p>#EB8DjSHiLOkc
z;@oy4)|P66A(jP;K>}5UVDUdH`V>*~@@m<>6j#mhw$|RE|I9r7MShz~gE_;Oqs5jc
z7TGW*^9N=KcBkln$=>fe39F=G4;TW&O+usz1Sj}*tlZiK0*U{_-gyN@xomq}a?S$?
zNDx7Cm|@5gBuLI-$U$<>LBdE@!T=IQV8}@ZkSw4G2uKEJ$P$z!0wP%?d9HU?-CMg(
zori60aaW!BJ@s36ef_P~|Fu?iFQ7uPgAeE+FY38@5f?*?>9`RWRk*M?2@O0iR?Sb-
zkjv6QAR!~t=J`px<R)1ko@3f@8KE>!!(@^C!TyZ^kdBdjefJRI>$@ug*dsaIsbcx3
z3d2}X*o+F+u2YzhJqMFGAGIS@oc!?e#Z-d95;FZ7+rpg`^Wvp}odniRTzB^sE@K-C
z<Y9=uoB6cg%e|}T5RcQY{4uyJC?!sB_NY|5uE}~3w!EK%=XJvSn7wL$dMGV!Tnj=x
zYutO*FG|w5Y8d`uNi%Vq`8993B1V;_ELMV{?n?ayfPRxuM{~4sD{@PVrkqrHh`oy)
zN<bcLIw}p9Fd7*$%gsb;${j|yP-oB38$G%cX2hhmFE&P(Q#iN~VltE(i!Ggj2~^7;
zG+ut85#{{pt8EFicey9&U0{tsRTj`OX`w+#<h|3@a9hFN{adcLf3^Pq@sIsX{tt-m
z|9vSqbWZ5*^AU;P2+Y2!umY2K*(NhUdNlex$<N0EP-^(lrn0nyuy1I^F(H$$9LWRV
zrfyrO4KdJVReZ1`%%<40a@<%RC!1!2159yraIX(Fb}W6t7xy@Rirm&H9NCUnj|eWH
z9pY$?yHeO`@w6_=O*5h?+e#mq$y`a&nW$c+m&;yiq_JttoyJO3!VYtBz4<BW`4#_q
zA6>1s)fuWGdS<0X@&m=ma%{oLqRo%-{!b)gy?fu~LWR1TF{#gz&(_5`@|Cpkb{z5K
z$E^Vy-OKDEqc`erD<*5mL{0U|8!RpfE^Tk5qxx`k5%OLkR^G+>QL{TocDWAggo&>Y
zsZL7k?iK)1uI<-(xA(7l=ps4imCD^mphw=TH?M^HQL~A+uHiTp3ovedkpgp{8Eaz|
zJoR)(-g#4r7hHS3iXqZ;wep*06=!?JSlhI%X(hs>*v&O=?9}hI-dp)b-rN}fq_#;4
zQZV!5J$g7st+X*AlQLnz^bLk$m@HW{gvWYRwkuF>lIqUHDy3&=qihOo(!yTraa}bj
zuHpj%?v^h$5x0ed?er6~yd@eUuCisjT*ClbdQ^7E&O@ojJFP^X!D@2!<)M3qX@V*&
z6(7O-K3o*2>0szn6J?I?SL3%!a>NN@pAtnj5_!KuX7iH`TPu|GG_&01<28CgGxDqZ
z|NZ#Ke#-vQ@&Ba&?J#P4Pd=}}82Uln=825p^0$24P2Nt#;n#w38;ttA5PUHAdku!P
zMEYrI3ZZ~zicJ!*xLAkjHVx9SIYZr^If%zMlff#DX+Uy}r{l}H5xdPW6_uKZ0oYD`
z4xCKQ1UD2@Zawigf5f?%M-9*lsX76A7fb=K+wVC8v~vWt2YaI2+xypfK#P_bvL)Bs
zTiQxF^I-a!w>x8wVlhfNu$Pon6^A0p$K%XsGV0_g4*^*tSh&}|$+`%od?~X$;7BE3
zSlheCL!4wsUn2?U;%MvaktoiBlMn?VPWm7+?|2t=(nO__03~rR^Z1Lp%zcG#dWffr
zSd!9c^<U#+Fm;w?@Qq%v!X|s2%OL-z|7ZibVzzL{o6X)*o|~yWU0Z|@AoKoWpA77!
zf$+*(vf`zTd`8wWQ(s(34a&dO1>qpt{9JDCB@+Wf$SX;(S4l7y;us@>U)ZUdR)~5|
zi9fbGP_Wu$CV$;vm!9k;_dUsW{TgP58x2xhlPuoScag}PwL~tJSjZ?IYrl^ua-%1$
ze5br@_K2}d`2Z$x9~^FMk@J1Y5H*e~Wi(e&_S#IHFU^&j@(JWRzxT-=u&;3bQCFyZ
z;sZNEf*2BQw_^X6iqFm}fm7Cd&6^w~>vA=K<WojI9ee1VmMBt8N8|v`yi|>EOJntw
zNCer&FOL8Js{Q|e{Et5WF9n~|e4K#ZrFlgDE=Yf4C9SO8ofKSNx+>Bks$&RB%c5PR
zdevFKYwee<zDf}a@bz51?tCa<9X?>7W%-#_XJVkEfqlJt(w`IckRvaNB?$2O7Nu9T
zGhDCm@$rWGdt6J~;y~HBDbF3+$%$GWGcF5M`x2G+hHc2!HWQ77jtk5AA;n9O*;kG2
zC<a)l8qm}$aj^(GQ_;D_JWrzAl40V*Eg}J~FvJX=uoYOK1YhZEWJFDHs;t$(yMb-#
zykX&dz5`WlI8w{;IsMNlf)$N*_l)jT<{HFcE1Pt)nWZ=&aDy&tGa)qT8aR4_`L5Rm
z^0<I6Q)i@83HBmegTB8FJMU9y+;bj(W_{rMlBM#!!nK3clkW3(PMBW8Qx&~y(*zG1
z-_Q~>iQ(^06$n2gJT*>@u3{$p+!g5-Uzoc)m*XFm-~$aCcM~9*8j>mm8Y09)>dN$T
zbM24CI&EC})8taB$unV((oGtt+VyO)1Y}VdOBvrG_j=`@^yC}aTc8NB5F~~BCDE8S
z5NnlB$4Kal%*oBYf{K_%uwAoYptz<`;~d}Sq&y>F`qw1MXr<%ZIHMWtR^CRz1`U`;
zus{xCTx{0buK^tcNJ@wf-m3D^st%y*9+ihBN&ctphhe4enN&FA^d(540@c_w4yqah
ziQf6z5qH{A8#ucDhpzwqI{gRw(f>&t-T&*K%Vq5UPu2g>{XZ{<Kk9#-66O-WdnIUo
z1HV}R3;&qor}RHM{=XF7M_aqxZAmn)=;%L09i8n)T__953?B0J#%8<nQ9PA(%0&gT
zY<}vS)@@+zCL5ZPa>B+xxE@O89bkatFnn&ptg97qAd<P2v=CW3R#P8L&xVDGH?@Sj
z*o-l^Ea2K%Dg<|sgEY+_M*$So$LPH0*E}e~5A9rDsrs*v9jm_Si&TbEc(E%I?UO&*
z#YyA3lXRoyE(2-SiI!V_bsxLTFhcDL|4zegQak~fJ({_(443;al5sn;2bsS)yGB*8
z6OF1=B&#U0lxiKCYB6|ZvSWOsPc?lGqznyfJCj%wU8Eu?A3C9im=7mCH+MX*VS(Gf
z&G@>VW)b4M$tFJs7R>o5@V@5((|i?tLRdQ|_;f=k<vhPept@B_7|IXLWB4*}DsA-+
zF}&8SFrKAZxzJ{wjmlW%{7$)rA+DA^JkN`nkx|C7mPjELTMM|ioM9Q`Pvr8(kGTBR
zEnZsufNH5vPVVdr6qXxJfn=$nEIZiQSgSBH_na%r>NpH8U%#ob!MG5l!fuc2hH#ua
zNnHn2EVf$-)rYX)o~^eM+p=ZO3|xCH4hvlvPgdKLTRfE1f^fpQ^$W?hUEm~`Hf&qa
z&AHLNnIJ6x@NwC1*YH11Pf;j*cu&P0w%ts@&o4m+ik_Mv@P{Y7v_IWKMoJaN=EK0A
zs;f1FJpHq>FVOlQt^a>v{#W#e{zKpY`R8&O`~Oq=AD#cZ9RAS%59`()e)mey{04q;
z{r~6h|DfOhycBTm7@4|tVtGnYy&yfwt-vSvrWukMy=tt!70@2Gc2@Mjaf@3!k5aFF
z7Q7$8n*L@7Hm`*mwz+q@n^VHh1nTZhUN9XfO4kmgLj{S^E?k{Rv%Uz%CewSxrKHu*
z8>L=t_U*1nt(>J{nf|?DtxrJ%y#71dc`<>86@mEGPNeFi9gXw8gmwf~thEd|HBn&5
z>V?He4TsQHIk&wJZH5<D_sgP>tZyi?>9>D0T<-4hE5OER+R{$91E^&dF~r-SXHc=I
z<QroTkE^p(vX_&_727`Ja9~$H^G<9lAiW?-8yYS^Fc)BFPE1g{M{~<=&noC2M+NAG
zvimBgFw-z3B?R$o2QO4>nQm1sW(~N4`(IgnTLX#Ic|CtxxqyP$dqoH_XNwvOmMaWF
z1!Ds$Cfq*UP^8t^+SWU0&|3bCqvUj}$OA+QpLnM^M%T;rrn3p>VM<DC`L2^-ETs|G
z+oJGkdPHRlJc?d=7AQ7+0BfSiC`Lgv>g!85bmuf`$iF1SVV<`3ArhPAa=Jv)6(z9-
z6h1V#ro8%k@&bxUrGQ&L>p8P}cFOtb-kb!qG)q&9!EpnG;-a4GRH*45Y{Gi{5Ih(^
zfmg#6bC-@VnC}BB?rtJZGex$s_9>IK5$a6RM3urLJ8Av#nDD8ry<ZP;g^4%gvy}pj
zTW6I_X#J1Y|GzN*Bl^EXwEq9cavA&o7xX{+{r}765B<OC%$)JNSAym@@VD9jpW1$i
z{b`QBp8p4<<Nr$n?3+_6O-joG@Y#R9GMj)8mZzn3zA^%;#y4QRsAEsN=1mXLCU8D$
znWc)<iAaeD%*RyU3rG#<rZV81B4v~gQ5ADhs&4S?IRvh6mmq1)0p@&tk3wwl8GWgd
zr93Ut2*X7Q^D;8$n{1i)fo&Mmv$Tg9tl<wPbv!Z6zhbrTl2klnc3fl5OK>6%XyD0A
zH{Gn8ex$uQHez}wUfg$21n<+v$-DYn_h~lC4XcOcgFcQ5EP~R)Rp}O(@qo4bNw4)j
z?A&ha%<)*zGb)z&2os5Fu34#sn_-s@mKEuXtF8-u6&w(<qknLGy?2LsT?OlfD#W5n
zg6`UJj4ViCZI1FfUX)$*!QkYJw}ww>$%d^vXAsnh;*CPF`{}0E=KacVKJN7M$<i7;
zwy>J%*orS9bDLM$fM==c4!MpzJ35;ox!`%)<1^STK(SX+9ZX23Y^y>KR1vIRhT2bL
z%~?qxtG)V~r^<vt5j$5Z6}7RpFsnVc!2=dsPcYs+Nc7{NxDj1;H?^x&5}+2WEZaqG
zLf8Faf0eWps`*GtYAc!G<L!Rx?|cu5R}A{yBmxxjrwpDhsUSm$`&{XWzotC3F}L|L
zkN|D`i0_vHiCpzm2ozavo^wlP(qcK%=pCLsHRI$x!P!4!b1S&%*j&;_sOJE4qc2eB
zT*M~a3%U18>|a#me}=;U_w3_Ood1I8`u`>I$N7J^V_WZcuLR9+;BVIdKp}yDpW}y#
zi;4>WXZ!#6^B?rX{)I2&1N@iU|F7}?e}n!*=YKB+AMz+nnC*kBK$!{!HR*^XCPlbG
z4=!9w^2$J30?Q*#|A_JXoy}$@`m8v0w3tp|L|puLn4@lHhKYvGxZ9^HzjnJP70njI
zxvRTDB#yf$>e)Iba{w765I)GN%&MfYakMm}ns;mIG$VIbu+*qtTIa?~Yyvw;Dvxvp
zkEReyXHnhqjwT?YMAp5j=~9xv<x3=`i9$(h<V8k3>M-Hpor8uax7po<fM=V9x{3Q1
z?JFknp-5|7pt$uLxevQuF`j`jY?w`QVW8(+Rm44@m!v+q%EbAVA*AUQV*y8N@4(9Q
z_{02f`fapT_oAPL@3tqQfW|3zUvWXq+PL*u&vG?C&Gk+0ykD3ya_3s-U4l@`S;8Ti
zw>$R=0d=nspF098#Aa%ZW+DiYbTtXjUFHyisi!0U9(f;L9aY#46~l#-VB-D!0dfHC
zW_tmRMW`~159Ok}p|7bZp>yxGj(bQ3N!%$yg4L!>ozhbRSzYCH5{foSr_<XSN~2bI
zZ?F4pf^`UOd$p|;C0ErP&*i4mzq4Ce+|xKIyC8pUz)2J>(Iv|cfj1t@qqZjFr10*J
zSW)4g_<f4J#Y_}ul07KzWx$EDgo!<ef$mqPAK8F30Zf8kU$#R|-H0(2_#*bW+{WWh
z0VN!aUJPH3KjRtBgAz<@+3jq27w80I|8D;e`n&u;2<`tbgJ0tR!6JW}<EQ*T`u*=q
zVLWO@r>^zzdx_b(1Ky%ED<u7<+BDtNnDrB(wTA}=>XdFJ+sOETv2#{Iaedhu$AY^%
z1cEjY+?~cku;77);1Dc<U;&!OEjS&ZAxPta;O;H~f@^ROG?L&1nW_K1Rkv={yv$6J
zxwnen(|OycYVB{WwZC=F7MK|r8<csEF5V`?1)ki(K|0BxBcP%}I{Oi^Y|=V{^LXX3
zm!^7XR9R3(Uh&A)1tQr5wHMFNXjoDR?r@zMn)QQkUSmx}E@2-Jn{6R`=?Jsx#-?Ap
zCJ};*`q-@t>Ws1N*czQtRbuw1nd|Qs_vt&wVe!URtgsjJQ{2fnJ@6)NP`C(*pX=9E
z<$k@!^xI;J!K9@<zB?S|z4=%Yhp<mCDP1lXuo<(KL4+q?6cufxd&HJXUC{uQu!X{B
z!EqhSV^zES>o$`|eO`LDg&pp`;a8;3i7HEx=AdFx3u?Is5q|R5e*0m)+&5(+1TkCa
z)J+QniY%O^&ejhZMWIS4+PoUFds7LHl;6?~fovTCQuw>#&)06|lE@c?w+8wxjO*&v
zS{5H0x^AW1?j!|B-qLevxXqn8JF$@<R|o#gF;kiTWNw)2vbt)8s`9z7aSxFvLidI{
zoVAeF85=Lp9+~)bwi}#Q8ci0vZBGE7>mz#iAfzKpjp(~6zEI0leNdd2`8AsHmedpQ
zjJkFrfECB^j#QW4K1_C>+r`A>*y2^m@NFbh12>I%t5Gr8&kjI6GOGk<KHA&YXjEJ@
z7GgnP0&n61F^`!X@+x4S4x+S0>?AzDIRA_OgY^He<o~~~d!PUR1iv``0>AA1Cv+eG
zKf!OQ|NQ@U{TC3q_y7M0`MN|zwLr0Q@0DjU3rpF&zPrrh^7Y&r%P-r{D0I}>$BLH+
zsgqC!oZ$IM^65%n+yXYOj44OAKp_?){=K(PV|TdyWE0PH<)!2Zg>rlW(R=_{&7%6x
z>xOBS{^G;rA7#Ud*V0tAaNV3jp(qI?l$N5=XPj_iu(FlHYbT>FBmTM}4?7G*Pc<*=
z`rPyk$?fdf`P@0-so+CyWxNw|l^%bOQ*7HYdS9Ol`xZj@mA`+02<PY;V-tr>kBS?e
zeww>aFiFL<DNfpmMs^{E4o`w(BPtlAJ`*hIvh4}kf0B+H6xOy3)NFU&kU7l=Ow8%G
zik?fj9NUVBe_hDjt1fX63*!rkMjlVED-fx5(-(wSe^<2U?SJb#nKiIj6VI`JD8OAe
z9@+f)$#eE}j?qtGOspJx#EqSQcn?|=8aoY4Wh7YZ@<=vKGaFyB%8XK5Pj>&Y+>7I#
zrMxHCfM*F}fja}$?QD-v-#L!Ck1&C$jK$?@q(-k+e!Q^<V;GxM5rftCafd`-TA7M^
zodETEZntj|T^U+)s)TNgkFV&|GAk+Od3dTUa0z_uZg_?}J)NL!(Dfk7P%hh2wOreg
zl3;SDmi*Kp?os?N1P)ZN;^JmB7>$LrQ@8;{n8NZU(t101R|@Cod^rul{fxo_UJkhN
z=X5|uj?TaNJ^jDf-yivf?*0G&2mF`+ulaQn_Md)}d;SCb7X1tV@6PRCI{)+E>;F$+
z-D<?>I-P-O#?@=&4oL(WRd+V*eIxB1$W9rq-Gj`f@HbH4riX!>l6-?fu(8%|BJ=LH
z_wSE=z!RRD>Pcrx2B}U3x$bw7+X%PV;)^ZwO+oIi6+>Q`rpz5*Hy_kWGQZV^@tARD
zCyz1v1(0n1S%u7`dC^B;a29K^gzLlS`oNbO6&oQIq-O0=g)AP_d=RMHmEC(*Jgwv;
zKlq)Kn%|w3Xg!6OAKMqeF(9Jw#u<Grwk;}gJj&T+F2i$wrj1Y@s9F@~#1;_iK~>|4
zKUj;kq_kt^E565YC2T93(*qn+7}$TJT_8>t%>2S12(o#*ho5YT8?UFyH6No@k$zA%
zffPeQ-C`k-J$F-|PH3R$qtT$w*4|0<+DdxU^@C*a#RC!XKE1mF_*8I8`v_SnDZZ&W
zRLPVskR?xP4Y5{Y61IDkBS!vu^FwedJ~!mxCj5*(GJB?;N2Wl69qs#S63ThE^u(?f
ze{aBL-my55o2uJqyvy^tT4|z^t+Njv$diWO9-CY$Gkpx9YPo{=yeKiX^^P??Iw))=
z<C5z4t>BLtLyB6LL^?GiFY|dY9(LDw5}*9ZeUJ@ftFF$t7KEkwE?27|RfW<jww9G{
zjn<~tkC>?WwOY;N7vH`SVizW66B2qg6?vybW41^rG2X=@`n8HY=o^;pf6w<nzd--@
z|Ns6Gt`@(g?Z{N`eBZf56k|@5>1z46(8^VDtsDvg)<?kfdJkt89s0px^22CCL7FNg
z6+P92KREbWhM+w=kz@ooZS)KgUv)RxjxDWA%6GA~fhS0_B>Q37l7q|R-`~ITi+pEG
z7sG*V)yKQuU9TLaTNHH7)m-)Ucp=F*j?Xcql~e1LFt?=dH`y0hQE@hi$8-ugQn-32
z63rA<mK-Cpjd1siHymu=F+1X^3!Zn;ja<16Dp4bd0C*^!*5o(w$nphbc}VfQ0oFWV
z0br{W16=BITzE!^HVK~(H&|=cOjwps?L#^dQ~j~OJF5&A@?gSYhyFAqMSMjxShgLi
z6<GgTUEg{`eHi2B#p?N@3%8{<NC2VPev}j%qlwR1sG+rd%e~B3HYkx=qFgQGB|c}?
zSdrL@IYPbDW|l!F*b!l@v7d|N!rxTOxfqb%g0ABfGV3s8X^MH;nUDF!RLyCuL%Q?Q
zM|IntA!s<&r2&_rszahUY5o<c$EQb^{i8kYd^v`4als<X&L+Fu$qI~0Ews))M{QUI
z1*>RCK+gw7U;<fFLCoTg9!KhYXsit9Dw!BsL8#me#oX>|LKY>9$IAcIl1~}v>_9P?
zR*rpF=Thk;e(37BHlvg`mWyq}*8Kr}$sa>r+hFfO6d8|4Z$JISPJ|*}N@`m&_AmB-
z{?Yj7pYebAd3lBY^8fDVKYxZ_9{>NT1N@?V{C}<SPvrmqj=zuy|NZ>`k5K;wOsO{j
zr`Nw-TS!2ked{a^SEPnKkV6BzcHxvinLBwu>FjtR_Vqj-Oxx(U?d`RSW61$HU=o}h
z<-hK!X0~I(jIs$WiCh?_opaoXw5s93BUF5-g%u<9ye>Y1*I-H`+(h2iz@c*?XjTkG
z4>=y4L2unOFDzc5ti<n{m*P=O&~Rs;p~@xNTm@|<vEcHjiEW(xI}xf*Ielfi(F=3h
z_9Dg92n5L?mSvJ1$<?LX?Fzb;x#H4v#YNmZCI@v_E;IevB6^HHqlDDL>FTr9RUL-M
zp%u2_s8XsiXos=UZYi`WsWsDH+tFkydM1I?JvAzJFs+iu;prnerK5ur`X5<2v(qpw
zy3It0F%(I~K-67p0)SF)X<#$$Qevid^6bY9W^E#A;Vio63RqZ|{Zn2f`ZM$8KQ(Jl
zf1K=9zF0`K=!ELtbuK9B`<$gJKT?|uT+8{9MI{AvO_kX;uZqupJLCpAW}B%Q5IUOS
zu54_unM0HW(sPhUn-~i<Q++O@FQgO%tl%AC&Lqq;<zHciqJ%MhABKDlp|s1OGdx#&
zbdEvgX7#+GDi)#!ge{(&SbZKWvLTeLWd!X=QM^8__AeA{q3t#c;9FOOJ!Aed0(0vM
z@Zv1U{2`utfc(@u@PfmjAHRDIRezgEpY3X93T<4od@Kxg0RjB2`se*O^nZW<`yWAN
z_jzL&YNnMnEfgj^cShcwg~{|~`P0JzEqp#Y#)6!smuB{DAe&hO+!7~AXynm^=ui7g
zRm;j7OiVECLIkC80_BK=xWghL74{WvM>e)y$TUkZ!!ULKS7OQiK&on9TP;VA&{f$d
z?y7IkRPn<$+&x0Rn=w`vNp0FIzfxrxGP<d~oew2=i7ah42fYG#aDW~R(l(D;=J~7>
zYFJyZ?52Mm7+Q_hrPIN5h7tq)knr@_c#YESQzM1HKGpFJcS-)P6Kfp*g2F45G@6Ym
zgu<g9jjZ#Bfhs0p4EG~SvV1F0PFyGs3E!K^VqpvySr+^^YH#1jFp?5o7&u1US%K^e
z(%&IqaA86s_0_D^C{xdkrR?<}M1$gIJsYWo9o#^4&aWdx?LJ4ZN@VE3;?<a4eq6+k
zw@*KC%uo0#j`3TMXvPgnUNYj3_zNQP6iBlOSkunSY{SVF)<cwxRH+^sSulCN&X!f1
z6YCPLd0NTC{veCSi;Vz?9EDFSmIITSiS~0x?H%T8kz)9G(|ERG$I~@qymYX58s2IP
zI&{#EIe++A?XkB&)9el1gIMDsrkd?*1$dR7ExqJBMII$f-J)5|^Uvz&#geApf)6JZ
zaxE3k2e-(U0pn&8Zf<Iy-7<b^w9dDS8j89VW4??KmlV3iC!0sTqy`>|`~6n^^Yi_+
z$L{O@|6O|B*c<FiJF#;W#U2?X`Lx10YI+T$#6rxTdo_-r9cc75%VncqE0n4OjoUb9
zj3|@!bjGJdFBkG|59QSy?MRoqkB6!pn2G}2U(QoLJz^t;O_kQG_wT<@;L5Rse_26v
zp>2e_#GyU<)ONJ>Hi<halcNo>BAe#J`q`C!@NCjxTWOur9LMV8=r;k~(0l|O8+sQi
z6OR`y)(tg?E_>%TL7Dxs3k9>A#yt0<)C=lqD6jlR<3~o`DLghLjMM9jFuAq?dcMkG
zS)b4|JH2so@@U`y@7;S3h4wJlVsNz1(~$QDA@%g|@v{|?HIhihI#95WDB8l<HItM#
z&uL6ec)+cG0Z3UX5Aald_+^BCL=kHps8vAB)8mRiXPlL8<>wXb@YVSu1kEvV3FY$5
zwv0_pEJHWkKk#%vl<b4DueShZXQc#bde2S^`Lo<U8Rj1h1+fG|&;xUgu|_-bdHl&o
znm8gqa!elaq0*S06hfr6;aePrNXsL-LQuzgC*_U77WVQPx6_D)VLZ|7qq2{nAH4jn
zI!RJWQ0kKhq6#|umKQBJc39Yg-DtWQT{pfYNnCh9aQTxNb>oHEEKk*=x0^x1{Bo<x
zHh|j?L-H_<i8ez*UAPYOb7FZ2<KTDdxF?;>QZYZHJ*LISwV!4AJ3liHTct@p?zSWN
zz5Tz)UwiCd(Z9g`{O6AV(7D;6l1CfnVB_%Ic45WuwmxYx-%F#Ob(S&@+?tru!>-Px
z!1)yL`e8w3RMw=w;Bkfls<}6GItkHjG&1!8JBbjR$K%-E4o;3km0vz%aBR0L(!Y;F
zrWP9c#9x?YKLHfqH|;;$RqMHhR8<gS51DwIlj$5<N-Sf@Gtsk^GLjIBSWKWc)(-3K
zR-i0N<@S4I75dXcAuJu^DPYVo<~(aOta0=KE*8o+D)Xlh7o6#X3Xp~bHRQu)4rxHs
z_&4Yy|4NFw2dqKMJ1WKv3sQRt5Y<A}Mbv9y4%$zHal;2fnlJ{F(w4zg01aTzx{w7|
zg}zJ2yLPcPAAKr_0@71G!IGjcZ<TH_dUmw;T|G``0%usvEWl!$84oJ{W;TzD*6{pb
z6QWbxcx;U#DZ=B<;FqlwG4_b~Y&vtVtSlZniN}L`6~)a=ya(|D>yt3Px>ZKrM_7<X
z)1YqEuookf7VaO?`Frf_7947E0~?(4u8g8s7!2MNhvDL0X0xT30J=v7hXZp|<yN02
z!(OGz^;J+O>r)G59+eW-)GTt!^@wdc1%0O7*xKODWI5MPMJg;W8|B^Y^%MOx0(#a<
zs&u6^;(T_f81pyw&hjhD?%m^*bSNDTjigA!&`770fHa6QGy)3J-5oOY2nbRFQiGsF
z!-#|eg8~9lLk%Sih{W$akLT4nFV0$?1^Qw>|G>T1y6(NN@3r?8Gb9DbiBk4NFFQK?
z9I4j>-pxC;s6I8{J#smXK;e4nz<#<h8!1H;{|wx}k#n(8hUQ}Rzv#dJ7{>qqz4*b<
zx*fV(dLsw1r5`dkKJ$)KPe;dLLsz2g$a`E2uYeDqwf4NfLzmp@SaE1_1NX)qTQQ2M
zEd1RpARwms`Z_zzRLj3LZy1qgMQc@b|C!T+Egb+20mK3qG&KY35SOW|_t#!o!3M5W
z-4SFdq6np&I^5m`U9lR8D#fu>caG-qt+^lFj2Eh}Uw2G0T#qbNN@v2Zk{*1V05*<5
zDpJ3bklg6BFcj&iQ-UWtv8?o~PK%hMGQ!?YRa}i=IJsGK1oqc&ci6wdzhj{s&&S_4
z$cLg5?Qa3vlAP&RhU)r3Qe1~sC#R1K%S;r@w&PmxZE*HFTqRO!b;V$rca^x*Z|Gx-
zmAc-D0&v>Y4dNHt?JupxNp7yG(#`Mfi<P>Q$p<seO1_JHW6s{07~+?}%fGeA*k_^h
zv}m03=G5nthaxHOG)|;Ji|bLYmgcCn`>y>C#2d2w(L9Xx=-p(9+6I0qAku!vuZ=6F
zbN#xdqg-Am{E7*0tG#@rLVHj0(2VDYxtCgA<1B4XW3>}E={FoWJdRaaS9Q+9c-wWb
zw5pV7q+PCCEqFwg5HR<ZzHjWbHBkqPs>v{@OpBWtW%uamKZ+ZVXH3ghPagIndFt19
zA2F`7_7L!ZxUCy4WC#aw?NvSdao2Tj!_d{{<%6R}mJJ3SAv~b~i*Wgi-T(iNfBHTD
zk9q&O6bjDrhNr)i&gtYYQY_UW-GpP1U=gj`SJIB(T9`6=)&#3nz;6|6Z1}QOLe_I7
z>qJM?#|IiuDL))E<D?(P*grAe^oKKpH250FP_}}Z=?+HlQn}VnqP%Zv@Stx<J_ju9
z=`qHvO}0gqB~ehb0d%qKS<XOG;>b&<kgT)xloaJy8tW4$q~DNd4qp3LLhp>^I=aJU
zM4kCaJ(SaoLDl?A#h?I5h?lQYw|dj0f+k?dY7EP`RBtr+7)1-FC`n89S?6Z*X?SB@
z*M91$mQ>udn4`(@TD()ialsK5=+6>ILR_xSZq`mbIbi9?t3XS^O-}_#jiOT6e2#22
z?pxy)cp*`lRiK&M=@W-asTmx2(MvyT)itOC9eU>s*7LA`YM4G}pnp@(7ZNDT9S%2)
zHepH9G!5%WGx;=T)*5M0v?I(tF5q8q;88ME5qR5$W_!q?tfgyzTC!FDz{b5J8(C1>
z{<<T#x{ElAU$q7<^!Uxl$Ii7RG;7tO_96JILYxb~MAq3F(Z0exhKC3#K!f|*!N=|t
zV-GBy`Y9;U{-Rm#NF|T(D{bC_!n!Y=Uj<L-x<}Z{-wq5|?N2R4v>c;nKQCrv(%%(4
z7=vX=2?FzjH`=hi?|<HYm?vLy;7K5N%#dK(_B@DEuQlov$9!UzFF^T@eO^AQn(^=G
z|0MFi`%L{~bfn+cg$sAmv2EM7opfxoW81cE+qR94ZQHi%<oAEZ`=0at9#waZv1;wP
z*Pi>D{E&w4{5oLho&aJaVi*uf{dNAYZtajS0Q?U*{k=Eh=T5;NkOjb*!|Tl(yd%GX
zuLmi{_b>EH!0`9ii0v>S?LGE~iv46`xCaI*1)Zy9ikA2?Mu|L=7M|R?52E-Fb9pO;
zn^xvges|V2XU**P{2}4&95Z2Vnxu#sIAO7!P)K@9#X_BZN~4)Q%N)x+%a!=>iOMCo
zh8uh`)<+~ec>T6TIdt%N8HgY%eWmef<X?a|X@!|1Wle@<tVWGY=wE-+_J&r6SA3CF
zSxV2u>6sLSMLxLv^vk`HZAxadoxj1O!^A{j%pfuKI`MAN0jPQuUw+yV8jY-uYTWUj
z!%-Xj+4(!nqe#0ZgT^Ym;D*5u%Y8Im9dRNmz&Z4kYI&{DsC&|`b@mb>FgzqEi?gup
zCB%qDF3Jp;SQ~R;h(GYNK>jf*R7efif9Q7YnE|T)nej?Tuq?K~Hw>9GwJ*^bPF3<J
zww>x|ol7@XN)$ICR!m~dHw)7e$JgEN8^~KwaA#82jBn3pkvaOlR^pb%BQ-WL@p^f`
z?0p&HUWEx@;{y}w@_finGdm@`hE|tMD4%(u_1Z=U0v776k>Z$>>)<lBzMGf1W+~e|
z{n+2SeZ*zC_GC9&OX6JLVp@SB`0-%98#<?ypS}cudeF~XehcyQtTNFol_1hOPEj}O
zU3DE<TjDFb(Hh!gy>?ynq`9Ryh1V-L;5v?MJpT$ylU=*Mhp(uW>j@-<nLf<PH_7J!
zjtpZiY)eD)U+(kS4wN5{+yo@_?fCw%wS0SVKy*<=Ta)NdIXLb$w0!B?j~^87wosCR
z%J~fE2jh&Kf*Mc2(*$4;W7S0s#ZS@WVqW90LQ{ITEX+Zc8|7B!cvw!tyqW&Y>i*+o
zl)pCp8_i=&@wQo&pe_(;Je@>)y<MI9pq)T9|NV298%MNxI{>0rNY-xMz7qFH#TeRI
zd9e%CmGN(jng)8(P|Jw2hP_JPvO%up0q?_y`E6rAbx@P67rvu(9_L?pD?QIr#TdsL
z?~;VJ`C{!oGtD|$l!>ujsvCt~;3m<~a5^Vsr&dseF>;D_XFBLw)Q?$YadWf2VCCqb
zeL+i|;pO)J*b+QOBek<yW`+O}f)han*WZP>_&~76UIZj_e#UI)Z)q{hNiGeGw&Tp~
zd>;++<H7rL@=Gi!tNOJw=J143y>_qKrEnD@yjW(z$DJPW;XoF8{5cDL2_m-GAX#)y
zvsKgN!K^&<35+q)H5r83sUw|yZe*P@q!tF0a%>@z5Av7I2>U5NVd*C$;KL)IeH9P|
zaEU<gy_T!QKba#ms2Prl14uifmcx+NsJBg9YoBe0+Yz$0jp^#)vws@Q@*^O7KM|gm
z_bS}HqQMYF(@vn6jVh*3mZ9tBwOMv7C(`%%`XiJ@)adp;_P|R`AditbrGXtyfI{`i
ztt)!5&J;859{B9Cu7tcm-eg6=?!$>0@A%2Sd;30T01<#9h68-SU%J8XUQ~eLc`se4
z-W>pmk#jm%7czwZ*9gGy6EK_&DEI-h2}A(^p6xInfE2*LE`T0f?`JOx(V1e!6~m{o
z_T|@3t?#+(HGttkj}9EeS?%l(Mk``I6R~>8#7j5_C1#{D!DJj)1|f))`S;+GF|JzJ
z%Jb@%f(lUmq-E*p?YUbg+v9PkrmeTo2l6pm#bqhZQWRARV;|kgpV!%(`*kUHF1c4^
zWx}>dgzamR-J@z1M7N|Kla^7R*fRdlV(P&&i(P~$b`5iq?6Pn^XnQ%5j(d?YN`krV
zZrJ@5?udtiwzRsNcUgn#H(^`2WZt<a#;y&!<uxC%F8pa9Y_>B&;;ipbrrD0NXneZ4
zjQUvtZre>&AV;e-DG?s_s6<=pR?_>h?4!cW!L*M{PF}~Qnf5pI=8B;!w$lE{6|lQ>
zxtS0*8%(=`-?-SSsi-l^kr711_0#0kXR<{ey$MIPxFlEd+~s+|=mAR@^G;BGRrlL%
z1H^70@$xboV#OaCJV68pwkd&OFD53Lw4>jmn<F_5yS2d!CzA(#tH9&y3g?Rk{p+TT
zbFbv6s=Dh-L@#k>guA7l<H>_L9y}R&!`@Zlq*r9bT>-(N<VJ!)Vk1RFP*Pc|FRkOT
zR4W5rhM|>Q(QEk@k~~_lSTurGPffUqZ3*pRl$V>*%Eb)wq^%q0eo}8ZJGDELLgaxh
zmCf!3QqNpjJa-Ju8*z*I<}!~J9TCs)*RzJim?2vyWdmIo`JiN9?-LU~27`#XC^!7Y
z>7e8U6x{|GU$Jul^ish07$9!o5b!ztvt;>-1E3A>0ra7I@43Mklz>vTfIWD-`VRmg
z{y)vri(+#n1{=4?!Y(*~ewQ*N(9{s^F`+k#odB#WNQBpg*mz`P{m9VQBE=AIBVyK<
z1!-2bt0ViX@oh>2$6_w`kNCC0>>tIvo*BiQp+4(+rnCF6!_RdxogpU=fxyL<BRFg5
zH{6(+DoUlcqbP)JUN@>dGT{bsc=dN9r`<Nnq-p=7nsXGNj}woQejbO9hH8<G3n|Kp
z1r?h5`y$FP6W3*i-ps)z)>@lm&4*rwjT$s{<59IPRQt>+r^j|UYgexL5wRm4(bH-d
zsCLLR`Eam<khxZ?thx}P6=|HYn}w?36;sXFDC5XxhsYavG-f#JAhm7mF)#mtlyRa{
zQqG!}zd7Lt`}pR>QIdVulljQw6*S{cYc^6kVY5Zp>Z|HB9_a)J<xONq#;ICF2l)n?
zsoO^_NJ%HcSbtJIm;WY~!yloCTzNT4+}?)vD$gn=wb1zbOsq-i<6xN2J`UNG%=0nv
zi11+K-In=v*A#6Y+ORCc@*y@AgG`}z9aT&7NXiGIHMBqB31-!Cu{HDN!Zk>;L<{q-
zpXp!G0H?3-7SkFnG{gO6#l&B+!!`+w8G6`-Z0BC^vW?3M@kF7=Ce>HEf__Kuv{#{C
zN1BJVn*pgzNSY|cCl}cNHFJlF)k<-9$OZA^?8!w<F6PCtQwsot<m!|9cm0kz+MeIa
z_>Nx)puhf1eI*BIffND&y8pE$XFzN^z=88~9>7MGSIysz1mo)$Sq*smdiPbB{Q5EW
zj*d{RIK#je;$5=eZ$Vt`@+g>+qB8(&n5p0%ituB263kNI?2$3)k+IjVz50tW-wrCE
zTD>kmv803zv($up?<yiUCooWwYwf`+LtFC&E`{muSGR$`M<?4agJQ-589Fl?;|{;U
zTJ_zmyxTgb$Om%y@-x_UD^l>YbfON7VUFs-{*qZflwJ|6c}pGf*$jpJz5EV;RA=ot
zUYWkrJQTR94Yj*za8XDwMMmLMlptB<p|p<ydJQg;QP!q5GSMbL413Y6?|5KS&oQ9>
zm(q)1itsr|G;sTRcA|u`tHObNex(JbS%ZpqtYajnEwoSao_x)@T?g+gpC*7Q++GNO
zKv!>WyAzAx+Hy)QUM6WBV5*}W_vXpG?9Jb;`w9mxnU7SW2U=BAI7w#q&;>d?$mt^F
z7}|~vnM_Lq+`A!De&+3xb}P-i)hK+(6Wu%J@T%%E`hL1V$h$$_ZgVmG;5Yoc^I=(E
zZ{=>PGA56#pD!gL`<SKGjR)B~rp16U9Fin1OYH&j@@$DDm-GPSoFH~Y@y5<!Eyu8z
zW33&cDj~}n7XSFyErx!&T;4%(fSirnbCD%bWD*59eMIZxUjNHb#8^~N_;ybdGx6{n
z{fyitH0O}aQG&={(F~8$9Q;yc<j}=-5|<hExfrfXdt5I3jtIU3a%~Tu+MZ6k`WxR~
zJpge;`OntLC~?HRtnz}n3cA`ZhOn|c%IKG&b29sxXK1#V6Bo2W_%B+8quVL=Fr>4L
zdekm^Z3SLq`)f7%7jpiE%Jscg(HoHu47K{xi+|f+T-}tNl>QJX?Jne)+gTfrhcU&7
zxGIU(P%kad)e_l5tN|fn-Wbb9O4y6X&Mg+2u-!Fq!#2GZ!s|hUQib3bleuIPj)&5M
zC5s~j0b0;EK#8!mgl2*bj4X)7p-O#wQ9eDLzUs<yhS~X&M?fjDL26N{!YoKxjT*k=
zMtN6O!1DyC((~bFgUEs}9>98T%#{lb@jNN-90-|diXu-a;#O*jej(P=CrcNsWh>ol
z#35)X<^*eA8DN@G{EA}HFjjFhC_d*&4L&!0+5UnO2Dg=?-wgOl9IE0<dOBv`B=qJG
zL*+WEQ+#;^N(Vm_RcAHjuayy8tRg{0ML`6T&?GQHg%0kc5(6`NEJ6JuB}I#(PHe#r
z#5nm5VT4d5H$302-^+h@V;|gqo7OhZaIWyJY@7PJ_v6_3-<0Wvkg%zA3~7?MGsV>?
z0%9%#zMN9eary??Nqwd9D>xtw<r)SImyjdKz=UPiH-udi<@QF6=<uGX#t?UWbJePq
z;+QFk-wLBOd}UfNaAj?&7Gz5@Ao`(QHk?{n1U_m7lEv-lhM<M98_jYdMMK`I0Cx6a
z&AqNe-Ofec)+Q=d^y(I2%U=F$CtC=tSi!Q>1!!tw?!f*?jqO9`!r|xIS1b*W0gc^)
z8xv2USc^hq0$D-)JuL$&rV*!U<5`?5S^&MA-(JNh_-Oz^h!B=TJwnz}zI@C-2}qgv
z*X}Ttu~i2K?FqGvBPh`RKB9Sly1QE^Zt_GWe^6sPq;LFqpaXsoj++7a$HjA#1q9k+
zfihSYEc4zdxA3%JPf;kd>dw|9r3lIhXcr>fhqs0iCi6eT*O!nOsf(V6T@}rT?5{}`
zE|qc5VNPUzS1x8}IT07kP#xfJ+TAzqsu04g$NIz1*Z42@iibC|(AKWsbGqcX;H4gH
z$I4Sqs`$=1h>A8T)hzLJ%X66OvkeHA(&Ot^;O3%!kkMCPJ@4T02W%N`0()33+{v0b
zwdiOcRn#qk8pO^?hu=n^Bnv1=cz%R?V5@FK>LC}&^sVHuQ7J<y4?BQw&1Nuq{(W_Y
za|z^e2jpt#s2ay1ZIAO>!u&qne|+iOz0TUk)kqd-JO+W6;MIuQs-WdGqcv-0;rn|P
z^LhIBGw-xUq37%+e`iuZ!*_Xo9c#@PQ<*}{FH{ItGUUKTXKS2J6W8Enx~!E82Vj!4
z-%gj>bXHB)e>@9G;G;+C)`WPbp<oIk<!i9MIT2L*1H}`6qL9~-?YMNABV+!gI$~QD
zW>0#(4cWU`B??ic*I6BB=m50Fc)+!WUtpzoS_1k6ud>oMb?aWAY)P8?LhoddYkAxV
zn_}iFKAxy!647o*`0)aC0vWNd^9--;14?Kiw0fDVd%IP?PI`I3;nD!@-LuH6m%fyn
z@Md}iOIJJEhDq1lw_E%x+c5KALm0p<7Y~w%i7T5~$b-8f<hb77`IQv8ywQN}Ij3=^
z>GhknaKh4)_go{k54e!5;`1yj_|@a@*mI#zBtaCZ2xy2^57?j}6BmZWUyx)E$Tj)C
z!w*KqmIJc%3__(G?wFMRQNJFy)BZ_>Fu=oxn66q`{NlP>^yh4s0;h$<56i(y=u-e5
zhScg)c~cP7yKmm~#{aZiX9|by-?^Frh3AMvz~HJBsYqnc?2POPO`<&^8!5rgVM?&W
zhI;f;cjL-`B92P38z%HbE^O9(XN9m~KWpo2t1tN2?v^mHzAHX2FeI%A8+d-`9e_8^
zDT;<Hma^g}Ff;dJ<m)+%ffdVXRi#GfTw(TCjv{HcPc_AnIO6?8d(5^xjZuJ&rE-b@
z)G%}W5i@nSYIAsMpV`8ozE5$4?l>46?Cvjy64k&ZPEk|+R(<U^?R@Vw;o-UH{|K13
z75tF3wIbJwVbw#g?(lVy;d<YQcFlDd*uLDRImI!}C4=X60T$NVD&_je=tyV}Mk)5K
zGcB?FHUF^NfFKr%cqE%U+{Y9X=#?l&5pQ0rjdUb;S0&;e{^36EV(JmmjDA8r$7wks
z7h5uSw_37XR&O8fBp<?pX{@2*6(?k<ehOb_5Hl?3Jn$#~ab`2M^B3Uf0&MNghg_eZ
zl3y(NEx?vOY!smK>6`a0j*$Az{~1(yS3(Tb2K4I-{1NcJ{j-Y#e4iZsegr%RgnjCj
z1K=kCgdtL2r3ukCy=M}?Z2kwL=^go=>3yST$OE*ZiyZzyXtXAazlCQBf!TiuOtAkW
zFs-ZrzD@x5z~2B`FvPds1OWUcKo}<V{l+l>y8Hk0L2tFbH@>@oUM(1+d*9+4-#kDp
z2Hg|COzH8U%n$VG_y3?ztT}*B+i&PqfM=wj$an1z^y!8FZ`&fEZ3}8V^9R!e_CHM1
zMJC{V1#tBH9ngyL^Hx8<l`-{wCZXQcXCeOA=CA*H<rhHDMjwDKG&`&QzSQSGZcfSR
zhm$6H0GDnFFLd_E_M9fXq!R$ce$0urP)GZvNvD(MBZFD&A5p$EErfh2-ip9-za>wf
zf$J^4wjpaLEH+we0tk*2cU;NrSwuIRAl1igNfAzP`ob$<LME=_N#lCg6?;Ql@Tv)?
z82m@))l#=Z@fPnw=Y5VsD!Qd8nWoNUP0L-Gh$UFNa_2Byk2kLhqJBj;o!F~BdL~0=
zc}TZ7bk3&3UY>S87Q=g>%0!LJxsSb4yKGqWO|P2TP-4*bCcFCkYnL*AUon>*rcut)
zI*7Q;EeM9gLLJW2?X{CanHkR<HP$^Un~Kjv@MUd2j!YYhpRT*8rjWJvqKb3s?XzB7
zE{m1Q!0^Z+-WyzbwFVkbOrV5Q6N`_1`IcP42?%d2VJu1^-%L3+9y3<bQ#^64R<%m0
zCb){V-{JPv%xV$76@itw+z!Suvp#dx%b0<kV`ZR!cCSEDX>stJh=!I&Ay2qmK4mAU
zH`gc0OE|z99cn7A345xtFh!p(Dmmub5h&Xm;z@SwEt4DL^nD5R+g-iIsf<F4BZcsf
zRh7J3<VFF(<+dX-SpcmNDpL(qW+<<G;!08c=^5;6EGPHGR__`Mh~!(#i5vo(6ATO_
zf$3P%Vl~tUJY1_RzvD@7Bbrg4vIy*jPf3VN8PU!^)n~Mw{frmD*9~6h`~&<czYxUJ
zj(2i_jg#yo8-Gm3CJpgEbx+KR&TH_#+8X;L&Na?iVd3yet<V&X!txmyJk{0E>rItf
zo6*+*cR7xdnY_-jH-Vbxvk#`lyp0X8y-m3t-n>2_LsNdCXlsbQ1!-ycZ5u+|gkG#v
z`9<Dr*0d5W*9V2WQN7{fTf&4nVbz`NK6ij^2UVyTsjhubuMUJ1ZaiOkotLcWk7q&k
zC;i(K)XdVMPIi`;wj>TCNo6<puKW{TX%KBw5fu*2$-=#rWow~ZQhf`ACcc-RFt7K@
zUbUf#lA+#>xJ?yU7t{p)PAVx=gGKYD=1W>A2WtY^pVIY#-*o$&oNg9jZgNm^=Io1#
z-)SMW6BcT;o<ykg8pd{B&vnZwX<EpA{T|Qt5IBB0Nd(5tgdIJar~`LHmE?Y~je9S-
za?mGiIdY%ub7yf(Y<MD?h$*n4%=ufT*{kM`Lr}X(6zoXLq)!Pe62`ftt{%gx@&oq-
zB`!!Z_9NMI{MlwZhdjMX6~9O>i!EhH7x(p*ab__i=UFW#*P|mWzEuaHMEiw}nJR9T
z*{pivoAMYdl_TL|)#8SwnkNT>OZk1z2Fqh0J&*~TD}4ID;2S*5^?B$4jgh+H&n&Z$
zjVl|14&Wx>G#T?JC~w04X;gAp`}x=?Z7e`M?nk*vzf~!@?yW_U?!^Z?@T7EVza77S
zDq{Qr{t<vMDE%~V2*U{z!gf}X@4wboz%7mb`?cYwGfyu=7KdD}lu@dhWd59ge#X6S
zZc31|khI8!@Ck=uk%&ayNy>Gjya7QmGwW(yxWm0dY_y<-^JTfjFOVAP`}JHeIAFi5
zg3&P0xhGObRrOL%@UJgbHYxE-!&<AbK>`xnAY;`Bzjx2b%ac|x!-6!bs>Z#o1v?uE
z!?Zk1o8(IHS~OCn%9%4XllZ%?mwTMiC;JM7cSCLp52$VdI3bm;SB_Bk342l`R(UD(
z87-&6TUUwnm*Xta<It7iS2zg_-g46gY38~Q8UKn}7<0tfjTi|XTY%2r`b-KGTJ?|k
zE{6x?uDzplaw)^;7uO}|Ze{ccTNnOwmpT(o)dsMJCwA;p-TON(vwzJCkN*-MA04H`
zqfEWIOTsOamt*L3-G!xQGD(>z$-aVc!k<Njq^^k_hvOulbB-(y@qxRcyIm!+_c^(X
zZq7>_9;vVjM~Wyxy%gW}(XV?-K@mko$=v&fn=JQO+1OS3LT)hH5MRg=HaZWliCgE#
z+eTM!P>-YvPtI}0HpclA*t}*0+8!pIK???@8J*8O%X0Y2>yu^-Y?GKan5t7US5mYB
zufavP*r)zGO6lju_q(eHI1wGed3S}im#lK0K>qkLdgCteCfjv`hyJe1a!nD8tFmwg
z1mWQycsv2lPke!%`2VgFpjFv19~54jjQEN|&L_Elnf*+w()Ics_=dRv(#I!cwEZEW
zjvRsF7t^7Gi88IQbeh1iQ;2vj88_Yz#_1E1cR5QQU<5BS9sqBom9?_isEK2!*v~WB
zEK0HlaX(zDnpqAnth2dZEn8eEc8NT))_{12#f50mnJUNBy1cwJ${bcTosB9fXCu&_
zme!qj&NYG#5Xy91am<E?yan}KyA)?RV|szJi$GHF@w6tVwto5LJ}0Kb7Xob6BrvA?
zJF55X&zD`-O%PY9K6Ne}DwMUD(QJ2%LLrM2hh|{+XdVn#WQL3DNCsD$YIUEln*~q0
z^$(H_VU=D!3Ip|6rDKl5MC59SmMleNML}n2>tKO%p3vxn1{mEtA@1WjFi>@*eK^%u
z$;im*d($p?sYq>Q2a+*}scOt4b4pJp<9%dVF6ay@h^t19#gH>N2qS-e6!E5xZh|es
zn!hx}zH+HuW*(g1gm)nR3)o=zEoJ6P!WksyH_1_JH))#una#b$?WL)GRY?i&PTT?1
z6F0eszRDkx*0l0U7$y*yzGPQhOLzu?Mban(@1#Rd?XVWMnM5U#K9``5zkjdba$0#O
zboW6N<fEbg{7<EN?p34RLU{s@F*3UDa6;;hWIsrlf=5hIPjxlW=}NaneQ4xDh>YOX
zOx2q{)L`Xc){Xy9Ox=C{^ZlkL-v#XGBE$ozp8)>v_>4cP!TS$4N47s`N$g#Z6W`h%
z06NU8FT@_E0hq&v;i*M?v{=7}LPknV2a~5!MWo_G@Dux0HY|)vQ*Ad%D3tf_oZHze
zPuJ$xuzQj1yc;*(zbpppM~O66L5VZV2kC-*!k%_9_WB1%+Z}9^*t56fKtm$4Mq-x>
zcHT;1aZx;_Z$ZpZ)A=TXt68O(D!2BZG2r~8*dje6^uYFw$vF41Bi_rnGtMNBuNYMa
zig@<V_m?1KIXn8;jg)@4(D4mP9)z-Uug}$9pHZ&ljIgpihRChvw%NHwB_ErGf~1Np
z85rY*W94V4)Yh2wY_pK4=Kd#z9RrGMyPLpVr+%#pU`KPS1RZ)7PFWEapr~m!orT11
z#IQO&8#$;OiX?xsc3B!`{HX#zw#kN&AyYI_B%jreQY*hGXAsm)w-0S^eY}tLnE2b0
zwW%v&Jqud^*FOC~){TvZPeR6Z@tqp|rolt3CHZa|sF44L%sX@5G*&O#8!V<nzLugi
z^wgJyucbvXjB|y`4E}x%y+beHaU`l6uqH!qHW#hh?ouW{<+Ab_uoN`tNG*vJqMTm}
zw=zQBm6(y)<#g?X7W)ILTFjJr^eng~u6N_R#2(5v4;g79jefAxp96OkwXL0xI-8#H
zI*Qe8YT&mZu^JxHlGiPLge!5~nw~Sm?QKA}L>lDPT^?{9hJhT(SzVu<i!1khUfuBm
zU+{~76}Ruf-uKwwW&bC?lh1$HqlkmXU;H+PW#0c2r+(kR-+jHmc6>kZU;V%E{}ZqP
z$@d@4EcBz9`7JP$|Nk2H;p+y=58&zvdE6_7VL?dc^Qmkc>Q@4_L1|1(%2ZQDpk=dE
zn4!cVsk<(?cuVKpoA;C$nh;T=fKx4gw)xxGvOH~3NnXpND9h)ozt4b1=p^s9!cQN(
zCJA78Q`KAW-oZeZkU%5}O8~Pq&+1f~<U|}uL^(PO6G#9d0V#Pl8_jXZ;OFEDK_LN!
zL>wJ7(E0g}|4P?~fBXQy*}dFz!Z*Wby3?3xkV#FIqiL&Wc>;OG<hMjzh=LE>Kh-ew
zp<Q<AkMoo%u)c{iQhy6BBllWQZtR_6;soD;=M33_yYMJBsmfFb>nNP$(Ro-iM9Jdm
z`{A}TcN+uR+;Ph4p)6<Ca1xR>Qgi%@RhWUXuQtPAL)JbR3qL=Cr3<5GQ|3^OF6H#z
zGW$VBmh;s41SI$D;nlN|EgMzzq<53KsfN>YM6-$jnLMNwD+#q&2gd3qu7ZaBL|Ox0
z6Ddj+51qh=8O?hzPV4H{8>PfGY3jQ)(O}2CS?E%Yk$M-;<v*gzIwy5jcDJ-eF$%;Y
zSJdF@TwfVjQXPiwAF$!MNDs3Nq*v`nsV8ow_>q*fM8+lKHi+W%`Rk1-GN1Rjhj+Nq
z{z-_>l81v;+`plGg90k~@5MrFlVqig8x?h+^$_Ruc}Z;XZ<{Na;RVyh%t2TvuEtdI
zdZK2Wqvf-n5+^tf7|-^$yYP7a=uu&CS0Mq~2JU(1LZZon@CKRW!Xxp074SMZgS+rc
zcxLA-T}UT$X<IZq2a<Y_rkmUPFZsR`kaV276n++osDDg1bZ*Ta-euPxoHKye8{Ch|
zr&!LP#Mjl4m-w#*_!J>Zn`orA9@NkxvR(?TU3mD7&;GAppvj)5$vcptEv6+srI5yT
zJ?r*r0y{&(!3ld<AhkLhs(sz7;;sH9ak4A%VVu8^(1AmSJ$h<%i(zuJ<nkrc+@nSW
zdnx1>fOrZ;rH)YFKloGkou?uN5`SAXo)x{j-zcdthuB}ix6L@V2LTVsS<4tE1KUZ*
zhFy1f>v()snVpha(T#O-Rul<X`>i&sFy#uj+cuJK*DJI?T=8j<#qMPcfW`jfd0;Gu
zsPEZe(-T5Ckz(F|r8?hM)SIS%)CNb|Bzp=+37IBgTukW_P^?&;FI;DVPCJqpc=zOp
zX;^va#3j^EQK%ZPjb;TN<=PRCRSf#{OFYyQ3HuU=&sjNGNl=Tn=?=}@*1gxm$lp0k
z9uQorv{Vs78cBNfMUX#xOk;;|LbkoUdrtd=nl?VlN;@hf5MKvJGs1UoK9hh~O(1H=
zN1{r4GJQOwV#0uC#EERC#^&ku#>vl`7B_JJhX(~;uo#!^i?)yQAoEA*>l7lPFX^(&
zb5(I_RO`#o_KH$?uA7Bca_-EiA$Nm0syS3poqvBD4dz;;_gbl`uz-vE+Tn)wQv-#s
zSt14=S7R2Ash!eXjq#oXw!uQLPw?EkN%JQ|W|DMHpDlNWrswS=#v^et{}mZ;JW9=V
z<R8Nmf5|t0@4MWk>lb-Y`H$t4?g!1R0x*2{r4QkM@|`^K?wE-AFaE0M$B%mYUo2KP
z!fc|Z-M&B^G;x9n$)62hK60swgw~rn+4!;rvarH^I-))<0XO|FCXo9QML-1a&9l5j
zuN_cby|&0TWGQp2EE@Hm*=>5B6GrbxG_|Lkp&^<eoUI9Kynn03TC<y)fOZWrS?DRm
zKSc~vu?z~W5uU=-47U(1N4a(`2ub{C=Czj5Erlj}IgdoUktLNp^CrF4p!2*X&105O
z&lV<k_?<08E!tkz(ph<N_B&SG&)tb3Z&8hh(RV1_68)`wu{Qw`6{F$~CZo7p$1C=(
z?m8Xz0jlWLnUa1vrd<a)iG81Lm$m6q`4;g$ayf+Dd9qZ|#2qemo(+b8nZ3~FF?>)J
z`aKqyXA`y({^t*8vT!?h5Dd9EofFsSX-Oi{Kyr@4RgQ+@qQx35P?HS-Aa@J3R&`c=
z2=-kg#vqTGv3PR;wA9EfGEI^2X3vDx((_C-coU_~D^G*kvAw3%^K?Llfo-vs+)mkO
zWtYfaf<6E7FAxnKK{GhXZt?Y2RkzkV{?gcX`h!M4y&QC!4}-sp9(i>%V7o$E`+!|o
z1kD;kQ@`2fKX0t|d8DTS)Sv1Ss;zq#`MkO!%|3%wCNI-dB<|OUwKg#_fJ&FS`Ujjq
zFT#~`OAI_9O{@&iO_Zuo=n|S8XvowRkwdLtZWZ%^<P;~c+{O1Oc+yi>7qkYS{3C$e
zgBL(6VDJ$D7}OT|28;lp^``-JA^hJvs32C|mlFSF!twwfdQCr*0Y8yxdJsuTRO^uo
zhTFW_<Cdyi!xEyr2I?8@zcjmf8VPAoijguraRO+duZR?(R?R`nib(?MCTEv3x%Lda
z!4L2n&_Zivm_zXkPqMhQL3A4+Qt>E1-q%<v#PPXZG@R(G%ABd?rlPxUt08UF_hG7p
zqmQ^)TX!{vad<_taav|t9!C#YRR~%w9&l3a!z@#)%wy4ppuV)rS*>wRfEzf{?8C^x
zYlq8WW;XWm-jjZ#H#D9~#*~{kiPyJOtKcU>Fk!p%8NJD8>U6X8c)}w+hf}eD8?0YX
zBt0LwOwtnX%(Ros*(!Ps_ViF^6_wqpN*e=)HtBLSEBVO49%cX9p%A#VvV4R&3sYw^
zE#q}|{&gOB{WC&%(HMNp<a3%g;BgMd?&d@!$~70`sI^AlabUArRzI=?kL(1wi#0F9
zS<pIc*F@wuEJ1y4{HLnV841|3)bPpfzTn~mXK{A~H5%Sp^2tMm%H26r7LhziY<4hW
zPmVQDkF&+u<1UGpSIJhDC@5+dcMBw?jR;tAJKTQ<vZuR;j08)63$QP}xxM~NH4Ng;
zSR98|LCY9ab#`la!Tnw0^wH$Rq#rUWhv3xU^kG@8Os!g+h^1(4*Cy96t<S*e5&lXa
z_y|&8hXN%gl6u1)N7FU*-I}vUv>||Iqs&<mAk33`N~dQC+#I6I7X|qD3UKTKT>aF|
zB;Yl)J?s;Z3_u?|1q9#z1LR6@-)g&%V9)_YeH%Uka6b5b0f1mm0N{VmMSmOqlvf!4
zyIdlMm)Banej5nG`_K9QLnq+q<wXzW=b)AWJs!|I=PRfX^{oft`{?^!BeP~K{$Iwd
z9suz2@^kS2)763yy^sE|{^{VxGiL2coQDLuITWO8kVoAI`XpFg*-{g&5Y?gjJ$j9g
zPoX$gaI%Yc*y;IpVIcC@>$GKh(9>>F)#~2#m)ULPo<n{26z0fBaY!_4Q73hEmc{`4
zxNL5bTn^5EX`KGHc_JXpVxUzS_c9l^8RVdFuU|p>%t5QuPhH9Xm(YWLcbe|J5=cP%
z9xUSl{BnQ!YI5%18R_*8nWQkUUr3vOz?6B8wL8=-B#ZtTrPY1-<!}|?t@1eJEdVVW
z8nsuClasd}7$s3^T#-MiFUJ-;f-Cn+oK4-d4+AB*!<DIo{Mv}!+ZO5qYt=x(*0jxO
zb4OX4+~oYiSetX(cLKx*%#kgtRVkWBz9jr!?Ebyl<_CMYeu5D#oP9Z3SBj#Xsk$oe
zsm`{8lGlOSLXR+*KIwFMs@ph9o5UeCuLfB!bT@p>-b34rCkt+;p0GHjbf*xk%)H}z
zCyxvi+?e=*>-_rL6MNBU&796!#*)6m{>3DEj$)=3>lJ^WU<96(IR@Ii<jVY@tU66=
zbwUcwQmAdRqnGZ%LT?Jka9lNrc_5@O1sD<{ox7;|yF;7m50+jIBV%HjaF#fp1u~PE
zbt6BBy?`6dEc_*Q{<TtRP@=Y%l?OPnxv{W&?rSLNtpo?^=hTMvDp@Wlzjvv~&6ZFw
z9(FC$y0_2t&z;V0L*K@4#s_}75GK;{sC$8XOG0S@9$dMsb3Sn$Fk!=UOA7U630HJs
zU(k&dK;!(0R<#zzV0*Gb@4tDH+ZuD&qvp@c;MDO}R}?j)O-_G0Z1E$cS(M~X2D!|&
z`JatH->M6U7}Fb-qyCo1c0B>SnI`fE%tY6_za_sq(vrNumrQ9n;~3CknrxC7Pa8sw
zl*4gOy>L&ImVZ=_#d*kU3h_5<ONe=4c8UQsIw;Zl#_Cx5-8BYUzE_RtlXvl$e>zOT
zGl5$s=vzZWD-w#eMAsxRRQiS<f!W8Olk*uHdPJqaRtT>qKz*)R>aZhJ2eb$|F|D6w
z`?W_6&zAEoiSABeHY5o_TCwUpBAwZ4{1TE>7ogKX>#@4`s_tKwm+FRP=k;0ASF{0Y
z7Hvr?DRS+xZ=0zHY=3=hR?3b+=1(Mz5yK$)&Q@2z5HQt5V2tm~uq%3y3yTHGJ?dT?
zFwqrD#Pj-f9Bv}LizimQ4^VnYAsa#yY*i4>$P%y6<O)DJ*$UN!s-YwslfOtxkRBYC
ze&zJ0%)3Zby22NIgxuNcnulSuno=>lm9AAUwhfN<)x0~m5%bsKO<RbtCeI!={HdI2
zs-U#Eg4>Q@_@i;+guL=BDu||iNhQhl3%}79Zga!Lw7ml@W`mv9f~si!jc!UueqG=_
zvNu_)bcGPj(B|NoY3us!Cu#Tqphx%<5)5Ipkc;w)T``DKQrvo8<386>qf7`V89RFB
zSAO*TDuBZ{p|vC4*uPVQ@pSdHRIZ?23lD>I6wA|*t93gvg|9*+>Io<pxy#7R_fOBj
zP_=z;hFQs0rI)(U!+K$PhNaO!W_e!MIy#`RiY#e^0v2%q)|74teMIZTezwX8x*FgN
zdYj;$GG?E6_7+)wl;Zb6GOBnF+Opyz_AYettZy_IQL29jMPN8_@)a<2XDwg;0}6vZ
zwpnTIT%|VsS_ftRgJdk{4Q$)T$F1&%&m$8YjIp$L;d52<*cbCz0a}iMw`b-ez6D`r
z2bvQCdaCwt{A;u#ta3Bjz2QPQa}VN_@oDD~J8c3)!K=0eSUd>jwP{}9B8z7<&8^yW
z@T5-uRTeGspayk?8P~?fEFQCE#3Ve&EML6!N2Nwy8rvORZ`MG5^EYjURQg3hO73A)
z!(Y8cab^O?>-znXKHX;aJ%w~d<Amazr|i`i*WLP-F`3Y{^y|$;TCuXL>r*Aid7dOv
zlC56{<Naqm@OtOr>oo81kG%-SRypeu_!Riuh{Gf75*luA!doSzxzN<a|B5fz;uK>4
zbR~Wy{{m_?VH96<%mzalofT%HLqimepT?@^<HIq2T9T8jtCw$$KJoslNs7A8oI`1G
z+BaT4d!b`Vpo9B8{9E*1lmKwYi(mqPZv?pdJnh`P-4r0Def9dLM*e`)vjGO@fXKa>
zZ#@!0%aQ+ERaV~hZfBsru>rB|fSbQzy6zuF$@vw&c?~JW5e@W8Q8H~<p;vE4^k=jN
zM&g;hh>01ibgdHTa}95);QcOe4rgxzCJsKV*~1Fev<}^WfZfxb9)paS3dk-D5@0!P
zt8KjGXsTDh#B8Tt0)c3?|H7&B@IoOLqjA>1aUIIriMu!L7~NVI;<-e+j3(dUA`hWF
zvPMwq$Ixed5xN#mO}_4%mpo1n<O{l>tgz?&jTc(1+y(VtuQ%;#M{*)&GB_uS5v3m^
zD`D35XHpY|ZO_X4pp`>liOoDS!cUys1Xs(7$qTY;uawFsRun4P3NY~gQfOdQF<9+1
z@<*6vVFoJF4~=IYs=Rg@ob(m*B=lWjbD6)70dcX$vMjiF+Ue9`_S7@Yj)g+;^NI`u
zJ_>DZURZ)APp*JiqT#XweOpm#r2g7N{?udhMq=;HgK<o>xr}`?Sc{5p@=beyf(yVc
zo`#!X|2xcO>4X-ao5Sh3gRx2cEgc9={Z9^m)=(U?jqt9V7{-vuQFo3unB0zIHfQgg
zj*2Eiv>aiX-Y?w?EgqWoLmdW^1I|CP=xJ2{#9bs>jsrP|rt;hsLdI*cCZuaeW(`p9
zdb}gwdxKAI`AoYuo+<JCGP`QL(-?$exPv*u=OScC9bJ#2F+h>bDn<4o53!bNmET~h
zmw=J0^!3hr;u-V8_`dh_3a-1tx#HcMv*Nt9;{7wFwAi5==8Kf2B2y~#5SN4aEtm_q
zB>ARvycJDp*_+n5UQ;;9&NPNXI8%3U-C^-{e{e#E@+e1@V^v`2VkWgokY0WugMBvI
z0U!gqM`D@*{@;3C2w20*VZ_dP_cWeCCBcuA$}h}2#`5esa%WgpUK4gldaf<$EHr1=
zTm|$+>txlz4>re6=-ny;-RP(_qOOT_E}}z+Fur*w0e!+M+Di<pEcX7>quiIsAd=rh
z0y*z{r#V1TF7S*ea0RGYiS}ijSPVDvXrvfg6v>2@kw4d|&6g)8vu!k)y&jLc9dF7S
zQ|YuKCT1suW<t?E>rK+Li|u^Wa#?L5#s44-5Gr#`yQ4X<{|$O?5P9jGCCLmJ!J9*|
zF%7h(6r}iS1D&0qDUMwI`~5q*ts~T(?0Ew%zhe~&_sa*F=*<Vy{?+-xLStGdvqfG8
ze_jG4MS*p1gfxg*a``HESFC40!W`0|sAx{RSY=lfHJ!U!jeonj!g=f;gpC4$#}!;4
z1awma?a1#LVf=qX7ylfmJL&!;Fp97m)FhR)OgGKGaxfLjC-+ErX5iF#XJ<u(RC+|V
zo1)nnhRLgjAmWnIAI<ItZ$Hxr>tzRwcaU1Omc~oo7AH{D4lZU*Xs-lG0PpN@!H+MR
zpIywW)rd6{ZsIa;E*si4JY%k+J^AVh*|-)+!SgjSKY>ZmuU?A&LybL-QL1r+>^>Qn
zse5vM-08-INx&^Uh>+{`RtqtSSV-_X5x*aw<ErXXHkg6$K~#KcuZv%u9Qk~3KgzRB
zmQtw2<aodXdgG4+<o=M5md;m>;0b=r(EXu+*!Z6~8Q?p9pVvfyS`U65pS9F4S^q>{
z0091t-|jmU9l;y^aQJzC#N2B$Qw6>;;p!?2K^VsIDgUAy64bJ->Su}0T)5dfX3VRm
zG3L^w4h_CFLuoQzW(9_0-NnlDov6NvAms<}zJf*f!>OGGg+-Y=FTd2i`Q;zJ`+97_
zLEcBQSQ3XSVm4#mjGV-@{gAVPc<rr9N&pO87rYaBGUrK&iPC5nrQ*yvljaTcdYiZV
zT8qDuy8XX&P_)1_()mB}UQ{PkF%FGoR@(}?3_+&5f@UmwIvvwnayu424q7+-4MDN1
zqZijbO@axRmn49Z8Z+(Deq+RB!_eF2-!@K0jJ9Ha4ZwxgzNUa+RfryUa@vPzwo<IM
zK^ZjZ?bh3bIx1lU9bpo+_E8AiFU_#DnYf@qM|-UbJF9fuZ}Ea&76!e1^DK;aHy217
z@^kX6V(uGI*Q4@ju*Dk*B{VAG9t;Z`E-=>EyH}Zaie^YtA%E<orp(Q6;K+q^*QW2Q
zHnTs$Cbz{-A3HVoI5Ue{JXHpbr#M|>GtjEYiayv_;JQd2ZkhmdiwmLhz$Bz9XKnMp
zv__<Fn_|A5ju@cC;^o#c26Dg~b;V0DvDwu>Hxiz5RG`+C?>I&r6Yi?tv}4Ggv3N;!
zeoQ^Ljb>U!st3~Y@6eF0Do}{%uQX{W_0Gxo4Fu4@K{jJ+J5^#?Z4-9PkyM&j-XBAe
zdJ`c4e%}GchJ6XB<C>aC5PlT!?jYbFC*b!sU=Z1N9}q*{wN+{j*+=<5X9xKY%wh>Z
z2>bZsn*Q&(dEeb{e4p1sK&S+B!$J$lF3SJh7>Sht$*&B63+gPO7v1X>p#J_d2)`S|
z|LVOGRq$C)`IQCyzoECoS8ngNZz|Z2ZQ~^X9)K_PUo-o>6$eZ>IkU=bAo(fn27Lg0
zd=CI?KRdNg_@6J+)t@oOwbo21UC|aqQ9>iq(~We}Zu(SIYQQ|HUibptKg4!S)>m&{
zDU@c$Rq9_?L-!nsiPlx^isrO7_B+E{!q(NGG!sm9h^i5*YS4FgaT%&JHb466^P6_{
z2NyX%srnSKGX47);QFcTrJ$Bn>SH0Z(mksb4u&aSwhjGN#t_isQc9^ke>@)|5tEL4
zKpOez$QfmvOMB2{8WO>!FWhuA=}eK`Zw)$E;`5;MkXx4p&JnS+xW`;U_h;dyHz7xm
zqgKn7YwA$CYSJHrlX`XLSkcRsX(MD+O%9uodTu`64%-H8PqdS}-QZFJ1odxd6TL)|
zj(Mp#4Sw|Psn669nyr^DTepD4&N%+iP)2^=`S>&&^R711JOM)gz!poA(7u7^H?i>E
zae|<;MKeg?F|7L%g=ke|_J){JS6rS17$X`DwA9I=MvK~PRi%T02CHFku~!s*{y_B^
zq#P)R<|P~|CAtDzDZ(jYF~nLQb8BM@#A2Vl>54>8go>&(2ejnedWwdmT0hf9wA5;T
z^9CRF_yOlaJ8Sh0rmD=!RRY_*I0Jo|vLr&7vg=mgg|Tv^2y0O@G=xKpr~3>%*#@t!
zUS5w=a#ct*>$$^?A!Dh*#qrxIm^nkOH0(~N+{tM$_>4pPjxRwi2qS42ZXNkOGr5FZ
z#t<2YWem!%JAMQ}?(S!+-b1ec3;$0#<DT#C=MDX_+-Git^cB~CO%CXPnOW_ha+hjf
z;!yu@8Fm4}@xM=f)gg#JnrMMIK>ufb0=e=19tV*8`ue}7SqLBy_+PcEab=FW{jXZd
zJ--3?*MQ$2`1Hyxfpm!Ab!wU)Yn<p#HPW1hEezRsSabVaZ<sg+qB*djIGSLamHly^
z!Fy#dN1c!Jk~f#WW;5npgk1qql?&vC>)~*kTLk!K+Sz?kQ5@+WcD9g_M;d|U+}YP<
z)1@u4N{X3o#>F^6%t&x#&#+u0iL%qwjbZ_%6oDBdDn-)vW5#(}GN1fZaF3^*E-tC6
z6VB$wN-smr?C?lFI4ELLJgk43kG|jft$eR2d@*HG3DkBdBox>1;H2P4H^Y?P(TLjS
zC?REA?+J~ZthH!};e7P7ev$5J7N{ZfqHocjlfLaq0z|sZK_WTzd>y6r<3s`qEc`4@
z;KhBGxBHvRu4+tYRYE^_uQ+gpKbmuf;eIBl^f)Nv6wN@1R->B5&=3V36w;mI-^miJ
zS^CFV<C>fruRwZaC+<-`(gA6%=I5KOA;s~C1-9+){MfKoULQu#aJ|T5=AjQy#x83w
zM|nw#hE58W_L$7*uUkO_*RBi&iP9$Y3b5Sn#;KJR_q+i;@IjU~#z>25o$%UTI8SF$
z-Y~5v61b}>AO*<NTR!Zv%BM?~60Us1hce$IIs@?=E~X#lhtbow+#2DT8LtWn?tgWV
zloB}UipU<HN(6JhW~tn|n_{!68Odis(TDin8^~}hJUA5i5Hf7q;N0WNGu>A4`^4Q+
zh5ynq?iyVH6nj@z?VtG>0QmeYjo7nmiin`JlM11bmX#};o0KWY{QMQS>So^gL!x$|
zG@XOighSUmjoz%`s_oGWRH&T7G8Gx1%&=y(2laT(uJ7QJVsA8%ltrk189RUW8@i?n
zR@G!PL-=}^Oqw|}wjMPNN;xTm$nDJ(M~zoGXGeP-AXtFmH8EInM9>fETIWDM<7OPr
z9wQoNE=vv=DPZ3yT<;i^*>$px1IHIv>SC;Du=535W<yVln^&a3!3n`jIIRWIqq}L^
z3sX?Xj2Tk+b@emEBp#j2zZ%v%btK&D=+8!0KwnyF^bEG|Y(3c2BPm^z`CA#f+-he+
z#6)y-a-hQ>f+yu)PI<Zp^2inB6~%Q;ZQfEEUzW_&q_dVe>|@_}3$r)KGOZ63!i68T
z>zM8Za%jkfVp{3Mqtg&pb`ypjEiGs!k5(+gTb)FvNG8%Kxet%Y6ZmtzwP|v@7QP<{
zJ8qt43swpip$o*>9qE%AS?$<vkom)2s7Nauf;%8XI9Pe^QjyBZT@6e<`}6}kR?KeY
z%YEPu{<sz)YTWHw6zDU^=6*LS@Vb;H`*4ipX9^`^l+z>LF|r-PPRNy0t6B)(-Z+hp
zpJXfcH#DRAfO69)<v^#t8r`61MNYv+y|m8ByWz1(aFYBvhg%WWO0R_emqIf+_cRHF
z2TpM2-ri+BS6Ys^!+%GURrMX{Q(JF%_EQni^tWO}(CBD$uq7={-MGk1C(WmeTZf^C
z=V?f#34xk9R-OZ%+i(Vp%3^Sv{N%^X&#qzYlpl=_T<WSi|0aW`MY|E)v1pr~nM9O#
z&do=SUalh{lcM=j)N)+wlpeDM?`6Zu+oBRn>KZIb<yV$2G}e{NyY1v$O%b%Uuq+gv
z2NC$>EdfcNc(8;wt@tV~;r3ptJU!U;UaEoh)c4Li<bhpJG^DTjAFvqjteDgxo!AwJ
zR=+)@Ax2^zZE_cPMagtUSvO2Ad(0C~qa6bv5!Vi929aWDkhRN8h%M{I*05MldUyM_
zhr708X)w3e7q!x^8C=4i{F*@C-xn;G8E&x$J-cl28~Kzkdy$Tc&<4y}F3WlUO8=^m
z>>8qHeg^p(VY+@0mvPI`W?iyM-78Rw{&q|NVtPU|uZNeUj~r+TyI;#aOomfs*r9UL
zmQJKz>-O0zna-wC60w<kVUVoV_G$SZhzPnXGk^@kTVE}Y=sWBn3Wrb7@XHE1Y4PTz
zKC&bX8fISwQ36`XBi_m0SlpirnPN_uOT@iDGY2t}N01y#V^vz=%uS&0$YiB%GT$ri
zF9XlG7>iV{_oTP-Iw4G8V(e~Hw-P6gKzmQWoAnO$9n1}zXg?bG;DP%<YMyHgDYZnN
zoF|ywUgp~w0zNT3&P~UqACn*ZT4BQEk#+f*Pk;08e%W^I%G(ih2$7O%<Cv>IR0v8;
z1~+uns$A(s7BI`A9>PjHk0($jitf44ON1oqr>qSpH|>U$WiE9*d6+^6nc~|dO@b~B
z&dvJNxbEJL!>p{ul7VbnTYD29p|W~lDW|1TrlMScmS3cg+>OOgj50z}nYCE?2{de=
zPxO%e^~Tpw-%e<D0i(sqa2TtiZpunn78sUdouDZzVQXWAJ_y1h0JfE-&K3;eVM6i|
zI6J8=2<7}7fbOIQx9Nu*qJgSJ263&nHvG4UY~ht0gZ73fI$ZgA(Y1Z$QOJj7zsK9O
zJv%A%{OdfvC!m-_1xN;^D@tdf?L;Yc+XQ^wY??<Q|DlA$tWQF+BpS0OQufEWf-qk|
z5{>n4fE`!aKsE9Q`J6K1k;Ma~=wixUPkeqVnwZ}6(0MaL??uJ6e^~!D6e<4jbnMl2
zO4vcphC2oYy4sUOg$_DWWJCJ`q9u?)t=ROki({p{`4V-8SQ0^c*C!Ml9sPa$&T^Gs
zuhyLY<5c>aVWP;K-dlq&zNtfUIu70V)X&giwI%wc1U9u$-Aj|@BVwRxx>bKV_Y*?<
zwmER1ttnX)Mrh3OF~1eDX>*lApE`@t1+f~ilwwgEnO4m1`;oD)PnwGIJgO2sbeK+5
z&J0efG6Qb(sBfh2^T13C6d5QF>uM7%F3x|o<^Rqv58!Wqzo~tbOX&No?Zx;{5<mUe
zo#FXE%K;B2{dhSoq`yjk<pKP@b2kBi^V&D~zE8maJ@@~U&bASsW&bCg$v?i?Utic`
zQ~<xP0SBP4ovhrzvmo`9lC&{g<is8k?E2?-rNyAW>qm7U`HpxwYsO41$JW)u6+}0!
zo%kfggy=Zw^DuO&h=`tlRQsxeBbGBIQ9RMNKNkv~-6!^Y1PV!I6}~RKGb<k1*LLO5
zo!%*Mx#_Xgz4P_A<XSV{Jg9F!Wzdiam;W7|IRqX*+x9Y_LG$(iEwItt@C0u5!rxf`
zQH_OY(4R1rhHU%@=uW(-?oY<Oxqeo5nV+={#`vm!+^qVO$M}%ObiRh%qf83fF?O#E
zIWzU&#AQyt_X@w2gjA{pqmyPW(g4hG$9OEqdkTpvD2S-Dfn_aZboGU{lj4Ib-)O8y
z1UbDyH2BT?<JoiCG3SB1mmg0q#4%^)f*!E7Vn5~Gz4PL*m8+sx_<j!GV9EZHHeM;+
zUk%|ghh;f&QR$6NJ^Z<_;ksI&SQ&Rys^lgwGw<mf9>Iua+ddp5%Y3OMa;I)JzlapF
zjc7pPwIc89En9h!{6&^OggU46as7Spe0hG!G_$eZQ}3?gkf@HH{&Qfxq78o<SGCd8
zIxZZ3E7&&rDB4b0Y_V=Xud@vK|1kBB@qM)47bqOIv7I!wZ8x@)#%yf6X>8ke(%5Fx
z*tTtdGf#f^|M{GA-tW0y?U}u<HG8cErX0Pk_neQXTWJ6)@J^#|ho}`<Lx|7|D_@yb
zThWz%xI@z9O$<~sIlz#aajCjC@#CbWU(bs%oV`1mS+?yOLM1`n&$twn2Vc7PVEc*6
zFk|qiZRpD>*5ML1#mL;V<0QHn-}Nc_k#DOZ_ud-fE7Y2yf?2v!!f*Wb`xQPJ0mKCj
z%Y)gyNvz2?ZQpjD=Z5hMYN;HDtD&Q8g?_ehQF{&i+_L=**nQ8ecpYBDFVFtH0Fgcj
zc=*7F@&K-I0wdpv1_8(;f9~BDV9EsYg~*j0O!B|hCE5f{8Gv$8@_?uR%EW+xC%|FQ
z9^^jLljl4i4@Lm~->uK%0nh}fppF57;cZgj>*pQv9hvKW(Lb}v`YQHwiH>YLt_Qez
z!uiSzKpqMyY_B(B!-UJk**fo==gt~1p8b$zbTDXN5?UfPu|nlINC~>yyL~Mr6i9#+
zES(l4qD?(QRqc{#Mi!zXmMx{U*_1Anqy4w0{=TRHzR=ZYc0W9G<Rf*;V`j4!On^>S
zZms)ZonsGaB!jP$V_Hi419!eN&7_Hw&vXA2wpkqY9{g+pCq8?YDXEkN30LjLQYv$f
zX~^%lpW30%QhpV=|K;MAgbW&5h16f7GvjE~$<0ve^sqxoLlnCYoXSix{&W=cl8cxY
zGADv4@q$2T7JNt?QSf1bPR5jc*s@AdrDaOO6|D~EVf1znV2*}stVOs@FPrB^R|D;-
zL!-q$V)(a#=LynIrEQi!2luqrZPxm8hR0iMx6=cAzi|Dvux;=M>X!4Bsr(nFisMk<
zx+mNl34K3w#wG$r+FbNgU00`KSta$Z@S(%<I>yWm;xVk)Sj$pB+yrOO*_t=q06|CB
zqCQ(Rls8LMXO{#qFDl6U)m_aBhGj_-%hRUy15Ob|E4H>Lv3dwGy@r)Q!36API$Bve
zEP@8L##3~sl1s|yqho%*1|{Y%4e=^9DO<c<w%4oz_rEzkepyg~Y?M_r9UjaxZ@SeZ
z#wvN@OT4|?T8;)=1aPuk`OIwdNBPw8c28Ub6{k}ukoV^FG}uK&6$FlzN?BJZevH+>
z-|ya<+~o}{_+M}J)Im;s5)MoXI1hY03kj!V0>0wJX?kqzRo%R(3%Bb^#1F5ds%aAD
ziF&ep@UI$z4Bw683XDW={yrMcf{$#Vqeh<J!fkj3_!-*Vb))X8#IMa+_xmPas97Fk
zZ>FX_MHebaakD2VX=fFwE7qIsj<1?y@SU`e_#xBL<x$Ruv|R7xb7G1gwTTj;MLwRK
zs!F*;jC*gbeNp_~K`6`o_%l}>O;W3N#o}yn*MB^Rc&d=VbX#L0k7zd>m5NYZdq!AF
zEx#O60FPT=+&b`S!Msg-$VS0i=V<Dwk7W{CPwvmzwV;lWn_cW1=n&2<?Php!<e@9Z
zGG_3!S;3{G`R4%2<0!6Q2pS0jhS3bK!H8FPu1Aab^6@KWRQvt-R~2t~=aA$$A}j}Y
zx!t>%;;LF&C+TX0l4{k5JoLR&x_;))yP~2_x-%Jp4kip)!eCc3dMu7-Ge-7Y!#ZNc
zc}?HG_80Qb$Y^GfGe%0T*yBFkpzg7H4(s-zLAtdkk9a(U@}Vu_^5EY!H~L>R#24xD
zN<-Z1lJ@K%`6skC!%Ep%U?$DOk)M5v$kApmzMfsQ?eq996P9PkM!VhC7i<*|`_<!?
z*W-RS+KV`_ep2J)rqk1Fu*2-}5$WorlfAw#R~dE};mjHR$3ycMSrF<?<_-Pec@6c@
z32mTWK3ktv>SC(JI9xo$s|D$k5(43Wij|&49|?OFwSQX`Xt!U@#67B|soSv4_Lrwk
zM`(S*%aYgOYJOB9(w`f4&M+@>8CL7a8R;ciI$f_}ckq83auzDFa_%|R3Ra=nkA72@
zrr#2nUnk3a{qlo;h-uRkO@?M%8ohy{<gEVtkxd|%CbK2n?*|l=N8uXRn|b66^?j-+
zXlaXMt9WwFp!GbCvU<NSi|$J0o?YeNcJZS)*DLtJV{EzhI{q<{l!Hl&bg{j+-}8Jg
zgY6kH$ZF&8Wl_jeqn^7?;db7qY=<qT)c-s78b8E7ox|-$hc$-!T{aIL9c>V*b}#N=
zA5Zm8!rWK)5q)`1=XKb0ZS5>BxtSHlpCw?@QF}AvN9{Y~_^vl>x+#gUqKsW!TI2bm
zq{DEo%|9d`PU?hN?I}r`Si@ChaR%Fxpp+<s^FLOx)_K`i65dD!G`@;qG+XCLn~y^h
zb-B*eUTXbl3#Nk)>xizFTl<k6vCTen9q-{`rf*cm4yk?P3ZWJFf^xA0>-Kpx{Un4E
zT`%nQV>7U}HxfvM?|re2OU+d}R(nKMS3Jfvhx#*TKLXUC1G9Yf?jvjH<yzN|P;fNJ
zNUyTLMj!Lp1v(e|cc=Vi&D6lmtX9Ib2bv|=6k#~$?<|!ivseqDc*OVk%oC-JG21jG
zE0w;p{%$u*=pHLiL?DuQyDUSttB!I3d-L!8*xGsUj|6!E>Nv{)U-$ne%L;)0WfE{0
zxB>|cevCF1eyYV_{^KVHDuHQ(2O@-H;07A|<uiaZhNb7hpL7Vt`@bm_>J1RRe$JoI
z=b^iSaP$xcGVj4lm3V2h{yT5D)cE{$qjeDEwata7bLLO<r1!Iy@578w8-~SM)z^{U
zd^?3)d!6#L+Aseu6YTm7x|v?oOqpa+@zcqMVQ821D->0u{A_!1&~vsYnNtAupH9dL
zZMQ7Jlv|i03;b+PekxdrD*XAU*r_ldQdDn2!`Ab5qvT78WZSpj)Aun><(}@=5LCE!
zt=bs+NNiXSXD}(P8e*eeZzzdM81xbUqLLz6*EZ|L6aL<&;vWYiS<>v0*5H^ob<X6{
zdQ-Ub6JT0WBA-OTh^@FB{gIcYao&mpo4&j>;%8lHRoK|tLfYaX?oXc(&|>KKddIdi
zdyFxYLUkTjP<r@p{aZ;2_I?)=#-;f>Q)l_HYd3VR$H&@mhT-D$NNIdoSxvLtX2C47
zW%2V)AuPv@H(K_|UbI&L`UP4`J=^qL<Ed@VET#}-Z)T#APDhvRtzL7|oLimB`~u62
zhK<>`mZ{5#*Y7y21%`jA@b^yJV3lGrJF~(=7KbSup+x_=@0siKOnSRS`A~&vjr>kh
z5jBWeRY5?VmxFe79ywoH8nyk)nM3}^!2LVRtAIkwsWq*|j_#3N9!Jg5{yz_ucQpjT
zQH!42*KE%L?}G5VcklO@oE6qtr!_I#y!wa<ji^D2<;V;vU;RXTgi$VfW=q&Pis!&t
zFr$gs|FUaI9{quK0QwyGX5tVJK)(2+3ImS)_P~{){?z}q&VK+W?5YRw0$@FWyZ>;I
z)F-R$zkaO)D5ny+6aK$&Ngo)g{jjH=2K=M?#6Q46Lc{Niz%A?9{C|zgJ^#W)di&Xh
z|8eoXh~yD;nqRCBm7m?@IqyP-Ay0@b?R(lPT!q}4PgKZqlGH#J{1OD0{O(tkHLFvH
zNx4`XE?wFn(vaIx&O(Ua)68iM{EUNL^)*4^YFlWo16_9F6onD5I<oia?l~{fq$&ux
zaEP3Y#pj8gW*!u{7tBJVOF6BrCBBZB5~cfprcvTFbUFSV%1){oUHOMpl=kFHqgCJj
z$-m;8g+DPp(9rwMq9zxvNB)fiNyXLBQemRd<{J@9a^XeWRPdGQ#!*6)dkk^r6v0jk
zGa0Y%Sm{JoLT?a9B^#a9ReF6+?pCj<1CQsR1Pi4*lGPmwQqA9Ui{D~jg<)WG8N}#S
zn-r-ewmcM9FgPg=uRaR6!QD9W{$#lc7_HfQOGX9JL>nkmrCrJ`4-AP$1bfAQrh5P4
z#u$CLv^?V-X0EQCz0mCCYHt)+%y{4))h0QB+-%psbr!vie8SjRVi2R<ZA-<#u}r^w
zNrzsZ5Ra;zXN`xRvPYnRiDpSjISBnTtxd|TM4xX{vz4c9m<Y*G8qlkog983FT(=@g
z+Y;wKsY}$Hh&KktY&hl*pzUMl1UVeuKNe|s@7xsfVzEEuQVk1-*23rP850@6%PNCM
z;=Qb|g5DGiulv0-(r-|T?J0?`!l_Xuz+P5NOzKJ(wtE&yUcAU-Xzk+hO#bM>iRpR)
z@_zxhq0gWegQuQfPe3e7>nI@d-otziQe3}Y19}oy7lclwz+!$02>^ZApHRK0gd2nQ
z5tst}U;T}!F<zJ60qYm0h!M(=NdI2{mv_MA1u);h#`+4VKLOf{pzlvW^efQwf*mOO
z>w(DbSr0ggiwpj*8J`Cpi0B_nPlYhbfYxoLQz58ZCX;vkH-BKX=a?c7_)6u0nO`yz
zos%qhk4Vy(u1J`%v@n~#<@CiszU!~k5C4A+xBHih#<n}qJnv<+6`k^MgBHb6^o7Xo
zMCA^>_3g>jo_LR^d{g=%wOzWKEwGYW!?ulIjTkNP)TdLen_I+wdXXYj6qHP@cTuTv
zuXV{=zv13vWvtv{VPTjzTZ?)wvav7KIe<gmC_dcjUfb2yV?<i9dU#Sgf$E#${H}K~
zgBWHbR${l!MW|u&|55DP5fA*WomUnWoR=Y%j;CUk{&Vlc?RxYRS-)bYf7{wBt#m$8
zc%W5$-<^SDD(;Po17xdVpG>ioKzyG;7s?b)O36sqY7Jtq$##xPhqZ?)_cR%=`a>+g
z$eXUa7%%BlPKgZ}3QNsvL?Yj!myiZOo%XlfZY!)g%tJ#8=S3U+eB_%**GO*Rz32fQ
zG4=Qv(}C4-gYVY1qitoe7hLZ7VXlVI{9l)ANc2+i#7-A{nGy}lGFLb4h{$T(<_gnT
zyQO;z9&v7^zq{eI3>UXAv}4y+E)sUUauMG#&d```_6$>^JVAN98_hYTM(5ErG4)MN
zC)R<j*5}v4XZB-T8%Lh@6xKz9BC7>75K`+Gg6qZ^t~@>SPY}2{`vQ91x5V|i<lbW!
z-3~YZz-40Ta?oI*8~qL)>JOqTR!n0g<n#ZW2v^<qcTYC-Azx((dRQ)Y@g%)4LA;zz
z$&v!$Kp+H2sCB0W$V|AD5&XZt?D_yqK9C`vg>)UL9}E!QnM??Jfq?wpS0XAGoRe_!
zB?g?_{qJKjGFZXAmafx3zn@1Sj#p2aueiaiZs<g1&(q&%w-$V3{}EY%?b(l+P;j90
z*ijxHzD*eXo)HYsVR4zNDiQMy^4-UC6ZFqqpgZcUZ52DW%Dz2nFb>)mZ!dBq3WT~N
zc26JLB2U*Ofj$Q?o``mTQiozQMuBMu3Kl<evlVAT3&vER7>IfqgQR=*@Ap9kP;X9&
zHqg<@)pX{Ji7=(TaSZ*s97DVoS(xe4+|CONBBOJf{b7nJ$~iy!-qKw_N1KW>q`?oZ
z-+UCL)p4?@T6Dh$Im*2;?kTLZYjbES=~(Fal%BX`Yi;~AiNaEb>)FQ^Y(M;hj0AKQ
zEAmcqV7T3r1^Z;Q)%x?7F+KI=mYk;NL*$ai_AV~dAQjjqMua`sfFuTAC|6qDjqc77
zB;=BlGnL%&%29@AhgVq25z6~e&wfmBzEX7Jovx;jI<53hxJbn~O{Bu`nlwQbj117y
zCcB?lsZGjc3N=vH<epxR(MHO<6?<{{l8K1C*4<n<zaMM~T~Vx?G0hSkRS<SRT~~~y
zKmGr6h8euGvY<pz#Bj(fOmWi!!2hCAgux_GAWFj~#AmVnhJuD7m%>Ww{44UC{I3l`
zeFAPhIR$~hx{j;+f+r6g+h)bp6T7{O`W)!$a^Xw|qgMD3<;erG7XNfcE74Y^ywPU@
zifP>Z=axx>6UMQb&!^PaYKpm^#s9=>e7-}2SC98zW07tCp_hkYWkFBIw+;lmc_V<}
zq#C1f>1A-#Ub~8foDhh>Cfl$|Z9kUl^l=0rp8%S-LTT7=pQ=Fz$`>Mt4;}#Xx%!m|
zV&6Z>K?TtCk#xvkLjz-Xpu9oed%HoWeLlOH0t%_2c8Msm27CS#D5JJBfD1#KJAcq!
zs{${6pTDX>MDq@4fLDv8`Lr!87#{b<oxw8A1kl?l41~f>k^}HCA5}nJk2(N;BviIT
z4vdgetj_#bdGL-L0QM#X)N*Hnh>l}(QLgP5fZi8mEAGEQE#0u&|5ata05n+u#1)Vq
zbcd+g;ye1Zl~Ss}arPsYOWO-?$RYye8QQphm2(bekNZ}}o4_%Fe|XjVzHbD!eTKix
zC#aIYCy}gTt;>g-dQaxNy2dU7$vdx2Jtr#1_La+v4n`v0$>v<nv}Q(_Jts_LP7O;s
zbPGP0-fd=Ol(pPyYVCG&QiUxWT_i#^g8-+J%5O9Nf4R~&Yv^aFX>(WG^JKVI{9?kQ
zNj!~BE39m;OBlMQ_{=N8ZkJ-NWnDRe>d8wqa4(^knpo@$vsMv;2xX|qXotHW{2^6Y
z7jI}&;uD53T?}QtJ%Ylsu95ffbr*(!z+t24>|WJZ-_?3@$#=E$e^|u<vq6s$iKND@
zxnwLvAL=PHctYWEN}mhwMYr+-hXPr;I5XFN48o@$RaU+=23+u#$?YixOWGkp$YZ76
zDspAXv|XOc23LD#Nl8R3E7LyY5~<S`%!S>eNGj}y@qFa|qo8eRwdV~)eyFdx{Uw>G
ziN$rgn~h(Sk2glYBy^1{1wj7|XD;c4gDsx!L<POwWBuI<8erGwReT6iK=V3VW{JE@
z5yV|8<b9M_oeyP|p+|d8li6ct)`cA?=halOAl$0|Xi*GCb=oWZ8HHJ(nM(5m$(p!j
zSn?|Ipq?a@Uu^MY_&Ewq)Ft*84Lr|B)CBGf$usv5NsBzLqIuG5#N1^n4Ep%SvSO(o
zaFe3}`kDn41T~xh{(Qi9k6#}|6ewI=>?M9%(&@kIB|L&FdvXp&Xx#GrXR6MF6@~Kc
zO%}e*nS*y_#7n+h<N0(vd1qUR-L#Qc%y=oq+7(&EOiVvP>c3BPnem+J^$f}-Tf=b+
z4m#LGFqpQ&1)oe4$Y;G8_!WKSVX437uq^TF#@b2ya9IuYIhR&Y%?ip_(IPhCLSz`I
zZl9prMVxe|Wrgm9JHQ=%(4<kj1^-<kceK?jP}|A!k7bQ2)0r2e-j;2x<H|p1o@SYx
zGP<E%F&-4NvgMPKWqP{^|1u)>kUAT^DQ(LfCMjv~j)R>#%0=zDk$T_=Cnc2Dmhhn9
z)IHEI8J@7`q4RPdOHmR5y#|@xQMZenh(&52?cW{b?(w;HQ^S&BQtr?D9f$nGB{S-D
zc|>^^FO0SAdQvujR^G<Us^~=n`AzAm9p#XlntYX`>XiRta-0O=H6j#A`6y2bF#`F6
z6bow8_@2pGt5{vZ;2VG1Vh=B|YUX0j2;A*bZfll#vqN=?Mdb3J7j$Emn(6N4<<a1@
z8MJ*0fe=xns@B)Of=;@fH?dy=JcBf1s0AOv+uey%*N2tMrao!<@MeG71}g^cY|;+(
z-xVG<ejR$348}U^cXd92Xr1c$NZ=qzp<=BQDZDoKj&o+n=eC;cu!(Lvle(m5FkkZ`
zEY*;15;7Qczq|G7ultYLqfp)0O!`9sH$soHH^}RNFl-KLdNu|J?z0v*XA$y~(-|n^
ztzuHd^8jJ9xPEQkl}S9IHtEa-vHca{YSznXabm;5>&gm=MkTiNDIUt!xj`+-eiKQL
z(-*<nNo}tIc}GbuU9p?u%15xZ%vs-iZfcg%t^o5ln`2M@NTC>~LpgdC!4{G9Fn!TF
z+P#q+f@NklAo?TE*jRkOjf&(imiR)EQA-A8v{6R|JGp3CCx6~5EMy8<3a*{(7q7nN
zpIO*e8xA=Y^V(UBE^+OCIjMKG+@ay^r2%`jcD4xO^(8WlcvEIydQvG}G8ub3mUH9y
z{u;j!yA6Qe4uv~Ekdm?04{Gk%lv`7W1hB=_WR5x3X(6zhg18EQ%z(Eq!E1eK!>OeF
z+C+APkOx}_ht0#)@{}`Suve=;9fj<9cq1<Cq1@Q~tN0h)FljpX2ea6ETuywU%Xf9<
z*l2mPJ--JVyM5(<RpJn7<f1ilyn3`9hJR>Xmg1|PCaoU7aPRaBm(itRbuiD3mSys^
z`}^wxiN53<kuG>Rc$@LFnAh{r=a2zk!|!m9>pbU>0&PzJ1Q~5v^4`yJxii*yGFpe4
zi6hrJqQBMXA-riU?PlRKZA)M|7d!6#avNfCmOlDN<(n{8Ulw$AxugGSgHQNod9JHy
z4)m$9k+D`Xqf$|yYfJ?)alN2s&`6wJeG}-O2+UAu`+y8oto(q4d?2FbwgrGv=xKvn
zp+7(@+T`KKl90gHasLlpeW7^5Ig6wIWGkH87<tQz$6Qgt&g}05_CL#=VmUt&v7yEe
z*YNef3tc{^OL~2nlrIisMKFkh^Psc5T}aMizjB&8Y}`8RXg!()HUCg1QD3YZ;D?uN
zAN1qYpf%~&>Ijf1zJFcr#=jnOrzcCOA#q8le0sqq03j7%hiE|;7qXS-`wSsdYLp&6
zlCX>nb>ZYhZOSicFZlL+rTVFDmizC_q4;NYKkfqAK3{zogTVegn2dCtC4NAdAA`0h
z*Dv&!g+EJpQ(jtOj6vX~mu7UTo>X*<lt#B98J>JgEucU6ws$;NsRm19Z^`%j1nE&|
z)`Bf3qs${zT<9~`>l+@|x-&jKQ<gz;b!GY0f7kKDVX|klGV7U}|0NWV48F;UFnhCA
z*I~hbg?I96cFltzi%uQC=2;5$R9<{pRKLpNQ%+3S09SlA+gGDNVb4++nYi99*6;G<
zAgd?%*lp#Wp^A>hHVr<esilPaZb}_8S-E2{eE2b)!`v+SrwUv9M3ug+hOAA8Wb>ka
zxWWF~?go>^dB=2nfvn+I8)WHO3cX(agtIm{9RlLtXp?{ffow=p)dRI!${J^ummiTm
zvF^ZnsZJ8jKp8<rz7ThjO5<!UM(E7S`a$Ej)Y&VKYuc^ORP*$==p#2CpBe_hPBUe(
zyTwLrTfS~|O_n=Sfy1M;3vjf$BieprqTY#m1U_!Ke!WcP{^N2B(PwgU`pNjxDS3sD
zxL4X@#BELP2cLs6RLJY{@0>OGM^2wwY_401G7Tru6Ngi<wob~DgqAC_ZH0}i{<QSt
zx<i2<+oJkxYreoUc{a8VLo3@ZvCKgB+^~illjEt+AHBMS5<7!VEcdWWCod5@(l6Z~
z-zu+{__#_dya(Oao92oh>|2{Es>5Kjz17Y%ySrNSLz1mK&s*C`h06QzlrCxM@$C9{
zyQDO&L6?~>;{A0zl<~~2*zQjTC0fS&&a^HIS@*nfgOYOYTa-O(sT;=8VSdc@_Q`)2
z(SP%e`~diUT?pKAzq|Y-5p5bupe)YLwJ@RDX5I0q;2+*ts@mt$_324iUeiO6BO-w(
z6u?_Rg815T<X@jfY`W0)N`pg2`<<8zQP-@cx@j-!44JC^KpBG}lIq9sZ0n@8Zo2Mv
zX;XBfO%qwh;^n2Ep6`zY_k<ghZ~_&_1)eASFUxTf168g=({?!~Lz`!($J=z5%dPHY
zRi<3X%mXNLyPHYQ44gOD&UW4iV#+Jf5#DOa8KLNy&-W{HIXk9W3^uN@;rDod&Vn_F
z_|<h>7ImLK&R+!@3vGQ)!S(A911H_{Lst?Q+{(+Z*9ga-GfXJ+(^)eHbgEX%RRaP@
zVDO6iG%*FLDH~kBT_}Dab`atXG{Zg182f?8w~{BfAZlv}Wleyla^DPmdYXVC$aA0|
zB=OE4H5-58xETrzF>B&QXle@N|FN|SfNuid5vgwcc}n1->}0{Fdo6Q;yDSZ0<m<hE
z*|yDVPwrdp_SPBz^(r*)@M#H_X_fkau(=SFoBOu)>7<(ZH4P{XNqp9P(lC=~p#Zbk
zPC64hw)X?FpN_6_w}73mr$R{%uOEPrC^7Z5J@yCo9q>8xgpjX4h^*4+`UZE6ou8`f
zJGj>ySMG`@z6v%_nvI$$PQYrn*C>IeMFP;K7H$XFY-g+O1khd<`7_$aJ*(;A;?Pws
z&COpqtVyv9jxO;a$&nxL2xl%KBbR*<@b7G0+cC~HG^1;ls>qqsURT$D25YGxqVE2+
zGm8jI%A<DfGo7Iq{}*Mn$&V)X@nFoRYqp#Ldmh(e;2K@H&WjIgM!)jagd-La>P$a1
zkF4>Qq*gh_kfu{&x}6h@Cf{dK3Q?W5E>jXqj>~^ppj42RvtCo0mP0o1Unwm-!#dAm
zSG{*Bjy+V&3jA)L<zxOTGB|2QuQm3T7db(~FCOWw#s+Or_Hq9@N(zbm5G{6PD~PA(
zH^~s;=~TQuDl2o9ocm;cf|+FEuj;T7-@Nagy4*RZ@%-iekqF#a)ER>Da>Lp@j&VH-
z4-G4mc$;3C-&YH{WQ)`KFuCoAYtrC3S0fbMdy>{EtQc&@D+vR*D0n(e<ecdpZcMLF
zPnpYmT^<_z=Br6mm?${Mo4ibr3xfpRbQ<dxFU)9ibqJ-6q|@gsrK(%>RoWQI>DNSN
z-{j;9jXL}t#mB`muFMEi>jjpYdWpQ9ZBPr`_fgqg$_5MA5qrk=t{+dnt;4!;dxs(C
z%)X6H)A2@{C5^X8=}gd-3{2KJB4MeH=x~T_6o3*wt&-n<vzhEoc>s}DMB3L^Pdy$1
zPd!R~D~J9fBEHwLYRLRxk0Za~000}b1)K^6VW$CkA&DQcWOAI)8!2FU|F<qW@XmD2
z2Hb(a0{_)Ud;|u3n$m@!gRVM^&}07B)c?1laq#{m`4RdX90Zt%1OxukpZqQnN7k{>
zj9A&X|89x@vA}LGL}LIMaCZao|C|T;W<b3w2CNhtj{M*IWA=Xc(K!@)WBn%73o@AR
z^)xCUZXl5#vu>^rZPeaVP?<<ND}c+s>Dn&xc>9Q>8m1UBtXAYbU_$?W{<WV?zRQYL
zv!PAZ%9nH4IozziB@6GmGp{BsOQN2znIaC0wF6a>r+V-=VaHI+6n1s?1(~nC*z?@H
z)Fa>1tfI1hPGf8JuPFr^=EnE)-<K-W(Dd3((g#0Y_Vch|3bT;{S})E&eAyOcwM6KQ
zf*+m)4A#$0Sci^tmD4Gk;Zc*llWeEV*a_eZ@?-@@BU!t$X0Jr_Qf80j7*&RNh#Bdd
zTy@m^m5+0FT%IV(v5gYy?bNYM><wkT1YWv_ixRXDO$o!ElvH)}ju;uLO8R00NuOIn
zBFGZ1O+t=5g0TUw*Y)b}=}ZYR1Ou(oqE2SH0It01PUoM0>Kc}0iYZh-gMz&cz7KG5
z@BiL#P-PXb9s74=)u2Z@W;#B&<YKC8tGPtb5*uPmaY{U*OFYHsC~&Je;bBdqP9wYW
z{iN@fqU1U3S9&S?sHmT0-)wYkctZ9_e-AbDQEN(e-C&Fx>&b=8N{fPeJz<XhS8|^I
zWOtG}k>{>IK?VQbb(0!-4~#6aVQQiS@%Da(UC%*idTlhao3%Z>Svt4Zmjt2&+wKqZ
z=4BN!^00D15{+bbAEpXOcgS-j3d;2fHI{)U(uorPN;xs{#3(KehIyYQz~deU7dZ!-
zR|0?hL$7NGg>XCoWQue5%hxwL92Ncx$<3mTvg>6|MI1BH@x|3|ZNy^#h!&o%f~m|l
z%%!Jtz$=YPHL2{Yn>9x_8V=;=q_mSNRNKjI!%nDm@+55_@R|6}-?6>TS1=dWf*qYC
z#8mJw#I#XxLXuJ>ynczalNagWQAju$9)AHpAxKJ65tfNVQIh!zTW%y=oO^Hwe5rwc
zHuf{vK5u&T&9z=yk#td(lKRfZX3o84DLGTgejDr|5$#YRMr$AGkUEXgd4}HN87Yr}
z4be*a=DKUXIdi;6v4%N;hKx|*``YSylFfpA@^~32sJ<@EZB8)O*f&$qN7)NYB09`e
z>^Mcna|N=>alhsUBf7FZDcxmTKFnht+|z27$qr`)*yYQZ6K(Hr)W1QTfQg4s4PAK8
z33+6unzUB0<q~@<$|Erdq~Wru4j^OVCtVmE@lK|4SRyifYH%}<WBh@|XAxfQs^-?8
z#JeGLUFJEzgF2#^+?Ff(Xr3V^bS;Qz1_rXeje$i3cN5=oBekC>Lw!{hs{kdn`><B^
z@^cI^04sgBs-$k1M4aLL;^54Fe=eGIMJna=NL;z{E=-U235D)uza{i^a2!2$L22Es
z8T9j>Cy3s4h!r=qjLoi)!yE7R{t}e#&#oE6IC{L0&uc;O4ockP*cS$2mM^2I7lD_1
zlY2`2<3?Q~>6R<YF;q%_IqjO`wU=&#X<T;xX<l8#A<^K3X4w<RHP~J*m@<~q_)faM
zNRjnbk6>zn=#7KP2&)&fXnVQCW%s-EB-8?55@nC;@FdR%0FY{(g8=s*SEMOph%5xn
zNw=KUf6XtOe?ro?aEGN7+8>P0h7v0@`P=BAroDtKV6<XzvZ&zKos0}EepHzkRd0=&
z|9+Kvd_H{pTi2-PuNTny6ZX--I&{-EkXqcA!C{w0^(TK4S0lzGQhJJ9n$2Oqu5<&w
zFq7m9&z(O$zQFr=YQh3Hy|8$GdM0Ae3a~BjFcVipWpa-FDTsAu7pEPsZ^%TQ(qUOT
z)o|&)UcTqQ;tgk(R!u$<aNdiw^ln@oi_Gipb2l^A--{2g7Py=KIcE|o0se;qdKAYW
z_nfJQE<vsY?Nd<3tQpLBOG|8gg1K}i6^7#H3>pB5I6*4@*go?-OfW8eW<;I-<sdm_
ztrGg-ZY%2fr)}-6i*Sf;lv}k9`2%jAyx|wNAU|FLk+)NlxpLc*xJ`_HzI^ilnq`A+
zGOv3(8Rz=<&Yy%(`sSY&o<T}H5~DCO1YHEuD5ucax{_PhUL0a97Zjru;K9pSzq4ni
z68Xa(M39VR9i5cf8cNrr19gwzbHs1tc-|y-NH)J%Bpm(V42)wDi)@!wT9t4$!Rjsz
z7aB{4sLP!4qzu+qu62Lzj;I6+?w{@!^-MAnWQv)yTy_#@HPf{%z9X{avU^g%wQ#XI
zad;ho+(L)>Il=#A9Zr;Zq|KCiIWJ(WH6gJ^1#w}3vZCIsQ=H}g0USkv7C<A9029=a
zB2GQHJbrxvbGDzMZ@oLW-K4pgti3f-LSPM%#MYz3EvBMOyi4z&*(Sl+!*TKmD|48#
zg*r%7?kL_f{LFYXt~r=vD|%nI$DwPpzo$>6l~lcMt3Iii@$?oMo|K2@@L-Zmi7AhA
zAz?jm;{<ARbNDeOw9(u&u>=%5r!PtoLc;`GA2UX=WM~|U!OunzakG0~*k+=J<(e#)
zKZ=e)4G`#r=WJp$u7>6u#O5Jb>`93a^&s-+25yi7pbsTJ2eAnTz?^GhRIQaeB`)Mt
zS*Oc+6Qz9dw$boKhlLQ7D?+Dr-P?&+R&$qxw$X?s@55#3_)_ylqCdN%@64A<@Je$i
zq6TEaxRUM}-PeJ6da>~RH<yErs>bej*1iB)hFZOwe~!Y?CX#HMy>q?F#dPPX8kw7}
znC`jZBzuCN<i-e6p7ukD_<%GO0lj|}G|9d#W`AYG`5R(792D^e$K941G!4$l6}p5J
z$%Di$n9`h5phpO@vAc^wiQhOgkLwzok##VU4>*>o&QQj_TZi7xJ2Mn$W6;gSf4aFz
zeQ(j^saF46dN?UGO<*E25dbkW6o3c2Wgbvi)iWc9ukBu8c$mG)m4#KWb)t6Uqxe@c
z$$##y3M_8O2ZCECJ?d;q-M243N50?~IV@>~-+eDiZNLpv8*~ANum8mcM5F@<jeOKD
z=YBBZ=m3Cu8w>!b14Q_M0m7&1D|jhNn{f?|J{3#@sC)H~dDs%V+ag_l0X~(`*MPx^
zkQ;C`be;RLq{tVc+f1Rw2wwGJ@&LSV0;K-8Ld={1;Qqe@lRr$J0DT1DL?|!<?8;2%
z_W>IB(KAr{=1+VM>OqMad6C#s+dNTFbCHq7HeH0PNz!<CjMKF^G?td(B1Aeo-j_~y
z$RAl~OI?ZLyLW?rz)YMjJ}a<p>&XSPIO()YatV$>Po51loVj}3XHG@Qj3vUlEor9Q
zrbTZJ2(iwGxU+eVjgVYZGa!cl*+XezzSdhI=|oFe4J~1|Z}Q-Hb)jXIO4V<!REJeo
zh>sl3P~WA=uOE!JeK<G+d-NbW{Q~u=%mIgL|BGAwXx!gkd{7~1Uh@q+5_AF~0U;O5
zLBpyf-N}vkr)7??S!ip8Z$p2JvyC^b<y1<^%0e;O6?^3y1{LBNZ((;zmLYVT{&9BO
z`-Kb})a)Wm6eceG?ol642-Few(H6=WwHx<4Gj<0eYjx3B^5e5b-?+20Q3TsZnTHUZ
zT}S>oyNdc{6C0DYU7<BARf~QHwe*U(+;Fx~;2yt-W2Ioq<b4kIjD^jb-7JEs6IJ{O
z%R3{3^0$o6##nFqVNArOVG6v~UA6Zhj3kNiRGfSYCRQ<F9aTMA0k-8wBq0R`08<<2
zV|*&4pJYFQ{FY-)CokenH}iX#`F$=Mvl$C}r+fZN&o=gU^^NGH=ikH7zX`S#ZPGm2
z>+geT7%1NYnj6k6pF`Cy8^cU?e<YxK)8KmhQ6zbau>GTk$<?STZ!TfT30+oxhDtq}
znHVW_&CjY*J*on>h0M?GFMEjHJ^)cI8^?TDs8mopt&JhL2hCF4^kY-a4-$@4r=R{;
z(v^;s^A$>wNrL<3xNG+)JX<B;Z+38POTA0gE>5cd+I5c);bz*eHd=#sQerEn5QxOE
zMtc0D*VPCGX$<sU7SwpB(*un5+R18PnJ@$l!m3jt*N-^u-GcI1e>{gG8MM$^8k3~|
z4fe%~`ivFTEB8kR%#m)GZTUfb*+i|VBEJ{7#3&x>hhJ92PdYkEAJrD7$;3!P8&|`(
zaz+-&jMPuj!do<zAaFx6<|GWVh?S*rlBtu{n1))nucSV>p|WviqjL&+>miiH)xT{B
z!B?<&<E?Xc|BZW&%zPJ^TPdNs(fgsz)<AeeJY;L~Zla`P^Wt_V%&NQhE!oTO9jmrm
z)Gs_je7rP8brrWDQM1T)kjlWt=Lw_aaIB#!$bFnkR?xOuq<7F1*;Dit;Rv)&yx|P#
zdRx^j(KQpQ&yK{)iJTU`)u<?N*NaMk1o|*D`Z+CG;Z;RgW-c}GjL{O7qE#&+asw+t
z>ZoWpoW!a^0nd9}Xbd+6;Uxx)myMPoEN5i!{lkQr1gm7o**F5Lh(FiC$GqEvs?8Y<
zBAjf}q)<+Y>{j{f7fCgw>DRHd5k{A;b$GUm@D$5Rm-Dz{j%a|CmJ|R9Q{QC7caug9
zZCw+WH;1mggGGQzyks|-7Y5A<j2r?-%K)eWkjLo&uC@+H-(#yk{iWVhfq_bBZl?cz
zlzMsm0jkF%Tz~XW!>J>GMkoP}Jp;(E`-*qmT#bkOWR7>+kyfGoVn2IUlD-T*mX6N`
zy;!2qjjsu$w<Do6Y04r<ew+I3@=6J9*~Uk9yvaP@75>b=Nr_$Il!cPAy_B<OBFIac
zC$iGB;L}mv*=Ki^qLZ#+i>74Fx#Zf?d3#qWo;q;33JVS}dx5m=SFGxfO^+{199m3y
zr&15-t*!86UulixHAib_3ePtv)7uTOwjlf<9fh$Wuk?LIP%3B|o%}JX-0$4)$6Qyu
zpP+A21r=k@oCXR5;NRLS<_1qSzlUT&hJuljn!;NWO}IbL3R}pj`sD{mGND>bwno?L
za|!j6k-DixaZbmV??9H4{k{I8S|OA+p2ytU7N+`P-Z*h=TfBpZ6H|t^);tsuI=vIF
zB`JlR*sru3Hxq<^=qh-B@>}m_h7r7Naa-;-JH}91nvQ~cr3SM0=~5|>?`?A<_>E)1
zow?&YEq-yFO=kQ=4}^_r4KrXAi8F<Zl8QoT{Wb2_f|<FOX2AIN-VXz&Q><N{HiKG~
z0gup*Ix*eesw@6gtDVp$8x=#HO;e_IcZmcaNEl9uyF+=rd4;p~In!t<l=%52^T~%K
zB@L^5f5}}Jc8IbsrXw^D3UTUY`g@oe6;axz@`#XcB=JhR8ZDvR)VpM`K@Aq~i>r%s
z9CN)-B41l@p}*6c{kak1{16&>5;~sxkYurW2d11*KY++*1DH3U1%9{ZS;$h_c(0zJ
z&k5G>fv6HVY6X5=Pra8?YXHCx#{U1=-3@#IXU5Np02#6Ce5x&MitKjQ8Q?Dj1V(@2
zC36DGC2YjCDKMfN3&EvecHwod@qRt<jDsTkono@6CK%hi3uSMs@kl)ED?S?NS8_$8
zkkdBJcfJf(HZ6pFNI4DYc#3r)4$QLXuw*NSb?JH}nDnu?5%#>OORG}nTX0C)85Vax
z0_2MC@Gt=!0e;r;f+Kg~Pxa<pRvp(ESh@TJ_w1|M16gKTzh=Rw-}!@siitJt0|S2Y
z8E9(t{YLVKu+u8T+0TbdqjcbLEtX<a%==kT+Y_RUu)TWKsY@p)pjb<1(6vC6c~G55
zNHA3z&1E3lY2{pKLDt`l?f*06a7RRm$^HPePBEs!x|cqNXxz-m(eJm2J%N>toI)tO
zMwr0jRFSF<FXhZcE2uovGHI|FP5Y!6JKvf?NOT{al%0K0vZ&niHzqin^^R(xk?p<E
z4)t^S{m5D`iMiT9#wdLywq64=h8NC}I%3=^$!$+S(zm%Nv{kx;Z7CB%+MOl_Oc=8R
z3yHG4a!x9}<x*S*<Q>sLUw0XXh8vcXxW^SrV9x?wCM+zbzp~qmV6)x}<$K4Q&r-F2
z61eBK5w0A=5nimSg-p@lvXQiETV!;L{V%Ps?L~`h8b|&$;B*a9eZ9B_!55Nn*EAwy
zTLmU3ttxVt5}aH*M;OisgDjxW*0{L!<ya7TkG3*QR-4;T22(wQ0j+T08rEy`uE&3J
z*<i!}{Cz9<PfqmI7zDDTqC_5!0=Gek>s&WdwvV&5;8m+Dh!OIP-#?k<SC36ne5Qg(
zwC@;y{c&MXQ>8Q`RrUt{g;L;5z%uvU6U?xmWKLzQ))gj@<5~7ks4sn1v-t!Uqhr&;
z^-G&{>xDM;A@Y>k%c3Hakibjw!A0M>arhmp%f{_S^&)Ju){O*nHx$gwMC@z=4c{y`
z;dueFqjITT9m11`iIt@qu8!l-aYOy+F<JCSOwsLoug>sj?s(z^h7gL53k|u-eC2{3
zE1$+1gya-&mq28E>+>lIt&Wk(x5a4D<_dYqyG+#rgF*@fJ1t43EqK?-V09GqYTfG4
zeI_kzf4^b_{33=Y=|W{@nM*6OuW`JOrD5M`Kw*y|@ZAdTryOpGq$58&>gXS?zBGSW
z=~TfV&i+cauk7Gb0!P`r|FcifqVX*b$w??fz6a;Glq{A4xB$12&V1P(kMWi9nHIjT
zcC^*}GdL?FYZj9S)&hPR(@xv^rz96{^=rXC&0ykvOK4#g+mZc;U#xCLAIL+%v0b6e
z)x^E{@*(R9;UT1o$33pB9+yqpVM~i33xRP{K<!%Saq_kDF96yrLIRJ!yv&&0z=t3u
zCYhCzrlw(_hzN3#7qcP`1ZUM2#)<wFG<y}Dq=rKiox8VmWzfs>OX&Ot`JDHt-Cbzv
z&Z{eD>7sp3ceov`Xh^rI{bhPVn@pIQ<>3`|@9}$I=}!Vj6TX>zM_*PCp70CG`KTM7
z4J&yx*6f(E^UyT)=`sXLn??x(;tGey)1!_&%~>rV_5nEZ1a#hkccMiAXwa1crgr~_
zyjk8K0BxHJd&Z9c7mR;gO}%R(@cj>ChkfLV1NKG_fbnxBz<9}mk*fFk<pQe&v_L{5
zpeg@bBID)vsh)r0_ki37k@tr?%lm@Aah&_SndX03{AFup3i$Jq3lC18bt`vJGN_;*
zHt*te%VN_qjah_3&t)-&CX0Mv$3p6=b1cWcT=bot<gDrElC9>lSdfK*kLS{Y${wwS
zD+kTC!*Y^?0IT9`VTxaMn(U3cJEyGOVhghCP?HBQ2{QHOTB(n5rD4;1YlatTZi-q#
zim__nf)Ve6l%m#~o#Y=6<nlpOsZp&l<I!d2OnbYLFE5NH&&gY(FH1pq{!qT0^MAnE
z<&EC=1AS3b=d5><gDZ<HYe74+w=-0)lsK;x=nj{{x)qH!5Je{3z5`OAlCN;R1nu`u
z^tqSXT{v5mOz6nT=g9w_`JC_!GbBp}yr1%KOXPa-DD7OgQ@RqZpX1J_Kmu4C_Q4y=
zD*hw=;{pc~#D9jr`GS20c#~x5IH0|@e*1R*9Xv%TP{=WLX*+6yZpj~|j^HrPMYI&x
zj`wzzrjJ}5jQjOGkF)l`U9PYnv~7yNLc)Dt!+>v)KAk*ydhlp$q1?1AlDH>wVUtky
zlNU0BajWtp{9HP4d;_u<ie{R}WHnkuFrj~bUDzVEQ~%WHM_W4gZh1F?*U#tgfB!6D
z*9-hw-hD93A2%=agj9t_99|=NTDwV!;*)ea$GVcOcWHoURA<;y4-ePlu8yM2S~}_?
z<GB;;M$SHM7#%s_MMfZhu!f6s{=(k0)Rs~hBbdubv)}0ADmu9W<bvLWmfx>}4PDP%
zZ$?eu9l!{2%8QL!U%}fYBnTS|Z*IUoLJa;U$|~;i?aNE`q}P8d_+uRZ&!`ygLVY<A
zH9tKcV*m)?=tos*i=ozK{nOQ7bM}@{!|%>srE(u6l~|4>;Loq+LhSrL-hWx@Qry0p
zLKP&|SCh5spzIq)GBNsPHl}uDPO)x{`?NR>{E73gdVGi3Bg})-dz^iSfC15tMt1R-
z5X?~YAw#=48`j!z7CVBY1X=B&7(=}GqN<YJG~Z*V+=F+rGYmV`iIt{4$-b6Hbi?33
z!kDSju(HB8vD7x^8&7YWvR7|E@7vL-(K5yAm!~#EJ$~;$>|5vhj5w^~;e9a52gm%L
zZ0%GtncKeU*ZAFvky*NTGtnlG^cB#Mc74;-3#Mke!$tNg$JVQF+S7f+9}$DG+kr_K
zKL`jK|0ws(>T(D@DWT}LIlHQN?NE1P9rSBlN!z#UCV!X_?k85o{SaGduVxlh8(^O`
z^Qg7rV^$c~Wv`2X=ifAUhzufN6kp5jRnfy90O`2)7xFv$OYiEWMJpNm(jp6%&=34f
zRCD|4=<U>tj>3P~8+b`>v7@OuLF^x#Cy4e>@W&wH-I=2(!&9*jt=DlaA#wdU{v`ZL
zj~kgYRcDfs=<*XgG^w@~L$2XEG4qXRdbBIvkM{1=Q%0^~bghGhyTOaBJ0bIKAT%4$
zL%@W#X^2Xk+a%JOgT@xaNux)0<gUj?SHSD)L|c`}eN53TiakE&y^KY;koNOr(~)~u
zz)=u>;mF-tnv_W@w-*8v{&8~q<u!tsExu3?nyEQ9#$P$H&i)P4bAfs7yaKKOVF{4j
zz<yO;BL0eK6vJI9jWdk(-jGe(6-z(T*0css&ZWhxKaF$bp0G^8^F|6aM9!kDVV#rs
zxWEn6S&BPvrE!w3NM(BK9Z7G^l&e+XbyzaGJ4p<Im|4Fx>Fd<27FLCM?h!VUkEAF}
zKA&ZIyo3rQGKv1cZ#j0Aw=j71<J=d<<+W53+E&BK`zw5PAuQlWD~P1xEaR9MMwkJw
zT;C?aqjG!5p3W>o%smb^Do2R}z54W>@{jbF6g1$-#FL@<=1ZTv@sEM_Yim2Ix-D_)
z!er!-%k5}g_p0=*uT;qj7A~GH6Yj_^*M9E7N@poxUIATGYT^{s2`>vL64|o6^WhbE
z8M)tB3wrmT?R*+gZOh}(WNd8}?tVK}$k3U?eP3&jn3mf)R4|alGF%1Q`Xz#=qo$DX
zH=wK$shl2sN#J)nAL4YdYlLzL)>j(6c#h~H2f@GJ+y>5hzr1k|+Y!t+VjLe?2)5i8
z^)RvFT27BoH4k6LyG}g@&(CEbl050(RaY5)ZEV%rw}H5AZKwqQa0tCEEZ%f>A#?lq
zY=rEsH-r6@<gl<ta<`ACPjn3u8hA&}1iGj{{DCXs)6jo4Q2!_#CO?4l7b2UFD^UyH
zo3@CwfxC_$IVsG@3G|a_<88Pc7t5eNLv7O@Ly?LOPmVUFla}UNeRhW*2{AEi|FjO#
ze{{F0vh&TjbtlAs$LGfIhh^+}?Xp>KIBTSkw+5@#+TJ#AkBUF}wAT6tRY+)8d!oqA
z!W=kTo?^GvyxT*FM?(RP&zClCl{QXjT_;J=N(pi9yyX#op}~hgini~ezF5wIs4df*
zg<hb28=hLjYmF2?Qzp%XP88457N1xgy>~u(Gd_m!^Pl)fN*3I+lZu*2QQobE1e~1O
z9O;8#slVya&_u(v9#5vL6yEj<6Y`j9=>y}KiWPhg0SR@)+;I1r09$E#gcofRG{+s{
zi?SL9nX(oO<xd~$erR`ocUtXB>)170Eq>K_XO6Z|V%2!XNS#4$BG?>iK_s78bQoO8
zIEQY-$ai8_@f=gAEa~KPc~ar%M|D;e`fKfVzXB6{)EoQ_wC0NCA?NEPZtrzUEdkKx
zlk`>aTE=(@YJ@4473zw%QF&$8+vDPhn(AW(T@A*G0Q<ZX@kar3b;eVhd;Ordz?O69
zP&^dgo!Mp80hb2?$BR&er;?U^hsN%hku{r=UqugJ(&9&DJY*pk1y=m^Kp<brzT+P*
zvC%`Uy$CCCsrb2Z6+1z}hH%?>NTbQp#PeD`${0HxC_Js2N>e0(Bi>UHubd}PuF%wS
z`k}w^G60DG=^6s;KEgQoHr*pbYTJP^)7+cCGV1BCNtGW(xp*Bt&80h`cxQZFM10X)
zs=!?-qXnxcNxk5?0F^dcV=!N&Xz%hirsO5WBvt4r79uuV@r$=BZTR0V_iEv;Y;eAv
zyo;In<KZ>wi8HQ}`xdY%-jXcqt;wx(q2s7^?bCYrNB!!GS_lxW=@%WYKgTUgGJ?w6
z9r(nY#AGi`b~C~D=y{E$jc2#BX1}~OsQ)U+vajw^=dcw*8HtLZZXoYp3(Kc_?3O|K
zGb%<`hYS>fM;qf)zX@Nw5M6syYPy$=K7xUtS3yb&Q4wAUy7Oj?lwk`dQAY_zU%cAJ
z^YaEy-7pYz5(_~dNt;ctVJ9fCEesu?{YLfc#y2ulhS^D^`r{*aYw=mdLOTnd(3ezZ
zm}@MP>)EkRHNRD`4o`3?4)yTqI`2}ObIDJWBV@sMzNHW#fe$Q3haF#O_Lee%cXr(s
za<IRQ3bR0P63JOV#<Z9zFbMetvaq3fIGisB>U<d?Gv?qWbw5+U{XkB+p*xO$PRtgz
z%<aEHddV+B3+12Y@<`2N7vY+k^S(fQjc>A!l4Cx4j#>NG{IlggC}qsDhJdL?+0F)*
z=yzGe$ULv*j%Qrhg3A|au>5l*OW$4&6x0xq_r+4BqVGMO+Y%RLfui&AxVXUt4?KlT
zupvlj@zXN=rFJm)Jrw3Ym@5WMZ39D}I9KEo=f-ClLH~d8>r>BiF6fF?3-rlOe*#@;
zpzf|Ga;NrVO~9kdeI?nj4eHNp>;mAN^_lMMA7*kV1TbRH_*Z?JalBLlrH~?a{~flS
z_2e%DdWmkx0*szM2O3IgpQXI#OVU;t)3-_wDvv!|x22^%VTq_G-!r1OoqU_Y;0}n*
zQK!ZdJ54WC`EQr<Uk+W;Tp-Y>$bRZL!YV7#e0UB>Jbv-6d74W`Xu@bP-IKRWeacMv
zOh0;AQt}v;k*xa?_~E!N$Ahyrf_tO^iby#s_?@S1cAu3=dLd(8XW^jgJxsHtGcIdT
z(tNdkKl-z90n?V)5LrrFK&m~}qkYVW;#Bp><iy9|8NyDdD32DEPGk%s+doj1I26n%
zrLzn_Ns~#bC&|Ag$1SE<03|Fk-a<%bQ_xcmN^9!k5blqM!w6M$Ev`w|W|5^>41W2t
zg-`K{;m^ICBF_+-Eim=X7CggW1rt)PlE~5a!Fqoa0gnVx{m|4O=ex(#o$=K0_+6?(
zvOJ}5ucpev_}7d6xSr2$bR(%$ymSFMO{?FCuDZ%favX~%Ws4n|jUPQ>mvNugkTbpx
z(15XICCsnsy%;q6$i`<<qLU%>y<<8h6y5$Fi6|4ub3W_NmpaS4rhcLh`2R8WPSKHf
z-S=;II<}LJZQJhHwrxA94m!5kv27<E+qP}9QYX**I~V`k8hd=N=2&a(U31Nkec^la
zuXleug5AU}u<h?xDa4_c9<wDVUKI`zKE%t`${)EhOYvi1T}@?}eILs%U;DS}`aeX-
z%nraDgmm~9wxp1>#t(T^pDHe@lBihAhdi*&u7sl~G?QV$<@Dpd`bhp5Um%Y4N!eMb
zkrw}T%c<v}@!=Z6%fA1-W<3VfJ_8s+!VH~=I2#V4)|$nxbo-8diH?>X7Ea%3w5#Q8
zHen;Ka$Eb<!Vy=fOh(c;3|@VUvaw4xmxxf-oQ7aik1@mEZtd$~fYWvaUaXnR?<&9u
z2P0O~)4`s9{X+0i{ox#4k5@CHmC>d?7?WMq{DcjiSa@^}__3YzG`seex?th2s3C}f
z!v+?yZXr6W*b-=ae<QrRZ#<|YCXGil8VpDN0Qw27MinHnymB&00HV|T|6HWhl(Hsm
z4VhvCpW-SEkV)sMVRZDFh_tCr5$$S_9%p`~ZS<OvkT$K=V890(q%K*Mp1_EP+im;G
z+1r6P)ouwVR>{4$+zp=#TTo;5J%!RBPhJSCfHSJ@45)(5ufp94tZoLBb@C{hc(IUD
ztP8m%zhQR@g^fJhYc^-_^AqgyNQQ1zGU!Ex(1duofQ0w0M^2(Y<if=NgpW0N3=H+*
zL1X|63*+*bOlxz_*8+cB8w+Hst%(Pa@LM>o$?|)MmC3q=z}58&c^h!-_Xe?zFa4R2
zfXBA`z>;c=GAQ2XHP)AU(~FI5w~0I9@3Z5<Jw=yC_mtgeFZKa<&!H+N5Y=2B3TquO
zmV8y2;Y4nFcX)VM7;_Dl^$4v(t$LLN=e#^fHI1#jD{ZLnKGe*L+Mzr8fVW>wiG~o2
zvL4NvmtELPK_aP@fy3!P_}lQA!w(7tem?(Ua{9_=hAe=ME{(jS|3lE3q?mZvd36pe
z`NK^EphMZ(<VtB7%0nN3{%5XsG4`<lqVO00B$1&dUXD8)M}sMj-({FnK_?@%C?h=+
zBpVw>Pd*$$C47cV3ohz2Mvpa4lbHkwabi8V%W4UA<+8D7Blc_qq=}6zKq5zbz`<~&
zkZ@FHMVo(9w<VeGL9xP#1Bm?xW<AwRgfdCfXho`HcaTEX?&qTXOx2d-di02{Xhi?!
zDsAjhEHw|m-P>7D+@RjE>Gk>GN@rL9k$T@nsB&ZRy)u_M+W`EWk{FUw{+2%+q*aZz
z6V#q}TzAk+()J)JTS&0<#y$Dmw-*wdOTuv`U~E?dVnjXgjZ0GS3!5&@2}ef<CKEKL
zhdPH(LQF+RTuN0Jj9T9qEE!6*8FBDq4m!}4N+zhbCzTM?&3X;bN;lE@d<@EdpUCRE
zx_<7SYMWxej^Ph25)sZAJ)u|g>NqS>N&hYao?mKmtjtKAHpNpUZ)W`9vWk^RA@Tdn
zr-bcVvskH|eFZvw^q(ZV_YLO?XO%nvFq0GP3F;p4&@;C6^HOWMT!%WfX8lDGHz|6C
zoI?LZRK$M7!T>k9f_~-8p<A27rjP}(+_O)HR6{OS`Q%7|)x2pITvI%@?`hc?Sw|PY
zk)aE*FIX*<fg_sXm*i&2A6DlKPosNCt{lD&?3D~=St_J`6gTH5zqr!Dg2y9-2Yf!~
z9o_Y<B^WqbqQ|n;MNe)DJd6x%!s8WBu@1DrWdtUKU-C2zr$63tJ^Qe9Fg5wE0?(Gc
zd*2wn-w1zvfEJ6;1I)-qbT4wfwoP(u3b$D7xn*mmNNyDs8Vb+7HV%fJ_ZkbBOOp~-
zW=x8O6Lq7^;{Npc+@EU>wn0MqY)3p$YKokvBeg~tjCI*tqQ>r%=`)x@@6y%}TLgqX
z&8E&9Qm>(hQ>0lRj*ZO@Cz+kVA;pX0d0hx>U8#eid02f2A$Sl2qU;pB;P`yx?t;~Q
z`TT5V2U9Mpr4MJ@#gg(6M(?XLYc;dG1t$FkeYAgmz2Zvva}44){ON6IsgCzHBOz<a
zigy?-BY#QC*ZgsRcrL&acD<4R3c*n6tdD7>PFr-w{WItEp(EC4A4-^_4!^?LEGT>o
zX;?75^Q{(WR+Yb88g(vpA&-tEk+fU#f~r8~SNTyFu5XkwA?@;g$uhGs!c*^`LvsA?
zUpup$Zex!=&vH%C`cuQ?RJ49ODILw%%X&<KFo;txjb+NGLCCzjT`j&_cxxOgdT(KY
zxp?s>plZ;!>kt%jJnWT?KtNpC_Me@$9>TW2{TgS_O)dTn^C%8hLGWsD8ht>2R_IGr
z9Fniy^e2h-(g@_i43a>(P;Xv1%dzN62$}UZcyf;`f49B*lcnv|pDtZYQ-Q%yB-NA5
z;(=wA{6Aahaja$Aq7OPH%s)`v_5)#mB>J|HV|Jnb5NPOm?RbHNa!?MIq-R`Ff)9$<
z2%^uHlwSV~Tn4?qf9;Y9HWG0b2bOWlzPVHkY|glylUn}rU)L)TV)w|_o^PaNHGg*s
z1idj*G->dIk&1|!x50I6So7K|yQ{1$+3N0=p^TZookwz+aT3(m(bN9JRB!L{NL+1_
zYt%$Jt4^_!mzCpJ(QnQgU^<0?!eOj6@!6u#uYalCxfXJI%K(o-#a*pI6>jvaYl*gG
zzPLCN9o1&nhvn`pIAil<roeF`vyvqimfQdKT^Q3t`&o*^VPL;FIBhIKbI)o2S~^l;
zrd^gWTu^3$^&WDNZ?dTJc`LI;Cc&EKS#}x%rjqO^s$A{WJcxAe$5$^~VLR=c^as3l
zaE3M^_=WyZp=^PN`KhSf9sb(FVZfffa=9Y#FJ;{?)W&FfsrAke-d!ldp>dgjH2pmL
z%*P*xGWIG=tF!u=rS}Rg@)}cGZ)_)sU4wZ+{G!5TCz_hKUo!0V^Ry+=w;8H!$#xIj
zRO)7!nRsL8dvfn4(GP}*P;&9c2$XEF#Iep!+Fb86YC0w-rq(&y-i`r7y3#wizI{<l
zQDN#P<GvOPP{aVXntD$qGljs5nAc?v_<cgpzB8bD-MXX`Wn2|~&Xt1y=Z&Asv3F3P
z$V0tke&0;V$T0JS$<ZI1WDqpNl{%}m$^t&Ec#l}|8w8O6n#+?fG+TuupL|1t8&meY
z(uZwH2LhHlzAK==9t;Qk3l9gp20IrldG3k$_GOgNn~4YAFMx!8e-?x`yb(GP`dpcP
zv5{f^$3}*j0`Omg&>`OdH4G;sptc9X6_6;B#aoYJy`0}_{5M@Ntj^DALC}}oH3-w#
zF+odD#!io^fUwMHgr5g}TJFMDHP|Yt*^hKV*O@qIh3uC7sRTwZGx(=Fb3OhVHs`5-
z%d-_uo-@pf6t}?KJbHdu(iK+Wysj<|Q{Te=Q8upLl+y_LB>X$hqwFh0gtX+p5_^3W
zN+x01Tn4F;<rJrF)v(-e%rF|hQcIKk3HjN?b%Uccd|A-tqS28g<=csCi0sUyPe|St
z6j_KLvM){9T^D&QtBj<UIs;d8mGvbsmXthQ8j+8t-5?$cb*J=e4K;ixc5HN$9&Dnu
z6rl!9*u!cUsaA+^E0QE&MLWg-zIoY(Ke~|Qa9>?o1TZjc?l*Dkq?4kpA<dIK<7>xG
z|5ej9m8@d2jOu<;75?QBPQAkMvt?tJ0s6}zRQGK+FkX4%9kt)!c0(MAnWBOYqmw}X
z%s*{&6JyTo%{4k4JViCOTnm;vFJUqy#2UT2njb&OAMDsGlY8lUzzR`?yD{z`+9zVF
zQ6Sy8YnX#dTiMx+4#$EN*A)A4iK&abW`6!&4T>9E4Fu-2km8x4jX(Zh{$1R47i{vr
z&7Z-opDPT@yJIt9*>9&XyVVoRwqZAviLjR~Z%h`GOXM${D#Cb6-X9A!FYl^h(FoE0
zHcZF7j)-EOimC#p5#QQ$lwq1llOq?rtVA?(dHc*qwF?5DLj#|VubRg#zW)~>fTaoI
z&IVCHPJlYvb4fwRcOYaT&}?5ih|(jy<qOaBjp2V@=$?O{3O9ghz>hb8nXt^~bl%r`
zDuB(Y7^EyBFQ58F`X+bmy%+pfGR?L8Nm%<iE3)t`*$!6iu_|t!;7R2+KewD`v<arf
zZm*)RC_Me!rl;Qf_LK!`gVnXI0|TSbnbZVsso7OiKo;lmmCwqZ=av-R!QE4LXm4|k
zx6qk$E6NRRR@sOg{e+TZF4pvJkyOElhw@@hv$t0{D<wl7eE1^83bgWXxsVE9v~Jj@
zbcsXIL@V-bp}AOuv>dZIU6q_~q_gdL_LbQ-!u5k;7@VO=Y|4>YOtaXnnuD19w`JI2
zYJ&J5m1D;~VPuMuJK-?Hv|_l>?KI#K!e<nXUEi~VgQm`7ie*iE2{?Y$>c={Ckuy2~
zS3Q?7=8QtobD>|9A7y?QLAfEMC%}4++s5SBkN798Y<AG;i!7rL$sT`&K!;Pr+s*EV
z$#3blJBPUGU61v74U`0GD!YMB&FGA%_lELp?6L4DS>2+%slLyF2nS`2PD-wj3Klcf
z%D#Jn6f4qe0dh*n^-YR)IzS!ca!9V!nzw${{=8-leVaJ|339gf7C=$QnOYnMXQ5pI
zzYmZE=v9kiwsAC{cl5TC_gvS8eY5KXuh=3a@|IPJ5LPPPg;V;ii&m4x5RCD&j7W>y
zm9(MJj*eQ_xGcp~zI%M}YQoQ+9DGx0@<KM_Gp$X(Q~58F$ghu!8&;s{%3o^phh&na
zm_Az$4g7SSyXa3*tRXqbWIA;_4pkOmf*sIz5a272IqL}!{sRcmz;ZnR;e8r_gFS%q
zLRmqCmS%pg|0_!Wv&Y9j3;yi}{rL{;ssB%h|E0hQdUMT#)@Ru*z1G2Wng18f4E8SA
z3*rYsoPd%c=wAgTfJoqw4}|ntr-JAFCLLc0x*gR2CHh2Wf!ujOKe<32Zo(3u(?$PL
z;{W^FqZ-xz|5Go!K?>(RhPj`B|Nm6}S6ThT3e@O>8EE@|wO=!TE$FoK4mt~r`N$Ck
zfsU8|@8EH(398rs6;?eEuip@;?i2L<F8B=;i>VC$@P6lCp4=r0q*5PtFRwUSwOgA<
z(9a>j&2SC)48~RRK5z&!@9dI&#R(>^7%uk%o3wIi*?8l0OiY8Yx@Nw+bcAPq!6Mc(
zQ$FBWr~q1C8B<Dp+=ZIUwCGY!)FL%@N(tWtpzB`Sb0iBOaT0sq{$d6?J-d3D;&gzK
zl-$WPJy60kH{`{<+1^ES7!NL_`^l|qyUfNKF?35O{x&O&@)Q}{8BoCg!GZ5z#r<2H
zyCxi^x|wuF`o-8KV($LClM?aii8Lcx{8QydEQJjR3WO9`I|U*x5|z!#-XwVh9h!Lp
z_w+5sU1o!JhypuLj>cFNr<gIC3_n8*13LSGscbVohTGFBOxPaIE}MyY_p5^zhE~9^
zs10mH@Q2nS^{2muXVcG~8;bndWo!ma`j`c>$D>PhTD_G8_4&~}#1a+?Qk#P^jm~*5
zi@=!z1OZM+Z?gq)8`S1sjy15dzmtnH`w2N;Fs7p{YVPAJe*tGjLl#`meArSj0q?5?
z7G@rMXlmOT&YRNt7f;N1_XjKOi_qDGvEOQPI-_A0cj$5Ai)8?TWkU>T)HV*bQKkAx
zLdiYqk`;HHD8%c>e@JetE>>yp4szU29L|lbJqfrOtd~2DXW${~&Uzq9=2sM@t&7|r
z5M8*ke1V(@7J$iUBLRvCYG(5p=iWF{>>JQ;&{yG{RslhM{~GTh@LvT}K~P74{4ezz
z=t;oQ&46NcZ$3e<#{jTn(2R)t1>bc4SV4RjZdA8+**iDNbt_u^7e}%xxVYahMv%lL
z!On>jeZbiJh0BCGqpwL5eSFW=SbScetS21SKlD#w81SPysb=gh4NIc?&63<O`@Z9&
zaAN`Ouq26CoA?o%()Nk28Kv5BRC@`Hfm3`d<$CSehLW3!*!*E@yU-tS$pn98^3Jot
zLdtUlw4}}t7!wNK4xg0imA<bN5N9Ot{Wgp()g%!dfdpef_Fgc9cY7I1pFkHKcCpx!
zV?So7>;WGWAaz(dO2QJ1?Sq?A=n*~p4Oo6$(k<TflK1t<EuNg~;&N@hp^^`^25HnC
zv+b2iy)?0TfVgmFcam+$b>g~rg!e1h=tOFAL+CL>Qj1tx1a%8wsDMbyh_yv*wTc`)
zFi3Oal|d1)aA)UD>)I!hu#-NPeQ(94y;=4Jove=q4$NT}zJ%k4dl|9$DD%im*FNgg
z+h}`ZvgvYanKzB?`JAq}mnqpz&2)%5;^n=C@9R`3F>o?fuMo|~O(e0vWb?WhiJRCG
zKY@AG)pvcG2kc-fSik<57nC^~9a_71m#(Mjmm@s+bZtzHO^B00UB)|kMCaO9ggj$e
z-jRx=cTC+zsbP9;7UyxQByPuC#+c0#UBI|MDGAricZ^sWn2QxJ-X{?okquGbzHx=<
zfAmcUdhU`G_iq@>459r4{rCid0drnXzf89`APvm_6-`2Tup?0Jmuv)yk@emGui*HB
zmQPuynm}JDg_%Ca3c%+OCe`W`9wanw{@i$Ijs!mj!0PfY>2p!8@)P;WvL{F*3E_h9
zN6U7vkvZ^9g&Knk{ux|ydAa8{xBCO9GD>vhS{9H*V9w$_r!uKq*NuT}q{q6ToUBJ0
z%Br6g*TWnaK4ypI2*a{=fyQy_btRKrKaAmj9cS0vpI_4N2swI)^A$zZZdFARoe3yX
z?g<te%6hkOiS53h^dyEsI``dF%cEQm72Ki4B=S@+U$$>_K&1zm{2*VtiN;v<EzfnR
zX~ZL<x9JPWM3q&0<WOvWJYAZ6yug8p5VPukYc7l^>n+vjrQ#ZD5K={B)w>mv7XA^>
zW{)NcSi2&L6e20`i(X)IvS08!Hv4$w^>kdGn+k~q(CRwie*OP?B1RVbswq)6-Z8mM
zxz0I>me6DO)CA5SnrK&F3p)J`F@FEd7m^M^S*#;vGUfHKQGKN8XK)))y}IFRQEquk
zz&^yx!s6YRcw2kTZQ7m%l@oq69f@grnQ4%VVxO|KnkMfnktiRVTb(f-4QR`@i>&36
z{8**r>7ygu2{{efF*u&A(8e%SFcXcLg(?vowD`i~?Oz@7Ypx(>Z&_>KddBd!jgs)r
zpO>idQfk>xb_5%Zvu`E{S|*}0^vz1Ah6R&4AVK1Wso}eqB?O-9db_RD$KHuoe)ey9
zd8*)p0C>yrKegy-d8w=2E?pa{yQuFYMpCHipF71(&1y!fp<AkxWlZ%@iAjB8^T&ao
zZ%<gh+52Z%+sC&^od(C9Q^)t--CNhoLW=~|mW-G%4PbACGa$+~(CajikqNZF4MF%R
z81sqsb-B3dHvoe88Bl%y$3hVLfZ7AW9034NJ-@&1tssV%8&KU9=r<7Xvg_~x3f};K
z1Aqjb`yN5V)gXv&zz5L*{$R679*rg@r+2Q-1WOHzibG0TcNIIWZ$OH_$TR8SK1>Xo
zwSL>0GdJtj!~38aG6T4BzcsmBZ5^?6bHs$!LORz5G6Pjnx90%QXXhbBYE!97D4O%m
zsiNyu22ma+P2S=%<^;p~K`Ey?pQ2-vhd1jk4d4isw9lcM;sjTn<Rk^&&H`?&R7oNx
zArY~t^^_F^GkGCJF2#T=<}#b3hFrnXlW!5s(B#T5mh`W56+X)i9?$uV>B@T6X3ECs
z5N+9%g8^*=q<Z%{Jh@XKjyA;j&P%K#*vByZaMIb92I7-ZY^EpA*qYBiDS;^F2G+@l
zMRq*2Uz#1Q)L-}90n01Im{%oR*QD8`0AZXp&7*07<Ua^ai89Ft6KbWsBD{k^ayc^A
zl;iallBnB@?$!al=I5kJ&H9Ok3Xf-T_iz%6P3eukYETw;P|2Lxf~u}X9rC?(e}QX(
z>-t^l%url|*v(*rw;AL^6NiR*@0?2|$7&vNBcezsCW!RjE2(p7zc=kNVd6$wI6K_Q
zCh50FanPBDP}Y8S@k|gjosr12k~C2E^!qoji%Fr|w(wGGZ1@eAWWj5B(r0)YiR)!e
zFo-_sweGwl+MWs+i23);BT$>T?Ux5NH>k4bTRU8%pJU|aP)96SNy5*l)|q)_4dV&K
zl3i%2KL`4JW!U`w6qEu|K9zuUuxCIZy8kru@D)aYCit-kqS|o2w$cG}gw4A7WULdk
zz>@$)etRQi%%b%CaGXT=Gl^ENe(9Z>dhv$hcUcsA*eavooRW=jJ8ZiFv1~vXEPY|}
z3&B8)5b^RK&YbNI^x8O|;ESXf`}C`yJ*Kwa(OSXZ#Z>%d7O!o`B<I*Nl4c~`74jX|
z+2bWQ16<~?8tv%U##tN0`Jd}od}%U0#G#XW%2ep*KtANRm@e1!ef~r*QdTT^3EJjN
zGZ@UhMR6!W3kmS4k(v3;%Xa+WB7uYXP1LYEzWv*JMz+<cKa+<QtM~^yAy~jZ5uWE7
zON1Yd3b5zp9`(Jc7gqD@d7BQyr+1$GhVg-WH_E(oJjAV;o5rTyI<rH+ux(@R0?wc+
zw0ddD+eNSE>;#AOwnv%sQ(SNsg@s?H^vGRQtT)?#m1en0-CGLX?)2AW)%1j0nbv3d
zwjLGeql4!}T7%s8!v~N7rRMFWwUVb0do0P-p%_HAh_k`URVFzuQ}N;L+y^!$)k7Rp
zSFE8(*MD>wD74?hk`fM&hQQxN;_1~S<Z!9%CBL#{`RyG}JA@(z7p4NWZU-fTSn&@l
zO#3js&<t#sGuqk$Ntgm92u0N3aZZx3J>MU-ZN~O0Mc8Gtr~2STSrduFG+U$-ebFOC
zpG&JPG3`!NGZWq{BW+p^%9jt)P~g4&1p`B4@iAT<<v;U+muXgB7DFYk`rjChRUtDY
zcb;Gn%h9Sq@7I(cJphm~st`!fUsF5p-$p?Z)qBjXP&)z(-B75<Fv8(Zsa3KK++%Qp
zZP5>BBc0A(@{aF!H*UqV^^+k=&Y}<!J}E&dHJQQO$Xl*{>YVL-S_B3P3^Ka;BYZ}j
z&}YlSEcUM9T_&=uL<$+pbXs4j9b}6Hew!pc)T<N?mct02>owX?7(e?RLoM4<&f+1>
zp67kMKUeD#Jx-NP1x%;&sS^&4ILUB|b^7+>@vnb8<Bf37*@)}#XrnXx)7Z7DelEHG
zIm2$UJmfWi_5XQ;7@SMs?)Tk^gVk7kb=Bs0@uwOm|CyrQGy}+z{;vx?`tFB45?FXS
zavf&YFR0Rh6qAgCCQIfkG0rf?MK=0vRt<M#!f@!K3ue1n<WaIhjf5u~LJsSX4ZIIc
zI3DiXu+9q94@@%!u^iNZ5q85U11R1)iy?LSnXvQ}#~!JkmJ`>4E-}pr&__GOMstWM
zd|*MD29Z`d!UTh9V2|9j!+5t%gWC9}s7<IOsUo!*poMM&nmxiU%!Wa}@YibwyA(aN
zBPPf1=ZR%WZFDjvk`^5A(332W9#&ftpeLh->6CLBc_Tvm;5*z13V^~DF#cUbGj)aY
z&5W4%wftNslgT62$eQ)fLu?q#Ts9xU5Qbm(T9eFJ){oo>Bx>+<u3rqj;SiBzE5o7A
zBYLtSO?bxl2p19#8J<*eU%8wAYd>#-y+WYt9yoyyK;;Kv80f3}d=lz-Jl*^c>?8jI
zRCt;GIXnjv0ut(TDJp{xKCU;qCheW+VbLzK2l-+u)pqbX=*l@y(W#qgt>KLxUvUIt
zaiC@-tYkX0ytt<f#^zlLor9bGp{8vVH}Vyp7vMPQ|F@Z-$N=4sR_@H5^^HaU+TJc9
z`NL8VhypyQu+V#Us6&g@4)<X}Q065YZ&9uG(t<y6yl?`4<$uItWc-V@Kn?f0xC^91
zA$Bos@QKMcv&1sOAUXzK=oFjSzst3mIwue9-QTN347OD@X$86b;i<`Zn8q`7#hZ?~
zFUzTlv0%@Ps?ImIEr-*OtY_PO1{pE+i7m>f872-+4O@Da#l@4F_F9(p^*G-1E(9HL
z{E$4d58V_9v@}{^s?oMwzJ0$^5gc0!3;A}=*|KAN{W!l}gfKyqSvnC*s@c1fvGJC5
z&}~*q**=^&o2kFF*^Vas>u;&4wMbdw+fJeZZrhE|M2jL$^iRwA`kR*_Pxqw9!*g-=
zkg9uIhO2W9v4X1{+$eg0-4Sp5!XLh+V)SQJhK3Wu?)gUCIu>-$$1g(-ka_E2=$yk3
z^aVX$_rG}U8!gAdc3cFfF5|3Pe(U&66-c?-jdYZnWhhu`jx?~-+H@UzBnM8#@+VDz
z*$>tVRWS$Q$eCqgY5RiQPN-I1=-{^yhINw!3wv36-RQl<#4^%di)o>V{r4JK;VOEz
zhE1$@_(j0n_y5f|o*>e<?N0@vFGKClAPCg)`E@_ri|ly=91urN{r^qqLm~XD37rFx
zzQFcyUyiVi%O-!-ZOw5LH`C-=+UcczitbT+bHe)0KM21{e8_w9Ux7;znfiqpK|&c!
z>C@*P=Z2*Rb`$D`bIs9ggDX=M45ab%mqtN23J3AEYF-sM2;ldU!p_>tjUFTj4368g
zjYo0v3qT7k>{A(z#yPKMO3q|3w6Fzlb1G8;SuN-MUSoz+Be)8uAGq6rc^|EVysJYk
zhXs5v=6s9^UH-^_6A8`583DNTTbvWQ|8P+#UX1@9pru!vPJ^$`t?SBHR{mw&t*z6R
zb%}qQWIp;%SZGjyr<7XsyM9qK#>9@=nE15omp1DB;K{5F_^58-{rU7^3WPMfmT_iV
z=WejDmW|{b&tYRVi!IbrrH~QnQ-&NWMKQzKNGMFXtmoCJw%KCz453NeS<Ce?wl>@r
zLKs#0O?onI@_Z{xPXntF@1z@OX$9?(c=FkFS2M35^_Q13seXI97LAV*SlhEc1iI?1
zbIobSdLV);KM5TSrqoC6J9ryURhwXDJ(jAH@!J|uxQYc8H~TNA5#j6GIm=N`N(w|%
zgSHiQiF_oPsf-Vb5C&o3;JYGQ^y_Be?Sk$#nG&xRLP+v{ctpG(nZ-lZ+6XW>3thF$
zn{!j6h<A?NX!O!g4IP>PDS72zQIviMu#HMh={D8ay5>@{vHgS<P@FNjS;Awe)>j_&
zf6CzkT`GV|zNVM=>;G7F$Dan+Y5&p0&Hzv%<9GiDzuOZ;1}W5jqTK;N04HXm&o7aE
zQSu_bYS0&h5f>z-!MQL0e^|Rm!Go{r)czmB<5nc2xM?v7tpYe4i*u^^Ktn9LdKa{v
z3Q<$~nfA|$XG-;YG}MJ`tJT`VW+T4SjNUJ3=NOAB)(O5Y&6G?$=_6+T4>|c?#o;0#
zr&nkY1?&;7JGOG7^rzI?5Xx4;H~U|k)SFpwh_hIS6e^`fBt=0lfcepfG>1L{S>yc^
zRPWR3m+7|#a`(tmZi5zYYt1GRt$W-&n>;Or<*%83DIexo(cO7+$Th=oTwmQ?eUif<
zO$w+!CC})!hI64CG2YvX6_(leC@tcDOJ{^6v5_+IG;bbGQ1(;gE4s>`pSJZ6b1yIO
zoiwiS+6jFlr8nSXi4NZ5$l{(3QfNcD_Iq@GT63q!MMnr86`M-<dx^*La`Ioc^1(@D
zmG;F}$+eoe12NK?sdV6<^2q|rXG{2JM{cgg1~xQwc_ahQR<Qg%x_nOjuUC<c2k=Hr
zTHic=d-YE{3F%qZMvzTGi?BI8DyJ~1d;MrWWM%IXGe4su7@1_Ve5x*skFIO|x#>B+
zSVsiML<2)=QznSNAFRmbxUd>MM_^QpYIGTnwO>EwW8Wx(_WS;x(ta;n^?AR}h<=f<
zNRfXE0d5w===7G&q3?`l6G5QBt_!2k<zblIW$c;El}6y2Uvdu95y$U+40!CKnVO)A
zp(GhR>|Dh7bXW=4BQ!g?1Z@XQAmc`V!q>R_b@}1~$vyPkZ+`=VrUS7+gc4tDM#BFF
zWFPN|fd4@l9sAxuFYkf@AB2pG!u2W4P8R-t5VUd$ZZ5>BbUqS&JT~dr7!RV75QP<Q
zXPw6jCJnZQ(=xTZ?y7Cu$L%Q>HeiHAh}4O;^Oox(sx#A*$(AY3>`9-l&`Ghsv9geQ
z<u#seUFWoQ{8bpErHF>C3)Pa)I~Ez#el^bP@tqNH2-W2iM3Qlaj9w7n_c>y86+&-M
zNR<aZ4UENQqBk*>3f#pfwuRJ%n=I?iXsb1k8h6C`%BPcS|9D%{$%(nd{aRer<MMY{
z7+xU+7jO*`_j;4gl6pqnQq(`mAR1(|&T4^`NW~v$K?E{g{Q@x%T`%Lv9&2Ybcx9Z`
z5XyaSAx!R<h=BRmZ?1wL&4(Kjc$xxK?S4s}$zA>C=^UE5=BV5y>(96`+;)u;Lt#t#
z-AIUnS(`Y#abcZV=eB^r)h@Apg)=9T?Vm!4R;dd^9P3t`-E%Ngj3e3*>9u41{N|LL
zTOQf001>aYkbnGKeU#pT@|?9v&35dIbr1$;Uqf&wkbmhSyXF|XU16?v9aX%#&nJtq
zRIN$ZRHQKJIiPd<hy0&`0QhEG=OWfW5%ZS|+nq!YmWhsC7AF6#8*Bq_7b!1`jqBwf
z^%{FcaVBbOm<na^JL+XqB!ymmIl>$RtS6et4ZSijS-Ta}B9bTtWj{h_lDB|HepUYC
zT4f5md=zR-ax~d*b6=COpg)MQ7KFuUN&ePbAE>u~WP4gCsj!r>st^l(Qf(o97ll)<
z7+&QOce#iJHKdJ{5uz#De2-u-0b4H%nCe<=-#kJwtKU5lz`z&E(^E!yn-M!ieKJ8F
z$j#v1zR6!gjPPq2Z6N2IvHbnl#KiM{;(dopX8F4ky>V}&_bjVKmPmEOo`EawGqfC$
z5l;@K--8QryL7vy0nC$?1LKN`OH)xmRt7biIsJR50LSr)<nmCH*wyz*pQV6(;DuJA
zcJU4vSI(#(YH0XO6b-mds@$5N7mWjj9AkjOW=&zy89SB6bG^%l(exz0YMc{WrYxLE
z1r0)GuvNyX%*6Qu&QGP;<REsHE#C~PSXB%s2lE&f`2Ky0Nt8lRQ48vN6O&I}46a9>
z(GTj%nqt%8?I!wg2QRqty*u8oC|fO$U#s>;Syu$3c}CxgY`&p{Tp=Tqi4{VIB*Z1e
z+sBEMk&&5wBR3Zk!&b~72Def)CQD8snD&}}g{&?*{^-4i<D1rg?poe@cB^u`)ch4&
z#zCpyA(0^9$|+ImE<}%%lFaoIOC;Tb?)yuj4{%0QPiplu=WKUcOr+cIo4sCCMi&Xa
zK>lbQ1Ra8wR`yU1<G~M{(@JUmsM*vaG@B7ohZCfjbCooKR#o^`r;*OoKlL#?WF2nY
zi!DXth;C)&RJ(M!YNBSLahO_Z;2DW4u|z~iJllxz37@o_&VP;`TO%Ry<O_1m&ee*#
z8_jhe_fp^q559drl#IsX5;rWkz8qVo1|myP)p*qAJj+=jz)>K~<0Qm6I(Xjww{e6<
z<F^O`0fhGmnmxJk`Pqw;)MA703+XkWZ<B&;Mi+x=%Q>fLd{j&6o@qK52i#tD>e4P{
zIyb-7UTM2LT|z6+v@xcgPS1CWN3so4<h&u6S09`V0-#{4Glsh`>Nz*d>=K)u3lE)W
z{#rhGlH$XgUmXWryybm^e40+t;f^bPgJM~uYru=Pps7~ia6_M0=F{j$8o~mi(xHu%
zj%<u62wKR`W;xVJ2$sHCpHwVXE0=>|VM3(4w;svNK}elmRgv^DwRk1CSX{Br8Xe*p
zvth2zthG28(CPe5<-$OwkCD;0CT4S8Ne$Z{tN<g-!8S11#wqYaN_D)y?5@D5;MCJ?
z8)m>s55=zy&vC{zk9|absr;B7R%LfMR-d`p9S)k`3`mUMs(Obl!;~KUWp?|w3(;jt
zu+@b+S(RqO>>%qdY~B>6IuQclAAtuk*@hj0#i3oOfGuIa2<OD_m>gW50WD0|np5y^
z{JYFh_(<*CL1P9zs&HUaQ$t0Z=FFD3&NrSs_H!lMR}(yfJv+AZ?JM+?RTR4+BIC8a
z!L?YFo@agXJam1Rj2Cpkv{dfA<~Z{+gYM>52+Rgv<|tzzhA?%^&X|w{zM3>>wa+c^
zeUqbFg%>vTn$<n!a#@AN+;lTFvmz3JXho)yNi*QUd)a!arGR7GVFU<AH7d`<(>edV
zc?Uf|gLD@`1_3UnJ7OL_-2n|(Xxk=`36~}5x(Xat7CY64Ls{|cojJj+qv@7Uu}_ov
z)Oogbgu@fcAIl?r6z<|${yT1LP3U}9o^RCWlU20=tF8a;RKSwnDE^ogqs~9;Z@Q}z
z)AEj;O)dXw%}(kchiNe-3WWaYsM}>!IXcGtFO#4Jdp6PMT->k;veMKwrN&yEtsii_
zYFf<+XGbImjAwO548d^5OQMIRSJmErW!mFi8_B4dP(oUiQF5ys0Xu?6fx|l|7cGu?
z{u}*AI63@olFX6%<(iw|v?-iwfXOx0rX04}S{0a-Lk4R~NF{HnxG{*hh_veSB>6sb
zrN)p|pC7>MIO>B?F;Qs)L2%vbkeYz#2PV|ey=G6olJEpJt_COD?BQZeMRaN05-!Z;
zMn=X{freZ)C~Ne@6(hDpT_Eza?Ul!&A<#=u27ik4r!;u@hHq;w8NRBKM-1mN^5Y@$
zNXY_a+&~8>8-yh9(TH@x%&7CL;j$5JPk{83fll||J+(tW3bHkX3Wm2qHS`^ThPPeT
z1h?e_uhcS&ZMsS5pI+hmzVw~8iGTJIi?y+ztN|2L)ZWn&+!7f*rjx=d11fH6!^QA^
zSY^d*jfS=Q@|nvc39>!yVY5PZA{0nPcfaSLd^$#HKmr%S4cV))r{)G=Sq@^eN^_N5
zf=bIdPasg6NzWljZxRH6@V6E&)pg&MNVmQhsNLrJ*&(ypYRy?!W?N6!U2_TE3!~bt
zgUR??T!v1%Ub(DIe_V$*Ha?Cgs7hv$CRsF)cY3Wqki(`w>MX;k!GT|7XxdOLn8Qls
zjo}@*%c{5U19kD~Iz|@-F<H+1x}C&t$9NqBpKBOqT$Q_+xMqAZdqV%Jwt?N8#2EeR
zu4+kwk4v72JQou1Tz@!O%5##H6e<zhA2->yMs^YaHLu03R&(Er%w&`Q=8~9=6C4Ab
z)U)(yHDpgCV_H7GT2zM>I8MdF9gVbPaUwg~DcH>a`R_HHP_!(;+1*#F23yFzA=O~0
zZ+V5Iej6VFaRTenw*$_zQ@7G1@g(nQ)8sg7pOrd__sasU4*5dB2sO2pO03|{mIb32
z=jb2k&5M@EO~$40MaA8<{IeoNV-e9e+@Ci1j{C`w@bj91vB7eq!wW0md-lg6o9rdE
z-9_8g^hFg?S>?wZQ5!MZ@j~=~X=Z#}panleRlF#6#i3lMck@yd#&NMa5R0H*i1RzA
zov`zpkD?uWTCx_HB;UgWJ-Z0PQ}CSnngf1x-f2(z@1wW7KLbZi*QOn1ScF>*DUo>n
zFJ}aO%V6!zoEV&lw<FQb0}kLC1x(%6_O#ooQ}K)g8qkw4DYhcdUyE0;50b2?^HcKb
zKhP-1wjz79dc3}L@CpDZf`AsFpozuLSdhWz&?_hgL`nQ#>wpD4f@~2BH9waD&V!)e
zf|Z~k(Cg6k1W4l%<RKIdo!Hye{T-FP)Jq>$mHbz-1!*C5+d|zn+`o9njM%wWCx<Nj
zH-mwg?`lYf*vWGlA!FPCIu**ox^|$3z!y7!&8oJ|Y?9Vp<V<6FgY9#~J$lJ0C-pgN
z7xE^}cy`3bTzI3|@Uh4Vn6=sD#T7bDpVxrLK$vBpMZYz2>}B=Kw~i7*gxCXCZ!Ya$
zD@M-70@)igD3X9aX8B}!=wPRwfXvB8ZVDGJ<M^Rfo{$-bfjfKyF6k9k6rbE~`y1zW
z1X#vchJ{XCzSYfmah~o@D}Q^CXLbd?3*+9cR+twA73#9g5KAuVR7nP3@XexFb4$3`
zhiY)0PkXr?HGaqC4$M!+i;lj5IjZv;(xQE5x0SNZY3U~{Rw^_!wBfaX7WP86$=56?
zeZq?n%)HiJ;*<(=*YJ|cQr2(1n(;xjsDr%nYcVP$iVxF?^FK#rq)=?Ed{ONrDR-jM
zv@QlH+o;1aPHvagB&paOPHai>aAG}Fro}q!Igt5K;m3X14Y#;uk*c=*&Kx`1X7kHZ
zYazR{Xd@L&Aa0=GZXlj%a}w2_>)Ur`GM0j=eQ+hTJw{<6eynjcKfx#09w+UkdI;#K
zK87PP|D-T-*ARvc#mn-+=k)Z@QMsz1E9#nWNQZs6T2t@wk9pwowch^>;b7xqc3FNO
z?9Gt9=*_tTfi~*4=RnnGpqhX0MNSN!#<r>f^mDwFA5qaZ)$`CCd=~``(xb2xQ_V&h
zUe9vRz4o}FgBJ^MIN!_CT%Hg!C4|^qDN%Z0r>@}`r&V@QyO9NbkFj8QOzt;UO0rdb
zI|xsrAsLw!%FKj}Cm9IlY`CQaO@LbjAckt3<;2r)lAfp4b^El1wY*|w-=L{Pt8oDZ
zf<#uAn-I`V{nn+g^`riJqpCfj*Xd10(EH|nFV=0`>7H_FqDhtcJbxd;OdQwT^4X&j
z9!6Fza)<Tg?rfX26N~G($V}+zizou^bD;5IZjos%BY3FJyMCRytyryksfz?WWJ?l2
z=jSe@n!wtxs0R;zIz(04=UJ&*b=GE1|Gzz-{Io5(Vw^9fRBw`$vEUHHSniZh*HcT7
z$7yzV$p`^kg6Qc6-sC*`ndP^nF60q;S>zqs>NxQ91+^g{<j=S_^8Bbs-o-9qdxypw
z39tUNV5v|zs))bk7EHWxMi5R^jLd5b-*`x9jbLZvPo69aZ)#Anlz#gDX#?NN9E|eZ
zl4A<g7I(PkruQ`DK@9D%<TCl;f2lQ@zD=EtW>z3?4HND7(+3sOQ7`0<d8_KnGn^eK
zk&_x3AY1CryWti;TJ3h<bVN&XRT`JL#KVR#WHp&D{+f~OwT%;0p&k8KVgVm5i#=T8
zLHvdcwaFpB<<9XD=^W6L4tl<R>zM<6!g708|6^U}O?5c1cw3_@luRsP>{75Wyly-j
zAn|^iGWcFbe;lfrhP9ZPyEeWebmLR&){~TmR23j~ZEp6Be_5<ci3l+8lh5e5Sz(&O
zZzb0gf*Sg--Hw9YrA)wap$m-mu8iNZqB<Y6&zOO5%FYJK&F$bLTzHwMP5ES+w$gyf
zncnBjEV)rg@bPa0t`K8O;!m$W5m@{I#cCI=uTXa$qHUTFG&P^Czp2h`8O8dsO@qb`
zN*GHn{BkGVxwBZcuTvW8tx!6Gl{hwKLU1$Nk-yV1;ZXNt#C;}W8hO3MOJ()<I<6cL
zeE^m6uH`0gTSS(MDD!)Y)(Hp{zG%X4voTt>cE@{`ql{u;H4y+w89Mtx5i+h@me}Br
z;y(VKy7c45hh;9Jy+W`}(`aBkuTST|as)dSbIzXxyTXy&X)uW3iKOB|BEIeLSQ%ub
zo*t5Le7$}R)i$)9N(-{z-`&Q1+acHVZx;-3u2RCxnDi-CeB+2N`c`cGOR@{P2%71$
z?=8&`7&&BRjZ}sRbcrB0S530HzBNmr+SlZYu;8~}j7#dI&5!{jYdGVG-yTY_Wk<D&
zb;Q8e^q!$aa8bJV44Lcosqnf6*o>DuIGd<`Rs1^LqOm-r?7*+Ug4UcU;gwRD6!0HR
zYDA;N%9(j^Rh-*_i!rML(Z3-bgFgK~r@#71PaimCwF7*aY|Q7sRQtd?JQGQe-VI0h
zOr<a@-4zBDxHY-BL=i-$NY!+Em;i$KlIxO}We(H7u{{br6)o8A4*nXp!3xbP@k?)N
zY&{dp!4_)`ovt4|clWodN~I7jrpp1;-71kEl+VoNfhJ`h^!9Vkdu`uQE+1n@jVRRN
z5Alw0=yXUsES~p!<72DXHR;g<D{P3PN@gw907jRa$`zw8Y2O1Ag5|a;Ev|k@-E~nv
zAS!-asZDEn_-8gpk0S-555w&X&TRu3IaCcZ=5{Eg0sx&LhHl>Dav3x4xKLJSZ`5jx
zT<r0!n5{!Nx`Y`SxFV8omSid;O5_Hd{~&OUp)!;dbim|z2g$9U+`vzNjs5tyQUph8
zkB??Ap?u~T{lh;YA&rFkXhLPuDNSU8p`NYvJbn?$S4tN54QF{}kW?+^OfraT^BV2X
zdU|0g&K8q+M>rY-D%xb?KrHp2CNe_O5Yk7R78O)*y5&!P-|3dwo{JqCVp(aHamlPM
z!LB7OqrVylJDv%WQ4Pn}-?CEXv`a>A@gKHpE}uy>G>YhW-!Wwj1i)Zj;x%|cf%C{z
zvCAf49XIjD0nBR5Cc*}PFc$iRqKp3hxDx<X7vvDX*0rY-=SONCcOh+BVoFsfi`TRx
zZF~JBzopt9^ql?uJBv|3na4+2y;}D2OAA1Epg|W1gy>bf-=6-cV08LRf1L#1-Rm#u
z#eAbwzeNW6TjU}gr<>41UKm2>Mq9nvfMdaQk?<PnX<1fjyJ?W?{f+MJ4%D*<q8FXv
z%HR&MR`UW1(6}yEw@+|2Y21ileaaPOxD)&m31w8T?#TN0PnmV~2>wA~xiG_jaxyK+
z;n{ro;`T=A4)5VK;bGSUXX+gW98L1fh{oemIas#Z!g8hOe}t>hM@8r7qQt0)G@ys@
z-MYGFMoQ$#cc7kLUEX^YYetq|1MWSwyf5JMk!Ik+k^(*4|FKT7DFjjV%un~~I5>FQ
z<~3E>yytXOJxzZEu9!h1PS7r`{ZO8_0}cN7Sn&$!rz_0^QCQTWZj7ZUjjS$I*wG=3
zj9$pAE}W7OXAfRfsBZZER6YQLjJ!x@>G<|z>K=?>>idU@pu^5zmm}Th3HJLgb8Fw}
zitU--3ts81!*6ymg3`0w_-xGczCMKY>4sHiaB3kC=tMbgxv2}^e|+=!S(1bCW$$n|
zb)d70RO#BJRA6c$f@LXkoM^;{;UdC=*Obru2VOX8EC@7|+Hf9^L+lx60CW?M7I~6k
z1~I#694^YY&mKQr+l_miMfdvnk2A9WZa_4JRPt7rCQb`?F}}K77{&HBE{pFk+9I$+
zpJl3U#mB>wy{irNoT`cVt{9`4Q{tcGg^gG#l2L1(OJQ@pG=B!3@x46HmHyM-5&{ND
zwAGcmczoLQ%NFq~1BkrlnML;HB1r?q1QSoL8Gil_9YIYvxM_+azOAmr)#3h9hF&rw
zvHIo1Kp8{{2A=;QxEx5&-~IE~NyGXOag?Wj#ScMVCty+Dy`^o}w=TW=0z!Bcmx9kN
zk_{<6Q=OE_09e+KZCP6y+gjaA^7JEJKPI+)@3l<I78K~#uhpJb9`6x~5l`;Y5275>
zh#j#(N&)#?R4rIeXpM1GbgH}<Rn1K+KWxbPGGQTsZ$d)d%{g1;@%eeWefMGExr%d*
zPR^;f{{&gHWB!yCmb}qQ<0QIm%ln1*3+k7i@Q+~93|g%(l3YkXn-+#gY*EIv=}73l
z4_OjZ?8=hTitrZD?GoEoe03~+(c!gE%GCza`=Hp+-(4g1^h4YCwhni2S;^(HeOFhP
z11|(ofvogz=|wO_JqM;`h)V9tY6lz?B2g%-y|YMtOQwXI8XSjNdCepJ{{JG77M*lk
zC+lh_N>iUG3uecyyYn>6+6*(JY?P>`#X}D?c>GJAnmuBk4$_!5qPe6^8%A_8>xIq=
zBz{8V1=m!AJuAliLTo2RfqoG)Wye}d+bwc8PD8tRj1h0{y)+ywL2gYTo=CJc8@c^d
zsk(u-+Ve@-i{P^}{B4>ln;2)Kp_d~HEsDWzD_FJ6>OjjVSH1caSp~_M7AYx$Ju$CB
z7mdah!#Z1+CMZ1<dhSZ$%$WBa-Ba=H3a#~S;H`hU8Cu-gF(knBmoN*lQ|Au;=L|vw
zQGfgMUVh8B0gXyfN9QLLI|!uBbXjpVx>|%p;fhfs#fq14c~VS`;nnFTl4ra=Y%yTa
z;)`xdP$hw1tQYzC?|rMIzj228-W0r5Hz4tS>!+G(-ylD3Ez5mgM%`RhRf>h+1h1Kn
z)mMz{-7a0Exeb9H9oz-XQBzN`q#x=?CykxO?5UJZPkfQ1-zz)s_Ue(l&QNY>!_Ll6
zFxH!Q?`->%xPvFmE;01THdphYPNMnMZc??9kX=pqLTqraRcInFF{UK}oYLHhL0DX$
zr5i2om@!f-O+Ipvv0gh}7#_t3UdM+5?)bhN2<t8eGK)i{=V4sZ%VL&Z_wd3I@t}fJ
zhTkALCZzP2`q`ZoGd=M0w7U(gS}&ZCnOt(v+BoDbs%gTfkh`llPJIez3a4RcdpRTA
z7$&XMPhNs-ib2JW^t$7Rt<=_fDv%vs|6TJ#veuNAeUlhS_Jr-8c^>NF^V^Nj`(bZb
zEhsXOt{eIzvRv1Ip@*DUduKqGrs<n+tyUY3hA<OLuiUa4aW_a5JBsXYc~mWiO&+y>
zUfbTXtm{G-auK_Q+cr0q^S5QA-;4ri-rZOLqfNWXZ$0b+2cEP6f1dl7)1_0`6lo9|
zv3Bab*RR}Eb_#_g7iXrDnjOKQT$)I28xnhC4Q>{h<6(tvXf2kwOg!x^W`$y^;DWp!
zvvA_h2Nm{wCac4*^i33#KB0<0ZGCUo2Eb5gY0&+(GyZ4K*N<wT9)iz#5WETIpY29+
zD*JD$9}<Hg+DcH^$0i6&Xb=QQIllps@AV*`0YU7y1|P>f;B{O7&&dVA*FmDFHPG$<
zJ~;s-{JjQp<Nv?{$;<}taN5B{;O<0hgLIugp~^u3JzG`eXG5D6^!8}JfQ5dA!jN0H
z_>L-9MnOx+{R`{uc#ANFywn5m=v5OnOQb@`n`G7%>dkCdY&^P=P3CvgEu>uEDh#?)
z#x;5jVx0!HE?0PKVh2)e@`OHYncX{VvS55f7G9{M1j@H@syUW|+ohsS?<Ph{iTIA^
z#_@&7_A9(xAE$3*hFJcXS$Z^>&)K6^%{>~AE%`hhLD-BagQXX6g^>qsSlGyxN-F|y
zyq)8!xBhq>zo0u?ekEm8SQ~k6+e8Z?2gs|`(8^PAu4wH7|H!F~$|eT8o1PxDtawjY
z>HELN#ww^z_Z6u-UR6kjC~hBpQ-u9#E;`d>>*_nh<>{=?LH-8XvC6n#_=V|Eckiat
zw?W>_cc+nPbAnG0I*l?W+8nkm?+`sk;Q4YU%~utbViy=?V)Yc3xqR{OXz1#yqj2xT
zmW1ea5&Hm~-{icg%Vjt}{Uz#ff@b>s?|8jIctkI@UCN@jLO!$GgtS+II0UT%{|~BE
zA71t0d`7FJkE#InL7KX61MY1$fjopef1-8gfk)a<jFdNO&KTyN)i@j^#IIC8GSQ%h
zyE<o1XA(>(o-*@<4MtBwpovtMcGeRtqsz=o4y41HKn;8ul!atQdEEalI?44fZdC-4
z9z`bd(c(o*fOG!SH@ER*PgY8aq%nyf?iWq?s-LlApqkpxdyg-kTodSc`;g}YQ1(eE
z4Fd50mw(CJ-M;akzJAkogCakGLm)wr#3ZPLVUPS=V9EAf^Dz$zw@hVteVA}ULc}^w
zdCCpjj!o^iQqXr@86fFKqvGvb(4N)%;^8PW;rKys=bAB^iyYJ5qv|kkXk_@Ro9w&x
zy8q`XjMor{_NVcD>8SBB*qUMT6T&*0#;0EO@f&KDL!c{Kq&u8ONjwF;ow$uGwxSXL
z?0PTm1+^*<MH@ZJC}BOMfLs`?zss?FjJV}s(?^EVctA)Oj}U+$3R(ClSJ0bxyiiZM
z`sOIid!R2xr*?DHWnTGMG@*smF`}|NuklT(@P(x0XWG8}+rP44wP4^1?^}MPqz%fF
zrLsCS-p1LLF=u=ypHj^I>8&{04=cG=k@q3PSiQhE71!)XZO_cfn|`$wYDkiG!`{(l
zm6yTu2Q1}g)|zm_7a?htJU+gkgsL-8aou2%0ky-3s?gP{a3yfncJ4kZ{TuFo3*4AP
z;m(@Cex%oUBxhN6Z*dpmn%ZGB;H4x(*P_C@f8gJ+ll~>{H%hSSSsBk$8VlTb9hnAz
z%jCxWYGRE%h^{np@y`TUOB5p@=?>FhmdUDtEUp(0?~OIEKQ{XrMFgWQ1&X`NDZZ72
zN~CBM)xo~f#hQtY%$)K23pnyo|5&>3vkCKhXFF0E^`PYOJHH<p3;2aoBwRU`miJGD
zvy|eUQMXy{>i=Wv9pmeYx_0l_XlyiWY#WVj8;zQzF?Y;{jcqn=Y}<|5*mknBPVW18
z&ikIvYwoqbT)#QSnqywqpL<z`TaTteX7<_@$AbBO80Qqk0=$zg0PVQ(5otyaLR{M?
zv#L<Zm=YXtw?S=BlozUO38wD`kfPk#0zP@~5n-mi+v=2RK|On>Sld<>3Ob^KM-GLs
z`k2IvbOUdltgwaL&i$y!X`l71D5Xy;j}{(vrb3D2S}XdhK(Bd))6S}ZBwpvwyffU1
zVf}t6`GwAvOpHnbc+y>}npKO+-4$az({o>%y;kAV<K=tuLynvM<>zXemOM2ZJq^D!
z`W)@!Q}?1@w;kf~Hn<LrR_FqRz6m5}21KlsLBh=Pr<?19IZs)@@89H_V-PN%?2aY{
zNH;|(<EVp$q<GoHZSLN4-H9+Ah^@M-Yd$SX#)=ur8A{xHPt1wi5fTk5%W~r;+b&x(
zpoUs_8s3TIE(OvgK(xUry=<a|hT8;Tf{nn80gK8QFWA(iyot@j=E+&d=#!qjHaB6(
zXLo$zW0(25JIkF5N92w-RWr}r&9!A@Z}uuk_!&}Z1}1d2AYb>b^O3cE|AwZ|gsW`4
zW8XhXTx1=t|DA-6#&@umx&CIs<h)lvROp@D%(tB!b8!_!Bu<SMt_|};%haLkkG;hl
zIheM3cnLgcQDmO@RY;O+$bNgmuFdqF-2Zvd1^k^ymsW{Mvith*ThnsmjoHuEE-z;2
z78snyR^l6#^31C7ohu0af6)Ir1u$V2*q$o$ZcLzO22hFzq8V}k=jZ3{vRe?-x=^;-
z=S4YvxJW|V)K>hjcAcq73Fm_Y)!)F2Re#ZSL0^WyE{IG1n;1Rsy_-=)i+H;j{yqC>
zeug@WozSx;D-!)EW1ff){47#l_9J9X=Z3;t$L*7tX=b_gYd}KJJ23j!f2@Lle9;z*
zQYzBbsv?-euPWPq!QB;5ye3NAk1sn4V--eB=6^}hCrL3;5+_IT?-e~f?Y`MUYb*Tv
zK9w#acf@y#<#hSi7Do)J+|#qqE^=$mX+yxBG+k!t1Hy$xW4<kCR;peWn=B*$^29Kz
zd`D@YdpL%wr`PDjVE+?Z<J<-|@djfUmb~BQEJIO-7@Z(EP9n%_MSJomvh(zxOa0Q_
zL7@&mo{x-nj)r{mb;IBuVId~exzS5YipaTJBif&COb}rV>6EO8Z(Tvi4n##nLBdJu
zsOZ$v^SAI~u9OHv43Rg;f^LL%nu$Y)_?luCMeGhW94Xgq5d}WH6i^1i?alxUXO+%P
zifn13K-r;r(*8u*cuP}ORYijBBISKBJqfLVli_Yj%6W`ARB&5E5)<!S*3aPD5)rG-
zjC-WylSP0&FVdqIE8JL?FHK-D$(Htq;MdLtk{6`hl9*QuLC@x%iMIX7@(vBkh%-+3
zVC)8=H*`7!%X4(^?T4|E(R||$84Pt3@brY%Nr!DNcCn5-x_h@i<@h;H*$Y|4yGQaZ
z+4}=1ROP<=zg<i53sCm5b$?|HMptu=^_Wk|Yk^d`Cc^=0e!QOo@4%qSOE)O>qrEA9
z0et~~ECk(lpQ3(W#l+_6!FdE&IsrVl_ZoN>INI54@<KRzS%%!|%XW;&-|m9U8$;`s
zD`}y=RLoH_fgKpgKe6ZDdlJr@O7{M02>1;~BK-)^@I2NnL*77oD_dYS3q~?)oABT6
zS0}EM)l@o)kl=&31`KlD4-etyNF#X&>P7VpI%k?v+Fkh{$+H2At%m3DBW#&bxXJHK
zsOss!Vs>IWPSemM;yVX+(=8)9bBDqMPr;xMS5<~Q987Uy{@(?r&J$O$nZVJ1@F})8
zq1bFr=)!~Miy?9ba`}GZD!p^pNLvv)$(qi;;|)x9Sq{SCFL`ROz4L{=UjOoukE%ID
zYQ$!z66;gEw766@=efcATeOq=zec;%8Blj~A=e%*`qUP_@@g<IW|fAp<_tQe*I(@l
z+}3*VzS@3bS#9_c?LTO$xqqdMWW~q#OV}$5kHmiMWT<_cq}_Q{gG;a>u)c#Ax}sO;
z*4O;$Qb?b2MW#75*M`r5NbhAcoeF-J5!3CD;}VYz$ms2yqM9&c??_-kdn(5!ONEoj
zhSWlewXC_Fr8j_Rf1`HEmU)JT#KwE`(&m=K+g%_y9PVtJH1#IpT(u<dZ5jQD=Q3X>
zjSJM-k=rDvH4`fid+>)*W4oN|NA%CnSf7Xu<Sx2&|E}D}cG9ZfV*HZwE@lsF>;RXB
zUh!PJl31#Fe?y<s9GU*C6`&J>jYSVg?*rOT03ZNBMr8bNqbvE&LKQU!7@!0Dfaa8Z
z^8a?a_adoNfa+~`O?Vg%*H)y@3X(4;<b?TV!4%83pGOt}MJBxbpd2lqRKL_U$(GMM
z!5Br$_ANyPZ#T<s$v2$nT9-BF5t8AmX_#^svpD?JGHjZU8L~Bi?qj`!dcQSzeWpL6
z_TX1)F~lx2(p5_Jn)2zh&!W9<1NI7?4_Kp#^#Ol0gX@%aETe9GCjP)nFbA~l97}L0
zxV0qmabz-i2=2<g1g|q_fGny0_<QtFu;X=mu~fKotvS^3x7n3)hYAD;Kd&mBq4|Ju
z{y{wF{+iq<_;HZWjLQ5<ujT5Yxu7cnsDv`1bZo(S#2<}#wUakeUGc@IXnSZf@(UtO
zn2H5?7A5exV}0EajBzZ9YVRmx)B&9vbl9v?T52m~mJClgO$8d$x<B$UU1B>w4lv<e
z(aS^YHh!<PRW;8UxDr9eFysV%lkv<q(c3v}?sgC{czmh#)*fU4p)tlC<^_7tG8n?#
z=h>M?+U*-fvIpDbmsHDP^A(0F%gAmI=6rOW9hrVBKPQz!kI5{yV@N6xuI(wtY2g(Q
zWoo`~FinFE$)lkeejv%+?dlrcUoDLX(~y^|n{a;vvN5pi9!)z|`&s5>7zA%cVOdx%
zCaL>!YTllbnEZapLxl@;`|E|O(yR{PbHS;?!t!KZEyu6>rNB+n4R1$xHF0gD;jbkx
zP~0k;10nC3gC(w%K3|WbnDXzM*qQk7_aDMB|0wwT^M%F$`afT=8ket|4Wdrch=l9>
zLk}7~s@LYcCuld?KawOG^Q*yzw|gg-N+U3e`SSLz3-2=p)zSd~{2O311rqTFAbkOm
zb`wf~_8RDUHD<gv1^{JbR^Spyn7;=SX+Z$=1TcgIr&n(v|MPaN(>RLkm9qLG%J&@n
zO-XxExbC*Ps*NXilQ1r@xd^0XiNraQRazkWb->X7mqhQHm6;63)e822j5+L}k@XUt
z`RQ{y<$I#X_9BZ!roA^}=*l)a&Ft&6uDm@x?Ytoxj0$VoCfFS%NrjT~^;D9?ucBMb
zGlLyZmBYB5=WFm$ar&2Ou#1(TvaXG4go2=RdCN|qR#nV-dq!?c_e`%Q@!PM18+?-2
zM^0LJ?$ecJJn8%&?joDpb={bp5sEin)A~2-IkLj#saBD@CST6n2b(o6Q+jj8l<2~S
zkU?wdIv9htZt<U8W41~&NeA{n!_rXWH(>ru5ejAb@`-!kc+ukbu-|qq&h>Yqz6K+%
z`Lr;q&Z8+U{%7}9xgLu<=};MwU;g(KwourrWJcH~Y>;b@=4}&)%<G@kUDEeY1}Kd}
zYZq%Fu*=sA>5yvR3E>P|d(Yumn7*O$|7mCEpxbypUFjP0w+d3%;ctOwchDwEw0amE
zoYibVpF_4x4j<HF+A57q_oshvQ4Yr7LgSHpT2(!SEXU>+tElfBU)7H$em|AZG1Way
zoYTm(2=MA%CPnW1hP>8tl&+CoO0WuZD_l@<@vEAJBrg0=C!pj_n2tOuxcZwqZokeh
zm-qfRqrX4nDl@)w1-YJC-?x>_GM;5tgR*kUApR4QP`V7zUFW_l_W-%NwTS?*0mw%{
zzQmElf`OE|R~!Rrr~v5y+S9QgMTqY~avvskYdrfsfa(Q3@xzYJKzs`Lb9R$eQ$qGY
z{@3gtbtxh$y#*o<c>j1|0)XWQKtsR8;l$o|pOQCzT1tS}4p8p`1fJiGowpz3P?sHa
z)4tFjmCk&x!q5gO(b=Gkt|_<#-djC4`ez1C{IqjSGW7Feb7z^n7^2SRd0T{8vnYSN
zPDwsT$G&3BGfi`{y$v-!SRHWb{$e}M9o_QeUvc;(I#B;wl8e2=<$wCV{LhpekswJW
zzl9==VOcy`^Wl)%YwZ1(a(E($p49pI0j2dMje+9~`~`0k+(h!{L3pbDF-OT&_}?<=
ziRS0Z8KWGfqgMk$jx=cos;+GFsjC<lg5*9V*>>xB@1z_50^ep{1+tZb4Ddb}?AE-<
zb=a>^tfw3Orpd0AN=KUJ&#8#sh}4_UCSgzidhr9;Ii$TwYlAee52M#!Ee%5=P5ur$
zfVRS{dD`W**|nCyGGZ$u)H;^QY38m$(8FRa%g;-qmS4F>Ho{osg4KtUeyPDS^{Za;
zRts(^Ol7|`=GW{|^)gIjmCV+ns2@6kf2~OS)9d}DN!^TYT+l4ipDYI^@cuJVcjSnM
zHXO57)n7|L#;yrUap0h;Z~hqt`Xv49QEGYpUi(Zgo|l_Q>kKkx-0ey**I<<yv#<EU
zS&^Xnups-I5}6*>@1UqAH?HT=H6A*I2+nP{p84xTL7wiu(~{4Ro{u3~8=n|=^f=TM
z&zJ&n5_ZXg=YQk=T4g>?koCHts*6(P9@$7kFDDa{8KVzAH85KExoO}19XmpYfB)Gy
zuMnvF_4Xe4LMEUP9r6oaZAH5lc};2Gz?-=1sKBfeE!1U8Nj<eV(aGVtwQTKmfS-yr
z+71isRsr`tKR*h0naCEnPl=6Us{h*Y_Y`*Cp7PjtG)pZ=Vy1S%{xj_%l|-^wlFXHF
z6@w&i!sXN}CRFt+;!9i5cZcFSDaHLhD~)vOA5@@IMjhkx>Q=9WPn&DRl=U?er=CLw
zRrecenp!bF#j^^wiUX})zkS>m3M_~xEq3@jc$YLaNeK9hQKZF}Vc<!pibiCJRMBYG
zb98g9HeLO5;y-8qX;{A-Rb5rOCuknkg8Ivy`E9d@T0Bt>!L>2w_=mU#rk52<F7`;r
z@(=6g)!4-K7lZN63Vy6Dp^eHzL0;pXh1-m3FT}6m5$nY{Qu0S`TkJZCq4HVsA~jTP
z^u?7f-?4yTR@$Ie(!N@InUI4qrF#uX?RCAsgCQ(ia|Q$^Q4wiK-Iuf-`X>{MexK=6
ze_67Nt&Ax@9>gX;AZ61m_-9UivN2IeD22ATy0@be<F}O>Z|&WVsXV+us0wh?Pcm?e
zA*Jg+Xyqwu@4Oa^ytK`SZlip^5}upENETDpz;U6EW8Uj{xK*Jw{(84pdWs}9m`FUm
zxH&vdgBe{L8pTpYr#Ro62pF}AJ>Xe_%haB)!}s3Dgv2Dk_{Y;Edqn?E{<+jrQPhh%
z^*>{y9U+KussPaU0No-;`jyNw0G#{ZJxB6hWCn;Pi9H2a#Hk=#VqqZQ|C<d&mjhq|
zd;la^q``z5pq&Nf0q6q6r=S-y3CsU~1LNERfnVS7;7@=CWbPXf6gc%0^aIEw+#KxT
zx>7ytMg_sUo%9M)?gHSi0G+^zo<Yeyr>rRiVGgc@%GYa0JRColKx6S)dh>kseKB3z
zA*dL;o59{=@o>5GVUWd@cQG?!QuVOpN0#t3VQ05V@m+jAk^Q$=oriK$w%X3xJj3&8
z12*w{$f{_2T`C8=Y@#=zSd?9*+b*LQC@nX9&G-}K`Yg4{7$(@{*Mch4vQb$W^R{W=
z*^^pr^{E%8tGnzZ(@rbhSp6&d)$N!C&&;AiAxaWzv!#q=5eA4S$f(mdD>2_<+&$j_
zMBdA*G`-k7uwmY8GqheeZ20;wW$OV`u)fIUssW!!>^FVZ5WkUNLXmxn5pkSf6EEQo
z&Lf-24-TjCP}B1E!ElC&6is^p=N>=H!_>MXLbq6b&FFP<y5EgeR+QrMc{%U9_#`}P
zt*w^9u(MX~ywe-*Bc0pX7e$k0ovH#;b1UITOe!X71==|1opYm2@^R&csfrX09lLuz
z`A1C*IuvIYFRmyj(pC;rmzEj9B?JEV*^N59?0}c0WLq4i(f8WjZ<CTff88y@+v4LW
z>h1#N=Q~sSHN0vX?;<etrkqlKM&zAa&rM~gy-cSo7{%AN$sJ~G^U*Slt5rgf_2%=<
zB5c`ZTn^JSRu-5`{Io@Q#TEcxm92jynN3FI{mhnZ+u91BOXSYNCTOAb;_LF_pwtgS
zx-)>y=+wsfS|45Thz<#$KLP53K-`N6b>REfe^o;PpdX32KV5>2kw8rUPtki6k-ps;
z2z&<pk5FIG?|}a(tJx!gXy`x6f|vn`0?OCm;n`;v#3Nt@mgrd|@;x}<5w!eI2LR9h
zhWUTwd;v-jUInNikAU?5T^9(>{m(l1TaLhIV<7JTs(wfMmdq03KeGSm_9}pnXa8BX
z5ZQF)M1lx`#=8$Trp*Ch?*Mc7l7A#I!OGnj!mOX9m`a)DTjlUJdZcmuJv8-?G)JEi
z1n!sm!jwD7xf<Jrn=RUW$Y|n4x5RLEVBV)}g)d~KM?uOz36U-WeFJ_}<NYo%`h<60
zm^rFda^_M?k2BpUIsM1pp3NwG!mIVkN{3|-ZpxN+agI2JUOb04CmsQr%*jxU9j)A%
zs8UwAvw`Wu({7qV++Hw}A(04;6!b87wiaS(xR>2@vTpUvZCjI06aS-or^GaUqYukH
zctMt-39*#figPLEjkYtK4}Bn0YR7Ul9SvQj@C%M_rSCD$%6piqbc)Ornt;GspHZT7
zxwZL{qM3Mz>|&)~HM%c(_-BUBh{r*1Ymr~xXi7~@Z7l0Swz2)b&#9p&m#u=Ra)i`0
zR~ISyQ)^E{kcD4e`ITS@alTmw&p~-JZCkh`o;?nYjW`@VAs87IZ1HF=KRkisP!r-x
zwYBf0%gmv~10v+Ubm8C}J2(<)n8@1r^~Z7iTn@R>t2SKBL6EqKW29ALraDZ^#+a^%
z)5$FvOH?=0QBX06${~nE)dtKmAdOnxF|7M6i+<_Nsui^B#8&O%SKdWuz-~m5@7AYZ
zC4bye+#o95pDPNg37)h(E*dME!KCsSg?}X>F{Tq1$+Z_Z@5q>aTIF0({g*=G!l$Dj
zkiDX=Y_3G+Oa3hENV7GF{h!Phk-=M_48Z!xDatYYPj~hNaz=0h!av$Q5ieW~-2Z9M
zssUwT0PDjMh}5*@F=ns0u~ocC0tbS;C8D~yr~e=|)(E62IOkFRjzYu|VU<K!9biW9
z5K~W^8k{plQFM%_;cL<2a^OnhZ(|uqTP0`h$0Loi^*XdJl6AL=6>@_%{dQ4#B96;L
zv&9eFZ0Br2xq0lgRQG9B_e~@HuszfiLCY7PDfjKmb>oo-XzZn*>1D_Om0MRLTcscS
zk+Id|ik0IOBDEmn%M7M6$mficArU9n(T7ce<6uL~nlG%X*LppsUv0BmmwN0t{2w&*
z@i<m+cv*_!<x`?7!96k5t&3Nu@H}a8<RA2?yRhp`<6ZE&INW}LmQ!2dzBB8tg-oi&
zV~VBYz~&qiw^tkY9=xfJhQAE1gfv3?7>y2_U+4}7S=_w#Ci!Qv@#G@#S*L75CQM)J
z*8C*n@k`X6e-N+7TQiujl`#!E%L*CJ&>xr)c_jbi7VX1i{+@cwl}OX}ZwaeJa3410
zRK_fRdeHc<;UCswq4LyC@O0Cs0_S`v)clu+i8**oG7Rj2DYiQN%)~z@{_nKKb0Q?z
zkGn1VtArxxnmC|ZW1<T-CUlmL83`2zBzB&|yIETbCEw!?DSP{1+Y+R=by+@Q25@n?
zikcDmoQz_1PUW9?Os*k_NP6S)Iop}T!1zD%M)%+{1tC_<7@d4;O6i+Q*_W=8mbz`r
zWc{|gV!Zz=n{V&XFlm6Zd#}{HvMYeT4w#0U1AvZTBJ_V%GoJ(a-0>)VJn;qkkv5(9
zhqiAN>IzKeLw*+hltr6{`&MNg9QlZKp$dl<B?GNVH1jN4JAc%7S>V$jjCi)LuB$Sc
zqV2BS8~<?RVukoE5R6%8UGMGmYmKfp*&pFH&OIu>tp^#c>iZQL%CnIw-BcYR&SrH@
z-b>UzcLW5o-jLi(a@J@}w1}bVO$F=^8EU(3)}#Tg`QCF(ndFQ*!t+LXyEq9b1GmIU
z)tkq4%*|D;R4nn%w#t8<j!3Vz;~lnL>+E5w$j+a}*i&{R-vh4&d5VpWFJB8ADl<#(
zC`xql!x5#rJZd+}nUs05sy&3;)i{yZ{k%*-HBR|IFI+4V+vNAE+X`%V7{(IF*dV1=
zpRyMFVp)D{(+rNU<4nxU!=)=9`X#;(ZhEoyZ}>YBf9{1-b*G#asPm>R@F=Kartn7Y
zUDaXorj<h|p!UARpe|@$D3rDyG<S$dj6n7O1>B-d#9JS9=W1VNw_e@~EwxT(o$BBW
zHc8t4P-cd&ky>oacU#6PL6OWxG8W!3`dz`!cP~VX98r;oSg=!}ZKSYPdqQWb8WneD
z4#72qW;HMcw?5*rmI#&YxAGG45zDP`h-0+j)|r;kLK&@Umr^KsA{m=Tbn9-xWbE|V
zh2xU%82RI1gT2_9MOl^*l?gc~>|uj^T<Py6mleFF7|HN$4NQH4fSyXpsA1+dmjlit
z<Z5$xRZK(5kkww5U)7C&`q9E?!Bo1L@-ICJ!n(_=r;|K)6g+Um@~9wQZAK^ZGXd=3
zl~0b2FHplu*S{>)$;%sW=?Y{{6AyvG_w~Byfe-fP^nz2pXAqt0-$Ipq+u3kAc$I{0
zBwfw$<MUZEjnL5x0l6`83RFwtXyo4K7codeg=gpOv6&vacO@T%lD4nZvvZU?OIAV7
z!K6F!X~G#=?C^FL*<^^+%B`lB8}CB{Nbmy=zpob`I}xm4zlGh{z9%g>@#!Cv@(qO6
zcQ@^q!E?WjamEL&2fP!eO7}f|g#R~=S|t|cJi9Z&jAx0-n17}NSRKXd^_cvK@?(-!
z?60qNWLidTpug@-%gAQ!9k%ltl6n~57vpYsRtRJ`h3l?l9{#{^kzYiKqFanYmzWMu
zG{PGGd9+nT!bH5Alu}SC5V)(hj(6dvj3Gz)`uS14M>`iLL4N#lE;-(WYA;w4U0&bK
zbrI}}e-76_{(Q<hPt~(lcake5-(L?gyVQbjCnV#P>;gY;G4=Y*9?hGv%-j6}JL0D`
z=Y5=KjR>lbkR`w9M7!DqYE?vYaH8Vw5>_v$WWeprYczA+yIczOVg6KR`JwW)+9c=V
ztWy7UvTY&-VRKpd_%W9>e#)F=gw=Mp(Z>>cYV^QS0qZ(q$AeJUbElx}@>w^y;Rxnn
zveVpU-iuvRK$wVS$f0x9^0rw}n>|Zg(q%B6aUd$0j|5uBX@$R6(+gWZKI%11o?1lw
zQ#q~VANIZjryy1<a#x;vCmw+lkSseCK!@J4_Xr@rfFdJI!JrzrVJ;Cd&zi@8Bk-c<
z*t;%s#s>LAtP80gE-8r0r^J-(h74t*@WH+pO%j3P+-&ijgxccVZs9B&6Ity+96$Xq
zEndi(i26;`WW0+d_s>B>s($Ltp6F7}3=uW`aAviW`gfO$X2wsrZ>NHtlfUOfPQvvI
zagT=mE)mNxN9^!(7d|Fl8RzGd4K-?<>ZX0$0or8M63wG$3Dlh2u3GM1x;#@kR;#Bg
z*O9A*#AV##`|NCvaXK>%T^zKEj(hAQBcHs#jQPy|A$ftKo=Oqd9r)A=uBSh-5^;{k
z!=!W-YIz#P$w>beP1P6$;azl`rw1!ae4G{|9V4oXi|1Uh53#rNI-ok7=gbiH!3XYc
zu``+V_)AxfV&q9yVYBZ*<t1@au;epT+GtxOz1USYDvUuJ?<Sd`45w6jmJ3VLKQrEO
zNH7$6M!}7YnDRs4C!AgLSOW*Kst=tT%*E@BDwS;~3%eOOMn~1rw*49?kD>l$y7hO|
zK~fjTr8A@tVj&~+Qj!y=uQ$)?u&Jj@Xg*^pH3y$YB5xMYQK{WO;!`;4+b-SR9l?9^
zpUon5N~|H|PzGL4Ga=(Y(<vLm4^fukaojj)sVL*4X4nnNhRL468VdGb^>2)hzH79!
zl7=LL9xzyK<n*~t;j$WY*m$G-vg$phN!*x1=eF2h6Yslcas}K!gX7KtLqy!oUQ@Y^
zJ{Y&p1O*5OC4+PB?(Qtagrk8^3i(ndqLJGC%GG`GmgkGhNne1s7W{fJzv6thYF$GD
zH%KzjV-R9%WumESI6(s=>W!&Se!H-QvGg2|$}YmeX2%!JR&o8a{YrWaJo^KEztrxi
z;#aj~N?}{8#U-S)<)0)n?0(9Aa-(hyn)S3^)zH5`S&YiPvrcS^Z#SbC@W%`v3<apX
zGv*p%YnD57bZNw*$@3ifQ+02*%XtarkD9>{SOED&$$8F8E^QiCH{7^?)eEcr^;w~E
zFg!1CKfdcT@G0wM)gIqHH{>2(6GJi?cH4|gt*Hj&rBkDAB;Mfn%zwEP54drL(4H8M
z1lGTKzHX=*O=o49ClFIS!&r&Ogy&N|;dIe%4H!s4J$lmyLauBV&wPe%?$ApcfM2@z
zPigdh$;oBjFvB)UaWJopW5cjAP$r~sP$i+(l%y~H2ebH?@64EvVY$Yz|11$Y7-!YF
zk*&%3)o=J`1UFu!_bq}HS}dv49SZ-?y2so*<~(Q^s0ZbuEg0Hq)+OmcCDXLH6a8Gr
z{=}E9lY@hYjR|68610bN;c*+MYv?%w%=;HE(aicGveU#*!@}1b=!vTL=Iz$v4_<`>
zqB)Gm>k|<L>hBjG`(q0yI9iapgBsj9F4}Ebx|B}@siB(>OWI;WsT%;`GR&L=)LnwK
z`<~O5>E!kn1<k^3#ciDQFdSc-*8&ykrCz}h^Vz1(Di%dX+Cd%FyS_`1OeTUNBWOK^
zP(0^-GSgga!iNTSSZRnFvUz33QD2hp?D{akl9NzR4|95M?UgM!OF!5u5*)sLBN#I2
zoWfNdx~X%8Xw-I=hExAy63_YvHE%sjR&yrgTGdR$|CV9p&(2qbNWXb#QnshfICK?c
zJlV1t%|Bgu159Mc|BhM$T)|0C9|w>AHK|o(=TXc*zm$`_t>~X;YA4JvG)Ve_1VWT3
z1@ltB--J$D>23&U8;<JFiyekz?loi?9HF!hA%(3xd;Eiv!>Z;AD;FT|?pi|MTb@VQ
z8ecDWWLji%Jiw%h<$r6F?+v)VsHA>IkoQ9S!&um0G|D(Iz({#xMT?dR*3UGNq$wn1
zw>RCD9t+%OekxhB9Tro}wp-%@GiP#gdt*MGE;><_OoDTnRD!hbj@$)(yg8B`Y%uCS
zT`j~=PK9``17YMnv%42MZQdxGSmpNyM)%Vjssuw{6-x#W4(}1IHHr+T;k1VOr{%ri
zzPE|w9@3xd=+DN{E^A>$Tbp_WG{V2>WFtX4XDPv>+47<JY@>b-o~N6W`WcNMY%*4B
zv+K@45cv0l-B>IUeDTDsJWek}jOGE^T|v%Nd;L}d4_$<~atPH|LfLPvmCR}npsxY#
zl0d1*ZLaw8^A^CY?fi~+0(?LN7p@$E8cM^o9Y+viN_P+SFc5kOf~f;{Ge90U%{$F7
z!T1%B<?Os36sye7A~jg0qbnXcnTK>*y*PYVB)fx8;?oc_EHEaYJb>jjt+<<Q+oCY@
zy-(<nL|b`7-nLSL-x7H&3)b6!`hGiDvD;YAqR>pSr;ok7X4sU699DFzUP`=5h8?4j
zvq*J?LR0JEXg2ou>uemm&`MZH!)>S&4`Uh3Kd4+rLlN5@(ItMVoWQ*2*h-slw@q{>
z5cXxdE-@Jg1$j*C57DBP8=n#@V{<9m+&To}N#)G?q=Ed=?Ic4;|3OAa%~h<2y;s@3
z$6}pe!wMAIB4g<)r^~1Bh_y4zB`;Ki+~lE~bGgvdDJ6o{I0#Ero4*?r{Ew<~EIr3!
zmmcu{4$$JbfJqUm9cvDKF&|yI1nE`+YLlwX#LV3Xd78u^xj2f4Uz<qL^-NHHg@FW0
zN@Fzi>K)XL$Z;!$MAerM^*m=ITHdt2=~cbpvPrD<<gEPWAbfxC&-mtM7fOov%(AFl
z&D!nen_yc9&v{09w)!2>X5of3yBX^*B}0Mrr3E2#2jv~TXxAe)<OAf`b3aN_h@Wwc
zpYtL8spCyV@j8)yG^u=pA(K8k1V_jR>^neD$yX?O61qiSWo5ri5WSH;S2SQ~KG@HJ
zwp<`A=8N2H{?-`gyJ_Ra(*i{GTfK56u{>ea=8iAMORw?fWN7>1onaF&{83Z#pN1C!
zZK%B83MJnyj89*J{(#~xH>eg^Tc3h(ID*SO$H<}xM(#FGb;Ed4HDB-{t7g)WR4gYC
zo&BAE*u6_g5zC-(X&d9e8$OOeh_9@cwbktJcVsE&`>9T{H$;8FYt=g&=5!38ShHJr
z*)4?_OzPEgSD4W*C&MRTX9oNkNH4CWje@bX)@~t{J~x}*f_Y03Madn5?fi!!bX;H4
zl}7)p8`UP2&tCq0*WO_oG`@W4%tUa%*Z*9MY|r^F1<ey@6-&qAZN8`{9$%`(@x1v*
zI-&>;@LL{G^eaCN+`@6|KBCJ}3TBiuDK(owhZEj{hEwao{bbmC7zj&jY_74vwfrO7
zZ&*>bUe6JGbYZ5WbN=0on778#zYX>5TUyqKLt6D)4?4V_iodE__s~2lmUutcGgr6u
zz&OoUhl4h|tgerHJ73J(#ORfdeAQok9|fK7&`G&bHPv=nHwVtqunzvA^wGWVPeK`Z
zP%E5&9vU-dccHz~%^Bzr9OnRd0?ukTzx5xT|4wPhaXDWkJD`VsGh@bfum3(S$}6>N
zvM?vCU+#-O+R-7v;a!Bo7)qg6z_T|0O-<-xQZ9xTWFuIoJUEotR?>dF6cCiu0ei)2
z#E>1j6O|D6ipR6n(O7mLpPHK29Ud2+vR<KQc__ddG5F^=p}xZiZDF`>cBp}g$sYVc
z;byr8Se}LfF=Bn-1IZM1+pPj-377=5`?~LeH&3kNt#?dDP~dnBXcj>J7k%`BVwzs~
z6umq5Gu>ckV#d8JcdgTi*Ni~Kg?(IwP@HmC5EG$*SMSM$vAKJ>@5Y3aPr0dpY1p0R
z#?1+O>3#UtN6V7?F7U6~Q-&n7^UEFo3%o!VA=?2awGS_QyNDxdXC!|S3Ten+2hp`m
z$m&3o&sNiRAF#K39RI<N-}gO=1MT0*>L1~$*&$ba%1G9jG_KZ__j46FB%f5sE=?#6
z)DpzhTr+kKPoQ*h@@~;N6Bboev-*$*rJDZ|1*sJ~{6v>z3mJJ+x#6?BpZ!NQyeG)S
z&iq5;(}gJ>2GiCffe_+?k*X0rZ@aqjl?iWSyis8Q-G_IhM{>dCo6<8_nfCe7mA_k9
zmc<D0e)sGABaVdYte^eBJ)?k?Q>f{ZsCd;9j)HTxw>`<O+;fM>vO3SZc9%Ne5b28_
z2K>#iI%d^;c~G5{$0GhJ*W{g*&_2_N?mOA;vltKRs}^$b98JYBo8d<pJ+oCc@ja+t
z$0&h*w;HIaoDFYJXng5UA~GX)Y5o<KSwH)waM~<5avSpe;j=69vBr3*cTAz$?hs-}
zKb;jnKC{7}NFLq?v0j->Q~Sobx#%5^{9hqAeUcj`krYs(tNSzhUHtBk@58BH5v9MM
z51amNVb}*T=k9(u`v}-0r4yaj$21CmhwH0T+<zv+O=aZk(wJ$R!mcQebH~}ut9|((
zZnMk+;JA+|%_6YdJ+7Gre7zItX5|Kq5rGrXuO-u?ZZNgZJJj-9+$50N3V^5I@y=ei
zK&h3y0P;TQ?7h44-_{!$mrdLT@Cqcz`vcuiZ!B6LKW`#0puwA@eO3=7Hn8iONNd_-
z$uGqvhRbT-MiCw;yoR6-Df;eDF}0nqs5iZ4ZcEfK_PRye4NF_GKQVt?-v~RhSG4Ta
zRzS&)zRbDtrqO9N<z@*U#dXy?ENuA3rMFwQcVD7g5s@A?g`Cx7IWikw7G$MTu(+FD
zy>DJp0rut`X0Ehwhf8CwH@f}Db0<|A+f#HO9f>A|{+>0u9PGz^1uP3pm(pxm#mQfO
z(M0$%mk^OeZfGMX?VUhF4FwgI2lZJLLJTr+h63i8JS>*HQwCL0TvHC>SSEFI|C%QU
z?{FghcE_2tC;iv7h|}e|fX}(dW0$*Q=WBm9!%{&;Snkl0RE01{XNK5C<+`?6aZf26
zj+c=-D96G0sneP^&`4&AVG~K$9?ie8Z^0UoiHopJApje1OTf9zCcTf|DS=~kKmJX&
zg@I=e)zQx;TGa_9p<LM$PXRx|2Ab3CR~X8nS^H`Qag$LJBn}iQ-h0b({%4Nl?^9cf
zOKg|i*4cMlr(QF~K`|Xp8u}>|Ygx4!;RHgX%1?(vR(<RuUMKmpR&lfe<dNgCi58Bn
z;4*SFHP@KGa+f>nYLD;**enwmD{V>V-yIqDom0xgalTVf2jRx0G~VR1J|Kra`Rme5
z#jZ32|0&X>Ypl>cpfA`y6shjw@pIbct9Ni7@bvbHts)4-SnWWb!A)NA%n~++NzNE-
z85Vmb|D^zx#g9!|3oYbuX*)!bi(`7BlHQZ>2}7|vJZ<RF(cGJ268=v^x2U107d4^h
zTkgO!!-2U^d-bQ?I}s%yH}C!R@Vy!T;vLu;w|N4T??k=>hjiEaz`R!rYIY+v?^FQb
z^cIbX{C;WuhP4Brd|XSt21M?F8W-`sk9$#308!~R)O+qQ0NMlqhj)FAH}r?@K&RJS
z<%G^@7qt=!bW6{$fl^1^X*<q2zW@>4;5=>9Dsks%=Ju`qXjRFBylHrzWbQNM<G9E9
zIa^Y`k#Ia>&VsE9=^3x;gbi<f6anlCURuNWXfwS<A5{Xo1bNRDW1pyQxBFRWAxzgb
z#hPfNoDAvne+|yfiv@Ym5G;Bf)v~W-T9h8bywgxW1%HoQ8Jtt8E`q6Va0aNQ)1ixk
zB1(%xNm0kDE)KZ3nyWF2*S!p_{!PIRY+(^!YHlnTYZ^Ox1bkO75#nmbK_O8YH&~ka
z!s9@pKOs`e-i8a4&-8XZH!Vn{lA7_XN=%W06z^K}2H`43W8BP8MMEo!9!lz>&Jkop
zXR}>wtGGz-5cG-Np0v+x*3Gv8Z%~);JIQ7c&yA$~6{^2x%+oU+I(es>8I^crdaAy)
zd1n=4{4U%*V*6ELqIz5^!PSpVsF<?wBBB&$_wDpaB~HX4n8;6TS_-2j5R~a-JC~)u
zC6CQ>xNJzQ4?WtXkrZ|K>Mrxa>d8{nc*hyl7+Y4Aw%{_-OKJl`m00pc<H9)%G&@6T
zIyIPYI%gqu3WsyIHP#=vqHw@M=}k(NBJB;~^T%F!&#{C@R_o<zzvv$oTWEg!kzj|r
zQV&%LHB|kYF;Vt}v=dFj3j-+v<JLg3YU_YWj~678#eq0B;#i7WH1x<xFvXzGJNwjq
zeab5GcsbO4bon$q3CcnGOJF5Z>rH5?b4T9c7DaC=6AyhAw(%k>6m`+}olX<>O}KZp
zZv$P{Pue{kis~uic#{2hz(O5CE>B}6XA^#WyO<@XXU=T-{&{uR{F6mx!f|pnM3~Se
zFSe;Vi$hJ#Gb}ev_&#S&^C}XD3|QDu?o{>4Qz`Dp2<b;&v@JzO2!7+RF@{Cg>m1Q&
z_b>N!ZDE55z|_smDwi1E4xLHl66#SZDf=sB19qi1gvHP@s?A)bR<-(YSwnTmS(67h
zw|DQ+qkW@k(q9`(wG_!_wE^$J8Ov0t?o8n0(ErCj`hB#?*w-CgAD2Acd-FI3?W+-n
z_3Ruobt=SRyKXw&B!$287J>CRq-~0((dRT>ry|AM_Vm(;6-d5xgJ_{>OOfAHR-`^N
z>Cw7u(UBR17jztc$7|K?s<?8D^z31mr)xVV=0>N|g6}}_B|dgKWFx?Y;VJWC{=M{|
z^?PL$f))9U%_Og)!9n6yO$UeQu=WviA)GfR`7ARycfe8Di*bS>ksizh-RK-gb!S-0
zG4wrkg&2xK9wb4~&Ec}?&6oZ@i^45&K$@PLa~mLjvard|dFE$qA{qKj+4FT`+f^L`
z0=RNJEV$m^wY!5$!eSX>M#QDjkQj4gyXZ?Y(QjW%J-;~<FW4Q0RLiG8O=N<cFr4^@
zGbf^@brsglFqLEf4*UYgb>DU)T)aP)$4`F_brt;SJu+IQv`&j?nS+iEF{W$H;befU
zT35U{u$!>;G2dA{K$*JlhnDPtM*~|#7KNnGsNOu+`RJNcC=h2jZ;EVo9{3=9<}+x{
zfS|n7WA@RLw(Z3g#)yfP&HF<cM;a5oR{x6(W-L|e%bTn1DwEuNF0KiCZ#76!6)pTz
zi}Wos>+h3*$EFmLh}I_cKLqZ+W|z6sA+2Sh;Q?w4#v0*au69H}({QC8P#xPcy@WH%
zh_b;pH!2n<37zHZ&q0I)pJ<jjGv~q#*k)=Oxa78)E7lkzFhn+xw+!fOvenG~s!4sp
z`}ySA7-=t&a*g0fZu2=|*X2QIRSP%;kH*Ncoz-4SGUZ{D;YY!nH2>ZY#WQoj6YGU$
zfWe0*+VBk$cQYzflZGC3)vj|RLl>J-@|WTNMiD;LM&GpVZIba70gG%C+WI28^A?dR
z2~OUVAFE)cCCqg#VeMLyY$=J6u8vpr;U>>}CtA{%pW-@ga_U-|Q-hVOS-jY;zn<{-
zH&R$3TDn_@+xs$a=Jf=|o>51H7<25&olVtW@e7<%hGpGQu}8;FU%6~?1s<0;%Hk{7
z@-y#@Ga>d)RX(*}_!<91^S}CPe?yF?=Xx{9R%k3JB$)MeevYGLD~#FZGKW=`^c0FW
zR5?QWtJJw4B!}?&OD%6xD8>>ncn?y(dV}A<!)*_I1#bUahPF<DApb{@^G6j4-vV!C
z&0GvNG{FoLIDO=>lbwOE2f@HIwrS7nP=><A*pU+U+V*9{7vtb{&5Qb!^u?G&^uwjU
z9F~Jl6oJvjznc%qez`BL{Id~=Rm@lX`|^5W-}Hm+wIT%eAt;q6SceI<XhnRy$qUl&
z`;M@`WQyb5pXa>-JAJuBp2^M0IQP<7S`O17KUD{o<5iX(YIoP!IlbK|S7|0QVzRC;
zENKe^+^(oNFW3|k^gI-T^NV2FaLg1&GKm0_f>T6P1-`pauh9nDMJ~)nZB*^S=?X+;
zY+m0boePy9WMCu2PRXo~qAGUi;+Wf4NBG8_##_G`P7;+JE$BJ!<Sx!U#Pcx6J)0~-
zCK6+<)jTshk}cK0dCM$E`G9R&S!Z02N0)S##C(jSBY8G9+Hhk^el&&M_>;{qFnCb0
z^LX3ymDU|kZ3RJN{J@x{uB?o`&%?}*mA7cHVB=i1IADHo6c@Q?zYcM;V@*!v?7(D+
z3Gl+RXvKbp?P%BhlPeQW?(Zy00F+1{8PzX#qN~>n=u>Gq!`Ls<i5L=Gz*`DPs?O8(
z;!rD!#QjqA{&R4MK`*Hs`_B-+Ym@t7gs4y+=Ua)|pQ(`bZ7^LvM_VtK$HkRxAXCFG
z1YWduV&?Q~5P?S*O&X0r-Td|5;)@I~kpEH|m6X!HQaQrnn1}Jq;-}Fh<t_BsXU52|
z`f7aa<(Da=s*jF$5}BYhp)T<6{Xcr>T>wfW^Sdw=iHEhh&0s~*TzobP!6B9N77I~3
zsg-fYUq{s^N=YX&zujRmsD8hBJ0nRs2xDFc>Ao2ny`e&$W&Rs)%+mX~eBlwp0BvA>
z6qnPmG2Ic(3m*xY*|7Z3Ja<q6*MYs}MV{&4UcJghx<6#O_IsN>;K(6G+<ZbRDb2T8
zPW-q`*3U>GhAGBe!LhAExs@_v9<z`FJM$1R(U*~mk5H&SiJ=Kzr#`Md@8N=6%tn)9
zhHA4{{tddA_0n+Pbt{xOp<3W3Ih6SOd}49?O`wQvN(Z0&FkO8^gxhj8RfT`oEj`#x
zRV`iI#!J{>p_#i6i_7H^PUT=UQQWR$8NX&pW$M26vo|)MgxD&o{`@j(v5#D<;Auir
z9doYz7>?ym!z6zMQ>wcTwop{w-Dp^YoT*#e?2~8y&9v{&qOJ4<$uex1!+9~J*rKyC
z@+DlDFGb$>UA(2<XVOST;SRNHB&)yugZnD5$b41;0>)K7lGx=bm4$L==V|E15MXth
zX7RdYMVowt0%-qEDQFp$sq6n#Yzm3lYLOjjGZ`Sn#5&5hY}GVlEKWOMbC8^1K1;?J
zWV?+Wk^GB^_EsLU<q`1(dQ*~Ww1}KSKxEF<z)a{Hvrih^t00QKX7;{(MIr}T!>WW?
z^7j$R=NQ?=fm43?lUU*bVO3yuvk?+RW&n<>{BL6IbLo5kB<QU(D+~b2-iOaYyd?fh
zz~?lf_y2Aq0pmc+8|Vj^%rw&Yu$$_m4E@ipGY%AV-->*Hzjb}e23BnO8K+h;iLHA^
zKW0*Opqy)3Flhb#ab7H&sTVoz#G9@-LMXZpy3=}0G{fOhgK^14h{5VYZWv+1V8Y$1
zroz}7=M*QyaQo;2%WR^#)L5|d^UL0BO|<}6;p!sR3La6YaHnscx;XZTn828C`p2|T
zc>PjB*}9&YD+zD%r89?F`&>K`w6uDEW}ISn;a9RxVFV6rFY3$(Xs;N_8gOvube>5m
z&=c1PrTEw>&%^g)bP#SlR|!EUGZI9UrXiU#&uPI^kLAwr2X&6!P!r#muZ8g)y1@M~
z?9*Yh2G8})hD?mAuA;SnEExP2sF1eQ@Lp$GyGwzT`3DE%1iRRpQ3#t?o?RL0NR`Wn
zSTks5XUF4Fh6-sqdot{rRqT-dGqimldxKJH4<cTxWR$v?unG4EMveRO;w{SsN+Jx5
zV25=3y=o=z8IO#}$Hcet)VS9*E#$ia@toVOx#4LJ8q)5pggc7L3e`QA-Y)_zCkxKM
zjt3RG2F``|bWZYwXL!P(9NSk9(mMPguSYqq5|ygnBx`xi_8NKq$f7}NffU4D1;oR8
zB%uAOJ=2inUfrV9Aq2iIM*d^vUFB!_Rr5*eF&%f-pSFeTufMe&?@e#splJPK!oBbl
zq@%yMytu&o%QK>@%M03k=p&50x;b<kT*}@NRJ06kB5qKoO9TmrRh0uDas%8jrkV(x
zdc2;Rh9PU58=?}hdj}x;12`|mz`&r>3sAGq`3BIwkTnD6Nl#TkB_>axwF6=-2Sn<J
zQw@Nb23>y$4F)0g!;r7k4}ksx{rkZDKaY21REJm3#guJcXr&h55&jVb*u9hC0i{6{
z(}vxbPk)!B6uxbThTwlTR*ljPb5Gg663eX_R!ld@hPsOUsz+U23O8$xlGXVuC>;$O
zzfaPWcefr1Yi6p0-gnNE2i-SjD3TAj4HD_bh2~pHMW4vz>pa}m)b46GeIC763v;}w
zk8`TP?mJo9iR0(0c8t8meJ~zfA?mL_ArZ9_iq$-g=a(_lePHh2AsWfPNb+<*G7=)1
z&D`R!3Zta3u0ESb<kI0>LAinWH@!OXZ`d7KN!cAy5cX-vs&caSA>vJT1e49})J}|d
zra)yKR_!(Fo7e-daj-o5>CWf&EXQCdWqR}9q|GQLu$lWPK8L7bLh%LJ`v&!fqISfs
ztc=2+omDt6qMaa~rWRwKFkJO|Er0RTW%hgX1{f_@GRU=75zCuVRZbAI3-pp9>xsLz
zt_G{45gIWsmMbTB)hgYR5ue3Aurlk7*BWj7VT&L4avT?wxoxbyAbNku#!zd@zm=?J
zSbH_Z_Q3j0?_vgd4`#0>E{c$EeumRA=cK96eJ(p0TA^~bil=^=`Z%XpemOmDF_$|1
zS{FmT*5>oKl0D$UEjZw6UB#d50p;Wa&X|$<w?ac(G7Zf8JTpe>)e(5KaiF`%$u5Te
z07+zIRuDOrAN?ryI-W1_+~_D?@}Dpi5zPg6zbszPxi8cd8*ZPD;Ub}-f&yfY#o7dt
zKiT|4K#+-Wl_L{Z;fEE|YlA^^LJ&*xCN;Vw+e-KNZpF)cdoe9iTa(^c0|pzN>iJX^
zv0$x9*?!91Slj75HJaPFW`yNmh=DWwuYUyAANV?bBhm~3082qpPaogy(6`2_17rZ%
z^6vo93Ik*d%>SV3PP;><Pr6|s!GN9E*SG0p0Q!!M>unYky$yFeZuEgngg6q(1MqYK
zFZXxoJKz!)=UQaxnXC->iVC{xUYdX1wXFI7cy<B+V$MAX3-$#7cji&NAMyjxU_hmx
z47}7~HR}7{e`Rg~Qjb<R-s8YP_agxHCL(ub=VOd<x-na$WV8@it><ww_rqR-ON^ze
zO%h~At3&eIj3e9Pq}|hQtCa3seu&8USTurMLdi<jOFqEl!w#i5VQ8y2f|uj(oj4{j
z0ZGN})tnYAL-U;dWrU#q+^L?c$5i&71)cU%CK^0sSN?7E5zOeDajAW{RJ`;_E+<Sj
zWF+=ms$#lf;)Rm$ZUv?%?`MH>Iz`^!kTpcA>t6(;z#5$N=Cn)nah+7SX1XcG5_kVr
zV)XG*u$ek~orLa4l^aq?QQ8~ig&5O`ucqVd57;`7df1+0k%|ZPm|3{cQ)Qfg!Xi!Z
zQ?X+c@xJsnp$-soKam<^>8!^r>JL+GVUFkl8ZvTu%9&0yjK5GE68#3ljL&80c=jM@
ztOz(yDs>N@y<dH}VmM%N#pInkWr46Utu~tXW(c0=n_zkseym(x4?i1Imp<7_d7aHO
zhid@}x6?csJ}u_G@^Mj2H^dh!gg8n(O84gbrG-~H-4G)<2hNr5YV^~a^UA9Zn(g6v
zLjPZ<ErF?jZ1nnaWgBeEO}J3&*6622PerZIU$b~cITfRtwPdlEgxj9u1<1AvIM#)b
z`zxb^(vn?gU^L9K$5QhC4e|~sO@1(9Hl%wv@A~c9`IXBPpU)}pelJ2UV8-@71lf`?
zxVt=K0LzX4E`_*}j)O+Skm9I%D$g8QcmWpAhgfhs7*Gb3w*gR6-pXq<U+9X`+|rZ8
zBkenORBkwoF^{G3sN-YQnzXFk#X+5Y@*>E%{qqS{e1{54s)=1;l~Xpd0~RSyTOGb5
zX-0BH$sdUd?u!zZRl$1iq-2)3fP&kfGgq#fSv_VnVzz2efqm#<+Z}6*=mk4x$4nxV
zCHwL0L065lr{Gy_P61mfD<}1`)qQcAQIWQP6?acc7sY;F-Ki8(F6**v2g+D!IqMAk
z()kUTe`+t$<_dL%v!-Q@i~b=@*^vic{UGFit*<eKWtS1PYmSsMKYTtZ(&IJM{9SRd
zqSdX#3OATJeOmLbAW?HDxz0EbGk9Y+;^RbeABSI)@sUrYohXbWJ3ukak&Vdids*)B
zi)t~!_49Y(V%kvaoun^cUOYWWrG5-E5ix>c!~I}m19NgoCk%tH=ZJH|y@grk1&pun
zhRh@8^TB%cl*C?3@LGFS(kA`_R2;GB9)-VIMtty^w#scbM1x{TWgDG)y7G+iWAmKS
zE(6&kv=3h*m9|;>R!S1qw7ZES)xoR`aTaBM1UJ0vr#kwF<2k14f7scw$_!<6TQ35r
zF)`*6Q&%O4aNpMd#b`E^{civBCV@<+HYY2u*)lpj6cR<~&9Ixi2ABR5Nq$dr*}0zK
z>*I#4yhufC3eo~;GD(%+I#)d<GtVjhJ-?ZUZ45NiGDmLF2XqiVx6}M^1?YJr``aVF
z+E04j`$<t*dja_@LtWL}#M*9BXfNnD4bE({+jw>_k4lOU<|l;SBBW0PwYZ0A3ELTP
ze3We6LH;><@bSf6YddqMg3eiDxiqf$+26h_+Wu~H{=_ubQTgsLmo`-7v~5AzthKHC
zX-a0)dI`lZx)jD}pY<vBBQ~Rk?1wF~LC2`QmPmV-F<BsN%f(+Kj`(AZz3+M-?CTAM
z3_~m8d*3gV$QEC`Y0E=*#^BlmYS@b>A~iigwn+z1=wq^B6G`DF)Usik9y@89Z`zT4
z%RYZDZXH|McJ0EdwxS1zjmou)Na<Gaoe1d;Z=Ynt!c+}(I`zJEPfK|$3_-=BEOOsh
z^~YWPUH(5zy<>D`QP(WoaXRRzW7|n5=~x}xw$rg~+wQny+g8W6ZQD8f=6T-te)s!z
z{;aY0*ki0yv*uc}s=P!2<v{gyonUeLEe@=i&X|i|C@(Y3_exz_1Vd6Ng6UzLp_+-d
z6to70um|6(_LfNsIyCLO6{i;l_YfI+{Z%MSry*c3e)2HF{#~Z(>(Y*VE5!>~$_r=L
z^|z!|5yzBMDx$=vxqmD3c3cb%eQKL0d)^qjp}X7ID?8u3jY96uNElnA`3h&hbf(bG
zmcx3!C9V}ixvFB?mkX%CS^m&Z5eiqLmwm6%F0zky9_0hkkEqbS^0=lwlw;Z(DN&5S
z5r{|0K+05+QZgrSe&5QjJK{X)$rUH5$|+jIwC3fUs=#_%fEz>rhcVXWpuUX`T7Nx$
zo<K7C1wtAIbhclv&Ot{QcAxgnpOp=0e<#E$0R+f>Z+$!P;V4o&QT?R01D*iRNdR~U
zVD<rp0QI=}h^VE?OQy#Q2);R3LEH;;3WdVk3O+Ga-0VcZcklb}Fr5zqEFW`~#fstm
z>kbG;p8T&T4Kc%za{Sohud!E1emgjFzK7rIarJSScIwu?C(j-PZVJ;~ONx(QGj2F$
zu3@^8V_oiD{=~Q&u&5G`;4ka&&8!?fcr5#sJr%^yn%zp#Xi<A$cBNm0{%RH<(VIFo
zKg!U}7S2GUv=Of=JGt0f-ab7U?4sd(0T*gu(B38MqMkvwR(lXhx+O;1q(==!4f*}=
z&PI`s{y#Q48v3r)GR7UrGa`~GY$Yke7Xkl=ydd(}UP5dLlIe=~vKndyRxcHIUdSk6
z<;J*q8|>dhj9gX7s~yrU!4nd9l3~D7r^Mt78?<`O?`2!5R*hKt%?~<6p}rVO1xDkL
zuSIL&t>1|{kg*!W&PI0I1QNqoff%@OGx~F=UKy%E-se786a7iBk689f;lqz8yq$2g
z<l%jsLh}W?>2}CPH+xtTg|h)lJ%twhnMif<4OIfm!<mNaE80xbyqFUwZ)nfhowsbF
z-y0;RIYhmGw#+_MhCOs$Qu`%d{6-w?y9Qh6HfV<Zc@U7A0Si$HNGutCJ9-%Hw7=>X
zH4ZwB=(k2&BlIVrr+~GN^7}DvX#MAmuUirf7g0f(uh3VE7Xdz9<`t(-(z_MMrCU({
zLx~oBzkbMlU~Yesb9q$2aUFmMf8n3M9s**;87p-jCBHEE!%qV6S-gANFTVO9Oi3zZ
z-L*~w^C>bpEY_1aypebdtV0-UN;)|y<E3zpe`)rohZup_JzACAh)*c4XoRQ$GJHjC
zfdaPy;v_|LbNQ`6H9lEZ6Pj;oQXa9z_tEDDwZ7T;*z72I<kJ$a)mCoh3%*}=&a3FE
z0;L-HsAft_N)Bpn7^^hdMJx{*YHSG((uOYZPZC^pzLTYSEZ&F`xY-_*w3P9ui72Gq
zc@j}Yq>NZ}Hje!Y?@a?jm8AJb&UH`FGM$B%9YuW&Se#E*gwK|zfj754hp~cQwu3Ag
zA@#LxCNL&^ga&Qi+ux=p{}LiJ9g~fPAm@Ce`8vX><7gmD6IX*!#AKN+e0>%ek;>C0
zy~Q2A&|^5@W>fW+YsYxFntN32v@&>EWXZOTP*{eKfGt4guB-LtQ_9`E$W}cwgN_@r
zVuO)&KpE=ABzgZA1NmQjw-84|iF>oU28W;vfxdKCAdBka@x+qVdH7jxNr2er)thfC
z0g0~H852Q+<$bXdbJc4YLpm%rBZ9d_2id*M?ucBYM|EK^c9x8WfF6UV;|!%*n%<%D
zCg+1OHjP^oA#IhEctMA{*v}Lz++;n>G-v7WsbF_qCJf`J737t4A>%EAvT|VA1?2hq
z6OpU&u+Q7iQAR;0q~XntI||K(LbWzO*EW=&!Ri#`6p`heaZbQ(&dJRDs3^hzH-7w6
ztMjDy2J;MbV<ZiH21FAc1Cb=4XTVAux9q<(*{=74e~JlEgFOa91#w0V5S~RsPS=BM
zbZA>cgYsqHj9DQ3_vuY@D%3<YphVv+Q)!X5K*MlNtgCLk`_^u@mrOUkN35~;{#iFu
zBHh?(med8=UgeZ<n@lM##Fu=Ajh3CU2M1BxTkjP~7k|}z^=D+sIv<S9WR7;!g)ZK7
zOKo(lTz#5v0yL1=`*7{yIdxl6yQWfBW7GTC*P##0$27RBcm14$lL<YtpWkmau2bx<
zdi!q#h9x+)_;A0+FEh=Z-`y!XG|0bUBxngcsP`s&oZXSRTs`Rx<=VzR*k2;ad5IEr
zr5ErEEK;4vtV=j0UZ!PoXU|9yzx6yWFz30o%HXcd$eM{Mqv)_L`i-pm9Hb*0%^f83
zU<}2a91QnT`HUu|zVP4#PjzG*AqNLFtvV36?x~ArZNb&jZ4R{L8;etRkflU`{WT>1
z(aW$)nlWx+x5I21o4K1?98IuN#d9C}h@YCkrPuDrPeiB`=^UR{BO!^)ERfm@n?l`|
z=pxhF?dBr;Pphc*!c%rzog!-XK!_55vUa^-)hXPg&G~9VlcM-9?h_@}TPH$r-_?T9
zzyg#qStQKcvA7}iY_}%ERtuLSx!R}#0dHJ5q;I1bZ2F?<&O_TRw{J3wW1xn^v|{|0
z(kL@HBcIO%EA>OPb8y5u1Na{^MV#TL!A-Deb3(SY>iJDbYU&fq|Dw*n1K;4O*Y2;M
z4HigO9tH3{0)SEg<uebQ{QU+PSCh14^d$e1`X%=>Y*KIgBerMdJ#@_v1T_Aqe;WM^
zCkOt9@V{2iAVcf}Ab#-wHe>35HyfY;n+Cl6rvm02y-y)!0t%mP77%Rq*nOV-MH?Km
z1F+5E-P_s#KIQ<J&u;B2qN1jXEO*#k0;Pf%1%ljMpQ5{1d9@sDo_V?%$4@zLc&>jX
zZ<~*KSB;RIU$ZY2M?k%jd+Ga&)rQ#RF!vAt2H6Iin=%Ytcp`4!Ijcg;W;^RM2-+@p
z&IR#d{oU(o2qBe*1y`0dz^fCZ4EPMEl%CON%)VddGU>DyQIUW)yPm-E4OsH{g1jJo
zHFOB!U^INN^(=!W5!BmS`Lv=C_p|Hz_4;e_5E9Mshj~db(vOj?6ulOEZcEMTiCpE?
z(Q``gq4}s>N-3pf-6=pmtyx+PkgStNwd;Jb7loj2Jh~Ej>~vYM4kg)sDk{!A^tGMw
z5AbYU<w#dVn+avL9gKe$<zre%2;7R6hc`^KlU_yrONR;;VL@D4>Rd3<Be)G1Ipntc
zL6h?G^*Zj&i-EedN^)q+JS<uTgWo~6nMJSpq)3%zv&1qEiJcdiPm+t8(k4wgWQMhm
zbOEq)X2GGeR2WU-u;c$a%=FOV4FCC`+u&=vGujf_Jf|z=_sS*2{g_*<!NJwl4KIyq
zZIs!T79p+CPCO26>Jqr7pW}q;tOl{w&iMT?OK)h`R|VT_h`5O*{puW$cl*+LHsUX6
z`%!?1>YB)E@*017Cr6qKB1Ww1sJ5`X)<ff+W~7d@g*TCIlk*w}$mhK-7`EQUJ78IH
znve2#pbPU`QFRGABeMa=|LL-hK!j;PAP#fszk2QF-(;|cRlofjkTMHre%bWPnwX%C
z8MIH`L3ThCA5bfzL<Xe97QOy<Dw;5k9yXk{clBWI(#dDl-?7(MuJ+~&LWnqgJpU`2
z6Kwun*;8MVT)5ehg_vW)y;$>)*Abs0S*NiYx9PXqh}hx2-5#v4Tr$MT`_$MX3yIyF
zZ!M%mMfqzlh<|1|<I!5fc2KN@nXCkxIaj}#|68DzVKozO>GA~KSN;f6tiFXlYLhIt
z*st7jlPvXcxUphy%q8O<Xv^R`5ttAV&RB(UpSGurtXs_hB^{P0xCY}~to*KkL+{Ts
ztX-`MuAU^AXw-iX?PT!{z5O6)q3_EzmZ`HHVZ(Z3L!U9Wm2av;t0N0G#wU4GOtD%a
zVQLc4s3#v=exjF}mrlxh_VN0FvRyJ6M4CDi>mF~d+H==E;(Kbn3gs7jO4bPtI+$Kx
zJ|?4AjBBH68NpTl(E4?9*^eFPbwF9JS`a8208goR>cZS0*OfZ9hn+{o&*SI7o=de=
z%|H}QpUJZg5}ikcie;2yNLxJf|8}QpjGje&d7q9{K8@o}-<g|g;W^+SrJg9~WU-hg
z(X`2MInTys*L`{X;r22_{C10}fyw!utvo!Sy560--KdJLY(R^OCVxvxd82;H(Z#)1
z`X;FyCLJXtDmTemgSZ7{9fg}FzNz_FGiAB5_-;e;zOeL3yA{!&G>&T*Q8qx(zQII=
zdzAVe&GqSzgi_NJgU;!dO!!{LKOq5yElbx#)df-l8i9|WsrY2wfy5*VK04n#hA+b}
zF?(JK)q$Mt_u~7V_hQHz5P#z~2{3d5Ks@>GgylZ~FyCQlyFOheApAbzEob`;umjYf
zmjV9H|17)Zw*z6a<GuKzr;9{fiGR8NvhCXgP%Z(<Deqfvge1_<z<faDJHY;VpapOo
z3<CorE>qW^8d-ub??}%8<dbi2=#{T|4^WJuy$`5^U?zdR5K;ihg(dBECHvy`<(hvR
zNX!Iy-a&yJ+kg^0!!1$;Ajc#I>Rud7i2i?XbOXKB0JNV+UUG~r!@#F))aREBk&A)k
z78bOI{=X-E#w#cDode)^Kr!a$`#8>gfBXPKabw;AMMWQitxt~(f3z;(4QmVF;R4{-
z0e@VF&cN)qseoNWMPVPlWwOVHUq|$k%GN4<tV1wE-83J@Yyz(Htf7f@DHiiUhMD}g
zd{m~W=}djEc<X3m(yCuX)rP71CvlyO8dmaG&TqjR9w(O9n{1=)ChtL$Bgr(5qaJbr
zHa*x(33(kPgh~w$d|8#)Sx>D`P;IjiI3V_O?dz(483z$B#zDa&<zr6nT5XFM=DLwd
z^;nl*Ti?Sbq(=EmgBm6*6OHRPlX^o$Xfx7-uSz^0^A*o|2^}OyM3%bQ#SoTb>K)s4
z)QQ61b2ogpgRRO}c5MYo*JtwWe48>I9=(vqWpMd$ohq$a6`;aT(e$i$$$r9<h{2Y+
zVWCSh0V&GWM~!0$-Ebtzuw`u~Xm!+gNkmH{mfuV(k;zgLawA)*!0IjFr4{{uj`|nm
zS@HjDtZRp~nep&UUhe|t8j`6Fq&hE|+h4w0hBiGIDIaxMA_1My@rd~@B77CuvXD)C
z((iN#P~V(Nvbud`Gp+xb3UHl6wMr!sJFP6zr_FTpSx585lJ|)#{Hj*9ASu~~AWs8C
zQM+X(@rGn@g#)w>TCd8y<c;n=DAzJ4{n?1I?J=ynRp~{>Y{LJ-2d$ns#Np%ZJJ3uB
zSV6SmRXBRlcJ8M;An}}cInmvhiG*Wmek<gz$bN{)(We}5jB4B%`Am~J5hP9E`t-#p
z`MkXX9611D#Bm@~*Df9~dI0?Hx?6TiKx)s=NihG}H())VBHzy&^Wy!T52PN@)(I5m
z3x5nC;{Vod*B=l34jc#Va-)9Xv73DZLc8rVK{;4hZXkPqvWp*;YQ-AaVJzPKa)g7U
zmP4}`yd46HY&PpYBF1C3*Ei06jAgb@^T)g$Eu@bff3Q_id5I_CN0FSkN>Nm3Q@VG<
zj0%B4E2t!qB%UW4^=g|2C^VZnsMoU9!@O-vMBVD+%S=7`$7f1uZNA&pl4-FB+y>Gs
z`O&T`7F@`3-X1}YKTD`R?|m$ah`eOz<@D8+**|F&I&J^FnUb9Ks5#%To_87d%0qy?
zHlZQ8|Jr%cgi&~M&F~aB8cQx_SIOs~@EyBJ$jk7=g^9#b6=h5NnYQx%9~CRz#82h=
zI$&iVw^+~(MK@7eF%v;KOsz8+i-U)O?IuL(-l4KO-mnFE?%u08J8&zl<?Je1N*2UE
zC%ggCc5$*cF;TSI*g;CwN^zg3KhKp37V)8t)bcGwMQoncK_pel>4i|0as#UbQIIl*
z@0F8NEw^129&}&8H^oPCWLRmA0k3B7m`JyyGMM_7r`%4!WRaMAyN(c)LiEP6$zf`(
zC5xR;eVvvo;Ja|C985$n<3PTyx+wtZSi_M%`yh|ZGcMbEhy<!dah!-ApD8-4RnK>D
znBf^o{GJ0jcl}UqmtpMub7t=SXS1W%)uE+1!oT80>%U8$2sSG6Q$y7+*oku>B4n?W
z0Oq9D`1Gy}O_4X%;cT*K-Mzy31Uecadr{h-`K^uMC4m3ye=ei&F9AugxBo?^2ma6G
z&wfO)2VcmWG`|1hFQqm>xCipxe%op(xEQJ@Zu}vJWty>+Z&V_t6Aa1AZT64+RkFT&
z=xWB#zCAQAiXxeRl{5S9EF&r_TPq{|jXRiMrOn2X`;`p(Xqfk8C5ZhOWl1Q}SEA#n
z5&<znnS8K(HmX2Q3d<oS3<da2o!pHVKEAt*BYV2kUnU-^gpB(iv}13!-`hMQ1B0W>
z@%l2#Xn#{h<t~{Sa!DQ%+O^SI#l*4&!TEZxH|OOH;%+_DZlB9*J^7(6%dI_zW2nDQ
zdJ=YX|9kZ&l^&O)ypOOrG{6&4ttx6hx@8L{yHd<pM7a{(u*r>GsGh21vWvPhGN&M$
zR$yDUNpN1^Bckvu;hIAmBOA-8g5cHCl6+t;Hx4ri5Q*S!^<NsWj#!3gJ0Ccj^zWdQ
z91_HD!)90e(Y+_4h-H5BqDff{+fRiUb=)Wx#@OblFljd?p`q0udP*Mq<-14h=+7e@
zv5k6WhPp=zd5OZx*=5H7?Rw;M+XS<ua1cNH;YJ77BulSz)}Aloy!NmqvzANT8g35C
zMesChcvQs;7#DeeXJHJXp4z=2-X6xC7f{3as=KrqjK$@u_GqR6x1Yr?HZyf8S>ep)
zk~Da<_AEs}8K;v-=4s~53uGDr>?;mk-7Xg~VTFThT+R5ua0Q~h3!KpIefKxDSNN#j
zPGH6A=DP3FZ_xcL7>?7?dqvbX!5{eL|5LY9pA9}JA?E+Lf_{ANkDUJ?6W~NU5BL9&
z$?oIRmF$TBvw~~dB>+axfUht3dn|m+`;=0xXyAY9XwO%EU<d>vv;&ZAdT6>P9cjvC
zzN4>5Eakr~-+o_9-tqf1t?w^`sm5eyeD;S5)vqknh{<X2bcJGekRVCqF@>~fqadu+
z`AHY3A#oMEEJhLnFXf^~N9w2rJFBBX9)fHqNZmhFrc&!+uo`3+KIDE?_V>x>2g#Xs
z<fJ(Lv$FXHu|%tWFXtX@$8l=wkjc6Z{jrG6pN*FE?{Xs4mknlllbbV+hrxVD@)l(F
zD2L}6&CrT=kmkE!W-1vDT*MdQU%o3cj1sB`#g$ooqmG3PHNi+{r$<FJmt8_J7kTY6
zXx*!4<#n79pREms<3=5^nqAlOCYP2g&zV<H7bu-Ow7}U=r@qVh7G@{qEz%QOI?+N+
z@N_C37iiSwJxU_>CzRHiJ@6q!WWA>OUA}i<HYeT7*R!_ATW8X7#;_5ICg*2jsv`E;
znY^RiG!&a;@Ini$j%1SEwl+U4FEX13&%K<W!$ryiCxl1mVmRm^=pkfT08<FXLJ1`O
zq^+mB5a>*hS2(5$!=V0Qwx>3jd?>*Sql_4`e(61-CX;@V_iw{P=C;(g)^v&W-nWu5
zvZ6!qP!XFj9-of>WK@3u?lnymDt)#4Q1$5TVp9YQG4{)I)Z4a^j8yk8ABqhHSL-q8
zgK;e@jCgYKzk()b)>33f^QO6cYx!DO?y7ND{F=aPh#u*Ufn?0LlwTi6^8n>C5YNd2
z5P$u@+v|aU+jreg89;Iv5B+aF`||whW%hN_7k?9=fm;7ek?j=$#qRn3nEnrVfvyfd
zFk}B8NqYwIX99j-?)d-1zW&2H4P)LJ?;eve{|DbX07~y?+@Vzf;*$jijU(#Z`n#`D
zCp9SsEWw|g{2E#pNp4>+EI+mmhO<YBM)!!4eV*urM}>~%P!3fY3>1SHKNh{+c;Y_y
zJ#{niIgP0Ow;tA%sSkQ2zP5FuXper<g<-{~?j;KN8#b!@NFW(OJlAahO!{Q?JX(VW
zRwn<?n2M-z`-m;$=nfW#E{QmE!-I<R)T>m?67Q~0khFa>KUJ5P%`j4pl%R98>M1DK
zYTF`3C3T{e$8470YI)YxSEIZr%~nqOyo;g6K9@gXFXOJqN7Pg{Ba31?FY@W5+nMh1
z5eGLnB^E+w^+CZ4Y{mC0->K(P?Aqldq;|{_nbK;8RMzWv%iSSB%X1=n<;eW&AB~}q
z(Ds7<DW<y>Zj*w7V5x2lx4$Z6xzK?f#ck#(6H(9)7WIg)LPjB+S&XAbkj|(=gUQO5
z0Tf@2EtXePSDsC*^<rFN;gOZQiz=Sa@$KZ>lS7E*i(RbCwYqg{8j*o$%mc?UUy%w2
zdSm|%cWSda8<v|C*5dAX#*GC>^QP8!7XCrTxfQZz_jqw;jJ6H6-^v?K8;;~{wcQ<z
z=%+2=Rwm4(zWtW!lkT{Zsw~mYVfq*CVzd-q<|kHA9(~4XCSvPW?7tIE{<I~C@bIo=
z`t{{%(jwX~XdfHiKylhm$p@xV2)ha?AC0C*9D%e;_N2Uh_+C|N!Xs`+UJ1cD-wEGr
zr@A?6fLNi~)dPNn=5B21LitTOTf*eu3}XHa!=(LQh0xFB4q?7`jh{5O2L4#s1Lv+s
zM~EvPK)&RjA<?;SjN@=6hNCg3rP-k2B#bl^QoC|ucIJ?DGyXJH@Q~C{d_ba3bkZ93
zzic^b+N4=%h3;fYB~~~P0QW7+m?>Gqu2nu#Q$%Ew-aXg@pGa2{ya)Et2hei=S$G6F
z_G;Cn`9dr`Km`!@o+p!DCilg!;krfy5L6W8xE7kaCv9`Tg6^g__ZF?{z7>#XZWh})
zza~a~k4HNYX){OLRnd5bk_{h=YIhtgF!JSU5yuX-{c|gPs&57<{v8vm2qNd^YwN*y
zLv^LbQ)ia*LTmLsMm+&xe~o_@TK~PPw;cukRM8$w{vsWUK>)2Tpcxh%p0^>X_%vx#
zV1c43&8!wyti`YEl%h#)XGpoYp|nNV;*!eRl<pm0c*C+PS$5Ja+=fzM+pmVaOP2pb
z|9Z@uR5NdV#m877rg~pcu_&4QT%haC=7(rO_#M27)xmk}Cc9%kc??UqdIK6ppg<vC
zZpNRDP8U;|O0Gh2cLHw9JqyIVl8i2nazTl#wRezDoP*SFD#7Qs`?l$t3Jx@}sEQNO
z)=(jwLvv`0;=#>LXtoEj`9GYeLRy~pVeazZI1&vOZJG)m+=F~rc@8p)_Z*Ba-tO0%
zQ7GTv35`HU$1gCKz#!r+lhV4j`IAddWxh=rt*!{-lP#A&gY+CchfU?nuQVv&eK#zF
zz2aMXk_N+O0ZNmdI5cbY2`-{#>CvyMX!^=!Eb%j3ZvoNYDhD6v50`099#5f7f3%Es
zvu1csW_X5{hpe7#VPr9$x=2>qnWY{w@$PmT^-T*qE>rUiA|?L`=j>s*Ekm@hpikbw
z@)+~Bd$@OOh6rk@!@NC+2#P5I4T?-+XXwzNC=2D`gK7G(oy6$bD?Z^;5{U&UDmg2o
z2D2mSlT_^24A;GIOh;n~T#J<YmGQZfoqilA0cnHi(X79=nk;!mPzjJ#x<}|CIP<e~
zk(-TnOo;qLWCgaThe~ocCDH=;+%;77bp&RiSWLx1@swJAI@9opi&y8Gx1I(_<tz|e
zgN7q;#ipKAs5uYa+*tc(ii#E*hlOizdHZ6|og+q+C;pMmX$-{=)e_P^%-!irk4H50
zQ{Sv;nY=wYWd!X#%q80~wI=4iZXql@jlxPA<k_Iom{ORfCX=P+LbL2`Pi`Ovg|T1#
zNg<3VY%nAS{XydQ%HH?DqBYN@_B#30B3;>VtW`y$2{s^i3d4(HcM4a}<UcWo2_y+a
zGI1G@waq{UqI9BV315+0B<bhDi~hcM+w$bS!gQ-wb>R1X_6~5YbkwuV8RC0vZ04OE
zG0?v6`~|DIMYh0#B%tx9^2^5U4;;z^75Y`x*gMyrFq7eZqjbBYN-ObOtbrawU)PkV
zCqc0#!3><=VjWqjC2JXZ%ShWQj3++Psr}2=Tm$*13zSv)NUm@FAmC~WX#D^Ia7>^G
zIGOuehlqA#-cu#IMU5k|zm^#<3rGjfaq1V)zkEhjA{?(6x4<hWJSTZxeXUPlPbZ&O
zLq-Oa>mKLzZXcmtnV^oz7=+i67=9J{@aY{~YB`x9XOD>oM%&G({4h31=^+$E#LlC*
zpJYVdpcs7CxIGbY?-~|%=vaL#KKnqzcwRx(Km}K>^qzmb!8(0$YrU43gVbn3;OpvX
z;Z%Z-ua!YFRc~-`Jsw=MGKY^b{-P&sg;REMs$cNfJ;Hf8r76HCtwv(zw2(@L-=wEu
z=5;ayzmb{h<xmVY_2;_SRAjYD?&ItF({DFVh;vQ`;y;u2z}NB^n9iN=c#hvF{5xt%
zwb?8hqv*zz9Ovf}XNlbR7soKrpDUFocfj%&@@fBk{CZ0*71d%aOo5?SbBLOV$-P-M
zMA2-2flL^rqTYIUg`s(&Bv2h;nqNksun~o2j*6~8RA`Da2=J38D%N3X6FnGGtqbcg
zFT-h5&VO9mv*c$ZSb(;<Vygr9_n$Pt7eNnDo2k~{r=OYVQ`_3)DrM|#(>Z9)_ZabO
zx8dE5r>NJbby!?hTd{>IXsu6`-OFd{w~wMPESC6j)eGaa1)uf_q7LoWVfUGLep&A@
zqLw+lIX*U^@17SitmTAky~Q)s8@0#mv^qnP!46aLo6I`?T=GQ3-IO}lgqr~MyIj=A
z;v1j}0O&==RUb)Pw%<9=Wz5R+KdPbC8ppa~s>l9)X=z4FEFkL1A6I+gIPiK+4sIWB
zVI1DlmGb4e&E&Py3uEA#QT`jB5X=K6Ji~+bn>$7Pv-C^;)>qrj_SwI<|4Z+Gqn#!+
zD68x-TK&7(@40Rjoi?-~*Xv1v=7}Voc2;QLCpN7H4t&1czwvYZ?#PMZRNYp6VX+-M
zAUfi<m(KaEw<7zM_|<~|^DF9>3%!guzI0shgG}6!sOYt)oqE*Yv25E>GJK;tS_EW6
zx1{pnO|)bqD<&G#{E!uf83nLSgPT<R-jw)nDt=l-0s6B1t2}*^1Y>T8)L!_k<P$}T
zl04L|@q8$PoNn!>Q{K-Wss&bh;hQFG*QiT>P{NJ!_~?aQ69^gjXuzclu9Kt458I`+
z-BnYy8NIm@XZct15QQFfD63g+Vg0Azl6|G86dQ};#J1;s>(KmNwWjUbE+LI`GUunl
z{-B-7c<z703&1==mO>01S5aQ4_&QC>@DR;;6gjR-V{=nPgGmx+7f|su&g1!k)QD#Y
zP36dgD1h+yz8C?6*cSXL)@WUe!XWRbzv8$CmWb_RX?>t%mqBb?s8Wl)j+}ILqqW-N
z#qP$5Z?-8TLX0Zj(i+kWR<6n5AL{XxKR*&@uu1Cqb-SMKcvM?7Ib4bOGyDdJ1FB@M
z7J>E$0F(=mUdIBY9%sPE(k=UE%;*vDbpr%EvA@Ium{!mcAI)+OW8FQUo9F563Rrsu
z^meQ+gbRH*tqTI}Ikj<F<{cox-_n%@_l*sS72>8|mpf`OSH!>GcCl!BzR&HQstmGs
zE$)TyU(p(dek>t&;1OnKnkC@>^ldsySbW&;>WX2JYDA;lxatcnt^0i9FIKGhzLPYX
z#A%bt8|z<{lPFw~L5PMUcwTS_<UKcJ*Zp}#BVYeAbvC58OB{otnD+|7@GaEhRB8*W
z5*ue&8_Mm5j4R44{t0?z=lT`2^;;8(ss2#u=L2g!>fG~l#2lwP+L&(S#!Ja4>*C>T
zpLL^%*KxOEuo``l+cg*2M`pLzdJ>QP_>a{u8#r@dqU=wNcnC@NOM1fhj8@1#=n+FY
zNIq#$pFV|e(8gXaaH!I^KI>Cf7Ng(4u5fjb#TnnqQP~AeCYYeK9*s$)H?^kH`1BXb
zi7s>bh<z8~o11853ytT25j9NP-wlD~U(6xuTykS2P)|0WL?2ThR*#!Ym!-Qc+3{>A
z5PsGnZ_jMs4{T}SxcR0SBOp!XRaaWl#V6<rJ@?O!sX;2~<X*lmLF&7RW|1A1TrrsG
z;?&*EKxB=?eDOx#he4%Mwjng(WV_To0XLDoO%IiJh5U?u#v5kjKY6V<if4(#&cE7E
zb4*3}`ZWe0X5$sC$L@;v^_~mQnN7iX1ywHfTVV;<-FTeOW_Fw@Q5`oZspMbMKTclw
zfq~_#dBElfc*l>>54T9LyLVV;I@0&Fp`xU>$MIXjeJ9V&OIl@o7e~T%N7rs3H<qO`
ztA|VLmNQkx(>BIBsF{_7ED}J4;Kjs1sl@2VA~HpY=HrhTYAGUPG?QgO*h+(Yo!T=l
z;dc8C|C^ESFTzh6_I3O-UB81y`NSXYqb*tGGq5lk&N6k47#oDvPyqvA6KFU#Sn+1X
ziGkyr(IPMqq(K7wp%IyJ;L0cY!2z*Cm4Q^1YSM|eUhC&UDQ3}XEYP-s$|~~tbh7VC
z-ko#Dlex^2O>d^Xp0@52>7|gV+zOAQ)+$vMY$XpiAsBs}8yM`<VJ@B|A?EWUEu3`q
z8D{C1?c6%CgRNiA#{{QjX!7Z7<hjAVtfH{5%xCRSJ??lOt;;?J;5`N_&_{bdSl&wB
zOd(BzBgc%moXPF+#XDd9RwCc8mEnsk_-L$d><%;E;h-P9Ops={r<&~95ThsXULv+;
zt`IhMg-epWjBeIEeqvU73~ByFvj!f?iY<RO{+kJ=*baB?0ozx-5DU9XEBGa15b7if
zwIx%Map~gyHQfXzLr_9|YXKa{eZpbSr{XY(EeP%kTWWQ0<>AA&eE#mu`#RfrO#ZET
zC6S4;vMiN9v2tr9XJS-OoJ@CFv1nO+>gP^Mngr@dg-Y!cy{`y1yvuN-{cs^A*P;(M
zyAMr@eK}zJ0OXtl&w3w}bZ+GUVEKak<oo#>`4S5PRKWB8FNQ1v-7~<O?+1VLn=c5?
z@>u0=c!PF48a@X)``qHlC6io&C5<Xza%C!2zFKhwflXAev314aNbM+GJ&ww_fwjj>
zpS87a4kMw)+IkZLjz`ma71H4webWo)s%kF`>!!K%FR`(?>3bqXMy>!=^P4zGn+MYP
zDp@a;JeCvWqU)VaL+tQ_vDq)fbC(CfQ=;gk(~vopQ}*S(AkG5>tJw-iyl0-R-wXJ>
zQP8JMBsK^qe~94F_gP4+|17F2x3@j59jg7rh2m18CRwX3J80n#^##Mq6LE-~h32uS
zl4_X5-Qt*J=qPkdiM!##!#ts>01rJrjyR>ut-CoarOPn)hh$WRfo~>@?uowB$^U2D
zbVhVq8p!h{+i2osYF7)kS%}vgzNG1RTU#gV68>PB^XDRg2A0YB@sUEm3H;wfi3`|3
zc$ROK)_7z_M*1>h^I4C`SCc>6Q$lJYt~6&7J|);sFIn7Ys0Am5RY*pgDrHZKu4+z`
zQu8Gx1{yAUJIEqB6;WM@E5$Yh1X24fyPITL-7)-DRP;M!J|wSLsX?{$(}=LWZn2N%
zC%H4qKjm8pRKbXro+v`=FWUzH>|%CqX`mq#Xgo$6I)gVLOQ5HEBy&N0nd?uDr?a!L
zklssJjQ>!IIC5Zv<DXu^&d8_}8mfX7^-zqG^wY`SNpGF!IM}!GSU?wB%K5A)pKL@G
zn6d@|w9B4lnfEq03RI*PwskQ0>Z{M9AN+SZJ2FebVkt=8eE&=bB@8?Z!5>MichpwZ
zWzh+IIYEm_Rl-q;1=;8&enoJ$@B<}ldga4Oy9-pqz|IhdSwvnFleiGw!u6qPmub!s
zTCQR4k4;A^SnI~C72^6Nz7KLur6v)R`1Px?%z?%a!@1=~Ovi$D!4dPj@W7r_&*xuq
z)G9C3VpH)(D&8&G81da%Yz*#llAQcY^ICWdw4kQwFNO@`C22MEl;CDf?E^aH(Nm1m
zwjwHt*{WaCf_Js*aNE@?P+y5t$`rk_HV&{yWbMo(Hi8I@8c?U8C3>MBuqN|48>v;b
zsVVR-bP$-e<LFNz4-OK_$FI~8bW7_VF_K<K$uFGt9-l>|r#3NlDm~JnO(?gnqQN})
zzBIb{Vhy5q-%<2%CO7<;br<tAxhYm&F|ZavH4`mTgpbUuk7b8S<_y-wgeUK=`{JGW
zaeeEb)7XqdJ{0B?6yN3&Cj4w9i?3GVac2BjIPmdJsJBozv=s@3)q-OdW){4$ksfiQ
zLT$iaY4b^6j!A;p(C<sapNwDdKYN~XMIB1K57XThskbe6V*|}E5-o@?qo=vN?60S_
zMr89QI~yA|-slIyb;M=bL?_&`E~^JQgLf|LkQYGz#vPvDnCZx=^QWZ#%7fdbSDJ4U
zP67d+Ma6ajuzm7<NADwXwCG_&S0MngJ=GSgLw-Bpu2ML(_-C&wn#Ht-D#s6%>3d$i
zZ2ZNu38IVCN@a*JRi#f3`h}lLVkT2S@3fj!-F(gj*3;Q*_)~(y)agNS8c-CuamBJo
zg35=Cx%cBHR*xb9BF)>Z7^g96W#Nru5veMorb-Z7@@-Vu6M>09HA;9YM{RaX{OgWM
zck;>VlQg2$lGAX*E!7R~z$lB8#S*VfO|Vy<&FZaH0H^{jmZc%U9%L83Nq(rL)v|0U
z8{+6*EpVBP&IGk5zwysU(JpK=$f^L5+@1bJpybVhT+;f5jW>ys&&uB`ld#Q%_b<m`
zcTHfOBk^2fyp1imJu5VK>~VPhH4!B@0rx^O!zSc-J3UMnkvrM+Gexx@+Y8<jhbABG
zg@h_{aSYDs43cX#gah8Z>Pk|+f=sm2KtUJzrM(ZptHM^jVL)wunY;ql1d7c_IfAfI
z#XNhwbsxN&id47R9#0LX9{*dIm{f~u%JD(!TAiC>l-9^_Q@|r)O1bAPi)5_8-8rdD
zZ;db-2;s&(g01T5LCTas5}f=aTbvFvLrNIo^qHsrB^?r`Ndns!F#h6b&+DCS;ulfE
zqdvcebvsB;Pi`g`xkUL*0@?CFyx@znU_KG;-T5l3$|6J{A3YDEQQbc-yx#*8rU)do
z!PRQoSs*(QaPbOQ16NyM|9W_wdw$YONYa^hmpFVMJRUyVgDow7-resZx}=J_f$K+2
zS)d*cW^6y7wP5G&79}l(TweqqcbEA6V`7(OCb?_3Eq}h&hzZLU;WuUe*Wy7Xsn?R3
zcEZ)tF=uvGk|Wvgum)Wjq;^VcH>@q=N8Zk}qN6FKPV%);4v^P&6naj>>)+;+cY2eq
zWWkkxB{`GRQB<S|bl+P}?F+q!+(_6(2K`?53jT^q(L|GOwM%(ca%}7pU4O5M$=a8M
z1v!vfP@Z<B`D2a!a4fYdWskb>QiNICelnPdj1z^$MQ#iWvX@z$GZh25lj1`Cynhc&
zv!(um8Lf7}M^8RZIg(6AHc^(Sj)bHo;Py8aN<!g^>5p8rH?wCrT4_G6QrLSuGr^zn
z%pWBcW#oojJj2;)qy<6&Q}PM}&$m)Y8rjwfa$DO}ryoX>Ff>v3Ca5IxrGUXzN6wDb
z8ea^$PFP(V)r`nhRtZXZ<YvHv1Z=o&9(;MEESo~!K(sKbRRx2vtpIZ86KcTk+kMbY
zmirNt(Lw0h-Df!8c<qtT)E>{O2Jv6_sdWi+gVj+F@Nxag>d@IM>rqPsLh$E%j9&Q$
z(;5b5yX9gC2gRolO4H9=Y2BoyQioLQ2i+HEP-v+WO?9qQO?{3KOok{gdEV=iFpqQl
zS<#XdckAfVudNlf+o=d6i>+NnQ%SE)`WQ!dn;W6>d#<+3=#B+c+F{WIk!b%+r~Yl5
zLtg7LIVr)}N3h_|Qw7yP#xul*sRmX1E3ADlJR)tQzkGGt^=-x<-F86E7eYIbf`GQe
zY^)mcEk|WtVI_vNxX)+0aC5}tCjAtbN7vx(0juJ1G*!{`e5dY(dm@;w_w`41@MDJx
z^lMq#F2|UQ+y{#tZU8m(=TxPA(y&^Fn>in*w#ivyH{`$3)e?1&<bWL_%g{-T`TSfS
zc74}fi#U%G{MNJ|hZY19JT#xD>+;(4Dpd;Nzwt{oFL$KKC{7yZD|E90w-o&J|Mlr5
z1?$j;3ezj%aKA*|B0aoTWZz1)b!ouHK!pqFX)Q$>&?MO<!i0NXNfW%UCQ<tVG<Om5
z9|PWaEt@Gi6-9wj)Be3L<>&CvM?%LU(<TPWQKN2M%o3zz5Mk+90$K-y2!;_VGgcF6
z@5DGqDkTU|6$xa_*TKAUCFGZDR-JuWmd(tzmyy4&ZGu@WJi^Oc%g<F!4&!#krppAz
zC>N;HHysOo4aR2bdf>Rz8eW+25N4a1#MUYV)ZrWAG_YycvIq0|edtx&<W~rp+deMx
zy$)nXu_p1R(FjHshut5AU@D_sYh)^`62pFc-G9k?G<#9l9poh!)cd=tAC5F^_!H`3
z6=ChQ>LQcu`pgV*Nbo^(`k98#hm}q0{0DM}p*SD@FO_e)2}~7FTqbb8F>vTSf2m~}
zG@I3W!=Qc0;B~<j8YvFz4pXXm@iP|K1^Nn><G@hMq}w@J@_;g12lMl#7JWfm-AqIP
z@KjeiI3g!tK4rYli8#y2;j))o?IEzV`H<Pd>NU?>WPT5U(x$+qIhu;Vx7LvyqC>z>
zex8EZwt};>*)I0mA@XODk;l)_7mIP@=LeU90KVmpbW?s72TUa6t}9+?rg2~fz2>fA
zyQ?>L7tzVgkg8fjzX?jruv4Aix@PfF-&f%_<bz{fwL)RijbUSoN!s0;US!63#edUq
zv)@8@oTg+TBDf^$j*U7gUPPUZES>%|Yi_k1|4k|9XK!%zZA{eHAPxTvv{FGN^w9BL
zywa)k=xB>!11rS7!4N*j>yw~wq3@Lk!oBG-EWRfePnH_C*UlUvFj7N*oLYZG9&ovu
z>~R!&+;lj{BV4Vz;%A&Fxd<f;2V%V^U5eksz<WmfAN?D7`HJ<FQY@02eQ2SgGTz0T
zc$pM05nc#gmcsg$IsICyM-H-{Phu2#M7cc^9mFC**;SDAFgJL>&Jus}UN2xCFpNZl
zAG?@mW|mjTE1^d+quD5iH$5*EdPj2o_lyVBXK5J5rH?P(rFuzi96(y)+dUK>+)P2v
zHb4=24-5J55f>d6d7IA_3eHgAn7LC%k#Jdj{2K*rt8aPHJgj?S&>VuW1Du6Lg4==@
zT`o6rzgs#{>)x%BRib`XK<eV@ICk!+x<;qz1rKbdjScLpl5r5dG4&ZRnMqD*+WT?~
z`~m^YXZ(N`fVlskY5iRwav$&qeGcnW0{nq@zfQ~O!CJr>T7jo-v1h@n&u}b4$?Y63
zGqS^iK;qDDeo?saV<E=xrku?mb^VZpT(NJ`R~-^g32(EV_A`nwpvMq<9vFq?ye_pO
zR}5T_k<^X$az)AL(<9H^_8N)0Cgs?aAGUuo>PMCD6d+IfnmEWuE|k~=kvCkPX>0Qo
zhO{iJlXKK-bF0_sstL3OzWdf=-@z4Fx%F>m%?F+QyqHe*yN(zv{5$qq^pg`AhH1lV
ztza!tCV7Hphx1R_Y$}?8iqm5JCOe9%hOWVBVByiCt{OXm^~gh>hOe|7k3?6R98SZY
zPwew#v86L=3X94<*)24>7H<S4^UG&ebecd>EOoYUS^&*9hAAWtp{00_2qhFXsKfI%
zym<4mKkwkIy}QOFX6qN<KN$W{s4+Pv*XWyH+T1_-Dlv)mha!@>(F*Z40@5m=u203@
z`A8ux&yk+<!WNXdX=($_>!7F`;?EQ=me3Af;uOFoDn~MIm*;*@r_6?cfB4kCoW`xX
zG3TSnJzKzWG-_2muB3Gar5M_`F;(AX-FlH93Sv^ymWnsLUUr!Akt#IHb4`!?i)QDH
zwNKqfX9ba5wSI_^6NV%*rM0vx@cRsYFw7eJDiGKNi&R#x8<z6Ej51pMME)bIXCa4Z
zU&w}6H^i#5<Ya*CmABZ5GxcJCr=;p>YeY?YIVAIOx*y8@Q8^%jQWe#8sMGU7*aGMs
zf|@@E1^qwxeHlxx0l)<STtWQTpjaHx`lsa7>)CE0<%>30>iVaS`wbU!^fR5tmr7vs
zdFfE~aE<kdnPEniU??-TKU7qbhG?|l<T<(k1P<h-TWuxBP9lIg&p_!PhA?lrpuzon
zKQ5zQ<<vQE+Iu43Ic!0GB}uOoiwaS3x!P+G!VWKs+L(7GFzKOlf`G2+47ecB;&$}P
zo-p)-pN_Y!{syDW#&6LSxOaVP>x=dG=N%D_DV)>wSR!+y*6-K?$atT$v>lnRCWYBS
zv^zJ^eCHmk=BiqANRlFQtgXT5nM-((gbEoR5uUf^W0TcW@tP8HaYEe4FJXW5-u|iG
zwK6}_wTtl4B}#OdJ8~XNck_0{dvPzNbeL=Bo~fH(_L7E4MM*0WUeR^<uBr6OcmjL+
z`afVPwfBrS{+LvXmxSj`Y?%z}i%y*9^zrC=l^r59xGk%a7SHk-xo*Sh48BYiUE0^p
zlzJHEgWF3|L*W%Sc&;a<agH?@>dHeaAk<G!`_`GNE5++g7YR#x5Ud4?i9n3$a=vGt
zcud_n9HG&v+O#zBVGST-iT<9}TGO02nz5FRvE^u3Mw1d}k?7`Gp_b7|caQNKvBWFx
zz-${zlh4Kd@gVU>{jOF|<2G6*dxuJ+TwD?EO321F*!LYmru(-7GdjA22Rr7U>(f<3
zD(WKsTsI_H+{|h^+9dZcO?+my)o#~QBk+69s5ilX)oeWej<IRUC@yG6oJ%XE;sJWO
zpwC%(A@bV@uiL}M&6OuMbLeixkurJKW08zbN7P^Jjx8|cX0Ob`vz}+|!d_w+yZs>+
z3ybi@-x)Uy)I2-Bwz@bJCI-o)XJ;-I@H-?er*DdOe{&MQS|!3y=*lW79+lVTUM|d!
z<(WCmj0_Y^F2Sas@0O5RRVDfJhC`IVL+Wx{b?9o;O4#|UW{e-PHH)8%_@fh}HYbp_
z0i#?tg>t!~@S3iY(WKt|UM6z0SwwK_L*7Gsq~W+tf40_|wS#vj$z^OAn~G%N<wR;w
zkNnXT>!<bSK!9i-VwJ!!rZ(5LWU^hG#TFq?@?WlVjw3iLT|q^?p%|Cx(^MO!x}VKQ
zD#@kwnv0V4f|t}`Jb3a`Il7VM0X)_vL&dnYWCpfmqmP(o@{Dk}cqL7;oYp#n;$?}>
z=bfDx#MrOzgP|kA3}febyi(z!%vV<<EUGpP9cLh%ig1sOY@8|gMXhTb(-N4zvS_>b
zn(w$9R&l5E5b1Yio%>)r6in+-X@l1j*d1%akrSr~b6c0igl@@+Z--I#m`9zX^gPpK
zce<(u%C1u9B~^mRzgi2DUdd8fb!^bnE+2sJO9be*j6Vz<LTNiju+mzOY7?iyK;y?F
zvU2q;pm|UgB7TDpzLG*WijGk}x`JPr`lv$}2HlIt_1v#@hYZk-<G+~Lg?QAEHN9in
z?LTt<&xB#0Mxmf5Pf#M&58&)m`3~w9f1mnP6w3GKJQHSB7=iv<hW@LgM?K=d{ip(v
z!9E@HJ{JO8_rTUGVJ`4rEj>z3ovWJl*B<o$YUxv#0b;{m#!;AY;MG$g7-0PVIm+z&
zANd9$J)3Nsh18cSKdGuuUq}!?5fF<?BxLjB$FX#x(E%kw`d?oi<)?oWQ?=WHaO{KZ
z7oP6R-lX99E(=daLdiXaTDa&A(axY~GyHWyjWaScqr<0Ets~ipMkb`{yLuXCR@^Fw
z#gK%r+*`lUoE#gb`Ib>e(3ieB2;sunnu81n*n00Igj7rkmZ0Ac+wKlE4m#8QHL#Oq
zeXU{83{rwDF&g_e6qirDKZ;`mt@=8Dv~%oSU8S2t@uB12@Ie0ELK05gT9!8w4U_$g
zuVJh3Qo0!)=`iHRpue!SkSYa7GPog~-|X?_P|6EGG*d=GQs289$^Eyyx*|8mQ1?T*
zOLhu;<rF|0d_-+>gYY%KuV21Y`4ySN(R6~1KcDNSpxgNJv4!IU#r19*<{J8H+`C$^
z4tqlOxl1tJfSS8^<fL?Spl-F_4lS8*^Q`hbe2`xB!pwNZd`*hI0D_}*8gg?#yuttA
z-a>-+vMbX4?fhG8EZC*XwHTU6r16~4Qo0E9uz!KA#VEmrn@&tpIs*P<h>isLVh~f6
zHb>*9HSS#!Qge(OXXS$cUw#;N*j#1E4wIGIhb@~n$4|+*{w=51c2lMn4+)39Hk~@&
ztYnrmT`IcR@q`~?_`Z>ao2cg}u+w;G)`=pT@Z>~^QZhnn3&aW!U}EByNO{M*AzwYk
z)Kx#Sl!NA|+_b|a<P1b88mzZ&6CMEY2LN~kz+Yogldu=Gdwwch!QP51yH@5VV{nZ`
z{X?3BUvzZbF}ksD9w_v1jTUT5dED2tjk4Nqv0<<e37SbP%Rdq$uq@m`NnJZtAccP9
zjuy?s-YfF7x696|*&`f-ov=ykJRr=zt9~ULh$_{@J^O;1uqF1qXoz*&;H$UsDrp%D
zqLF^D6)d_8sF6aQH4@sfV?`JlfW+4Qi;P53PlDXe+22Q-MZ8#`F3<c6_ojr8$LtQ<
z2F0mwD4egSn~%4J{dt}6!b26h5pU16SZLzbL7I1KGens3K)BIQJU)VgPBW@8_@8zR
z&w`ug^-QTc!r6q&w9_2P;w8?29fgMR0Z0sK;)>np8!T!KB^3?~m9)c()f(R0Nf;U=
z%B2^|IhF>8<3mopS@pop_=}<+&(zdk94}oaD>#V=_1Ta}cFa{f+_D#*s?w@5ksQq9
zfm%w5{1IeG=L$&y-|HAP)e|@ACHs25Ge+a7vO6j=1lw}f<~VLi=K<2fq9&KaoP|l1
zl=p{OX7!ZQriICXT>gpq?VHPHgZIvA2<@e_r`631<Q;LVP>&r2dt1MAJ#{-LGg1eN
zg||h^TV||&2+vR9gSx76spxy#NrLx29_M@u824Kn0`7~)<FJp&taZBoQ88LqGWn)p
zR0|i&#QaGo4C=}K*PymOINQ=_b)j{k`ZWaM|AD5vPh#`Ie*Jk#7yt+8k%5jr^Y9ct
zktyf>e5k&>3340mGu3k%kXi?bUOj<8qFlh2{y&7M2mlU02ZVj+uf+hwZL#0~KV<q;
zl;HzkA#Q*zc$#-#;t!bJ|E^jRcGlBvB>$rJKPojtVCm{5*0AS&sv9%u86f%O-|wH)
zTnrF$8p*3(MfIcIPPp?G?C!n+G6BF7gftBVqB39NG&Kn1thm(SGuLq*=HjCnz!1#F
z<~Swdh7r{u)L`cY{+0@uvV})}+}Ra37tCyP%ud^C|D!90rB8u}t&PU3a+RmP9u;hS
zkQJ}#XhiVRl@}{KM5GXym9BU=6z+@LAZy|>h*+|<v#Lxu9Uh%Nix&f0K?4y!PTrP|
zmRRml;m<}V`Gx(&<AM~xIe{4d+m2h%ULYi?_!Z1NiDz~rYnD18z|XIvfA8);$15fw
zfrOV^{C11ut8dy%T}!K$X!|;l!h<PX!p#W#MXO{$NKTTsq|PE3+md|Iq=YJab&U03
zK26Wg1n0#t`u*U?cgLh>nAo40BBUwp7sgw^(}uNDZkIdQd*Y+H*7}~&z>KDd1xgm?
z^L9{fO6=zIZ@<wb7h)M%Rwq&o-VqJUft{vD^kpR%4#jFX1htPF4jjy4N*_w|6huzs
zDjg0f++0nt2t5Y1FAyAISRMv4u0M&isGr}IGdh;7QYv$SzwcX>nQkZ)=Y0QB))hyF
z=$Eh;yLyTl-bkAuTh|$%`Yf+HROVnh7B^<iq2Ifw+dgoX5U*_TOS#=&&MGxq;5e1>
zZ%`^-;HwH%oJNhT6zS}4OJX(7QN)Y$^`_;Z4C8pKV7$<|E<E3b^J4^lQB6S?b&(@o
zb04;NT%6ChN86Lq)dK#h*OiJ!9$)L;iQ*GYCd?70`{Z^W{si`Pw8m|H?3xphokv5j
zLT$|VYM*R3&=A#Z&XMC@U!5P5Q=^rpG>c=~`5wE|q&@9>X*$$7(&N3-A3`yK|4J+A
zU->sJ0T}RifFGXj)|V7O8VCFkeLuQi*w>QVV<5M`{r3-`^$r}hWCH{6$N#eq?c;OK
zt0%1cb!(t_+x;`~Y8|Xu8|Z#{*XsfLgGA#mmsw>M-_y_|0&+PxZx^!a{tr{{7#v6+
zY!C0owv&yyak8<sv2AT^+qP|MW81c|v2APKJoo;q-di;vrlw}To#{T^zwUD+;LTEO
z1=-2FlTyJA-3&P-hM9Z_Fb=Fr(X2B)@}Iehn)~r)?~=eFg^Rk@q8<zsUX5Q2#d>WO
zw2F#kkuyjT&e&UC!3tRAb>%Lbfx91LPJM%vbs;DQ!5b@TlJtQh<D3ha(Tqh$25|CP
zu@Sqiw|plYd${DUGgZeNp{ys$<FV1`c=i#JOW;tR%g>33RLxR7C$5)h<a=Zxu^mVP
zVya$#ZPqI+Nf&^aM;VvZfDp_uK=ipvR2a3Z*!u_hQnON8^CFK%S{8c!K14R(;jw<~
z9#YVqMkYyUQ?_^p_3;Dcr&PK~qGf&4^t@3i!3wzi@ur2R=;H|SCG!)UPuVR$1*$y%
zttjVQ_|q{(($xBsO8$mO`<~B2r59wDdau6Mu>-3yU%5L6Zc)I6Yuw1|1-rx0iR(}Z
zKZa9*S=SXQ=<o{v+n*XeQ+pK!UQI%n0K?nqGK3@Hq~ZQDA%nCg@tCwHoSA}Dsp<V`
z4Ecy+zu#C5IV{p5<EXrvL=BHtWz_Y{HHm+6an0p#J={vj9c#TcU}C8$WR^fE!hBrQ
zUo`4s`5f0I8t*@kPK6O(i)bCyH@b4-iUMV$8*j7^Xc)?$I=I3&dCd_SrX>EA?7N(Z
zN43tq8Oa7&Ml1cjE4vfI33<(!Ow?zMeWiT@?6s>I^#Gt<tvbh$!}i=<H5VbH!!Wbh
zNI6>}6K%_makQ&+K+E3Z)p053(>{@#eaM=?sILFf!3Z(VJdxn!{eG4#dATL{^|>ZZ
zVz(^{zQmx}%Mds<7KwaAUp~Y4$D~_Jj2F&roY|@BjjA>AOc_(pN^(@UT8uV9RsTLm
z$_RdwVb%>XVka{6<Ss~u!&Uv>^)J;zNXd<6E6?*_aczFA&;H`H3GLCuM*D>|^hhN6
zGJl%PW$Ed6RC;BwI3u`|@;0x;)9wohE1xR}v|`3TE>}fp33Ku=XFkcF^H*WO{89N%
zcQR<<V1l|JyK8j!s-r<vtqgna<t7mR4^5JyTBYh_#@;oF#QwxzC(=T}R1sxL4Imx*
z*wrtpk(uJzq)tG!pACR29ceIHfhJd?r}^`mPieLQmL}osm?EY^D6suRSu3O1K7Ep`
z5%)Fb*H}8gO}|z50Mpg@>fGBu?^T~MzE&LpW9n8sKN;dvjOk2emeG6jnNmN)#mP=`
zFtd7IFJ~X7%q|>D9!6_mN?%u&X4|Pl$e}ItJ8D39x=N5M#(!1p!!v<2Q;xk;VK^n6
zPuB<a*HRB-OZR7<pEp&_qs${qJY+Jx;oRM|S%Adv{A!0VGt6-T@Al$Ke>+t?c_imT
zDeyZ;t)q8}OFHqUqMrvCzv{14O>@5+h))o4E3ng#{<d-Z<a>I+X`lUs+ysK55po7$
zNhd5o6C%oFSDjCg5F(xIX`(8?PbkH;trXQR(iJPT)|wmde$;(vkI7B*{)K$_*XDMP
zAC+55>2GRv+X}uRLeO!vxatsbu4jrs>M$MFry>&JHvC3b7aCcVpR=fDCO$1J#DN?=
zpCd~4Qx+ng4ewm6N8x=^W!|cNkss+VyXX)?FIo2y`k7Wi4iE6?xm*L*etr{EJ;~X{
z1lDO!87%;Ug0lvXju?@>wywF5S2rK2LfLzG<H^6HJxO1kd*UV7PdG=Pdp4s)8t&y@
zSV4so<aF!I=#sjABS{S%Ufz3^T=+=_R|s|i)!DNy^!+uoFv5AcGSjId?&j!JKPj}A
zS6|JMU3m;V+x{+wQ{^RD+SIOz=sB{#krl@s-z#OKOeOXn8@V|o*IashsF%-N<~hVB
zY!B&TE|?0-c(At;yG$s6pxfO!W^l2<>J{pQBO+8g*FmB!JGIgh78<G~wt9SEh!vmc
zdf6R5$^6iwe3&{KISQILD(W4fJlnh0h(<etRjWm`k{WeVJO@{)yQuEYy4lEQVzvOw
zrin+L&4Qg`j$T#v9N((Rl_c6HW?`A?OP#{UyDn-@pkB<f=!n3=!?9;V;!|UDfKkdH
z4|=UFUO%a7&%4)2I<%kOgVY%B?bHyvds~MaFUi5f37j=n{a7*|_D?E)$HB+6cju6G
z!xxj{lj`YbJaWz(^{8%=Ms}SVMz3Pb{+F}+o2{LkC2Lxoc`jWYjJzupc{$g!!ICjS
zzC$Bh=73e+do6VLGe4NQ3fZ3l6Y&Q?$&ragYdZZ|f@ayomp0E??suv&hd{7R`4jr&
z=_Us~pt_V|<#&3u6J+DtfvgoxAzGwSy3p<siESAS5}09*Tb(k;N95PizA?(A;}s#B
zmtd{2@$?@qjMn#m#NzF$p?rU42l$sxTdPr>*PjjoHiECDHPrDAex7xvHKiQuZN3&P
z=8p)I7ggOX7~7O^TXzp?;5}jfLAL=3P#6jCI1S)~cFt2sBi6g`G(_#^I2hz>ROl-?
zZ#nLu2jO5x)*@}<){&Z%#1v{VIY%LDLcG%YH}&9_Qxbbxj;Ae!l=p3riW@<_9A(}x
zb#k#K4PQz6@Trfw*UWoj=AdLC&SA1`F>=Jd_;x*G#UpEfoG*{Qo4xbA5CcA2?DWoZ
zB4Q=s_NEDz$1%LeRo3*8*>@G^r)N*%=A3w8?0^}+te<9APB2}5WNCIUB0}<MRxh7R
zK3UPY{lPc=-XzsYxsi(uBY#ful110J?czQiK065Mqqp3Bh~Tjo^dgv;Q@?46k`r^K
zJc|*M>e?`_9F_Xr>})lLJZ!QqOFZiuR(C<JakS6B@gcB5`GfQ#qKwZwEy^#9KXf^>
zpPy-`frAzuL*Fk_zEf4WT=oVc@Emy5*Mf$D6~uKIC(~Aa@~>3FME1$4)-K<KoKBs`
z8oS`b&Iu7c(P_yZWlcAMGf;}FuSUwYuHieIm}rrZb!^7iLsr|^uWEV3-amE1gN9=h
zM(`E+p@(V$A{=f<RAab|ML~L<Yh^Z&dBsp(ouOyS^`ymiweu^VLegd#M5>EW;6HXn
zoq1z9wFMd(EN716ckhtEF>sPwJ5?SyZLj~52dI`YIeSWH`;B262#$6#FoNh8bUOSD
zXo0%Bawd_V$>etx2A&|$$8rA1L_mMGEL>R<U+k-<%gd*;&l{80s*GUwsEk_aUl(G*
zPt!<7FvEE+{HZJ1m8>kpw^7xg2}5kL;`B;hC!%#u5L1pSxz?RP8a$s@BffUV@EDsn
zfKA#FsK%mwi@H}orI5eH)y5Wsd_&C&iTDuhg43b{)6d<(LTUarXoM$$$n&@B!}AsL
zmh*D@Cz>0nYS-!x3};EzK<?k&G-m9@Cue!=x4pfjwc29i^IOA2ixJfncn;XkZ(Myh
zd1_8Z2VM4o$?uQsgc6FlqWGE3q67+?hT&yRM_x0UF-G#UQg?H5%{6k8B!Ec3;H>yt
zn)*`eB>S#j8>=8~#)Pvwr3TeV|C{e#e^_yYPx<X*DvbPN&baTLxW!1{UoL9gzzV!*
z{r&bD(@8uLlrPWoQ=jHzpz4f|F!%H63gl~J{mUPu=Yucxw)rzf*0j_6e~72=C+MqB
z#zW2-;N#2>0P1>i0PYFj^#>yB`=Src{^<Gtp|RXwCm_rK_zd8Kk-86%zan-3-*G=r
zeWqXgrvK-)mW!91<!-xz*RQG%6m{ZqSiE@#Hj&7#eSW%JjLn=8k<sDxpLUyLg5IT7
zWd4riO~PXy^GAF^t;Mj`?L`7Er6S$0cz%mJi#4;eCrqMZno^{<4eXpBwYl};PB(;o
z83c9Xi?Oe^(6sG_7i^>}c6Xv4;nVzRi8Bd%Y0Rb`eQ`<z-kGTGresv~$iE!0DE2;#
zItiasgq7VMKZ37I$g>BMc<K<U!dLD*1u0vPV+JLjWpsWclqX;bk{!98K(W+#^6Wkm
za$CA8enP@OaXOVb3H@<wwK#fXY$$n<{$ZrKXlH(F4;Q`_Rq<QsV9b$&xVK!8t1ZgA
zNu%x1dOpxIi>$)*y^An@UTjkv=@%Hfx?OU98-1}C&A2MLTXJ1uQ?#+)5ALOeo{S@y
z<;;h0CNFv>HFv9B%d6VHT;EIUZKE8D-#k<Jb!t-dzlXgfBn_{mN9ymg?5j+}P=@b>
z2S8QB8?yq2nSY@qzo}(}WZls_p^0o!x^2Tj70hDj>N^}G!f8}XhU_skH=dFpGnHx|
ztnAxybqKN`NIhe*)k`_(BnGN`o;#pV49JkjKP6Gws>G|v<idZdiCrP9+uvsxuRpNk
z(;Ix9wLaDP9owF%(w*1wIo4*ON3DaoSzuDBooZgdE;M-=>6{C2cX+lT+QPF&Hy88f
zL55)=r<YsDE>xH8`iWr82Yma_^;|O(=yUk^Bw+yFw!kr70O0G|{7>YQ^}YF1wZ8oS
z;4tEeZ?(D`xc>GEOn(7(>-dd;0YLpiBA`+)u>b!f@gEmZtJ@6>Kz>#C+Fyvx$OKmX
zUifNusy}V;upl<RT+&_sr&F+H01P_;6qqx>+kbz+*75rnW}&|@3+$>qu4#*c*g~$~
zegJ^w4)EnaeD%S{4-iOU9q(K$4U{|oB8p{r^$Rgt>d}o}Z_{lbJz~zlYWZAGDPU8g
zDo|4DQz+dGuH#EL<OoE)@>6`Rh*Zr>DVqP|E&6P1*3ASCd7(7LRvqf!`zO{h??a$4
zjzl6zD_fT~P3dW>AW)MH+(Mx+sJu`(B8bC+cm`42R8o|wNY}KBYTAzHufzmRYt2-2
zg{$wHnIYP8usHb>DGF+Bmm%&X7@sGMjuKzUlhvT8Z9~7pD2C+NU(>cROktDr)!V|*
zPiuT3nglzqoN%i(#R)0%J);wN%}-L2jooH5{eFw3-PQaK8-aiALQa21{z{yW{{7uL
zODZg{F!h)=<i#`5H+Xg0hp<bs*p72^c(#Q|^)m9lAoghpmA7nzQg+9n?viO@`fo0#
zBtHduRfDmN4}Uc!)_S`)q{Au6+Gv=cs5s@vrtPwPE}PSM8+Vcb<vW&=#IzAfs=A|f
z=4<_qYDxjE-AD&s2Zo5`6p2wZvBOJcji(*`!dDMsolcU9-S}b93}XIGnh8B0TStcD
z1hRHTSWmGca51)0f$=<M5b+tZYug<_^f2i~b6R=OR}&XEi@S{dEf{MrauOeZNmeM-
zCdvQb!y*fH+wUnT0yx5LiZ~d;w_bQ#^w$ia?04r6;GZUk=bhb(PhO@+L|qqWNEE3J
z)2~v2&%+$#%qT|E#y5ouNO#{iXA;s3%sOIB>8g+tip^~N{teLWoUaLwQ4BZRa(kwN
z^BPWzJq&Rw2);sA_;;JI6~UYwqN(UjXbxJvv@ieFxq0axc+2r0dFi&;hv&ny1R=Is
z;_wD#qo${|{=Isq*3c|c%`bdR`yIWKujyGHno*JKZ_nUdya()2%zJuBtrD(h-enD~
zA$!t;&i+M;>k;3@7W%7I9CjItv};rwbb%g?PaY!#2J@egwg_80v;Nu%82H{(f$4GB
z>`kLetw$~!9WNhb1S~2!u^IY>5vDyuOk%;t3%es#CdwhS)e<y#`i)wikD50*AjFMO
z&fOk-NU$y4*bhdI)a^du)&&A8Y9m*BL)cY3YTcFoTfNdkZr+T=dLF|;M!3*XsW8GQ
z<KoYhjou%Aq7S9A-Iz5i{iF-DNsFBv1Ckee!oOh0Cku9q$_km#Ej<g{OV#5E3L8k4
z{)|et1#~S$=dNgva0-MI!Q$|(YSOs+;6@k>vlpVBF}6hc3UE)XMXxc>mm_@Zm`W91
z+AP3^=oI|K{`t1kenRr9UdNSO={A`qOz=)det;EZ{)aZSC_ZFezB%oOMSyf7)=A;f
zme?Eq4>!<fiooULJwuvHm1>#$9jVkFcJor#dTj1ws$`aZ3;Fj;M+j&oJ7H=0$(Rlr
zG$Nn-AUmOUv;-U>T5jFoSSyZ4!Ui>$#A^H|sYRYsm*Z;LdH#WD+onyk(Uyz4bjkr2
zY8l0BNp&WXu7oP#R+Qb0Y$k^pnilr)VQI{?!-ftl+?-g<+8w9GJ3b$8!xT<n<jJQB
z9Am0kH2*m!1~!jU#nN=DzS|15y9=eZ!DWu-9qaek5nqr)r34C?jCu67>!(NggXNC*
zqN%IZvtYBlt7OCZ$a1Wh!W=;tOcMBuJo84A$3afo-#QHsFte*N=UFb6N7(i0TGodA
z8*0RjU>s<>a;fOB5^L`y9H}62Zgbdk?584T7$QAtZQj+BJlAqHr)yjjqU}Q0dTNKO
zy-pD&h)k>LFtKEqN<E5b#S26_*_5CzQaGsiP_5MRh)ZgV72Ez!lV~p#^`ZXAZAxuX
zEZJW(ipVy}e(NnSLL%Rq-rs`9!|wK<dO@(3<dRbbi9`jfD#I~0rbbbgX9cI-9Q4eo
zN%*0%G?z5wZBqLDU@O`Gj15*tG)?m4lX`B;4C@JF;z4dG<?$S#&I-w|x&E7(?>L7|
z6kw8+Nhcw(bgyD?sfqcQ-846=&8$^`4+7d67yu`=$!x32w>KZ7>6bej%Fi`=6Kci7
zj=1OS5t4MG*3Us0weAx_D@!gY*HsQ1*#3?e753Y9d4f1BlgU{3!7kuSA1DtZw!0H5
zN6Xa9oiM-P?_3w#8h@M@qXG1pTEOry`g4ANef5z;f-1v^bE@P(rpXY<5rV#JZaj0F
zZnl={?{F}a*r^!!18%ydo6WG{K&O6Gan0`YKKMb?Wqi%496zSB=AL02LNsQYkynDc
zPnV#Zt(?~whPp47X8+@}TMCFF-~b$W-YWqwAMOzE`DDV@@3F5j3jlQ{fc82KbR+R8
zd@;4Eejw!(AUg9|?gyrUH4*PlGs)QXZ>k-@70O3<_XD5KpRdW485Sgys~s8b8C@FG
zSN!Lux=t=c@OIc#lDg8?bfGiNcuVVaZBe}FN-dR4W|`9C!|ma>Z;2Y?v4bM%@p+1<
z4EXb=4sA)Vg{e=L!dPC_VR}DDu-QJ?nM$#wGY_)1c^?hH1q--kV_$Rsp>D%RA-fKP
zGJ?LlqtD8w<I6B_c*st>`xZvXWoFr=bd(u`ss3c$(5fJGH*7q}8weh}R~d2rVOnFc
z{2r-H#(a>SD;un+7yIv*7{x@I>$JN@fb-dM6;q+h>L#Q~6ayO)x49kg1iJnPM!Vrw
zO#d_KKy=z7pZ&=b4Qlhilk62GBg);sxJ3nf1w#6IIe~!J#x{l+O|O!fEAR3{jsW2`
zd`!Y;t?X>8t~3stSTD8dvQ_5neyLV5ARc8JeN8-F26ZmX7r_CU{A7PBZ|VTb5|qsL
zb+5QV3@^Ch0fXw}B6{UdJUM1!^kA}nkb0KspHoz)fc=Fm7>hKXQnR^&=Y=!nYeuKL
zF?NIN?CX<f<bug5M6#*nwA!m2PZ=hou*QQ}+Y$%wSF?`*6^SmZrFqNMY;XgHTv_N&
znj&a}d(s1ab%AVMXMI2F)>l*OQT5Z^n{lv^#JLSs-vcKSf$brQP_gy!c7`DsU90H+
ze4l`)<V0eY75;0T4eP|!v)9y{<p760acf*HD7Z9U<E~NaC1Cst5IhAM`DqgX86u4e
zL>a%>Iyz}41Hz9<@+gDQKIy}5>1@ECE2Em&bxU1`;>GlFcl?5hm9i0OjT=V$`)sH5
zn3Kc!JvUSDIfU+zsVTi19BY5}oMcWd<etg8)Mt~;ps`PC*Klnm6#rz-{H9)Y3m3<4
zy2x~8tN~UR(L=*;1JY-H@St|~Fb{0vR0(M(7X`s`G#-x5)^BeKI1=xp(JtYa!|YEI
zGt*;zf5!}HUBZ@}l85e@S*JLHQfD>Fl*NVy^2m60Mvpy+qjVT6jvo{vZo4-e|7r8W
z3%Z4{KICMi@#F7`HNkCP!P*Q{46xPEhMVR0zA59C&JjQ&mR4_8N;TB)C=YI9K{GN^
zAVBGsAJ6#EO!F_u-K@nzsyzIS5CtC>yF5?~&wt#Q|DJx^5<E=28E{JGPJjeQV8laJ
zV5|CTGeSkR%xv7$8yv>{@>e1ba}%uOKGtbt($O)dn_vI+H(qpz9~yJ)4Be<~tB7p|
zhePf9LlN>MmE9{;wEwtq{EIq9X4-;rj#P(VoU<oqgA7ITohEVC3fN^;4!_?F^A+&h
z&$?JU@wza^4d5Y1Cm@`@8B{coKXm-y;g#8f?!~J;t<L8hg<uX3wm;5q<Uxs~IEzJ%
z=*yDFA|B5-;M)`p3~9|WWb-%ugVk&H;T#@J#6zu<$z^hk)I70G`R6lc0;vAdwZ8JX
z<wGX=^9fA<Pt5rsXa(NVpEH2z_D$lp{|zMT0P4$K)c8K|KJpG|#Qv+Ub=b+yE#6zF
ziQ;6@8;;$LtrzLpFJ}Nn?Vuv@9O@xL=0|IQPChLMK|7oyL>bj$+-U~w=2r~($IZat
z>%7L*;~sRhUhs!|K3H(HRMXh}7hSVGEYD7YJQhZo*(7R+-L%c8%yWC{D(yGjvRnkR
zNy@4u$`0*H{@p*656wgHal%DA#Y2tAKiZN?ey3i-LXgq%kMKreVMQEkDf+}^6Kbsi
z5A~zv@;+IhvP1s)S*I!DU^Hm7e&2tVlZ>4saZm}k2X3%7YLh?QYct&~DmJn7&dCac
zPs5kRklILE^AU?r!!`7=YKsK5l1VkJbR#^SV857$na{c^c`aKC2p{4f#9~&!IaG;Q
zxd$3uRdyjdaXv(-RJnj!w^QR}2_MMNbD-j5$$IAd{0k9<%=$6?$+F_*+YPH=zqvK{
z6I-PxWLR*N{I+17jQ&q{s{TurRsZOrBPD`-KFMFo7K3{n_l#ongk)i+0J77gGw+Ui
z+@q^w5BA=`4JzQ(iAy&N?B1>6CT}vV+?DVuekp<D{o5@K3FA*!0;(%_6%Nm@?fD64
zUa~pPR;SpwW1Bv!6%;P+>pmuI`TiHvKFR%0!48MiyTZj@EY!=IUAz$IGi#aZPj@Kh
zRmD~lp`S$K+BRI~;i*g6-~CJlD!*Hg{vM@9_3#)x7WF0zQT+>iO^#59W&+*6IoIP|
zksxi{Cx6ev`=74(>V;4xxl4<LD1u(9D0YtNT(y?84hMDHE~;4!MxrW-A~xuDTB^yo
z*v}@Up@&+0zT#ZmU2Yp|UN&5L-k#qqxS{POa5z_@^|VK*-y^PbEtxERnVaTukKMGK
zCHz7OW=G~erGn&1*b?MmbQ6QdNQ`Oa-npwyoS=1d(|L;#%djULQp-y=BaA*aHpSI`
zoz6A@j<V~$KIqYp`3Qd6M=(Wdl!eIahaA-2RCxz+OAXz=tHak^k-FJgID~FI3x*dF
z>h?T5vST(2hm=lcv2O2~Zq^o>nje8BGNn0Z(hH^fGA@|J@p-I$s6=eSDXd2os;eui
zHd4WRbti|IGgKF!bY{x2a^#N(?@>}5WO8(=jP>g+T*j3ecXz$=^GUFX6gCVD3{LBJ
z-^|Jiu`L@jr)Ak@oc{uEdKF&6iogu}F&zEcNTxuFk*pt&XmrLlZqJSJ{Yp}K#BN@U
z#tSI~b{ex0L0r8?a8c}-0-J4K4u?c<QisUq9apk7;rvwbFVx5AG=f9pJ*inlUOKvW
zLUkng&wTLx8CBG$X2lQ)X=vMU9A>gxET1B^Jt`lS=xig*9>)IPP9iNa-*ox4+Q<t(
zk_uUQJ#C_uN}IWx=In@?JOH!8H4hMmv?gA^@J}g^C+A(y7Dy>;NA=kR*ffCT4yafM
z-c115+mC9Wl(TEV==F=+@>Pd*zW~(W9Q$uMKm_3fK^dUx3Y<-Us><(wemT+p_ueTm
z^5L^Q@U<!UChq6;e>l!x0OtJ!2q%63at=7(eW*S}H-UEi&(m%ify*9gP5*s}mfa7Z
zlw$zM0uGKuvVpVQ42F}ex#E$Ec}Nu4vblFnFFKV*h9$#~o+4MF&j`49)F}*W>H7^s
z<L)hpjU|WHUZoHPFodjjcj}YSqw>sI1wn{Y?t14Vx9ML$Q!%2Tm3KrorOY-pI=`zh
z-DNIH)dvTE(+;>=?^JR#S%j)s6D6oQ5b>gl$@>)XP_B83Th)tCB~S-RJ|zg!rCk@F
zwACWnkfme7Y+8(cpfR>lYmB|gfH??2HTMuWHW$KhIjyJvn?;Yolc@JmE7dRKDfPaH
z4$`mD!8c-?YGSXyN45yJ@%q=S3bF5-V(+U|YGhn#riGyUB{sBuW2GbbFSM6<N4^~2
z{dnj6U)_oND$CH{GDgYTB5wsec4|K@7^%1RDm}}@6L``BW9I1ODAO|EIk~87uE~4)
zqcH+z!|X^8=E6uxA9Divrtx;J#;9by{t|{WgOZDG4PyzRT`px>?$%MTkZrRdoeFhR
zz48ciJKs00dY5+I_qzuyE=YQb6QEu-7GqhMt$+t2E3t=6ml!J?K{-Z2xFY?kQQTjw
zt3q{H*@yjz51IV6;Q<XRt$vY3Am_+-F|d)6hqP7n$!PrS<;4WMcB*_0!PZzp$<Vkq
z?rx{HR#i4NpQ~pfeUNEQ)wb2a#%A6gCfT{h;uhTY`j=M8Jq)tS3+^gAjfMy8OLu8(
zX3GmiDqmy>7<mR@u6#aP0V@BFuU^l8IZf$3CKG7I{~Q9uDYaeMtf1p@x5JNozyZ&_
z?g#)p?gn77w^3Mo6+mZnXj2<9uD!SE;HsYTrLaNiaZXE>ygtNskEDks4H;r@yM6Rs
zMW5rS?X>aQz$Atb!C(1>C1D=bxsgoJ{_Q7eX|qvu#}jFYRPTdA6}<$cK;LE_o>kWs
z-dc|h8gl;ITSee*6ypj`oEpZWhy(sFVavYKKS4pl^ot+`(OVf0=h?}lP=tZlVRx6@
z<AU5ZG!(|iQjV^Jl2=AW5OYdOcuehb3!raS@Q<R^6YCBM!*JsEXL0rzZCoD`6L)VZ
zS5K=PENhXde$Sn?^p9I^_6sNZewTwn17?tG>^eut!yd7l-XRLiFFxm452_2gsKb6D
zIHZMKMf&<?Cn#Sx8%8IWC<0)G@)CMfCmJ{+R3}OX-$lg5)nj9Wk6gQadiOYT`OeP>
zS{$Z2pO~+vC)U$mDN6^{PRY<7BjTW<nmoz(0yOV@Y12-BC}+(Y5E+=PK|}k%rYRfn
z!uW+JzO>e}X<l|fmA%v08A2-91h~=TH*u53^Om;PSrk1n#fOj0jK)o|^+Tk{mh_W<
zqrQ}f--NQM+Z`HJ(il8jv(-)*1+kNQC4s%DVj-`}5kE&=OPi>($SqXDq&zdKvJp_l
zF19G0`3XE*(^Oz4l1N3FH%N{~*a~);H3}}4sTkmia{xp8I#>d9P6JX4m_t!8`S053
z1+1c1obNBYR>zpS+$<2mEOZFPp6UfbaZsArTA6ut38J+Xh<2;bK3+*KknNJE-+#t2
za*v>@2$c9ivmzG4e=hGafKTKVs?0tAT46Z?K3hHsSb!tr7E5j}X`HSz?eEUs@?g_D
z0c&p;WPz~q23-<7K|yJkg1#=|ssmOB$6?rX$+J*zp!lJd9lXxjaUz+<s)75sq<rgX
zMQfb|c><>6>sPA0_!(DivQ(VV)OkH??`1`4sKsr}cC9#~H5I0-*;vUEQI`n@O*DZv
z?NlDG*ZI%NS0+r6y}XQddGs21mhFTx=B6$yGpmrv?jxL$->g=29xc`cO#ZH*EX^uN
zzyHn_a%qk;VS0bxn5ZIh`0)2YaQ@w@DC{VBUfgzaK6)@*AfBS??&+BXf4sL{Xu8tl
zn{}r_vTp20qqQwHtMMm#eie#+p*szGC25jZ0+bPiW^|t>bEsB$zYGG)r+&1*^fH~=
z12VHWvF2qlj}OJ88@!UGE%ZhQEk4b?|Fd*1w$B`$8UKhBYJ?VF`SIm)OhBcu+pwHA
z;`Hp;N)dMbT9j8no{t;Xl#$cyRN)q(%dd6D3Jc~6?ByH`6S`ug4Lk6Swu8!B6uNV=
z0*R;$v&Y$}7&$Kco)R}xDb}u6+I6KCJ+16;Hu)`n$t);<-OrCdQNz<W!ddQJexkhi
z)ulK4+?MdkN+ki`3_AyjhAFkCtJ&JZTYRN&Cy0S~p{sba%I{I(a3rJC{hVy?vX1z}
zs!5WMb3&UIe+LN<+^f=$SZyF8_oP&UmF87^ziHL!33&4w`WyiYb^$j3EMKX2w18Fc
zAQ5~JB&K&3HN7#vJvUgd<C7hFGG1sx&C&+iT*ZAaBXguLMWnrj(tPiK<^nYfzFsu6
zz*yd+f9E?HjzRn8bj{(mcFe&s2`zWM(FqQ%1C!<-C+PN9Ft}R*oQZrIa<!#;8OSdc
zQdQNbBP$uP?(P6>aY)|g02j77pJst7j>ugfKl)eB!gn=)xY(^)s8gg|C^&?b<h|zJ
zc@C%(jk8y{+{;l^ZmLN^133lkc2Q^$i!6(~<pK8TrR~X@s>!1jTn3|t^J}l_ds%T3
zvfgayyW%>QiDCD7jLXECO33hn18PiTD@P6C%{zGaaa57N>FNhE%v`cBwl=-CO4AR{
z$-&|}^EJ36<C}-&tm_1sG27^Fz9j->oH~4l;Q~Oc_;_z%f`;T<2ut9-*It7*sz)E{
zOG8kXQe`X3guYoR9r@D}j*P|w{@I5=Ce$JGs&bC)h6>>)lCMtgOmWl^7ol98*mU<K
zf5;pSL<vyEnA6k7atof)Q<{W11&T>zCHs4;*)2Wc>Fm+!EoPTcxz(cgt!A9bQmYe@
zgL4qZ|3an3tBD+CUHY_VPDTz1HpGIjm%OMX9&%7Tt<boQ#;SB%68;=|nl*a8;%fBz
zfGc(qHc-MGl%VH0TT<G&KxD#5GEr>b6>a0*>i#y~D!_2rq6_d@2Q;A`03VWXg#NHm
zyA$td1W<`nV%=gG>p6I4n-LKNB-Rf+cP<%Bx5NZ$8`BKdF!^E+*%Zv{3)s-Vjv#-q
z663-C5htzXm0d<v)fTYsjdMbuFqbiu7e`%J5DGHP;t>TC&12okAfynmEO#~ZT&eb#
zTFa4{rM?Y#r_S6%%vR&w$XgPBQ4`J4T;7sMWI}ps_<@X>?0cqWw8&78cKR$?;QfG2
zDO%O)yHp2cwx&frM+h(ah51sqeZ1W})iE_vhf@aoD}e22r7*AZ?DbYiO;U_5WsLhl
zI;wYaaOfeHi-l57(*>pHV>vCG7gShizVs}w%Riz2q(jYnhd1W)(NQ3}9iM@6wz)4I
zA?&Wxa26ze@6>@CY=%1&8!aBC-co`{7Y?xd%#{#tS}t2N{MNILi>^lgmMn!(*f_Lk
zbbRJ^&Q0m%VyoO((yr1ySi;iCa$`wJrY-wx+c`$dq-Z!obIL-3Q+}r>YSZRp4aE3v
zfhmMbyu$@~-lAc;X;N#<kX;=$<@ewf6xS+5)J*%6_(2-IJ*kJrYTz>WCz#ine14mc
zH7EmOo;lTWGzdat@YyZJ9*Vk0nHI56UFX^^C}quoqOVny_OQ#eP+LKwy0AY16n=M(
z1(ETW*jWR@eJ|Y|GEt=uxNXu1G8@;l4jRM|am$()EHfjfiLSnrtj^OLuw`;Cd)ZA`
z4ggWMTGfUL62kGp|9UD%DXU#;e(-c4^)?_y=qMnWD9v6!)`_LnXH9A0JK#XK?y^Et
zRW6KhE|%0nq)<_6Z!|MdAJpPWs}Fbc!53Lsucw**AjQg;d0ps;DfmYPHA7QQsXjpJ
zF=sCKI$|ly<ryo#3=uO;qtn%=jIDL<T}1mcAZ^lzt@shtMLq3~vU9h?R{~Xh-t(U)
zMURY%t%(O|{Xf5J{Ct>r9dBGjkGYeGq9!x)hQQza;=4!5U_Cpn*e-9%%BlqvVV)w=
zvfIjxc6wA|H}fVS;x)f2RdL}Wy@-mYlT{f8@Q+*}`EL3Iu36TZU%H4t>@1pLkg2Wl
zbO`u9H-}@-aU24)Xmp~ZF$|GxSMR#2{4N@>dn>$nj6g3GRuyL|7ES}Dh=$X&;2YrP
zWeX>uQksxo6F^I@lCH34nr3dHeyFNh=fqAel1uajL4%k#JgRysVS<KdQ%}Q%NU(IQ
zljUd*ykcN}lwB5C9<`AuGDY&AWZ-F@)?78HSmwjdsA$}J!SWW77CvYe-88V{D2j!b
zdm@mQ={kA{WAIU52i@c;)nnA@@-=LQSr0{tr$AJE`OkwL>)7DVP@-L(DJyWNlX{Ta
zC*2t<nO-d^St=6zn<b7$`u$t>9>ylSd;0bhvCrl2NZ;v@CxsDDr;KJ1bVs<V`8I;m
zCt?!NKJ=v9eb&ui`r7T2lCc5+^Z-R<InXZtIS#lX-D!SUNy@#0S8;vKGe_}-0|lGF
zI+P4iCOeZygRBB|fynm1QEFV9Bnhsy^;pouD1R8FAZ{v4PSC%L*tGTuSLB>c?20x}
zjRFxdLWNyk_QgS~ds-R+g|?uzOxy90DLhI^JscZBdO8~wR*1nAX|fW?WmO#5NemW)
zwuoLczK0oTWKGK}wD2~2yn)T#YLBYYa8IQOO?`6O;k17}xQ)7C-%^p9rq;x}PG6pt
zIbLxgg+diYFV(`-5_ZA@&m8jzeDZ`ID0CL3lFeEjDYg>3?&VL~Y5A6C2YJwwaF&qv
zt8cD-xM!+ss}UyOBRO_IB(uw`^+@6N4`mFmJfE^*uD08v=ynYvLOA<OJMV5P@vV<*
z;VLp}J5{YQq`yV=b@EI`?UwZNy#&Qi-@8?ks=*4NiiX3&##CO8Y2=3uK{*oR2O{wG
zeiHeiGv++e*;m$6X;(kL(VpAS`-4<*K^Bsr4bOzbnO%+IpCHhiowzf0nBrV?PU;Ew
zgj1w^<5OH4U_ST}PeI$IzQhj4+a96VHn(T13O!7~JfXYh!Xy}T0hgmlFeAm|ANxms
zaCtn8N6UpZntq=t`QF~g&K6`N*<%i+ZAG`UC~MAojzoU9Q#0d@HAT_VypEiLa@eLR
z6wYKyCYp^+oV1dod=D#A4yoeG=CZ^g43^~=4^1jhPlCIJ+e?izjnJ3>_UJDGs7dr9
zK>iiLdB_>KdbuK|{P^nUp}zfR5UUJ02)&m8w7!h0KL1eAe7+|FqA!5O`)363`57Sh
z`Bh$%KLRnkKBb?!Z2dl;IYisXt6NQAgSy-4dp;=L%g+VR1V6v>l^BXsIny6Tf2dw0
zyp%q7E5a+6Kjr)thxM%tj^OVYeT%Tnufdj(C|6yZT;6C{T)nP~^-68!N&Ds@m}3O4
zQa-;F3lOu=+zgedF*>89ERW4&7=<=@$#GSP(BSLVF$?~vg^EcCsC`)GVz0x#@4Ktc
zTD9nlEqzTp5gj^xvir6;^`%$wd|#J-lL^`|zIkkobKmsToevz{FL3PAlW{mUiPD)4
ze-!H#(CDZ-+3ck-R9X?3IZpog@iS*YHi{m`q}?u45Eg}CK%OKo*CFgBo*&_F!xFT>
z;7x42<O?IaaDaT5Yqec3p=Uxd2epUV$NivwWvQ-3|4B!cUz2)zz4ho!HEF@TBQv6F
z91|b9vdOX(3%AD4FrU48h*5Q1N2h}yL7VlNb$F?)SVPIx=PZk|eHh*yX!SF5KU5F=
zlx}TLU?9N2z;mDjvr~tmtGtztznd|RcG`vS@loMe_B<LAf)=>d@;1t-{n4Dk6(mdp
z^$xbi{e`>9>vsI`k%Ww>r36Rsivt_8Gk)lQx2K{u+Xfje6X}GC-c7;@yEp4$ZLWBH
zOM^PRo-wgbn%qKXd*M%q?tFeY`<kqdKZ8mGs$2Hx>GhrB-~^EbXj^Z?k5Tc?L+?^T
zT+~Rykgk=8SLEBslvV_}IsQk7ZXZ!N6Cd)R^DX8gnQtNgo=*bM-Fs)N-MZ5a`U2a3
zz#%{f-a=kv0mVc5jQ<yzUOqv6s&9Z3AN_^*7~K846kePVj`AahadOQ{WC;j+MsR^H
zp<P`Y1f=g*JYpME4OAq0m@t}00ek02%Laq|SKt#NJ^g>}A3VXC*fO*xYV%?cjJ-UX
zXDDglXqlQiFeOy${5js}_ZDE!5w&i2Ef|Hc8DE~HvsIkl>(F8$D~RlE(%4tVNv~XH
z!4sA^?GhLKVzXZ?ET2toVXW)5q;%8kKP+6NSDPQ1WR!U&YB*bN1}m25tjz91V=5WA
zNIU{Ihi5L-d%W;qLk4=e7>|-t({#Tt;K?gqF6E?QMNXTX$WFCXY-3Su;O2~+i3hm`
zEkohYn=E@>+bSU*-?gc2#+ru!xtm4TwnRNiR{U~&d*W>g%10p#CgN!L7$r`uKcCmU
z6NkNoH5VZjzDrf`ZG_C;M=Oc^Y~TqoR5D5FJ2qv#8)K@SDkL*Jb3E{{wwiT_pR)@E
z84VvFH#T0#QE3l)T3j_v_WS7(alY23V6}{hCcsHcLiSG2@S4BZMsjTe&!$;ah#I!0
zTgNC3AAb#fA+05{f?gDMsh*^YJ(8Wc7v+sh7$2pM27dmq4y&y6^ICg2G=0^Ov9(#f
zXWR(@eFaZVhn=l4-JE)JPz$uF^(0{lXScVwNFC=l(dADqT3}7O!IpH?-RpnPpO|vu
z>B6F2)a3;?%Q+JTecKF2#}?V8B1d;$(7Ait;;RM(CV@6&3E1Cy=D#2VY{z2QNfY%(
z86=NWQ){giA&?FEA>ZWS)PjP}JDrsp53{Z?*2SFG1)%+{9R>at#8B)uAhZ{=2z%t#
z9HfYRlH=tme~+)aD;PI-wsyo#-eNcXQ%e|=DCu8Umw(F`P-CqhxMzR#1F0tRWe<qy
ztd9(@(|ltWdxG*$40IGjU<?d&Bmof;r=;SDBqr)F4RmDw6&mOW9}faDS46li6yTWh
zOEl%^Z+-Sd)l>hThwsr}7jIo-pMT5gJV0yJ$JSHh)u5;v*rnRpLwQ&I)0gs=21Vhw
z!miMjg<~AP8*2OcwK4W6V^ssLys4W2dLv^EzJiCdTh-;U2BSpJkx^wvF76(Q<|>~G
zT8+2I9v!lBWw5{YWd74CcN_xhXN3?$35dyZi){Go+;;@)JwpqzBwHvStnfc};_-Ih
z2|1nM45`9rz}1#O=?pR0G}yu>eMLbAYw`vvq~2Z2U%B5r(NNi);D}_}g<5}Q);W))
z|3k}3!A@Q_bDc&BujxLh%+|5FpSpyJcFvcd*pKzZMfRCM(G${cjP@bBX~MgCkPR`&
z8aTz*+j?r2W)>Kk-5mL;oieEZK;yDW|9no+Dj{*SjjX3Qn1>qL?fH1CvE6&K)E?Zb
zh=co`<Rsl~3~coNic1coop1LwHRwZdG}Hmqm`U52Hrk5$5kKG+r7vl+d88}L4E{&l
zl-H=lsSFKU<IB4xKTJ1vLk^ccu1+b+w!TBjSPkJn_TV5H9Q(GJ9HBDQaH5+wk^Cl8
z{&F%hs~llBfzt`sOq9xp%sas59)QZv2HN>?pqW+TZH!qoQM&bH!8+8gdK#Q`q598O
ziIWf<4vbDF>=uR!Vd2b1NSC=Ji}!Dil#X1>v9dTJ*!a`A2Y)QObqUo#xGSkmzL(4C
zW%lhwNB8)W2X5I~4!la_Ds>PnV)8m?73;JmnUx#yLSKzdF%w7rf@S2S?qg}_c#Pam
z9pp-uf@^q7O1nVq$}54EdVLYtLdb_Bw>uuf?#D)U_(p&rj<wqI`F82GzQ|c^{H=Cu
zDBsJ)oOH)!oYNYKHVF0k+jua4C4ah=K-Ujg5Z76TvOLMHyDsE7)P6~6j`5gk>0!+U
z`bezY4~(zHz@yxWZ|{dnFV>HTpuA^)jpSuX{NW8pxlT<E-<MYw4XAgtSF+y|vD_Eo
znnws6OFSyB@K{gM*~~lrw`$2A_Ny^@cGbuore|7$sXndK{}niRSbMe#)Ep4?nF`!e
zN8C~x{H3aW9-lMo*}NHN{eCn}-BuZ3U+^7*OD8a-9g<=7(_qyYa-X~m(_Nq`JisqO
zCteMPWmP!Kv@18cSveo2J;b;9WsPFm<J(TxMZ+Pp&-%J(jNkN9fjGzMTAosZt0HfX
z<zLAPY-8JDn{(>Gq`ZWZ7PN7mPIF)>k_^XhBK@RVlwGA+gsof*$I;uRU#Ec54ZZ_e
zZ|zP{Kh&A@iWR+QHZt;l9>vB=b+zf4;|ciq{Y8SllsY~LF#B$Q>kc<Kr+78toqYUW
z*GY2nug$g<rs6YP_?<`R<|=H;<xSp8<2=${hz*`!;mKCxJEzX*JF@mufLj0Vk2r;?
zpMl19<xtfOWI?|13Ru7{RXu`XCYHrw0y&NONyX`LVf*PAXAW~f=xzy!DsmY0m4v!}
zpyW^cV3Bu{fCD|{c`Zv1jjK0Ptx+wC+KVZ+CD!iEt*1l0%5b&m?wx-7bhDU*7y-Pc
zib981hOK9=5^(l#5UyTZ)?y!K?CbK$DL0gGlDBJi-+5$+Gp~}7Uj*2w6f;Z{Vb0*c
z)e$QMh^6^Yml7n>$sXq=|8&SaZq0&$dO;Ytv#xcWzsARHU@VL2n)9p^bE8gm_PX6F
z44^V>jNBx95li}4Y<l!;M)gDc;KmCnrk7933diKaU!fzIKr26bsj#+FS#GENbEXf8
zBM)qapV`4du)1i}&^N9>shE^5it)ZtF4CrCy@-%BrMgpBTvRBuQ?fPOMb&=5qE?I~
zfkYQA%M?o5Ze>m1CmngC<928CY_xH;SOy<)O5UmFz2T_tCY>dw{w5PV?w>{-V3-y>
zUd!;d_+D*ZEXFQ0qmyvGCS4Q{7w8gZ(`QX<EN>sQd?7+Qpd7riHu@5`{w$Lb=8Yb6
zIl$YdQRWS9qon9ozT-OqNso4477C$iRR+#{TCA^7`K7M$#d?oiKdJBUK1IC~0igMS
zcnPR}0ZN|$Ez0h9z#tNFIOPX)xa4-n7VzK@y>$!79r<APWgcZ4=dCm-OjLGBfdqat
zq_5~%Ma|;1YG^ga&e_9ou~nhj>JWw`5Ah8GX}v*ewUyPQIK()ol=>O%yfj?U{}-};
z(TX~IHP}QBGD-ohIDLkWZLone7k@?g{TFZBW1d?g|9-FIAyJ$(<DOk@(yw@;WpW$j
z6OvkFA60vl4mCMuc$kOn_Lm*TO-qREGIQ59xtXf`l5Byt7VpS)IssfW;us&1%d?*L
z-%`zOyTVp&hXpAY3~X3S$n#W9fsM5{++1V}&($+q;kpjBXayBo>bz7xw2?0mH=V5f
zZ3v7+731Yt#_5$6|62T+@>%S1_?F5!np9vXoI;oyJGf)4Hq1h?M-(FN*~RzNA~#OZ
zR-~8jb)_du{q4q8D^V9bN*}(%9Ujr`l@NdD_7`J~WlvlAWtiK`z`yiDt<EE<=NA%v
zINZa*vcJz2$i?61PQcbh54hyqbl5H)xtkW1mc(a-?B0()Pjb_T{me*9bQ<|Rb(5YB
z<DI{o?hTRuJ8&nlE_}@-jXBfRxe3eI31GdI%38(yU8^B$CTDlZA|wH?Jck6Kr;U*8
zC?0Q#eslCh9XzA^?79Bky`@YI_J}G{;o|h>jU*-wEfT9|`J`l~Mzkl?*fCful3pKW
zc;Od+^9k<LL0C2m5=xZHAI;N<7JN%mkc9*PEzi!Oz;ZzT0pNJ;=6mZ7l>hMY(WNu^
z@Hu-SQ2Ov;d@lzUO`Fi^xlqtjzWoFWZUMJ0;Ns{*w)C^Rn;x_FvpWHh|KP(MsD7_*
zJ`i(QjmvET`|N+kMB4etad=N`2@RbAssNuipLb$nV!nGswC585T6+NV8qflO+6Uli
zi?_S9bR_5S8TRw4dx;>_{d3Qt6x1DsZlm-^y-GR=CXp)2Gm~jG9E8QB)62l5Q;z-|
zoo*#zNyTK4<JFsNr8t?~1tojZ>7Zx;9tk`ep~>!S$>=(s61Yf48rHCP6Mn+eA7A+|
zLwL8pax4{|x<MmH<ME;_AK#~0*kCiQRX}{(!LJodYCvD~Y~_p}`<{f%AD<!0*#2>C
zX=O`VtE5+U(UJ1yhP8G#3P~xdTOMe1+J5_`o#z8pFa|fIR2Cgc$Lrm~t2;RhEq86K
zK~g8tMMblNo>4r$C7g4kHsz5#8Sgkfw-M)o{?qGiXm{87iFi=6egBMGsp84jREtI-
zC51ZrDC7q`XHogkCst8ZK+8m;FY6&MtG6oY_R_=C4L1LTdxGlFFX`8#nE=+qPU*-B
zhnBI?21R1pn7`2;?#IK#B9{B+3NGi>7ntZSr(3l{s8fc4;QK#N=fk#s-A~%6^{GnM
ze>)CQD}vL*-kRNjI$0v}{>SG&PIL~+(c$3({zHx>PycL;U2!L$;yM0D<@5dyw{#FK
zJnma8O84NuNS89Pk^<_`F`_m(yeQRER4qg`8OZ!&Sgw_r$shYRm|f>VU!GOt7|S%*
z4KzjmZ{*gyNIo35ATKj*7WK|<he2{9b>KEuvm-VR=p9E<KUv5D&*q<Du3lk#hWN05
zl#Az(n=1Sr;yLsUT8o-n-05C1(LUyF&YSOJZhh#$T#zd|qvn@&62ereu7uoFvJSLu
ziv*hR;+<Jn!xP1-KKA#k+x>7~R4a>&8d<f1tUw<N_Aqni1~8<@+pyuXyf{;h?Y_!u
zS5oB~Ed{YCah253owtFAv!HIsogVgu@wo`!5(VVWYJ=2PDi~hDhKt2r=6?k52loTN
z0)iGR{zg@hA67i-^<zy54^hfdU}v^Za8(r{FzBxY^1AgNNe+^!zzq)^@Y{O+{%2$4
zyGozJwDyx>w!vC@P+f~?hI3^>rRV2&8oGU$@6jGrC!>-JtSRH;ty_d!RK2CestgKZ
zZsr*Nm%Z8wO}^gcE}c35-YAb)BAMt`*eV_zQWKfbgB{JpWo&k1%j-J!mzL7Y&0-r9
zL@P~Y38FLScnl%$DX{X9g%1RTKVeQ-{`}yX%`#TErnfRNIW2|P5Dhgo6sgL1A~UJt
z@p6~Sa_jqI9O+u!;}HHLwPlcY6uiCA_umOP^`%)_FB#8_IuZV%Xwb*<In6YQ-_Dfd
zr#l?c4n7IGxGSzhj6_7(u+TAJoZ?=rH65|Ch1o-|C7Z$dL6Ki@@i@?GM~$a2{OCQA
z)3rRp$>{5$4wKAUCax*PMS}kk>*h;w$G_Vjs^85);;?h)>0+2YiUJM)USs`cwrcp(
zD15F>&ITr7mdN+;YzNy*&guTTBbSKYYuj(L^;j3|*^qMJsoDzAT>(B60YN@Kxz}ze
z?+ajvYJB^DbDQUF_x4vTiF&7}^#2bxjFq9)%m?ivw)R!q(5i69Vc##R_T&5Bpqo&^
z+RAi>k?A`$>iF^sW@04O>rGM555KczH-L54Vr>mES$y9B_Z)5=YuufgS*mtFPqf_Q
zzyZ;XD;u+hT0(`_A-cqeJEFuo;@dD9%+OUJ@l2+MN|k8XOS{VsS92U6^H%2kHmrsd
zxA(gcr`@|GsUY`?&2)(Y<2~SB^5e^5sdIsKxCyb46y4vdpxk+5QlQi1F>{CN$~*?g
zZ-wZ5Lx1^xY21(>9~=|}RF1YU5~o5%U+Z+3{+er$!`wHYW18>elE>uQx$wkvco<(B
zxo(M2?i@tn9xk9nYC1Mq>xF}X^~f^j_N2th6FFx9M+Ia@`rJ-X!t@D=%cy)HRzH3Y
zR8L;>j(I5b`wpUw4C2)@4_0ZE;kKY41PsBTCzQxIhdikcI5Xn7oPy;O2i|I`j;xBY
z+ZrRaokR(e(G3*W`OTSZbB#lIK_;o<lK~+k&L0bEZs*&iW3rEJ2~jbAujtVSUpBkM
zntLH*ak;pX?d$hw8P9p0w7l2P{vY*AStJgqtBOb1vOD#ur&HiGwVEgqKW90vNCw95
zAZ>;#5b6%a3DCR*$8cAV)tAC=<aPz!$VV-O4Ch4ck=2sPrrbh5)yc3~r?SAtBAuU=
zYQ;r+ysUSh{9;W9S^`oVJ_7DWfp@-O{<y7apwF}P74Uyf0>DW%H0l1!Xgyz`5_=w&
zll!I&0GQX3Ko^UB@c#ly>nl~gFrpy|p8(yyy04Jg=%!lEq?B}i4xGRnBibk5F(CR8
zGY1TQef2uOyYT<u_s-|XH+iG^NpSjE0=r|Z8;Obi!&8<V<a2l@fo~skzl;@KMYmC~
zvgH3G>MVou2)3;a0fM_ja0u=a+=9EiySr;3xVyW%Td)_`;1=B7-I>cd_xtMp-_u<+
z)itZ9d#`6Ddl5nlM~8Grr>V#i=kw4Tb@`G0q$RyTch!^e{ych6r!km)lq{NRn`tFy
z9!zTAP=K<hB+-=Rzfg3guru^~P%7m}Gj_Y7Z;C~XS7J;=uuS(~vZJ<3po+MX=#Es*
z(Wxa^?40NKtjcc(n0PR&-8MSp(QVd~rUehWukd{9ch9s3&>vq4<7KN^F+uAohMp^&
z(7*qlo&Q*f;+v*eBPM$pWL^BV9}y%{6u!gipsnxvNr@>TV{LJ4@(Dq<lt6HYA1pL^
z;VJH8KP^f0)HQf3PNkhWr<;$$t@^&;r~+1DD8QosfQw(iK|J&p)1i4-$Ra2{7NDf#
z>W-IAR3s0=^coiBsf@2~Fd9W;VQDs|zi!6p;&;+e%h^3x1gCPq6faJTh;G3sI+p3h
zYysh~9r;JH)d%#!7>Q583XMlxgBy_}BOJtCib6yWg~T>;n@d>e^*ndXO%RzN$sTb2
ziOV%$_zqWuRNN(sHh}4L4MFNM$9Kostscph;kQ62`vUEKxQ*euvgb%4frcaE^c8&c
zFB5{qWZhm~nTRF^j*|+xq=JJWEDZv#sGwwma}q+rH$m{xbSR<OPt>}nXYEPNNyWvY
zu31_8<{?p9&B^hH+h^{?`|WP<pmNr4ev5<eUL{T*=aWxK?u%a=5+3HTB%inDSCZ{_
zO~s4sxu6*=b)gV{pZ;qI+iVN_<H_wI&pJmm_{bnD{6cTfNa_=6XW65CwWmcNJ@}ga
z$C@U*u{G0b9$818;=>T&a|(C{mZ9hz2|@`_kG1qTc$nEclM=kEX+1ksmreh&tk}r@
zEyklfaaHJB^U3$zUhpm_Jri?mU`!%%$2MzrEKJ(;)05EjsZk(P1X-NdrX4D+O-%ZA
zNvd<0yl1?;hst?m+WNY)Xkb2{f^ZXewyaDYk+e%E6wO1dmR<P#QL1&znEJDkNSjR#
zr12(9{F0Qc_OEDi=HVz!iuc6rZ57axdxx7lq@Nu|GZTsWKx_Af69%O#HaZS0S8z(J
z9dE(x0=)KaoC~e%pk{Z1`c5-YV5jty#l)eil9ns}lyK)_@3+$9%8zF%*>eWXue*g_
zkx7<|a>XN>3p?lK77=Ci14|nW7&zUY&zSBoaJ5d|hM#+P)7<@p1-^3?R<ea3P#oc#
ztQ_TqVkzGh4$nt$zVmv%a40-GIYYypU0rfW`9?drL@$k7Uq{<_!6tH7iQor*dlwvh
zVSbwhp|474PT#hFw<nG9^Uovw&W^!)@s8@59Rud{DvT3Jsd_-s>%B+~6Wei46fOxJ
zJ@ROvZC8D!SZrZegZT=<x6m)>9@``B0J*W1(@IG~66UWQ9lLd!h4#u-S0E3g+;t?P
z3dE#*QyReBjIJI&VV1}P7Qem^$T&SrW}x`dhN+l8QihE^D?KQKM0tWuvNAd6{U+t%
z=cG&_)O2(+{Ao6cB`A^P-Mn15??F$F@5t{w_n)3ta|A~vpw-u!VW5QqOk>OC02qD;
zjclF*0Z+pSl-K%oKZiqXrNQcY1l~S=syq>S0VD`e8~z4?bLBwHrGMYY(7QY_U>ueB
z#`u7^ANk+X;{ni-<J)gQ?G0iR==mJQzO;)w;(tfc1%v>-cW5rG4}ntwCK-$}fT>sD
z5&#+iA)FWZSE63ZXCh9Z9|o&pv{M*GE}^0>3SQoGu)+qxjC}`jejmp>MBE6wvc}Y<
zuImJ(zb?KxZ%qE6VLg43d11V0@ffR_wDulYpq1#40cF-Bd7+LphBJyG59ODr$6kA{
zktKq8ZKaQ!nfDk>R_kvTBPLS@V!B<2>0=E*Q6Te(oE4P`?$~|tBqnei(rcIHw(K=~
zCf}vu-iXtYYO4Fw+22MbrCN)Q-F-v<9zFATMQ6IX6x8jcsl|wkb~4-8W1{^$s{l{I
z-jp@eLgasIJNeL?U!b&(wSP&|+j;bR#Y7gi-US+^U;ult+(tT3+t&jc)eD!p&dR6b
zre4c?%A?;L;_Jt^PHja~)%S*5B986iN?|VSKs(sxI(R)*v%&B_P(Y<;u*HKf)kI%1
zamlF1f?c#=i_DIAs;vN>=7A0zC6RC|4zf_G7psjB__|2E1tGrdmnN3m-6V`RtbqFi
zf>+@>&v#!~q`3@aR*H=u`3wYk=G)fTC0*3V2bFym36`vBtMrMquit}6u@{92o2yhP
zr7OEh(<|0K6u1_oJM5d}?+QAGe@9X49Zl4bmYVvG2NpbWUT5-Zs^bdOjQm``Een)C
zM8w10=mG;$WQ_>han0DK+WN(whg$=|@kn*<ds;$X;;0ZC@+1@H^XET?;PHew`W~Ur
z@7z@=z7Ij`3h!`=SbF_>m+$!~RsIVoI5R<#BAoeiHyR9l(uhAU1@1o=$uI`x`=-s_
zx}=TvmtRo-1^(ULfXc2MKSIG@{LOlU0Dnm!;1QIzEdo^QZfE^#fdqpGdqF+|j`#hq
zci$M{jy^w$=pO*odng>lrhgv-<x6e~#@g@ytknNnWpnjDumj%Gf#5;#cY#KOKEPiV
z2nH5_{$Gzk+V<uvXvb3M|3;<$w2J_L0Rv`1V2Up73SgZ0oSo=Dvr|s2Nz~iIf?@p^
zeKa=?3=;+Z3j6X1OfukH1GRrY>-7Iqw``<(RQI1c&iyA~3B3lO_yC3<1q`-6ki`_(
z&$LWjT2n4cI_cMEEJ=Bq@K7j^)k-X;ZHol=>vvh&86xFK<vh%d6525C{B-u?SvFc@
zxVVA8H(j>^mW%X<UsK{`{G55`*b+UZb8D}*G-`Jf=L<o9cUaQ9NTt|JJUufD!%~{c
zAC20>Z9(&h=Ww$!KZCUCE!4V-2D%0rmafRg15B!-IZc5m60)vMG(#ebr<A3z7i`30
z0!fqHQTbzVf9ek;m-Q=QC2^!<nEu}(<mH3w7En(cB9tTk7V?Xf+4f<_f7S^){fr?V
z)Ty|RM((Ux^_R(J_C_K-hfrhaYy`&Dr~={E_iYixmcz0lWAWUAt|R9)?kv8g_-DF`
zY{zl+HUALTYVi88Vx6u}8UDxj*sD8PoXkQWJOjnDxMA#v))RR~9sPc`k@f40Eeq#E
zwRc7X5S>gpf9q@#wB|jPW07sm8`Yu!S=?k<Y}L+t>yJUE00C%R^Ncq&qsfEEi{pEW
zx$?0%G`%L0vz5wDny^apjagErW-&|AY8Ke9Hs~C5W=76(A-6Y-LvfL+3vl(*mQN`C
zG~yqu=EBSvBd=<;j>Y2<dDs<0`JN%&6I=l|I?}d!vKD&SO}6n>>YLV&2_k0muvF!N
zG%6%Vy4ydy0o*1pxBD99aQ8J_J%&29iNv2lx;3=o&m*Y~uGhM8-mGpawV;d~Cjh8L
z2LE#H@0Px;q4jyoH7*aSef&-pKe41TM6&1qe%$zh@yGVNo}WWd0GgbuS3q<KLSm##
z*w8)RrH50nr{Az?@G$<p?yAcAt60>R&{VFP_B7WR0h(=fVOqDc?A=!6xSa&%pG+)^
z@Dn9_IO^*$I1CqO=JCtAJXOwBFs0)Y7!9M=Z@kuvJ$SDd+bXMs35PqZ|75*K*U9GP
z8{YI#>3tm_AbhN-*v>k-&})%(af*fUp1bTGdjFZoo$G)Pw+q0iQt+n1m{?HUH%vg=
zqLQaT&>LQDq6anST8l&49A5f*aCQ4R#CMlwgdAH%W@m^e4weO|uf9(V5a)(^ZV}S2
z7o^z?b!@_)i9~r924WNV=Af1KP%i$%MZNZ^6w&X{Yf??Esd>3kI!ud+>B45|JgXoY
z)IFYIw)kNZZ|MqRbxovij8B;x13n-`^C^*CAuZH%<UNk&jyY=1J+Z8VS07MPWT)Pk
zmJrl*5j5?C<JrOw;a{Ft&z9}2IOZqRFvGT45O4QN(ygY<lbT$ee&UEGZZJ|t`MWcw
zl6R@-GdE$w;g^*SN;>ZTTi~f+rE!@}{!^J+$Dq^1w=Y1|B(!#$G_F2N7Qf(Ut=_U6
zQu|Aj@o>?tU+w8NRlMNldn{d&*sc#~Xq^V*mtMJJ!bikYpV7<_^-yn)3Ta~psuXuh
z37B|t_QU(;F7U5*;4>oHIOKR7A>v)XoE24$PkMbL>(Uw4d6oA2>XGp`n&#{sFX2}~
z+}d7+4~<|Yd8`%L2OYzvcYY1=MsfWh)p;w&v!89ehls5r3|Ly(H%+wFa;&z8Y!!Ql
zs)?#4JVX9ip@oBHg}bl({xW(BHO;loXC&CMM|ig-!tDwdEd_QH?i^2iyj3ZF_&dr?
zYwiqn`t3u2U%FIYP^|X4w0C4AS{R}E3R}?&s!c0X4)oOE4-rYvIwi`pqZUhW%OZO@
zdy)|kz!Kl^ZKVAGpJ4XJig0Jdz2o$OEuCwS5WgtU43*uVykb(dMoik=O^?nglHuaA
z5+5Ywsd3Kwsx7swntwxCqZBT~q~P%fu53f1+(C>iLG+_vR_gi;7i+@(M5)u#q7V1`
z>RLV7sQAb9@ZQ3o#mRslj0`*&ws5`$chQ9^_{>RKiBYJOt3+j@zLfGY=;|(SlYcrH
zn<&0D0t?zb``il;jds*It43wKfsb&pj;%Sk0TI=1&Rs?~qN}9H@4Afp38|@ec6=UZ
z8$d$qaI-0~fxv4lZF$9sp^KRiUJB|{=Tt5?Y6l%E#!NGRqVK=tQFu)EFB6NiJ_!~3
z+2|JVt9Q*MGk*R*JD(lYhcn#b=#Hk}Oxa}>{M<}CZnNiqf#vqO2RmvDz!0P0IUaSB
z<UD=wrgDu2->h&nErMY)0T2iNrKy17r*4S;dIgzd%RB+8lfbX{PbD(>z)p5$hgeMk
zGXNI^J~eIdnepuD4f@Lwkp3SbEWQ;m0HDn{XZ(L$BjEj?tYRF3NQYmEYW}~hmIKgt
zM66jyfOI&&-+#;Geth&A4TG+iCV?RN&)J@aVaVd};uUpK3t)8#JkGRTtc6>&-I-o5
zF<08^SM+;eKV+p0I6hD35k{^IFq);whUK3-@N!%ByIXWShGW3~9PDTlp%p^fW1y|f
z_3!BIX_08^Gxu}nBVP_mrT1mAGh`HV2iAO=a&8DzQ8DmUr`nsqfr&UY%JeK>FNN_m
zoM*c4=)f0MqEQNOcB_>Y+6rSQ@uZlHczJJ6D_FwZpH<uErJShy8woB%*N*50^2FEI
zg6d7$7S`1_VJFVT|Ih-Hp8{h`kUeYy*=f!&ByUE-a$I@w!@|tMX7sSpnOswJHDWrX
zSo13p8u$+XjAWwKPVv_Ar}@SAccjM3OEl@0&(;5Gy!|FB&G(TdLUjG?D+m2esCM>O
zc8+zV)J;-S@?W~Sgs$lYCS>Y6lEJhMC>5eHc$OMJ?I*Dc2|>dO<08A08q4-YIP(~;
zc09f9tNww(0*i;xJWXW_sb9IjPcmJE-6p@>Gx#lD2WgHtK<=&I9}e&#=eYl4<7maN
zH@zYSB`P>?;EpM49tZCcFg07=VX#_Gn6qEn%yehY&@WoX!bDQ!IU|evhQKExb%i(g
z7LW0PjNIb>n(OytT0F_gOs-Z*y`f;Ge$UEl4X(tz_`?>^2J3yUzpSTg=G)x8I>wQY
z`c=sO@4#~t)<ELE5GRKXJL3-@j>Y4L2VT>6klSadv-LG_`6|%!MnqQiuLzRotRYS|
zEI_3Rk4@Ua)9v#mx~P8()nOm*;-{KTtZMVo^*}L<OvRox$9k}9&yu{TUdUeFCq5{5
zrRmlsC8HMF%}vjYvcqm+!-h`1i&2B}@M={>{$BKgG%agc?G-VC?Jc*gFDSx0ThuYI
zgdv_IvU?fZH9m3B)J50Y$-9V2NyI0G$7NL^&FN6-5EWdSh?Vi#W&8U3+7-t8LM1z_
zEmq;Qb?>Bs5<Ht=E!oFD={Xd;fZ^+RilCQ3d#Y;WJ1zC&gg!(Vg(`N?J11JzQ`yi2
zdvfEna@V-X$<)tUBI3`~!k;M8p)|CkQFk{NpgJl2MGbgsZcrD`K>#xRwxDYdVG0K<
zh4@qD4-2^GPe=~&xN7q?YM7+ujJ$k~KE<?~OQFN_vCZ!8iOygSwgNLnqa?G(L>9=t
z>{#wfAym=AggKy%a8z*snL8rcq0A=FHT;pyNSCsJ;@k=EFi71<Dz(MaM+@~gV({oM
zjo&6B?CJf`m^@22tuX$P3$!_*{OH|DiV(dYw9xujwu63HXlvR-imz4Nrg3Z(#rlVG
z?JZ$stnW=kZe%hFkAx9fFZt3ua5K$a*F33`ekkg4dnm=lz1|~XOR+*<9?h<fdOw6&
zm5ro!P(&e+;IdmLVkj|1E$9Kf2^3Jmh2&gR)M;c4BXX_XM$6Y1|2#mT>kS!IU;_Yy
zdI4DBzrO)XFaCyGZ$yb%cfbq0Z_h_95S!)n4xDZRpWmD)!J}uG7_yoEO-csRhrRYL
zr;!J{8?K^Ng56Qv7Nt;A(z$1)W~^WbCMUD$;wWMo4zYiP+;mfZsid-OT`h2%Xp}18
z8)uIGw#|D!1$X{+?i=e47P>e;3L=lXM2QrQ?pRKaNWGF!3xXBD3ZX=8ct>Xtzo4Kg
ziXqNeqp*ui#Sy<8d8#k^3J5JqUA*^SqGvTv@>>g-U;5_EQQj$LTxYUKH|>BeWbYu{
z2%^qC9;C`Sk%_Qf=9PLmk9tiXI{Dh3{}n}qv+%lb!iLWL!+fkrc^*OfY(Hn;Y!JiR
zgwS`;GL%17bs_J0)kwifBZ|J>M_gFUUOz)9IrxLO<EeQRVivlgiHmWVWBCEv+EP7N
z1b#PRs9i)V!MJOHA!Ssxb@-W(Uqg+}8f!P*U)?!A*rupP<w?vYDe<3PhSswLqYb0b
zm5Vcd?{P6QtTHL;x_Q67tMdnfoVXbg2iS>9wN01KcPiolfoKv$S|W55O%G-ClRYSC
z{=Vy}X~OiA#0%JLHNI-^yT4q9AS}|TALNI*Bj2ZuBtapU7lC;l>sLO4K89?C$@9!L
zGaR0pd~mxZxTvVYqd`s<(~soC&^tWsF&)PoC7pg;Oi`X42M8G6dc+as?^?Xek)5w1
zmxRLvcmf;e$kizgXN3n=*G>gLBLw_Vq|({>;Ubygh7JPHIFi?79jbEJFBI-ZeQwfP
zU4Gtk920Wt$dn(SNko|*mQ5Alb%oy8oV38XUfj>Ymk~P@4~)}>f63;Td&l~BrMDBj
z4>k{bWwx&c=$`@t&%i1pkZKKp00w_!;4_rb{r%(e@+$U&$l3-QXjONb0QI<jfF=R|
zY2be8jq=Fr;}JBz`42dK+4N8IzX7g9WBNf|3DzG_A9Wu<^m8uo2-Lm{0C4>JqgG4G
zHPc{Ki%SBKxxG`1GR7+v)@Wq$Wjjs9DRJiu4xQRI+g`ylID?U*)yG}h7M#=ptDWS%
zck?6;Nn~3{{h?W%IXHJ!%iu3mUmR1Y=cZZG-qL)!q>sd0I|Ppn1y`-0AH?2oPzI)c
zVnnot{4|(?&gM0A3H`x*Cw-wU%{+&73CSL0lJm7-m&|U^zp(|Jj>*6JEON1It==M|
z*Yd>MT_#Ni?Q(9Y=XoF-fn(fGI?wxi*nI>jQ%j4*PY7shU%(SWE&;=YinEnV%O$^w
z<f+Q@+n99;!;p?YNxh(Hfg4vA8(7NM3TY%$a#pcg&*;Hd`r3GbRj%S&a&4LR^i4_p
z2hR^QsE`0HLcQL({^-9p?A{%%d+IW5WtUWNh%jJFh1dJhw!9>FQIUcl*&!d5wAtaX
zwR(Ia?x8G<-KI>@$zLfm=|m~-yKM@9*?k#OMZQr<>ls?*=h%5yT~9p=WM}&}KfVp;
zWHQo<^cP0Ez(d&HCrzg|^ZhD{@`v<<P^U@eL0M#N1S6w#((baKFZ<n9id1+B$@j)x
z>WK27<#w{b?ga+K*I5(Y27Iy(K0wr~QqD9y!&?cl!WgM!d7Q%fld0xyBb`eG&+tbn
zlD1sc0$7Xdz6;M8h!3^V8@cOBT2$yfEQuU3O#Jx9(x>30jq!>+1-yrR5=ah#f!Zlx
zv*(0q8ytxv{si9G)v09cLr&nEtk@(cDdg`FTyKI%RB>i;H}T?lgsJfnIPQaw4ljiT
zKD#VM#M38D-ow(?sur4o;ca@^v3-gLfts%z&TpI)iMr$cIS#rA0ujft1qAFbB^<}l
z=RLIJ*^~wdtqv8`175#Qxzrod=AVAPAV#{=qC3yd$~}Ic_{}Z-<=yD7pPPj)WAoS-
z?CL$O6X;#`;OV?02$|`x5%~?bpJzH$376J;q{Eg03@N&;eBW+mUgvI!Rt}Lp-NoG&
zr8dNJ3CF@^s2ws7!tc_ud4q2EbwyqFTXh75YHM5O2RNnYtx6S<p>A%n3|NBoYD~UD
z8pwaQt?WkgW`S7zF+TG|3zj%#xH+$Es1Xc}D_o9pQ4sd8Fc()GjtL9m$`|j88#zJ+
zML|q&|93`6^AYGp{}V1ZKj;m{35-Fv@85XkHopF}xx-0ri;<^_(F^(~@R1kw-Y-0M
z%a-%I@)qf{*PVJvIn2LW_bTcOUETF*@14urFRkG(m8eYcghw~*bL2KWsJkKO9#&b;
zQnVam72dG0f4!Ca7B*k%bkv9u8=PiGis8%ult!|xn44s^+*Jk6+NM}b*N2|*Ju;y%
z_=o4RX|T${3n+`?i!k9CleEu++Q5*B|K2~>o)YlsUGWocR-sqt7z^8}e{s=lEd%ae
z0e$8N?RSv%JD~2+HU2p7MQep!6`W<XSF?8zd`ih4Es2FH@$KRKzCk5J*rQ$U7e}w|
z$W$DU2X(M3RAeop07Wzo$F&CpU8wwC_7yuJ)4!SI$dbAVMS@yta!JOpwQQQ=F3^t5
z+&cQ%S%KY;Gcf;i_Ege=_`uw>Z!jhvM9UxFvtg_+bTyZ1l(L(J|JG%Vm@)LrHV<>m
znP-&zRaW!q?UhGjo(%Dtxv!a@&1Guhu5qx*oDLmqkk{>B%plUQB6sUh`hZbgZq-++
zMR3<fpvLF-WaU%a8ZSBQb|CT|%Q%4W<7%=hUs_qWabblN{qy@=o-*pG9hs%!Ih+`U
zj#!Vgt@FhaMyZ=;OLuxTc(}Q^?{!dBlbw}sTyyC`@#!69W7gKoFR-FR>HAl1xybZZ
zO>QBC#5-m_Rt$s3hrh^QJYB#~MrHV>k6UQMcwsS8F)8niXv9MTEh)0GbtQ+YgqX8u
z))1R~uoU-E@PwpF3_0e$r63~~xv1R`5}zH54A@kWVs~8SARwx8*>|I`K4sBoSu`;_
z;x}!9(R2`%Tylah9)cD!=8s<O)+I`@f7PFsd59fy5n+@0Niq7D@6J5nMD~a6IV>Yg
zofPEo5m`-I^tJl1Y0ekTT^vi?yLpQ$6uG}Ah`cIA&Ex4GI6RWG=ng<5a$4c6e*K$J
zk6>CB)AMoljQx&j3@Qd{0pOLEJoH3X6k`Hy_&J^l8+9qNE)A+LD#T^@luwVgTLOlU
zplHO5DZgomj@rgSV~s~~*;8ftJfDe)_sf6)rW7>t@eukc{I@FVwy$F?dU^F47Wkg^
zO5m5yJuGq)d1R+eA?T&w%$j+&#2hj88c;>AL(-od0|^Z7PSClpNmsOukiSPF(f+RQ
zYv$IH>Bfic$WOA~oGI50*Mh7u#0=Xjl55g@GOoyI?Qk4Q7|%c#mT>H>s6q2_tbY(7
zoKPIyy|bboRQfx&_ng-u#7p?nUnBQ!?E|isYX&_xHav+j*xi4kUA5{fGH^9T>va&C
zim2%V;{$i11H%sYiun&_$}+mbDW2n+S=OR!<;V(AHOA+As|>cWybT-xPjcEfXJ~?;
z6GfzA=lw@am~-}*^p7en54p7+d7qD4&or;rbQ9XIKjWmlF3JArQgco?h7rtgVbK3{
z>zAqvD06qEv>j#U;!Y2xf`zWXoj0VJytdr;(Mo-w8hR^%Z6`6Hw8TAz5bv6rhi#^}
zn~b8w*wu<k2A!&e^=d6Hk0a-jR~Y1zHWen<mT@g^LsT8JuMQ1%V|z6h+xf+qenAvq
zBqet_tV5$LZ1K8pGzE<M{-DR2k?6cgC8~B7ScP+z#*j}acvfSQMeJaSZD`7!93pU4
z5zNu?U<MsYAxPDl0iV~#euMw)kAc&VP5pqG*3^p9W`W?V?eLF0>ICV@IvFb)eXH_t
zFvt<#AY;`JFb8=^vM?BSTr?)WqO?vcW_@`wU>PY0SKRxED>S0xpmf56S6XG1lnK<y
z<J;<xZ!VhFzePJgIn%{FLApbl9r@Q=&xY2DH=(|8fVfU@?DqWdpeR6hwhETzvg@G{
zR{up=z0}ov-iS@EeXUsNo`YQXYskW8=noMjk$lXD$miwMABqVTa;=q6XXT7kpe2IQ
zv2Dc1FcUb!Jv1dd>vObjnh-~=XC*twYEL2e=gK4--Xh&*9Tf<2w>R@M%=fmf%Rj1`
z67gM$`+WqOBH#8AJbsI9!v(zHBeA;}9ZT7h1-5sfh1UI?XhYmW^O0@r79e|WVXKBY
zY6_e8t047rfZ}63HNT8;rO(lqtM_G?zxOJeGbWUYitK!`6Q;$+>UP*@;c5+QDV5hl
zwxP{7_J?MdIDaOcN8J*VPUIEZ@kiH_|FirZb=XWtJ&?cd32!c6Co78uLp6|K5$U&+
z0;NKHWVM`AVCSq=O&zs8?JXPFH?F~T<*zdjhu;-vw0$?QD!cXdI-)2Ux4CX;Gva)4
z*kuv^HVCS$-5sn2D?Fo11@UirBNU#IR!>-;64`Uw^2`h)m!yqaD@=hYZ*Va1c-uK=
zfN%FED#&;)2T~}~x$5LrAeMT*h2DPtE&J;)0UvPLR6O3<HYB)yngS0L-@1g0WO1sz
zrNxuf16U2p#-W<i-rcCDd`B$YSU<BsZnxq`f=f~F4k#q}$3(NhjWjRO^GdpHFJ6OA
zCA>06$|*=<hFeT?mYC4jeguWoLKM{mC0;O7<NJso`SXfuNlLIs%3^)~_J+sc<@A5O
ziX2S4Vd<8pjX$2TMGBd^Pqc;cdAoSR;}zE!mjWKd8@hFMp7JU^4Sk{>3TDalv)8;G
zj2r{1Zj<t~urp1=r~XvE*GuudA{U{?2BtOd;1HM@+TwBwQ%0XJus;!co=}gzpjyG>
zcF|k$d$p{pWHRQorGkOCj5|`6dh0t~l5dy^D0I$5v`k`a)D`T1OFuVRj}1)1tPM*u
zH&n5h4Eia!O>V5JSC+Lr))UgDX?M$e8Ry>INAiowVBS%5BE<M8;<JHVK_W(mr38h9
z(s}u)qWwuG1Q9$>JKb9%O@-eWFJ#t*-Kyr1KL=(6E62?qy(mRMhMd{+;Prg01#^fx
z_x?(p%Z9%!diOki-HSmxG24!97GQ6-Olob}oG3l?^I@zJB(t6GZRF^HV!nhyrxRzy
zAEvFBk_|paeF{{<83QLJp-#=7yzVJpGq+pZ8I9r9f7bHQ6nrGXsG5r~*$|DSf5RK<
z4QOS5SFbd=xRSK(9^E$vf~s$96(<?5<Us)NsS~aMs0Mh){8~DVzM@>NcM9d@Ie}`v
zWv*g|;9kQrL8dNMxr{l!-Kyz&<s%)vM~bG;NlZEI)?kA@qhb~oj9^1rZd^qIBVLo`
zjLr;xl@;#yov-oGjMihUG4H!$QoL=`D^u>wX}|Bo%+^&y^^WBf8C0^NLVM)$2orG=
z%)g*_3lU}`y%$v)LA{*4axMFf24$wL-5#SmLZ2+J5lJ8to`Ct7Zh=w>hPaVSL|@9w
zxIF}4gnIG`joNt|%I1;yY*e#<iaV=IbdAu(Gi5tQdX%}ZE_N7il{DOT41b3dyiYIi
z+kA<7DU7eL1ui+~bi(bj05J(l6^Vg;uNR=FxXpis=w8Vu0EgZL$LW*ac9obL2<pys
zLNi}?zbIwkchh+OC2@t=aj3VqDQ#!vbCEtcu9xb8xtyo7zl4P@%4aOY{d1Q@gal*Z
znwlRA!*p0<!;JbDzQT3UCnG=ki`r5Y*RNcovKD4SD#3a!DyELRayIA-Wz1VRxkk!z
zN!XtVe$a|(nIS7O4x<n3J}`GBRmHaD=Y;QHcZ#oW{vDg&`E8bS>yVigaDlf?{3@%!
zI{!C%p8C+8Zggk&5CP7PxW~im4Kh8sW4MM|XLcpI|M^(?1<4Ry<1|fbTZ#N@>Ldmc
z-5#pF>(H4=@g0W%{zpDdVw&~(zwN%azB;m(6zowVegJd{_@4vs>Sgal-saDkt{wM|
zJ>b+7L5hMRg2Hj}sK<6V+(lnea8N>$YVx(WzJ`cNaToCv{mjtT5^nE+gq>=Sof>b<
zX^gQ3?@pT%VDhehU%g#l>VDWzcgR2Q+OQ99W}iV&n==%tu6b;R9830UEJahL`$2w5
z3M0uNt&%fzy^w`C&dP~IF>ani7}ukeJrTuPJb$hxA(|$Dqi8sBip1|k2KpKGO_7nD
zxQ~ml;|zPY-o8)hk$_M=hVVzZbtb`xCFC7cJAU$kAu5Q(;jx=mSCK;U*@-u%-%+VJ
z^s2XSnsiiW+<9hgf$;A}U=-b!p{M=AVx=rQieA2%KXH}$zwtk^;O{sVbh4X4+N860
z)5ynYr0tyoiS2xEZof;PMjT8F1bK|xUp!~!wfke|t4fIs{+f-$&Qc@m^qFLxPDrRr
zzS$6BokX|N;u9`=e!W~3kw5RJDfMVAtv+{nl#o(y+i#(VX_mXZH9oQ_+axLdYN)c3
z#B+<4Bnp*{9yRu3ButV$HIs%IWH*O@MwHF{+RbUD8jqH5QjG0W2{R^tf6P=oQvYqu
z<XNFpukF##FpmLQ99nX|Cu7kT5nvf@)uXed<$%fuv=|;?mFjK8b+s3GC~Y+tw^<;M
zQwv37531OY*dq;A(1><-5QpAb!0c@4;i*uf;L2oje6Ag|hbp`Hko-Pod7h7Aj&~9~
z!LFy{5G+Vf{#sZzKRgeKIb{Bg|GF+Av-Zc3Qfwf<Qfd1l4zg8epvyaj#;bMIoYsT8
z@SjTT$;h|Mo<h7mm!bU{P5^j+^;db*hi5@07CKxVq`$q4vvG<&bT#T+uDDTl_HW26
zM^$2R2oXJx%4*{M+T5u6=slT8p;WAjSBgs{4xwf7gT7#APVP^+cRYWX?iwnGXC$hj
zyU~KizdE$n{Y9Ewo!KspUoV8RB1|O0p;LFLjmPAbiS&_8F&sXdq2Iy1z|K!=s3&7`
z!3>m+aN~cMp8s**){7PJYXlVHUlq~Z78jP3L!Q-LSeN)#>L%}=#PVlK*Q)ob-}pM*
zuwlR-H&l~R4wdh)aivI+n;5!_o|S4IozhQ_#w>ulte=FO!mBYtQGXfS>OFQbuwZ+b
zVHy{>HYzoUqLVR6N}q_x*k3RMh<NhhtZ2k-;ZyOx4TTie2tK-HyoaFU^Ct2FXSm7n
zM(8WO)9>JOBBt!|PNu%Do9>WbubMs0u^2ZcqVGUaG$vrIgyL||qPT?vL>->CyiO<>
z`c!y<6Zj0@`+28~-xpJ81##A1o5XR5deNaWd$=!M);*WD97Js0C`aSTwP>yisTfh&
zpWg$BBev#z$~zzgOr*I?dzt0dJj0k!7z=YtXY&prg{#oh+meFslIs3dZ6gt<3ij)!
zt5Gt@EV4Q#u7FB|dF(hOcjKBr5SJeFL&;)fmmgg+8x4945UE2ZjtK0f8m87h%9)$#
ze-=5Lr+%gED^JQlERNL3g4O*rK&t?kn3MjXx5u|16~JTczSbu!|C5M+0f?>xy2zjx
zf8)x+8~YVBj2}IikHCl9du}p1Ca~076ss_rW|h=wjNcAT<=q!PUhU71t!xuWe&pE)
z^U9?zgoV8AyxpES+s^j;Sm{Ad6kFTt8o}a0G=7Svh5KMXXl3Vd?kCsKy)*2CFnJ8k
ztxlm7vXandlXP;Y2YQRf*53~rp`YWBEPc2dSCHJ{CAddOGl;#?HgQ?0MK&3OD;YI?
z90;WBf6SM~RWh_A^_93z7jai3;ZdoTc-j7G+0wcBaAhAvkDEhnC(`;M&^TGclxf<;
zELyFV8WC}$ynRR|ylcLhMXcGZ4nkNIBakZ-XE6sRIB&ECt=HQp|3hJ{_h*$X<M39a
z75?&L?T4t6Zf6=Z&7IpNRH`4gogjtjaO6$vyLP^wQdJeKo-eF*k2G=!%7jfmS0eW3
zVcO~;_<?}W>-vuFAdUAHeN5wb<{+J51ry%IqVo<Ocn`G!ag?W~G`EJa9!Kox%D3WU
z-WE>{VLzn-tw~C<=w=b^yVRywFQTIhe$~I3poyzu)7DK6%UCsPHY1kp)%atfVy5_6
zP1Aa(xl=LzQ#lk@9B!9BZK$A2EuU=>U$)N66I#zeAU^_rA~#=bz^48{`KEUuk@!Y;
zW+76XlSPjEE$Lh0PPgH3J#u5(H#*F>`C}GU%L+XW4bo=5bgc;7VOn&Cm75j<oWSd7
zVob?#Sa(7ZUQe}Wi6KA8XTDEx!>9Ly_6&G32UuyXfXCc%*C(Q60O)-i1BR(^T>jsp
zIRro;09zFRVPUC@1mSJFnJsGXVupr19|;xPo0IsC!=|++9m;2n4|^Ewln3g$59(7w
zU(gkrVkFQ{{r=sPWd2J1hV%}N1FOC8n)!a$cjG`FzQ|&dRV`y|P<U<WGPt3`97;q-
zW_4^{S2ye3vT8l7iCk47G1t7Xi?cxJ-#9N1Cl={GSH4Zv<xtlrYj#RO8vjy(SbOwn
z*RMSwmta69#0jp?OpA;`AP3KzN$%9hr00t=xgFQ2Z|J$0p>p<cVCisK!Y?RJ7}dSD
zWBuAYO41q?fUR+<bM|OQ!qesJT}=BgqvUL3_>YukQ=Z(4)u`bl^9V8#<}=Dgm%K|Z
zIP)5-S8WCnoQ&rekSsb3UyLk-=AZRa3iy+M6jlXJ%G<S!9q<%CDCuHxq@Q!lp1GR>
zLY#fXJXs7AdwUI~seHzGADHBhI!ZG39Sf$aIyv%oF6}3*X@gE2;gLP;eV@w$B?OjH
z|5=ki(F`S0(8R1pkbNvRP&nAhfkmtZT&Maj@`TRW%l3QDV9#C;)3y9@i6smQE=e9S
zkY-a~-0!FuxAs3ALDzIMtvDw`=)vw_oPZfvZ-`@;*<cwl5x0R(M8@$5G8eQrwxfkX
zWbU@h>1CtT{BG+EfvElK8H%cu5|Kr-?4^IR^ucYx0Rpmwp!X`En%#7u(f!w~!Riu0
z!$}T}wYm@R`1%NxJ?C2Y=EuA#=Q|#liEQ1vzc!f}a0@&Alw}<hvYjO3NBTlXaT8^m
z!!Lu}%Tk42v1~YvM9PR@49T?aI#SOzz;L@5!_PDzOg!;2%bXs0U}^H>x1-N*7$}^h
z3sMPb2zfWv8APi+H+*q&dMDJnfPzOjbM8$JzEYp(QN9B19`p_{SXSIV*Wcc`Xlf@L
zn--Gi<e6$$p-7v2d)S*>@dxm6N75^Bm-TQjSsx>2UEr^sDwxuOhK~|k<cy7cr)zp*
zE^QBu;5eO3yL^al8&-kQODGq!ATF=74c-WUVudL!zxc3X3Dn!2Td+i#rJo&;EYA9m
zC%)ldJJvfged5gpRt`oHN8Kts*u>|sX9y%EnpA$0Gx_&nm{sogaX#Cov5A|jRab9D
zo-s+2I_dm`lXqEGwULQ<qL1>dSd6(t2cN)+$OK!5N82V~Aro<dGs80gXE|Boc~TgQ
zG<q|(nHx|V5FDQxC@O65kVY=kcXvu~`ACX)=Vxo2NC1;n{3)>NM;sXxlMQF_jRAdc
zw<GP)5uDGqX^PqDCVDmhEwCO(<e?<6;`TmoFz@Wm@iKr=(N<nh8&es-G@J2eTfyjg
ztj-uegIJSOZggd2cum!?{5CqfZ&>0t_O1a$_%uD6+7X}Q8Dw7eTg^ni1CGySG>fi(
zGEg>ytAy7-a}}`*Y)TjV(S9ht151JR#NQ6Ws@d$AAKoS*@a)IkkOSveIj<YSBodK*
z>H-Fc7ZH;cc$Kh=rq&CB37qi?t}y9H3>CL0@{pYhy`(vR%|Mxdi{eXIHiPn~>t?=(
zk@IP%Sl$Y4zLT3C)mqgVL%bUdRJcLgND%|&CX=m||J6^;nfE_fUTLFDG{TwNvH+B5
z*UYy<r>t^R>}lhy)wI$I(Fq^t2dBlWlOnJapS9DFE0vsDGzAyxOYx|f>FHjn!=%Wy
za(d9zRdkq)<H!#P(Ah?@=PSnhoz(>KV9FtpP$&97SPmZ8z|7&@c7C3LV1zX$g94^h
zSX%}o_y#iGDM_!IJ3>F?6u({WH3tUs_aVL2Unb70o!cTs*TA^6P<s+UqTC~zN0XOL
z{N~i#J7$I4N2!RhXG_0dcI??#qesvAab%gSm8BQK^QL+iZkFLQ{5?*##b-A~a0{kf
zT5`R!v(jt9%VG^5yz7ghPV2u8jpk<Gr*9p_yRN@$$-E&!wv*ZQzvhb*b_%0NE*$as
zJo&9HrXsJLJ5G@{84cnZYL`Pc4Pmm0q%%<7ns}w0+kEkTtxzUhDq-Gcn_+&^mMGP*
z#vl12CMAbz-tZ-gOr~{R%#l~WPnbTY{?gQ>RO36;4*6`&{+(+Csp)QA9Bv!1g*nIH
zs!@Z;CVcvfq&sIEgKNl`dzMw@9a$CV7<-Og+QMe+EqmD{`qY#ET-UvSc3@Jyg9!Z=
zfHMYG&_)vll^s~pN8ud+_X_%021X)Qfak+c?j=zDDv<P{j|{r=zdwS#_#~$8d=)(Y
zM0nIXeB9;&{v1gkz#pAZ!2k3ub_H<cdz<w~jz@3J{3O31{+jjwe02L6`3(=@;Na8Z
z@!#27CqK=y0=1#~FZ#dDTRwU8d2Qe|FYlNBe!HLnz<&b>&j32G+M=V^bfsa;s9YMe
zs)ljhS;@cpc+6d3O>s*UBj6(c{W3yDKTh^<WPCO5o>qo*1B%e?XM|dX-nFH&v&6m`
zZ+-ZqHvvM)fa$d=dB?JR(Jz^d!`Kz@#v8Th#0!_&#H(&*q&ZZVE3M8WMx5C+!8wk>
zwMZ<LsEgC+imL)?$F?h$O;2;`<+TEeS+KbBl-?bRT)EC>%@@8TNzblr`}O43a}3j8
zB~0~(PK42y-fbu+$ujSA1&&xN3UuziP}f}F<r_u&sBaDG3{;~*P9`knW=Ae%L^$$O
z&kw}Ll5C1TZg~*Y-kt_iJAo72%BhKg$yUS4GUS=vWt0O!tJ|mO=u{*7;^Nz^44kWp
zbPUkWs8V)==GL^^kRLToD_`+%hR@HWy3svc#n{A#z7`VPq1A8|y+oQm!(+D+4PB)H
zi24}9oyRpqn!54aDX1+E7u^UED`%EbGsK7wCD|lsI{a4)e^n6-T_nv_ryIL&F~3$}
zu^KbK;IXXwehcr>ym^?sEW4aUiE>dl*?_QIU?SU*hcPW7N#E6}xE!tDzxn(35Y6r9
zI0m#EuQ_vInZ7NG!~Pv!?-`YoJbE4BpIDu~n`_u|BR0*f$~5$V@+glnHKp>!`)d=L
z2W}yF@V1KVL6Im|R=e$2PI0VZcG_5H1Bs9%3KsYMg~g~!Kj1X?)0ntJ)C^o|DJ0?R
z{%|L-8eUT#%Y|poOwzlrV^4&u`>`pK8075f=`OvWe+sMeT^n;gW-B#{lSu5vH~w&#
z?+ShUe6oR54W7P=lHtRPlvc~`_Y(K3srU?cG<Qas@WZ0#fY(FpJ-KQhJT{Hqp!l-t
z9}NEq<epM0OfORFtFys0Iu`0&l+;L**qRV^rYu>M9J*k03wKaE(*TS%qVMWp%YdaN
zsjj*5+&Cx#A34CllQ^$ky6fdK3&ZvZ@FTxhC0po`i+gOeisNs=6;l#DL*Zy{Ttqgg
zq#EtOlf?7@i!QA<^Hocn-FKH#@K$^;+kfpn!zoIQ%R<+8{xxsrRk?&~c~m-ES{a=C
z=ziO>0%vYqnl!L6L<m7w^e(;7`PQsqNA2v{IhHyRc8$tHZ?5Sg_D{>HRN8_Q3AD^w
zQ+f7F@es{+HHgDavPS}`&ar*$T!+mq<9G;ekOxom)o-k%TR07+@98sIX>dc+L3G{K
zHtPZ_&aTK9M_5FGym(NkUD`=d5HjBESAIv5-0@fH;tnA}a>$S*$D&uw?#Fj1yQMF>
zr`em>X^o3H&Nc6#2maSBo4vQHrX%0+`nST*4a>)?&sIz0gW8At#3Q;ZHd=3OhKzJ3
z21oMqh@(%;>bv$IFXv`PNDN{XsTVSyKWZUxe8J}K%+1fzlp4%I<g&94M94nP)a*wA
z{k?s9k+p|MkDl^%wkKy~u_?)QOM8oT#@#F8Y5ll^;FT5J`{noxDX+A8#YpI5qVDvi
z%beXSz2<{|saE>&CvWd+{{V-NhyI^XXfY2$Tr9&qY4wVaWqzOMU9_b^C&=RK<gNrS
z@9HD&jyhe)NoZ>xM{%?{zAYz7)`I&HRy^~SV|o=uhoPJ6#FDBk3u^Q)b3!V+8H3S2
zcKrT!H>9z_j-%a}v`UNz7QPG+y+;!Bm1>$o*uQl{^E<LH;IDOT<K<~d6Ly*+_p;NS
z!Mz}DyI*Ixb;Q}b_74(mV4{ikZ&=E2ur3{%1Y3879gY3Jke#UN93oT=oz})IJrfh(
zZe&M`e+loJ&A--jwikzx=GNfH`ZLDAQLuvWchm7E$}0dQ)GKYU46lwb>Lcva6eLQ}
zC30IHZC6UOB&#%XFZnM?wiBBZg3`REY9TBwmo3AxxK%)^m_H8YSHZ#}D<9(Zy*G^A
znEl3_Nfo~~l8>tMi^0EoYmXYgL;U1l_WGSrOhGBG(%ip!SloTR=#`l9ADjka+lu_3
zTfS<COo5|g4I?o)zb=+!A9GEm{DG8oU*}$sJFtquz+O;*G%DN7X-Ro^erD~o<98!-
z$>#n$jE1*UkVCwrS=vU<>2fdHW^Wez=<_&@tLBanKhlfOYOBrFr8*fR68L?2Qmd&y
zrD2+J;5iqovv1|~^7XMc{Yl_g`UpQGZ&{o>-Q$WB29F9S(}wq>V(nsb=e<V+MXwrR
zDW*1cFV|_o+NxXTfh|r+W^enAozOn}DPaE>cv1)AH$T~`2wdCD_?gU^B^!4ugiWV8
z43t<pAt$eLUSrb>KmOW`v|s0O-0{D7G0optuG?j8JBZU9ui?v4K1)kfT~2e<VRh$7
z^>AypM_YIIdq?4L1}85@Z*ls2F_jO2;`6(9m96^^LVgEwVxy%oEbHDoRic_1I@=lj
zL)GM9IvU`AkO=BBk$oiW@Vzw3UVL%D@0<-G(Qsm*W+qY|(DqE=J*uR{Xd168%?Gza
zXUbF_A=WL+Y%>3jkiVacTtGYHcYW)PbWF89ZP=CjL>g4t#vH(lw+}u;@zZWxW9`PS
zo^9I%&H`;Hx3cXi{&$RFy3`enD}oj#tn2AG?YINxJZ(x|0>1vS!#i`9bRgQJ$j@={
zE&d~db1tpde1tdQ6|@W773i?3@5EM~j9F@CGi<HxyYP!wzN*?{sjE%F53_$NS1Bs&
zVn2dz<EPVnsE{Edvl{5@towu~i(mQ-6HV!dn%_P`RjdtFNDm05*D)^7JAQMJ8B=J?
zs>cybT!atu_&_#pN43wK2j!*_dP$u{q|5u_fL)GlG_-4z)+9Q;VwFp^XD%*6kMJa;
z{GgFijIZ;<(u1$sy2DJx(b%~%@_Ur&cwgSv9)fKs6|9*Ty^R{Sx9?4f)S!Xm5Zx?n
zXil%A!gWKOz6Hm_)S%ADUCf%QZIs4g@K+qu4#XpV_b&qceGftZYM+t&MxKfM8GoSq
zo4f;z2Sk8C#zx$Zd@bZC5m-4O@eUfgCAvC&6JG=XJv-75P(C2YTm-nYz7+x-CF-I6
zUKA1^U`w5VzyAmJXEYBPT^mQBhkyv4+BFv459Z|MY7gvcD%y~~@BNOH%l$VX*;jQf
zkLl<6{EB@M+X^mu2fF)w=+TXX2Ryl*6>i&jnn-<ycQA``QKlN+omMQ<HuP`b^3l9;
z#Uj!TVY3Bct_G#LAQJDwqi|)t&UVY|n!6tJ^Iq8wd^K=DY}9%`UgW%*R~i%P`4aUf
zed8hu?>lQ{!9R4Fi;1kr1<jo}o53-#`E_`)7xtzR$um&lh;j%5)U^lNG))KyXpyD+
z;WuUp32%ZRRu0!mPqGj6SVyYI`Tk%-FHJLIIN_hdWvnfDHArq-3%#A689d;YpgD47
z#=$S{zZYj@tz&83Qp<<`&9wqo)T>DKQdRS`0T(v9YuFah|C{m;hbE;flCU{aTk_Cs
z1?_t10(U`S_%w5&qL4!>3i3UP<5h0b-Y6(`F$rhypFiETPAErYdBGM`Jm24>p}Fdf
zU|ROWe{H{mUo^ZJt2<yQu)YNmkn^75K>hmgiM;r-^BHV=ZtBx(JxO6k929_pxBki{
z3}FcDsGQ~5(L7k%j7ZWokngd6s?t+U7DoPAMRPGZ8C=POl9DQfnF;?&@g6)%-1KrJ
zdyJhKYU0{C5}PJp3yFA_7b;oUG8vQAS_=4Y$uY~11wRnsX(K}L&-dG?pjnC<SmJ_2
zvFgP^s^(#o%3F;8rW{zG0ce0LpbVJ~0L^P6Z-Dkk>>1Fd_%RAB^!&^I-(@55E`9>A
z=KwwWj{<S`AW&*%7+`-aFbj0xe$4o5-~CPy=t3j+|7HCE1o^)Y*+2V_ya3U}H5t*y
z(PjU_#e?lNpnkVVx>pV3->u?cc2Z&bJ1xo3`9G)Klkxi?hR$!~?>6IZMLz1N(z=le
zWzLTzsV@DcP&5P0{}xYPd>3EY!rU5KkE01+rFO>B9c=l7!5LNc^QHVSqjCQiwGqo^
z9+CGXQ6QeJ`({*$fh`P{&qLzFO|^{O{8J7&#LRDyp{raQ&DbG*M5Bc@Jf9+lCVX62
zjkMd*p)4KKFWwWe@F{+JQTykbe7r%eYrW~>%5(%iphI;N{|Ciea^38cEb}$qa2T&|
zqY;yfo45sA&5^YD5W#XnN9NgN!YlXVOrov2n$hwh3=L$`It{PvGRcg2o@)TxzYXHU
z4V%eA8C!2GpX>7e(HbViMb8yT;#N{{RAW{VvKCP@2IDS9jlbPKie2gyrWNVj!{1C5
zM=gq`yN7bgY!4bygSGBG1dKXLzR(+%MB8Vk%P{3pJ$O=lTCXYFx`_~Fko<ozz23O4
z;w2GG7Hx&DaHk{~?mNdDTl^3hqT%>v#ZZ!-dsJV2L9n`HCY7=@f9sZ|@wAwC8xv`>
zh#DI~nOq~X?&(aDdNU-s8aW$n)QK6W=d&isf|%aVM^C{|Di`n=lQCs*^JMkGjPyd%
zW5jYv>Q&yH92luFS`CMm{o?}Ba`H9WEkzBfWe?Zqd5RQ8L3ri2mDCpdBLH**v2PzB
zR0|VXj^F~i^8+0ghH_diQ!lN3%CCldIm)f@UHbA%VNf>%ICPHUX1PlO70i}vE7P2-
zlDsFAUT$bhI6|T|-OGXn`wU{)x6Kv~-_u69MJPNKIGnl)Nt&oaHARhSEI<Zn9uO_N
z{G=j>i~2CFoD1H2%5pc?eLi#@jd-Wp6ZPLFee%B)Xt!jh$tB<sL0O6B*jk*VS+;$P
zY4f7r8;*kI=a$B0v2tpg3qH{cq>4)*&-U>2*PcyFh<3ZmSML+L$#JQK_NC0&Xe>q(
z?NJx^WH0+3hCSP3pVx!3UBtW5DB!)Pr$i=x;jqZu!o5?8?t<4DPO>u@NxK+c8NM5}
zOWhkG-G$_Qw=rn!(O#}bhMM>lFMQFqY&5}K5`oGIR+T2)Yd(aPNiZS8JV7sc$@%Qa
z{q!e8jsZK4I>w0lHdtpNWfW<TDqmWlQc>5JZW>VvMzU*-M(>kWTsf30k(~u|CqI`n
zJ;Kh;RTP{F>$=D=1l8QPfiXN+w9POLHyhe&8?->jwbISc))4WF$W$sTRV9+V!+_Gy
zo@=PgyaFH1Jh#YTk97>bssXtQjMa>PJw;eW@Ck&;%>6-YSef^_ZzPTyLzkQI2eEw+
zb&o41U|#ql#29bxb!z{^)LTW>(RIP1Nr2$)?hxE9Sa1sv+}$C#>xMvZcXxMp3GVLh
z?(VxU|98$E_rCY&?uQz4%~i8zRa{_t&{0z`?emg64eF;b`wd-=I;S`_<R2mg?4Eq!
z`Na=WZWXWuS_OayfP52ZLB(joW2Jz@a^JJ`T|+asY{_q1t{PbpII)YyQdIoKnjQLZ
z2o-~)w&0{V$ir3^(&+E*tVRM)<06z4UfT_;AzMIEs)JMxfoj8OC90sa_4JoJj^%FM
zXSrUN#U+^5XXdR9)zVd1>&{>{D3(m3zpWiZK3o-fooqEMAwqF-K$<AiuQLfwW1gYD
z&#DRzM+N0DK;R-~;awBqT^)Hj@j8oZPER_poBOk7yoiG~^j^(dmG>|$_ml=PvM<X-
zGTbX<9XZa?usz#>C!$$ZCyesc%7@VN0`4!$pDy;-SRS2n!mVY=Zr=9IKFWQC4j%VV
zhcOUM>Hd$u5(#ZrB?D6vPpr$WTcPKyBvFNC$f5-fq0?uv8O$EUy3n+o$q0yPHZ^))
z6jt-K$E$O~7Cw_6di}h<RtNDn@0e{;FD9h&k*6Qm2wJ@|e69M|0*RF<oJrYv0@0U$
zx@CR~=Iq`jGP9+|ct`4EL7QFE+vXPNc=0sL`A}gU`#*PdsuESlDR!kPw+$5HD#BgZ
z+2qDm^O5lTdQ|mJbmpC_5WZ1iJ*sVbwfW!)HIn<viw=&!sl6^uXqk$}7ZQ}G2o*Fm
zi-+XpU_<3Y#{5lvZ=P3nTlCL3nh87dV#)zGKIH}fEf7iImx{Dt1g9jQkB@j*;g`K@
z(RG_W5SoNndDVzi@q7#_A3@PCAo66taz#(hSXaX8zLj+7Rvd}FOLxwq7>ZZ1WYd8N
zd2>>6#Ww+w_X&}ymT`Qslxyu`9><DZp%R}lRjE+ZSjJ>rd85p>Q+DqogfJfcu66NU
zTb}VjQ|Hzg+7ym5KEBddlT7yc9q$sj&!LF0YI54jpYuktIg5^0OX6>%aveeuz}R7H
z;DHB90c!40lT0P2T;;Wa%&bO8jq!N1xmgETV(D@m?(NV<3DF1(z6!#ITiZ0{aQn4>
zyC_}7%957{A1b?KU(ml(%g>VLpb*^N_DGndLP_lF5f=7+=fkKvy2e*p!DE+v7<$3x
zHfyB`0gIy2Mn1K-{ytw9cbH$2g{0|AS#;-QZHadS$WfGKsKj*6H#10Zs(mb_T6Er>
zJ3$VKhdZvC1rKOOE=Kr*bvd&Arss+84h+AMzf67Eh=V*-4K21oa0Z6T<j$Gq*2Cj?
zLmFk=A5eF(9#ev74hV@n{gcpC$_=oE%bAHdp6oqun<&EJ!O*^yc4+^KpeZh>IRi*L
z;6-(|Kk`UQ3WLr^cJ;enpNVO+8Nv<tSMV1mrndd2Q-Wd|i6n^3Ha$)dUKMa14<^|8
z&i3Tg2;o+Xj`?-@5Muh`A>v>3eB6pJi5}?(Va|UY!lpj!+(N{?J~ksVDAaW7Sif}A
zXSx~WSQV(q5$otBwauE-Ne12lF<`*i2Y5dLME`FS3ylA7PaL@xxHNql1TGl{geHI&
z07emrc>zV-68o$JD54v{vu8`l6Cn4lhfxA>^$NZK*?fuH|24*29*<pDfc5s~H4uFX
ztRt+P-w&jA^34~2i8S}5j&u^v`yA)>C-8hX-u(+&$3X`&nuB8w)J5qSL%#}Mwz59X
z+&UIT*tYO}1AQq6q*kJUXU0)YJuU6y(I>FzCoC(go93@vGD2bG=ZUD+%GCTdsl|7R
zF^OKmr>-!D;e;PMrS-Ouil&v4m(_U+@6!Sal$=%hxYtw1THh%R&+~8EF~jO))|?@)
z#y8aAu=E$N?m5Dc#APOQtd^NoPez4)ZeiNoxZk#5v7-*zBmK}f-e8IS$uJ5Z{y*8s
zI;P3uU;BKS)_euU&p|c@Uq1`w7kHX~hQ|0R)M}t_e*8H`TvPPNcM7O@G^y?!apCWq
zgZF%TTP6(u1P>lzA2eUnJ@p=)AC`m6r;m?o{9~K<V4u6=N};*tyrNfS^ujyE55vED
z#9J?X_J2Ujo<MmPdfiuFqOJ@uN=Dc@FGo9IU5{Qn&7il=zFDxe#Kv~~2A{{Sl6ZP2
zu`q-^5Ic8YTZ(QNug;Nb?`WM|tEvZU%;`7ku#nOuEypIk_@v?qc^-?f_Su$AH4>Ym
zUce5k6S>lsf9XD605`mH+Vbp%H*fVe9)~xT2%!ysD1Dyg=uT3t&{SQ;IQlvm()j5b
zx<UYI*#gOcV0uQiu@!<-cRz`0R9Z_?;il#^eNMBiEUy8gS20~I2T@_b#?qvcICA4=
z8C<F{oNTK!ofy+aS*lM4>YYAtgw)`sdnR2Lx~C-+-&xTS8y7BuDh1;XvS0XvC$%A2
zr!Z2`8$3^L^&r-)IjD#?M@@Pd23x$RZw0~SHIC1~r#o;Lg4?wuCBYz_X+(u~-04-c
z798dEE8Ld<c1os}ZIYT#3V~3iy}g|COUt9@=O7Unu}q`ccMnz^7?tU?pMm3yh^)ao
z6iv59sQ8!C6b^_UbE8Kc1vgb!P9b_}Y=lyCq7PpQQ?O|U#`zN7ub^bo+!E2iWfF8E
z1ru*2cpCT<i*-u=0gv`<PZuN*JIYh1qKgEh9KoarU%Q=cp!Jx_;h54scxZg$ewaUo
zzhx&YbFNM(JTvhnZl0ZudD3B}cW{j#U&2E+ucC-==WJKZ-G#a54FKM_9|b`lgPYWw
zA3yrJjuxd`=%l(tNX0)^P>Z#&s2(V*685dP&$|TFAZtpUa_+K)KgjdaM+P&ahC9Yz
z+9Q#s2E}m+<~~ZK9R@+>Q8v`tkEj*T8XO-M3J$~WuH?|WsG&=;7-=;>-6p#ZGY^*I
zc-I;_1e6Uj45Y!_9y8LG8h?A<>l7`ZhTd>x$~mrye9@=1Cih9WN_a55Ya*Ez^tb)S
zo$At@x4zh4H{?|~sj^1ey1h8=P_v(OvpgQe|B6{`3pR1QK};bE@E2%pQwFKlx|go-
za6pa>)j722ynoUg)M{+G%!<cIxJya?PNp1#OgzAXVkezf9{Zbyd423R+@_tm7kZGl
zg!nqaZBXS5NprQpM?%b`hmt@k>T>BXzHA5F;>HWJc6~s8YZ8xF?Oh@Z(1H7TFOD(Y
z-RMO~3KNAG6rJ*0CLn$JN%ilipTcYX$j_QjgfoNhNYOX?9He8}Xrn0`q4utnl4Xo~
ztub;6cMIGNuyIm&C(~-4+uVw#Fv~HiL>m{fp2EC&&jaY1B~U!E_ys|BJTFE{W6vkk
zZ-~W1IfN23*uOm-sHF&tH+~T&4I$|9`I9V3UOX?TK7DbL`;EIxSHONbxKK0EQCb5{
zqw6wL!#{@bI+3F^T4!6XrcCA7m(XAP`&_8PGU7M#*PIjt-{fJ>Tv|Eu4DnP!hkWKe
zQB4>ew8z9!U&d5kWd1uo=U%bFYFoAUqmIbUw#}^PhDh_bD-K@-pQVmhwArORNX(g>
zGX+|c*16!Wo)iqA*hz=XqT8i2XH-n=Quo5&L4ek#3(>t-9t)jwUqIa?zoz~)usoCf
z@u4)ZpOe=69P1WK^Kh?hi(X8hi1}1*>L+#DbeVNS$G5VS5L7E1Y=xdyB|Vmw#sf{Y
zK}WIQ_{2OcZfMxuugPf8<ZT%!klIi}mVJBONIBnn(jm?2X}vTQ5ks~I@Tb(|la`DV
zQ!07dy$5KqE}?#BkiAl}ko)tRh5qv>&k<C9B0~#OlKb`?7sQl5+zo}%KsO>?v7ibk
zZDekBkp9!foRk(XtCNYtr@f;XmCu#zu9w0WmAZzy2raekH;M=$X5<4f1>S^u0KK~d
zge1NX09cce95}oN`ljB2q~0!Y)<_=GNLeK0IHqqUaP$K517Bu=k%gRq$&U)N2LNRN
za1Ug^1EbrUFI9XMnxOfZ?3OQ#Pw$tGn}Aps;K*b5DQ~?E`LwQ&aMmA3;`HH)&BN$U
zP3>2Cr5kZ)jF$-Bg0CLtC~o9$ZxC^_BoElS*aLb4CP~S+F0mALN&xduSau=xcW({X
zteF5_@`7(0Iv~wnj7|$94|S8eoH2G;oy%UOvULWSQzuH4{84Z{t<6G06RL_<xo0A;
zO5MIndG1tz<sWs+0WKy*B>&kgq#zaWUi@_KjUM&kDXM_I(y_vy5dXrT@U##Y+!~4y
zq@`r1ECvmR8=og0yC}v^PLdvP3&buwd5xSjt}g8}rC;9;yqV?Ie2=kA#<1RIyaC^f
zpt~FB_xRAIaV|5RWma}yP9dhqrN@wI%aPt&m4>W$OKGKo3@p*Oud-b5i-M$np*Kw_
zc(OZ&GHXV)bX69mgV<sEY%RYo(SFQ9&Thu0w6Hk_l-icR>(_3LZKCvHa34Hs&uvDe
zKz$|g!XWazX!F@ONEty1ShKgZJ?y?te>{h_lKC}8SIQ6X?SAUwn)viGluT=s-Z;du
z$t%o=%V_(&8|rHRZ7FXFZ}YE?8H;+P=}sX;;OU!(i0FGbaW&#@Eb&%ZapED${;bqc
zJqfl#6f7QzX0qpja5j(8=_CR(u51@7t~&vk_1Z@m;m!Nvsl@$fL<5%h?eQ)mi(m;p
zi;%FiO`nXEFnp0tPVBY~{V2@?rPyoU-!CNfV2M*8EFE}>0;3C^0$oX?LxB68;L95j
z`@thqFW_qEI8&Hc`oe<&LEts(=oXOKR^l%7`{Ci_+CVcJT<L1)RQEn$nXfrgZo~SA
zi>1<D=QHCMQ*y+ab3{abA?s<*i}i)K9^Ui4<6=FCa@9tTjr#2e+bUJEt$}07DQ3I(
zJ}VCg6njK@8kQe9ws4<%6m_o%mUUYf+?PU4;NSIcKYB`O3FT(EbiR_`57TD-(m$lU
zmQ{Va6UT%@^$58_S~YUm`EKg+yxq)$W6Dha3hu@8E%ak~DR<TU#CT?-<Yc`3lscGh
zbzs^kifJH?WI=!CjAT(4-}uZi7{MamJ<75n$&{v>P*RJ0g;*Tg=$)<%%X56&N@#Cp
zDyByl2qi8wq2en3^2$304zimSFubT=Qq5X<i`S2@?Dr{ie%Jhrh*cgxR)nfjZQ9#M
zYPJ~%q#;h%U$$Fy=-}`IoB=E;3L-r+>eg*=XZOr)MRk6-Y}b)JxEeBFa^kw+vn`+p
zX`Ms8Cx6*zBT^1VH80=67jg58Wt{BRt`##g2=Vfk?%daC<ihLue~yo_^Mv=WQ*tex
zLZeguE`fXca+<!bq*oEOy~OB>b;FsxHpuEvzjn}&A9K85lEERX5ZE8!&2e$uJI)Nx
z)h22nlu)VZ@3;NSK@le-w%A{YXd2#O_j@$raQ7}GlzVuJ+lqze`sCAne$TARo1iVJ
z==^v~Xy<INS6h^A0RBt-XN;*A;tGJt0o+UcP944gfEbcufR8rD9JqA&z>LgXCw#|=
z<dpVjY%k!F;DwkUIAxtih9I&#h`FvIOzUkMy|llwq&PyM8>Gu3gcrKp85R91U2C$m
zyIRbjrz1Q*cAYUX6B<0uw%Z8;e-+4|LX)Y%jzo}P*PrB;zM1@^7fI#B>r@)ljQHtk
zO+>GmB5PX)y;7&mAbyu9l;1l1*{Ce?Z&qu)T-m>v+UrQAK1jq*tGY(kC;Q2MmGpmA
zMjF$sQ3!n{bi2KZrt}9}YtI^Ax4ABeMZ^_cwQ4PJ*v8cQJoW77K$~|2{p=Du(S2Ut
zy*9pU{H$mD<tDA2HSXw_3{rtjJe<TKMAiv{>Ckv@WGWd-Mz`xem?pH73LAbJt@gL%
z^9z?@cAm{!6iz9*33EFwT-Y>LmZO=Hby`P`8B~8KG?-O)`Y<-><2Z)zetjJl?<G>Y
zx$)iBMAH2iEV(cJ)`?w;nku{-4`Gn8539;3_#?Hm?m2fv2P$9&HOPCR&fcYU_b*-9
zp+7`LMg*}z8p{%=2iSPi)o*^;!tqh)+Zoim<<HcKb>+(vLmG)@bCNBU!%H!WDVBu(
z4w0rXf}@QpfF(oc!e-ZwXuBGjDS7G9<PLt-z3e?p%+rd<Er#6dYaG(GiDdZ!^@(s5
z3Q<piD4ahu7li!38}Pi+Iycs`;4nUGy}%LtT@kVGfW(*<;w_qP%B+?8G+_D^P#`n-
zZ6pkC&IlQc+Q)wZFn<U6Z32QX@}DX`rVJm48IT43SboFy1^|aATQD+>@Ovq_kRw#~
zsbDKuZ|i+ha1&(U^bUBogui8t0wNz>5fZQfdKtky`|sGZ>jr;FJAmv*pnw^43mJb9
zLkAPa{~;UPWi{@DOtM;KX^LyMmfe|k0)Flg=_li!H#*-F`|y3+6ehwj-L6#fjY~XD
zQ`aVN?=?|q8VhyCC19DhR>nY)4S-uPYKlU^5_2QXD-@c%lipa3wTw{=xLOx99HFrA
z(5~0GMSNi#Op%gCy+y!}3|sB#*+?SMhV7i^ILD7x*>3HKZzCRTe_pe#B^LP7GBHi$
zrkr9xf3Z2%klACO)$U2Rq=;6u<Mh{kW!j|}2}A0WS7q;Vu7Y{9$zaj+_*3*QbaeAC
zWxva471|zOo@|p{Px~bGfqbtpG%EGlWfI;1`a0Q29Fo_A2QJ&cI))d6TI^lhwS2n=
zIoqa^ia9T*2Imgxfq&bR8+1sazNX%mJQ(!(d~cWH)+$wo6?!*n8Hez*@mU_D3Y$LW
zP2M~slu12sxEj5Dt&7H_`N?;W_9!EiqT*>xI?_ke8{r8Xl_`$Tk>Y8|&B3rWgTt|N
zY?13!yYjh&%_fGN&y!*9jL~_ry_h!;moJeegtRUcZC5A7zQS<R2Ld}c(Lg*e@=J}*
zMBtYlGDuuE)@_M?bRQ#KI)ZNejG2^=WXY!ZRN?iHRcB!$$@nhjf6`@{tet!2Yk^6)
zyNpCnkHh%u{KYTq*Kf8yR5c17qL3yY<oohC^tg`EZJQRhCEKzWAN|auSwzMtAn`#C
zVo=<F4g7F`kBz-hSt?fDV=lE?*A#+<U*!t4`8waBixEEg31pT~vvi+(=|v^`TCg=u
z@2rshjVWcgL`V|^!)znKv$Q?uyIzoN<!u0-=6j0)f7Ose>SLXlEKtD3=If@-*UvN@
z&vug>C+b&8Syf`U>Q2g+qTSiV9=Aw?J56Bk$YR<+5D12kO)d66U^<{0ff_E*FmYvx
zwfjQi9nLIm4XCULBi~q=tPSbsp7g0m4`ONF=eZhZ)>I0MLSj9xUGp?ZDR2>D@Y??6
zE}1oJQcmiWSuBlXckTPSovzTOYz@3fpQ#!&yZlbWWb%X9cpsx7`#MIFTMm<#hk1hD
z|Me&MQ0zy_X)Nw{;{He?%i^eOAGNQm)gDcP#p4^S!=TH-lbXdEwd!cNCLOCK?Bah6
z#RB8-BWpYxeQxwgzv6`eYtkQCu5<L4HsZ7mw(er-*#3PFg9XF6C(!5w?{DtWi!++b
z9SFy^c^&hCyyp`Stt2@e$^z>8Kcc3L7;;{jQV1!;*NGZ@QF&|B^|(s<ZwLAZq3|yR
zreFA;;2~=ViLZW_mQ<I~b|r0rHCKDUCdIaW-)tBsWq+Z$dvgfI_c^3D9Smj5uH*?L
zfzed>{t=LElqHu`PMhsYbVZi&+hfajKW-VcBR`8d;;&FzJ5UvRtDA5H-1jLPr(kOX
zlY#*B`NvHvYoCO6^6H=W!&ss;e?=|y)EMVp-|vqZAUUq2D%}vMYbW^ipe{esxRbg;
zp{9x+>JS**&=3@RceYQ562%k!B_u4Y{o^AQxPX@uBR?NIzYYKMF&3)2iGuJCC@h*|
zmy!Y*nu7c+CS=e*Ha%1IWOsq8P1lPQ9>>S`&cn4ye#1-a4N>DXhiDZfMYEU7XztS*
zPpCgT(E|Puvig=-#VCq{zV4wZhhgbPWD~aBxgDPa^t+{%&JWHKGY`P@hoVwH3S##Z
zg|Wi0A{nWIV`znnoR4rZ;8&I|D#|s{8oK1MNGZLIV;ulG1IVPtUhR@)-n6eOS?xkL
z-&41__jS%-lCA3vbpjIh5TSL!-Wo$TPn(Zp!RPc96Khs_XuMqg6oFhsCzhq#$|qa@
z>{@KC;p~UCpy3drMQyw{@oOY4@*ItKRq&DjaVWOd4Ie&x{k9O1P0=JaTK{v<3%6R&
zbkpEwEHKLj`RvcEp^nD0?Dnup1`J@|PS1mP+N3$%IbKc(4F(3BcWXu;Va<}6anQ&H
zSuWT5Dgn+S{^8O#bU`ZoYscAQ?J`x*fA;4p7WS!Dh>_l}rCz@puzw>{KliU31*{SX
zdM;q5`xT+9XJ|Uow){+povsgL;5NvQzA~s0UlglrayicEDr7S%F7j6H9cpDiz;<re
z@WT5Z3U`m^x!y7uTixO)*@3zo(cZ%%&7xzv5TeBL_v<b)?!5nUpGl9P&|QJ<K;=B5
zc-=4w>xh%x+Xxa=iY@ew+LfHI)a{Pw?)W&{Ll(rnU^dt_auale3)~J)K+OS+48=o0
z$_dC9kU%WD7i5Fo?Ffs6-1@?O`3|Zb(0CJst_BpoU{BBsyBHkl##_RB*x>axV|4)I
zqEUxg${sXaE^e%wLq1fsu6k<VJxaCO932kZ1$&*@9Ds(!SibnBUn#XE%SDGoTaJkU
zYF61)N7T|oU^4hf2TRC*!2eg39TNH}<6}Jy^?D!*zW{#5H+d_i*HVfLM!#_;c*X|M
zeqom+&R?>_b)8Gde2vYjhsNwnhA3pW#J?P{1)e_->MhX;tt7-mZ+t!>%C~}c`Rx~6
zbIo(EKTU-i_A5Efb2)E~Nkz*_ogCOo)r8-()Vow&I7ugxTL_Uh=32@RJ6%$nw!m`@
zVk5mj<(ss*LjN_E3F+73r|v7_FXz4Zj*To2*VnbS32%v8iI%CsC4#{Y+@oiv!j@5K
z`LxHMl2yVN!WFyMs4KWYq~EHz)UcE%j(xImmuCaB(R4AoG`M}f$#@|5C=eL9NU3_}
zYZE((8Ft%}hR}m_D=wZ6VJe7hds9zbE^w~&yl!Br3Cg{v5DESoJLOMm+zG-~X1>72
zc4v1mqr_-;x?QFMxuF04QTeQvA?|9n9(;9QU`sn`O1qwpv|!7a6kI+vSW(fLp@X;p
z#j-B(BJ3#iIg}Imn8lb?!odPFAFe_Ah2Ws=eYZelFoJzxF?==c(j>?s!h)moE5{I@
zCvS{YYsAAEfn`_#N|hOG<n<mCb)NgHrW32y7clYFhhz(w?6w{2CjE2=Ffn}~r|T9t
zD*_WY15tQ#?;u}Mx=}HSFLs~*^C{(d0CCG-fUY54Ko&w`;7MfwVgnFDEPB!VZC7!c
zOa8g}(|@+71ec(UJJ6CJcyk{L^I5R>IV%jA8^{Y(dY3?9`t$+-Fxh}FILiol+<O~@
zP5(b1#+?9wH@qoOyj>~q^Zw2Wn-KONl-<UCR~!d;5Da|)(k5wtJpEBMMwGHDveD|o
znyhnp*Sf*3G_^BiIj=!!s5$q?j~$6ZJtsf!a*z7M9^wnRv*vfxu0@_d<HTtoU5r99
z4R2&?ou-zUPxB)&I!WZH8~G>ACKJP|acoku1BG&9+O(;UWmK&H;#VALL+>|44BSl(
zMO|9bI`nj_yx@%j+R+l<Wa{`3Q1cRq!uy{Nsnj+tcxf$*JVdEG&KbL8FM?+m@sCBW
zW0LF5ez-C1T#0bM*0~4rlb!!IQPuIGUdeDlE9`deU=Cq5lYCrQ&zZX1w5GISz8z=o
zH#5BE@JTNpBMqu2=Dxa8sg{oZ$0MU2_Qlouw1Ov(-WwhZRd$V@CNQKAN;ZfT1X+|f
zOB9FPj#Rke*2Q^JaIq<jEpSSyViFYhcY(5gb&Z5e_#f}SZc9j-0Z%d|=`+Mg1i4p}
zl+F*YB~6#B*6?n%R+RgqG*d;7J{?YDSzSwq4{4NUUyUuqeW+9XryKLqYkuV0f8mj>
z`C8ZQ-*n;%%4`)NU4}ArC6zV4^&82dH+*Ns8&40J=+)g}AI_&fMh@QUYO{RIb<^A*
za-vvke*Qz1zS8@f!W4x61L7zVwNgrsVyY<4^4(=zLg1cGM_v;6{##0yI7hN2Cks(S
zaKWa|Q%Ju-6th_Bm$G&`Q43Kfugt*aU#(FJ)xY-Iqe={NP*0$LK-S?$YUT#;^$jS1
zqI?z%`=9+ENBRqJMxZwJA6nDv0KwOH(AHZN+StoL7)61ELEX_zvS$-)6^Jt!=3ZDI
zp|Oe}r1U1#{~dk>5skLTgOdK+y=sx*d3{9P%;Hp&E;6nc?L<V}8H!{n(qQnsAIOnb
z=Juzq+a+FApJfwk$}m2<jM}dpYEJ1}GQuypWy|Q-#q4;sJU%FYsSjc%)}ufi+V>4A
zT$qCI6+34OW|h{vVWw`-g>%YzdI21&=Vcs}fn%BS0V_#LLn`l#OrXc3)y<v@yV^Bj
zO0MH5<eR_NCooMB$!EOWuU>1+^_&lPA>LC1rZw@0&{q3WCx}Zv7k2$Kkjgt>Q5**~
z8N=iKUgpKo{?ePe3P?tHkl5i$t$!;h@ATda#Ut=S3Y=}boevUEizLS+wlyz=8w^lu
zI)i?_Eh7fsUC&q;mMLK3zRdg<^!a4Vpgd#zrv5rIOo?8;f3rQy(P_#4{V0;8n5tvT
zcQ7+HrKumzUFP2{yoFBR;`)sRk0q2mni!`2NRLG%{!L7}3yy;IF+wgx${<_ATzzS%
z)YkVGZgns<wo6-TthF$zp=2r6DRL`TuBlHMoPtXeI~(0=CrT;@i?x@di<9{D{ZvnS
ziztFh6~P_XFMm|H1pI48A`K<M5zB9-*qPp52`bsD>P0>Y#_sC@RCeZb#S#(lW~qY0
z`HUUl&o~>C1v;piD8-gNIgTpbLJKDFvItjzFCaMhs3(8WW&i0GVEljU+{Y0~`BCdM
zt?TWlV?Jqr@&$iXw#a+p$T%<)aW;^IrM&l1iUha7#FpIipvvJk&i{(irz62^;7|kL
zPXS=ofUfpzGQeyKWV7`yk6~X5lw0;6{NLII28<)>?tqU%NG$y=IluSm;)DeF%HIZW
zdRVAp5_|_CYi!)3-;)R<MyciYF)Q%(oI%fg4z>KT-&S$nZj?NIh%qwVXIv|Z^<Yt*
z*0B{N#<?);I?kr0_N4{mi%c5lPn~@P+26)V-P3kF@4Q?2DI};P(GxgdEBE%FSq$#@
zXfiH!o`iL^7X~WL9gUFL)Ahp;9SXZeX=>9X7Jsg<ZJ7N{yLaQ3X+ubEofNB&NqXDI
zC%TTLO=gH)I*l9jqtxS~eVq7(XoYWoS@afTIbHkB*WYjKkhQ{^nT3IF24e?_@lP{r
z@a6b#llopC&h9J%Sq^p)eK9O9y>_d^tCWdR&)uwI_aLyr@MFF|VXrBU*n5;GVeOl=
z&L1n!`=1jvT=_{k`TkL%@M{eWKFLd-Iwd~trwhdDN2iQ7GDPMYortmg_fq1@@)9Is
zrRVvyo@{z_vA<dv*!RtaYw91@BWc?8Ll~wjJ&DTN00m=fzM3DY5wTMeWieXP2RcN9
z)2^Q3#de2^P2<D7RN2GLHX(s7e`!gu5b+fu3%h3UF}JxF1XOR6b%F&#K8(^E#5BIP
zl!%bzvJ@td6$-g=_Z1a-Z$jr@E}s0NCGWu1e3xWz!4-TV#h<9%xd=?mtF1glGs*Sr
z-cYnHX|a*l;pH3C_9t-U3XMrXpWMO6)XO}?i(<Rb^F#UvK!5>)F2GpO9SHddk@`RI
zdKdfwDD;*9uIdkBT}P6i7=3To0U%faj~Uoyy*)G^%#^q_$riumNKBLK&&C3;BB$_Y
z4!*5Spy)~m(;qkM9q_b7gGo<m3k{xp8eltf#<~Yll0SVBPr0;0?K|KRQFyaP`64j3
zzk>jQu6@p*_z*!F(?+ybbXUZKIn&H1`Xx&qBT+L3q0_ZtV`hcMWcs^^>Pi7;Mc=O_
z?TdppE=>BDP=2Ix*MGdRRBbzdxn(6@S7~Qva}po~ICW>#lK!wk<=?at4gP8rR+4Ps
z3K(0YEnKN-arojRJ&tDS{VV7@)&S(N(MpPEN3^2)XKLdqmod++{VCowv&mId+!J2g
zzL%DtY6Yk+Yit@nkTW4-Vk}59l;byfb*UScUXE`yyx8cw!s>AD7{sbZ3aSnLbLT((
ze6~p7s@Pkk&0kxptq(29y_j5zg=gE=lHfvv$G2_b(UdFJMy!y2s_5=p`hIDGq^pDV
zd6c_WZQ!7E|ME_A!_9SkXb(Q=vWR*<$J<-{LRibXq^^Ff3_B_A`=+P)D}7Kz^z}uy
zz@f`FMGf$_7&IS3(A>Cx4k1Z{spC0=>1j*bmaV2JyrZc#7=Y%M&(+JLW?8d~ej;EL
zcB3a18DQ7X1M|uq>fLNA<H+T#4IlTwDUdeT%S#ezrp6N#zZJt^f-EjuGtOdP0d0i#
zj5F*#5UOfUoqi$Z?0Puu^s>LfD9I?Z0lSLIxA{H^dUyu?153cFEjVM~AZy@y;cF{J
zxIV2V5RXaIwHQt`INJMMMWVAdXmNN|T-`ZF@*ACj>7B2NBg8+Mqv}zK{grrbnlNh3
zA54F|8x1CU<6Oah8)|2uJguR>#3h|ivdT{5DU@h>Ge4qzjFl`Ej<fwSv}UPMO+WY8
zAO_Q{yLpt<vajkljMmM`yZ3dHSh|Y&GeOttjo$B5CF%LsLF{lXmv5fYqhu+xfdZ;y
zQ{g>9pT+d>HMTUUa2FFVd1Q3TsJG#V3vE?@`{NU9ST5F?>eZO8SKIvD)O(((t(0oG
zKkml^EXRK0<G0pETNoY0@rx93ne57}2kw_(GKkY6<Uwx=Vc4|rrR?s=6U*BY;bQ{T
zDqk;&C(!Ruz7-XOu>L*FLk~z;2Un+2fNsBWi?=zL4Bo3E!;i|px`h&-DQn)_%?zS>
z%0ZrcFWvoYBdr>p>wMt3{aTXq9&Tk+aThI=lqu|mE}}eRilLvYA-&B4CRM9V{ZnJ+
zyum)|F7ankU`-M(4~G$OiyzI6k}PVz%wHr{xrt;-pvcu%Z{!to9}Ma>@2pbed}#~(
z1df75e40IIv>JI=Ax(8%J(6@?AUzvI@X<R<#7KN2j;F`99ZY*K;Lr{l_}zC#ikJ~c
z=ut=5J|F(Y2@ZBIP8CjO$LWqT1zv`3%3JIzm{xC1Vl<j)=?Nko@Vf<gCO`u2fFHaY
zuzT|-^erm~80?2W613#z2jImvpbmgHL5Gb;Kz`xL6%06mnV|o7@9X|r=j~uQ<ZVrl
zqqI5A@%$KK5bLeY6I6H(t6M;1VT$>ZNGISkzwlR}pB%oH$$z{8v3?N;bvvAdO@>Kb
z*95Xt*6P^yJxLU=O2_;moJXk|i<#L)ngFEr)V>!SKCakbN6YCuv|G$%gx%`Xla**4
zWaMb8&|MDa9>W_SPyv=NAz$jhCF+R3BVhfV>E&q>I*0RJz+Yk_%a$@z{-vOGdG^zH
zzhiC9l3z-i_2YA4n-|MJCi{f%E%a5tG?K?<;~34yVl4_g<}>OLt`OoT^%!uzATVq@
z6J)J*7kc_coX~q13rj?QuRZy3j*3Nj9GCMe{k<*3sQat9Rg92FcR~X{&Uc?B)lRr)
zvNcFmb<z3BeFRd5XP6#*`ZQu_Vy}Pn%ty+TM~tbPffOI^M;&z+p*OE9&A#7YB!fhx
z*@B&1VI;qk!H`S329cD+&LByLNz$RsNJ_gtqI@J26C#nkVIfcAKh<Kfz1f2{{+%^E
ztR1#K@R(iZEtNEQkFq1H3bd(%xN%1Le~7tg*Cg;wm~`oCqu?ecAS|NMr>~otSF-xn
z^ogvroqPXK7XOo|cU%{eufw9aF&(4Y%S_Lq7FH;`R)1%{^0hiMem2u`J5#^Z@~m3E
z3XRfxt6RPk6W5AGz!JBopMtqN6j9t2(>3(`Xrs>ZCO7dr)*-HKYPG5rjK=$)-E-*%
zdM`I&F2}(?vT>=MyWRo8!I#4Dt65i(cc}$lZEkqH7Is}H48Md^m#KCaw^6fZB7``+
z357``T{EYndNqz2-9K~!XM!#<FIo7>Km-OJajwcAT5dX|+OOg2OOoBU`E7ZAeSS<N
z32$R|QFxQKHu|~23Atll6MXAg@}(7ZLBldE_%o0y;0bR_U&4yY5pP`bG0$$X>g`Z<
z>h;AXqLwxk6{goITYuQDM{;G1G2?R0*rmCjZxoAx1Iwvwj+>sfut=3R*4MCYDomY9
z^}9PduA+ro#Z?H3&+YmJ-|^mg8<N7#{TQJ)bny*H*Qe;Boz@p${>@Xgs@?7GpWkz_
z-m@5Gs(KN7(!jU*EqcElc;G)U_fEQT4Qz;wJ(^s0dDaKl{Qi0#=4F)#c;+kAcU6tG
zhHsPFf0-v=UF|NLH4neu56vJe{%5K^+_+G<Ot%;pN5|Xayfjp`g0xpgO+#NeV{hwu
zl!Z#2x-9;HaE-h;c{(sA6rLHsP)yLIh&625-AiKEbb%xqlGKc{n#kP35Kyxu>$5%h
zxU5=MbMSNsC8*S?5`P5(KT+%ddnT*{sqEyFhRlYEuE#Vd#4vJ{sSsic5j+$yaHYi&
z{^|dI!2nZE^Ef+a>{Kr=SBG3jEA=T*d1a5k4SQE!#ObNK3x-Y!CQ=3Mm8w_GkP{^r
z6xGvdVp!*(oK};@4RakYzh-0w#*@WT5IQADc)XTL#uHs@L1rlxjQwR>TF!?nlACu(
z1ARYU;u(}Iw~9bUH>ZGpSk+4{o&KVaJO})E2Zey6E`b+8zZYQSPyCzS-W#zSfX<V?
z2>7>u87Yp0`~;<a^T_1%fR9}Yd<LR0P9p9GnxcX|VA&0e_B#<O^|WxMEzF19n_^Mh
zw(Ld~lv}Q!r4Sz8#S3mGxyCkH5yk35?y5DGY|xcc!jQj#({iki>#X1Q%17i?EAQ&1
zzvo^!S(8;v$3Q&9D+N8d*mUh3EwoZzf0`y=-0zQfvrdS@7>9*n<=_6=o2Hr!>G;4Q
zDApC`8368|fV&f~<Khz2QYY^|#2Z*4>OnF`KdS9GzE^j)aNWQNq?-`La5F!3{2BF^
z8QfE|J%f`-bzV)&<THo)VNXZ(@19FAnD%|z%>bE5q*mRFR096cVe$Qu1})$zzwrc=
zhs`4eb4E~k%7<h)vusgbIv5KREjGn*RmwrzyML~BJ|Me_{;{Y!Y;UXFM^^5zNwZG;
z?dlf6WLb__Yw5PkPtk_YzO77+e2Vx}PN+43XC87Biai%L6C7I#NA8xr#A~<;PAwvw
zNxuX&F`g8}@F`T|Z%H|=8m2=Z?W^!H^o|nAln{<<igpS++?r4$YF6VG>%@{B$_5%+
zBf_Xj_Y<hwfD5S(O~Kry;U9p}t?ie>R$VHnM%p~$NB_|KyV#auytG;Y<@K>6C*fP{
zKpYmy?%2?{ck=ILf5MMK?(X0)Y5AnYUy^v1t*3W(ogCnG1+8otN&-b5ROAh#hFZl+
z>mou3_OHnDu{uU-%G{)Lzk;m`ApXZkB|U-5wwB-Jvw_Q#KjCkB|A1Tj&tPJn^jA<B
znzM|u#24Q$j4i<B&MWZmnON~^Z=8isE^`VbeS7BC_xIX|e(@NdG@%=R5x-LEXAc6@
z`uf?vOI)ucFO0_`bxJlC_b87{RG|-4<0L6soP}KBUu)nvd<pNZCd0l#9qt-drnBI;
zqGVFGGk5xS$!Ma$1o!q(ufo7|WQq_2g^Sj~{t@*zPmFx_Z|GT7?(%lBVXA6?z5V_f
zmE<lwDr%Vc((D7%k{8d07qxWV!>BkeyZEaMq(qMX-!zOZUzRl*0`Cf{65sv2!=JIr
zanL2fa^ZyMo~b3a!Py3K$B5M~?a3bJK6N}-p>KhmSgl9G^Osv3F>;!b*OFi7p;!Fe
zvEZ^olV9P9C>n9^M_ic41k-0j4MDxwTcB{67keg>y962IIDHMF)79Zh1M!NV4{G8i
z9DS``Xc&Um7G7tzJ=4rDMWt`Dcp>Bo;|<rnXyzH|&HnsTXsC!nvoksg{pdWdG~~dT
zP#5x;i}Fdph&(a|*u!s}1j42$_Y7uzfq~u~O*h}mf8LubhS|GHbORJoTMQXN>`7{G
z!}pyrQh}p-U~Arz22n+olV;6D+*EYT*@inp-Xvt!;+ScVx=;L2EW8$lILE|$>55>9
zvdiBk*=cE~L;ccnDmmY$_)w;csg#59wFS3J7-hn3BatyfN@1Q-(=VMkzjjpg4bxt#
z#6&yJ^Pz4F7z)R<ZWPdV_!#DbH*a6E;Ge)Te;6WO*5%gL_vq8#cmtM221<!~t<t5i
zcy$y`VhDx6niA<fm`;`L#7%6faqFD#d}%JMgydEUa8M>F5uC6pRIc<H(2!iv*l!+d
zXFr%CQ5njZzWGOF2p3*S<^5~eE?izmWit%fcqIQ#M*q?5PhQBteP2pd{IeOxViAtF
z%F#&!n@fJ-o%HN{>_L7JRE^%@bQyYgF5r2<<sp?ob8gwiF~zFvRpK)P4*uDLZus`$
z=qxL14yu>hHf`w-tf6Zs(V3{*YG58jD^bm)vaT4VnxaO!iMyCD%(8JI^|(z&UprwZ
z|BPA=?Y<whinzJi`|IE438n64W!J(bYZr}_THV5e;XwL8CiPDoq?ZnQ?CX;5Vvc*M
zpM<vN;4N&4`GZuR9hdf5f4ssY1KdNFoLv9x{N;E!2Z(#Kf~9Q}a78fk<ryb~!Isr=
zdw&nwHQEjBiw4A>+KAFO2OVgH#bL373zOY*^)+t|4kIGt7xidGn;06#1zl++u|8(z
zYC|(LpfS3o^{2&<?~XIV(_J15F1Jw$h-!~*;;l6`|Fn>Nf?qvaCEtCf>+8Xs;>mEa
zU*SZ+;_+2T6o*9EEQ~h2+vZtz{S9<&uG6{MI7_<ctegbTz2_{lgxMT&5qYoUm=O;j
zeS{W5sg`4B0rh6@JU8jStI^|*q9Nq4^2bo*7ofNEGU@yPrkeshorT1~A0iRzf5=CI
ziriJewa_n^Qu5C~KL1Dfgggp9PabqRd~iP|9}fa)V2F1?$$f3WIRX1xfe`i++<!4y
zG9OdC6G5A7a91k{Ie<L_`k;jzxEDck#|td~m8JivZ?r|wM%}$0&J;ig&w2wQeTV*F
z$dL|TZ13Dp82<Za5+CsR5w!&dz{qysAdI6HQev)DuD;n>g!xuXc%+kuGqcxHk$gH{
z!{02)^6(dQu~gqTSZCP#gQL#;@(;>?!t~~D6led%c&<BN^zo-Hg6uk=kfm}|4?pkr
zzEWFi>(`PDiW+by7tB<xsd|Ja9^E@{S8jFwCdYC4$=XUP&#)RcuIF24*ChGubTi3l
zCkWEGatvLC=A4R9{*>-Ftc>%6VjCwxBiP3SMee%vGH-n68%&QJT5gmUzc5kH)r_*=
z;_`LH4~3y*Ar*SkaVNjqRJWnWDn}podNh0uM)PLzcl(ZC*Ql|TRaz7w;S}*6-B4N*
zb4yqRJ2e?%?k}-Xt3Am1Vil-G;T@iZ;aaj?T2P4|Cj%@aH>23v7)qe_D)$}iqnb!H
zy{Cbw4wqjkf7Vyq{lq#R1cnAw7C504dB3vFkQ%}Y-m$r>oIJC|uX2;anUQHYf}(m8
z%oegZT~daq7q}q?L+;(FWa@d@zj}|Wul|JP6x1N!<!_7bU4O4%8h#JlKFm4XfHgI!
z7v(b~xTK~`a9I_*V3ryA_S(lPWs4G;_&gHI`&b+{xVOFBXLpEaW242>vWc$cx*M4E
zYxA68p8iWj1nyHu_-OH*pStD2$7Ev5g468g-d`|QiGr=i`m{rk**R>3XAD+FaZZmW
z`j3g^P{x!MyoBr;dYx(IR(RYK>JPck|KqgvasggXAO!jdX!#FcSAduHzyBfZ5!i+i
zVE+HX^;U240p#ZQ-c|NLgyp;o3jF|LdRoAXe;1kZzN3A@_>Z4VY6fSGgLWYf03Ds^
zSRm}9EBg>iec*L@OGx(r!|TlgsJjk~?DIir{&(I=eq_IaVtQM^Ra3BI|Gmv__=7Qh
z10!Qs10QIeTL-BO4daQ@F@#Ovt9GWp_mbB`QAt|r?JlkVMjjxP3EI(H{bUhn@c6<q
za)`ROzc&iQl8Vyb<!zHzZHeMlcf4<Gv|n@@u{uy~71aC_{?w<6OJ_AJ!HVTimU`gN
zSAk!DX54LLSs-yhHWum(W~!oxWrPUL9n7bb9a6`_YdU!Fp-g{}RtaVfdT07BrnL;S
zwUQBOn%^xH*oXWuCFcA2MjuuwAO(>wTzPa?Fj@l>jAT~ZEz}a(VwZV1eQ`rN>wfp^
zmi-gK3HNN(DLTpHC8=XS)U)^0snbV|-SV9D3+gTgn+(nhWL_K!RN;nmYMVHkD*LBE
z`B-GL9pHgFtp7czX*{~<tC0-k?A2$0k;lU8*P)dsP6M$R?Y>#%v>3rRSNmwE$gHz|
zu`ZpFs(Dz6N<+@0Bo;+8odRLW_vRQL_PoeF7MG?(gldEChKr6we=C)!QQ4M6!n|vz
zEDiA|9@!x&`kXPUp2VTXP7#-4!POJhmX3M^oSS+t7LeJd_ISOhTV~RB4FOsUcIS+q
zHukPZFyb{{Zp9N+Gz1e2rz)JC#^#IBof31R!sUY(rt7^Fs>XVB1q}qVlES5|s&_xP
zgiI1zl)e6nxYU}$%Ot8d5-&QQD5?1$6(=e;)S%ztD;lUXntDm!YkjWMS}}}kF(Oeb
zVo*OO+WP3&K_Rz#6K}*^TR;`#&=3H+1+@RYgNz+6fJ=R`b#Z5kPv1UGfj%Ht1Na~Q
z2J>ElALpTPpSz;L5VxS{4}6WL?RWqBUvX{Tdk4ZM0q8eD#U=BR@TA8Gg^C6oON<B&
zmwc8`{B89@k`<0CU(0%lrZknWlZ%o#Y9V~Q{62~&zRUo+MwOU3b*2okL?KaAJR7Zh
zQ9nCYha=y8WpnafTNp<8a8f_+Gg$w)SwWmnw@G`jN45g8(2cb7>w~A*zl2b!)8U8|
zlq%xa4OMoV-Onj=qD<{`z5F|?oSQ;_Xs}TEq4IkL-bSAyaxL{1>ir~?mg|gdajl=&
zB6(GMEl{PvZruC_ah-Pdrk<|eSH$%2Kk@KTI6$Vv7;Uk3jRp+Vf7lH2;!|peQbBns
zafgF*HAC$CFsG}Y+J!!Uy`cni>s2((XT^}gQzOi2RcOIG&86ez#@Q(*W2dG~$h@5!
zpW7~1IC$Fmovpw{5qU;cfmN9S8|nGJ`q}Gw2l9!rZ#_)@kDtNOb@ha6%w$QB`|C1m
zr@SnQ9+ROEP54s1OvaauE+M!ID0MR5mNPWINGU<?zmsjyd`FTI%snRsH0*LK@BAfn
z%bea3%gAsmyH}H>P8!2%t}LuTM;Xmo@7A&{O}$0}=kQcuD+NQNrrDRjyFz};Zkj7L
zRF5=*@9N+Mh06n37VOWJgE@~H-EEc|I_5O}uXQ#k>=2=vT)(uo{Ankpy-oalVc+KY
z`C@l3Z%TA+x|BRw?-M#he`$*TqEF~j;+_y%GpsK?`+&g~z;ykNy<PXZ`Q{6B)qWhd
zAKOz9hk)e%8sMor$oAv^1J^b9Q3K#2o&o^Dhly6Y(nqUZ63I~JfEiL!nsve%5vfoo
zf22PoUt-B%5NLEn{3WHN{heU`>`lQ*N+E1b34{%9;y<-w`Ge9Y@wq)KyeG6hD?Km0
zfwqs4jxQMKeY*rtHl;bLeT<?p?S{bs0P6Ypm$oYa>aX9k-duE=Gb^&Jc>&~QqaaUR
zm6nxls$GX(z6b+e_2FW`{9_w2ecNqLYaG@(xwS=EtWQ9WWy}08xXc1_rQ}#p9)4iv
z%AuUxzI!|Rbc#Dam%380L+f0KrSfl{278tg#Y&>K)r>BcoPXi<1H6X#2$*%X!GmJN
zzT-4!sCz${aW!=58d|vOVL)>$J>T)dY`3m#t5^P6m0?!$kYPxs)m|vxsc0XRQ%?9T
zQ)X$1Lj}xbm{yl^@VCm$jIi>T3d)Ya8GHjdF6<?bdV742?bHY!_ic#;R8+END@Dbw
zMZ4$%^q&#dtvzkFt=Kz9xpX&h;hbozjj<*qM50E}s@-Il&Q;&BR+?S-?X25rZwdW>
zRGvb`ea7%C;l~&q784nq_t?+DJa;zvoVFpq9d18K5>56MCQ4h}EqD7?DIH&IrRekE
zD0d@2_r3Y}_e_k-Swv5f6vOgT6gifl9?6;YjQafLlpn+rCDr(;m#2J_qHjHE?{GLV
z!vRi^^;r*DZjCJG9F#}S91WmDp+lSjx#==Jf(;(QMED<F8=O;cu>oBO#{T!XY~dM>
zavh6?ik%=UUbNH2C*3THvi;JFvqRdZ2uY|L@l8mg6#5!iD`+OyT#}05XJi%KFBr*<
znbG1uCt(kj&&;^x-5ycU!jVf~av=0oULU5!_;7ZexPAc;_W<RKAQ?6|>eDX(sQUm8
zNaX{qpyF-$_bkb;(jWTcPnDnkmu}ZJ_FNSPX4-nY-26~Q0Jbla5Ko}uy(sW%vm2=G
ze~<afJOGePnb(`|f}})SuM&uqO!4?y*XBEVT&Wx8s?|kB<^tnqOqc{O!c3ZE4rV#!
zIj(maC4IN^Ey(0GgJU}L4yn#;(rYz{>Z`G<-{%E<GMyR&-MP;l>Ltvmur4=B1PT5|
zK5o<E?vCCJ@s*^QIN9rwSxG{rt#n#)W(H#%oy7arpW`u?aE$l$ef2+;NORV$<9<jG
z4!qA?sy;NkjJ+2Jw_`29a78QkH2AY;jSVUgH?Q6B;Cf(tizDYE)oE2oX5^xer%0;C
z+8FNrLAVgDjO%Q$qnvYS>WdKyUE;q%5UjZ}3Fg1TJ>%eIx+&Z}KugKez49fnUV-!s
z^{A*uHAt`F@*tbea&Qy+ZF(H>(>Bcf;v4*WtY@jiRVm}YdAsi-74opWwo&`}1)`<F
z^4ZQ2lF9Zb5G_JgUe%$rsB-hhT8funpv`bSY-!wY_~l}>+-OM)xm$Bx+ii|lK8))}
zmPy%p6yfxHYYf!_75%EG)HNoKpO&z5&nQQkJ^!F#3@M5<iM%Wp-MlAIk+oV1=_qE5
z*2zi);hfs{pjaQyt4(k3t*>6T=<U|!_J_jtWwp=P^$IQx6m%0j;v^Ix{GHzDUhk|t
zre&GBD=zFaJ6JM^7Pfac3N8@2h5jb=%c!!}VG`!d|8|Ux1~I=Vuz@w{g(sicF+L#X
zg5;#mr~G0?wli?!A6)s6%my&-c^&!QbP31<OjiIghkm-+_py)QG})hr!G0`E*UcnX
zx(&2e$0!m`ecxxvI{Aqy<79;rZ<J-~I;>feSYTPTT)ZH^dnnXByD99t#cXz)nJ=s7
z2|$UAG=9WL3AFrX#}4|~>XN*|(OUBr&E?%72+B16=4e5OdHia(;9t8)W}cDF%z5!A
zVpy!Fdj09_$00Xph9tNl@b^19f|3bY{(-t%-qT?y4b!atM~uSW@f%MeX-U40E#=_b
zcX=W*&fC`bbM3(24Bqs&-WJbw*yCRr%}ts194l;#mJ9PRQK?EtFl|@rE5aPn$~NLM
zNG`HzgPR(b4L0qg2i2l`y#6(RGC6tZiF>=haQZPyC?&FY0BMtc$6LGc?j$!$bZBn$
zy}W%K3$K%9mss=2aPGsehh!*!gteion#)i-)|*_EdeuyAs7;$$CxQZR=Y&w9MXamV
zqGGG2jzN>`f^<1233z@zlvwn+(2~76oj2tX;C4QU+Y03#G5oV_A46+S+LV8B+j{mp
zgijyY_}5x3BCB1*E`>Hz+<=WFf4`F);IS@aC9et&Ol}u4=wHQ#!NP)%{fuK{ABW?l
zf`)y%zt<6mBXqXGdc1XU=z`D*J8YXYta=M&K3|=w>{VN=oG-|<C!Mmb^Zi9~Tcbpw
zZ4#QRWzY^@fOY=1e|Us<Nwnmpfttvr)~;>SL4Mt263}ip0u=!Nz=HA7hOTzKQ$bw{
zNssYsv|~EBJeiQS1b>vC6UPy%pJ-Q2-$}}Vr3OK|wdQi}ewCW#;+-PvzSn4>p}!tJ
z_1bH5JjrgC?0>R?6_ceybJNw7&j>du4D<Eu8kv!bDug?JrnA~`v}xNFvNtIm@O8PD
zZaLQ;m7B7DYt_L*H89}LbGyX3&BRiZ$Ak$%Z8pzR{(qQytEjlTrVAHH2o3>)ySux)
zI|O%kcWr_Mhv06(-CY`YcY?dSTleAp{xilox7};(u`kxHRaL9zGwn!BW4Rl5K^)j+
zDqUQu*j<H%SD~7RIp?w^oFfN&=qD87Y&SHWBTAc5R*4V|N+b14p@ZqR3fDcF7fJjc
za5<Wl1CA69^3OJ=&K}oCj&qGRCIuH?>vHDY*yQ26Tw0<r*CF<=pX$W?uQn57sG(Ye
z+;w^dmvRt88+LlSsdh)BW^>idT=`>mQ3~H55m~-(Wf!i_b=m7NcoQ{XcQKfaRc1zP
z@-?J*G7xSHv`@Eg7yj(hI@y}PL#Qdf9_aSuGaXQqKg$u+gVel#8tE$mab5FN+BTwJ
z<d*mYn}pFx2uH6o9aCOBPA_$Ri#7ebb1L*@pSar&%#y`Be%M;F_nA&f#~M~{Q^m61
zZf@{OG2wWKGuoLWo*?LNyv|AGvFPXiw3xK}7b7jey6jGp3B`fdWrt%Og|Ab`r=tw~
z0EwhnM=@A8rfya1OM&FbuK1ZN%HsA_wVTNlNz!uKVN^h8umGZ+pTcRm$*(`I!4Tjp
zv?CznB>)rR5)AVE9M1#qzN4gpB`^T*Le9hWw*O0F{@>CNeDW8ZiFFJH|G(?v46$3m
zSRC)OV0<m$iTdZj-~Zb4PB)1EomL0^h&Q|LWP+JgF$p*GiXAF?vF>sPz@|!3*g;$+
zYoeGH1__P3e|l<epu$RH%Y4Z{)^7Z0GURLI_G6G6Q=CXKD6E=`*?a1;`Zb)Zj8(_Y
z7$M*vp_|!88^T}_du*j19)RGjK3#g;FiUtD75!QPOGev>rslr#jQz4Te(&ld!@VcM
z!CZqrx}BZENJD<j#C4yeCpI4uO}*ulg@P7|{#-kGh=<pi^#mU|J7V8y#_M-ze1Rl~
zngmKJEjp-ZHHQp<BhfBMhUaVnhpvO^TKI?W-%$9fzNN?G?O$TDIT8h$WM~8qXJ|8>
zDr`3~KLL<5ZDO;Fn(mBg^{8$IlklJ+E@D4MTrTY(yH#jK`S?~jGG$eV6I<HG>q&JL
zmPpop#=Y9S0aqd<<ZtQra=Xm#v(_&8k+zmdiLbwyNN+SQsf&mj>zEcsB<ikP+rk`V
z;FdF0Mvl>RLtZe0b2|Er_9dmex1X&ldklWrnwL>IrVrM)yA;}9%CU9;tHMXg|K$oQ
zjQ9?FoCgmj+`Luv>nI4&>ym#OS>Bvd)tO3e`M{`;Vc#N(SL4@JcVW@lnr|wT%>Ty!
z6_7>xpqh@J*2VQUB!YK470);E96E2W0bdSE@9XhcNq-<sOg#E6r!aB$c3HXP`1o^}
zz4C6wx}Iurd9&k{<|W4+Zg2SiT52ZXr$LZrfD!l#h(LP_#sU#Jfw{_`)xaf~*ZT&a
zdAa8QeCiENz{`X0SVYX=r>oDaX>js?9ktS(I1ruxlk)#%I^&Pv&qPNPL{tm@Lc#y0
z|I};DCQ_9_;K+3!ipC=nT4hZi>eGyz&cO(^E}15XCiVlzl(0OTG(eKAidcM%EN3U-
zSyg^;3}#X_8Tz9D_t}R?v)Fcp=HGUHw%PCL<!b0?@h+H$Z5fpp{QHu>l?jI~Q$hG?
zx&x$IN&BZG+J4pWPk&LUC^+Ss1iu(n=1sAM6<K9PtYDBX-4HKtBO^nZtsAMUeL>nY
zCVb`Zr271x=3SCAeyWNuSe>D`<Bi#5gcRmxmBbb(pTtue-cf0D&QZFGwK~nvW;-Fn
zn7gD1X!Y%|#hLukQ+(Nbyk@*_5pDZLi_h>uWHhEj8G#x84Z%d-x3*6oE+LnjKGc*E
zC9(gu8}(blrdxRiOEB`@t7|}NOZmPJJ-67SAdatu9i8RWTG&?I&g-z?*QP0Yk^512
zKJQ~Qpz)h<NrTCcSlIb0iPg+Lx<fI$V}#Rho@e>#j@_01J}aFi9fY=5zFFfYSDe|T
zh)f9&raK3ZJvV{Q#Ha47;+UK>hntoO6j{3izaHKTy<Lro+N&C@B*x}9Q-V6ffJhi%
zuQbR9*J@5YdJ`5(P<A;Db{Jl}f5LvvN3kk%OzRR%fn8g~Oy3^Dg{`XRY}aAoBH5D8
zqaJ&0q(E_sEOLa|G-%lG(xz5Fa1qod+Fd-}Vz@#-a7|Mx+2k0sQQF;Ogz$ff^d$hj
z{TRIa<rEC~Z}zU{6kr5`;dn0t8?yP}8UBC!>o3^#=56}3SN4C~@O2vH94w9sxX-l(
zXYGBq%343~h(O?|m#zOQ$2%eF9X5+~s9RjT`E@MkdbQ23>+s4h7i>7yX;@Y$ZR6@i
zI01h7&3X)Ui_S@H1e=I)ssy=cny8JOmZ$o|>?c|~O$u`gJ{%74z?Z?i0D}@pKpDH}
z+6D<A#u^w96Yi_GIW0z!xJbaa2NKOwK;KxVz75FyHfh|<`p_rv?D9<Y6)rgEZFp04
z-28$^BLUYD@)a7977c5RQigC2()nq&B-6_+c<PJHcMc>26KO#h07-r(hFG5syJ1J?
zdSI1-Zpr&mw*i}~1?dCJ0Tj>ZMGc3txB0Z5-V+(;<Uhoj3$cNeb2VSKdMy2!Dr7z8
z5Ram){?gWwTLSV9zF6{`GWC8Wp5Nr;EO=23V|b^-LSgeFl&!ZobnYKjrv;w<H{n$q
zv}*n0DZlFp!NjbK^?%haiX9&kT?eBoqy2vCVpKk;4qq)9S4d#pH916%2z;q_+AARX
zNnEpruI(yUKvu|X712ZA?XsMzZ*A9s>`C2vcPJThw(h*4)2T{1Fm=!0kZL#r{9eFX
zm$eK~CzfRqYVAKrnc}1rIU%u9lq_A<!N}y}9@Npi(SQ#Uu1hK<HG3Xi$qrnB;D<(f
z@hFfvVD%~R?pk?~j}~;XIY4<L$|;_1uy_o8SMAz*m9yPIv=L2MY3p{lPSR=QJy-je
zaIbGGSb)cjcc8n?!t{dK@>yGfUBE5hQD(rwxB>DZe{PN4BzG!=On-C=jGBwZ{8~yV
zt7a48mZxwaSNpOS*j5x$A<@Awq_fb)vdebAbD6BokaXE|Q>QYV$Z&)0qxU|;tpJ#3
zh&uD-X|4%*OvhE)J-@g<=6x1hbUtFdh)(KDFRk4gej)Ny`#aw*brt$a?KQ9M)+DDV
z3Fr3_r_lPBK_|(EGgzfOm@qqeK93{NUXG56+5ginOV^Kq*JAdUTd>o_<ho86d!RJ2
z@^|tsBb+z}UIoL6*HTVRn=*I0LZzt#<)+SEeK}0`IVPA-gM%R@+huA_2cpyAIHLBf
zcAXKC+5WfhKXughYW|xe@jVgcFT*mUA9K6IxI><R)(}oV)X5XzfvStg|5{<C0q7Re
z#Mfy+V-Nr8J@3O%5`F|;;k&YG?Wl_TM7OKJL~Kf6&r)D#m(B(qXU|ID`7eCW{zKh+
zJj+M+3OidMLBNnk%wHhk@3{HaeWpL%e)h3vv9aG~tDg%D0B1KWIRd6PEw5Z3%W!fI
zY!iAXCe{K(ervHwwr+TgTNe(nPJ|m0Bc^&x2ukUW@PvNDZ>XPsft{rKmBX;q!#-e1
zD~+W-!V<(_kWIYq6@H}|DN&rb&bx9>26B-JPZ^p}I`UoHl~auC;BLSk%T~BwGTc|d
zm`uf<2_rSX!y~-^y>HSDqY&>HZMo2lOxeeO+9u0-gdf+x`9r}d$Cn&9Jv%AX$ktaI
zbnlo{IS<wGJCH<wkMPtTx%tt)w!_~vUSpVr;;7l?G}6<DUzkMIq&qk2Yv(NfI+~n2
z+h(XR{M-@n^?eHk?+pix(zyh7Bq4qU@y8Lnn;TMABcc{HKWX{|I8<fQ=3c%X$*<fC
z2;rI}xus8XoK`X3h#82--6C%`r0=cluX3d-!DCXYUaT^>817ZM-VWE{MPgsP=^V%0
zvdRagltgF-KVfqc>FO1;Q-$ap5+oZZmCJW%Y_f(sWSgf=glQnB8$lcQ-8R7gUjC&3
ze;o43&*G-dg}jgKV^L6ZYBGvWF<=Suodm@T(N`!(E(O=Fx=Sq)x^3a?tWft0vt63C
zm<;pe+}{^=LI!9*cZFKzMH_ux4B_UlG}@YDf4~kI@GtZkDUZcu!J)e;4~L!dnv)As
zT?{BUr~oB}w6Jhz+?lY1Tlu0f`FS7g%cGWEHV(<zce;9p1O-pk?Ndm+vcjuTSSria
z1>cu#m>de<5!+jB(|`MePUM7_+EA)wZbwBw^nJ@iuZBOlN7N_;Ey7WDce`7qx%zgU
zm38PhB1a_LvsGM&fy;no;Zv2$yZ@jWGCt|({AG;`kfOC7lz)@aM~9b-dIDQv7yA|x
zyIVhh6~f%^E?oK#YqH*foyh&9iFAjFb#?NhEiMV)#rMah3X5g_bYd$+8#@)PM%j;s
zo~iLE%Uu;7c~k*BjsA&wM;%VF4$PF*rm4$Xlg>?vXiHjedfrTnP);;qzwysT#{LZ)
zbxFTYRT{1$g5USYa~NPNcv|Tm-2Mm#qW7X)z_7fQMRN`-N#^o#V7fAB2iUtp8-&Pj
zN6Bs9GcDZ}0!vGaUgaHG2h5v!sLE3Cby82BmeR3^Rli8QK6}PfSbJDnUrnPBScpKd
zka&2{vp0`M7{%Pb42}D*DH*3TsC%!ue{U;a+Ka@%WyJM>bnknzLZMtaEIjnqwzbx~
zbsfz(We&}{PBoO*__msnGZ`blWm1jT(K-Ok#pl6W6lL%FeAl~lT#U<;{m2)%Ej^Ml
zfz>WFW2RQb&CC4F`nbuxb!K0g3bJ&|*gEDK-tpdz2Xa#$CX`T7{z?psUEa5<G>G*c
zOPPS{1vdQZ<0dkH&uUy7I?v#%lUSENnYGHeRmmWSLRj%1f<+x-*2(p??5oY`plo!{
z@%^Pgn~JcpgKIh}WDM8=Y&^fFt+l?-jRuo3fRHz<*ew&xvAEfN^Bm%IZ{z1-RZH!v
z?yM=POgAu81)UL&9$B`H5i$1qF)=GBf!R}ehtyHOSxU%R7c!Kh#ar1O-Bc#F7pvgY
z_$ueq)6+bpBWP=DPF3dsnU62k>6;e}2rd1_JYk86Je$A7za)0`a0x!KN`1#7UxB$4
z#K?|7CtE?s<_MZy1MSe&`Qp&<D6Uk8x9F|;p9O_Fwc7M3e3$xN?0U)`vXK+b>m4{d
zg|*gO<MxpKRdSf%=C`=K-Yn^rVI??M2<+Mg1~c&69efu&!{3kXCDO*tm1R!^n^1d3
z0$Bgan(irob6>-g4C9!|!;BVw{#ON9k1m>)UpVsQTK}`xsCRA6&qK+xd~uf_F2JyH
z*Fj&lu7_lJw8bBQCQVIfBD%m)eJbuyoyloYI`zJp-fPAklM6ZH{cG^%ImSvQW!6#~
z*Br?}^J%{sN`RPQbw#!%$#zH*<>_~fWIQ<z5?ZOTN{G6UWNYB!f?JEFNepv~z1s8C
zOp5xtk8e}wHx*G&y_yE*1?R-qYuhA$tm$CYK<`su4$glCg}&Qq!%)T%#mPga+|dEr
z`vW9#RO04eUfu-J1<U}-V^zd(RwrXN-$t3|eYMGo|3nyyMk@~zR`KC}dB832lB+7e
zVCjl^rFs5`qKMl5Yb-?dYtqdG)K*-c{5kTVIunO*>PT^p4_9@sRZE;I)aZw4!w=jc
zvKD1!{aEv3yBrkV7*xOwAuvU`iq))9&)UuzW9p?WihNhnyRycQ`%*IHo#pJ#@vxVU
ziD98ya%@aaUNOH57CvOmoZiAF!slo5f|a6sqt~S1WeoB+LAD=L;$PA0!<B$WoF%Ct
zSw^CpnxS18c4wXLp;EZdQ#QToThilY(E2Xjnlh*z`44&_+c*L}N$LUBcjQ0qATm5l
z;ns$MV-}rzXg1%YEr-@If5@s*SVydscU6P+m%#zXAgt#-Q0j>L$JJKKC)^EC4)WXp
z?>${Vz2<JFH?12AB-(<Y0-WEO9!;ZjBfvFx0AN^6)4wzOT7uoLEYzaM_g{hGeNtL;
zaG{f&nn_tT*YN9vn>G}s&4oW>`DWDwn0|Su5CJwJ67N(4zS0^~E8!r`1OcOt11Z{6
zMCGGC=!tVvgOAZs^kmWb%bt3(uz!6u9u7vj%Zh2%PC6t)=oL{YNN<sHCi{6<yqAK-
zq;5ZBAk)J?#sJ*{&DCUg@bq2f@SVR>Z_$&KU|R{^m>?F$X#y*XLQ0S#(qEL;*U8C`
z+_JVek-&x}zAK9nXc<E|g?}f}oMrkuTkp%^>x-8JM)Uy04fNg5M~as{k3Dn^^!^`^
zjOctLM0_2nvmIVEQX_<nzA6F|PVhMop2@W}Ob6r{7*>fF10FyKTAe<Zknaf+<yW-u
zuHn-x$7Gp%SPo^8H;yy~M&m{FxbpwtFNbmkPfY37)o!3V<?AYm?gtdMv*%&)cdxa+
zkK2(zU<l56nH6{pLZI3}ZOt+G|3XHk{5i+2MHEWm`%g`ND>ZW#3fR!^g3$KLk0R+T
zb0T%bb)Y*z98yo2nHh%>`U&kT)q3c6L{4#^Yu6aPuDU{u!g_P~u@9fFa`^2S-zJ+5
zqoy-Hv&a7{6S6)fdqCHEq9Q6(L_~9&NC*z4`N8czqQcxqo)D;**RDly>a!y%wbqBv
zpe;`#s0xFTP`3d4T=0wiiukV!v|3Kmg<&xmoG76DQ+eAlS9lhT^ag?hqrBf-Ujcw%
z-_PJ8@V)^q3D402FS4~AGHs_G8^S)9uzW811YTfu#)1Lp!VFyM%$FfxxBQh|){<yo
zr!`GO3&}5fx$Ov7J#UCV27*p{V=glGb*V&yD`F?<7n~zRc51`;DK(}G9rhW1PlJ5f
zRQvR{2{CI8z2t%O6TU}iD{QUBktr@-0UL9L&BA^X0820ht@A3j#?;?%j=rk4VHtC~
ztP7{rim>V)wy8=L-gXpc!};*rn#eUyjoN#Iy<3*1iBXhfPpIXUvY&j#qax|Jm2!h~
zH9KYVxuk~E8gaPW1jJP1GOtUdK^UGTOHX*S2#|cA@(|_TIHL!W9#td<{%TGXE)N;Q
zh{I<8nIqYW5PHaOoqSd!f@4Gv_RP&~C2j5<e5KV(l~+N$MIK8y3~a)-3VP8YUfiR)
zX!A`T*Im1cMZAixO4p!?2UbmS#`-wKUnlKPa3da>Imv<J_ToaEtllz-FHq4@x*9k#
z^Mr<=uG7X!p|R=ui=CUNR7Kn7pfUviY0}(YdTs*JJze9uY9@_K6^bqfRW67rRJqP9
zV>;|-&cM*iHTmx>ag9rS-sm0s_5tdK$U(ycO0St0&hoPMojI0k>f`M-EhK>inN#C*
z(Uvkw)rp)GYz|4wIO@7;FUQ(`u&%_cOeC_*e1&TD{5Y9EI+YQm-C&)>@zz{W-bHA5
z1~3<i&&vq3T);++BGVLY-{dXFO&<oTId^|Qb^tyjO3(CD9Ot9hJ}ChG{?kbhtOAA-
zx&$M9AVa=~oq<y;!GBRe>_bYG;2@z};PM%`rsU&UC9u-s@wY5~7=7_lG4mC#@xery
zJ$tWd1o3Tc_=LNEn_|jhk!TgQV-W#MGOY_S0$Kk2C|(9GwD;TYd(2{n7RJBJ$4eRv
z`G<9b1skmgqYni5i3jYeyme)WjP^g6w26uO!_0lJRUM)scje!HX)v+5b0ByPn0`l2
zqhWSo(E85iMrFt1XjddNu&OMJ00BqrO2(X`;1J7lF0j6+ijF;e^%#ctmi)E9eiMD0
zA7u*bYi>)6sYF1sU|#GHQBjq~c$}l!o#kw2i%|IRUj5#p7g|$e`M#+Pq`-jIdYJUl
zaY&t?<3X2gb$iJx!>7o)NpjhG*>h=e9W*n<;=xT9I|cc@h|ndNdO-?D8~fs4@p;9c
zD5z{eOmr*8hS!T;?Jx3yEX%=;So1;>i<c2Dx<7BoA*cRfP=!#|3%PRMN@n~+fe@i_
zZSB39lE(Z6iP&Ins*j083h%%xJ<no8W+7u1Vv%%~lzg^WmkF`{W%3@sTLDP9-Ou~>
z-buejM2VyaPPvrg7p{#K+_OGH<x)WYu+481Sl_#p3wY|xckELtRKcAYM4#aTk_lIL
z7vZTjXLaQzg|7ju%iTUUf2gnRtrZb+SE`L=!+NlL2jD&A>F~I?zY&J+V9T6uOV8lE
zjZL&Y+DMdRv}pFp6O&o3?GhY>?HB?S-l?vs@ZQRvuYAByy4xBdOIXFLcJKz|=rR)5
zvnO2P5A%y~6L(8&@u!VtHN_gHC7AH-%u%Ga5Kac9*6KAALy<{NN37Y<W|iiH+9=v&
z#xhC53i<=iy0}rO2E(X<_$0-$=Ozgbz>u5bnHjyxqh?Kj5cB?{tWosGTCyp_om(9}
zvNFZl1^iK8^eEEgdsS2;JE>XFbI-_QzNc%t!N%ztCYoJ;H0=!XOLIqHEKRphKAnO;
zpG1ON_8oD9ZB!%*fJKzZaQ3XAeQrairuTG8;?LfV)DE8+9!9~WvoWg&BZBluF-sB7
z;P()+w`xq1{U`(mpShD?{xj_h)(v9kGxNLMl2nc{GgvHort&4vc{{VTSHf?4LqSQT
zKf!B`NNg5yd+7qM)DZalc5cNqp2T7=Ypx<i4+scrw&Wd~OR-D5H%Npm_AvFM18J4W
zznkhFP3fEKG!CI<)SU_tY1p<6@DxZS$QHI`!$)=nuJ1~p#i_lz&1BR3xr6V%JZNWV
z5_md|{Bl80Xw*Zs48-`U0<s=Q7YN|6w;}lXo^k;zo!u?63X%PXpSwMyeDLM=x|ZH;
zYXvUP0y_h8b=P+B12)m+Rdij42wrRZ1DmdEkcB4G78*cNYI>Nfrp%b0`zJ*utXW>i
zPe;s~3&S=s0qyP!4QZX^KOM{5<_KXVOr#@c?RSnBqB^0~6{VL?pZIBDD0y4_t_dyu
z2G*714{N+9iXKe-*b+{|UnSB4Cs~6X$wG*DG*!rM3VL1&gW1<g1TqM$bqrJy4o~ph
zmG}CKIVts7gG@KWFFBMP6Di)8?Cvu4m(&Sw7$|67l!{zGk)=kbA2*71%dw5tWDdQn
z{#-OU3-{pv4YL=gK!^Gfxr{gX4L!GdvfsYOk4H0vv9=|;2uZHNlli?eNX}Ks`!FW}
zxDf8e1tGxEw6To3B`_96)lTATyUYG?2B`DQ5mDg0AS_9RfSQYHq|TdzQ~v`4E1ihu
z0|VFPsr<)aFo<15INXgy8YLfA8Y7;OKomwK<KD+F*78tbIt#@z2a5M9bF0Lc@@e97
zViVj|zYKW#=TTH0UDvKXnWrDc^Z`vpcL}Pht4}E!O4E8!b2dlJysz3@?JFWc<0zlX
z$9^+@ngq&}Ma$>e%wO7d!}lME|Hcc&m_Dg;={?XxG1n&KPdkx6t>I``Lfjimxaz4q
zt9Y1spDaJT_JFJ(*wE5v(SnSyF78?Ja!ouf7A_#u_;*|a5>sqe4BW?QZlZlD-|i|j
z11Qp0_K3GUBb#5IQ$n8q`?`FtTQ8R90#?X;42GnM{plIAAeJ5h5q&y>Sf$#=8)uY(
z(=x|Sm+i=aXI=8;2_a-V-tjRG-wJpsiI*`IX@q8@<|#P<ujtDgq-aZ>lKjJ*!Gp=)
zYBKRBZ<<_f!|X&A(VsrAdD$Y|?Nfc+#`|m4BYuj#%7@-Z|L9}NhrzPWpWu;Sc3W0?
zURy4XdVy{Wd>IX??_$|i#+LL`!Qunf6-R#o#_?Bi#J#{Au*4SF$M}5&TurE@_Hmw*
z_X3v{1%iG73f)G$Gk{^bKtSw(<6Ih6$9>DEuaipKe)mkT9bkl4-B+n)K<np!hB*P-
ztJ9Zo8M!?|=U_kZ3Ap)2^F8-U4eB4b4PuH4Om`c`2~q`pKC0upyq~-a>a<4KvIYcG
zrNkNAxe3zT{cCo6O0ci-a)|(YcH)(E*d05N&?6qo8$QmSE{zCq87H%;Z2eb@$j9Iu
zP*cd<#9C}+=>@P_Lp>`Uf+}{4D&|M^)e$aJ3Gzgu$v?>B-~y}I3xoiz`Ww&MbWUS>
z`kX4KUz!+`AG_mJv9s{KswWu|WLwAc-3V=W)piIK;mRnti^uxytTNzS|3wd~dHa_p
zLv0N(spo~O%fM|nA@LFMWRL1;NL-M03amHNAi8L}r`5WP83`1n4O=FPeOXs9X>yaY
z4Q#76R{o_h$e3H)XmO&znXVLuw90g1;iOov5;UpSEbpk1Z*Jo9OD{vZw7tis&)>}O
z#h13ePE)c`ec}1nuP}6~b%N8Zpgzw1JMUHol{iPX*@wmgzdb*@$k=8>928>3UDZTU
zo`(~D8Sz%mGrq5?=LN8#S22ob1}%5mqfR3c)uh=`+Fm=3bf^*XguF;|l|0A}C-;Rd
zfsEYjt#5JY$JsGu)(g689RrEXyz!H=D1Ti%J8tmX3P=>{_?$oqrs@~Tc0QYNb1lbg
zP{E4!iPrWf$<H?P-2nx0-I}GlkxmOJU0Jn!;FSG;hr?P^EnfrpcKdh9{L=+gy7^$0
zl7ytjzo!Xas547m+_i_IBqa6}){d^PA8}DDUZQ$;<zjLZeIS5$@WkGLK*lI;DCZdg
zcZ*;vY{GK^f{E-eQm&HIpGGD@NjO{OPD6aQ8ivBndUY4s++XxDznDtD$(@PBc|`f~
zam^(qV0&YM%Q|45Ys|u|FUN2*ucE$G<}M;8j6F@uj$W!c??HRSCLY_wXin%od06o<
z%UsP&tI{Q(#QJU8KKjAzFYA+*y%-zD?4(31a1@bFE6~7Wj?2cn{R^fVy4fc%WLrbn
zU$+l~B~`tppehf_5n2`JvB1&kB@WN@tl$yk*vT5H`Sh<m+;>51YQg?7XrMFg1{gB&
zzM$->AcUcIDPs=&&29LE!~W;=i+!Bh^^0_h9niCPWolakZ{AbJcIr%@F}BE!ouZnF
z?K^s*HQBBntBl3;PGI0u?Rk^2?VF87`<VOg(#H?@L;jkR@27)wnjdPMvb6D<xJ0@g
z*{8>$xElPUI=(YcX^t()p&sVKK-(SvN5M4@MuyNA-tkP@JEjG<vfDBS%`T6-_ote$
zOJ{ep47j!y$HmvH^cc=K0kR+)(J!fPF3XbG_g_?^2?gtO3RSv(XpN*XY3jXfi^yug
z!40ZP=lpJXP5GOKMY;?t_&|D9cGB56IVAX#_P!(IYhw}~{Re{!$!Ot(*}isB!{tuL
zTqMk?!*C|67%wuTje(#`M|gI@a~oRRRBSjh(;wotqn+z^IkmZeFbK~t&qBZ&@K?~#
zt5O<@KX@4WM(7E=33CSqU;TY)+0(mcx|KTk`viDz|4yr)>^GN*eP|f5P;EtYy?YAe
z*~E2G?YVm9=n?m)kRg#U?(cJ`4P&wfk~vZ_=K{W?)%4qE`_5_DD8H`47~Uh6)E%Yl
zG%~N2=A%FpD~hH{$~D`}<ou~SRfd!MB|mLT>&vdZ7a1z^k~#$vad)sPF3Qx=?ZD|D
z7lSj^;5&T#_WisgE<>RUf&>ChqK3i@f<npE%}aVCE%`Yu7g2ku&-El+ajZLyB>8Wn
zym_*!3gBpO3<L=QaTDPj^j6#|NAPiv8QwQ86{gd7#hT5ew;dii|4dLFXZdf)`ev+Q
zse&$IB5@fRb#zQl^pGMT&W;5=uZ-N_+a#Nu=#6gDA^%|xzoyQg2*?p?2g4lrorW(y
zYM6*nH${$Jf&HpyyFu!)dIy#hD(&>_P;TxHs4p&ee7TBCuh%Z~88UfVsf*N9{YjDP
zz?@$tm>TFYcNGg#gm+C?ofM|#4!L!pbGDU~uXEBDRq#quaNAzgotzOx%LKh&4obhW
zGTmBiD=w1M>7hvS?H8EX!@1)*B(CvIm-A!rs%&778hlSJeoUfwwkC-=T|S=5gyFB!
zv%gcNL1P=5@(t_JK9tw~(9pjkpJ>R;#dc6QRSPR0F(a5nW+5&%SXlbzijBvjzpIpM
zJh<JTw9`f9(@v(HgB<>kkeN4u!{OMbQJMU?WEu<y?s|`d*m@EIZ9Pnb{ozH90E~fv
zfOqin%k)*jyDuKV1O(Rn;JSZ_LlB{#Sj}rH6zA|6yjJ|-iF$Z$d6{sn=^mZ67!~8(
z6ymqxkNM!$?61mtH~4o_IW!zT=cEN&hp|JGmUr<E$M48->(8;jdm7JFv*^9FWDdSz
zdFT=XjhiE^B!1J=MOlc=;UxPSFJVLryH~au@SsfOFvYjj<}jQMFPaBRXZr=EL;@i(
z@cKl>PT*w5wybvFil1sFW-o7CF8#MjdA`zepa>z7({(bTCrIuh(FjWYlGPcBlXt7W
zice3(3>37SN3bbBUm?>n>0|8qCY?@rsWWB<WSMWaI{v{wT6fxdxp3n76IVr^{)qjV
z<8hGMLCOnfLvgZhEgU1w5~XNb3^`qez>i1jGK9HKYJsmJ`7A=_8J|C!OGELf8=eby
z$T>lJP9N-oJ^jgu-|dmm1(BvK@B;FH7w)e!Q>*a?^Rd3kSp5+jRJ9)Ai>Pq5*0Hsr
zf+Iu+A;dPkMwFBkeT*c5;;0vLM~d9z1KELDa|@XDx)Y5Ng>%dgM7|DyQ>&_|qY&@R
zjA)AI&Dnoua7;|>0A7Xw;JIvmORpTnL&{EAs^?Z#Swt*d-5IBQsRZniN|W^2+wY2q
z&Wi8Sl=5vdcoUBnhwes3{8iJa&V>%)usrrh{haCpXX8P%@}3Fp8uPY=YS5}wRv7uO
z?VqJnrZLAqMtc<L?LX6V^hXtde4ri}#~<`&0`d1T(5IFCVHb7i-+>N+<8S1A+jFuR
zaoQ6c<`nv21Wz-l96BXCq1yR)%lO5yCksr-Kgu>O^5`Qe)n5zD$?;jlMnxH?1y4?`
z4e#o^z`OBQ(Bx-B6xXtlyO_)nMOgV%$Eoj?M$QMwm|B#-|CUnGj+wo<SVtV&Fi*Y}
zUD&4bk`|Bu6fNY4L~}S>_`T)gS$pRWP`_*mh_N{Th{|99)jZVOgiADk_o^Uyx;=m2
zXb&s@KyKrlRp|X)r;%UswD{s#hVba@kZ-pMkT=268cOsya%*5=mvE8FJ-#yD8g#IS
zuxH(!77JW<O%^lX$f3Wkeltd)ukZM&>6zBxSYlV_-q|Eow)gCe+P7PR=dqux?4Kts
zN316(i?4RyPU0~ye62AHI~4PBK6^NV5egkgWjD_Cv-L>fzyt$Ar+s=QWv_!Hc!1xD
zCQP%J#$}>K$VL1g-2lsAQX8X)0P<o(ac2#+rLUNS(@)JSk<L2RInKo+5pojy*C)xI
zry))vJdqBXs94t~XUuZp?)`qqR`-JmYR?I$4pUpX48_0goUo~RIrW*u401nxB1mQ#
z9FY!&m*rYe_Jy|9mUxtTqsNi9PwH*T<Bp0O=<~OK3yaMP%+-B@TN+RVm|qo$*S0^k
zz3NCCtjqdqI&!cT&qpd`Z8_5Oi0bioi@<9DRnY7Wc)7^m<4L7JXkP}I?W~M%lv|*&
z^f>gKdSm3GWF0Z8=!xL>+G*n@quNbp13yv>!7JrC@s6PEutmyw;{D@CVne&5{bqf~
zRiKG`y&degq9C|!Hg23_tErS{9<LDv`C}SG8!to?MfC8onciih1)K0X^6E+Dx1q15
zm-zr|;U1rpwlDo59f{#Bn?WWF0u2<tXaTyUet)g`7Io`+#SW#@ori*<f;X$tY8L!7
z|N2{Yy%1z}I;3s&ZU~bzTaeO~j{|Fh1X41(b{VMNk-^~s3u2P+kzY8HJ>2V=`T83{
zZeMnxUXQe*(=H$+ko#J=bV5V69Io5Z78qqts%Z^XS>zzaP3@KHbr8P|n`?+tF$h_a
z*40RJ4!Qec60=W~wPqD(CoO$AxEU8kGLN;!tVpY3`?C82MkJ`WTb!x~1e-fHqsL`r
z-L%O9(`l|Jn!g!q(+^d$arI;eyZW~sj9A1H=d5E9%HTR#cenB`J6Ah*b2*A4O_6!F
zMR{h>vLUi^Lp#6`=ZP-`FBP`3P~;FRa#gN23@e&C<DVaRIawI~ytoA3igP+O{UW&d
zwB|eebx<9MG+_3p<Tyq7bpFegG_~P%DyN(y0F)?_mLAJVt^=%dN!XTkWB3MfTdy3j
zZszz#*DU$BEDI~t!-ie?!P@Kz{-ip-1>05!vK@ri4qD@>20zQcK#TMpzd8cxu~<N#
zf`pglk2ovvlgaZASUwG9=KX&~QQn>qFDQ5G9R=-G5R7nLum@%umx%uS4czx04%Ssl
zntcO*3i6NMw+x@aGe=;iko~an`_LxV9NRChi+jC)tVkf{?iM+V$yvs`wY4mEVl@*e
zchZe#EwNP%-7Fj_1<&MSTzGXKjlakwOmYxBFNK#IEcDNIvpC0*j$X^?1a*Izz`OZQ
z<J88p<@VON*%#6E1Cf;&P)qVt0rVW=?@xxUYe9~TlhL%B;%-yO)#RVy;_5*1BC@Y?
z#3DHSgK0f1n7HQg?53~y)Ij~K!q&w?DY?pA+et;8K@Gy~R$+$IaX>RShj}-BG`~Tj
zP<K<j9z%$jqyH%lsy8PDRPyvofT?iVWeLhN15u+J7X++anQM2vGn7yQWMvTSW|oGj
zT6C~$R-+Jq4hk2G>xFk(;qi+PkEks}4khJ!jk}h=4m5nYH^+V>j#Y6tek2~$2uajQ
zwT;JW=Avf9mCtukDVmAqDw>E|`?^JGqsW>DAFrQ&$|HkR<0($VJuU48i66DuwwxM|
zEoE7^q^Du6mXeUE<g`-Iwrab~EsDWCD9=s`C&3n(^7E|kuGs7`mm5tQyza0u`=Rxb
zcwVE%f>4!Pif8I}$d~8?u!6Y1k4&f7v5nKJ2G3+lR!!8xy~5ef&Qo7>vvBR4v{Dti
zqS`j5`os3fhXZ!?rR#n#^6D3j7Mpjn8cw1hgTBThQY)TM<>ciIm#HiwDERGYlr9V`
z(@&jzMerHwg$ORpt^rAi00E`|#m`3YecUG4og}Nf%AeQfYc_fEm%G!?i9X+>7o?+C
z4kP`0Lh%^1zii@BxD+JF>9FX3LsZbeii8_bg%f_lnZphKQi)^zMIe0*`OeT@dga_n
z1hCC^uQVSDJ9>r5=~~J;>b~@!-h7%@C0?G|mWB42oI^3pokT3{e8M_tZg8;M)Z9e6
z1Ccl^)}ZV~NitGFS9Rl|_@*y&3;CP-2r=Fgh|O;A{=LA{IDsn3F*z}Ny1ANa9XmNt
z1Ku2t-*tGJB9pG~?fj5XVvLe$J>=b$CaA+~)l@TV@3_lU%-(3?Xo<4SEiH}8XcEC`
zqb^<E8J};-!`pcX{n2ToG;qf{<5|JLydnczf5sS4mg~0E)}Afy>1+m)3>dad%aYiq
z09{;%wX5ibT<qA#zGli6&UaD1Ah7(>`bmkIrO!7lPZs-j#&H$RaOr_s##qMx<}^aU
z<gJc|HvR*czw??noC%%V5UHC7@qTNW9h;CFxU)b|JUq^jiIkYwM<mvg$;GVC9VzKS
zn|)O-ZMBTyjzbJXNEWjy94mIwFn}kRz=@>EkC8)8DA;A;_{5`oCsKHlVM>XL=rPSJ
zW8Gnpa=^f9bE1lbPL}lGji=Rl_mO6|w-Udl!lLND&T4hM8S>y4^tDwk7tF0JtZ#E@
ztR4@U%kf?=f_@&16ZOTM@QNJPF3y-HLSf#?tTOYkD>>2mLKX%kd`^3G&z|-iKJ5>!
zwg^cDvgc9Q+ci^Ha3-^)9qB(A*)n64J8yp`y<C(XkevxUldpwQa9qW=$G=Cq3R#0m
z=(&lqv{;b;>9cd!UYSVAZ#+M!NZ=R1SpUuY0T;pGXTzV^X<*?`bS;qMXCD4WJVYL3
z&nLfc+W7-ZNE<8?2xg)${RG^;quhi4{#FC8IVk+e=R<>Fhj{+PN4#W%WpnNU8=sI-
zM#j%&+V4zX*TG?*C{rd$;6>=AG{g+V_NUtRXa(%73XXt!01y68ivz;?b_)3EatZ)4
z99p@3LMFaVwShHv_i@0tpMpi8Rbk{Gy~E6hNZ)3<nkH=)Kvt}FA3E<@N-z9MR6h!H
zz@8O<w~LR2xRj;r<TCzg&r8U{^L<gtnKR)5$x=caOml5gtz=ldl=HWzjKf_?|6CdO
zV}A=$tUZKcTxE~1qYD_DZw87zHbCVo5wtlhnRTDsXjp?&bG7ZhRZ|XZEXg}0-KN=&
z0uqZUWu;2VkI;R!bv%}Q%4op7>10KA(uc#EYHa6Q+VbsT>@-`vM$2Kl0e;nPK!vO<
zL8OpY+I}Lo>C*<MqqJVH0s_bHfH}mJgId-A;8T=sgROV-MlXZ<zDH|x{=DU`uDzj=
zN|+gs1=_pOGktbIn6ctf?awj^@K^x~4Ie()T-RT0*Q{ud=!&(FGaotzo>USHI*hVI
z=%N7vT1_ubIABk8A@#mokosg$Bs6sDg`?;dTzl<w8x}dow{>OfO5QZ9GTX4SA;%$P
zXJ3?ARx*~xDi=y2ZlN2?3KwrCmezgdKj%+b*f68_%zOPC(S~18uFTwR8IAS<|Jd9>
zI_Vytex@HSVj|OR`ZbSO4D|?w)!)S}R5ZnRg?&g=JA5BBrX{tL*sz+dE8ulC`|9$k
zl=#5tXbc}PBj-V?^X=(txN(U!Vf8`IRtz`zoPU@dKLVaGAO7+;>)QCjSLt)|o3%0G
z=3|CenZ%Sh&G7e<o^;2U$D)0@ZiBP^K}5%3F}R7)Cy}>XhD6gbf%J7dZeCJOw9BAd
z^a%#Ss-&kpa~(1SVwwK1;uSW>*Br-kw}!fJ9mdw4K>ym}+={+#y$*fK{+rc<Jngk+
zMYde4U@>A`rkd$Y6mMbgRpANZF0om@Lk_sPNcGu4`OIkEyf!9+v!;I+b(OGf{V$Ic
zcE)=;RGT_-PY_vSOpn74siGP$Sw3YoNu%65r%1ZLVUq(9ivgH7_h}#}D+`Sbgx0pV
z?;@4a$^g6cJ<WG9O1tgE9Z=)Cswm&P&y?Fg#hZ`3)VOU5fXI(l$^nC^AGlZNk#wc<
zZE9x=zI8K|s)u71V49LEQ`2J_nmcy&F`_Qc1tJE;ofEA<`o?;TLt3KAgoTE;*a<hF
zjli?^K&k_tn2;rvx!h&{N*`8?m0m6I+NB&yd^KmKghPbYi1tX8C(R~p37+jXEt~I5
zg`>nuqJR*1>OTaUHfMCtO`<>^A>EQnO_m)rG4Z%^ZTEJROgK=IEhK_l!c*@-9xDhn
z6j1zgd%&rgjQt8Viu^E1TB{_6|FFqngI_ZAa$w@{BX^D@aqZ*mw1l~!<|H8E<X-{Y
z&1-)`VG8-116?)&KjKA>nA{}}@fGA5D<);^cCC~Ly$0V^7pF79q{I(eUDHsB0=30I
zs@}XN>gV~W+1Ce-)zj4##^{a>l<u4&-mQVJM5W+q*AH+92pt{r6pZjW6AvhU{cnH#
z7rt&Gu(AHX@OAV4R0!7n@j0^G`k%NI%*0#*%C$vI7xg5Eu!6Y$RK2?Dfkgl{U}Bk`
z|BHt7Aee4&IO!*axy=Oj*Z)6sG5F1a8IYgBeg6&DbA3)Y1E>!cz}*$6KF6PAC8Vso
z_bZ{AYhWiBd<SAO`Xo6EH*X9Xe@pFNn?&JN6D!xesK$6;n*r?qHC3{pQTdLjaFmbb
z4P7=rsgWvnZzE^BxhQ>^q7yNpP0XsVm)*&x0ul`aj224v!TvgtmbUysVU$Gup}Q)H
z%9O@fNwV0~6q7*A@?`o=as~Gj{<7`acS8h62@8O`A7n)#QKxpVz^?gf=-_*akL9iX
zwo!7xr2fW>E7+I%G+6O%@-+k=LE<`{>o2-{1q%IN-$BFD09C<t7lIN({j}~3s?x=K
z2zukT+>tINmNdr;BmDRA(QgS1djg^3avkwegF!p5c)(Lvnl)GP_qcGWbNXM>!xA=P
ztodYBi<vyxG8+V&^%K(kYmpsvY4WW(lp#&NZ?q&199)P{C|eWl0@RvlJ3gdyPzYZ3
zB48K?^!sj`cqE~Uc1Mgkws?hx@5>p!nGy+{hBQv(G~+HkhhHFbWCvUJ4!O@_{K(A+
zaa)Y{Up-W**nZAq9;*6B1+rz4Key>hZ!F3F#bE0!>$8;L{+?gt;r@^;T4r0^U@ve{
ztFz75+wquX?eXKiz1v;OM!-Ok`%D^%Pvhaou(C7U<_haRYcg~5cEfH<6gjNb?ZI+l
zxNn+THqt06a-FZ2ryU9s*J!$sE^|Chw_L3{A<-h149pSRq75>aC$K*wDn=uIJfK%h
zM44~po^3P7@v&k-Ws~R4@O_`lBjw5P>!;X<f*7~Uq9=JeB2&^DIfY&x$G-^bT_RUa
zW>`tb6ye}~)<`Uad~s6ThMVtEpY%hrSbL8~>N&aP=y29&CoY>@Iw>ZXpsAY5wAc+&
z1dc0Or#o5NAvrvB#dd#VT#k!@e*-wm988TU6e=~%yYNlqCuzo3F|+c`>E8HO9v886
zp-K-0Tw2i^<3B@P`s*K3lj}x)Z06@8UO(pgCW(QCsB)WPKXUkpqFv99&@(mPwOc1I
z8}G><Ac+poX|DZw=Br5B$cZAt7`B7<3T&_GxUlZo)FQC^t?$r2B@cxF??NnDyyArs
z*h~Y>3jqV;7CKs3^mn*Aw?B?SbA@lP3<$m@86%RoR<Vy$R#cH1nV5x*$-IcC$HuCD
z3;3x5^h48F3G;K^{1;yj759nVD~+<L*>Yk#^;fR5*y5OfuWbh3Iq~fY{+dhZ6Nyjs
z<sNUMzgh+s{#$O<xMF`{x9J}^Xvek~h9bwyfYx|C`}F9eI4d!td)i@N_gFd`t6Mx-
zw10Dx;ldX)mp*?mC(<fbm8cDOta7yAFC!SrWoM$tEG)9W&cRl4xvro<DW<*%qyJ_1
zMJBPiSTuH7RD%iS6>l#iHU=)?yQqL=$H83<P_pnv8``s7cjifihIzGBkJ+u}mgicx
zFu0z9PTtvXVrvCiHZZBu6Ju*gSr8YqnePac%k~70f_MWY^=N7beme0n^m2T9|7g+f
zzyz0A`mt+dM0<4PiI_oakK?-DW|@&(5vjD)kA$tjzre{nzfr~2U|u($r1X*_v=s9i
zl5j75D?lFnVmTOECW`=vo)F|97IYX_&gI!(aTr<93e6i%)O_jO;5&D2f?Sh68T%VA
z41)%ogC5|8RDEi^{--JW6E-u4F?&h8q@Z|5<z~8k*SpyxkDFZSJX_S+=j+?DRf==U
z&&C%^*6=6g_u(g<9z%0V4@M-dB^S@S<Aq@An=?+@c_abmQoLA`6Td$9ql?1nEij74
zAl|EeC61`3dxu0r^-twLw{`S>KPwdTRvA_w^!KE8$BAsKby0!60yQWP!o*2Zm4x|{
z>u3r7H`9y~mYDeQpwWh~%oCsY2gbb=z`ycx$;Kr*D5jU>H?74u&g)eBH{3*+G5eG2
zrJ3>+{$iQDf>pYEBL9gwQ3^7t?kdklwghe)$)tHL3GS_kv}Lna9j#}+y0WJ-R(}$Z
z;k8gCbY;$UZ$U80uyV;l1_#AfYtR_Xhr{aj$%CjwL947{@8Mp3TUJsF(YVMwOhpPh
zuc?qUP)6Hs4>h*9pTisL^$zWeZZ{7z=MqeDlU9)g3XtO-+^~_R%BUmxiP>BsLcXQx
zx%8qLw2JWxt&_Vdy)uhXI6&eWN$s5@W&FEclyiU%F$E611G;vCU-m&TEZd;CsQ(VM
zlsh33BM=HlRt~sIbhLf;li7g_@s9Eg#$N^}zQp16yifm^LkrD=0X<Iu<$mzzeMkbD
z@PEhJcGfglLNUiV<?a)fgt9=4<|r6PGABTos%0-#o0ITR%Bj;W<s9+LhFU7iW7+<B
z!%t@1<$j5w0D|n1sOHOLU1(FzqA;9;iJgF6st+ff+|yw2&j<}{UeydAq&EknZ53x;
zoH+h{7O@&_FoLqDxu~?$w;-z0HOG@2mnP^ElO+BA>>WFjjoh02VPib|R&qV32wbR6
zT*~(v49`Te_nnt+^9pX6x;NcTbTJ#uNZ{V0wE(vMMCL^3Giz2a>t0x_Z4{Io(Duks
zj;vU&#Hz-3BU>}NhcQ6deD^x35u(2IPdv+|a#GV5lCt^4Rb?z=6%UV`lq*y#6kxGi
zzy2q+V7!h<;Gty+_r-AJ%+=4PQ|bt7ZVJ(VSGD-_RJCDdF;y1`cR2#FThCz~8`)@_
zv&Q?unwNNA1@`YH{pl$+@liMc`Ux{vSCY?o#>Z~ea%EfrP=dnB>BR0jarm9bBn|4;
z7=HoFKCB8dHsvc51V#=@QR?ZNchE)+QF~sVEBUMV2)1mN4r^jh3JqVj_DJm>@RnGg
zGscii;ZagRdK_DF)IGTGY`cDwhSX;y4T|#(ZLiogd$WzBc^%RzCHuXF5(Uor2e{5M
zD##!aao#gQkw?@APLZF#*^0k>?Ioy%8$hlpzxs6V9=K4=wosJ|>Bxt2`3+tE1k{DS
z9Oz3MX=k>WryW>tCqfxdgM0%RfdR2^LZgWvx!AQ}VC{eW^nc(lPoMSN{D;tdRJY&%
zDlmvoUbYbM!SH<l9p-BmSYJ;$9t=JN7;l4xJ}WhFblM5m|I!@@5X}20wLN!5=7S3H
z|B|BIvi}Stls~cB-VQr^|6h6d**>GX+cN2S|6kenX&ew5`1U{g_UhY?)c@~cXTW2j
z2cqrIj869R19&A$`_D@SWVn2rE%AT*`f~u2-+So44D0R9P#BCNYh=vlBJTiQH`Yw+
z267Up)bC|F(;#EGb(uvUUOQ;-hxDxn6|RWg%+UQcXIm%}?dG`Teob}F8KdeKKxfMW
zmF2u<%OuM8t_@Vi*O4@d6lmrXWsmQRKGxN8WgTx=Ytj!H5^Rnpm5si)k&@a5<o*hU
zeNDy=3DZi_im~R3y-@7ZPAlR&M<nU*qd)0PX(4QmHxs#fQ0&gKACtsr2Fi+{FKUNv
z>qLLx;N-4KozX@4@^8Ka&a+>*lCHqRDq@oPb>ya_33e)C7Uv<TYTAF}^;a9{%n-C$
zmwL@c6F5j#BhTM>AN3!z>zK4jx0JRvg#xBtvOJIShz@U1)|Yu|-r94g-+UM}1(!UM
zc)#|HoFdu%c?s0PIB2%XfUjT1pu*Shr1uSID98EeJZ1Iow3Qb1+|68<$(*Ccc=#Ft
zDM7ap#gJHdiGjCNdu*;JjV<j-OP?AxMtx>wc&V6r&4U+H@%2Nzi{nQAwMONSJb^|C
zw7qxU-s8mF)2nZ)k7?a1>));d<Q@&LU1(Z`9GR=MFLkFz`busZ|4`du)=TL$pgjH4
z@MhjwN4HD!=Foegq<?l}U$Hq5JFESZKKp30lF>!c3AV5!kDw;;JM3QOph}5!^j(I`
zrZ9UKaGPgafFfyutCv;@(l+Ca;U*&e0S_DM!~E|>ixqid)L%c0k#=O5nRrV*V<C2*
z>qV*YkYlDAe>clKcWWf}AZ31~QZHd{nGfBU=vraz?`?f<gl0pS?M!kzj%{^#JBge$
z9F$3MC;Xpuj`r|GnQH0Np*KJ$SZL@9xD8$gY=3|a$0G*7hA)8k_bc>+7VvWUauMG}
z@-`3j^=sTR*!0sovjX(xcg?4fI8Vg$-W>qI0(<~K%5Av*qw95r$A5YU8%{ra9s$7j
z;JqV27A)upIVx2XXQgRQ+x(ocKDlrWGt@elY^eix&^SYd@|MCNyw0B|Q^WNFK8m7Y
zq~5|o**}!3O1`bo$Z{2?W@iW{p0L~U<QHY4!4IZWu>$CtsHqbwt=hc-UZ(&wC5kKk
zj^0`phCIOdK;@IK6|>s4ae*g5#V6b<t8$pXc?eMaH_TyL{UliVldf)35Mrs#Z7t^Z
zOK2AZX7EjUw|%pgg8L~(>Hg8rEa&*LDoBv87?Vd0?d&NbURso{jZ42`io7=6)7CAd
zj;;6zBQU~fM|$Y@afbw~eYvIkg_!MmUF(fhKPF@@p-+&LXr7=-Rk%Orc;SU-qSD_*
zV;2)fmBELm?JzWRQMWDLmRrXqjM#+UWcJ_$*-Lmz=i$;~I*4<Dt4UFxy}H--6f_EX
zm?x+=eh6$bpDq8qhTygwoi|>q`NPVeEn;4fKrwmJ-BE%P%086R*-O;2XLv-C>9gw^
zj(N$dg2+;xv1E|TrKjv6!&TO(D{gn?ruEq%t>mf5eO*&AcbXXsc*;e??1eaQ2&&9M
zPO$z<#u$0+5xH~J#9Nw-3?Oyn@6V)P1e@9b2|ceWX?M;eD@p>ywv?Iwhp2Ok?yKwi
zc9S$tW3#bstFdj{wi-KWY^$-Y#%gRkX>2F|{pGpegYSHeu}{{XW3IJ+^SXA&f<73)
zlV!K{8Y#PP5|<vvm>72#*RvS-36Gf8Auofv-`0kkaQxBZ+o84J1%6%eL}n(0Os{U6
zz1Xt`KLMUVK+IiUz$QQu(F<H%9g^(<62}40px&h2Rsi~p?~>=gEf&`a951tiMuGi1
zfHElVWtufsD}U&Px?E0r5}Z-cyS~PWM9?9Vo4wPp;$S)z1<bqNO!VmCXp0L9ZRs5r
z%IC!+p-4(KiRZRy1>fnl`s|*a2s>5F-t5<@zs5?&s>AahV9k90=i8z|B?h)G4N;oU
zG}k_+RO0IChqDAHIIW6TtjDG_BueKp##E=V#m4h#zi{#Y6a!rcVLT1!jVz+slOi&m
z6~bNbSVN@;Ad@PGK*#CdIF5yQIoDGb4u;x`gjA2jCpG-}>wWujsZaj3K0duLf0AKx
zOzoo^LUo>2F>{Egp&2`(IW+ju%2O%yYRpxAe4<k?SgtE-OYaj;q%+Khy;*%~iM01o
z8D9T=V=HQaO)Zq|iz1xIT6S@&aQ9_H`X(8dnGg;~do@3b1^xwtP8@1JM81x8e5n?G
z7kqbToT$F<%RRVbRdqE{Zp$|@MjrnsBe$!Nu)AO_G1L+0Q^&TOkO?%j(p>kS0)Ghu
zD7VWhUnL<9)<Ra6y)J~^tYLKOjLwrT@N>)3P}i4dsPXH9+ob57ory4`_o!drgCdtm
z<V_OkpL*I`3te$rrWe+PVM3k#P#i-Sklb398rfqtuuXED*VTV25*VqoBw1xT5c+y-
zVe=M4-nV%Kq#%?N8Sz1n7}E_AiXCCpF6w+^Shc;+D)<4j3f(8WiVGqxGDhl(;|3_N
z&j{W;-hjN<ysYPs0Mv6~b1t3c=$MTM0dP6O>)oIa$sHwyVf-F30|Zq4?(EG1|B_m0
zw3XL^)%%yqL7GkKeSWW_G{qyx;A<I1+^v{k6J)Cc5!&%Mt(4Y|!Q9r0zg@WC-GnUN
zye7rzb5QR!k=>6Wcd<XD<(&LKUze{cVM~nv6l&q@Y7_VFpBmLw$g=Z}m#JP`NQYQ2
z|MX2ggCEejKkoIV8Np8&t9#Juq+I9y+n_o&mPcA%Ovl?fU$Hgqb3HSV@EB<7&-3GD
z^U|=xQD<cSk>`>}#FK5!FaO~bJHui*=tNvpB7i7WG0hau;)@CWq$UHCyu`gu=&5+`
z3W_w>IBkJa`QVMksXa6%%gZzk=d<0?sjH<j>xFRFn~A^wy)mo`G~_cQ=Nd*AO~s-@
z75ViP(LE>(<~7@Pk->lgSUT=D!*}q@-K5pJ^rKkhp!lXyG&qvamC5YcY*3YrLZFsi
z^;_xIu3*+BsxwH9I>WltOhzVm?`tyi+ofB|hlT8(rNc4!Kq1o}=NG>>i1dO{)qvR&
zPgrG4QjD2b)Ui<OVR$4ZqKAxF80X9ef)a6U)AIeKcFfh_=QF;RtYo_}*FLX-vA727
zkfHUTZgrVMOAGHI&%V;Xxxdx9(7W%kmqu-{j_lsN1&e6yL~Q?9O+JUnaZL_ACO3=w
zGfH`__X0V1T)R6`1qAp5SpGmB%#npXHwh-vcIrUruKT@v9kv;U!jE-ztS3sLPHJ%#
z!!->Ow-(zC5Tuou+R^V-%K6QIzt%eaq!en+=lYIT$}*~*o&O2KV+)#X^{CU8$0P2|
zN_3k{plwCwb+9OE{?4$=G<vm%7cy$R#>8E6A|@x*M@Akey4!`OrakYOzuRk|aEI6x
zA!lCna=jX_Qiv#qx_i@eX?a;eT(2Q`3b%+|!c3BgT-U6rUM7<JM@h|b#svRx)iHQY
zny1wg_|moTWv<+Em|`x1(7~&QcRK<@SPyf4ewBpu7l;700F)7!C^{+PIM>n<Zdb;K
z(-bkq^QB<-U%QVSG^y?wyxOT)weI*yi^K-L02xV3b*_?*IVGhQ{Wi}!S-96|_&s4k
zxh+O6laKhv25ttwSEGFFy0W!tC%9MSz&1}xXz(;9x+7KVDQddcBW+evFt*4M!4g*)
zzwappAJmJ=aVhiuZsoPI#@6mJY9D-#f|h}9B{^JIu|Kb>KAw2M^+UHgPr^J;pv&Wa
zo>!V=wEgdtfobP8VT&?MWQ_ZMX;!AEpPok22wKH%&)kyo(QPwAtPbU0bS9aCL`Wik
zbSmVSjf;3ERrP6j9--aIh}rnfi8d;^4d4B!R8C*TM^8{0c4K`Mb2WJx-FWS{b6Of|
zuzv{d5T4v^!zB5=UECYA&U^(3wgK<~z_yggQ+nrf<Gk6@^by!RroW(jI6Fr<n!uND
z{IYv(8m*aLJk&W24XJZ^m*CkM3q*W9^MxXKpzpuGe2V-+7BPM*+lI4Svv&PX+uV!x
zq-Wv$x)>eyDnr)`qlaN}6e$rm!tIJ(E2Y>SV(q%pIF|;=-AQlU^c_cA0pp6u=-AdX
zLJ}?8vzR%g1wrkKQ=H<$v^Qe38+0liMX2R5Lxt1n*tkI6+p^Efoi9oprFu4!AM)1@
zFK0lzM;p7=*p0nmGq%LOg*t?b<!?^fOZd9Z#M4KlV}7$gFu_-z5{{}6Yt6mpo28M@
zZO8Nv&zf^~YzR_)dLh=jt^iW(5!D>~JJ<eWSTN>&YElBZYjFgJ^tA7JhFGN*hNse8
z-qc->^Mla?&+MFxxBj1~%NeFnsVZ>K&QgsQ+{s8MJKSB#<p$;xM%Fc{gFcLPq`vTg
zCjZQsk0p<-v!Y|OK1zH+^&X~q93Esa_908`zr-XT^lv2)S(7DC@OHj13CG2y130oq
z76@6M(FaH8nq!iJlV}D{@d)U9(s#c06T6_l@N64*aMj9Dm%k%<W@hD67c8YbsMs^i
zw(E)AkvYE?BjA7%hA1oM3A=BHI5r=<=t7U~N0O;%3Yzk>P&UQpu~ga_N84EF3GY(^
zPu6pZj?}H4&<EE(<!b5szJ-@&)yM>mK=_9j2+08OATh<et~|6*ywE8wg*<OvSS+53
z?e}5lhZ<s_8;?AcV0`Ns=f{kf9fOb8OXxI#O87geC7sw&dvL4lU8e%Eih91s#=dmj
z7CT|IYh-xnnxuk2>2#%V1_qVx?OvTu;-Rb}geEF&(4x0%YVDAbB-z((Z7&{#5}2F&
z^~ZF6E3DXU51@%Z2H6bhz}ib~cXRXcw=un_;iRRWBY}}^yNA=V>6|J-#enV4TtU)(
z%%BW@(v+BDxTi1Jk+WIw>(5CxW{?+nO)J|n;s~Q64V2pz`GS((gzDec=%5f+2Q>q>
zrI%5wdhdw4tm|(Mo;YE|8Alj`d#Vh6`~uEl1XEHL8%%X-_;UL=1af?K<c6DznCiMd
zxpDJY2s<nhm_kA7s-rN@zlJvBW4hsLRKCv>pil)paFk;)V>U;57#kdC;P%|Q`17W8
zHCDh0u@Hr9WIDP`By9WZGcb{V=McyIBh=Eh4YgLoaNqO=;Z5emsyknSLGMB%Qk`-~
z3-O9usAlGUAq8dw9C|JQ{*OHqu<`{})rFF_Asms1F;L~-K?%}`C<!5xpdDV}V#B#`
zt^$0y@{j1X6d&QQM+@4h6Ak8a>NI&X_FnO{sXDa3(TXlFw$8*1S2BMP>;(Uk*9ahP
zhq7Z3Z$!$%dExliF&qJ>chn$MfA53maa6la*mn$Ezx3|Ef#5$ff$u-_fSV_0)El7a
zo#+#>Y5JT4MC&kH3jF_r&3+f~vHVUc+yw%fvwyq;KY$wmpd57gnBG=4<NyEbOwNH<
zH2`*K831+vZ(R;Z^!fv!9CP?6ORX2reU!e=2KW3JIRl)Q0zk)aNPTC(_Jq_RQ2+?Q
zx>EoI_hpvn^<i^WcG5ot4?cU{kxwW1gW&%<VK9wH0ySngHWFP?by&kVDAZgFs7#y3
zv1((zZ@(kya@xchd-RBB?TO@NSe;~f%j{B_1V<0wKfX6cBI&!Gl`UGtbC%v6=M4X=
zw&4&dXK*iKn889cTy!8wDxRmHCN(}^S-VOUlp6X2zq&=KX!K(MSrMh?Y`7%MDS=xw
zqFbrNm59VCNkUJ+15J>u^f;tU`U*22_oWI?zw<zR`(f>6l&vyzuh#g<No74jLE-XJ
zB6N6Y#t4HfO597Fy{3iDcA7F0w!dkS7GKF!@~0U*6a68(%lo-Ao91^r-rli7-%b_w
zpSxNu99hIpGbwJ#SRr_qp4Cu?B3g<8-@~g)P@->k=9qTU3-lVACdYI+`u#5D<TzoF
z;IAB3r~n#<@9Di><sBT|12F-2#;?c(mChs2DLeMRYQ)F7XG&%c8)w67Ypyw8Mt{)J
zc7%EbSByqqcI_$@_hj<;cR%M#szah^9G1M;!Z(kI+c<)KBqkQ38TowJ<%s8CWX{0%
zVZ55c{q1WS9lB)r7y{F}fZ5RWNNJh-YVOPOHGS;))SGH>5+-|$>H;$NjL%Wr7=9fK
zT<2WawOGz;J!!~_4`J>Gp(V?=hjG|_b(qte1)QdkFkzqPAeMl+UaGxDWPEkiEpk$}
zM)2&LsNU;O_96|`WH#!nXP36uHoCEJ?wt?8Er7`6gYrNF1ReGS1kh8W0D?Tgz!Q**
z(E9-Z^&U%lO742tl;p*oqQ6j!W%dg2#5-_Aq<=9`pIjE0{DXpp6%&z`)-IM2!A1Xt
zzIC{N2dTegd>#Mx1ZiIDcC@kFJS|}10C5`;?(qqnC2(9n26_Yb#sBx<42>pFrXWMg
zvrCGV@&V065=?cNCpu4ef5Abo#uVJfexOR0nOOI$V7BY>2vRO|wA6l?=8+U*uRyN!
zJKvt9y^bu4lV>k`w7*hxRM<^|OPOiq7~(b8Zz~I`mbb>o6r@9u_6;Ogxp{vcr1d6Q
ztLiY+`>?XPp136?N39K+1h`E~yIE%|($U}sgLmZYNPg3??>V;n*in4q<1XZ~a3>=N
zZ`KSG#?Lc;S#*~Jp05Hf?LRo9ZpBc$W^nh(1@dIC8V=IqZqe8rbYoV<ireHw2?noh
zPR3I&3!sfLG|yH$Mz1ba9+$Ej4LS~JgTMAtw2OZfF$nwL4!S<hXdp|3^tfTfGZFXY
z$#DR`k+Qfa<alT}-3kT6O(YHc@%v-C`foo7J(MEuVHk_-t4PF)(R`6wtY=+${rT=`
z14=Q2=PzIJ=1v1;F<3H;Ldpcs%bpTa`j8?!jqQAug}?gLhk@cYyAU(x$i=Cnz0Scp
zRo<7g3L|dEd=F?yXd8ZM%S1q2ZRDRsM~Q8grD<WYB8YG7x54w+eti3Jv0ZZh6;c3J
zVCG(#sHRcC7nSAS&xSMdGsoPHzNTXx^)gyD%v@4^56SN0b2J~iroU9Qe`N*d_{yc6
z&wX_Lr6D^Kq}=MZ7pCSKL~)g&c8_xx_cux=)gSfikH%Ex7+s~O0?GgUftXhTu%O3)
zuAcy46FBs`{VCS@2f&hoo&#_?%6mFLMbC);*$Q;tLBJ(21%D3!KL1-M32=Y;2!{>0
z2Yd^`oR<^6Y=E_X-d=9@1KTg#0UyB64<xigOF(MiPAHt_RoaiiNFA9fVKrThTEt&c
z<SZ9`Mr5PiQ09{IzEUK|P-d}{@~xR@{yRnPg^iJph-$G0JiA(pHAQ-emj1Eu3&c6A
z_Pj;qBowcDV1A9K{OmPZ^L)Di!HZDpjD)d4c}7&ZIizycaU^>8fx>Z*kYn?RzdtWc
z-^;>5IUFM5DD#e!Qz?>DKsk1-Ga_t~|M)9Ra5+XTR>*5<U)~5DIv4WYI5_iR@;ZUv
zQ(J>~Q#ZvNxLipSmiIdp-#&UI&=Unq^F#Nh<KnewZ{S=!vTLqJL8ms9hPoCZMB`16
z8O~*W%{E+of+(du>oed)PJJDFAE`j`fE^a#IE!pCQP_mIGJzmw$y`Q-K~UpMZ@_O|
zarPV%iP4oFb1X4~_wZexfv4B5ua8(WVDfDpN<#;=@W=ZL28k{nY!6rB*1|w6jNo$W
zz757nn7x1)vj+)3l0Ppr-eRDGyo`;=y&(aC?8MF8ixB>x(jluZ$Hs_)@KahZPgC_8
zU6)^d%CChOeJ!&-EW%+U*IF3wlo2ad6go$YHo}@jv-?KWTW5dsgL7|(x#XE_wuGkN
z^bsgU1uAP*Uzy|OJF2R7JAy=;H4Up2L)1H8Ri9}`EaVwTF?YXoq4r^*b$*jm$W+=@
ziz0(;6_xId_lc^7j*MBmuT-EHB_d4NxP1fgrh!B7M?u*g&T-<hSY!p{nt8R|G7dsy
zo5~g56MV2}SL!pt#Bh!*x~6S350W)|mJR$bO4(Ia8KiY|kdAYh%rKf$NVOEg;2#;W
z(<GG4go!Tac=DRfw{^VD(9UdTsTr7=-2tJfae8`|f4BDe?>vKiB3tvP9fJ!g*hgk?
zGK0)-M3}-XI$V^~hGrO3u4PDb``4k(YMa#Vg2w;-mF}45*sMO%ur!|<X_(nYoV}<#
zlK9t+-Q&$I`@@{va)x|u)X;~$=sNhN?RwVBOYweLng2M>%EtR1zLke2@|dd_Tb=KY
z+ghWDbmzP5*8q{X2h7$GyCX&-OUTS)<Eh;wMm4X*>9M2K<QcwPH4AbW8m+6MOD_bh
zCk3W6)VZSXy_VY1qTyw2Ju|_C4J$kcQE}a6L%I1O6SMN8SG*4^7=_uAk>B$Swaiq_
zV(%h1*Ti>ixRlWXj)OKX&P~and%F;=4k86gjiabWMhxaP=cnQ0RZk9YnYs5iyA_Z7
z!~#||6zHwhv)9mBduRMYJ(PPkNb9*bSnoiP+r{R14!ePWOj@Zuou;b`>l;TxOMcUq
z&K`L}4ito11i3%ax}_*SQWK^ncEO@!cf=L2(H%HU_Ib(Q6l=ce*V|c?yN4UM)tiEQ
z&B4Bby%bD_s#T9xYM`I?|HIa}xRY2|SLW@ekX&(S{rOHb3OLLHH}6>h*b86)FS`Ul
zy$Cu2(Bki7z}0-3*2X86&*MMr<M!UWL~g)#0K_Y>44(7=^xo&e{{{vU1z!R3Bg2cD
zPc9$Cf07i;Uck4v7tsAgtT+EL{%|M;KHUK;*Al>m!o%q$59&|eoz!h$GavM{{r>6U
z#gcWzcMz${kTC7SO|ZA5XZmCP=0%N5yEcAp=TXl>@ppOhc1^THtISi**y=8L?1R?Y
zB_`mSJwPmeUOpXqOniyAa?FB<DtMzmr@(T#N$ntthL2ntQ&TqC2UWE38f=~<EFIJ^
zaXj=msmL#Df%M{kx(Ll|&+OhClJRJk>l@`$TRxXXr@Dbb^=jgZpsMVYv%1**+Z?e(
zebf1{MaITYpVOP3wC5)(3%9l{-KKTwKOtlWvDvB#*aBtziGtt&WQUBi{)Mvd!0`2P
zSebU|xtTV$hTcbC#mI?=+ws`)y&c&0fwQPr(<z}{a-f*Y<(Y$n2`gxh?Ah5*$bXH4
zMP%;XiEZmj)YFe{x0oOA=u{`kyu%~6qgh_q6z{&q8wyk}Am98gu28=dhLFJpa{%7z
zmDlpUU|27XcNMmqyFntIi+W`gV$~@%mru4!J*Kbc+e&8~OldI}m@cww8#$RjR>^IL
z!86fn4el?486|0@&zn3Qrmfa7UE#Gphe3xZofL!>B|SZrL#>|gClM8k3lU<IY|=s|
z%-L%g)M5=a#x4O+wcYxunS3uBMcu?Af4An4B|w!Vty%E?ohChD^ih`WFK||akMKU5
zrHyPw_s#bfd+YIDFXXu~zloVt_M;ZWaM0||1KyBxn_u=;Try-MlUxEq1Fa|AA;BuK
z|7UUT9eT>^Jr=zFggS!s4eLRiH-Heph<!5xRN9_KZT)X6{<(M!$i@2$d|ZJT9YIKF
z<|?&YC}d|i;=0R?li{I(ci&?Wy`u11#ESKKHU?gliMMQ9l0XO_B`+FSA&#@qjpEIA
zyO%c(8@pXiEV3Fzh>1yY(g=KqDKf)J-u%f_$=lps9ZxQb*KGCFmmRZ|=vgX(KQEQ$
z4jRbp^UzVAy`s_WJjP9+#g$?k`<K*;EhlvG>k>PRqU{untcz_5L~d2ACOyMkTSih6
z^1DdoC9l1@&YUPF(ap@b(wc4&9=r<Mkj>?JK((gK@FPV7%srVDn3;CVZV@v{7+g!Y
zr<NG1{4lAm!sIUGs}j=%L{tgTmi8b^9EW7N#I_5C#CQuW?p!q#)){CZ5%kk>QiGoI
z?(i-Y3YCIKzB;N9jG2{cfPG~LrzMW%ux&;`)ny^RO=|jls-w8i567ftplO?sl~NoA
z@~kKCx5LY^TNi#BLAMmvf(FaLaB}h|JF&uQ<i2|NPb;UOp2lA{ncb&KeAa*NgZ}wA
zesiyejFW+fA0G&KUYBZQ>feoPhVv=9U@-g_yMH8y+$6W!)X<K+snL-n(%OpNKZGLO
zJ-RAuP^<H`4E+}6-VYmCcTDy|XIOoRa%_v_gJNg%()S`Vqgd<=$46Z69F@cS8V%kY
zRQe)t_bgmvBUx1S8N`k8!67=J7U#dB|GDsL@WH281D&OzLUrsgfruLyP_@+^2lYRz
z#Ag-zr~%-<d=@6G^eRB^U2q0K<9NRT2w*{W|JQL(eDpdn0dMgD^d-;_C4Gg3euYQ^
zDYxG(%ZJ(WA_Msj#bV`G(UNTUlAFH3s~B|C)4))}O>gI9E`3Rq`$O?3ZCLuEljSfa
z(ur`vt0k4>b;~eFaE)drzAqlVAP`(uf8y}OWpeT(`+;N0d4iy8=UHw4QS=UTEN~p<
zLGes92O?EX!YoDMncJU=<mH%bfp=3m);Nd}O-eKpu1l}h#UkRxM?X>Z#~Uv~DAt35
zr(#wJ!kt7}68(j#D`i>xp_DpT3YzO@z6?@U$}@v<RO8U-Kv6nV*nG9y+s|smMfZ6y
zXV@hZzT-62Mgd(M;nr(tiVC}0LNiLg{wd~lv(~}b?>0Ls;yUNtH$5I!_c)9`+NLNk
zyx&k@vZEe(Q+>lZIYF6ApEYrw#|wNdHK$f>wf`{eTH4u-!8@h1Gmht;T$CJ&XkGJQ
z^|)$?dvA5$=U1?-WKv}#Qa6OQy$1L)T%Q+_1iQV&udC}KsM5!AkPMA{y=(?&1od~}
zp}L;xU38Z0l}oBT{!;y`B`t;9zO<!1P4V18*?jfxiy(M`WrP_Q0k9l-WkdnoM-S#`
z{nIN5TPWRSX%b`6ThnCt(S9NDrsi`F#C9jt=~W*oI!tGeR*nF*tWFx<7$l1}GMzI(
znO34+q8%MqyxIW*fQjp?m$%CHGweST{17D`%n}N|od^zlge}vl0pQ<3@n8?Vy=j{c
z!nUCG$=vf@z&Al>=Uir=VOg9+_!arUsg_(D1%qL5p4O#lo&zc||LVtZcLuIU?SXPL
zorgRYY*eE}LX^&lgvJjKM6b0K4Xq~5IhJmrG%|l4abOW(OZ)Uod()auS)rC+?qafJ
z3DaCun-esE+tS14+HDX(kk}I6sG1;yb7dw4Ik`DTWaY5&hwS3K^&I%1i|Y#;NV&#}
zS!zM}y-%x{2GrOibzdmsC=9LUYSqTjPbrA!hD1MLTynu}>VVM~clcYpe+t<ftG4sa
zXV{GaW{R{wx5AlLQgx#=JO;6=)8|L~6%jJ6bJs~iDxS=H)aN-77r{N#(m&eJB&#;Y
zAkIRlH}fK^vW4#18p+b0%RC8{DJ;sR{H#D<pCWdu$p~O3Zf{lwb~C$epu>JcpC9@x
z-RBn?c7guXZ%UXQE%3)Ww9W)&<27eaWJ0z#kS;tikNRq`{SxV{6S~CWU)mv*ASE6(
z5iCU`c6X>K5CNlet-OR*p;C7j2-$vrVoLNRtaC<an;!hOG-0!w-%#NvOtVLiK}9pO
zy1#r-M@Q6aoyWC~Wb?t?cLLmO@%7lQj&Q9yMZcRY9GWRC4WD>o#Qu8Vsr=DG&Rilf
zGH8yK=CfBje)S}w;Qt^g{O9lVdZM(bvQ8r^ZQNP*9)|U#({!_}VY~z?*loafpm*{G
zsrO7!=o5jBrC9~U-UcuT0Y?3K@4d3U;vfI@IQH$Jk*7CKdsP79T~Ib1<*z^2;XmZ8
z2#g3C&D<X>1gAc>CoMsSx_Bq&Sx*EBoPO$!(+pg6I`%5q<=<({u!;04W|bbuted}I
zW^WsM0ba}{GF4Ih-~+g+j&L98U(H%Kg-3LHcKX9Rh};R`r!7X{E12SN44kam>?nFA
zgns2zkjp8UvrqOTb2KKi|5~E^&F?$Uv>(eq*wd<)ndT9>xFzdlIu*Pt;ptQ}IB^Yi
zk=Hzx`e(UllLgz8=W3ZvGNE1Z>k?uThIf<Hh9d&4Bd35+x%^XBWJIaniB5gaT=u`6
z^kBF~d6tAWe#gC9?Aur9=J7fbGS2B?9*)zvEe3wO<JRu0?^=N<PQZS|$qM7QuydE2
zm`zeRB1JXc+s7xjo;VoUUWLOmk+w*`A$S_nDcF)djv&=Rqr9oVX~4*qmWSA?-#2Vw
zVce5nmjynG#U(yr>c7m9oxUdHT8E`#Ba?;OTNUF8TUlX?Q;SI}{|fWqKYRIFYcqED
zW>UlGIHhf|`LuerW^t8+&V2|*Th~Qt?xF5ssS@xo4|H0gQV()eYJdv*x!+<$e)Fmn
zTd7`}-JA_(@h41=+60G^A#P}fKx<)HTVb7q5Ri>K@P5UWq}}t{Nwy!}WjtixBB6i=
z)Nkq_EaL<Bg?`9(e3R5ypFq>B<i>`+lrS6aAw8blUHJ)<UH&c}|0>lWbPdrWkEKNN
zrN>8N)2teh{xwy49%7JY$F^;Ce|>H@u$AVNeOj2Yt8nkDD!cwYzF;Ho?Q?_#)i4n&
z*ADU{&d!m2(Tn5|2hR3AJ{AD>0HWvVcL^!mcR+B$EgJwBL0AJvKuuD>e!!NMZa?5n
zsR@Drxr2Z_cF^Fb#Wi3#IK*nvo)r?;RP63Dg(AVz?T_;keWhI^Gx=#mT5x?tE^Y`Z
zSL?f1R}l1C${55Qtx!?d=!emlvw4QGBDO4~*uw0E`)f`TTsJuq$k_BjI*4@WX%sE@
zm9FmUuWB@25Bu;~RtsOuo|0E>%v09BF0Bt({FSGe8c%|T<;Xt6HyV8Li-+-ueV=(o
zJ8=`@6;!uTr<UK20HL_~uY*Y~Wyn`2w6$||QF-{TVqT;;33<j49!g&@F7#7=m<xcX
zm$Fy>`~F@j`46G-_<E7%n=UqTD#4Q7s!DMe?E?7-dVmijVS^<hd3yDs0M$)8u(fFE
zG1v2~drR)5=C9NH%&+K|g0StF;ULRbN7-(!5LEkq82zzl6-Lt;&w-J@8ucDKEH+Jl
zc@XOx;UAK^dD!~3;8BNNb?%}m+P9YzM^}e*H0rd!cZy4Z@8;2Zf{6;}<k**wfdQ2A
z5hR%CFrFZMY@TJ$?Wx@;*ZC;h)Eh)jW|;|5^i2!r*DGR|)nL66lmWrN+GlKKk&tlO
zu}kA{rDCo69Kt|d`pe_O=dv`LGAXVgCaYL{=M+!;B!6Y(Vfgf(4E4~u(#z;6Iu7wT
zpWwTyAT-2d+Y)w6SAGFYUNrl+5XV*pcv{*lS|S?+Y+3_*-qTnIA`RD6L&RD_bGI2a
z;(f(zA_p(-_U@O7hkyV+KnB6*^B@<=t#Qruq++fjrAlrOW9uMaRT?81!)(r!T_+lf
z68wHB%_H%y<Iy4^WR47EB!-<VnNfQEhCO6MiR*`e-8h0iyvTgrw1*l?MZHE{MWsAd
z12g4Be1FzjF@msS);-LniGSndYc;tIsru-9^j0Y?gnd)v;<g=tLHZR9t?>5ad1XJv
zEsi4p;oCw0?spn!()chs&#P)##9Pc-zc@^mtEry6#5FJSZc1GRt+@o9z+%~X1;;We
z2R*FDha5Mxf|S~60gmd)-4>UIF^&@$MrL|Y@}wLn9g6z;M;%*yP=q;dhczuIBo+5D
zHSj~{-xbYuKZ2E8<?Y5myYK#p2@2>cj+%ebd;6C^VTmouua{L}#Z>b>1TVi-HD>g?
zIO;T5Q!I>D3mv`Q_2&sv2f`VY-jnk(-Z7(?ErSI@_c~ZJDXE~GZ~kOcFoyNz^5eIy
z6)!!d9udob*}C^Bvi(*_?1yR9o;&_(+E-#G8Js?`qvnW11$;d*Ft!r-TiwoCY|v$M
zGjq}Ga$|*yRdZCKwCqQyQS(0h&6rSx^siTPnBp%a{7apct1J*JLn7htx?~i3ynwD{
z1<rg)9P(Zi9k<Gj%V_`KWjX1oa*KEIr1x-_9yP|wi1!gne^CqdY-|_##h_BsW(`po
zw`BX+bif8kQci++rFk`ik^<U+Z6aSl6Y$8nF1I&Z;+^nb)|UINw4BC_pOmjyqfb^o
zK}3bKvA3YwUih7HXDdg5gLzW+L#_w=-#m=MAy3Y)p*w`rFlp_gCCsioW<?Q|29Nin
z)!k@Akx~QZeb|$d)uARD>IPQBbrkxz?t{T6%s`gE^+Ghkj6E3bPfGk``V4_fq$tqB
zX*I;I(>_@0eb8ukPhM3X`nIo~*Y%M>8aCW6-)sy|2DtQpt<Lg2tVW+QhLG{~M;+D9
zmPeVlUcC@k{t`~&fGq6tTes~9+29|sf#<~c*>wL}Pz#RRcmj{T)S86iwy!N1#L1|R
zA>gc=;L6pgi+{k;<MFNSmj3mev7%95_y$knZ`2Bl*rf$TynvtB7ca1heqrBhQZgjz
zhuotU`P-r>xR%zdvus9&hkQ3qUJB3Apv3FWtoThHgtnjr&g40$s(?Q;5^Q6}Tq+{@
zP@g(vvQvT^Qr*AD*%P&FU#bc!8<`A2?Jt!Oe}_wtHn&j1=P=2&YDPHGcvH<fO?e3e
zYAzOWzNBzuUa=wFnp6BsamE@f%RVI)R!Pao++=u~K!&sNo1(&ST|Qtu*die_%7AMa
zIWP&v=2_U0OKy<Q`cXnWZc>psv~?-*4JUZdpcqMZOj5NaoP2f^Cl%d5&3R^m@7?UK
z`_IppKacPljh;KOwi@|;k6s~NGB{{UfYHac!8rg@0BL|{0l@Yl&lC{<PQ(EO@V}n{
zM{U}az*&yr3)1uY0{~RrNPv)Z03Uiy$R3yPPP^Z8eDEB8sjLlcd<5r^HOF`(VP(9}
zk!^lKUY)*g$f{2ymTv}2T)WMemHg4p5e}|}Q!406daELOq;4BF$C^Lr;jdJ{3Z~Fh
zbc=J~1KqS{Q^0^$=KOX-zLiFMb$8<#GR8b#s8oi5fJBvZi@V6i&}_qdwDW6xn<Eq&
zA-&X?)Dz`rQ5Mu4BF8!`SL9s}E93>MaIJ(C0+}ym-w%FwK6dMdBz1f6_?uKccQl))
z7Nl4?o(8#NtuSjjYo3u4j4&<VrM-sTKITHFLC$yvP9b-2l7DS?ADiMs%-ebavG?i|
zq_)fdeotYPZ;!G?;l`#}S7~CiJ6dI9NKPs~GVw<}fe;Lx_Sph#YOkcf)a+(0`hR!d
ze{tINTXH6EaNu3-cOsgKCkyWu@-T7K3QLA`9eVU;=V<UAW)bLXRwXtWN77$Hso6*R
z{*8#Ja$Zl__2g^a+y1}gzi_pBL*VimtWmVgUX!^TpxN#ThxOnzgp}0wfwrALoiInf
z-G+m)#LwX}6@@GUHQ`YLE@(ytP$9z7c4)(oT>^6Wlr&<c5+lNeqET0+KW`kKZZ7;h
zw)s6D5?L&(vqA-EQB_-Wpnv6N7w&<bMKoVNdDewuRsG)H^XI5ML)R_3FV!+Q$T;?F
z`{|-^Pil@Q&svu$wmF@LAQDmC>kE9|4Kh{%y@aU^uacZP{j$PNfrGaEM$=w!>T0>-
zmF??s6&cMw=<rb~O$g5F)Z{H}6UFjhA?Q%vQY|98O#V@1w{^GwInw+$K$`MVJ-aPr
zhOQsPjhw=JRZL@zb@AGiy<;ujV|Y{9=}&`rErqhS-9fpnGTDHXF^LfkpRW11dq5YR
zBuYp1&-YshrG$s|vD_;9?;vSix)9BU6V3-aXhRy}&YFrm%chyly1T6_ET$NfFH8qD
zxet=4Sbp7TrpB>R0d@MQ694*OE%qX9kJf)9vP(iaY8na8JL6I;LN20T6s~CIc!ud<
zxn5ehC#>a%@+v>vx-kv!Whd_Pvq${H?qm3r1y4MDY0FElh~%B_a_=e5X+H@U=uu1K
z=|!D5Dj-c_q9uHr8fr5&$ks7>{rlhuTB0-%{H2o;%Y28JG<!Fbw5{F%RejF2`pXE5
zIHSM<zV}h2?LA2VjZ>JB`0Y>+RoP7dswYfGUjjV_?{vSYmszN|l^OfTGx{QDCVj!`
zlB&I6I`v3{QMLC3*nRfRm;?#JPXsm7QtK1^ii-?L4E<MR<%na*K4JzIk{$Wku6;g~
z;nAsNwCpnTpYLE_(aB2f*xOa{DnrnW5a8Z~ak-A?JW4&LI=6l~9Mny-x|Yt8{yHM%
zzVeDd5$8Xfx#N>k?E0&OaZ#>(_BQ`Xt+_h}5v>Dv+SqPSwD?kZ*Y4%h+^-b)rZSWl
zQOZ4F;jpip*o<n<G?OFE67~M_pD;kXp4mViXXrNu0>PUXV#$8~!AMintXQPD3e%+f
zyr0#Ql@gG;*|((-n6#(aJgT+!$J$>|Q%SZ;L%KrD_c&TA(VC}Nmw%|@HmGBME#Rza
z7|!jXUS(@Sh(fc9cGrziCuJ~QC_hn2D^m0`6f#v!c(x2)p@Rc1e;XDs7QA#OlAYm&
za_-`??x6qi+gv!g?TLCR`kWeb-m9AAdT_g<D7AJdYh;Pn+ZBrpgq&@jcudnS+&Dqd
z>di%9u1zGT)RwW}Y2&Hbl@#iQg{l%^4xf6NRfv==b?MsO3*GiF<P~H+HbWS6ek?5K
zhRwFpl;VWK#A<GKPS(>h@BZ>2{<XVwZ6MjM2mkjj4oXv{#t~0!MX7sSkxoT({u2&8
zWRa?SHNEgnOtzuqhc8#!lD*?1^A;^)C5=cpE4(>J9`qZr+!TT0UHNSiZ^83IxeVyb
zd%TG>gE{$~cftXZpJ8!gPXTvG2Xsh@+eANkG5SDok;lQ)$0a1{y|{MuH;l3LK3P6#
zZ3I<a6ikC(_@*<pmX1c;hJ`dn^k-XBZ65D-wYNodwaC20MfHTOi`9Ir77<lFpFDx#
zigxpi*%ein{mzsIJ6{)O>>92yQ8p#cxP~=@9sp<qVetZY-lHAJTizR=@dp25vh5Z5
z_nBLF-4E8Rmxq{m=7_Mx>M!YT`iF7R3Yaz9!>t^}5M6<Ev{T*j$uH3)7pC6*lW+5L
zWan(-6hl(_;zV$S@0YL^kmJ9z*=7X_LeSXAsT27ao0QfzxtRqj|Jfdd`&yD1-pIbO
zM})mjP`f{<invNw20U>+y$min&x%i8L*DK^Sc(f+x-sQ9A8yyb@jx=Q=BenkEllL5
zmeff&R#Bbwyv|-Q-IJNv#Q4K062wt!n8aj*L3wIL%qSMJykz!>Oml}3#Pr_2m{Kz3
zuC1}!UmB8C|68K>4gO$De7n+y%CtIKP-{(yQ0;Q9S<umnh>6Ky41%i}QOI<0K*(aI
zbgYTJ^KD2{fHgDIJluCFa+cW;aBW~!VOuC!UcK+(KL5eeT65I7)Wkp|llwhlE-ka|
zmqr!p<~LJ()W8<T5Z03FSpFf=pQ%ilhRJZGdnbj&Ajp7SX!Yr#Hwfi08voXcOVn9P
zG%}RQ+OoQ>0ZwY1PSU9he{G6Uv{DJ`9%L6L{1Z5hc|h1t$K~;;KL4iF$BfPjfmaI}
zeb#Ey3K(bXjiEo;L=~e(d$HPXT2CAB;^@fpq!Xdg5-}nk!?GYA^Nq0*g@75aF4C?y
zy9JX@z;Uw=lpipBc_U2qu1UfRNiYdqpIam@Fg4Jw2N8Y3rHw&PL;!8%XY<ghJMsb~
z03)xxXS)UfFl<VAXK?j(BH)j~<!1%?5UjrfYC;DS=NaRJ93U{D5;;|k@nIV(ySN<b
zn4B4K<<M=y-cxemYs*sgz~||!Qf(`y^3iU6V5eO|n^${YY+_ZjGTSwXZhw;9zG_x5
zRS2m)?gT9+RPszX6Kd0pvuF2oDjO*bP!Y*x(tbA+;rZC&Y~i`BVlUc`KqkSfdA*k;
z{Z~ZdVn=Sy&dYwxy(T!WQd6<uw`c)B*;n?<3c|%M!{bQm1=b!fryA~O#iUmz#HR1d
zSQX_GPO$I<j`@0ZE7G!mW!G(<M3e8A+~*VJeGZ%8A2zo@e0Sqc)NS+<7tE(!w8%A_
zZLY)>76GR4=bs2yIB-!Z$%>zBaFV2R1qU<q)S~72KV9PwJQ*hdthTD59qp$Nzrd%e
zW{auDyvAvPP9fnFZbAFD@z_{dWwT2yes63fl67<^A;<NL^$9DMz<UVIrflmGB)I6I
z-K5Gld54Z{TQ05|yxX>-r5%Z-Y1b%G4Zd+j<Rk0TiY`lpIT}lgbUVwBh$Hw3(tf6D
z4l6!8w9VJGI>uyP@O>4%@9B4*vaU_+#1AZmHV<P}x_e10wLw&vN*S9>hrINOQInHo
zX4(=->As~LuoKmyzhKdi=B-q!i!Byz*|hKl@GG`rLP>}YzM|ooS*N~w2Jw5{w_FeZ
zAsIPDJ%LB4ouAibUW;CO%UrQK!s&NzIa$yRUQ6XsUI?~+<;!wzyhl9V&%(W%q%y7`
zvb}wc#{64KadvUUEgu0FOq)?QBD%f^dphBd&$EKvfZLS9JriEtOZ$zXKO6T9tdF4$
zkT^f*bguzExg!$r=cA0(YK)I0+ng%w-jDl_Qh8rtuT(Nt<X=xTXeEQOFGEQ*-zr-k
z9Q-HF>C=U-3GsgrJCd-`yGD&P(1}}qz1YU}Sn8NUUVC;P3+l%gVb-hb@QV<7647ZK
zv%5%YK^Kka5W?_XWCR9Db4v`-?#!R`XseEr1_B`Hw^&R(4`4~Bqi%3wROIb0b$CO!
zg$cX74)kQIq!2aWlYCG6Q)!&R;X90%Z}vXopuj174yIi3-*|Vq#8_P6Sq0op-~PDx
zbYUjAra^l*Qn>8Wr@x&T>l2$nLcpLMo3DCCik_e*T&H953b@Hyd0TJ#OcNt9EbgWc
z=8kG=c$vQV++dS}5x(h@dQ3B|*&|&AN^om5aE%UM`zY_MW!S!w5z#Fn4!hPSOi>s+
zv3?Uv^%9I%)WNv3uX+|Q^0#yFCVE_zU`wzInrxMD>%oXxHZ9TD<oC+MPrJp_i&{p`
zU7ii^aO=oGN`%Ng%M?`w6NlxlnJ=C&kR<8H(s$%*%bhBA8#PjbCh!sP3Od(f9~8-?
z!T3ggh1N=~6~jOMn0DxD|HS+RtQ;!W!#zcztlKgFsEVIcEkRYJvpO(yM~Ia~oQbkv
zr@j1*jJTCDnmyprf}LdQx>>&L7g;CoqFqJPAwHs8m|PRSgMXN$jgc+njd672ZfN7L
z5bcy5yG#J~pJn{^W26zJU<exNh3DA|Km-^`z!ren0Rx~G<w(wNl@_e+D?=M7AnqOL
zeG&|OCDQ)BBEmj4tW9Db>-|HAUr86oL>DI(qKp>m_cteOFNy`!G}3WuNOh;_$Z6@*
zc#flQpMQE4J;G^E-*TF$FCEgbmoL7{3>~9v95w(Vp(rgdy`nXl$kO9~|J#J#JABTz
zmWCm<5AIcX)g_o@8@<DUm7cY%#>#buO1qZ%;6g+8#Lv1DSIz1P1l6>>R=2ZX6^O-f
zytJrx8<y<mtMc|nxK0X}jE+fy2z-fB3eaiuydLT)We?ArP0&Ly49p^~X@m4Wz0p4q
zB&68*gf*6-v}`UQ1^Awth^MRSdUr!a&ZE#KrIlnWkd|)*b-I`d-qH8m^mt2#WHb)j
zXK2t;qES&IW>gixf=?|>T8D>^#-`!^<`B1Uyekeb`@!X8D6j0jj}0#VjiZW}t2t@k
z%vAj*Gar(r$!>=9$OBKtQ)wNOXNHMV9KQW$z88mia!Rgzmhn27aVI{)Uh$6C*AeT~
z-SxHjG*|+}dRZ9=eJI+syEOlIa}~N%#=tCoC0_@ss3xR!WYsxs)Z{frWW{QSmLk@#
z=}c*i__ssQnMljTDQk#_K>M=>k%#EtDF3gtmt@|-Yu33k6quY{A_<pcEY5ImYl~uz
z8(RNvuQ~CKhV%glcpkMwc6GU%NqyKT%;b>NTg+QKT?tHl6KYt+x5|H-)T;2BuaW6I
zw;sBVAHe%Zz|YSzQrljF`R>7FAs?dUhd3tBiOj8&jDxs(SOqgG%Z+~SqF^qJChCZN
zjP+P__**x)ZSL=iR^kCdg@w%uD8s{C#Sk}AMc-ag{U-a*SI}gL#iNUWuj8wJS7)2q
z=p<I#u%<nUf-kMhc9jySY0xowHX-w(t3)elB)0Z%jS~zz*To861^FRkKg6cR-?V@Y
zkbOtXlfu>?q(G~7#v#RnKa8#GD7v>nO@fP#`VKw>Z04y64*GZAKOr=3N*^{=Z``<?
zN-GhKgeC*zvqZ&hsGFSLFDqcr%rCCE>s+hqzOhL~MF$xY^gkmLsQQCM{OR4oIK<p#
zb~>o&*SJG_Y?q??cC-M;W*TF!Rm2x5@j&jh1$_e;XT8nC?>t)w;I)*?oTl!R9lb%d
zub@ikrG|boUOvwN%5p*Hkfo6ZK5HkP_soN4;?18+mdABxo!yUT?liNh+65Z5nQ3UJ
ze}w?c(q4Di5KT7R^Zpuv3DL|O3mElj%0_@I*YrhRrc_?pV&PnPn4mAGqUV+&{9~Qn
zol=;1o_qbx`XjI~oZs4LikQNQFyf1Nd#9mZ(uU7fT?u)#b*8bBHf)P91tP(AbPK%r
z64Jk~P$E1dFqbO3rE9n+*9dQG)_zeEsiPKrgh-jrG_uuc4S9Z6EP@Q%ZVnkz(n}Bm
z<MH_GC^nyC@So4hjE+DWUnLL)_Ic9|NpK^m@If>az;?3?M2F!R>OD$-VF--A1o+>E
z+iyQ@mW<ke7GWt)3^Z{kiwr`m`Lu0TZza1NDBYp$FG_Cbk!Z0yg+g9Z2RlsSPqjZ_
zo}5way<==9e)<G)jH0wNZG1eA5b3Zgtv*jTX!&jQ!;9!>e6u-4c(g4{zi~K3+<OQk
zvO-IYJaln8pl8avR*eyFcRfP?3J*ll<rOqi(KUO&o&3zR7U0C_B;%qD^qn7|M?q+>
zKKuyvU{8Pc^JTxq7D)V|d^qmpb28A;II}nCXy%G*830Mg#QCSNFnxw0T3dG6RN>pB
zrB$&-MW>pf=(I$0n|{jrdd~^Td~4~~$udV<PjaMLEER`aVUd#9sEMy$QBemn=G`5Y
z|46Lq5_Rp{`HBaFo1bv8PJXJ1K$SmSY}omCh6Y%3oWdXJq%OhSw9~Bpo(y?nVyJtJ
zU@cPEkXE27<Pkfvjzp`<e7%!1MjGMou;@nPsMfmA9Y74^Mv^x805>@hsEhvBrTlL+
zB+v|51&V*~`CQKgo1A=QS2v?RaYIIq0o1S(SvA51#mS9>7A7<5Ftjq=8;ff+kuK|h
zI>3bcWa8LUP%%UppS|>a4bT3~v}Wd?w1vIVLtCel{tIOiSO9#g`G#PmP4C$^zqPu6
zhA}1+f0+!9aK{EXH-bC67y|y*n<Jll)Y8lX>~~A`=aWRo<AL~kLU+%lH+oYKwl|C}
zMM^!=9r(`;@$^FE2oUlA#SKg^rh{w|wH;s4!p}$)T#C_aZE9S-GEb<fFv1w^%SWE~
z3U9ZEh@9Tdef2cs+mSoMr~nmU#RlCl+h(k>GM?^`n>+kt`N-c(jV&q}9sHcT*S=LO
zEETezFV8DoWQiz@MOu+d(S-D_Y=Lk89!}tU3meA^CV?XvP+@vEeW-3iMXDjCn{9MK
z7(Boj-g|Klxmvj-BU15nu7XzQgPYN>A5OKr=h1SV{Lkk&my9euAb`mOAI*VH3@*sF
z%YGu`l>S+cWkNa7>{={Y?gy`3){5rQ(3GXA4(^oRHdxRHbm=sG<iiq8s1x;dEnPoc
zVQhm(wC*c0sI%XOTZ%&ekkqc3M#&imNr5lnWmCAnIsM)!#|(_oM+DIAYy4<S38&S9
zt43P#>K)nRu(sDyr{g>|_7;3ZiR3xkqZ|;7HFYY6XdT5xSHib$#D0`@J(*a+%z^$k
zl#vJ(I^l99rO^JNg)RR)$%%K;ex&!;D2Ottp)8zSYGAz0Ju_HI2b&hv9POPl+O|t8
znwFt|`*c0)_*C^u&m?gEZ6xYfzn2<uYImRQxG&l{SM?QQHN~EyM@cr5V0cp7a3~ME
zqj@<>`tY0`bqOAK1N)lfyM1(oN4VTf`bipoIH4r9#b^v~{g@mc<M>w(O)JUypPdxL
zZi+<qlz2={mx<J0K%e9~EKlIA3Pk&f!UObXP=LGV0O8Nb`Tg}W052A||9^D^9t6nb
z`t9?93_in9mVJsw@EHzUbT_b78ggcd;%%`-&-*HjdhpdDnKUp}Tl45*w>-s%nBQs}
zP^7e9ZJ4P2<K(EZi3cy=-AlFHV-87SO!4fG#4|;Ax{h}5zw5Xni`KVz85}$9PMQwM
zy_jLd<GGca@;bN4>Jbu3+*o_DWHnGEpVMg45yqA^7$YViGmG=pYB8OBgRG4zbyqiP
ziI>8-Fg+Qsp%oAqH>XjwiH(ViXhN77QR=c%hNquyF}RURVPkxgZo`!<%l4Sl*si`u
zWoE;q=57dDV@2chud}-jB%`2quCRo<y$Z+=@+tQntOFKAa3ws*YzYUYRtW<im~BoB
zUo`5+BrIf<0+dv2m{B<MauacBPDSF8;7QRT#}oVF=HkY^8b@2d&SG5qf&=v4B-*)u
ze)Vl9tPZQ2+&o356p(LULXM<Aw|d?&bw~(|6xCe@BDp!G_*J(scr4)>upI|=`PI65
zL&Q9EKDeU}&$`h(4(A*M?-T2BJbxK-j1|HX)ej--s-c9pz)I-MS)}_^OIX-7Q^E%a
z%cXO<TUTmhpCmtp``&Q#k~a9gF+<4EX2mT!l<WGD^@XU}C~zC)bY6iFnogUF$%3u@
zQO(8^c$fQTHVd;H-rX>&3|5J1+A;*TtlBP$eHMgpyHoP<kyo)?&<eY9a7l|EJEjUT
zC^gu>i~@o00Qhvk*Xbj{D2Nw8@UxKx0ww?;3xLfA3c`C|dWF&C-pp#h?x42qyaAlk
zJx(>RMAslJZ7Pa|s%Al@(uiZ9e5kRYX0+GE^h(TW%~uW!Mx=Y)dG$Sf%iA7KqyfRU
zp3~SBwf)GFVzw9>%R?2NWu*23<a{YlGdLTNk?GRJ>vRNB7@_x|O*ck);T8(Mcv!k{
zgYst)E9oXk%kNZJ{VjeAt`URB;YoFnxekdaCXYFoL-*XT0#108-Lk3Jv7HQzo0}U-
z?*D18Cn?O*SCe5fMT8qB9zQuZrsQB=a9K38G#Rk+Jn%;Cw*AgtI$C6qV4l24D0JZd
zkR~2^NbN;#Fn&zd;@l5AGVMZTa&(4Bu$0P;{48z$WNT(&lwE<W?3G!!wO2#sgmpIt
z_nTv?560w=p;enr0@aF&z~(wj?fkh%515nwit#$;h?`$SVcvQ{<St1<xv5~=>*nBa
zbifoZRPSk4=aY(lQQ`CzR*vo{d}&UkMtY|Ua!#@}YNbacHCp$NTCwNi_DnRp>h!bp
z8a!T!Oban`a)jvNDQQRPjSERiXhDC0DGip>1~#`)G|G9u@zi$q%J%tMvt9ST$1RMd
zk%?_Fc2Q>4HFAG=RgU4^)s$SGizT)VX8OAlIx92OQjT3U0NL)`vbx<VOOsktRG53~
zODj$T^zEBh^PCMo{=BiRnU!{;96iNos<VVb*v?HkL+ZKrO$Gljy#tXRKCXQ)rM|Ci
z2?XsDkB<-t=>Wj`WMOguO5o|h%T-X^a~>rC{TeVc_!+%@Xyg27&;WOY{ql<R4}jbP
z(0MBXIIve>`g0wyeGl}$el|d#C#DaN{g!{d=P6%w!GD4vUIP;Dh(I0yR@&G5|Lci9
z19h*!%%H)C1CDHu%YP@U|AN5aPXUpQcLpdz0HF0*^juB^uR%oK&y@fv4pQLfELi-1
zA0E2++_>*~|BtD2jLs|S+I6EwO=H`(-PpDp+vd~8wr$%^<Hl-i+vYxb-|su)od0|5
zUu(>@)|~gcF08HpDUF|Becs{`fh<4)>-Zhf+x#8v{_)+h-4NE&g!<U-_(JnISWGG|
zSy4GwUMddBvWPe3BGJw=7Oe~_>~gW@lCXz0$CDR==XQBm(BX1?z2lH?s_pRkWsdjv
zHT17Rkmg&@;0Gfx^})zV_Zd)L8+-;jo&W`auo$=uHn`sGgzP<5xP%-c+)6$LbqX#%
zAwB}1&?EnKfL93d#loIGxuoB&Q>=Jn<V+c2R)Oz}EH=O68v(}=b6l^H{#b0=+&mTp
zL+0Qy+7<j?`ebZmXUN7HIObZQ6|Bg==s-T*cdnA3XyU@F2A>xX7TSA*X>_RY08IEo
z4Hb1Xs3wc>3bXdui5%>?^&~l5R|I`zUP%E?(C)}u$F4y7Ox>8JMg@9i5e20*b;LLl
zr3DOU!89j#K^8n|5dX>H_d>ZM)c7-z_Nr^}dSY5REbRU}V$yk5bryuxQd;nO^R5fM
z{9HN|8N#nhJ%<Z~@EHVaDkY=13+j{Od1^~H`6|KaPW58R%$Tq+lZC6~#`Fk<-~A4d
zP^(R_7JDZV(tLhc$#^H<kvdLLZ=Q508$9`VMbK7hSS~0@#Nk}=Xw%L5%bwgg5=K^y
z_?8NS%?-g4AspZNxx_U$vAOD5n@$b-bdsd;UDc+f-9b@Z`eNxq7bLR*Un^DxbX$8i
zEJhy>V1syL&kEfSnCQKo3gt4A!c#``v?4gd10noudP8-sCC8e{-4xQE45QxsLaycN
zlFKYwiw$Yb#)NWw2PTu|ba11(+5ddcdZEVROQam*nAR?KcpjIc2<<L5oP>U6T14%=
z@e&N}gB933jA!SGJ&r8HgYW-UNSq<W!kk3*V^|{kC+@wa&G67Id<nlgH_Q5{Uxy;{
zt-1ZQ{VH&HXn(f34oU?M_57Fq;3&$VCmCB@Co(kpx6X9`laM&oJ8hh?6z54sDOIc&
zL;WKe_tpGYgNELd?!uJD59}N(;)hDjP|#iXA0<Q<uJ)B5-xQXt-}KTQ1g(FmQVri9
zyC@!`d89{ccoV^{MU1f~f5QV$j&?h;S<KL7Sos;&NTuPgm=&Fp__(tZ(ZDW7d`4nD
zz5{8_o8hgB$TVFp`EoMfZu~9&+=1KQfOZpNGWfQJUAv+?xv4;03N2~E!c8ikY#FMy
z=AYn?`~pJ$^F(nH(}Lvlzd}0HQ?3u+`;bt#oN0ad&i{l7>TQ{Jd4qkZ1_qZqdlg@0
z?L1N7CYa5j*%=$vgwje-{ncZs8yMvZ4TNBM>@@4A<Z9S(3skYg97$ZoF%FJcu~4m~
z$Xm!$g&yI^s4a7Xy97`A)-M(2@=K&9=#w?58GUguqRsHOX4m@&c6{2;z|#Bl7*I|#
zjM3#i16Io1{J<wl_a@DP*n;$gocP?`3Hkh|PSA+W@gYS1D}6{&F_*ii;w&O>7lh(>
z+J(@Xk!k}*%<fd)J9qVk_=plqC5hK7ty9!+w+)Hn?kZ&XJ7yBG@G=D2gQ_sxU1yRz
z&4a>$sJ=T~&lUM)QU?{N+r+z6NfYdk5NUVl*1&+et7V!x^3lI)LogPbv)B~O-~$01
z^D+IBEzQQ!Y~a~nLCD2`;R}Fq*z-w6$kIXj^mb}r?7V?wfc_J}y`S-&P+pYhxx^iO
z7tvwtB?maf=_vpVKS1sxehJ@W;+ajviAj5)f9=l{*|iX>UL}cTMyBfOxn6e5b2j$J
z7L2flze>v=?}CBntI*77d!)97)^;i1{VIj{!ClbgGqRCO(O4*JlUtAXBUMhc2c@Q<
zc7oe2Iy|piaXBhQKLsfPltyrC0+%lt-;w4>kI0^)!5;yh${X6n&KR!Huf$XD<8@-w
zhTA>DaTPj>O?gK(*9XpC*y0=vYRzUetEWE5>%_Trgc`7?&JALKmOJ-M=R=dOS1)%7
zJ*&~52r7|MO_IWCNp(i1Y87r=OTuY$Ij$>7(r%@j%ikwe!^zULny#$6+fuVbWIJ@)
zm#d=OflisPO?N%*D_nZOz7RgDN0dnuL0zx+nei<QAvyR)-pVZ&x*`eJo{?$jVLBW*
z91)e>FPNT$U2RZj?}Z?X-V;RnqNwtkWDXSkrZ$~;u9iA^$8SuMB5bhCXeo!tD17kc
z*>r)}JL=616S{vEBkpApFr1d-r=n&g|A9|rSjH#O680+11<ciQ^`xBh6YqX`m;7VG
zhH#TBl^H%*D!{w}mFy;~)9X1f=xO-1hM&}WMl0`-vn#y8reevy>|CYchaos_T-f(y
zDV{4*u*)Ce<_ny&dHlD%kHyy<^5ElO$$L&kDKXocIzivDiZTQ#_L|!B`H)oY>GzGT
zis`s!_+odTQ+qtdJ`8%cfm?-l!~?*a^2kh$-*i@^9}-5byAQAA55?Zjw=buiR$!GH
z9w^VCP5e0Z0_J-z7MmZN(8k0(ZlPM`*Ed9dMCQf+YUq&qHQU8muZ{!<QsvCmP;T#z
z;1rUl?OVz<!wR(ag%d#->AvENLWvNvDX`9erX1SyacPE$u8KOL@f-9ERa=}628dV1
znP1_Or;NJeN=kZ_=EelSMyNR9x}px~;J_Ss6_gcDbV^(gj=#B~xcJ}lM925@1iD&$
z84o0_-10R^DHL5^_UuI2srP0~7hH4s$R??E-D5$$yGRdZ?|mwus@ciQ{3Zs4%9gs0
zHmNGvZftR+%a>WSEff5pb!ghJxYp{mW7FBZAZme1`ha?}Tx2ZL(vViwOu^ZqDp5T%
zt`sfwXdC1pblqumo;6Y;e~N%ggEjo*l=|0n<=4z>QebCBXh`d8zbY4LSp@hJp%H;Z
zu&BIUz2F};vFl2=eO4sIfnNt?|B$}QV4a{iO}D#-%G(WCghFM9H`zR!h6zl6FQ}b{
z<oLZQ(i8gH5Kt{bh}iqPt^F+`e}gL`-OQ@EuYZ^@&TZs=+-Bd~G=@0nuaqeUqmI~6
zlh0aSZ~BkHMhQ32QfS|BKTGxQJkIO;X_>5i$LZW(6YvL5jkU%yg!`@ti}S7m+<)0$
znW#gMr7xW#@Uy30n+WnXECgn`YA=D_JHWOZcsU085N|&TUu_Y$fcp!O^9ZW_JfLi+
ze6+-KP=EaQ5YxK<2DID@Rs!yv1KMM9t>S~q_hTpQJzU^APVjVCG9;vku9j4lK1fUr
zDJaS#&s(0TCm{UnUqK_cCN8*$+TK#QbJDf)+Sd>{a0$wAi==7Y3>s2AZSX35#<FS!
zn5n}vg|{sHl%OH>-i6>4le12x(k_#*6swH6KYr<?McqIBohA@G2^3`WE3h)`d(wZ;
zXv~0MTIKu;u9#6X_N3bQqo#%JBtia_xmmvgV7G~FTO>bl34s%adPMk=%BYF;@%<Eo
z{sL&{sP!Fv+KXL#PV0`+&fCf#OL+R5y=^6C9$w<HRove^a@lXhWb?s<=<Nks;4lkM
zMGc}zy7slpH2YKhPvDdlEN{IF=6NNhXa^iSHD^8l`LM%2Egh(+c4GPwD#blvf4&xT
zBpZAnb%N~|@sW_clY$o$l@a?oEhr4(Cq@*6l!l8Vzfb!ysOv(DK$hbJ_|6NP&X+8(
z!WU9`ByEUEV1|hbLiY##bLtgChTOLQLW5?r`F=1gi4s?#2}v1P)J?pXKCa1_AuqSP
zupu5JIV7Xu_@f$=ew?NANr-4<GQMeL0<}<%bzca4rT;X^)#$4yB9Ga}mx{uGMVRwY
zbLf!|oiu|^Pts&Y8=~lnZ>HyVFV`2NbRmq5DF#DF6Xj>)$Etq2JTn_Zno=pOKW`9z
z3KvqY;%J*DWRZ7hfsn;K$L@Q8jy|S$;1OKUfvWVoAN)v7VC24b4tF*OS)$eo`79n6
zJ<F3-`>+(EP@(9Gb6xZkQX30uxEI?70>?Cz8<Eq%#Zqpxim7#mQ{h=Jg10vRv_g}`
zt?sBM<z*BnB%zJ(11+k+`pgSjjm?}Vmrla-1p?_s^iQMG-&Y*G4;2c{G#U$bUZwD?
zQDUDACPusqL-n2pU1wwy&gn0hU`|)v-jAzL^#g&^WTY#ec##REb%9Hw3ttxqFm?AL
zp!uy{?`-0Ton(HWi@*Fpv5XE&8;dO>d4+psrr<V_C>Mt}?(q(~Jc@hgT8(MByL2vx
z?};rb(nIL?oTwHl`Q@8wy3`k5w1Y#YZIwM9kV2wRN7buQ{oBf(*TLPTI~q2Bkb_vS
zIzga@*xDFXSPp#KC%;<O|A|>Q;LH=ET{`otaTkqzb2?F?A*sWWS-JUKA)Wf#;HWOG
z8$K!9DQURyI;M#Mv3{ox33~T;9Pw9FrPf=`Jv4}%HKFvi2!H?9onLbGgK_%w&lj4l
zUrhwO5@->>Te&B>a=xS}8*h~`YC)yD35p~ry`~PcwSZcsgQ3*p;svOcni5%(U&d!e
zvggxqMK#-{DsR*l<+@`>us(*HI!iE75ecm}I@k`OzpHbAhnn10`Fp-+v!=uZ26LUe
zR}5x*S6X%kDqc=Qjo)2}$6M_AE{6pkgHk_wx&Y8d&h6&fXXWTg>EHr3Pk`IL9U$vU
z2I!F$WPASKD)K`3IK}Qq3xs@LZ43k5I-zRNZTArpdTW!dgbxs1(#=pfD;-fsnITU-
ziR*G}TAyHWT@tyZRxaoa9V!laPUl!}b`WM;1v{-##|3N5lIHn~22N=YkAta>&WsD9
z@_G4f{wdHPb!*Y!5Gk(ThUaa%ILcDy{@v^*!qPfA25oZZUg)6gvH0(_)_ofuCzA1+
z?1ZTve!3xIlH8ngP2kDm^54-ei0R`<7)A;47Fm-Kx9)Sh4N06#Db)tVPx42ft^=us
z2(TY<Q3xne2kCaK@nYP?kdSme*-QLYQb}yLrJf!dixDWx7D?V^-nU>#X9tc|+~?HI
zG_>KgXGf`b)9G-7+f8J1H7bTRg<?%nc#7|>i6&__q#gUt+Q)fKIaV@f9(5-U!3o%D
zZ!M^U8SDzZ#YIc;&XvCft3=mqu{FU9yQ>V)Nm3y35|P94xQgE~t_fi>{7&gViqMl*
z{-}!bs6Y`(C;yGv6kG;_+^c`!QGgJ(BnX*T<;o6SM#6XJ*5Pcc(+it)jW_Q@BoiEU
z7@<rNA-1_arRzDzbv-g=z8D@(46Xkr`S&uQ=XdemZZ#VDG7Y&%v5{a1E*Ad$-XWvL
zXr3wQ=jHhITHF3;5gy_>ITo?JOlgiT_PTlcex2}h81GdPEpElOmIOMH+<@x~!^E7l
zW+fpAUGqPFm-S>>QhBrFrvpOvffg;`ee+ELi350jbizCYc;5w=-Y)U4X#v8+^^j-K
z2dC56B>*b;0IWYgk1iliDhgrj*QYU)fYUnVS2~igVP9QOIEnOuOU|F3ln~dr3^SGg
z%+<RL+9ffzW1j7CW^l?lGz){28t$UmSM1SK^XCz5B5=4HLbxv`i5OK4O*IDMlLFq$
zzPoAXc)WT95}|Wb@}-{mw|H*PJ60F(gcQP_x5D@@!8)Hjk6K;9e-%7n^~p+(a&s^o
z!*JyLC1|$IKO4LJXO_(fi8qe%upU>%ylo<(Dn+gA#~ey?TF0xK6m+Tpa($ioaFuAI
z=I~E-;&pL=W|Z@#$!{4AN4*JMnA1{b1FYSl<{OWZmBsD>d_RfRJlg_mx?xB{d3!@D
z?1q`hu|?U~4~Utz!sTr$#~WiL@kJYP9~K|&p03<9oe0oF{D~G8_v;3;6ab~*WwNhq
zre;68q^gspHXLSDb;IQDUtEPdv+p1(%j;RnHqA5>uFH%yf=6A;XGjHGMYCvtM!cU_
zaVuTeW3z)e6XXfo1V6TG4TdWaq1g@?UedMZTXhJ?OG^d>O1euU(CdkmxKK&L%!axw
zB9SPA&l1CZcVul;R-Roap^}7~{L=TOyC!A|vsEjiw<-Jf72Le0VTv1Q0AAZ4igJ0}
z@aeD5tWP>>dRzp_(8{p0iQEQ*1@AM=EIr?1I}1QmWiZ|HshiYBIBQh{GnvawS`YLI
z8ZE!4uE^Ye-}#7ohju*u5c#z$Zvm7m38t>v8e;BTFL$AZNY?mk5n#{AwFLXJdL)Mx
zK09yP-dSRng_qfmMcMmptR3m_)&D##XhonkxfUt8Ua8~^N=o4ac6Saz;4d*KkwdPL
zb;SIQ@TlL$hK>0AWLIXgIUx)*W&{WszSRm%Svnn`M8P!)5^)JV@Qqq}tqUoYm2lVi
zGG%$j2<5)={XvQEWeSlmk+qp>*r&Ct-{<B2pkD92!)~8He#ndc-j3~WG24)4-@Uv2
zwRzTqKdw$9N@Igb=-+kc0n==3NxiL07Rxc}LNswa*^q)K4J16;dc$8H1tr&DiNAqb
zP}JWp<AtLYu85S=&N&l~SiMq?=l9MA+YEcNb`9qBQks<OEd(OQ{YfGh$bQ<7&=xCq
zyrE*<kLMX|COG)fd89#%At><@H-^%$EiCoLPAT)9_w-6eHw-5%3TyW~QNZ1RGZ;J%
zG(qDS`P2P<PwEn3q@Xfo1JU}^F`c=(mLpVWdXqXjj(maxb)K~-?FNI>9%JBh`YUTW
zvo__NBbg#t3<91bJ;&;4G*Sk1bdI|vk#S|FLYh<P#!B}W-8-l{pWn6<%`&?95)88Z
zdh-QfK-U~5B#A%E`w)f>0<az;$sf}zE#CjN^Jp1gHZq8$>YnZese}w{d~9^%ntz8I
zP)1lqvn6-Kr!gN{JBH)_%GqXWX}2IK<<BrKD!)>UXg3r_$o5z2<O;e4e=^LCQgzoK
z_OZI-G*VC+HJ)jc+scC46gSze@>@Ih2Bn0JaCVNIXoGL$Hr4#I-3BdgDe(IRKzZNX
zd?!@O1s)$ijTi=nADEC}pR42JAK=GLT%z#_(?S1oB$x}NXaZqx<{zZFpY$H85uj%l
z0IC77J3{ui8IV_vZ{nKmubxO5eSq=$6$h9EUN7Gef4(D1$5u3xo2%R+pB-5r4clMm
zTL$?4yTf5~q$2i!_w7Gw8C574Gm>O~HGYdF=VHR1v89;{h{kTsF-Hy|BfL^v#bTO4
z>~7g24o$f$4jMztx;zjl8F1U`rdiDB&MP^xFZC6&Rp@gYB+ghy5A-DAM)Xe)X(%C1
zU2th;X4JLY!Acz?ijH@a7*^Y?#`mn*jlb`^UzuI$5&7v+oXfiHCr!$;i6%2yyZTBG
zFJ3pF_=r^Ws(d#-utY3MH#I3+;0q2duEBlL?1J#3<nWy1A0A;jMs^VCn8t5{v_A}&
z*U)A;xPDiQMD}`rj}FZ!Q+=T^x#?w)7e_77uQx~PY~ABbXpR)O#1AT<gPYh9yWc)<
z_CTpS2err0gt;?42e)j;cynK0Y-V!lwe`Gpv;K<546r_ZJv@by?+`|h4uJp3GbwQ(
zp~!b(xnXEjO(Js21Z~4-(7H*h(GnLkAedkvjUGpRYOHAyW1-}MQ~TS~NkGwEL_(B+
z$3wo5X$MhKa^|y9dP8#YIjUnLUxIl$JM*~<V?7@EU7=QO<s0BNG6s$9m!)xGjKFi*
z!EuozY^$Z2)WUpgMtNr1kkez$fopH&_Pjb0;>Lv<cz8E+zPg##e`q;YD&84&pG)_W
z{^5BfjrLd?v>amPAA{I5n0c5)pD;sJ+m$qxCX_!kp0Wl&y!#C?>;Vw3AVqMNuXKr7
zx22suT2|`)Jd*`VKRC*qu0!e`rqBb1V**ox-sx11ZqL4#Ewb*1LlgLwl8i4Lwln%u
zbnOy^urqXFIDPy=trGc%h*{vpF5Ce#H-n;uj6%%fw?$N8{92$9bm!qWIp4x&cehB|
zU*DOX%D4L)D(~lnn_3a)?%eH9HdKq)R09yWMuq-;)n5}oV@mK?AtIHY`RCz}%s0RC
z-}%8DSvCY5#;nkN{hH&`zG-D<!kEXW%IYqA1FPp?vR+3{D;#J+I)~N9w)BwE7{P^p
z1S3%`!Xb8TMU>YkxLa1kgY1@DDdW+Je(X{~f(#mZaHG!arz(jT2`_c<W)G>*utuI1
z58;X%UbsRB)q~TdrwMb-Q`V(<Ol1xUn-M795~T7xd2!ue4+0H1-&Mz&dGZghGG>2C
zJn)a3D%6N>_pJ@Z;iz>*23So|F|w(zJEL1jjM4_a*vSfD-1DHkJ?P_icq1<cFE&xe
zD^IN#R_M1<HMkQaH7*XB<Wl;C<RnPeAD+zkvGKg}W|SVLAyG`XMkSBJ`Z@Xb?JE2#
z<YM6vC;35)^6qxfD#-^^`JC56{)EwtQf$~mer@zgY#xb?9PfC-2u2TfD*Y)m9tIJS
zpt*9>ZnTWDEjpYWubDc*@K_l~Uhx^;SLaf_$!IWd?XAKWc?+ma>Ct8UgrS^0vbyCx
zegc>ZAfMvj1iKZA+PadYB@(JqYxWUsqTo8>2c&tRe>#W0{+#4c;XPJk`MO?iq!cj@
zMH*&>I}tx<RRx9p7=Z!0GIRDDuJNVjKVvelnj|)TE2_|-ch(oWFkWzqJ9;mwRG`lN
z#``wIJx2o$P2jt(j>qRM7FLKR8Vb|ceZrs}|A*muwG~y)(cxeJmzAJE8-e3oNOnJA
zG2)Oly$gP~seD%TrXng|Gu9Q0?dRl<aNH^V+W^#OWIr756XQ0$p0$4Ig|C+uuYcny
zva8DEVsJ__cyOs|({L^vWjVerMIH3r!nEM1w*`0x3953F<F(1tMI%Ky-h*C^vj1Jg
zs01h)qfe~ZSfri@$w?ME$x3m2C1}WETlXMT&6SpXPe(Io!{r$rDWpDcHhua|#?`0l
z`bOth=S=ua|BOycTNCrhVv-}-Jg!VR2K)tN=rV@VIQ+L76W~!AIiILi_1=k)(?O37
zZUtg}A8#ef`{EMS6coJ_b>DlGNw^1LwPtlcr=@NDwMY|*S8m#KCO>DL8LlzHnI4ji
z9;RSI4#VDYv7Z_p>bJSEZNy9`i=ex%QSwn$UA~6ip4X&xKcjgIYU*fg)idi4xOEy6
z8`U&H#C*G0TUGZBDAu|9RTwyELiUGgd8edY@Neo&XXfjkNBZ+uLTIvoq-`-63}^et
zVqc#=Q(^950I27%2L|F6^r8RhD}a9n{dpn$cQp*)R%fxao=ASF{_+C=d+!-|QP_HX
zG(ejMdj4a+6MjJ)|8xw1?s|GRo?q1@z#X7;-9D#E>|Z{`;^a4>djl#^cdCP&LSqXo
zuGPiKN`@mE`&-p=DIr8%wj1y)tZ*|qU>i{9>+ngR>A5p$l)ieAvm}>1Ir!Jsd?@WW
zJJtxV`g$u4!QlgnF3{-r%y{W4GzTK@t%9<~@2nAftt38K_gv#i+{HDKQ)qppl%g!-
z3(eWxZ^;f{!@B)G+d{E1TyP1j?aP(5y~wl>DzxQIDV@UL=Ks<?PF*zNSY4^|74ExO
zb*{(QanmT0R!=WMRlK>D@2Tt65@e#GO%idLsj<%JG-bi)W;2NR4WaGZfwo8~Yfy)o
z#W%hq_<qx>E=(|1Uvy^NY^zs3Zp?np3)>S{9rM;<u*!3`CHXQSW0oD~_=j;tAeD-M
znpy}9r!<Vea(JcZb?srC6h+!fsiMa%1;(*)$f-1RLX5qlPt?pZ+(x#K3b$Im5aULR
z-<4>*2L2NxvcWr^fo+9gq4E(D{s(z!IkjwD%y2@0yJ@HoCe9_-2dxsuCO>$*(7&!J
z296yy8DJFUrQO}?6uQ)r0qJ1m@lTN%daBi=5+zKpbS)eW?e+nT4Ls*$JBq_rV&&Jw
zQ8ScQb4R^+x@jGY@_^PE=LNfKw8hiPvpE4&Vle2Ax6*T)Xo}tb$m@u#Hqf#ouV96}
z|J`iQnsZ+!#tWYxD`G;RvZ)49*_xE<`6w4LZ^Q9TVV-;nX!`+t=0udjN-#>uf6vnL
z+t7&jI)l-A5qlX;z3bTb<ZQGya8738{Mt~HkRlz6WO67%3~+2>>T1Zj?gEoud(iZK
zx48{sKZbE#zEJ48bX*bBo;m3jgp}g0akbyKKXJ+Wz1XSaO))*T@bnGud>6vRGJnR1
zXg1T2I)vsM$8@j;3*JWo<ivb)cajwN%@f(&{83=cC8}EK*Ryzg6Lo8taVU7ZFlq0g
zj(RaJYy{}r&{dVW=md}49F-uyI@81hBc<phho$C#GG9o!?(Q<~#iUu@(Nng{OTkt_
zV=`*kkJ;bulSss%CA9v&X8}diavTxgAL=bHU=nCvJZG?uaDX7X>QUP<9bDw)<P7~T
z<cV-!K_Z)@#=rM*wa7tCJn-y?8*zzFe)otUJVi#m`+u(z?k4IF`Da(<CRVi_j|RgY
zwq8h0_T&WuVW$LxWIdPV5DW1<lg{W@@Q1@IZR5A_cN6ph#no@!6_#1NP4=}k8P~1j
zk{hZ<rUU_b{DZt#*YcjUs@tlIU5$2#8BZhNep+^!bUU|Cm2SfrgMrmQq~9j{R%j^R
z{zdt!onCY$fL%@Mac?dzM7_ScB{J$+@8alW!k2cepicQtQdbg84{Q2J+LPg<<Az6#
zP7oya%@g`_HmC@Y9NtlIwh<5DKSsY7CI3}4%A2g(QVUsb{wgO+cPaA#FfaicNU1=8
z@LTEdM13H3Bw2+Kt@80z>!GL0athPeP;e?D#OD4CYgO&F`JBfkbc)gn#ao}_$-6U;
zhaJDLY8_Agy@PMZc{<wV-}?jg%MVD<<ka>&_tHl1g=pMgtyQgLJBjkY<*TUc?ojJg
ztU$?#Uq}{B>%yr-X7L^=Pa<MJk`Zc9>U<L*`3U)y8=Vsc;&)fFhVWPM!ZYu<9At3L
zK9s{`cD{T?)>%<O2NheEt9eOB7I{IPl(!XP;7Et?BI<8rVbtw%W6<`-UoN5(1)V#n
zgp_^1^`yVAEQ8I^F|~`qqe<%=R-x}oR#>xYUNXq|_beMWHbS$`n2u^>IDnz98B4LZ
zvKyVVy)@Z2X5RHZ;NGR$Za9DoBMjUO<cp8lFM0dMM6dp%gy6D!_nA2RaV<AG|470>
z0&1ALqB}QpK!ZWX^V71T3oi@*#(3_#_-&+rEQ6v)U`>0`NaP>iBm4HQY@e4QxrWWw
zU3ap9c?*>_1THmC-Dt)$(T(Inf~%e9;@sMp_;CE2uPfvn938LE;G1y=FNOQ{#Fw|e
zaz#Z)`7W0sp&((*x;?BKgXVZ^HGK~>Won#V#|`X^*uPm&ckLc;jB!SE+jLCGsecL>
zpUbk~=_yUe6bO5dt-bZg_m90|thY!Q4zF20l#@)hW}l1mxLdO$zwM4ymLT)G@hAKO
zpr1e~9v`=t?*>Fafz8eTn46FR1x1)?P~zwALz@QJxX;IZ(FOZ&J|pb)6JP?oW1@Zr
zG;01MKy`mXJOd=CL3e^zKa0-GKS^!i{|#ucybAVAfxdi3J{JGyX7#Dn$qyBLi4hcS
zasB`Pcb_wT`E0-QAE4W(%?Gm__<ajf>L+{$370}X0YHTA&D#`w4nPlC2}r<F^Y<%j
z9s8;1sXRq2$%7juWiMhPVi6mY!WtrRe(b$WQ|#h}*(KErGt)yC%G7mMYFzjwuqIZP
zAIwEd=*j=AV(VJAJwKl!BxS+|4ed|-tQ+S$W=Q1IkCXm`xJ4bVg)HT)HCs#8v?}A1
zY!**5C=g3ma|W;F+`E7uRYS_?`4RW1lNyV<9yM|>;l^#skJ-Y9KM-N8^Fm!Nh1ppt
z_OyDGZ>gcJW_b-5Uv}nffA4^*7K^~>dYpudsLdB;L>3Z-B^hOy@eb4HM9Hs4$rsZh
zCnnL<yW2n|Cy}m&QIDd!biJKi<8?m#xH{<mJH9?8c;#z0nSFWdIq5g$`KET_$3u?h
zt+_!hH_`JV=Ck5Jb-6TAO{0~t_|Ds({WegY_ft^BEW*?9$Cf4KKT3Bf<wYOFxx5Qa
zzdO=;Py0fr4dUW6Q90&vC#+4^%JQhetFX=ZMbYW>fFZNee~%f+l^*Y__hYHZ_PEq^
zlqw3XPeD=&++TL)>RZ|uYMN#oeyFp^KYBISFQ|Ou$>-Z=xx$96h|xGQdm3)38LfR+
zmgBS1#}wYC41$wY!NB}C3>#-rrcJ1nt+{@$s#s>=ux^ogwd_<wYR7sCV^$(BrH>)-
z?@sH_sw?6c-8a!e;gss6sC^18t!!mqN+)_DNEMb<&E1MfzDbW!V#FI2-GVdSTc@cB
za%TUbvGkzl@2f;-#LVY%IVTomCL2+sVzDuASKZ5M^3!5#&{DF!9j1fROrxG?r<nM8
zKK7_9Q!dknivi@i*i>XY`Kp^MPHL_bRZp3hz;nPeA<zjRegb)eYD;rxu5iW(C9Y`#
zicB9!H8A9V&Zzdb5@iT8<)R0*&ei83%9th@REL2QxCV%asG6QtuGD(!1-=>L7#yZp
z$jHVC>z^$OlNR$1?hwHY{*}SSBzJ6nn=f2T$ignM{mCUj?Cn#o)cYP>%HE5lzsxiJ
zif8J6g%Vve`K*>lu`l4ebAbuo?LTTI8uv8ugo?PvCsY*E{wsY(3+A5o=f;;+`T6;$
zOwC6l4BX|xU?0i_Im&VDX#T4%QDK^WCEr)PW)vEECWWf{9a0)_9~~ImyNEyX&f6Jz
z1WKI{P?h_x4@ekIRU?SD<ma$$QH6$tRT$>BHQFk#E;M}w&w={GZ4>B>*yVL<o0G%?
zB*49&SyeNkNisu7tVEE>*@Tg06pY7$4|9a#YWM{IG~qjv6(u1SEwn6Uj4JMW0}K(r
zDS6M7x)Ygd+v={ly$XWnNVColNuA<`sMuyAk1r>3cL%2r_0vO`=Xme;^nEa!@(8Tk
zCHk$9UUXBt6k;_2{>Q-;ODylV9WQwaqaGM+EC{0e<V1^-*ci{WNRD_!mw}n#Nsyfq
z5jske<Mr}vYJuIKCa@O4Nav^NI$A1upfSmbc&XZm;npk{R;_WBGjRoz6;5&^|HS)U
zG3YMS2(If0b0@qx`t8+D76GI9c78F1`!!mR_B*%J^5e`Q=<XT7>j4Bl^ZEIw0EiLu
zli6GbMC85$Mo+#UjH_jhU1v$TZIF}Pz~`#LJO?oS!*G%44EeFlTT41P+}9q0FaOxO
zWk-9~wA!KvVtQ>-=yF+s?F?W*s#9XBJ_J89_{fEx;!ljHA2YzPMbFq!O(6=WZ%l_I
zB9jfJHWBz%uo4JCMPg-HfWQg(t`g>1mibK1i<*<@yDl5-8whO137@^7U9#%r97tF=
z#s~v%);KpFS9(x4uL=~Xe0DA%&L^R7r3tG0yW#T$O=L0kGAvmW`&<R8U)~#WV@Y;<
zo1=PHzX}~m-|8a@mnb<vzaUSY8$QHmbq^`%jL4zT7D37s6Ei@KT<nIof88c-*5c$-
z&U!U9V3$QXBiMCg8;e3K<X^roC7M*E+J=Y>KQD?JaU@$78vfofV5Iq41p|?}(Bevq
zzn{~%H)?ZLZ1X5WtzQ36bCo*w2K&~}cR5F@muuD?%iRl;NAz;EU2glTzL%$bwxO*~
zEHRiunn{;`U|?--L$L9&*)<n5xsa~z+EVY#K)gqwDT3AC{qIAHV@90C=!I*ApdGwh
zSbjOqCY*g%gpI6ohRq$bR*n^)ra+^2k1p<Xi(a7y9KK{|Q^%+S6lrZ&_5DhrA(+=a
zKm^Vt0L_WwMpL1OH+ZqKn>0M;(SllOj$?u3<m=rQ`VXE;jxUsYED$VX2$#uynGQYW
zkV?x9@J&tP@ad`+Gb}BDi!%X>PaF1%N%#Y(5y&}wJ7fh!K>rzXAYTKh0H*jOp#RDF
z26?aPJk)FWAE0m@eh6+Yvrc~ikIHv`UfAJ>{(397e-{qu2ZYB7p+`37EkfnS9B{)9
z`OH73HHD(WnS(!4ehrR7vZkzQ6YG}XL<l0~CaZ@a`nU>B-}z}UogYJ7Dt#e32o00|
zqKf_1wg1^E>f7}0CHO4vcaUb)(aoH0669gwtJoZBXJf*NnqBkx6xYjwd@vZETFB;)
zokbff@KYbWAP5VEjb<J7g@NKp{>1YvGsIzN=EaMpDYQm!{1IuR!y`fcBWA(UjC|57
z@3=9`>s#ap<&N;w$3+{RfK<2zD(Qp;6Lxz^QPw%v(ZOo{LUx@I8#}?}iD@D4BaGcI
zZrgNQqQ`AJdJ}N=5jKMNa}M=X#U_cg@NEt<V<KLJsg%pH35Rpm0|avftOqArPSdff
z_Rz)!yeR$`LK)o6Y+u%Ghgf13y5*|2uY9f*{^f*W+mWTGk1P7%h7~Pi>vrY~u0jEI
z(D69p#MbKXzS8ZNeI$?QWhy*G<cw$65iz=?Hm}to8XC`xV9jj@y*yz89|{%6tuzi5
zgkO)y>7X)9jncSZYAjjlc3_!l)0u7(U2h$l4!=EE)kPyAkc3GKNj|i2(HJl4RPdEG
zT=yjPw7)0^2rxN1EW+l{-bsgCVfo>H8-Negm|5_#qun2u5}S3E(c?`DhiB)jFIa1(
zHO5CFjmOkOPTr>e6<N(F@+!CjOw9n3FFj&2@Bdq8Za{aB0A{~E&?6(i>9b5L<P4kH
z005rvguWj=NR{9)r_pxme5tW&O&mgvZj*6my{!8SPBG(3LWHGy=RNy}<j@op>prsd
zrY0}3hjIxQ_YV%$v~~3wWbm(k>+80ZH;s+SeBUb7I_<vTO}Waa%Vv>&DDqXRp%VS!
zRH7x}s0qx7np;9t@jP<VkzIjJVH$DfYLWLUZs86`zhN+(eCD^cKygMpMovCr>KYUl
zN52NcYhi)=`p=OWt}-0WH4kEAPQ_`~wL~m^@)O~&fU%nDnEY<CXXuuxOkv}WpcqFi
z@!b-aO*KvD&|d)p)$y~1i8nl<HWs#A7E!vlPQqHSKXo#M07>#{DG%>IQ=1Y%N}W-$
zc%>?vJlw&m>XOBo9e-^24d-?+=;Zv>On^2SQXLArAD&OzY?)NB#RijkOKvIw#H7d&
zt(sLMrzEpUMx7588Z*_+E-wkiYJFC3FNp_lSh{b3*fz}0iLMD7aCXaa(<%M^foX};
zVy1=w`>T+hUJf~l$r{hWfxIc1D;WOlLtsH;x`)c<!g?Iep^$I#nVWZP40qx>twlhB
z$I4dzosnlgCkx0h$2H~7LgPDL&9!{Q+b9cy3p(lc$C|G0z|0OKn2@LJw8e{Y(#7v8
z-wsq%9T^G~;cc@a*`gOA<XOUe=fobxy(IcePn5%mH+cb)jSyz`e-ShuFoiFp<cB&<
z%9WJeKmPBcIp~3yxdi}y29giZ7Lbo(0rX(`z4lO?=nsD;_b135Hg18*>`&%SOgC^U
zymUCH|8!DmW=mX8!*y%zhuV@3=;z^7y&?e{!w_nuC($v=#V>Dg60$Gd%i5B)deWI#
zX=NHZ6Cr_`q5FRrScB%+Z?}cDPSlviZ`2CjTK~aRp|lt(Lvx!mh^LBq<{SFYbH26>
zVj-o)fjk8rF&ijyB_GvU-yv-s_)=#<VQuEG7`=+qPvXe%T$aAUGP6dPQtNO|%XEfn
ze>N|#YR5>dc)AF$suX`4#^}Jt6dPZZr)~|Hv<gMW4ka2tBZ>nFsoCc7e`npnJp1+Q
z8_T}#d}CP$KVLQ&Oc(VXf_l1RC3kL>Jcl1(A{kQRf6Izk3ib-D{%I=|L>(+oN4gc;
zlDTnR`i@Z5`0=xpt5r=}A|jgrykqAewTn(G1T{F5X1ys?!1BlE=4VZXE3!zR%akj1
z)LgF|LgHDsSF*aJR&Rh83_{R$6WnjitjtH3)wImEN&A&DNGc=v8R%-G%!8>!<AyOh
zPo_7(RYIkNC+)xY9v`Kr{lVXvtheF>L2U8?%j@aX`s+E-YQ^(Pm6PvlNO{Wv1|Dqn
zwa6X{EKKW68onxgv!ib!X+ECAw@6!4=Nl*`l3<G<rgGFLPbcd>m?u;iW^A9@<2f4z
z(R{eGUsEmt7kLC61|49M^>%+0ZPu&gVj4@zhEC2bOs&?JaZzJN3&OVw#QwW#96!dQ
zSOJLqcc5mUWCxJA2i?63{-@S(K5%e!{`W{T{VM1M2o66pn!g*M9DRHeOd~>po@M~Z
z1|UQ~yGdAnm%z@(D?&;a3R}t_?kV7T3hiU@1a$OFhzToj!yaR17+3#Kwz;g-a%dF+
z;1|1*6ca;<Xw;y+)%n@kxx}91n&dL?H~FM>fbIQ_a288ope{vPXYE8CZM?|4tlH}E
zfgia7E$Y|C@*VrvjhBH@Q#C0AK4eMtHWyg89ERo(UiM+8EbQ~Yq#Tx7O|oBVIeyP{
zzhm$>?H)}wJj=^F5pSU05E)%BTz11dXIY=DAYK?-hPw=m;kf)1Yxg|nIIv0H>QcYK
z&zFDHC||p`vc+|$OjFUYA&mqoX9yC1zoQXjJZOs8XhmF5lSWk8ic&?d1WbO}?aj)4
zoK-bA(wjH&3hGTJ7;f0mNyMG+8a)q&Wj@|3p7Q*=RMg=lz}Xno81(KT25^;oqt8?D
zyhgUc7P3BkP?tW8*8dLrJ++uQ%5SC=<p|v+Nk;LlOyH%iu<*>{VQ8Mx@h34IwUPBs
z+3TE)pyPV>0c-2gStN~IMXh^M!gP=YOSD?D&MgNbr_FY=^o3#nVY6?2b!|lmn{4?<
zytagYTqPkDzj4VD?0bey(~ak?UDD5jB`vUxzT&_uyz>|TS1m^eJ4mS)ML)AHhi*q~
zim2ZCA&JDOU>=_E<L^a#jJT#dF~!S4%c?Du&wT15|MCNPXAAGwbmcr(V9)XJlQ2ZY
zTonbc*R#)8FKzoXcoN^4gW1W8pS5|mnv|t4T_AypXGR*IchJYsWW27h@Ed3o0B8X*
zGBUCcQeg0x`3IvPGVB$=_vw(h1dRYXZ@}{>@#PdxXcz#0dK?CNrU3AFApp_qV^a)8
zec1#uwzUfSc(;*S^>y@ai_MEza4YQhNdXt$-ztg=uD~j9^V#Z<Yagjr3&ZP=Pv=Jk
z_olf5mUTThc5dOq-b=cGZD!QU6{g^m6&Tofh)gh|bGZj@P(2I*I(87h+xzSi;4v0+
zyZ@^ujs@JB8fhMYzv#<$OrlyFD^<sWWtSOsE{@!dHEUj0+9KxNFMM%AD}UthE!0+)
zKbd>jVHiqp>6P(#jC3ZNBAN0vX65vIV79K%&vzOGbJQ+nAEC1YcK`55$kT_Pr#7AC
z&yUzSY(&bOuPsfd1pMyZ9k+l@wL%Mkf=<ip3X@fMOjkv;juO73|2k|8|AzCJz*BG8
zW$5K^)pvmtg2b+ZnM2qpB+?aBlE2AYr{2)?MTg_hAxR_k;8ap~^!n1oud;73*J^!&
zuH9d>Z={XZw?4iip;u8&e|XIPaF@>P*Lw^HvtF>p>WHy;e=TUEljKSCL1!(NL_DI&
z{L=??d-SVbjg23gvOJ`uMj$+O{VmP*Yfnu;+zPY%{Rt=C=h!E6#W&hC?2hJU3vE2w
zQMlPm7jgC)HNRH95=UMxdVk-Ktn-M<uzxVj%5-Fi)1sJ6eKk6<r#s=ro^WdHANo$X
z@APTZut89)8;Bw^gI5fpWPqQkmg)3vFs?T@YNsmvY#(`>?;zZ-emLr+R%&&NE=Z1Y
z1T!0B#+zU#tZU+!(4T5HFdDqdOFzWwk$IC4Q^+(^S&t;^2|w|_zkyA0PcrXj9^Sq{
z3oLRkwp~8HI_oX^Zl**ijh!YEmY_BHrY|#Qp1g#FX8!!ZyaHPH=7sc|`gaKu@oUZ(
z-hWL`rOF4!7xR;pp3P%Xi}eYLKvBDc?nlMsV%(abNG3*4k>PS-6-(~z2?vd8Bm({X
z>%BU^cCE9-&qqo$z*TK7J>a!T7IZQ=lh#4gKjOHxRx-~k*-w%qCth!SAK5N9i4e06
zmZCB94nbKJUZz7W$s@cNMY~%A;jfm}tlm|E(@?y8`B0y}Kb}Bwt@@ko1GQ3RF_W)W
z3^Ds~C{={4`u;jwDS@UGH6DyuB!aDzOp4|`d@f14RO*ka2RE%f-}7U3YLCXBa+WiZ
zDx5TmY(PV5opat9Ufnnq+d0P*&#W1vQtTHD<Dl<~cScrfqfjQEf)oR?fsg8_-S5fL
z308t_i;z$rM;los<24h4XA5+c@pZ&R-ao0lqdbF0`Y(^CmFV*b+R%3oabr)lG$NWp
zImq==_xV3pv@-}BB<n5P`O~0l5Zq&VZX0q&k;-e*?Pi}9&HiGlB;3o=3SNY#Ts|MP
z=NW`d)FAL$vGcbQYU(Z8e;n$z^w<7u%2IHP6K>I2^@-pZ3=~ee+P;@xbqp?W?|$r&
z{ShZ9i*uyd^obV9;W$549a}dF_P{`KVeIv^YC6e@q4#<Lh^f2Hb|E25wfN*cXDMrR
zVn%T$QFfeD@$l)C8;>|Xv1Z~&{7<NOTM^jD9#<pM?!rZEIHdr@J)m+2A}RjKOvMCv
zyY-5FC@2Ha5bvNh2VH=XWmtQg7v&4zf72i(&%k5OJ0S)55s(H&`79Xr@!!uXfyD;;
z*r#a7FNm4-fZ+41;Gbtu=AZaKAn0ymjV4y;1!b2BjhP;k(O0!i|HLQml$S_Zc2XN+
zn2Bprv($x7BG;RcxS_%VV*0{qZ-sUOR6Q;SUMwegM^B|6Rp*^-2W{iq5gyZEoAHJ2
zIVqb96E^MVrDi3yYC}w;!>1gi>AY}=OP%3(n3)y=BSigVZkb8db5n-4C8kv=XqcSu
zT?;2=!n}3@KR0)y&Cm@uv&fGQdLG%sjt+m?`U~pqWhlw0s)4qZ{qE7n;_4@+$iU22
z49bV}h03gYhr)SxdlGx&V&I?VvhUEyx}^4#X<WyU3CgWRF`Qwv7wHR<p`4YY{Vc^C
zAnlVex-=278t8%0C@CaDFXr+u8pNto*3OE;s<RfdE$QUZP@#75EYIpNueEch)AScU
z6&3G}%PO-{)$81SwQI7jqIdi2eQ)(}J(T2?A<~!}P|p>Qab*Nv;10GnqO;wi+ZYiu
z1&wfV$JG=~BrJ#a^(~T~#!=HgD?8A~m|VQ-EwG<z6R8&iWVDN8W+8PR8A|Jz$)>sJ
zyvo?bMwjNEujD$~*a4RY1|Zdmzc(`n_*7L)-;cK^OeNILNY@hih6Gd{cKcS?`l|QJ
zd+#mrrR_G!jA)I__kHImSkW1!xq?yjEwo7@(R9Bd`ajO<{5~Fo*Pm3q2dNs9;2>u(
zOt>_W{L{uAuxefFav6OA?K~51eGsnwNx(WYthx<KcyN2Pkv01(vD?9nlE@tN9zX|K
zOVzE>cR>@YTG+7o=&JU_7EFw5BcR5zv7iK|(Sg;%`ftx}I=k3%@q;N4web?4!P@Y4
zJoM_&x<AmcqQqL~$Z_{^kq#&v_zu_Vcmt57V$ig-#pPBbDtXmmA>z)?kzcRY;Nm_o
z_#TbUOY$3%F^KxSkHT398)T5zhG%B&y@v+v+d?#(Jt8<@p4<NujFEg8kU7CHz^r#_
zZh3)6sAi1rK#=iekatFVp~r&6p*CbCHa_vCLgF2(PHfix_ZvecQWHOj?`5zw^(^&R
zI{rgJrk6YZcYfz1pU|kdIxPB>UY|L|?*3xJp^w;3G4zpXX82C%a1Ffz%Wr)))6QMV
z<`deO6F>2$z6P7TdxwKZ_d(Kp+x88aK!k|oVp9Q9r%W)XykN8Z%hNJ`jOMzL2dr@n
zHLv7`ERg<ykek`^Qj-q#x-6?}_XD(=!nEjJnKu9VZnYxwyWmNO3kj+(LA!We-PA>@
zNrv9XPqV)zCBns|{ELsOKzmE3SB(nzl$DRj@31ecL2{<71R!qp0J<>~>RE>&w|Wg?
z$W2v0%3r$5-phHyeAkZJ_0T`rw1PvYgf#l6=ck4?SsH86*3@F%4PEyvkY`5QqFr%<
ze|{Gb$tun~8fz9zXCd*gL+$jcCoAdvP^kPg*9f)}SFx98s7>A)(m&VmrX@|Z>G_4n
zgj}Rm<jVv_F{03on+)`@r;oK%>B-_JY5NWoW#Yx_BDmLHtGs@9E_I*&hnZ!#$}s*3
z_0O6ryS$NN|G04qSTvoU9;VjoiJw;Ywc@^%pC4pGeqh>R>bmR^YkD|yb;Et2!aOb*
zCo8DB@OyEP$;n+T)x6KxJj)AZOB*Q&8+f}D6><g5d$a0$>D8IynVQIp=zaB^(o80$
zuZ(Nc0k5(9jmhBdkpUEx$?WAwYu6CZO$J0Zx6M1rH~nGHe(Fdl;x`W6yU+9sV+jQx
ziU1!2^LFlityj&Xd|hJb7*&7Vy}H8PUy8OV<5%2)cPvys-Vy1q%GQH2Vvg^oB8lO{
zh~Lsv`wDR3`&R1?*j7$Wm`#G}64w>>GqDO~P8DZmR+xCYVOKnVD+r#pvsAZm%Oi!I
zKjO?yW!CtX6+h629+iuFo}tSP>-Ip&c}J#`L6OOBD>~&Jc&^%6CL|bth_;S0fxKm?
z?K81Tw4*$yKAzW8wzm``UgdC#XL{MkYh3<~Fm-1sD;KiLduQLAVtP+eSFn~<cb|9n
z=4LkG7udRO`}|QfsKS!bknBd?L>*$I6h#SwNqx%7)G;})PLER6YmPAR;$m;364Bf;
zSG-wFzbTa1Sqn{n_UxYZXhd@_x7Xvbg-e`DLoWqBJrQ%OKriT3kSP~%|KH8$(*Y38
zRSlRv5Y=q`zr9BTNc#0*4q$$YMz}h*NC3(c;4`v_8+~u!PP75L8TV!D_uM^@PniQi
zpMbaw12aSI<i<<d#^@as`_daQaPfX|V84F8$uG()y2EADo>!~Xdev;3_PA7c{*Js0
ztzLdHo&Fj-(v*2U>?$%<k1iE7)<>g#JH%a^jlQFpIERBkHThewv?z~)ZS}CY2_dYE
z4@Jtk)Y{~9l3R#LdqS<BEwvzPi|OmcS4XVe=}kfV(@LA~d#x*xnhvZI?$$oniC$8F
za<l?w{IY+asfN4U@@+1Zq&&~E;*Qh9SGoN}#;+_+lg&=U<rpb>q|hAQP3tDBWowl5
zHW2Gi6ZUv^stdbe*VZIa*!^Vzru1@ELh?eVM(d_&clNx-=fn_HR)2!H+sO7opEQFV
z%PfNq$0ZS?=&tM>VEQpHtZD*yqmS8r9Gr9h3l@5mro^;6Okh-=LV8%Kh-Ir$^oj9;
zuD8#1s$LT@ou$--z8!RHGN>9HlIE5sz{C1Rl6hJR!{Jvm9q;G#=X=KF@XL(MLQ$~>
z;>&gWAg=G43SL63r>dyM3jzBIbt0HTN(FH-no~EF{@rc1>qwG?8broLyz-`casJ$e
zU~ILI7+v<ZkJw)ePu6<ZD9)PhDuctW+G<XkU@pJCbJiFhyB1D<6S9JuDgFu79;CFb
zn%$Qnz<l7N_T$juaZ%s7tD)&88%3ayMM;CRI?J5(TS<eR!rv~pn2$A_@TKk<_evBU
zxF^sbAZO<d`swnm1#%0RqHF#8nP&Y=wYF|A0XhKK%+CK?U77&$EAWDt3z%bM?h#G{
z4P$j585<tMA(xV0uKpZXgRssnIpviBRCMSCK?WuzyL_W^zaM)i@TXGr1l^i%L1F<%
zR$Uu(;}{}09QLub%0iZ6el3UPeQ1r#ixP~gE1Q9u;*VhFoH)%%MB*PFBuftRL=&|t
zWirh70m}&41>r9flyU{IMhU^u->gil7l!7(C$4&ad+9n3q&i6hkxer?337-P?;{gf
z#>sPYa*bF1_Uphx6rK2UOr`7xDSP*33{I^l8;{t7xi^UPMP_=(K!(!pYSl}{OBDm;
z*ueP^USIU{g{walq*8<QR8*b3AMvYyN<-N!C*O+gvQ%tH7MiVo*+HoK*F9!bD-&v%
zYkJ;m1)Ue>{v3_@jx9JE56`}&ral|~zoIeP>zcA=?T(OesJ+G%{Mz|ye~3AgAHDec
zbXQ*$cq@nkg}wvf%@b_Sr4(Mz`SA0@P{q(T^xGnM-NfA{uwW80FyXmvnPB;J;1`tQ
z`ElwXlsA{t-Bi-&$+{{8;gVp4oI?iV@(^LAm(YjPFeFR*G)hS=g6S`eYJa4w_-|&7
z9Q1B`LMuNO4DnMuQ8v1#3U)Lo^!AiO<PgGAiA-ZG`u1z2sAm`Iq$#o`{tr|C7~N<0
zy#K?E&Bkcb*tV_4Z0t048r!yQ+fI|lY;4<h-seBp=l5OfzMr1!T>H_i*?VS=c^!vX
z^b57o$xBtZwLauMhp%(Y=5DNk?Ul!uso8f4m!9zz5WV+U?BgayR!*J`b5f7*;5{@O
zxDP(9?%L$IbWMd=$I_=hp66LN(;$$dM!Ob~eDZXL+NXfv9iV;{T-FCDp`QU(1cqB*
zbO2=?2qlgA5G07U?{g*l;<lZ1<g4HVg1H8`gd<3<j8L?}nlb2LDv1kq;1*w>_M~Lg
zzdoh@xem!=@_th7)cmO)Ts1cMW}*B?SDK0luC9Da;<7`*q}O38XX8t1I7|UJYl2~R
z|M?l5%-YD<KvyCiTN&=f58G%A9}ky5-m24L)+T{bUd4=Ltx~Bbl?4#(z<7j6=JCy~
z+tZgHJt`4&Cn-I*72VU{58u7eC!6sS^(1fF9xv#Jcid6jPF)v=l<}ED?ceB6L$@9{
zA=eHezR_^{cw&#Nh<v4Dcx3M&hli&*f^?tsgc*x%CiWEye9}m-@sgYfmh|?-l_P0r
zvp3ZT4f{pl!vOQSF3;<m1<;=8MOF21wwOz(>GPZ>Z_+LxNyttpYVB2?ZnHfUVeBP8
z@xSyW7)v9u7I=fDQ7FPyGXV>K@EUlgi{c{)HTPN`%M_q(GR}^pAVXVetSW>h8$*67
zN!NdS&eiBjU=A!!tVQj8WH|8Yx+0!YpQsZXTBVdwQ&BYqC5oc{hWLgav|1zF<IduT
zdSI6rv1lHw4CftJY}*x0@X$5COs#ja;G25jFsl1>Om;^NZC>Fltq^EWGvpLu7~VtT
zG1$}xBhg~@bZmfdPmfWpo0*c>k;D=rY>?O!#q!e0iW~MAIH~2k$&^L{bdcE$Hv3T^
zVKlp(g#<^tSc%}6i!IoI|Jb}F-m)|Y{|{SK`k88gH2?|%1WW`(zUP*KP`ZFf{Fo2G
zlY|q(OA_1<=6^zxdk{cuRAS)3Gy@2BZj%9&GrrsJj4@n`z}@>K`2VV{|FJ$SHi7#m
z5X|=b)e02$i{L-t(`r!A_VYJqQDyc2-*Fgky#>BczBvD7IGue!>_7SBc8Kvuu0+Ep
zQ{<fy{6D#WX&WF4x&-Wn{x4bH6S)B}oCIe;4yG`14=Gq5L}@n&@Y(CF^4<Qh`?Sdw
zv9OkI*AA*~bK*{*HUi%`ihI3&g_<!`N^$1hOAv+=Onp@uwc(Ve953H83h=h$;XU2O
z<j7y^=^DIi{)Cgo^VMH@quUsQq^;q@7Tx4-mmIX?e?&n~?c6lj8n<BBd+%sBT%Co|
zXC=?f=gr7?iVtHEc_IRLCN@2Y+S;?3^Hn9$-`2dwoo3h;%*T<IVUT4fx(~DCpHcY*
z2a=V(dmtY1EtGQU2gesD&`bn-+Gg?`ctMJ6q}v4w$RevJ7!*VDu|*N|_{*(I?y2c3
z3sXFJ8X13rXIXtiPkn(l??^gUldV+LAr52CczTo3j5sP!6Ka#_I1FXC;i3_&1b$=u
zwdLVu(eFvs;q`VmFOL_3_PP>+S;JRHJWnngM_EVSdQTr7J%}mz$H500yW0im4(>Fy
zZk%qRrnJ}#zu+&!1!D2a-DrlqRbVsYpEVQ72j*sJPqcSq8^ufHa$LWX1*sgXqM%$N
zikAIs`lGJ0{;ynmknAd>D7`uEna3uTTeh)ijF@lVM+SM%Qxd8-5NWUJ;K%v{oi-T}
zsW6-5**5HD@Sm>vA^cB2K4Mi117&TB4c2c{Im*3bA7XQpV;51K4{x!_xQD|hN*5tE
z*nbVGkky-w+524rbF-(-p0RvP(}{C;Q)r;q?l)+{VN&T|Y%`~ryQUM;SXF<(VS4c}
zW|=nqP5-(lVFKjAP+I$*95k1k^7clYavfckxjelseYNzFu2n?tDz_D{8rqe-`F%+>
z0?Sx$@sN6>6{R3)yQWF<n(e;Z**j*Nef>hzF#H5S90G9txHEpQa`E~0Y$LR#R~>|Z
zi>e{ow`Vg#c&v^mlXx0kIp<hD%8NV4ZAM#SC^>S+_Cq;`o8S{B6P`@@1j3mpLrX(7
zpGjxNpLt0F0*`I|zhV6#y=&b1VG%)xdoNKXp>fJ4s2SqH0?AJ}e}B_@P-+})eZAa(
z<`U(5-kSEX74d=zh2LU&a>oWHhMK=?IMFtx2)lNvtOoNWRReP3tk>_T3dpe>vU7ep
zKF@lE>gcP%(k-vB%PJ+$Nm~j2!@iFj;H%%os^_rzZ&XeJk0&*zWm+@bKq8)*ZhM-m
zd+R5IHDN=I2CkZr$aFC@lud~OxkY>r$lrIArii&O1BZuBJ+_z0=Mm1Woz<%do8ygD
zZO%`A%0^a5xMW#W%z2?pMY3+K;=1?<^=?nk7en*5b}I_Jj>)3JRO#TkKC0So-i4IL
zd0S}qf#b1ZmbQ>6b0orh)j<>W7i{!(&0~!b*c(!^Sv*e&(V@0OaDDZe2HvJm=uxoI
z2|2Vu`(BjriM33kMQXzgs=b%E;DUK_*dM7#XL2Z*;mq~#v^J{)mq(GSRKD4Dlm99U
zzuzuvg|>WI9U<uMx%Dz$Lv<9@u`+Shya@1^49R4ojI_AL_rQK}ESbFfr}Aww;}`AY
z>;sl-`&LjU0mBB2U7LU4306p&_}_`7M2bL1eJM}(tZR_qa_+BluB%?e8Gsa4>Rb0C
zPg1bYY6a(EKLkl4FOAZ}bv9OhW`?KU%)`UlDFsA`@(`iT+K!-rP68*+TFF>)Zf+ei
zl_QPn545?OG`%d=e>S?}h?heWQkUxlm8w}hM?#Y+KYbQ`yr_0Oyp!WLV9DQUQ7n&=
zBgKfEu7CKC)u-zvM@~f$>_+5$hZF3G^DNiJ$?s#-O4L><bSx6}w$h~0X2J6qYn5);
zah5dyZhT<3N;SmT^zz;3cx^BMsSW3<%FWz##Ct7l-$)Zt0#VY4duIU5_oJ_Mt+ykQ
z9oplUBP4%kK_IEN$%t3cXR=Q$?%`j#+cvD$OQlh=vhtxVrygS2{_d_=pR;Lesq4TO
z6sBydUZusA_o#Sn#gxmT)XNAs12wO;M>L1ye-L|CJ`HWH2q1i;lK?-;%1i2wg}UIa
z)SLHqI3=#r2GFzILq_=Ji_2m8w<hVdeK3Uslln!ztoMh`RW<M5m;xxmq)!nr;LJP;
zWtWT$kNbMNP$e7=s>J09Bv1mZu;HUNq>G2A643S1NCkdyyaI!Sf`vvy;U9+8fAILK
zQ$#j)vv(l{9k7tuyE>i;2NP^l5VcmS8u;SU56)z7GNN-MK|EkZiRA$;zlQ|m&*bIo
z_4Uarb1L~7=jwXqGa78A=hv}&7d>SfWO$L9Uva|-(7&zesr>f07=Hfx2=Mj*Fie0X
zYE8*#$I2?lM+nzq*CpvrHOD*F-~d|Ya(dkF`SLLyiPy7J@JFURmtXtGD_?35?#7MT
zeOgExX7QlM`M}>?AADlEL(??yN_lqW@dw_5)SR5X*b{-BccWoFR9`{&A-JMfE?g7l
zwK3BlC1E3QGsl&YEH;JQS@RaLd(-bh2+}X<^I)O^7_3LeIhPjgef2g?60Ea<3}5B8
zw%)VZ1WUOjf_;8yV`4>LyD#rxcfLB(@e+yI&@djkNq#$(+_5SZm#{7sH}UwMp<Cm{
zz8a%79UmaYUYvBv=K^a+(k8$Xr{i7_<o~QazVSA%j+IMgTlEKR1|OGmMIgT7VfFgV
zrlv*?57%H3QQYdcBp*lHDt0mx4*uOuP?-Fz&?P6&CWcJ(S*GKQlC#>fwtF~ZGWaA;
zy)n-za;C@uZ-x6Bc$3Md?DaSrN!H<7R1;Rrp9^w+k8=r5;~c87>fgi(4*cufCtgmR
zQ#Wl&Be>@*<iQoxcp;M%)dBq})UjpAvk{S8*eVF%7B~bq#m?FZo7i$>xaNCL-9JLu
zuUS;+RefThL%zN=YP|Jq2SeaV4hQGz-$B*ZThS(Ia#zrw0zN%ACj>2hyESyj>3%^9
zrivZ8W-aEsLAbNm7N_^d@PCa_r>06$RhWY$wAw4v%Kjw&%&)#AT;K^#`L5}(1~&~z
z0q#RFcOX%}4?#$<BiHu3Zxw;QELQH$_$1aVO813+B%x4Wdkr5Dlr2;!o5it~_Ua?6
z^l{n|4+MM>Dr0fv>|@#lT<UdG`FN~B9sTnNyYXeXNiMEVyD+y;R=c6|P06^Oo}By(
z<Z^|B8{?@dIFPxjaG#2RaJOu|@@C1$QN>@JdG!dN%=<;CDT?!>{it=K^OTk`1cYlS
zT^Xn++b+Kl4pYm~=EvQvtXjeDe*|Az^z*u)GFWNZlf9p~OO8zU=aPS!=nLS~=x+`$
z6$^l;w=+m>n3#%<S#&HR=t}m|z9{S)%=wAvt_zM*f@Rlj7QV9{t9e|fom!^8a!6L*
z8@d>uIp3sI)M9um@5zQzuq!mXu&57YX+{!)0!-&u`DAc)%DD(?GxZrc1WqsSUv$%E
z53h#Lx_`LWSN^1cXX5B!^<7ZY@{g3drxD;X^Pf<;X$;#RwBVR_LRSBgHk5=^H7glv
zm%bmz$75ol4qUQIyJ`J#QMwkD$KZCS@ChoyYku`3Ny4rE!ooMKUOriE>-GFrIo5b(
zm$xw5@u*>t@3Oa$SQ0+e^X{@@QRi^d0{j$)4o1n#eKVn)*1ECMD(p?2z|iL{sIFR=
zjDE5=kEe>=x1iu$>8MH)r_dC(6GQiQr~i7UT<E*swsnDBCOU8^n2g|XC^=In75*y5
zrl~&D){q4L@%fN-4LB2Id7K4Y;bwrhU*E+*v2#G+=VnmQjvb&tAByO*8vi8=oYEV#
zl<WEVy!~8ALkrrV+wnq1{ztKx8PU{Lh8^)E7VvC*wK5_pAc+-7h+Qe>1aEP2*Ll?o
zSCobLu<Mj$vDOukMVa%}HD3DZ(?iegSd_RH*hA2%4F%yaZBZo7Q>RM?{0`JVxYV}3
zYdoftXD$eG+C0+M7C2?q&*YhVHm;K^Ft6BOjZ?*A+2oow*7WvGYQ06v=Bw_kby>b<
zKbDHrPj0f%F&lsTsKm3Co8NlZ&_Q0e{fAxZt9-lj(UV5ib{rC!K_sKOlRX85cc?^Y
zZ){T`iq=>?P?GoY|01Sw_a=7o`UA#0yH#$jKtdW>$cLKgSpuFexNL=u`?J1gMuPT2
z)NCtB(JGMGLFbL7>o}2CGKWKuqi)Ac;~J`Pjy}50EqT>(NSU$9aIz7L$V->HoHxWA
ze&F?Y#;eghon3wsQpfqE<#zjp{LF<&XU>;s@Sk4BQ>rUSFvFIzQ&r|>ceGQfIhcyc
zv}>}mH>SK`@r)iZ0-XX4`5koFg~4LqqV|6aCPX-28zI&{RU@n-YgX6#$xthji5^P3
zB{I7G$rT;#U-%tipJ4(QHmy_GDwPec&#d;9-BrAC=8}1!J*WPBz}bSGAO$jW(z#@I
z>(HuPEV{jlxsv|n<f$j7VeGd}cslVW8B)8xAI~ics#z~2eb@^PgOOX#R&tx(+(hW*
z!|G8zd8-J4;(y~X=^9}5$M~Nwz_c&6$UeaJ(2KbJNlpYU0zCu+@1>v1(bWGNhf%tL
zXz!<AQR+V3zk*R;1Q%aF8%LCgz7M^iv+dTo7|3mmFZZ9HzMca@ATJ>QQ|sS|N&*be
z`WgU4hM&yFG{c7F|G(eXftO)G7wsAVT>p#MLZI)Z7jm~2B&lADoco*XOX>eS<8!y)
zQ+IRkhz`I$fd55yA;8iH2>y4T@=VO@|IXvudC4_?^Zjzy8w6&weonCR=POYgS_M76
ztZ#S(!NTgdOyA<JV}v)vGu$yXil^HwWkw~Ky(bjUUA<HM>Y6U(nauuMT$?Z*9Cs5v
zVtv!fl_D=ja4`#<sz0;ih?XLm8j<b>+J8MS9P2#SV^8}jIUdUld8^&Ct?gO=`uX}S
zh*A8KXhMeay`bpn%rM!VqnOC&YP<{#rUpc}A_{u=K=Qw8o(^C8Q-W*i(j^YroE%cP
z;Br>1bMn{M|0?~cfZZZi3__6+GXK6MfXU~L&#|xTa1A?ku+P|WIAao(qBY`}`ZB5#
z<8}F!SrR|>x5E&`8+qBeO4U~*5B>leM+FHZN}OLp&f1LE{PT>fU<F?V-W0p)wwCeP
z{%W@zaA$DB{#ouHqQ+23obOR?N$o(GY_31Uoc)GAO5gmO)GDN_E1=Ey3R?_C)}72R
zf#894UW~);`TplJFDNeSZZhDt(d~}Fz-bd;`$#EZaa!Ubq&e}S8g{do3y3EC-d?~$
zn_x&D0q>gMbfvJzh;ibS*J~;{wkb{@dG<}=v5CUA4B>i#%(Qd(XmZibukjD|^#v4s
zsU)J6@;tmhCUwT0giBBFk3MWnH9`}};Dhz<62h^FZxUWcau$4JL{o^VHbHTQyEt`O
z@7M==8yU1qdfll*O7Ug+3Lb%cLS|p_?qI(u6`*ZxeHt_fefS345jg@|0N5$uixu!0
z(jS5bAF)jD)xcb0ww63Ex}VB+(1&2m1pxI7pnc*Eg+5%_r~}XS+Cx&$Tuw)sNYffh
z3aLpxU$b0K$~e;$8xxMpY|L!|RFY5a<(GzDP18u$twQv8T8)BDg5Mh6L2Axuztz``
zcLEjD2SsI+(8S-g);MXYpSi)fw=NBQagai1C)UO~9!d{b1w~c<Htb-@N=FSU@#WR<
z>Ty{wno(GY_X^ym=!G95)ABy4HB=&&d9y2G&e=(p-5N-%8q=N%?_e@ieaF_z9<}ne
zvI&(-{8y`Uq!R#L-ddUZ>bkZWOZ|Nlq<GqdCwUnZ*QOmAeV{3V-as`H$>$PJVS*0<
zbGWx!<mmDAXe!g5pvxFT!d!O+Q3_86Grqibs0HdyaL}>QHizFmF4urA4@vFZ6a8n<
z%qqtYKSk8>?GrMLDI}xBQ9f~JuR=uD-s0?l%9VpFk42Y+MeS++wPMz^&tZ9)v!9rT
z@JCn8Dz@eIY%tbPaM0%V_K*2uOV>;nNR(G?H2sQF6S<hw3PzY|EqmN>9L4oat)_~P
z(Y`_L?gZ|fmRt@^5Lrz<P}46o>|bwqF65IBn_gjKbRl=aLzr-urZmm6@Jdl${}<cn
zZqso^7sU(XYHcj7OWg8pjA51T6c2=*SUp6bwkix%G~8{>Q99fmu8-%4tqm~1vXeJ$
znuE!kecm}-=%I)AwDFA%xCf!_Vn)Y)uS8{l!Yptz{aQ<>2>idaRSpz`0gV0Etspy>
zHPVqKtZkybqEETg`rglnPpGXZ>Tz5s{k9(I#PzJu!2aqGu*`c_OEo|qg8=&@byiA>
zikRVtjH{HZbgLAcl=KojofIh&IJ^|~Z1yZU;cmig9W61jeeKd4wmtGT%GD8(+ff$x
zH1Afrdk*eDQGZ=%$y-_SH=2gPAexB|Bbq1JOoN9jcgQ@{mz%-}r<{eT1+?E3qJ@J*
z^_t9<No9~u1{-a<pnW_O?jhl|>`=Z<S1ykBvy9x14pRrwUH9a%xwr(gy>GU+P%?8O
z<F$+ASX2q67(M-1KQUU72Orw?SJU@okrxwWNVAf&!uBQ|b>$Q>VE(d9?I*GG)lp;h
z)V6;t!Q(&aq6{<7OtB#7^&b4fL^vM|)9b)u#BD<We=%_VOO?mgOush!@BPkw@cUAT
zq1j<8`A8mB@^JWT=plCHuStC=mP3b|<@sY-nCCc=1@zx)^fx;x0{WINi1mZSjuz6(
zVsq{@W(x;Hia&~VCx4=WF<P_Tlg9p=e%%Mp(;_Rnk&dhQCED<J;Pw0=<mEmS9WiUU
zw%@ucTy;NZ2kp?vSba<Guvkh!32P?ER}iicnR4g}x;Uw7{X7xN#{|>R>L+wKQSmZn
z*0{SsT2DwPw;3s}8vQhx(T{vR^BRGqs2w7u3hD?_N|YCA3ur@)5V0YV9lcChQOA=r
zmijwR;vnAcO|qG&V>~H72NdYjDDs$su#?WE<_hr|X1%sc7*v^*dT5WQB^vLLT~0Mr
z;!N~}RSeEBjq^Vg2(OcHRHp<Zb_R_WuW}z>-lU;(wx&a^3ETWYF!uoYqVIR#OW)hi
zUAo)@ns?vtAD`Xzc05om(EPdjwTA9zwViP1n<Kc@76$s93hE-=9(D<QPy7xKMI}NT
z^|d_aGykZlKUd*xdu|>ewK+*=Ry;3@^SK)gbn&_gcpg)@L+j2+_OdKL^8e6xW1ai3
z*GS}RXM7~94am+v;%W%IqKo;o5WaD_>7SvjfyyPW&Q{&B(cn+K<%qQ(l1JD0dx4Uo
zH4BzgQJCpoHe?g+bCnjc`O(80``x2cL7U#lX=>0FlExB0<{If(bs!=vP@^(j>O^|g
z*6VebgqcH7+&l~DB8>j`vapAHGzPYI2)*idwH>bo?>t<+dPH1i^)~ri-f8Kab3(@y
z^Di!v=jeBi;Y9qQMEPX&2d%0#`r9&j=G;CH#$Q-A0x7(mqnr(_L3o<@%S8BGG2f$8
z9imz41Q}T$oU2VF4zP2eb3TcB3db?=Y*~sR9%MoWAyT=fT?_Y>HLuFxUhN0h#hu3&
zgj5oQIYzR6=Db;tn0d{xm&gjpilN!9q3-3!>tS6N7w$AKnW(VBcoS&}S?baG<cz9;
zfPT4JZLllnGPhlw@d)EB0kvuOASc^D;l3>mf}w}w<2-i}&yQAmo*$h-l)5!DB}D{a
z?)~V0iC1Nj4le1coeM)WFw_9j0EyNu?GJt_L<G`$D2bLUr$9&sXirx1wsR8&=wC*q
z&y|B_?kx6ofyVREL&C8B)8bBZO#;NdsLpuNgkyvAVMQ=~@1J{``ewk>G)P0h;L~z`
zT<sYkc_sQJc8k9+0F{JKWVQcA&X+Ji=>3x^fHIu>ioygOZT%Nu`L9GUs6cH{?@cc^
zg!J!?lrK6EsZ{`@4gm2AXat`7;N$J96a?$~8fe`c_G{Z45a&9K`@9pd!~0TlJCHnU
z6q;6Q%)`{6r6(ax5&S!UGS@<w8ZoIr!v``&M1ICcA^m38&3(tP(49y#jpQ}g98&Z~
zn{Z&3FFECRsbzDVyX3|lNtdRZJiQ5XB_ii^Y~x97=jXxXZq2<|0L|u~R#z|l(FtR|
z+8->%m(Su88wn5Lt_)&VtSbx3lXJ$MRj4HuV)gZ4DJT}dh;kRCt3bK~!xAB^y;T*~
z+G=yHCXr%vD!ijEy<nbtyhoel?GHs7Zpj{&-WM2jc;i+vr%w4=$hNH~Eu#?~s+QHM
ze3EFQaEXN%joMRIHiw3!Aoxd_qfx-?J!VN*9j~`KSrC$%wYG6o;VK~8RQI<eSIWY1
z399I$bYW;_HwYt22YJ}i?Ap*gRH2*eIg`x>Lqy_7i?$$pq73y{mx#3&Kb{f*d)Szt
zcIB;bVA5+--{#=%C$A@OV2}6BeiK|P`n3+9Gn0oTs{it(FslYEIvw&Rm&bK7<>3V@
zWU`sRjd>eU`6>TkHh-xpNaDKcOb?_WF@0&G?B(<vrKt<2vRfvT-kfpoXXo(sNcpiK
zLVIj)<}zi}XtCf=zozBH+O3C|`Dwv5Bjd=!W@q%APw<|(DLTrvK#@yRZ|Ft)Ub;TL
z^#V>iVR0eJT=0bC@Wz+>&*GA?9=Iz74Is?}Al;gN0DBhbdjl$WYC*uK=5wcm9;^-8
z?-}JUF#ZMzzTN>xV7tKo!cgSqbDZMK{vHh|Gf;Ui*}(O&fBEZ64AM6OLhlrSBQ(@c
zsQc%ELLlHjUg_3=)Ut~<xINPUR)MF19mqpK2M+8>W{WNPpvHLrBCLc<W6ARD^^eUi
zy30IEv#YrzQpCxAcmw%}UA*ja&1(%@&7J*4R!6q8Yg@eiSG=TlBNyS}WbVfS3%mEQ
z5HU+w<c$ck#n%e6-bKAzMb@GZBwNZI?U+ug!esdz%{g~AtrN)mWuuPZ&1_np&EJur
zn4a)sk~=Q~J5}aGUY`aV;)wztY!&4)9mI{oT=Ge|Y>;0ye;Nxjy*Z0D_fEz**jeY|
z+;P`aYc}gipO6vM6~pz$EvKgEt^8=kRcS5Bt`Ht0aYCY@lH$27#sM-&rG>RQxMr?}
zBECJ15N-b^QUkJSkE*zd?hJ}d9LDYiOX}^>aeq{s`5SE%+hd?lV6)h)zJ(}@)^SVQ
z9_cGps&W-A)9)6#xkbbl^*%NqyZvVK^ZlcN1jNwPWX@qP^O5;z2cr8N=j9deMEfN6
zegENKK~{z7A(?KkA!SjdGGT|Cm+3`A_U9TW>va*1aW%>&K?$XN`7;0F%9J>GDwMvR
zF-(2q#H>UZ-?nCji^j^Fj8;H!vMOc6q-V@tGN@x*xOk8%{WTi>7?D@%G#1`pE@DEW
z*ZSCotZiSW%@>G<59jZipq|otcgMW$T>6KqlYHfo3CBUkEMdPsMTrsqffRk<Us9Rt
z+QGP8=b2O3E#4*H-J_VH0p&?K|ADzriPz{6;4Aq|azq4v4s@Zf@~wE|d$UJB8H=Z8
zIG^SOL!uop_h%;zIy@=7v#j=+>@$D|q-T)Qh%(Nf^(GgV`d^Y8On#f|w>-EMYGC~t
zF7T!qno)eU^l<i7Az;Q$2N?+_zT@O%FP~|Ozcc6W=EY{FM9sH_yq%}j`;LR`#0<;h
zQsLG5)?kQ_pFzlJsrs;1$S6VWOoFVvwZY^swB_9a-P~!$NKf3J^YM_jL60oTS%u7A
zYla(q2Rc4hv%PSmLE!F)lR{G`vP>@b<(skr8iOMV%=A%Y>{q8#F60tiTlBtNm2dS0
zqj;&W+P?I?C`9w<<YnxJJINUL2Pyl+4Ydwo(nGIxrJlHmtYN=XGH`j&`PIozO72{V
zI9M|>w*8BWLc1P@ueQb|H+I)FxF+A6hs^EvZsz9$Kh7nvEa=xj^o>H_M_D|fWt(Ya
zrcjCm`)&HEJoh|WOdbWJ>TQKnpPQe#S<x(Vw;_Ml+k%L>5ALac41wu6-&3&>B@%?F
zW~-g!e|FbG1TtPhaKGd+LP?Co_=BL}-dw49_n^WmUN5zq_@dV>VQ&=&V<QHww9>uQ
zv2t$nXIuc<t9G<sU*K2kT!fvLH8Q@(V`RuRNe8t4(UI<K&utgO5swNUB_FuWUF%z}
zw{FAmdZY|k8sBP^SB-%0FWD_ssW<9D5K6M0++^HTJVE?&>q`vu{(X-<nts<X0G9sW
zo%bRLlLyp>d>Wd>zKy;9zeMr~+WLGg#erZp0ev_!WGa?9boh!l{u>WLZ2GTCJ7UtN
z`YAZ~?vpGn%mt==cbrzEo4%TZGrE0hPy7P-x2(O?eM9SbbUO`-`D`roXKgm2y^+yT
zo)M~;XP$8%R$Bzd0VK<@xVShS3^&!w@^xQid9x3(zem+wqvC+ncb1wvfLk$Pb+fQ)
z3ie{rkbcffS8ntTkdXHB7kY1pifZ#-GyHFC<Fm?QXhLy?+q%GqPtW>}>I36S&1}(H
zjHjRpotA3<NryvZ=~KUW{kQDd5?UH$O+Gm+Wx)JjH`|V;tiIkZs&2$zZWsGbwK-?H
z7D5q2aA`&2K{|V4{(e%~!neMT1+{q1EgD;c@}?MF;?Pc4UitjG8ptFQOcw;put})d
zfnrWU-!N_(HO&BWv~qRIe|%D5396gd*^$yMK@vGPQY9(9eL!<oAhS!=9No?pg96&>
zm*p(%U+hm8eXDdhl|NlpS0g*avpYad@9rc@w~%o{{m;!ypii6mRWRelX|mr&Yt1lN
z$q3QYq`TVOH{d86ioQ3IZyW<N7<GG0IX=TTiIZeE3a3{J1MB(usGQ*R)c;1O5mN(D
zMsy;q2$0v6Sl3jGPfMt1W4w}ayapolPJL-sy74(H*4agP<nsu#zMJlOZsLLcKya`)
zGB8Nh`ru37+JOHxH-qTO&@FMp%*6J4Ed1LH;0Nmc`%xPUy7z7S>?ch-VuE@V0hIq;
zQwu<sRSfn2t||MKw_d<&Pvn)T4R9rgU3G*F4o2Lp&os|A&JNDG*xxIBIaN%5cLXn<
z8!d+P`sF~iks_%O^$xGh_79bO<gh|EjXK@htHnNZD0wXwtKm$E0DglH));P2;8`)e
z+$9ZuwxJ%rcBPO&8{?hZ_@+8X((UJEd$9~Hwy3#@F$keX4BDfxVeeF|Eo%-sQR|??
z1Bygu)zez+f)^`Y+Yt?B>^?MD5kmA#<*QO{^roxp`ZlY1F$EdAi$%!d`x(n?kqqt;
z8cfPf%tS1g)i1fis-B<136WG0j!vY+%%-DU+52{#cA-&y_Xfii9bE)?Pru9}a{~Es
zmJcP@{}kQ(cgo{ALJ}%??<a>KoR1PvFinr}-_V_nI%xl?d-_@Yj=KtqRx1yr<rAZT
zW_XCFv(gk_fmdIdgLMN{PNUCJItylxFsqcvC+#jgxl+WwP~XQ0a1fC~M!9SSEI?AO
z>S>q-WuB8z=8`4cZToLZweVUKLEW+Pa}sm9Vpz6ZuRVYx9Q~X!Ku(VcdDpYjU9xy+
zwcQj|2ut^PK{K*B6sgV`;Vi(H<EjcrFVc&zYh%QsmaA7ZT;6QoepSRHuS6V@ocj?N
z<s<!A5nrgqmamtgi7c2+(`ZV|nSn#U78IU#G1a4HYMn$$Njj@Bn+4mAXSP9;U0D8r
zc2_ztxwmE`&Yu!4F@GYD_w<Q!d)IdZD6c_Jme1vWUbVvMTknm&rj)E0LqAH%p)O}~
zKSnsWC<;_?%=!tAq|&!#gC!?7WGe<}-~}UN4Jel-y5pfh(QpY<zI{6$yG72Fjlp)!
z;_uQPDv;hRDy#mw`?bs!zrl}kc5!nO${O|x6F7;kGSk@zgvqCKFksbf>xaFB^|747
zIcrwqPOwq*D#AJLraa$I)IxDj7?*W`dOI*DD`Mw5!@26Wfh9~sF01!11-;1|w%TZ`
z(}Z``*P(-)zd&_gzKe-Au@&}x+Lm3$j6sc1xP*F+LuwNw-t#?m$2`WeCek{UAgJ3r
zJ7B&yK~xhkK0QtCj&BrthA?Y#(-e^RSE|qd{pBz_qh}i!(dq4}`Y*9Pm$yO#ioD~9
z=b#YZH5_Z0JEnR|_PnT=&<y!+8r=q6iJ_^8FkK@w^(L!WJ9)wxn9VxAw2lW0y~v^b
zGcr*RVJN4`J<;RTTlOgsy~hQk38%TDUBuPWpdlHf8x}P&!^|3UE;lj-w~|T9>S+=y
z#if3l7Z`Nz5Ovjhc1P64a2k5|472$uKKZ=UyRMe_^}et`DiC0bl+%+p?%a)<C53%-
z?E8=wBiS*0Gj_Ab5c_BO1W7;CTI)*B!qv!|bAeGb+VWHS*ZeMG6S2lanQN!Q)t$E<
zMJfm8snHEcp3)p6BRPk|PwE~oaQG4niIc7(t;-Y;Df)(%Od~Ropau8)KE2e0sOPm^
z$w8uO{KIJyW~k@Mb%Rp*?$2LbKCc;t$ZGa-rZAs2N9@(NR=LSQ%2%F#*}nPkUs=oV
zM45oT0Wh5Vg2H_MKHWQR`V8p22(|!6j?at$C$3J!>spGz3&N+bsQ&ph=M*MjJPi~Z
zxYEK`_gl^!c*<nJc};dwVlj~LcYW772HRN`TGgdyJ*t#Cx+GJG4Y0c0#DBm)LZv&s
zf@!aDMwl9_VrrISmG$K$vqkS7<JO{qro4IW`V-EYzGtQBf%tO;Pg3%|Kigq=>*c2j
z=>pg3G3N`09&^?lb;y!a^VirX%W!F{J0q^bn?FvK346^uXMq)j<=-j`>xmD$6WYyf
z^hkcO4-@XXM#FW3pA6i-j#oOMG^9=*Y$*_|I(%8luG;K46VDx6t6fNRf&l-x!koA4
z-^8xugI9xE`dhMr;lF`(hqNixjdG&p5wr`hgTNLC5zlQh20k@qmSHlD*lb8dFb8`Z
z1Akq#>a?1fsz`F;<5pY@i8-6a`Voa{DT>@dK$zb6?Z7+MIz4U$%G9ID8#Mkqx^RAr
zy$%OE?xa%G_QiS$9-90$lbL>g;yFuG;aA5<QvAr5&pHWBMGyH7Ht+X{M}r+-ShvZr
z5M<!e^n(*_%G+7G=d%;L2I;6|=wsP}>(vO}<uPxHE-TL2ElC=wYz?E!390&PUx8WY
zBX5?cT!KKBmcs8w3@ueO8hswYw(K`~Zqj;a%)Gs$o+G@4;l;yPO*d;*#^cP?{U@0{
zoVp+V5L$ofhl7q>!TX&>M^~(k4~FPDi79G@%vnQtA57)D^?j7F@L8G%M>ut_->+V_
zfd0>y4Lm=x{T;p~eLm_P7B|MQ#0wUFrIAy*V=lAgn=<dK@Pdbw6QTD|)vBz1gWw)p
zFN}Lv-`AfnqlHRFQQDE$6iZQ#AHu`LZp`Xf!adGzS=D_OnzV#2Fck&u{2+n5A!rXA
z?tIqQ-{Z>e{$XCI;DVP&e<N$w(tabhKH-{|Y8MZ!Awo95mNJY-`IV%<;h?)5fm4N;
zhV=g-#*MNqv+sG_@D}CW>cO1N$RuOPiW+O_l|d8X^h1F1Zyl;3_c<U#w%T-y>8Xs3
z3zdc7_FCe#ZgG<&<lfb22o4@?Cai{Et<WB~wc21k<=UXKAG>vq&#N0&F!mPYPrk|g
z<_s|iXB!(BRp;+wztT=r_t!y4Kf>KlQG00QCI3Wr3NI+;i`86NQ%vy9=YmH*eH;q}
zBQr4tJ3omxY<4T^c1|Z7XXK5g^yRrF^+cpqRi_1?Uv9)%%?j$#N#dugIq8m6s>QPS
zY3IRx(aEUD@2N)2N)qX_C`pq!yr36-*N7%xwGC&7lC9t`5!P^aea-9IkWvx}3RfRy
z2TCL{CX6K76^fUPl+&dJ+f>H~bip~<`^2PH-wx$$T1%=BrR`@_q2gm~v`=U1PJ?|M
z_pL&Fe_=Q;V>cNK5F<<FrkU!_q@6|?PS`C;N;IiO{MO^HEUh15$@=UEBTy{*EEK!`
zdlLlSjgNSM<&WG{5y>Pbb{GfFeT!@drER9CrJ8LuzFa<$j6k;b^(2FV@T{O7)&yQ|
zJuvT#UA#Klp06aUk#`kK+K*Me7O2=53!I#*oTfgUiPs0duT1W+lCBW>!n*oBhm28|
z8rK5it8+QQXX|AOdaDq3C@z#8><ZETOn*9vPCR@iVzyztAf{ndR(7oZ-h{=!;kQFK
zbT7DAmY!eIcH7KcXU6q=Xy2BOQ9d-$l&ihqx|ZM#(In|?sLnWb$p3wd+4w4F?`pX>
z@Y#3(q=+xk5Cn(+cpQzC8b@T6XTC<I-v<jOVB5eIi@fcR*snyXE{0?9BT+sMQx&((
zK$xpEPT$|sp!e&NvrjN936#!fPhIs-x`hoNg%LY!=Ha-mO+p+_I)WFPmubQJw00Xz
zY`>kHo0UnW)Ackt4Xh?wa|w8!T<JO<wgh7kj&wjp*znD&89F9}I7a*Bd4UCUquViI
z8t;13XdIJThIdM<@Q~lH8dKhoH*J4g+V&oDq<)iBQL+>3=zdGL$*g9PNjzT|4T-F=
z@uR+r#W{>sbw2hHK>qE=TqKn_xZ2#<G9ZOOikcT9{~bJRfq*wg@@v+*ZT477JTT^3
z3z=4vFxts$>;DX@{4PreNgqN%P7Tvkb2j@XAKbuDt0HjP!@3C=wIUUxFrVGbYpkT}
zln1ohlUg(U{G8;1>OXo@`>hYY!-V`Of9r6Ig_B<%rb$jhBj}bw>1vDqGHb^+sH*h4
zZ{k>;_d6M*^slCh*|XCQSgU$l**-($HC_6HOaqH%NBorP7|=)9tHAa|o#9V#Ct-Rh
zGog(I3}%b8G{7`~)w!F{5G@nUU}BJ%#-DoVI^q)ZtbuXwT4D!2B|*mgh57+3q{lHZ
z%T-hZZCdn(X|$Fjc>S1mfIJw+LXq$nA~KhQ+<<I3MfF%~bfRHs1nEWb+LLA_IMxeE
zW=`{gJbb0Z1i4g1pu!hj%Ao0mSjm_LR*$^hmYn)~@^!v>{=1H8P_B4UuM{|S5T;T-
zL6O~zn?awD7N-Tz5QT#J&pU)yl!i{tbb|51O0<rtX&yUKa#%5UiG~x)xA&T;rFD{w
z!0b_4$eoRgo(JQwo)BSnchLfzE3SP1xJAEjDP<AHuYbizpFbrCkyn0=*)Tl+&SK_=
zX{mzU?C)#p8c6l1_36(q_Lg7I$d(AnxhZx+Y;W`~Hk&uA7~?Dkp_rey$ldnk?Z%@O
zpl;)dwp%Tb$Xp$KL%Y<xiPYEdl^IR>Y8U)XekI=^VG8MDlLVS|`>T3#CjX1}rY!EW
z;fbJfzgxe1&``xcxk&_*rT`CX&C{V!8n$f1pb6_c-$V(CRrsPKT(3JYg1x3**VDCi
zDpN<M3aulOd_Qs!@B~PMUWTWfK=pUMsiGB2=+q0>@_eO?D;I%5=^>5&IfQzcBsi>K
z&4w{36N9F9FZdTloniJC&3#;+j#;_|C`u5v#g{FYCvR(-lMXBbG9Ny%1K+<eKG>KK
zW;B_EsOj0J=q|cQ_1J-TKNt$Rlhtq_Jb8rpGrkUXg<NUhbv!5f(H}S@y2|0$zuCC0
zPV9WBen>W75rZEPCp3FOms`#<2Jii0NE9tM${D69VUvJM4sjp!+^5{-$#_Q7sC^{k
z>6LdBR&#W|fDhXeQk@V;GaNnmNG~SqFKuYK^B=r^ChiTe9_iR#`@zWLeZyLcewx#1
zS!wkAP>=L3v#nNKwR06zanM6O`AYo8kUg!VK;QF{Hgw{x<c-CTCoS)Dcy3Y7Ni?b0
zNcz1i#@IYb94tgK`HH`aa&p4P))r=c3k>Xb95Yb0q5b$aS7<?Hf%ZMzzv;Stn6<Q_
z?abRfDbm_!@sGs1XDh~I!gx-Ob^Qb7+(gnO<~L<Jb8yF(-D!D$Eo7Wg{^-6*MGF1G
zGp<f+>9PR($%RYLp*ZGIh^_uFC3#9r)p}q{5VJ(+GMfQaq_^wvq<5mWWZaDW)cgK*
z=(hI##GSB-mg{IBD_Vv~PCAD*<Wf8lN4C-Gm^RaW3^~@4{PEhL4=c6mvxc`l315s2
z8|fz#8AMTJB(m~n!iCpCdrSIsUHcDU{SH`u>mA<-jU-{x1r5^9hWZpF+>8Huy+T&Q
zbY*r%BE^#ZbQ4;0iXkCirr*&`9+cYi?nWftgGS5^IJSn4PghaomiC}{Mz&+0t5NoI
z9ov?%zU0)<VNi3J3?&#W9j)RJpz>aB(u)8$4cL}a`U0HHsq+iLnnlVFhn3;s&VSPu
z<wD{@J<!BfYDrq2WMfh-qs0-~nv@_6HjS8b@+!DitQ3IqTK*Mx4adr)sNd!-_+>Z~
zID=)EZuPJ{BhkQ@@E-P)k7!o!ofxxGH9{AJi{pz&z)*K`Szko}f5)(~L%b|@azZTZ
z@AhB6B_5Bs-1)+P*Qz^z_%-RX5MWY6uegY?_pBP>HV@y^I7Kd##R<~=8cWc`ed+S^
zc$GKdN7bRV8i&T}!g$F71y(NZIiwF#5f!{N+fRddcSD^x53-tSa7o#J3Xk04T)AfV
zwi{uoNt>-g#CcAT_AnZGBsigjAyXD}e>I=Sgz~6+$0kY%nB0vv2Sx6Gqt(Ua)Vz{-
z>|3bC3_T&@|Jz8}HGH=u*5Lneu0I-ezP>wqgDQ;7^-RtmXKPBiCt(=odebp|dD-Sp
zuRP&uV~C9~N%?N7VJ3Kh`y-gNl!asn8tQO>>6=?{&1@;B#?{B7%*o{CsB${;N7kkZ
za+5+|H0{`^Tlvr)4z*D^+Q089%_6B2!PS8A8G!u^3T!Kn3kzau0e$vEa6y6^A4F?_
zC-=JspixxM^zy&r!{C9a62Sfm#J@KJ!WfkRK$p7npBd|K5a9T%0Pq@5%K$CpKSAI>
zKZZ{Ms6$`hO<&C6o=<~>|4xhrAsF2O<2!;MFmpaP@BdfM0I@T<b_Qp@07Es5Dx~-<
z3wnZDV3YgPhM~GMEh$Q^ZeZ?9bu-)Kx~~uqKb@)L)dN44C_8FBH-he9>_1Da0Jgtg
z8dH}maGSE+Nub8Sco{a`n5P8c#A4Qkdo^^Ed&zox(gErU*uKcwDVAAD*A}q$+R_n-
zxne{Onuv`=ALQxpyM#K@yZlcH!$xJwekBC1Hd8&PuD@ixDHYpsjWN9F<P=ewQiV{2
zb47wVzWS_a3$iNjwg$_0$L$6;tIe2C1mkS8FCp_$pb#AjZf?R|$X$8rN_Tzub)#Ga
zB@9-YGK1GC$vO6#MiZmjzqVXyJ}=sE52aDSb1X(~sk3voYzSy;;7&Ou#);LO#H=bO
z%riC&6^UzBFn=1FDW8p&w6bJZRLYagjnS|18Xs~l_=c4QDSEuWs%{oZjXu-Ajqm+>
zlV&UN*HC>=Bv3Argcqw_%8TO&T|3R@xDcKnEVz#Qi<Gd^Z)r?_2p(ch;S*Koe#QwV
zPsWhI%3)J8HsakS-6kxw;igog*Q}?7&F#71y>DF4mLWrl$X)u3_Aut~dyM_V;Z;-x
zZLzuSfxOEK79$*T#b>W$QKbdi>JMLjP^d}NU<PTtbQ2gQpSK)(%DuKKY_hgfwAtH6
zxV-Km?X?Jul|xOBkSVR`Zh!5urR`!9%fIQ~x4pl&S5h9;8P+PQGg?M_zSi%){&%?r
zzPp0wpe^6j@oT_+*BA8>boE&WgPyR6xBf41u0Md6H=yp$H#HztT1ArCF6C%v#4!e?
ztJf3hW!6R2Wk~a<;x~!V1fig?V5<QhH4QFYxh`Yo>qIRKJ-l*j#9WC;Et?Wh#aqV;
zjPXIoApMGH+FsE^sm(<$1PTQ-fkV98skB8s!nz&155vMK-Y@!8wqobI_019&9*838
z6K29TTvLTS8?h2NsDO!zb9!P^m+|?auhZk(b9IR@xYC7Jk6-p?8W<C#r`bId&^{it
zcp~?TqSRa!#Ag52tk;36d!fuWcYvD`oe-qHA<p-q7vJ;jC(bOJufv6r=mkNr>Q_PH
z_s6EBW0p#V^y&!s<Rsyn1!9!yV*2D&VhEK_@;{XdpX6bM8#eE{rhT`wM(zfDK>lYu
zM;%8w=~ol!D<$W)kr&7dW=KzJASR53^`X$!B!i;q^OqFv^<ZWZT0{k-2;+(>aoDlx
zxY;=pI2%7V$Fw%2VysO6)6^cTQ!!@gTzg3-L86lsN9eXuWF^6nT{(U;dCUpYAPop|
zgLLk(8rhc(!K*yljG)*G=qmYAxU>fEwFs_2n@0lCzDT<aw_|fB=&CfM^u@-~k;cf|
zt=zjv-5J&DugAvVPzJi5;59TRDo&7tj+V-j6=V%aboNj4{e7x<dt_ooU&vM;M8$_-
zhQydUR0$@u@t34hmeUrr#Y9A(bxmi%$~HWiO)q)V466KC22bQCea%P8Y~nkS6)W^S
z4EIjX+vh72ihst<imbeSxwW)b=Yw8-Dr`{imsd{I6A99a#}whK#YLCDiuSy4wro+A
zFNG)AB)bp&01obat3LGMoc5v6Aw}qz)|k-zXVI6c$uHJ;?eTQY(>uMs-3>tB*)}kb
zcpDR<Rv8p4CAnSHxP@mOMm*IHCtH=jjf)MgHwT?@a32@9cS>)iIR^fMl(x-qf<lgz
znCmLsn-6ZE@+r7g=lD@t&NtGy9%x=F5p?gdq@<=z<&!dTZ>HR~M9+b07BAE#B*0s+
zB2Vk}&J!P<;I+jxR1}^>RP8R~nirVK_@^I^r~BCICAvuFfHg!UrHtVF%nW6eGz_%m
zM|)qmr6jnOW&q{m`faDpt4y?vG4dnzs>ka+)5`VQJXlc03NrZX;w%^zT^0It%xCJt
z&KBDzh6S7IV2A(r%_<0D_d0e7pRMnjEJIS;RHD(*=5Hy%J!!<oKiA)H`N_Hc0e4|H
z`P8)4*R8ugxC}3RJ43>Zcxrl%AvlmnkyHp(h%a)9#arBz9^<&E?CK2at%&@*0LK$g
zmrsL#I|(JOlbEJt2Vs}U{Sd}sjiLNQ*8NF*9rHAz!R@u^c+ke%-cz8F2W%-w-W%w7
ziyC+Q(2mG0*S=op*<g;Re6dIGnI&jGhYRgZ%VB5@IERL!H_I!UE|M?~(JwKD$|w9<
z<c#v76+z2mX7!^>f1g%E=GZzvC0)4jatR41A?2JuTjH{}HIjL1BL~T|Zfe{QaWf@v
z?FJI(ou$#ie7*k=SbhgkPJ4}jTp(!jQxc{#`lkOWW<3Qo{`S837Ao`a+igLP>u;m1
z0mVnYVD)#twLx;SV$W$*%EX!Rh<`IsP0yPk2z6)B3Y!?jMT6R)k^j<tk;DTFXCjRv
z6PE$+(Uz|)>{emopZus^<Ea(xSzQ+POotp#9&t=);qe?1K%{vgkR3%fSg+h%e=H-x
z9e;QH^8#m5YguMN+HhVVe}WbGBj1~`Oh`^ZM4-$0`-Si>qY!l(9npP~TYTXIaYY`E
z0vtLiKJI#+2kcL-sj?BabI;pmH6koZl05m01C>r@X3!X9q5GeWuXkDTuRqPkFY4+U
zBRG3sB!)9=J=#{3@3!wbI*(eaJ3Q>|NMq18h8QuWdm=?z&_)kpayjozUfVgnaLJ{$
z6zF8&<93MEhB}yxH5%=U)T7xnFn0f)MFw`Y%E8UD!Zlbx><|<lty)98ekF(nThN_Z
z<&elvb5({G)ECD{Ie4;jmn589UVGbC+JO4{mqE&;KB%xLQ;=u+EmNf^b<)B2;1sO2
z468};#<3@iABM$F4{-(B;?<wk_|Jg<;-m01spj2!2&Mlll;IjLw{zZt-yF>Wm%Vln
zynEoS=3>>PUqZmCg`M1+17^CCpd945zc2lz!C@4YK!V2i6()Ba*7QFdj52_8e(>>J
zhFRXN$LY6hLsZi!LeTZ;%-*4uMWv2Xr%@3quRZ!|ZBFTYXjQyh=b%+my&X*!IF<`R
zGjej@rv~sDKmh^8pm3n>6ELk?v-`oQ1`ND@$|bg*ec3mE9{*p^ECFHw_nz{r;3B9t
zsKba60?ez6K6%l(mnVYAVZq7AFX%>eFp}u8wQR{pqnM+ZgiI#>)M9rcA(nOP3^%Io
zAC1BXTQbQ_Op8ZmQEjOu+&xzgtp(H9pKc1(yBF?C;rYH0GhPB<A=Q$jU(f;z2t63H
zmwVdY%_wDy5_R55mgmxJ;_|Ex!$0Zgzdj}~j`6rs#k<8KJikUD$Wpqw7>k3=p%B;f
zjN@wDcIe#~K*ExPFV;|4Z^(*s)#iBmA((OOIKU7IjR$tsYU#*!%)MKM*e-IGZRkUn
zHePQwZe6cCQ*#@sF0hT;O7X4bI-hS{GS}{C#zt;pZ5+oP+EwDQTZ!Ytx=?^6viU!7
zpd3#M+Av>8xC#Xf$K&2vWFu`MfiYGkxV`djA>F;Kz?j>Mn|5VOb4E^tDO+2nLb=5j
zomMX(!S+}EEtvBn#-CSR`Q0JlWsAaZ&vHnOEI5pkDq`$8Nq0uX0JCzqbBB{2H^xvP
zB&8&%@njkwJEd@{d`l8|+d&g_cvzZGAQmH5kiNs$pH#DX9w~FEUO8>`LYcUWBleXP
z<rs4N;0I{{96w&u&RooOBUy%2RCB7<w?T8+vL+SL3)|zY(xmUvHJY7r;tozhFAoDv
z#S`XVJjE~N5r#ftD&F58z|ze&gKB#w@BOP0sdK?;7xe5!2l}BbbSCG%jRp&L0Z+G&
zu@^uuI-(XP%Q{(<w`=J-@9*ISTAp-*S|ZKiY_bW0F@`^}gGh=zcwR%?8y@|LN)}I;
z&FNhqaY<Xh+A=M7@A<O>6EGX-h$=H+HVm#Ekmlk86X;L)oTg*>e<)$AN4T$4EVI2F
z$no(j|B8Nt$(J#VPfER*M<^Ev$+s94io_6@X1Kl82zm=Rh`K|sHwvCZ#)X^`d+pPc
zlIE{lK3AH?IC#Cbn=kny%a<*A+*#A#Q(fdKymIHEQ7i5<QRKlb_&&`1a{#3K=LRlr
zM`@SZQ*qVPE5!ugEeLb&)4V9>k;7o#tJ5o>prL&4{hc6k;=~N+G<j}nJi9I?)4dpE
zN~uKz2di>wh6;fYjF=x5Dj-*CN>WRy<D!Q?s5duF%=nI1y>nHUPW!WTd_&;drdIcZ
zQL#54iR2K8bl%+dd;vqXE>(OE-fdkiKuvsKE~y8>tgtjnJBBF}f7a`rgyCUB65*g+
z>y6>?S8&DssgZL3|6}SMU@QH;fZeHW+s4$!bZT=twc9DCwmY>kwQbwh)V6I~=e_;^
zzVGJV<Rs@LCwY;qWUsaM+RxLN7BF5lGIbuHhs9lbfyExM@}f6Yla}ITXxz*Xktto&
zfXO%tMOQR2V>{zLt(l9U+;_w7_>yK>pt@pCXE8aon|An(W91>m+e%H=(pI=Yikt6#
zBz`=^IPb~LeM?M1^h<^t+&}_eZmy<Iy(}4_sOrc{f-I_Pgfr#89WWp=YD>0;SF}!F
z#iB0;L&b1Zm<RywqI6~cr-1+I|JY!_hqmDO?=FU`Qa9^&=G%oyN%N9ju%w%y$z;?e
zO#^YCf+r>(;}2G5imAV-wxb8(K13X@c=Gfze|;%ovI$JZf<psF93n7&yA0gJwxwWD
zwuNVrT^7a|{IfDglf{5lA#rDbIEZ2n>tgGNF5JMJKICjAr*-(yXqSw53O?=yLGs%E
zY%&-fi><09%SmER%fV^XRh$jw9oO#q#n&b?ey&H6SsjRufL@p$p`ULU*r|i*{u7hU
zjG>%uOg5&UNY!r=kM-oFaFDcBC=wb;$>cmCuUY2R4%^McMv#=E!6mzajcVM0s^b7Q
zs%0BP#}r>E<Vp=Y;g=S1A!1t4q_<J$j?dEF*u<!AiwDGnU5!!>_W1~euIbEjq%&7|
zv8EMrQS<n-Ye4n|eT58P{11zU;~ew9+Vkr9k&6;qbQMo>_(VI3uM(jOocsd>S!8-@
z*v7kr*6)ranF2@1z2ocZZ#8`E&vjIe5&^_QK&|-R=2<nGnc+^;8Gau>-_xWPi=H(I
zCPZFgz3yRbjnG@fM_G1XUG+~?Fjjg8lmD}}+YbFn-*4xoAsa{BhH$@kUooLs?`f*b
zjCEqNBQZ$Pufup!)3tNZ#cwTep}|bd?l^aA2m7%)>zh*L7m_d<^+VnZ@6t1s&WoA~
zQjSk>X(8JYZgokBq29)iC~v^0FSY0Ka~O`?9i@`4vRQ#dQ_89636<4y=RHXxDeB}B
zkHoHcr-qG&0-W{(y^&Fr$$BgGcV^{Ym!uDYeN5XI=(Y%77JXUFnk|8PEONO#_8Yl`
zI&URbyScFkL@wI^2I(_*qu~tJD%2}}=StLZ#?<rkHKFS@lm(iUG`pgpzg?n{PjoM9
ze`l0MBE?c!LnICd>>3o9aOCR)*k}AhBDvAsGlQ~!f`zRwsC87mBfvC&k4rWf6(^Ui
zbX8YVb@r#X>DZ6m+}tzM984l=iG)d<QskUu;WJ^*kq{d+%&G0l1N-*49l`c<7564{
zWDo|9lZ45YT9rROy~#eILcuHM>qZj~6xxF&Hkt!E{}yS=#<k_yHoyfpnE9eR_4bLh
zSg*n}I%(gvns4k&w!HW$Wh`<;71944fe`FwJ}0aAw{HF~1P+`oJet&vPUo+yh)Z-m
zm;E_cEOMOze=hfBk29V07eg|OR#8H-+(@I<EAA)piA%9T9==4w$0jv|y56`(w5_nY
zM4&$T>v*N+Q%{mI`E%(uMbXucPBMey_lF*X%a4W;?R^h6;!S1`hc<<G&vU`hW5FV3
z2ki#%eR8g3TI0-BDZB{^`;096nO$ZIC9EPRv*SR5rfTgDH`#Zq<sC|pN5So8=dhx*
zR7Qkym0Oc2vnM$XG|@vvD|4GP=bEn@=;+|d*Wm4QY&Uz<FCdC9SiMsdJjV1Nru7J`
zc~nUnf>-txj42`S@}46y;VRTqWg<Ta>m06F@C}zXJ5u&=CD~C(<~iIX+Gt1Nqh)z%
z-;9%c1U=XZlBHbPZ7!4uU)%Ke?Fi!D;EHu=C9(UotwJ5;VNeS{k-kJ;Pp+cxDg5@$
zk*8?~OjehENx#Icp3FXl7c$2hRkhm??49wk$EMs4r$>D|i~cz{PTB5lCgPyi;tyCZ
zT=du6@5LdgPH0BIBYXFLyK%AvD{!zM+%Lu`=GC*c5%cQGx9Gn__#G)zT&kx%`@j^g
zZF1C8MLDqZTW#E4?A)u(?loklu2LqljOoOlOFOe!IXK9E&>ZRB<e#{qsuXD#(JH=S
zLsUD6>dT3xv_|#wlv5yO<xMWrpsi|o*d!o-AKk)Nnf&%<8ZJ9FWR!eMaFzf4Zw&qA
zJd-55&}u=V=R)+^6ISLLS3gafM`6@T^$#ib&05i66cvz-N4=m9ivia1a(bnj$R=Z%
z296gC#}paEW;K3?I^|O;rn2c&&DQ>=&aw~rZ5kxK8c~5vP&WRz;GVeru?B9BS~3#c
zD1`38QA-90N;U9@%=lwTEm9_#CsQJky&f}-O0*HdF+Qp%f1Zxyt-o^}fgNZ1*Y~c5
z^wi#q8Z6u;uXPIYBXb)}<@<Reb@3NOsVqdlKTx!RxA@oU!q5~<7vRV@x!esHn+IxM
z0jwL_k1I8u#kc>PZccr6?v5g52LX+bE1743I4ZnrA^$>`xIl&o4#Mlb`$jK+iczsU
z1jsZr*UN9)qNC?5Fig(Q?W}`bS`310F}tk?xX(jzQX~PtoZYyM>=yZ^1HZkzff12r
zYf~|cM^5Bz!Q3u{w?*s(-=nykr2HFirizR(`jq2TwCBBdaVdoONx_qYgZH6|{+m9|
z`8*WUKP?q7;OB%iL0SllxS{Jmo6GTccB9e>M4WxaZ^zUle0T>vsb{ryq_f25neDAV
zyU%%8i2F>-B%X<N&_al2IiY`!B3IEbudCDug-p#`*>YeAVW|X~MBjlLdkHd@q=~1)
zGQNO}S{0&;NdA7fHCi%b_`-KEFP|~lZj+Qtfvg$G=M#vH#VVv<tGvrUhBxAo{|D;G
zHVg;uPeCY;ssgz6jn;KV7smzy_X)boUMNg{ws@Zi###DciGt$#t#>@d#bK1#3}3Xj
zM7TK)CL}-dSpKJg*j^}1mS5tS&HS<&l`+j?z*>>*D$mm!V@MiYmcNrZwWVAZJGGpo
z@|aHWHsz5faJu!0ZepBlig4m<$c|&RH(RXiX~xo2sE%*<io*O7!BJ?t`}v*F3-hJo
znHiW4epAH&6CJG?@3R&mlbqF7pI1BNgm;ZNZ)vsIdHR+9Ma_$6B!=C3di4q(R>H|H
zRh_OfiM;zR%@q&$fgLMVGoo`J;w_nwS*U}`9-$%!IlP0S8d?=1Ay;GdP8P(La-XZT
z##9`y|6H(`sZLb~tpcqj+*OV<ky+Kl3XU8R*+)^c?-vP5i*R@ZCZ;Ni58+ur|JNrc
z74+4n004fqhP?w(z>x$9xHEg60^*Um5w~0@rEI_oKok!E{^!P|@R2Zz%ID;_4LRUj
z2&_webfbah0P(D?fMz1NzuMbrR{*FDKv@AC*=Z}H%iTRua!{Y`w+U!5IpuRCP^6q!
z?<?0v+E^52F&KZuQ7S)r`N!G{-yL#R6PuiMQ%o6<r$}ZtqxitZv%xvt+q>U;<x5${
z*K)g=e97<oDoRe&CAor0Mp>RXmaFTla$R;%N)|0f*IFtc5qP8I{wRWDJX4Auzv)tL
zREV{(<_@d3s!6fF{zaF%OP(uZs?idmGNi(CTx%!l)L#Pa<m4vzz?Rf8U`6jCelZa?
z%=|cBMGUNdcADC_RJLWuB9+4DDN{kb#{_&};|D5k76obN4}-66kf@}Wc0+w0{)bPF
zS9O0fV%nTfXZ)IyYare6_ETxfw1UlX{~?VHF_D`2Jc-yRAi?h$DD_>t+;XFn%R!-Q
zvkjKeSjo$i);VW%GUxxpG&~7a2I5Yl>bB(TEHOWD^3gM$_~5T-MSm7#Nr?I!I(9C$
z4d6YfqRVML<Pzl%v0e?aB-3OKVZy(?yZ<il%e6uxm{hlhBay1L`_)fec16;U3ZLaB
z*U-K^vL$V%zd`zoL1|$S?ecT$I|0+@2`swZUO6wp!wHZ2BcZ+!-DMdWgx~+365eeu
zz4$RZzPIx5G%hJ)*NlyHet^QX=<bkeiy!LX9`7bN%GEcbMn1gDZHl{3Yi!QkVquyZ
zGxBlTN#n%a)?EJT&V^=Z4LM#@+T4T~ytEG7Jv{;cK71)M{L5%wH;WR^0^a3n43cdR
zH8{E{^{Vpr^)%MjH)2Mftnr=*?Lq~fM+MTNRj^>cXxnp8k)?4-Qv|~yU8sLMhCDb6
zHrcM<;Q7V7#amKuz(V@L$|0bg>e4R$S}_$4V$j0AaIdh$ia(u>wmengcA*#9T@w0s
z#=Ci2Uf$n_f|hq@fsN5Qh&GCN<rH=E9g=~W&37ooc@gR&GvHc1g{7J2xSK^xzQ^8o
z538phszrKF+S}0fHj3#g&}T3sKj);e1U{>}A=hAM*kGSvNT~SKIHVyg6vIg&sOSX&
zH>xOG<Q<dfufEnCBmA3fbh<)noncHY<KhvfE_9)~a-@ro$>5iv{po|*=3s$wmt-n`
z<zoZfHqiFeXKKq5GzitKL0NlaMR47n;dA5n`ZB!SI(a*;AN-2G^?efqd{>Cj_tT0w
z``nSdA*3r@buiRw$Z&OF8h1sgaC!UZmm1NakqxwGy?Xwop!AUUm#1l*^xJ)X3Up^(
zlx|)Nowi(!LOjalnp+sC->N8)iNZljHIl66NTSnSED9#Ctp1Vv<@0hiEWv3AUuuYJ
zdZql#6r@Ub67R^POJxR~DmBHCljzh3VxiB<sTQd)T*Uv>A(c2paU^UaUq0L=7`@;f
zlCF3=|NPsgOtXm!4hs22mZ0v$$4r&1EBKAnPU<}EQ_!>pgxmw%-x<xlzC}8{|FjYf
z@=!q87^I>=Rl-H?Bilky8G~C6CwMA*%}ZO$K1yZIf2nmcQ6Fpw2rjzN^q(GneD=T=
z2^71ZzfERWGsA7!KKN-`bCS*sW1VVaK|P$h#UXU|?x96KJ)7LO7{*~}vE%n^2L4ZX
zD*E7B$G-%hn4;?$is@5A26MC{i@NYS$@bX*P1WDR%kHrEMHU7=BwGjKJckz1m!<l_
zkv`2;&XkE(A)S`J-E7qEGZiArm<T7b8-M_NgqzvGaOj$&1G9Y5lmxQbj_DxgN=9N2
zwo%x@n#CGBdSrBdgr7+}o)lWZ@4{}?46W)ybV0h>i2jSPr&|XLTkaME?sDj+TaOtm
z_*hL$@lThCWe(@&mi(-^{Vjr0YD9;QGV&Ks#o3{+lP~a?AP)gzgyMjeLa0F*jV>Eq
z{#Bj~Or@^m@2PuLXu^9W*&x#v7-62erP$g(G6OColO9TR?vUgY;VR^STnToyI7}u*
zGBG+Y9{%!3OE^j0kQp~=if)@?jkpo#mb5b~l8ezBl>nVVg8A*j929Jjz@Vj!b?X>a
zT2F)NQsl95%&vGu{1z`P#n!Gumh>rWF6Vkk-s#3*aQrjh10CA(GI+On-+WCBMKLS8
zXx8Cq?F_+P)_^>J8TJnbrzKjN5LCl#FS<o+8wTP5&C;&Jmu%k;5DG8wW`?R^z4t|h
z<j=o5&F#J`qwxC+X*i*Mq$qJOYEeWe_qt3%@8|B10mFBV4)N70;pQQ^4MWT%(>fXA
z2qMR31u+LdJNbf?4Y<sRp9vuDg-Hr7r&WCQ``ZdL%aRpat2vKG3T0EgKoY`w!fpuP
zdG0TJ-ZFNWH?V3Gq6-&nq>7ZK8psoaROcDGCTYN##pG_<Ne_J>sof#xFD^z20PHgP
zdy1FBm0Up7Q><kpp&)E=s}kd;KBu8iKxfyilgL*M7Pqw5`Mb(S)E9B}$Igz*Ko~F8
z={ftu7boT`aRuYcLkus%PQ_lVS$^9`yHj&QX}EBr(RH8kYaJrvLJumvfAUU{pQv`f
zh?i2eUBTMFZ{@!923#R4)nnx9O#FB40Y>!%_T_Dz0$f*kHsZ6PG$<%{e+h&2OK<hW
zF1nB;ScAOBIo0pq>9y$*TkuOj3s0S$6m}g3G2}eC1if3X*UVCuPqdEC*mYE6(xvKt
zvglcdN;!{T7Vd89DB~Oh^g|+SIog)l^8&8UPS5!7lTr!9a+=!%7E~--imJ-osA=yQ
z=Z-!a^0&%45<H!!pgY}-d~k_(348lWbilrSuVzP|zr%u4_gu?}!6WfQxwAz2(%acG
z&lxl#mn^-?Q}q<Cy#Skr?I*?+CD~f~s;xkSE{idUUC43P<DCY*aRvg8vTYGtKRd2M
zR+qO$M8u5L;f~^>LZ#!zCwSU)#Mde*QEkH__j6Jf@pV@(bz?Jv0Z)T1)jl~09K;m|
zN_9#aOr_&XkslhNIgz~t`>&mW5wC(l#FWaKv>tZCGd8SjqO;P$t4dO_f(xCLJ{JS{
z%5X2c9K?H`uhTm=WIfTXb5H$mGz1)TTIHmIHp72UA)j43MEPsdMPh6mZV-nWCaKi=
zi58p<^<&*};lJCm=orLkT%VcWr({Sx(1ponf_L{mnRR+3z!}J$cy{&R&|OKIzZzB4
zW|VUqmV|h+8)3*YmPk$4f16!fdJ=3)`erkc6oLpIgmbY|F3wwfr~8jzXqWkBK!<As
zEfHq4aGQtlE>3FA{%7SgpSW`GYwU?A5KMRNhG38LgKgOXeSCV{;o4o#jl4a1Og6){
zB%GUUEKn_4(tKDkRNwfvOxj$@=Vonesom+IFWXK}di=39B8IjWVMM&ulU;5xgC4G#
zT!N!}fi904+o|fMWun#0i1zH2=4HA1_7tW>>bCd2UBv@KSC9p~EFXz29F38f!Ca-%
z<%>-`{8S_6(_3RV;(b*SaXat6BuY_Id9h&3bzeKJCx4RN^7kOnwhvk=sh2uldm`;g
zLZ9(@q_C>tdn-2h>L0S#05Ff_{egh|h?RfJNvT8&3g4!HAku+7Atw+1VN6XxbP=eU
z0X|NEZP7>Iy?tE_6!*~Wn*yBr?uQpI{+DHbDFr?g&!N|;>^uF>-vBdr9MC=E%Z#c5
z*aiakzF%Tr?wTk>91wJ>fup^b`XT)dfb0#hg|yCf9ZP7^kvUw<W@hrZ3_B93mNOCf
zGeUrwmlKWCXiKU{Vj|t98T?pIsG#)_YT_TrKFUoZm>|X3_9O^t;Ppc~yLeQod6YF*
zEpvdp-l?gD2zoJYtr<PZ$Tx6qn=Q07!#<7r8<BJh4}H>r+LVX;re#B}{ou++2M$xe
z6nC9wXxVt`D?te5Kh1g08diO?3?_1N!E3uxD(zk&L}OAS0pdmtX2yxLPH$ZDZ*ncr
z8=;t|YGrI3T5}vzM`Nmn&4}Y+GU<Y_-Z3yVByRIDD4cB-KFkQRdX*jXYp|&v8$XYs
zHJc*Zx?6G?lU$!)YldhOMO*wdJ?k5+Q+`q8RIIgx0g2=(Jl|hJILByA(RfEeS=X*t
z#WQB}o$-U^U5l#mKB0&jN^B9nl_o<68crT;y4nn$lu5_7skuDIpF@bcYWo*DTEfh%
zQ(wI|*<jV%9qIFE8mrmc_}J7dV|#83cIzj{uoF8ENPZty_Ytl<E4_7pHCAFqn*3wQ
zP)WW^Dc!Z31M|9J0r?2~Ma?Puy8tR}N|1$m+jIpZ>#34urkoXd80sW1s${TiiySdl
zv!JKovhhNzQ&_|!BK%y4A}&)}(}34&uDGirtQ&043Vzj*`CVcS`t^$1N)aAB5pu?W
zdBNx}H>#BV<c<T6u6nPfeZ!T+?p!EHk`o{f1mJ&=OaX7g|5ZG3|EqW;CxI3`&>c_$
z`&zRW4LQQ(H}6{j(%*YSxfFgN@hSLZ;e5s+AOY~k-TB%Ce}))lGt2(}39-9(+v#jh
z(Bc1<voo`2!QRxRZ;a4CAmZ0#mvM>J2tlY*b3S`<OvP*P1@gbgv(FMKhLMce;;9l5
zocbUI_UIIni=TO#@P~$5xlj7bk`G6hedwY$CJ76a^{3r#D>6XWlbhTbA#aTXhcDQj
zF;XPMp^@5{s?OX+>L!72ZxwVZLvE1V$us>Mh{n=cCsJBjh1vtHsg6DNEYT$_?d2ct
zRbQaxaw`m#v+>h-U=ME#4(b;$cVwd)V%Fl5_Kv7Bi(yYFbqI}EE-J3ZW7PsQP?F=-
zD*9q@7-XgvQLrI#!ioRL60Xeug{PGWkAkr(P*)F<t6{ve>XVPGHx1Y%*&&ilkw3Uc
zH%0CTvjJ;@ZB08`)w2oD4E&=<WNl~-7vIkyI@oUH7`54L;4Fuyp6obW!j7nLus1<Z
z&1TO)TAtk0xv1HdPzOfvy@SD~zjibiwUqTGzESZPZe00h33Gfr4M)`OIXb2e*W^!E
zjF6>f6X*t$t*bcV@0BUmCcjii^nbhcK!s)EY7PFIkJj9w&N+Z>qmQ3hH+^%N1uvgj
zP;;KRRI)l@k|+neOc*@wFY+{AiFufN@EHhJ;JW5;CE4*lqC_&(&5uPZTL*2wn5*hJ
zaHBj2(_>P<3qMZ!GmMs4^@lb%h2WAxP>^kuI=MD~en{zHr2=R-Hb|qKxM7jWNMR%W
z{Pv%2UqIlCMh2Bnt)QOzrB%nnt|y^i+3b^fp^(Ux6Qyz|uqo>LAIjpK>^z^<NsuSe
z6G|a%HPrXwy2Q()0>}XzJQdT(|A@^<m!CV4!$2)7*ynL=@Q8Q)ascKW=nwv^!(CSL
zKLZe~1<Ixc)D3#`?RiI$vvZXhDtO2X%}%oZ(@cR_Ls%rHrwYo%eOsk?5@TSC%{1u!
z8y|)!T1@n^v?{`BI}j)v4}Bt9Eif!M{BTTsA!gmjQB5r8Yji(_JyVKsrqN!RUJ@@W
z$q+f=vH$iXfCOpzEOP!#f4aL+M?=N~V@RKXDZlpnaxZsE6IpQlhc~jMfJJe=0E9nj
zlQGi{>(a)QR{Su8uV&eV#(hzyBt4?83D?N%)>W7*O5a=GjONSN<L|b&q}l!Ymq&V_
zb3T9Ee9A>nMHXViS34Prd+f9p<IL~eVdcLl^ZAUq!6RIbMUm#U3znw@?d~N4S}3ou
zI?LY@3}mG0?W?2z5MXo-*c;CkQtxpL##`T0g_(<p<fX-it79mJ;IOWpNt&bN+FcOn
zcP&_AKMYc7UGX=~#PVEgFsx>;wfI2WUly$1dB7lO=dmDv{E!ou5#O*dO~OR(e<Zwk
zYo)K@Z!h7C_{i@E@zj<en%)ko7yoYXET7(lB)K9>db+z}4+&jMd0eAf9O`&llgE@w
zd2Q)qeJiXmVVHqUd@-{ia>;b<-!NBxFv*T5KF=$`(?I(-68w`BEvZaIKD3Fsh+$xo
z1#*zavX>rNT{u`Bg~?Y;_`(`>o58wAU^_kvJ?ZPuf`QQtGOYH<y&C?u^H=A;@&A(6
zcc&r~d50fUmSzm&zsu|fe|q0qUZZq>eXv7Z`SwA=`CmDlr@NPn326vu>Hqp_Hw0UB
zro`wLFKV}cjMoO;JwbDDOlh7Mybp(lHubcgpK+BLKDL@Q!S=chEDf_iD=StJcyYy}
z7hetYnTeS;jJjH+D;6&uYwG4xUlVPJoARkZf_IB*=lkHGcIYQWjbCB<RvsRk94?Lk
zIlAJeMzE@-jEe(e%8~XN85<a&sd80fx4db)br`V$2bv8PD@0RApE4oGW6lTxwUSNk
zlRS84MQm%nKuP6WisJ<7N1uqMR$CSd%RZP+Vn>J0=LcL}scczSc3EA^AS#u1M=*4v
zy|*tP_I`PX+evD=pJzO`Kj9*N^;C+^A3G`iJ4KilYELX{(SGV{x-NH!!iy7`>iy{L
zhGsRVoo1Bz=1H#)?w<1Bk-k#|;wu)3H@f=&P%E7qirp2gkL1PSEG>I#!NwJ(0^^`L
z*mK_PR2_^nDZNt*a2vfs{Vq=LHbN3taO2h?P(IAC?B3r5NQFh+L@wc9Y{Z{*5<2JW
ztTn#t#nb(*y7>?t`sk!YtUj0Ks!q(Xdl6euuS7GBU;L*#^I~>xn?E713&rM<ZOr5T
z*F!7`UwZFgqK#MsUWKBFF)w3Gz7<iuj`h1tJ$$UwF^4rFG&vOKQpArBFE2DB)=@UH
zMz&$tK~S~X&vOXwgqTb=9Oq{s6l8R3JlszXed?P7>J|Z9e*pI255NW#_Di?=$0t;~
zH`w<9cq=rB`CRq3vHt_W5o7>nAHW@nA81R{;4ffxEX)ExP=HRl<r5-6){@|M2>+41
z<+}j49{|{u@4Bu*9ALEo^niqaKNkbla+&xxpNuZ;?cgIIrK-z5^Fx@r2k3`Xx`#L;
z2WpT)3$U7KI8Pz>N)uqf#eQfOV~ixF)bD{YeE%gKfHiP3E+;b@^B5GYHd57_j5S}8
z@S!AZ54NCZX0294Ell7!&tX~0Sx|=bQ_=h%isB3eyE#V^eW9EPVCUl;NPL9KH-W<%
z@(6MLMgQ16emvVJ{_@i|xgI&lA{{y-o&lxkc{o{j;npS|y8@muEfETm3G#PQXFr)E
z6BjuZ=3n32*IoW9bL_kQ*`i4L=G~+)upz*Z5lUwxzxG&zX`}(MDe-%OC1g+GY>DEh
z2S0Xe^~^UoR{6*(K75Hl&mV`y;bKx<cwv#D8&h<-B|<JzC;8HaW%vi@%wJ@@s@E$U
z-%i9D9bizLw>8}kJ1@HXe0L!fo1j%vB5-fJ*_bWK<Y%v9qNxeSw7nhKh7(=Q-C$n{
z3(>HBvZb}!Pf`{>wMc_-0QwKpb!%Ze|G52PF^)f7MRedGu<*3xybj0w>SAp5>C*zb
z2wSd{Jrx){0k)-|!TIx(DfVU8ZToT3$&xQuAC2623x@S*OgvbdoU<qMo(RMu25n$#
zw)b}o+e=s^4L3K)5_ZCHHl+cFzxt?Ae4Y4o^8E8x5Gq<7W;ozB<87ZrpytiOLMlpi
zJNRVlu^=>r%}11tMm(~Sf4!`{mImS0?_uE9ad`_9KRq37%9-sC7w&zkQnmrx8o-eg
z7(^ZiHa-LAQ+lyw2zv2Fts7na|6&UX1UTwm05xE*zQ6v6gQ^<=nB)I~3j~hz@L2)$
zF#U%#<mLf-oj8FJuwx+e|3-8M5QGHWZ$)%tzWkrX(d|PY0NH*z<fz527Jfl-H)7zL
z5DV+5fdXC5!;tw@?MIeISBO?VO~A#TG-Hf}8%DpUmkw%M%8bW3^wL{v-a5L#Z&S=h
ze<EbAbayr$g%HT*K-0DV&fKO4&|D71Y3s16Rd|WW2D6cpDw%dE_ZG)wTb;<!^2W?|
zy0+|WafK)h&Swsc+X!kvGY0asx0hw&)i>O;@H$?n4G(g~6#ENZUAkycVX26kU*|5n
zGIGoq=0661+0+MezWbbetyf#AgNZ!q2vpu^*zj&;BOy}79TRu{`2DBoZ^^L2^(=<G
zA>btUmC&R7;Ql6LuY7m1Z<xJ^sZq&XoU0voKHqa@HOiKOS?Msg8@*FN$2E$#zlMn`
zFCTh6`tP?K9$v9@{R-Sv!aj3uudI<EQ`4l68CHSOWJGRc6?G8D7LIA}FOO!+){@ud
zC6Bbg9^(f0pSux}M`OQsoE4INBjUbJe4Fo>e|arU-#{YPoYwcxFi9_=jo*Y8Lp>=T
z5lAQlQ~2|#T3%Moy-_ByRCotxSveA_ig9-?eRMk+_@#}7z{l?tp`;O|whr@BH?Lqe
z{DUVBeoe(s*Y{RZJ=?5G^);hG6NQJf!FDP*F;hU&aZmPS8Si_v<bbh4tkvu)rq7qb
zUrvgShJC&DnNlLYZ&h@Vbb@9;;{{Zm_s{FdTyHY43HIimu!Qgl0zF`<3qWuK5V$x(
z{&C-1-~6BsD*b@>_Kz_p$xXK-yQ%-GY;91iB5m)!Gj}@tQTD*bIQx-pEnTn?c9y~^
zxuxvF?e>*AL7(R8YvBk#(Y_7GTkRYTuea#@gBBZEsEO$(%*96^H_sT<5|LkSJPVfX
zn92}}Wzpmp?_Y8IPxE4KOujhg(FjETWYOYA(xoGtqmk@z`o@UYAle&>nXCdxLnW}i
zBNVfq3J5RJgWa17_6TbW+YsGbhHuy*Gqo!1Y076QgI-!Y>Ro=y1SlELiY;+9xpxDG
z;(;&U!b<a#<pKpBs@^p`Mqs)R75nNMHsZ!<5(FbYghi4b-NU_5h`y@Mb1=+PNI;;h
zu@*v^_($X}%K1nt4x&ZF%BNtRbTf8V2LE$7VBXI`QpGdkfA->5ay~nuv#ihcx0(6z
z^`KyJ`$G%$y<WsPV0u}FVIMh~0%Od5;7x{3%jsd6$`M@ikW{nEOORH+Jo8j@KBZ^y
z4B|J&!%MYVEv~48AQXo7;Ckm6<AhF~Rl@E8vy-F7jTWIu)+2#@(jPSk-jFjiluHJL
zh!eT`Q|i!fNxO-Oteot{%pl@ETOJ|Jy>dP9_|=kY9^^7hOf)k!!L9o|4rdpvvC4)A
zrRlF+mNU<*#gklbVyp(L(uQnUVI`;jYfw?-t8$92oB;U(cEI6N+YT7*1<Me43Gn9?
zpuX~LSp`f#ag+QAjJLj(pWb)Cu)q5?TkIOk4p;)nxjR7B-T)2@07LNisYCjEM>?_n
z5{j|P{1a6X@G3O>yT82l+fp%+G{kTvu6pSahNpx1`bCr$CElDboW&2(HPwJ<2HkKZ
z-$GqfI7(xE4KG}R@Klak9++RXv4Xe_hW<3D8nO2yqm4tq=$FtsiuqUilpU2d*M&7Y
zg*}u0zVLp8B&MIGXe_4QCn<PawPlv>o0et#s*;{YShTAK6Cx~6<qV6<Bv#nhBOZ-L
zfzDebT|o(wrArA^o5m;-K#&e(nOQbvA=(vqXs&p2w(<&cgy=<M`&Z$=_4D@pZ?Rx(
zvq=L4ak7_mPFKi%LJHy<K1_tcX7q!Yb47UwDZ+2@a`LS*EA%UUa@s4KIXdK18KxW?
zL<s)t#YrOC{s^{I>!Q&}`V*_y#Wy!7^DL|3NOJT|*NGO}$uteAO%BmNPH0jT`<Ie7
zB8!Jx9#em-6;c)_3=AX`q3%6-u4>kIf=ZK>W6bG?LyIcUk8|%mbV^2s&Kb(BCGu=b
znC;jlc2exKo7pVV8m0V4(3qT|vMsy`XgmlqOSKI#^1gHX$3?FW)qzQFUOo@*>lSwg
z&}N?H=|Nm<N{?L$Mvr^;lhxyhRe5$eb{PlVu{Q}JMuf+CV?RA_S=xmW+y--J)73nz
zae;JmXuoTQc?&H&Ry@xds#EYAMG(B@SM3Zf_Zr+`epk1#>in|%Wg7qkd>!vd#(^8(
z-=B3_cY6;xuyg}N68eGq1ARf+x)Dup|L^MKsOJrF4Y(#ZK?u%;J?FtcF9@?Aet?-E
zW#U6<TBDc_C@o4M$4vhCoDG|zM3{O*5OU9}bL8?f5`D{>#Yp2e$W(J<=1n1;-^;!3
z*taid@~`Ji2&%r`S{%F=+WDa+sQEC)^ec;KN9284<BMfV1@u^w{8$#dPEk@4#v0xI
zD5-f2YQ-h{82|Rg4Fl|@tVgcbvBhv`gw~?pxpSBr3{_z{Q4pmjboX+Cj1NsSzIlH%
zgGhOrF<E)7N<sF-7yXFNhM=3@L>68Ll9fjT=_BaH5SDoNHgNpu{+s&`d}!-lA7W64
zERj!JrUh37#}ZcB6nO1aY`L~l`;YI~;-1pK^p>FY(pBRKR4E{$BJ`qPwc)8mi7<0C
z83Knd_h4VKTLc)_E>t_j6FVQL(vx=BYX^m*0w-gG8Hbs01K`0osES(Ec9zP-2Q2kk
zhCS)>k=+xG-G)+%%_p5Wf(y>Sg<pfT{#E3AsO0h!L_F`aCdjlw2AoIFtN(30r-=uL
zxy)3dHg!(4^_90`3B11_><~<wG;?=)CAI>0jd`HUh8$i+yFjeMd8<|feCW35@(Pg=
z0roDbC)J1K?RvA47N34wrMGyW6{T^x_l&~TAsSXrdD%N>`v-$En7nnz`~B+mwjVRh
zYy{uKj%89U#BW9fahWlGeT6B&wkQ;TZz6|gZ`b+)pgaSg$#oYWFaeeEf1~E~6V``9
z0P+Np5b}Dj#eG=^_X9z^`UYGHv*|wg`rQGpI2!wa)`#%+JIVjD>tJ5T@Bbx0c5`RI
zDZ$bS0Cp!_lgs8ky*UIE?r$78b<#jM!m?k(ZyMs8)c&IL8hAhM@Ip58GZq?5nYCpT
z<uZzUjVFegELkv#dSK(_=C{JQ^fh_aR>#NR7Sj^0xBxqfXn0>{;VQ$nLb0r*v!$+)
zs)adcPw42FeKSz)MqN`%tyrT};EObJ%miwuK(?56&Q;x2=HXrEA7)b0*54f~I2gtD
z7qZ_(@8}l466MeKIWC5zO*`-iUreUt_@K)1Pkl=)3%XXv8R?eNVcX^5&PXQ|LP$s7
z9B)eh^ENf?NMmtAm>Sxxh6N07YWj+=xOftZiBUp|wV9ZUQ56*8rGbHoeCI1{*Dh!m
zHKL^p%GHjA0Xxa+4Y`a>!aX32IU07YbY)sJx(<1}LmAhznsWAi+FWXU5>kTuAgylM
zi$Rl{U?H{8>SphR|N8+Ih129Vk!Q(Q@8gob(oR_VLZ(Q?YU<}tUo@t!%8Ux5PLW0+
zxcKO!W9Zm-R@tDP_D07XDkf#7<Wao2+bgFfKj4W~TF?<Br2R6$9F0NtbX;vIY@tRU
zlpSVFh@9+W9U5cI#GSH4k@NOQ#zaT|^qgEKcfivLrOK6Vswq8U35xlCV^QrdlJ&(Q
zV@N<Q(4@NIxW5cVZ4{}H$xOD|#0)Lcg@G;0lf`hjmqqUIAtjzSUFAZwv8UB`knNR)
z`N?VbxpvrgW@WSPTBRX{k<>rhsB$cJ?<&T;Yeb|ZUvQj3Y&BbB2(%s}{K!iq;Znz+
zy9L}|b{svt%@r6gR%^7}XAW3yNj@eBhd*o)PiTs=OX@iTz!k7uc>1ZpB#~+9ChC<W
zk&)QW<dmc<x8E&WBj-ls?P19dbIjbCw^K+;xGBi`=c7UM+Ike>!7ubb?>nltSZikw
zLPp8OBkp>e<*J-52W6rbvyUH2{unb-Jmv)?S3-2cw|5h6vk2B0EUoMQ1IplveH>wb
zwy^;7Q2N$kts3=I_BRaTu+%&G3Q5-SBlX9$Ad2?UE0`&-dRV@1D`1@2+_di&qi@cN
zsM<UXjazWJ3tTB~GI}}mQOR8GIwQz5Ya&y{p;277R`uR3KLb&Bn?53%?eSsf(gZ&+
z;$sp+$uqT}spKGuH+t^pdb>4zX3sgSoBl4^UhEX~dY|2;hP^f`V%EfF2Kf%<mXfq^
z241>UWOqMiujwVvaA%(Vc(5;FTiD}Cwnv+d<1t02RNXp0d*fBu&!>;l*YqcKvc^dI
zRc^9vld1M4S9-kO$1ddSV)l@=D$7sv(q7Av?=XzbqLUUcKgd&~Bsp+LX^X7?8c%T@
z`!1&({J2Xce3N2Dr!K*f$i8yN$Hh-BsM;s)(Y7NQ8;l-A4Kt?>=IX$c63a&&rhGHf
z&f2dPH5l?3wv5zKk`cm-nw_QOSAd<pbLul5!F@EUNBWvmqjt;;mmK<Xq_!#YHTEH0
z_XEOP-=R12#FHlfjfRWYP~L$^!@d1=o*8MHZMMb%gQ6pUnL-QJn*Tg}3OIQ4ZTWK-
z1D|)1eN*Bn<{FjsNir>p%HoI=%eD7dF}|PYDd+l~C1{XR4YrlzbK^oYU-jz&i4zH;
z`tR3Ttt1=&YwFD0TrJleM^nsTa1wtTg9!%)nc0ASi^bDLqt%N$&UIs<p|1SAyYp#C
z<EPz9&YEO{2Un-1m-WCGs@}TSG7wCVT9QX)?eZnrfVVN51`coIU`{%ObA958aJMx1
zwHl_%s(d-@d7S4~!Uydy2g5bsk=fT>GF5w=I=xqTGR=$CS*u?RBkLFJ5YFteThMV9
z1#mlF@}u-wlW)e*Upz<wPEuwl(}zOWr&$e+#BqaCtS!ZhTW&cDGs1QXV;<20*~*QQ
zI%^p|O#k0gqeOm{+F(MHwpK&s#&3kT(f!j1vP=cad(#SVodRY0a_7*^_{qAZf2M<e
z{amK3w+H0hLpdXp2B_yPB*{Nhx~|eMXP|_ws-dkc>CQ!a_Uj7@Wxi%-el>pf`#mLZ
zXHTr{Wsy-}wtt)7iFT60H~PB|@9G;y)nbt^EwwBmufl2t<CZSYKXw5-hV$!qDrYT}
zRT(=+1rHKWT)e!grPX6SysG8iw_b(6WQsKp-45k~F|2y7>&S{FyJ?qVTI;aT^2kyr
z!Xz=P6pizj4g<|DOd(6QR%@)SaTxo)l470p#FMCW$M?u0p5#&s)iGT<M0R3FDKPVZ
z-|H5Z5AbPey9WE5`O;I`0X`=qJ|(C4pn2ds?Xiu1Gu4-+|0DqV2X9kbPr^N*>~0*j
zXMpV$<<l{M=6m0*dP#KuAA$5ghaCKsuRHMcHZ=lu4Co`!zoUG9jgx$EUlPEz*~osW
z0{aGleRTJ|eC>V`7KD2A{pif;1CnPyJ6oUkJQf}o>b?5^UF@#Axcg36;Tr&GeLmXQ
z|GHQ(;_oxQl<DpL|M3O?>tbOYehLqdd^<jE2aW%`+9>enWvgT-2E^TVgs%I)H|W8d
z0$#c)-t{K|-*W(L*LOZPvw29MtLZx&5>piy*$k4{V`AiyhoNMPI=sT{@}U;LkX5nU
z@vMC<jwqd^!_VQo$#FvRz=iPmf0uDzD|jTaKn@y2uD`Uzw|_=RCmnS{BwI98GpsC-
z6T|v;jh1MW3rvUQaM9inB>7j`hVpWu8lH>a%!<j@EaLvqVEn1!I*0LVM0rng7r(w4
z7x`Ay7)hfq{3uwAW3{Y1oM0jBey;HesS@5?(_>9E?CgprESO-val+%WzVb>u&w~AU
zdV}%}6wtwYqlZdXJf(%jpPa&;)$yu2{i~Hv`Bi`5y>2)Pub|wq!hU_#r%KSxiWDIp
zhePAE@lOFtzZp-EbOE-_ecKosKe{tr*1%aR%F4)h;-|Es<GY1;Y0vI|yeNF~ZLL*w
zK2_oYE3o#*uT|4gs^{Fc3<=v9)hx8fx<XnZFA`$alh&;XD4P_^w(t0@0nA;}w@piL
z)4Y&VPU6{tku;1OC?5w^Uz1YZVP8qB2hQs6<KcCiuw9zQuhA(Q$=2E%948ul)aPep
zAfnG<03l9!?6kf^4?IY!{XR1>`Wn#w8cA@$j78<!jgxS?X_}f7MfI>TJhsK9gpvjw
zV&KltI*V2)=fXCb#X`7U_>Y<+<u7PSKfT7trz@s!0vS-s5i8PZu*&HR(qTu|U3`Y0
zjFWqu8mMcgbm?K>20nqzzCjNpms?lDP=3!qHPk1IQ0*fIX4*I5ng+DAa6Z!UznJ|~
zp7nX&nVT5{fVdM@4p><<37zww^{VfQW8tOcP31j4zs~iOom~p;?9UF#29MX0<kN_b
zp}rTVGYt^p@_Rn=Lc^ez^}PMyD?ZdU%iP-hA>~Nxgwu{M=*9?9%!Fos6fCu5iZ^%5
zf$YAcu-HIo6>^?x<1n66ZiLKYr7~k{tG4DC^X?FL=Ng#cY+@_MhqT?Q$ljA~9)B&r
z<38P!8~-n$`QN>NwZuBvJ9_0ErID9()bd8N*tpuEoAK%63r5J1*eVH%M~&aP5IS=#
z3?&pJwUjdupY3MDX&}S`=p}4|3Vprs<=9I8vCD<dnfD)0GdNx`1PgN?oxGWco}@kS
z#ZV7n`Zv!VEnvqPeN<v#T=jj;K6Zai!j<#oiZ>2FKJZ#_n<4iL&Q`1etjX`pwCyVj
ziknxxl#-1SdB(EH1SR=*gc}gI<EY10p$7GB>o|VaG+@Bns`<C%s6~Db!P+@;moB`Z
zXlzJNok$VFle~yJ?i1deicoJ@28&wWF5|VSagUFg=nKj)J&Sn?FIGY;@IYv_?irAZ
z#|TiyCg>Xrae7{kHgUD@E2>?#$n-kcy2wrKZc|rw)Rj0Lx3>%)^A}RGkj(YO6qnlH
z!Hh9H=Y)<fa9bA?unizxd}ZR*aXd{Gd4fK_P*`KbGr$cNG|76utu59a^Bk-v5;Y2P
zW3BGUx)mcFg18Yz1@w2G09T;-%QOHy`NISHWuPg9V_}(R;3FF=DfX-havQ&87qlfi
z1?+mkXZWhs<b0LWZxPLmA`P_RwTUp3-N8&z^}SY8lL<MxuVUPoOLNvf6UqO}PVfBI
zH}(#JIn+!$(qQ-NqpAnnm1$fPiB1QyHpfi}f8fsvtm+SHy9-l}8QpO<<m&^E^X}H@
ztj^yfv?BzIMQ|I4@5^+}YI$G9DV0svFt}?m-6SZdHP;O9BgY_m1$VA@mwNLl-2!M;
zmxNRMz14PT(hUwmf&_5%9b#kEE~EqkIfd3cy4k1%Fw@Y0u+XY|$`!bG83ed8JZ@4!
z#st3C1`-l`SL!8P<{!P<cGvj)+Jv(6ySt!uZS63uU7eVNi`1DOGANNU7R1h40#$e1
z`syex#W7JHkHEJ<uGNXWLc9ROT1)xa9i?auU<Wgf^H2eiq;247Zay%zk>d^#YCthO
zHjKw{x0z(UyOmx+@5g5KoaNbf1L0={H_LF!u78F-R|k<zS<`FNu$~Zk72k+KZ&iV<
zG5ZHrJp{TqFQp^s{ybzjPFHts>ka#e+v-fL*2izpUihXHY9fgARl<<I8zOR(p%Lg5
z(~t0#4g3>OD|+a#CMMo8?V|P3Pw}Pl>f|J7^uq+1xk~+))4gflBys&l6@{t==Cg&@
zJ?d?1ax2SmAMa9=B8YjHlr0e(R6WkgnsLl`kgl6$SVBv@nctz({~kDHc#g2%Hkp0B
z^19tz*aYr$J%Fz?c0dTa%D{y?Ml)x5(8QSaB*sA29*^*C(}+i|5;8h0O)n2uC}zM}
zoRlO<g3a{(=|kF)qRmeeG*=Dz&S}z!fBw%m1*;l(2o8Ls66^dPO^0e3i;`JE?}R(F
z48$Hd^g{!DAPZ}`I6rtzm7+3r{3kM0CR08cmQVKmVexJT$OdCe!db#SagCLWAblKr
z{yy*bg)TP;1yTL@n=}+382--&)lMRJo!(M1jZRTCtL^+wWt=!Y<F2j02H7g_J$_==
z%eXqC!@G+`obh@sDN(ruxWfY}_)}-RE%Gk9WIg;Y0&XQe1@KiltaGe^4ec!5rOTG3
zjr*N{)=sSEB0ePQrn;>}U*M!T53Jc{IX`;kX_U0RJ|(!%<TyJK{=Ta<_BMfa_)WY6
zkQRl~!hfwl{1REetrp(<@vjQs8WjidNt>NR+fQS6j11T_IE<LP9uz+?N+nZKKJ^Nz
zf1s&DKo`QIP|y{b1ozXD@GRe5Pf*_|S%L+p9al#c5?<&a9>EOV6qPID>;!1*wO|z2
z9x{zumK9a;g4qX9!5;9iaaA-;D`#hZp@#91UoRv>)wmMFDxDJs2U0FbV_nROnw2&Z
znq{cFT;3`FvXlm{9{4Q<9WR&a?FKKaP+H7eNS_~lAZ7V}`^V#YDh-#<`9`Jr3-<8B
z|L@QZc{I*uv$cfZJIOzwni=GI>j_{8*8pc%pDPf|Ezq4J{Nn3cHGTVk7|Qk_-<J=P
zo;Ur3Se!%s>kk_(5wje({Kz1bXqGMNq$qa%>1v8cwF&G%dJF9#`pPYDZt$9?i_+-?
zmlZK@s+bp<;e^Eb*nze~-O8xV7==3K^D>lS-3_^A6bl^dS0p+TF3iN}D?#e73T9WF
z()yG*iK80_bUB>Rf?<(A^EhtXf)=$oXwxc*I|SI_Y~)WWC5JD%OEL5Zrzr3u>_G{>
z?Z3};UJqB*+2qvN2Bhkk*A5hTh80Hx<Asij-v7MKWoPO(7<Nu}ieE-TR;x(?QL5vA
z=3{i-womJ_u-^PAm-YE0XLz~B*`+*~q`W!mxh{~K%&)MQ^RS~vp{@oTRF=zO_x+@6
z4Bpape>unIudl2x{u?+Pr;Di5?$?GIb2n(8x&C)Qn&7z)X1GRmG2<qfQX%kOxH7mG
zT`)u=X?xtduQU1_J`@-r9fsu-YC84=E6z{0u+fm#WPzXw4~Mz9igdniC^><|DD;G4
zdHEfB#URZ}T>*WyJ&18C%erl6q*GmC|DG`1cY8qy|Bm<%E7x2~`u@N<1G<jt8<CYr
z$4|ZCCbVJ;C()F=5j~pXv+r8rIOoKU++9F4)_iOebt?6pZVbV@T8Q*!<_b)(sn)(S
z5e=;Z4kuyRk2=rDmqB^&o&BWx-*jtQ!oq341NA~mqZj$~)jrMg(SqnueO1pDVm7?S
zq#&4G05H5_4A|9L<cx$tfrPze3*ZkB^@oNfUf(dagGCkz@bnjr?IrtG^UaQg5dtzf
z2h5*ld8O5Jsq<)2@M&1#qDFCH=cTc1G3K)D^69L(8{|=`?*{6B=?6AGfUB+KHC!P3
z25@}<ng^~x!iZo{M^~34M7|K+Zot$-epL4D=YPJ<-&5<7TxJ6a(KHjWq1IM9AQ^FR
z7p-!<RI_Mf+Q=lE%6<lVdqC??H7)&HRQ`KjLZikqLhRe}V^zv67ms-Wl_pk=Kv0Eb
z-;krkPU)NBsPWF1{#MJZ#np|#wz|hAq@;N8{+jfL$kI0b#YrgPMON8COlC4`&!Str
zSJs}Q02l5!CCIWldgKQ7FHp591U+dofzi8JK}>g3bWRj}U+}~0{D;~^5$H=&Agx19
zx}+;YGSE>;eRRfSiN_G^`u-)C?k46-Wnu{^OM9tLkv0fE|G?-P6^#~|J?8AH_G|~6
zL=2*MO#?X+25~Bdv|9dCu~*|`JLAFWCBC|kd*=aj?j48!?a_qZZRzFKOtt-90B_Lq
z1BtLg<M}wX4;*}$`q|)?fOA!EX?e)eB9)(dH~*9+B-*)!>aKNo|FK8U=a8T}TPD<a
zcU5~N5Is{nc&Fk5{soeF_L$ZpAC+F@V$aFTK3wfK!XpkWvF}@ja-iWgMmSsbG@}lq
zJ<*@wqMh8g$2?P0Gq4nXLR?#M^pM;sL$lF4@;g0qA(5DY{-H8i4E0y3W%sAp2cwqA
zQWg}*I{LEAl{>vc1?*s|e*O-dDo3H%>K?0YSmFKSV|OO8FMmXS-W&goBQoox!QgJ2
zy|rdMhq^P}L-#hD8UB-LtbMAj*lA=O9U*Y}4rBsA&<zj*Ky17KzWO%C@4lnJ)&j7O
z-2Da!Y7XCYx6`=3Bfamwl7L98-y?yewsydkzoh|%y$m}u0i2HqVbuS04U%!<H+tTi
z!B4n^<H;+Y;`0T`AMVa{I5fDmQ}gKFbMMR^97i9&Q!1x!CkbBrJ7H$oO22LrZxrW9
zn<A;CM}EVlp$=$0t98Z<nxx?r^cYVEPd;v5-LxU)GViANx<F&>T3SWq#MyBtVdcrZ
zfW>J`8?hhHpUV<Rf?HmkoZwnED;q?dY3s^nqR#Hbl1k+guos+pZ;-RCIfY75@j{Dx
zI>~#O-Hdor?vvX!#lX1WFyxlgE+#pWYLlQff)Q8a2v&UMf9mm`R&&vtul^GFUA%?t
zpXsPFSGD2gTE$2%Z#8ta+$jon+*@C&53&{7VPY8UZ@q`68x{xv?q{4BW1LS&O+Q>)
zD6z%2+KV7(SngEcDP$s@HHdvp$f*2kPMfSUpXi98P|?kTlnxOLZdRN&qk?2Q#W3y~
zIVY|4kgqJi7{p|~BhixWr{;z3GkT%+&z~9hU={RWI+HgNG{W3GQMIJkqOgn95Q;K)
z_^s4vmcFSKiKghiswB-4UoZY}x2TOwY`|uGJ=N&uT@2gvL-paaAZ;HEIQTn2zN3o1
zRsMGH4G!K`*-B>fj`ODSQc9gn4)!nWnoHD+;h9d;&TvWb6UM{=k+Q>*@F!)!wR}2f
zIvt<=IpGYO4rM_vgpa*V+^;S#?AvKiw;TXacq)LlIzYmAH1|_*;D3DPgi*MUnE_XZ
z@o$(><RpEK&{b8Iy@!5aG_`S3HqRsxsrNXu*T?$lxm8YXClU_TRukcZ&|-y?K?L|e
zoy#<DbO*C~*G8!it_**$q&oUMme1Vgk3SxllGRogd!ZY6af}C9j6*m5puy~MU2?Er
z9_n45=XeO^KZvuWc&DBCr+|Isn}Pea@%1_`>R<401p$7P%h(<C4@tUIGUBJq#78NA
zFvO2A)a-G2xjZ*<hLqW2Tf<3-fao&L_fiKb@AxfmwdC5sn0bOJx`}MW+Aq~EHc6;Z
zD(xf&{3qEpt;0i#5lCxr4oOi^6YLhd?G94JO%PUr&SN_y&cPA;GE|I+#u%c7tV9Ij
z?LW4}RI^3;)L}9t5j(B_AFAFdI@6|WyG{q4q+>hj*tTuk>W*#Owr$(CZCf4NxUN6X
z{eC<D80X$un`_jnRpY2Rx49P;>)B9E5i;fVnBng8$#Y{NGMg&V-pz$mtoqdk8(@s9
zr0SXv*<nvEab)~Lsny{ae>y+-!=x(nZ5l$2Y_TNHO(m7ykuM3Y=&rvm3Lhb}=6=~f
zP8#KyQ)+l#MD=gBlc>@C^$7cuoxD@lEXQd`IrDxq;J5aRHugvpHvnn6gXKn&tH<?p
zal|Pbit%!@<m2ccKNj!6k4+OWBDf$~0_fDVDa3X!4pTcsPlE)<^?;S9n6b1Cm+P;d
zW;KD~6VXMw1i>)zM(p$g!Xk7)xiUlVxjn-k@7==~a=w@gpVJ5fQe&O15XWQgl5aTR
zjRUxf`$75jzs=+q7NhhF1*G#IH+(5b_?iuU)7&!Ci%7TROL@xG9rj<l5GQBhGbjXH
zkI)TsRhns0=VP}f+6uRu_H@7Cc{L=jK-i<TALuiSY4ql>k-CzOXu^eLm;5F>kYi4$
z4_ZfUYCbCx^#pwed%}|vCI}&G-A?*`!^G-oriMN$dIjtwCxAdQB5D`$gPP^_SYcc<
z4jUX456HjJ=n4$(RhHRl`B*Hj>ZO79MrN)tm=i;1GV&PBxUHN}#pUe|^8oOIkwqZY
zv(y{Wp@+8zJUX9>O4L#pWos_RQ!&`twMkK<ohvJmG8{r%IHh+5Wrp>koo8~P^Jd1R
zJQ%U;2eT1xY`PlVH!aT2emc|_v-S`FM%EP2?u=kM3Wj$u=I^K9c~ToPen|v8&gf$f
zShztk2GhHB35Y()Y7@_EuLTSfGM&xep1@jrz4bfVF3r|9De%zBYw@)@@K#$o+T0iz
z_bTEj+EGt~Ii)y9YPHbH4zi&S;-Fb8eU8b3tsDeN6?=R&+wE4nuv73Toq}+wd!~1p
zTMGMIQ+n{&QcUq7maHe)5u>Ip{&Umx&=b5gkOYMg)b}3N5ibvWdhy5q^P|@m7gB9f
za|bM|6O`TSMTqzV4mun$i3PL?2ed~JYbH-|7t!^DD1pk|$t_@9MvIt=Cd1Uf1fbY#
z+F4YdS>EPb55zD4VmMxgjtTzW0r~=gzE88`(?7(AJ#j!^5mtfp;lST9yZG*akH%bI
zBH+X5>%&(Xvg;j??UfhU*!ysQ{V@v+|6G0}*zv6g`3!%ZecG%9MgYCM{#$b~3e3It
z<yW(B<Ie;he)0l#zkvVL=5~DwTPPA62jvfA`=(@-{ofIh06sR=e_P6c4OCoUuI9}~
zx*>|RE7x51Z-TE_{ebRUY$FkN&xBKn&wb?|P})9GS8y?izE&Tfjd4{kW3niUK0Dh4
z3G2J)mM7Qv>ny=wAQ&X$5MJPXFmaHi<#mE3Qnz&Ee{t<=(MV-6I?%*a!8GVbHCYqV
zgM;;xQbeB|{8)IUc8oVLC2D5NCak5##)@=SpQ4lfV~dd-oJ9CNAZh>ul#vNIo+ts&
zEx>xt;4i-TDVaUNrO)&lhR6i+#}W#5`I&yK<Uw2LC(FNi0+6&k?I_o-KdIqVrR84}
zXD$?7mU0eU3|N2N+>rrOlZd00i4r_hHe{<VWmF({5n5yD6<5b(0&m|WpN1eV6+C{w
z)o?&*C0T-{H0>F7Brao2_`FR75%*X^Azk<okC%hQ%&t75PN@*ZlIV5znxv1Jry1cE
z^?gKWi<bBxKhRC<(>sOGbF`K<QLZg=ER{0f`9BVvFT{Ijb?!+zz&s)++7{7(77+CK
z_71(Bd96nVnQ_auKKDCU=M)nD!FL#m6iWZNDX17O*!^`ub=nH{>twj>;x33Qf<aZ^
z3df_-WY1dmoN}pCJ;1Kq(P@r-sI#cI_$CNz$W-uAl`tQ-AQVM$JRaUHw8UdizTSD^
zbR^qQfm(S7?>b(;(pRpB!11#5(Ki*?iG~{Ay-Bkn`L&zdF5Q5s;$sbUuc_`ZMYg}2
z36%#rmObN>ih;Hq`r3%?{D%!Q5wUnenY){qm`SK5UpCS2gX%hO|N9^@;936zdL_Bv
zdBejaP~3}RyZV^Otb_e0es=@jpzceRj6SZqXUITe(;M2NLNe2F@}QZqF<jVVgNWG%
zN*@tX{GARH4kOizZo0r$oA7<~MCj_ZPSEIn`?|qKfpWXlu!oaiOU4%u5~Q@;9Gx5X
zOE*8n5yiVuL-EVGf4pto-)(nW`X4u_*EQ-$R9oO*6NDViZD4bTrCa48Njg1_)e6~;
zUnMcG_JU(%7}eVH%FF|m*Bl17=~K(-m6liq&@Kq>*QDx#Q$N6kS?97g;|K#QuQrBP
zJ4)1&DE%!GgD);kf={9NByEY2z}g`X!(9kqTy`ERCi{A-rH4t!7<+=F{eLknu-h{k
z*T+MIi}@1aXNkG5PxD@}V6|`te%jzvHNT*W$LNu0An(pwI+?0SM!C|MuXbFCUMYem
zpFqx?egrTHTMC!TtO>o`F`>U{Q*WHshXfCYNb~h?_V3Q^b)D0Hw!vzqxb@0y<x>}#
z-(Z9i6N|ra@MSR&{SD*c3|g&~51$WQP$X+15#OzGMzF;Uqhdkk{rPI3iny;5|J0)M
z!_U-PCZkY2-29p5Ot)jA`S`8VvsVqs!><T@2?gBTe@{TsH9>h}%X6Y-=#Tiu&dtQH
zo0E@D<%cQkj`U}PXUtfd0;n?`?je<1x9U%j&=v>`@6kqCg))4RFNfIir~6b)nMJwy
zM=T}uA*E+K7)VU5x$DGKD)}eZ=v3;key{Iu|AZqJxt!hlW&HtK5=Z1SO4y<7((_u|
z=%}}yF>7Hl<y2pMRtQv<nml2-h(GnU`fSAm=I_ONB6UN!vj1?r^-ErFD3zkZdq+o{
z9qjC;PUVy?o&c@P)&J(c{u&;E_*v|+ui{pb!ry<x;W6Y_qAcz6Y9fT<(=786(6(tL
z6|*^!jeH53KZWUyC6M>WX<UKzkfuF=k_k=y`k+b`{QA0LE6dPr8MHH(X(Q^oIs<|}
zk}6oJ(WJklPNh_W;cJ^`HC9d$RO6<R`##91&CzA)qEK+3v!e3pGV_+S7`au;5>7Z6
zPCpLgE6=fV2qN4vlooPzkKBY3&=F_xRxgU^=57Cr^injs)L2ZfzUZRh0#z+S=4g-#
zAzsGj&Sz$imb>VmC!>EIOOun31tV#9JfABckNIw#mD$81eM}KI^7J0b<AwD8PV{x^
z0@GXgRE-0dWz3W#OXUiIl>Gb(F~ts#{7J*u<+n_}-W<Kh2UMD-t44TYjW^VS=B5%>
z1L-YNJKoc!ESrT>HbTE`{G_-Tq539T-k8KFz^5Jv4FB-;Jq3PGLu#*0_@Hxa=er7P
zj~c?|GlZlFxJX&)cS;Ephm*D{a|sYtw#ul#w@)>UD+iPH##Ry-l2~;$Rm#F`$ioWA
zMS1b*f2T1#Ow;qvm@QMb1u)#8x-M8yr^Yc5W*ZKgB<=IWcw5X5n^wKg7)s$uEvP*)
zo9@NG<u@|esNDK#$VXgNDK|zg7Tv@B>}5k}s9q4zz~p3F>%xzwrR}wm(H9;Od5hFN
zwW&OLnk%XCe`<YftKNZ;p#9Tlz}LT30K@wAQMO=6m25w-VlgtyJ$qMbDLtmAVfk=N
zl(7swXAkC30)DOO$@#=jL|6O|2Wt@<wUeC%rJgZ(4Mmc;oAvz<vDB9gt)R*FSW}X!
zXwSR-uP9LY^F8~?L#VM=vDHYPg{tvD5&Dgo>cy9>SqsqV=$m?}-LV8~U#dWg4dz}M
z<GIYX9hG(gjOz30Druakf5<P+{lqgDwhAXQLUhdB<wczaV%jIpclD4-7AT*A-49k4
z4HxJPq$Dh?pbMQ&?tTIcEP|qE6smoGeo95ex)rG3Ig<#as7ESN)E~k~f@g>x6i9*|
zH{IhOe4~y&eTF}8g==ooHJL44t}U;cpLagZ4>HXonAnHypVvXp68C!tmq2~pm%@4{
zV9!fM$gY&V7f8LyiST*y`Ll>Ts>unN1;t%w3OnX^g|@}JvSOz11vW!JL@!rb&1mDV
z$4T|EuSRkkc}4KPq!Z`?&`Kq&?l;_Us=fWpdklLRSG>WF3h!zsUC@bX_M8$UHFtO=
zY(v}aZ)JZidjEu}@O=fMU9<TBF!+I<7C<0T0?`QK{Ke}_FF<dG2ndV?%mTfE`LAES
z%m?zo(6zCg$1dW2NBFFJz%KMPaA*~13Qb_KE~UMjW^%6<YTbrz^LPC{k3|eXtnP+G
zd%EEX&YDOvAPsD=uvShp)KgbAR9b%}I#bt#m8M_LIbURY^K#w$L{6<Wbcl$v?Kc$J
z2wE7cse`W3|0HO#Mdi)f(p}*Ck;!Kj{A2~lNh)f$>R}(0F5m0(6I>7n0awk!<m}&V
z;0WB|*RR3sGZt;x2%|#6`-$Ii+Q}NE0W&K73(=gGIjsijgc&5E+h>-;vnJn%g%CPd
zL&aSS7vG9usc%ZPmld3=BH9(T@Os#?y(2{k*~fc1z_qx^$DD!0mZAh-23D8E?%Hy?
z(>tGO^7z^zb#S?!^x&q$sVb1H;?&w~z)Wftt}>MOi>4uOuTYzl{|N1;0;>-99fovw
z({@@hyp)#NPQ=qMW~?`Yc^b$EIT<6!<ZGge-l@<dT?;bSWl9q@6z{?4f<_E7I9NFZ
z5~SI?G&x!-z9X9hAXkOukLmgp2v_umimTYu!0)RnB<|lg%!Ar6M|<^er-xm<KiGN&
zO(XR16h(cGtYT27e(&eh*WYRh2hfIO|0SwH1!q3au`};Zp7Qln`N)1xU8<yAOtV=Y
zKMD*!kr1VpOlkWozTX0X-oT?POIOuJRZX|pVr@?9Unbat__AG~IG%UN7ZLmWLF-!W
z&D=B!wL2*D`#`mTDLL#jE42U22S_T{1t5HV2g=M{j{T$^a|7L3y5+FHnl4Xtdgds7
zLkp*<Rn{KF5i)9hyt>BGdqoUwSMlt#=z+wJ<1+c{h|6q$F=^E-XxaMVLlm!fR4ihC
z`z9yV(DVL`42Dt=^XnfO4M{9}h7Bm}2OL*JDN<uoLO7Oyc5YB34nkwpo!8@JJt=i<
z%{7+3ob_H?fPg920Jj^p)ESx!k&}~PPX<Y1uPYcj)0|pvcSG(Pry&OvQ-g%%{?w{Y
znd?C7HG!*froH;r@JZ-StXslVxPV1#<%a2;G)VS%b3-dC4)YZXm#Hr0a&@s%nP3yL
zGI0>BNb>Ryj(TWrJ_M<4$@^VZM}98aT(Vx?&qW1Ry#j(Hmw8Cq*M6UwO7{d!x2qqW
zxX>PtxzEwT@xMGAtuZi<ILoOm;@rHip|9SMV1gS|y4|$i5gF64+XyhMN)5;(oYF99
zDB=9KyQsi75C_HPxMwANYxhV%(H++#t(L1utUtFJhbRS}Z7k$QC@TdXh#hX~y>h#J
z+TC(@L~gVHWJG@=Jv0R$!9rG<3^VS3Q@q-JxtGX2b+V369WY&T+VqJTo!GYg;qB8&
zHIvo~Z2RDel;l=Q?JCc`g(tMX2_XKK#`@VZ9V%H#rz7eSne@-Kr449Uz~^jZRJlE<
zldjvg?$c{FFp*L#4hHkdlC($8ez!y>M1A1l1yK1rx)DYA2l4Z5w>PzM3<!M=1Ol*u
zU;HTFv5zuB`16Mt@L5i~34rgx8^PxXfvIq%-fJq%5S_d^VVNrhKI-Amb+?#A_P}%n
z@1cM)2`Rht-?0t)F5AyakeW?WOAl;Ytrg%-gV93-9bnvr(GNH&j^R)4XGrB8y+%JY
z<NA;gKjTxEnaz}NggIPi&PUmkD8iHEV52Yw??IS*a8FFrKIl|yLd|<=WlXcjkPefH
zft7?b^=ZoGOr;IR5?ZyT?G59AH@j=}#h{d5iFA;z5_lQo|M0S{k(56J#);@mLd5J{
zPmv_u`C6(}Y$zD;`L^OEH_b=?raCx<hsViMgpQxQRT7fnN84lsqG65A@g5us?_YE`
z^JF%B#$T6QQpf%bB^zV&zJzHGw2j7&-sN6-w|6fYIpGtS0Hj+;8o6&80>YL6jMc7m
zn@TFTuCWcNycP)GanZtJEeST}&=koRH2-_nr=Kx*?2RB3EVv2At~y|LQUb`^dCmLu
z2y>8<BCAVbR_KcG&3D9vPfM*spP*+IKf%4K7vB3(mlFZjc~x3Bmp3yLH(=rhQaXQs
zSDhMW#Xmxg^QX8*N0tp8OyPDhKKzV9f9c}OOoK6l6XQ*Sge=!S@-D%q1)Dw<-3Cdq
z?Vv2`Q^Qom=52uhz0uu5!mB9wp|x{%xJZrE>^u(D*kuwLwlyVeZWBK@kh8yoTvbfe
zFGkMMW&3eks4l#)^D|(^6qXz({KdBmm|O5YL0|a30(N&NHIINIfY=*gHk|J#zwpS=
z`~USF2Ox0h!T0q8I2*F6CZ>#VQyNXU95WV6n_sUQ&_jSfgxuwuGjO~_puqU>VHvd1
zHf!xe+(WE}-hw!w`-}JEL(pMl9u~j-gF0X+Gty}~b=NUDFA;7N9i-Jn6frS#@R_ZA
z_F^PMI5eX0X=!MV;*RObAu0rG5_Uc261R~$Py6U!vDE0tmkE!Y7+5aFRSH*6J4wAb
zOiQ@Copy~;leix2eAG{;R&QrY`z4y(JNC}6VzMrh3X>zP=T2V3L3Z}x#;g^U9)tC3
zHM$xDP8sTAc7mN5%r)<lE2*gV3vIC!Zv9dk=(k701^U*0vs|ix&w-aANRTfmxo36n
z9Gq4p`dIdWN-E);chxj%vJ*z^VwBllwyfYMuHNg4t|mVI*P*LY_L~wrV?@d8d4T#R
z9bQ4wv0PD}mD~>s(z&>;QCYUnoNV&9Qb-I{&Kp$0n`D?<bERR&>0wWI>7VcV<^_Ea
zW~=3892$+g1J#LLYBH8O-k1s+FvT%+YNvXL%1ul8*%8aO6`XcfP-d_S>@HwM^vOT#
zPG6FFlxJYa;51T{)al3Dblbp5Y>o7a%;z)TYFaFFZ9b&cJ$oo|0AlKKzlC3fsibGT
z5Rf?*aRu2%TrV>hL{~$Omp#4gey5pqXuX_7SV)>mEQW5u5rI+_2a0|OV8Og5L=pFH
zi+RY{3!xR1v|NS3+yLEx{KIbuX^bMMK){Rs)OX#00}zI1fmuktpZcTnOh^A$I1Rwu
zy{}#1ldsp8FWK)8lzR1(vk?3^0`n-Z{J8C4S3kC9f||@g<G+igF{*0yzo40NqP`4k
z{p{l2hSLtXuwA!hjYMt2BX>~EtzaU$a*xHmmHueRaA^gbq;*S!2$(iGzc?2tgf$B+
zq9LQtUwfdp;I1@?J0?`9%o)pu_|>_A<;AG#M7D7LBO)kZROcxdQ!u`J$U#0qD#R{?
zx39)#7b$MuhQC&B1S$50R!6L$J&^ggHH%&&Bk79<{uq_Z2;!-a5EyL2wjnNyU8AaS
z%jQ*c6~<EOy++1&lR-Z~nR2j@WLQotR?jnctcL)N*izB|qgb6dJh7Y91dale;&5H3
zsI5Pc530;+7*DuyI2`84R&fb_JGSg%f@{SVlP1hZ;|^va=;pRNj-JcST6mu3^l1%D
z+m<%^&SAvK>UX!0{-gpVoA?w$627jN)PY<3i9757GKl`w(w9x%C_xF5_CXq`y}2v+
z{7G|W;Ks1_B=hmbYLa^o)o5}Xa@2~~7PXC$I!!Wim#P4pI>7}xmjH!L)#{5qdeHz#
zZo~-YDt-Di`=mHX!{Qq;OsNNSyas-2CFwN&C%mqg2w;kLEPbJj`!U_00Q!s<^fTAV
z5>r8`MA2yF=tg5ztsu~aIMaUhXwq7{;FGKOgxa=wlXv^0yCH8w#hX?|VP0$?e#6(>
zuLk_Ts^JBqe7$^zlK6Z_n2*1o^n8=wcY!W!pLf1SO7jcu;sO6~IkunZ@A)zObBBO;
z|A4bU4-v34u1{v`nfM@H>__hN3cI{TO=;{|znb{cMbr0wy~Ye?33*yXywj<bX$jz2
zt9iykk&LrQUUdoMPybWDbs>vI#iB+NKEZKL1k;5&IyeX=u%(8}w0=W^4cf}7p}3)S
zv+^Fbq9MV=)3s)~Vy!?nu|vJ}i@LMNtj(#Y(fRQl%;0iWdOnH)=}<{@a%Tm}Q6rt1
zhv7Qh@gZeIX6F(%jE<3O2&35|_8eT`D~7VnL?$J}qbaOQ?{4O5XuL%*+Q^Tt+AskU
z8>oIdp-|8}L`SS4t7qGmX**ga2-OZyYz%a|bVVceh)G)!wTq#G(5balCp(7-rr>?s
zD;dF3gGdV?kEh$t?1FNky*D|9eL?)uRfyu5_mLOp;O^spw#Y%4SFYg*qCjVRW%7<M
zmTKI%BZccudo_xtT5vey09_ok<peTmahhjrg76riJmwNWIys5G_g7VTdB^IQ=_t*~
z@hHbP-CQdo!MY9s8N+t6V|2WW7Udi~@qG-vX;%-p(2Ft8mn)5$JDvkPchBsTN(O82
zzGZTpDhhHVvXNp8qj^gN6rYXlaQ%d^AaRTM<F4KWk`8GMcY0Ar4i8sUI{}@09b$v(
z^5e;!FrTccH5hs;!YL{X%>edIm;`5X<}W?{F-#3e0E0q6E$jnv3g^P?Ql%01)-53R
z1*p9BP1>vl_7B|wfU6GZZ~WoF!+*ZBVf+As6X{Neo%lUYNICbf+|N&XpRZhKUH7F%
z3w~2X<zC}7sFA-F5-CYqi&-_MBJcVHI#8yFdK=y4Xe~X!NQP<%*C$m9g{p|vlWeG$
zBbS%I_O;E7>HStJDZpq$P8xBK34F(c;f0@v!bs+gRR%0WwEC<4C?V-MqcO<W*TKj<
zluJ5gicpMSjC0yXv5kFkxSy!JD%o&b<(+G?s;PG7>pLtK*c2dsz6YL{`Ytf!rCmqX
zSB>y7@IHeT{%;XMp161KipY<gBjNJ*qkS69TA7llZV$FqnO6kTBz3VFUPu|T5UJB1
z>MB+zV%I2%EK#_4WZc@HQ=Ni@^dzm<lHT6fe8$Er)6-Cxtt5GH=h0ey&K_}3c<CC)
z_prBITDyBhX7Fb&B@3_3ZeN)OA=HP|q`WO9I;1Y}he4swKUPvC$F&K&a^NR>`4#KK
zf8vxrv29Z%Sn5l(2V#HV1%jwvp!(#<b{q8Dww+{MA(O2yl+X$clm{P!=o&=S&}A68
z=(#ZeaV_Din-|^bdf&<twkX5!i;U8|-c8wjGyX>&`O|fKJsVtF<$4)z2QG0c$#0ZJ
z)0(`j;*_&6io2IKI<rcmLJYo!12Uk{1v?{)4|C#Fue`{<xN_U;&E?b>J2tJk*&F@r
z!%*4go?OaSOsgmA*vIGKm-i;pU)ZQUi+4%#b)`wnmXJTf%UW)tG-LRCUj#S6Qa51X
zYwyD@Vi)k+vn>jc-vhqB0B0h;s|G4thU-S+HVdru5=h<y#372%2b%gv5tKmOh4C1^
z{~_cEP0RO`%<LSX{Mf^(-Nv8FbRk-yVzOsY>Hi0Lh_FoJ_geT)on`-X7`vOm-736z
zLO*QwCrF~$rSn!hS=7Do>!i>c`6^k>V8R<u=Wg8@FVfe)pTaJzSCeK=lt6IO$A}B!
z3<Q6tjh?}PQ0%N@|D6C%9_Wzy04huM8!+l1Y!HL}W9$j-;nkHGB=M~zzFZVEN!c2s
z-WeEd7YBKLUNT!oucvRpZwK{64a^~vpWp9t3SBTMV%8<UBqs?DSVpA<%IYCRVQDDg
z*5BLHJOM#|pbLa>0lybm1K_)AFW!DuLGbxb-Jo1H&$QooXLr|n&y+J=S?dTFFWK-v
zaj>Q1ut*KjSFP~%W~*z<!H`&7<R$H?;62O7mB6ztbFNR!;};H^g&sa*u(r|vezy+^
zML%Lb0#j!7div7SWcq@ansRGqSzhqG{(k%<P`YGnIc@&&DEk>rY+oqo1ELQ&tY<ti
zy60^6(-;`>7~zXIWizYaDN^gLY2(nWK2^+r?oT^cdr7}?jjp5w=<DU74JyZ#PKAaM
z>-J<EC^%8@MrKDIWGz@fb-#?Uu4N8JJI&>sXR>#Fydu+8^0eD(6F?GZ)4|E_LZ}Dr
zf6Uos9VJ!>y!Go5t905)`C59SjNsl=_$EzM+uq5u!k}<lT;qiom0q7#nTt84WR_0C
zz9p`C5Gu=0?XsA;$E4pMx2U8S8>3zwE^kC&1-g5{`Z@$URC5jPIwD;VALPas8G#vG
z^@vz1bDu;*oq|>7nSDt=1NA<?2)+%($qH$c+%Mw~w;ZcR#YimL;!5lj)1Q5jMZs^s
zt3+LsA#>laY-JqaD#CHjrq?SepRAp|{p|%3r^92i=K64ircdJ<Y<>CQTr9kM-Prul
z%ceEIk^D(zzWJnF<qsk?rbBbZCbL8tx+mnr<b9Qa$`BHt;JUaU&GJ8O2s~-C@h4Sr
zHXqk4Gize!aNa4zch`@mE)}8gQjm|x{93zI{uV+BP^D9L=Lx-BGInEz>0`{>6kM(I
zsx1orsOTEBD_VEHg1odh?15QSfxN5Bqe!N;ULT;Wq0tg;c|lakYhU)<&X>|+&i7Z0
ztVZ;oM!#m<K8BtMZp80SXoaA`yw{Z8;c0bb3R|sW*s|702@0R(7pO+qc9ghR0#QDx
zdp*xIX9I?g>}myjvasVJ6{5dD_QEsnUrH7_XD426VNU!-H4B0u?3r$w39?|H(jUAW
z&ggi+Uebvp$ijm4DS@m!nu*7Mp%8&;{=?@fjc#rfL?Rh(=7a!hlgpaS%rhG0@l(L1
zVZ)kPwH!a3f2%TKunfePp-R%h_|GrrFZtHPU0%<}i{zruzBuB!`okcrx<VqfClvux
zW&a6mCgwuOCo6sA2FVhMa4S^npq=vSEjvPGQf(*`YKIM^ls<XSIZ9??0~whej9Ueb
zL`s6>Wl8yY@u>$G=F6c!zK{Y=;{bxWTwa&_&)BbTJ;~K00^OOPr9i_0wwn69c?b65
z6#V%4!;C#c52eFWqT;!S@b4ec<P#G5#WwixOSE1(Z|Tc&p2<RaamZOsED+peS<(KR
zGZuG>5$ZLPDV!}mA;PPXyKST&+{eQd!Id48E?u`9X*HC*pKAKjXy`{pxiHsve?~xF
zwz-m896x*%RfjLM`xwa7K4xXz2<e<($3J+49FLI1*d++hSFQ0}Z~E~N<gI9bCK1@(
ztDpM~EmCC(_505wmEG~&r$5F%fQzR0ZX^sEjJ#Wz+&k4c+`NE#Ep9Cy-<=D@zS^Pr
znD|byFNzxNHYxIc7#?yj+Wvt=aSDG_10(E729KAC!IC+^@aaK=a+1MB&7_|G-HCG{
z4hTQH>wd{DN2#Aiw_t1Ce%=q*eLHu$tJqiq!2(DH+>*HKCn}7`#YVx>#q{<aJ=V=U
ztCSC^>g*zl$S9kphF1PEU}kFZ4}|S?witlNbgh%qP~s7+W59#dTiV?z(JHE$)uCY-
z+{{V;C+@nOsEUgk)uquY*PZjH@uChl8La*v&#=a^8SIckt)>Rz#=2LUMV}#9v<lHq
zhB&ypGOK@L8I|;;=+L+_K>_mEiMIYS+<9Bew-2F^NybupIWx>q=*NSk81CPLm@Y+O
z_<qcJN0iD3r5Y0@_lbZ*g^Y>yy1c9B@~iKiL5BzU_sds3prxDuxU-YUIFbM|?0LgG
zVr@e7L@Rz?Rff$D7wE}m_112vbR1?O$!QBl@a&xdX5q~`6ajL@Hz%;I!XfkXB$k<k
zfBCw8NF%*decsIL{;P6-n*dj5D0;v{CRmG?tW)1)U&r`Wo24(gVbfcL@y(m)v@uzw
z_kr(<^v!**$-m+Pa}a~-_=NE;-#Vw|UD%WNXE~_0sh$s{l>MJA{FI}rl-(`CmYg$Z
zopxjAvtjRnNYaK%v43A@n%L{fWJ;vNtOo6P$@Xzz)VZc_|MFH1XIXmAyw(0RvtmGp
z;)dg(Cv(4|^HcpOklrofDfAaZ+b&MU-RsGAxd2(pe@`UG6B5b1J!Z^)Ykp+S7bLxS
zYd_iMdHn$>yEKjXPKttWJxGf4kA0AnnsM6LCS#k;)p){|Q#5(WRud4&V0z-#2rAd2
z_hIXyYrk&<q)!Eoq|NT3RKCmJ#rMxD-N#SUR)Rns99heB3f@Xx0Uuh7>owfkC6y^`
z%#zWUs%pabtg>4TKa8cPEl{t@#p-4o$a4y(<uLK5Y&QCdqZGHG$0ZZO>ttg05m&zj
zw5m6|yMDZne5c8pBH4{>P&4FGw^-3=`2_JFHXB0W_qCO}j?ceb7&sLB?2xRAYg2<>
z=czZ%@Dn&dmTa?YZc)QHyu(=z&+>Ida$xMRgLE7Ky|<sSAT2;w(lW=b&!SNVhW&Tl
zNNcN!aO<ck)tS`Vn_M`H;fSniK;W1Te&FBf2T1dcCr49#HgJ@yTu19>WAD0j>#{uv
z4<R2{GyA=!&HAwjIyLp-ZM?pushLx*O$9#`cK)4-*s<siX>xsbI+})*?YP{O{3AQp
z5VC}iP2oilNQ>4}_G(w?(R8B$y$D)U-Atco6hW;cB>(wqh1H6Z_c)`(qtY=~eqHff
z%xvBtj`){4UCf%m<01N{Pc`M4DRX~JQ@tf{+8gIg#D;BMG`0r4gDVE^^+MBqNzMFW
zj@|6aQUibjH*QR>T26y3%q~~JyW<+cDId$dN&VIUJ<bHb9tNHd<iHR1UCAi-FDucg
zOs|TDb}a(?#;CY~L93|OT<F!hS}krlW-ID-14cYo&sv@%5qqago^;WtOZo5cdnb!4
za!L7+XZk<cZ7M!z4|GV0`NNVFz=_9C0y&RDj&gfT0(H$7Y|&qu>R2t_%}s-uKK07&
zX`(D+_%AZ{(Hm3UP84q!Qw8$Pqb2;Mi^82j8+ursw<LnOyM>82jeq;Ci47i=2P;<k
z2H(xkzN8WaOr=XbBT-1SwE`V9zgE8%Nc7}}5J<b<Z)KiCnv%z~mdyva8H@Zeq(ZUc
zU*?e{-uneRJDDNi<XHS%Jt$Se(cIS3ER#%bY7kW#-DP4oEcKqh_<f((f_r?cfG<*g
z-j9C><FLbKo19y$;`wKr2vSfp8+J#*?=;OADLD|39NsblJkAS)VD0ru9YiMLj%?22
z)wQ=m3-Q}<1tY^g7vmsS1IDR0|G=BuMu2*moxZ)ciBxKMxyxvmjN&i~sYb){&T3Y`
zmzk=)mY$9`_{+kIor#<EAEj!y25wOlGD*n{&kW^i@1;qLXLr(Z)|%Bx?^*VuM@Y<(
z*yNbCG?hQ$Rkf6MEaz`E98+_iVwg_CV;v7p3QIw|s+Y-Np93<Yer&(@^pvyAqf;^W
zmJ$t|XZ=>8yf#+HRU0xu*jcKW7DVr2-AltMCip98UP~gc7?`T@DhXl+1`IFO)a{)a
zMtcdB8kAJd*Rp26ymXDt$rh80;|F4iXhhnu@EUHv7p!`=z8~H?VB;d%BtL0P+g0Ik
z=|4}_dX8&Smr2TvBx$8`dfAxJUXb$j9`8lAoy*GVgBtNVko}?9R8I5Two=Hi(CXu&
z-O{{FqR*Fo>8N*s-p;A^&UFV|#h0RP`R}$uYFCsg2H*(Lt84V&cewH8YtlA_15dkM
zoeDiQ!kI(Bkh?GanK%xOFV)&pR*^y!%=^5$%iGsXra>pl8aH*TT~A8s?>i5<>ff8b
zNZg2Pm!dV*pELeOl}};T>;E3|V!^QO@HAJkU#fymDWq!9OA*j@7uHb**#wS01L^Al
zAEQ9Zm?t2>wLRjgR{*I0`s4Z2m-TZKsE>)|@zP4%e~;03;%f!yoqE{?d;;qMy+Atk
zdH}{aaP8rL>I#55_|)syl|<bq1l>B&^X`TJTc$=W7(b8X!w0n||Mx6iRjA}u_r;?U
za|-81RDh=sm$|_l6cYT#W|=*LS3XF(EL~;Sfw58J2C)H~+=fH{*nq;OQARFld#TTh
z!a5so3w(n)Q=I$JmuZ`5ex*E=*9%ct>GSGCbLlFY<Ao~v?v~GJy1vx<O*WJ=m^R3s
z)9)un1+$_eMK0o_4`S1S>GJp}hc)cqD?49&|0;+Ol$!XQB_@T619R_%!NW9D0z;u9
znA~hDobX^(PvAo`VWIl^8$8R=1Krg~fc5V@F=FH^MZ+6XR7n$)lidq>I-Gwj9<f$N
zle1MVzMfteIt`({Hl83r>zt0GjC~EHspxNq@t^S@z{DUXToE;^l)ty&TnMIRSJ+}-
zJ>B`@5vJ-fm&kAZgpaJEg)sn%$x^MLBf7?O6SN=Yd<f&sfBrhD9+=uv%3Z|a3FME0
zy^!OHJWTcaC^*iC<*a?}5u0(~A8GAA$B`uEF`qVg;a<Fh7bC);Qd;*yN2|Sx+vB8A
zS8;<@his=RQK*)WUu*WpOBAzc(@RaN&O5+6FNH}1Bz#sDiUoh#^93X&RkA&ejE>6D
zwH~`-Sx;chDjNSfo}y(;zoEdpC(loUyPFs}I@_8!+ut6i!n1r5S`;ev65s7BV`+rT
z7=<LWfpoIl*wt>kk-^*~A<#B4p{hjfD5!h?mJrj|1BqWv0m87~65>Xk;dgxjAdLTa
zc~tJ}f9*03P=EbbUTsFe+2JSt7Jx6Q8-4B(qu(HCUa0?+K8Tg{E~#!=^wN;)mYS51
z_}cHAfgTWbDvYguM*aQ+N?L2$R!{5@-&t<2lto{^IsoMK(m)O&QR`iulg<Fz-BkF}
zX7rzsR?1pu^1|c=&dS&IfW@P`LdVpCV!Txv6{<kQd9EG-!5}eQC7hMx-y4Q{P}=U4
zJbt~u27q%Kp_`{1=F~fy1&NMS;V)sk4!hZ~&T1JFoIJXSA9YtFDu1q6DFv$6VUink
z0=+yp{Q@OU_6~>sD!4&xd{IZP->U`nDTH?mhOM4r&aDx6l$mQ&<Yh@bZ(xnG=*TBh
zzBA_a3pL$$94zK(o(#XANnOP*kfm^Nuaw>>6zs-5tg<vP515;@gocaw7ZN7Frq_7j
zzroAjbrkTnz3f7r^He*)9PtdqL2k4EYp<jzZ|{E4jSN<9f95D#Bk!$L2^9vYij-aQ
zk~z~JJ2o%Rc|h*fdf4stFDhwru|=8row@IH#Y(eEyk0D&k`o><_IO4_-gCv<gO}&P
zRjWB2k>Rd(f`{`pi2NGB;ZTs4cZp!<dpf^ly7BX&9{=*1Va9arIuKs}ozb4g&m(-m
z<*Y<T+s#!!%H<FiZ_{G~n=D+k6$IOJwM@|o;ciOD4uRJeYpAJU5;TF;V#{XIso8KC
zeN<;d-lp+6HWlMpAG^y{9`_7i39NqyGTr#TIRa6>E!VrpR4YKDCts_tn}}C+;ES+y
zB+!NATV9>21MGeMB>0wEOU0RFOr<!3FCf=NIwRQSAz(pe^d=s)V6Sz#-%lmqJ#rKP
zW}?YEibQBt`MAj^Wi%(tuLhRfR$>#jpq@^Qkp9nnbJ@W_M|%5v8<~iLp`dS07xWwO
z`uo(6!7pin@;4#jHXi&!_OHMMBG#aw-=vhBu!M}ik#8>Uaq7?meYbk)89b|bO?6jy
z{_T7OrL2TAC7;5<=UD{?w4EJN!)+NCCsj2yF$qi&48&(4&n6Jt>9W7xJQL(xpA~-+
zap*A<5#7rt-$@!sdj94i8ngRz{wep8Qd@{4{|cF1;EK*kNXVZqrnQ#TDWepT?ArU8
zw8#kjs@_6<Gy5a;8fIMW+rZJ}-{LL@C^43Eor0<ln&bj2jZ;@?F!~3X5$3*J@=EpA
z<(jK7yMxW~I#|)ff^YhYH__~+<VdtQf=UqNPBre4>CiyHB^ma!`>#=1WdhODLrqk4
zY8RT@>9)*^_hY!F>%Z~U$w7o}J-&_(O1`XfX~i#6hTl!rRn7`0_I8yFRE3K+Be5eI
z2Hvj;{pFEQH{B=M2wk!+t@vdYb_2p?zf_<Sao+lC97~CK4BP7{mSnBRI+S3;ybj+?
zHkKScABk_~?>3PSQn3hV^1}lWE?3-JlAKXrqDw`bv9i)|`Jc@%x%)6jze)XiV_esE
zJZI8tF^yd%48GG36}(gmn}28UXJr($4rLGi)*cODR3*yOf2_oKgiMI#gbcjB+W#tE
zOqLMG9$aOBAFPsd+`k|ibQsLIt{T93BfPFNt-Jz_``}9dv7#x2&=B(De*hoHPk`_q
z5FihG3Iui<5Ccu`fPJ6zDX$m62SZCKjBhp}#D8qUf9=3wOqwx-u5XKaK=fy>AkhCS
zckQ4S;28?b-*qYhLI?6coB{vnm;ASF9RutUxC?>v#;^Q8D5pVa@B3``sHNw8Jctg+
zKQEx~$qRpf-`nUf2|~M7n#l>vG5qi^T^aL3;d790E8R+P%2)gGJfseldPkY>$wk}l
zqhU)NC{nat`I)_9aOmbZge#{9l-@WcKJjFX&C;7FsvBqjM1H$yAfJ#dEI8L!m8o`F
zL_AAr3$5QDjkMu?O)Jj_Zow>@O%LlLy)yc$HyKj%ew}M@k}ykyp3CRrb2){%^L}Pp
zc^<Mus#W1~tz0*Vu*iMLRbflnw$SB8>ZTp)ZoT$<q7JAb$?Z~bmz`$reunJsCySlw
z=`B`MV7X=)ufC_oS69ew#QutZvI=Xa&^~E9tC{926^m_5nk}jaO_O}0z#9|Fpn_l9
z3dk|Vx~lxd-0a~|fHqGuqm1tA@7Oc=fv^|RSw4|F(KNja<jYbN^W{i>5|}C^vrLCT
z@n1cph9Ln+=iOB5H&g9Vy7!9V*kUCF|8~n?zY|B6SJi>_-1S)=O^73tkT%z=e9+-J
zX%I$e^cVN14G{4uJEm5aiMhMp*6rfFca0V&l_`HFU%j;hvKOSnWbkKhLwa_!y8>;b
z24dMxI{G7^^EA7un^EKuy;1mT4^&=HG*j2YYr=L^*s#sMbbp`l#0&p;IW0^xJG2)o
zmEgDE#}-_4=0Iy>5Up8edcwD{RUa%5?2V9@6_!jnMB`O^`qNwAlTjjyeiHY`Xz4C|
z$F$CNrknF0pm!}7xRyS{fBS`?CQ*$BeoSw4f&XNh9_4#&LUfYGN-@s4WQ57Gu5{*u
zC@191F2AvfPSUSyhG~FSH@Gsyps!{kWUYolz18>Gk@|A2K+_YdOWuW|wxK1$NKpZ8
zu|B82x1OyTtdpv(xwTJ<o_L-9l;C!DyO^7w&FwU2Ych;NgZ883^7QpcnXC>W=BbXg
z@W(d8X}N2ccbB>9ZhZiLuGzUjGfBDRQw>6dV5lsQ2$F%K3C!14tn(qIh<hgeSUXr7
zUd+kL%b$wtJ_~M|KpN7%F<m)_dogP$CgO_ml%5t~wk4U*X>|xwfYSDo*?!!=Fmzm1
zH~ja_r0jJg+}t84TKnu#Usq{OUjz}+?n5!vj2X0M9_W2HuwNeIl#LXXJ6?6<6UdO{
zI4Lg|b}wYRba?Oe5DmUp(2?-raSj^Zgov)>)w8xy5cbgX4#<=h@3{+q;{WPDne$_G
zUm-fb!D66!#?MMT*tH{BaCJ_KQoa_xZYQ}^BQ|}0yjAOG5VwN{(0T}o4$`FeJ5;!@
zs_h%_C9FQFNVkpei#E4r9*!knb4eED6dcBTge>iBPb?f!d6OI+Vd>0=_}J4w;4xK2
z=tW<L2dU;Vk>-l2G9pxk60H@}#NB!$8%}xg$RC!-OJ>@<&|Dokw%$4;ddq5@(TO=*
zYmWdrlcRumIYP1C`Jn<|2ur|!Z-BwvcX{x#Z!cF}JdpVbC<^j5`pfsiSNi_>I`W(B
z3(E2Dga0;nmm?DR4+DILpRH|MllW>m1~nUXBu;-<m`ab$OPYYj#=qXA|4fliA=((D
zJz`Izb0cI`x~>ryJ3&G6>Qxl~VCSyCDJ`=CpF}|OdR<OpnTG1KGmBMriLS>)_)N5?
z<#y`*ai#&QT4aGLH*G}8Lu**z9{bo}MDbQc3-w~D)Q-fIk{PvEI3lHhk{4`OQ0x2(
z`k2d~(p0hOXZ*-(f$uD%l5TKiyw!Nxp}|jip0UlIQ?=(wq;SvIG(8^D;*g4qkNrXv
zN^JruFAAvAW{p1Px!mF(yZ`v<q4&e~y9&Irm2}olzdCy&^5w*|6lPN9x-8Q)<#_&d
z)C?RYRS0XDyg~fv4L%T~JV$1_QY)xx=wA|Np5CONOk6g(b%6#w^q^Ufi@Y6mIVxu>
z!xm972oUoYaBh<M;pi`{kP(;F(!119w9ve~g+}1Mtc+PCh646XOn;|K`f3G$>+rlE
z4?0>LUHIG??TUv9S2BD|^3pwYc17YJT(V{j!@lHL_R`NYhLn=aIm#7Vz$plH5akXt
zHy;t(WtL1wTTl@#ST>=t`E?)68QRj*`0MUSjm%??5wXKba|kgt_CA51bO_{N`RonC
zcNSnmx)i=V6C6DLDjD?tPEEZ?zdak=Wl!?+tMPE+jRXpNo2_v$8cm4E8-mQGZ$qgI
zeGz-KWYj-GYG77gh4TN}*(ERlcmos>`2hsZe)lP`7hfQQ?-#$k!`7+jH|zPwf0P`~
z8DGFUaOk@=eg4<;&VfIk_+4HrfdNaz_5Z(~_cjX<|K{}kUmbokp+D*Wx9s=B)bal-
z!y6z3;BzGX8tC`MuVMJ)2?h95$LWgrfZ)ggDYX(hLP#O#96+pR^-}rpv<y`pv{!yK
zY@|TTs8ed}VAnIwl^Oe273xlKU-V08c*wfP`&jL-BB)sP_y$=H6qZMjh&$J*1apGp
zaWzP{Gg)wP5ojje(beD!N_X3*^zSW^Oq}R|sdVM{4D2OApD*MVX0m=P#f}#|C*9a+
zj>ndbZ-$|YY5Mx*QcMEVB5f&d1{`8?hz&Kjg8nK>7y#*SP|Vx>7*)@Sf-dET<B=u8
zVWzk<>DAWO4hGl<a!K6WXB=Cpy>mbWp4<`qJ#IGkE6t3y3!hZmj*xvqK?d_IqG~+x
z$ptl_{{ikry-@>3YqSoRn73RU<xB^SY5N!E-}0h)<m1_J)*?>Lj&Kv0+>WLyG%><*
zZG?i#f$WZxut-PL`M(jO-a5<r?*ut(3VQ4AcgNBv1(@+x#r@d(FNHREiwuHdLs$3U
z9j^*a{9!!7$#z4W?s21guHPz-_?GLUbJs@@poD%*E}vAaBwY_~&gzO((Ft9sMUfdt
zvv*t5W23C#!>atyay&@Pi`;t`0){kHaD(!K?X)~9&s}8=`(q4j?T4ySEPWiy0>e7+
zYvk6qMm?~$Ps2bguFK|~QdAT?pbWV-u%RYUhE_lhvbzIgFEwD%LDc;Iy(}hZq%QvP
zca$}_5v|>$5B4q456Iv9LBJT#|HAJF1iJQ%0cH=rPfNQR2em+Qr)s0_|DBfn9QlBz
zxxgRKz6KEdB9W4XPUG1xidgArNN|c<%!s=ZI@f>DKIoI(Kfa-4k{Q{Wms5N~WXjzQ
zbPP|0#rZnwA9mrDVJ`Jnq!eJ#AK_kxv%JCWh3f><ywUryFCjd&Vm9d`IN!6=hYXc+
zi^gsN=)l`aR$}5orfpU)p5x(|SQMd_oncM$Mwv}l6;~EtCk@FRG`#<`?0BG1jq7oK
zLl`jYDi*`Xsgss9lKlM2`*PN|9DDY)?YKn0+}P}oA6vr4a$1kc!~w^GBRo@eOe2v=
z1@XOybp~uY=9nTDRcz*L4xPNfar;*Bt-CLnYr!H(S}ij1zd+`F@AW!{j#F)jow#M~
z0iH^uDfYCtKmE*NlPo2dG4%&72RO0A*UAnv&D+YyKIeI?UK^8Bh1+%?O5yhL$^@mI
zt3fuwTH6DVt)2ZlU?(lFIM-EPu>&pV{JYpjwE~EdvLObSL5#96S#9uaatJ=dTbxf&
zmqlM<1xeb^@B<BHz%B0d8i<oLB5*MhbtNw&r{MLeEo|I@B>c!7h1NzZUu=NYJpG}g
z&HG(kO<tG!LG(W;)sehe@l~Un5^dBMmtHsBW6spnquj2S#{Ajut6`OtjjzGa68ny*
zNu1|=oS_7r+Ng$xHCOgUDep2|SA`Nf>qeN`xM8#=QX{L{9+D&t>NihH^I+9if8jaZ
z#|f*y|M@Z8pM3$BzL3}7>Zt!UzE@uZ0HpTk6EIVAsqDWE=RcyoV-^tglNm?}e+uM>
zVY~ND0T6r>Gr+h%mwkg858waW=dv1s{0|?wpMJp6Uw2gIMeCUKgoT7Ak}CY;9b*wa
z|MtlIjd3q_aIuCao{A6on93!9OuODLcYXg_mWifnR<x12kJV}--_?IPvOgZ(xLky{
z+OEtAu=N}oGajh6(Ve5Fh7ad`h$f)l$QQ+FmSV7AM!DDbAg-A#E@2AH)(pCTeQhAD
zX6f3(M&;>RxJ{noGQ5_C^Q{<NlYKHkMEtP5!FK=UwoZJ+ebpXXFFX^@Ja6%pg6Ac2
z*?@0*P4N{cs-1c{-+gDP>_n|g=5*?+b$M>k`pU{0g5Nx|(T#++IM{3lYg|W2Ar+mh
zz-wZBc>j4lwA?$9z<YaU{cC&G5YW_sjxm+RZdUy7bb4);eNGvzETBzCM?4`VYdIl4
z#-u0-Sio$|KoX?57j)?vyw+vSRC9xdo_GV>dTDapun=Vs-76b~O2ni7#J$V+%R<vV
zTLr5jTNzY!sl!}!os+K}4VkD`l-Nd*EK_~`ipfi-@H`+^PCktpwvf8*<tkxa-N!^;
z0kX11VmvMvzUHb!8+f&@LV&<^r!~>A=<`)%JgQvV^P{9=OaIVg6=uLhve(#c>C{d>
zwAzd(<0MqLzebcziIIoesHpbBjY+id-#J?`i9OV413wcFt2Kk}$+p*!>Ys4U2w%h`
zXy-Y@!QZ-qx5DJgjoXab^X=}bPa#)M@9HU)|GWURd_aU#ezh=j=Ly1iD~E^@0_9De
zIc}%pTw5(qk0R`%mbG-NU1_669N6g6UqjJ+;d6*m4RClDl_UoAy}weCc0gNIUV;}j
zjbk<WkGpxK?6QpUG|@TbS?a8xx7rQ5(L4qhvZd5b@75K>aMDchOQM;x1k*MVwp*`>
zjiqfd%!pInwk@FR0|_NEag1vv^D5ta=@wO@@u0aTcqLAl4bNpn;MjD=_a$WekH^MT
z(<n)`t!#HzWT~>6>u#$$N<U0a_s-lba<r5Df@0xuy5vT3J_REQKCf)eS98R9qk43y
zX5wCaVq4k%mJ1^W(6o|TCxYK4ku5<Sc6S8t9QvCbFOuf>iseRySVmrJZ{uTG5rtEu
zSlbZP3g8m#vn8lTDf(~eP`s<2OGf4M(!;&C#uL@a5Fb6xBTu}&ET<NpP^?(}=*?u#
zF!M$N5Krth7z}8s@fa-w*SIfgC_3q)5}BP`zdz~0-?T)8N()L#!r=@OQsGM=!WU36
zP(%SvRKF!8TAc#@e#1ijzbwi7=x0x#_sYgUz15!Qoqt*PZHM2k*jH({MJqO}^wT`3
zA}_k1`oq1@ikS)$%QeqnI2on{DJkT>CW&q05vqQ=m?xb{HG|HLF^6cWI^sp5a3+)3
zw63qRnVtpE%2j@Abyl561Bu%%W%pQP4b78tS-;_GxLJ_?UCxSJ1WppO`fHWeG&e<D
zeO15Mtm|$1HZ%>42B1F>se}`apd`Fff~EaUchnx%1*E(+T4j0k2*pfS3G?3F0Y;pg
zfZ`uO>PKJS6aJ&Q2Yw*kDiToo&6lzXpbrCl^ZgTebK>hsY6bu``x3tZqP_FC^FQf-
z|NXuz75}6!2A;m}KHcU5F5UoHubb3@4;TU${93?TJHW^6hy23n_tPHT8e%}|yzk=&
z!RnCjd+zW4#phP_fD?MV<p+M>9{X|t!8>5qvVSDL-SI6=NDv#rNe|}xnq1)09O}B>
z(hglUBh!6h8-kKJ>r^|=Xl+vWudBS`((ZT!;|qL~H4iEq^meBp4UO)stJ%et1zS%V
zb;_HH2a8Vt2acsV!|PG%$nuKo*Fya!3~l3O!M|YAKv$ShG4c_-s8CilP>Zh5gF?*@
zkKe6&Ar=|^f+;AfEmeg^obc#1QESrkch|-XjW*v=v@d6m_L)iBFz~j+rU7{7g8p30
z4UG~A@QBo#&as9XVAgcAO+xxPo&2*&hCY6l8TdrmG$XRMduN-{nJoDB|HsrjM%Nj2
z?ZUAen~iOA$3|l{Nn_h??4+@pq_J(=YHZt$o%`f@-gCb9`@QEF>mGZ|HP@VLUEr0*
zOit~|A`2V(vP$=ox{yxvB$SA9&t)sbQ-?*!#mLjE;qdJCo6eH<3-%b)*89!QiP;Mc
z!id63u|!HjK)(Wfn=5(eWoZgUZ{|nbNs6TiI!4Hi9BFtA*a}Lpw(-ek%h9!t7tsz%
z!WC~H?SK+oqmXlSi0k3EnF*MC+5oVsKUSAHW!hHw3U9j6*ZpSEFXhUo)$HPE+fN?E
zBG*5LqOP9NlK(RQVIEH^<_j{SHlRD%MM=8Ch^<qn8q&BBD8(~$P?5LsJnqFfX`}~z
zNi6B-^g2U1pOu^qCRs^Pwkn6#FEEO^&o16^bA;)?RQ3)Or;!l2pLE#}84L?uWAT$J
zeb!`Yg-8%%k(?3wHJ~1`?FqH;vd3TZ;sfV6gY^oG=Kx|kKqvMwrY_68)NF$eXgcNg
zcq?gFQ+-Wj6lcwQWhOsOa#$bf6h|Uca@Fd`EhASKnS<vJPw6tTx42SRs|erR+UI<8
zXv(+Dkx;)kg-Z=Bk?+&9t_*@ZC)j{qo{CTEUtzBQpzY1-gALau+xJgs?r}GUi5etf
znq5GfP%mL>fq{o+5gy=RRh3Qdy0^!I`4f0jLn6#}rMVzZWxk=#@!&c4VYi=)VI{iw
z=f@Z=1Rn%<RiR~~s|G@fI<kNOuV6L3>Mr%&0Gf13Dqrc)C{5Fvajce8u7M&aqu)-h
zh2t%JhpP5)AH5CsT(ogjIyUlx?~k()zIs$xypuwcBKhZmH+_;O=f7*syeE_7XU=;O
zUNVELp=0gS++5GRh;!F1tOU<S-{asfbEw9pY%Wh)4-!&a+@lz=U7nnkgE_NWK|efE
z4%V7|$5Uu&SQHbz0<Zp^^Jpx~ZB@&Zf30J|9cwD<csNwGNDi=Tg_lDo?GK>H6{urn
z`@X;4DR2<W?J4HRom4sbojyc;ZRc9S4=aL%#NkWAA4%gc91o3HVs%~Yif*2cI74js
z=uD44`&^^$l78O?cn?{Mg299&EGfYr`azdbdzCoyd~BNzbvO4#V}-N}Aw5@QBs+KO
zNr!V5@U(tc1~+yz*s2eZvBv1o2pYRFw*2S5v{vh^$Gj@`>fZo#ivo|uAM`O*pVylI
zDK-bd%p;(W@>!MMmA>%&PgT-<`$%2SvHwm7NCCi7-ym|Km{;Ru)JyDjL;!rf-R6qn
z3jW4d{@ZAVnTe7aSosl3@~AfW6m)cD*V?tHt2EL|g0ebBayjF9h!*1STxH^wJyi;1
z`7W*C1h8gW7(KC;T@~ABm2B%ZP~t4{6O5g|EHOMs4qwPKmZ&u9*n8QTZ(kRsAG@?0
zM<~Uaa1BR(^!w7UZ?f}YK$cTNYURGiVi=#0uwQ@%49hauw)K`%g(-s3UQ>3gk~1dy
z@WH@yF)dqoi}uC}N{1%+dl2c3)q`>w(`bXNkC^w)>n3e@NhNkIyJGh;{t(ywA>Dr@
zeqiB7Mi1Y6Xt#Uk#ll}Vk9e>g8eP~LIX5kTg6*T-LQY`T-V$JlE9%*M{(C9?74>h8
zA`H=i5}}wMVRT!o;$ZEMMj7^A+><|>f+RU=>LmO3-+HA2em>^s{+MSr2_ONpgcvf!
zEFV%K)PLzMc4CVpf|O@fr?I=2l{)@_qa-rw^o>31{Z*Wz!8s+<!PvfopgDej&()(Y
z$VP~>r4zyHC60?x7mzq$=VFo5Q+z8By_UwJ(QeRJUyzTyFULtjXWUetQMN8RbeLvd
zX<xt;+GwQp2x&)>_f3Ahf#Skm%<iLvHl!$fbrX$MMl|#%KvS5@lJI4>tCbs3iTkOL
z_o=h<MKUZ&lzwR^obpGv(V>K=G(mTJ!7;)h)~kOh$opL79(4D%)%a`ZZTCyq?m1Lk
zT<MEv=>wj6aPA`wnoyHtZk48t?8RS!+^o24YHML1oo$;>9%G3Jj@t{KEUhinpe<v$
zCxr;K&v(keHVF&fay$hAc|#A)Y0Rh@{{qzXKI9xH!@vFBm1`7#?5U)vN)jori7}@|
z&Yl)snKr-LPSGRZ^HZ<~>rvgMqNqNqE>3Oy{L-~Y3u9{|p3URrhrG`b0@^t5h&1T(
zI&)pWb!GI~$o558k3}5VAN{%Ua5Gu*s6Lr?A;_x~z)m7J9#AnI>!jc)E5srXv*d4P
zkvDcCxQNd&+Wh4MnQj*j9XiA(-Km|KPcpqc=JTFJtj}aqU_=Guu`Z$(A;PO?8>AXP
z=Gw2_5?b(ct9Z|PY-y&NOAwrYu>dhRP<ScpF~l##vNrH-`teb>*win~VuSowjPIdv
z7j#Fy*}ss+k_|Vc1)iYe(M>O)WV=beOx>wGRiIL4C(<xnd?8bHD=Ws17zUwq%SK?|
zxQij(&o@z=`kWv9hUQ$voVY}OZ%#^-I@(@v8Fre8k(f8;ugWb>eMSv#o2Xp&+~qI<
z#u2CFJ`~$3V{|5#W8W9_xb5yr=*=v7@Oj~6o3e$wNplx_^EJ6g^>L7ohS24g>Q-Ol
z6l+F8$o~FvjIfMf#Rdg&ZFJEUn_q4nPk2~^Udep6|8zjsNJ_X5-v8%Z5!nK~8EceI
zQ_nj{`Y^nOudzv{HZ<JjQF*6-b_!+f6KLLk-!Wu`j6c%%JEu||(B#T>$?n}>>h8=t
zgUi00vLiz{DG4ZmU;DHBlg<k-Ba%Ot*h7_|i5zb`RYIQs)xCiU`O6lxZVbpfX_E{i
zKfh?3L-K$DKFeDpBYm~!_4b>o-6l&h<Z$&;9cF(Tr~1Qk#-HQH7@GTxswd}unAG|m
zs0j7i5mV5`s4#|hO2+^iD8)!NI%XOVp1K3m?1XilwP0)<63o|>k7@LJDyr(}{O1p(
z2;)GHcuh>oJPJs+;3n(#m(iAXPAD`<$THvN-&xWbO3<6wNWBP$(UQ{TJ(Lmd$32|M
zH9QBCs%JxjBO^vuT3)<Qq~Ue$k9#%BovY|(p|Qb;Z^*-m>8QwV1=*=?#N<*T5zr#I
z@#yc*1qKAc-FXG`H$gM{*5`1O#S&g&i^2}71xI#lM#6((H=;1<>@5c`!si!McY@PO
zen?*rCFZ4AU+XU~RIM`!USp7@wqyxf?8j&PT)(0X`*XDajnwIJ(<a{S*EIGpJWB43
zFpk~58x&L4nP#p&ZE*6_Rfe(gfuL$##%wIe)Xl2AU0h0VL!b#@?8bx9*_m4m37gfE
z{u&Y6UJ}t+G)(qz;pn{zoA6i|Cs#6PxJEwD0AXh`G9wh6!l*IZ)O7rBTYVaMUorla
z)Sh_<tVwHB#C|vWi$#vlFcIY%JXg{d4n2CzR=8ORx|kwrjA+NHMl-D9YL2Jui}{rx
zzu&+7jKT)jR5)chq=@%?xGX(eDY<$?k2>+xa(3#*+U8V`SAtli=$s~-3}oF9v6sIm
zmt9rkCD!%7;5JLl(`8;nimkgKkYp6DH&|4l^(=s0((Jw$Mnib3uGM5oE1X9H6BCX;
z@k-gW%dptt8YF!7Q$2O8TVJbq0Jn{ek1)$>o^YlgwQc^M5zN*^X=%*ALEbL?g@~`H
zox>;XM*Q8AX-X|k1j~5iBTPbM;NtM@D$Cou4*R;`*TPP*xD7=pf9uaVY?0T0)EOq&
z(JnOM$1g06Tokp_g;ddeT&}$-LSKK?97BseWP@LV(?VF$icXgjxhvNhZ+kyJ$<q<J
zozC<u!}9e7Eli*%pAlTDE;KHA`o-*<7Gd|P)b`Lv73YdUkkrH3RV1Thoh)RW_jTT7
z@N`&w5kKN7*B?EtD1wj|;tPKO6~-FU_1H5R#32czj#!RXr$VV7-%W!P1p7-Vwzt#|
zz7)p>_EwI8VN@%bm8_vqG%=V)2bGN;FE$uls9smd6I~Ynk}j^ss`>*p8yfwc!;j-C
z=ZLAb)I^=+rzcLIyEB#d#-SK>&a(rorjTdF%>h_~HdXu2)SeT=yZQz9BlRXEBoMyO
z;0yD!d0g%-;GgOkA!&ZwS?S0X_aeP0^|6q($tu)1{Hw=7K604b*;50Fuoh|_Wgsyh
z%B+z+*O6;K?1sl{#?s9o6e`!2Z1VP0R1v)C!Q<6d{uWP0NnRn|p?sD`I!#M~HvBK7
zG)?SF()ZkzKZpdSzWqZb;&vlSatNOgEou3Z_v@IjNbgRAYN2zt0hs`u$6`lwYfDxJ
zLrXSajbqHzHJvEi{eqOb-iF2qOI`ShwSPPCA1A2`xeJJ&R#M|(x#RRV=b(U^E;gL@
zs`FGA@%ucHj1~ABs^^2}OoOQ6Dc!SujW6m$c$zH!c)PcBKI*mhXm8klLMBOYo(luH
zzp{>D?JNv>Csys{#*i@lJF39V1UL?Le;)A@ax@B?g=1cQ^_%Nrp}wZVv61k=UcQea
z#7#BS#X?gnj`;SY7-uS>7?0Vw(exc;o;qMi<tMLdLKkdVHb<fzS3&(I`Jxh|ZS~=t
zeJd~TzvNgP-Gf39`Tbid0c2y9Ss1wzZ{YPSi-r0Kr(<!X@ENySN_@UHQ`Mt_)r?v-
zOS3PS8?U5m&0%|PgHsCC497;=gk9Zw5u0vly7q(=^eOE~LEw8!yBqjoF_GNE8ErhT
zwU4ywf$mJkQ`Vf34?~M67Q-f5(U|)B`>LYNG=uh!JlS9@N1=*2aM*H`mpn7Z1~M8V
zss1z;|J+yq<Bu(@F5vCxgWB@$)1vP`lkoT*@b}2SDgt=%PnK28_`f}8CLpKZ^$|Ap
zDX|`yIvvvN4?%YPd*6zV(hA)Eo$<>r@BC;T5~1osL007`$e*rFnE0~IQYQFeUM@xB
zzO-_XDJh=x4v-I`f+?rZFUM<A&~*u915_FAx6ecY2q0RkU@C)y`H}KQ_9_0mFy*?(
z*nTymwdv$9$6jp_{=bS;FOFn2QE;F0)F%8`M6;+h6ziXc+su-RSFyWg6$@6p>Id6l
zN__Uc%;91QnhqrxQ^d7Rw-HHf?K!7bKuKfMou5;#s%RW3M1H|cgL1>cNESn3kKYFQ
z{imz&Yvw6{vMp)$Ks?&zwu8SCY+@=-(Mm&3pZQG^PUb=0#J-uHpWj=b-3PV#*9?}U
zUisDa_1WX^E8Zzb-lJE)&*vJ?%iDJ^&}Q|$&y6>nuX^sIK}*EpzCH>Tk-yc-^jz=d
zhGKS96!r6J{>mSLFnlWyUF9gK*~3X_()FQ3&{)8qa5sbR)E1Eab<p_BMUyn@cH>o2
zpxSWe^*KUkco+=6`1ENF>^*DLU1`gXtCRgNzAA@yYkU1d?Uv}On#QWbQmtb$qm4A$
zhH%a*R&yB-x#Kyf@^lG~3*g#Sd1eYLGoS)ma#);ZVU$!X`CBgP-J*+d-Z@`E<Z*+$
zx?mxjTnBerde^&}@T^gXdz6p7d_vwT>ud2?UFF|Oj#^f%Q{MxBI>C;Q6%X$@C$hYY
zJ;od0EkQY9@U@AnOW|u3wkro+H#%3TD0stOu`lA%^QngGX?jQUXOR(vs6^}OXmPD&
z&-D9^Vz33xUqX|n8+LbwWG#1ytN41npH8;`M<>$&#4CWill&(9o-*j{BX!*mC&aMJ
z3o$6?XXVJWn5(Y&K6bG7m60t-(Z`P^>6~kA1CykJx*=~~0PnE*Vh0b8ZdFoE<1xI{
zjPi6l>ZZO7zNT(CRVu4X!ueJsv7cDHdSk;8G39)TqrOp1rP*hZ`Rvqo@dqkDb~Foi
za-QX4x)+^~Rx@9S%O2g7D1*pR+8es03#SisT|*HBu2GTnZ3F`fr&l&vh40euTHUiI
zp&j1%-FNoJN@_UUIP{3oEBnL`t~mjQl$jGxQ$38VvhB%$y#app^Nf#kYy6=1%=y-U
zhhJCqQN3`;BtR#f>Q>y84gng6^rH<Q`zpNN(?+q79~4QXF~0B3Rbsp5_<DyT^}wIg
zxya@UY?DLtj0&3JtQM%+gu~fhcW(*4^lXz|u#IFPwXO^!=H(bwL;Xk9wvRZ9z>4QY
z96j5p-Ej-91Eps^lcyFnQ3&wW6!P|*$!*`}d}ck`mKg}=jq$G#R~zb5-zQV-TapCh
zP3Cm%-L@47hD9{uk{!gwoOq0$;*BY!p^1Na;Tbub{9DJD3DMUbrakcaO76fJ5#}=A
zs#D^mnQd-ro6dCM*}f6uFpF=$)?Ck*ijhK9UwQP&3q2v0AL#UJ7(=&R>_$bsQ|DJh
z{*VJ*g~N-`|CDp6G=hkVp_38+UVWJnvaW>~uOytK&;IEVatN4veB8DGK|Ftfz1_fw
zw;ZbvlqVAQ-xGj3YN*=LC&Gsp?1|(bfY${K#x40vfB^<tEb)NqGs!U!fv5O(Ma?DV
zyBQDm8}jF;QC!Z>M;xv=6ayX76VMkJ|CTcZe7@OFIPCiGS(@#8em=1xgMGlh`KKIp
z0~Y|;{{%sv0XV4`KoF5|&vQ2*1qMKVfW}|qhTlmB{&zJVAnJ3q>AAJI|Nm<5)q9WK
z6x%=)BGrvQJ`e?V53u$}09kOqRi{5)d7Z)jfwlqm-#`RmH$Vyge?R?+gaLlyzj2jK
zZj}EUS6>16bbKKG2D)2*kO9Ry0PHDX6p8^{d47@1cBcS4>cPta&;&nX0M-w{`<-O_
z4Mp-RTaaoHOg!7X%!Tdm_30GPdM9@&`qn5DK>|rm_TG@JccV<(T1gRsW})xK>pv8_
zMZUI8IEGbvxQS)kygR6(TIOx+`rVbfEA7X<%OCZ#Wo^xu9$0gPqH_3vHC1eht2GvI
zEYR1=jaHBlk}73mkJkHd7=db%3TB*Y#8=OeX+Qa`22DA!*ctaLE}(P@PRYVII=fl8
z9~do2uq}iMX&izmXvHtrm<N(slX#5ZXR){D#m6Eltp5F6fcc8sd%mPK9J7Y(?0b;V
zTy7aFe#HI`JE`+Rh@D3LTCYvWkPvg^uY2+{TmI>w(e~Vm_uA$2jwJ9VT#8tQUB5dy
zzgsUmy0G<YB`}w%W@2$eavkf{u7SYscA1|^w{k7lUFlf5Z!{*lv7uMyvV`aUrt@Ic
ztwxgwtrClA!ys)#6`U#%j+&$6mlUT8l_du)*gV{oUY2u9U`-m+I%tgOHLM&ws%3lI
zLw{5_c7VereXFH3+KP|IX1qw!_5dAb{Lz=7&di_kF`?aw(kMRdI|_p1b0{|Pz-AiN
z#$JBkwWPaOhc>s(?pZJThnC;zm^n7!F#la^wv5m(W6-9tR=4h*Z}8wCH{lu8AasjJ
zNZZ8Fed6E3*KeX}Ip=M+T&o`JHtaS=h9i6%r~|PBZN2SW#8y5In7V3iru1(cE`=~$
zpU@;9Ajc4(h7X6+(!zZD=&t#n{DD06HwsO>0_?d9j{i5!*uMk3RR9D0Jka&uJi7sX
z10dOdKN-xF;w=NO{!stT*$RN-!Tz1P2f)FO-Um4T<9PqME1y7*j`vxgqBGlsU~ixJ
zJftmP_z^_$^A&`HBmWupfdf7T{P@h-wNOdJ{VkZ5AOGEMp^u=rSCBN=JBW!XZ3HMi
z{Ey4o=dJ|g?u0V_yT=`d?)`g*yRSh*fIkR8JO>PeNh4d}lPbPOBJgW+9l!saRdLv}
zqAF21i~mz3C^yjv;UtK0%)cpfBO{<l5gEq_hZ0%o1Gjj)Xfl)gtQ_o<ahfyo@%MU>
zNyJ|h;Rcd%Wg^)<W{GK70u6bz9J`QR?Y1Kh<)<H%si8d%x6uZ&&AB>_C4|C#=R(}K
zqne_YQ>4x2!cru9KfB3ybi4tFrQ1}+ahlApAA(d~dV+$wlts$DS&%ed#-o}6j%&Ye
z4^}S>;*PQalkm5lD-}4Gxd09~4+&xmnUVoKj1wU{y4)i6l2m0wYm&nq{D^lxhlTVa
zsb`Hpw`*T7sP*iwBzEN&sfC)XALDEOnIF3mj!v($+j6lWb-5Wcv(<Lkz21~FeAxSj
zOx0a=%G)U{MKayaptLvqSxOr4;mXJ|EmVLhT#tdQEYbS$YDpw#DZi6KU@(%xvkO{Y
zgQHxh8F{wWdgmFa%!`~^C!xaVMs+;?SSGdEt4{bRdNt_|&WFmNQE-b2a?`RKrq7_U
zksEYWQRp%mD=jLfn5L*LW>b<dtvX#{_Z>J^t?~?VK-*KASF*D&^)^Aopoc9o)j<A+
z-1_|p+;kNOA@1W?yu71EKZ1^c(Kyw6wxDAi$NoKwZUjTt_Iomq-2%<rZfWrn<$l$d
zYT|iuoOrK@VZNlX#{P`x*Bc=$bxa}iK}BjCaO<p3(LSQSVmyFM_}xBQn4eI$&p@tE
zQCXS4tX}|)q|oNy(;rgR>b+`_NsoMb+K4|Wk<fa#!LjlW{nb5JwhP417p8lXa@X_e
z2I(iK<SobCOHJ)WmVypM4tqN6SRl=@s7@!1z>fW(4Q4e)j0U=lK1E{L5@b%CN$Tju
zUE&HE9eUDRj(f}5y5zHjiwyYV210M=!UKds>}OeFf*jrCwnKYc-DWqFk(!-?-<vKw
zUd&pMO^A#J?=7rKH?fd<mxWREfn9N6x)LTJlj!3iu`5i`)G;^tIgNpJS&{h;^@%+o
z3H>fjn7Vlz+i7gJnSiK^*(CsS)(ZZdy?VS0nKnHrU7$gRYj9kKu_W<L7>+WoaXrWL
z8$SB%{S@0Buly(EWShTu>%D)gz^!~yo)16dRC64b?j(HB?^MhLbT|+U+(wd)I9Md*
z`H=PAY}(E5;aajVWw*7}Lbe36GsU%Fe%Lz4cW)Ipy7SIhtQ<*yTcnrkeXE}4NJ873
z*Wd8ChwjcA#oa>7gI95^4-jXFD0_*swdgFa`b}AtGZ<ryNgfx%kqnXdZ!#k&x9o|0
zlmW_vgs<Gsqx<Kc48u=a{Ig=!*FSf%a2XPaLYhHY{4ERJ6>(g+q1;aA5d1n!&S;Ex
zUNpxY5w4`A`{~kLA#nLPn-A-GV+Hu1%2}*Tn)zuZ3C&IVC}Tb@L+}2Du{pJ>F`q_c
zD3T?&8RnTW{)+@+3ksD{l^_Yy5>pbBd*3(H(K_zxdRAyn2ph<ueL4#(JxJCVxXJs{
zJ}a9dF*fy)M>9X1PbAJY?$h<$ObKTdbqZsI=tuQH)PdvfDjII99RhdjHsANaIwZs8
z02W2MnLnICU9PO<Q&W~$46Z}Un44P6cV=<F{f0-$AhC1FrXNBSWtp+i;~4dKEvRSS
zdIs4ELrvB7jY1wsC@dta&8W4MAE$gkUM>SaJDOf3J0D3FxuI!&UiY5PzF)%TmK>Zx
z`^wTA)vS8l28FL4%Nf~09CIU3B~*3<qd}qjmWGU3vRQgB3bDs4SE8McL1u3=8)&qp
zI&Vi@f)J3dGj>ARRmDgU|AwYstR3+db0QtWg*zn*9xwcGu|H}i???VN*H`V0(pS-5
zzmsb5DLIqw-g$FPJNf=3tQ(LsYwYp?ck{=aT5e!+Y&nONgQS1exq`0e<rK@IUu0j+
zTrtJ%FtLN#zM_*_lFz+cQ0tLf%eE1O&`Y%(Y3%SuYfiH3@VDOOR&~>gNo=~tQJ>n1
zu_EA4pxc(AbP<}Fh151Lky$(}=YYZ)+<Bo`#m4Eg_0CQ@cpG&$p_qUWYpFSU&hV*N
z?)@6d;Fhxf>UE+#SfRylCJNIYp?{kuaCRu@Qp=62mYm&n`FfknKQ*6|HTd&Ar<Vcr
z;pyelp-+fO99om6WrT6rqPI$;?>|j7bnL>=LK?}%cRZm00sEHyeCf75+WPsFWpryu
z`Biy7q#ETY4Xx7DG}2Z)(4?<LnP*;S_225ci3=m$;0c#T6EUbf#GXMElu-AWq~U^v
zZy^~oh7ghxG2F_IKfwJ~N+F!GP|s<izzB)b$0~ky-~GDje-Ks<ifhcex*M=dO3YOs
z;0DpdX=y7uJ=tpQ{KDBia2)39()g~^T?~Hjo>932F6EQSpZ7P-EqZgRKuRhk^~>N*
zJ%(d+sU}0YZOSZ(LJbtl?4lzT7Uw1H4?r<8{Cv$)*afc$)REsa7p_4tf)s9a>+6~0
zJ1Ew~5#rAC?%Owx#cWPj<ob~IB>+1ePB)<Yb%V!D@DGnB+779JE})1o2%^Z@@?zb<
zL6U}jv?u5=wN>5sR-GkCDB>`rjcSf*x!H8#`~80L$bE3RgnA>gOhAA)NzQ@9@2JDd
zL7{yhn#$=-<5=~=t+AHR!yjdXpdJ$G%%zH%wBzR0d^x_$F5oGA!HG@ZP`S!V5X@f2
zWxd?RJ!HaCgl9Bhb-l=_6#X~q`fH0)ktjMQz#8cV!R(*?3*p3wIRjsgU)^~0u?wcx
z{Si59@(;YFlhE9hR=HG%puRwm9}l>;HP>LJnFfEH@3;LdsrxQ6l8y^uH$+SR3?t;x
zwT*R#vcL70fcIN;mepGn*d7T6=4<U{1Ntcez88@>A}ud&^MOI%)>ac0Ms`wp11m|Q
z`^aC;cy@zW$)j7EflIywzlL8?KRiySl9zW*ZImZgRUpU2{Jrd4Jdwt3Yfh@TH-j^e
zHVFr4Tnn790uU0$u2s;g8@RlqFQnB5L0DPzPPdPnq!ZzSP7Jn&xj|iJ#G>6P<|PgZ
zZ#txnEYz3p4X=R_dM|POg)x2IvRDjBookgTxK>R_b0bvgACX50+00V&A#>!mZ8FqJ
zlU};kfsn`mO%SHq(dc#@K4y&B;j%#IGxGeds95?MG{>L~x>O}O)>gtLv<h3wQbBD+
z@B|!Oy7nJEgmbl4e+!)PSFWD5hv#QJd&Vn?NaO}Y#Ks6a0~CHWs#;d`{Q&*sHi}1@
zoydRr@gzj}CEcmmHw1HzR{>RVT$Kfu=SP=9KMB@+2W+`V(sOQ@ymJw9oTqix<fd*C
z7m7=+H1*yj3VSXyt)R%vjE4N6O6SwYo|D&pxxwDReEfAaCG<r7Fn`I`TNNP*yCz}S
zOq*uAi+kZmr%w9TXeBj0X^x$|Y)AXC$r$58OaG4IZN7nJ`grd+mP_=@jxyNL0=F<8
zQ)Wl<SAwF5&JP-Jky12N7wMCDLRtI*?@$=Zg<LT{^PlF=Z<_(uC%!=M(U<S$mGzIS
zTh{*5E5+1=9tuYsf44uT+Z)!Qdq(?3|26I!T?;r}sQ@C?IhC&QyWvM&X^RM~4zQy_
zRf`dB(~48$*~&e#OHl-oOgr}h4iaawZ08+nsg3u3$foo7QGDM@j3_&v!)^fpCD~vB
z0GJMiQg8^La$tOGp`erNKd&hRG%$)dPMZmKeZ(hVB@=BMifHLfF5NFrNjS0ae^EfD
zZH*#cVT>0|@anesLDJhl3^LN0&m4=yulFxNX+-Mk?a@YvPQbZ~4c#4n`RlEXEq*6*
z#LHWGa`E+5PpQ@mHwRkl?9=^ZF^@J-t0GCvx=U`PM4Vb6B%eC#WDPEA+6Jv&@wd;(
z4P?$T^L@&?2#TS4;4O35-yAoRL`NsQ9%$;>?zqmdtRIp2G|Rg>WUK#hY%n5?_!XY-
zC(whWbuWh?*V>oGhT<xVVo_E=C&#N7IiPZO^4kgXP$F&5jxSj+(glwSg*M+l6mQE9
za{am>C98|lVr1zq<Y(WaT;&^@)<h-OQ&S^AXB%XTotGt?k5Ns%4R)#}?|W8*i5;V8
zIE|XB)Rf}5#d;I!)s>yUA=%i_A?(Bv-+osk;bQpaw@7fzCuw$rYQpKP%|0D}%oYQ7
z#kuXSrf`x-&Sa-$PWHTs{&sW6+5aL&C+VeDxMrH24pZvdESO1%b0xh5-7$KY{VX_?
zQtC?K?upS#_z2#Qb@mu!o=uUw1bfrCGG$E7<W8=W{`|v4x+lJ@#g|*d!j4s7*65)`
zh($6cE5P+z&2M2warjIPF|&R&5&eYfF`<H`@$!Zc88j!Cv}a!`e_LA-G@_vnt9k?I
zKeOS%pMp_*P@;MYcz1s$cm;GnfQ9Go?tb76P)Hvw{k&S$d_#QO`PjNT`%irJx0>Qr
zmI0n`iDEvIVMbVzGd_RvAw}JM)Pt8*x0=gRE-3#^@1Ln!Me=^b4-dvMSfY(np1qEB
zKf(IO%<O?#4=CVzY=qDp=aQQ{SR-7R!2L2=S&lQPKRP*{&@hc&VX=xP9ieONQKB`h
zId<7WemCdc5m>FhFQxjP^M{tb3&*7ic@~0{7MdZs`esfJ#F4_$Xx=X%f9vAqU^sIN
zACpN)c6jDWw8~PLue(mUs7{kWu(k9qi(3CUl6I2S?o;kcsc54*z+7-6&z9b4ORiH}
zc_cX`)W-)_w(zxq87(Lfs>h2KjMB4{{Q*9HW+OfNCU;cW;lsFq=yt-fD92^Cwl9^$
z!dY!I@mFTHMA+8Ob&g68+PZ`k-nXg8>Y>enp=oDi+$=&z+A{e%gGlJ(z3;wXIV)^#
z>!9|WpuJgjzoS2Dy?CCEVjc^Cox!nTw+o5aOZ`Z*_z7@0o|I~PO>yHW!WF{11->Ne
zZPRY(u(Mg-EW+ugAt*3*Fn@jKA2egSNJE=XFug*(-4(88!>KaeeooRDNYOo1mVpn?
z?$b(#p&e5oouOYOF-2;reeH+9&p+4euRe916!b@oGi`V9{d{gGE5dz(nRu~LgS99A
zN_35kyqvnOxwSZ|ck4a=Z#J}=8?O2!`xV55k5bb_yPomBN(|3tz(`ho2PA(0LANCS
z8^Eu&*-t#}$Iu6m^3h!e_=f=}{<cC~7ymD7p8XTLyRLO#fKTbyYT>$zDte3g%~ByK
z8zGo0U&MaM04hq7Xh$?bC~h6Pipz)qeD91M=4;dmQBV@q>}vMGbtYz3(WPIFFYwuS
z@;M3MdUdT^6RX*CMD0DFbLs>vQeaK>eVvy!=M&^nGRZwx6(5=#kF>)JS&6d!7jgQB
zU%v1PW{toaiX7+ZqjW7XnDDuD!5gfxgmA-Xb7QMQ`@qmdu%0uRqCNlIq0oGhTE^fc
zr1D+>o+YVhy0;09K*JhB78BNQQPeh~mueWrEqoU(x8P^1>}^Uki?~Z-P-umr$1jNL
zuYvU6se<yxpI&PA1-w1p`)`>lg^Q+QbdSodi`{Ni?K&|kII3UuBc%;xEZ3}8$s+Vv
zJPHbC6J+ZKuxP?)aq2lNymC8ZVac`~?L=ve3PU#su#yt6j5TK*-r@R--1d5ny1`So
z>SEZY<JFqX!w_l>Nl}}adUo+wUhiITU(s4swdEao*4zi^jL{!-mbm!e*OYU;)dy@}
z7`^MpU|+G?Ja;7Kx77PQYVr+!LsCL8G}NTF{iaXD#o_fl!w|4-V8^-B==4$7$a$fU
zo8?a)$hv@NEK@Umnn8P^fMz?5?Xcsi+u3Aa-}Dn>|0|2>`}Ny#+iQhctCR2~DZ!iT
zhnV=M3F0*@K9DuEaaVsCS=}MPT&0H{c?GA#VBt6Qh5NPt8RZ$vxH}Qhya%qfiQ)O{
z6w;(BPk;V)3bYPM)R??HraWSBiW2?B&z37rxKmdD3l=4>Lv}38dHA=A(g}?W4HDuJ
zN`e;l45CPy;@x?i9)NH1He%%lPuc@l^RHl3bYqd<Z;r8)xH)er^=h|c<#fk~9*5=2
zpBOKPe(o`r3ezm}4LONxm&Q1+0$bp(7kxEvv)IJQZyE*L%4XSbW+JT@zu4MWdB`L=
z2_u6piqOz=qMm3&Nt?*bExg?7@ASa0xc^Oy{_2`Quikcg3nuBLWggai3n9VSEB3F=
z<B_iHd|1THOih!lDOt{m(s+{jy)+d>shdk~gd@rSNyI*un0T;176KQ)T!Gp4J=aI~
zb()c;+1PIpmR?T+4N5OS5UuwV-L{R}=LvnmCzfjYXKM1%fzs!hNNJQL*mCG%Te+!M
z$6-3Jg}g69;Rw@g$9PEgjJqR&k^7BGl<Nw$)aNx<mh@iUjqo9dD~9h!Qc7CO%Eg+m
zt@0e+ojFU^Dkc;S<ahz|;{-MK<JjJ}Y{DIm{T~yBiiq-D46PD~1Z9soC$P9xNH!0H
zptBR-T8V2^F$Pddi6mt(JwehpF&=dightI1)i2x~{((PA7G{y`oxif<C>obcT=Mxk
zv+E1&4TiR`c;<T<qpA~u=wGsA#&lRJw>skjwJ>gQ?{;msz$7!d{aXOw_0j+H5bA~y
z)dR0{GJwV~&S-NoL9uf%Cie+2T957igJA4PgcGuZGIy1c{0~Kl(u(}y;NrL&jxWdI
z3Ow7AWrIfS5CQMicimW&w4|R3L_g{5N#*7>%VXoz^G?lJ|Fee58}ZloDXEzabaZxW
z-YSjW#fK*XdV=!^^o}j&9O!GMhxPJ&`+5H$%nJKMe5WWgZ`mMC&r6D>;|1KZjGUvA
zGfNc-|9TqB+PLWPSNthT>I9ixNsYRv{W_VR;RfBd*%@@RcRW3DNglS=ZO@~Vz+qM4
zO}J1!$sm*R>Ax>87)%Za66Zg*KTSD>jk2bM)x2rfx7T-^x9HTLU+hN79M|9J0#cXk
zf;M^*^4z()F-w@Sx=O!V5PkB>c<PZ4ID@6iAB$d%9}5=oV;;oq*<oUSl^zhFJ{RS)
z2I`kC>~BgP7upsgQdn@Gw`?4;xC41<v%aIF4Li6{jFIq1?CuL?epkID{IO$%>N)bB
z?>m+%e5)~hEs`&s`PR|rhrVy6I8^O*LIyUQK8N=WoNO!aHxQd7+M`l66g6N)-v;3-
zwD3-r(!AFT(tel9Z<f!e(>A8S{#d1QDv`Kti@Oki!bz=I$bFI^8IEF1YZQbm)F4}V
zO$-vr9=@ArSyUTFp5yBvFO#mn;1-u(bj4sKMMkit@yGc>eoQS7AA`hjr8Et^eb$9!
zK=aD~4Xa3S=f}MnOr8>7oNu<2<WzwxG%gqVD<K4tz16Yj*8u910xT%YDHsEKm)E%h
zwgRt|8Jh#i6m-L9#Htkw-#i7**bwI@6wzP#c#X|&%g?=LBv!0qysY%8k0YrYYm;6I
z1sSeQRCA2H(j;|<Sd3A#{2#q5tmwFOLMrKRZp(BH%Z2UHDwpP{`!>4{sR9%@<a$P8
z`=oIf%|xbJopY>cC4cjjS)$E*FF60%W|S$u+&dg2^P8P_<*Oe195rR7Wey~1c>R{h
ze0qo78o{P!)4fBnBI25}X$O}-J`|3OdoP(kJ2IuRo<i85jxNsR63Ec$J*!>GBC>?|
z@}!-YKu!=&DHr$p$bmWeDMA5aSkrKWzOR4zUW~$BVeGtE$}6bUR^GF3wBKuURjRU3
z>Zz9DVNMs%?%)S7t^U%{EL>`<wZ!5md$w>{xWOl0F-Ax%l%Sx9p<7^j`W)5HWeinj
z=<~YXv>sN8%zlb_GHI~CYM+qGR4VeP@p;=F&k(bq2htUIC|c5aJhMNkjC@g3$Z;$g
znen}NgH#-){83C=28Xe{8Hetu3s!GE9nRFTDZ5>`u7IfaQ;62CcXI0>%r!f$>jD24
zJ=yP&N)R+uY2JM2i*oA3mpT<BsN9!vN&#n&C+U#Wyl-38CpuoFma|q$HNEiYIvb(>
zEgy1kk+t;iz?OuRtX(jhqK<MWI0DF61}Lgb$b~}a7VatzYX%PwbAhvUW~M||<g6So
z2-4ZZaFcJ)<Riwh1i1?R;Wq72iB}Q`gp1pI7d~A^o~MO<3qCPT)FLIag-FP4=t!`O
zRn574w$<y;M`Hj{vDb>Xz5Sr0vlCW_sjBM>QT+;koz%=sS<tC3p;S6L?_Xl4W`eMu
zU=m=NG~bJX4&}9ICcjwPy>gT;v=z!RF<GcUVm_X${fs|fYb?n$+;WYGIw;2wuGn-f
zkt(+s1LHR&?Cb!EMCx0e@)MfzU61yahJ8ZN3i_%sAo@^DsOjf%eemBI$WwRsUPtfF
zDnj2$zk>LG>!hIVVM`4BR)|aAp`{7?1?d2+NfXA73#3k8Hx+#9_CYT^cv{dQe?WN!
zEV<f4W^VioZUPT>#~HJ_JI_@WeD`t_+7CNCEoDb}tHJ|<;x`e~^<l2b5y=m|4a#G@
z#so>t^(OX?y<d=T&`B~f*#?KumM-}h5Na8%#UY5$5xybz`{JqH_shA&sK4bt^eg=h
zN4>pyt+=wSs9=-EN(Vhq^^pMFTB1m!Vn6*a@YE&Hw#;$Dglu8;nx!he71q->f!?JS
z#!D0T%)F=CFZF?$rs|@aOcvg{TAlFB1b4MiE$7>CT*Dn4UTB9u5K1qF`ue%pTPN_M
zccw_DfGvOE%<5y<z;N@SV&0GC@qJy>&^zK}f#b)%Jo1E4Qd9W#d5n*wNJ%T3SkSvJ
zj0Ko%26Q5A_<AKH$3UI;3kY3aT|F<hm^msw?gv?p$y)ab|LdUHLA=&(lt{e?jxO=*
z&CrLEbHsH@Ex5Y<XvRx1U9=qnR=Z-|(SbKVlXAPcPnWLJX7vf$E-%6to}mcbn0le}
zipH0KR6F=wwyI1IubZrP7i;=08Erm=XN`n6F_+uGxE-<jy}ao@sr3Mqi<GNSXaelx
zg^2hV1Rpr3w%%nb!n~DrjRt3b$Ij98s&BjBFMGg7|GwaQHjJS@m~_%QG(>7XUaMj)
zR(CyH3nv?AOD1Phgv_mpmV?VbJK%(TvxLuuCb1?S-h@Lh;#<8asbSnGw8UuUzbDx&
zvJ%hqFq)E7G~@|nKu3(NE{o)a+`z2cn{E}B7*9`iZ+mC9I+-fbSKJz@(k9?}`9zo8
z5==2!?d8ei&UnL-N?c`Gz$=ToMDTer_hPuZkfAe*p^}Af#xS909g9a`3(kBYlbwIO
zetN08uUgV!-|K&Wg}oHCu6C}n{twOOj65WYY1#HWnl42;e#ezyzE=iU8y}u&lvvQk
zm7u-$^Car!n@rLmzmrP%5ROUXgI*1-0tPI;9!FNJTtfR1nt&>_K4Ot$^yeJ%lv4d^
z;UV5Uvd5KMT9HAW8=1K$1q-vu;FzuNz!fteTf<jkn7_OhOUFG5G22n@O@y4h+eb<H
zl%!--h9NXV-PM6$5c}0ocPl>hK^QvQBAS1@m!=M-O241a4(bIE21wFx4a~1V{~+H1
zIYhb}|M(9O^FM%u^Y<fQthNaH!;cQe@n4yak>3E1H-MG~w0Ha=18`>iiMKzP=N+m5
z7E4%`Hga%b$e$mOFL4vETT@g12oNv+mLd`#%mqLX;QybfiD#ym<5(!LFaM!QgV>Hh
zA8VhY9^DOpC;-6!{Rju<&|kT~^@E`9HY)c&YyLcc^q=m!{uEpT-rq>J0p-2|#?U&Y
zkY0x%Q<&iNkV_AqI1OI@VJGb%_D3)6eru(}j_*uzEhG?{JK7)n$-R<QZ+nxD1ZAIY
zJ-X@k={nZ(qi0lu4Lrl-CRFOt%i0&b`T?K17g83J4u3&@d|kEp4)*&;86d}d#xewj
z0mZWnD<exz?twXaoA8PndrrCH%|JgFjPpsZanQ&CZtEGVDdBI{qai=eZ7_D}@gOeD
zpmwcIuD_SIu1gyY=uYH_ee~l?Cw{!H<01`CmF6_IUL~+a)YNYTASp3+MCg{oMAuF%
zzpBC0NKx5j$?!%Z9P`p_Z#+XgTc6U`k1*%BN3^s3nns9d%PS2>Xw!x{et97BywYQ?
zajLw_(emy@_VBJi^L6Q@cjw6-qx{Vdv#HqXtclHXtal6LW31cDrb|)6kuj>u+Rbl@
zfQ0m4g|j9C2eGUOz0SJQ%V~dobi&;~U-h_nYWwPup>(|fjlXu+8y?pkq-1geI$73}
z)3b?*Za}ck1JCoC7fwKjWW32~XP5L~4^lZ7<l!&OY){*Bv37~%kj^(aA|<6h0+$<&
zP7)N2==&^&BNn;H7;!%IOll6HpnB>rXrHveuhn2EY_p*=SUmhfk`G9@CglFbGT;4+
zn#=1{^BWdE7PlLAO7!0<?oq&Rh1ePKcT-?|TeK*;X5Kk%77$*O9K-1nUI82-U>tTH
zP=>h320O@l7jB*K4CX|+z)1YPGw7NnWu(!S&8dAW0`Jsp6OkmdR)!7#&afnTy{@_J
zxmuD8RnNGJ*y%%op~Plr^);gJS4T_|Qs%n>Mi+S^Zkm0wl!%fK4fS3Y_BaVq1J<Kl
zv_KfmjRa1?Jpz=7PRI6|9syBMxZ{F`Yh#Co=vzhj91ZK=c$vIMaS9m8Yvgzfxi`(y
zn&!AHGC#Gjl~QMIHK6hQj&p`_n;t!#$$YA@#F)6np!YAvp9>E)oj1qmIWzI4KJ#8Z
zSwpU{52fEp5#;WtCF%<ddt4?LwT@%V83H8HJRrlF4tp*p`^S_6I_<0y8O}V_wXG13
zdSat!W#2v=pZq@!B2+T-F|Ga`35Pd_T&g1{`UA5^!f1?sdVi0;rkFdl>h4~XH5w24
zkXR5CQ;Bt4;2pK>rS$3Moja7+WQiclI2%we_C1NE(@KOEkfAvG>J;ckcXboH=N>n!
zim=pqrU>4i(m{dz<P=(1fT};*_lQQ{HnSri!xjViy&+QIdDpGZg+?1h0ta&<zIG{e
zk`3?m{@X`~@AOA?HcqtmMPzzbL=U7M2(D+{sIbCaR%>C#BUC+7p=@wnFd-w_MX4q-
z{9-FYm(Uu<km0z~sWHaJ-55pa{0jHs#K~Pqs<^1GS9z8+r*#}$tj`}D@7p(Bql_x%
z1YGUje$wKl;G17P&9@UtspypZzFX?GW&mox(yol>lBI-8_@XlTL6K%@jXjFb828tY
zYTczP1S^d}TSwlvV~E~aUEY89hO1`pbp33z`DA!Ue&qBkm-<#`D(r~#UE9VSLcU$t
zfV4E<ara)2^g2aemZ+P5texsmRk`a;DjKU@&hjTP*v+Eha4FkhwJB~eW06Olo1P}N
zMKy}?9UHQ|$%2s^+lKJ%1&ggG+aIMx1U2LpSave!S^u1JQCXl~|NcswqyiqFl_PaI
z*->DreTdh0ZT3J}edJd3GO^(uEnnoe8$t&jFtOokGYLCIK-(;jW%{rYby4WD%@MoL
zWJAK)<pk`3Ee1)q5DO^OR3)TE55i?fzL7ckWB5q0c;N4ez~*=I1wzMX=an}hK2{Od
zAR;9Ss)r7HwJnJd2bzdlWqPx%8d}Zz&bVpB$wa*^Vvuz7$jU3?q$~^Mxtuj>ljmRY
zOhU(?9;)@0jcK@{dfyAVbqYMJz|1?T&W$NRs{KP+3XA*afKQaOaa<gskTpa^#HskB
z=V*beyDz@i-R0;3QnS}Oc^<_ojNN6O#_ASlxo`K+G|~krW$iNTuPf#d9;MJFoe%;k
zvBJ{Ard2<2gNu`dr+I-@$b;L}=W%HyP@eqBqEDGU9@Iu-Dd`J6543LRqBSyVqP39v
zBDF8u7w}X6Prz9EE8u@iBK&?e8<_BBQ1AiU0fgXBo%y>|>Nd|1!Gq!dhv@E4u?h4z
zyM2hk{r&H;hjI*19)1VTq%>^){wGGb4(R^(y4CYaQWDTO6;!D0wfVJ{7Bk!KrdWQW
zJiYzjo-ua5#nD?PAj~y6EUDqlD0KXE%k5~L>E^PV$-4r(c}3o7*>oaxOn6oF9KkkE
z(csQ;;#y8#>}Zdfe#jXAH!%P^VJFy%te)Y8B2@>iTIzB<C|x_uvZAZ>WOS2Jz4Y1a
z7wHW1C1_D<A!)-d(&cCpM_oBSQQuJO<!z$Y{OOfm>anS9jhz;=;|IeL&93e?xIV-}
zf6WLc_*-G%<RhXx>$^tzKaCt5PVy9ZRD9>jp?O-jjd&(y&Rz_b6DB`1i$<T)hxVSo
zVcU^GeemZfB-*DpKGsK_G-q*~66zzb(b_8f?F5EgeiEmA8>G~Fu)|cmi<O1$l7v6_
z26$jqg`l+M$OOEil@%c6xC2{6vLh}<3yh?`SDhq-PdLM%V~~dU_T^g!!=0q(_k%rE
z_s_b))7cjHZ4p1dWymkKe;)<W3b>%sao<N3%k8JR!*v<;a)8=5%X#EDy4vKKn1769
zmt!^#qcIFSu9M?5c6OpflBerGu7(mgJ3H9N3^JHe!43#5y$;mgcd3QC@`{9{Z*{~=
zrDnfxEPG@c5*bfBqFb~V6DMJYzzQwa+Kj_eW1GX^xo!PbKz6Xr&Sp#^_a+sHkBXZn
zi~IzB3&kE;#rreH4L`V=sKhfpOn?7J&RGF%$tu_L2`eOtxFvZ5UO*zsJ%EAEw|D^Y
z=@ae*a}1K@c?8ZN$|L^U-F)@@c<g)hzlFF3(e&mzh3Ze?aoF!(YTVr_GSFDXJHDSe
z6tx*bO5iHBZi=j6*Iwk<r~9|Ra3`~{juT@%)AIyC>JO4A+_=7+a=8Q^byQldyE00t
zK>aSSxWuMH#2b{@{k!S7OK00@Ws}r;%N=<5_%E(XYZT_vXzFZ<{2&Gm-bsVc|2Mfm
z5{ipoam|#0(p=w&#<!Hx!OEsB*1C(D`vJ5J3wURnKcss#F*2P}A^b-mggHO+-z@qU
z$=Wy`sQbDCqgLnY=;7^a5$)_jy6HXjcv1#JU9WV_9e2gx`m88nt?Fk|U9|O)=8?(w
zJ_$j+hu*GasLOJedYWdPXV=xc;>T<z{fHi0T0-u7=>Y;%@0mpO`$e6VZ;ej$n{34(
z4ND>u$&tt8_lAuT&&8%biW&4FIqnZa_K66BYauCrw0tzREp*L#H+p!3GdiK+(dgh<
z)_k&9lH{8KEznf+d>W;g>`vC=Ug{|agjFG<Shx}~Ooyj{k`Lm8V<LQn{jA&-g5TfP
zq3{#+bp3Cg;uK?#?!>jPgs)K>a^2h)(S(rI?x8lenEE0|PEOXAAQqpZp*RI;)Rbc%
zI)33O>o&><vdRra|9&hx9@7_7p5KC}^n0KOGC*Dd+WqZo7Vd@$z`;0b2&X>r8-bMG
zdREh`bf#4ng_~j^YAVsU6fS-%ujkf|Uw$_h=Is+k8s7rkX5agVfCK;27OQ>YL;Xv3
z)`7Fs2g&^Z?Xi7;1DpT+l!~La4~V{eDpq~_Y>HnkSWEK$zaVJ=fYyZz7=%3r3Zb!{
zyQKjX4**Bv_nH5eFD~(aJ8@}!AkTcOMH+~U!_fjtgjp+POw9_yoq4S2<=(W<^$s*F
z5VGFV!u<WKtp387k0C%IUhA-|K<BI_FSPWh!x_%vG3q1SuLWoijqo9t)I68mR1V=I
zgrXuUIWP9eIybgg5k@V&)=ov*uro2eN-cj$N}uasq5bNgvC>j0n5=#QYgVJ@Zm{dH
zo1m@pRVCFqKgM`p<!y%{NKhr5J$(-(LbL*QF+dA}LKv^lUWR;!!np09F5d1CSH3a-
zZ!pVuPf$F?UJhQP>LZGKNA0xn1f2a)Yvr}by-U82glL1_dLz}Eha$+NOS_;OpT}i8
z{Us^GEYIka6Wqf=(db`&(N0A~dqPvNX=MLa<*{A$A>41)PthkY6%e&znIb{NI$NDv
z=bCZ)JBL#Zx+*0V;^FETR+I$@y=iH;j+ZA|1$J>kYjo+Fw&U-oXsy0UW_9y>rCl_6
z)390`^~|-6PpC=go9|wP@_>xUWm0eAMN^myhKMeQ8tNXw#PZ~z4HbOpgVhVAq0XV2
zEL}CPCb?g$b*Q5sqfs(4OG$jBJsf8n&N;i2YxR;q%*dugzt#5bm92WQZ!)Di`cj;w
za#~$|#io0W!J2&7yxQ!8w;n;oPA0dxqDiYJS-5K@_%LPZ%cQ)m)a%B<Lz4YCN?;O9
zHEP(x0ErkuWC)ZH0z-dXjj$?Z|ArUwz;+=j8SDS8VO!?626>;S<4s`Xo5278`3U5N
zI|J3rx-&m7rNRD!{Q-V{kUIi60%yR#|2M?V1CX15#FwL&9MhDA*#Cw(ErF{4t#C7`
z0FZ}(a{p+h7))hRKx!wXjBIzE=G&l>cM%@sr@7g(0}V+9l8Pe+ep~Y+#o;$r#MVL@
z3SA7;p=B}HHR&&ZX6alibaLOWJwTDFnp>C_R<y*izB;i#WY9h~5bDoCU)|Sc;nb23
ziWOTfQ><U8-SY!~+byI`3Qm(56n435uP;`8BUHo6;lnx;Wao#9&_LIaWRR9~!)zNg
zaf9N&UPz2pvG1UegVBBz<*eUKte#$f^hAOmBljRhlL;0<jlWgwis!l2Dw4P-E$10B
zC?b`CS-f8G_aB?rtGE$=Jw0A^y6XBFX8+H7(x<Du4Ia^tiMo1<vMWl^if~xI=Treh
zG;l-h?mncTfUC0Q|1kB9(RFoQxQ%VwW~0VxoV0Oc+fEv*v27cT8{4*R+dTW`{qB!@
z|DAF6I(v*W#@=(y^~?v^V-u;Xitrn|R&yn7lUo{87!r-g<Px2-f9gZ{Q!dwpYzn$T
zD^_Cl>%%53^;td>QE4{Mfp+2<kQDC9gua3M1wMl&xX+z&1<x3jMjjix$#drkq0ugc
za&#^41YUwM$~e6?rWpClpj3pcM5iSy_CmBRxbpFS^__@WxQU<@K>GCHVlel%9LLN9
z$AIc!yW+l_!vB3NFORsobjx<IY!+vLdc`(?2=9d6G|r0a`_~7TA<4$I3@WDI?O($W
z2pomD&A5UjE>`U~KZQQXu})pV#Vtcp^7oTc=o*qsmG{$nMNIkl@f7FzZzB$DyV4De
z*^@2PR-_QmzTE)D43O0U^h2}*F7E%G|5X5p*Z&ndGgfz_{~hfA2PQ~m0;tb+AcX(A
zFPU3kun!mzP!Q_$@if5d_y4V`1a3iXpUnItfQ6-W7zldx?ezl{{BinVnX};*`J~mG
ze;Il5)oTWZAS!(m^{L0vQoF&mUPvA%8EDI^Wc&6bA<@E+XnDSIaFDhnO;e6YO-eyq
z#FNH5B~$XqqN1WUKtaOACs2ZcK~cg`Ngo1)C8n0;#g?Zf(AT^CYDbrq<u02(o);ZU
zx<BWKA=PI1@2Y;;R?(qLghiPtSf>A=s29oS$~1Q2eSI#L>q#Ml?Ms(hw>TutZ&oC-
zn0e~Nl5(6A3?BZMycvW#PnUgEC27%jtgL0~%BD4Sr#F=)7{KNpeCutbY9Jtp+~HpT
zF&E;dUH!ZcgZ9XS6$ZYQ(NDjp-`<vmcl(H2-a}Hxg?}yzlU9_UCq|H7!tj^>y$VX=
z{+2j8cPHR1qx{t+>1MIaT<?rji4kQmP|_o8$BLtf_x7jDbze$awM%_yg&mF{rP{jO
zNbQuhbFdFWS`5CEPsvUEd%qZQ(RRH%nVW_@ZYXKDR?QzsEiOF(x+;=Is+(EVyucR^
zFxjAp8u9^~vTm7%u`MJzH#5Yw@W$_RCH-x@6P7BQi|G!Ij%8H*UMxyd-MjOXC`xiB
zX8@kw`w~M&_9~VbIm(T7zt)(w#}@Z$h^pf)c&#e!5S0re0g5hz2hKo1xAf}aN7s%E
zgVSH{mf9k49SVjQyaxlggT6SwI4dU)+TV24uqbVtxK#uUuSEYgW)o)JMV_A91UvY}
zfz;akh_dt!{ISn|DlRh6iqimA;1qG|iN}P3I0my`q1WX$q(dc>p0@J5f?~mzm96Mk
z#0K30tg!da&!A#|(x8&fWoxuPjbd>;FVdTNL;5Hb@m@<eVc$o&*+;_%6dvGRFBjB>
znNIOeG(#-g?z6n+(dG2ho6o@4ydxE2i)|r#Jj%arKvOs4N@WyW2eg(v@}3-p>W{#(
z+V*cXZJ-!^#K!)8=p`u;KFM#-eE9nN{<;%q087~n81d2=(SyB~krl1*G`6u7^hZ`@
zLPB6_v0r>GO7uloam!D$MXw-TyPxfgmSr|UN9V~j3bWrYkv<1e+`?YgA;LRgWSUUf
zOq^?XMP0p$hkU!>nz`xznh4o}%`+=zmP;)R?_oE_B=Wf%*~qWFdq}}!#WVs=QgKD|
zYt@9A4A?ixekb2br@0mvPYAcru$Z2h5i%IgqU&esV`^R&Oi<U&V#83&n6e}%4j!Ol
zUfm<z+Y5u)$_p7S_g2+;>Z!zSVmkeUkW#2N<gb5{`0v)wIFLaPq;u(aUFL4QO`2_P
z<N+Ynb`ME*bd~BP60L{FN7_DpPaIVjiO%5*Z8lI#(J1c0KX6^KOf5pB{Kbh^{X!qy
z#jFkH;+}tt!?DlXH5<o^RiktEQM-mJvhk&AeDG|+Vh}L_5xQ{%d7-yY52y!pochW9
z)gnGka%oO9oQBGPhX2&n{PTKWOf;$^=IdhwGR<>t1%)JJ*lBUr5vuO^`Kc1U$&J;P
z3;CIJRvk@xE1sUSD3sSIQ0hNMG+;)0{zt=WGoKB{P^@N_&LX43Uaa|mb|TI5)9nKU
z8k{Wh%>|y6u4QeiiV2gLbnem9%9(&qcNH48SA)L()FF4a^slu#gKi!d$rVUZm%*~y
zXEPFInMLMwNzI${+Dp(*IgiNsEFxFG?9%%C`EVzyCn{^2ZCPL<2C-zWnjfYXsSiH-
zz?*gd)z8X8>%Y~m^!Bw0Wsj0!E&N&^Gj7^R*h;ld#Hbe%ZVS}8zuvs|!ogDO_}(<8
zxmP*(UfS%#>$0GFhxtC=p$UzZKv+N$^*l-OZqk#>@<P2uRwvfX*|Cm0g!+fvVgaM|
z`hJ`$*d<V|?HiZ^Utkfj9K?W3aIx9dA-qpwzB0;n<zSKwG%V$BmgqYIQOTDyVe+RF
znk)TN@vLo1MZJX6f$me06H9&tZ2OFk;AFj*tne0#1Z;PNCC*;OZ)B^8brqbH$sc$U
zg4{W^*?y~o<~h7Je!CQxF6R&8{FFoBG0GQ#(6>kL@U4<ID8_<Nc(NQfkDH8q<MmOw
zv1IP={@Q?#ljG_Q%PCh!d#^y$HZO-=548I;Y^3|%q}qUpo(9GorsH$y`RHBmU(EO?
zcVjtK%hrREhjtcmC_(my85T52V)f+m$yC+wQRsQ*);}jM%%`y$1s%T?tCx9O*q@8>
zRe2WY)wwvS)T>q(e`gq;1`Q&^w)9C2JINUZ1=2Nu!=n$%YjSHTNky!V_2z8yDOgD9
zI8+`>fh_`l4_yfSK+jVfAPcJwyjitGzUP<$D5-#x^t%Qy<|rE0c`Eg#>Pz>h%&qGa
zRLGOi_hJ1!7Wguy!~sq(LiV61$LBo&f3CAv?Nc>}_2v2VBF^WT;SFTQY7b0pjhXBN
zgrF%DEXa32>2u{4%1O133*{HJFWaB!m)`aZ%dl@I@OiQNK<W1L)ZokF`|dlX(C|=B
z0oDx8>;YUo@qti2fU6^4{}-W@-qS22lQMpD-J@7ZzBvpT>Qz)h^40zVv??y{Q80-P
zqOM;UEzIG0kDLaP$bcZZm1P;IZX-l*V#^0*0X8kXLdixZS=%6s??vK6s<gQ5gwrA)
z{z~`L!R?L<t0XKcFyBZM4PkJ`|8oAA^8+TA83E1WAX<B>{Pn9l+O2^#b)2cXms?#H
zL6Pzg#I{d2M(RZmp7&QXXO3|*4Uxe_gYx$b>uOo@3mBmhKa9}6xm8c6vYlR}xf~-4
z$<>${^3+K$om-jmt~!#`-vq|Ier{J!+A&m#7-4%f=-R0KvKNb)L=Gi1VHLQPKA!C$
zjHjY`P$5)=kes+l23K8$iacd{=w_p;==P;SE2?dR-qLa6xKa|cH&FTak*fze?7rW1
zadqTF5>33nWHiS!fQfy;SBZBX-?WWz`iiP`bP`kJcB-EjX=DQCGNJ{La=VtzJF+kA
z&&T#oKeiRp_j<D8!RGFFp{_1%U2UM19=d>jT9$iG?qG8*sKJ;(<h2cl=nr`{um?Y7
zR80t{8HcPAGaP<xB_(p2V*EytcgYKXv)x)cUgp02+D+Wcaqg0vp6|5X5JSDt-<ZTg
z-14hsT>d=l!mOu=YKNnY-_qc9l;}LI^>1kB$)mH)kiS|~n`SfkFSGB|c-iV3X1uJN
z0^D=!+nzRCKL{?mG3#UV5iS9qrw^d}rE5%N8oX_JjdI26*R8Y1n7C2F_W{?H;1p~J
zQts39;=-f13f}O~$ZOX|e8PMYHKBR+>H>9lE_D3mG+k4!np~m~ar!7_d2j|ddgg$A
zYQ#iUI}G$*H>9z*uocxUDu#Y2AHuvi*!g`2<@B}IHZ55y=6?ilaW7djI^Ptf(zV+q
zhG;F6h68bEGsTroJq05ApjJS)57>}25fQMH-+84DFTY2D9gzM@>g!ingYHD8XSKMR
zBu03cewL<vdG2mZ{psqM_TYo$rETWpomw(kW=mb28b>ar-%(FSuIa70I^r=at_rb{
z){fN@Av%kEs(1coxVN}hsaK}hL&o7%gWe}MHP*JzQMNvjZC6xgtAw)XEEpBScfW4%
zteEhcN0_Ksk2&K0ZS9ckCHTDa`!{Nxk<@B+Jo#C)nK0XtdM}1>H;+-fIW(3$^XHz$
zOc)iHu@JED-v~?#%LwU4kju}!k2i-eIO0{puNECHhZk95siM?)(%9l*wp<U+9i@y4
z5O`$x(O+tR+>wrRVuJRi1%no-llcmFl9ksjli4Qb#Mt?b*Dwr~TiOO0nJwWlKV(jB
zC#dtYuj-*Vuyz|FR-{cPb^TjJrESQIJuVKo+35#6<<_k5mqx7VYR29WW>*-Nj`8+N
z;_#k(l-GLqTNcEw1f-t-IFH1*Fl<AfeoAt>K1X$3Z$d%-pwGbivEff?Au#Y>26Qpe
z`?mjo<?CT<>y9MI?<L2V<^NVMR^aHr>SZT#K>ok#W#9ABb(90Z-2-~?ydTs9*;R`n
znxFPX?21cOLypbmq2ocx%9hbXk-4aMFUAa;O`STX<fF$!<Rxd(c(sxSGT!zH4_Sg^
z(=1$zjXTY+1Q@#2*{<lp4?cYjQMU`oGj^7xqonrbTbK}>hHpSG3i-rFx0e^I`AFzn
z+VY$Arr-EHRXU1I61QZ@<Ud7|uO%k?&jh<`IzhEK8n60|-$@9Vj~ZPbd|HqY-GkDq
z_T}MO?+n84jmm<sIYW@Kqsl!IW}u<Zvj2I<5R$CWCAk?i$ub(`c@P8pp-X}mX4hhp
zMwMyr<)!I-lr!s|bCL$V4egUPE1nM-E+@9P#g*W9xU+|~H`rEkF0E~;QjOK^8oVuk
zkGakVz1ci`7;WZ`Guv0)XHi;*>PnKFGOHK{Dv;wH9#K4;2{<fHqccy8XzOg#_V}S*
zY@`pZ5}41~EV$|KC#I$b{LG=H3Rbf!blYk-Xd3otHBB2B&%zKc2#dr2^u{j#QwT&f
z`4;1FTV8!enW=-kzt&!R(Qg9X!}&*^7?bxe<=^#U<XSa<Bk3+Y)dMDC=lv!}mRtS;
ziU!(bx!l@+5Xu_$*aUb2IS14BU@`9;T8QTF{QZKp3STWvwzid;>8)+Jk}$;?&GJau
z1D~E5-IRtVmdO55SpQJQ`Y7%Y);hJ{M3f<Ca~2=}!c^=jES|y#e--d)R`3y(W%WTa
z4HRwv)E??R@)D}?{K7ss+I8@6uwV#6%J*hCuPH_+q^iiVtBWrqKfZtFl@kKZuxhal
z4@|y=#tR0_zm`(k_al!-g+9U=&%V~lLUj~#2tx5})XrzQn_tCqF<Xj?@a84<U;u}(
zRw^1-(luwbL1T5K;g!g1Wj*%k5k&81Vw$#|HNCg&^jr<|E1nJpYG*-zFf(?@u_eY{
zobai}BY4F+#4qM~QL2#dbGC(}Cpms7E*jqUvAs@2HBXM|V?fDQi|@4y4L2oYTPa)3
zJUqJqIfJ{2drqhzJh1{L>uYwlG90$bN<B#c52D5SBGhY3TIJ%)>}G7oX)HZ`D7#fe
zdUy*rMfunUf6Ag_y8c%wEXUKVzk)lP+?b9A?k?z9Tak(4M&}!8K@Hr+ZBtWg^V1EQ
z={Cyb)7y$UCHOn}#J|pZ_16f@*4{wjIz0~>-}v9-6<m}FS&D^5WSacx?5_{7wgJCl
zzePme6Bywn1nvjGVlOB<QeEozb0ma#&qU!eKM<>?EN7ZwoZ~EGUr(FuBcqg{cqI3%
z(T^O=fgdUX{;01#fsp<LtO&fi``AC2gE3qaXch>WppR?&{p@auhR&A7htNEjdImIo
zS2vU2N>xQzNB555U+?d%mkl(gjjRm?9XW;J3O=~pZ6><a?Gm9dCfP1Ee{rcVBMl*z
z0{*W6xi0{e0g!$Vz<<RCXgT%O2LQ)sWk7b!*irlc^)~vzx2vlc`2fGq$YAYH!|NU3
zUEzN#_kibJCF%cFoNJ&M0FnjNVZmRH;;y<@J3&Yvfq4qYLa#V};ICbjpyQlc8S?A@
z+YE^Tq5%Lu{B4#V5YXNZ?gwHC5_-+it7Yi;ugLi!%m`t=3vJ%modX{wAhPcF9NGLK
zLJOtK`?P2G#=YGo=-00tcQyvHpAxENet!r4{7jiA7)x0@+sTaNuxTBu$JI1iofSgQ
z1c7Bn+&W&JseYsH5wKIaiKgl+SB$hXy|CA5co|_AQ;iZDS7g@?4(SNC^x}iAa9ix5
z|Lkm~D9HlXe)N<xPF`k=AyWtsrjC6hqT~zgSEq-8x3vncW5>PYlFWyxAWLal*MT83
zsAuAhRv&S1K`lau4vh7eZ@uEA5{+NEqs^!1#+pnXrOmT0kf)@->foNZ{tXP4N7DyC
z8&tHCOt$5|4-2O9B56=zfn0`4l;`*kk|7ans=23QF8&CGy-FL}@fN(Oa4%m<%@8vb
zI-Yux{6TttNF**!eUHexL$s`0d*lvqKKW539ji;(Fs)@SN;`{~PpVTWHKb4!=nO6<
zEX)fFMou;BiG`|w8mC)`Acdx|efqGO=6N{&Vb9NUz1i~O?ICDvdNtw!dh1&Bc-$OS
zhxxZ9OlAv1nPTSxXEqF9;Sl*+H@2a|;=~>po`k)rgkViHK4sqaB9-hIQ#a=!j(tg{
zbub2KugLYUMB~5o7?3tyiH%Iq*+!io+hhna>~7pP3b;3&eaDH)uV!1rx2v<1T83C(
zJ4G>#!0=>XD(4%Zo-M6SAm!NuqfzN58fwyl<Sm4sUVPA`7#ou>3%gY+|8Wjy_ziOl
z?ASZyjwsCPz2tr5SCAUbY1@3hFX65e3;F<uZ26LsrN~D0;%kvN3r+Rrrq}3`ah$@X
zjkdvbCs)s61?1fR<F^Pe*7E4HIR>VT-zbK0j2<(NBPIF1ig`IPqPsvcU^EG2BXxar
zK@22#ZnF2-Bfk%P2<2W!`4aD?^ox+j0XhKinM2TZ&*F&viMBa?<opEDJfj%Bi-2et
z{Z;@M>QcQ0V{lLW-;YKyF6ZK-H9IbLQmh9>`vkITnD>Pv^a!$zW#}?h((1RYe;ju(
z&Zd^DirOY!=qIgnV;EhVKm5qT5QqmHi+>ik8b2+oX(HS*>=iNbn!n*>A~MU33gLZ2
zg1&WDh3>z0!mi+THWd==-)XP)h-<RG1`h&4Mv)o37Xu2;{|FyTPBNCT{z(p@8;3e&
zRZ|vAVvIJM9P+3Z^=5QE{Il*+=H1mCXR@d6!X|x6%<Z957YgkfrC>o1Nh<u22nnvs
zZ(bg39iGB($c%Ifal*_b(J$~D&_P^``(?!gw~WbHd^w<6T!B21=Sw*7=V3kYy|A=5
z_EjPw_I#&XVb{QNLU`cOiUh;?>Vix-;>$QkR0_L+R(WfWvxYu>8&Qqusxb6eW&fK<
zu|Tz$1Wj$L1|-4y`ro~L@!(lVtxo<%=;z?5Aj0Rw%Yu3f4dd2s2QQwm#Hs1Ata3~B
zOT2#wm9MBdY$tCmE!vukFelG$IYHtOD7FK+x^A$2M&zgy-X`lxT9qE&-4iDGmhyG8
zwi8}IS2n)L*Fgldg~HD#nclT=Gd}QQeZ?ffoIALieb~sOVkOJeVG+&9*WO4k^9dWZ
zQt0&?SK~tT`$;!#SpJn_S7IoP-y?IhX}eaz%x*Tm)?z;db%pD%6c<%NO^sXJ@>{O*
zOxLgw{Zq`TkQ~U3x;u?HBx;xw-C|*o_`pJnUGIoo{*@~W^$R)p6{pcx*6&}KvFrkw
zajSAQ+nG^>@W5&!)9)w*RgqvjS7i>0<sg!+5J;R^;(P}3U(%lJBDSwm?9UE3MPdv-
zvz@fscJ2b|W|GXC{OS1l_xe1)e>e+_Fx1PL<}O>YNNf;Y#DuWeVma4&s}}!dZjz;V
zLh-3dPK?c*qP#!Qtn~Y<@yNbB_ptC7EH#E&8tgL<&HNV<mGOgd86Iv3B|&HgQWh-P
zs#8lG4Z0?{Y`x}8Tn!a-OK{Qa4z9DB>4mAJZ`zujNhw$Ol^Q6X+e@U;py~h3G$WWS
zBRQb)1n;Kk5bUasW4&NzygBdiGMPAnkfw@GO;c{7$Q9G*@pt@adP@ZUesAhkuYo{L
z%WFclgnPt0s@BT5*8FE`v5!YQqgXAxFWQE|NwkbGzpO$<`fAhGs5Fn^h@p8o?mbw6
z-(2sK>SF(^HIs;qdAm;xC~M8F{LJE203J$HMMD!`l5%Dg{eAG;HAHKWwD6sam%q|!
z*1e>x+dOz9dr|!AO-Yeh>hrEa&3JfwMa^ztNt;PHk_r#^dVBJpaKjuIT+w$(8>`|j
zjuG88N#l~JR^;(HJe-)xbtl`s1V(H>8(A^y3R`y}4{{hx`r->NE3V*irY>}MQYNNV
z+KagUSv3V`-d8{sfCG6xkeC8XE7xrxD~1Gf-m5fyZkV5R0PsS~7<>YJ66~5l9~T5d
zIZtw|nGn7%z^AY6De%QV6*Q%Bt#$=Ke0bjAyeB<>L<*t)2?Nrumxch}a{v<)`U8JY
z?=ww@0hBM~>vsdx`)$M|nU=5l#Yf?f^i=p};nC;{^q%}#qA)ZZQ%JVbtu-WI+s-Uy
z9Lp1?Enic8?eLp&vg!&R3ZFuiBzmBf&ss<T>GtzV=W5KSQa^s*VaA(E0DXJzS3;O%
zA3yXsbz_<Tl6A>T%5#CAA-P}5#ABmX&2aWgsQ5g7*Fr!bIDO>SuXpCJUglh~Suiy9
z{P_K1RFS6wS@Osv1hMUv0h&hpk&Yp<j!bWtht3$+d#PQtvQ%{-X?Vy6*KSfet;d0Y
zNStLQHj<uo0rvnoAVpG0ISs=GGy1mmXVr^lLxVUOL1}U4ZTY6X@WbSwMRy~k_O05m
zGh5g6XZHG&Vl`YcWpqczX3Et++#)B&8I_xwy|jDym0qfJ*uA85(DJOm-a&+1C+DPX
zNpOZZ@V7(13ZC;VC_G29<*S1-3Ek7e5fm7fkvY-K*)dy&`R{4v&@M6T7|$X91?mgv
z3izW1b2<XGxwf4Hrx4I>T|41>L_{#j66s6z#d_eD)vDNNS><SrG}KwCwNPS2d}f4$
z#P4=_>56#mSKNb=7^eIu${XdmICZg#FNUc2At}0x?Y3$}wluzXy#I(bTq=RomR0+i
zLM>5gLt4nS-{@pjLk2=Ol;hn^(}>`QvQGNym$WfO{JZh?IrnW4DZXwtKVLr}%864M
zR5Mj^3y96=j!sSiH;U_+`<NBLo%;7dPm_88*?77rWm$xbb1q^&37ke+KLV%c4@9sn
z)gjylnGQ-QJ5I*_0wfk&IXQ05OF6xZQIhM1&S!rMSVq?}YLTz({Er$6vW(<w4TF9Y
zBUBsNOy}stE%x)qprs89p%jaT2hPofr19D>C8JWKJ3rf#-%zZuJYPOXTvx|Si5zm%
zn!3A^3EsVUd7pjhuRS677CJTY=;ry_p_*igt0%0HH!rn9%9<z3y#htu!=T0>Q1O00
zQF@z+y(WOS?sr9Ax}5*OZ1#j?q^g?WLFl*edTqS$YXeJsqfo;?k$9Ew2NDA&H#T!&
zm2_SLNr;;{+u?M6GGSb8S?v==n|jCsqB1PWSy=j>5s!4iUX8egPkYUxV@Au+UExqH
zMOSwqkyZyR@@n)Im;ao6MAGT~r!b$r<k)t*)1(usU`wJSWS_*<X0S{o3`N7__#cb%
z#H80R?-L8t?eA5GzjV*cx~VutXV779oR_y6)iWaw?B}N6b|p`^b8W17V>k7vL_*Km
zc#p@<(bO_sNNf`B<P49;8f&8H+RppwEWDvutOGS0{I8QZBboibge<XQ7X40L{g%OG
zHK7>q>W_r?>u#VgWU)u$kk47`1{Xf_lGE81b!3wBXs2-@4spJ6d?WrUMX8^xss<5j
zLu;q8G+W`3Wb=uQBI&F{$hq|uNO;?V`uZf4Nyc{DeoBNtn-ubQ{aiw^9~u$1FoOdj
zRX;qI-oR$VALZMhK`D!*&c%a4`h88XE*t4@Ar3P^l~jCMY0u6C;o<70@OkB%Yb0P3
zl>KyrcPB2JF6q)9JIC^duu8vpcX`8l7qw>y!}^xojq0OEv_n(+*>Xb)9uFmo+}Uzh
z$rPh@l+J$fd#{PMhvsj<vXbxrHl~m;Y065v=cYU<ESX<A7)$);|C8aMHGfAWKUN)c
zVub(YjlpwBYZzl9m%jGMu3@+K6{b!vPN|%*jH*b7p3B$=vI?_v(h%pZ_q5cg-d1TK
zKK9Qzr$j?KB~D}kd5+A$X7<%F3ufl`2(0v@u4=*CRB=q+aBig^E`2`MTNL?O3H7R&
zCaD6~>2V|KKl2!oyLYVt(b9SqOMCC_#Uv>DkY?!`dFQhXGFB7=c22T4E8P!<6B?0W
z3omqqOa*yu>g9F9G&ZOjSJ6LT>ozTZCob^|9{g-$Y`);}5E&!Xa@yiw><svm>PNQs
z_Imef5g<Xk7hvaJ2U{(J4L8uo;GxDarrlRTm8_x~FW0qDFg--HESEF=qc4w`Wc~6E
zo_RWz5whe}<>IG3o*J}!e&)K%*7AbcR-rM*n3!drCPLAT8>ZBmLnZ>vb)@igVf-RX
zMx5GKXr=vcGl5jp!;P~-GVCAJ3KTuI8oil7e<r{`@G3tINsEZtmkGSDIbz=cIIqB`
zty}6F$z=G}hc9!mJj;|PHSQ!>Bw+LoU@rOA=A3oqvJL`3W2X2!&<}k5=wjb(0wCzR
zbOismow0&qZUE(T0Hg^(v4Vi71IArI@<Hej6jHy_1eAP@earga?p9LiJELdxKJz3r
z4%%WTi&Z`wiXlkYp5=1*l62(BGeajMo;84P^NB}p(tefYrboQ`+cu3@g6{nFTO@~k
zIs_`mb70SAQfZyeQU`#i6aUu7N19oV4LfkJBW@#f4tarU5~Qvr!e2_xPW4<!7=4R~
z@|%3v7@~#sFiXs;Lp~n{Ara9#L3S%sgtuABQr3Gm#6G@`RaNxu+waN8%DU*S<eaF+
zee}IW<e3$n>qj5Q8gD}^Kh`n?k!u0e>tXSbkv;vl!^Z@U-)m}^NE6~_byp92$uZM2
zRKn5I972bqkq{1dSTof2jB)yVd7V=V@gd)BH?IpCD6Mb~kqCUG15t0);ONm&{M@ui
zyeVPLq?os0AIKf##K}#Sw+%XWu|V#!wk$PHGggvS;&-y-juRRpTrev}h+oTS+4{;V
zuk^zw6o(!b;ew8moX`yxhOQywLjo<)lj8UcXDnlNPh$HhJMokb6JJ_bzU=$Iha~j`
zp3XZ!#Rh5ljm&hK>7a%S#GPP0_r{b?aaW6e$*>(*Tf#m;K#3SWAM)s0$(-lDzCRrn
z)g#!-jc2}sioA-Yh9DVoN1F2~cT1mDb7%5q9~RwZFKs{UZM^OAs6Izf=^n+GuA$Tw
zVWm27$cu08qjjMg3OrmFe-JGQtYumC*}cU2Dz$x#0Pn1oC4ECP1p#6ZR*qd<Sf5+y
zik+@@JOA9SPJkS^ah^m4bxS?FMq`<uO<s^=&r20KDRb|d@d29zyrL$_tI7St#52ji
zJH?FH!^MNn*&o#$tL`r+2pIpK>Si)!c#mM}s>9M%6F9QT9#zwtlc_LuzZMs;d-VR2
z>~JY~{FTxBaN`A4V0eKt06saO93u4#iz&eEH04x)DGfX+A@Po6X66erhY6hMoJkba
zScD%>%U;wfiMHI*xER4Mtir`db^;egw-0jV;<K3d11!_4r&JnB<I+Epa$<q%YfjQt
z>2rxgm({IT-LF#3r#>;9EVk%+zi(YS+#V>a!=N!hV(mwjyuVWTIzn>?iMA1x4Z!=0
z0<0>cNhi10mh{r^uso@DggUnJD~O!Ed=Jjj4@#7hHQ4bPOu;EkKyA5HJ|V+y9tdN_
zHzeD6)^TjpMG3_4+%8|--;oOp_yq0ld?Imf#3$Ymr?}1@(uZ`Gak|P>?Nl8DxYxwj
zoS-=>mEJet*{!1_BDAqxlO~??1H8GP_||F(z!`!KE~PxHro8A@C|pCH!B$gvO~5{b
zF_2>5MD)$f!>G5NXg2H3KL&JhtMMkYuHRnwC-X5CUk~Djh%}wnw5C+cNgbZb(($1f
zIp?i0iPQe1+c(C}*hPh`jq!{zBcff*nm!7I<d<iwn$rIM0-Hon@e!DMcgMu7Z_ym>
z*7z?V8Nt@9qjw%ieFg3peYdAx<)sLf0l=Fl;u%l`ND_b?q^>hySMD8jmkk%}w4K-m
zd>o-w361`*9FggbPQHDj!aIpV;Isoi7*Ds^gf#r=sGT7$imabrbz&8~`Co=YuHkKR
zzHEty&G*Z<RZ&IJEsq!iJ)0VC;wvr&naKWlnjXf-m+_a#(ohn(3S#=gsFYY@tzyEh
z-&>0$gdqzR3n|5TiFu($o?Kp#)FXO?F1K(}I~KE@^gQ*B&Yk#Ooyn<q2aPar&ji=w
zUW>S^9w+%8nznp9ce_|mU(!RDg@=B-eQ;3Z=>$coS5+e)3qMorRH(o(U_U@9g4b1<
z*dH>cNSo8s75pfEn$T}))A867(t~|SX>@(h1c$4No3@Q|#Nqf;*=pXT6v>?`S4evP
zQ;O;GYqhu1xe}b0zM?0_dEfvkoA0z*38_RNUe-nvtm@-o!jL(EL0=nD?Mg#>iR_Kv
zoj=ay&C8qQDQlf;oq5SPPBn!fd~@)f!emoG_H}RINSd7eaOd@K?!Wp=8^Y`&fdgWW
zU--2Os_^z6<3Gg{8yvQHq}d1esSNjpaOwC1z8);~WbG0OF%^sXb3-s4FA@&7s#l8+
zr4i8F$p$T&E@?Kp1_Ur2NIO(_tRP^`OdiD)a&ley$#Q32_y|tcrg_%awtYX4`$n*=
zP3%80%~2oWb%w0NZIwvzQ@ymRk9&_&SY^8D@?4AQ?+NOU{ieiN>=EL}Ky50onY;y8
zT|3tq=q~?jLt<u{0*43~1D4)n)&=(81OFb=7~MbqU6zx2O`qD&{Odg-D4@cC(nAN3
zHTt3j#i=jsEVDhUI*(CtE_E%&R^+hmqcc4cEk}F@UVUFcB-}s@dMLDxq_=xEH$K55
z^ZmAon}TWvdhEU1H9}FB-(??u;}T@qevt#wz{FRQY`zL~C;sPlsZZ8{N%cR2L?zfs
zcgOLRM(RW1pL*UoGd4cqE}LCSn^5x3*BF{h9R&pXUrCxzTR^`JOH<UEg4w`Z)J=!o
zLNh$;%>n&1{7X5`62osBHmO?_vW8{ksX_)N7p2dPa}7Qf<t<Dx6Q_;SsnS~T=VmqU
zGJ?vTB|VAKkIUU32w&B6)t*xe*L+<6IaYUxlz{6rOx5WIBcaIs!x_>ozOs<z^gtrW
z+amBpe|nloYD7l;^c9I5AN~8|JH~E&iSo&=`K_x{WTGjpTQ{71#wy}mQ&X|?hp25w
z#*uXLf=hFs>$&Pm9_#ty9pV&B6;CKrjT^5T=HNR!3vG8|VM3@f$Iqe>!@uI6S_8rT
z;;+3_%p+=gE)d>*F%$GW&=;kn;k2%LCF?`TiV_lrwhk<1-K0Z<`-_e)#}~~qA#S1T
zl?Gj}bOd+2wMRdSbsHmZWwxzPXIe((4_q1*e`sBK!GoKvCnqMU^d$H8lizg)WjjNv
zq+K?-teQevKC!KDDQVCarw2}JF5Kk5S|wQ+G7iq1mQk|w=5TUoBQ|v;xq9y^dhr`-
z!wuGGY%SX+<E5<%iWf+lm#m}d9pO-DOWrC|_T@~}BN$tGKzs;I1A054shlTYO24NZ
zkd8v!e~3BBp&cOqD+IUmla^WanJ4<GscXIJD*Y4WS5pI<3jmCtyt$%xUq#_h1)bi<
z7S~V8mjAc1_k#o^bhjl809XIfLCb+pd)@hKHGl{SpR4-Q1J~-yw68EwJ^dN5wFk(2
zdHoDN{lClZNjN_v0a5ajR?a^CME@tL_%E&NQ>%xA4SxR_(EZ6vRsm4fff#(yDZmb^
z{_)96ZifEy0do()A9W3Yp1VZ-KEt{`m4qp?pMT@O+X1^_-IM>jUGwfMaC_zZ<*tj?
zpPvhY`Y%D%WmzUxX5Kle)j4g+F$qIwT#4mR?k8pq21>`9+^{cU&(|(`u2ci^L*bnC
zah$n@H+zbj>o{Ufi7KF)cZm(it3k<nh5g-fHjH3x+XbzgD<-2ij~@0vGH0xjscW{N
zRTOPJ4H%sp>M81hQ&=sgQEG<lGxuLUQ#p*d>#=$dStdwxtY|^{h(F(o#Y(fsV(G6Y
zl`9Be-;z2S>=5i)BQ{@WAsG2i34=@ue71&+=--gsPj`DuuvndZj<20BVPJE_r3zpT
zhkeD9N)?IB)JOJHMH%DV_k=FgFzk%<)H-K6-$?a)beEM9tOf6qIBn>&a^&A9Sb@Xg
zIX<h{n$l5GlJ$b*s?BLR>Y`Dd7No^*pIR;CjxFUyQX+Va3d76=Awspyx7p}=c@IZJ
zbR0Y>@7n&9OF^kTXLKO~aV;`PID3iO>;*x8XugH>-A<46B^jR3H~8@WL;REkuZ<Vb
z(+2XR=bDt3UewjURu3fU<9$5N+DM6O|D|ii&DF1ndAc_WZ*b8Ib`&RbsJ_N(z3r3)
zC%tsh0kT(ni2PgNy6Jh_Aw;Z0`ACD$8<bt<3Ie}owN{#!*DmJ?r6(hV5PwLyXQvOf
z^>4mc!X>wKygVGH!d>x(3gcQk=DFe`h5I}H6%Xbjh>+4yhJ?=QtO5v&yl<GPFTy{7
zu_*u^?2H79me2U5`I(6z;BR*WDj_bQz}2-UjUH<I<usZ8Cd0((P1RG_60Ji$d$x5n
ze|45E>4tb-zsM%wYN&<oJEF7+_b#P%FA9pap?>uj<d_n8*^MU9#T|2TpRw{#MX;1!
zPs~^nNMZA*a&q|4qiz_4W5|&cc~l^|t$w|tLLLf|o%)v4o05U&bbNgK^4?Lf4BPU~
zKz-&tlbMy#)_B4?uiGz(^?PXy;%{oih_G_!mlo#R^@Ndl3i7tooS5us>VK8lLmHGJ
zWje|nv&A$=>8KCmki%1jK&vbx#tgFp-=k19j`L<2w{K(9Vl=J3y4f$(mDD7`BtesO
zEmkvs#$$8aaBuyo6EGI|GZa$$aL}U3RkNP!v5=af)yS9W5XdEr-?LUv@jzinwKBey
zIe@4r&W{=PlXurY?fyH+=f)q&B~Lv09r9?(gEFH%B&18dO}O$Vl5XmG`FgW*AG1)A
zOpodu6pg28u*Z|(A$)_6X^qFxgR95b?}1iM*tc+VN4<8_hS+pKm{%A|)Ape&a<j{#
z5=Yq2{m+rh^r{F3bJ1um%RV5zbZ#wd?}%-<#>>p;h~w*veE7vg7Du@}xv~$Dy@dNO
z@u@&9B2HD$_|gfwzIfJ3BPHUu=dR8NT3YYJ?dX}|?}pcYv|fMW0z}aRU$`7kT-?I1
zpe)9)x&WH@BO%wahtH7Z+&?mtf0P#;qPTvz@qWJ3N%0wp@n$m(4Q?e9|4tTQGk>da
zc=M%%m)9%VZe!SQ$hkIzCg2TG{N&hbRUI)bBOqF-JvI?*-WZc}>E0vljNj8kTqUOK
z##4efU}q&>CZjtD#R>B~51J@x^X}1^*Q&D!rrK?|=4NW(TBI&fi7CO4FLdHM4R%QX
z9$U}dR6sRtojc&;z<YT)37Fo;H52VaCm<i#2lV1_Lj9XgR&;6psO3%AD3&S%+|+6n
zTC%qZ(YoM>F9ey1ujzG&D&4dYoY0yW^1atMtK~zw-L5c9S22gHmdT9BsiF5&9<wtV
z#tXLfNZJzCwk^+CLH8KG^?OxO+i{O5X-2Bq(f&U+)J4`2HaDF*R^{*LAn!G$WXMjz
zyuiI7#2Q<*B}e9nb5sgs>?yTNR`pq;R}*#JXQtEcq6KKBqx9d8iF?R*;zbv=Kk~rR
z=DE{P)eQ4f><GBy(OvF!G@?S-FeDd*LL;JgHIxMoTRjj8)o=}WA;`g<BD*-FvYHyS
zZpvj(?Ih|oiUaRj<DH^d(foA%Su1-wHMVg=%jDGEW!5-ET}6z%AHt5Vw4wLz1yl4k
zo@M23XZAo^ENg8;dwc|{mkBTMnDm^f*$AAD&XEGGFcszRwO41{Z6xG>*LjFY1O1=G
z$fY*5r-H;(yRJ5_v8Dh$pN~%=L&2Z;IQ{#9KJ=@A6xncM%M#qb=s*4*06!!%I&6C<
zcn_<(zy5YT6t(emzFsrWV&dx<3u6oc`zWA88WH_qc2L^MOM_A|kJ)EU;p1g6eJJ|=
zIt1nYROJHFYqiaaQtX4YFOQI@2?1XrvM5YwP<u$$quK4#{Yy;ahJ(PhnDSR6be=DE
zcLxCiE?uzeh?!U*DMv;cF<NfCo}&CU`RfLT0L&(?*%QtrUNZUBjL>UU+};nh1jLz?
z?fAiF;fiLL)(hh2$+>~MfyxoNsyJ5HA^Gp+1<LCrGvQe%0u`{|<!5BLQZT<t_f65{
z@t`{@HPl23d*dI#G<Y89MbvB5Hf$S&;p$RivGW`>8le;IR$6fG&upIRy8YqQ!?+^7
zC}K?%;F*kso_vW(;#7w$tbq|F@z}e=ptBt_RHV<soDEhpQhAq&h1jBEw$JLgskGh|
zNNo8YaJF((HG^K)fIHKp@^@v;oMz7%c_Gy9G~t##In}E&?+r^90aa-kk#e6nIw|a`
zM!A=Lwy$6t5_L>2v$kxc1pL0?uzF}6RN`YJm3NOB5`^`3bug2i4~hWe9M);QwU$XY
z<yOw3nIA~Mb<%px`ixXrtUKXQDjvbqLSkq!o$EuT%QI?M8cE5CBHWlF9}RH~!5Fq(
zkXmFnXBxpI1Hb9R*h4?CVbb`_>;4QJsICFt_JCUm5YY9Xrvcr6-zoIz0YYvDQ^5b%
ziF}aE2px4nf_(sH|A`d}KK&44$U&#RdBgZOE}ww|NZL2=R|lUHSdb)~6_21zYNO%J
ze7gSa6%7wjxQVxFNMB1pMo*BF)nfele!Ys>mfhoApBijV-IbE4D=yvaP5sZ2-P}GM
z7<psF*>P;@=znf^vOJFhdtGSe9rEJK#S(@u$EwZ`!XZv~P;M1gPK6}o?D4ks#*js)
z_$W@;4b@9e%re+Di@bvP`c6i=B8at_R7=(`*SiUaZzuBIyj<ALs+EY9ZB6ayz6b=a
zcY}?0g+f2pl&!rmH=`bMj|Pu0PSk7l^!guiFl-H`xRLA`6VeVfaH=#OaIotTE?$P1
zPL63(XFj+B@sHS^$MNq<w?hb8FYb*s`;iVq`U%tg+naKNjl<OjlcL?ik{+jtd_(h4
z2XW7l<0WJEM5lgEQ2mk#6xbR~z~u7|-WOn4j4I?hB7~=)A$odi?~Js#c8VuYAPsF5
z0%6}y-yVdbj3o$P<&lY`^~C7Nb%xgr|8ozhitFG#WrTh&tIu&Pc~Y_UFU`WJP}cNd
z^+6HCx;XBZaqDMGH*mYjEFhRZ@3nE0x3S>}IhXuub@9i_5KEe*(@xlt1szEP>t+U0
zF$NZu+52Q;ZIh6?T|E>HGpPv4GC{_qmVhr|erxf0*Crs4raK{5dvmz5y+738Kz?ew
zxCBdfB9upIx`J8s$fZEMLYEBu@Y}z~7BH@rU%S@u)ud{r%Vavx|0Buu-s$;n`eH(F
z0?%&$Jv6ES#2Zk$WB0MOq_W_(5%)zKLd_f4%Gqj``(T011ir&bodqEUDAf!0w^N!l
z066Xzr3qjmp&}j4DEG{~bH49fvJpbrjyUx!guQ1hgM6O!6~6_KR#FEK`>!9Fjnq{z
zGJO-1eX={%7gK5xL}IQ%EZ$<wlDBR_3sLR!PsjW0f)U0{uc&Le_gdz?_7!-`-<zu0
zo1VFl&IAoy@l?FpN&enCFKdz@_w1q&cwO&Ug;D$pRh)Wh{0m<{9K-q#QH*;PwbjR@
zv?LdmB1?7Uc`3fKp&X+ae-NS*!iuvqTt6!Z(erL1svy9@AF^y~HJq3GV9|1y#OH6M
zsR|z>-*TnnYU(ySQ9dl)^}h=U1Da$#4!4E}I9%~1QX}Z&^QDWGf7?|nTyC#(*mvl=
zCnw@{TF*E->1V&SBuY9ogfxG1TQ4(NowuxXt|Ui}BMSb;NFU!xOgO}Koyiix!fvQy
z6&)8so7QLiev^GJXybp}NPHs*5qRb(?nsE>X~${?w?6;id!F^6rlN;42xkFya!FiN
z*d}5rm4q550wtEH&`R(pPpeg=^}8rO9=>U)NUSYgoR?k~2&NM1xz7va-?p^+v~IR_
zlv&?|&CjE+<T}|ptoPtu+DqHy9WchuPEvqAsWf$oGuC&^C95HI)kh*jZ(jsw?AvUI
z@3&BrBLYjryH$mOv-&h3y^iWR4<^6s4#U{`#e;H2FyhPts-;7fQ1`>Muc4N61?A^i
zrex0&scdzlPYKT3nnn3*hzodH1ouJXufvk?Uu<660y%n>;%#60$jKUFXCY-ih9NGI
zL+UL<@~w0MwQS%Gbq3gz=w@&|Q8Uf<jN{P)z1LJ3<cQxK3=m>lHtH%Yf(@1?HCT5B
zQTYB%faS1~dX24Ee5z3Xi4~1@s)BR4vAu;H`2|}Ueb+k>zh~W|KvXqYUWQaBi_!<>
zD_VC|pj#bln`%lTrP`3=P`B3Ic%=Ff=gCRT3^Yk8@~hr{u)-AW^_Lj4PxRXe6aDz>
z!9za$C{sHHzkGIad@v=i<}|GV+}MV)WESy-L%0OS-`^uTe!pZ~`1^G-lnYu(8`(Ea
zmf&HGFrq`d<6vMYI5<617ooT+D`~N0w=Z8ZBg3x@M)Jwn2{HYZZ1FzbG6iS1>|O_V
z9mX}MkD+gH&&u5^lX>%12;ahsEw8;ZG+2Smn)^DUE;+iIDHcLu%wUUP9F{7B6K&Xs
z*X?K_ja?Ilx)UjTmSN}2#g8}wy)ha?DTv=ui0JX6oz5z>A?|42glY}3m3wtt9HbO}
zqteaE8&YK6{J~`+vG3G|Jug30IB+NiXhnok4^ERav!9j8pt~(IE3GOzWItu{_+{sF
zTiC{NXU<=*4zc70B;{xl8(r>~^&1I_bIRa5_PeF>*=52|u;mRjF7wV9Cm(AK+hXW{
z486kz6gSb?uXExsHK$9Ev>6Bd=HM5CzO@QeXs-B%<%2eAD$XtYY^5kl)ty+`@mDA4
zwF>zNoU7Y}o^vDF>Jg~+0bufgZ{UnYLhXE*voMvuD_3e=&5u-(ob=M0gHXdb-;Z}P
zWC;r$a~vLB!XcvaJ<_#%Jj!8x!_pm9(SG*Aponh?YQ=oGQ88|c8TNVeT$U1N`MjMo
z61F>pVCM>!rW6G<v{daR*m5>!LV@h;IEFYAdzv~#ZjLB4`##iN4D9a6<j?>93vkoN
zWM;xn`0+DRWKC7^k8(cx!0%rUGE5v5U#Zi-P%ix@#OjINHSj%iC+j0)Occ98Nno?~
zsMaO$2J5DOfy|<O4pVHvaUnuE)NHY@2-e9_Jel7eN@YQpARY`lGA+d;bz2eLjg{ku
zPA$Wyoo0unh;0>`k@qzV79z}U%rsLBN~pp>edM1|J65iKNMBD@eZUoLW55#_F1W?^
z#2a~Tn1icxZ&!S9{h`bKw?v-p{&@XK&?b7Y+lqT|KvQ!ka^Hb7(_wk6`i&LB;|m%V
z(#=bJzs_u7PiX7vOZ;|+$Kx#zeWO1?!d_A6-6BTKDLJ&Xy%>3A*gJRAgNTFxm;TI(
zKU;9^9$kkp$CDLQl(vuf<Q`KflV&Lj4mPW0>q9ShZeReeUYd@8whVqulIo`C(Ah$X
zr<{L1eYkvZ-0yVQaGsk$C-&pB(LCilI|nETcFM*jGcQ$c-;%kD3FZ}dt<hq>3trjH
z9xSq*TWze$O+M-iqE#LR`j*4HE;U^s6h!jvdt{>$W|dN-;HuKwP0FyDoO22}>vR6!
zoki;0pBGJRKhP(HdkXAxYF}y}@ry(yjAnl9cOxqp-#R)VOtZp&dwUA63rfP1;Z-pn
zv19GgIk5Wh=~yB})3iP}JvoLBS5lu}%3Jwj<<zP3wa^`>Lv&e%hovP)CIbfkfH^U0
zDQHsw#Mb*nI=wVdQ8ts`*X0bi0p6mlcZn``i6TM8i1<7q-&Ie1_x<9gDd*%?Sa385
z=Bdonxf6U<jb&p|D|Ny>gW+UtKSw*joF`^$y2Q)+Xc3M*LH#20g3%y3Uv%@x(y=kc
z8m(>qbYKi`6Y2F5D)S2wFIY<m#z0G)3z$<JrYWj9UeSx}_qz=jf-~JM7Wrdsg(dt`
zWnb9-1x%5>qeroygOG{xF5jAe$)N<8jlIfJ?c!e&{5#J^0yq4a&%92_xTnfwdD4I`
z8+F8eJsO);VB*RB96!2CPcQ!KXiK?ED%M~;4=S^<)=7hzT!y(_P$%<hbb#8wf;fR{
zxRxMx5$7F>p5+-sdB`w($MVbn^Ss)<V2=W}m`~NIVh{0G-)0m98^iOVVmwMQSs%^G
z|AM8yW^$N0?uB|73`V6GO2Wxoc;h!b7^Wd=j`%OsyS2I2G2#b2@_?$r(VEuV=0!QT
z1M@GAV2&Q~rXOT~IOMCG)_b{$zdp90?f?|;z}Y*9;O-U<;q#+!a>g*A`tIBRUQMuD
z4UjN3$vUmYkv2o2zQ#-gR_#C!u=RoR=M#}zmjYGi1EF_a-}>}EgwEH8n=hnL*TI+C
zKtUj_URdDMl@K0YGgisyuJB<TOtAEf3D2CF<eFq55O0-L|Lt0y<!*jDM4<nbv+b%m
zdx^BM-NJ0aYumk7)&RUynNnbNf;V|U`S)`IbgIs_n7nkR!!S+;;Uo?IB!)SqBYJKm
z#kMfX2nA^=#{5NUJ>#fR<A{AK2m47}+1E6);*^;VaTQzIjY;hN(fQ6Bl|cw&*}sz$
z=9ZjNzYxUVIEvZIx2Je4f?Uz$er9P*hwc+`v20Z;ZHF44YJ}f1jGRAXd2CCu&fHde
zypzvkdFoQn6k<m1oo@UgS7$Lu=C<Lf_cA~9xv|7IARmz84C!1hfZj)E$uXc!_DgV&
zXL*<+L|$qv9@)Nm4G|1i8Xm@X-*_-5E;K(EqZ`=rqVP<Cv_gu3R5n1<YgYwlJ@Am<
zbR-`0?O-jSuL6M$)*vu`BV+H*)zEN!8~mN0_BPNm9W&R=-`Pa{tKVSYAa3{%p<Bg|
zzF8+D#!-FWC&GfSJdJ4!zkEm@%VYB(u9gjr4-;b&dHN%ciUTE}!=52s9ifI1%F%H*
zGb|`t^!C%oOE$DTn&*Bxj<YQ`MCPyjy&dw4Kar0KcgW$vX!3os6tIEL9=sqjJ6xMx
z-QxMngK;Vh_i*d)93`vMUKf`+HBW=ul*)G)TCW}BP9-~iAxiCOQK31xi`xnd21cwV
zXZ2EIMseyZ_Td}#iABF$^@hIq0?gmy0EPts_M;0Av<O60Z{%#cQo`DT{Q*(j1Nd)U
zcfb-rl=lfne~b71e8}29v128ZF_b1ExB#s$dH?-R0(jcVdCLjC6Z+rHDvpH=L03pO
zYJg&B^tde_I%HEf=M#Vix{Ith2gojg4MdTxPDw77emR9Hg0xH$O6fIr^cPF07$z3R
zAZB}*fv*NF9nl4(N5)Ecda-rJIp~sl(7b5*><S~HR_;Fu3(e;`_)3m`tof}ML?63u
zY&u;py`?^fQldzipKj-A#i=M!d>1n`DOhx;A5^0{EuE>?843bN>&r5It6kcU?6X)T
zMz>#A9RFAPWThO+s?J&zr4SkV&GGgFu5vnwK4NO(9m(iki5EBNvLO}6w2t%T%~oa`
zHkWO0B6mjXH^m@T_7b&vbF05F0Sn7wJK=$dzH8V{;9nfo%Ps$NZ<#46M4vH)1BQzZ
zf?rWu=_upIiu->mntFJ73fnK*cI?V8Ej_R4){Ku$GRlMq8zR}VYX)M5DC9m=zPhUM
zby?4rpvPjza>;H*5`b)m9wS+tcN5dHKnLki?nrFv?Tv!^KbS4~Jq4n1nW}*^(Oy#B
z3#${qlhY=vlmV}}j6I?9F(Tb!H2&(1EjQxgGNY(Z2J?=u8CwPKpYw#Il}KBS^^Qt?
z)oVZXzAwXw;QRf1&e27&bw2-|c~7?*wamCTpn^K%=koOsQmaar&Vra%Vocv=fB)*b
zYMp<tYS`&PDJLmdW7%~n=#IB6aHVSOabKYS72lrVJl~Q3_`BaYIHR39gYf@Q^^U=j
za9ta2oCzl8#J25;?TKyM&cwFOiEZ1qZQJSe$@6}v>eTt$)z!aNt-X8gdtFzFOxmw>
ziIgNmPrixasoax$1u>sjiyz>W?hTL;r9k8-AlthDvEL^Fs0aW!<B0kuz6b;|`d#>u
zX{!!x#6a}X*-rrkg1&eUq@D!!KX0OYGk>8FZJ2`Wt6`4dht(Y5?UauWd~ipJ4_7l|
z7d3(>=y*(T3`O%@gm=;2LsX5&ws=Vyl-@ayV^@!zYVwGgBL@qWFJ08)R<W=15c|Z)
zW#&3@tn()6HuU<JQeEt;+(k_*(JW=-Wlb>Zws2ou7a{9vR-0+{5X=6<e`UHepuUC+
z^?@S~f7$|PgAZ#8iPx@23*3i~JUhIg|Ikqn5G{wQ58L;(^kn3$=g);p0rhhqRm}-C
zDYT==ly@^&NbfmQz#g!?g%l&tGq7D=W{qh?#TR-R?*8$;jAkhaKhcZ}D>S^x-$HX-
z+&&W7k`bu)wzy7;!h8;p0R~n{%bIjH1V(ufxOmLhOXE?8V5*#=<;5&Tt^E_~Ypdb<
zEOae;hG=WN43qU5r`kCS|DJ3{L;SQOzLyFOjAkV@$$RTZ4v)Y5F}Tv-^-xgOd>V6h
zT;uVn!hKx1Oh7+}q^;p1AI3^ylvas28fqm&DdLl;siS<;!fh5-FZ#f9Z#|*=1UvtR
zHUV|BXC}e67mRV0gW2}y-Mu7tPN>KJ{Gn+_tAkNJZSK+>?`o!apeaCNZA+3>&Wp(<
z9swxUb_Bk#?gPj&b%V=v1$(1CoK$<0EH4}|<DLX0J1Y!%1UVTN^r5sz@F@iasOx6X
zeR1SNJ5p__(nA`G=6^Z{ucNJepNCHmJ>Oji*_BDc6h?-o*S#*2?jNWsqofXpKM$>*
zzSy>nvgG<)O4@E4D7Y4>wx#>H&BS!MmeTKx*5%R3r;*I3H(}iS`OptsRAy&k-C&~Y
z!3WIIjL;fwz`7bYIcf+4hj8bgY5ny1NU`eMpZpCAF<)};e|e>JQsN0>B{XL`1Esx3
zAuIZF;K{X$F>ItHC`G@VZMy<k_os>an^gFYlOA9ArA~>T4)d!el9MCT&Il?kGsZzZ
zD-mJg<{pN8Swl%=3DzC*uXe8bHq5B6-r)(}lZE89B%}c$WA0zOjbn{HyCMuu1uua-
zKOZ7ggt!LRO2ntEi_#apq+1RywOdUz8dX_3eoti&4d2wl^)m4)tdn<^C?Or?BdJMR
zZ_eG)_V(h48}s<ZJBR*^67@lI^f*y_J$d@eptzT@o9AULJ31A3DmRrzk$d8yNO2yl
zN;9U}XRl4v^~C>t+g|#$HaKg%&^>K(cXMWq9K?((tHjPn(IxM|FXnKq;{3YH>wsQa
zR7xc+opDTz4f3yx#t0`O`Xm?SK-`gLRhTS8(~_hu78A?h(+Tb%-+cQZZlEjg^2C{^
zrmqiCJH5z+(sM9osiTAYhE^ur=z2L#+LuO=xpyVdifZj~Y5eWF-rD4(70S@8HUjw@
z7xMPgKAXJb1%r>lOeFKdydE+~9=VUL#tR6X;c+c~id_ZvAp2A94-u;QQxmG5=2bA#
zsa=?*f3lK=U^aUx{A4ihlY>BtCEJ2rcEFbG(mEGvO3++rd~C=Uklvj0PORJ>C5#Lj
zD5+zFEq78opAXaMI~?)eoks>gJB}<v={posyfUPSj~A4^)mbi^Cw@yQbiuP_fK@=t
zTHF7d7xi=)|EYB{TbbuH<fO_q!8&ggUpV{}e^&p()yE*;ny9>}#oc*ih6BmDsgF(;
zk**OHX#Z0PW=BLn#+c-h_s{+pe0;Nh?I3D<uxPUPDR7nNqJ*-r85F#Ko|cM`a;xnU
zj9!A4Ou{X4ex7IxCDNZYA;3R~kZ7K0o{&(7`kTW?X+VgwGjUS0Gs!Uk565!j1OWG%
z+59HjW_8^-<<ug<&r69jDjRmurL5qj1*SNAyhYK7+x~lJgQ`;y<T9ZgsTNrh)-cG|
zWFhh0Op~BjYFkm%T2eaKPpMYKRV29=cpF{6*ZLD8Th3PhG%icEJS$u}^R%a0@jJu}
z{^xCf9UhOPc@%?Bx8^=g8l~c(VYN20Rhb2SJb_j&_gCf-WYr|3vYwc3-w$S?O;3CT
ztR9RS4oPu%pK}HYbZben#_b-J>ls$y>tM!wLB>=c9>-lL{zbmvI2fZHw>-W~&0n!=
z(agc^&h`t{#5JEmhQ6rwka=J9)+XgrJ>Hi|O)S)_X7+RZE9j#^CH7C1IjIqVTNU)5
zHD4n-<DJb8Hfip)ke|lHcNP*|sg11=@y8-gXfA0ZFD~NepWsn=R&9Y+>S-=@>x`MY
zGRts)J;qJ0n;XCEm^zjzzuhkZP5)W>5@$7Gsm&bOZBiQTtZ)Q8xZs|e`nsWlBYR<`
zH5XA{e%OMVUo5Ylp(}RhG>E(zi>0&?vR3C3ha{#RM+cA1uL=YCjL8OwZ!t9S0a7)Z
z?DiMrjXWNXM;=N!GGoynnTxc4DKRaZ$_f%23hm(I1CKc%YHP)XU<FC3VQurh|3F7i
z{}kWg11-mYTMn#N-FxoapYArAMa38B%xF!IK$rG8Tv{g(c^m4svPomF8I5_U=l5t|
za7C}*Y*YFmO${xaq6qt(`l?y>F>=?G32T72<`czI+Yu>d2~*(@C->!wdx3?$HnRn7
z^X=3>v?vxXw&&CP^$-UNMiMbo#A0Bf&#CxQk0skjLdKM{lVDFxK27r)F=%5V3dr#x
zayuB%j#LbmWsm0aW9yox#tn(yGB{uZ-Jwj0Xvt3<j(53*R=#6jFDy5k!hj2|Zw(gO
zC*y=zisItQ^=-+S1RM-|nfK&AO(QnOy+{T09u6%x%ZNUV#;eOO?)zkZhu^ouCz;0{
z$wZl^wi`#*s5pNRgpl)5e|oL0Or(M{da?8{ROI4nGRq&}5#k@T*fd4DZ!p?0X0Ep|
z-nB8mx+rZC-(wXWcdGT*m&mHvp?L_{1TAoKP!g-oUGoS}!=E1ydne1s@67yBX<g7!
zN*$38N21oHpqF&7R>4m$Kj8%ul^9*pJ`lJA;rM7tl`ru8BXmZRj%}e2*%C9g9~P5r
zqjgstyi3GMI-__dsvavnLd#_9l1a)&Gp;wJEA3{8R{x0AW@8L<*u_&9;|K~?MA6A>
z)LvR@YXx3Ww*I)Yun5k<IQLjKp;f&rFG1-KGju_;&0?gxrYu5Um>r7U@;Lgl;DGbM
z=qURH+SZn0cmzL#OK_pn#FS7%$`D|<g<7kp`A)xM!sy#D0uf#BgCOp}rn8h{vgyov
z@#9&Ju#wGP@mPS1KfN)!wNAy*bEz5!KKb0ZB2d*2XsPM$BG^-svX8tvR*>sU!@^iO
zsN|X1=$W(y+T$&W($ehM=!N_QOK}RgCrUY~;w*^}%Y~KrDXsQB90wstK3J8o|L2qW
zp`OO!@D^KB$&i&jiMh^(r^j-TS`G<^IaJ!RfB?0(O{*9^{FiCP-#1D6rFb8B#F{{_
zcWwL@K)0?+P`I-t$EWCAIryyZQFTS7HpzQJ6wQSbIA|wVJs)PF=eYUzxMz|CHg{}|
zatvF4{SfQ<!pGPcd38p#$j^JDVNF+FX?F*`TQ3r`cdG5?&Zc%oum0QTeW*frR1f?;
zfGIjxO6AT#UnM<#sm)Z_Bgu6akXV4#qK}+oop|;_wSqq`4vL2MaqzQYH?Pll<xlEX
z*ujDKXNzV)p<w*0#U<z&odZK<EJ6HeWBeuI-**B9AkX(gjr>PX-f!T}5hUK5fHXi}
z;oIh``Kkt7NR^uHI+XyS|K^AI1845OT57Q&U_(K^zUkQ{K(lio=sECoFBj<3qzH!j
zjSqnY`A@p-(G7I<1j4xkPwoR^KEY3b(vt!}Kd+NZx4G{(3XqdcpwsdD_eORozH83D
z_4qrkk?UZ$H=4@eMy&!OU7)a4;fQszR3k22l5vwPRFSmQV@0*>le)*wi(xs*MSkWD
zDix&oLb=4RZ)AGcMxdYL)Vkj*@4cHuX-~X}rV!m8`A;wC(V7rdG93<AK0Xg)$^k+h
zqtIUj;fxR}@>cs=3KzWCz68@1xx4RkI8L?L8is_(o)=%Yg2nxU3X~+c=y;p<OJkyf
z>c|wE7>`&*6gDb3XAvYB^_z={2Jn7j3Mr^P-e#|D+u@9r48Je9C84*8!Jy{(m}igM
zhQve0na(8tsW`2E)mxc@By5oHp3o{zJ(!P5K4XDJ(rB_$Ygn|Hyar<ZW&z|km<-^~
z-1tP$k#`nrD%5>GGO`4D5lfIthSH${>E#=u4#$=ff9~+~FLT!M9cBp-@NAXa*>RlO
zhvUyM1?Y#3_QA(MXc_BqSVa=h#MdV>*4^1Kc!t^^-XEE~$$J`zI5;eZOAlF}vV4-E
zc&$D-{3f+%d&agd5gAv=gN8n+a<XspCoM$WmqX6o@dtaG-3S?P0%`thLY2%RxO?2x
z%i*z@$j>*f+*q$3?Ma>NJeaZ@$XluH^=2FOLXgYL?!8ThU!`uXqSY?ExyfpObZck!
z`~5eRdS7WJ9{2BW&bQO9GH|f7OD{#_ju0K-Sr)-oN&H;I(HPueIKA?t8vNrsgyk0l
z*dYe40byW3Kfbwa-1mO}{tKN2;(uKMhmKNo=($n+;r?eufB5|RI0Fj!e`DEBM}g_*
ze!T#K$J-eo+n?l%|E~hSP1UvE3#;Gibj{fWV8iRT^<5AV_z4tj$K(WlkF5WzQm$ve
ze)$i9zb`=g|NYeGcV<ld`%47eb4ot{SE$}V;N*>;u>Y4pqdr~4iZ>R<hCgm*PaUL&
ztJV(*C5Dgrqe`_v&PR2M{OQ&eBz+jBY(I<rE<clc4>x;=>0sFADpRXk7QzpwMTa4H
zYP~o;iLjwx>g3IJ6FqIAyB95NG-C0~M~SWqLewcKAH)-PxU8702XZJZ6DZIa^U0q>
z1fQ4WchLud!xI~^4pGvSC2=x?m5|+tx?!=KO_}-`hhvC{;EFHLFQc|wStIm6CwrFb
zT3-9LON>c>O;fVdfV`&@Hw35t*0cRJ7kW3+#Q+@NQ^9N?X!$|Ds<hP%M&~K;hAFpg
zkiVpEv3TbT6=3V-OQ18SiyowcdTz!DyC_{b`b_>{vO;iET*)6UtEv$SSNy&znJnIS
zBT7xH^s%sUz*_B73eIszI7~`8asG8L;J<QcPB|2?4ao6R7?xN^xf2f8KCfyk@{s16
zN#0$<QBT*k1eICYe_uWXN};|`ITeLl7jzn-v_qiX+Mezp@k?>cl^J<pXBr!zPqZ<j
zli4#k@f1?Q3Ra1}n=Oik%Gi_L+g<8mdp99ylv}VJtuEn86l(E%@w0lBiT<jIA|c^+
z)K*H2J=@(|>gu2}Qbj8W@`%A|D}W*}AB8g6ua}04n_k(D#+0PqI%je9dA@MRW(r+}
zy@*jT*`~iI=TP(gfc&heQ0CrmUX8YL)VOLxuPIreQk!=Bf{V=h-<2xwD;7iB)-vp9
zIsP^Li&NJVQwKkbB<*g2AOK}W{SC<;@%~`_Dhib10jUI5V@5U(M@aV(ZpjhAD1}v%
zw6g_MoSB8pTw997_BlcXDE8?4XrtJ(v(yF7N(5sTg%S>scl-zvqIw;}y{gcPW?aSK
zj{kJz-s~Qva)ePubQkK>tL9UID#74xO&eGIv07hNcQ%JDkZGPbebJ~Y=e)&L7T?IW
z*Z4=P>8$Wq_L7t%rd(Zo*4@9x#Y3mFJUu>G;$m0FVFkN}wV6!Sj`-o7lkN>Z%0XX-
z=cf_EPn)%KRF02o5Sjg*ej4x!79W;jeUtSphVzHBwDws$DZPtm@-i~w>#mBohIE}c
zM!Cs-=CdCIs*Yq7^TfjrRXJw5T*xfdZmL;vS2`3VTg-D2pYJ4j9Gp>Pvqi1!f;aK#
zDmHNjcgX!6bzLo{oTf@^p>*r!ow2<-NDeLQRfUIruf4Dk;V1O-?e*Cq0voJ<94{ll
z`?3}f*_EZwQ+-wsEiyT(H6^Ui@j!6OSIKXg?jZeaEqgNaojd#~#$&QsT9#ZBKHGMB
zg}EO@B1ShxSHy1~#T{A=Z{ePjM92s9rG_vVYDgSgFIe|Kc;Uj-UiiX(wJ-5=x_&)I
z1-g>mhub>oy)Zbt6QUL}o|1W^dV#TOcuk_Gb>fHql~(N<JQhU~Sc!wm0{(sYuam&#
zb^{SMfnA;d9gAE*xPA~|VX)r`&<NwBIPyEE3idzmJ?@I%so%1nAm{G?H92x1_><p%
z-794!FYW)=y-EN(NZ%3K|IW|cG2m|i0pI6?AFVtDqaY9m^b_$Fi2Kna^53ET-3aNv
z8==O3-Afo1_?fGFknZt+-Af0^1BeEieSOc@1-|LzbVUKN9C|=lj@|o*&SDwKMh6{s
zM?LPTf==#)baa+~`@OzWVPbT+v?)lGqWiydgX5GoXLX*i?lWFPm^&I&)S3=nf?cfW
zgQpmX6uF7qTO%_E(>CbC(Sf#QL7Dv73Ze?VwfX-5EltTjQ7JxHRS?968Bb%GUytJR
z2-g@gDQg6(S{3*-)?c*$uu2dJu-kua)Dm2CuS|<l#>8SP+)?h-%1fB1W=*BS<p*-l
zeOiu?X3~20-ceaBuf`)Qo9plv-#b-+k|4HZ`s1LnnC6SJsMrm?XHGO&@ofN%DAiSW
z%!9{SYsN#MZZf(Ivi)OKTMR(^;?Iqqrw&-j#y`I%Zx~ib!Hq_EM77c2$mtBlbs=eE
zRiJYRMOe6h7&z}?c-Xo5O_pb+El|>);i~BDLaE`U>&1I_e&@bfvG_MJb7a}wI-~^j
zlLB06mS9>!tu!qBtrJgMw*E#g?QZ+CbT)=b<}Z}5RN-4R$DSP!9v&qHO?c{ralMH!
zk89fD7lsPgXI2A^Fqu%^Fmqk-g>^~f+{$*-Hqjm#xznFn$WWQ~!m}J&ZNlDKb**&L
zMy1U>hoE`cD6v(=Ih6P!5L`@*A^)Ao(%BASuXDvQ4rvXZG&7)bWue^n;bH55bvewo
zEI?&g2oSV?J%2Wwi*s}>na5f`d})7>-E|$>Y&qosZx@(cQ{EULI)R}W#Ds~cTZlgz
z$FJ=ZN^k70<0Si`Xp9~s<2_(HZ8Qg_ZS3xO5Uffpe_k*vR~qpKmzDpxSftsqQW5RH
zGW0^7w-3i^Y0&bd+IK{2&HtrV&s&0803km~H$LR-5b{L`0~O)Cda-hNzwabMcjMFx
zLk2N8jHzR@XTNkjnB}fAFZ#1d@-Lly+5VXK@%JMxL&0n%JZ4L!HiXn)gT3<+r4US8
zQMu#y?poeXFdT~{aJ5shl~fA)sBsomarhd)k?tIt%<3YuHVr@{9L|&OI5#X$2YtE^
zIfD#{5=RWt+vgSZYE{vN9*Mxmnz#xVL{uCOqS#mS-eIgn`;5xA<OHXwSv&<*aq<Z4
znYV7%G<OCHR^dk+*WX3yoM0*LWewE$A`ic1C~Jl~z1c4b1CKEs-(GYB#%OuDhwc@U
z32cbzx`a*dvikS2f&IVRMZ>(3A*J>VHCn~F)v?R{)J?)RDN$S<ZgVx)GtSSfDfEUf
z%~4RHHvbaV=-6C|TTxeVNAz+BnM|!tQxv1Gt1h}HrtA*$?zY%8Dh-V&X3>E~ZAsC{
z5*i}z#yX`-0$&ot&UvdTCMJmGouZ57oOcH%zd!!~pvtj6yR&Tpe&2(aYRVn*7zSxr
zsX}K-j<6(uXA)W|7zwvPe+jC2s;x-Yc{=F^;;k*EiF)Z0O3InL&m6T~t~|fXlb@ST
z)7nlmFWOF1GBa5zn-dGETU4Z&>S8yj{{m!TISz32C$N6_7OSE+Ci&;Y_Ormh-Gl3H
zWHLOyFPXi<msERw0dH8I#ozQm(19F+!EoMoZWk$OG<^0R#_hk-F6$8xynLh;=KYc4
zI(p-6%2g_d>GT140ndla*iH`g^8NPnZ!#}iN)iFO4_A%17*H=8M~2}t+xKuuI|MbA
z^ZyE_Dpvi5pLL4Miqh4xXfrAUT@Ac=K+?PGrgoo}dFpzW5P!M>4Zjjh%8L)1G05&P
z+mOwNODhSNWGe6E9%ECcSP=wi5~FcN?^SCsMW+epMgGn=hDxrwBx@+S&q&J@=wlC)
zhBd0yyjvL)=^;>f^TFO;GXK*X=aRX>s|^#c%z^f@d7oEL)n6>KyOyguI#O2b4|A!N
z(^lRr{3w-bz?L$HK6XJ_N)}p0a@Fm}S)!^UD7fZZc!K@=!<Jc1qM7ehoeqj5nQWTu
zhv|1_XF`V)!Fq99Q=o!r7kc|{sUQy;dHOcI*mi-u>sN$3MFTp$PaHw*3Nm8=`=~^G
zOyr8~tV{!P`2h|@z3b-OexR@=3wmU0v2QOYBtm_hS)N&r=D!0_K@81&ldgoG$Bl}u
zJW`U;N+MmlqPuOdn_1{G3RA<6<O`$_qN6%Ql6&OHP{@0{mWq}Q+@T*KW7c<-%~dt0
zfOTzlkNRuB`?m=6^ae7TL#=w<)=077Fvyul>$bn!^|yV{+>t9Vd#+n)E$Op-J(2S*
zGz$`279L`|#!Z@wrXe<JbOkO`4?RHdF9s>#&X0sI@udE^*xVb>;|a_vxdOe*z<+0M
zdB#G4V_Sp0S96q(EVZ;-;~<zsCMY1I`lR^+TuRB=Q%M7=<b&0ToxlZUwi$Pv`TozX
zq*>aK2*RcF@p~We4&h;(Uvt|!IT?~mrcX(v-ynexSP(Y=gOyO*XH#8Kb7bow__1aZ
zY!HTayl?0+mb@8ucbi?n{1Rn1d$l*`>Siq>u)n+?c{I^>X#f&4Y5F6{F=9-oje-2$
z+#qcDypA$xT&!4ar^3PFmMR<|+445PwlciQ%Gz@;y3E-}QsHQzo%|}^SK@~GXFRQ0
zgB4P`Ek8^J!+<4r6Aom6-K1A2Q)Ownw%4lFQ3v{+D5zB<kTwncFE**n&Ul~~lr0hy
z0WEq!6=J}c^kZ0Fj9}r72prgTvlLP&-dIvwQLYaRYlHGJN%Cl|U=k24G<oI?t=UwQ
z4g#Ossl1d3(<6IZKgMT3;j?(UIL0rs5sS8qp4L5{V0A^+6?fN&o^|<-)sE4xD7m>M
zq{a`KFqDV5OUTLPd>k)di&vnSYB4FEd0J4VETX1R0Fd7jH-ws@&e$4OcxK_wuZC&!
zJo%m;iS2g8m+?O97Ae-0P!BKD$gVhQ=nu=Jj+Zm-F;ePhE@ZjdocNU7yjdyYCs#ya
zU3qO5eV_94X0elAF!bX3r968{Un$4x8t8HR5tY9W+#xgnVxf|I`9dCqtM4oBxu(r8
zjEFq5IkA0vo^pyHwzQF(a$Xo|X>dpiddq<iz?<m;IHeHuL)z2BO^IM%V@XzB=>bmX
z70LI=usC#jxynShFVu)#(2y@?sCflsk}b<QU83lUtrtA~TW$@HgbF8a9J)Q*dkmCs
zUUZ5UVJ;4P5nopi)b1aOV>Ff+C<sIs7I*hKM}xzX);2^7Aw{52oVRQfk%zXD=ahQ9
zA4oJ)-S*O~hYE#%&?3TWV}1QtK_fHoB=$gM$3>RLyKWa|HRc>)-5H7O1q({L)4yDH
z8za-nLKSoVaM0T$;x(7DV3^b2f3Y)4C`b+RIn6Gf=o)7;wysKIS#_^K^Z3jdOD(vV
zzAVmHe9kF4+z`DvogQ7WgGwMih18GUG9PL^qA>zt=`k|*6lb0(3DY);bo3WWBM~>N
zA8lYU6_BqN4wpzgl6Q7seA{~dT-nr!Y|aW-N^_56>PeW>fxDqC{>4%+FR%O6I}mBi
zX9aWig1{v9qw-w9L><y~FQWAq;)=M1dN;l%A1f`SK?liIVF~_qqwO{a<!=7%&4Gv9
z`Zb{ucJ;iGU~A5gc*LlQeN0Rtw4Y@VjBO`lkfgar7q}huhBfNu|I8>%U6o=0wZos4
zW^QE`y1UV`A1-}UL9*q9-CbWvbSt8<ZQ8+6PCrzD!b`yF2O!Yvi{%_}(=#FaO7Qe`
zLU0WH@H;<Y|7s?q`~q9?1~Pnp;P@2*6(0m_g9@A`GIWgg?C#jgo(!N<5!Z<)f+MV!
z8BxQ2xDb;0+|6|dIm2t0Cu*QC5S=d4@;vcD;eYfdYDDQFzryVO+;~q;#z0P*Mmt?g
zf`c-z<b7};y7OQfF}1ZDFpDV<;K{UCneSo(-+B^)ULjpZ$b9=XCEOo|cF}~Hzl?Td
z8PZ;0a)@l|jfQtg5)PTjz=tdLYGcJqbQ?V1hviH?p;b*<e6ks6g1&FDIogn}OLk6(
zlt-O)chXVf@Jl_4ZEVE%hAeW7YC3g8e;`Y}LCY7^@Ji5mPKe64*wa8FLa_9O)`v~F
z#kYE!Q-!xl8|?Co8fEg!YB490WcAsc82D;sts-|MqP(DP;2O~d<4h**v09bAka6g5
zD2cZ~IBBy$D2Eg3fTEStuGUr^W5cFdGxZfDn~hDRwMT;foH6Ms?+rtcBhlRLK61vH
zdXR1rP0OtLfiH45hF^c3-B5vh%ipmP43b)MDz1MnB*qf}1760bBxjpLX(}3hqN@<u
z)3A$PdJ|&G0vEL!N5Z=5!M3g~3-InCEZX({?JZd*120#)>{sU_wjUZl(1Yk-%FM0I
zj*wo8i7I_i`b3@lfSM>tyP6YEDLiw{;#sSKu<z@vnpus5S0D2$#@?*XRsPgHLe%2v
z^b;E60wC41+r0XBD}e{+or&~kF$5(bb{@FG2|RNHauAe%r-6>hKY`-!1S-G|?5_o&
zy0^QR-v$br-(RchZ@ADW!{WydPJV{LQK^!^PEn@4uNU<ZWgIp~qn+N2B&ePRY<iO5
z$J#F>y?d4zaJzPGv<VS}9}}35Z>Ce<?0Cuw`GB~=+2WKvbrf>7WIm=?N2KeZdkf}U
zhm$+lkQWrRxfdiI4f~i_=Q^8NMc4qYVSdY&mb@7s8`DE-pMurp+dOI;&A)L|sw4eB
zI5pRULqn!nT}h1!>VCFHZZrk(32<EPxkd=<&DQ^Rbw1iOWx}PZ3`HA^A;<+Kj*E4?
z*(JrC6h~Ku8c`l&w;v}?nMq+PZ^}}?SvsLIPlsvyw@|9o9Vm>4rtHLvx(MY+IX+7#
z-~F(Og8_wyyncL4S#l(<8oP4OXNflRM?_U|xd`Qb;T_Z0)jLot$x7_lGF~pcPYW&F
zV$Qc6vf7c*Zl(a0S!$(XUlDi@|LAf4z`9)@i}R=6hEwXL_9oTO&qP7_s<P!T;*T1*
z!{&#jaP}8Ws$J21_Zf}2OX!UD=`Hdhf0<C>TBC|4#IV)Ml&CGhS-zT*S<bcbYxtDd
zAXLFd4?UrRrqZtOQY9id3JjzLL3?H}J}+z);U+phpHfFu;}w>r(1;FC&QJuNBo}yd
z%kbpX+wMri!c4pioI~nba6@13*aV5CAQ9ah{aq?;iAVKw7y_?|L*eY8A-MEIt+%3B
z1C=cX08K`nf-P&b2fP@l_zwK_BJjBl{QCW)7zos`?FatXP@aI9djfzP;Xbw77CON@
z%-=_Tf4+K#-)nkr-fMnP1HaQ~K|sZ~?;Tg*hd`5_C(uS(;S;i&;|mhf*Y6<q8mRCB
z<mg{70t2rxSZS3>!b^B(vGO;jx?Cm=k7E~h7<Ma5kp|AX3(MX@)PO}xy9;x+!0iI|
z8sgS|(KXth70^>FcuP-_6~jNlIfkp$3$aKpL!|%Nf3g_An=1$P^{;^aK&D(s4AC;g
zbpk8Q<45m%7WKSWTWmF#e41V#f-kmV=CMu7qm+O@<jM8=b!y{QY(m6$Tc!BnElocY
zGH@_8ivxpewp}L@cqBfVW;sF2C$)I!6RtcUEeb;*HXj#z^G5(8MFbvpXjlZhp_w1T
zG*%9LKD)l(qoBvn*&v<^<NiV4X7Pr$R3=Ii>>~bWldTqA%-NPyl-D+Yj-2rhlCymu
zv%QFO4RY0Z{@J;5GknbFJ`t@$1jElSi`RoFh6ECJ-7ArMo}qzJ{(#?CDpsdX6i)Cl
zk=Xir=IQ*T4PV;7sSwE3UWXafb89ZH9<U!VXKJ;?ZC<UEigp;<e4*Hp1_+*Z47^3P
zAPDtt9nsbb?{Me=ZHdMtMn<F{9812!1DCy?AaZHp#3`#bd&a(*Vf076L7_2A^a98l
zLDuPE67HBT5MK47%)5C_&vScdCDsCI)tnF&Rc>UTN8zvLWbEO?cN4T`gf?w{0b3=6
zndxrFU39qfg9z_dxv#mcYcIRrVY$unkmzg*SC~ujx}=fb@!QX0`WyoQOLgnA<r=TA
zk^lbm+{KQ6*F&-=#a7ZgQV>&M#smIJkwN`lhtx+rm3&b-=lwQ|ieKIR38}@>bBT*$
zb{4<OWuoGx;m_7zAbR(9=fPPGlfvetoAeTnd-JOajfLQeRc;mLUL6KGQf8Beaw()}
z)qIH6<=L=4C@1w8>uYJ)Dw@|q-k#v(IpyUty%L7saA<VHKrVsf@)fN50Sn6V2g~z}
zJ)G*MWhVRM(pQUSJDOx^;Xk&8P&PRN;xSR5aM@f!7m3Hh#uRhN&`p291<tE*-@^CF
z82wQU;FK*{Rct-Y>k?oRx{dXwNa(<%hBbGN43nOyYVUYZv+6lYNyJ%X8BgZ&DL{hi
z+~CQr8}IYRkXI*WtU{N{`sWF3E)0j}VU&v*k6=fn&UqQ<*Df7(=0!VL6aZs;wqe)D
z9&1V*_Tg|v5<%=CxkI&B0x4hf1$~-UZLp+m(yp&zsf#^Hn6Ka!KD_6<(#&s|f16OF
z^2XJ!e@#NAbG;U-bC(?%8jFip?ZZSErI_A93L}MzTq4o4Of^I6pwJ>|FF+lR@a0qs
zf<)H3HF{P?Lwq?G%`ea~QV{r35o;idA3Q<Cm`*%*PIReV7O3*cCzOfiF1oL+6#C%d
zc?%}VlJv<Vm|jY?8A@^<&%Xcj?Pqn}BsQ7K>p(US)IFu=&Dii$LycG>Jp-@mMsYvI
zla=-Bx|?|!0RT$@ejMO@L{+JOUy4J@Rff<59Ho)9`CvKb<Oz#TUh)cEB_wbyF$}0~
z<@OS$l^1`EUT*i<D4S<;^T#0F^w^h`7?hyE;N6y)?6%gNB#&;*b<DBn$%}>fkaJi*
zY~ynub70A&ZjPWxQNDsK+&6+o&w}f>s0rZu@Wz|^a&q!DGzbnTw5CEt!Ujix%CeV1
z?elkzWY6<YliDcs3a~~pUAyJiG{;C4P;k)wgE;8>`$Xd*e5HnX+jab2p&FAa=aZpS
z)?e$Fj3tJIsypskdD6t*R;#)yQP$`gA~3z&KN|M^w$#k)eQIO54byP6;j5)_rhDHe
zQb?4e&#FK<J$iQ7CL@&YQ1|ra<X>F42!h?h+Y;htXt{|R9iOK@W7s0$YZ*f!RzX+G
z4v<(UNP(<(4~u{=42#-tS3m0PO6g$mPPV1_V|=_Qc-qU!{s#5%q6=`mk)7@Gdi~ZW
z2T;K_T^)=P*A+R3j*?K(5^en)4;WMeLy7F2k7OmL+oJ4BlE7`(wxq%=ibsn>5fPH|
z+{-@U+UdpSGCSVdp=dR`ZaaS80e-;#LMq7y6fFL0OGc$;=XGC924B97_^ccD8fS!s
znuP#Jkqh#-f3@|8O=;-3old`%NghY`g*>P;U}@idfQ$A&uU0@{YYsl(>eu9+Y~%)!
z)3)1aqm2DMJAXWeVQ-CgIvofp!D^A8MN`pV|1D5XvcXfMOe`isLEtkwoPpr&jI?M<
z71E{$hE;qZtHm0;_$BfdO%%xrGc&U9BczeJ64Do2tyB9&unhbNyb+iKz6q!UZ}cXj
zH-R^=eyg8;ET31vC502Aud_t`H|W=aryd~O-p(9QX!R=>XYc4m+-j*xVAGX=_^lE-
z3k2WBpoRHJq*mP$*6I|e3lDXOuVSWX5;V{IPR{KhiR<SiCZ7QYaII^xTq39#2Md)k
zErRlB5;u=)CT?bGPvmy%8Lr)OF{MkP@<K*3iea8Ex*Ne0hl(~`kc^JT_Sj@dR(6Ch
zAFN89sBItPy2W^K^H&=!d(Lj#$+oys)!Wnfe3pE*Z1O2xhiVrLl3w;7*_@P${ek7Z
z>|U;aZUqhmg+!KmK4tcCZK`vT+4--`asyc+`-RA#(KUW-i1O7xoab5kamL8Vb5h_%
z?<<7R`4vl=7n`IZP4+vIa6?Z2shmqc;m&t;@uoIpVpqOE{xZYimDN8o8Ekqk#q(gX
z0Z?b>2~T?GRJMe3FFo?a5)Md~*YOv`b0#~}x{(Y#UmIMcJEGaR^m9_i*X>|)W*<&r
zlpX@E=Fy8q3za32^VDpteyP$t>E2Lk_}_w!v47vDav+$--^=c_6L<*R9TXw{u&-VH
zWfbI7fs>W8^IMTL>=e<!1Uf5&l396I5mobkg2p!(WoMxY<6t-2Be`|LjkzIEe4n`u
zE6(zs-kl{rN%z}XqGrAEQeXGx9q|P+R3gemIEtuYXZ(IM)b&W$WtJJ#R1ulBlWr~w
z@l!?fS44zYAE;Xy>T6at30(ErISt=Jqny7oa>(zYfSzxayU_tqY&FZouqE%LP|F7C
z(<R2-GZ5J|7SF<<WxX0F(e1#vE}dan{{z7+CR3!!Epwad&>Wc$Ys3AXHLi4ys;5SU
ziWgb16pSDxbKIBY_Rz8W0lC7}^T{X|K;u7vVa5M6gxF7&gydLZkrdU4`A@0Vz`aV@
zi}ddex7yx(S8$Qc?cF$6w{s+IZ7&Vm0l|W@y6w*w{Pmc~?YjJRDL;uG2zhc!0r+$0
z)G|A*XoK1DeTkn`bz8F$G;jP_6*_XD{8?GJ{#2XdCQYi&>cb!_=Jz6lnw5WQ66gaz
z1+57554&kuS7-_MzA|3JDIrj1o8WbK0i&ri-tw6S-IuhoQ}hfex}|xGvX1s5ft$ui
zj`J=MbGYyt*J18wDap=pZ)sxoD<J+detAWPjOTXZDwdKzzcEVj7SKU20S7tpJ`zc$
zaJEL5XmV7LXRu4fcpC%${1wnqTTgIjK3S+ZrtB<KY6knYL)5Ei;*Dad7xCRS3f!Lj
zYpUn063;Lp%&1Wp_~6Oo;00<0qng$+5!U+}SrMPwRmMTqD`Z?|NE5C0L!Igwq9OI~
zQ1fSyvV&S&Q>PtIe<2R^1VzU0NpfDB!}+wpY{nPq>cJ^Qt@J?-%v#NE!`9bX7`L{x
z4%A?`&=8xil=NlRgd#As4PT&1W<ETjR6g(Q@BS16?Z1G4H-S}v9tYTw)if3#T2;T^
z9Mu+B^TH)*ff?jA7%2^p<T0RIPwa)!=uVogL%L%mQ88d{aPmolR~6@;qsSD086M_z
zHIZiqi98cQTQU-kntdvw#?@QDk}AwaiwxYu!RDzm1OfTORgb>9wp-9oxJSHw(#uL5
z!=l2*l7W@`2hlB6<YhbaOIY#sCO-h0F9GtUDN|jwTE$p!YMtS)cybDs-@nr<=KB=T
z{;S#LjSr)X0bh{l6pgzu9fe->&R)i?tZ|xUHV{6->XmN>040oRTz26x-4Yf_<qvG1
z&MlV3+EmxK&HDX^5d*|EnKtBB^l2nJQNiu{xt48~7IE&amaF*N+)b}@K$&z6i!IkM
zX4D$!QNQh8y9V#e$@dm7>c+H<CJD!_ndGXT?;85m&lG;;6wjqYRMI^y#WJZsUuv`?
zDUZTR>-Ta0ygG*(6qb{Vi33$bE(xhY!$O@a=NgSoVdgAm%~|QKY9ad?^RwC82hW!n
zSn8IUdLUZzgukWTG`Vt8B8$juA@@ihCK>-cP=_!b3%ULrRM+UI$&wsw;F2JW#JgfP
z;V1?PNg?_mIXGR1AUNeG%u*@$B&MQH51G~-TyM=n2vnE9q*t&{;WOQlJM*nKOIZbY
ziO+;2?wE0Iwx9a)l(^;FPZG)qCj%ot0@r<)DY?a&$QasW&@X@nfF6NU;OF<7_75K5
z$<BoACeZH9Z}qDubI%UQ(Er1K3kU$l3v7O?fF62=>hAnd)$6^DZvHJy8d~jj9@Bwg
zmxX%JNL813?xtUEv!$XPlcm`vNj%kV41MHRBm8_Uq<k<jHIzN@T3uf(h$NZLxMzc0
zz@Vn1-50Vo*6)y7D}17r;#9e;pTkb(B|6=mbQQcub?3oRpxE@-%^CjC&$*T&H>z|%
zq!(0bi8jKGI_+u^G+qhX@%5b~ke7Li9uwmtW|6+?!(>?FzQuGI5JQ~MRK#0LG|RCf
zejjpWCnzl^IMGpji_jAtc+Xx-&*d<&x4<;rU#g4-vbu8rCO><DO9{5M8;hn}FNJQ?
z&f@fIas2%8NLe2fC2mk%a{WB?>c6ixOVe-D9V)8JRbs(<fu}n#mkohU*71AG2yre+
zMr*-+Sn}LUFe0Z&%roR5$<;|IkcjX|dWCWjo0Hd;hWt2Zfj?_YlcoR<@>(`#P1dvg
za7<A}m!h@J<~8Ps?dOam@j^U)!l$Z0C($;MC;X|cq|0)p{DaUIaA@!7Z}`8+mnbI8
zqzjo`U9>f0%fU0tABb0I`O%XWh@ANa5oS3h?jN7@qFgsC{ktG-g1>d!*OEfbq3G(u
z)0}<_?cE)NuSZ}83BW=hB^<wo&|1?dlq6?qq<*#aO_aDu!ghS(Btq~~WilMBDXzG!
zuKjUm#-cU8aeoJ=!T~Ejf=V2i6nRRuqgp>0c)+WDC#V1d^?}f*J;0uQb-=gtiTwJ%
zkA^<0fQopEbihZ++E4J$y;mRrp!eVP1Jo53Q_TfhJxQR~<ZHIYuMd_huP5f(;pkvR
zl)__57a4T%@cl4J4pl^WRc+Y{1k52Sl&HL-H8aKSfU7bExPYVZvpjzK{q#`{!loe0
z2XOc(5ksS3;|oL)JZOau{)3z5H_SSx^MsQwe=b$MKeVaFcPb<Xn^j>afT?VMII^Mj
zGf-Dkd5d2cJ<?=-Pn~n_-QC^*<Y7ur&45>0TH?5ci;IP#6ioG;Sf9}?4uOte_l$=*
zYCt2NwK~}?Wx^2gVMWI4kb`4ow3;|zp8mX51oXW)PW6)qDkn@{EB3DqB}vw!uF*$&
z426d<)XKoHfpR@cV}q=_5x&XFzZQ2}573U7zX%t+dg=*iEXA$PeYDRwO;pmwJn_-m
zg9oQvMx=t0N-r{=VGA_lb1~zCa#eT{rtziveG`qoDAiEgY%mJX+U%TTERVjeQ76X@
z>6iYwd0V2<5`ybP3V)=;W|(pYKQ|I21^x1P0Vm#Je%QMw*HM4!x7dpHDAGYdeLj+B
zG)^xlijlz(a#3L$D|`uae`cYK$lSYIlpmF%D5f{RFuF#GzLw#^Zmw&~&l#DJ7p=G&
zb<)gfmmpQx=BCvmv%85HG3hIKgRrRb)H$9z8(y~e>s@cqJT7bY5t5aK4dppNB8(ha
z355?$Djy>%S0+s@U_ig|+kF{)`@dekO9p5g#PYgHTI(zY()r*``AgZwtiE(NNUYb=
zK>Ue>yPT0ZA$PS3=xkXN?p77?@XX?O^{Vc;{rB9f=0sA+vSphyAB*ENmlPuIpGGVc
zz1(kUZHR6gNcHpIi=%=yB&fX7f&2ILA()Yh(Y{<VZC#?`v&NyjfaDp5o}83lG@%nB
zj5+%<WH;u?OylO17Uz%5b2BcOhO6ljLMm6I^bugy9X=KP)#OX|MJ#gvMvn|CT21da
zp|@e$6&xX%p<`KvbnnX!H=Y57PnaJ5F1beX*_aIE-1qZpqC-D2DY8rh+!3^t&ekF5
z6MJmy>_PJr^_y`O3l3Hg>^OBhuoY)YJrJrV5O&icA17%YOO_f{v!*Z>TWqa;s3Oe6
zYf+IWTaISiS@}9M|1}yLl}xoU#B>-x53l%`rLRpf8VCDQoA@wbeUnvM(tEG8PY;xy
zBqMpe$Op9AKav1new|V{_D~6#paW`(S~ur$Hkl4u^@gw%OXNvNPAcqJc|>u4L-W?M
zrm8Qn%6}OyT1`-5{KAY-HWfO(x01lGda&2)B(;E3Yeyq7k@$NjtQToPRY3T&i*3YZ
zp$$DI_^XfQpOS8K2Y}NKyNC3Bf4%JDx4Mkg13^Ech+A=K?8%2u>*pnA3mL^?G;R+P
zGo@GcM!ji{wM)FXD_-O2Sy?MPa?#fwK(A*97+D4ELcZQm#8~&>gIryg2%aL_PNkfn
zAhf;_BD2&>Hl3clM*Xe(&vaR?J^7|rGRtI98~}-9A!fZ+Uey3&d|Yi!E%uz{i1II*
zXnIXNeE-d@cP~+7EcpU1Z`%Rb;EZr{^-SbTTE6z+Yoq7tJjmnJuy$ZQg}$(r&sAd6
zo$=Sj=h2`WI=N_<FY8xI%GXz=NZYt9TLgX4)LLjN-7IzQ=f;c7!Y}$J_qL;r+-3jG
zhSp8!&%)RN$Lns#Nyo-iG+9bt6xQ@PA9)~%9p~KeQxK$?YRl^4P|n^8s2n4Yq+K26
zh@5`$askM6XJ~_Y21iT;SvoOCm&)^f$adY!0Stg6HrjCo=6IO-@5kGg$49Meif8P^
zL&RAu`!&Jb!L(AjWJ1{vkDSlfen-koDH!QAHE&-e65f%m7sfTaiw6#>4!=t%2>dk-
z_a`UdpaRLZ_uKnLx=H(MBq@D2O0Vo!yx!`vO-x9?w|{suN!FHKh1w3Th+;y!8MOT~
z=O8v({7oIc`+~RIpQ!^8wNQ=;c#pO<jCr&duE^Mg;an<4)X=ntCSt=gt#iGir@FgS
zT0Ue=^DmGaA^E#RW<k&iyZ%>xYUn{B#$BcWYjWoph|_gX1<HhJDdf}&-k`wh7arY&
z2^3!%R7n$WNv9&gI2SmALvBWz49+Q(dZO6RfhWJ7Y+&8f_qMO9LuOO?Uq)J`f#`c&
z$R8D8u|Z@#dJkn8taGW}&;I${Y%t=Rz`eSic^KB;<>uYadM7MBZ^Rb|tZ>|{9iOv#
zGcsoqqceIA@8PIiSQE5hef@wxa91BtHV%yW#=vN2l{x-DqqlsphBh_RqC-0Faz*_*
z7D@%yoAi!XL9HYZ)fVbk+~8?f;cH$)W$}0oO4sVSER%ub^4+Z5`y#v|Z4q}nd!ucY
zknvNH+NJ``XV8VhnEf?>VTiM(nz=C>alBLjfr9pyI1I$_eeu>T9bKWTBwG(^xbTOb
zsK0|5eY3d1r3?qGP16FJLi1Xj8jh-XM<QLKHO$ROz1D$sZWwZkzB>e%>W(n+DJk?C
z+(p9e%D;aL3I2jPLs2(?p`wB$g%l|&<_}<<uTlb|=_33I=N)>7_&UWnus?a@@r|IG
z%xatY0AxAMbP*h%Qnkdx=fEC45)IxO9lYZad)ll?!DFK{6+WEr*2oX)Co;TD=`aa4
z#`LS!{GzRuad9*ik~<{C-3;CDs%TLWH5W74*qk%{S^Q^bhCy_^`*Um`Pk|JeIo5Z|
zB=^(0dfbG66Yl<6#Fg!H>YY#ATZ}=0<If3`?A*rzH6jW=l^8L-%9mI<hx}@U3uQ&?
zHnjM4YJ^~Y!Si&x(b^QJU6i0O_{=|P8QvE$W`QA~B@%#=;H<X;Oqh4EZH3vy#DvPv
zkmKZMvu5HFXQ@i`Vf~A%i0>WepM>YR{F&MLV>Ft$h2*V$pSZ5?kuaVC=vu%9pW@S<
zKmK*#+^qRx_3L+X4j`ZpEQDBqikGyr6COES?VDYh!=9VK%FxU+Z%AG(S-wX2pn$h@
z+8y@b=YHsr%D9BF*p@+a!0_hR*k$1N<byJn`H<Ikv7)@BfQ-~NE=-@oVIb;`BzqeQ
zAd7A+UaG6wsmYmwCk=r^#JRYldYnPc@41#>{M)r^{Cdq%x>SDbiTEXIOp43FbkWB;
z5a<0@xI>685X@n|vYm>LuH}nZ_{m3r_Od^vo8xn+n|M7;%7-Mfgt`cA0Ot0Hn+z8t
zW~C|E@>;HEfr9_6bHfr&7U7tdp^vr^SG|QcNvwvxL9#2mw?W0M8QD<rN_b3)Y^pHy
z4cj>ly?H?K)sc4Yv->KvkMZeE!+}j9e@EswiB?b}7pO-BIkL{Pbw(N7RJ)6J`*A(S
zT0k@ZjV`*mM!x6bW%TJYCIq{t;%WY<FHEV2&P6`+2&1~n0jV3O>=!(;9r}UT$0Uup
zD)Ew~wn@k=gUJZ-qpPE>wK`t$k)vY_Qvod}{~uT`hRq7vn5i}Xdd0x8-`UJ5lm#IZ
zm>fHt=wU@T+ssqmE){rzdM{NyRyT(JccA^h<FFe(S}_VjaB=Gna^8MyX+3BT8BK~@
z!t6|<&_Z_cz<4>w+DF)fncY!_J|L)L=Eg%SHh;y5b$v{Z6w@i=TeX{S#3&lurS3}S
z67$wC&}IJ)ycoWx(8>dTgFmZpKSRSHbMx{*W`Q6718yw<!LNaW$bKJwcHaEW+TTL&
zmH!Fo_4YnfZ-+kQKmT7wXz#adFs<kP2K&u%_kZ}V>UThFBpdxVdubY&2hoO<2$G0w
z_qY)(Q;sql1gQsup{>{s>}@$7&Qb0yx1u{-(s|BR{~{GJmAF^33C|ji=h_p;b`8@P
zO7}XSOt@Z&i$@u=Kft{4vpyZ(Q@NQLx_FLGifu-b>vbe{SVY*AUnzer7eBZr!y654
zv%WI|4TRW1dhECcJer+kb&4h@2{(;dj+rmqQGw#!yHK+L);WE+xtQxzqr&Ax2Yx93
z^x|nhF0t!EHfWR2!fyOEQQv>d=<Kci8QMgXN|jKc=d(dIW6bCiXtc_20*#%WIw>a2
zKS6*qi275T`IH)K6LEQFirLJi0lSg0fs8tFh{rNofxW7csAL8M2)Ixu^t+__QyMUm
z9UI@j|5dgGUZ#3@<0L<YUCbbCN(g)eaW1hY5KL|s&n0M=)lX}ad2_jr(8Qdh6pm?{
z6u(^bc6T=CkR*<%`^|0Z$DNx4l-kj9)~LH2?3ilv{_Oq3Wxv=WDf=9q51R`u;SjKc
z#KJY3owT?NWgyHWbsYR;Qfvh<skL<ahvukVT10BY>0_#1tQ{XB8Rm*G;zY7Ic+&I~
zNvX;G4{J3DL+MV}ytSs)YNd^U&b#X?w&IU6e_4st#2A!xVxZrTH~1%Oj;QSCc>RFi
z9=Z^&IuYFBl3QVYyQA9NlLqx8-BFn{{BsFaJ#J+#e=G}wv@2@kVQ#-SV|vEFY9Mp{
zDZfW7{{zq_0in;o-SaiT8O3<;Z(J8}6defE`}$(g|H34DbbIExY3={Ho^T=HJ&>+d
zv1NNlBXEJA47>D^n1yTp6o@&HkiNK5YWWOW4~cMdo#ciC#2<JtTUx{b|GVTO!^%=o
zo-UV%-x?-xg4PDmgK;&htS-8I1V9Pmm;w50i_C6*y)6U<N&jO{a=(Ylu7n2Loo_iQ
z<C#y2-A5R@W(#VSMuqU**RhY2qDEO5p}#(jg(WH}qtbOF<EYkKL<+Wk>DmSc!;v$a
zco0%}(?>DV4qq+IR?9g0!Var)>7lCP6PJ-kseW0XO0G4j26g7XXZbx+TKM1(d~uF4
zX~OWOe8?O1IU^8M{?4SLW3`eS^9dU-=Ce+<IE`}$lbVK0maY=602M&=#0w9l?}By>
z&(12?v)uBqop>m9=2Fcczs_@M^uXxXqoEkRIv!2*Mp;~Lv&Bd5$>^-B5VYfb(ZKm9
zsJ=?lne;#*Bf{uiSG?~pjwiSNV{OZ+_n=|`;q6#nc)(mKq4byxdlL6l+IRfS7N3Hg
z)oViHBea<-@gRku;hYn0b2n@C^dzX4+TraKaGaczR~$!uJ%;pZ%Sl5u0Yc=#lXSvo
zV{(o~%xPMVrSYj>@s!1=Iss&qaVCw&v{d6WR>?0Ld`tVft@BhES;H-jS=-`3-<gmI
z1F`n=r2&_>d0=fU!B%=ka#oAS4*+N!Lv;`of&8yzzG-fl06oy}l=uG#$iv@RZ~?Tt
z6<`mbpU3_GU~U~i$RLL0*6(UM_EQi-_;_a-5w2*iUR>%6T(CVcravmstT)%X=!kSH
zot(oTDV~=OuH~xeB9lwoLGsJ`8Vwwl5%Ttr9xM4BeX|GEtfBLb^;GvkV9>dgI>zS{
z*GGuqCOEB}C5HLRYMU16i+7Z@;)raJ;@`;K!rvNm^_IpN9ATX>uq%*I%+VvBeLr6c
zlU{0Fnb`YO`uu;WI>+d+qOMyvNn_h~V>@YM+jbh;YHZs{W81cE+iuKr^S<A`V|@4j
z8Ryp;Yp=cboX>2_@I;(8p@KyYdZRXE;ry$O+O2-o!O$6|H<Rp8UAC0ItNZiAV)rRB
zp)L1waqvqo<&9g?YL=0a15-$lmoqfgE2z5xb6Eehv@kzZ2J~94V2zke+crVT*KoY-
zhRzhpI{rIWy;>I<NW09kFbzqcpXd#n$Mtgn%iweGqrJXw5>ubA`5WCtePhI?d79I(
zc18`MHacKYCK`m*PtDJl%6WYja%j_i=Eb5tO!qNsL2MRbjEMi%e4BUM7bpw2xtzoz
za%wT<trg0mY@5H!e`~0MgULE$CROSLtuVrTkGdSdG<z-8b`MVq)4AQ!${ooKT(XiT
z50|`x@nWbuEe)os3ams##Syd<1_)dswJ1a_!{V6B<Lh4pqQ_Z1Vyv*R_G^DdY^vdl
zlj-M$=#RzR3V&80D1;C+2OB@iUJcRWk63dgvt7bJ47;IuKSCcWCOdlhAzh^&V6olb
zE+x#LGpDbW71J*WvRt(T6EtQY;m5uV-T(0%Q1uohFp*W2o^aY>KFQ9=FLO^eAS~*n
zYEjz26mV+{+e;I1ItJPL#&Bx+CT;xvUE#Wup$pT;U{CgdRQ}m%h!|WaF<14rRyKaC
znyMdq@<IoSpZro4uBzfQrh}NI=~AG1N_JfPH-*pMVuzPC<6D?)6`7S}=w0Rdo@hjq
zLeq`<?`=DpPpI<X4n${Meir3RQkt}Np{XibiBnWJrCIitu4<ZDLz#hhM*M1xIGzKc
zzONz7EU&`;Ay-1E<*!XruBM6(n1SgmZAL+E4TTW`YOBTs&2-@b%<6DWK4(L<V`FbG
zkyPf)j-o&wW+CJ;e85o5Eq?#>9>+NO;76BF!>ExX6~%nwe7!xCU?LL-GtnT=XwCcS
znzt_P&i7-!`+i@dHI>|!+oRblr5{UzEB(zM>}CT~FVVs5gHxQ2Zp^*D`pE*vaz>7E
zqu+&$W6;9lDzRp8_O{c6d!24+ip|R$+O#OA6q#M`2hA2-0v;!Biz7?F!Z7)4^0zrT
z2qTxvp|JhK3Dj<jN_<|L5Ww8M>kHm=`|Em|h57mZMS291*lx>;sP>?9Km3u%Wx#x|
z1uxUG$V1MjzCum0(6?Qe(e!0en5$9y_i$-eRP<XrQotY_b^<F<EHVBPN;hRuY-zKL
zWPUfv_wRvaaXXXB)fTemM596JmQcBDBVXs<CvbQTK-?34fvs!=5_ZCol!?N4!hd@R
zx+;@kQG3_F^A$Pi-9a*)Pfjhj&Z13n5};4qH*LOZtz7hpRe(l=i)imVsuZNJ`|mH*
zTNRzCZrd5(>=_gISuTLq#?N@*^n6G6G3m{kEs$1)6J&nuU($M=*f<g?UaN%OEwiSh
zCqehP<5TZXWXXVV?!LYBnOkOvcK2caJ#0DZoHCOd`Ao#5;N1;>3)<mUcJk&vo*uCE
z4skLX+o>LJY<>M2bIrAa#?daPoqQb$QKD`$<vsK(qa{M@eR#G`2)u%!bZxkG0m~M-
z)e`SH9NK&zNiGXLf;QtjKH8ytqWqCzht2SuDXGJsPFxrrZk-~2!};iQcPPu_Dy5t1
zq*MDrGij{^wlJ2}^VJe-3bZ=a_#-UMlMBO(=^lljU)fI-q4}b45KZ_89Jgdi{IRFj
z3RrG<VJ#|ug^4rl&$}e>%!TDr|AqtOW!TS@XN6USlsa*2B;k3`@I=DI+D^sZ{(W`i
zJbANWLlVau3m^fimCfDCw{Alo{ZIYVhELowjlw7@x(%ZvDr*-k4}Y}sZ)CNcDWJi*
zgMx69pbI)W!=1XkE>JZdvl|U3O8K>)N6P61?AsCXuyeS0#{9d6Uq3zIOjurP${#LV
zewOpyjiF?R|HvBq(?1p{@6?(?W92USVud*`u`4Q63MUVMo%yOge{{D1GT%-Bp#49H
z`!fLS^^1hR1Vk=EHvBKJe$D5&FB3ova{>tbms9%@^6fPS<@2mtOSpaMzW~~AuZSmr
zN;c5({0R&4fBE~8fZr#f#dA3@vC#Or{AKuM`*tFb3#dH<t_ncVw+Fx%Q~3Zud1W91
z{UT%scfZ<F$LYEJ&tbL!pmwV711mt!o4~TT!Esu-^SrFdeB^kkilBz$e)#I-^Rt)0
zXhIV}r8tgjZY+egbh5;vSWFb{tUJWKBImAnAL>CTL;G*<-sUyC16sGGeM4bf@>S`e
zr|5g)(?f<UuEX^*E6p*foyTy;Y}(eek}l44p7zn@P&UbC)f{>?KcS2SXGo&qpMF(=
zcFRI3)@OF;Aa$;B60@OVB>V#F(3U@$Alqy71STYgT}DbQ>?IXND)EA9jF+so$(XkR
za-nBGu{fy9NU9*u&3M6H?8e-!Kq5z(h^oeSW<vxFN1G&DOowE5z>ZgVkY|Mp_Wsph
zhobC~%$r#rmMTzRxlAOqQ+7s4$f7V;wB93#8h=vjom1s_-}$Jr(xa2i+?<iZ>cG83
z;KrJthL3G~%XxCT7$&lR#1m2D5U3{L#Re#G>$LuYmh?1dKz$P6IQ-EbD)ZYynTb`R
zqf5nj1_oH+^k<(9uwiBv?DwEVf-o|^QegOtSl_^!VV4NK=F(pp)M6Ryk%Kj6zt#J)
za@+ul=WusU#;R96(9yyK$;Md)ifaHU`ruIwY4Yd4f=f4T^*fF=)f(rBuySlg@=N@o
zIf6KUcxlW?mdJZIwr3X?f9-sE5;ncn$*b}CyJP?xx^nf{E@S*tmOnLd=%Ibg1quy&
z>X(S={T_nKr+COi!EI;BP~&mX2V9@XpRddZ0KE%v*ag0W{J$KCPsr!59EfFr$2d7z
z?|<FOKIHl^yg&_mKDq(=uUrX}d%{#e4B7W#TWV<L@qaF6EuWNbwL>Ofmf&{=3#@MR
zzObW=M#OskP=$pzLQk_j_y^#_{>$r_OedIJV$6Xh_~<>U$eK*7^(>w&K`PZWf+J~M
zT5EdoCOexrnynLMjB7DM|BuJ}4KdS*^Z3c<9n5jM_0B^e=joxX`pv($VMwj4T7LP)
z!sIPBxrqqh!UCf_t)s7iVpCPHeYjw2#xM=K6P+Xej`|Iwwc~hgsU9B9jzJ)OJ3T-A
zSXmmZ(J>KgigSXB{Mmi~9HPKg0Q~e$$d_!$wOiQ8p#jvtCAot`sV<6pt}a<lBqBmH
zt1D^?k3K?GHXZZGnTxyu)83-l*HK?gZ+{ksa1;H#&R8COk(8sFg_y-Xa{W8p%X59{
zcHe_8*YdV2+U|A7?QhfIT`kDH*h<I=t@Z`yV`L6Y(`^mRYIWoqKMqd^tFDgbvvBO?
z`jAM^7hz!U@UOHm_>I7^XE7IDPR?Z?<-g%#x@SlZp+o(SIP+r5<*653H_Pk_jPVM~
zjb}s_#qR!7mU&5${l)+z4*J96tUP3Myn07;G?kOW(|&KcPVTq|OWmzJH!OQUqfALn
zhI7BRZIT3wY$f)n>@Aq%0Ai7d1?V7Uoela@g+3%}zKb-S8rb89!*8%0X`XNwXw>6L
z1XdUB2T4E1$gQOmCLQ)0(m>NM{P{9&NnQ^FCJbZ3VOLoh)$lQ;H^HBfz9(byc4KD*
zvKLihh@*3-)rK}0>8$e`u|L0^G#Rm44@tHOvMF&9R^6s;QoFJnOh4hO;yr_&^>5Zf
zQhL$SpXI5m#HNw8U>L0NGPxI1k=+#jw`6C%fx$fA<8IIoUrJ2F13>=s3#bvm`F;nG
zh+M4>e|1Hs|8_;OFRk+ROU!q>Pge(G(N9F@PfCyz0fpycfMdQT@BjPm<@$qxI`>nc
z6^RrGDFghTd_(&MKB}{rS2({SQ=<Lyvw?>v4g}{<$O`~DXq?sksVlI*Em3Vf*r86@
zNL)fM^W_#lJ^x$pt5cwUdP%F%NmLfgb(t3)gWjGaS9|2$T8dQn>4%d3==9Y?rkCaN
zpUiZlpMJ2U6vKg|^mG~!K14Gt$1@)FtQ_w;k^2+;y)3y<voxLED3E#w%mPYb{P2i_
zvL*=gr<?kIKeY-bsy#!3974F_cGq2xxEhq^NNw-1dQ0g4lyBA{Y^lw2xJAo4ZKUI`
zM=2eTP^xqZbC{F<AWN-SP5luj+3BRxWs)`>s0>Ip{9fYiRS{sCaBnm$QXLxrq4eFw
zIM;eDszn=)dFCQ*{|vSfv7m`Kcmnwjxe>ij^dP%zxCx#PSzO1(=|wx6wou)w(Zheu
z9T#lIw=<NW2J3@UhO1-T882bTek^QjRMUCG1VM7Xs(f094iQaos1SLkZ<S7g+rWsG
z7CXis!A|g8RG@q^O_>aye(W*0+Gth80aq_s`@9uYwie4+jVjc~<U?#rF|iq<FfP%S
zT(y8xQQ;=vqo21_kp4&{LN=nL$^6%40aDg<6yw=6lUO*y5}qZSfWL^)>nG9|wj`sx
zv4AFxEy4>!#qlxSPl5k0{FaqM{P`ZE$CE<A{Lxu%Zfu)MtQ52JoEiEjC7We!nThhU
z?0A*9yj;y2j-$}!B&)deuQR24h(gyq@P}^qx5R0X&o6$#S9$GTzr}nd(qA74M!pkT
z0AJ@dF#_=3y=(;bZ~x15jP>pQi?Tt=3%s-gq|g^YmUd_yAawZ^)B_Cc=6r@QnMC1z
zwb<eRF1`qNKNwDdMc+T4IqISDK>vvVBap%QJ`X57Zf*ScZ=8E~K>suV`U-^hZCx(m
z8)XIki?Ar2Bw;UXRpM$&X&~1<sxA@M<B%tYeu9t1CH~+YpFBV<l(bp+iR}l+uLM@k
zA8PaCY)Qx2X!}mds^l*(dS-ZV9ag6~eIFv-?~3KshMY&xZVzK`AgH&giJN{({1s;O
z3%S5*IF_G~rSfU7ZY!6isXw>;X#S<-M&JKtCqe4BK_mR^83slOo6_kn2~Jt3M~;f{
zMtyL@J?JBSHExkw^sm|s`|jnWZkhfeygeB1@iH@YBNY?<uuMbCi*GJ*69#<aqN7qi
zXlEeou<_`p+<c;>7egB2CF|92PkGuXyFD$wWv+@o%=p2E)qd4`VMirs;a`CDqbpEV
zrQ$hyY0@ODNq8&9&5-Ya=U;7PIR-^;L?E?fMY36jSV~*GSJ^a7k&ABK!Qvi~ZJ-bV
z-_%mFPyVB&sxW8idp2>DA}!|^79(r3WzzTXog_Q+Sh<i?cv>h^Bj{Z0){AR%#<b8S
zD~0bwQtCZt?$1mf&y6Vo21uC2uln4&zOv`FrZEoliO>E{WT74W1nib4Z!p~#Ws|wv
z5HyduEd=6+O}UYtVtV1SC(HK(;*hI9<?OCR{<oJ39UAcLg8tP<vGFFWaM>&I6jJU9
z5nNvLVcP>0mXz~gbj%iagxg{x@7RL6oy#1;X@-qxr6Nf&=*Bgs*q{1P&tEC<gu73A
zuf898e*l46Byu2x3jjOvMGo=(+;(L^N(J5k<p0D%3G`hH99%!?fzAM^uuT6DzbaAx
z^R#>FM!U!UE9w9a&mP#`J@y4T284G>GCo38hYAj)3TVYXyP{=pJ@qiVi9i2#&0#OF
zjrnw<AfGK+cyP?3qc~npQ;oI@kv8q3;&u9+Rh2?}9BMR=%5;nzjV0U;!QNq0DAksp
zBIq`jU4?&#5Sw{a&1$&a7Y%Z9R44XWJ!fA$DC&_x+jB@-oq;Il_~MhvpYlX)3xPs>
z52zfj5Dh0Ts$oFqK=EnKAyjTy{PQ^T`icD7AabLo-{O*-o9vsMW_W6m4)&fo%geR9
zC!X*?^<no!-_lQ{+)z8l+R@S#yT~Xgu7YGwZz{+%K=>Zr+#7;BT_KPuEQi%Z%Q=6(
zm{Aea-nAG+Rc3!|yB;?u>u1cYAX=e!+YqO{*7DH4_%505RQ%E8IK)O^!$SIQQGWYA
zJTL_@6%f?8IvP3;tJu!wW$m;MNzgP=4aOIb`3Yy={rOXtDQQ@)HtJqClvv*RDHBGS
z;q&@O4w@Qdl1&2-oSGT=Tirqp?NxvK5MTSR$EE8!;s%)T=P4@1YQ#?CMC7pPRw}8<
zK=5)er_VoA_xB<nzeE<!sxsh%baH+!N22pKBgbR00-G@NHKaG>)Pd)Kgh`2S&+`&c
zm(fVt-3ZZQIeRQx_SEZD@!l@4n)QTP-vU{(d9~w${8+c=&%zvIVh*XQYxmcr3xmBY
z-7-J)puNce*pERUdVfhC)?P+F|7vW&xAPn-b=IvP<>M9{!mB=u_x)u(<K2l`|7xMb
zau8LqUmDq3PVc9>e#xG$gU!PMest6b;toit$KFXj4{fJ~!`?-~Y#(QG&e%MKZ3PoK
z>h!}$EsxwV3tq`#6tfKPI4AYQ=~ybScRdV3NI#C&E?~u;1WdVPGU^4Z`1Gx6#M$e4
z(e|>27}D}oXRB5U7eiX-R$1^mW1yRwh6Q*N=tN@Q8!%9h<59YH)v58>xE=bx93>0s
zCJBl~)k4(igTJrUEXoQRw7LafFYW`dwQOpu1tfe<q;G;YnXk@0Es00BOw$<kGcFqA
zJB2b-)MgJ{y7)Weq0?Fj1T*A)2nKegj=ZcF30`v`5>*A_l84~s0wVHjAk^4w^3ftR
z;{y#dD!ZEJTW#)4i`bW9Ftr4SMIDB>=l&J=PtH^7QmZJ1me*ED&`-=x#MedMTBsu`
z3%MN?f*w0il@I8RMzN6#*C!U5?Fez>*L%5cC`)cwknpgPn55-}o%7bpY3T?1BhE$c
zXt5LGN}hO%nH^o5>VE4Kf%|m`acBG1b*qnrgYUF#&&LvPK&EwURp0+U$NhSmJr{ad
z0jh?a0m4u9guZ-EUi@5a*F^F}lkT&IYNmoidn`2GpEiJ{&X&Ux6b99aP06Ab&@@Ub
zmX~=+&*sfT-T>f9+5DuzR3F+B)U$m-E&=>r0jM_t6X4NT666603&MJVJOfZCx?cs(
zKruWw;=bX5eLW99b(4Ex0SpKrO9D)PGIUqHpQTRy0nKmK=vYcSb1Sr1=!Q;Q+X_8%
z`Z!rPOoEF*t47fe*R6qpg7BNcsVIePc$akCh1=4Hj$1re{ySPP{ez7d%MjS1q2={;
z19Eas<CRpH3fL#Osf!96<0phjl9@uu&$G(vpRNQIg@-mtG6#sx1qWaHU9OQS4RVne
zYnosOEOrVW@Uk4fZBS9g7^xB5n58&4qDHMEw&??i1JjPE2V*@qOSRw(_#u9SK=XNl
z1XTh^v2ePy;rmiw2B+2n(YY#-7?HdPGiXBHgKcJNo|INZRrH}kL+$Lw7BVB(`oVLX
zx<91hWGL}cOz35KS+;o3%57CTSB#h?_L0iXj2AbSo1L?Sw30dulPn`S;}Zr?-fzS3
zca9cK$5%stcH!vSt=8yQ94P%Z)v=^`KecLE)Qo=%3UH)u8M|}6w3Yt$YGH`JAr-j~
z^X+GK#?)akQMRyqOQ@Qhy4H==GNJ*eQ$>o<a(Bj>dzWFtEr^V1oH;F7^uWPO&>ba}
zKa8I^u7M`+4z-UDCp>lmJ)R|SHzg)g1Xr_R*1&-6{#Vb3a2kIiqBtezZC$BN@(;G^
zSZ}T_d=~kgIR&D9Xm>AX57+1wUSSe#`apN@Ie0izKCQ`>Y34&jdIQBkt~JO*9#diI
zuzNUJE<m#tUInVU+|X5&`rCg8r0382jqR71x&NL{UxW4SSI7=x-19N8Xn=M9e@~td
zhW`xKjlfr;7YR(svV<8fEkZcGr+o20tb0hloB(y-1lu<3=h8r-+MY%g>ud~j{Z?tM
zkSuoS0~1u8l=)pTS{<it22rwKOS+UQp57?2{2?kS?l)8v1})Cqj5rkU1r;&ahFX&S
zyU7|*r+bQxe*C9x{X(VcTOM}$r+VAnSffP2R~s$3#itERKXS9s%q~^}8laVz`bS5D
zOcH&)VdU2HW<_}?hd-^bEXr!gH3ovl8Dlr~0!qpREZ%d|UF)fKbg(A5a0AcJ(lwE2
zk`WuZvj)?LzQ0z;Of}Ul#b8rrJ%LRQlqVi{;5j!(Tg7YCy&niQ%M^F}tB2)_6qSp~
z8Js<WgJGn#EXoWqH1-6i=kmb?zpudJZ7#a9VRM}ZrCtq}!ede>r&15BrN8EB+se*B
zh0S``Qn=o5>AMo;7hymDO@RLV6%_$R5A?ZQ2SYAWQ5x`29qxTJs7Bm=yY0aY9oSLg
znzemtMQQ5(OCP+dl+Fog>>|D74)Wtg>;700iRZ*Uvvx0>gyZRA>3TBAILmzi`3ipn
zBHCu1rq(HNRZP#=R}12@&j^kiZfAc{a%VQMT3fc;mPn5agP?_Nqm^p2&!KS88oPZG
z%z~1vdO~)w-u0>asqU^hOIpMpn60Ve>UwsRr8wNYUiI2K!3z6J3sRbVaCyeVh`7nS
zU-{m-BgVXbz2E^W21^2VKnUl%R}+hUf-Khyo=mBZ^H1uJ%jKlw9#2l4LR<%=u=tQ1
zT_`Q}+nG%;=bf|tz}7eiO;$KKrNL{Na{NM-+F<3g$ne1^^XwIf_26eLG_Dr8VXci5
zuZDTF!Ro%0O&@z#jIo#6A6NfQ;)~oAlm6g`;!OIP@f7k@+C6L7a3nn;6p1kPZ?28I
zJCWY?rG~2Wn;D_C*tQhIXr7O-*!;TWJITHEgmsX4Q3%-spN^og8^RYrYR?)or&uVc
zb+@luQ47-Wve_0tfSs__ts7PtF+~WBg`?cZH4%f{6d5jAdh5rY*oVNzp0*Xni1(6v
z6><i^$Oxlp5Au(Lu4ou}qC=g^WKL{+SUSCSS1UV5%y`h0bXi9_){s{-8)jfy-@wG{
zCVGRp1%aX0gD)LRvVubJI)PXi$Z0GJ$SIm>D7G+CES@BYd4Up|1iG*ycQC@KD3Y<V
zqF_%RS%DB14oInjAlcOI^Wm2B^@p8$NN?lS+uMZZw610SaX0YhzICiolUr=J{8MV%
zXZ~*gq3;4pJB8CMf=R|&l}C9kv;3#4c@DNy*hy*MFrqOme~wK%Lz-}EiOeoLnjC7n
z9>>Qj(b&mGq*u$NW%X}fM$xj?E|(ATlnwcBLFe@g=MSQHh3LX#6Lj$hb>)F;WZ-AW
zPIYI~?}}4;URHaXD@~@Wo|V;5ylks`;VqbnnGyZ7g!JUGg6CE{3^n&cSEwV!*xBSC
z)|1OYk=q7;xF>Udw-lD(uNj%cWN@^<@huP;-WDQLqhptCml<-?({}`)_u$aGvBLgm
zdd}JVsP3Nj4F^5;1$1lT0MxIm*|Bd;KOvCgiCX2p6!$F?q}b~d@zpa5^#SPl6j1%c
zej-<^P?%`;U6$l;;KglW26x`#)fPN<;lWdU%+r>8(x)=i8ns6e{S3F<sgm>x>&eB=
z%T9*WUV{s^J&VcfQF}VWN9C(V@9OB8_!8_k^7LJ<2cB}W-mmX;wJ3?J-`y^q&<FU`
zs>!x!5QQ56he~OWt~aCWG=Ev(M|DR4XtdfqtB1YrWde(9+Xap;#G42T^7b$tMj1Bf
zQ0p<|a02<?_50^m)Jm>nz3EnJaDIWJ99SMhm>KH0Zfx~?FhsQ9%|o-Ff9AHC4KKu|
zUal_sKZmXQn<l(d2EO#srH*+A*aQ1XV_Ym^WW4fvLB%UZaqjSXBr9#05nJ4ct&g_&
z0%_aPG$OW1P*Fq6t%iaS&p!wk7as)!x{T=tv^F^=-1y3D-m&@d7u8ZkxvV$PdwF)m
z25@WR#qu)tcUy=6s<;sG&U{g<wt}0Ab{y1Y6Rjeo1<?am?t#w;sKsk*zt)xX6Pu)g
z?%R^XtxM|x)MU&JvP5@q9X7=Hi<yzVJ}+~aE+&re?g5_Bc~Ya7X?oUaBidQ6ERj~p
ze!40`)qVF~nywG-tYFe$mFNK(?9-6CRpCE;YUwRA!L?A?(f6oZ0R&&n1o<a*KiT%_
zI28t0Pq0hojBM66+g_cRjJlOx7dj{Kfqld}g((%)v)PO=>~>McE$s4DC{ro$SKnMf
zVDM%7`V;Xh@YeSWX$6Em0)O7RYx{FPbCQOGfeKO(PB2+_fbic}<$M*@oo_{rF1c>-
zUwCxr{z`oeXp`#+*<?!{%rHQMYdKQ$CAN4<)lkTe{PZzjyikwUJPG{Yhh4vF=HdYE
z`H&O%qZh93ay0B_X0pJ0#Xdbvkri6E)SqY=eKWoJs>Rcm#eDqzfLge2BTP-{J|<F!
z$(hf&`~pOWQR7h1H&B&w|A0Pq+)~Z9zy)?Nc~N?TM!Jb{$5Hmur>o(Y6Ct_|eDn3D
z9Mb-nxq&(_u7k9-tJh%Mz+*4}Ro^N6j3l(JL}qhn3X#hqM|Zv6yds=hRRXkh122^h
zJ1e|Rfmx=q`XlmnMM|MzhYu~*V>LQTC}F-oM|JtgBGB8xwc{$a{R`2X=An)kS)`9K
z2CVCtVG<YVM<NpUv%-F&*+@lYD#?9D#-d9u)`{af=JWV#Q=OksE(+Bj)omkV;PvmO
zZ^T7S`!C@q5Ts#`m{t(bNaq9SSF%n1NN-?{7PheMXHyhlyQfnY+N%~hn{q|wI^xp4
zYWL%YXG4o&<Sy)2D^Q~RRbpa-UNv~ayP1h+#Bp25`Q6zzVaBMY{<7VMuD6x3o1U(z
z@12@AItd(1qy>+HA-{gr>9nwz^Cn>EnWipbj^e=cZfw0&b`c$;i7pk3y7%x-%Z<$K
zs<Q?=?WD-nC>(niXBKb)UZ`db==+kLTInMN2N2OB4P(x>QXSzowEkZg@tLol^J0sv
zR0Aaq`t?GjSrhkFOF+cSJYZYM%AD;?_RZ|S%b=X2kLm7fU(hK4=+q|#C}(|l-Wigg
z^8qEe?>=T<8&2&1Za9lM0rbz~>+TxPT)>y^s}7;>^}fSA`(E6L0c;S(5Yu1SPL`d9
zucZ3Uq5qWVwQp@-xjZ_Hv1e-sO*XNKGu##zg69*-<wZfF{B+$x#LcU1ku=Kh!HhK<
zzR^d5*s!v+Njj&&!^9S7#R%~7LGL9>F3AnS?*bPtFBQzKj8TeYowBdjWSC~Af#4pG
z9_$=d&g}4M;3NDibvk5AY>DP#Wa_)Tp*0*XT9%C+Ub`D#bL(KI5{FGb;S`2|X3wrH
zo7_EtVPn*W9GWm}E~5Y^gx426ZLvX%KugAAvQ|L$_`~P!?CG-8W@`5E&7ctr9U}(3
z{L156SqgGOwR4Q->|oZ4DaFDXyHS&6uI5+gD@`-O_zULl{AJwiS3>>LIu#D^jj)3|
zRu}=cXinEjR_iB2tQtZ_imzy-#H)EIWV!a`OG(o}b>{#Mk&DQEZ9CJegAwtdT2mut
zG=}PeflvvP>X&)w;JO)}LTP)%*}|@4EQP;ge42ACu_GVHBsym;evzXvcP36;XdilY
zM}WZemaSYDcX>X`yj_fi^Cftx{2D8s>a;yx<5q+cjKDXR{stMauG&n-*dG8{`P9g1
z%C3vQ^3?I#7R!p$AN&|d&s!eBiY44=h0@E3Z+XN>D56izM1LLPnYzIU$>n@?fa@c^
zP%}Tu4(6e3Z5bhgduq%jb8U_%B5Zli!)}jjtJ{JKNPz@i1lc4MHDY%{ek>X&Eabac
zUyd^eKL1TG<^=@)BU%OY!HIEBOK=&3go)i7(5Gm@=7n@7Kup*;Yxc!)B009oOzSqs
z_J2}hs8WP$Ee{+5EEF={`+s~!%B$z9PlMG&QXEE{zY7&{3XW&&jo3)&adSmU$0*r~
zub*lrwsZAIC{CX5OQ)2I8O=sye<*R%DO^i%;S(}RD2Q|A!HFwpE6=A0xNAHIrlUj}
zrBXAKDD45c3%*hBr*61(Cwci}-+FsmJ63<ReaNJ*o1n<phd_dcJ4lF!S*4C<_M9KL
zquo1*qMe_PDuyewfQ1~r*xI7BR!C?D`q(uhA?!{tcL~Q?(~HVcav-qm*QG4CuF5z6
zID~gJITTR)<#rq0<v~Ej<rP7CWz*{Mx0q8<ec&y5pzgUoRaKD2_^vP`tu$O&9;H+3
z=4Og{_L{mkCkiJC&i^g@mN%r@U5-yh%ZA`fivUHzuKnVYH+nWxHCEXrYBwNJcZr(!
zD|D_d&Y~XDNVs5GMVVS@bnC~p0_ozAKAD%``7gafk|c)WI&V6vLNc%_hQ6~rp%-wj
zc?q&1D%aoBC*1`X2Rlqbr2gAH)mo@BPmV=A|7uq2t`nTJ;u1XC#t1NDyd@5umEY>b
zVreYM1<pQVS<lU;<==|}?+WbQ1VYI|)gb9ASy+~{Rq>ffQbN_o-X4q^!ZAsk>6qDk
ztD5v}I_`J*=9oRkg}(jIEcE`=3<P}pV#tBxz6gxI>tQ{ABJ#Z70w|(MGXJaPe7!~=
zJiT2r{`_zI0#HxC_SF3dzW0Q_*^O8KbMSe7c}{RB(*Tf%82lDOfr6hfggA<M;D|}`
zqdu#yJ>EgtCgA5_5`zhY9@c$t*!+j5Hl5toOQ?bKBhieK4}0YD!IAo@SqoynRFald
z_zIXArX69XBTGxb*1pU?Rtd)Kzm;ZqjiWJ8Wd#pDwo*m~25jWa#q%4eG9ZU52)p8N
z2TP7G<91kW#aK|g43?B`o%t1Pvy+<zk*3{a$c1qDx5h}I8)e97nTxt_n00F9IXoIu
z$PB62Hgg0ZQb?bCh@W0={VPThBV*ZkgJ3@BCM;4;h0|0>9X?t7EBs`Jj`{c{T;VTY
z=iI<A;F)k_4A=Ll#qv|Ssl*L#Yz|+Bjo(h2S%=WZF3Fzkq`NO;tuTn(I~8GmtMp=Q
zhvf9A&lTPJDl}h=c)<9OJrX8!3@Q0665r_0^Tt2CE#MYU5lA&Bu_G+vb4TG&xVOk7
z(2M$Tba>hY{UJWd%$DomMh?!Z48JPOm4_@pZ}rmB7y)Zput31+H99y=6P!0;$?Bt!
z*Ux`bM*~SdUTRWFn4_u>P1lm08}DaK*VE|oXweiAaVC105Q*>mJ{?v^wmF!By603G
zA{^y<^H;)aS}F~k|CMC$Axw>p#?)#5TAF_OFs6oppALE5Wo8y_H>wf^XO&}g4C!y5
zcIfE7r+mdr{9~h@snXA1>s5#_?DLD7-9MCr5Mr59-Vv7t)K7e02;X!L<V#k7N&u+*
z1YTT`6lxf;LR8>z!Eb<$PXGace98GlgnJgSx*@Cv01`l+Y5|Rw7=jnL#|(&i{~}e%
zUFdyHT$#WSg73Q?p!IuQ<7;^hk!kTE^!f09-hB%AEO%p}k-#hnu>bMLxnwc)XgIZn
zk0$z+A<?c`C%S36i5P+h)=fR``&m^6cBtW_=|fM&`o3Z?=|=NQ-?Vni`=Ns!O%>E|
zoWxJ2d3bvhckf!zj?A(}O(I=>c3{!AbQW$`b3S~ARZKr}U-%jc(NSzG8(U3QJ7FpG
zp=!{VMlOn0<hHWzZVJEIjuFzLTC~_-;ZSoB(Q{>4Skoy%Eb;?8-n!Lv+=79uJB#iN
zuCV18e+4<O$F$vO<{^z%F((6V!4Sh1|92m=6=K_b9u;ZGRI>ra(2RX_?aLX%47|fN
z(|4i$AJ0|?Z*1a{kglK)u6?`%d%M`6YkDC|{9BJ?{P!)1Ipt{56fW1Y+s(|+<2gT!
zHj~gPnsVk88w@own?3s9bXjdTrkA!)d*N4=K6+l|{kS=gv+?^s=vxGT7&ez!lYr#>
zvEXfCr2D;||GjRHg%1UMZ;ZwLX}~`g8^gF~=1f^3+J|!H!lPjWBE;BV6Q#%@eTbr^
zz;5#L^$9WQz?R7^nejGr-}xQHB-x=|&%Jfx2BqHK{w^_?z5*WdVL)+%Y1gzTh$cOb
z2_qmXv6J?Qp4a@Z{nGZFo8EMtaTpZz4+WJtnne<>NuPhCb!5qkA|s))l8X$7XL{6p
zvXCrkDA=~N{skr+nVMjnI5hD|70+*J@zDfk$F919yIkCw<vBJVfV~}MsW0-*r&vXe
zZ{f_B@WV}H53)IoL%9{BRFhKCreUX2XH@^#;Sh|Lvh`7r#$=H!y21`pkGE=xEq&F^
z0dnpkvRw*PF@%MmJuHh}p0XcD<Vs5KX4}TqT5tMko0!@L8Al-vH7hqx6*&?4#*x6H
zCgx(vosprJUL}x&<eAmcpm)06nru==hL5a@zFA)g30yV0(EN&-1kEe!XW;AWJzsMa
z7#CI0vx`R`!>BuXZ?Jo!SJKaTdoHe&^y)Xz^o=vjV6Kmup3wH%pJ5%NM1i}YtE$~5
z7=NAhBkR~+t#iNm?<kFU!VYLYnQngNcSSO5@$u|itYm;bQV*SPJ(mrnWqt$^CU1H3
zaE~>)`^s1@C2<kNWMQY@prhE7CRb(qG`5-8r|-2<yB^PEi8lMS4qy)&v|fr=DGQ#P
z7@}e^m}@vwhkDH~m6ML&Iir6J9X|h)7V*MRih<fC5bR!#*<1)#f2PCSapxTf3Uz<Z
zk1WXM(a5;a0afPd1OpjCSJ~gu-&lb+M8@tFC2afh9jn3OV`A}Mn<*>RU3{Pjd?QY2
zrphk(^CR?BIA%U<=gZ5n6}$G?_D8Gk`uJorYg3dmn@0^TwZlMFnlU>QyG~oq=ZExZ
z3x{*njE8_29~GtT`f3*$+3VjcHqeKAvSr=2?*_$c-)-U-FQTiXk=@@T^j^fIWSaqj
z*3XD<PXY$u(N=W*Cl40E>1lHYleLuu<br88rgiwr`D#t0TQ5=tdbb~sxKc$Hjshv;
zQUlK-wVNa}I!ZP_<x1ZJI_s~(9X?*4^L`1oL5M0k{4795LLedDq@II<A|Yn93y#Io
zlx&ki#*%LnYAfI|hQLzPhl+E{cJzY$#MmLca|e6UwcLJtz3Qx9k!q#athk{CC)Xz~
zfPJp-w9^Hwf1q%LWRxqmB-*eD(d1A=3fa}a*73J~&)D%7<5uBmXPL8sR2vn!4AN}t
z3+JhL2CE77|64;J@dkbe*}E{IBxH@Jphi#H^v4$pEYgy?&qAh!<3J(XypQ>3R`g_r
z24XHZW9~R8+W9?*7D8KgRNUA7h+S84GE{MpxngZFYpsr!V}|nNkwiKtnYO?%abKiJ
z^0?FH?9uOn5t82S4Mg=Vg4i+~iVbWDuWw^NNzK|P+sjsa!v#M$78|9h)}w1MHT^Ew
zvm`S_F@owrx)pjC-!OnksP58rP@|rP;#^Xja*y^bjzNeK%Tl_6mt%n9L=1YEU@Q0+
zo#ZFPQRrKZCvw(4#^pc4pX&1zL!H`^-d0PsFF8xtyB9JX$s&Ac_AOE5Pa6Fr*wIdZ
z)gfyS6H_xvZ&m`LC;UBrw9Eq@ps8yvRo+Aksi3YTSs>!kH{3EfBSMD1Oqa;e!3z=t
zioo4v?OP}QvN{_Le`aY(H%`X>{aJuw7Z4G#?&HEd(Q7=Z`SUhW2uUg52M|0qGR0K$
z*;kTVTRJYMm!k_#gMDl9t9p7vJxze%5p}L&{{(P>d(YdLDxf;ZQ$6c=#FsYsk&z9I
znH@7>7k{*rVyC(sk(Q=qD%2ASJ(X;qvfGKU=4l$sP72(TydZH%j`)E+TOJVw6Es3c
zuV;I7+EAM|U{7J%#ksWY>Clm$Hk_YXu7toJ<8fT_T8+MH#1|=VdEo6Ax!N9UM<{wN
zW-F_Fd?SbDc~QoCwHe!XCwAQ7P_h6Gg~+?V>W7MyTDjr$iTPPt$RBfJ)sLe-%_JEz
z;=BBUM5WeiBizlYX+6IyWo7<M-$m~<JQ8g^YD!4MI)<Y4sU3GZySbICJW?ofs}{?T
z&^Bvh(KI8^rrs_Oo8R2EE{FaVKJv%&;?Gv`bmIk7t?27T-H1?RgA_*TBt!R6&02L{
zq6zgT8^%^9Ql4z8zRZgx%U-(h6>igh!FAcTHN9B&%V<v%^>MVlo5~sL-Mscw-Pkz<
z3QDWW#YojfJ+i+gyXo__#loUkXd@Xc(p0(F7%{$Mw@Xb758#mq8S}D=VCM`|a*{-R
zi$FUnJ?s_dk+fuxK4(5yQ&$-YE<_2B6CtjCl{4O%EQFcG9W=d!!`tS11Q~n6=T(7Z
zaFVd&F;sBk)3(M)Uplrnbj9gHC@DD!#@d!(S>jKsXcTU7AtpU=^P+NTrO*OXm1oW}
zU=4Y%RP;U{-tyM4YL|UgVhQDTuM)xF)_$<|w(ESvhj0Q2H-YZD2R-2p>7Ux-SepRg
z*opuEssN!kaPINE2)Jg-A$FTf&1`&A!vVU7y5Ds_W1;~|zvmF&#G#XQ1uG_oWlZ~e
zYc{f{lbY<2>ZypNU{DOOhd&iMM-kSSciHRX?<k&7!s+9QT@oj52NfgfCc;MQMAvIO
ze$bzm99%aSgD;j3Z3bJ8V2`HByLCDKUNV%v*7S5rvCWoz&?^Zgmyq6N9(Z0-2kr06
zJhJPxMgGvMwVt^zoQSncL-$h@>wQxjKl|Obt+G|KmHq7Ck8<cD`b^2}b6oANxskEN
z%0gM@Sbw$cSm;dGEQhA;l4fUyx8tN~dh8k6(9$U&jx=t~>eev%jT=)wvc(kBp<nsd
z5m!^KKEK2_kD^#P@~96^s!L#I6T|B&0P@#uL3O)nOvA6GsLw8ex+^qsnkIfo23#i<
z5n?rlXY3dwX*_yCZH{DuA@H><-9n#bBrOedHl<=HHNM6yFlrUgp+Tf%{W~I7HFZHo
zDy;$P3)#`ef&a{y*yE~7R$oD~ZOn=+WGWRDBA$~eMO`BG@8yu~Gdq+lbuzBN-!H}P
zmvO89q|FPnole}@5ouTx++%myP3+%q87NBXL$+!}PTPf}H{zBsGr+PEwM<O#h^eJY
z1;1TBT00zli1}9k3O`++kYJq)GZr#o?GuJNSV)X&bS&VgIeO1Nu9_|w$}w6zjqAT!
zp^h{E3!#<XG5qufWo)eU&pFGJP<3A3`KI{7sw<QC*D-MN4va1N68izuz<1%<7a(Wc
z`AgmV&-ea)*m6(pbNU^X%y&LHw-sdOHD(DYUk6^A0n*4T;G<VN1n?~fLb?EFzV|ub
zhsdS;jHd6C@OFi_3{;=n95Y|M5zNpYm!h+cOE>0<EyC9_m{7^81Xb^Z3#2%XfLae?
zGp0;e1yje~QRaRd*Ab&+8Ycl?`l(yrn<75|@25b(s?=YhDGim?Z%ezuWe)-0U?oYm
zy^T3xx7U_P#INgE<*FTys!3ZL2(Olu%+~8rW4{sfw@-Z#d$*n88@0HQdWlE24^CjV
zqW$VLTczhWu(Dw;B4v5viO{Zm38U?qrOBL%XigGnjo*VdVo_nF5Lc?str#UlILzVJ
zxBQkGh;6q}yVhKm!>Y+abP){i;Hls}oI2+c&ZH2C*GCQ>aXD}2m)f|xax|)`r}U##
zRYe3_@>P(l1j{qr%&b;Cx8jz*eRXiyPJ+5~MT2_jvtw_+Bo}^^8}fAtu~k{%og4CT
zobm7_a($h*8U3E^Fe(g>RnS6t6U2?KrpqQST)Q8_<H4+*wmx+KlEtUVq|MFM*7qIC
zL`3x;-u{#HmmOe&!ds<-av4>Xt9F--2mhQN`p<LyJz$-FKQU8r^>5~&zw2?fM?5uU
zecqU2qb#4xp(G3Y!_s}IjZ4K|%U5jaN=|`Qp*RpDczDA_#HxpT!1ya%E%3Vl^$?Zg
zCzK*aVK~!^$n~kWVQ<*t+QL{4c37Fi77}W+#4N;beP$aeBv^C_qwO}OwKR=?g%=*Z
z4e94=%;b&kaqA;hQWec`+<@3Ipyu{@xBa2#1Y9E?alZpvF9NUcz{3p<5Hsw&)%D-b
z^!r2X96-+oK3zY=VthXW{?oydKl85vUBvEt0pUa1t0KBzj$pYDgq46=^XE43^_>9l
z3h9Xd3DA9r<p8Y&KBofOQ+szZTK-26Eo;x1FW0!;jX+2?;6|tXJCc;7Ee92~lh$jQ
z;Vv4=E7hHo4DQhoYMfXKiwm7HfOo+00`_AJ!(y0b*k#Bz>GCqgRU#c94Apz@N5o0r
zX7dsP7hQx>A^{u3YJ=9!uRTFX<915O)qn5NQvp(zExDIM;kH_)b66(pc@iv>i*(Yw
zx+n`Za-Nf?UUbrai-qu`E_&W>!iK}9*;TgeKk-i(l~<BZ@Nqq#oE$fP3yHvRTajke
zN>g=o^mW4>J~MLsihjL4z*MO1IIza|8llzmKBdUpB-#lZ<(6U~-tt?`cli^IzykvK
zK`vV-_LSex>XQ;!!({#24Igfs?hf)(_mc*Xrdw!3u$nArQy{Xxb3Tk-a}|N07(FPl
z<GdmjO_<!ghBD>CO;}Ui`d65!m|cn8-J}(;_BeHX)j_PVAbx5t6W7(?TF)y@?W6ig
zh}Deit#`mQ=$T&w$;H@ag$*VYSQFjD6<=6={2LdP6}=)bg?^q2UxYgOXW~9TB=HXv
zxOjnuZ?a@4Qk+mwqmuH2cyGL163I*7e~Bq_&nW&*4o>s-oE=lPK(B}){f3bp6XS6T
z>mC83827#l$jcC5N{a94$Ye}{SHx}TrG~Q;^}BJn8ss1<y(kJ1qlfQ>vr&vPl@p4l
z^Jv9i1%~@+S(8~Kzz${a@DJ{y`-jD()_aEbkh}h_dVH^*@dZ|F2L-;|yq0+hq62&-
zCGC?Qu%;MotAf9(rNy+x$dj|A1cM~h(ZcWh0(S=}-<BYZ8HGhMoyOO+ghrk28cIJ)
zC)dd<u0Jfx!wgsiu@m6!H?+>Z>i#6!Q@7Z@iLA?81#^)0?6`|b2B>(EHtf)~N?Tlp
z&o@1ZCQlYMmZC)oC4EJ&kiJ8T-fIhif=N;RydGC7P^K&v*5`vT)%ctBvy4s$<saBT
z5}nAF4mi`N*^9Rw4gG_Y!QWq2xt=+5bTy2;wAt3Pm@elftZ9;<%8PtK-1$27pJCn;
z^A)fckk7p}+9&rUVCd+y7`NPV0S`i`8X9J^_3?@#u~H%C2Yiw8I;1#4Vdi3Q5FlQ8
zDSLL_9}cQ|<RN{N$YH}gRA35NEvMp68@rS$erhmhKYQTf#mR?;Nei}KkE|&CoO{j6
zb63nB+G|MZVx@mnn0{vauGfFG7}~gka!RtZ{G>W4Jb9AX7kMA{A4xULU4zA%11EWL
z`=<eSs_{2QeOeXeI4>jW-tt=)1ICw>KhSg-(uh8NTAS;Z|7@$fhJi;HU&Mn&Oy7hC
z<U+LDry?W!WN}WG18;fc3HsjC*DM5qP`GXboNinCqqeu#2+Sdx)3EZzbjQkvgn+7w
zi!#?umEHRL)zQMH3m0EH!a7zNr5w%JpbzH@$gMO5cXuQvfhl0}ilhVNp9AIXz=!Pz
zW#|_^TED6v=vD#ppMdHRy$7HYG6B(M4TY7XXK@GsZayhJfNRZXgkdxu;{}3QQ)eUF
zgrL5Q9W7=*fg4@870oFa8+at1O3i;zkH%v?2iQL$QJiyN>{az+pdV6Q7|SZWyE_R(
zr?5JVozfSR&7?_s;Z;pfVhnq9i><3PkqSEB1%sNGSeu0{DhN}cw!$2IccK<=;ucRF
zo!cPIU&J9;Z!p{>a#`6NEyjHO$CL{fexh6_p&b$<XLQCwg6w5SB<UD^Z}O`}v-bw_
zW|;|fGXzj+2y~9=c?6D)uFsxQs}uhQ_gU6-Gk-g2^p6N9bAmh*|9QEH$Z50ti?CvW
zc^flDJ_6LJS4zvWezZilG+^`O-n!)i#cOa6^q|fRgM+CX0`jO+J+#RXs;p=_e-?ig
zO;B_}Xv=l@?>mEWv^6>2GPVVex6sOcLWNs@JsS7E(pdp~KIKpH99DxV5i))d#?(_(
zEV17>#fifv2ChiFv2$fDMRS5gz7h`xeLb>Ih)_HSvGzL|o3fn@DVp^L``N=QUME(p
zv+<jc(z;yz9cZ`b6&KMI6O1k^BhyKE#COg4=p8jnqgyun5VU5nc|O91wXY7p-TdQr
z$*_McfFBV|uH+BOUR_#hRN{4u<XHJPlQrmTw9{fb!(QDt6olgs;cNL>%_riW_9h`9
z#YJg_yeHb&7?s%_FJah06_KQ(-_g{U($#uxpV%|r{<GKzd`p1YYd{B92tCXSx01U}
zK_WTb04z~zMj^Cc1ZHSTGSjdR+HNy+DI}Ti$lWK9>|ame$Nb(5h`_KrT+8)*%jX{h
zTMJWPIX#^QBgx4o{_dqp)01Zx?3D4l3xl#Za2l1Eg9?oyfj3Oy%d*;lgH+7I#O<z}
zC9tFIH3)Cq&9%0J1v5{DY;91L;mqxP2{fDQ8|jn$s%zbi%-31gm#cPrF@uRS>EZzV
zJd*mNvtv*uoSmS?qqSkJj6Z$Dsr>$~n}a4GhoU7XSbxp){{@#gtTLk}5#<r_>`hfa
zNc-8Q-WiXCkn@O4mLy#rNOC!GekO$0OOhjF6CH-?*`nUEv#1r$N6)_|?tqBP#99#K
zxNj<Hj>JC-7Uqt2$Nmj!7FAb<_s}$gxXqS0C(3_>Zzj|!LY^S>E0=)(9w!gtK#onY
zzP_{MZY;Q=Nn`Ja2P=(L6_Z%+r?RD=W(?V-4B8E=Zik~qR<+rq+o<R^l#=;tv^j{~
zY-K*wItd;arS*;X;T3)R<tXz=QYhuN{~w%+wt|fgUU6XoE`%MF!AVPELxEGXQwnSR
z9MNWJA}L*7;6Uu0|DOV<P@=p*BCvn-)!TpCv9!;<ee`x#EiaEVfoR7^ViVQr2whu3
z3>k{f8yh#2eP!q3h~n}Us}X;dN!*RbtT6=$8xb?uxv3D7AL#esY}nkXbhS5Y1ZIx#
zrTi#_z&D#)I(}FDEMER(oW||K-+|i(vk$$uPP>4D=!3-YFL(fV6ZZV>GJ)Fm<O@{!
zT}s=aii!w;{0E$$15h7bz$oIu*Ykep4UqKjE5n!2@Hqj<nV7-bY#{%}(ev;KxB(wS
zDtrHl_cavn9_+Q2+p%ZGkf`xPWeNW)$rv->_Xyu+V8FQfJTYx%-agB#9LuajNg$|L
zX@`V~>`6>!OPc+2G1336LQ+eVPrqXAVTqhxXy($YO?CdA+2ZC6l9hOWqtzh($ebH2
z#H;NJ+y`3Y-gZ(aYRRjpFzSU8Z(`c#Od+wWTVHCl9@;q>O2I;VUYA;7nrvUfH%DHp
zvr5nTKr-VY9?g{Q!AEv_rWb|!SoZvCdJZIH#W2Qd<9U<K;V2|tDF)ThV_Pipx{Ndc
zGQ&tsql?Rg>`byem}K4~P17KJs9@1BG8)^q1RV=l@px&dK<@tY5q0sTv!KyEdt3P9
z-^I6Uc7}YIcz60T$zZzhoH_?-9>0v6C~w!de(~&u1S)BbD*w4(o_q!TZM5DTmB@;y
zCqh;!qDszNej!|UAB17o6jhbiTPW+iNG6KcqV2E|uI}U~q1|B@lAtbQR>=-i0;&fe
zb(Jw<|2PXA*eyj`BbMit^EL~aawwacN+s0J!Hx8<LS>&%9c1Bj<DwA6Lf~l21j$$|
z>Pa^zx<rOKSuGrTc+Q<*Qo02Y4od}dIF3T=n%~|T+EtoWN7AE|9!+T22dMSG|9uu|
z9M_~bSo8o@L2KaO!`UE0l~>0g5$72RkT@Z`-Zc&Rhds)1Fm7Jh?kZVqitw6&Zye^$
zD^dVM^a;5KoM!+xZ=aMLcEA$@1oCIM<oh((J%H4o^Xw~NpnFh62hsvk<@(t?)4koI
z_(8}CL?BT?7t!L)5~H?PJ6MK=A_!q<J$YP8<GU2*z&_j>uFXO23~UM@kZjdI;<Kad
zd&yOQ!ul+24XD^SnfHGxMl)BQt2ROhE{7YWx^=<fPMwZ0{f_!46pI>BJ9SbVD<sW)
z`07pKlROgDE(~_mb_lLR?JlzOJaelte<kPWH|qTn2fFL}5vV9f`2;#_r9a`la;RZ5
z2Kqy2=qV_xn9ba1;|Yhywm7O&!`)J+kHCq?pyx(<nC~|8`=^`i+Aj{0CLea;2n@W!
z<0d+12RXE{K{oXa!5<G}RW?e)#4yFUDOMt-ERA}Ncz?sTDvDAlVG-7Xd#=aD-o`p@
zSo&=SmPx^?r_<4wq_4y|{b?*PiwBqEhqwuov7lf^l&?z<&--h)gXS<NA9^Utc;In;
zI&g9wa7K?`z|+CI^9%mw$M5$*lbYOoGl`MO)b5~ck+J`sexWEW%Sh5V6!}nZ<+L(m
z?@()dwEqYF4fIaU!d|m3CW96I_`@s1;oa||FISF1!s!1n^_M|$wOto3iUooMcY?dS
z26qV(++Bma)4_tf6Wm<`L4v!xYjAgHtXYTW{m!nve|FWXUhBuKDfd0*HL(6N!TG3|
z{^K5nwl~wPdE2CT{t91XpmY0XzPP`~jV=%NVBvGax1!47SbEfM{Tkl}RX7<ozj#1W
zqdwD))9a*onEmY3i56KoU3$-rxNHg?(dbPr(xv6hE(|f1{FWZN`kZaD(_E>MvC(^&
zBxJrolKqvXfod<gSNPZI0su?{2$KK>oZ7NY<!92LLuyjEDf4yE%1gl?<MY2FjC&na
z>a=a2O8v91|GqK6TAC}w4<@h7PdAC=uB)w@R3q9&Z8?(sOE}p;w~mKB5t$nlG3`@n
zXLQ^#Hn^})LxO1SOmITm{-fVG9lt6>I5wAmAbs#jWuFbR^5!RW8kEoQ43m&O__Qe8
z7%_WBLd{N9n^t^*=hH&mE|h2aKL1Na@r>%^$agP%I?L5(HU}+s1~S-Y4>WZ<e`q8q
zHIu^c9kDup5fHVhK)v-GdtVzHT3HO-9BAq!*O?-Vlb?mY5)ta@E|00t=8aCyn>&td
zMph`N<}d#FcIlMmbLHbA*Wj92@9ey3bSLaDTaFvadd+Z_{qNuDF=^es%U(}rR+52`
zd+A?zm5u!QNMdsMgnn5!jJ5W{Vh%kL7;E?sl63snhwD@*rjHyjFPgWR+L!7%CDn^y
zW3IdHt7q&hTkMl=v^wY6zSu^p+pIHAo70G>&mX28tN=1AQyq0>cv(pSLNz_%j&J5z
ztJCn10gsX=20^C;hfdn6^ygDb$b_ZAfXpbo?7uz)mvY)QkDu`AU*Rbbh-GLD_z?Ct
zM(fh9^o05{sVST3o^vSZj@KrTZyCYeI=j(f-mR}5Yy=)Yg;u1E;=OFeUiQSO6S~IO
zFYC4lvbfWpOeZR=^&czz1ch%$ZF2y~rHDuIGie_15!wp7_j4R^Spfcnyw@$|WYTtK
zaJ~|q5~K25?^oDwR<%hXvppvzKRP8A189qPTyGtT$+0{h<1HP|>^^b81}eH*>2>tn
z<C$|X&r=!b%m2LmjD<DOFAz*Q-$&Ua0sC(Tuj-5~TSnRRHeWD5D3?L;oq5NuVr2K{
z%N<W%BKG22p{Q2B&gQ&=I+6`v_IhOa2VNnypfju8CTCQnvMJD{^`qG4&nTwWZx;P~
z4CFcHr-!(iCD>%DX#x(pfbq@nPpBwW_(?3$izU;H{HCqzQ<dzpNk;Zg7aEGTnG`64
zdaRBZH&byrkitcuX1gagEfxocEn;@1e{aJB)xqN2Uq?PhLa@7#T69lZ41S31U}Xo-
zR$7MN{kdP}u~j;p(k9uLBKXAV(My}(vLy1u!A#eb&aB@hkMy78s5Bo`iYcT+#V&FZ
zMquf{G<9vrCWKimk!VbLx}<viFDOn*yPwAN*)Xfbn8bv!%p1wh39BB{ANps{s$vXM
zbA=78IbMddPSDgo7}+83g;1UIuLd-hYTByqp=U>3TF(23>X@$mraox|lNWB78ij?Z
zO*!`Y$1fKgbIPj^{r!+b&>~iTGH@^%@VL4PZdX33v`C%%7*eutvK6eYbYsIfPD7<8
zZ<f7_qO&8?BkOFm+tN5)vphlfF-m;MV=GKUnbqL(89;mA$2kPhdnLa33zMcbNXf)#
z(>WgP>$X<8Qpf6k&yi#aEp=Y{w)@A}j&z60!2*r_zzpFrjEPkt4z66q#>WP;x5_X_
z*Z|RqH@Y@bH)$z@yqE)yk%@h;{yVK@Q>D#?8*^^HW`!Seq4#o&iuJ`0ovaiawuGW)
z|NXwXKs;%lNfN@V2$YUTLiHs0&P5Eua!BJ@tOYgG!HC%ok6Gmdr+w;eu8fhvM78U;
z@OU<JS{tmwI%^uwnMNrW^P>A)PL$<mR>>o@HMnfQaW5%BJ}ulBXR7PO)%w{9=SuMr
z?%&zD*7*)=%H-MN9E3!*5frF7$~GqtZmRQNKCAU~U3@JG0bwal1hJlGFs!V1Af%-(
zCp-Iw{Nx#Tn(L%06+iROTGx1-A{Oz@(EK~jba>G65yogNpV$Ol<d@n^I<&!Eokb{|
zA*@W9dGIPFB^tbvkw_-{8gYJEl!2#Q@tX~9YEGdt)9Pzr^GeraS3IHfOZDNeB{@wu
zl)HGw)^~~i3Y_rG$bgj}mSgnWj<)6ftXHR9#FL6Y#om|{H#@1^tn`Ij3XvHl%7?`5
zvgw#Z(_JGXg5^0e9^YvRzl<W}N&lg{vBav6f9BMt#5W~5)u_kJI&R4>n`u`=Z5yv$
z>(qEY>?0xheSbn^*VoY=T#-@@6`Nk;<VSqI5h`Bukj7#MQL4O?t^RXidIG<&cE18$
z_>zx+{QbL%Fb@B19%xMG8h#&?e-J@UgG7N^=eM!T+uXnJD76l<UO;OGWccozjQ@7j
z<;60%r>F<x1p7b8#Qiw{ygT%GLqPyvu@E5e6<|GxdqY->*8cyux{JVD)pq3_@Z$*x
z&*uoN<)qL0+-epjA&<+y;Ko9xcXT?<=?*5abEPNLSfocy@0HuLvVGaK^rK$mJh4)_
z7Ivv=eL0-h(6Nn6<;R^;IMmxP?@70J8#qyYYV4Ro>w*i*y7$F`cgzUo&z0Djem(ZV
zdTr)b{U{@~AaZ(RyaSK$J$ZyLZElQJ#bNw;SUro?jm`0~5jUh7B|v%Y)UaZU?b^8F
z8kg~ufc$7$lctChrA13`-%~_R{r9)w0;dd`lXxXxxnZ(NESl4?L35Wn9nZ<T`Z64w
z)}foQ6OpX;gjfjI{G@D=3ruq`wO$@tMFftE)veTyqmY{`Pd2kzT}%8I3UL+ig#gid
z#=^H7LWOH(?VCXZnM7^W$@@PV-oIXT+8rPx)r5wfwLYbe1G}Tg5jaPY$VzU`DZg$T
zdG!f<b9|X~=@C3U43epp|I81dFbT`^xnfh+@WR=j(k#Zf(i__u{_V2MXTBzmS|+;f
z=yp@&ET#F97&c?87ym-{!(8p4{3p{W!|2D7!H-zQ|HgamhpXU7f*<cE%1bn=cno#_
z*u=P3Wrt{yqF_Hp<>vj7f2WGlDVyKCFtU99+F_N=od@!hy_(}9?P$c_EtKd+iDZVY
zwrCsUWFAVu!fV8`c~GMN78yTacr)m$Kqs&LB-3@n)pcP_c}-5;SND%5E)~3gs<Tw1
z1ppEN=`<*WEeVU0KE}ahu<CVtWwy<sqg<F0*YU-kI{f6k`UdrCjrkkx#09x_wwL!*
z9C4=JuKPoF#CQmeKU^5LE4^!%Qdj<NTQvg-KGvg=7qc-jTzOtRn88Fm<<CB!gmegm
z%{pl1jN|LLDVRQMLqB6Xcp%;2lMSnX?%x^*N1lP#p2jbxyJjhBj4&tlh<vDwwJ9;<
zW))U**_llToAl8rDmqqz&v~@O?l$QDvgrns^`fSYDG%;E%b`e942J;%ZG(LDY9R5@
zz)wxDj0*CUroXiZMq@KA)*~D8dsaW)^R9gmUn%cpgkQyf=e70eNSasfOWkX-{AEzq
zkcos<dXcJr$`NVF!Vuc`qNSg_aILJPvyYDSn-o@-C|9M1P;&e0hxC4^&H54EL86(h
zyUXYpsZh69BE4;D7-0tNmZCD@kzYtzd-26n7KMh(Hj^^~wDXRhNs2(L@2Dr;EG;CC
zxjlQ=?0S5<EIRLdy6U&fwdSxe+_jCYh0uA1@7Ck??s9Txp0h$<2TAL;s7qQNL*LmW
zq*kwG5-!UuMICONZl#o3dpt&T*ttwtikTUkf9-{r$*)2xH`7+jcsFsdDb3~mFZpNo
zPHqP@I?1kyTSyF^KVS2{u5J87ZMBqV&f9**%^l3aRwxZK{Gc{Qp4%mSf2^76!^9Wk
zUl}sM$NOpcznt;B)3tSPM3VOg;01pKjOhPMRN?=W-*O2Gn>^=Iq1K^(yum($V!$Gx
zDG>Yt2r}@0Iq5xhk-Z%O(hK-Q|DTk!59$JgNZv(;rs)3w#(kjsRk{CN)l4fd_vHBh
zCb(-z*w&?pE9^4>4tjs5+&j5J<lVFi5~fA~a|i&Wt(&(ZTDic)5ONhr^2(l5EM|d%
z=vC>n0+w86^h+_7cCM`&Y}(@oc}gOYbjas+MGw&fPAXM&fs;vTt=%kTO;)D_L<($e
zx8HREIKgeL6er#QcWbF4nRVJv)CuQ(hZ_N5e^7liw&vp-@lN5n!<=0kIS%fesl#RM
za0H%XXE<In`&p;9LpIm)=^Pv}0-9P*T!TaqMP*F6G_o7`ayZ~YDE(S^D_@A@P*?%O
zw~>t`T2oe-Xu})ZszAy(H%i)iVA1a8-EpUlarEMJSDupl$B*#jBDbM#^h60T895n!
zc#(vB8rLkDEHBC|Kj!T0#>Q+xkzkz2Rv;MW)l9h7xVEX*_53-<pMzqeRY57mer=k$
z!SC|`C%0LD=zv-j>x7&$i89xPwf5l-8+}L<TnUMAd5l?vyJ3Lt$f52%c_mH_*}off
z?}^uf*9y~}56{!080pP6)+e&vcXQ7*7esWK_Sv7D(Os%oeoAz}Sk#^omy94GNip8V
ziKCxDiW3|aXO`hDMfl9RFMK;tUyeWFlUw6F7lIGaxFuBWxSzeh(c%46z`id;J3#J=
zRx!p_^hUfS6mU1`8G(`w`A&Ac!gKItx8$8s&U?gp;D}fg^IXH&(-4}h>8NK!;t9HG
zM@T62D#hoAds3o`SRnU#5Ex)e_$DCVK%EpUGm})k9Mhbt&SkERK`%IV9raf>Kg$d+
zO;Ysu%Rli=Jij>+{{k&s)t8+J+aAdh)jK@1WJkKn&vWFo!!(hU0*@{^)h^TH+T64K
z{Ysg3Ad%eD_j(xy0fj$;D78E7XN9x7VJ7W3<%aVv&P#8H&zkj~gW*i0#-A=lTpX|s
z!(*~${M!^2jMayCQw>|R*yt51+re2OKYn<sjjQ8P@Elf8d!|U6S7ETZ7}fB?8|#yd
zl5y@B_TdT&4o3d;6b}fuBl)n4mQAEA<ht^;Cb!6x{@HKE>YhJ$*dwkg8J7}6d@5*f
zlA7<A=_w)yiB|e2gRJ1{Uu&tP3i{enuN7hzWUB3^5u*mCK612t+SBzq1nV<&bK9#%
zn4Ob-xBSM_tWmxBGh~FpGQVH#*Z)}pU$w2t5<S@=7*wlc77t?&gxzN;Me)6`Dm~6(
zC@cLl!mEoy=G|A&Gv-OO8jj(;oDm)OPX6^5Qf}HPiYy6D`m_3^lcn`4iA&!y!1197
zx=?3xPc9_IXWWAN3MM!n&LNf6gq%Ah=^2@NHvx-XEnjvrmx_=VMi6?%5G$cuG<B=V
zZB*Hc&Qt~}f3`H6?sxhzm|z!`(Y?w%_=qSUEO5b1{%N};3`WGOLN%;tKi^?95!Q&o
zM<J}Swe{Kd!Y%FxVO-L(TQDV|m3V!s!JEh#eX^5`w0M-r7(ZEJBUS_BHpXi%rh7}K
zYEwGrs_iTE#D+I}UP`TtVkcQK8Wx#e+&n&|P$%h$rCQ#|ldiyC=?LYN*nSpzrBIrU
zeIb~l_L?PewA6&Q*!6k0QOyHnjzEqfHIcz+80wEdf2LKlReQt@dKAzmGa2m0bPh5~
zzUaDNR!7RN9Xzh``H*K5LW*0IF<VPA5|0OI)6>Sm)}B#mAO09gI<kdQe`cR+k1O9b
zpRjJ<#4|Oj$sZHbwM-bf=8?y)it&hZne4~?6WWI(XTW?R2a*u^QEnLcXM5ZnbI^{=
zU=*#NG$Z{KmN?&HhVPrf*SKdf@D56#DxuRJYpM7TXL<q69M`0ox!vo2C;`pE{2|RL
z@vi&Jh<rD<Kgyfs_ibdP3%{Pq1JVn3%2oe3Oe<iZnujwSMOmxKGODSe5ul3}lGh!Y
zhbt}rB?6s{WI!+~Y~|cJPPD311pna={ZPgt{jL0V00n{~%NVma7`SVJk~%HTNcB@G
z$#)s7VfXfHHiZQr$mkfC2uTsgglmO27%g<R9M=5qj*MCDMUOOOqDwc%VSN7BRA7EB
zb0{d_8tWCyF>GbmtT!an_9Y=;S~86yDly%2H+1GS>C<v;DXYIxm<7|%>Y(kB$9Um0
z-$lj=0g+)VQXMW>eOs@ob-81_EnOl(eIs)L%vC%}BdDq-1mWUgIsq?yY!h9Ej4mSC
z<(uY^a{148HBuBG%+Xxs;^uby=S9doygq3=qE~g7>E49DiRYf_Bce{RR0X3RBGuS)
zulqxXKHq;PR}f*4Ww5PIw0#i$3xpj324-(yJzyke8hGn_cd^8{?E<BXKtw*k29&Nf
z!}Tybb-aK8iMKeucgMp1scA)25PMFqGCyM`Ihx(GnZ|(#KJw}bZYPRF&!q(NVV^G6
zKBH?mI=}HKPKd4bzvTm|g%@5*qLjP6?t+hP(?-d73SO&GUMQm@@jYQ)txJ=?6Mb2W
z4!LgFe^C%GLfIF<MAhe+8>V<geE1=>(Xz3NwWvE?q<;G|jx#2ANUR4+o6mnGUP+`|
zlvJ^ei(-Xp$p?MQj#H`@-ggbe|Jtd%;T!zv=|=YrW$-s;9I|r5ZV94szWu(p>u#KS
z#q26UYYcJ@j9h@?=g7#hTu5X7x&UUFVwFRDI6@*0HC`Nt57VbI7ONXv_(mb?+rN*B
zLPFd`#NjEpFL!hW-1%er<11^W<L#0TCs_HWL?6PeHSBXm0t4)v%Et3NsAE|LLK&Hb
zaq_z}(hlXyn|0!(CeM%3FIs0O`;*i^Z<W*9{gu!_HzRepiFb=+Xoz^y!%Xev4Y$r}
zLR#z7BFURqUr({(CUkmYZ;_~caG-P+5@l}Ysg$!1`m?|#t}@J%Zm^pb7vWt&Oi#mc
z%|J#sYC+xdv4sFHl$5o}Zmot7^-p7KA|=6y(z!`CA-0Psu@;38geI3o^r;hzM~q6d
zT{1Ak8_jk>>iZHa%57(vPu7~Ld0U>QkgSMbCE@vy)Ku(84S_q+a#5grhn;AT&DJU~
zW7(W_)3Zj7B%t~*H|hnnwQQ6P>VKCJLUZir>KKcXs*2%!&#bwV`#UK<EI#kY`q7*x
zHYg~&D8EZJy$Dpgt4I0dlF7-wajnaaOMh*72fhm_|09Jp)}<NOQccvg!!`lofE;~?
zz1~1TBX%pYOQ>q>NbC-v|IW31;<(aBQ>YrN7?493lK;Az81I9uELIdlq8kND1@ns}
zXkYEcNBtTf5#+fJjd1bZNN8mo-kHdr7KJt~k)^F^(b~K0l$h1J$^9h9rr8&3i-(NZ
zRerOhQ>p2T7O&61656VLiSBQy0!o+x6DqN^<z)qa$J<wpT{STzHkhap%J3j#M&`oo
z#%_3eYn=39h}s)9M-5*zp{M<lDvR4DJYm<3>4nJivzUdN=JbAtP57=d*=qimk+5KL
z1|h~^g5?nNwa9DYdeU2ubl8vh{6WQp)o7J%i;3?}_)mfC<RWYVJ(0zL3(7qtT&%}D
z9ID*`=Zn)j5ay=uM#%2xVM1e#aRRNQa%u4_oy(PG&K*P`Lv!BTKF_`+Ed}J_eG>lF
zDm1tMLbdc5++q}rQpan4=quf156i5E%b<HHc3zpS{t}7cKXv%q>3(oAo_;xDyvVr1
z*=tw$+}k9Lz^hUgE_WPOqcG5*o<mu;_7wX~aD#4Gpqa)(D09#`2iXSiU`t%{faRi{
z!t$>l$(OJE95?Q(N>8YynWX~pq~8F_6X0|X^tK3cqPP<Q*m(Z|UF85j`V%m5Rr;nC
zV7ctQmP*$0;e8Cdl~H@sx_u9wTB3h@H=hlb8TXRAxtdSZxj#-UVxE__m8nkX)Q#x6
zL(G&%<*)S*hWICtolsuM9Mdkv(d}pb9C0x+rq+ZC{V7ITQuM4Kb8*}Dck_yU3({I8
zqXe4)1R=8<Lg^;f=_Pow3_ZCg)R9J3oszKknj6HSJGg~c&cmaT9MRFj;pF7YalecI
z_Kp(6@?6-VpSzXFPap(>^^fQwt0@H7y4lpQP`Zqc*4|R59;DRKy*|-?p}ZBQh*nOY
zIh-pVbJ`Z{V($ruiLQqK`H$X+y2svt=0Y;qO#)%}Vm+!viGDaOpZRp)G<MzPzL;96
zsQ3NV3@LRAxxo=~#932R8^Z(*#qo*MtlBj<MIS^Lhc-E_P<Qvw-Xi_fH9o01G8i4w
zIqtxEkW}(r;V8q3Z9Ew;E_%DB4<GJ8UZ;@?PRqk_DQAjuxi_rlk2_=Lbx#S3iB*Zo
zh~2Eu^7-Okf5pOrI?gJZ9XuZcA(neddby>*QRA0;wF#?iS>E+(>(6nH9}a!|+HJz<
ze%WaaQdMq`i)Pm2Dr#hu>tCpSl3ZmyY+YwmyZ9!2{J3x-8aj@XyCZo%`6fq@zm7C#
zQq=g@^d-&p7ZcJB6`eBMo&vJ>_c(<4IcxjeyaRI{w1KgF!Q5wE)^D62XPd8(zi6A8
z^WiA8eKkr;bB6E55)324<-vFop#Zu%-!3m-jP%3bi_HHbClesQ6XEU4eFd>mvfVZ_
zi#Z{a?TApk85O?W{&{<ESOCD_KUZcP0OS5Wz-Zr2hd12Y?G@11VV2ea0PPke`39n#
z7Qqu%DCn3yukU|ZoqEQ?b5&TSX}Z>H=1?S=KFtTm_gH-3CxZ9*RiiQTD|Ldd>=Sg(
z1dX*N42r(9ID^TT89z3SuLDfPks-&zL)DH|B5$w$LLV4&;Ji<lIp4DZF{_|FX7LiG
z?qb6IGK#~Or}8#J^2WGPbJ=oNJ<N?H?|a<MUehz%a#SrCsE!38IQVf-R=r+KeR*oK
zrwmoXg8{k*cE=<$Q*ZXaR=;^AC{$HG#_>V*>hJb1n5Qn>^%m*L-1FJS6n)Aiiclhe
z)9NT{kuj>-^Vcr`&w9`K2T=zboi$;olxD-mn@7X`{uCVW`Kv0;m?^R%DLrYa&=2T~
zoluigM)R|d@Apm48$=`x$n{s7q1%f5K_iO?Fi1A|e_x$UA8ft&YOA(4D8eoedG$M_
z=t;r{q+co<*$)zM>=KjL7DPF6mYj_tR8DS}XEUgzZt+wD<6;}ak9=435P!1bnvg4R
zgD!w6KMyOk6h}aU`Ib{Rc#+CzCfVP}-HM^>@gavmSGnU5qkRY;CtEBq#~v#kL*2&1
z{55aDBbHL1$uA&7OBFv$$+bLEZNFiouP&;d6y@u`em1TX&&r}1D@3^HFDb(zeAh<Y
z+l_d&%eE03yOWF+>nSBC_1&lCIV4FIKixW5JXP0S)|XTG84oH{nI};;3FMs&T_Hf1
z<5}%He(q^2X4{A=BIuW9ck#shxmmxa(iGnVrL^osjS{6YLxY8;cfF}P3HTIm4CTu=
zl?JPkr`OkM9=w61x{L>$><xaeME@#)KgE_fGv=q9RNe^{`Iwuy*6Poh%Fr@y*4w|V
z{^WSr1LK|^x65z<z&fibp~%)?&a;WaZpy2ll%r+8jr@0bY2<2Wfr})>MWU7|t*}m|
z8na~`KYJe>QeyT^Mh*U)I@u-7-6J4{2K6)46bT*lym&)@iw=>@-@ID6jWxHlI-2QR
z7%~*?bQFZThJGjCbMN2wb~wMV-KgV%#tS={8|wKQiPTM9`hZEr&+JVKc0?W~*f=y}
zi+CCBdkn`4XCl1*>Z@@U5_w!(e*%#ODq<28vj_w1(Ad032`pGvdSg4`0*BTt_%BDl
zD-jX6j(hVuzx=w1o<d=+Z*4Xvnx?M^QkO|JZiqZ{3)Je=VN$}C|J#;ib1ro_<m{DH
z0+A-ZC0GUzH83jn3{7iqbFp~kKEmSEah}v!z^rw+Z_CnRF%ngo;{VGbh5kX2R6XNR
z&oCtyr*bG6j|HPsV7(GNT10tNT>;jh2oJT8Y**o0VTa=oU$3f%kFJCXzl_smOy=YY
zrM&_R%NA#F3fb)a(e7OqDlhXd?IgPoZ$hF^AUq+`x2)Yd<f#z>o4nM=nNRzlA%)sx
z1V9zM$;<;w4*=fwGvw{p`%l2L6%hawA#q;7>CZ<sAW1<TZljs{qXV?$t4u#|+73MZ
zf4X9z0*G4%-o0}p0B9{An?Lr5L3-Oh?>Wl^z%vE5V&eM)L#zgao=~6fyq%lUQLChC
z8TD@p)f`rmX{on74Mw>C)Bt9eRb2&VZNf@vdGALerEYRD^YO4865;buF!Cs5*_8A!
z@?-DD*}G(Hv((h(ZVIwU;dvpy1;>WKU{B_Yfo-3y(_6Ih&c&S5=bT$1t4kqC-x!=r
z=ZtOiGzt@)yYoK<sBVH<cv`vB4_o`zyWzM*8WEtSyCz7(3`f=<gQ*(jvEL7>u9v#p
z^oK`Wn1}HL&i@jzzOI$M%t7DxtsU&c8&uGhy1;;S%Fi(G;+b0%M@yGmEWU5gIc)}-
zs^K8fup@lBy3cf~`VA5)XkD9yD&*0=A1EyHzQKgJNtQR2W;nYE(TKkNd#TN?_!hr#
z_k0%j#Ywr^aAeykymY^cw%wte{1^EiHg{4GXY3414#TXr`0xGR=jksR(03>;o_$E=
zd?A?uDR-nBlzAt+g;pIvi_=xIJ5SnMrkP6ox1e#Ri!-fuv=ga+F`iO>D<m7%o*|Kw
zNWIG({44|ILp!0wk3B0WIJ&({X~9Do5xxuFk4rL-DD%wYBv<NXdBTG`qevCQN8>kP
zi!)<ZJNk@AeQh0v&niFLNQ7|g9HMGlN>1I2sNllDv=_V~sfRL;#u1^2cWRDXpyM{{
z{R`ig(2dg<gU>0dk_(~j;siq`Mb4^?KdZHu=D0G6XN!hc!;+Y$GqspoA-B{iy+tZh
z3lnEf(;?8IviuWQFoZj^owh~<IdiX#kbY^4cnz4Lneo01wPtsN1I@(Emcm5#UoGNt
z`d}y$n+l2>zk9&w4#0-q1bv<UTj6xO2y?1JN9Yk%dt@<@%~5h^=4vB2wzDuL9uB)d
z?h83nR3KQqz$u?2vRqluoMq;nKg!u=NRumgg*~skPh@t(+xb$9Ybs%14QDDC<xW${
zoQqca1FO9x$#ZW#b*>&EJ3Qw~S?~c<c^)s9@ZsD>vBI3Qf2oNCCIY0!c>v*eu_4ah
zEN}hGEWcG@cNV(l@J!8Wn?WX6JM1T~{9G76iA9SWZ)hv}dle<&EAH%D$_<jYrdH8E
zMe>$76`Fv%%8NZNGu*QkXrU_$OSYgw9xF>eF<JMtda_X&`SULoRpXDj$vTQQHDC7r
z;LCwJx^0PUyO6zi6Ui_Xxcxn!u_S$b64*~+H^#A8WYt3|4}&wHeUmsyF~YcyLsda>
zYy7s=tlm6krbPC2)^%$6>t>9^h6CKbeFtn<{55j&*uOz?4w?&`)^)731A|pfH71=7
znu%_1M7<l7IMHFss_81~b}X~$#)^%!9Kgg@hfIx~po~ajRVvsUSLFVWPpv$JIRHo8
zRW<-ooivIi`Ha6koG293!Y+&aAg3gJWRr3hH%788t)QurD-!mp6o)6ffY|V>=j{P>
zSIx*0wMA?=<mA-}hk_R~Ja<KT_u$Sc`(r=}0XYY!V%y&y1~9DnS~yjjQGuDjTZ4*i
z242F<pWKy%E?bkkcrCuIX8`2<_U=#A|4~n|&+o)_OnA!61*~iFS&G~4yK%_lOMhFM
z+H220H-EeK07HiwLa(>RAe7BY;)Xqwf(%DvcVh((?eM^6xI^eS#M?M|WK3zXZ_JAW
z@_}YNn}6!7vV{ff)_=FePG+KYhMpQX^M&VH>wzsq-X*y`+bTbc{DTjXVinT-x47t8
zc)tr38PCt@rX=?=mhbH2Xu;VcY{V($^V}D&^AlPvoupMcDlgFX9NT#3k^Z)-K5BDJ
zU!R$4ArPVJfPcy%uD&f9`R;bol89d{MwN-cS~lHGz}=9xv0lMzZuyE0a_lKv)Z=r@
zUC!lX>k<lL6tP&sSxkvJEz}5395&iIW*re+X8q=BqI+{(@+)Xb>N2GV4J-a=so`TH
zd?RLYf2|0PjRFbnALr-UMtRMvm&;|8&cmNSvp-LKtgdyC8$i9VAQB9c$5YA6QbfT|
z&AMZ3_;^@_=jeL65`yk+uFHOMY#;u)J>$a28R_P;lJVqyYTl@EJ47^FEM~*UX>P<h
zwmkAgoo$D0GSZ5j@&pT^Fz!Vu4P8qvl4DHEr40dkMHQ`SV{a7Q64#%UT7()6Viw*W
zomqES;~zYJ7+H2#-cAu)!CEli^>+5uEsKABn=X0dD`HhQt*%5rIhK0RSneEQDSc)*
zY&Ko+pjdJkN`iTwB%cY(WeUL+GlBxpu7JtQ7gl?E21W|hM-YfLeOP20fDF7t5X`xR
zT@2i)pz!_=&$0zJnpahq)+C$;y70d40bifd)`1}u(B0Oz)TsReO6V3SD9C$Uy`FRh
zTmq7T5Won9<_1IqL3jm?zh7hQ_At}ny<=QH{14-DxCDs3f+5N}@7EoMYzaW)Q5U`w
zfX4Z%46v%f=K({2%>VscC(w1+B?om2yqU5kyaTM>$uWh%x9s9L)_2eg^8fC9r)u9M
z9>8zPnE%h0y}Up7-<KKbJoNzsVX%)|d|OW<R=EK3JYWJJQ;y=JlK!IMVpBE$biJJf
zmmmno$23FEp}3Qr#vI}H7Lml@sWjHPsHa-H=w+0eHBjP7C!b!EHy#GZvKS;v+Q%<(
zdElR&bM_YT8Fer<?%W~u7r5g_$WY6fa(P(4D|a?jM)^i#d&^pFy^zwGDzk{M+R@Hs
zW3Y8TK=kH!4)x_M`IaQRZgdFU@Yvyg?1*Xy@nu8;S8nfvWp$s4z>XM@em~JU>mn`j
z$xtuEUUqmnPWCYNGcOk6kSEbOXX}+|hd_LmzR7^u^z;HN;rU6QbT#&t9QTt|o`HPs
zR^~mvVzTA(W?JbPLbi6XsHm2OJ2-$tM&VPg)6bd1KI@9x=75YF%$99Ebp|DMxRXW!
zL89ObTz%;<u5^L*e5A>gt$CuxsiuBJ13f0w%<+k{eU8F!_-J>pc_QtV=5K}46TX)i
za!%2bwG|Z}#VD?0OlY4nBrVpH4ZWbIDD5b2Wgaz%#y$&dpI8J5iG6U}7z(1Bxha+I
zf&q6;rGKFlYO%y?3}LCp*DfDH5}6dhfoku*<lW^1)nE*!X0bp_NX9OfznC&EE5F9a
zYgQ_}TugOGx>%amqBKSl&6CnAFbS;O-({ZLz~9KUiOt{fEpvVv6yHk)s*gHgk}w|)
zSj-tywA?9?V4lhCj`(aSh~H37XH>@<kf?JQ=mqxtzyMJ2hSvhbVN}^GT3>$tQ(i!S
zd5ZjGf>EgMUi&fHg1$iMK;c-w&p^BO?wAm7z`{x@uBf=GCLagh0&ImheLhJb)+)ma
zyGOIl7;h;V;qtMX)ALf1macC+cAW~u*&&r}iVse<P{3%`wLeHVIHpUBaRpPF;w%=y
zyW8(jM?x6zeu3@2QgYD`gkRg{;C{;&TZ&orA+2p8q2T}Cb^xZ&NB%^@yU2%QLe`;s
z5zDxaeJuQUPrO!HC*<~nY))$3-}nHn`NPlS`vij=mbgAJ5B)|GRGg%$+|w)_|1en`
zP<-_8d6U1MMKovlU`VeS(}r{L5VC~-l9Qz<x_L2G;C-H+>tjj`D0^Qa3ZAHB^T5ok
zNPl9^qqO?ebBkPJFZ}!6gmbB!`KlOj7bMA**iuA~G?xCxDq0fKq#U}w^nFEH3@I`1
zDJa=jUQGFFPt!c(h@#8?%a$GqVNpsrvi_6dRotRV0n^a*Pp^nQMEafy!j0UYy;Z9P
z)`K*iUkHd%OzJc=aETkNNVYwyH&SbqD)ij2P1Kav!4W2|!pm1H{(Y)+B+QO~_qnQA
z0%nxdF*+A8?QxO(_g5Y3n~HT(GfCSLs2MD=nds={VmB{-9kvWQVSoFMZ8V>flH<9Z
zxuwpxkXUS@)$S1klfr<{PqjpAX%D4SN`6m+&L@lJ!r%KKc=+xh0+?C(0MGy$Wt|3E
zvFZELY)oM1OEE@~$K*uVLv}@F)FMw2uULMj{XpKhi_8a0&O~lp4u)7_Oo=IiPL1o|
zsw7_ofBis3hJO7w?EXq-2_MTp1|4Yfxj<)yWW_lluj5it4Pk}LvTviqoNP3l4avcW
zR@Jv{d}*H;Yy~e^lO`wvF;T-)s&b8I|N1vwX~|3mEPa1rTmrtSB=J;Q9?NU!*d|J{
z)h^v|;P3UT4`f_W#_6YX7#IA^JZ}NvI;f_i{5W6}OGx?^-48x-+bLrnBK>8_`!w@>
z`CTQw#rkEFSmwy<vbmn`T)OiI3F1o)raUsWM~uq91LdQmz}nlW<9KD6U>47-n8Cey
z|FqcCKm2K!`$<H?P9irKRJOM@X6o`$uM8CyOJ0IPKteRVsyx;3OjX>hExce(GQLw)
zX|+@kvX5>4ydV9X^1`Xa4C3lhPZ%DXVY|Lna`1JkIy3b7p&uzl4D{2plV0xqOl;xA
zSnAuZYCi7_Vzk?VFf9?$#RO8xLVwOwp5AYp7^Pg_kDgubaE6ZlwU@@!<{3%dL9uQc
z596t>simeZU1K;44VYr(Pk)0mW;=~>doWl%A#K;Qs3QOVXxgbq%PXdqj~JJgY7W1i
zmWshh3|x^1{u#NUSjKI*j4jAIkJ;%BMttBT{o#29Ykq;bNu?z*KdsxEUQq$_M!F4T
zn*m{4_qpA#U0wM96}v;w4<L--?GZ%3bjQi^|CXL9;K=|Whn@#s2aG8ID**uZRph^F
z*WPS~^uG$V?RN;u@_)<aV*_9**NH}=LfIJoS=`<T>e<qchYpuXOw+w9DL)mt{_<%Y
zLM524M$fdl+&_t)y3@eq^(|njnx53w^*&^nfDd+ag^h_gP7o<g<St!o>_1lcz{(9<
zk?4)HGEq9Zs)_S_sb%|fS<l_gsFK{N5s?#Y#M7}Q1VfalR&x-3gxyt`1W(Mli0y(q
zjM_*-N_OCT2BX%p-|qIV93-g)++0N@zp?b4#p)m{V4u8H;^1PRdVB;0MCk4W&R|!N
z#zrxagd6AO2Rsud4%e{dH<liDm_j0vqV`TTttL6TdUp2q{Z04_)at~vcW>P?YS%_~
zLkv+}o1KjT;+h3JE-8JX@@14;D<U(DVh)fC1qPl0+%7L4$+ze8*8>j{b5pU^-81l?
zMni2ia))G44l`6Ead5-@&~Q?y2A|))SXCgyu~UH}T8Wsqdl92Q=0~|De2Vykt1+CR
z2b*NPYAH^T6tY_~rBmCF&C8{cvYhGxX6TwRvAj6kI+RHx?n{d;O*=f9x^im&&l|QI
z(^Kap#qPOBxDUJ%Q!|<`hmoRnPiJGT7F2L@_}s8j1+hwl^1J68w?cjK8V<4^SR3L|
z7PIwun;#*|Db$2~FQe_b{f!KrlqmW;Vw`KpOL&b8mp|ST0IOsVlT+f&3Y9Y#MazOc
z<B&!<t(za-gNFp@JJmFGZwQOPq37GJ?^`228}PykkM$&y1R%V3CO<_^LEeQ<&r$C_
z3NU<IZ=|XKB!;v4UEo1V*@9eWot8wy<MqAWY8kKdSj)tktEp^ZwS1M1<oC0sHv{~@
zH$p*TipS=$U$y2K(XZPz|3b-1x;vD(L>dAFTg41L68n-P@CS8K4%%(xszNTlW-Ghk
zDj-ayV@Q3Cbo}_ksOX~}G4{PYx*sCV$>$$yLc9DZCx7g1qz0?J4y&k_1hu`gf<RAF
zVLRWGIgl`s7$p)sHOmQT2Xyv368nDLp*Af0_HeP$fF6~RIJt4)oI5msIs^&e27G<;
z;T31&eus{ypQ$R@#<1OU=;@1^;x+xOVXMKKpk6$-6EDIN7|eq_y>PwD(V)F8SBZ2G
z%DYWVjsuKLjz0>>bZ{qYd{=_)c(kHbloigB$Qe6xQv7FeX0E&SWB5G3`-6uI_P}Q5
zQvi-wI24BJ1NTL7_-gW*H1WqvFy(059D;wpnSiSQN3Du>#ex)<I85u6aAfYczD@5g
zH3$F_Bxmer@2iij;y}$<84*}y=e%idkQq!!5yEsgx1^;yCELZ%kG8Y0Fvk`TpG?3I
zHX_~H>RQ_O=O1$SH~ItGzHg}+y7${4of_JG`YVzaAumpVC^EM4Ndz%x)yPSSO+#-I
zhgBU>#VmCz+dBD*d%vsjL7Ugu&JnW&ZwkJ{&VL07fZVU6{`_;b_3^4zhTi_{S9HF_
zDor(33d}4EmE3N&)`drf{1|0)<sb>yXs0tllXY(MF^Jk84V8>msQ<PR540Drqy?U!
zK8KF0#nr0aG%)z7(e7@u>b@YoIZnpI`l%xi;!p}*s{M~wL(I`ZR{}xnRSIqLGy&>f
zMCF~)_`)i4PkQxsNdQmuB=QZy3V$S`$yWp1T70E)CPsup{hzVN+%MoGaR=}|Ddd{G
z(_@p4-iL)y>ezdrhBSzDDFJF5>VM`79pK!!SJDt@AdVA-=LSRpd6)T{gqcA~iS%U$
z-ieQV+is_zVNjQI!BZ|>-CKRnQdFoW&WcxCLs|W)8U|-Bc@iTT-7B=gEjX`!QXUP}
z)W}1+A$#a+FMg4W7m1%e(d$rXdL%c>u?4KMrRcT$O4pm+({H1oYN7C>$tOgT4&%7j
zEIl?HNrrSv+=y6so6!)>C8lwd)8va%hL;YGh}ZQLT+H(`Ru73Dc@Gq<3LLQp>yot&
zF*7E<DdW2Mtenq_lPjd&ml^Y%5w)a@1e}iF<kUto<bT|Ddy18uOr_J6Ec1BZz+{vP
zwAd_6oD{L~|8~T+`Oq(a&f1i?0l_>21a{)x7%~KZqH&wFCb#ghSvRL}k!_rOV3F5V
z`*&h>rZT2QmB8sXywA;p<bQC=p-^AOiUXFL;(7kQ5%&$L!rU=+s0pu8U_+PrOoct3
zVjqcJj6K!I#ZUp&`Z4{VK#*xZ%_#?5ZsbPFpa@Oj7I#{^ui$XP4zGqQdJI*0qqEsw
z^Dgm_Q(d!5v8f4KN`cjVvc?uXLSLdtK5wKSz-E0|r))W2Xp~y!g?332_z*sJwcKC{
z!gcv&Vp5~&trA|Cw6|*<^nKwX&0wlaC#A7V+_vR@jJGJQ%jIgk5=(nuyOH;Xt-rGS
zxHqEO)7awDl{b^kmKCQbJul)sb13U$q$)4PMhSFM^TCY6FFYR87}C$aRVuv<CleOg
zIJ~IgqX`UKJLfSK32LGcw0WS^6Sy4)G|;aAp}zkRpyj}a_onR3Ngue3n|K$uy@|m5
zXZ`knk3qvcg0lV#!go&b`y6}bR0ZgM3sz`}g@Z!Kx_B081xVqpfB_`W%};^>PgN8}
zdYC&CfYazS#BiEpKk4*mrTII+WGhk#z;~CbT54RhIaIjXZwFNVL~;-kHhgA%rQ3Lw
zZ}6lQlb*@{bdVYrFOHfnvjKDu)s_s<3|n5MsTZM(9ev9$RMNSkn4JHmsZQ8BEP8JD
z=$3MY5$JSj5Ijk(9jg2mRCU_8E*GpoLK+s4&a<*sB1e5VzSBX}lSSdXgjRe*dV{&N
zSpm`AaOwH+*krbV6fSk_t?z1D6+O5EX6Do5Z;y{TWfctVeHe#@#HMLTD8*W=#C<ln
zE76``=Lq+DfuQ*d58Y@fp&R8ZgiE0@eC2g$YrzODwrExTHN|gRqUR*VzR=@4@PhkN
z^MMcrVaio?`G)X;qb+yKFL=bzh$Wx(<5Rnt3a<l4*?cz17zw=&H<lauNo5BWmBdtX
z^VSQIe}(B1R6*A;OxFCPUh(~Y&dm7)L5+XpPm~ea+g>8c)G2mezMF=ws0Dg^wFAZB
zp&~@ZJ9jioSKo-lW!0y0=ZX8}ANv6!ceA~0-o(R<eEQ{^KP+1ot4UcBO|JN4uCUz=
zK-eXn{#Y~mXI30}oEP2YGLO8BHJtIqtbVlL;d*p6arxr4m0s0Q^_Mb|=`Duqcu|Zj
zY+B2nN|Amy-?xokTP%fjgd?$1u;XPu&9>q=^nOP2pKi2mv!z(7$+>vFG+GA`7DY7E
zZy`l#gbV|b$0=hoVC!UYnvjH|kUd`?(u3!RBCLG!?^MS}r}a^2Hosg%ZUt}}IH@5c
zRV^+rn|0mGKbYHw#Amv9*oH)P+|(%aOz(D~*?mzv0NOe_IYi&rFI1lP=(8$fa;203
zravRln^*ng-MA_IzSjIka!0>Ov2{?s$Z9FbQ8UOcgkqR_i}~Kzz+hz&)rh~_)5K!I
zjBcvUpF}=-HCS}yd3`MKX{EsBG5trK%pnCVT8i%wEa?h_aBYO>t&9}k9WndxPw!6k
z7vc4<vpyF68et&`b@vEmq;(%i3cfJ-t_6s>>YJ^D>@pL+)mo)9l=3dtwBKJxyxF4{
zhOf8qt5MIo@v)t;{`qqOgu)HTqc-e~nx${AMj-hcaT)cQgua<|DL&UwQd9h`*_3x#
z8l69E57D+Wl3{2t(sGWWpH+^B$C7SieyW(YH*(GeWmG1H{1#1FBO|Jo!nC-1dDE+D
z63&o(GmkB!Vb>sTepjKcg<+{SNHoC!)>nb7SGdB6Ia*+r5q}|ZsGb(2=N|^PIe{v#
zB5lX)#D@JCNpkQnT$~b)VHqq4?wm<uxmp|#z#u!$zrk6vjIu`_U*oQG<RO*Z$7j!s
zY5w{<DZT@>QWt5x?j7^r^$estRv+5uRZ#0GWwTE1!_Fc%p~v9OX^fPhd5^D-9{?p`
z01N&Zq}?+)4S%V|Cg)7w+p?XFdRmGuKXk!iBNS4k-D4PIRj{dl3fCq|Ip|Jf>}C;-
z;qb30SEg3j{^iy%NJ5dv^h&kIw0e+Z!6enAHP=WntqU9O^@rB$`%RPeh(A(c^P8B3
zbo&P?F}i%3EY0Wg;_qJ$sxPZ;6=*7tO1ewE+jTCbYF58;(!b0QZC+g?H@2ypNvr5I
zy^1H<#I|9APVS?_4tnx1cTdd2uVNk~HC1dm#y$?++X!!V#V~H!Kj(aVM@ju*oRSoO
zmsp}<M?%o_9G{}uDgDkaYlVs=F;j#oig11JgJSAm%U3NHVCR<DXd*jui9EQWIlbZ?
z+3&|0al*d~#dQdtTK3ToB(F8)TSnmP{S^~zye(S{y*CuIs!bJE9bn`A)iBfa>g8k&
zvt>H*u`5qH{Oe%id_gzrWxVJDi_fy1>#G@!y+eJMDw_z5rg$3N{`UBr2c2`zE!Nfm
zUC!5qr(?Kf&872{rFN77x6fy7tm-E7;z$!&`D5d94gKzPEo4YlG6)e=8Fk2cj5=$p
z`jTE77-q2fh&nUJ$er=j74Qd5$EcA|Wh2b(iGd=0R2M#Qwx4)a(KsY+qAz1-XV-kR
zma~7kH;)C|#qV6oq$j<d%|Ufl_&CrjOC8MQKcl*o4&5K<B6X<g$3Z<odCdl9UOg}@
zfBNvg<MFmd{|3Yzhy;lOmuEpSuesL$osie{IRmw7#(RV{l+fMK|5I{DzQxIayQrWb
zBJKYbs7wGF4Al1lIe^h7O8<Y2&HoN0l^x$)f4|4q17L-3w+BeR{I{z@9D5H+;?~0Z
zuS@zdR}BCIFJ156AdEk}gk3)MxDC@KQD39dnfhtKQhQ2S9b%z<prAx9YsdEP417HJ
z^<~~Fbe-yqM|JvszCHit*A;DKO@{{s$xVDTPt>oA`;H~T-p*q0Xmo8n!ynSTf*~?<
z*N;1tuvK8RvO+Qy4+~zQUs2yiQQpg1sA~@X)8*B<cu4|=1M7K7URn(Cx4N*88%NJ0
z)ELb9npzU5;T#-1iON57&BD)5!dk-!u%7;POdk?*A`!uPNu7K_e62BL^3B};5El=}
z1Gka-safah^yT_4%x>c^wm-w1)8RknRNB{R1lvezHXp@-d;2{nn*DL^XhjwoVDhY2
zuaxQ!TXh>flIhja=}^PFHAm{5uqL%}(6(sn+D%Y#(a8J^a<7nqes;OS>>+5;iU;2!
z)&i;Z*V~Of{RKd@lyf7y7b<Un^vXdS8iZ1n1<$d&w9`HN=*`2_C_JV9GvbW>@M|oa
z&N>8|@utY7z$aAv(_#BJB2R;w+E>^16m>V-3**jS8%dR48H_cM8ewexF+r}2B34Pn
z%B_cF)*z1)Jq5Q)(Q`B7(Anw>)lb2=7j0N0iMMvGT<u0M_k-%4o8Xg+0`}&OO}p<Q
zN_IMjBZJ*Fi`667TnA^3kNZ|OH&v>GtR{(Vb7z#z`$;qK)vHA=dCRw#WmWn$`YgWP
zF;%(#KDWK*$CJm;K#m^-_62lSr{9tydow!L?;R+!KcI#`uV(GhV6&C-$QuQ1-?)ei
zW^J{@qeNgeB84nmQ5~#&NKI3vgzSCw-)}hlwb)-iT>9o?9V6-Iq}euD5H2(AkTM6*
zj~%_A9c;82r1_)8c?FfmqRU=+(|-3*yUI#MGcepq+GiFB_M+qKVh-z0c2oV5OmF=n
zaC=vG{^PbI9-h-Ewf>g!wFxmJE|@5}cVl+i&t5{ymm;NC*tOp#Jai?xgMsk->WN7o
z?Q=RjuK7M<c)WsFuE^HGoPu<AZfhm$mG>5{K_O@U%~aL*U{+Eqr@{Udg}^&h#s0uS
z8V~IB`N1nhrQ0$Vuu(2cb6<<#W;fsCM2aj12e)dU$nkEKOGkujA=iY^QaO_X<#?AJ
zYYOTy&=%<vKCVdq8tc)8H5=&jik7u=h}u=J1D8&CAY56q3UT0a1#=ixNVz{E_zIi5
zt<8<Pf3Wf$S>&ZYm@P(8%PR1QN=n$(xI|FP+>a408h->KRD??%h;Ldlr~Xr(rO;Ne
zDy|kAS?aK`QN8I+m!faQ#BbXlp8I{|I%FA>(0(&1k9-5}w|L+f7i}!tgm)!s`Y1ef
zbp4Z%uY^v>@8{G6@Zn|E>YHzkw7F(?tbh2M$K)48Wj_)kp?mMsh4B|#R7@Yz3b6Yw
zYcX6x!<!@?vI`qv9q*fra0a~Jog7bq;$Ds3J!;>#2;V2DL`WC<HV{Z03kIspL-3sb
z8_4)Jo&lrB|CS`{VP0w<N&63dJV*v4!Ya|G?<A#N!PcLrXI~g~iqA8AX>^_gSh6}h
zYAv}x=&?pBOOoG@95=A4uvf)n;sk6&3g0RAv2HndQHbOD1%5ps>#3{yTEJjl^}L!=
zdOV0ZaF;s}rtw;y&!gmcuv0pm>ms=vkbqxoM#oHQ7(qTll=Q=Op@z^ZX}$z)S+6sd
zK91mH(!@41IUxZGlb+r2NUvb!cU9P9<pahhE_hNN1RK}49<Ui_3sbxDI#lIC3Dj5&
zQfzZedek%jrtiActf47ME9^DJU-w&;dkh~}Kkuq>wzcPG$L2cNb9oF25jC)fT=@GT
zmai<2qnb8YHL3JD^D@3f%G~z^JCj3?PI#*t=B~huZJxnEW=~iE>LQ10&D=tXpw5pE
zy0*r6zW2{c87|?O`y7KgRbGI`XkqKt%TzD3tVQg-vgE6}WX75`+Ej=QjqJAH<W}|O
zr~NSLu9|+_qf)=D#oSLUnRuh>MX^RLD<tu+*bq6}x!5?@tU819v0LBga!1YwOq#rs
zW)Tt@b=H(CyXknD8Fwu&f6l*RMG<t{pPEWd<uG^SlCDSC@G{^&+$uy8>57`Qc<yW8
z`Dt;%lt8d|vo%#G1AWN|A4R-7)JD*vAPND6%YrlYjOHAVde!EGStnefVr5`GuP*5W
zht*h-^W0unybmX!yf={!0GN4k4C;OX{a@+1eV>=Yh+|Iy5lU&x|IJ4KTYo(60NmW(
z)bRNL-=96wZ^{KgZ}%JNm(QmF9#%Na|6A{T0MHEZ1Vnv=eg=8`_aGMl`+uXn3{Lp(
zZ2?TE&;RGj@Bnmq&%fJoLxBHh;(rE~|7inDB7b)W|8L@lfCk=PVgNG;>?P=5JfH1#
zO|%}E#dQ$l*Gd__2%5fz7V|;-&UK*`I2O`m&e2@+0*fN{$u2l6^iTd1qxZlSQ0KX5
z@GZcINJh7)NCLW8ugx4vE|B~~(U&3uQ|pA(Wa%~u(Ke!@_AfH>;%&P+0gw)uoDYvf
zew*DLORHd=rKTx<-*<)c*}+3)R<qxaev9X1W;jJghGW;EUl9)Vm(oUB`{-SoD{8$r
z?gT!@Z25iB^7r}1*lg59A0Cw9=G@RHDV6gi(cu*>36P@Ldk_DPEdQS95I1aMDpj9K
zPjjL^UGWaG7;U@Bf84#WZ6Bow)tXJEAj7Z~8J=fr2S~<v<2*O)T%UbU;ogM*e*nKg
zK)>}qFBT<qGkewaIbT!qe$6<o4$Ha3$f~0q1&B~jSImZQuSgzncKEJaM%r|(TK_QV
zS&rsC^tK=-T!ODO#0>Fhox5f}2fT?Efyi%23NNJCQ%ZY9<E|kVJ@+@Ar}0U#cU1f8
z5hGe(-E8>rB2Q^A-Y>7QRJ#y#)C7-)VhZmDzVr_o+bYnu(rd?~)r>L&$dbdq#5lmM
z(XHt9x1ICz4!J4rPZD;LxvJsY%4T%+mjz2yUQ=^1K&-ZXja-P$>ClZ4I0y6mS}!W|
zlM5}SrUvJ07c}InS~y2F3{64{1Gy&NVj;frevNuP*VCgws_&QLIz{RRT5|XHD$evx
zJD!Kp8RpU_Q*7)}wH#;R(q{k#0}(W^$-X0NN7Wal3mituk;Y1~w~&eUJ*m<;6sOYt
zSU)uIwrRA3Pz07r;3RgN`fl}~<G+6ly8i!NHcvr@H);0d$T~Ut`_*3VkM&3_KQWrS
z2f@pru}E9Zby-}}*~D(;fl>R3+#FmBJxHA*snESQfbjwz>Zs{kp3AC2jlB~Q#rfk;
zFW!0d#m#Qwfr}A&&-p3Fzm<Xv{DJgL2G11quv<@;FE$*}4N=h(a>ujLWU-x#d|`W+
z#h+Gg{#a4WnXe+>br_mASP`P*SFuTd*E+I|hvaM1_QEry%O4RCi4-m;kbug!oc^>Z
zH$z=<$lz>CbuOK=(TziA^5TWV*w2ELJjCDS2=!cf5?Cn2<ycfAC<wUtiYr5PdQ?lD
zQ3-S8rwRgVHCz-xf6!?fBQmo$Qev&O<lD&%5FiMD2UQbaKqh5h>qR0;W^{~Mh!)mj
zJhR4d3@{h&Wu$1j<FJ!H*?_;2lON3{{ot7R72}5-+zqGNfrPPr{czN7RsLX_mC#=a
zn46V82BUeRaZK+_o!F9<Y}sGXc?-X^qcxNgJo5`!w<s_%)Y9MtK{Q+x9Wf$pXKC}(
zr(r#4Wq6E-nlP{mAAR9tHdGcz534c+N>y!@<^<4-9JO#YOrSPD5*GZ@ee#q1{XRQr
zU=+zj!EsX+uqzt3WLE8vHQxML;uW>;Z@5Qc<UdO3>-bI`q__~a(W1?Pa%BifM)?3)
z(C)K_3E9Qqu+>V|7O``Zx`nf(a|>ww53T?2ZvMlc{a;q-{{KJBedPaE^*{9e@B86z
z{V&+liu2HsKzRV}xc~3JZ`{iNvqRVaeE`Z~LI0>M>7VbLdp#U=?C;7_%htQeWr+Cm
zs5UiVw_6T?h(!@z+m}4swX~BT-e?FUBp{mJr}5p4`%!!5o)a?K<b;1l^QFc%DQS5<
zCAr(^3SetnZPZQy7ZLYlyp*V1luLLfWe5WhUN6nc$wD7Upe<s+j03J`)|uula0o1$
zi-ND0U9V=^3((Rnbr0vqw$wN+WNT)LD%djFE!VsJJ=a_g8NO&8K|8NoL_tcmG32kh
zPRyYq>KPF<u!W7LH~$bn)Lm(6qgv7RQgESE&X<I*1a2!l5?3fFf|VO95$Bl?RTuH)
z27Z`pl%t*pwU%qtWfsybA8!hAWWX%j2#HQlbJluiS-;A#4W9;!uABH}V_OpBoYa=F
zI`oZLsfH0Z%<ClKI#F%LkRIuim;%}r{9SkYS^Tf=nCh$XNa-Mt0qxL%Cx=lfdF{dd
zLGP2Z<s({Tm@;bh2_&-^<>AC@l}^j;2J@Zc$1k0uClFSeU|*d6>{+b$Cl)wb^b{KI
zR4}|*_Nx?%$agiNz+_+2iLWQQ`W2sKB}(bXitIfa1NdlmZA&WJvL?G{_RgUw|Ad#%
zG3poUSF;81B>Al0ByW_?TUy81#P;$vw$x_xT`r=sLzvyhG6;LBF|1$^-9(|dG1nLD
zuvf%m)oGM#zQ<QIg2@)DZ3}Hs{}1*5cR2s$PyYuu)c^mx+(-Uz<^Nfs`hPF{_5T??
zJYOF=5-1M<RR5v+e|P6Uf9Ah(K<EGd!`w&yZ>9gx^S}GyfAfEYZ-gE?5-1PA-QNFU
z`R^OI+W&+0|J@4_vd57*Y*MuF*Va3-NH%5%@Itih*5Z5HIKn5Zy3CNoqwu&-Yw_=b
zvY*#$!e=^(=Ib%}VCI3g)jYG{EjtI?iW7Im4teOaOjws)58$eK*;czP`>k6SsRq1i
zQvE6p7M?LMU?R3EOXVZ2sdlH*ZlA+g#4o+gAk@qHocwLuL9clFEinE4%Endc#_3Et
z&avtKw*^F@apOR6N%}If&skb%euCUGZ_QOLbF61*W<z*wy%;%ia0GdVLm?U%>pdC%
zuv2)orxKl6>5jy-P6r&2#(D6OodK)%HsYJWi;Q<xVS5P*rHI16XWP((4@rezFflF~
z7|m$9jR@x{Yoa~P?>+pW3*26~03%O*C6y2<N1r!Jt9}xc+;j1RB^u(>oe_@eM;0y6
zt>$UJKh}_0tpndj{F;dPScb0LJ~t1{y>tFz4jXf|cG&XF=$rZzVP<oe^0kFsGB;7$
z$seFv^hpWLLtu}j_3$$}xJiIqU?=N@gmTwWs~n8F$Pr1uU%6KyMmX+I0DM$s5dp0T
zFqk2}&a1|#+Uv}c4fEHP8pqgoh7K>wZphP8SMkwdCYN+1)nIXc9Bz}3vo?6yD@*-K
zHeW8(MxOuH%Kq%~i_;aW($;eL`BGvRJV(A0M(8ukIH^oF(RenoPZf`A7Q1@NfX5rT
z)(DN`XX{Y^5B2|dcmBhs&BDzC?f?IWxsUwc#{aWI`~U8Tzy5#Z4KB|^M*`&mxZC$X
z{vZAyy8nMKFew(~ngMhC{9{AF`rl)Tr_CmRlEcdvEzO)r8;6rCK&~3aY6Net#=zCW
zC7eEzqZ(l^C`z2|v^OH8`0-en*sc25b%lYKTx)TR+d6z8V_Tfkgh|ZbjZ?Ba<NR9y
zIa7x3!3tI8B%9|t1$r%!aYw}56u8_HssKZJ9CtK2b2UBUtA?Vb_lSOkV}}=2JRvbn
zWk9jD287zL_#p&Q2?_&)KP@87q;xkDNW)my%M9m}&HQ6ZhBsQ7+@x2-yl;5i6#$(Y
zDrR47k!R)f%lCF=fIvwwwfUSNECpqXG_l{vqd1rjuo#63?;dO>OrV{TVGckoEoE->
zz=ZA1p_g5d7K{j0h(4c!RFAtPUx*~E6yE?pFVcrL*qEz|xd^pt0yo!_T#rG}QX5~)
zhRP#RokW_%(y@qvn-;k|gaYN_$E$>2*wo-czSls&m3YWRZj%QbqV>6myd1>`YE2B2
zgsGin?W(>y1}jOC`nilJ*N}3hIL2iB70Ltjjn%DAf&CwS^~bX#R_JK~GAW1tu+lu1
z2qSf&y(ZEy?kaROplrsFFx)QvCKgf(q?I&%Fjlpj!-N!hN}9NBOMLW#rwOJAZ+Tx|
zlN}8Px#JQ-k5hqGqyOXIQN|yPX_fs6@C?>G5aUGb^dx#CmKz|r9bigt06t+=Ks|lz
z-ReKrfBzVC{r|hf&N<8dGFDL-3^dh?)i%yy)uGW`?;kv*m~p&ehxa5p*sM%-p{;#6
zt6tWCSGSq`J`5Le^n@1%E!*3veYJ{(b{R*y!UtpR(|&3SwZabLN~fA<mm-^Hq@NLY
z6SksORi@)Pg^K&nvZy#Xg&X>M^nh_JhN5`Q?52fc;|zvzl1ZzOl(FyN)fy8j=@<_r
zZMqrZ*~!DvI%`9Fp2`m+XQ-ar3x`>9K0D6E9?JIdXxM_9lFDxnWdSM!RUJu9*@xNk
zzN{6lc8bjb@4`rifFb8IK&rufqw*Nb?L4dgSpTA>8bU&xH=ht14V1mMCXdA-jSEsi
zxOBG2y4XZr*za$IFzvl1lyiz~y<YvG;%nIk8!eg^5XD`asqhIWt%P@ls!q%I;P-8a
zF_6ErFNVAH^30R@okGQhKNK`qfzdrUnfnP_+0E>=fcd4jmCdnw3Fs`0nv!X}WWV{6
zWc|6*b+PMOjVg^vpsivEc_i#^rsVi}s&4F%;?kwaHyL+gBqcew8EJ2HckOn;4t8{&
zxnzkDT|V0Abi9jM(o8tiaG7e^&)bwmMW2CzbX(ldu#<xEUJk`LTOV+G`|W0;*)%GE
zFwf9#E+er|0y1siaO99mxK61oc`2Qq%;yj?=C%3EU^hH*X1P>Fvmj)7&cSSH(!U)H
z>82V8_kq^`(E9)G=D%?Lng7BDt^faB?j!%VI{$;d|9L<Bt^dicm8~B-5-1PA-QNGZ
zef`f0J^#NKw3{e+WmsYA?c2RV9Abn-kXB{65}iXY9aJn=KB&&=^pZ~mFdLcdu^kEJ
zMq7*+2@W96@DBTr#PR2MX0Y#kyqNMMj`$?CcC@!m%;So~AMN?nzJU6z;&<xs)kF`X
zvY(B{+nFlaxkN^JT=MQ}0q%@P)BR7}pK2;c`kX{8nHm%7?et0yI7**M5Xd|(vviyT
zh$?#`gp?o`$zCRt;>Jnortq5@CnT%BKII%6L)_0LNpmt^V64_~eEG_Q+_`9FQ|n6w
ze6HehR}?4*HjD%{?NC^yyFdkoI80}rr$PSmNJ$$)L(rrZ<#&p0e8l38jzj2uhG7qG
zMU{=rzb;y>RZj8GlAZpUCSal4AW8MZQI`)(OC~Z>nWFZ9vRqeDcN<3giV@k-aYr(D
zR8!8koAy0I4+Zh0N?KN#2t8RUli{FX8CT5nrB5TT+rPc9k#-fTUn=T(<xXa31Kcwz
z^f|5K0iu=ohSc_{7X`UwA`v1)w;hzbt-q<rj-kQH;cSen9An#wPSIGw^&nAQaCnMh
z6}U=)Hzu!BCIEkEicKc*c+NW-mk_d-vk^CJ|M9pRS*XIVQnEdNgvBJu#Y6Sw=>oQo
z%!em8izUB8`CD?yM(M-s#45H}(QVINg-qCf$&9t0H@R_jgN8qiPnFb**!aXv>70m$
z!Gz*N{Xf+I-(CObAOFV+_5c4c_mTfw`G2VX-w*$L|078_@S!7t@&G{fAFBU%c>nXy
z{tp*a|NmX?BmcM3f9U+r`{A$tvvG;GKXfEe9)P>;|GEAA4|eGMpL?Nqpl_aT+uw*|
zNf6)JF0pUlfhSEuPE#ozOXa1Yst!Px^R+(8vsI%*q3uGDrOfAuF<tQpTAg2|9|5z?
zQIU`{Avl83lc4U>9$(|j-s0KsE<@!T<h~Xjf^rBK-3aHJ1hiFpkU)*;7Yiq4%|#O&
zpE{Ad+z!pE&<QYwGPB7rzhy`0TT!^RLu{7Erg2zA$kkU2O?fIFmkLo7%fi0p?;|Ph
zR2+A)_L@Padp;R}cmNw}=~C`Jz16AT3KrUH8ez_FWH;d%U}DF_4u~S{U|0LC&7&QR
z+G34Wszhv{&h1k(VU=`TudA)iA<=Waly9<Q4)#24fH*kGUYSl1D199%fFor|U$YI)
z#-Q`HEQaS1Ks&V>5xb~#{<aX-*Cv4y%>H|@wXp?Jv5whjw<%VHE{;rtxvJlE!R#&P
z1ba)i4>fT>uQqc6Wm$!C_J?0JXHu`to12w1ge&DCj3+AZq)@2AfC==3b<F*mu7RSd
zV$ak>K7G^BZ`=l<@1<#K_x_K)^L%QmefoGPLZpNuy?3PdjsnsW>4G$+MruGnFh~m+
ziijXck)|NMg${vR=|~4dlO`xgZz8=2@*8j8J~PjZ_W-`g=N~xN%$_~p-M#kg`j9=a
zuZ|0PMQ_qQDjnfv!T&0o&U4H@n#Dyxd)vM{xh~5*u@i{=QHxrAy5#SPDzNx*m1yp8
zVt6y-#g82oNG_SSHy{<v)cBA>g$BUDP6>9w5Inr1)Gai-Jk-jA%OjiX6XrdTm$Q^v
z$J;U3)9nUB@t(XFWst?3?fu_>*#C{~|2Y@TNLD13t>w3?k2(2%MqiQ%;17cmCd)j6
zjt0fy>D7|e6xLW}1+@u*(rR%RmP_=g6)Th8&S#-=l)=)>)nSW0Vz{wGTHLB%;v%_{
z@<^3qqKtuLmsDjKhmDB>ry#3^*&Z*cuV$$5K}XPbmQGe{$rKfdij77Rp7E((ry$?m
zk@vK^mu%=r7!sh@k6@gyS%U7iTT88i9-__N)hd{ZbEEFJ7pL5|U38zN2uU!efjC<b
zvS`?kc`*2UBp=*wv||HL8?gsp*F&?&3&_}jPv^YYO&uRRSAREH;|3sJ5|Vaa*afAJ
z)d6+JAp1+)Ywj-@xb`C%9LwFGkty)Vf{8vG@$1j8F|3-qf5I<@Z$)8tf&q?8ukfSD
zboJs4*^nW<D|4^IGLVvMw@Wn)cb+2JVKkxN61=jgLzu-Hh3LivnIc1Ol?A&9kq|I2
z(=q!90UFwK8&k=LOzo2&Rvt#?(kPSd7YlRQF5Pt9xk}RO)TjH%It{5Lq!##Tov4xk
z)A|Hyy9^XAckvEx*=8|HNe~IRyGNG!QpIPMG7d&%Lur^zP$01r%~LI}BlIm;HcFNl
zp#o>Y_)gs;0p8NaLm5J5IQcs{^aVD6T9=Tvl~tgrthy%#NC#X9W8Bf^=xZyU6M4mt
zh<k<mitX*CGzZCE9l%JqWll3T|HtP4XP5u|n*S(?o&Wh4a~}4`*8l%ve&_#HCm-M!
zeG)7ez}fo$f9U_m*8k3hxP6V$nbA=iAfAq7SfvIG5l-9t&>h!9FCL%_ZE;WG-wvLf
zr+U;=_>I$eHyhH1jx+5P@kz_#c||!`2!$>s0pDI02(sL^@E)T7a_xk%!K=|O2f!sz
zIQ~uX#!J(Gc8q*FH!>J7bf?D_K)SC(r>%$c`a>mk>efmPZMQKNO!HHT*V+}QBZ6Wu
zh|-n~beQPv@&4RVQaXPOYy7HUpbJ?U+ocH-7uc+RHXu~LP!(TVNg0RP#1nSCiiDu9
zE-iw;une@tYeCS0@Of4{Mw>tftNxJ}L3kPhci<Tmcr5t5zjrBgal%U#VfLVZD8$>Y
z{HOE_C%;+)+^}I&VgPz3MLaN{d1ft-HM?y4?Jlj6-v}<K&+O!hwuTbU3Kyvw6(bQ<
zYt*BJqW3>Z5Ltm~!wi|>MJThOg7`k-5>wJU<Q$YJp?<-ic09Grf@0>MOG}39AeU77
zzvBav0{BiDLv<?#(yunLTKXuS*5FW6F~xF1p!Y|qnF4Y>3x<mkT@C6aU8wTrW-%Td
zDQ${Fop3_qDnHvQD~X93_+DXvvQJe18avaIHX+2b_mQF&hYYbc(uVqhH5tiLZ*!8I
z?%mOCcNn~-4r<jI;MyfL|FUo1f5bPVpTpI|$@HNLVzsp#{5@rwD5D6oBBUZ-Alvy>
z3r~D^0<cQmbGH63`|msUNB)oP|2-GnFT35IRa3>&?JV<kB+FA>uATU7Wf$mHQ++vS
zvI5CX3JzC(2F#D{9}g(<(&U<8{6g&VU?2AOyW`H?_57oQ=(@&-b%e_+TwP7UjOAgk
z+rcWV_`x5JVCd655yQ3i&<p~68gnN11Kz7M)K^v>=W`H%eWipB%JvO><y;&9qVWU^
zS~uY*t20ZKf=ILlQc?30iFBqK9vsa+<;WiHwW1~<LHVfVA-c*S&#!;GLv3m>B$bF^
zQ76+=R~5<6QH)WdNY*UK=5($SbbBd+5Rs#M4G!QE*;cOseApix=ogjiT28SNzGcx;
zHc)`5Z4$Rv{*1%hMq+MU?eSc?kz6NID5&_=t{}DFb(kDp!003s%o^M)AnPV%9`RTb
z#3N~I-1{unVs_^3ZMn)#_Qj|#6PeEA+^*J3jl+4tdw?3wjEyi4L)yw$$YXIL9O#C3
z<!)No=Q@Mqv9j9AS_M>?4GBrfjSow?&Wf?JUOLJd)87;<;&I0EA9cAbbMKLc#O@ZX
z`i+)!B_FuJ5S{Zhk)QAvG{+QR^o#LQlQGk3gnUKFY0^Z<RpLN}O=4$1+mWvo2r^;r
zGCmsigRRRd#big0eUa^<ks_TpbBb_*%;UhQ12t+>!zw3Ae$ttq^~uc#9_=%YGjMPT
zZ;@S<G_P9OPm%mtz&Aq+Z2phU|Ie=f>(~BAG3@@&znJr|{~zW5*!f@Q!|(jxwR!uj
zzW!MLX3qBipZ^g5WA}fY3uBP7+43Xfc4d-&cAM(J>7y56Vl^5n(<TY~DG-tmQL#o5
zujaLq9p#-zgZzk6ZzbV<8R@=-Oun=@2J!pqTlE<RuVT4U0&yJuo+LbRYU|~!PRv5h
zp%>hkHD?wPIW#E(cxN3U@71Y{l-Bo(&*YQ^3W&V~xpwuPj9Wda{e+>YW=GEInX0`b
z>ncxOy9R&`dZ<p(la1ukMO_goz5`r6tOK^=T6(L#^9c~u5c8jyd4umYKdh&@q$OY!
zTj|8}W)xVYWPg`7Gvf%vMQMWY7js>`gYgLC%ZtXfEi#kTW7CcV;i^t3LhpL0_q;2(
z{CuWT0A`Zz;wBN>BP<|1-%J19v2`^GpCvZg62rLJ4gUNr8a3Ir5HtuhTwiq!=F@MJ
z$Re&G=p|}Zz*rF@v%0LAm6S&HNQkD2*dH&n@hPde^YaL@E9|+1=J0K0!TPJ<naRic
z4IeqQ4mWmmv(e_Y!ZNfQ(ecC|F7do0cWapO)SI$G!!QmZTsS!84n{cIsBg@L{C&r(
zmVlA_2E-E{8+gsPZK59^zIlF`?I6GQ@oF`(eVOyg;wvwmhQVv%8L5rvEdyJ<(ga^E
z`3%L5I{V_J<l1%^Hx$0>-K3LWZsqe>qo=M}0DgcLrnP@iAC6zR#wN-1L79K(5#I*)
zoxos%W3J#T2kib2Z2W(Q@!zlg4`SH;AAd3DVgEmh|FQaiKKzdV>+Y*_UGzz?TmWa=
z|NH0hza%#QKNl{;To#Xz;UlxjnpsP`3-Zztnf7LVIH)C%VoP2$9;Ys&$MK6TF_N!e
zkolr<26D}G^bJ}>l|_5h&e4=bL?O!(5A??y8s3{`%EDQieI3MWCQKYYWfie($P$$2
zt$y>tBQHzi?<TzFse3?-Ug&H2-boEMQ=086O-yRYGG(G5J9&7+s)^D#c+Tj{k`6o(
zcYq}n%GHQJx?lL5=7z?oxeaCbm}Wo6ddM}Dn0(9&^i6slVz;Yd`B7H*-r;^x5AmVK
zeYpgdzF#WR36_TlI$UitcZZ$Yd70NC)WM?rF=eO9btPb_2u)^5pQ5A<T=bFnJqxO-
zT}6)U?pf3vs_m+3+c8OuZ6t(*rBOj@LVVeP>=yBi>s_^*ttclyS>NlLq3m%}Kp*56
zYJ>*=NM>n9IpmE*2r5)>39xYI^dI_C?SzPqveM$7on<IN_>Mm?A<@ACWqG}a{)_m!
z7&j4%>Y)x>12>!NrpYD3da<RN%(M;#rP!o}pT3~BIu=dV*PFO4Li$G{>;#EJGGJYz
zu1cG5;^=(c#EITD)sWE51~>kJz3dA4du{wmR<L|mjVMF^Il{Gdxm^uI@=Y+$r^o4S
zYUT@a6@@47ddZ4C*?h!YaG@3^edsz~M=2(;a704=y?t@v$zFkA&g!ErEjcBM0TnY1
zQhnXC?f?A`^FOfnf9Jxif_()UocVr_xuwO=>Fwd=Lw&mNAME}>il+`sZ83$dcMR9A
zD6u`-zk9R#Yd&3QhH2|zCfVi3c6~ARak6*G!|<P5KA4P%V^V3kB0spz-%c9WynQu&
zn3cCQ$12dT-u0eVh+?9Br{OST2^rOQO11#~lJRDY!<b@!hR*Ak4LjwdT}DB<%ni~3
zP8)3f@a(v`fbpRg2h#}i`<&mqr}M3-Q;ZvjvdQyb4ge!pfj<qdAMj?B2ic)i$hV7k
z)(NC0sr2c;F4KsUKA(KvsqYGrr%nGhsDI~k|IysZo=T@I5XyX|XtEcMNaK}>&HDsN
z)iTLYOoJrnF~(4R?r*3xU@A;p3HQ_Gn_cy>jAbO>V^>Y^u5@g8O4Bd;J?Z)rkX8oO
zsQtX}BAo&Ct#sOrpn=+!kF`C98e5CLfp=5w*6$)alU8_?D%O<3I|`USPLYq;rTf=<
zN`K0)m&oOOYX9=4=m!LWefa%d|I6IePju!j{j$1=DyqOqEgf7K?V2#-fooPh;U1px
zd?#iuC0yX#3HMGwlDE$m5h{r;`T&&1#`IYaQVy+HPprT4h&*YM`R&o3Sb6o@>lwSB
zW7R?Z&J~5`lLbvE+#^ArVin4P<r_Cl<m0`>byo)G=1jW`UA7b))ot*t;!@<tTSXLG
zN2=aSrIy`Tssv%@|6%k0Go1hY>;6Xyd;j+ra~}5pll)&C8~>jVzw`f{=odv7eG)7e
z09OC8`hRxyUx{D!U+n&$znJr|{~y)=vHkz&!*BhMI*CcW=#yZ%0I>Rx)&H~m{!9Ow
z|0s^t|G$^>u>T+FKX(7$`S4r+D-8*!FZv`{E&#0lWA*>+_P>e$+W(5}|NDzM5BvX7
z{U1C3?|k^J|CUDcOBa0-EEm8T-~avljQ_{~|L^~Qu>OB8C|j4+sutGusUXt&3<{2N
z*75ypL|pkcOW8<Sd>A0wTB*Ys^`VC;av%d4Zhq~)B+iw2nIftK1>ozKO;n;Gx_5HD
z1AE+>pI9ji?&osO!0Qj&5^DD~DnnDdLtc$6@Dvh_d-jJEfF3pliV0%Wc2d+QASwR<
z7c)JNeX@AzaO5hv*=8!i={Tca9a?g77QNQaBQW$o)#~p<xVlV0lB#S!=~rM|9WJ5I
zpj0M^?CZV0aNnXu7XCm%)VS7O(<js>9q4UE;GG*qNe_Q;nK?pJQ!Q~Jc-C90LWj}l
z<fhd8ELJ8$e}OC73$!zB_<n-%0lE`Wk6|xvyqPePwU;ncyMv+?E29`DSWCCT4gAqa
zP@#oxuOu<dnPAGSER!px7-L{~jN?@JNH1nC!T!2j_t%g0h&<NQ!9D;1t@_~{#%#W&
zXIOSw5p>&-RT}5sC51FuJ9L;eF>~ZI1Fk3``ho6XMIFKDgHamhyer{ci<@;X#%H>z
zIVk$Za^3u(89NW^Sj=j>Y+#~o<K?T#Kklo-pXO-f_*cxQCgy)IC;gVi+uTV+mk*}`
z3vS%fkd)(UT=S<AdK!|LqV^*=SOu?O(|syVwU><5PqMpDFf?~CU%^PHMzV&=!MhEq
zpRFsuvNi8*@ZK$6G}%endjen--wC#U0e@X4`|@o2|D^wY$NtFwvHkz&!h&$bz56=&
z%Nn0_Tcb5}lX;vQRQz_dPoI#|9=|6PYN|_GQTwSqqM?}SiV|j3b+hyw!qj?Hth~F%
zMsnkgPf6i!VC@6TcE{I0mcyDbc=^tQs`VOpMN()goecW#T2FC$F-}=0h$P#_>tK$j
z++}^*9RJ*q;P-zj9;n4}6LK<h`%(I?dx+!81~K3>>^S^xHk7r?6E~Sj{8m`R0JI@<
z`*g#l#Z)yYRac-`2N#YP>#-gQZ~r(tvVjCgg@2IQh?ES>x+z3^tm*1cBqQ`{26Tz#
z{un8SwD5oIo%LJOZ5zhPA)qk2L+Mb!0n$i^Od13g7&1~yL{hp_6r@8sq@)Bv8i(|d
z?$Hgx7&UpH_z!#!@cCh%f8f54<Nn5Zombpb`iiVo-hAG?o*(U@`{R1$bDA9tBM10>
zpKhY{A3CW-RUN4gSX;R0)UKS|Fn1sRxUqm8m>i!tx)AK0?aveX49j4Gi3PjaK8Y~f
zvE;<hCb%{ma!ssigLj><*_1IMbgo_D`k=Ph_tVT)*wWgKO*`S$sG3Cv*m`Nn@FGQa
zQYTfM_YzO;Eg`eTJ~^GZpm}GH+_Ji#VV_@ba|ySIS2aI;Kt0xDn=Zg}tamMr8-GEk
zZ~40yqSi=Xsk@tkZkc!Wl(Cie6h2CqZ`;~4R%p+L=V9_?M=%B{M8zOpZ8{Rc5<KR1
zpa)+CyTQ%xqlC>al;n}1IOvNE?4Z=DC|i?me#tI@8kW;$F#XFM;-$6Wg|BD+C}k({
zZ&NJv#ivrXmwW%WDCnPO?6=;3%>3UgVJK2x2nw&REkp<T$!6*HEqmlRj4a4@jn8`k
zcbA6b1%vCD59<kYw(4jD0w^Y;&QZtQkzN^4NhPG=p3GRz*rp|a6yrq*nw9D)zK3Z*
zV;QyD;=5X+lLES%vDb_xXqyByGKb8D_&??P9ED#b&yJQhTO4_Bvf`<=mK30k-?hK6
z^wZnEKIYe+(8-eG*oWHkZAL<9L3Lr1Uk6vB4Sqm%V;<&>w3@n^kcQuuPeX9WI&_*Z
zGD$g7Tu+m@A-hE`V%5m;%JP{5Uf?HcO9%d3yc-1P*Dpf*W6Vg%)qC-L#ats0lL;=5
z-1qeCErR*;@~U@Jca3dDf><D-_}^<ihIJJcX^3XK<w^RYrM%k0Gt{6$TR=)?-+dj?
zR5~%Ofq5&)i;NauoI@AHlQ;crIz4f36UU@9r!pvJ1HXojD5gVh`h&EX6`dXZC7`9C
z>t63mG+Tqq?3LI}$`C<5V6zugqzhcqz*OfEh*?=O9hD#@6~0PUNLdkn#dr`l82iUj
zj`g_=o!@x);FE{$E;~%5<)0l&dy(P;S!9_#%`GDF?~?_OUUWcroecuZ2xmQ?GRExD
z78hzATfel!r}naUgZ9Z+s~MJVqx!I85O)>yb7>d^26dQ77CgToW`u*9w0Ny=@UJCo
z!h37(HFA{y)J}o<L;aH|=`sEv#{av#`44~3e-*;a|NReh73cpu{+}SG|L1D>*Z&g|
z?ymgPJHhY=xZL>v_x-=SnEJmffu;m++MCj;MZ`r}Zu;;Drh^+@Jn@9#nRufkUzuD4
z^p+g?lITbG8=;i#owN-x{&As?eEG)A2?C1<6F5BKIj~73?7^ynY`O@&X)y<-TnLi|
zXJ=J5u=!-q<Mqy%$CCR7AZx;D@Ir%xbl%;?yr{#`Lq`&eRF>lYGO=yYg+)(~3DIKI
zuC~l*Xyg&EaUx;|acw0koa0G0&I3LhFEOz<zF(C;%;+ZUCjI)%S(xO82EwX`wM+?x
ze-4-Dla7w0H+~qavfTAb8_7$IdDK;v3pwnSPQfB};-KUWY4vUJ`~I#!+;)8!5`K?|
zuApwKZo^5Q@YFR2yy3#Mv-7ghhDuJ!I}rPz4~h;s1&I$OhK;kGgIJfQfp(Nen`<c$
zcb2YWa)P?~Cv!VsBOY$rnqQC<3Hat`3O`;n|2qSu*0Zel+-IdIhFkMN)<(G6TSa%~
zAiZ5`%X{2$Y7?4OvB=S{Th6xfVS#w`<L@<akh?yEfM1?H)mqZAuBy{R`rVBig<5LI
zduy(w6XcpvhtKxUS40ZxZ9H@sdb7-_B3Ah+tk{0wdMqRRe$*jFrOX96^<xZWLdkNB
zZ-XDZU)&~>Im0G?ZeS|<-a6Z)y^>%<izJAbwIRhpsXNt2x&0O2dxmeNvB}WnJH>v*
zx3h&oTG#m&^nI$HO_N`4{_p?r|1kdll>j|Q2m##cSLw)%y<+bTaLP+WRhZ-o_VbzA
z5lF+x@K#HR8O%OyFKzOO1ihwb4L@eKEL6c)M9s?ih($)1SSxxmU!=?X9ENTM_KySh
ze3#E>I*lA>gOOpC-T1|D>c`yPM$tr)1anqa_iv*qlHBJjbjxg_b1h{W&z_0WacIW^
ztLR}iyOOK*!LJL1<T6aTxWbsHrjMnaG7U1IN$M7l)eilvDV(-4)D98EXAN1d$#^SU
zX8TgrA@xpRnX_erOi*lESg{O$D^9jsbge<pCdHSc{lXAHHM`27ezpCFl~GkMZtVw@
zSx6!l)`aMuw4A}keqiT*%1F;y%p@H<gX(kfSol&Zdml)zi0u=~m_2XEtZg0O62k&)
z821PQE9`y7c09fl()GYEPE)tK8hh)a9``2g$XC7b8VRQKH@{HK_IeC?79~COKX(!t
z5!yyB=tzMKof(SVCVfevp-m$V8s#kBrpX)me3PMkZ+AVzvsd_?7s>!497GjI;ga~@
znl|jDhAyTF8$K%vKV1qax(=@_)*79qR~PR)JIy)<Rf`pwO*oLqYIUPQ8Z-|{eE3Rz
zYJ2vLU#M|*E`g5=#Y${<2v<($m>8+nnWrBkLLm<QhFy83hFJ!ps_D7?n#)h3>}d0V
zw-`&@@Fk0%52ptoR(2sY3o!9NCjP&?`0wxj4?#@-&wrS!IRD>?|1tBwu84o*|5CcU
zoqu{K82$j4T>tma8ow3)WA6XD5}q%AA}~rf>rK~wh2X?Ty9(cPS=PuBxj9b=a~K=w
z*uPMS0^Yg5lM_U`;@z}pASJE(?t`yqNeo-NUSJ1L7RXEmb-dG_Al)`aO+w)o6a#4#
zn$(_7ivhkq<2b(qEByIH6=0=7VBJ659@6XCS)4G+F?`+x|1te)aDQVdU62VNy<SDl
zO5-!*fK#TesH6bPesOV)8V{wmoCu$k-^6{cqVUpYk&Iu>9obd6F$<7TPFrc$R5(t@
zA6S0^Lp&kq4*kJ~{Qx}h%#t(F>)Dhuq3b+BY|K*DS5^S|ESLX#>}I@vSpdoPonFqf
zDO9=I(1IK`T4m1TT3efeKhaWi>fxg|Jf@F=56GqQ#0!QHC5}D}d?Mpdqp;|ZSu{O{
zha2-|ZxaeSN?&*9WSfhPEs`}&F7C%Cz#UqJ*3HABL{uWbOW5BX<M9U_mN$4p7#h_I
z3neI@y<~*DQsXv$x<UWWNr%y@2o2)-M$A_>(?KCyd&2!qQ&Uz3HS4Aj6|nuC^`Pgu
z_Qo7A!w=NE$+X_mJ(Z2H>&RdQJAKTwM^#7?xb3j#6vj2~StjNSmPE<$5G_Jk&e*vn
zEbrEffotN0LyiPyek8fVK2Fd)dcUK1+#r$o=n&<qnRu3KJlYTi#2ZO3cZ7NNWOr)B
za4N$*nDb5EOONF!5XE5hKSuvw-uM6S{Er|e|Mwr}D$f76@_(5B|JCrX{(oxhCh@0t
zg5eKv$^F0otnpj^Kc@fpN(l9PoNLiI#Vi?ct=9B;A!&FGr&J(XErd0Jw9k;5+CUcQ
zNyGA<80)c{X{K%g+xj&KWrZjYjiFR2jEcIm82Xe*o$v(A1aT#dNdA<|L(qm`%05Zx
zSQ8Vl{Yx+LR93Ln<szzHXH}{v9Y*89jY$?#tI5waYX_tsr(ZnZs|mxVi=1?$1n?>v
z?dzSZu0lZR44*UoxI&>Z0-r1lXJQjG-u+V1mAcSPC26oTw$NYuB4FU{ZX`HmJ3k5x
z*_<UiU~h~d)BmWI-!A*uaqfFaoa@OWMXzA)H<JnB>7My?^d>_hW^4Vv+hVsxa;BSu
zsftN6AVpO%#I{VFA4I#bno5NDxTvVI;oW>@ZFy?4tr|G@XNa8}N?S(By^N~06o=m7
zf-AQ{f!evnCAvb;T?FV(T>{S2P`)UuFQj)17Bv{Bv<QF1g&H0UYOlBWhdVVi*G{FK
zp18f~B*^r6m^02fey5F(VJaj#>b#x^umnI2+RW`}36`v*z6NdM@W11K$_Czfy-Y=Y
z0*j85UpLWPtPc@*CGJuG!Hj)O!(H-J<vT&{&?|MELrW6<e4i|{3Bl~_9g(@pc)-Am
z<kS3uj}9rmFh76#fNh%(T;<M@(frQcDONE>^jjwZOcb}9sMSKeH1fxMW9}v~`3XOC
z-9Gx(otH4%MK6z;|B2E6m)QR${FnX{6~yTO|1MW?{=en_W9t8|hJW>c$I|lYpWX?E
zKfvYcfAN3T_$~d9ssFnYX7$<j$kc%J>Ql)I^?EYx_)4h+U+25*g2k+n9YkSrAYWUk
zbZ0sc52$CLdy)>ob(O<{-~wF^wi%j-l$#^>PO)G}qt;b(=<T1sWaoa447JEieqU#&
z+EjpjIT!&&qcnm9N@#<x-|upSL~rKoncueU#(IOJvJGRnXKeS`I;|*1$*{5{r_=<u
zbt2?w%9o#UK+AIbCZDEBw1Ie};hiYXlU6TeNuFQ1CyUWT*sElgX3NLEdB%o|H;-$6
z2uAVoruo`cEMyk@Ij(Ur_Li604j`Ww35G}Jytvb8S<ANM!7UY_?)HRT&q*UzoWj@I
zGD*k*oEW-`@NX@6pe>*t+s5@&N7XDv2IUK18~U8FAKHnUx@Se<=Abnz`buVVckdTU
z?qzgHyyJsCOTS79n4EJ&CKzs?c6OnR&6~KN70*5Z%C1oBvKvHNG!iFp=pBw~x22*k
ztTh58*PQN7ooVdfDy+<%Ye7BW@5hNrOOu?}>8B-k;5<FKkr2X=SP>v$6Zb9`phb9*
zyL_^}lQ>gsA3GK8JsUnn8j;K%N@cCk-jLu<-|KA~cmE`R-CY4ET>i)`taUV#5KiIn
zAYQ+iDsTh-)`_F@*G!`muxsdNDOupbD=YwoXqTZbcq5r2{Z!oqXzc7SjrP`9V}2-Y
zF8x6P7JBeN_Hyfg|BwDZO#R=L0A8*ttyzoIhvVsb{fe5-Blg=yKa9hzy<aDkMA9Pj
zY_<=DBr#0u`JT)f*pWV#|82g<NjkQn@1^+#d=1Vlzr;1M*iJF4q<;4ik)3Ust-M`w
ziu~t5tbA`YU@_@cU-4V+TFt%TUNO~M{FL29!pdAX1v<^&3)=}<1h#K$e7V<N4D_&^
z-B>@@)LyX$K$RFXTp&&q5db1k=VwoA%2noan|btXW&((qxTepZ@f(|F=zN=h@7P$4
zfIxjmaF-Ds0*7raQj{3KLuXx2yi?`YM#zUDIWXWwPZLkeuAA)5u#lIr>UGw)SPBOB
za+%VeUqmaX^b?GL#8$S0^7}J=061p@M92O>=_*ix-|dWba+z)ibp@xj>-sCHyJSr-
zdt1LN8z>l+pWGB=$XInTTT+YfYqhHQaI5N#$sMc{MkjF~GJmH#;;p9Pr-_O#*T5;+
z8uppTwG7wmxU?ZQe6FumGw16H<D)gd$b-F8f38?9<uJb1>mPOE4vv4TueZw@#^UD-
z-UzJ0d&gjnmg{_ttlwHV<BURovs&;##}Nt-%p!Tdv2j{GG7Q@KfeqmEj(6Ki*jsm~
z7Ans>&oQSmcoJB4pqBhrHBLfXvGRfcEDU?&u*<$qYV(c+2@P?WwH;TLNMqki+M?Oj
zyCs$K+aVQ-&0KgaT|`=!TmN(KpJxo?|NVEd9vwW%FJ%@~G%P<!%hFc4m>xPHjdR0S
zm=gFwMN|0&^5F}<gqG|atK(f(eE~=W!g1Q|{OdZpDLwokLgM)rUm5T41>9&;;a8KB
z;0Om)v)%~N@^I$hbmIj5_9(-8qIa2|sOaPW*gMatCbw-3gLFii6bl{cH6f5tf@r8x
zq*p;Ah=2r;-Xww)1*L;D73m-dh|)xm4o0d}0g>K2n_iA??znA_JMK7~O>m6!J-@zx
z-yE5F*PMCh%329icc^vnpS2mdTg0aIMO1n9dGh*={h&7~_2>1U%hY=&-p(f}=**fC
zZB=4G<t#;~Q0VNPh~D>_R<P%YNYBARaz9ln#22GS``yPM@OS5Gkd<K6B*5jKpLkj6
zaLe_vZeO6iNvK8#pH2^I{x%*b8xuJ{juV1~N4&Kyyz5j^{8sWMLAj=zr=&L8#nxKm
zvo}7$&Mwjoy0|>|V!!nI7R+u9yn<UnpaCm!>(6E7R2Tkm)`NfRWryZ975;@bJ2}Sy
z1?XtNt~zm-H-2i|n7yx#f14~c-p6qNyuto1`$xLr({(r~!rn=L%y`2Ddu1%#AfM4X
z+oWlF>FNQgk)1sO<s#l`r_b?Eu8>81ZSpcdt8JK(96hDwa<1c!lH<OWE{a*<Zg?{D
z=;*+WLAbz2P3ewPu*;DWZRr9#OEr&`E>`+zC>rswSJL_7L{pc2G-6xe^)6Hl9v}P0
z=YNoY{+{_khhS1YLGpC;mUY#ut(&*;RC2tOejvWFVy>CI>#vQF?}~Dhd@(2Of#4GB
zrB~pO{K&!y_<w-^cZ~PH{W|{@3iyA&FWAWck^Dbk|1Wkp^#2^%Bfp<?BmgJC-=_cn
z(me<U7XKgb_$T^*5EKgisecGW7&!k2E6nKJtnX?ZQD?||S0lq=mjC*a@SJet+>fqo
zd~tsaT8Vd>><cnOvM#CU)M5`VcvsqgyCo*7C8LQ0LRyYFQ`qb~c=MYimBL3W!q5!#
z)%noK?Dm!wf{YpBVndDiPE^XQ(0!v0#E8Sr2-~t}N3Gv!1`c166%~-aeBx&dLoF5y
zi>SET;#P?uWNOn;FHPeV>AGqZ+w(oDTc()xMw2TIt2LA^bB-)MHu~O@349lugBh>0
z1a-m4%xZA9mvJ1|W!A52*a|gKJ=P$dUo-tm=7>rrV)fth8JV&&6l$L#_a?Zb6Cf43
zK5OR^yCj_@Uq<+uEsZx+OS?2rJd$h1scSRG2q#tSmEc&(&F+|V@PUf2E%;RkS43QL
z=%vU!YJZ-Vj*86NR;i~pwvq2MuZk#k_i-wFiP-mqS~Ps}Pkl1|mB~pWUs5^K%p-xh
zogW;|0LeWQOX04j5`WQ?qC8XvwVm~TaF=1@^t$E<J<^+-SB5gMzy!kEyn;ix(GQ*f
zQa!2qf#Hwu4IQngrbLp8a#mX|q@BKVuMqtu9Km9vK8M>nJ(~RR)lQ?^7Q0+-$^(?P
z;r%UXsXN`pr10oRZ=MG`jH`0MJkyCA3LF+!k!aXgq3hp6d(EzH;IbD^Uzx^#e9k%{
zuL1ACmQ5wfQ&_PC{C4tg2j}LMY35_mzo_WXN0I;B_xVrM|NqdxC=?3p|HBT4_5VVg
zI<Wum-;ra{zlhk+M-cd5(m&w;VTVKg=LO1ko^&JtC&01jUrhYxBSiG*`WF)h&i}#^
zhx*r9<eon1NB~ZNzuEtTfQ0_~j$ac0)zJT+`v2?if3PqFheZ?{AHcu4{{QCui-G^O
z{DXymCjMvsL1IuK|JdO7nE#3Vb^Zqi=6~4W@7Mo-8vu!de>Q?pVNqZJ_}hYw{Qq<F
zKgi+y5Agr7!(smq(d}wF=|})h0HFQ@_5b+Re^Kzy^&bpe0Q&oajr<>}{tE;3A1fTz
z|8hP?)sv0{-~>2k{r|ZU=>O6G|Jwimr~ZY(!2Ay@Ao3qp8&ZDv0bvFVDz4Q8*1q+Z
z#296BXwI98;7n4T+ifSl#&=;6)N$d*h@klS(&55sr(xd!`b4d-jtxnl1~*AWH3w&1
z;5&G0R>K^M8i8dJ<us!t<ho-u>r1gau`=qGEw@gm`rktG#~Hd=4e&Cm*U5<wGWM`O
zR?%a#hwrD)(<%p<LAWpTOT5(<SHq=!85HIb^JD=PD`{&^hu;i;8kF{&o5HigA*H%{
zeOOfC<(YZSmz40wnx6{qYk~f_ERfR>s66*B(j>cMC7G+VSKUpbTBP8`rPHc-^zQgC
z$~p=@L2zQ$6kn5m!)NMt!Rd1i&3S7w$gFEV_u1@xK!el6*pyY%VylB0auAB?4VCe&
z@_Wm{f_#}f%E~0hZml*Ew{=(~SPL@mq}ycZizwPk<k@|Q@8;KItf){?C!)TSB}@Ai
zA-VV>q{_Q-nEJp{{Z*TVrA`S*a#mlL0&Qdm2kAU8<lWFyE-t-DbTB?jJ|x4vrVvr!
zQ09n1(Bk+-3X(*h#gqQ3AnyCHdHvh%_2HW9_r=a%jrqQp(UbG_3d3cbr&{=WOX@Pk
zW5F-0$L9i!!hQKfXa)Oin;9%QdK{j!_}lb(`q9G+Gmub0WN;KWol*M`EZ43&o4!mp
zC2Kactjgh8kb1(F=?ymAtL~Z1sY|{Le)`*}@HasJ5A^@Xxc&?O>i@)m{{OcH8~Hy<
z|1S*u{~tRX_W!D%YZp#B5`Yunc=Zp3{CdZc`hVc}KUUbDSpC7tUa=Nnyj%*e^pEkd
ztqxiw9TKwVB{wz~sFU?*m&{}uW%t&Ud0Yan;RU<tz|w7bH5T&EA{KlIP&^2FccQ=*
zG}DjuKrUALBFzUh?-+<($Xq2neKLaR)xwR`<b(HiKk7)zCxDvAQH|mdr>xqsQsgR5
zSC}sRk${cUd&jB#t~+iiS>)55d+H$q_UpCn%qd9Svd1e{k3=)11?(?VCg!c$8d-YP
z@iC1Ja$mSh4Yla0(69VJI$xapCM-|MX6EA$3RB*L6mX%8_p2*L!7UEbv{zo=ukg}+
zE{)S+tmwSCySt&=aM^~-!%xL>ymWv6+5y3kG;&rXzdCIj)op#3Q@#Xo*7A1hgpx~Z
z9Nvz~!F!cGz7=Qd=n3X9y_GWK)j}=&{cDfm6w&7bmf6)qEDI)DrK_LvV8B%KpIn5O
zeLZV^?Ud4MOBy<RCuy$Zn$i%QS_sMWjk0B^&B<}>F}v|z?E)1MbmGBNA*zu_o5D!J
zw~XTCJ?t-28#>3X^RaV{7VbYQYHg5?GLxzY=Vg*~?6g62I_yRY*Q@C%R~#VP=`;kl
z@`tyzx5&vTuim=h_EE)IeA#b1wn0hl`#dW-EVp5?{%O_Y&f4|}YKC!&Eo7>I2?jGM
z1V&b=$JO}_N!f0G_J-WEXf=)86{DZqgdrS?FCMS{A+TTHu_NgpIR67HG^VIXmxR+o
z)+7V$jAcVO?z(HromZhz@WSohQEU`=7#iCXVx_1|2Aa-Je7kD#Swy_peJI|s=<V1_
z1{8x=d~Wv~Ca8U8Vv);~JcH_iP-(&`LSDtX3Qv8Zdh!gbPv<E~Z39A09KAPX2)U_8
zmDk6NeY?B0rx?T^j$Jn^1$nQczQIMMY8^$(<~I^UzcO523kXAE3cx#AxO}B`mxij@
zc*1xYZ>zPgOey0H<@QE|!t{8SDBvyLx#+!go3OZdGjOjExUIX5z0$pRf>yDPGiavE
zS+jATD0XzmJ!pQDa-cm=T%l^#>+&Gs8wgB3;S}0!yE(S+`s{mW_Tid^0?9%8JsMZu
z+X8o9ng)R+9dfqor#qxyk#sOx(K(}hs&pq-`n#9Hn?z_Hn7P#n5RlnCSU#%?J>OLy
zv+!|m_GS@12(uAr&QOI68jq&~N8h)|wHq)bYmh(N+p#nO^$%0DRhr1+*^S*M;$<mi
z8xqN%q?^fT)%8@@ByN`Kqq1@3o+|Q2Uf4$*h@Dff_ivHjy-g87uvbnyPVD>8PPT1}
z_Ddx`Ye@QCWl@}7MJjnwLFerCFW~IYYH+0q!x@fws+<`qe2HlugmCjL)#)T_GG}d%
zN}p=<YioVBfESuiD2;Q#bThA{9Pd@$XKwDSM(UV`e$c=W1ZN$u{$YO}00h+k-<Mox
zWtI<jNlgC$r3q4hhf6PcWdFgy{2|p<q5d7-6=EwhWS{hH&Km1t0$~N;+&)F<#<pH>
zKRt{ygqJqqA)<6IvN$D?msZAu;vVAKqFHvlNJ~kAWTZ?xSkxzTmZXz-l+em<c!_F_
zc}XT$r_+qik|`OE472^F-grO|RiWM*U`<_Q<}yN)a_1Z#N9b^YJRh^OZqhR?c>~3Y
z<#{4<LmUE($x|zeg!)eM2;@-6eBnnzMVB}lZP!S2?)$pC^hs;%+ZahN!8B9M1jP+r
z;UG5WS%X9ZDm5b(txcCTwK_@`mZEjxi^^FBel9npbo!g7dl9gBgJ2kR#}(G{c*%Lp
zyu`k#vz8y0wrD<T5ngjGgESDq5CwnMYY`=*YO1`{hUtk}mW<gtqbKzY4nhri+$2L&
zx^$|zB3c?PQim(i1{C4$i)VEtUKW}c$p@GX)8{@a`gWS}xqvhGXrNs|nN04b0z)Dv
ze>f>}XOd*ynImVQUO(A->H*&^Iss^PAcyvs**QzDejzlU=R8}QK|V(ktBnAD_!Vx+
zC$BFOwD1&E>lDTWpUFwYF<#oNM2lXSHQIaG!@aHiolXfQbZxd?TaN&>Z_VY9K=dQp
zwXK3}O!2&(+6<F=z4@SHWCj7V&E2xFx!(QgAVTK!OvLis+!ba{n}fh|!2bjMzvEl~
zMSjhHg@O71?+Z5ae<c48IR67X9QuDkVd>!~9SOh*0Mvh={vV_NBlc_l0|x5<Zwof^
zf0X(U0`~u4hr{~M{4VgvNk;;30vz-F|LFcd@c$pI;BfzZab-Q1=4-qdWO;(bz_PD@
z*34l13x3mh#uwH4*ADoT^~&bIO))6eJRyvo9+65sMLg7JRs@N5tyH~LR9#!JuDj5n
zfnW*lZo!?2ySo$I9fG^NySsaEm*5`UU4pyMaan7h)6TxnbGANSs{K{H`d{^ZpY#U!
zvn+F@?4!KskV}wAwF{qx+n9E^V~Ha(H`4R5L&@)Q^x#Nh(LB;$<-~uOv%4W~gq`eg
zM%P$HntAlQ>_rKrA>sm-0RPyf@QIH7NYljJ4?@?!xQP-{Q-&vq{Aka}e2$IG&31TM
zx?}|IbPL*xH;O;#3?HHivsM|R;^&MH9^Ca9voz0pNt9Uv?;iP-Klj})I4mvf_~`BL
z>Ew2$#@TH<7iQfNX}WN|WSTeUBkz<x;K&Td%sHd-?R!r0jeoh%BOHhH?^ckDg|G~C
zyq3;}9;5C^*PEj+C&S@yC4j!G{@4hvP8?N=lJnP57d3@-PMRuNM%#{}{Kd963&SW^
zto6!obtW{l8P&AVLrnZ$lImJ~iKujD^-7x4Q8IoDou`)a>d(-g*9B{~ik0G>OHgdr
zR}Way(^vbGMAf^-@YUcVKi4HfcKdLerO(d+H!WVlqwP;q&kd%3IhdPs7{}I;5YPt<
zh~^}Y)=3;|n61GtCz|f&p-NZn5ndT-eC1h^#x)g76dPIyQlkTwA09(vBgS>z*D9UR
zZs$>RC0Ta?%z#FH^_uEfyz+g<29tclT@G#mU#W-RG#&TRTl-+fJOD%;v+_YSJ_7`L
zVSe;5YK#JkZ=mfr!ZZ72paX_?o9F*mD_`s15;FY&KmJ!L7lS`m7u5|Kyn|k~_HX_t
z#u@?O2<C_Q4e-yqQE>I_^=NCyG+z4eJtlUwl*hqwxO-mEJgLaC(Op8=5EC*_o?3A0
z$PgJkj<_$7QzAndM^|iFW!>7bMvW|1-2_|gp-g4DMN2)sDsrk!V&qyNWMr+l!1Fud
zhADZ-TqXxgbNUZtb)=1;V#3DwIXVw<6BQR8O-T(r7K-z$a%qrWh%2K*DHLg!UNPPX
zd(BPlV~2vSqf*GmLH1>mi&e=(Id0nF)~x}KxhD>AAI-;~c?})?=X_~SN*`;j*#xui
z(Rn{Bydx*9b~<FS9VsT&-!$>t%;CM)Ow{a~i&MalNGRhyJn&zES7DDJn#kT)cTLMf
zn^crW>co>2_3dcVcla$8l88`jYxRb$H^E<dtf3V{l<Ao`Dl``Q-Eb7;Q45zM9Jjj}
zmkgWEo=+$bQw_8gEr@$ba{;W7A6}HZf98n8ScN%+BU$@rbay#NX6A@a;vheMLX;pS
zpUl1RN{QX_Yx+lj;u0~dYmxs|hv%a4lB6_7Df39L7YUw>xvXrVEDQZ_@o@&(mqAzI
zU)KuX-{ZAlFs36)9oX*YSmM604JAsOGk1Q;Nc=!sQRh?Y%tZOtK~54;ywzm)sXeAq
z4%+gQmfw(bfjm(thnW2a<MPTA$Frjq9<|{Mw@DCxUA2a_RI$;iJdGVct!u<zq(??8
zegED?bQ^jc%tS@TwFvUxOEt+<aW}bg@1Ai&2xKO44G&G4Coh^cUwG^~99F^NTZqjl
z_ZcOn^_&p%gvLCT(KGR_lx?iVmgoDM;347SH~;{=@3%3!lwfyM0N6l)9cs<f+5-bA
zau(?^@iY9jnx9_h*e0Q}n7f-}-j)f?4gL}Rz^yBRvt2Q_3Fi!M=MT_|`N;~O&Pe*r
zJDgexe$SbU81}N2S#xd>%hhC~SaV|MOzFp=6ocJ}iXMbF=c5?L0)ucYG~Ry{<l=Jh
zw>K42qEiH@d(07&2o7SqFw?8=TumywcFeNS`csfPpuO{K!7chICl&Fpcku1Y4t{Ay
z<?>yRdM=rk?i8_YW+16*5%%xXGCW0g_quopmL!i9l#Q6XX#M$WrXms(&zlf?$R*j=
zze0z@a;Yi8`;T-or%?y$x*UdeAhGvRO6644qU+$<>T8dm_@f3aQo824wP%?_)+^sW
zc^^?fJ(D`3Uk=<P1g{)=mpc?mOz9P^P}!4;F~gN~g|nxbjXM&}DbCJ&y;;O5(}(>#
zfo~Y$&*xs}0U;r?h;du6@g#b1<^0|qX2w6-_D0p-5n@4l_|=m8f&HlJ2sn#B<oM^x
zi=Z7~gN5~@1XR0|p{5cRDxcU5UKLZ4S6CWN7;u@p3?#KVXY-g@1(+~t!i)@22>YSz
z(O4*N>r+oS%;bz=@3`iF!XrfN!H-Dfu5`Y5w~i78PniGKI!7^v5s~yPI;a-;V{NrN
zxfrO9=s8gLMr{(cv;##G&q&}W7HPv7k~Ofk?~7Lae7y6|TXfmK06%0fK>Sn+-V^<3
zM$onF09Fe?*lkbCz}5@l0>r$-(g!yZ3iTy+2FQE`18s0(aVYh`>(&ALn=k#lcoxus
z5B}T3QS)nES36+)v%oP(2(YUIUd;ep!VfA}&$!JK!2J^23hbpkRRU<u==rW6;4Yr+
zkRxDe6BrI`1zy$M0&Uf@5P6V%wX&;QP^d3x`>u6ICz?KJ($vB}tMr&gring&OOKY!
zy&%UWG>u}(yPsc<Cm?wl+>-kf|4PhPpwyp2hls!!&7&sD&UL0ArFh8o2%S&<di-pK
zD*fU%xa^41?tG=j?zWg2u9Z%^Qa<m9ppP@tobQ*=N`ISX(nd9Uqs0A~$pUXCy{%M<
z7x!IEvnWl#A7U>JVnEzzc|7G$qYkhFhLs(PnpfA__{u5LCc1}>z^UVX(x6~M4~ceZ
zci$_hI)IhSxB`N9{T7(5`&qs5+i$&g3d+9e*@sGEis{p6V7&9#Km?0ah4)7CEGX)A
zg`!buTg>~7fk${n^&6Y|Pn2<)-k$(#FbUG~lT`2;%>rb{VdS3%5dyUgQQtDIdT!Z^
zl85QyaALCV2r&JZxtedLNHAOiJVg{Tu%R>t7CzV;I=m|?->}8joIyPrX}jo1$fD?o
z6p9LvKHt0Qk{&6jgf%~{I;7`^O{Qr+7fY@?xQmSL@80dXtzYNJVMy_$EQm9e(1yPp
zC2Cl;#Zqn@C&{~T>j~d$S`JGIr~fW^SA!)`qfu`NUUU(AOr`hbzMS86oB2*2CqCI0
z5fmBw0$zBcsW+nXp?=%}>&Q?Id1#Q4?rpDRVJh7ms<-8e1hKer%dtDAb=p}UFu%)2
zer8p6X@6p~`&dBqpE7-U2i6R#2C{o?&;<54f|>e4=srfIN>_BxT1=wPP!zbdmo8nK
zhvoXqbqrA}N}PsXQO+^2+l*qOZXvn0Z0Z>;zAc+i=O|RipTHWWjC?rwEk5V{o}TAu
zCm9X1wh9@<<*5x8{|RlCEZpwpdlIMD>2!&(fbw+mTur~$MwG6B5jB=RozZg);fQ13
zzgDvGA_c#8i0qDT#M3N;m>yg0=+tokE;Dx38WNj7FlQ`U&<b%j4>r;4d{h+(?a2Br
z!%FNmN&*LKbXa#?Es4t0KYb%fw0Bfi-@l*Z(G-~5WUj&;eM*ms*&1mTcUu%8(0arC
z4_SKmBjjf*tSE-b@e<0oh+)U<f#Fg$ha&k~Q^x`NTzC>{VYN?vfm34N1B5f$;&X{_
z`HKQ|)8i}$U*>Lq`+A%T$TH!;t&3x7pq!G1DfbTk$$+m{XyHe+j*Ev12~`zxoA{(<
zZCdKR7MYj3oS19pfYluF3@`C19W))YVqpx2nN3_{^TW8~h^m{XAmbZaGZfr9bDM&D
z(!s-n<1;4fWJ_vxYxpxU8xG8437V|%3C}7l3-?zp!ZmAcKgG+Ge;m+_)I~E$^z%mK
z4a4I%|5C7INLrE(R7{8Lt7CiF9V8^~899x<YA?L~kteV8XbgIXKeHDY<}DNM{MlwJ
zkrAz^ZjKZ<xzd5e6`ssd1uVt>OA)30#!Jh-Th`=vz;B}9L{TxGFpTexO7#_Vm=)7Z
z?B?7l^-sz$)`7%1a*f#mAArds1QDv4)X;u^*E+JY9L!+}I}#Tdjb=U$LL`fA%`7=~
zL$My*!NxOyl_r?#OVM57l{)$@jBHAYBFFX4L@iJ7y-!~$G)%K|aRIa#Rdi61Z?Nzv
zT+SNz#5PxKE^5Z8Lk?kjfc6y-bL}x{vv|~odX+k{8(k(a?>RTN$+Z)hCEf4LnNv=d
z`5yD?$T!#iUez~P=uH_T@;3if?y=FG#qpG!AC`&feT+#3S=?t|8{w1CZBAE%lwQ77
zRuQA4Z+fAB{)k^Ub3C;{4;)KMRFnykxvENq?lS5Awi!Ra-rgdKPnCprrfm@VXk$P?
z&i7tTpIvl8<P|=cfDZV|$+Z1ROSh0r7)h<&GbNSX)KNSFtQpcu4f)I<QAC=<oLGC6
z9>ni17Yr`^=!-HXw-9M8g?c8)n2iu?cnhmA)kX?Cw{H;3*0RW->{U5*TkrB7hK%lW
zPx8OquYArKim`KZ(myO<Y}m=tupl34^EZIUn3EXpS@-51H_B3f|4gAn7+vQ)?UHi;
z5^zd^wJwqrqVVQ8qN}8~oUn{F$l(-=giD)|Ga{6<?V)8k>oqE>K2^QH9Kw@shJ(^H
z|CH>tb`W2~O-?v{mWIuH(Yf>VwcY29bn2sCSq&ms+XTBb6Cl*+>8B3-xOL2UsE>Lq
zR>J;kuhX(x?hT6`MAx6xoR#+Aln;Z8J{#mVhbDwHVf<Hn7y=~a17gqDub&50XHOMK
z`ogCO5o`vfJUBKd;oUG_<tmnUg_Z}WR*Z&uZ^<WgVuTt>Z{U7&cu=W{h;?uyrS^>v
zC)x%N3QT5fLjGmTvRiWNeopADb_jQXcz~f;zk*<VI7*8Sx*3FZVed-p^eDZ#Wh~rc
zJPY>P#m9yq#if?(YTSLr`~D~2DLc{Avn=7MqFR0`OqI*Xc$8Crd3=L08dP5vu|u*y
z$9j&gd<A*H2i0O5D5?9}%x9Jp(O*rGp>Os)U6uMO3FdqdHk#0xu=EuCByvC1aviK7
zx~_gXk!VK%biVHKS#5bId-+DFm~Rw=wwI_v>#awPYz|eN{^kdWmiA+`peg<(WJVvi
zo?tk?KWHRF&Evq{CK)wZ4KF6rtFFa-4R3HaG@n8BPGc*#2|7JRNLZ4sm3@jJ_;IGC
zqiX3@oIW_=$U=|fE3aCE=bu?iir?f}rZulr+pGR(pZ`52`!ZiU!4~$F3h{4Fi2z`q
zI?xs?Bxm-`G5YJr<L1tZ_Ma2~_=X8+;-*f#%imjsQ7}n{fz_$y*Y|VPxloaeNfg~o
zPc1SgLM3AbqmT7RLQ|%fT<VP@p>P#%t^*%NBK;ko>L>9tpc~Uv6z%(MypB(c_b=4T
z<@#AaZDxDju~xCW&n!JzV7Q;(-(FtXDq(znB8FhJ2*a01w-!jo*2L2-9DhqZK{HM8
z|3VJcF3=CbB^nbRzk6Kvw@lm}Tc(cT%X=dOR?fLCP30N0(U*r_$#=?gqpj%gV;JM@
zoC6uG?!)$df*hw$e;A7onQAmK5y}L7<6i{7ju{)obk5|~7$Dj(3Q?hWZ)0-7DoEL1
z)a9zjKb43S1%${&*_F?tBMWj$4sQG44@M4k4eR60ZzQ(xWf9^QWgLa^>S3X&DY*%b
zLvy18Ki2UIDnBnDOu#$sMMGajB+naS4197GHT}s)bY}jmsf~wvT(?(zJyZPkSra~#
zuvx;IRB%z-qq3_ur8D32VY*P>_3g?^F-+~G%JC~h8JUjm{+%(dmgK3Bj%-NWQ9cti
z%p{_DN#`CN>pxblm5#+dTOGZ;edXdK^b!%>rq!xBjfix-PEPUhC|-rU7nM!kfMLVK
zi@D?nEFp)`)x{zIf^KY0G9PhhGy&U}W*{SxRJH7$@5Ds#JO)m~&M}#|qYfn-y70IE
z*HJ<9dgCb={6Gzl9$Gqb399>7zVuR_^Jx(!b1Lg-_N)cv$qM$HEm&UdGJn%ssI|m7
z<5%q-NXxVSN-jFDd-f=K_}Yo%^U?Aq<p$``Pa`j7qQ|JWpux9G*hkP6cm<$|N(0^-
z*F%6>7GO{84zLUDxdp*)Eh+s^$yxFUytxlG9r}iWf$BVvKGyKH7|&DJ;!x~L^iY$y
z?QBJb0NL-csA=w6-LT_>cH~^C3^=`?FVgbCq4MYr%U*M+obZw~Q?lxmY!!UpvuU`&
zka7m0NGt=_99DINoLckG?m=va#){)8Vuosi!{ceJF<$*IAu<%{jY2M~qpyS=C>rR}
z^2hH#0}vp}$c`(E6imzxm8RQae^7b$IzZBwUgy!HG_=G}ysOrx(0>UIrp=m+V*Mg5
z#C~CBXAY8RWoArS@le#+wwcIl?qibngG<2xwK&^;ryKaQ3zI`xyP}m}!}=BEdE~)q
zc`x6JuDp(CvLJpw8Izi}PjFjWD6)lV!C@>F5r{-jf`e8mAAZwrr4{xZDpex>&sON}
z5XT(%@<gIX8*`TRQbw6Vg9;DSI%Fl(YS30{Q*S1gl{O_YGc{(_lxz{Z$SnP(=E0ya
zn}E-$q{^RAmNy9eBMY4Z8V2ep3;5Pnf2q2&-mPa9k+dK)CYt%ps*2pp-x>UT_zItg
z)>vY-YI`da#9uA?8h&CXip}s1wS79q(jqB$xMa4>>@gNEO#Qtd^IrQUyXmq_x<5~^
z6~JD0NxBJKWlzaa|1tjhA!;Qs6yYei+DJqbIssFHuwQ@b$Q5QH?UJc>hlY1qMr329
z@5Sf-)-<ma*x+$e9#}ncS(&Jg$muO#@w|TGG5s9&Mi>ulZG)FU&s)kOVBpdb7u+KU
zo(?<)Ha>qWqXR)LZFV$6_u>1^_y&PL8a=6?qn<CX09e;{09cyy6?ymNd0X)1Kq9~Y
z?{D@4?;wBBbgLSG;s8EUTlObujQ85!^|JhK5qTg!DF4PU<?tiyBCJLFi!sJTL+MH^
z@0ZNbo#a|I(YK<pyPO8cs*aB1Ua6r^(`~<Mu;@|E;RDA?E=GD41f4KN$Rnk$=x6`w
z*r3pFK0Z(Ey{K({PdR0$H9RGp=^jD4#Df_>jL|JSq5mgBwpncM;hj0Z?~D4w<`AQ!
zJBkagiwt;pGu>Ah-_>DVDTN|PN(RnkD_knYu*xWvZ>YQ0WQ$a~IqFPgu_21yD$-?S
zIq?hiN(1XRq!qs5Kef|b(_B+bFFUU<pZFiMJo$4U+a7%`x-h1b)g`^OR#Yk&$0qMk
zE3nvS4;8<a-p4ePKDdVvCz#CpR|GI;Zg*KL2L)n{LgYtEifzC=@sy}ARtuiis1Z{g
zW6HhEHqdr4T5Z4jIf0W6e#xwyJoBl5TEZ^czE8N*ov0-*R$NuJ!~fjUhnXFJG<QF<
zP{{Lk4|yJd!|J{p_X#OC${Q=w#z>XmE~T!tMiIDJ?W|A}QILGhCKG2Jp$iTaO}WNv
zLVFBJ6KbNzBB!nP$h_BPPk=DoEWT;=z^ft@fR*zyn1j!b%*4m}bMRK*T*N|+F_9#l
z<G13{wfJx~nGi&76?Zi#s2w#cLhNfzZJ~erkZ}@_0kXpmzQ<^=&J2Cep6km7sknaK
zqF#w7>h@}-@da(?Rc9{F%tsNP`r}Kke;LNW#5VgJF%^Y%Te~5j%lijprofWIa2(Tj
zpIlXz!jSUS_2<&?-kr{G8J1QuxSjMW&e2rG;Hq;d(f-f2sKjdU&*`s}ZvgQ0?E3=@
z(i7N3*edAJ0wzM|Ur)v}tqAm06)BvyW{@d#v0yu4mWVTQPdGvw))ZmT^Bqu9M%sSd
zxqAj`Cw~9!p2T^lB$cA>CQZaQJ7%^%!iEEW{#|`u4mE`2@6<uYhR8lqKi0@yDVDq5
z_4_&7XWm3oU9>_cid|2#`X0ktC$F#GS{-G6`0(WM@87*S6Vmc-rZD5Ks}Pigh2ie9
zA3ogWe>X6u-pXO#JP*qQEO&*a;8Yo=sop*Qc~Qfhwa3a3&U_a0&qSIx?s0g8E$LG{
z9dluR-G+NcqpRe9pB%HkLngDL7_m5YWG+9Ujk+{HFGPWxs??L(8>b+{{+J9Nn|tVF
z_k~^f0S6(`sVX~Kadb=(Y5){6<DO06Zy=Bc-zK~M{NeblngXY)o`9<RP@R0U1A{=u
zIzFgV)$^B)s(!<8ReQ3nYjmZ3Dp84y-hPIc$>dpphluK#H@kNANE(K<Ly~Lp3#Nw|
zrmx#d90w*!K!c0>Ye^arqFrX9@f3XB_dv5<E=6fa-JM-SE~Q5u8|#$7UGmR_g1VG<
z+GLEhtEDf87k$R|!ltK?j3eR8pyp3nBcLty8XVm;;H6<eM@@UkErQyw=G5W{^P>&P
z+PJ(m7B$FlKs1oKj5^FgBMrm0S1FtN5It>*hP27!r8AlNF)hMDNHjy;?ab(O;0;0r
zpsoS<Zb1B%P}KiD7hrh$uxIT03INvwTTi}>Z9Z?m=pi^^{zJh+zk*`__6P~Q16weJ
zU{K6Q+ZnhT)PHx)e|Yj(P5CDal9CU2J&xMj2mGE1p9Jrlx(~%;L{O@8P%1!{4#LPY
zb4Av2PNhlU-$4ho98E!kq}bLnv&8jY4_iB?-oGm%BsrAAlaA>rdE1fZDL3dJcl@`f
z;$<_+QRFKoJ5(=;cLLa6fB%jD^9zHvST+q$2>2%}9TSgM{d&r~mfUVrnp^6s&zs9r
zWMz8Yzebg2FX+?0?h9GInefk~9Q_o-WFIn(Zy*^$X*5edM${aUlmu~bd{RN?tQZSp
zkg-)0;`qRkde@}i8`j`Ck*1e2v4yM-IUO)L@@KLxG65BX{E1{qy{X(g@$~X}ZGIOP
zPgga*gJB<6n_;yLts%%YXQBz$+sZW3kCX_L2^{v(A=Zo`(C{LZrtVAT<e*p{IJ{$j
z8UGr;1eDd-MwsWEGGoc#g-gUgHREM+lvv7(65kHWK8nHimoTp}2E<Fj4=3+?>2}67
zSiXEUju~?E%v*^j5F4Tes9jRtg=mxp*T^^8RxyQhbuI);-*^a~KR6sB!8f-nr#Fn5
zb|=wG;n6GtdNG`8zTP%2`J)^xK^FGkJuCMXd##5<gWzZH^kE+t&V>#PY6O{va3%Gk
z`2Cq(@g5Qg8MJMjOIPT-+Sg~w_)U+gGT4N;(X7iA6V^z2Amrw~<jXX6yB&Du`sBk-
z@bhOf1bqesX&s6Pb8j4rapf~jq&79&nHI?V@F(DxfEaJU|A`QEEMhH6Nq_ZTfqmwK
ze)Wa6!aOoZdAy9?c^^?WmSIENt=p71jsHRsO9hu?9*DI1P8B1Sb%+BXR=#FmgK_pL
z-fMrFp2Rt7vQi*2HEQPW3*nngV^ORzS$^>j33Z{a>BcrOx$DxkxO&f1jU@5}`tNH%
zj75%m)R@@m-1j-@`}3B(6U919rZ}-zZgLsBh`?EG)T-9348BwH>wy4k<h4_X1o<~C
zJNT!PbWxI8wcsX|EKQOxcgV5|7X&S7MZuP?zFP%vL<bFGbb5#E9r<Z9g?57}kF7G}
zQ=j=0FFcV=ae-`j>!B01r);$`OYzay>u>Y}ORk%zJP@aZ_^0Q0hML8Y4qCD!0cR2R
z7oZ4xc?WldUwW<%4A0}$@A9WP%?cILOFg_S&jnQ_B{)CrIT*0m@_1*vZAtgp$d5kx
z5?zalvba<7|09{A8!uI9vx=F~je{zGPvN;AN`F4E^Yqk6PQ_SyGWk<8`L=vO7i%=D
zzz!xIr%{X?sefRZ5V-i}b9nR%hIqejut9tlV>8{ohz~hD+oI8m_)0b0MTTj8<mwl8
z5F;+Er%zik^X7Uk#gLs8|2y>ji}H$G)m}vVZ+Ya|xUfx>xcmVz*B$9Zu_O@?S4CDT
z(rI}@24>^pX8*<L#>lmLtq}{WESH<Q!KMQ1hG>`im&qxTO0WLsp1nulU*QnaHP~%D
zcpj;XyAVCq@LUV0FrLB{T2Mt!t}^3hS;P*^B+-7%akBStO7>XA=_qZ=0Nw23KkHEt
zkCh<c`1DPeNPcaGIQ_mG(1M7las2H``P6qQ=1VoS@Xsl&rEjYKjy@lY)5(K!<u4H@
ztGQVbf5B_eSxp@t^}>wSwQBLjDamWRSBqs?D&wB*Gpr@x3^TueXTP**wbra5iKTt=
z$WOvk3X*d;dnhetQ0}Teu<lFFx4{?u-hkl5r4%Y6G95Oinj+UHI$c~L!@1;DWJdRc
z$1M6m@4TpQ;WpHQUxNdy@12@epP9o}^WZA|GdEqfn?W!|sPox79!uFh6i9<o)1d!w
zLMuk3x9xV_(Rm$`;JB%e$t=+H_VFDf&tI=m&JY(O)KP&G#4SfN<4|Te0R&{soC@k@
zcvtFd9CUPWyh&7Btipe|2Ja$qIp&v4ya`HPF<G&1;R+P7fOIW?f{=squg!p#ZVFs>
zkh@iSJNu&HxjUU92mc&8b$b(86W<gifiYDJccU{XNg!<b5zC0hp;P^{44TWV=Muu0
z3<@RP4vS9R<)Z7P4)Q<%nya=+@AOFM$c3v#eGjUso+V<}_?$4v0<#>hy;=B@y6#HR
zJP3=gi}g#cg>cE5IY*B!hn^^AK?u2w1$v71W=|U<*^zdh_TB5aGkhEXb>mC<1SWh3
zFd)DHxMO<&7_I;yZh@<Tt+%aDoWY|O+K~1L{}B^LyMUJ12T&NqD+sK6wF4NP{QHCs
zdRqYY1t>E9G(&G={6|PcuLAJSeK8;(eE;XXxsPZ0SVHh$fPu~$_+QEF2!wa<yAJ*0
z``>AM$Dr>3q5Q{b{3A^%|Le3ffU^QXfVc;Izj{3ZoG*-U`yaVc|2>zG=8Vfm`X4#}
z#7)4#c?f6&fLEXg&K|h#;~OTK^<-qm!}R_Ewd#a7S2>uGw^^3^DWbB|WZ^nvc1P<1
z`imLeJN~*1D;E#TX$uxMZt2T+z7A{J#g-2JdL1v@-h=HduV#FgFXa%g7&CvrG(DB(
zD5GSUL_0d8@H+(uL|fwj+LyE{%hBi7RUz2Lrg|0+di=Y_Xv!BQ1TMfGGia$6mHswm
zzUjSXpjjCZ5bxM!+SP5C*LE>7%6TGy9z72?Dc9v;p|(i`n$|Iz>LZva90fsKFg0WT
z6}58}>Y4A^PwoDhbC{|{CvQty-5Qe>)4rwSm`u30C}T&3Pt$RodOO3Ir1g{=UFJ%9
zLi77fn}>du&vk_Gu>4aXft9ZhO{?^aK!z$_ft=}5S?nIet5AkXJw<eZ&kuQQ4UI4+
z;r`0oRcg-tpW2`7Og|Dd8^Nqr`5_t!CFPZ_a*5%$L=Php6c#>Xs{Rn>3m0niY6~P-
zFCvW`sp;!LSDN}drccq<cvl}Yg>Tu3F(*DM!na7G#QsAva&GW)>1pBfBd@jrw7H0A
zXj&vI63Xy()x2mosy=kM&^OHTk9ka99w=si3{i_T4bHV+OehA(rlbSVCZw8;$aU<j
znnyi7%DkcJzp+0kd^P65A8ar)sC9fPE$~q1+U-U(uQ^Q^k<G1cs=Cvw4Cd(@wn`IH
zPATlw2=YtnyfvOVK+gf*w`jepUQynF0mKw4g-mKyRl%(GKhCysZ^p$UY=?z8$VNMH
z?6vGH9-AV3nANX=?^zrx$+B>-9{B#LyZh_tIFu<Z)L+%MU3dmHSs}#eJsPHqA{w9Z
zsQ#uk2@P)yZ=u>TK#$b@(4&~QWF;9icfKHL;j(epSMwTx9Yi{_=l@ml9b?A)wxz68
ze&*WaC8vT%m_l7&&D3egZ1hN=fSNadRJWmO-*8sU;7@=T0n;*R!-`|`Ny)U8Mq&z!
z=epac*P$KqX3?RRp;7)5qJXsB>-$YnMM-*`DV4?g@5?YP?jjSU3d0)2v3P1cOnAGd
zKZm@b9a`AV3vA$<xa`6xmZ-$POHs84<Owe#G=I-uJ{IC?Z4<sXW|k$2A*yN1Y@t-+
z`y(*dzi}GiSIfnt4JIhjnj-zJzV{r`JLkwxCIwNiSz`ZKF)1_WtZd~Ra>3Rg5)z@t
zM}ZO%Y)9JApoor#9Gt^J`-5&U-BZoK4fpW=&z1I3197$eY72hX9|p@xn%dXpq!(5a
zZ6{N@&#4!_2~*!KPXss#wT6g}g9kIeUw%jIXxV_QH&-tgr7fq}A;^N$ET*w}N%~CJ
zALvigR(@|!i0ST72n{iLguOtUa_+6;%GFQdp2u0i@lzP>#(jfBFRwGTl|5`tXoI%L
zt772vPet`V6Zw=++AHiDgfC>NzhJ{YDj)!Q50qc{B###c0Gj{m*KeQ~40^lb0H=QE
zI^+FUN+AAYxAuV<uM3}JNj_YxjsFVb><7H;KV_1+GvEJzdiZbAeoH9o_xwLayTct}
z8L$)H^Rnejh|K?gg~`)-sQ$0702qbwR};oA*g5Q0C2f+|{v||nO7bPz2(-`O;6PAO
zkws9~5$cILX@v2UV#2%qz#=t!Nj1djGl~Pt2EFCEzJ0CjrGj3)*lgtwBz^LvHE$bU
zp0~7)l~P`sYSC7L$7`FIyk8rBN&WLh3DHZv>L6q}UCTBD7gYj^%D)JI!|4<xLA5Cn
zl@b}|s)Wu@0lg!IK2xq1Bq>doHIvxmQ@O$~ukP`Pv?%@r`lJ+R+sPUvBA_HAk>=^@
znO%g{{TrQ%>JplsA?|0^8$r(Jw!jk4VzC}nm)CodZyZj#jh~Bqbx>J!$VA1ZV_Dw}
z^7Ky0vs!rdi-I)D$-lkBsgl8oU6H`4D`8t%RocCAqR{?uH_Y)Ai~J0AVL5As-&poz
z-LGc#n#2r4_t#v>-BDm<Kj-w(G|QYNt7eCXG<%-ZJGE0AVV&6Dx-wlCjp3;p(PN(3
zd;b@bCrll58Tu7oD|q5p(K1^q3s#A<X+IH&qydu2lNVaat_(cWn||ZPP0`$l@E8kX
zIZ|3VQfLFWR7zWCe6K`_zW8pD>jhjAn%ewJudz?-oqb%$gMxs;C0%R9aUolbABhqp
zNq&-_UqWaMl!PQ6cX5)Kk^*X+Fvr{m5%C;3xkQVzs|4wWOPpt$7u4b|-eUXhD`ex+
zD$6ZzqZ#nX&m>@2YYAe#14C_cj$`Ec5+m0`JicTz7nYu>#6f3@7cqP)8H_oHgIN`B
z9W3szu2`9v)hqiMPvE$-(y2X*KrmaH?!^}?uQMRV@&f6>JgNwz`GHv92JGy?w<ZAP
zry0Q0(_b81djR-@^`Gny026S4E9wUy3-Z5ojOztB=}h?=Lfiq1kRL>?Q-E*=KqRcW
z+iGWFz?hByhv+|IaZevu{sQm@8XKTqe69XH@BUvP?an|l_!Z}K1<42K2>L(J5y#WJ
zt2;OliW6}9_p=c1J->BMeD6^9*hR!4{r>syq6+&8VtfSEeN+mzj8`K-)7`(u-j7d$
z<^nI^3rHaZ{^8&S9zQ%Bn*LzlRs~Jb(|!tHl;+xyK3|Wx&S12?rXSpeL{4^Z?`zJ7
zeh?F6bHQG@h~9f+;(30Bw-c?)olPVmWvR^a>x<)sSH2RC%#BJ7)d|Ci%DleE?sz{(
zFyw4eXX{J3e(BqAC~~E-C29l+^?w&S;*2QxWuIaOiJR}(p38C6t-lt3J>%VJ+!vPI
z(DXQ4qKFcCFUF^w9WQgFB5EO=T2H*@AKPNsB1`G1ixHS@TJFrO_><8y&0?fvlAVDi
z!DZ(qcKUp#ijEJfk~R62SLl9G-@$8Cn3hoS=XV(#_jy<;Gqs==*s6%jmb@L#H(_5+
zEX(KOwUUFKGAyPVHt3Di!0AePkE-^~f%H~8B{S?bu9sE{mBf)2gToDW{q;gE366I$
zZ*{KKf)e{vMp*Y%BMW2=oqX0>UH6w%u0*zYsNg91d)0wCGHMjJHd5-35now+lSp~P
zc{HxJE9Up(F^@TMEYp$&jzF?wQ@T+|YHF<9u6&1g)5blz795gVnT-%;GL5ncscVV2
z;;#0;IU4bqeCF<qocOY7pcWp?(sKc?d=)WrrnOc#Wqj$5YVFNAp*Oh4Zybk2w7iRH
zUkKrQusH@ednoeycJ`+R_s|tH)xOAjT!&E&H6(Pby6m5xlbGt(zoEZMXXfWwpbcc~
zmw|PQMeENG(tefTbQer@E;@ghJi!3$v~S(V`bnrapc;nZxhDqrbVtaq^XwZp1byZA
zL5C<g^3~Vd;|3GDfp?&8fA*A`#jy~U=l4|7r{A9p7|m;BkX~K1)U~lxDjWvK8e;o0
z&TSUD2_}Y%*f5RJoFqI;xBmPJy*Ji<7L>jDtahTMP9|Mq(Tt-UMMsKhFWySRno2}7
zL2<#!EIx+*a-=`NXx_A*xcYV23_(F^>#W~SRnV&;uAgOXNf2GorCsQ0amKk{kx#~U
zlJQ8~-x<EIf|Y0cQE;(91q6$8CqSM<6sYs?!<_lnBb_tnQOoPd?@!Tu$q4ahOjCbf
z<72}VzB7An$Yx!y%er5a2A!>G55iAG@rYw}L*}pq#HI(9iujG5LOVZO>KHy+#w@o{
z7F@-6?a&rd&^XY#5`pT?Y>{x8bBx6rWQJC3?C8^YtTO(hcS}_{$q9#ayIj*OXn_Qx
zf@3U(e|Pon%y~!a?xH|i;aT;^BaODE$;DP4vQc<R5!b;ijMd?A?@!e|i=GDMThE)s
z6MXLoYe8B@^F!NT&8DwdcW&+^H*!_WjU36&Lp2E<Q1GrQ1Ch(O__M>@Kx_wIenJtc
zSsyUGL7wLPW}iHpBl}D0n6pfdz-fuVc&H@wIK{$Wp|822qmMlU{`-g&b?K3BRXUOL
z=s5Vyp515)XCd4#7eqEQ8zg!C5kyDoJX+7M!zInA5uLr(Rr-{kkhTO7k2&qz{*1pa
z^S~0mWmhXb%ErHz@UH+rphpmJZ3E(wmjU<xbZ`&wf7Z9(9Rt*}$+n69pKdJ!E?hu3
zR2ty&-``Y$J;*ykh7avJA^z}7{3l9pK<>c}&eF#X=)K1tLVhV&<%@eF4{3PWYY#Me
z?Kg)a>W^C57E&CeB1Q8puJP$^gHERA1iKmH_ZZ&8$7^=T<>@&EAK^62=g%$z_w=_Z
z{14@uJqN3pOgtV5-9BDCUuW%RV+xH=azKsfPYi7xw5V*Cy!($iL+mL$`N$yznUY&k
z<Euq3!EUhfFE}V1(JP*>$o-czg`}XKi-fbQ$INMS)A+CG;ocR=*sJ!o&1{x`zpjwz
zHD}N(FTk+`)@%p#n2@<XoGHSHDPA5|5N17j(l#_WAKmOLz^S&vSePiz?+T&Gh$JNL
zzi0NWdh7hE74?yattnK%DOV7&dE@*<Z~y(KboOvu#>dW_sMJocmKlZqieD{-iSpHm
zi+Ob4c<2{5LFPk?pfnY9&mrN`L%U=8i4y8UBg%_`a4F&7T7n!a4;s~SshXFsiC|wx
zz=I)K=x6z4QX^(s^aJXgfL@5i_>Wc5VyAj**Yjo3Fm`a3$XOeSIhP`*n`R^2oA8cu
z2mQ&?oYm_^1vcc06!i}!6}E|vyn_>_vbPWVX1A}km0>-@Yb0fW!u;T*71t+bO%<K*
zDy*T1I|9{}VKlZnTeC7b5&z&v%)ibMy{ob-g2s?ZX;j{>_5)`U`=61G>UAglp`v?2
zo_`JVWycoi%}gt}Wh^D}l5?Xc9ueWXos+_y0&-wwO342kV4A=V^k3hWuWtK*);;J4
z_^Vgz4bTJQgF*UlfY}ec`qo|ontn%w1oK4CAD(da)J$H*CzW?~ES0-O+N1h^xIE0-
zh9zpmOl7a)Qs|091$PM}x<flADrOy2M%A_^LJ%8Bx{7cES&0$;=+*mZ)o~^&^;k1p
zD{tvgJTM|5=(N@T-AL`|t<Nx6#zYT>W+ss_sYw@XM@)E+Oer<N7hK2cnvfvRt!&hv
z@VTsx%A4ILjbP+7QDl;RUQbwFjC$!Upfu46V}xgBjZM+J3UU^&&E#Nn(}zD3CQcTu
zpi5{z^f>k`K<cP$Tp|m^ULdw;a>63zNs63@&|*zHTO$=mqvPoysv|es=x(_WcVUg(
zTQH3&oeN<*Z%#V#<&ir^!t&;aNgm0B9%a?;8c?O#IXb8yJQz+B!hq%;%QekyRg{u_
z$NZA$M|GX5sevi>kol90mSUf<n{P_u)DMqSy%Ofru8L&Gi#5*FL0eSv-5avQId%J9
z#(ej;m%rF39)HiyeqXrqTs1=@#&qpYP1G(ply@oAoIA38&e1s23A`C`FoTJ?IMiM6
z=klH|M+v?g+vc0(YWXKZ^#oK`vhy<W&3ZgaGjdz=Z=`D+4mr^8An7w%FXC%T?GPpi
z?<5O3*}9Iyy;gen@Rs5ONj^PLGeY%li;`9Vk-H&6I2#B!s$<>EUAiX1-d_6S*Uemf
zGq`W+7sFk0U1=H%(>yUk&LDMCw}${wo`8?KOaJ1d?0WFs(A$px*OKY~?0dB{2Kcth
z%Y+<D{DazyyaaGD);iz=C=);sN|IFutLk_zs0X<w6TCRyp{6TZSs2Br!!Yc+^aDJO
z2eJ5;P)0|Fp^MKwJ;_Vbj&(RKuRhXZs5s+1$W_lqOL@{1R%n*RLM0wujexLfg+~ea
zSvAPgg};nt8gI11YH~C~5eCHnAZ}#YR?!?5$-_-nDnF*ieLeULj^i&cgB-j!=7D5u
zZu3cezaL5!K^)NOKhr4SBiR2PqEJs0`z!f`9=jzEq2nGUA&_fwu^<@6&WA$KYn9Mc
ziU-9v_G2x}CF177^!v*Xsb9nJ@U9nd+Rw648G_b{R35Bi;g*n53Ux+#hi=*fg|#ZI
zC$<wt!vl!5->fD0Y83?}B;UX_!7!4wxSqU9jPx{SjO4`96&m5}^c`*JXGqRfXm(?I
zEnC+&8?^V^4mG5PfIfG$)X>PE&BB=b_q*u;tB4K+p_D}!8;ZPkNFr%aSN;)5_%OkD
z_R>NMAJyI0nAPe>(=|6*-GZS;!vln}{Yc$Oj+I7^Id(}dsgV`B?WDN|M<fVbPU_eI
zRM^5xZc*jNioPRhnbZXGOg)v(Yu@$=KW<g*xEzY0jT04)QJBnf`~UKi+&j@?t*QdC
z2Zls%!E4S{aSz0=(sp5w%k({eOq@z5MUoabYg>}U-34xLlQZp_Bhd~ZmMx=@Fxsq-
zgcZ0M>RZKm91=|XlnAkI0}z03Ao$V|3<Z}4IQ*Y<Cg=wq2&Dyl|B|Ui|4-aJ0{T5*
zlq?_+@oNAbROXE9S|=SJ?#H|BgmRajQs3<`Lbn|r$TZXTZf-w|o^~*JZA!kaJ~kpg
zOYYB$Z>Cw6{ytQTdg&p0M;wyn!|0Zk-I($1)Dy=}9greh*POR(^80Vuf~4f)^D|L2
zcth%ITYZ|hS+x%imqupf&A8|Ni+s*p0Sq<g^<X#B6Zy&}@1{xm@EcC#r=r{fV^dcB
zNwBGgbN_+nK+vG4Gjd_X(ZF}09LgX)oO*swe%eNy9qJR}XxEB-W<)_SxAQy#WTG;D
zRlt${uSyebVeyAT7;V;Fq#SZ%&(c$MR(gUIShu&b$@o7?;Un>HsAfx1mOGirX=w7(
z)x+8PE+tF_^lD>++WsUJBsXO=VIC5%K6WG)#X3q_s;dH#P;4c8t!Y#_`lJyte4!ie
z+}|+GdX(vLltGrUO-8huSF=mA_EWyfgosxWTVunwEG(4pVO549U#XK~d5rgdvCba`
zrc{3Bbpf5ve{$xoxtfU>K-zj3JD8%8@f-0Xc-Q9l#+nThwrqY9+u7xa-vFhU{N0Nr
zdf^qXxw8MMhpa@bKxnGlX&6h|WwY+wCKB%NjY`=D`;&bE<=XS`dxns&C56^)pN#rI
z029-GviPi?O!VaRsM(1Dsg`Qjg<@z*M!V;N7s^AFVOb9iZKj<-AbGc^_uFe*t9UXB
z5Xk*MVRO61a0IG@y8XCw*^dG)e*po2@!u?^F`0||zpjIC;Er`*2=)x<=;|f?*8}lW
z0NCkI28&}9F#UJSvmf}_8TJl*T-gu_RWKcfD)gSUrE^c`5}_G_c$~*mys;EY4XfwW
zH>)VG|KyOx%OP9+f-f2hTT;Y3=%78|sljQibX2?;nfS4Mld%NOP445>UFDGuxW$|*
zB4Ii<B~RW@liMB<`c9~o|D!r`_Q#VlF#Y0x$&=yJJ4F4Xp?-q?lx|GB+vBO)-yn!Q
zQJVJXt2y@adN^efGV#xxGZmYk2=F9GeV}Aw1Np7a{<!(#u*qc8ZSqIulhs;w`Pva%
z8B4?hl}hhB+>!x8a63$-_<jDoB+b@)aF+>Ik8nsp38uDpRwBon!jM2ap!e4MmV%@m
zUbXOL^DfPjWKR(>{0GFa^Mi3)B-5%VmN~&}DlBUfRd-T!Z@s`|Oj&%(PKCkBsyu~;
z;-4ZYL`<o-KT59;-vV${Jso&aYWBZzaz$ucHsh5~sbr=2E4Azh59$QoJ6ta)Mpb(b
zLlcok8aE#HqhOSE8!2Q=723P_d_m-xog7QhL6(rD4Z&C<+WDmF`BKz5p={H+cC(hZ
zdPzdp)mqH?+AUJ40F6dZS{-VucblG3g)sKpH|m;)shUVpFTW&Qr4SDf=}<LH{^;)#
zXg}SxVzJ$rFmZMiTpe~nf^J+#k!b6$G}$e;Xm&hr^Hm)pzbRqKJZLRjIkI`Kfi4(x
z2Y!}JiPN!Apu0?RqL!Qlr7C;OtK;Myl=`^bl;gYohN45XH{Yn|&U+h^OLRJ+{*}*5
zo+<=ViMR@NBpClUc=Sh~frkQBR-~kYd>~Xfcxy8peKPRb0jYEd2bIFK4Q&j8uQKF7
z+e`S*Qib{EsHJfaUkqXIS(^_`O^u3x=pL6<PejLOZ{1xhHb_s`5a<36l;Bfg#!N3l
z)c%>S6riWM^LcDk63l?I2M|6?wNsC=BkVa>{|c&;9#A4tswB#0*w~=nKueIKlj4x5
zj&OFBl7MgRol{Eq7$SO!x%GiE69AUCzPe3KxKCxBwp|=$bquPk31XEb=LfRUl1eJV
zrG#n+z0g0lq6hgs>%$4^82Z-RBWv8F^^kYms|uw@w&=;M>_p3QUh~MK*i&Gon%^A5
zz2lH}BhcElQouJSCQ=5hEbY(~t#D5>ik0^VLBBYAm!2WRyjL$ITNC;otiK|C{&koI
z`%GBpvT%El#51zVaJ=rXqW2Qd9k=!AuaQ1B{tLpot8S=#3p3dx8U1hA%UlIzTD0X#
zG7+=EGsMyc4d3aKrLE-zD=u_jWdq}iTGF>fX@amC<`2kK(I@H&Y4&F?HLxuP3Qll_
zX4+>Xvzvy5*qD^Iv<zs5xWAjV^y|m+>(#7Q$CFa(exyi)$C6aTVaIxdt?7u~LR;_M
zJQgS{`9BWv?##?uA|21$IdtUgVR*JO9oQH2CEK4f)FI)poXBU^?GZhD>MFi$TpE<%
z2CrU(Lqf_uzUFe3zeYCC%4k#$<Mu?#TD;ysHFvvSA%ZRw7<@kCt(Q7YvHMEkSnGOD
zz5vsYK;faUE%e}GSHnTeSaSCawt|#;CfgT>$YED*%I-KpVFHFcJ4jbsHTU0@q)e<K
zF(kEpVE3`Yp!Av0PsTh@qn@@|%#MP0(IpeHL=Djrlh<Em3c_Cp#;OUKc|U(;Y|uj>
zBe<j}PP8N6x6Kv;spm>xRaX31qg9dV!@Ke7KI^V)oNi#TB<goMfGtLCEN#0pu$oAL
z@(?W;*3rmvp_i^PWfkaba>`CILh4Y#=XD#TfC2q2<9%TG$vIv<8_t6sIzv^G+6{>8
zZZtFikOk}Rwsh;%1g_&F*(WjzMgB<NZ|_N5_;erZIrEms*+j0@ORF^7%X?1L6U6$k
z!$`RwB>I?<BS}E;%~kMEjz0CSt5;lmA#-6DKAwld@h(y^9X{OR(=4efO#}CYT5NTa
zT_6Y~2-tpfWwtlL>7RN#2W3gCBVYXe%~!9LSYHXYSOU*Qy3Ef5ZCAdgpVANb1~tf#
zJb_ktA-)}OS2dS*;cya~Qe2x{0gi1!rE+-mJGz5p+0aD&oT$20<tM3(E=96FMZ^z6
zb6pM4ZArC(Q!@32z{N@7Cd_ZR>65~WW29X~FdiU27u(a{?@7>H<W#a~RMrHunDPbW
zV`H<UuUuQD^(o|cU%SjPwb1?@oeI++#Y`lcO{ud?M1u;}i^mmJ8(Ub~h^W7t*Q3#y
z(XGo(?JGEU>+;**H(*QDCT3VkDL^Msb5F%|w$K{8Mdu7JC<YzHCU(0QnOQRSQugzV
z=D5W0VPBc_hNdqy*;iB2Buqlpa}xr?lTLw3J{9u?iXrGSDYia?KKTui)s?RI&r5q&
zZUpygx_{E=a6!W`eeF1PM%lV(Ln8(FrVAC}rE8a8J^43v7P?QJj^A~V#54TrhFaq4
zmX7*r0!rVm2w<0V));D}mRx0A+$-gz9_R<6J{kI;?VWE!pu`qL_<zDk!(mWlE3XSO
z`8m#vn)=p~TRTndr_7uo$%c9!EygD3O9%BWeZFnlO?mfA$^)%^=fjFLmKYYgbotqZ
zjoZ~3?jxKW1Uag_I7GJSILlx3K({g`_KA6S9BDW%bZJ+UK8{8O&5q<nB8*w}XwieQ
zqq-HLheND8hK<nqGrR`F7oyLZxd_V6_UvxCUX6??$_C__7OCk%7DiF33v0szj4;8)
zZVt5SMW-qDFr(-4{wE<<_c_;ZdposbQE9(qJFk=84-oJOBe%93!p;)Q)Y{XSe@p$5
zvMFiG<|EuTzM_#^LZK~-d-pkLaWawA)W^kWtgC6MZno2a?BtkxA-EO4jTH{GAf>qW
zA#!bXZqBp*bvdzbE7~I5NFv^U<|is-sCh*Nb?UJG$*ooJ8~UjgVx>t-p~rZ+(Q}fe
zUVyRg@R8L#+bA;Czib-)Lh!3Mz|-^37yy{Hg}(vuK<o`*8v?xhR<CED_29!t^!!r+
z6utm#Q@(KTIl!Ut$0Kn{<_JJ|@0$d;vb=2pl0MrC@8=Q<Z!k40!0YX^ugd!tT;R^n
zfItCJ9NxWj3+=Y%CPBHk*SM&BEkTP>j1>72csgg7Fo(6OUrsXB9wSAzS>IoX*BEwf
ze5>mi0*v&W*UV_hmAKHjJv)Nj88zTW+*KyBqNq3FH}dOr#tgzJ4_J6ys*M$LY4Ow7
zFLjg9GjEGAZZ`(H>1luVc3s)%4RK%(mSKg1;&Q0F2_i%delVO?MXS5VnC%%s*(mLf
zm0#8t2r|H&+L_A}kYK75I7PyyBNp#YB>YUAyubg4R7|+&QA<=w0v1bo96}A>u#H#)
zY_5N+B;bsU&nkZlRp_;LZ;DUFYqCI%P~J_m4$fLIk11j3s#>Lg*H|r#Pd^~(U$RQb
zlgA#n^a>;1Cr<tozH5@c@@7Ppp{#=OC4I*OZL50`GezH8A`nZ&_5jg5WgAsvihzs2
zI3YD(aEQTPT=M&*%ELl0T$AcSv2KcKw5~D=>oRA<j$#mZWfHcE-rd;=-P9pvNJ`^w
z5&MazocJjbP!p}zM$_>};G;k3$D@0LIKsB|bszWdolejl<v=G^HcFVfdeZTix+<j8
z(nY@cP__p%S5pi9lqSYMP8eq_Tuh<NfBGZs&}m0aM(}f8yCcbPe3^F$n#nYWol;yP
z>JH>@#2`nqzTV2sK{h=Oky+qrZ<-eASL^-A(0qOvWk_8otr@Z?r1dYj`&dk)e*}Kq
zx+O$S0{@@j0*hw@8%V&ZuW<_5$yN;XZ~g6zQ())P>@6NFJ_&5VeY%^3tGN4yL#!r@
zW`Dy^wIA)F7j)hi>!_aHL5^!w|G|pZ^DFjPg7GC(?Zm*JsV4WD$$`GC3q`di8LXO@
zZie-26lu(iD=Zia3?Kd7m0YY-$k!gyPGnFeOiVI2wHR1aT{a7%>tA?culc8CI;bs-
zrSw+*JpQn~aQi?;^WF>P=RtW`Huq_9gH6fveYqzKa@N5YA6VR<dV=q8EZM2elqR%s
zw;k&9*khDg&gO9T-34U?J3HRvxkI2$8CldppBf#h#n6p09^>>|MuZB_cb{3mxmlEg
z0bILz799O^htahIdR$xWAOOqa0Z&5dx1J^Xm^$)8i(|QR4SA(w{Zo>F9^DKN*}Ame
zx5gT8etsx)=keMW+2=c2gKEt$8@DU0Uxo3+FxUJY){KxQ@HB06qdK*e4b#64*f+!?
z4}SgxA3zjBX*U{BzR{I_VVj-vu!aL^v><Gk-MI%|9{9b8sgv}$jvl~o1pZ#p<tt$P
z`SspIKB8k57MPt!G7p&(DnFC~!<F%)m9=@V{C_N+V|Zm<)2(B6Y}>YN+v?c1opfy5
zR>yY7wr$(lC*S*=|MS}WPp!4atQvI>=7F=WC3(VpXSHH9DK979KX*}N0!vh)Uvs~E
zkHG4|V{rex9mz+^xT(*dU)`RoIEpxJoSK&8si9lgh?1PaTjxRzJbZA`y={NG&3r)Z
z4TmvtMHNdxz7^Xl*T^+2n{ISWfaIQUs&lnOywxbJbOTOac%CVq{0UqECo!|}q&c8i
zUnLl9E`liIbvVmk>(V-;pk`mnBme%y<&=96O5ifRJcWt|(7bWnk{e73YbdvWN8cZU
zgN;>hu^z5L>B2bdpEshm?HA=-@5|dCNJoCCi?0C3wZi)gV7>mz<>Q`In4SjZoy&fh
zrU_lHb$i;A-Eg(g`37PLu5lqxaRw!c75cN}Xf1l1*)ecFbMWoL9NicN>jG#@hwuY-
zX+hYSNAZ26r#Nn2Gcz(#WJuvR({v8UJGNq}@G8RAkOQ4Mu^{PuyBdo{Sk#FEH&lhg
zz~fyGuOT+Bq<fIy9EAp;eqOnoQhSCXho>cSWnr<eg1_4lJpwZ^gJ0i}b<n8nvu7o5
zZGj=jJWRHZ$oOJzo{D>ZlvP1F<-t!N()Tk)RfORWK2fQoVE$U=)(34O(bxgq{heq&
zd4sHh@tKXb4gHJ%X1iv7f=*reH^)Z69P>3WJK4XR#{r%2ct3~o$1s;qG!s;6xM@H3
za{RybHp~TWVZreV%-@?@7DJTq*HtM#x~F>e?5TuF<a8=`k4fsco1XV=+S90SeBU*j
z^j>Op8w8B=O%GOJi-H&dWCGElEU|q$B2Tou1(t05#W7cYEiM@uEu9yM3emQQ9opf6
zrGHbKb;F*woGYd0MeKydo)1oIxLK0lT~$2VBU$e0YNL@k(RM>GYW#ZyZUE))y-3Gp
z>F{^tnbaof?w~!l+c~+6fO=!1C$5kdM);&|GHxf~`%T$wF|zjOjTK=}y(i;8uO5~W
z24inn0>q}@CBnMQCB`-yr0)%#VRLvIUmz_dcP^Rnv4xoDkU<2DoJst(p)-~^(cbKe
zw#Vt`aJSx~n4=+Dc1VBZ_x+(%j+!oR>uGF#L~||je457RoPjQx=fI@NkKqm7db1XB
zI+%S@h=~+(aP;0qC0Sg=45ZWsnH~xSO)TKY2o><KJAB<<;S}?cFv54?Hy6;e5x>x!
zf#O}^ldiHPg{D<r658t{So{v-`6_^Fk_)}l(k$WkrxGp3W{cgWVro8^F>znBN&LIl
z!pD$$!Q<S`qG}1|1bgA{*^i!Q$II1yH|Nk>1PY*H&tct7O0vFFM>?q`2+f+%PProe
z1D^1ol_zZ}KeG0G=XM`#-U>ah5vo-~vg&{=4qMx)W7}A@$cVSxDMAayWW$|c?{)~k
z)Y*b3IC={l5A)c-hhDCUA2EKZ=FWmY6|?J<O--<^5=cWl{;A7d<!lG&Vuhliz^NFy
zqi+DKTa#2O*M_}@;HJkRtQX1|pJ-k)VFmjXwTBqv$!ubHqJa6HQ&GrK+E{~jj)18Z
z7?48|tf1iRix%d{%{N4MlSf-o`w7R?b8a|XH@GD3K<^f)4JvX)6N!y}3cmSM0&ciZ
z1pEMi&>uS9jT6cnfCPZR_J2a;24ILi-TwWb5PACm%sdJF2wm~`wZ));Mi=*3gwwJ7
zprWo(9Tx<cLHsvpE6oS{^%I=BL+(f{8oxYH()w=r@$c>I(B>CSeU`M1noyT-6jF!k
z&7k!iqdGlSc!=0anhGM>U!h#fXF+P73rm%bao2vNGQBtpuizVu-0(Z5##ly0>B)O?
zrz9hBQzb+u&QGB#ntgYCsUn*USR5-u-M`?}Jd6&v5iDrLvU0Huw-z*9Cq%t8Zhil)
zSp}v<sg><ci>G2(Y_CNQ9e!tL3`;tk&OoNc8w`GIuag;F)+ECCjo!@M&*~e?Rb%qu
zQX}M(P5K=wWCdlpK=`WA&VP9RLi%0(aOUlTg`J4mX$o9L{)*3H#6ep5JXd|0tTKGn
zxVC3FvlJX5{^w!@1zcHnR%UB5(h0l2Y!irTAtJ~d92D#m=edX#i8}8ifMT!}Tn7Z6
z{(&^TsW0#DOW31wX!%f3p{)K>V2t<e`J6O-<X$cj=T(^uo=-%^+EGwB*8k&?vpfgt
zTAq5MM{2}FRmzCoD4WV7_TOFmT<cfDb53}t*tbeO%eIjEMHL7Vl}wQquHm~?q&vS6
z@AX4Sm*8Qn#=YIu1eyH%zt><`!U{4eHib@p<Cn&w+<@ZsnwOS5!4bl7EHp`w*g)JW
z-9Te)j_+!%o2pBoQAP%_I%k|wEl4M78PSOAiX_TMSvB|)fYLhv8vuCk21o%l11@%s
z$nWFkf6}Rcgb0Xi&+-3MZr{@~K%{49M)2(ivVB{Z0cdbX*H!Y>!z@D+6%2#7BrQP_
z)$Y*gkWt1iE=CF^DwgOF>JSPO7cEW@$A$*3Alea_u<z6URr|EPgVE+)!{?lP!he$M
z+ZU!Rv5U`0kF7?0I!JR|lG4L*K(5GNpP5zWRh?w>F8Sw?;Z1LJ*YX$K!Px`F$TQe`
zitO8y{3Xkq!c1!qFHFMB_=J7GgvQxtZltffCGdyr;{k+GHoy1;63(&947NyGeiMDn
zq*NQ(WQd_xP?g)|Y||g$cXP%}MB({P5oVgXThNsjMd`~<m_5A2rtXH0hg;HfwqIw!
zaxzzEdX8!-kv7~oo6yd|-G52?A@H$sQ(#p(6VkRsY)q@!0teJz@}6|{`>wTppnnau
zE!5dfK^S?}jfFgf*F&R`iq_GpiTZ_8%+pva!N|A_>^#p;IBeS4pQDAuk<_d``Q(x1
zo8f{RSB80yuA)90R_<wKqE-k|VHEZ&^k<jG-^*ezyh|msPm97}_${*QOIF2kH*#l)
zC0qY%JN10*5)xFQc$XUWb)SsF*JhnuK*aHkOp2~NuaU=~x~0A|;gE*!4Og(suSt@{
zWw1Tq8Ppfr-g_t1PvZStC;sgA9Ht=VO!UmEe?IMgu~W)`p($n4d7m+24|C<fmsN>d
zV-4e~uYUjFc~C60pAVM$YER=_3Ne5wb>+5nD|nxI(a`=>J@2#-kBp33q{asWcSt^P
zRq;Y<Dryjle0r7Z>~XBmL7Y2_4f`;+CRT<OP1UW1%UFY7YCO~3-e?q$`Oihf2x!0e
z#|;1g+yf;5KPDpJuW$taFMlU2z`Lymhy(2A?WaL)mAUQ+0Q8}E5A++8#!-hqwo<Go
zgJI0+AYy<7i)SN5Y^!?Jo=Lm?i+M&_EdEP{pRT>~_%pZf>E)4?|BqZRtuO|xP8Gh2
zzBK#63Y{-X@54CFU-Q1FTuA}*O!!U=riTJmycESpJ``ox?IuJ!^>ky)gy1@=DTJbt
zHRPl<xy%Pn{bLjCNIvNs3?fX-q0@Gi8+aEcognmgcnMhCr3*`If!_7LfRKjQX{P3u
z_IWKl#`Y~F58M~sn$Y6)w_l#bA7sOje1~x!GpLrsV>|yU7_5kyZ}SiiVQAF%wPOVw
z5;KWnO}xre5bGX@DzS9zauYByP@4#zqicXjb5iOn>z;#sxblp3hRokC-J9=ce0|iw
z`9_d25Q5~x4Kw3=&TGy?Ljd29#U6zH-ll&XO}yZ^LcxsnUgB}UTx)I*L)8!2ly4pb
zYi>E|Y{lqymR``&3to$Q+ff;MW%}_NcbRo$Uf8r<j^-xM6o>E4uczbTkxk?xUPZ4I
ze7u=)>OQj4Q*FXKvQ%Z2n$HR;!48J;i^q*3_sXFJnNflS)SsmF`y%&sRz#x4-BZJh
zXtOhYJ04ACM#-o@E_ow(Pe0Z-8$VmBwDIV(MGnrVMlfYo4SK%Fs>UrlLsA4xFEgcY
z3gV9B7+u{fMM4z8xa<;*KhCsWH-j@Rv{fPl&Pxn~kt!q%{Ci-*{_~%God9M4j`u*{
zfIM*gFUWg<e|qnCuX7>ELkkUX8@Qdvx4_O4OKl1O^aQXgyni#WTyXN7s5$m6DyJ~k
zl(71iDrbxP1$MBbS1)qIapHCNTvEZdIi{jn=LDrt5bmXRiD(cq0H4VIBx7?V4L$8|
zSz55hcjPL{!oAzbsznDC18p&(d!=xXv}t=heat#JeNH(3ddfvgX6~LH%DO%!kSIhu
zjIMGO%d*`g$*3utd+>3)Pj@`Cq;?nd)4<tbo+G(ZU;urIMBZLfne$vbJbe{-JcrTY
zn^~7V#wyt?*Shsp-XEU!T9(1Nw&>i92<Cf7q@_G<#l^Q{3e}0L5uj>l`|b!{#1Xq{
zRUD;p3!B4Vy5^@;{=yI^cveE#Yzu|&h62`YF|w<qdtZc31Id|BGa@Sgm|Wf06fftD
zBjZo7!667hypZCu63dB|SC5i6{DiLBTpkRY4V$VyBK4u6z6;uM+Ub-Mwcxl^onhlA
z*THKUw(&B7F)rcq@pT3x8#2pLXt%K^1jh20aUOcSSG1?-${WFXq?1xMND*DTtXJSJ
z2Tkbz!}-+&viMrKxRY=k#8}*6Y_(CPJSMO8SC*e@zJELgt(bp6%pO<-RK;j3PVogD
z-;9Qx$WODm!*zK%mD}U;jW1I7^C8iaV)_Q?5jxb{hFtvL$NgM3!`;I`Y_bZW6J00|
z>Uz{n>}zRw3snEH(%Dw<B6w_kEGdeH^vUJoCJYGEe=e^T|7XA_0RqGBj}Lcu4q*M}
zPY4M9dFKFb6)2`RYQc8V|1&O5`qwV|!wUicdOxQwP6c@K0k?Z~-^S!pKlSuY0Q~r4
zWW?bG__6_VV1MFDZb0I`4KBV2Mt@9;KRa<|HZr|e(m;0q^Yr%iKLM=1StuBPutz_o
z+PnNA-~b@-`N0{LM03Bl>OuF>{bz3U`2Mi^AvHh#Y}oyG?7#mEZt>yYaw7w3?Su0N
zIDdTr0zUkItTw^b&2um4M#n?d1d7?aDHaPUW@h7u%ww<X(nNDWQC9cY7$5bzwcgSf
ztKW@F7zz#P&6Oh|E)JrD60wdpB*HX*v00p6T72q{*F^UHyEO2(KE@nZJ>&LENYVwm
zDVESI;V!>?OV2NzbDBsD6n#p$+Q0rt{O-b)ih0<Gbp6LPFA|Mw|I2xz#Pq?D#=y#%
ze7r%N#?w4->&%m2!<F7e!k)Nazh$1Z*)^lg`+jbjzA=#`Tor$qH49F~lBdy?j3l0+
zXq_TBybB6H5kV@>oI6s1;$8TJN=`n1n*JWsD0L1TZRAsu`d8jlZg#d8zIzcQ{mV>3
z&@3J7LmLAmb<us6l{Q(9&NBbW1&zkL(JU=|Mf800eSe_`muYh=6Vgz4gJFi%HAHvi
zF`D|}M0pyuTk)QPMO^ZFYT?OWE#abY@`0&wgwAXXhi((g6k=}PnGZhSt#XGo{>eQO
z2-}#cwmp4K>}wWYWTFA|@LP5sg?q7&P64!N1=*BYY#YY?XFN;70SnfmI@cGg=A$~B
zl1DED-&b9^5slU-{$^P3P{rJ6o~_`Bj0k~B%s3tX<JosZf_8$*%)fC9xyhy*)Vj1L
zYCP~)$y)3V-B8tZP+u%Vyj<c0p%STYPy;O~XJ$bP=GUs29@i^IgR~HKl4Z5m0|wr=
z)Ydq?nE&$!^?&5m9t%7GJ@o!ps;~a?^8YtfH30O=ux~hTqyTM#aC`!KzuyFQKLpxt
zjcJd?_Up=EQBT3y$@<j_uxrW_yC(LzGWSq-UER<dZk!E#AvdiYQLa`NdwDM1>IefH
z%6qWfS|vUH%wGBY3C-^?syoQFu(m)TXXml+DIZOS_&7LCIW+Y99otlv%{sgRv9f%U
z_94kRjp2wrFD|6Rr#&FeUwn#E{2N9vgP9YN;u#VtXP&-O^AfgH&)bNZC$Zq4jg(MB
z;k;BR_=B)|_PecfC-;$*qS)Le2iLt@@hE-6&}&dRPTnU{B8Kr{0ehm&<@3KYQ&<uL
zyt%x%cWsgQ^UuCH`ZyUw1<FXsOXP)SoPj)xrWx(~oq{{L+(O!2EtvAkN}Tfq_yPhL
zZ|s^%=VEtq!^g}x>@Np4ChsukcKo5r>32aH$EYXfBy<&=xcx6!Kp!^d4)XI0W)%fl
zwH=r)MLz*oo9JJrLQwsZ^IoO`AzJQ3;^u8zPz>nnuVXaU6>l^`K!1Zvr|z8xgiHGS
z2E3tzjB%4%kRRY}7IX@{<{0~0$rc-x7#=e*Z*=igAy{qRA-Hq-#Sy~$&_^+{$ikpF
z*P?(|;N)C`+9`tEavr7s?fA(qQS&-ZZI;0i4BHG04Kzcb)AYXQgMCV%de)(QC;mEu
zmpL`JP~b}sKBs=WF)RH%yk`1l-yw=CS4lWZmc(im?$Fco1hFyY)dn-4PE%frBO9Ox
z`2OKb3g`wL)eHB)avRHaVX7>uxDIc_k~v0o>)a|^)xl_lTMkD&-NVZTxcL-t+aI1j
zpD;@LIECc9vVoLo87~-<uksI2G@9=nM0AM@v=nzRh>E81w79#rbBypbx4-_SRe)4y
zSf4^ntHh5o!Q%41L9o=j<-jCbmt9A+)Mur-v7**seqKVDFy4klYgnx3jiM4G!nh{1
z*g|wr{;XE+_i$@H(P-G27HSv<&wWk+F4(?{jg=M=rzr;oz;3wQ$tQ;v5nMQ^C-M}|
zc}2fky|A3Y8Ug!G!56oT4|W@`y{Z|*4l9L1J&RJsQOS{k3$Z{T@KlpvZuhs1TY4HV
zQcC}uWL?HIT*gF^w=JLlbf64e!ob#AP7H2kQx2`K8-Qlsw=%}$4aI;L@On^TGO(?f
z_MWD@*e52KN<<1L5irkkFwUh2&&30aswjLNes|3ZQ4X4LhGPF{SejXUKbu4F)<?P0
zH?f}7DUj_(s)x76vo)#U>YzAGh`4Ohhq;ek9qVc|6guBB-6CM2+n-J&rbtz4so?zC
zaQ8*^`9#VokF%5ncPk_EtNS}82c@-MP3K2&Sf3~!8p+H^c%?xv;l*9_smfK7Fy5NN
zvVL`RxGuzIY+}<jT8yRCLWt8GhQKZ{`Hxx;ad3`jaJu5iuhQZlw3F!5)2ES~j2woV
z!!X>5Kd(k_gZ0^ut$%O8$?;)a;be^9j1zhjv<BbS6OtKA%E_cZ>YKR~5rvFKGEPQX
zZ1wG6)Q7=NYlEF{n2uk%6^^uhYSq~aEy$VW!vRumP_`Uwg5$lDNRuhSo=sdh<{?vm
zg8J-e#IU8JYr~ezA0U%wQ|_w_v?!Y{%n+ZNm+kX17iiExfpx-eEcX}L@GI;@aU?XZ
zVg^-VFV7VshT>R0ZfC?_>rx$l8>)Zi8?)j4olyNcjrOrS-0h(5AYai~GOoin9Wmyz
zB1qxYq;1R0K4~kvRo<JlJ9W#e6wRORruIP5-R2PUndX4+%eTz0H*s^utS8QZ<Oeew
zH5s3eW<;Skz=-U)J|KI#lKTXioWqFsw9tsKRVv9jD3Hamy#a3tsg&jx_ALX7!3PmV
zY-46;k}2Uw9kgR%UWw22@Fp#+Y1pyh!Ap?{Lts;}iX2iu(jdWy+>q67hEB&q)uo1x
zu01jKNVRsyG;h{1aeAr~rBL$kw*V_q*Y!XBrs5FS_m}YV^}oNR#;*g?>~8)zwj$U-
zGE}}}V4^wQJLTkG`&|h0`*csYwGbvI_bH!?a!psV1BdQ*2$L1F!ch$$L&3y9;mnvn
zd*Y?U<z`8Dyw}^07*6awWV45?t_lP}WF0QxVH=^H`D2SzGS2E?g$+eos}LzEP9pi|
zLVq5`sdErq$>;Wg9RBPKxd*=p=w1PwfIt54+J6dYeg*`7^zQy_X5MIG0sH*#vl8(A
zv#t^RcC+*;f&csaq!*U=-M{8bfDrI=iF?{vi4WcVPl|hekNl^^zX|9?k4yVu9y(6m
z<gJKH*g^hvI8T{>9egQjyT0(FxJQWjQIP%miO(BPA7+_Z9#}XU&^#xGvBMOkb20h$
zA`S%-cNxSSdhamPcVc%Jo*qMN(;BZ`+lMJ}7tTEM-EJhhBoV~Yxb<^lBe@f-9(Ldq
z7g9}YPdzNAYD9%gS@SAryM4(aF7bmF)+AfA{6;Fs_zGh+R=}g7f;B)M40lDI6dEFM
z-@#h&8C$Y3W!uwHK+3WkVncyOniG0WWEZwN=D7qw{l(&0DJER==yFWwR>ZJ3k%@pz
zX+|^Ke9ZM;Tlyyt!ID=3>UkrVkP0F4%6^f2vAKDo2C1fQE``3O*c9D256@nc5vdn#
ziKJ<!9_X@AdSF#|rqzB~(_2`e`W4sR_#Ih!vB3!?dGf0QWS%Jh7a=Dh7wa#gtsD_|
z$&*=W1mq%OCPFg3d8mO|D!BO{677sv?#mafuFTB`B)@;Z{>5cut@E?%)lG@YfT_PK
z<rQ&icBFl`F6N7&u!B1~q@MTa{W;z2W1~$+W`YDaWsTynyZ}Q1(QlMK_dqqCsP1Jg
z5iNYoO~5=40l{>i9T_$Ln=?sxA+B1S>g{ofeu(40CV>?RL0`2ik7UZ@+KW*yS~KBc
z*$^)oN2LPT&dM1wMU2?Ew5?iliQ2c&j<v=-YcV=Bwq2u)PF`J(EF>~2<)n2J4+Fqw
zsUfLUVbqKj|4ZpD&}8Fj5pFR3TtW0>QowzM_#{ZHn`*FRA&jafAEA>N@^cH-!~!(+
z71on{$`Z@gx~YHL&rsxt`1ljpF8r6{Q5<~GHC+mMSwVYRef@qiC!efywNts|m^>Lq
z0d>qL|FFACvQV(wlKmbSE~#7<!^7!a{!3VIC^H+~QdO^V*)oTE43=@?C<lH#9Tw3T
z$eLn07>B3U;)c6RwJwF_PBHDzBtIoDyw-H9D^UU4ztgU5y^8LngJ5F~Tka4S`s4P#
z-v;te*=tUhRRp;Bd5BA&RA)M+r$S8LMKx8LS&hO`PpQ+pJv`?76Xaac3x)YoUJ5Pt
zr2)R;qqRYy)uvZ(^X>zwM{tLDD<0s9i?^ekljGT-j;0GeA~9TF%kKf45sl|wR129(
zk58O2C~WD{!RYYYHCds!0-A_@(5;m+`T(Puf`Kp*F-R=#fPgXnD=kB)g4MoHSA=4f
zoToC@vv3gDh2?mJe2F>?bc5Ucn(>ZD^qF)d%bh7XZDe?ZF6Ew&2NzWwGG;%d&0TMd
zKmt0h&GD-H`J^ZiO}G0JXB*y18aS|6p;HLraEA-|^0!9p9u_2PWm<@b3aRGlNpyEA
zV%vu7sie#{&}<imF8s_lKcDeGqIIKg3|zKBzenduX>l3@^=2U_rzdKv5dHV_U3zOh
zp+|zb_b8;k<)CbAf1GHNY3~rK0Hor{RGXfatiOgB3#7)}W8yY=$m4D57oxOW2J7!O
z9$NXh%H|(>d$nC_=LGzKkFW1M9RQ&2)^ig7KGu{d+60NiZCtm?5yOjEazT@~R+9I0
zJSvc+j{;$Vz$^?q8b=XsCxYaj@vouYjXZ|MR;W;pxQ=O7lT;O38|-61`}KuSo_f=#
zN^&B2qUbh>gS1-Y-<y2BwK48cj+D>IyiG<LM(Qq9=+z>_8@)S+_|f{N*lS_en+RWP
zFO42!4yQ-AV8%F}fZ&lheoV8llfO&yPCMw<@63z=WX8J<QwYbi>zXXxCb@D~Bd?D?
znPl!-0!7XuIqQuIFkE;`hmJ4=fhH4}4W2z9kGZO*O#81F+0Ml_mm`e`Z?H=?uv+)A
z&${4|`+vtCfDg{O;|fl^D5)VibHv_Vee6FL4(kwrd46XcIb&~3r;|zbp%>^P5+|`c
z--w=MGZ0680_$ifbM6-hVm%%$AX3fU6;r(-FUg%`oP5ARo-2f@`j8tawPl7}O(x1?
z5Q%GKXKBxpZ0?D6AoXR9n8^OF=Ao<bth7uR3xd-)^;Mij+lK?*Nc7+{8`QTYzDXZ{
z{}g1ZJ2J5dubEqgyNgF!F7C{+kCyM18NfsfT)dVxwAziHhO+Xrpj>5r5F!$`Ih$j7
zl;l8iET%s8J-Un}3^I4EZhL750(m|5Eo~9Gyq8>&yt{mpvM&rhRjgzRu-br3X;6Hj
zn7a_&h)fU|cMe`4dV8GIfBAm=q5NGp?05m}ZvbCtF7c)wrXQ8{Bhlb3f#%kXV|lTE
zx6UUAm$e~BTV1AC?D+&@0}P(d9D-?;PtH=#GHU<r08LQl1o8`O=<4b@{raU9V<_V_
z!jg%F%xJgC4r=`kH$qM}Wi^+1SM4DqMp0f>dUf%;aWx*QF+;RK-QP#7MTos9fO|XT
zB8hT=Jd8#Z(sfh(?}bg&%Am_MKhyGMT@ysZsg&0NSh>ZUb!;SwDKWs7T!6&By&nu&
zB&aIGOe82a+|n{>XKuVwESEN^PA7zqbDGJa{Q47fR6*-holEVHqZc=Pl!&ud`%)I}
zPl`JabO6{HC&T$Dzl*rHKu4?51FZzE17_WJE_AsIF4U-5?AEwT-D|QxvBfV$)SbiK
z(aPl6hz^v2sT7PVA<km5+XM~CxYEHvwWv+63(JF|KjyDhAbA(kkj+UB+3ZDaTkNWl
zt3QFB4)p4`rM!q_U)cF*e)>i;)ti{)8Aw?Q)fIKqIk($1za`@nG4Frv*>}NsIn?1i
zohAm;Y|Hr^p*ZYxo?`0k&U$a%-&GcD(};8Y?v+;$zS=)Yyh0_Q4!=<en%|(n%kO3v
zcEn~X0a>92fu%x_)|vb_y4Y>1@$XPy?l_nL@}Ew=@k&<h5;a*wjqRb14;96Jfh-g$
z%t41MmVQianWr;5h2UvL3|p8Q>!VG?d%`EdGN25wW!(Cf=g+XafBbPp3KV0R`trh`
z=e8)*10B^0>=<h+FX1=WW>6!Mc2_x8$6N1ttYa7H#ioCZ1l0anPbmumJG{PV9HHky
zKH%_DDmw#mgrlkIdoGo#s=3fhpq^M|-CQ!S8rkR4$w1gWYlM|im=p%#SKDzdS^IbO
zUrDyXHJxyNetCZW)GC9DT#!ZD>uZ~KUXt%SMqVD#c-op*ab*c_9So^+WCM8Fr`V!*
zsd1HJXIOOHil{srD8tGWGFZDq$_Qq%=+kf|GFl7Og}lcTo5$^<)8{r#@{mWFOpcap
zvzv<a-v+Y3+H=(Bk}0ZPJC~q}*8XRTb@m*IbH&}gjSM?B@=MT)*PH5m9Q6ivXnuA&
zcQN@sG1PwA<)h5Sa(soH8&~p%=$vJ@Xa8C}*=!1LO+t7%)iH~7Bi<;$Rfd+DhaPh`
z&!%Yy2EIe}K&w^VmoL3V{Vyvyy^IDXDfP5nUDp@W-ZKO22=P)Ul2$*(yA7nb_fM!s
z;A^%_F%QVTpi0*)ci}wu=b<e1@2E;6h?o1Tp_euyw8?Q}b{C^FQ5+c55LTeOnz#-~
ziIUad4l1!L(866DSrC#1)n-N0oL@!MxlAD?3g@DKV0WBB1xYI&O%XYI$p+91bhvOa
zF`@r1jd$&h{mRSd^Q+oXZ%CF^TBt&ph#TkISK;lyZ$I;PerT}gfSvwt$`V2P*;FSU
z&kI9AdvjA1_-!#_R>@)!Yp^6B>s=UyM9tnLoR2+0|I>2Ah0y_EHQ^FcF*EDFO+<z<
zmaf6P5_QyuyE!(EQZ`abJZK_BSwA{dlt$G&-+6-IkslOQ>=EQl!4U(L+jsOI*!BYD
zD~;Fnu&L(C_%;~^;Dr?8p1>|GQ&!zbSy~0r<KgeBSKj^XrOD>AMwy`%@8{alb~Dhk
z_gSYf7osFzSypD!8qr3+mVu9{GewjeND|A{bo1=^>2qtbW7InEd^zlaL!9B+^wP(=
zp7Jj3XoF0Ah$nVDORXe>Ev*rcK@LCZ3abh2WSQ3Rncz#Fn#Z%Q)EUWCzv3y?$7m=H
zbp{gksMl?DkFJ?OI<RV4i*lOn-@mr^?B>o!!->&*(rv(0*Hpk}tTw$BzwB&2i~e>%
z-``3a6OHT5F1wRqn#mU2b(J%&yqei--#rZk*h%1SFPP~3&9`=nTOQ^>DeD~ybRNTt
z2uePH4rJjY;A22fIZKK76X?aoEc;2VlD3R0T9uW|95^uic{zn8O(zvEo4bh@V}diT
ztBY{xrhorp@HdXDak}t?gWlN-$9P_afhttnNg)@ihbGwuWJBl3?=&IQTBtFavI+Wy
zuyn|8SRorn-iH}~EUe<M%N#g*n?0Lz+gOBnxG9h$-chSlgxwe5M=&Tn_kOv5NA=bG
zXon+vUck;h!2YMni}&3NNZJ8;Rj4~m^$*bb>Rkc|qyvy&4Zbhb0Y4FVDJKA&cmJRJ
zQQE7(7a-S+>HnV;`1}I&DvxbE^!hWDsHXbv8a=+|Qv?W5)&43BMk#E$5GeCh0(211
zX`J}X==s4@pI;6F!%GP6#l#67fOzZ5@6F4#Eq9)*UgX+t<Wvu6Hy8SlA*Pw;NfHk#
z%{X1~^=N|{J97ayS^1ypt?RJ~OkW$0VefB|;C`alql5XQ$3}%UZyglAaBZGC`|wsR
zddfE6E|6W8l&u)zsA*os&#$&t41ci1j`u0~X}PyQ5YT@3O{1(=f;ooSgH`Qsj<rCA
zZuA)onMXDWHJLJ&vETX3KM&V;7LoqbsbGx>eT!meyUlRn*{9t0RPC-cw=^ka6N#oN
z>UC|kN9y1)#D+ST-~2_3E_n9OQcl_pobIr{ZNq^4H{E_zZ_vI1Idmh8NIFyU!Zgks
zUWa&L!^QRqrAPO=XO2&(4muqW`A`kGJOp%J<_qc=cDDeb1ra3+-IwEV6)#fCelak{
zbIC;U_mVgR_@|c^SIcPq#Do?trdELK-OzZ3BrFcn7b{qq#x{~Zxg3QanJVxpf1=+h
zXC^1jg30m14!)SV9j)Hy{#bDylGW3Fbwo$NM0ghozQTx+^eR#G{+WeI(<9|DD6bke
z%Osluf%u&r|9S-(y8o<?Z0TQySJ&L?yJW~#<V&Fv=CW%--R;u6M4>@vIaa+@KW8q>
znyqc<!}pSJ()zzUd91ex7l4}+fBOf3e`x*R;9n$7V|tFMO*t@I;9T@8t+ndG*_!&B
zt^}lO)W@qABx)r3;KIJu-rTrAY$U;SYNp;`ZfwV4RC=T{T8WTJzfwoVO6bXhI)77W
zw!!0B!9i2Z*>$^G+q`9Q&ROHT?wS-gXp>b_Nu5wM-RNk8ITbvPNbI!Tzn>cLc9@~m
zn+1r*@!bIvn)_og#K#dwTYyKb3reAr14pYKFUDFEXO((w_24>z^;^|jnSNUJmAM<I
zM2bJpCu$393(?%Kn9tBFBv4y{O*L>bSc?&iFseuJ(n34mmhX!_d(ut9+DA-;$RrI0
zsNfY^>pL~j|Nb{w<j1t8^aci!PgSuC;?0i{DVMxh&>I31#Y`Oyp$9B&7AdLKIdAy&
z%~^E6UB;Th7sk>C{pU!-&7TKN7vf$ykj60_xo3MD6QFO`kC3Z{m_}@?J%<nk=^~Dp
z@PTZ{f?GZtFKiUJEM9#-5EpU}Zh-CXOod!g8!Ev6FR7sW6WV#uWTCUQHaJPBPfT%0
zl>U_t(N+Vo{_jxHqNjS(wt`;`Z!a@qW~ZRer?tqvPQiYkPE-?qYh(ntIy_nEGyyoe
zch)LGDgR4YS0Dd)4XQ6ul9y_dg~XRKyp9!ZSG<wu^0Hf*iNCwENz8&1_$F{fI93Hx
zmTrPxNzPha5!^rhK6Bn{vcB*7A41gI&c<7>KR7rHdj;1TmLQ^4K5A|kRekRY)lw{Q
zjYpYB@1E1Y-kl<FCR5%Re-c|e44O0#sI>#05THY&(uUIpDM4mi=;JzhgJ`d?p;9iN
z{u7Qm>$qQ>Sx%dQC}E7gkrN!#5^XpwB|mw1xy0Sem?n<rGA3)CyDL$Mg{n-&u4rq!
ztWQg*I2;jQNQo~~MK>3BjziSJqKXeK9>UYre%5&aA#2<ZbZT#__Y1FHx(r)_<1D46
zIQ+freXGHwk?G7ol)B>)Qd;3zAz45>kb58QWbY1tq?15tL2enp2e-A{#oFC{b+N$$
zfk~5bJ4A$$P)WnD<)P1}g@lwLIENHL@Rc)#671qJ;|qj<#X1t;OMI>$Ug0&P`UPrd
zXjZMST)%p}4LZ9FC*HRr=SN0O$THWPoA~%B+Y0!TITCjiiKhk)h=gn2_<NlC<XbiQ
zX@bQabSu1=m&by5D9*(K4{GMJJQZT;%efn4bl2qM2HB*B*(`-0Xu>12TktfmCEMN{
zYfTZDDnp1RRh{)C#-oV!*>c^OGhWgw!mX?W6F8L!@QYxQ?yJYymx%KSZrH^YNXx4p
z>CR{a74=IoA&;`rT8@j+<TKTSr5-CF@20n@dwg><jV~>W$+~42K`%1ZJ3K=;DULBb
zvml2$9rhOnnF$<-Ra#&Qr95PyNdCbNrcnxV=OdVf=Q*BMEh$cqi@YGgKg*IR&Px`Q
z>{U8RsLSH4?+QFQb5K>LjA~aD!z`xv+1q3F6dBCTjFS5^4>LXBgm}-*`3*k-CPn}O
z-$kJc5su+gjk7OnBuWxu!5^uw%6ASbSf?zEBGbOx_!kb{i2Z5JxM#WV8}}`#c4{Qo
zaEsP=AQON><z-TQv5+rnQUz)#O+^~Z31R{yZ5qNSod%BU`kqz3@pwx~RjRy&>u=w|
zH>2WC-HPut;k<t}X;V*QLzDBpJ74!W%r~!N6gb5vBTV(_h}&r#xUF61`RL<ILza*Y
z)<TEe1Odr5N-76lQDu%8_HZ`jB2~Yr;=k~3h-Rc(qIT$%X;oe3HC%|!SK5_l%<H4!
ziuh!?79BtPr{Bm7*$JS;5B0NKew}W^H20wv=xr5*I_4@ZV%$8%T`HB<VZiMoYjTh?
zSp8w+d~vbJN4=LeFX1@|^T64XS=@_Fxv4Y`EkCLE=4XD2^_utW{uGXNIl$YM8Z&}r
z;ijUMOlDF0lXn!usvIEP2FIYOaM~2?+lMwLolMeDO})o=(Yu}oAsG)gIGPob@mahj
zjh2s-mziy)wa6SX<n-XAl&O%L<|!K)+LAsfhcMjDf3^28=(msUB0APCsXp9Qxb5?3
zjOl$eXUP-XDYy~PU!L#B=l?dUKWs7mX-zcYTkCAOHqtvWHfhc?X_C?BiZ2iX&wL#!
z2_8u=&irW%_Y>4b$u*0u2)Ei}H9b+5qp^@Rn8nX=K1G$}m+#gUX)Ml=!X%E;D(g9X
z2RQopi4h~98|~Y#k@qmc-ry2K0O7`=^A)9z3eD2p`@&Y(m1vQeb$fwu1_A!N#r<JC
zbWS8w+Q%;;^r)kc@g;G8>3uOxXFyUNvlGCrbS<Rw^Mn&)9)X>ZNESKrD;>s7?R*oG
z{`4VnGF-}rIBRw=8K5G9iw?Xt{nh0I`Hr8xML$HweP$R9<GPlQkCTg?o`9Fdlt3Yz
z0Cww>!x+YVcmS#e)x)%u8{^rR#?`9u5$a+Uqb&9TGBbLJ(xP^5_yMr+{#w%XRe;SY
znN%i2hkUnHlyplkN?1_ZTVg#ayWE~I;mv*(G+IeIKS5Kgi*&uDNE<sgD#U?@{SPQA
z!aMW#(q;P*j92b-CGii?Jhn249$h654VK{cP3c}$!-wZBE&5d?`oko8JSpOg0ENS*
z*HD}28n?G-l-rJN-|75WU3Up5QCcx&fBG*)tqJ|p44av@Y(f-#3$A2C*;A?Wgqx})
z?-a8R0E==_e*&cSpasNPW|IbizN8l4;$6x&w+9#w@2aTUv;N%d6PA|(?N!!I9xS&=
zXkTt7Y?b?CEeT28AxTi-NuEe`xMh9tA*jJEydAe>DP*r4?C7@|p9fVLdXa+YgV+2+
zejoSbtZmY6j@M14_4J!b6GO$rYzuD{6o|w^vNC3KiO#!+(MUseV?}pW{B^W@he6FC
ze;#-_0Qjl5sta&$0DyD=eB6Nl$XQhYLOh@-T;NF{ii@wQs|Cm(>wi7`&<}$U0N|S?
zAK*`CaR)Gc_Ye3IINgi;2FUnR`fjBH>4N@u?k(>YaN_^NCTq?g2BeMs__ZVu{2u`?
zcGsV-KdeSL-MjDJiJ2d>mcND2ZMX(^it$53W=rp!?`&2xe%p|AC72OGo(C7d7t<2L
z+LO-l$M8?Y2jm0&lAeqb;BU~3zNPoj#$ZP<{kGo0m-<x6()nak1-Xt<ltIB6-h7ux
zND$@s6@SjQ%HS_*ood1q@tqiOr|e%5%hREgp%&<)|72N)7DyGSGH!r#F^YvtbvWAM
zQT7?lAN|Z>u<xh#WzecK9E>}%MterL1<PZ{ljU3c%W2bd+&W7WX67BMIJlAj_982|
zT;#4QL?f+hrK$61%rpN$Gp7}gD}8DFlyMeTigzHUa&i?UQTo$qGwl1EW1xt2OCJ>6
z1X7IsNr>OnSh2shA*JMjYAmwpl^V(nPBGvAQnNvsxi^jR;Es%aF3#m9&1t9U(RDE@
zu@ketMa7bcdc{#aC{Y%${UNLh7lG7A6zr$n)`-jstIQLQzu4V^E0Vt^emDJK7Pt9(
zK2+%_%H}ZR9{y`Q_+-`WEyj13=$LcnqYt~s@H&JWLrWt1GUBv}Bl!+<L>RY|FWfGt
z_#pd_Q4FZl$uX(-+Rv0A6yN&=hL+d9oncDHb~%><F>18sKJ2b^<efuhY_0VM<zmGJ
zAzieNnItaguB7PTQU^^hsSK|Px79f{fd`j`qxeQUpV|*98?^?7EhEsfTJ%G9$IFmq
z$E(4AWo0(V^Oi`z24GJ34Y?1fx&(Y0d{X?H1OU482LXbg0E`EUZw`Xly>>eppxXZ&
zG6SDCy&v`<eP6x37%r~>=6435M?ikKz`Fqo_`?6r1=7?4488#b^#B4os8O0h15_3V
zH(%Eyz%Q%)S{r8IirX=Cg+a?5!@fa^zv6BL8fv}YlenN0e8$n;>C(1E5G23Z2=R4j
zNW$xCh)Y0dDLM&JMT+jHc~yLit0)-AENvDnaceDIl8RHG8#CTOfKO5Hw&JijZnPHp
zio73gcw44gN+e#hKM^$hhkCpQ=>dH-Wsj<czLJmgClWcKOa_U}!AqGaEoiQ0f*V#S
z9p?AuW0O-%?<3T<y3W2(y{=-LocHqM+6L4=TR7#oxX+_&{^r{1DFYP~<xC~q!5Clr
z3U1WX%#)=p5A8NwS(@aW`k{NtJV9KhCsz+~Ex~Sn{43FITYM8MIIs=!8n&-fo2I~8
zqe*J!c^-*HpVf(c{Pf>)$+D^6wjd3PbMhr&gh?%4pckUNg-5$xWQH^M>`O@I4Ik0w
zCghigLaWCGJRzWYI)+8=WQtotbq5U`J1Fm&Sx1bE$)&35_4Zwwc87dIzaZ|vMfS_;
zB{}j35SEMzT2CePW*zo=-;vwr=BEr^ZlTqq>+ST75zsJ-Io8_-Y%k|<DXkNoC#-Yj
z-&RPqc0Ud4s|!Wny3_)7BKj<&Z(4$aP9XFCDxaHkBl1$moTNgeGn!s3Y-#W(AS0e~
z5&sLw|HhJ~edSmbr^a_D^M1o!Z1yEmaeZI-9Du8!9vez5|HtDx{O<quCh!};p-q@z
zk-kU7)-|h!iFUHjC_}xF$_D)tN>O~%fICQ>3phlZ*G=;z%9I2Avu69@NN?0R_3lV-
zKu1Z#wI9MOlA!YG;Voez%m+z~YEEn;+xlECYZ6#7tW#>(D{f0S2RXNp<Br#-if4KF
zFUKCpW4JQn4y@KB^yCod<Xe$sO1`@&h&Xxti~>B}9_d^$Ue+BB@IZ|u;+SC!&a-er
zmyDGey1(){&i?fJ_1`uyGRVy}_@RE3muOf3GmH-zBz|=lDteTexmZv9E&jCo9of7b
zuX(ShiP+vX@tW1QI^G{{Dko<2{xd<35}PO5<f0y|J-6|odi#RMURcA}S(RBVCKH+_
z-sD}-p8Xu|_YM`nwCYSs>A#3W7WCvI2(M^fK+Vk>4x8GK9p_W@6T4ewPf^+}7zl|4
zx_7)k;2~g!uuloclxs$4lp7DDX-JFCJ3)YAhGzT|#9>EM<o2En_Cck!nrG`xcV$?L
zX1LJrR0Qprsl7UMh@8?vu2rhHE6g&y=OcTkY3m#<bHQ2;-tuSf*=LF}xj<c4qSRZl
zISHZ~q;+YOTxFtOT=U7BeTSz-jMwI4S8r_!r}7ne?Yx_KmyDQ<v(AR6l`my?=$HxN
zUL$%Y=2X5ekhN3<*FDH<)opNoxgmn7npE&9{3bqAqmEQrLj5HP6GzhS6KeEF^Z;N^
z1b!I2G$5Y<fVWUMfZ+-7<HnmC%=;8@<heWSpaX7$_#Yn-X2(APu<bAO<L%R)-2=#+
z{kZWk_&(?Sk>+P~S8SpC*#76n)A0P+^}OjNjQ{Vwl{V)uL<so5uiXx}3(eX8ey+Cd
z+yCujNAL@QZgM1IM$!jkc=sQ4Mm3tHSbaQQZ7nA^TzAU9MsFh1Lw47Zu>Gft%GXJ@
ztx2GEvAhJ}93xV#?@S*npN~BkP<FfHpd)w0ufZj34mg%DdZb*G_|W8uBwacYvrS^^
zT9{y@*v?-E*vzizsNa5&n>uccY21l*x&r(J8+K&JE5Ab~%QEdHWC&uB#$D-nndM(z
zXS0>H<gs_WDmz?1yqEpRdd}Nt(4!l-@y<pC7U9{EBuJZj_!SQI-uO{UVqNK@n4jff
zy%(&OM%GiMtcsuJSdWvc#OHzYT$)F)^U4ZnMyDy&O{GNdL}FkzyWp&fkpnras0{j>
zxuQ}=Aa*d6U&(lVTKNkWR>mk<(m3IW+K4rGyK0}vD?=z64u&@%rOhL^vYeW5L;hrn
zh~x_DRxS!LLEjmt8#TU=A0Y^PUm1FwSnQ2xPpZ1c|4@1PGavD_BFoF}o^8pm+kA17
z!LbJ-gA2%D?bK{_eY9S2rf@Ye9or1N@z|-D4KArR3CU$Vs4c6M`jEo!Ol*CKRhNN<
znP|9j`_sFJk_|o=H;N2a#?tB;yAvqf4hQxR>rY6HzfdCYlCx!B(o6k+f1p%SbZ(?`
zhLY!_IlCnOZr;-CVY$f?wfunxDB?~%@bNBlg|af|J)j{A9cx*c7Nv2toEOnEYu39@
zpNPs$1iTXb`I$X_VSLyFCin=y0oMOlg=jyx^WL8-d^H#wEIIwJY&^bi?!Wx|J_WQ_
zbt%WW<d#4n7t*5?T=KedxR&At=gRX?e$1{|)r}ZRGzF{AL09DiixaWA9|c^}=R?CI
zUj?U#+to&QlNx5x=xsDo(j^&ptwRo`J)I1Iv&CpXpCk+YPrqzSlJ*p#j_|@=Tc~B`
zc6SCdgbIB<t;<ba&qWsxvYNHDysf>Gtf}mv)dW_~V%PP0rDiPkqr9(fMDD!?E@c>w
z5lFRNl{{#1(0_2+!Akn}5-0=84$*k2A($ps-`Sm&A{>>cJ1Z4&6;L)!L%EBJWlr-5
z(nipc;Pf-e>yT?&<-J*}s|YY>RQ?e*3Htl)*o4ZuU-<P9TEFYL)TLA?A0+*@q_aHU
zoua_G%C7lcopyum!`mG$b@4os&MUlJ)f|PDP@sH1;xF-i-01J`ss!C<PN-x%Y#+3f
zAxJw;%)fJgFOw)l>76Vml1H|&hB0Z+;v_O*m2W4NOrxz$CS-{_v*TSUj+wLnY8wk>
zNHrFCPhC@{mo>WP3AH9FtEZq=qZ!Q0{k@ySg{o{UTKV>YLfs{!w_Mi>c|eP|XC67s
z;~{YBCv6(W;ULeIL0Wc8?~kS8Ns}QSHb5>_!Fj(NwH;J64wa&1;z%=ADpnefr-QN)
z)Wdw8U!o&R8Uq3#0&f)RM%2~iA(nRr&T<LT+3%XBuHLK7yq;&`-Ke;c>f?Pty8*O+
zelhHRNWe-lMrJ;v<`7)DvqoBc$8|qMhc#Zjw+SU9=`9kb&sn=b7ny<~6{66EoC^K4
zW=}<-=frQwq?4JX|6q5&$cx9(TiqV&zkJlXZxQ5Gb2$0mez^4LUR*X$f7kgw^Pj9s
zU>|pK+%k&aauNDr9LVXup2LMpylEB}h&N=vS=HRC%HwAv!~3aAfKI9pXUwU?eW~|O
z*bj&s(BDGn=I0jn(fdGLROfRIx**81?<$9Hch4yFo<J|PlgP&PFvK#!C*Np(sE}vZ
zkMQenjJrtPa#?3O;27gvC0SI2wGUssNWVN=V<OX?Flavs-;6<Z^&xTVYrL2WKWB<S
zF1R=rNx9IP1ILTuYeAE;3yFk2^(+Z#LJr!!52rJtC6)^qY8#z{K<hN#0C$c0RZ(G&
zU*+U#6+GdxcLp_60Of4E<suNB>`o+6apLghn$Kv$(M}%o;lbRp^s<mo7P?960v7H3
zs>AtcNdH8>$(3GP%R}=b(KrPNq`#1Cb-7YI8ft`DHPG&br-@xv=f)z~=H0p_QR(@p
z>Ha}a@Ve@02F$`2v~U?<M-+I{4om+28dcPfYF=f6DYRsFh^^`Ub0iiqF>J=3XbI}$
zO(=B19I|M;>o=fhx}d)6#q9&qy1&sidXV@UtG=cRrNv+m2g<1!wX{6vPfX_?$jA~J
zx_lMD`F3#yX&<e#2;RbY??vA8+r8gD!*EO1tuAQ<2vp(=TOt}CEgW{{=Cw&SQmHVn
zJv`5nJi?U_(Hc6srhCEU;ZyUS=vjtrYn!yskB4XO;uF9P0OSDtzfu5tJAk(rC$tNI
z%p1V<3t;ui1JDrFS$JDW)qQ|$iv_IQ0o;24&l-TAnfmL`Fob#;khTwS{q|@3!~-Y<
zhS~V9Ct804^}c->6!adyro8VweF3ThAFQ_uLzUoj{Z$xbtWS78PnE+UC1Cc<G6yn{
zVe;&ed${lzuFQN(x?D~zW=aE$7iuwHgcurduq%d8brhHrLlLPhldSAgDahekSmeuG
zbE$#+Is#R)C7evGT@ecB0(~h03B4?<8}oF}32`B2_IIK4T~#hH(pJTW-y;!wVVsCx
z_Up0>h;7Sjw*9spHA2@1_iFr!LcOWUElhUla*e~WF4`uM#UYGh+KLY+jWf*%-Q)SW
zWv!T7gy?nLm|<R~a0;_+V~&{k!*k^wMMYrwFB{n)j&mYs^^_Objr~y!TrJR0)!#TN
zd+W2c9TIidvZn&gul=Tx{kyEkZlN82NtN@ubuMlC$TJ@o9MX|1vgE}!&xxv{Hs0Z?
zo@I<{$0{L4>vqQSq}uANn5<Bfv?I9}K?&!&WVZ6`X3KmuaKGx`PAQJ8R0*f<%tYN}
zd~&M8&s7uv=LH37zfY2i=rqGnX4#J5<d1TM&Hhbu8tHDeO>lhYZc&hR%#BwM3W!s;
za|QaOHSV2dsvfAf-z?fB&OhK_pwA+Yu?EhmTl9WiC?9*}pBk|&1PGQJ{%KmT$2D4Z
zfKl5lQ2SmDh7&e!$XVC74_#&vbqzCQi6(@BA8TS?108B$!4U1NnCJHe^T1%VaFjM&
z+AM_3e<31ZmLOeH4!n`HbN;;k2Kc|NGMoWA04FJe>l2@NQtJ16AsV2~c50x#Cs(Kq
z3N4n%+}ruls6p9kiAcMNVXQcJJHl3R?<FZIW=kN(0fsEyURJM{Sr2NibF5fkrhi)2
z4*6XGyR{i?SLO(kF~l@LNPkDm2SyrN5fu3?wq$Zosl0Mjlyh;g%;Z8#rI@noa`%{Z
z);q(v^sB4jx8nrXl&e=GgUS@;jPT<5e9nc(q>oygnl@h=td|EZ<hFOg+6}+BQE~W0
za$~MHHK62XcwLYP*9`7KQ{j4>G^P0^sCK<?_q=(W7fx%Vycjv(;$wu^2ZK%7DEQkk
z2a(I;C-N6U;Du<^o-tL8pPR6#i31vzSQ{Vg@<JniHh;x+aB+aA^j8*;Cnn1NRhT|%
z9i!}0l}^~s;o<uW=49_Dx!cW~7uJw!mhcmkJw)h_QFz6j-a&y#<q;cMZ-;jdZbHmv
zzO)#7rH<l?`<Ey7dL+Y&Q(e4T2X#sA7MvMsp*N*nHy?%yMB=}!_?6B{xFET(GH)s6
zoo^<Sb(x~-If|ao0ddhmE8+uNF+LossnXd0nPOaEw5ec0UaqwQM?Dkr$u>ojUzH2?
zEoQYm5Ik24MN2AQFJLI-@mW?EEH);^XPvrp0*l5gs;Tg6m8W4N_erN)xw?u3J`8LJ
zGUQl`Q@Lo!5?}t1ny%ih7G>sJh;M$~@%aW^y!;=OR2SO*#4;I7Fv#-%0ee7%zaJ1I
zWEXCXUtys~`LS?iRGRaRFJ>Q`US9Ub=Y5c^q=hOCwj9dlOG~7roL0x=%!NPm7u<Di
z&@;K0{g73Sia%IKFJ5D8<Ecck?fiv7(#U6eb(~lnFK+q}T<5ZSRR`_aZ(Lfh0E$h}
zG1x{Syw7lK8nJY%%1UH9KxznF8i+o8JomO9`%qF!dQxQfFet<w!Us(7ti;YQ&0cPN
z4jq><*&2!bc36z&Jp4V*Is<9OCc8EaI>Sn3-@F{k)CBhYV1L%-VI=;|Ruhy@!az}W
z?wLP+04Ht;t|>Lu+qqjly|o9Q9~>I-_i6cLlI$@az{PNWLMCCI3Ah8N5(<SyZZdY-
z5DYK9f$%*KF3%nLvY#`ozS;BmU6Fg~_k+{89>^=SH-a0np)A-%82Xk&#?(_E5NGKj
zV(*7s5t7S_U9|$fN4L(;jgyW_0!fb}xw1S+jyWB4r3e>Xw=nv&dGPty&1r04bnty*
zE*pBamWI60JUg8QKIj|+7eg&)mMvnjW(Y%j<nr}VJ<LV4H$gLH#E^?X#;={Tb=vE>
zECu8>Hv0S`VpG~CjbkE}uxJzeMq)ZYuP)=3a951o&|qT_s#vNEDdoYfB$0d<J;B;j
z;7g(T$=C@>y_7F+eea`7Es#nq!NdEaSzWyilQhL)bM80q|9?6DU-$pJ8f2W>us!eK
z5a|FU@0yxqi#~>9w9ed4<>+5oEPSPGlQSF%Yp1Wo9H=XsPCT`lo)Xhqcz&NmLE5sX
z_i^RXNPj_C)RF>a_R$O&anc-hbGeFS%K$m3D!QP6^YsV%iVFLP^mE)F)B=|H@*Ps$
zG8%Ga$k_5@t501&eK~ibs=&S~);BK4_5-V%6Dp`cA#a?+>+?6cCz;ZrsU9?iyHf9I
z>V3$E+^k|QWs@R8ba~LL-cj$`%r^uz80sM^h|K{H>w2ixG<zZvH3C}Nk8jXnH^*t|
zK+vno!BJc^>(nI)UkL&$E>;8dcH~>$PjoTlJ#;<p(-KQ_Pu(}0L$giIfMoI02R+JI
z$yPO+8DE@uYoL5f7i$!W#xK8tN^^9REOyt_E7qg_adUG&gsi~-{M(L-;@+OuW^w<4
zp|Qg!`fSb%LEPw_!GLN%EH<OyrYDCn*)NM1OjhrUK%PyWhBC{vqy*3FDo8;Z_IS8*
zm!T9qdWs~*aR)hkV!)>Qer-Fvb68u3J{<Vcl*P2@eZ1;Zp2BU6OdhqpWy5ja*<Dc5
zXH`^x6^#L~CE4IB6K#dUv9CFDP_XBd(AYA75^D`1I~e$4ytDsnm+KDQzLo=NZRz?(
z!ut^7^%U8p94Q%vRJ0KiC%W|=rjfzGo1YjC#h9q0+?<2%ButC_zv=(~WX~rea`zuT
z_Fw3qPgq#^r~U;5c(3>WS3+{3m8nMrzIap_^Rq<dV2;2(5-*|>bu-7Xp)6AnriI27
zJoJSS8&QLLiN@z54m|LWD!2Sc$omvN&r?4oS#*=eEm&;u;ra>>i5rQ}o+6l|IjA{W
zM;%(>=YAaalu2%Fci!&gwyUR*88h-P#4pr6Xy_JJnnU$c4;C!d%zhzP4p0fHq>Oqw
z&MctMaQMstY37y6BbQ3$<SG=r`_`+PA3T_g`jUXtwpni6_CmEvyglDQS|v@z`0=cx
zA7!_4U_JH-ZB&rB^7vi{C4&e{`u0}WDn*qTSc0<cT_)b`*#|_Hu}Yp~(pltYRPCT=
zIB18umUcw$v#F)pMPA!v2h_?$baHM|un2?6#J-<;=Xo8w>y&}P#eqN3)_~Exbotsq
zT2M-OnCAu6m{~(~@~A`LdJPs_-Y+N}*w10ARG3usVZq*%vV}~hj!(Y%F;pL|>3yKS
zi;|t3m?`0XiP6_zQ>eO0^Pw)O(%XS{P5sF*kkticWHnSC*8gh5W^3U2D-R-Xi!La!
z(pwdxlwJ|NAwm9!IQ(^WH%C5V3VK#p1gTk!M`DJficioNGe0l$bjG8lmzMPAax3Z>
z-Q4Mt$)=C&=x(|j|8m8S${FL;%(;MyM7;5ilafU+#gC^$MvD^Q4;^k`d~_5&cSoTg
z0rO~Fe(~%J0IkyeZ_@wIp`ghB9{c<k_5c6TztGPQuJwN<{9XSCu5!r!X-ls81N;{K
z3-SIO@(caC{so1Ful0X5{H_1;_#>J>ZOJu%fZwBkk$=qbOZ)%p^ZzShalX5bU6+le
zE0Qz<RIc*`rQ)Q!kH1U|UifkvTX-gD-cZU%&c}q0Qn!f2J_ny4P4rKBa^}=JF4nk7
zCv-zrdec=_?9_5en6@a07zC=p#<S}CDu7`vW-fEGBJVZXMppoiDN382B1bD$u^MP0
zO)TZ#WuHT#D0!+Q6UPT%bi_PWO!BwU<cwEgB-o_rNB}{Hqm(d%p&O#OiI?BLu`|Lm
z?>0_(r=NMf>pJkHo1Ryd^rE11WT>8C4>uS(u2^1Damg3b$D?gN4rlRTDwCEQFVt-j
z*HpKUz-RIvZitaf0aG*1WQiPzPjx-&qTlMKYy>Q8#~jiS`!-5qaiUnwUheov;a`OG
zz8lUwKAQ}x#QeO9=Qt}J<Pr|xwWBa+sA5R*dL3mWsN7bo>)suZ=Rgd)M;E;U57gR!
zl|9cKY3bO<S6G)6KK8mCPfls8Y*2%1iF-wLx5CL=NIH#`PTKqSoV-j{IvhxRJNhEm
zbN^-B%Yj{unpURsyd;LoIes)29GAAKXO{P=0%n7(#Xm(3Lkt%JD4mRq-5sE5$Zz)w
zf~cAX8cA5#?QQ^`?iiL#-mQT&7L4jrcyA(z)sS2FHST$QE!%ARNax}1j>ZD)l<yfj
z??QK%*c0I!lW^~uc}&~XQwjq4hqXLVDm-Y9pk9oxW=;+NE&3M}{D+TS=l}m+Y__RI
z9xY9t);~_!;cSRGV9U)zIoc%-9dxWg*aApw=Q8exor8^^DB;q)=xjzKk5BA;Rr@YP
zWPTE%oY@eRy`UU(>%e(6%29o&kj3<?t*7G&<GUFM`<Fbu)dsLM;Vhp(-Kf|W!vi=v
z$Wz9$&iUgWAJNW$!_-HmDSf3VRyz@cLJ>p@8$=Vq!`7!w=+A%dE=h%>b0C3qxx24y
z?`f+-0^jK1HSI{q5@lb^u5@9cj}yK_9zn1Xj~zYfnPiXwX)qXa9bg5g3l)S4T|RQu
zSxfmQ7X&~n5`~8dpoRA2<_B|wYm>h_MPUL;2HfL==y~-!r*R)tXvw=~+c(m*hd%%v
zw_9%C*KWgWlSXV$Xiv9Ni_9CLwbO65SW7=ZT!_q8?=X|6`@B1lUGTjxkL@r58yE>u
z?3Nd!VMM(r;jXIkM%C=D4Q3{`@^V4ppAVl;^hg*nt?QbIR>+=pB1>Itpp=p>HR9F&
zE75msV0O5&I%w2Q)K3V}Nx#*2t&c`{f-h6KtOsroE$syH{fE6Xjfb*t`?!!O`%;!@
z5KXu+wy|XkF_s8posh&Odt+=F``RG87Hc6(mh2(xsI1uuGm@PwSt{#&`FLJD*XO#Q
zH(BPsKhJz$ov-FR=5wCM?|=M{<$sFHFQgGf1l=E3O|Tt}xzxg#?iWUy{AkJQb&VG_
zZ!D@j;m>!=)5cvAagDokaep?)N21ccg-x|N_c>a{0reXnGOBVC8)@gXlVS!(riY^1
zw4FuRgeK6>8WXqarI;?Q!04If=$)sdsL=ICoc|Y+5cuaiw(sO%u;~9C|Nqnfh4%aZ
zMgRFzN6-Ir|34P}7x}w#|AzhxgYoCToe1AYmBxyw7<0@G2a9&uZw3o>p!(gZBSrTt
zSV9SlWbzzt-vI|-YeszHa21-|c0f9QlxKsVdll2cH#h@vEA~Sr(uKz<=E_kl=s8N%
zEc%b!z(&Q2>qleE3e*fj>h*#O$KhEuPD<M?jRrpjqfu>_uR8?jG81`+$(<$O8Ml)2
zl4j}ONGFX&nXm9pSinl%;F;s7b{pe)WFy8{F+4WRM_G+;3`3FeAynWUp$C@w!>;Rx
z8K_x{zH@7t#NJN^Z(rUsAZ3$W!D25X)>y8HuLZJH2ozu>Qf<Ant1L*U$qmz_A1%tT
zTDN{DG`Kg=bQj@H)+t{ny8uN-O9`{yA|z(G<+v14*>{tF<|Zg9=}aHTdV_0y1{NC%
z;Ib+39ECalh!9>+Uz%W)(WH9|+8T-QX4rtZ)r#iPMpY(u_ft2sqA*sYH=5UoRBRte
zyKv{(F7d#@Q>mBINfjRNYOrOKn7H^xC928g+~)d~Kt(v+RI0-4{E;E_)<@D0i(F=Q
z1Oq8+<rkk$m?w*(n;wH33j_l)&)=IFwLcfMa<em0Q8~TvT%L>FAd-`0<U41`msh>7
zV|3ZNq_W!pZF3IJ0lCrJJg?uo@}^1|P<nUKTiWRd)XqvHgFxUcPWhEOQVg`-K!7ph
zm!G*8IV#e3{DJBDdNQ{%lg_Khv;PzO>rzDMQ2Aec{C6@O<bTEzGtjuU1P=~4;`mQk
z?5N^DL45po5*&;E3yb~j9>2B!$M^rA2#{`b32?`_<!Jb6_lJ?u?f{EH_<4aZRct(y
zX>^f_5LWrb!~zdZ2lin?r4_9A`aJzEqVe3%B#aJVG<kC|_c=%O+;+vUf+#jIi)?yZ
z)5U<0>_5noeOuQz2Ds~)688o!Z!=<<ip($22y)9l|B;goxMFRnhuKzcE6VK;x|Z1Q
zu00BrjurhP$jN+K!i$X)In1se+Dsq?akA_nK&Rj4l&s2C*xAb0fwH^6X{uK<<@(UB
zQSlp<4|am}`YWUoJw&AUvKG$2+0*_MoA8JxEm%}LX^ql;q^zxtg~pKbNy?hRbk!31
zt15D+bP@yI<A!VIY+MRY1xovrVk+G}>v1tJ4xN@*1_s&u5&72Kx+wLsL1A$|bGpLM
zhf%2n&&~S2V()(dC0vS8$h=-rd;2NJ9z6<H6b?@|9POBJ8jU5DOjh-aYWjgxqcLzD
zLT?A?`bfd#<;5;cdSR`1^m-#^Z$w@j;IBw}*@t>gGj@yK7<gCL0-Glg%p*KG!3(br
zT$*vFU9GgcyOdW}Dm?EAhRRcRaoaU()lR8HRKGe5kBz>5S0FW@sKjtK?hYo*Rlt#p
zj>gnADfnGSFtK$f?ZPa}xTnl+2fw%1v?{vcbxRO^TKoz*GUR$I1lrWDbb(S!i3jeR
z?2CwREDzD9a_?ENy=X`O(inc{sP+Hf$p7!?KS&6_|349qMgN6F|GE?e9j5*(2FC0E
ziEt4A8<Yyw<JuBDIN*r&U-ZcIUj(oJC&BU5|0Mo)4}AUqKbKk`m@Dm6h?q)4R+yls
z(>sx=G_rf26DY!9nzwFFNe*=E6%e&f>*vR<0=`dbT7UzH`>@#D>iLJ^JwDSJ-QtpR
z)I1E&sZC^Cu<eN3rw!L-5a+U<QIX#u%%ma0WKKU9(9A5z7%<g{rAa*{L2A3H>%x!#
zSh;DIleMxlXX)9qPGR#4XakpT%D@cWfgybmj*HZmeM5a$Z)`Pb=@-bWihaA0+U`O4
zH2j|a`Fh5Oxrk_uk~fkgXoCr1&K{yM4mS1Vk9_<s{*M=5%Izghkr=A!R1i;wcO_^d
zZJ`91V#k87Qk@<8@Ih1ls42DeqDu%FgUmgbl(u*RXWq_fLuxzIU-V@_DOF{VkQ8`#
zL5I3{i`9Wvpv}WZiJ^B@cr@o~E#=KL5~2#DQuKzk(=QD_5y*Izp>-VO5vGsGcZpGE
zp;YGEq?=3jjK=ekZFSTrR;^~zbJNh#Q!hJ>{F*q|NKB=sv0)Jp^_kXCh)r|t=NEAq
zv9Ggr41RXOwraB>Nysu~KHG)6Qzhm-0R9U@t-VB=w0xa+C#3mfT%pT5PzR&p=GQU2
z3$x_0n4sD5^%gn!vm)QzLO9>L38iD9tB<jBK2Ro^6avZJwaEX)IPLK=SO;E_7JljF
z3dd=GE}pQF<;zt$YmM0Pv5eKFVwzMApBMufzkKoI+5aE9{x1y1$A2dRI){$j<r<CC
zLu+lHr_=~O!c^Xivbtu`e!L4;si>h8W$ju$8W%As&Fmbam6cR<ESJk$b?D$86px!~
zhMBC%dyVGh9fNQ4E!>PXV*Ij$uzo7uA7Zj*2{rH)?rF>t_BLI3qyBEkVL<uW^ae7p
z4zyT5@-^lW7+8Hu4|M$&O+uZ&hGx2Rf~c9DJioRTjawkXJ2$1<&Iur<Ud!~pqC-PI
zN#>53W!Xd)6-h7Fqt1TD?~4qu80)|3Q^Sc=Q-4qY%CU@ku$x9jE9vql@m98I5}lqL
zv3HuavzBg%HNs$KQp?=NT4GDe$S#vKW~^>2Heajtg$Z=lH|M)hzFY?DTFgjLGF=rx
zF`Lq~XMFUZA`5IO8E-zwRKzrJQPETKH$EK;WwYvXRUjUgtJ>voxbAWq&J14Tz97sB
ztLlHrut`7HUDWG@c9j)LVty+p_3gAFDy`u&?Cia*vs|f;YmuPHZ<Nb{p%w2h^lQuk
z-s{vewWuQkRIN(*+d5ahzR?kUG|p!k;{FsxXmlM4D|@?BHP7?e-G2TvaiH5|EsD7H
zmQ4?<=7_6?;tSgG&}1_;jde|~l13_q^g6H5{sAh8dg2!Ul|+f$2Bc!gH(H?girA<Q
z!rBK!%l||`D3{o2eIk9Hr|OksbaN7mD>Sx9wuO2%?X2NO-;<r=>HpvF{}nw%|F4*!
zApZQnli`29|GC(qf@@3g;DF=l{{a2%9>2Bz<LCcR1UJ}L`Fq;M8GD&6hFdNbwlP#u
z;(Wn!V)dJP%-v<<3LdKIDy>XpelS8vv)V5ENOP*0M0W$@VlprCD~55<rpf(*Jj|f+
zDjO@2j@b~>TTd1m6ePYXU<(wwizaSiO;?bFJ=?p|zBnXz)@{AU81#krg~?cWPS80z
z?g}}-EaW)nQ+DA{R(LeK3M5G6$#!X7N%mclKZt(acr%Smv-Wkp=I9!=+odq(fhM+x
z6KBXT%1XX{D~b9kCx7W-%B<s~fS%L#2DzdkcCHk<BH$m6S|9s33pPH@0R`hd0y+&o
zvApc2l+?AS?KW-k%>Ur!@XWe-IZVIa#HE2SK8f+PurE|}LG=T(jT|&VplEV%OJk4p
zT~~}R$$+2tIpGq)B_@@EQ1(!g!i_~jHcqcKF(CD3#~I7IPZ+x^dc)-v61ih>(Uo(I
zzLJ2kyOXXv60*jqcv^7#jfhdw``msh9CYaH*C{2wBM%i*vNe~;gh7DMd_pdbVdd@q
zL8iL*wQ8V(vX!ybPAJY)#B?Ey!cL|#E>}fH8uC3a!x>Plxayp!oL$d$D_%X3B(|27
zTGduiLoNQC4WP(dLfCu#a?6u%+`aj(<&;f<Y`=P>5bGEAzI^5<_KZ^1&shxlo>%RV
zam5EosmW(aAP$ix(m?&;C*)AmIqM!4GCj<EJpM2I*Cj~eQ0qUw{&zAQtpBoC$Qf{L
z2_779#Q9$lFuwoyzl!6@|L)I!3mtC$8?XN-!-4*{`KNrvwIz6Pz)|b}k<EYL>whQ0
z@#O#a^M8VeoBzk_|H*Km|4sKSXmM=`9vpBy`~Us<51~WMe~9ic7kK|a2@d>UF_K*w
z*OuVH0mrlc@8|yn50U@FpZ{}W9QeP}nQ}i|TY?7%9QFLa$Pw-T_WS?v`@iGoc=|sM
zUH`?;f1MBsLCbaxFdB)bfx_@;lc_uYcZM=kVJ3#fOShlEtKELQnDryC)#slv0`{rF
zh8-dV&L~5sQsQ%V6p%*fh*T%ylws29bpftApIHVetB@k1Fpo=-*i%|SVD_&NmXtS(
zgH2}Au`{ydP0H_1IcXVZ&vseaCW_>u2`JdCyGSAeiY5bL^GR%i<pJ^(Kltd^tX{oX
z6Ws(<-*_B2OZHj){b)PI*vdUb>g+qc7ZZtr$}l%^zK14Gt`QtpZb|g)pf2+>2QkqR
z5tA>l3DtL3jaeBW+$Zgm%L1R4lE>+PG|!}cMh1AvOB>Rb+>u&b0uz<yCVZ9ishyAu
z>!ZCn=cyGUN$FL3*10vDwUA+t8+(VJ(DHF?Av!mWD2v!IOIi8P09Z|rqFJ!ZMW#Ru
z71<w%<$e+xg>L&%vDlx}u?@0{Bn?~}Aln~=OI}$S!x3(prnxghL+vF{^y9pTUMhC?
zt0tI{?DOa3F}dIhcd_llIg{|Z^sOQv3IN^tSU^{Y_NTbOC(-M3q`D>^LGh3>LmwJd
z5Hg!44Q_hQLR)PjYru1H@#1v6vYo!p1FIVN{G)iyi>$=fM)T@M5Q$qO?fD&9l+2sX
zpqY1UFIicXXSCkD=Xh1-zCjHqC5&HMxNtLi>#sk~RC=3qbzyS|c)B)wK4JNL$bvnE
zywfrDfBo$p`>p;DeE;W(AgTUk%jtpB;N6)xM>2FDFd$SXx6G`>W@_il^Pse^&(0{#
zjM%<fa>}<3DyDD_mVPEp`%`vf>XHayGUR=4yzbfSVc!#-rtkMzcPaiL%QDS#1`e{<
z&%VDD4fo`0K}02t06y0aFc@<swnp)Vb8*okm+wk-@l2~0&Ra4t7pB*~pR!Qx#oR?`
zzWD?&{a`~$k}#a~eQ&ei37U<;jIRU%q<NzLjmf55mODEov|}n^wb~QPZC>EcA+y8W
znEzE*tW#b#Ly4$Mcvc#mNpU?Q=Phk~zf8vhhVRYDGI=BwryJE30@S!dd^N0IS@!}A
zJD8ej;tZS6?HMYn%QB5qn42kgY6exoRLFja6Ickd1jC`gEB*rIDmh5&(Kgx3#2rd5
z_Quj6BFADnKN?TNdM}_(N{pV>OG2C8OKpYp7Gn}<yRbZUfxteDapX`rojUS4Z~gh#
zi%m3F^NfSfBz=lv0#Wh|uf#mFBadr~L(wf%EpREFKBZpwWPD2ZL16pa;IJqD+;u1u
zpP+IV5)*9b_ouJ@Noud<(dbQsQcG3Yw`Vyd8<obl+~M?|>r+T;$%HPAp8kY4!?70n
zkk-MA9pC!yKtdb8^wl=IQD40~*aBuD6PO0L^CDi=q@OwCpD<Ele(ECj`U{h60^rT$
ze2Ob`fS15ijQv1^qn`gfvidIwAOD>MNBsOjNA>&#!T9HY5*$zdcYpp@=uq>&`18L`
zh=csk7j-=>t}VfX1CCn%|J?vEKL7Kd%klJoiSM8PFLJ2<FTDPr3<vtJBO!bT*OuVH
z0moDSli2V77sa3d_+P+*|3f$i25@Z&9vpBy=Rbk>>;J;|{oj892mT+1UZ%#iC3tYa
zvH1UAKK#G=t@<y%|L;Ty*lAXtBqsWKkyw^#i+lc+h+qB<!w*@V+A6U1w$EGle{o)w
zw~dION!yZkoDd;LEfks>E#DJ=P%R@p2c@64uynTzzhOGq{Iw~g@*b#1K_Z)7=R0TR
zGs%xO)@$TG{D7`8$)by+7+SmVx3~Yr-g$q+y>)+FiyB=-FCl88glHMPL`jC|B--em
z7^B@0Mi4|DqE2+e)fqK9nJB>!VRTW#j08iXhG*S%f4XaZf4Wb~_gTy9ANZUf_Bo%u
z&-=a4{zITu&tyX4fkQyewI{Y^(>nYmwti7M3}I}&O7qq?yOhRs5{Of-au=})y7%Y}
z(I*Zc$FzW$)InQEiTfsYHGsfO@w3dkL}KTm{oJu|IvRlfQ#Y#lJ=_cwzuwY{CbM}8
zqqL-oP3ekAF@f>;IL2bsEDU;djyXiuEbR+K#9=VS85{Ak7N=Xdv9QKhZajx4o-j8?
za~$z}dUaZc^XPz|_i^gAEEz(DtJQT`<{~SWWRAG_=OpR&!t7xj^UdI!X`S_SR3D`?
zGbQ%tUr=09(+8?79e33_tbM_P0E)65epDN|@s-Nag=G~K<|cC)EBQtVSgA?do)k^b
zhn^qQhpN+0Y8MJ)=Lmw<YFg6KT}3q3?qIj35=viT_L?sFV(z;XM6Gnfr_y)fD74{<
z9;FQ2*lT3f`)szO4w;W8zm(Sz`NVNLw^P=Do-P2lhM<tEaHgNNXlhhHP+K20=ep@&
z6iVv-MF;djC}~)y1c6LzaSl{SHEVC!>x>FbI#Hpe^2C@XG16*2$U6K<{{Mf(*uT<$
zFW&$7B`9KF7pD6Pt>=ka=O;jOO2~>MIFuz3+)fo^G?~ib+>uGCHt1epjiDL9p5bh+
z_9Oe<gB^BH{+o;mx_~)cKH~jZb<rQ|vrr!|H)A>eMWdb5h1O2OQ+Ax+`2foV7?J+K
zg#6mGtR-sd2w(%%*H*S*1TpO&mqp;iHm_}B<ZrjKc`5S1S$fEI8mqLLd^kf(`x(0Q
zyu7-c{!}IAmJ?)n`Qqx497hh!sMT*-pmgnMKQFH=x|QV<kW!6L&A5fW0`25RS1xEY
zo(%|=r(ZOmhrd(vwkp$5+sIpbDAxid5KUxli3Us-5g>*Y4tnom0+4=>L!LO*Q?p8?
zOZu>D7>+VrQE)U7zfAR6kuvv$IFmQANg(=O{tEjU)04ihv>J!R$_P}!W#VbNCnNyO
zdYgFLxJ~mrfJWg9(YG!&TPzf^Xdl40mba|n273b0`4sUIu~KQ7x^CzWN>?tN?6B)S
zMs+*>(K>Fjm+e;Y*^MG_{-Z-v44W{EcXt?N`L3(`h+7@eslRwA&+_<ik<+Od^VhPJ
z+hEoeMqS&EXsl<SkCw#jE{8V8mUcnYjKFFr01)@WcsAcgNOAB8YbI0`nO!@*7(QV(
zSirRSd=FZFaBtbc?F4O!Y3RMn5t6xa2H~{yFtfVH<H51l-p%*euTN}LAyw_Z*tMUN
z|NnLWC-Gn0|6Tb1e;I%0{|&RL7QcHX7yJf(wEyFW`F~|D^q*hB&zb)t`Ir79d(r>@
zKfvGTKT}d$_3vKE1;2rxlmGpt|4957`p<3I3;*vg;_v-GqiG-UyH|3-Z{X+L|Nema
z&lmd7FCm7$4x3<O+>^W+FUJ$gmo%}Vg-*#)e)PWnoa5U(-4d8dy6Lz{o#BH`2<5DO
zeUHQj>Po_*D20G$!%H6)hbn7tNXX$SB@iKL_R&{S<-T4V=2eQngNoYQIy;SkfES*^
zRg(jtl8s}?r!m5M)7xvop}}<h;U@=C&p84qB8q5rDq}!_wFo!9q@Yb#5h3^^yCZzQ
zTq~31uGLY-+b7RFMw&>M_5`!H?_oSg3^PUWq^k6yx|{V{<3_L6_IB>OEw4uFThuyC
z%b*E&-D?NT0h#_n>}+lBNBZmJCR@Dbc-e7kC7kb4URd@k^=I#z>{uPYU$K6T=EX-g
zS85hhhfmIgAq1#!N-!4Ca8=j*!(liUvT(*ob5L76n!PN4u(j1uIV{0<Tf5Aq^y5Ak
zlS;yh2c`SBn_fJYD{N*T({CZekA&M%)SXCXWUL6q66fNHGS(VQO+frT@t%2HV+@FU
z;(SAThF8fhBpB6F%$hr4&uyRjJ+tqc5#o77mf6l!J2YKVy>bHx;UW;zNG1HXBh-2M
zl-)7tlRL*%Uo#ec+`#<-ZYpZBSN2%iWnXj#e~>P~#Xx!_ubWb38PGT7mubv}VfwCH
z?*&L8+GFia7V$`q$0t)e@De`qD<G;erPmn+sSSJK?<n|WNFOu}&86!bI~^!Vsr}&k
z@BgxY|GW7g7xmvS;pfzUKVbgHMgRXVL1U_sbT6=2sOqvGz*hM1`ok&hakCYZ{$543
zgJfpI?I=k|vr=5638DHfkE{Z5UIcKHnHo1~Fl}eY(j;8MN2}h#xmD?xK@IeFWjM;7
zgi2043x{60;nm^0{H*wyR3cAv<zNNC*I>xvT<N8<fuJfa&|8U2$*{=pYWx1eLtL9Y
ze_FKZ9LO-I>wzn2C2|nr=E+da1x%(qVV__0GU9o^I9y)*M<-(zkFcyi_R(lOpt-%X
zKQe}fhf+lO2}h}M7y<BOBYu>Kwg?ftPt5z2g)|3gsgHXZ0A|!kBO;4GG3tt?0*4cl
z^e2a?Cy-sQ4Ym~zW}v^@ZaS^+VJX1y^yC`xw;*oD{%#Xz*2;aW%f=A!h)xkYw~_^A
zcBqpy>o#|V!+j4q<=8jD)ed1w4A5Q`d(~72_x>~C1D}M`S(ws6_$1<fI7ypA>#fft
zXq9Q=DEUB8J!jz6*`R*%z~>DzlA$IZt(Ui(mPhTNuH0-nXI^H1O5g$mFAuno$-L&q
z&L?+*SMP)fzY5JOo>0$`HUh|gTUNb_veGEg^d}9D=aOUK1a3dhptsNbHW2kSg3=1B
zby&n2`XHRVz3P}_Gx2Eh*oNu+si@c-iIt*B!_rbl0iVwPqGRru?o&w#hKGKVVcz^2
zmrGPWFufrP9#c6G*n9j8`g-E$<bOY4|6kO9zl6i9G2@HOJVG){e0cWewWFNX{i<pw
zHeP~8_WRDUm<LBAv;F)0xu)eF)mrEcZmj3~ULnVinAH;5tt3=T)z&4L;)1;63xSci
zAZ?2p5C!N|)uCA}W7$2rg;Ss^3$wesY$M^wKgL&}Naq?>*)ESBd!)JQ#3cEUyP%I3
z>euCzr2Pq!*A9j4NKa@nK3<S_zx-ASP>4yI&DwLK=YH$y(mED^+GOz>irY!W&};Bs
z8lb|<g?@CpJIDOIzVIef*Ti@1ZDi_9@nV})zX;!(8?Bv-;1KsN9@gr`O)%~CoM?Lk
z)MKNj^yr)!_k0Znp=kB%Ao^7-goB{8d#2}+r;R6tL|mK+9)j8G%uvB6ZSV$0pJkA3
za9YpDRzGUyRep&>>BHYircSX4!k&+Jy@-Eh3+_btue=b_4}mMelOb}>u;ALE>`2I7
zWr=)NSbKs)vN_gFr^uP;o!xRy+S@-aw>FzieD^IT^+Xu>2x;C)B9YvGFY+c1wXf-@
zSaqlA0n9d*J>*Nua1@+8)a;&Zp7yXd4*3M9@P(#qIe?V~>9%#~Qs7XE70t1<cI~+a
z9F<s?!Kd{vv?$yYdSFcHTuWWhDiAx}p-f&-g9jXxCS`$`*<O`XrZ<iPZBcT1+zA#F
z`P=?TlOU_Pgv<?H&cK(T42e{V!JpIr^#lAr7yAD%!8dj@dGHE-N-+`!DdEWhc)IF@
z*-}sVXES@8yH+~X&k@wLyi%fZ+&uGo#_hA|JS5%`2IO)fJOHbjPoAes9yDnZt=~2Z
zO<)`V?3HeN#OMqT1-%w0xNY_@4Ga|BCvSGIb)mIiogxExx@pKtWKCX?$XkwYac>fL
z#}~2<Bq`c8q6rG(UPVHyd0fg&o~W$CXbjojPVV{7p8Mu4((1{fv|<IgYB+5IN|2=K
zT5(d=uKtT!b`F0IIZsOo2N=Aa%l|BoSWIJW)}r8>r>+wQjUm1qJa%_(H-7ka^uTfk
z+vjgV!&R)WOz1nHJN1d5KvxmOQO-G9ch6E_Y=pk{-fB+J-q%5;!U4BJQr1tsyIQ=#
zO@2E)@2gSAquia=b6^NG2`|vPOS3>Zk%KG+HM(PPVnf3;hFukxN(Bi<(3bl!QsWlE
zYEuJ>!nvE>__J6#N?ic-77yODA;)d@jq2y_=RuG8`&2_mmbXc^GbkS#;UAg^xga-!
zrp-$O5abZdlhXphvk48;=3D3+dfQ%p1ht}Qg?R-b+h(EcnPg3wr&;`upDB7tUO(^M
zi&~g}$;P_y{WyDE{QkHEu+L01KET^Pl4ne*S)8*LOA5rZghY)mP-DzyP7~P+gEfv*
zI?JQgo~w4Ltap2<`JQIYPwiRHCUD23{iOb%f5h0o+W!~xKYj^Jpj&}cV=+r-mh$?+
zCZY@S#i9l2q37=a><#=`VxD2j4Nv2$Gh7)u8A4NxOr{Q7K&A;NI_=<I<7LlqDC37H
zxQR;A%kUX3EJ~0wAju<lz|{!e*2VNxrk1QDZBRs7ACex{F7J2WMgBZ7XqxtQ<(nQo
zMD6bFJhdj{Xhb7i=xPErDlXS?CqJ_AGb$v9l%FQP+UfcoLa>2gv;Zm(i#D~WxItI9
zE1=etJ#MG!6ZjShR|dh1x2b1u>^DlDetS<ke0Plu3Dfph6+RidYB2TXRC#uy!NeIA
zk#bANNjq39FbbXOU*5gub$7~Rje=~-($HJQH(oL(tnzeUTkkWeOUHV(;XUQ7CS=6d
zjMehKT^P-Y`%EA6S~BhfN~<ot`*nS(s-g4;DGP~iOPH&q){>)(b|B4E=qz;nhV3m$
zZ$j7Vvg_6a4ABIH+keu@LaZw$>r@rgYc7!vai3~&N+zIFv>ZN3g{1wFHSKWPNny9i
z4utzg7#fkc5<8K}i9cd2PE2RHz0*zjT0plj;I?GHL|CNO5=ze{9V^uLagVmMPcw!>
zh#0p4v4&;@0pn#GWp&NdHD#Fg!=*TcISm+`Zsy9gIVD`5o;O!U*-t-4G<^VG8*B^n
z+xM&HNfINCT8Dfaa@-ZuJr|BH@g}QzL|tAHkv|~xbMk-bf5h0u|Ns9l&(0{}sLl-z
z3Lri#=$eUdhiQ1l%}gs(-Yu?~cV13npOyEoQ0@_tEml`J!B&I%1Ge;PsgwyRHf{Y<
zKg+gFb=Zh+bR1%Pw%M_=@hd3=o;dKF^6I7iq#cs??~k)!lcIxfE}ck69!U@D8q{lG
zv=0)Y6K~SeIw$F#7m>U~4Khk@2_`+&sW_Py_%KYe*Y3<T-QLaG{R!?K8(rjCEG|-C
zG;+lDc7iK|O)jFLlFIz#lN2N@6<1{k({KXBd1&4BATLv?hYMOaX52yY@+eJa!SxIC
zPm{)7%Tm6n(Ht~qxPAG2s$hNUgC`Cdk!3{Eh-~xbxk72-O$aq^-+1K;jc5o_hd%fg
znB1b)md}BEs^HGb3$y2Zbo(fh*~YIc`|^|u-O8!8jJa|^Fd%l!uilTev0F^OFiRBE
zMVi8D+*dmuZwKP%3#}2)3pR21{zNSi=A3J-dnRH;Q<#IMp$_!NiiT<A*3CJzx$}qz
zF5SyEOjKD|zkU-xJTV-naiay=M-3FHIVE=_Iw+LaJ<d`{@AYA{B4R%0aAn0{tuUq*
z_Yd_Wts%Q)RSz)I3Jv`ti#KD`7P)9ADbG%1X=l5vI1<?*5ai=?$4tRi=HokO-c@Qy
z{ZUuwS6Nu}rmqyVTerDLhNQ>oJ6WLJl`0SBUXkSoys82}`u%sAi}zptr}#<!&wqU5
zU!DIK{hz;tPh7Im&J*RVv_=-ZaIvNTuy>wOO|DxWmo8$Y2_j8Ex<DW_L7H>|DAGHj
zgAj;x1%h;tC{>DdDN+;x=^zBDK|)86YNbgD1dz@gk8@|%nGbW<^<2Q2mEV_q$h%hd
zTKnDmzw<oL-p|LWZad3QxqBm969z%#ob8w`P;INN!su*$yrV+_m*2cOjTkVQ3(Zos
zA^hMOS5l6r%W||6^V=(O$>b;wsyMe%KyaC!a8E=<1KxYZ&%#dDa<c6r^p&c#cQemc
z_wMs&tXF)G4cza5RBy6bj$N(iX%~%Wx)mmhA)dX<yj#gWW@jJ}zNXwR{@JqlEyic>
z`AdxL9JHrwW)SEEVMtpBl?1=U(!;u9-AwCq01OkJ3Td(fBe4DXT?au+)yoN-W8#bD
zTSj_%AK6KUY1ge<4@S0!M4F1Gu4Lk8pi_m|2)_1FEGMa@v|APEBE$MO^!izZEUq?c
z)Nq;8%gsa4xkcZxz7&R79d{GLuxlW5aa2*G2cu9VTRz4pKLw65HJjadbI9n$p%;WW
zoZE9}QPD2w<>C$O?k)6IY<|V6a_GL|VCE90>#t6io_BG0oa0GK@A|t1qF%Bt&P@;*
z|GZuvexl&RPR}r(#|6!_+msU2Ac`HsITlPOd(vgA>-wH@g}I?f>F4|KSLWBBXYN(W
z?l50dk)+<AVOUlge!$nEm9=kFnp_@H%Loqz&JJv_`_$cMzs@6|3cknIYrfjm4Pz#J
znnf?4>Os}Qi^o&T96$8>tSMqL-tp_|0Ed<iMIJ{l{%Z-<+mDw6kEZ|Q$NfKof8+ii
zQE}Y;kH^H%^FItR<@G0R362xsX!d`9^nZx_z4<S={*U9~XZ$Z*u8lfrOK_Y3N3;GT
z_Ltwlt^fYMbn)*az6?6Y<)*wK&n7$V4e$k!+yV2Vwp%SIGh!Xf68v~m6HJ?OynxY&
zgxPP6Si1m(Lyii`y437~y;RE$wm}*rSE8W4D1>%%$q@4E(qTVjnxh;7iQi20pSu3;
z#oYWEGEPAqjG<@fG|=)|Uz-DQ^=YG5Sn>_REdHm`ZRf>p<upnspAQHq7dOqkOlNGn
ziC<X2kyw(kVcG{*JCp4@NOOOB7q09X_(EMdV=`>)!=1p6n`xNT!YYt$lwIw8f3Ilc
zWW~Z}`w*V}Ov;|B!&~znl;Me6W7QM}90OV35+gqN49#LKw!4vp2F7?9hwS7mV`BVk
z;ICwt_cdrs&72<Sl46A-*gPMz@FA3kgW?Xp7izhF1QSJ^x$Ewy<By8YCSwo9Q?s<~
zpd4SL6d0QylvKZ~gFG+3VXg?jv3Xjd&=KNQyI;O_*?!WvpmxrQhWQ@4qbnGc=Cuza
zm;n`HLWV80gRKsWD#ff(F8LdPwbKSM<s^J(Cizx1(<brq42Bz1gVOQni$<4NKR~n*
zHev{u-QgQj@uapsB8GaWu&hQV+V+gK^abm0XUaN2h6m+qjq+yZno-x^Fn(;bkxw8n
z3<}m~{7T>J<i*QPzCUet+C*8MIy44>=n#)SmBoB%T(RZ+b3jKXsx*BWyJiArLYX<Q
z?HrB%gZ}c4{X+cX=6@d(=@XW+3lk5kZh;|lHq&H|FF>3d1Eb7JsWV<T6;-h|*Hvr+
zJ`tZ^eCgtl*etLQS1QUeT~95}zrsc=3>%L;6si|;&vJ#*LTD}&BKIr|2ruefm0X=o
z_PZ-<U?sa}&7O~>BM=0c#Bd;Qk6DrVFsi?k;ufCb%V;oQ{uEK6nADg`rEH^>QwdpV
zli*542wh%Prn*S6>26gLoZ5!sgjsgFROfB?+VS(TQu~iUJI&}ClUD#@<(l*_Mz7>6
z@-1meX={?=PuPuf>7Wp80gLpirnj*d=k$j2%{pILrZ7Ca@?rHOVSnLxvWo;uxm>qy
zlPa^CW^XuaIn)^Ht}uM1Pk0b^%QwI|^OY+#si6}fM?aIO35+FAkpsQ#V{#359CAnk
zY)@Svx>f!qbvA%}PVo`}Po#Y5X9@cP?lY3ty><9C>zTQ^Tn)$Uw);Chb$D)w1xqiy
ziVk=m`1Ub}LWAds<@wNJ|KUob%WP4^Q_z^4#Y}nrNF?PV*+O}{yc^J49tk1hM%DUz
zY)&>WdG%-0ZlcdUlX@lb(Y=91Q*2I)fN3tpop7u%uKBb6bjSDI&!&4hqZsU{hsvJf
z1rq(P1);BfG2kI=UJXIqO8P3^nCqMeWRVCUZvBbthVWkhOBpP0LEoSY{!+PPo37GE
znSU(z{Z)n6MGi-^|NEo=5A-+s|8Vy|9UDLE|DjF}zLT~D#|iLn-v1H(oA>{Mehhy7
zasFQ%cmMCP@bCBke+$7MF8y;O=wGP+{?q?re@Fl>{~re-9>Ip-)n1m!gt&`J{1{(g
z)txA!hsh4yEj*IG53InM?tr916;rCuy$=SE4j9<A(`Qo;A9;G%Byaf3JPAE8#0yqN
zmpWTAq$j}Rnm_T7=6DCN+K*A)Fg#_xL70j0&(3BY$+8firiO^|iq^}RvumRPwZOIy
zXuAH0+_IJK36F0Q{`Hjjaj187Tuk!BD)*jm!l3A3FS<GLcUzXVVSotD5~fqttY2Sc
z)C6Y9FrP|PrzYG0Xe+{OU03|pyGF9;snDl0GiF%au3vbV{%Wb%Q(UgJ=edge(+B+X
z#-_HeG->K()B@Xq6YDKmcfZIdr}89*twPn`-f0K62ltuTrmep_kMT2A?QgZ83v)Ny
zf#X%C$BS^6^CUH>Stq_{C8+Q;G;Ab&@)~6;OA%(E8`n4(9+p$BX+5b!Yu$VwdwD|{
zHpB2ZPZ~L#+&+3fN_6`sJ>4#Kul$1Sx!^LhC}6C|g#R0T63td%d^vgUU|CFhFfEuP
z@NQ#+v9=2PtQhi*sY9rwHo_f5V%<4TLS$}PxoITuNmrvNidPA(RdF*+9JqX~r)0@v
zU&`RE!<7{cWb)8Mpi@rI$R|RyGtc{u7)cqs7b&}msQ5zW9jZ_0bLvgEF4){Dx^5d%
zw0wRE9;h|}9~gXlw!J-aLn4pzG0%ICkNz#A4O&MV|6;!$|G4_^Sm<uU??zhk5kdoO
z9zPEtR@yi-o9~Ud^P~spxQ(yPOcx{76qvt{hMZnDsRMe_e#~R!@jK5O|IlyJdC#I1
z5p^$xC#Gd7(!<aiGu_rs?)~1revzW8fa;m!1L`<Yy+8{0bIxJ-;1$}gbpgPwQC-X`
zW-Yu^q2rD-FGAUyletgK4y{3}@s^-hHaoy%@$v8z#8ly4lf3K!dYxWH;-=fhzV>j=
zW*WFPNdzo#&D+lF)K;cH<+cDPpSVE*(!{(dP&e0QW6Xv8brQ1djr7-S?`RWp)WjD1
z8_Xq2Nu|UM0r`g?r&Uz<^$IW$d`H`btF+>Jr{GVKola1<9U8h0d|G~D2u9h@yMT1E
zFC!-lv}^Vq6(5cTn^e;qklH+jFBC=}wE9F~dqhgVQiR7p&TLTinZC~zMwGHUJ8xPv
zyhX(`B~d?7KQ$j`dq~+~qjmAi)#|$5U_#5F8)KJPpx^v;Nx_h>^>zv4?_VMyyw}_g
zryTBoDBwJ$nHe<2;E?7^81=wPZGm^T60PLnw?y5;QYUjMa<lQO+lZ#7Z(PDfAEG`p
z-=x;352$%AtdzFSFqc@wd7Bu<_3wsYCIJIICQNrfiwSt_lOOUKWZbyBr*;}N;KRUn
z*1v2ZT~OCA7TTH`nMD;)u?V%Ibf+WaN<4dkv^!1Y!1>G*0iXa-PQ%s3Uc=GF>4@I3
zKjU9S<R9_=KR*S9M1}uS3knJeiTybLr*TB~{DptSzniP8$N%=+Kl}dwC`X(Bg~cs|
zM1}rq5Hyb8j^ptEzp(!E5B(Pr!p(m;9)7O>h~Up~p0p)6P5_+#<MjXN^1q1ikNhuz
z)BoR=<M974=|67%<MHrQ|D`YJUH#|J;`o2Z(Z;{TpN)XH_5a@&*ZKgODhCFs6+K0|
zrAoNNq=d1zaL}WKXScK1;v6vZcD>t4$g26ydnpf{ioL!tP;-JR$4lCuZ>U2<ZU(;9
zJ!2D4F93f&_2`Cd;>xZoV)imB!vC84y++-{`gAG<VC#kTH7M!9;X?h}v&A#!P!!)Z
zf1}6N4D2x8LeXce)VuE!tl|_)2^~ddHZ<xTKap&FS1Zhs{mqBG()6Bp8%q%BVnT)K
z{gIb@n)>%ydf$#LofE$zIJTR}+gXJFbkd46PI7VhTicZz$$1H-T@g*ONa;KQXVkp<
zGe_Dj8nPz>z65+UXTL}lxCnY`;pM8!Zqf0U)jVsd>m49`?W{)QCUxt{r5Y}SEi|%a
z5=A1Aq`d1f(`oECnOx?`vvZaUmN(N}(D}Vjk{p}y<@ECaGU_*peF1(^;~k}YN%z!b
zQZJ~neRG6VK}kQvHh6yui9ayRe^cWqulCX&rAk)-5L}nayVPaTLrmR_&&;Y%YaZmF
z?!0L@SOfNUKaB0Y514D3P&<XPAfcVeYM_pw&v!XH^%*d7V~s$6CqBa`|57;1ZD?{!
zMY~t0nW>#}*^Zj&Og-Ng2;h;34I+_LDE&^S534ir%L=ien{AX|6s?#ZfhBD(;ctQs
zt?H#;<Ty)<Ij0SA)!#f5)2<UFZ1(ZtYv>fEBCz2w-GxsASO4Sc|D((QSB3tl|3t-c
z_5W|narpn2>VMq+-|_IX{s&Sf$egq#I8FeZ{^Ruj2+w~B{*nJdVmST(Z8;AA|BC+O
z=6@a&KlOhgrd#}<Ka1o49XS2R>HiV_{}cHm|BDIY^#8ZzSp5GB`VYd*|2rOj>VH$S
zlk7=bg5v}@;`;y37Or2~|HH-qvEZXfYYiW2S%06^CB;2uaj7mNcf`27SF@0S)rA=t
z3%Bn|+%FqqH7c;EIfpM&q>?36Gm+gkG9I%|OtQS->6-LtK)=d59uNnM9H&@@pbgwP
zc6K~Gv?LxmQR}ZIWD>h4-PUrEy*9ZkB^tVPGe{(Q=V~I;qD)SJkwRC#e^xwk-?D!^
z0qY3H*w>$0o_4$h8B%MIL(t}~l=0}b2HO?&a&l)h%**)OCx}S#PL~$)6sWay-v*#M
zU4m>t5x1TPV#FBi5!Y@b-Wz@4o$c38*|GB#qP0?OM|w<bB|5pr+yhD<kW+7v9geZR
zkY75}&M#x-0yHuiMFmt|YwH5D6w77vX*}stA`rQR%%35;Ee(Iv-Gv5RCiC;QtU4@3
zp-goTA_!fdUEcx_o4YNQG3KgRbGk0okf@CH*EPnHYa>f`yxJ2&qf<rF<Ksro_1u|H
zL{>)F?979csIo5A!uZw2RB~-3gKN-?<3hDkp=>-o*Q1v-BW+$)Xj$O#eK7XpdIH{Q
zpnY-CP=iq}UPiE8xq<(JqvYvP7ONVCm6W=&s$$bUU+DtpgFPPJ{5vIU_3O8wX(?1b
zGT27xvz@DMxjRCWtDoBh<D>>fXJ=w^yUW2$TvK0Dq`e<mI>t%V_)HFI)P!MYJxSqK
zUeR490l8xzGoS%HkLr&2{Li0*U~uvO`x2TVZ@F|H^8RL0YCcuWDyf1y&pQ|SaAag#
z(MxyU?*(}N*&|&oDPhbIY1xAWER#*QU2EEdE9jOX!1%eom)7?x)OkZzGo0lpiJ3}K
z;jY?U($H+)O4%k&%cNZKEgpKYF3XI_l*($p%XQit^=j-sfW_kA*IzzljwL0N=~RIA
z#TV7@P*cQW73Jcmf;pyK?)C_g)^JxZ_n%|6i1gQB=8~tX%djuDp%FI{w1^aO>1SUc
z=>bsouM?T$&1$OOvS5;Z$9-@B2g33Lf_7_`#~F1V(9FWY{NP540#jAEH6~%1Hzf86
zT~Hv2OomB_62h2)Mxi(;sEO=db#xJI5ufaRljrv6&Fzqxlwq{t{Y-uC30e|M)PJyd
z)=yElUmsU)O1f4-LL?TXLu%=i1_9|72?1%AknWW3QfeuYmPTno5EkhrmIevwl;`X1
zug}bPh8Y&;dG_@eTsvpZ^}f#goIM}=*D!yPQK?(7C{p52hn@Z?4)-EE9p=j8S}&iN
z&x}&g|I?a#hq>@l_%xZ_Pk3KRxYug9u^9C=;M~gJX$C~D9*50*p8<-avdT^iiF@3|
zh@<me?NVQL|6^YB&K8Jhf#~j1uiX>IQ@}Kqk9ggtj@;`J@4#(Vx7b;W!ySI?1G{(|
ztyFZk8NOdKbMkuBI67a}RY0gg48x~HVY<QEl|@3jFBOEo1P!UgjRRGLncUAcTqODh
zeN5g*6Pu#-TRo!$`?^<`8l>ZxmWgX|px+S>kS^QT$$6j*GzHrF&U!cd?q2i%|Nb?V
zu9W}C`5%Pf3fheC%Y<i_pB%YJz!VndjeRJ}7|DA)1gtUczbMVX{y_Cv)HpPfS+0Zo
z)wb-tCY;svL^c9E+3gjh^t95?%L;>obj=Qxo<G~1&US4mg<{S1w4j@3AL~lpI_+JG
zK0_1Ore%i1Td2N>d3OWFcTThCaj|wseoEcGw41YVbg5tNcxM3J`=ICjLs(3>_N@MX
zOmtZQT2{Bny;pgAm;$C>2||`maJ{0UXcsplrfTg#(AO;PT_u=a3j_%p!Biu_0v3ko
z7%Ka4s7F@;d>aSG#EyB13T_l(`<cJK7}RQ4iTj{Ayfx&E^kY(<&_v8#o*{)n&l7(_
z{WbGubZ#Z@oVTxN0hhKY>K6iYkH%5Ahb4d#d6nBXM&>_6srE(68aIECh|6`Cn6+u{
zGmqssSUaW?Z5tF!?Q$s17)$Y%Or2wJWnIvyGqG(?Y@0K&ZBDF-%@dmwPV7u<+qP}n
zKIi8BZr!@y|K7d!u3FXF-A|Xm9O2g()U^?O%n?Pa&NjZYWDFQ&^SkQ?d>lM>9LusC
z$_bCBQy=yE8hyKZ2qn=QH8Lom&T_owdY&sX;M2jb2_TtB%lQ2XmKm8?v_R33AZ0J1
zo_;Y*^o%x7J1Cz~wpe6|1nHBlU<ZMS*E6}MNn#;H_AbHRrWb-Bsd_NuUvMtQg=~i%
zNcN@`CnqC6L8j=junf(QRZOf*8H>^=*yQ^fS%_S8&CBw-SA{lRMa#444WFXti89Um
zoPKY(vyBp<PYG&Gc#A_N{YfFmk-}f;E|D{B^`QiBN65NnKyA=@EjhfA0&?8s7)BP{
zyP8j%QXNORY_f_nL{T74h)w&+H}DvU{VSSw0(z=gp`}zK8w<z#p#cs>u@QgI8~=`^
zBvKG9D8Mc&%i?0cC$^17*TyJmYip^(g+l0J0&c0nE5T4}G`lw&({v;ucjJmh&x`Yc
ziF*87N8Wo=ZKl@Nd=RrUt8sAg!bwgiG}g1wO6|$<>r|+``b6`bHGZwvuzPxu^3&t>
z&N~t+0Tkf*S^yy#ceH!uIOgzM@*OYy-9JppyxT6E*t*0(_A&YGW{=sS>R!_EqXC^?
zD3i+pawhb+p&5<xZnP6y3MS|PG+`Ul<iErUIXQ1kuXf9yJn`#d3g3pZ70HC3^32uS
zm^tmcgdqY5j^2sSNk!DljEVF<gG5~$77}q8Ml|u8stt$!*ee>;fQOC>n6WgCu|h66
z+P`l_S%LDHwDZIGc{0f*1(lv_G<(}mMl~dMFwzlqD23tTmbu>jvvGWH?f;M#N&m|2
zVkqfz@)Jq}XDR-Swka#g<74p?V5$E?6e)~w&QqQfgfhW|ly!O)E*+hl6;IylTYx3o
zRcg#5B*vb|`L5M21v!ux!y0}LC`zoavGpcp3Cu)JdeWyzGQ;4LC+nqep$ofKDoH2b
z>fJLvcy+lVK=UHtiNArQKp?*JFZ8k@Qy~bn92ov$I0!lxy8?(K0zN=A>KnBgLU4Zw
zz)C?<pWQ>i>+4UHj*(9i0CRXaDEYsqQCPo#cMNA*dH+jp>NO6u0ourv`uswdiG5V7
zfyf_8zT`l^W5{#<m)y`h=ov`ObO5aG#t|C;$-Ko~fXG9I-xPbsK!Drf@2~cH_aEEc
zv>%3FOPRAkKd(SP5dAjMKT_@+pnT$xFR~)G;KaPx%n9kTaxby~N=RWjrEt@UndWh6
z6>isPG9$Z6YBvu^h-c7zX-Y#m6XGRj)yN?z`Ke>)u%NaJHUm>9rYV0aj*`E4fBL<w
zBm-A%FjMtXwgqUEu;GovzZqWq6|O9$Gr3jRREN3FaDi4^$9!iR&SU0d=<^xZ#QLpZ
z%!t9y4L58$wUhI0;^6PVHT{Tz^KFJ(O%zU$erdMFx5ZTVIpJoUN3R<F54H-FYnz-=
z-FS~C8wcgm4BH*2>&oqaF(du&Nxtn+jh^=4$i#hWcCUN;7TZgNrh1(tumWUKFB8Go
zdM1wF8qFFP!eSBgB37va{W}mKN1^&kO7a6<P9Rji=UsQx@TH*GyPT-h|48JMFtDyS
zIpJqxn69N6Z97k;W_~ZKOpxOoUBR=0s)>nQu!@sA{qvsft1EA5`3fnul0ro!@W|gY
z5MURJPo(`Au3?SKotlYJq(tw4d$(6%fq6F9>Xu@_glFhu%y2x@KX8s({TGp%N0TSx
zq4uMfSwZl~DpNtb1Mp4jFQr6j<m}iVh20=sK%cIl0mTkCK?kUaia$HTiD;%kSAM~$
zG+;{p-8JNschIV%%2V$Np)!*gMAXU3>!~$zfBntHEdp7XgtK@5Zkgk}o#aJmWpoxR
z-%2&}7k&%^N7vEkwq`bHU*rjdCeqn%PK&?3xe@M0uSwpQB9en6Lb7*9wR5Y`$`g`j
z7{qBDHg$M}9D#8zF(f5sz74yl$WPF%<O8!YC{#o(C5Jk|<k(H*^D=8^3yIhxotP4R
z_o(JZ^_X`_Ef+6W#}LbFHcwZI;*d>|;i33Dgq#4*sYhJDr!XOM2|<0C_z)>+w0NrK
zbol9-MW<p+ZCBkRTbH?=Me6+aex0W&Ucr|gaSp@!Xu|xv!fsMgEuopskI@pQVCa?E
zW_Q~Wj|@Wh;O8IG%4`haMU9Um*+Xku)`VS8o0^6~g!af1;?rLSsb<xOHe|E#Sxc*#
zS*S)U{t-;=NyxDRB2{1Zm*kk8Nt<zoi}kW3py-BIttG0Ybl{_<(Zvj{T8sS=c9WfC
z&@EB%q;EoQ_jG)^UM;c`YqQJww`Wl2dp}Krq5jy7Gpzviuarr3$-lIn+4g0QGA4eG
zo253ds|ltOPQ`Gyju}~ZadsMs+EKZ+DW7-QOt4DiEcSFKAia<u8FIt);Q6e*Z}BzS
zX1-$Oo#;WF9%NADVyUmTv?jXCK#_b>r3yFFHT;L)w{}oerz=;O4zVe_Tb;kXt^<u+
zc^4M=0z>9p7w2y?-8mr;((;x#I!&EAenYnyU3W(^aq{)x2K+%5;u$aBHJr`A_o^A>
zv5sS%QZ*0}G#KWVel<y<Cp`z4egb0d4ZEMa9mt+RADyIRK+RGRZ#+=g_(c`8>>|JU
z@H2h`QtDIk48-{+-2G{2_hsvz|Fd<YAju_A_!plV1<~}+#)EYH2H5|IJ#K=0z`qpU
zlRko~q0nx-BZ1_{AhZFJ&trE)5qvNZN$b%^_ZyJe6i6N{VqJz0HmTPbi_=*a#&VB}
zb4?SirPQ^X(mazz<<mwA9^&7E^6&G=Ljn5<pN>R(b@FGbb~1GQkSI>B&Z%WvrQA;%
z2}nj+<(Z{GPVzA|m4rtE*$}ufYNR&Q0t0qUdzGa`+>b^B8wEY-tk67w#+s=dw=?XP
zBJr<5et}bPm~wHf?Du@A1TX@^5lwp7#X0Q<wI-d=CzWKp&j+meqd;go$G`(Oe+4z-
zwyq-2`|?hcMdn>brCQEt_dI6z!v0V&`v!zDW{ibsxpr-@ef$Hl4}$T!OfD(E^rt^q
zdHsYlCfK83!Dj>X>BsTtdG?3-6%IMXf(BE%gEnOS(ajqMa7M1)E`n{-HCOGwrR>+6
zPMJL*8~#3idve02mjOF6o2Y4U7513&;%m&+a$CRqXj4)W)Qx_0U}1`i9J2RsFo#2R
zmty?qBS3B2?7cFr`<^K1Assn>Inn%`DC$6$e&&iv)mH`#upfN;JAlW7h{H>Tg@ooK
zOCTZ%Drp1_&t^%SH`|`aO7=*7qEbjOPwh@^TMSTPZ4D-ZZ>9w-W1>|H+3UB9qAJ}I
zu1{0{D^!-`VueVNW{hWaOT4x!rhB}^Zj|pTcg*Qu+{V9HO<u22M`6N^)Ji+O%a%yb
z8b?J|*(dxbpw4m~dz|bzpo}_~?=3KAs4hqE#ykERaPSVozXol8<_wPjx3>|<_5hTi
zID%3T?C$it@bqQyeX(NT0d&g|5VUv<`jQV;3bvBfIT-IN&x@uTdnnVNr{~RLM`5Gi
zG>lF!dyq?J_ooyxJ9{@h|J~%Lt<fzkB*f%AG^4?-_h=#>&Msz{|79CJxbJksr~WQ*
zCB*;WFDi`U73Xu0T=-6It@(iBl5|DG_XiznS&2)$Yw}<yg?h->YGZ$8!_RnHLkuOI
z2D4886!w8n^acM__ZgwN?<X|={*BCZUhO~K?IMUP*C`DMP-~{Ab(~^?fSq74!mq2C
z^Dx`GeSXB0FIEw{jlj!Erq-Z*QB3;YN`v~eVEC>MkIBCyBlw3mGtkn>a^!#wWzg+Y
zLHK-8y^&Mj4<8Y9Zen=NzEZvg*iMju4`q(7S#54yX0)j_NEEhs4O2+{?Pn*ZgA;Kv
zc1v=W0sE!g_jC=yo}1Tiu51hVI*n~@Ev#%WAH5tYo{8HEUU?ne9iCd~IJ}u19b1HI
z=kC7>l;Kws8+N*q!Y{m=rnC+HA(V_g(jO4s9f9OB^!6K}c>7Jfxg@KhzEX^sA7ZPg
z1J*Jd2l0e!HnkN=v~f*lXP(to3L=yJQ=7RRV<!C~N{q9gO4_O(9l7C!p^%MMQVCt*
z3$1pvD1vSSkGhw01)r2Cm7^S%BeO5OJ;9oK5qYPjqQ#%acA2z|3`Y;Uq{7T-YUWzT
zyPHXHp^SXN`1&k0M==8(Xjr3d1Q?&3(;(ox@+<wJunGtb+&M=`kI5Qe?b~#3H~&x$
zH;)(b`HMq)n_XsOW@Ido%&X^TpKbhPcH!1X>I--(!c{oz7ZAi}NB2*yL9V8NBtwaZ
z#jFLja}|TVH@Up<XO0>46}EdiWgL=zWne2dMOX6SEp>A4Os-8BA$^>8K?PkNw!o|o
zY`xWBA}~0+G_1L*0xf&k(98$*n3tJ_0A51V15tsLux_>(38wX+gFDlivjOS5Z9TQ=
z_89Z)ss$q2f#-6DHS#9w?wqZFKkB!y^-fS-?}5p4-}&3UCXibX>wv-NqAw_PZ;xw~
z;3nE)nDRJRwV5%509?ck)h!*vlOSaIATxsjR^PbHgN%ovOw{@mCU`5IDQh(dc{wLr
z>))=LK8uI00r#}=Qyy0H(oHvWJD$$2_PvC+sdUHsp7q%wjemMo5A1gz0i_!r9k&a<
zpHC*p*CnmzuMJ%-Wc68I4vlF1{i$;^SU2n9vzA+KQ@7aKs=hCWo1g3g9}tH48vS88
zBd=ZR)JYY0&6?wi_esKT+Yh}jCteqES74(ha2v++=0C0G9-NA<zrl5o3R4fa)o2+D
z``u!9_8X=vuyj34Fen}gmFyGTC(*p36OrV%q+pro@$<MXnT^z5@XC~?Fm3VbJ7`as
zfP{v5YJw4A1g|~iv063}&zDb2;x(ie%j)=dQsAyR&q0gN0P=g1@1{u)j#|d)UiLMx
zEHMk0SR;9u1s;ov-VOG0BZ%R@WQcWtfbaTm)Tqq_JL{^Aqae-X3s*_CG#QnJyYt%B
zD3ZgZM52}5@l>uxo<A&<D8zD2q;z)Do=sG$*Mf|$D{{&%)}SV+3fn0QRe#M(k+&qE
zinZ}4p%?y)Pf-%lfif_VIlYRl<oM@Oe~KE9%p2DKdOP96K2gKXe%uNSu$bJK)>+nh
zj?7T2<b40`OBl)eST<pG$%c|}z^*}XSyD(EeRp%qdCf$yx&@fOBZ0m$((nk=6n6Zx
zKaRG^V^NXq^l$@r<+2Ny&K;op+8_&LakLGelw?xHR9~5El%m}$F$=1s;%i0Iz`k<h
ziKyY<idt}6{(hk~p(4@k*EE+o8MgKEDC(>Rqx{RrnY!AADcP{YLiyB!vbdqTb=gAr
zDD5MN!6ZIKYevd)R=U0ns)!pqu&%kPEBmWKf90h~vu3~uOL3-#oQ#ODP^DbX#$(Di
zsiT@1Q#ZKX{CLc6l)r<4?~?o`mEz71gJ3^ph0C3mAe3%aG0f62bkmcSSeDK}!dduU
ztR%|T!M{H+u(|l1UZMXawtqyz;?^ByOyL7YJYI$CueHSj{(2YZ)iY+S5a$?6geI&P
z@w<r6Q?PBL;9kTBPw$IqPbxm8?ppMpK&;r1(Ph8$?jp?k3Kz_ros#qUX!*1H3zU-?
zU04S75pAo}_@)=9PbIPi3FKCS*WcqOcqn-$ty&+i5eK|s%@ViLN;6cc^wL~HQ0VMY
zAH3c3GVT$?yQ*KnahL;;9Sf-6{VxdZ+Z~`8+hYKv^ToaYL?NlV13>)MTMM^?0|N*9
zKzRW{Zv$EhL9bw-ZG#;&kj-lj&W*5M%bhS}J>tJFFgjWf$RA|y@NwKp2nzWI+Sd6W
zArizF5+=P@lIQAk_<UV(e=sl*1hBjJtvdB_J2>DC(2VnSA|LP=Vha?Eq6rkXotXRK
zA`6BJwgcz^alZh^&48(2nDzgAWF;uz9&oce2Ff{gKStd|2ZIEAA-Mq|WrNx(Kvb{`
zp!Uula^SMg7ZMxvpBR0+sN?^7|7!r;$25?62c(Ojw+G026jlPE2<g3c_qV`@o}_@0
zg8k1I*nQx%Zh)}BpFsA^H{qbhB~Z_Q+5n&3Ro^zgzH>x=8PxVM1ULbK+&>L-LH!{K
zbelZLO>iMFhOhm=kQG(mNp<M~a0G;B$C#1>9%=V1I-}6&XwDG&uvbVzVfPobd{m8`
zhu@j#ia*)RSTA>mSD|&yld|u!;W52;cMrY|y677`V$?Q4`j8L9ChIk`$1@}wbz24&
z?Yd~-BtzBmMiU}juyvr+?TRz%Se)j;Uqr-CFFE`!BH1&LdKC0ZF<r-KpHZX!!61Qe
z!^Kk<XwogurdvqE@xta^L>Ze%Q##G}YBfCmaYyQmeG)gi^tW=j+Do=((p;=$5gml}
zZTz0(uLI`3GHO^YVPBeTr-0HJgLn!O8S9#+X;}a4_~<**Ug*maM<R{{{VU4eFyN4H
zbU#k$?I2B$xlY~mx%qw}Sik&_kcFh?eH8qFOpq*O^oNc%#D}SEI%EBY{Jw3Tn<34;
z4O1GUt!!}ht5`~2eWyp^rM*7WDA4@z2epqnflhcH8O&DuBm|KUF#dZh`^p>F&q1d?
zgE!Uo_9+21o);=B-xDAS+{W>n@2PN3$RkW?lfZ9jlj>cH{CaZJEvYNu5LHTtWO4{z
z0j9_)vzB_#OYyIEmeMO5&v&BfNS-l6)~MaMq7CbQq<WD^8(O_+?Z3gQkFNZPl4FUu
z_vY@-oh`@cBuaDY-31$JZO=loCke-A-6e3+lPzL8i`B;yWwFi{eU?iW0~;b{b}t_!
z+lRt#SwNHy5CqAHI*V3uFZh`-lspS!W{b}@(|a<rBN^bU$gZXXkL)R4HM;heWbak|
zYhjVS;O3mUj=fXLeArKyW@(%C5u)IstEY1rQQY2HpPepv7SlN5Hgv1baXr5Ef<ygk
zfQeOdZ}+0Af-5IIx9Ln?csc{>6v4GK#_J=oD^Y5CQs+^;STJ;_R`IAk9z%09>w1;}
z4ML)OpAE17Mx@uyi=Sj^!||!kItG%a-^HS>{9ecbo&0Z_s!nfYgDB^AcGF^ID^i*A
zV2$vF_Q#aSM|3=|bZ9{xgd()Ovck0I06S9BK$fi}s+1ReqMcIFL9_V*Ri$o2mKUwM
z(6sp-7fCci)4A^FSu6e!R;a$KkBdlea$AxNa=CJKjWtQ#p*j(vk)q2fp_7j4$s1RV
zDGlr$cdW`P(-0v(xhIMZ8r=rjsP%QDBahq_!eCSNsReE}5_;v;c0OR#DnXB#>kYZ+
z-6o8@(*4xI*B=CLgKU=P^2=!oW8RR`-H?#_H*Qz%q-M~m^xWr0HU(ZRCpF{WPz`lU
zTGJmy&_lX5w;4r$Ony*3R+W!TCK-AO`euph9!B;<tkGqnT*pzC&g8{G0;Xi^<r=-r
zY|7a&6An6RUbZ2Mvc^RPhs)BR+sv8Xm4DN9A0%)-tk1_TBa$o5#4R_^o<g7G2>oE4
znpWi9)(MH-e)s_0k+f@oV5UHQP+Qz5YZp_Hkk54I?LNgt3N7c4kLCR<GOUH$$i})7
zt9jv?2-dZY!l^1q63J&gm^`>ylfMQ^b8DG!s1o7x{viT0VBe5teQ*76`cI;5!HcJY
zLOHpB{H-YElCwTN0qQPEo5Ratk0w9Wy!flfg&!7Jk#iq^6iTG`7N&(?|NI#ZetCu5
z;vMv@oHeCz#Fk&X2%7LZsgFMzSjYGGxU*Zft0Eff>Zc*HZb{T4y$OjNK{OSDN^JYG
z-a>|FA=9AB9!>9eu~(li#|v={luEi##n|x7;=t<e?j?VJ_f(^rO+_i_`RzYDkm}A_
zFexNP`H}4curScKK@B;nc}XOQzjZ?C4ScF?I5QRy_f<9~(H$*=ZFeUn6j9Qh!e1I6
z&G25bb#zBw+R)nOugz0SEiC!9;BM(@#xgan<7)iyn}c7K&*UW(oeP`WX?cy&%|VOn
z34ES}itYY+m;+{a_10q$DwLnHM)Qwk<C)BjH8sAjrRj`zL-xC>9e?`XtO(+u?On0z
zD{rHdg(W8AFe@EUTt?b!H!C-p_h|OkZ<%qLB^ODvQo56IR<z~(bjrm2e#G>`g_}lO
z#jv8!G(xRMos^CK8Pr^{bi$!1t)<a58J58&2;S1PKfW)W)YR(SaqEZgVzI%bt7<Xn
zsrv1PEG<whl`G4XGNOvc40Q+i0lbDj2K1#q3%>+>Y*#`N-*#&N6><ObqhlcD^l>P%
zHcBwqozVC0okMQ_SI}jV$ew|U%9yV+aUZhG%x=%J96}$ul`%g%aSjX~n`(oP-1rwo
zK}li$`ujqW<(ldk8hurfd{hFPd|nuk=^`zos!|-W?@TBqC<+@HxD(}~!(>dq8)NY3
zcKcp2du#?HasQfN51U`?85-jF1KxEo>X32%a=W~Q$_=Y#1*#seeF-zRQK@E=<-OGP
zpof7XbRRwE7$olNYW&FHM-e~~WgeVi(jT<*g}6?IjZ`SC7#4_o&oU=2M2tcm+PVa0
ziDci}E_(72VUW16ALVJqoi?bA-5Sgx@zHc9Jh{{x1c3xy7Wv)8RwDVI`t1X|BIso<
z1&qTXM)T6(M(pwyxmyJBGhl~uhmH@n$0zI(F>pXuGClj4Z>6Kn(h-A}$YF8Q0<Os%
zb_>@Co(Z>q6zYD(C{+DiE?~1_r;ZQAve>SbXM6v#$!znqT2pZwu3soAIN)MN&&z+M
zknZ%|H#p^;wu;@GM07O41P6<d;n4?{Ag^xE<SN_A%_QUqLtO{_&-wu`SFl^@5N4Wb
zt-cw%*~)wqtC=+?IALxh6ry5;%Bh>xqGzFLM<hBb$BcH}YffIx&XBM8enhAIvY7z0
zr|{ZhwQq(jM~eBGxM`)=IMdcSwK}R+kfro)PVdra4JAb7Hp<%Q8+K$Nr`f-vkMxZB
z0ksY}XjdW+ia7sQVHQw#?=7efSk9sZdVT_rdoi>CPNQUk!ca8t0jw}fzr~s%!M<(W
ze3Ar=+k?G-1y$fRYv4b1hrXfbEkRD>CA}q_K3(X}WWHi@7tC3m-{Q`Omi3A}q!LRR
zWgd40yzF{HG>8&1uYDuS;CXcaV1L4Qlz?gMD1R?`LrWKJSB*<imM&CMcs~OhPiS?R
zl?sgsi2M<KPw}@xSk>5Z&ghw<R}uq>n&jxqwy}QA@gb3&wj@4mXXaXRe?;>mmTJ?O
z>8_Eyyxr*0NdshQuabDGjq^zXUjh4>(S4RYRU3R)%U>Ztr2ETN&J9_IK(gX^K2{~K
zpQ=SkwkA=kvZV*cEYB{T$^kzi8;9gV@=6urao36$rVxOJIR)?GHJj$mno+TisUc>-
za;2l4lw%|ho;JCtd#Tvme|S}@p-TH{k1X%8$cV`{@D1O+K7XL5tFo?fD%ar8q-3eM
zU_O;qB3P<kxIv25B%)u(Qhk)rLMp-&gNFW@Ma#JGM#$u^g2eW>#}v7w>z=4TV{>^?
zzgl@Gco6WsKW{b?9+JK<m{7%CG)_B_8+`SIVzWO;XG4x4S85o2uzg_=)&7l{cVJ2!
zScH~F15UArh;>EXbDjj?4JAX5s$kdLOn^{UXYnkzPk6$A?zFJkG;z{Ce79D5E#|;#
z*PCX6Za@oJjnw5yaEqT7?#nO;1lF{yV%t@fqf_rqq-*-UXJkn`;CNOKx19|N{c*lq
zAB<MmINUzK<G06d|9fGFU56IeUx8}iL)5;pyH9J+hb8I!&n?l2jx#O%OP?D!3Kl^y
zmT7=aBXmT2ukK6&!P(FLpw#;ut~O8f5^I`G2-o<jJ5^O-(K@ji2ejs5U_$aW!O-_Z
z7=jMwymREi^71X_D_xZLB>#;3kGXtFK|jniy7AJ$>(mT^?^ye2ByT}_Ss1add;;@|
zr-uqs9ZFr+WvT6tM(Tqx<9VMsUL2KG{mgkp7w?u53+~&gY#51(8_S5Z!rZXAb=l$8
zo~wtL8)ZYDG^3KI>h;ywt30A!&`gWCFx`Qs#+x~dNe@5Fga{9nWzY)bh$RxG?RWV9
ztb`P5-TGR1<Lg@jySBx1J;-}!fC;dEo0%pUZ_2yVLT8>F+WN!UQ%&iP-~@1|Y(Gb-
zjGgkAXS;PuoXkixoC9Y$IJFD;qGi#?zDuaIfWKE}FGYLh!<h$P?QT0g7BZ#%w)pD@
z`ePrwlzxI(_q)R@;9L{$Z1$;>G&%~R7<;i?zr2s^x}(VqDx&M!&*v_*x|5q<+CV2r
zX)F-G;a#CgBA@C$s`z?SeS5Pl6VHvl;8twLnj77<V4Y~zIp`fuvYyJc`m%rI3kYVi
zyPC2)mYb=1@&Mn-w{|8lO%^x#nHP#E3!A=&r8!6_x4y`m=?S1oWp&ouan->Q8kSbA
zuUny=`l=Ipq+gG(E`6&21w4X~x<F2zAYHH)5WqV?@}s&QcntLf+UZ|>>yD2^!J1|K
z_5;ix^p(CHyk3vL8}|HXO#UZBgV_QFU}yp@*dELz{(pkT1B}wU0>Og;yBq(@yl#cR
zaw?eraw>0;W{m%@>=zKn=M~tF`d{iLum`C85Uv4!882Y90N=RSf7*KFuR;2L`@#=^
zoevUlJPJw24cFS=RVqF)!w9nRKFO5Y8q2};VjHa|bB3BPnMp<dzsn!;mq!E(b$z~Z
z*9y$xI%&OHK&s%*2!eZ=T;9H0ma3tYY@_5uahczcdH>ysdc5?!j^gEIJU-6mMQ#IN
z>V%3fM5>F?&N^CMnNjFoZJ(AC<S!e%YmB^KK$;b3CZ?<uu8&X$#BkBn=vtOe^|est
zh2|O<(;~Z8v*_FA>b9_(yT_Rf#!!zhJQK+qP(nwEjPZD-bwNd`m_0h?S{R^E&Zc5x
zle^W#)IK@yLZld}<{vs}JZw4KBR(8wniBZJ7%IcB8}S9xO7Tc1YBaX|^Ug+<aJ;rq
z3QhEPgZ5z@2~^Ioj_f6wN+2DlDB5pDDCYjBW9c!W)TJm7b;o6?cvn{pjOx6%v#zu0
z<AIe@O%EkL{h1C62~H#agA5Xj0(?%H5Au|Vb}j=GPClI!y$w^8S>)fhQ~5&aY84SB
z)Gfzs`<>_)V8S*|%k%^<|FePj<*KSCp;z-*Yst38Kw?vsH{ewoj<-FrV1m#s&U-+0
zcPD`?WjeFKjncVkV`c(1xrLPa_Qr|_Znp9bZjoeWk4H#*`~A8jU@1w1e}6MBv?20%
zavXV!dW`9!cXM4gv&ip?+XuGzuGg=G^XOY8_B7j*wCpRhW&~zo9s;#<X6wt1g%Q7t
z+P^^Xl6TgU%%g^0(>pWCouh<v{PFtvbzyI<+&PzKwx#l?j+G&{1Bivz4l9>r>J*GE
zo0^Aj;jMUrFZRFNN8vr-i%(Z0_V%V{hHDqTX6il;Us7Lvhk!IdI3TEXW(>qCs@K8(
z<Y`4^YxxVFpYXHFw@S5oN7_|4ZcwOGEp$ycEH5Ya%;ic@KQgrJIsKG3=3?`z4~Kkh
zZo5+(Ajy3HZ-#}P(+V65?Dp3OM<pZhYh6#kMZb5JH1q-YiEo#<>o0z;U3NOL1l<Gs
zNgJ=Fs!JH^mQ=a7IW0DBaOZG=F1&7)RTsu+?y6X<)w1%h6>)3lNzJ27NgOu{lEv%C
z5`JN!QqNZrmZkvhT8h?L6Ry=p7FJ*bLVH!Uy6wD`q*gN5Uo7b}n*veU+Uw8zdj_d{
zEb4w$7vZA`yl{6jsx&=fF}wvi|9{z3$et~K=?z`Wf~4^Ze{H?pS8g*pr^2)oeg;3Z
zAC`$R<u7^?usl9=xGZ~(7E{YbijGT*bZO%qYS-x|R=@<q?p_-re<M0vDSsRY{mpXu
z9H%4@^O=h{XJ}Q&$8mGF+zJlcR!0eoH_1W12({045-{5AT5|(??2#7-d;M1Hz_3I}
zCM?k3;63e0fsF(_g9JM`pMI#fn)WUAg~+LR-R%;7EKCLPl6$wP1lAP_9U)UJqLxtr
z7-?1VsOysi-w(s&3kI0hXG=u8A5!Vb6fvK~GVnIF?uQ|7s7(@o3hX*{4wBo&iuUs6
z@rB7yQuWVx0<VUb5W+77X$yBs3sUt{{kJONqWV`;jAHb{P+;-_U+u-$>`&CUivK`a
zC{MT=;#A|qS_GQd!L>RWs=cVSK}k&FD!~EN>J7d@y@{ucN2f$(;>=io1ONRZgL`__
zwYwBzzUC#xeXlBGGWth-7|jQsQ_mL?v(7XWS%u|(3@$?wu^dHGBPz8nL3yvhTlH(H
zNY%05Xj(w$ETCck{V!?hR^K2zER1SYK0?M!(D>ejy9+X2vS4y_<G69c6kV<xTnA)s
zz#vo^NgGDb=x&hoo&88puvDQM{Z1im%6(tpiRz4p`12X>Q&=R;WnqSi<o6Y~h|BMY
z)NzKLvRwt8zcDup5lkpQnFR}@>02vPtUCVc!Hm7ddiehP*RU&3<vX<u&zzQO;HhG+
z*E{z-@q!$|^>jWNe>>WTY+-V27Ur9{ge{Mjdg$GG?_ajXy_rp-DK4Zt6DZ0WrB=V|
zC8Td=j7b2$ydvwu&yV3gI1wyU;_8`k)hTm;rm>*;g3O7-tuBsqgBN!*xgBzN?&7TV
zhE#YP_i^So$`(EoIBsLlwB0=GbUy#LYQEi>uo<5KQd+aSzl`04J&5+KOq6CmB#lK?
zw@7FG*Onwr`(9HY{v4X8XB|#`yRLjZ>5_?WckL|oOnwBS&(NMtZ-6hOi}=9$@GFsT
z7LNOLep>>9)eemE6XHYl=dg{P(r+09Z{Est6)9}TvfF^UZt`dZNW3~;RnyP$X8_O#
zNb(bugP_l2Q1ybqC2Wosqgl$g>-%HZ*ct)(r;qx)>t|$i6wANwmEqx5=_Z&551X+j
zJmYQoA7{|^m_lLDYmRszTkPFb`dKgWFwU^B{MHnvD-7i;+VxDVx&c}_*+CBjb(ZF`
z8w%x?hI4crgRjkjNelPZq^wA@&DoqzwkiR<kl4+f^!wBVT#VYgn!HDIRHsv-PG59n
z8Ad<Hx<7qWq%vdTmz?w>H&4>JAZT*YQ380p^$XM*(FP(5FFPy9TS5xcBI8zdK0U_f
zam0n#(B~{9!V2Fm%By-J_vK!8OZ86fX2eDZ4PUI)MK&&7Zi!%)1``wht;F$QL<hlc
zNH>8qL*ol=YWd6&#5rQ9TL4c?JBdWZ+z0VBcaJTu?Lu_Ou;n%KW+IE}ofc(NZlFxr
zgC0IUl-=wxZD(7*p3tFiwxw@+N!0xPtbJcI<w;GP23!|UL3*#>Adtm72-lMk5g8MA
z;vd9=oD4~llvCS8q8(UpGXy`*bS?~2y6J~$MB4;8{&xvhk+7eLT@VGU_=RQkI3m0R
zDeRqvp12c8gA(iN@pVyjDdX)kw>vs;FPxjzTWOUeMN)@pI(O*ZH1T|>ASO6lGaa#J
z@qsBlF+hfCmW;okm7?{MaqM~OgL`vkZEs1HVoThk11@R{J+Y#b5v%6MoiZ=y8}l|O
z;pNLwPypdRyN`pUdNM0Eqk3U5;w&b$f-Lx6Ft|DSB$JidnWPi(DM;xEZv9Jp@^xt@
zCkUA+Y<jhM9(uqT32IuAA&~C)zHKL5;VXMkFu2NL-&}C`rC2a(q}@H_t>6ygQ`?_8
z=P1v8HKJa{JD~ira@oEvW9^6TzOfpGn?<~wZ~F&>myE6jd4vz?`I!10|8jVONXH8X
z<A7aH%!U_oobN%g0wWx+e!1SzlBmw_Uu5yuRMU=5E1rI}{Y4|?ST_Zh5%X*eyRi+R
z3GNrFNsF*&I#I2<Rj(uEJNlYY;oZaU7QX1CrS%d#xo5oZf(pa6w4*x(7_b*Rc@3=}
z$V3+5f2##8@n`nwG}E9VU0|c=Fa@#BeBf=D7@Muo=EHueU|6)R!f#;3h7Oes)X5uN
zkKwGW?Clc~3`x?R*Rp>kM4D>sL~)<QGhScgWG}ELr`OR+CaDMCDV0NM$H8aK&~u%e
zm9`C~A89GJeisIC(f8+-UF}77!JGf9E-qS(lKZQ7-w!bo<{}X#`qcYlgQB_P$S>^>
z8z0)A>e;!DvoY<#36oK}Ya7=Mm+92o;I;L%hZ42rdu_VSpmn2!$`5_@X1bvI!VaT)
zE|S4ZcL-^iFtOLb($q4D$G8&Pq$-l`5R{3sIH~fm{9oTZU9pCc5mFhtg1XnHqQ48k
z2wx1LeFz7Fo^g)5fmfg;iU$x7<V5@qk_3|Mf&fAv#~?g{qOH$m`tLU=FXgu=U9ZR2
z0MrLitG~=m1oac%#qPPgV5yXUsb`)Rqo{8ra`#^Oo3TUE;6-jQH-lzWpg!|n(2w!5
zq%cR!u$wpbV|#G7I+Cq2b~0L4`@&F~k3mMKb7Ydz{<TM3jSipPKmJ`oe}|VT2IJd=
zrHQ$LFLu(JDK77AzW&Mjjy&b?q3-uFY@`Ok7BK7$k1XAL5NA_D1*a-DwXb~}i;&y>
zBi~b?gGjihLMN?olVJMuhBh$lf83PUUsA6(Fw)7=GhEuM^CAk~dZR8_{XAmmQ3rh7
z<CZ5tvZ`Y{JXnc=-laCZ@gIbd8iRMsva(|GP_FirM<~2PgB|U@s_R{sqbti5{ASb7
zvZ4irt90}}yp*bYFQM6?_ZXd%{nZ0W(b|~Z*xQ6%M6C<Wm*1c3=ueQ+>$-Xt!8LG2
z`G=y0S5!Kl&6~x`4_5-yrmcTm;~9358?w01(l9u!Kl<e4I>Ip;G}s^ne>SZBTf>Pq
z>=5&+_unN$D)Ror5_?=nVBdRWw6L1cyy_&$iKa!Sb~-woY3U;QXuceVR7FH>mt4p|
zx-*-vJFQ}EHZg%SN-cEY^$=vXaI@8`ym@+a-oZ6nE#4sW;_lCj^t$c8bvbM`)zPx~
zshd)hPA<zbywb0dTVXvfJ8nzJd7bW+3|7~3>+0~ZekOMO`!s9oM?U}I=;S>+F>8M$
zpcVK${0Qj#n7-eg2;lKDPT8mqd}XT90q1p5Vy!TrJj1KLLe7dL+KLJHJ+0T>#}rv=
zdozR7Xm)d+UW)k!ZA<&X(e5<dqj-O-0?FOI<us6we{JI2lGCO%qxDZm?nv@Az|d&=
zMAtQ#WW+0w7cESU9y;2$beZ?%heqhr-*to3_h{|~%Li|Pr~`7(pW7+qc7RY7O+V^D
zEFaI2<O&W>*xjx3Vjota<7S%tj{d73Zqgk@@jgB&=|lz1W#ui6#4ZpxLLMHcoyjbZ
z88|nY$*N_M>G1LeheXF*^O(67XX!VCYcR`_*i^JI)P>Kcm!37FYR`7WsxkCzP*0q#
z`Znj%v8KJHt080jW>oC@v5KLEVvY;_##c<-ZZeg}f+zi4kyhTGW(LyJa~!gj2kKH7
zjrKOEd1#SV+l=`u=15h`npcmCKF8lUJ+R1e{g859vbLNdn>qx90A}eYy7P$->i1lD
zkkdyxVKy>k#So9l>UiQv$u-0uKB?7z-nMj8s_sg*qZmm_XQetx;alWwMa0D<ygtgY
zzklNO&-YRy;p%BH`G}WUJ;(5Da9xwL!e{V^>o>pAf$OGU$c>r$asJcr1|Fe&tM;ua
zs!2oUKExL1ak=8x(pQjx&{{!1b+k#Ff5x0Ygfj`6!f4%@p^%GlVY>}XW5)ceY0@Vz
zTSGPys-O@Eq&@+4uYzv9fe=Q(V-WLkEeMbgg8Kv<4*=eT!*m1h4XcBDgm;+V0mj|k
zw~}v$e^5ckz43nT@;_R^_TQ*b*3=bgu9hSm7(3%i?AqM+D;!ia>{tS+v4~%t-;IJe
ztt{iP64t4yAe344QYFN;HDo^mhgW3cw?)cbz(#i@p0Lyl_geI3ItoS$4?9*1bOh0Z
z{^BR{dK=@FhK%)(Tv_|mkxPCL)NU!>yCpilan(ufnnQzL59YkLyg?3fU=!bOi3gB6
zI%52T)#2J}qsFybGYd8zwNTD8$eOfdbaJOb9C)NbBcdG{nUO{=PLvNefK`8{w@?ks
zaZJ#-`5?^4+mJY3YLa@{@oe?751KU{>TPR;J6-F|oTe{0XU2V?)DAOU(RJjEmMk}K
zO3<BvYU&ETcd}S`nw6X9txw<B`ZS}o1=8$!wa|K3j&KN1RF<tLGsWqA%4@GSo<Eha
zJGBMf*kQ9B6v3@Ac((0dSzH`qc<V^&mFi#E<#TUhNHSKK&aJxG5|2=eMixYkrJCa5
z9Rq|4M|^iM$K%cZ{h;S&$tob-cPH;IJuYJ9vl0D%yeb;EiJhqV$h?OyBYUK?L#n5g
z(o4~gbezr#PgC6tq_q9E^Ds_F1}(`r>D2pkdzpLYbvSTDSG+f5QsOmjAI#q39&*mF
zSUMH`+;m8<tkl~wI5_8zF?;wBM*;`a=*b<eI_5Nd@;UYd1+T!r3p6!eg=FuFo58pE
zZ7rhjAnF4UfED!q3B*Xd0WSaFo09~>I0GH`16~2;*F10k@8*1YBv1|u=v@z%PYijm
z8j9yZG_B!Wb^uCF9J-9#y6%Fn0&R=CU|LS~<9jX6<W2hSh5(NBrR8ACyh2-{ZHZ%t
zZegRN;ryBEi;>W<9Rjb6LPWK7_j>Zs&k7-4$=nabdNfWlA`(erpvo<_wR#%^A?xOL
zO!}O0x(Ai1Vf2)YaZ6y1wcU=axUSzL$`4{LYW*3x$cnj2)?Uq7X?5+{=|=w4Y%UL<
z*TKTk3X2Vz+aL`^Wx~oCwG9>~a^LS^Ydq#0H5~eWadV*@B0sJG7g?^VN%lDY%2uda
z_=Os6-d2z}rLJ&r-%e4*bbi6np2o*tUD=&pT|rwVO%)BeXFe0~kOP4$=NOrP--V`q
zC;vK6sS+Mc{?l-T;xpXgwxwWtv?{FN8gXm8$|ULR^q+lz9Uq)mj?i7ZKD~{&g0cOJ
z@<YziBB*;_J@Gg1nvD5W-aAysceS~N{6h7rG|WZ9*R;Z?*Iz90o+3h{H~KyTc*D45
z?MqTL7XcV2I1-)+JZ!jE#13Tgp0+`IwogiH+}=w#9pth45pEH~L#!^OCzSpDlBOIR
zZE3srbfx$QfuovtA&>%|f}M{h6pDbj5E2???oTYTgDm0G*S<RURz%Q04=)+g9#Vxa
za6cvjGcwkv=s-}zFSXr&;KUz{bf$rMalF)2IwJ1+ISjS^jL=9AqPj;a(5i4rDgFg-
z9wuv-s@3pS)ovF~st``<i{_$yH>&}hORh@ZO$88~;(emu2N(D$+ct8uoqH;C*Mvsj
zs6a@hgNu;6AXpG63OM}f4GIG51A*!{hF?JuAm@A1Es*yv2zdSLAo{(U{O4EfGyVt?
zeg+JDTzB>)+^-rw1^<3k{|5G`<y>DGD{3=%<ulJ-zoyd^+70F<_!CUZ^d3=3VNlgG
zZD`KHV3Ms>O#EqYndrx>%{a_jpt<RZL7P=J+7sDLuJ==@<q#;+#0T8nf{b?TnC>^G
z`GZHlp_$(X6%sf>cZ|0PSDh}*wfhA9UwNk=5vT<|$9+6+YO_^?1Jf*#-1_?ghx^|e
zHk`siaBs7DinBMQn!0Qg&Tz%)6Z-=I&u~G?+?TGRdADb#Y3|GD2CK>ja`wcRkqbM&
zIN0{-6x7m=(d)U6&#ET@S?WQ4-yaFd2K+Og9heK1&Nl}w0>X6Ii-Ez{eD}LoJG1d&
zh?Kw4(tL<`-y=nXmi#??ZFzb>?ZWe$RfXM+-f^*<Y$s{M2*dO4w-jiMe$sIUeb#gf
zONXz@{TY7_joNHc{5<c_?-c0}Upru1+QS@=<4?gh{z>kfBZD%Vg5$6WKf?jzs?=hV
z2xXq$_<E#{idHudegBpIMr+k!J{QB^mX~QamZGmw3mWj>2dBlbT38axRZ5)FHk=%~
zS6c|!L<s%m^n$q%gPy$f@UcpV?0eU)mQbyL^!&zA@FW?RxopVOw-SW8-Nw*vo4nXL
ztdY>TF3c`_Wkn$WVtqD%Gu07nQ*boD`TZ-LOVGGOxEr~#yF}8b|GbM~e74Z#T7tnz
zg@FZ0egUOFfS@bT&d&$XhkI+>J%}76IRV;00X+l8H@(UML~wzC9>Xb+@D`{y=F2nU
zL=*SVYNwq#$+Tk$nc$V;94<q15&5Fsa2-bwx$d05W79@SB0iInSc2+Iq~5H^_dYII
ziPi_QeJ{Y@wD6YAb9U~JIcqQ{Z8jSukyYI+3#CS=oZId%eH_6rX0k;ItG$RmBMOnB
zd%5;2CAsMdar>C*un(KidvBxLl44u<@32#iit5Wv6`A47e~@@;4<j_fkm>|r946s+
z9w;8f_=Kr)l<M>9Rj$bF7ZjjGbkSqe`ZWvqPUyB?!-WvcmsgX)(J?(mpdu7>Anss$
z3*INv;-_P#-n^|sn?>$73>6UlVi1xJ&sXw*75f)hCoK6>^amv3DzHuRhyAd-9YiNt
zT?seJibw#KA1(IQ$OQeH!Xou=yfR9Vbrk9dD?$5|fx%yS<FB^FM)+`p%ZAfL;eu44
z<B8oMqL9RAjUG0=CJ#DUh1gQ2AnPR3>UPyA_ItPl2x>=b$CkXs(bqMJSqS3h*gCVP
zcY)G^Hw$fo8tYnpZ`;ORhL?)O4od5-3P+p)X5TPUqNQ2&T<}Fb>2yS`ZB7K;ac20K
z*cf=S>FKKF$ns5n)d{c8n>M#ZzKQeJb7ye@Y9UsA?*6=)u8+s=TXbAT?7<_`<ngV`
zIX4~czwsrye*y<k32hFIr8i*msSG7n0d%>G6gL@(WF9-UU&W966782vF_LFgVBFVe
zKQHL@9fT78xee04+W!EJfY2Vh-@j}P3R9uZ+j0Ww3(UtMFz4&qgrtF5N#s@u_^~g2
zG~<u$hbLY|E^5L3-5Z@q{cAI72cNq>7H~F46jbDRk&3MCAR7m%Fw_<`C^Ab>*n0xi
z^b}}AJj6Z_MZQB9uP?*IIO>dWbF|7v(7NhV{blZJIOTFS`*u1q)6#dAKO(!>L6dWf
z;gSa39+R}UqggqXLt-jU%pQsz14xc5P9@FX5H<R#(b5&gsCsOkLP2BDhY@g^JiS_&
z??Q+nbZtBByQ!z*%m_Enj~*khSy+?Lw3ccodwD;ATx3G=+f<iHn=6?Sf<8_3HAF~(
zutrC+X_v_Ncdj{9O-Cp#Y-laV<6rm(LOn_RltM#on-r;479wX;+iuTPLmc5ccLruG
z5`;3RKBAw03I^`JKu~}F^hDM2S;&v^cKIQga&*Q>9oke(<W@pEJk#HB2K>@8DwC#*
z)`Q-*3sJ;k6zPwtcRbuUL9{y4;iHu#9a1FcKzL^>{c2)!EwGunp@tG~QlSjiwTOoZ
z=Ptoq+FBe6jxg|*<Bn^3dWUovF+WrQGgzdk^cS8r7jwS}|EGAQ8nvxcDTWF8t0H)v
zK!#QiIafiSctwE5pPogV0(*evH?HUT_9>Ld>=HYimYzvxJ<VS}o0}?V-pM*hF)5XE
zZ)W!BwS1pTHJ44K)1k$zK8I8vZM(b@>zFF>_-L`lVGAV2pVQ1A?XS})Z@$B*ub^!+
zDb-|;H099gg6GL!g9xdju5@yj*&In>o!IG1s{`{U_o^XM`mq_I_N^I3DAf>lb5AIJ
z!PP?#2|R?`<7o^!7<8@J8gfOW))fyOrI+<T*_>BT4D9*sj&-AcKW%mx@f2_pZFm`}
zZ1jH@5d-X{!DQy*n!WK#a6Tzxm7Op{uEd}NXtvXpR)gjP__rr@D@2J5M;ZJa(7}e1
z#jF<NaZdX+b8QVY=1O;lRD)_29@q=Lm}$x2AUs}e$}p{0`pKEZ%vi7!a|E`zWNmAH
z7ne@JCDJ?q8X55$yCz=?ehU9EFM#NCm}Ak%q3Op`7)vT6HzFx!7d;ipap&8(G>=^k
z8bH?_awz8*qCN$6qB3+Dm>>HouMq`j&xlGkS{H8wDO+7vNN;nNSG3K#k0|CV?!E${
z_@^vmp)C4;O<Dgnq#8$$ZQqC}b<S)KlEHKI!V6PUcFiO<2<)cVn2Pg|w|z5ZZxoE0
z5RJA>S|fjEiBB(*DK=eP#+S?>Ry{9rEV^5Gr#Rg|fBOBk{VZE**px4uCm6XK9gA7~
z$DH3)>Jn)ss#zsq<&f!}zSOWZN0ZVvjjWGao)vR6Q&YohS6IKs-3TTm68Yl2S7HS*
zggC(qGNrzGIu%82xy0FXub!9RwQS(Fdw(OX09s})-jX_2^Wis1V~3q_rq1j7d$-?q
zt?(E?3^d*8Ff};hz<GHsS+A>0V7kovTJuyeVk^A*a`(%L%;W|44{Dcf9`7xZJ@EF=
z#6|<3tBLZx#uI_my#k_}e;>Pnfl)cv-v~tfJ$|xpn>g>%GQ^X`!AvXVgE(FA@fYMl
zbf$+UB(BpJ;(<z_NY&h&?`iz?IPf0m%v|X9yIau_ha&btDbwv_;HtP!2!!EYV!T#h
z$-j=JQP5Bfa(7q8&~Fg38TyR!xODYD4;v}PjkoTkUh%2~i$x?7!(o-=zJ3Zcy(jz%
zn!Dib48n%nzzq4++PAZM+oPUx?aCxb91t;+VHDdmq^r~xpb2jA&}skEpvgfu_6E*Y
zI8_wQS&UQ9SwE&+X!-_h__TPCTL^dj6}~^A4v^{UUN*o*OIAbI%dQZcN#fP*zgo=9
zu<HhnGFWnV_o&kKj33uwQ_rMfHb{gVoWX%Pb?6xi>$|6;Q5=Q_lpOm`?IpLE=ODJa
z5D}n#ZJIB})oxQKI;ROu|2>w=u`r5-7y<L%vLta3NY;6)a(jPL#6N=wsT^&@S7>b)
zujW*c-Q!Sfl3Bs+%L@H-ZH1&NosxPS_Ne_lJZ^CAwIF9;U6zE7^Q9B9kqkb}DjpcD
z!Yd|m8;_)|seW)8A+$;AIlj%rx(f7D<5|Pw;Wf@cD+an@(FMRs?Ky98{|m3$jKWF9
zeI36B<y?bACO}&VaaHlbfM_DA_W2RSC$i4OK&}y-e+?17r>nKPY0Ab0zL9onn};6X
zHnr7<WzgJr6nVm3o~ff1z>F96X%!g^o#!b1s<Q;ZkD^C=xa-!iEvcbv+-fsw9AlU*
zBudeh-vDk@I+^P>p-3$0|NgOA?9*pixs6Wy{`02^J{!p_Z!Q}vjLNEXxFuhdTCu*6
zMg+bP+bH++pI>?L$^F@5&@hxM-3irL8(*0_;<onbG2^b%dT)TT(@rw;{7F{VsfoyD
zz{94%k%nLOVRknDk|2Drs)ic9{uE>aH+hZ~+hVW)v3XYhJ4`9(yVOfMSih1ca2>ne
zxP&6<V{TfX8a`hSvE`?cAQKxW%Ae!O?EGOvm3Z!lrZ#t-VtFy)C<i-kOnP&TH|y)M
zwcw)K>Ng?g#dGaU0=zBl8!LNve}F_f+1P9wEbn&Q!0@?EA427+&+mnLIOi@;Nnd7a
z+PbF<i;yuQPEF^o&hK~;iM_tAFASiO`QzwKevCvcATDk#k{A4DuGxY#Y7g8WZg!1Y
zf&KU}U$ziM0=zv>&jkJmJ5%hY00-8sO6Fu)N_GJ}?Yw06i}Zrr6J2(@?|ue36cMr#
z@O^c1WE8)DUJYC$-k#|j#wm_pT$Y`)%ntnIPax@uQ)Rm5Md>k7HPIq`|IqM9L%t(~
zM<ZT-s$^DqAOGwI0D<IZfagBlqM>iTLdW$a_BBGHGZr(&H#ITh!=ejs7CI^NF1!T_
zdVr-rZ@XQYgZI|t*>6P&hg(02_(I?xJ?4~*-9nQ1x7nWWfBviUw{zR-PjyC|734Z7
z|KrYd^oeCQ?zoXdXVl6Yv3BzGV__mq&FMOzr^wyNKbJRbzb#*urRZiCUeQ#U?z`h0
zK@hr5(-8RP+o7S8VENg?NzCJpIN|g6t@xqc1WlVvx@5Ocm)?$h!|<#xynb{RiX$RY
z?EaYh&G3CJ;@D3k=m7h~Dyve%^Myg=bq#=pz4WMc&nn9=8%2H|xgnqY1MS{_pzK$=
zH>=qRo9*B<#xgL;23|M)aaHEO>vXVUSY|_rVHiGXbMn7za2dugd!FcsA^xzJ>@H9@
z`qXYi?JdQi1PElV9*8&QPLU&!`=1qYFHaB*{~xB#DyojI>DIvl!8N!$1lOPm?(XjH
z1ec8y+}+&??iSpFyKUUvy$|pA-<-Q1J$m(3jaqZns(NPjK{Zn+(m(DIvra?FpVdA+
zQ&Km<rd;e+&g<ccp+_xWyw9tpI*jvZ&b$a*?v^hG^%yNER3yBs7Htfvx|@4zmfFbR
z?X<1TCLY_kv$J|ajhLAY_YUw|%nY_2YPx5TRz9OqfBt%(7g7zQvDw!TtCGtJ<MlNb
zL-X(bRSJrG4}=Y2F+S(f>7=Noac80@WiF8sK{C3Y?U9YP$Ef}LG`6$WYe4hVp3)3I
z-qN-*zqWWrUUll12X6{|>ha5)MGlY$0M1ziP~SmJOBb>=BTB49d^MkIEa3c~U|w!p
zh~Tn52szKVNkce=a>@JN7Zy13lZcWa=w<)o#uEkWRyk*N2bJd$;#PPib`u>;LGv6^
zZSyY*p)vosvk<H2P5kYJ4PHx+>=Ryxf_hSLN9sskfLgZ&T}2Ch;uQa%ifzIog~CP#
zpW<+&cnS%6^F9~0qd`d0enEpSbi^?@lsl69NdZ%qSA>QNn$&&pfT@Jp5Zu3k|DeBS
z-mE)L2oSyZUmory7tMYJ*VI^{TpqQMknG18)|yR73OBHh2R9JgJN^hMn>k-|Fg5w1
zen(=maI@X~n!h;J{)6Yx9B!e&vL>7uOH_U1y$^=x)Jca`Gn`mi*|D*FCNpsz<478F
zuynlXyYyRj*#HLFjMU5viS0#3ajsg(f#yR{a>b7k$(a)y!M(nNph#LLW3G6F230X}
zJ%Qq0aT!IjbJ|-3v5#)$Sj_(4i=_Eqln$-+y{@bULohc#T2w<zo2mWcy|fC|O7H5*
zArh@yD@?HbGQU%<w*G!`kcWW3-c~ioHyFa%geK5f*u#N}s_I{ESnnhrqp$5eQp>hx
z*zX{Q2@~+Nfk)Jgf9;7U*%K&rQJ<I!SZzl}ptbhcG)Dd1qTnf8sxhxP5d;RU?n=K%
z@iF0+mr5Jm=nOHrkJapv2zxEZvYz{BeZPi<8wg5SP1M>U*Guq3mVGH~Id_kg`2*6g
z#qlvaBe=GpwzjBG{oN7&Wg0Nw3W%U$l7<{EvPU0EeV6jP9M+$D-{z`VLY8OvmV!PD
z4BY~MYTn6>`cb~3_uqchOmsp4rjOU-Kqu8Z=v@$c^Rk)Y?<IE6p`aM>$LW0s$O2wd
z9{@nNx(`U11_?yI>!Se20DF?gJGcqDPybT^fb-Vf`+OmI&`lx+0PX+%u;63O6KJuo
z`xyk`;`e4N&HM_({2Vh4(2oP}Wk3M)hqXQ9;uau%BuE8x6TQy^jivF?-L_vsx_jo&
zLH=U^5Y`GfGu&#eIvh6sb85}H{-#0T_;>s>ZfMW)cE5SE;OhJBA%LtVOgAFda)xtS
zRUoBmM+CGDPztppA{?Iafn~|A9S7O6h<_j8ixe;aGScKeRWwdumz5ohcTk3}36$O*
zafwsI7|UmvS~I6W)BGfXPu4?81(#u`|6SB=Fh}%n2NkoCXPB{$T<xiuiXO_d-$@7^
zg@4Cb1nskN4I(vC;3hNOIVBj`P+w5MK!e7p8HOyWw>N}t_QNVIM7(94(cV}2I6+o!
z3aC3DunzhvI-S*K5-KGrz-8zY5TxXk&_Nz9?ui){DyaXo<@5c!1<z5@{<YlA&wuyd
z@c-G|DwpR7=H<K$f8TKv*0NK18mYO$@hJC!%(!?Fk?US$=HUp6XB>q*e$#8)!q>z2
z$yclHHI-h7lUI~lGQT=1tQpk^Z$__tfQcbzSf#~ED4dBO{drt%^p9C++J*^^yG81s
z9|1Bd7jI}#CW8CVky9zKa+>!8W1F#1kb-v**y=o&H)|GVO#(r!%ESw*1C-W&0bmgr
zI@g)chHq1|<{O*ro^>Jgp_BcQpO{l@1;P+?V_W}pJa16-iF_X8{uxaYCMpgs-6Y|S
zBnX9X7kHD4WIYr)I*%r=RP^pI5i8HEOE~FKvnhOtxw~c~n4>F8adSr#$K-ij9ig0L
zLp3hruw8xtyw?vh)&ndz-PN#($R6qj7T*tMKe5F7`e#mWYn~^;pNM69E%`*U_XLA6
zBu6P@L#@5br)E0u9n`Q*=Me8CWm|$i%y$)VHo{t`#G72HX7(*Qt6qY7v|GB~54Pkj
z-7c*cz8q8xN?R?5oErTD?Qvd)^k~_KfcEPMIL>PSesJ);9fy-?FP7+g3-z|`s+UMa
zE4yn|xN2-NeaP9#sJ9Cm-C`3^qbW6>I0{0)wh36Twsk3{8A;YooeqA@a7N-$dNjSO
z7rma`I|ow<!H>V5)wu^z(rKQ_CV3&tvFXlw4NMh@%VnW}*9wcIvxA)0owE(*P`7&*
z7w>Xu1z|8TCSpe#|De>Hb^Q(#W%m*V`xtqTrk8_LE%zXwaN8}d8fWChc&!?gKzx)(
zAl7w6Qi`)2Om(EO?Wf|=1Xe!h#lST6Jr;jGV}ICAJjt6MLMf6a^l=rvFgaqw>Q=(U
zn{*hFpR4)3Szy>ta>=ndC0I?NE{j}jV?f9O!PeL_BCHd)4o)UDepBwy;oYR<13yEa
zn$U7kg`%XgaiPpNVV9!clz(D>pDbz_Nq`DD4Nfo5APkEjBbQV88a+*+blVWSIxtIq
z{Z$^4&NtVfPWc1V?pS93uQv$b3(1{J;JPEZ{)zo}ZGZ1FXM``e`5dbdZh^5D$z+h|
zsWksk!WlZ@YLE;dmwAsF0sfr7f^H{Yu}Q~YbN(-l?ERO6h~EDJV<zz0Kocd-JEZ#S
z`@{8>VDY;fgT_$>5eRVysuZMIj!8Z=X@{`%`{v$4(>v_o_)kur2$e^QFrm&ZB%giQ
zF9nsBgl~r<>S_yX6PStRXVmrc@M$qMcV^f8>0}I$ACQaM33%>c#m`>}Z)CWzJA9;W
z0(SBOiszcfocq`o7ZnDYdkJ1DOhaTS%no#3&y(+c6xzX8(|fKB4B{Ioo<m0zk4vlY
z6S^x%I}%!(#A{Si9y8MRn*~-;c%yq=?UPD(D|2q`+0_Ln99JzHyVNxvW`3Qu**mLp
zHku$%tKn7d{05(S4WavG#xGZ)P-!^&N|cg4=<gFI6K&EuQL<vzFV~hfG0a0;?Nonq
z){max|LJ4LyE{0vXVpKS@y(OZEB(z+ipar6qtMy&|EZ<SV2i>pix-1Omv)Cm%i}JM
zs+I3~svC!Qh4H;U=5<OKE^Y!Xc6|-jqOsK4M1C&W_0>YWpu1AZXYjEh<Ihd!d7fIH
z$~{wfOV;xN$u{QwMVSV&k)gF2?0DF^*3ko%YoXD%Z>H+C&QZral>$4IAUw-0sacC!
zB_u<G(0SVYQ@BG%*JL%=aQ#nFnF8ET=xAtA8NOLVUUMQPHCelubiB$8YZ%WIU-<=>
z{5O0ScXnAC?gBZ5!}qJZf9w3%n?~<LDAU-lHMeS`Lt-uA%~N9`?g?sBkhI%33QK-j
zi`Eb|J*4jffWsUP*R(gLkFk{-txIHOb&iy6LfiIwlCGoS3Q*jAXWaB)0G;OjkbRh7
zB?_5XT@LxKg+|n?!JJ248l%aKkwVlpfwd&o5jj}WjJeZ>d|^#$K0bL?GuMmRg3$!^
zP(CBoomrFNfEM;W5WtWdJH%X+(mbAFh#vE@-YiKxrMFQSUqHb6JeW&q-wTm!oGX9$
zX!Qp%e!A0{@_Wmn?p04c4c8yjKg;Zx^aY8xoXUk*JEInwk5c%cxz=jrj2KAyjf_v4
z+3b*c$9I3U5OunvaCj(AvZpTOg9;DkPdR=K&_TN~8pQENk~N-&>WEw2wQ_cKl)-$b
z|MjCeg`{5$;-_FV=x%k=x*N)y+(E_Wt^s3UGAT{Z-yW%%OZu;Y<@wC3r1y|sSM96N
z&Ileh?$*zeIyM>6?V^W=e0#UxIBv3#ia`(U9lxeotn-Xj2HYjBdybjY$9sgLJP*`x
z?^!y}=ZF#trFPmgVTgSieI2hT*kkc^i`TBTg(#dj+k7!B^kjCCD&!TWvXK?{!(R2s
z1~ze%cJz5yYHYFARo>97@-z&Kft97gO~uG$5E`#RtM&f*pxT0Wk2#~ITZTtom58Qq
z%(nKaUo&nF>=DgZId$#7BhC*OiJL^eis-0V18e>-VwIY2`A$mmFUzt9bF-u?IE|Az
zt<sxbWRn5stix*%v;-D<SMS~4Z^RgYKEeX298uWk_$#-3j(K7`*dg3q+e@$}9rYB^
zgUdnEwJ|D+s)q8Ll$IjQ#BBSE;a4RONGJdA*2TzN){hmZ_{5>CHaD39=(p*VOJDX*
z)uRx&5jx$v2=+hmU3xgzm}BmCWpghmPT0;P!=ex)H=^uXCyl~zHnG}}=Cm;hx$xsu
z48wk3&L8jUPB{gC!jE%;S`c3)QPE(%=7@*@4GOU@Sd9G=Kr#qJKZo446nR)tIxBB*
zA(aw=vEmK4xcF3*m}cxqab|$4dFr#WSa0+ccx;h^szkJ{U^e#X#;r=8K_m@!LI@A(
za|mwJzsG~QxyzbgOZ_@%+qNE{yG2%UEs8^Ma5H+O%M?g|Fgx1rJ*xO%z1%5HM1FwW
zD8>_B=k86^5E?M8P)Kh0l2G{y2j%j2d$Hf0a=S@Kd1;oX?fXS+P*+?vY|FPvf0+=4
zVBCLIsA3)2%W1Y54wT?V6pj^057Z5uoX9G0{`5@S>Df;jFcDRfxtG)?-(>M-r^!**
zk)lVwNQ#V9I_5HT6HhF3I!OL!U@9STF@=dkBp&+}T2g_L5%;&^j2-VkSy!LJHL9>{
zq+z{9<acp9vVOY_uj%Y>$m1j>GUS5y=J9#wxWn{Esj2MiA_l$!t)q-7D4~mPq$*eF
z!)M6igjL$Ao6!hbgxc(pl0!x6nSege`-d>DhSh!E%e0~Jhnj@HFjN*>Q`Yn1d)$bs
zHQnc;d~|3&`1&5dd(h&Ld9l+mVscqNr2L}gdD}|H14Cbv+X2%O>dfQg{=(uCV>eNu
zKG}$HQ1ra;x?E>VME{8d`zmpg=(zl>*Y<+|_+m~>^AzNxyLKHKHEqDPH;zQNS^m=A
zCTq*_m(k=G!GzX&ViocmBGo|G^7y7|P9icbn|uZRO_fvZVQhx*w3R02@oXPmwp`x7
zre~(^%yc#|ZmjdMqgn%eWz)MEdc}*EkIcLBTtJ=jkA2jfF)!PxwOnkO!it)qCyN@R
z;Q)$HqMB2C2;hqI4ePt?fYA-B{ArigGS~9jb;`~G3tdoNTc%iGCqFHb;6ci2jl4u!
z2*Gd4EBSzQU=!_P8z)f0ok8XJQJFR!UQn7S_3g^8Sd)pB<ml?3P<J`1ZTlzn(3Y|-
zwxaR_g}NgT!=c}(xxond)u2tLzQE{jyJoz-i7e%67PXJRCIawsGE}pc@<jvf0A?Lq
zr<HO>F%lfnr!B>=_!8=8EyoM$$e~1LH|p25miZN0ah8KN7m?6kdSue&gkG?QBJpTR
zR2zBn!vqNyx+hGi1bwR<Y^-Spupo;aAt)O6&r=AK377cbRfH3wC7j4i(`*_gEnx5J
z_0|kh0_ukm&k|Kc9}t5QG}d{Z3zz#H2cCeU9nkm-_+-mtyFv+}K}q`A9`yYiEJrL;
zCkP2&!A7Ac`MY&gNZa3j=|xe5@4^AIKAZ7Sx|&B?>TR8)`9DL#WlQ*xN-(Oe752)E
zn$p+u<I3A|mBE;`@CUfX`{nO9B1|i4S}lH6Pc>}|{Rt7no43CZ`G+tJx+<3FhVdeu
zU4{3yFr5*rzne659vDsxWfCu#wmS#-hv`Z4)@L<sdsT5(9&E@~C>TY!-JP!A&<(CU
z+GRLoTRKl>v{sV-7)dWRE%)s<C!3>{V)&LM0oNM$yQhw<!>x4+CG|MHl+~+C;a;ke
z9Fd^E_OQ^?)fp!HeSx-uL)+aIvi*KHD;n3y$2WeQj^r*xRCVX;LT4bGWzH`vkMEoz
z$WxY$FgL9Ks${l9JGDON{x+c|2ih;!_ADTNC|V6YX7zIPRtZ&}GdP^vZ6Hgw<o4&m
z*dM!nt8Ek*DX+iV6tO16b`4qVPYwp}*EU^;bg8V}6}j7wd$V5%8lF?mN^zC<5#lb=
zl5KVUSynVrWQx2jBozqbVp#1EX4vFgEG=eO@=T|}x58cDtMIj2RKg0~@Q6)h(?_O{
zdweFeB*UVINGF&ad&h#2z_B=aa<6C<@Lcxqt{VDzx}41?rMfr$XJ>mKrhMU4`R*I|
zqv)|AE6b^iBaS4-gX1|rRp@r4B!q^l;AyXf*&jfHR)mlzCGP(yk+Sh6mtFW!7YgEt
z;a4m&+LjMtHw2p>X!il;emryig=ewT+znO_CZDfc^rj^~_#(_0E47}G2r{#Csr;eO
z-nr9;d+!<8eU5nm%!S;XjgsYO>hk)ZZ^o?Y{vqKuS9-wh(xxXS!1=|=AbOb4%eTj3
zC)9E9%aSf3q(60su@HE;>F6rqnbZ+GGsc9<QOe$L+>|dPpy3r5rKJ0i(w%3nsf5)g
z=J<1cFX%MJWdxbJ8at**wCe8@^M|EQlvGqu&);?7cV9uxvhYagTG8!97g_(i`&{<j
z8eU{M?NQu@r=4Y>Ev}E*Gq4G)V!l?EO+C&<bqF<^PoUGn7bv}J4vC;42+>tM`;WSE
zsK{ygceCT1o=i>KviPK90x?lVkR@%{-tuf4Ygiwali8%NPay6X#`9TWWta8)PQ2J3
zrLBH;#r9y1&F-uk;VQl%T{@?>=Yn%;v>kRTnUq49z*Gzt_)J&`ee<UP{09syy3|e?
zL1kzfK@MB<{rd}p(3Wz4NtrJyE_fM)kzI+_^e=x>9$6W26z^slng(7<m_Iwtq>ns%
z1RThm&Pgrb-)-0MowZj7(ouFxrTsa&<sj~It=5QZs$rX|60J$=rGT14XPOF_Yp${i
zTu)c+OIA6wgNZ>Bm#mTad_n9K_5_j;pNY(~mb!a?!BJ{d9P6YjRlC;&vmKtx9Fk{L
zcD*?J#mv@f1XLOo5G0nJt<tZ*C?I?-cuifs^{8ip&#vcNp;!63a~xVtf2=wsgerrq
zM&#jwuC90IpwEAHBM91G3R@6-fA41VC%$q@HQ6-|WhdTu2;TpTU**=^=<^4*LYKY#
z!j&q)o>GEuN}<hc`zoRREBa2Y1_AH-0w*bU6O`W(+VtaX+5WdZEaxKVnRA`81`{2b
z_Bc#W?R;9tZ`AV^?neVV3)6k@91wt=ZPlcUyoA-zw|QK#Z_27FsZ1n&L#!C9!P*1k
zP9mwx8aS-Rptp|aK6muPy1+`;4vb9loN<e0;(_Eiy_Dp@Vum$CxP5zgCj7`We|c^N
zUy@<4YHLg5dQ2Ae<u7URU(w+mQ^Zog-Y(KO{a%$Hgkp)E^pa~iF=t)KKQ4AN#yRYh
zIV0~P=4@wTQe=k0KvLwT#7Y^=dp@SubASFZj#gNKjJM7<9Ok?+Ax3`E`s|}sjd%-1
zT`~KY>>q%sZ+}ac?7*l?b7eeNba%7aLnc!dmd%Zykd%6iF4=xVa8CH9VoDIPHO@+1
zC-hdT?||pNI>N0&iEluE^GbCn`Mfids@Hh?$bj|xs@xX~5z}P)cawwB>0gKSz0Bej
z=aZ5n+~+?{aJ57Ge>={GGc)9n<DaHA-2Mr(HVyZ%0ul{IL|I3VGS0GouOEIcZC}#}
zEyi4momcUe7UZJ!g5=+jw-9r^8f?O%oe3aiSS0IZKYP<|bVA11d{d`F%BOhvzMp6%
z>&+HM8SlZzb$~XPy8a+ccph+xHuwN+zJTPeUO=;2B0@r#VBlub>FblAB!Kb`fN`&y
z0dqInr2P)^zs|^+*Uu@BY=dFPpw}mW?eAaXNK@KoMqVv_As<9-T_QQ3u++`rhY$(8
zp<yuxNf|uW-uoflUr0yK5NLd}Lf^J{%hu2vmI>V}C`LS{9`l~|HyW7ve97Kshj-B5
z=kxlX&Z9{1$y6P`pM<yb6i5wyAipN6qXfdRLLG!D+U2|TcF^(c;C?jQ*rPs19EWPw
z#@UaLvTi6ghp*^6ZmNAHY(*YX@p7M&^m2FfE9ucBdefTD4_n}AYe*gSS7)qu^hxz=
zVY%B$)Ww|1r31<7>@|m*?PpwE$(L<2FhS#ZT<K8N*865eynE)HoCFAmT=P4)?D=>(
z_Jr#WJ}?iEQdW6(p&i`)p7&jstdGgPf`#a%=OU`35=^qc?CdW?9F(ceu)8ddk2|ut
zh$6&%3G`LMzX}E^@GKdpph5l?V@r+_q9rR2_Xf#LKoZUQu<aPZbG72+M|+in;1;l|
z;hbZOQN;4kLZIhQ5tmsm>bJo*M$cG`*d{4c52@UW<2Tqg)L7t1P|7>~QxbHXk=2xA
z1oB}k*flaJg!9XwugX#V@ltT4>aoXF*imj?Nu@HsLqu*sR!@_6x#j824~iJ_%;))^
ztBrNP8>A8!>a|VWYKko>zk-LCY}7TpDY%F*4rVZE;{B2a+`uG6QTp-;mHoKh3l%J^
zl7{p^n!rD<?mlx4QqdpFOgWj<zeW#0{lGZO>pQp`p|^=&-KgpO%#)Qni_6Z4Ue&8H
zGx~&ETx&p{b#;B!+fYyye|m{+Y2G-!nxpJE!9G511{Uj=3fu@c6?vjz(73KOtgG{)
zWsnv@3X^jJLOh7s9JJA1vM~7|IxHOnOJRHGFCMa~(J?{huk_F<*YLw>x11yi5B(Ef
z#7r>`%^!S3(|vDyyalW;EyI_e_DhaqFb%BA_i|C;thJ6M8TActF~V2c<|+BM)>9%X
zCmCQ<O5l{ED=y2t<wpW&&%u5*fC!vtP$|Mro5}BzM2d~GKl^<j?rR9~EYHIbv(Ypk
zb`a7(8_B{w93i<#*G;lehU&1L4{L7a1!qTwx_7_R#by(HEy(^Eb?(#?ni_?ab2+$0
z7khK%U%hP5`@ON(@n*fZYC2?NNq{hGe@T8#-$Fa+m-&)L!PMVt7Agu^z1E+;cHzDz
zuU^hxNCQr=(S)U;=xTuujI{^1vYpd36q#IV$|2zDL%{-M!;^o*URfr(3~kvxLz#@8
z3@^y`4_GI)x}?av&&PqS{&AtABzllZVZT1=#a^6M{mSjFYMz7l5C&SvAW>g%ai&>D
zyVx(Z8@jfg83msWV@b1_lz^bvC<4Y11yF)#VJ!^$)FQF*$CW@`RY!n>_tRX<fC>+3
zrO64z7DrH?R0e-D|A{Th`MLFVIJ$6?NCz<V0w`Ak?`r^we>boL-ure9A_HRn0Fxoz
z?}D9gy7M050S5#<CxUu_{LSl7&P@)w`x{{XJ>oS-0=W8k>eGKK`9f?aa3OJ-302bZ
zF8}(@)CC;aw1DCy?Pc`WZAw#%>ovqbh>w-{c=kthZ-rD`8giF`)=+Z%74h=Q?CmA!
z?vDO>y)_PVB))-$2fu@M@X#Ibi-J8ni<judP!^pBRn|g+&ow+)5bMi7Ga+=f)#}Qw
zO%YC`(u~h7nNg~HSB&>VbeyUC#-<-{)>v#bfaz%sXr!Gy(v!%;P_?nQbtn_S(77E(
zeKvB(K<%vb^9hm5XRT>XFH7?u?uo&I<?vZi_>8R5s^NZd1#dL2HsD{Hsp<6biR&7D
zgF<{@e-TMih$KEpFFDP`^O)~6CzZ<HOpO;T@Q59-Bl8^}u(auwk{_DFD2&+Gep0rs
z;Oe{aMFes5mYr<bwt?|)>nr*QITn%1PCu-j?#=bKvqOReTJ3QcvcG5bu;A$2DOZ=5
zH*TMOIM|RpnF|f}2>Eh!GHnG!en=(-9P!SdnV*jLoraRaS%i!C#+@SZ!%ZS*wyYb*
z=1Z6kB{}PfbOfhL7M)mL9nWU=UFvkG6R%75cY@_bBXsRfM!8oxe4Drto`<6hX$%Eq
zQv~CDOgYw({Sy!KGkm{@qR1I8pH4rvueUF#d;_DMl`k<JNz}-B`LE>L{#6+?L#T+i
zZ(60^QDSzx@F&2y9SeweNu*Z7i5!cB=ra|wAP{C%qmOgC_h5LsPgrMfjuk%~Na|&(
zDW1It{!g^%0h2*Q?e>x43q@qKzCQ+_jf$nR;?S6Wg8Si=+BXlou8#;-PTCLa&;@M8
zlJ!c7l%!mrQo?+HL%swL>}49u?(Q{)r>`Qb(_lY)_{0Tz5*`!oOgM=e8vn^yp_8f(
zzo`6}q|6li*6H{~jGN@9U^VKJJk46ZS9T`C;Fr?cl<xidcMhR<7!u~dbK`6A{bvmp
zAz86$@@$<ZWP9G>c7!6OD5csps5r1k8qE4x;GZ^n)LPHt_3X&}^)1QG>wxi!#OZou
z8TKk9gg?3I_p3UX)aFWjk}=j{<40IG{9&?{jFx8u4L=ct_{Ki*1l6BdUlW*8eicpY
z8=r#H#~BizEQci?9ekwVIgZcnmddAhmblHONm-3)nDnybqrQ`SZ!CgzlpHOX{L4F<
zw{aQ?qY>XQGo4s-zXmtcp7o8tm?fgR8{>m>zb9Hrn-13UBl}Tr;{vmV`7_)|1p<ww
zb~4D`0jb9-UtRR;1}L`YF6=_&F`8DSht=Fkbu@y0k)NF@6%q=%<%4W6UPy$FRNjnX
zi2JJ;o@AGnW(#rSqrV@HRKbQhX3$I6_}MsnVE*fI&T<0uq!&u@KN$`fr>tDN+eUb7
zZzRs0>=A4|O+Tfe#}+Ium%$$_I;NW!3n$g2FnkFe{eSOpceG>fy^WC?kV((0jrc?1
zxe;-7dhsuSt9Jl%5)=l2fv_(-Z-C%f+AaY7P7J&c;a)8Q=F#}FS#A{W6aKTlz{4aC
zbr~>l`3}ffpz$}nar#o*Ej}$Q+$Kt;8*DU;tdDSlOH;7n(azOhmV$T<@T%>@Uu>{T
zRV~P@QVYw2y3U9PoGYM?ZOZ$wJJTwR)t<17QF<5#z>QENei#jlUcWgu(+~!;d7Z>=
zcsGbe^n?^{Q%YE!!ScT2$u<M%3bCC(TAP9zHdSuEMm#H`EQ*}feYuw09W`AG@c*vg
z!91dLyji*k?#*jW|Mz=Qyil<sWLnCIDbXv{B%^WJ#l^Fr9#L=6&ncklk3D>M7wp9N
zk+)+43~v(B_$Bqf@GX%-Mf$RvUvxs9(JHN6SOP!NxiQkUFM6o;Y&_Rk{IAWNdvQ)2
z48C~4&~GRK<ea1Gr}Do{d{-W1Mxa1PZGOZj7xoMlVWI?y41=?T9veZn$`rALUTMy@
z1d+c^hsxH_s9_jb`IW0^Q#7@zgM%0FmTr|8O-&S9!@n~rxtO>+f4gL#68J1uXIb#f
zUjSj!<5c||Vu48t_LgDQZAFpz!^6Aj1zpjo4m)niUOp+dD49-KJF>b78vtKv5<0~k
zb#=N-)As3FcD;TK@;8?{)%<wev%SS8^ce@j2E&{x*KoZ*`|fzxiwWMSpW0@PS1oOt
z5-z!PoxGw;;RJk0;pDPVo!$y7i)4fz7R3XIil~h6;4Y}`S7>oh?H)EC;mnJj;(&L^
z9)H*S&>~Rc4n!>Fyb)V^zXAVKy3_B(UBH9Qqc$+vv<8{^U*JG=yzkrrnB4&ShbM@1
z_~spu^S|BfEv4rKNV`-AOo!^lCwS5M4nFAtSI?mE55oUz4)?~#Ep(>nyL<x>+6~;;
zJXQdVc<;9dgkQ3qHygmfGuxo#J#hH|%0{B>D1zTIi_#?XAYFeetP#FLTj}TryN<J5
z7Rs)Mu2zq5g+#(4n*Y;RBae@owyvy8aQuOn{|VjUfxEus?9Py)0oo@=zk&Z2Z|-x^
zNQ$!i{Cwo^#?Gu<^US_U@!Ym=0U%QHO$_YgmlrA#HR_e-VqVl4YwE=G6mT)E_TaOX
zz36m1g|&P5Wdihsh+myEb*C4WllUe!=fTalWa-_1aR)9kmaURg?ovv&Lv@_FW}91?
zty!CIUEd50-k|C=KeN^0O|W7V6O~rs3bI(v$gf0*|0aIEX@gWx%Gjs5nf*n2S57Hx
z(h*s_vzi-5cg944IMk<gj1-S?Ls8YutT{+P{>d4eRV?4MQn|n^xe44pBL1QN!B6^N
z=$fO5ljN=G&TMsD2QR?*f-mO?zMWI<x5cy<wG`^!VZNB4NZ3XgUQp>Y@4;boDYcZy
zh3+pQp<6sM5mXAe{1l6elaWR9{WO-HOGDt@zte1C<H4osMekwdjVS)jOvtYB)m~U?
z^iHsKn15YBEa^0%fOp;w5#j9JwPT{`LQF#=)%N*gR-J#RQ{$Hj`=QE(B%Xaz`HfJZ
zqm1RD=9RBqq~YM-IdDx`XIE=BS;tu!^@edJOk)Qt72`|BZ4GPrKeT|_zV6b*A>I?^
zhyaX>{(SP8di2pEmnz5UQJbG>+JduuoeA4y3u0|ySjxnlG?laA#G29~{L=QPWyV#d
z>)P=eNPnfwN)w8FJ1P<w$nzSx2TKXhOZgipE*DgdZD@25cveo{|6TNlZo~Y;ngljG
z-G}@xfc;*1m`N*XBg{D3IJ2l%hLkC*L+S+>!idV9*pB*Pj;?BB-N<zICl?xZLyM}U
zb*2-VQA2)At858WavbFr3G8o@pKG1NbP&>Ng;p$FHrPz}2b6mgK~W7y8U?Q~lPLky
z<(%AMtI^>S@2)<BB7KfJE(l`Uw5~-N=Es~SGc+z?@LIxkXbDOgvQqt;b+dyMW`Wsc
z?p?x%-SW$oSW{)DRN>V66WS+sFr#r5J&2z~aljxsiP$GXsMhN|2QDY(5rGo_yAU+%
z-I0>?%?Fn6vzri>xB6YsIR>IdL(M6iLOSp!1k0x((wO{^1&jIJYkxhQZ<9!u$3zS7
z7&j`-J`lnDuy<jr0&f(o*|=_X?aHxvq;g!mUxzgjWdz1iX>~LS#^=~h@jK}8?@_gE
zNuTKY_U2W53q&Ua7c5}|vM}&-;3JBYXAGcBV9OikEE}A8P*$AgziDFZ>;BS@T2+gX
z&ikWcA=I3;Qkxx(CujeMcl7}r9sTg85sN3taGo~H@+hX$OadL<7TKWG-*&lPm}llq
zGQ#g$+f^yE^dd|qg`>28Y65XBfPwtBbf)2oIkN1xd~x3RZQ12z=9#52fSa?X_oZJO
z9T#jv7N4Oxyq(sN^M(JLW|SvQwe~IVEnJou_opJXk&+B{Yl_7}!^HGo`^=-%npP8`
zQ?*2;fd4aaya3vWctRmDcpv%)gZ9*|@`iE?kcEKmx|w)WhFruU9gsdfqZ|VBRe(1i
z_DMHtF2MCwWEWt4o<v#$L=k~oU{0jwu8ka`<@2XE*joVp0;GEj`ts=w#D)ET-}NCJ
z3JN`z0RQfEZWjr^^l&%~JOE6fci4~ha3`4(eFLhq?Nd^MEMck`zvQ@2e}eg80u{h$
zTiye)Z1@!ZAqL>Lb2XUj%*BdXM=^h^y`MSH_rDY-xn_i0wIHL=OD6Mq_xnA~c3nPN
z<umVwv?6uchb}s_b$33qd_Gh<<VJc98jT{)V4%pkC~S>Pbvp2-SYgUP<<}Oq)4C_B
zAF^JkTEG408CfUHaJUmUFKByTgq5uk(=?xgvV|J%OI|*P<wvHx9-AhRMpo)3^0XB}
zNDxJP7MzCEN&t3e-C|VwoaG@@?++Ge@Nar@gbn|PXfZ4x2qA<Hbv!U=5oto`?cEI1
zct+TQc(hJ>)xW!44yT-qEn2QX6<=#7MS$Cp0oTRER<_}EzxWXLmkK`FRX6u{thPE_
z<*tX^LC&T4-@820n}L_*U6k0eT~qz8`@L>`<H#=8X5B|q>hx76{;^43n5p0%bJwF0
zl>!}Ams1y!xEr;jb@4QLh9s`{9s^30E8*$z&1R0lfuD#KW6Ux&TBGSlvs{@7({l}Z
z`2lL1sB$e*16;)l)Y1q;F}Mjze=ZPz9PyXJ&vci20}3rzO1YZ1nWMAB(oxQb%m>Qh
z<O5W^xav~)+;%IWu-Wt9Iq>}o^L4UGZfg%L3R>Lk7Zayw7Z15$8%1mxp5(o{R=LIW
zx~egsTP2tf%p7WcS67CyM4C|K>2)06Ku-Yh=>UMsOELkyY;h4a%0)Fe&y5d~A!SJx
zFw^qZ9&B4gX`l|Q(a<crQ*+L$>$dIEP4{*fja9PWDEH;dOS$A|HnzS0I->#UeK-ui
ztydf$lB<J9g9r5Lv8neg6e+B3c>UtQvb1->-1;r~UlVCYWjO^%W7+smt8wmAeOMY3
zEAE@Zc{R1vX8O3l?pH0!-mcn2Ak1+VGhssZ^{31&8k+Hf44vjq;$t`nWD`8;>C09)
zJ!Q*HTS;4@r61Bwy62Eq`AqYxJqEOqzCc{@aDU4{tj*#uU7@w=oE1@i%Tk?Apmt$q
z`eCQkQp+&!-V=X2TO%UZ#?&r%K;lYbF;Qjg$aN^I(!0zO8pIUjeT|Ia;vUr&OZ{*f
zKfUX^)q-NlE9|1jz_g-0rlRuDK&eG0em8XR-uU$k2fSfjW2?a~N?azBy1J)B64D|c
zGCrB6lfZ4gjSt-FKjYtbd_<(t>-fW7wnJa6!FV#g>6QCuo4XdR)bpG}`Y(`bC)ceF
z-}F#<>M1WoS01j}L`*w!F-(MFS0m(W&uFy!A%tRN7cPr5`ksG&`%IkYc=1OQ`)7tV
zBkA$;^2**0ot2k9di2Gd$PxRU@T@u&N174%HOR)U@4@czYmE3x`8Cm(@P_jvuMs0;
z$8m`(?4M2Da^Y>XUyAnWcO~5L-pZG7n&1Ohiu|96OaJQvY(E6{VV?ne#^1w0(eVe*
zn*1Xx34RyQe)(Tk(z$vg-ik2S83dqix>1GQr%KPC!RJLZFzwDvOqFluj9dS>QOrwi
zdP`@#<g{GGmWW7p(pn{@=$ZT%*jVeb54wz_mv~w+Xt=J%d7Z*TPur^$ZQpV_9fFYz
z#|QL9p&4$`6(@vCs_|Qeuku8?5|5sdufkUTKwsri8jw}lQ5<O8nf&vFpfU@-8n3>B
zo}oBE1_V^tlj-=Y6)W#QUC++x$mGF?duLiIH?l5~%nTa}y<nRyE5I%=nsJ^+2G@%>
zE@!Rb9B-u!Pl6*H|9-x<!8Y^(-9`tiIjd-&Q3V_qzvfU=X%D{3QsNL<H#@Z~QpZ8@
z2Kqx4<sp@M>ac3WO2O+08y~?Q546P^A>yk_5y*=3zkR9yO>D1SKbPVC?kkwWTx=3L
zO6V77CQm`Db$2A^UYc9291hyVLuw4c)n;q1>y<$1YtRmu9KksHdN=MUHG_lv@A<Rn
zf-iQI<?|4dHEiuS3Q5;e+L3fGl&=OyUs~L#SnpU(ZpKOw;SaTglB%YB2<}35N)07i
za<e+rFw&Tl2c3T#_4&srgX<2gz2gsDUno<LL*F*Fa9>j18b(|ad2ZC&e==b!R%>!P
z;gywK_>8r~^)8OROzYIkX*q3c%5AhnO!8>*NP!0kiOUrwzK*46ak+~~Pi{A@RiOz)
zf2Xd-)GQQ@X33zKdM+)tyHA!^KHhik`Cy|1@Qa`>;8Cy#0BfMee*_I!=lux~(aTsq
ziH6?9`*ce@1<-c@v<@tQKkO8Mk3e?)vAH4b=e*Ou4mNh5OMI&Kr#}a_THOat?|~mb
z070SD32E`|iia9j?!)CX#uzp-S$(*Ue?5A89tf{!?9A%CB_>xd*7PRZlO17Y(uB1r
z2#Zka=1NQ9&4-@1K}<+_B(QG`9wA=hEQsgz0^&aG?QGYyVURFZo-t&XomzKg$zJ4l
z6Qkf+*h<8|a#20r%nm<m{L4>{Xtdv75~ljO=W)tflCK<o5^L^`2CADg&7Lgi+qz*o
zNij^iCTtrtGbt2RskkvDZ4a)0bg%%y2`!>UhLKU`yn7XV^GUxihMRFtQ)c`4uprS*
z@}8z6xEh{e%EyOz`~u=TB)lC!FCvUm;2cizFJO*L;%(>$`ZqrB*x_ws`ov~UG(`#`
zg@YE_ur}K;FB4wls_*?W)-&FP7)gpTc@!k|)A{ad`hp`19d%mO2uK)2%j)49S2DzQ
zq=B$g$~LY`lOXfCvw4-E6DJ(;N7{{o4EAL6u^IfPi}E_tGXm3#a<KvS(co_c-#lUq
zBk&T#VhXymQG4pXWH>gb;iplIaqWKZr-4gVWTfjG6v&EwtQS5CSF^wAQ<L_3x5%^7
z{K|GH3BT%o@n<4fe}5U7>Y<{SufYh`X=zj=g6l~i+jZ;kR*bKGHYE%9%7VI4Wixt`
zR7Eu}rLp^mx_`BJ#+)Sj0vlrl)qGD=Kqm1$oh(T~RX2&QsxV$-`>z2(@l14aH7M-M
z4>o`I==-0K`CGmp0PsJd6bZmWynVPF<p9*uF2DX4IS@Yph>vFD8{)qaH^h2B0Q+zM
zrLKG6)0_BzIw{TM>+S!ilO8}!``uTNH-Ozoh7)vncME(f0j}HLp8ltiJ{=0?0_sb^
z--n!cl>dGOHv)V_q(1<Vgn*vqfBp{eU61>u1Eqcnz%XTB34U~t2>?*3KoqK{_xWUo
zfS!HzH<Rh1Nj=wma&O%NEWO!&a-2P--0>IAg+#w6YG)CAhUF@!%1={W)&@l@<_#mG
zZm81<asMWH(7C(y(Y&A!Wbf-l1@H0n_R&DfhD1=*_ni0}SNZ~u>%s$m4T3RF+Xx#f
zr`PcGt%1i@9rPe7)HW^+E7H6a@Z)JK4Y0B${!xyBgFji_sGTk7!K2Na`U_PjtXL9z
ztvuF6*}F|cBbw4VK<6W<=ciOymws^8Gymz;nWz2F#2jXb_XK<r>(fr$xYjqzbUmH2
zCaP3qx~?dk2fzZM+uiZtTkCZ2SoC467nzk)U;C#$=QLC~(*{d>{*4H1J2HU+)o|*P
z2QmQ)k!dGC@!EQ$nEv~-EJt+G4QkY=c}u42$YXCUIpI}mrC+vx3H78R`_1GLdNe(5
zJdD<0$S9DHL&$_gGHuHS<t1>`X<eL&t9o5n^BRO*l%3>H$8(4R?^^ooTW>j$w)W}P
z<jf#Dkx&%R?C2Pu3nwEEIuo}WCF8rNj){FPB)#N>Ru-f1lmy<rn9g3EIHzbQqpw}6
zR>eNIl$Hxh4Tvh1qwt}OH@x4(sg<?hXSOUtT@2;u^Vh;RpBvP0lf=fZUmc9f&vJeZ
zgViQvP;wHvlPA#1&Jj5xKQig6%0%=CG{<1tymqr#^ztBRAIsZ=dZ|kGugC`6uA+61
zUtr&X2vma$RiRen;0f+_PpA4EC*K73FIR)?DVirg_gI`(Y%&F@Qn9@QZx<8^?r--V
zOi=Z%UKO!n>El&i3Srj9m`bEP6W@Hun^?yE;(V;|qD>6?M9bf?E&F`O+j9ozVpY{m
za{hE4*ylAE&ck)Bnn|5X2tTDw_}`3XW*4>g7SdSiaGNY8$=3uI+9@bL8eS>8%$LnG
z%%{T!AibB;^V>lRd#O!yg+<CjX2Q^#Q{60lrVZQAUC}L4w3?1R)_uZAmy*ZAP@Ep-
zL>KlHy5wo0Bl)swyZUG@4C@SH;a$J4lV<X8ZJc0r5wH{G@myzUu9kduurM-4ac8QL
zrSQOSq;l7aDbzGR#7YaNh>Grn`#l+x-4yAlAnGy{??;oo!c!V1SFu4VOR_`HfmRJ~
zf>_jdanhcI<{M4&*a{;z(DULt6uKbLCoaefcjOTG%3348*Ao-Mk%OA?xy#^nxaBSd
zMW>uchmh(xHMw#7V$mXh$ShMEcMGFOEuZShTzdS5<fH6w@5;Q&5XWfva8QeEb%-tq
zt|iZ#FE!}I9uqRIs3{evSIxd-!w_UUi$OiRYS-_^w4R-CsoNmGzm$m)r<3i>7>~WH
z$6AL>G22dCPOsj`y<k+{JubOz_1h`8Q$B(BDjCAFVWWQPw<}%<S~z&%|8Bf{*=-{*
zJlS#l5eROGQ$R)p=3vkf{i5XpvP`*Y@G(wrh`&%CQf3(>hL#pC)M|4LaXbOxLqPZ!
zT(7lKTPnVI#4V<F84;y8YJ=W)eqd-rQ%rQ-7L=**qpeU36XFOD$FfLU2`BbzY%F6D
zZ=#q}ERI76vM7Y8mT4hn5&>Re(OBq9O9$X`;d7^-;)3ga_0o~<*4??F_u}1cKKb1o
zY^LvUZtz>{xY|%J8Sd?{^DD_J&);zt6BG0cl@L|x%HPa?0~bKCD2_i;i2r(Sc(>%(
z=miQR`LvEm%w;s?KRhy=^EpS11RK9}RK<JDAf-XumC6n^pn_pZ1rL_ImE{}rH#Z6)
zVYDjQ8@Q$W2(WiJ_Q$qcJ4LNTAgVk(Z8Q&uMd)`H*_RVKt#A=`ru`{GNoVyj=4o4h
z>QaH9@8Q80^tp6Rtq9>v3>$w3d#icwul;)%S8UH1@6B{5mXuSO9=*F2Pn>F1u`tK@
zTyDbMD=-xCzDOFEvvewFN~9R^YCi9X3QCvB^eg;vKS<a3n6?qHZ!j|TwQf#3Kj11e
z^7_SDZrD)l0zvZH8{%k+OTf}{Eu#Zjg4MM4kHyAodtQ3|7&`d`!9D0p);lS^QR|87
z?j$E2duAa|EH_OTp_DOJPORV9<CqP>zEEx9w>kW1yk7U&W|+K)Z%c*j_2BO_!CD4L
zRiYJ4Ew6|}K9^ca;%6;9kK4U`Iyh^+CaB)&zH>Zhp=o_16uxqXZf2~1^9H8NIw5G!
zd>(!a*>NY|IYmt_(D{NTzkJn4t+bicbE{14vTQl+gbrlW<EVgq2K@jo5GO(JJOC+N
zCh+9^SL9uO9)NlkG<#eJ=v!<?9X8@VWkQ*IzhBJVbo;-6Qvb&7-5LIIw{&eksp*N(
zXglDT`>gj0{`?QG@5$z^80YU%nk))6yST@(iAG=_BAdoDRBgx*G<FYF3|W)d4sHr&
z>_b^v7^Eq|neYR((cMvtVUi_=#}bPB7$Fn4b7$M}!Y@rf<>^NO@xN{GY-wTd6a}1m
z;%nlSy4$omNDNxwO|OZ;3}wSMqIkE^$fVAi!G+*($_H*EE_h8@1ymS(Ep%oWrJB52
zxuC4^EhTdlJN&YGZyo5eq=dzr?=_)Y*UggzI{mLr&5>gLI%hGoBG@*=E@8<?+3fOT
zj2>*=TjVqL(l)WP*A;k^*#Gw1P3^WleU?6r0npaM@?E`AciJ*r^1`nece;y<u6!*!
z%C1l`CsCdj(ujr^fwX4vQ#^78R`?PC&QR8HhVbs9*^K4OGhE(0N~B8}HtDaK`L1;R
zMb-2}sx(PE*~j~~j><PHqC-_#)O(?Jm5#~^I!*-^_-$zOd`CP{*TUr&H8_G(A_J`W
zEmQIG5MWa*fpbrwfR?G65M*j~=z_u*rmOtwq=lkb{*wX&!`oJOU}RkZ!t~qosH=WT
zG-08t+}JNJPm*CF59Fpko}24>&G>#p0#7yfpJL5!vcApm+a3n$<{r|@ycsV$oz?r3
z5&W(B6EZEPQc7;_upH<FzMBfPJus<Dq7N;(KBSM0!{&Yf>?^Qb1sHAW-{^~c0)U}_
zu-BZAL)`(u+;0yEf~3)0{x5EHfRc+3g-=ZG{`6s`>a*vVi0!JvYY={1G4m*0z+)v*
zfi$8gxGZpRm+<I`yCdnhZu|#npqdcBE>n7zh|9o{bc5LWFza$1FQa<LtulHH4tfy#
z)QpTQ9;-@x=>z^!o08Du)0h>_(un+UGje(hYC&l?@olg^hfBfWC2_6fxqP|3Mb0N|
z^|>D2DQo}q<nUA3m^)AYw=E3HHSaXWX}P7y%BJC00>Iq`?ZQQ!2ScuWL^%(p;D~8}
zwpiaOQcM)z6!RZUutGe$>vywRzE_*U3g11-%@7t@5Jv^?b)Gj5%GuN~OYpu9-<!%9
zUW>o%<EyzU@vP#F)9*mVy{uQtMuvUXW8cM%&*_7>rk-knXN|)0Tai0|g$hPF2yIPH
z$FbgQC=>E;gVn%BxRXqu*Ol`UwdTn>5#1!KZk8^U(TK8xZ^oQ#TgJ|j+6z42Fj4qO
zvkD#N4d+~-66-}ytR@+XQ@^;o#Vt2fV|kgSU2xGqv@a5d#*O2yrtIkoh^mw9Q|AY@
z7Zsc8vd{Fo6rFe0AYXW7G^TG9d!1CzKQv>WW<@Z_-RcL~Mdc0B-2BSjcTDe$H|eL5
z@H<`P4kIRX8IcK2#I~<DRao%09%Ia&rcg_hZDTjfy86dKsFLHEdclMJ*=#NcR~{~z
z41`j}^CfDOlhR|0txC=7DrDG=={q+Q+<%H(unz!%)&ajyAM9Bj<~Tt43H0*^z|w0E
z#5k0seDnu=n($}42lBhS9Pt1q=y9MA?rQo4ddgCgH=SGzF!KLgt7yTgtCTrtl1n#Q
zqVh#CN?2dCIxcV<m9?&pa9+mJsnI($L!FpFek}l8yVd1T2*uT9ISW0?kJ{p_0aN6V
zn3nSo5ii9^m?@aJUN|Df*{uZ*%xTp&o~)S4nY(;DdLaIuUZ}K2e`jdQG9AnC`|wGO
z%nO^fJ<`Hk_<h!8ivMO75mvO%R?EgytF2Ci6Wol<QYil`ao)`!_7y*YbRnPRhGe;S
zKO!wFnTTE#m;RL7c==0$&6lgVY2D*X=zndW)WmAy++Ww6A2;@y=V9iTe!pa>H(*bT
z+cG=l4V5M`a!h0dLWmkSm~aHP<*e;(z4{X|h=tftpE1N}Ak|YBAbFj!)}aRH=*8&8
zu4Eb7cEt_#Y=pK<awDlZ<IKd-*4ojSHrlnDss5C<fYxeW^gO?8<4l$aoqi%>{7x;y
zn%VHzNIaDOC5eFNVcJwJ4$)KojRl@J$*fe*1}px}zbyfX5koyLyqTK&AlV2nlERo8
zFiMc6Y}O7b!S3k&U4Y%OL=nZF4l)=!bD19<*L_?kZ8A0kdnGe*zm0OV=3J}_Z*rpQ
zgC<4Bxbyf+9FMCj>JOjJ26e87E{xg?89XS}Q^bTfWQfBk*~WEdin|D>NYo!U3aZx5
z19hOQQ3S1-DNPOJA;vpjS4T&27lES#0P-Wd2>mi%sJe90)m&?eC6rt7NepVzWpnaf
za<`DGVo3MUmEEaNPu(G4v;N&FEc_!7+0OFkJt<tWYRE4_ZS_myOOf7{?U4Fs%LVfI
z9i23rEk$R@FHc)inG&P8F)}#R-fWMdU3@R0A6QOj-pIIK(*2cT+=$)SggNy|12E({
zZx?--YSp0v-4Al<tdROdr|d+FH3+Yfq%KiBHRs->I<F-tiWI0zJ@F_*4@w2`s5xvQ
z$2;;ZQ~$_Y<vUX*eTR2;1QwO0fZW3HhC@~noxQ?_t5;CzsS)m-{Yhxs1S9-B-{K}U
z;qQjZP}6vw4x_gA0@k^fG@!2bLScIzx<VMAt!0KST{KX2NDQ#M-ptmha%1f4)T1tl
zhiNDnQ+oZXw41h}#XQU}H9pwV^_`>)pIs}Q+)A=5W121Qrf@@SneeZ?;1We$eyA6h
z5ZI^vvz;~pO4Goyu??#%#l%D3OnGjP&~lwl#NkE`bK^Qw3Eo{dQCdZZwGW5cpAlsp
zQw#v2t+i<k2U0k9=90pua+=Y1zD_vlPx0CkS<#}%<>$2(<SAE|tD;hA*8t~>e9q3C
z9g*Vr?GMjQJymyvv|qt)v!*OY{{|~fxqeHkJqWS|TNnuQzqU7o-Yk~q?~9JkmA)}3
z#TDAm%w*~ECD`2%n<Y9h^J~KqF@L%TdfoxV3lQ9^Cm@Nl1OT-LWI)OC|7|@NZve&(
zy}-w{Y|r=qoyE<Y-x0#zI^P5BA)o)ZNkKgWus7O3+BNdbBrm$3^JXL%@Oyn8Ec;Ih
z5tBPKSHGXC?~TN5E69=Jtt09PTHHVKkZqIaa*#=($`F}=&c5P%O8wiT4K;>qB?)dD
z-o+87lj||Q7Z(19cq#uUk&I54GR>><`fLzUU$;|wRU2eis(4jwA(ey!TJq;|q0;<?
zI3+O}ndOajLscsAkaa;h8Fzp~j~@Q&n1Qvc^;CVmn?6n+e)d3YiTa{-#rJvJltEiC
zgfl5z1n~3%dze(~G;7<yyy~_qi+29i%F$6Z>^{iz8p^$ye9DeJ_V?_3E))$G5R>;9
z!1@wYxK;oBwm6)ycaGR03#-$blA>!yB;%h@JMgG%(WMQBt5<WEW>O!&a-e2=dF=h!
z_5Y}P=iti1<qLFTTN6#JNhX-s6Wg|JJDFf&+cqY)t%+^h_SrA@-dFEe@85H}YM)cJ
z_SgM&uU_kE5_YjfypJL7F1)nw*8;Y#<5FvUYJ3g{p&Uo_$m43F!rmJ(IJAtTOnib=
z@kJNh=wM=^P}H&=@kXbq80M7WJ4UEkkhi;qRrRtE5#`@wdo|hZc>=qHQ=;$QkfW(T
zj4i4kCQxo^Cbu4+N5nc<cW4{FzK2@c_amw<#JK%Y07K)gBG}&P@?`P*_{s5|hLY>i
zr06GF!LXs+G?vg7zB1(+G!N^9`;S$s_TyZp6JtC7l%S@Sl&CBj!ID9BO(-|wg?~v?
z5nUZ#k@6}Uu1sq$_Gg_*+Y`F=v$g104lFixg-;|$ilw33k#vc9o?Ci^vedjEGc7s3
z{Xg@Mv1DXOwm;24{DRMb>X#V7p7$w!9O->P8ARj`pfJBb0`M_^CqJnKUyi=y0>42y
zJFh?mKnD3Kll-4_Hh0Wl0}P{fKln)psJ?ZOfpNh6cfdxs<p*j6L0tKLwEhRLs{q84
zA5*{Ghun}x5C4CX-hbOr{QYl4-G|+wU+(^s9OHqxbHM+NKXs=WR6!oP^WTT|0F@v>
z<xyWjVZ_gS4=4lt_yGuPG_;p?5D6-nK8Rh^o|TxI_m~?UD=^|ZQohm8&}{G`z6!sT
zMtQPC$l@5kOtWj|w4T|cR{N`6qAF*CLrCu|Vp2C-+g+5{>T{O%s7nZ=sq6vM0=E3J
z+3`~*=`n0lICrgMCTBvd!9YT=qV-2On>Ba2$-rE$oRD7i(ZZ)D%*9B&hi@TyeQZPb
zR8psGt-x!p0vpVrpu*Dguh%=3bj2y2*Ievoc4FguW!jB(w^4|MO2=wJ7!QVT0jL8u
zeCkut8X_9;WAK|u-2>4jTl`(wbd@E)cu)COhiDq>EX&YuZV%)1f4-mfD<VTgRTq}p
zA-F`7WVN}b3$?X5@}8Rc6c9HlhP8IiS9G6p!|`I>-?ie&jJ0W3kS6CE<m0WEJ(zlj
zmET6R76v&Z;wFNjvyitE1cn(m2HQK-Dnq0>uSzZRAdsrxY}ZkPAG&c?S<H?%$?ZS<
z_&OdPYJpzzbCm}*j)n=I4(B;&U9{D4W+bnt`rfo4%st9I*%y+;-@IPK`=o956z^~{
z<D&DUc(5MFvrVTK9$E6+N6<Q)(OA7_C94oE4ET{f3cZT=X<fV5zjm-!(nz0qh3pfh
z9MXx~cLyoBPzCJjO%t!TV^3{2%9+dpEtUyB6Z1z)RbUYEPsyyVe1e2dyk*<(63MPR
z#q<q^aV&|>6b+sad_e|++rQ>hU8gNzuUi|y$I~kg_WN5&>@l#?1qcFw2G9o%-t$KE
zA2_+OX!>ycx7MmJ1G;Uxd%B0ZKu-^TO2UvFKn$+$68}Vb%8|$CAQ?GR;R6_Emp%AT
z7n3Q#<&NTlV>;qZbEDtZLe5ohqQZ~ew4LxUac?^<lZCv^WXI?uUvecyHKfc+fvSHa
zSJc!8GKRw6JvaHezW8u)s4bft%ZAYI%)Um#qa@obWLFd);r5x*477nil_;8c?WD}y
z4%^(yfzS)m3KOU*{&2PQK)Rv4<WTi_B51WJH|op5;}KzZKWsF6rhc;Y-MwILC>`;H
z4zn6eW=qi2%O!<^%G?*WZrSektD2-3$w*{wzFpm9n>oyGF<uoSh1Af0wLuU}JzoDE
zwKG$w-{Ql<UiI5*vLprPC?NlntF5L!A3WbWqpNU;LRzP26se9u_e~^2Yg_A39tRmw
zuxdyU1s`L9zT*IfM(?)<LPhnZCC?UliJTCA7_Y?PL)WRV^9;?Ppe+D7iMK^xXhpvU
z_V^6rbwntA)PCV0&>%d2EF6YS4yzSb^+c@cyz)tRv0=-9N<PlA7Op1ACl_AxWFQF;
zj-j8SSkKv;T<3P0%wpbivrcQhI;#HIYB#NR<K1dptlvBmQ2HJPR)rJo=NB9&XrB7y
z+CdpR=Q%_U9hiJNeE+oDG5ywXxUp@V>RXm_66k{GDi>pH$hc{+@?21E=5#5<8jteF
zuvbW7bL(gFfyCv>h+x~u5v-Sk*FW_D%l1xD>9aJ1pQx@si@fYg4JA?_!*d_2zJH~f
z<Bl*6!*YWQ(+w)xEHR@?eM;D6fNgl8RHk|m4e`t{%3Ij-S~4_OO6Gq0z1_2kx`RM^
zHiEA@ia2V$HWE^I{WbQfq})ZSX3XS|=z{eAqI@3`;XVU7$V2V{0Bz0r<$}bJ&0eRh
z2Pl14lD}w!<DdiH-hLnZoj~)cA2IOx<;|4hb=`B_53m+UQ2(3Xdaf7n9yy1~|Kk{#
zdIpZ(b21W8{v_kzevXpvo&l6MqJfvEcVO$Sn@8Jk6l&X#{L4S!%N;+k@+sPRN5qp^
z^2C1w_Vjr+6ZZp0X#m)(pZG2vAU6T&qSHk2CFQ>dz25e#AK?6f^W`3hfx-pxr+^?n
z{PyjO0eqD-trQ!$9t!)~o2iEw?8)vhz|R9jMD^)Sr>MX7=z5>`%|Bb2?ZG=dk?UpP
zh0aE8<CmB#s8z<lOTJDIHvv*4G(mWwvfL0ynlR4#QHiDGb}k^8qa^vf#MW#}?Xm5n
zflK@6w};^Q-5)EWi+``++g0&gy^i<WpwT5x7az;8h6hxvm(!2x4toCh#wlQr=TnVm
zy&1ee3VjRxI|RpJnzlqdIvL^5Ez%G@N)T{@2aPUPRW41}=JWPlgmXhy-E<bOnivLU
zW>f}Wu4e9;(y6vNy?o#wdJd$dm8Mun1>E!%5$C*=&qcOY=c|Dh>xr$P=R9_%|5BJ(
zuc8%X5tyELx(vHuUM15rt;5%$&T~lqq$f_1@oyL$mSL2&2K=ds-m7N0g%6NUj|wP6
zeeER}ear%9O7C@a@NxoQ+kJQfqxlm~n$=-_pMihbM}+8=SJ4lpm@c`e&pNj9j#iEN
z`m;+kopr1$_TqM}Cy$n|&(bERR57MGS&nZgK}K>}6+E1|Pujb@8T*NY@{b~ZHtBXs
z$hlLn$l-~{<m#iTpDguM0V}JPeXhYud(D{m;;HQPInb2VKk)aR7eXya?D~sP^k57c
zp#WOSK57HyFd-KXDHO}q`++9xp;cJDQVsM=r--+v3Hd35Kgt3~A7-4$b(O`ok<H1b
zC?_2y217_?F_bIhX0TFz`Oz;V8yNYcP4lCRw;31su>iyiFjxhY9PtPKzUv0`V|M_j
zgU{lDETsOun?G>$^uJL4Z=tZe=!d$bcLw<A16Nc3FV40AvJmDEy_}QEE^DbT^#7Y!
zwLIh;HGuY@PXT@$<7a^9bqeYqK>VM$`TDx<|BLH+iJ5!Td;V<QfwW_H{Bi*R#;F)6
zl&hZ6{SUT#pr(N9EWW+10iZh*`1HfxC-(E=SnoIMXijo<vU@Lvk!(ZA7CHGchGi%}
z6m_e0a|3DuN$p_#rT0*XDgUFExK}J-_t~vX=%zbi#5#*Ip!85aEiwMB(@2+jbyeW+
zJB?J41~XMNp4R1kxm2KIu{c8(C#xaFUmUWfi;w*-P+&4$bc4OW&(2HVo%6*&zkM-r
zLcLU{gtfSt)*&nNXtB#v8q;{npL4&oNfYtnVR+ILPXN(uGJ3bV_e2SAptYR~A`Yh7
zrM*%eGeD;*x{OV4>>0}2=c{BIv`K=FVP;FRk$%(ec`L{;`xb3!>~{<5L*PH7y1)_}
z@3aYi1Y@a#R*#cwk<DH5F&P-GNBKe#sFAd~0$Z6)m-sqi8&l1TyXqFZ{YP4bo{Q6A
z6-5b9Lk{yWR&56}Vl&2oqa9Ad5rTr`2PoS8R{&ejqe%-)6odmt@Z98D1(Vz(qo0VF
z$A$p8Z6dq$GqXRqbSiUV(QwCK>qplZ_lz!LawsrXD%czp{ImyL*o|Hg=Pu+hOn1H^
zwvQM`9!LVXVMh3YVSf-&?#y%2vSsNeZM=0jwOrH{h2Qvs-hTR1P8q}QcLH(oUW0EX
z3d&GS^g;awCrBJcY3c2l!8rdTYw`RGc;4ouw6rE(blgZ+u~EtBUC?H-*B9u1RB1im
z_JNkxMEzHPP@`d?N4vqY);NCiD$^^2I{*-ocxOL<vN=W!kmW|RXxPF?Q-fv1E4r#E
zYEpgd8XLrG-ja59B-7}WYf1ERwFhDgRwOmZ_>*wxNXJ8|8(oj2H<(o?HCh8kD^Zd=
z<9(BKV|Q7J<N~mtoWwqY#~w({SlScvF`tES&7KymoeF}J_cMDv<3$ga#}fA~sMds6
zW6?&4b+b09*sHZNu*+jyzq*!KM87Bh9p5JkwqbZar2G)KIlg!CVppB*;ajb+nsSe%
z#b1tVFbE0uqs||VXSUq|(<~BQN6akA@Wx>Jk-zmdIaEW<UF3NYawOh`b3nhJ5k6R|
zw=at-u}3If>|jIfFq*jkfL0vi#~B|Q_I{cvakd~M-%~8IrVx9P*9){U!;u`>EmI3I
zOP|tqHqDTxt8<aJx+AmdrlV$>O+=6r<tJ-&-3CVtSrWdsld#b{Fj{YZk+;TT?c!Gx
zrX9@DK&cU*Wxxp;g!ydioUz&iR=DkXFcBt(^rG^6`O@><_q#+9gW@R{0y1o+xqE7D
zM0S76fZT#=cf*ERFOGHvYQ-Gpn+e|ns9i4M{Ff%455{y-oe}+~f?S^RFqEtjWKTEA
ziiTPRw6+)lQ-~berBY_8RJW2TPf{AnyD^4+_^QzAtMTWjM9aH!t@BVqRjtw&q$Mm`
z?JhYaZ~CG{<UjA4k3nn#I|zH)O;D(k)maMP%L7wz2mtMptL4^RA`Sq8=G`;De+||q
zND5{*WC*hvJM?>t%!LN+ts#AvtFql!IruZp2`RIz4Pt%|-V~U}Bn^x5f2)euY&xNF
zS1~<BzMlII`M&uY?Z21HG<`C$qk3r6_a;d-BDhfl@RSS&%Jor>#@O}ip*P#x`Vegk
z_nd0d3<Q{YzPp4*h$N^xHJ%^qCmJt~D(({OVh~7}`fVN(e*0Kay$VUs39I%|^$_^G
zI`wvGeh3#onN*;xKmWzPg$_)LdnHeHNT8w6zuR(@OmIpd+jkG_xT6pjq1kWq%f&i@
z_HuCyqx6qo>mmL@4{uVUwu32)DDbBu>CEji75e?s5S@iH3{+4LJ<er6E?>X;a{g^w
z!yen$aNcza934u(nQBWbvP80SM^e;ZmDSPPO!j<*>c9Ei2%4iZd7F^tLO>6vLrD?h
zH{l6a`%$;~@<l*-YmBDFry9Lk|DPvYh*M=!(%&Zv^5*w5cIn5XC+&rAD<6~w+^6$I
zx8HT{0Xlv6YcAxcy?ko#;wZ+|DDgNA)TkMWlr4z6m(pj}<v0y0fiqpCma7fv)Yn{-
zn-6zHZmEA9JPQu>ebKMv*6MIr3h$Qk5ndcP56w~RJYpQel`p2+0{IhhL<Z5)VtB+Q
zu!}ctTvOpel4j$ozQ3hHkWq31*!IJWZIxLQEE>ffw>``o#1sed%D?H@zu)C_86Ay%
z(kH~=r<geO(Xh(yXnXr0CCGVi4)a>Zif_>)Gmuu=3qg$OQ!PUan+UxOj>Zk$tG@2y
zV&bbu8zhRSq<egieFWL32qEHSmv>vXF&5*e2B&_Cf{zi`TDq|aLIEY@nXcB<Q&ENX
zsT|i*JNh0P4dwB{kg9Adj!C(~#v23|=N#7f8AIH(n>Z*@?qqa1w6)1nxk9@3uxG)A
zH^`buuZE=^QXVQJSvgTfMA?;Z%7QhptL6q2^l08oY*xx<JcZcaWB+23`pb~wmERrq
zmB-ZMU4+It%nuK(GvH=9f^ad0aF#HN2o?H&?O<b3yiD`;G9go-lQN)<h3&?v!_#OY
z(^NLdI6_+X+=rq)Rv%N+%>Ul$M@^bKK*6-4!5Y17UeG{KdW%r`Yq|gaH-OGU=0rSi
z4ZDdKt6!8|juDoEXmSZWPPOCAd8qdcBlZrZ_xXZeW-?bUKbCTgcC@Q^|MJ1s5$!?d
zyDCo^GB#^S|14rQKC@WQ*H*`hmlW6lD2>$zIpO3P*|gH|z7R}UWIfu8>yPThb2+c^
zcp0vPOzfTs-?BgRPUEAh*Ag8HM!XQ0MYjQ(U|2aeU0h<O)X6us-s}4LR*GQEIO(ac
ziZTW_TISj_DC3D4gd9KVF(z{^2R6mGw1O@Ark(V`(M4~fV4r@M3dWF~mW^0@+>tU)
z1D}}!ry1mQCkS$+z?lXBBY|LGYT@%^zmc6vV9V_~;^Y779PlT<XA<oWaGu{Fp!Ppy
z_lzI?_B+ad3hMQxdoPAH^xslnrazl<4ECT5z!`);{l7X#`*jNLm|u}&&QCWrXwgIq
z+#XKb{ypcDn7j;#!3(Z%UsW_7MKnC32P8Ia!dLTFbFU8AGF`6eN)BW+V5HU7-glks
z#LTI2vetvO25Q)cDEg@F&_aAYY$bhe`D3)wiF)ZprGI{W&6Z|RUkYu3KNA^DP@&*<
ztO+efjT<>&MD|-NM~_35Y4TN_Qy_FxTy~KgA3<cF@P?t4vL?;5)hQK1=H?eNK>_3+
zJWmR-Rm+{!ahV-TA1l(W)FdR71lk?deFj<)>&~Ny*hKh*y~-IG0wFPX0+&+1f?1aW
zqG4Q*3&%nDw#WV@X94%t2w1Yzp}m)d1zBfK6Hcz8FQSxM(cDGwH{+a&mfY1jOq-pS
zlJ~k4tORDOAF31AN9G}1Bc(ggzCY}exyU}6&*T$8!M2n^1ee$K75&3wEuf<LZ;><O
zLoh1E>uAXjH>dRXUT3;!1-c;9)EVnoXJ;h`2vmox+}BGir|ipT9jsYKoRUWOUauwg
zO(%264acm6Dlmi#i6ZMnL9MgQf#9DkGvBsUH18VyUd;&?NJDp4GaWreCS(LY@O2}+
zA?HIc_nzgSe21-MvNX~5AL&Gdq+6y+_zg#SFE7$7j!q=K>kzZD4D|j=u%X{X%|s}K
zuB0iY<lYGUh~D^HEqnhb?;q!p)D>bmOt+6g5!XynzYMk#kj?ccT<&z#n~4OMYgkky
zhI2{2qkKl-esl<G2{_6Dz)t-N<^Sq`ASGr2sd+`&DjBzJ{hjh4+0%beI5jinst;Jh
zmz%PNY<}$2&usPWY++*fMbRWeHsIr#;v|1`#-{O@Bg)9FrkWBduSgQYx5BFOP>$Rj
z_y>_LL|l|O4<%A*2b<Ry3;gRUtZJ{4G%d#T>kTRdQLCrF1rXzQ(&50mh(KCf=cT*p
z#BjKh_^;Y6iyA0KRs8rFuTZ@sbsTOHTqIC3ZQizAWjt23Jw>4Mw!+`Giz#+kS!;M{
zmh$Z8y4aDML<n0kz_wS9V*dL8nIAF8{dabY&y%x#Y#QFx-w64h{35{tq`p6E_103>
z4P_E&u*vt(z4-8W)CCxDCc3pT=kBn4uHQ54=n`Zt=gNCr;!D$M^R<vFCKwm9>eEj~
z1NtP(9<ywYVX5{DB_k81K7QPCt8_~$;Vv@iP5og+w;1v6nPZAG-+YM7n>e3;xNL0c
zf{e07|2f2<;<{sW)#I1313OmV5IqCpJ2hzCTo=v17BOjZ%8Sk>gVPO6Um>K5l&>Oh
zrzvaXxT~of)-90(`$MP_=o;{+2J}IEP>y8DFWWLvzuIu?MVMR*4@NpawDyttLRJ^>
zafp73&R}14Qt64ZLlS{^4MX#G&U0Rc8L<F;ifXj03X3+_aV@*T9p!!hEF^3PCbyWC
z)k&aeVh^_Vdm_^IW?Gw19)NiG@68KGAOLhkD*l@vx$qevc;Kgko%SoVR|S^VVha9u
z5Av&ZOV&~F)%luYFOOCz($-FH`~|nIy&X-yupJ+=urSV)`b4#@5Zd_oGEYdq@MEvu
z`yILx>ebL!Z#$FqEwi!u?40+l>)>tb#Vab~*l*x%YXh}llo0O(^$jyRrk3LycXM!j
zc$Eoj(`b^XpLzi40DAmDg;%%RIty1$R+mver8M(zdtZnwE^vN(nJvzB<()8HKCWRX
zB%}hfKca!?rMth+_99~y!iI`5*?wKY<k_u2?FUrE)~=?Sw_7#;B{FtZ`HF2U>iCyA
z7F$;eD+<h!509yQs>ji3_v>MUQ>egA2Yk2k_&=!<Y<KJ^UD}E2ndm}VB|McvYWoSk
z%d+A%XT^(3X8dd1OnNq%yWoKd^DUWKvVPBLgF+;IuDMvSyiZMZsY`4|Equ?nXjz1i
zN=~J#(g={xB6dF*K^pYs{H8+ros(NJ=A+fLB$k$tf<Spwp`u9k4VLDrwWJMbZ9#+I
z2T3cmEg6nMaiMK{sl(a_O`Y8znFGQZWw5aqy=G)v_l~}z-6mvn9iEB`eb32*etP}Q
zdjJ*TSMPQUaly))^3{ZKr0$IKI>c^e{Dbn(B4Y4nCkhp1nLzg72U^}zS7`d=F524m
z=xbMSg(WZoYG8=q6{M{6VZocjovkMO3}yOYzj#n`_9m#;!DAt5&x*&sD;qXeMjHw_
zSX`0bPc(if_S+$C8EdL+tja{qd}dYdAG!F?Nd87z#;d9PSnYUgy^FS~MDQ_#z%8X8
z_lc))_l8Z6!4#Xbwpmy0c$NxTP+7c03P&q;EeD`(obIXRs7wBQ;7YbeX?{@3y6Kml
z$~OYS>U|wNs40?{=Bcim%RF}*_L5zVCY%!&^~oiaZ<!;!G#xO5Pm#FHD@ALnhuB{1
zVBgmtSMhqMjcn?WOFd6(aj6mnr<X^oA#Dkm#B@ke$g|sH_xoEy+O+P-@7MZGnCWLb
zLH_4~eIi=6VDH%*+PvS&MH__JfA+sm=&D^|b4}Zd0ktN$a(|xpy$K#<`7vx@OGUT#
zrX$q#lYU_Q{8|`Q?^Ygvb>0=V=8IMOejbqBe0j1b&V77*fN)^G^jI9g6N1C!YIM;w
zWWb8PCxNtE*h2A(u*n(62*G{W7v}`~8*g00U+OlhgLTk==2?vV0c^Vn#?zT_4JzQF
zdPf~;A=cr4bK$sKTmJ@;hIP(BYz5=FQaWJX+Hdqn&wTMKF{hm)qT%}Ql<=+muYqIf
zY730PxW!W$FI~()CJybf+nVWwZ(v}n&QNp86KC3*0_Hf=@;138r8wY@i33z^A<vDE
z^{(pYcl13u2iijN4JX&)#Pfj`)|2oedw`%En(YN~%^QAY2i5~gj%WKnN>BO;9jL_?
zGQ8f9Xvi}uf3pay?<w!-r+;eYb|C&ptbm%a3V;xE?>AejO+ow?&&Lu&@^{YkLh)4<
zj&OWK11kci&8--I-@w5x)CXJ_`3o+j7zcKrPEAId`AGeBBO&U4Tr}+*KnPb?FAUnB
zUQ<(!I5%SR0AK)m23TxrL%TaMApO9EL1O!W*1aD=_gl9f@$Kgtw9Wt^dIf|6z!s9<
zEk7mQ>Y3dYWUt<K@&ho@4TO~f8*rOciG}%`zYE(okGCJlt3px86y8~<O(HGP8lMv?
zZPzj#_lV{g>Mk-D$(hx>$dL7_Mj~9XYB}c@-X?X44i5)jTG%2pewFcQEup@xmNt5C
zhPalWRX%^6<@Y!1i#YV~!n*=f+nLY`NGL3wMbT*EAA~>1beHRr;hkbDjl|D#74fKO
zEqdjcMCh?f7oz{PzJ8<6Bnw$af}peMj`(NfVNjslw<JPdKPKYyH<7XJ`}};jBA%XQ
z>(`qz7%ceCZEk~Z8B>q+QR~2p2+<*|F6j{?%{%xN5~FW+Zxh(d{-x;@Ax2d}I92u1
zVPm#vU!7|H?Rid@NW@~goQP0oaYPE0ZTF|ND*j7smf@rDl{BY{lmDT9KuSqbmkANE
zhy1a_TSgj)K@wgDwi#k@qy22F>9U{+cTM!DkX{8oI3}uCun)?l`jls%%@DCJA(K6X
zfD$K+xtrGtfHZpw)Utnqufb~*Mqx^S>AQLUkxeMeM(6F_#9oj7sGeOyw<-be)-+$j
z%YJvz7<_JaWE}A7cogOmS{b3+Ox@2|F3mD@^OTy|yJI4naEj-o<ur?GrwmPQA@a*$
znDl6S%o9vAFnVSV*>!3biF<2OeUC0Mh!-kj4m?xMghf@TNg6u1p$hX?U=50EpRw1R
z5Ni&<n#^!4WyP68#zWL(vo`5HzaX$>2s~ZApk#)=5CQaVXaN4nr#A?&aV-Y)t3WV=
z9%WJAp-^9l;sCoDzyat61&#m!og2EJFbHsaNdWF{p6Y=A2HC!Vw!A?M|2ep(JxXxp
z#l<nwBi>BYzs=1HLGPIdjg%5b*if+-c#MTQhUM^bh7SxnGRbs4^r)gokMa{AsZvZ-
zp3#V8Y%oHz!9`M_Zl)O$eIb?ez0NsW-%Yh<JZhNz6P*B_)xon&LyrIbSkadwhW(o;
z2d~jEue!>^67L_O=m}>WvTG4IN^KPOo<q*E9Sdxv#Wfa(sf*Hu%9t4f{Sx$2$w7!>
z!s_2x7e-_*ityM$A&?)M*3jdXW8Zh+yw<Htdc62nG^Mkb7d@>uRMT$$Dk&@Mg|uD%
zoeU_{F_zn&>zK`Z&Tq{|@GShXRZGzBFgEK}S|>KkoLMQm$b|nP&8fIZEp&be=A3mE
z7}Cp3vz0s5&fu*;D%V8o0&^#smw+4I=s0ARyaGvwtuhC<+GX142`>=#pa341uGDVE
z%Y{PD)mKjtcjQ@pkFXFxY>{96>j@mjg1$=_=Kg0Lqf{8hAa%LpuZaQ0rjN3<D0uf+
z!){nYf%5<?9tA~c8{%4V{y~1ec&|V)N?O9YVma>l`mWw~zSW;=df({Lspn&OTO@9x
zQFo6HW`7p-%rT;WPpUWVp=g>pu03IYI;L>HO7h|Nx0ux!>DL5=C6?dM8pbRX126X}
zgCpr5DRHp~5?a5&&^ru0H5rkI<yy*)wveg+iPzOA8m4lCfzv5&>cR~Ii5&x4m7nVh
zI>3R*G2oZn9{Pzjp#Oaa;N$&a;O9jJ3j%NE0RrEi@YrX7&{tsNSF1-9@1G{rCn@re
zz&-Y%;TV48UqlbC=2r8e^S{(Z>DZCMxgsG<8^{U$5V6QdOD^uIz4LCgJL;6VgjN=x
z9tpXZ4WPf<-9K10>!Rbsr<hS;vs@DS{e)L%6)q5`%=`%VV<?`)G$Nmh_ZC-3^T@VZ
z5dB4#>ut>z**MwJxv2|_6`S|dG+i=vv9_|*yiKKM-dGUUw(2Af#8ap}?d$U8tz5b>
zVC=6oYaTv|-|1hBugWKKqeP8c=rQCn^;!5ROz;PH70bJ^VuxGnJ>Mn3>eja$v5D*1
ze@q|aFR8KDw`!&!G_6{;iT*tZ;?ZiPl^N5c_TlP({Oejp{<HW5ad^iHpMXMzW}NU!
zAT2^p#-}_KJh$%j9t-2QtEf$Y1h^FuKkY-1dfw?Li~C}23DIT2f-8{PA{)gcSzC2i
zVg@ajqEfdZ?b|+&W-_S{PdxgC0<r_s;(3blMbx;vSoDW%(venvs#Kx_G0S`;m&jrc
zwx0X?GPwzp5#KNVS9jUb*n?q4xu#!mPE5s>!Xqg$UbsZ$QA=e6Ps{VtF;2$~Q{GR8
zNsg&;8A07&2M@g(*7t^AY75JWNqPlTy1;b`idLE}td)f*=a^t!6pF{pUoeu5=E>yO
z#^!9@h{W+~Y~bC(FKTPN=xyNYyqt5CK484#$N4ZM_h%n&F4wXF;4N}v1R#3_t{~%{
zzoaM}jwO1nBoi>Uv-^CxYvdEUGxLmY5m}M^nTl}y6?@e96qVpS)v$;ADYQH|8df^p
zNJdc-R29}@$wFzF!QxR-H=V-**86j84654etpc;8DNd6#n3(bhTl53mm`GuzS#Wg9
zbKB7p9HJD00&iDH(j&}D0IQAR_xl!EVu;A`kH=aorNVD<%}kR!eDVt?=}2xBC5f4F
zlzMtAnW=BZDA8<{|B@|I>mX<3zMkSHi(PT5LIq7{BIX!8HHE|A%N_onl2){GsxG<C
zKKOmBP5EYX&9vYQS2Ju<KGCmPQh*5or<2H?6I+-5lD5Ybs0cGZ*+^5`^;4Yn)4njn
zXL6W~%ee^FoI*w}_xn!tS)rL~pjFXz6op0YcPNg|Uvg@aM>~^!IfdUx1ZkK&1z2Mx
z$d+2aDyCTUK+ndlQ{5Qci!Q)vz*Tq#prm!~M==b%2bD+Zz_t;2+oSSq{StywOQc0d
z6yx-f-F6<``TNRAz*pJK;u~{~_T^Fms&NDJNcOr{z3Ht;!`6UxYW(~T*7bHX{&s`l
z*B7X8@7FPbQ^jPZp?w=z_4e+W&Gu$X+Xi9tX{AvYsF(E2yRP^x&azo(rLm8YS(X*v
z?CR<ss%dxFrhkaP&P{%MRlui@<y#tN>`X&}*eie3nU|kC#I~3@<L-aB^8e@q$lie;
zkAC(*HvqBoNlCaQ2eID(p&+1rCk8OfUTI0t!|&xEvUvhNboWGGb1)o$EAYaz5^$Su
z=MM0Afyc6Gtx8JD+U~57xYmex8%Hj|bc>g5e}ET%9jBV!T}FB?uwrcxtT#<glj=<P
zi#!%`t{i=${}SvntDOR;Hs2-D7geIDSd>oz=V2|5<Ql`(kt;5A_zY5-7__J5LX!({
z0%*=EksPlHkG_Idbe%%uB`itO4uMDRWRmZJ9X+pN<>9kUl8Kdl9v_@gW6Vn@gH3%_
zbg9Ww?c!}{RXmw+E(7SGAJ>xsh5<)}ql|B~@F1mOvG?oQ6g&4W&S9F^rd(kK70<nW
z79?AjqSjuP(<_LmR`3P#e91R#sR<%*qJk9oLzyI@amq3eITM7Lc2=2E2TiloFaBh7
z$pxo~m;?fYrE}rNq~qZ+1Q8iJdkPb2TR8_uz!OQB(rkfm&Xy9DD`!>+wSr1y_LnM;
zCiht*;w~D4uk2d{k19dmO_mEY(xEKciIexqk=IDZ|HfdfG)kne;QlhAOGWWDZyzN?
z|9)h}lxX%PnelnH+TAz<(iY%Yu?<`Q(WI`arh&Ycq;J7`E=Fi7p;ZKP;9#*L`?@qU
zLi8-W#Do}MtUo@yU8lf<r5-pdi~N4RFOHC)0A-6)_j4V{zSA~e6o8Vq*+^_od{J>*
z9?Xf`{cUI-ulhUa2D5t3d%Onwma8+K;W<%VygXorV#=7L_-4Xp3IKeDY@GqLE5J?g
z=f9wlvKj}ms<(AEgqm7Kwek*rt*MbWjPF|Bjq;X$cw3QnWK#SWrk$G)%MQt;$OVzn
zi|KR-jDtglj}!-RG<HII<OF;s0wZb_DEJ`p)RE=-v(?-xrMupAjU(%~h5A2wc1Y^{
z53d=k2nBDAu!wO>5Y|+Rva^}k#g+E?O??<K>Ky@XM@n_KJd0F^1f5-Zd1fv;jAyVe
zxMhYXkw)ElmTwXY7nm8fx7u&Ne_nExoMY4r?GspSR{O6$1tXm+6IyisOAm8cp5L`^
zy<0sGt}Xwi#rZd-mADrPyu=XcG8EZy`@Wrd2o9}@8d%yYb1F1GkBV9gCFM+1!V~*_
zM~WRX<sEjciL%Q5&6^@)JE3nD0<#`-FjGv{vBs<xUf-MH{WgMesT1;}^kpG|WQWLS
z->?H=Oj64SJvbueJuQtZB#0TGC6m8j+>}N-BQnA5R|~CTtNO^nat$kI2;t_Z0GeB}
zoJ!}+H>x55ydANW#2%6&EsNO6Ko;=$S#fG=kK@Gn>o24mBorI4;u3+0inD#4h;~>1
zvJ8Tq+-v!P9t~!z>JOhqx17doyHnvjfixo8@UW@r2j!MZ{@s*)zcZK$=LC3q5iXCl
zgxp%_Ni?1w`qW-B1<x8xoi9jSp|BF_0-8;TX@(x$(l}c$oKXe|)u)E0Jy*tptQ;HJ
zU-Q|NOZc9-tO8r*Sb2G@7iUJRjS=y&XoH}wd>>azOJ^kU=bf3ePLNWPey5k<Oc{8M
ztqr(}O=}ON>xD@j8o2#%1<WQN);0l$he$Bc)`kf#4q8R{0h669$t@yyddWrihe~ju
zP<g3r6URj7tkOh0`mjz2@jnUtM}(Blw6Lq{Y;JR-#E=;l>CxC+$n4fXpB~9RJ4(c`
zxnt;=I@sS19iZj*JQ76oWMP3uxnl;UGh)fG(h5vtZR8c@kO2!iW|%}0&kt~1UhP<!
zM_8<5Z<EKi<vsz)f`7k+fh*tf`i|$ly#+L?+jPP5yy|q3J|fb33>j1{sv~OwbOQ$d
zZ^jD?_g_Va#msp1iX&@d0?;c}uLpCYn)jAzCG3O-bls_Sb`RvU56q8{6{Vk8CUS_v
zb*{+*o@l+?@UqA-DP%RwNlZsZb?Qd*6RXMBs24GkRIS3YS`jn1INoTLVjwYnn?BvM
zGhy+7<>p&KkD9AdS;6J%s_=QedjaMQ$1M-VG8vZFGP(+Us4hvZIFfcuN{v6o7s4QA
zAUl4OS-0niYJY4}fO26{VquiE5Ya{0Gi>4B;Jt){BdK)k8Z~Vv*P^Ij8}Y3(cTq@?
z<tR@gW#$8Z(hNW8TdcWr=soYTSE8B-RbCWPWG}t}3P_>#I?fb^r+OUnityWFaV$2s
zuc)!rvZY|NG1{v;II_}(HcO!`#fT_I0e}Cr`lNF1YD$AS4=3_bmtL~UMlt19S)7WE
z?ECkJB<!EMDx`1qrbi(x0Qmi}N(geq{3!+)fN~AkIstnNA5+9VKzn@;DZqaFN!1`?
z(|+?)5GmNdj)we#yl(q(x9$xv$ODW9#1S&N9|$A<ux^6q0=Ql=J0hKF9L80Af9dn@
zoUMcPT6I?rTbX>fS4Fx)E!{ipX*|Y^oQq?i;D$~{s^n*u`-lSOx@Dtyj!hk1teYN%
z<1Af&4AQ=&-J`ZvLfm-NBbDEtCr4{)y0W8v4QS4w!mY6`y0MWFF>P1V(y?&qLsUg{
zs$=>#aI9~Tf}$m{1N_@wjHX4sUN?m(BA8Z5VX}&(k1ZtD33pSupdMD(zemz8eqWeD
zG8JK{c|sgpsA8ca`|BcJa5Q4#*IAIj!wceW_)!KzUs*TNcP(cfKka2HetdcV64nKN
z_)62uyZ~YB6*mNnzmCA@sl(xD3c2y?gITUG2ToL8$#SZ8YT~5G9Zj(=D%|O+-UD*C
zWICL5OZl+kR3~>n9eu?~v>JC{R2{}bOqtNi$XgvRLv{n73&kD!CI3($d0hDzpAAFw
zF?43_BYvwQCRJQ-HY6nSej(-(vOngG{uo9Ge?v9>NJ)BQQ~iUl;?KnuCGtXez7glp
zw-wyC$v;P@#BDpoTm)fGgE+`FYAOB_C8eU=xGv$=VWK1&J_}n7E?VrC9e?I7QTPaH
z#`PbKF3<(y2Jw^GX9S3*YK-lW|Isq{P%AwF=V+Gi3pr0!TxZrIn5U#4oykRVIRmBR
zf8e_Ru_LAOfj$nSqUhAD_R#0wSAJXpN3EViw#q=yJBl<ln3Pz=NIs4HDq~GyzU>rq
zYY{ULzgDAIqNmVU@wRWgAUphLqKhHSS?|+0H7%n)tp^Yv@~Li+8nvE|VqnMSvXtz7
z9Uf?AHl$I}R%TEYaI0qtqd1>#VWCe(m}3z_Y-QEZ!g<wHyErf_v|HO-8}+zAGPE4T
zu@eW!ZQpRF%HGB}!Amkb_2crEOu)GMNQbye{1$XHk3XN`TGLQYK0nLByD~g;g3C?c
zsVSz@Ijw6O3BOC|8AoC5EzIy$B!-8P3`1PBcxzbBt#yy?vb3?|bT6PoP&-ZiIb7?P
ziQeZW|F&j^?x&TeasUK{^rRiDgWXS7&hfC&T|p0{_IogF7tXeU6VDLXWK3*NqP8=)
z2lNXun+EaKe!O@J^T><%kEb`}nn{aci@kN@r2OF^WAeV)7Yc%{nQxVTPu&a*h>B`d
zn(z(Nv`D;XJ&8u{T5ZD8F1^mwHBnKgKm7c^65#EMAeJlOcx8UcL%T{^mGw@4hY-jN
zOc?3^cjhgf5eCM!dnco6zQ-;3UIYfg+vS|uQ6LF1B8V~%co`po$BDn%y+w$ZR^<u&
zViOmiiM@E4zRbVnV2VKc2#DH~(1y(V!8@jmf+FZPx>r@6xygFI?3wp>J<C2UCAkee
z5i5g~!#&0sZ9pn1{lHYR+#Gv=23s71=Y_urCw&9r^^<AUJ@H0Vec0{)lGBdxshC;-
zB5DCJ*tDMjcMb)m|DGfNRcZR+3;1|HfQ}&Ufl2U)_buU1`Z<cI_L<-Fo&}S;82A?$
z+n2Yki6cL#->)H1t+tvm!gp$4QS?AhBQSZtu6J^FZJ4fLTpmnA8q#&G16%?Gqir*S
z3N@*Gal7bvj=ql)z#8*CSEQU_OR$O!@Qf!)@TE1%<5#=ca4)*{fl>XVAlCYW+TZ8-
z?nn}<ucRYy`Mag)-Uq|YKUrkTGVYlE;SCePrZ^qh*8JzCzb?6ZXs?iB9%k!RX>`YZ
z@2I%yN${LfhZA0<_jbYE=qXsnxA3%q^CJU+3>T}Ejz&6G2J`W7Uz{g&fvOaTt*o(j
z+}Jh&wQ+_DNcLtI6Em&_OXtU>Q8~Z1XU@DSdT7iw3~RznCHqGf;W!kmul^RQM{V~Z
zen*h}uTphgQy8+%WJdSRLo94hCnys}aJ;W!MBfOfMB?(L0$6h==1C~0Kr5Vh1V8P0
z;;s#qibpY}kJI%l(P$W+4+7U1DOk0$p^E5pj)NLVr-yFL(cWe6-oH@bpe6kYo?p9x
z-c;k3IZ|lYbhp>$&kldW7pB4On7jJ^waky7>!Xt>d`~pNEVx|ET93bgE6D`ou*Tp1
z^yH1q5VmX7szIX6dUFot{#jyw*n{uTLEBmH*r^N)Lsy<OZ3qU2q@cuzuhG^mODB(7
z##~^FtlxfHb7|xL<8msexAS{ZK!sD;dPZ4a40=ZSw-xz}*rYs(<VG5PJL?4-@{q@v
zm{=%IRJbegxv!rToFibZ19-6nNuhE8TN?UtpH$cOe(f9}3xcw3n-J~`!GBd#*1Ui_
zy$Qd&Pr(W|oYZ}Q5=6uZK;Zv<$T6rD$NOB-?D-#=Py|rBwgd%!PVKq>U!*SoFD$OR
z8UFvmCSIxmAHeBTyT=Vjeg9LHh5KJ4$SmcFxrZD53&(#qZkm??IPC|&&$0f0e${95
zk^hqh%cgw>$Sp=m{};^vr8#0B@e8Qk5%mDTC4J2Z|1_{=@b>|*cFsoozo&@+DOY2_
z0rdY~3y2SZ@K6(wa&l<c`Tzc(mN%gH(!Ks0@N@GQ0ofG-Js<ovJDR}SlN!r^qgpOr
zaw@i-{Z0X36F|rW3<8K(+H+NcUWSNVku*Tta)X=X^ac4M#|4B_PjHIqj`%WW6ggZD
z)*L`c`grSg=Bhzbm#12URBfB3TglOHr+CLd+i)$TzYI?(qUC}<<jwXKV?Dt<iF~Cg
zRBQ?4;1p;UF<oYK`JYrthd|YzLfUAST&hs&*^yL|3i#U?gd-h`d!j-ggUF7xSY57o
zGpKZGu50v}hhA+yI-mDU0ZCc-V3m%EhLgpLiqwu7q<u^Dt)S-bV-zswhM3e{bHG|u
zM88O;o|o)vsMtN}*Q}IXjM-#Xm}Nt5y~2=}#Kp!oY1;*sgB%@(@9^DYE&fhr*=JhN
z-^tk?^JL!o>I3FcE)ZKadJ#M*SukWyVY=$Yb|Vb@Zb0f33aS*d7Rh2eP!>cl_;sau
zs$DbFA>>2tKQPqdplMQhi>>;0h6WoYa-!1;=$?%@1v1*cXM5M0Oh$Vj{+827V=g*E
zHR22P!5n@=y&}$%4eh22USbphJEApDN)}x2!xehNal@92!7ngD8tm@ZT>Gvw$|H>^
zQH<6FAzTr?=PuyO>-Nu(cAWfl%Z}Hfd;gnzy(rFCk7>IN{>u+lCbHA8R<e|)VZGMS
zjhDr0rbaPSUhX{uLa<bB58e|iX3G^nl0V|dFp3x8oYv2;IG`C3r@zU6ah`O8%Rg+z
zoRBo6$wS&?U$%ob96z?a0rnaIfs!D&NOEM-4{PZ1O84%gOFy;b;6>I~Byid<i>_^h
zTV-t>nbqhEEpQan`5|w7KX`p)lq`*feG47YPnEd>f`HI!47_n)yFz(PPPm(?r>eD4
zj4kOZY&b4KY=df^cDPtu3v$eqV7Y24A<^Vn89beqa=BIUog*Wf%n0tyci(iUG^Msn
zZ^|h*F+4x`K4tze*D!Qw-`pr+R2aev-QT*BUb{uvU31I4^RL2VwoNMG?}Pv2;Xj*=
zzFa(y!sgF)2-At7P-xyRf9rU^8R|=HL-~Mje~-K?lun6=IQs}2K{VdGn;XI2zdKz8
zV1GJ_8O%GlDG{Em$i+r%V&DWvX2BP#@-9deF>Dw+QRVc}<%DY>1lv}eU#CF}Qlq09
zPvKdlk?9p<Jd7Ebul}U>j(PnawjZP6M_?2%D_SXLwN{sTIZh>}aIFy(%)u>MflMAL
z>U?FFS)!7k-#P7|px?6v+nD&|5Z1?<TKZtMrQtl18{DZbys~bcE)$l+rkdP)IjO^t
zgxps0STCE;rx5k7;A_|A)GD2DCeHClD)L(sB4;d%v)GB2+D0HgapDgJ&CYUE?!PV#
zISmuHt?57s`r2BkVYs)S`fE`>;;N(P%LR!>`BWag#i058ZHPY>T6r%2g7wsf(^@R!
zhF^{HiQLO?yp0JKxBvXynI>7(>H-qpPI22MKAdhK9#9Y*<1I5z?uF$EAIySN#ZCWB
zqjL{PeGTYRd6h~~cwiU|^HU5{dfX|`m^@ncXRH~)1afb64*h?5*I~pC$p;C)_qkX3
zD5lo*uD+N|pzcs|=6Bdriu^1WBs?H5)`(r#UprIvw}fslebU^Kjf9A_TNvYo`X{YC
z&;=jG_kppctnp_4VMl6U9CG&6T=u)<DnU+K@{Te!e|HbN>RYdIr~co;onT4A))&#6
z49$%ANKMbX<Tzp~To}e9soBMJKd|rFi$~My{$oCZR_&Da%Sp@4<7JX9ff-MfJ{P>%
zj<NFvmmX8KvDFml8%9DTwbzGt0^{)9HJobp_PCEDET<`3F9BV%7Y}wj0^hok!52Fy
z`A@3hIo}S#aZh5N%KHh{m9$BSkNYOSl3(2!>KJ}g>d7Ti+i#K}8`>XOIwI;GBNCx$
zyYHmu3EM{<YreyU)evEtd#G5=(OjW^-P0~eu9n7?7f@AR8hM59oE{*944PQ4vFm30
zh#=Ja5f$=Vhn<A>kpg2gLjB5BH@-in(0O8vj@tZ>p5UR6Cx%t`>oF-G5`g_MNE+zW
zLKd%d>+{>W65KSTIzRbjA9X`rMF-qw5b7y;n7`8$kD10dOEXAYb#tEqmZR1oqLl`N
z3MXYRo0c`HPKRFjATxpaLSLxsVrG$O{u@6V>3LKp=Kn5&GeB!Pun&FcclDX2fT(x=
zUw}b>BOu0zgN69HKDFKRV+ok};MWIGq=~z&Gj0T_?b!#E`Agpg!mCyPwY&b~nX0Q^
z;}B?uVq1Kw`G)E~=zl`JPaEdF$osrSOwH!|y#mUy0W&?1lW>7Yn%wvP$T`Q}&er(6
zdtndl<}rH$E)6ias%+0c@8XjU4EQ}DL$*P}>Kp<q?k3*MA_N!7A|63XK|+EggxohB
zP!Kq>K7h(jLcJl`|NbpyidO$e&!>kn^rWtp-rMTixznVZ7E)qos@9K??-=;_8+$dC
z#|r@{@wi8IsK;T_-($37timV8B%;ub9c$6b6$!e+rOIpBC)ctLiN2B|wl85-!^(4Z
zDJiA;dinLoH)UDHeP8-mWPplCsm#W8h^g}N(LT@kX{n2u=3>d)^@Muf0oCP%rZn$q
z|71^gEKSX)+S=tzE-*v(^B_L~4ogUTrz!+@%`Mj$;^?ns)@AP3O~J#VzYp;yn1@_1
z0Sf|Oy34+9lZ#wGy+4utkTSxN36M(Ks%7I2KgV@qf!uH1H_55%77<lOvEvHXWLc=_
z+n!B2wDS3Gb?INLD3Wl^3R=j@#=KS+O!+4}X{qg+<{cm-r#tIPKm$KZ+8Y`;cC-i@
z=Dzrwk?aJbVvFcVz0s4iAq;1ZI?3hj+KJW^R#1?D;l08Zy3QS!DKT03XY#|b@FzrS
zTtB*72>mAO2=b8Eq^ES)Pwts>RNny!MPDr})DnshfwT>mAMs<&8=zRRv>>m!aqPWV
zzC@!oXylC3)T?(`Sq4UNA`-N)I{dJwSAjA$;}n14X9$hgE?+%^xyr}V%Q-tQ*M%oP
zUq7RiaKHQaZYu-Xrf}#sy>PW-Z%knkHLV*X!czlIne)zr6arYgn`cI&__6it*WU>F
zzXIm=`Q1sxj#=}N>Bz0@jVnVN2Ta_r1fjq)YxW*q?b(L-OHkZeDaymNnJmEkT-P=!
zAO^5vcP!kcnxwK@<@|-{+%RAMslvb_xjZz+2g00YPu{cdCe@91gOxA{L4@_r<-q1`
z&4=1}awphZGbS)4d>y3XW+X1S{Ts_>iRY0R?zIA+wQuELB@F2#$k>rD6l>2Sj^%&|
zOXB;RH9~>sj@JD-WlvkfBg|Kg;PFZCBeo~!0WaKiqVGMOn#3-UyT3}FqLq$EBe)-_
ziox-x@4TbU_~i~1kxKeM!mPY__X=8@TeG*>aIPHauCO1Ga9FaB%cbIXls<~*T`@)8
zYp7~#Q^X(zA*Bm}7j~3RlO$Wlci!s3Au|&A#e%fhN2u(*n3K#8g!<dYFJcskExQ%1
z>daZI%7e_{BlA+;2ixn$RZ|-eeRQ~20V3a&Zv3b`_|6l*aarbI8;aw?w4C8YP@G)D
zN*Wy<G*@RKwe++6sql4e$tHsRmP~vXmObQYrqZ3p3~>H!&}h-QXQEIFbE?l9xk&_T
zp?M^6z;^xB%uVr@9i~9yB7|c%qcjhuaYo*y=(qb1It=+PO~{$x4iBYhQNXx#p=+qV
zjC`(EkM8(`-xKir^E%c2KqNf<O614zX?8t+4$M3NtT$#rH(3sr$6Ru5E7<f4Q5H}w
z4+z{ggCIOXTU+BU&w%2G-~Gp@0UdAzR54_%H&B?{esKng9RalOK!iF%n1p2h9iaE$
z$QL4B;Lh_o0oW;h@y}?2oItW4yzzT^>o)($u@VsD&~5)2)b2_>Sftg2zNxj-zS$yk
zr6qGx|3y`>wo;PCA0{~_#k{Ym28ZeNPlrBs^A1lm=GDO2E(UY>sLXYmAGrMhAHM5k
z5Zp|unVi`|%J`q871W!smF;ub_cP&#T+`@6kLX&CP!pqB<m$V`N_Tnw@#^?nUw*=>
zP&LPx%2^u7T2rETd4d(cA?lfq;j(jVJB57a9k|u+MAJ`={i|y%=eJauC0K4i^h*%c
zEt<$!5Xo7)?kbE!*^33rF`0l|1y$J`sxZTd6~VjCz3x?bgv6wLP}3Q94kI=if6K$H
zO#Cl|$J+GB2ZA=U*bUL!!%5WL5wyM+P@Z;iyE{(O$1VH-@3qn5<H$O5q*o$lGoz$C
z+w9@a8X~W|tn||YH6_dO(t2oo1Zz7!F29y7+Dyj6Xw*7B#;b{RF;K55sI^ZvxPgvK
zMul#eRx-r0*x}RFvaeI9liF)fi2n$KAq;Zh$C@JLsh#8XT!V@dcf=+*Q?$d6dX5`(
zB+$7(h2nBr<+gRqy4Ik1jUYaO2Paf($0|sdJzQ~4*@`vo%o8?{lT+@sd`)$L#Y%;g
zqjN^ve51iRDQkwJ?2^5$uj%9(4kfYth1}tRBgi(AIqQ_+_1NX;O{LVFnj0m0ik<`^
zf7>N#+C_6yqhc_Ac3#u?N9(4hz%YRUCh_={NC(i{d8^*K(-WC~_4^MJ{hWa-hC{gz
z1~rov`~M#dRnFZ2m@44u$&nD$Ee#Ue0$M3S`+nd+&F25WweYIfz0@KNpi}`)ywk<5
zu8K$M{(bu`5e4iI@uG|Koy;&Hv_E5FM2empz2SYj#yL2@zb}c*jg}Dp{&lfE$FFC8
zx#r6|X6xTKC$M3HD5jxG{Qi#mH$vMo3PG^VI}PG%-xnGIb?8E^@5~!46K&+Bj&^JT
zN4+#f9s`Qo4u5mENfrXX6)YT`fqD!n<KT$sOagks2%D=y`NAKSE~*p!uRdfM8h8d<
z?skgSAQ-jWaNW?#8wzoBM2BQl(W!GpKIld2vVKkq%7r_0J-7-U`%NgL{+Qd%3)!a$
z0aL=&eijV$`F{YsKtsRFCr-A<cgAFPcb{PBJW{T3(=kf6#-h~|^91yQQoqUKr-PZ^
zA^-W$le^~AVoaKvMt9|6=UbUh;MA85R8r-}VE7QN^Mj|&p-mdG04H|oavGhoIWL3m
zB_+B?o32H5F2d{%2`|gu^?_1`i(}%n+026It%2u1JUdTV9;wrn>g6WRdlMo38j8y@
z#MATUv3&(|U*mGc1WDhk3}!F@o%c)q^3E7EFI*zWd_*7}4d|>iL>k%KEmsvhB{?rY
z=B-zOHt!RTSbCeTDM7G0D!?(MIR9?sSCyJ&M1yhdPW6qokTT~)xDM%!Em%AX2tt?8
z2^VTIp%ksKw!0VAec)~Z49qoBJft0m*ejg`2`_cAG3Wkin$(kOK7S#dZ$@0C3i?+Y
z|NmFTV_dTTkB<LqVPz+6zqV58*~>La#|CR;zp0KqVZp1mtQXj>Ht8;=N*ngHgQ>4_
zY@1T8@Pip4qH}?uHGzbRkfPT<pz~)aRVBPBC$;BOh(!=M!MZ5qoC72JKryX|MR;jV
zBlr|6sdV>=U`ZIRECFj?TyAFl7PeI#A=4~deP=cFOh8|cHT&PsBsk0-s~Kgn0(u34
zZ0QYpyY6o+*1kV8T>_5I#Q)f<JA$xOc11d713%LNMeiN|7)?dgoN@T%)hNQ!bJ%|o
z;;JXPg{Foptc?!dpO{fgH|pJ%wTPeEs`;Rx0}%?OYO`qtg4$SU9~eYQU^UrwXpC9?
zWGTLPck?_Qm)Ek}$<j@64p8JUD{XolJ8-d(-XQKc5HYUhD|X;*f{8Wz_)deuiZG#d
zpBP!UxvY2SlEe;x727qQ4(|TbH_?!-!$;OfW{gsAAzHWINWYc$by&o>hkOBqU53Ex
z4t2Z1WUha4{PQhU4D64*+&ZFPTLMP!4KnIx+5Zv}@2<5Zr{-Ma!!{DTPkXxqAM-VA
zj(+cq?~XB&F?5`>N`_b4)4T&ASaMo+1|paM92P~#p3gW4*z<!AHkzvjGE6#=YO^x`
znWp5C3e<c7!g5woSsH*`eA}mAYI_+v8>P(GbVp&J%C8FiKX575WeVV3M%V?G9}qq(
zy=llogyI#)Kj8N_cB%MBpZ{MA0o1XpLH+@fK710J1o~EoO#?}oJ&6aqGq{^#)luhS
z)Q%OPqK7ARWykeL{LHWqVPj4Mc9R9g`%2N|yR73}@5SY$Z8Q}WUSSlMFKrUt4n4s4
zwLL!z(FmUVhD0WE@CuyA<$Yv2uBZMXwyrI#KkU!jkBa<e_r9l()yer4-yVy;Kw>0_
zRro%B0)k}k3v)UyN8@SL(Qd%=b1{|oT#VdQt8s$1-a~YWB>2O^)>(1P5soR-rZCNV
z+#{j+=B1&N&q2;@dt*I87;Y!750iOc#4n#pgnxYD*fMbzQ9h(Lza_*U`3#PA;SI(M
zT2<~$jvy%Ok)!073QL7<Q&aBBM(*^?I!CFVk3a`vPwTTehZ(SvA#}%C@+KEa&Km?;
z`SQXgiUdAvJ5EKN+0s0XkXHJ@-J&^=q_1k{&@W)$u4euWVI+H$?BN27`r8`r2o|-+
zzH#2(LAgE`jMSd+c2Yco2K*jA>}vVuqYaANs?qkXVZbCIpzzncqVb$P819M{-MXxt
zG9)tgKIk;JrLUMlF3zdV`eeWayMtUso0yz=aEFF8`n|q4?pG%|5&zR1vX60l@zBPn
z+l#6l=ey<uFH{h%|7md%z0<i>dppvYEc`LPT?Vsg#)lV<X0U{O{PjVE4CBc_{wmfs
zG55bBG^PMLN?#e#4~*#kAG-f{h5B#5-+u|C-~au+T!;TJb^eFe|G6Ii^#AVb@o3((
zC1`GdD~^B3-)mf||A&tMYXQjf-;qSNhW_nxk7#o#WO*a0$IAfDk#7XV6B<!(XneA2
z6|yJ4i>(qIm_bj=p)lGlyGU(u0f?Vdo)GA(3^l61)(g1$xui(2j_^YpKt!8?pfXrt
zwmufc8`JVC>dnwb?R^CvhFDD^1n%lIsu;$rbFPy4Q~QEa2W~#npWJSY-?p8kdvHu7
z!wXOHca<(6JOkU7-jPi2N>Wv*^J|`RSNpPpll44WXa476;<2HsUq*}(g%7)}eUD>d
zs|oURzny6`W<p(0{8#Ga($Zj}agH)i7bo+@JIunEv+xx+#*A5YUdhc)>>O66d2%-!
zlUIdhWe1*Ovh~W8#|-o0wrm{!N+^C=evU1*pB7L{t;lWH1qY{cy(bCT@<8nDv8`O`
z9m*J~3#z7a5^J5~w~a&^$43p^{(aDuJkD<Ay3SR+Iu}Ov9{CU~E~Cjk2z3u?oS}IC
zePkga)MdY$(q1^LI9QW<&yEafE>-rH>xl$S6%##%O2^nOQD0-vps<l82o1jNdBlc|
zp-z4hRE7~qq<z91B|5(i)Flu6Deuszo+uz9A@T)(-<<kWV}Si&%|5w1M|{k9qlNeo
zc(KphgG4m?*}7McWe8bBZaNz=Te#;ZH*LJxm$jMgp58pMU8|Ib`I#Y4m>3<N8PwB<
zNdAM@J=ZlyI24Jl|IzjT6`ucy{C@w5e*g3LavlD^RQ-=W|Gyso)c<zphQv2*37Q+=
zs_*~)UgJ{rKU)9qS|F!&AE)1L3fjW0kY2HX%@`*c?XdJ00L;9~1_#M$Or9Vog@Fs!
z0GBUiT)Nfet3;w)tRc|qQ#bl2VQ*~H$~iGS7m?4v-wn>QX2ryz=|_s9p}RB%nIVo_
z3!Zctpc01wkslY-N=+k(sNxjk$GOoOpNjHKo=Am{L1^M)dl?`;#5!KJ<lHl(fpCp!
zeeiOYYeSVIYkt*x>;{DWi-3A%*M)MkWB?H7vH!+2ed8m2>F?s!HK=mn89r+sYL*UW
z&-GHo>v?ldoV=V~RN*$0W~x9A)NGs}49kbt63D{#KvU`#?BFo|JV4$pYMT^N$|Iv!
zC{I26Shu!Uo+cvmt)P#jUZeUO6G)Q*uAF4ebZ|ias*6$UtosI&Hz{ju&yOh4k}*)1
z69z@jxc_1tfev6Py}z4UM&9c=?%t|>0DN}0`rNt79k<q%5@c}^)j2&k|4)FqbwoJK
zk&)&?!==5cl4(iR9Ps+d!_-lIwfe+;kQ`Ewcz_JYWG&%Y&r^IS!w6ft1-Ul7vxXB`
zOQId^&}`~@t3`jz9%58(CpD)&u}fI@f9#!iH=JD;#!Vu~AOs;I7>tM#(MOj=^xlKP
zL~qes^lr$AUZRXd%}7Lv-igt}Xi-8$jXG*fM0?lsKHnf~k>`*3eS!O|weP+5IoCdC
zUm)*Ase^Z_`@s?x@PIu-t~CLlJiSv39^Qr~Vn_S<&iR+$ZjV)`Y`y|%&JNpY_S4(j
z3Z0=j=zE^^rhL>4<v}@QxspIgykeQ9!zFtNTA<=aA$jL~|4;Ovf9#L)AMgKjAvo?1
zHQrpSE?;6<RzEs@5<}q=kc{ZisY|Nx%r(3oB0EzwJZLS9^9o}a5iLQo2kRky4&jzs
zXBng|M&qM~pOravLYex#m;^c)l3@&_97#5qjJs*k%%8p{tPb;AXk7)nYp5ZNf^_NO
zp;`p7Uy3A_HWc@EN=Z1UDqPG2vC7&wTg}%&y2{Sq>$H&!jNNmIZ{b({*HURC-}uv-
zj1CVa3z`*?Xr<Ci8mpwP(uEs6oHa+VCtl|-nEvJ>qW;-=ZD0d%|LZaYLH)jkusF=y
z=h=9kK8%T$Hq2<bbS=-GOS{;c-rDNZBQVg4ee0Q>XFWJ;CAJE*4<dcYDKs|lv@7|9
zU{c<gMTCT1&v8#T@<(dh8%~RUySo_^%X`}T8ki^-NtYi*Ax^an3?KaO(~2h|wnn^E
zpsQ?Wzv4AM2v|$^L7yX3X2{Y~2OZ*^cL00uTfYjG(LLJ`WlpZG7dYjmx>Y0`4pPCI
zt7d%@*Hc}O^_+A+<jJENY`6=Vt7df&s%cDzI=#_N`Qe0AR{Cu6^XO1Fr!Ry(<uX;F
z+2nQjP)y1<C{$xcRE_Hs$wmSjJdlC`aqVo-fgrprQiYHv+KLxlHa1#}DefrLJ-9M8
z@!7nt90_nE6z|p2-@lVgOx77%_?`M*yoX8rrA*49{raLFgtqkDUX$lJ_y7NR{x|;p
z&&8l50;aZ{4sQC!0xJiLaJB$PL#C|!fXy~9^+GM566~m1JnITmYbqFjMb>?qUq5pY
zQg;+>O#5Bs5ItfVohj^odH7XxR+wqy>@e$%!&dNy=k2^GO)4mRPu3l3;gaxCoW$=-
zH!>f#+UedPQbg@ET325ZNwoF-X>>%;HR{RP3!E&nO_wC|%k?Lc4wvv&MO!_M(;iKe
zo{2D&Q)wn|FPySw*<TTQ05U!6i=yH9uHf1_`M#<0wJ4G+$SAA4{z)jo$tDAT)Vs#=
z4K}juxM8^$Pea)Dk#dx=s10~6C7Egccc$hz+FAe_sKV}@wLRXq$$V3C|7O3jCQ-B1
zzMjR6yU(cgqiEy0G{;l8^Zm+L`M^aC+z;D?N*IX{^3m;5k2-r;u0*&fPD0sy>3mC$
z?!EAOLHDUkWB3W0k9_B>srZB4Rk2+C1*4le#Fmc*x5K8sWE@`#cLQ@Ub8M9iB_2MH
zedT7F9BI>@lFpS+E`0NViK>KxWWbVUvmm}=s9n6u?ql)#xQM&3HAz#)8cBe+l4uD0
z>w)5D>^9R!U$D>$(DsYMExGJX5EuVQLq-kxm0h2AWx~}G;?X+#zLJ(vg_4kgRgTLf
zpTnjq0egnpkpKaeL!lg}!pOPAB7ck8!1gDLRV;<96r+p%9Gu~CN$`_3St#yt+yP$y
z!|Q+NIREt@{}(~L|IdGyi-`Z9=zsYA{{``{{>QlTV(@RT1kYdKyz~E`Z{Yj?|6O*S
zS@pmx&Nm*@fG+_gXk(<d(=*!i!?#8Sng&BG%$2`Dnu(-5u)(EYU`aZ)-h@w8*MC|B
z<w7V0JR1ebcNP~*8tW7_p6vzXd5a&*B1HXwnN>0xvA1c5PJUa@rBr5R51{IiVwu;2
zfLcB{QjZ61-<V2%!(ik*Xt*AC>$~aZQkBZ*{=8%b?Ao0LA*UQQ)7EboUr`LV+NZAT
z%*!$f?Pn6MB@qWLjZ&rA(?87B>6eCrQZbO#5C%OCKyNq!F_G~p5NiE9>LegvI@L8X
z#A?qfUGVehEN~>aW)`>6EB88^10hI=)nDRC)EQEZck;^xxijz`M7Ui`s7aEA!eclr
zrS`H#jGU|o9~m)uM6SnhF!b9Mh&@6$kbptq;xXLD51gF~T+vH1>MxU7zN(<E(CH}0
zFqA3dYK8+>=PF9yH6$z|J3ZsFSKJ!MOuB8S4ppM&o()i*&AJkBh^e8*JkNU2@5Htv
zaSQXjgKIm{tYm(=@_EfO0L0mwYh9TW>5-@EQYeAd-!B`!PPt91z-X%m7KYdq)y(3=
ziMmqc+jC-JLG1VJdV>(FIa(0$W^4bppz0>fBGo-3geQkSMxtQEil2+qd^|wm)@c-K
zep#YdeKciUu7!f?5y2FoFgaV{Ba@U8FC1gZtT{Uog^)HOXtn5laL)a|KY#y&&;JWS
zB;i}g{vhMPgAKZ10n*aAMCH_gl00<>Vuf6<3YT~nSU@@5L51$GdTH6>Q`5|ZitE4R
z3)s?Uw{ycvVJ|8svstxJ-kVs!i>+4?KIvQ4?YW()hq4^oV8_ol^&sKOB0nEihEuCW
zjGUrw=|jmg2%o#VwH1~XeBHM`r086tR5W{GP;2bnfiSR?K?j<Gjjj@{UTSAraz9q*
zHoL?g4A!R42O>zLjKrF($USDgU`4K6J7Q3Cu@P(R&<BzG<FTQ*G}qlTw)ldCzMOu2
z5t^DY!pdD9<Z4>QRYgG?Ir?=`mooZhrq`A~*Mej~fT8*ulrW^c1$L!xSW%6yHD!J!
zjwbW1RlKvH&!|zR22Z=vbt3z_z`N`9z%O!9g2kmMbh9HLdlIc#)dKhCatZ|Ge#q~g
z`b$KQN0}v8I<=pTuy_-Y*d>D&+u*X+#+6S$3+Q@19bZ$bVrdu&U)qci8H-L>NpD&M
zsV11mj&Y;a-o$y=+@S@NT_YS#bSNGy)dLX$uS-Tp+5RkduA-|NdfZ`vKCadxI~``@
za^&RmefWFr$0riScM(G=oT%su6q%=ix?1zp>phx?DWWBrIclVNgC&2)D<rbof3Na1
zn&u$!%J}>1)BZXNsQ^W$XSY7JJ<Z#=0lcx3Gnx4Ez8z0^$?vH;sI9TJ;5py_`*Z(4
zeE;u4kV7Fgcs^#*Fl8Q~%{|`A5Xju=H7yC?Fy;<dKH}5LC}iX`=}?<3+M8S-8&0K^
zGkT&LT3Z(rwOnr+SW>hT8|wSL>)H{LD-ky=Q41bG9F~*CC?7b3{rn8GO(rqE!kyV}
zu0P^11-4naMeHADK1_kN)-@d3hD<|reN(7Y&Q=m7{e+nv#>G-GST3MIVY~O14qxra
zQR+>AC8({Xmott2Ep~ZAUcl*=X+0f5<87&|yqI*=QoC`RaEDA5yNT|Z(&KBw=n0u6
zg<iN}^%|iF;I}csgV40HwZ>{{OH6j5Y-8S*O?EamKzSxpf!gC#*5~ee|HGh-8poG*
zr%B2;8T3=+&>71K=9FFjKVK`cGa9~3B6d^6I@OcqKB+Z?Xi}U;?C-yYvH=hV?^dIT
zaL!<|d4&hV$6JM`o{+br$G4N7mNvU^Q0y83!O>bgSpM(U3*8OEF(^po@pjQ|ySOWf
z{bQ=46Fa2UocGB>OnQ~wk>f#ia*n%I25Z-!bOO7x{W~pj=wc@aOyHtta#f*Bpkkaw
zmhMJ86gGVn2QU`<;?JGXlQIOc;p1vGIDTv|v@ZK<#q*JAKS^&ZQ7D@bG8Nkmn!bOJ
zcj1!~+~vt-$IntVi@)HX*E!-AQuCsJ)nA6!eCSGHJf&-c4?Wh|779DdVzss<!|Q)|
z{qG$6zheK)f5H2I{CByC`2UgqhoAp@G5o9l5o2Wg|Mp7o`~~p!A7B5^QUCqN|49&E
z|NpyOMEw7#{^RHWTnzu#|Cu14g}=QLJb!_6_W$^Q3jdM*kI(-LA>(8o#JGOerw0PJ
z_!eaObPux96NZTjoTTN<n-mP(^UeRDb1i$|WVbX}aja_6V1W`MA1(nJkRSIFuX;ie
z?QA?^F)Y9|vbx`oT1#w{k-g(5r+eAa_2=bQ9PawgrJdJ&dl)Ph-J^%GF}8OB!X=vl
zpj~DpGdC$h0bRmn#kCupY3S2xB+>~^2>b#HwL;sDR93Fun_@Hg=IYDoXC#G@v|)VP
zFn6`*fuA)`$9=3Wm{Ec(|2GVSiVY+)*kqDOzT%o0omBOGrk+<Rx&yGkT_wlGm_2a3
zK(~XU4e({Bfs|Rm{I>L>dC(1+@`M|D_jla2{ljMsma-XPl>9{ug_z#@e5;#fX5vg6
zZDFxdWl{y%<lDIYwi#vDxiXJt<mP)}W9_)w_jV!hUn^VUJV!;!HJ5_ok6zp+P!=&$
zO1%SHm_gtI`yzFw_4wz4d)!uzB*~(C=XDf>!r5`Yk0nRTW*hS&9Y0d+lA7@K^nP7j
zlg5qS)uL!3{Gds=b}FD<Fy*j8E>UU@k`CtZ7vUKd^YY+I;O|>E-X%bE{g@8~T=A_w
z%=Zno8;^Vq2|DC4s#9YecdtxAsgMX3n_NkSaDRE;vgwvUkX<Zl0|IQDBP+^WpDV*)
z!k0d4?oQrKvgC_wJ<(J+3x$N`=*fxAH44yF<Sf>l^ZEbJ^B;fz=R%<E>Xo6dR-8o`
z?Wma8Oia?MG7K!AO;`*8bbbRl)rCzOz36%YaU3mD4%zX0lqqC_<RR6&LHb43DO7Wn
zOcU&Z0hLk;Dx;q;2aNXaXsQ;5%z~57;+{6tIySJ3u;YlFU9A3U@%1M7#@j^X)JJ#!
z+*{wEywh{>u*HRTEBlYZJaY;2_H!c~B&>X0UfK29zsw|-R8WuE8|U{E5r;IjmI^DB
zoxRVrt0P5pv9YAQi^Mdo?X`~L4X`6r7}LgOFF-e(1Y?yKGI~H1T)uuVMhb0!HkXp|
zW~stDn&x00@sr1{--5gLiO(X$x8!<?<6O!)Czq_lmF^GFd!}c)$rbaFm96yfM`%Vr
zFY3Nc+g~BW&!$Tnb;tT=TAx((c)EJNKryz2`uI`hM6$LZv&7b6gKow8PpC%z>F)bG
zVOVY6U}rk9pnwcxO{c>o?yq6(3b%a6l80p4m#GF^2>~1!)rHY?(!jHq+p7WyX5XOQ
z*^EbxNpD_3JJhy74kk2{xQP{32_>gx2f>yw%ijES7capHo<Lwjtv#;rps8YvFZ+W?
z06K9#%ODssqtV^-2s3Xom+=<5`sQd1fLuSAHQ!UaI-seL+@dnrGJg5ptM=xM?cF!8
zl0B&X7N~lEd^#p|Oz+bKU==XU8nM6Zo^DuYd_9@23|2hn{r{i)f8po<T?pbl`#KgK
z^2ks+V_fSDDdQZ3kfDL<NMG}I3x*rGTqwSs26@-gBhFI`vFK*YIi8<1EcdS;Cn@Do
z1Ylg`EBQRT!%nW==+c#@P;;jpcDxpMlrTkCP&TELZYuYpb>;bK<V4GN-n$Ys`{X<j
z4VF$)pHXgwsxnBO7c@B6<z#R<YvXPOIODNv^|2Ao`RdWxVG3U_<*HxjJq_Zl1v-rL
z$NWBx0Ll++s}tL~eM&l^b!sy%%iwP`$AN3}E-wuBgW58c`Fw_i``KUb0rd$&g|CDs
zENw=u(&8q3s-7nmn62|8T-yYo&Qi&l_evO1xpe&pmM1>@Ea|)vs?2Ko+m&fvx>GM_
zHdpS4249}8<4t`mcy$&gePWoK-p<AKBkizgBFIysK~Uhp!px!1?N^NOTgbTjO#~IP
zQnVB+d#1rz&XT_o(=(GhyY@f!&blkgt_$OIy?`h!-Q5x@Avqv|4oIi8fRvzw<j^1?
zA^E^CgfPS)B}fWL*GPxNAV|s}p!B;~egoDb{<wc%;67{ZbI!HzYoD`^a}5gTXwOyW
zj*kW}&D0JPCgG6BF#apHZ8b_wqE{`s?K~4mLH881TwVkLO`??SdsR<5Gs57<CC+IU
zQNNEFp@o}|)<xb3u9xu2gqzqWElBI^g!AF^h*1-$$Cue}P5M#w(Uf{AE`!}fe^9Nm
zi{J2Be3xrJPHZw61<P7=s6LpRC*z2N+%~r?notOmG|a5?FR9q0D#tx#<yUd~9<Yhd
zrPaf$yx}%5{kWUxks{##0sh|w?*GDP{of=2|L@vz8Sy`l|0fKb|G6Cg`F~UX&t<N9
zBmh?cp#OmWUts^2v;AKT(EsbpWyJqn`VaX3m%~5(M+x7Fyy}qvTmcvC|BIb{<6Qn9
z(EsC7=w;iRWr<$g+)q~!_OHPOzY8p!?@ME8`V(XJk!Ab29!siSMLw*!F~aakAh<5{
z$@E%0M;vbr48k969Szsk*u*L;IZ8L?$Re*}`c>4r)tI<A{cHvvR*O3carwOyV@=*C
z?Y6TxW0}qUdL(K9Tz+Cw%@k9z%qh*lgPGB*G7#}IA~Tyc)#RSzf2~bJN>s;EHzbD^
zA$8P-DEi))%>_M7AF5!<NyQMHGICFgI;>FMgE~^qXIO~OQ1fS@IR%vkh0b3}92I?j
zKWj%ea}|9FtN7IWR_`accx-{?6;2U(IcXG@rFKV@!o3H<0kOw&nxs8_MUnVi%a$a#
ztUt>+m)OJ&2aQYVzdYHk$4H*=f8_G^ls0}zE+pmG4aA2+{eW?|q$q@#e3$=^w8tDt
zS_{7wVqH5BatCyDCh*9H+pUECbt!x1ztI%R(Vgt13~=7jp2vsQ{yZWflV4jxNbZK4
zO)z;t=*Wh4inB$(N49Mfjjx4_i@>eE-7iMNG+w@UxUny|gFXH+@YWlTTSjd@lV1?l
zzN5ITI<S*>8ndD%*jwwk1XE*bc{~^d=Aq_&ZA*>0Ac5o>bJZoQ6Mo6}u!l1kU!OfO
znwa@g!k-lHI-Yy@spN!68Ls73{D+)$&>NR2@$;-u2Bb*>J~&fV${`*(qqCo&s~N?u
zbkXO3&*s>9)<1Cm=W-}t+iD`K2{sR>Z014OS6ei7*%V2`>^BTt!Yx46*5#(E4Wq}b
z(aa95Pe<5&+3gLY+?5hz+WT!lSX&Is8j3+TPF1LUw`tc^+xc<INn5GLd)!cn)8Mr%
zOq{paSvon4`?e1glzseIESG#&gqAdHJ}lnG%%Wp%D9<*IrUiKsL#q$i*7!4XJ~BF^
zjr7DVZ?pa+{ScW2&4O~THcTQ2iHIeabam-<!3#&>I5`A?Hr9H@qpkN_?N(kJRqm(s
zqG?iJvk%>#g}1b}{V9Nhk}Y;<!>R34cV*}P^ybQ+q**NraaSy0iP&|+Dd`EKafDQn
zuJwd{)fu(8EV<eC`x5Jc#Pyh?G}eo`@5}<+`TlfL^2x+D+X$prYYi3cZdLgOi&Q2#
ztqxg9qRm6C^$QQQM1~5)+P!1HBA+s7R?lzRHGjdLF0&)ZSr24RFj&EcB5(ajSXl@H
zS%1u=fq$Vfz=irf&EJqoD=jgvPDtp+;@R^PYU8!H@?`FBq>S!cxUW^$+D)BjM1UoB
z^XB-03doR-Nzr3C=+p0;YIUV*1@P9~=Nlj+LR&^#&4nsIrHK;aVzea#TcICbbuGrO
zjBG^3sW`|I9*l2;48M=il*UJ*!zG&@In9-WDe6t!9D`@e)m{v;PGI22Gr0w-vU#b{
z#<A9hl~r7{|93XW&ZYmr{ohN0e(rGEE~`g^F>`edf8FlId%XssT0y8&{d_lKayX>I
zPDRve<YQNJ!xJdYk+kf$Qm@@78%IA~X?<31`HffLy5I`#klovr<roek`e2EtFEA^D
zQG-|@2g&Akq)B61&Nzp~RDUb#`2Jyz;ICX9X4sNnf8J2@Oo%&KdorjAYX&dkE&bj6
zK~h8bO3_ZXPHrECs#Rus;*^3Np{~C-O2;Q`aQ6O0ByAI4tGj3-l>T?*DTXaEdB)}=
zB|>buPk-|><^?2AkKs6K^l{X*<8;I-+dK_Ym=^zi*6;a&g^laguKB`Ql9)+a(#?yZ
zze96kJpaLAJ;AJEI4Al22c%k64l-{sLBeR9o1nvpf+zL;R6#d))SQjp=peyQ7jAkr
zL^SehK(l0ry<*3AL6u?YyhbJ|QqBaV6svc)=)DTEf&{VhAP;ne-(-&<qU3o!6<QZ5
zK4ijt`WFg>)ukAucI<?g53wcNJZ9MxtEMamrIfz#o8O!UuW+pi)E{73c^wP+aEYTr
zQs3+Mxu8)!rRuCV$ZDP*`5_@eCL&cf^0#vir8XNS!hO9aVfbN8i!MrU-Dy^RKD$Vg
zpxzlUIo(7FYTOY8Lnf9-YaZKa<HcZ&ZbupTd|~+XN{Slpx|@AxuMBsHm{Ov9@V~Uf
z=IHlr5`XuK-$3#$xb+w>c>SOM{a+yezZ6IbkV_x~KK07YcHG@kr<^dBS!10=#9bJO
zv@;8)-xNd;)My0Owu=xPvW^o*;upoKA;|J=Zox({*k(z>R}A0}J=OIwsPN4*r_^%m
zl8U<pY~$o>6TO(dz`vf85cETHI>gD}qY^e73(DHR1tpUGF9{K_IH@-PPReomcAO5?
zd^9)qyu)k<LJ_qQ#W_4Y66tPJkW8;2P-H3UaAV%?^O&RcR7e4S?<+edV^=Tb#okl~
zHq8TN49_&RN|{G^hb(9?#d4ebM?5Qx*V(4}2TV{BUB5wQ;hcx5%sjVX7z`GFS=h}J
zXrb=1)7<W@DKtSu1m*hOnHnKp^@oiK0g;jizf5sn*ASd|ejOTO=8UYx^k2GV{c*yX
zV_`10scn>k*Sb8xp-KU)e4Dmy6hy(6@jnpFy2VTHz7zkJ&v6|#t7f<1Sq7nZQK$RV
z6j)g5x`rQG%)2m>slg6o${VbId0H0Y7Ijl(U8XEh!Hyyb_GQKp{x`q#I$rR@7!Pj5
z<<m2IM&OW9Q8&trOmJA-3ml%~gy*N_w=b%zTC^rHN#j#u<LA|zlVj*~4n~otAWT&9
z`<Jtom(#~yaH4xBJH&6LyGmg(_mo*dr{8U(b#mXMw4hIt8|fb6J`*r&A&q@1KWxS5
zZ|t!1(5zB3n@YwiFd=3l)-MkY`2T?ae}Vm9rOZUcrGWl_*O$wP|9Sj>p#R4u@z4Jk
zlhe7V-5=mO1L!}X{}*}x<81#2>i^f5%ZUHE>i@v~pUdH&{_7LOU&?L^aLoYpAJG2`
z^ncIZe-s7Y|Gd6jM*PpE|3Lq*%i*8?o5sosUiC--u7C^f|9k%WAF%!}g&kVcz8yhR
zd>WZa+IYOh_AlNAQ<FA_IaN*Fvq=WQYr@tPE`_hbO5Pe$<IuV~?fKW!h()7reN*iQ
zE2DkYjsY+4dd$Iy90}s2mmBtPojUMPiKG>|n)Hoje<l)}@@{bn7LUO|o^xV8uRAw%
zgb4A{NaO-&9G=kj4nR%X|Et$IaLNPgd((m3lH`ticLb<WH(U?EYSVVTszoN7$2838
zavT;QyULOl5~V0Np>~*OC!36U1If1s3dE<Xom-VM&ln@3l(!U9ipr5+*{%AF%sUwF
zJ9#|!MJ{l}S9uY1Wf-?MN#s3m7xr*OO0;=doTjE!3@jUc8lT_(6lVPRySH|^?Z};O
zSr&7Wepp!&w+o+=c%ey#QI`vjBg+FG5dnU|&j|ekP6M*vBsQ`XkTMQ@S%bld5~-!{
zsA34wft>SO5B%C6WmY>4X!~y_;=<N;LwKR`@uY`+<b|9+c0@7{+@kD*?k7huu+;iw
zii+Xk4P&>6GqH~1vwExb%6;k4PpoA<R`04GbZJGWg1=I2tww7Yw`OR&h`mf9u8|fw
zUNPB4ws`e&bM;&3LE=e-4Oeli{axtdmP`i`pgXM^b;x&<Fk0?ksu91)zn_$nf_8XE
zc;4%9a|!=dCv^{~)n`jvNP?~3He?Ycqmy$vYDW1En=7W~<XQsxKal@l;QoJ>|A_$k
z|MlfE;t%+L*O-6#KOGXaa@8XNxB>wE2lW2}-+wy0|0xXA|E@2W5&v`OznCO&{`YeD
zr~lt-VEb1+5`ZfJ(0@SxFS7sRS^Y;6(En@8WyBx&|G&ok)BlkOU)rl43BVO_!RP-Z
z&c1Q3`kyec{x5?8&0h97OmYz_s?Jx{3DoI#9zlF8f_J*XtO>?BgNrt}(j^E*d8hrl
zzoB6CkIW|v1ABa31-w|w>M>8r9uGsB;UVZW5d{pBmW?6tLQ=M5Ww8BpY5kltswx@{
z#eU@dTylx5G%fk-U7=rj0gF^yJgeh(^9W)Mo~3u(&3+)uB6DDKFxxF1uy;6@i$SZR
zRGN_gG^(x(!d|X8*(2<=?m4ZiMM2-|mwl`z2F{kT!C#^JUPB?fQE)d#Rq|dZtVfFT
zr@YO(Us)%<F^#x^CHK%CP^XT9&FD%K#lm_$Z3}LkNve}ls%0UrSXo$sJX<cK)T;(d
zP(Mq3T*r)zZ9+3x=yhx=^L(W*%C*_y2*gO4ASUY4A{yTyd;2}Fu^z|LwmEaXA#-*o
z+p1;)<NCwLYH6?ttPOrjT{=_|&Ss(GceRGFcA+Cs>28YcI}sQ($(i%sH(KLhn?oDZ
z5(?qAzns3Kco+{1pgqQ@IK7{_HbUI5jb7}>ZWqADr%Qgam~h~XV+SHT*4jrtcoOy%
zdbcr-tr=t7bd$hL3_Plw;}ks{|5-|Z?@u~>L2FT8Esc-v<?-(VWIh{IKzzM(vPps#
z@;8cp&6b=(>~-MEd`D)sDdjz%rH9J}Z%n@@h=Z2|e)X&ER%J{J--+4L>T)&f_Jd%C
z42;6Z_b>SV&-wd*1Nwg{*h+FCS1~5yD#sGH9!{6UZaJ^|(^WjPjnDot-D_>32bp=9
zZ_sU-<a$>zV8cko=y!+@nE(qfA0%0;>BWOJZhGCXvV{7zx!T)p5t_jRzI&>J4f)-h
z+rH4koAQsFusBw9N={IPSxRtW$NBBx&xY@ijtBA?kna9vaub!3vadQ~x;lIsgyy+r
zcgF4DYH9cob@a5$t0XxQd-_e}to9iF^QXs$yreAprlOeJ``ewP*cFJGl9P#Gxa<k$
z=FicP!q&%HKS0vU-SDJ8R8LPZ5u_=qwxxe7_ma14R%HXL=f+crJ`$TiQ0$db3%=y+
znEjKJ_oKL4Eu)*erpA=MQDETBco@c!^-|X#3)AnExGNkeSTHQ&hE|(#Ewej@JFh;c
zPU1y#E*Ot46Fbj3l#7<2Ls&;MA!SO&<O~T-(C{Y)HTU)iUgDlMy$EF!aWSwbK3R8s
ztjyg_#i+aQg{%+2#l-Nl(=?SDa7b*aN_;B&O^YiG4Hk5F?5VTtWO_L9k<*lcyr~Cg
zO5b1Ab0;x&!v7=ESf|OfYJ+_6Z&F~3<)Z?DjHWWBh=ypFL*7&k_<wqiA7?xoJQwm6
zGkF#w7p5!A;#RGH#3(nLalSajs-bAo&~OOvVG$ycZei0I>Jb@LqqH#3qSxay&^@Gk
zUJ5Cv^~ha|APT+U`k(0896Q(g2m1eC3N$HET0~vgW})-AQzt~v`~p*#t0=XPJbq-F
zJND(c9r;vp2uOqq7bF>dsuFVSn7#90=7au>WN4+fT#U{npCu8ilkI&L+j0d<Hr_sz
zi^JG~Rz^F$`Z#fqPT6L-E9WVndVtuE1owSOHqZ2l&oi{QakRi3y~-mpIc!m?qL`Tt
z6#UgH^bR;DMgjk4@2tC`YP&EF(%sT6A<{5(OEbbyBJD7g0}Lr8E%_iwNryBdFd#96
zgfN8gAdQrCgAdZFysyh|z*>NR%<mKIwf5QPy6%1Uy$^SRnZZtO7KfU}dG%_!)VI(g
zu>#I8-pdlle;5;%hE*e`bY;sdxcNm_+y9Hc2dAb+3_%R{TAT)k2Dm7Px^<}EWDBHH
z+@-~|B|}nZ^M0?A6ti6ykIxI?Lpr}E*c3g%EfuYQCj7DHaJ(c36A4CJZ<8Ep8)jZ_
zE(}tsp!2IP@y3rUAdfwQQ#rTnCk>|D<+kp~Wk$zF9FY#CDgy4lTrAWLNUyb7@1Wj$
za{Ojus*NppRt*7TaMr|2`&6(>WV`v~=}f2B_QIE!hGWFGh1kdq*Fne6$hiX{0T7oL
z6>XczWm^cXpCfCBorPaoU20uC6vIas|B^%qG!Nyh%=Y@U<SDDUL>e8DqJ<>*WL>w_
zz{yAKAX#CMS%Oz>$XLw8PM6s^Pi)pP)ZPx@h%QJhAVfD;i^FWh8}XZj0mGviV*0|c
zc-|k&E#*+8S>5|rY)ielB<{kDWK&U5;_*c~&6<`}?<NZ|a_W`r5Jn@a|A*@TU8Da4
z{J#GsgzEqOwcJGhuhjoT?f<$N{`CJox|>nlb|ffn0hIou^#2;qf4}EHgi!N8e=j$Y
z|10Rfh&bx}e>42ie>|~*iQA3@#Vv5n^M6<0|BtHw8zIA4M5}Z24bk1qOazHyI<XrR
zgt;-OfI){Y#R+I(Q+e6j<@E|vG}sflYYhHov*2YVvRY|t(>wAWp{CB!B^bAx#bJ7S
z#|pf%?gQ|VBRBOQNRXDeCleE9eX)|wry#&gxW$S{0X?5y89TL9>ngVk&5360OvpLH
zBnm7822uj4sKJD*1HPq@Rw-*b*ZUUzTpl&Qbl!HaY!wRfPxGlHwraG!Yuu^ps|k|J
z`FNfgX}Uwp%&3gqiB;-b_$R)ldx&Rb?4)I<XNHp|OXKZ|?W~g9eC4CvgH3SI&QdTS
zGkhbwovZZtBuIUQe)pqT7f(!5lejDXfI)7#%2I(O?+?cg`1~#(<yeetv?085+@~;w
z2&^7ONh}K)vmv21irSTYWI@UQ+)>__UyodWdnMwb?;R$BHmf_BAsap3Qe?eeTr{D<
zZD-P%VxP^kIJ;rR_?rnQy$QVYI@-k{YqYgmg$DMlrDs+pch^(zuu|BdzlJ+gw1!{~
ztBE}0Nd{FxTb@eX!w7|E8~q}1Sse1_h>3>?F0OiR>veD|!imsEh!{=65!?(N@SReM
z!2}&se%H9CBTCJZE1w$_N`$l*Xi2(-^LnkMS4Y-Nu^qAy+OJi<8J#U-tnyX*=TFvx
z%?KQ-vYkDs${@V*`};^Wqe4i)&Z6xhHW20iQU3oL=f42I|Nn&Q|NXt(ME<YT|3m5j
z&G5(nzewlGz3oU)+yW^5N9q4{{{P|k`(Fg5|9>qvk^igcKWhK?4e>|+_5FTI-F74>
zZh>q5{(trUA8P;CjSx_s=dC&H-i%hi9(^KIH?lqtfm`q=h8ufy!(m7pDCPO0d7HgF
zudxO){`C|ca`;21^n?N#VTm4oe=-hWSr=AAe*oN9Zd4gkiX7K}>tv-rZW{W?rMyR{
zi;<2MZ#h4v7i@s8&%8Dnyc+n1&tov@@Z~diQBl*ki7AM^Ud0(4F5IX%1p5W^kMK?9
z(v4$a7bG&D)y1>N@%2)1i7Tf{SL>6e2%vP?NMO?pM%p94M>gN<#B>?x66}q2pED9u
zj4&#Lp~atO6TR|vAMxP-Cs4ykd(NR0IuV#A$fMc<yJTR+c~yXefmcV|Em-A=CS_!5
zq+hxvW`7FO9oM3z{c7t3qgWz?d#8`5o%bNOLHU6umVA+kLHhHJJoz@iZ2!@5T20tB
zvCHQuWU~L+LZu<x2k?E;70jbwZ63Mgjfd+iIHeoFvj>=6d{T|(u=`-WIO#n<MzLqH
z-tna=^bRF5epGLeT6_Raf?I@=cS4EHe|;m#2hVlf?BhQ~Sw6W2SOL3SU55?n(?DTm
zXAA1%PX)3di~}3U8(8`UL0!?0`ck^J#$BLg^}-e*Fs9aEI<#onik*qQL~|3m)c<hK
zBeBG~k1Sujr%q(`*f-bTCw~3?gQQGW#nO??7gmxDeWUhYLO6xn)dRp`198PARMo)P
zJrLctXC%u1qx}DM?tlD!{}bi^|6Xn)|ET`oU(6r>|La%Z<J*n|#Vvr+f0X`T<M~h6
zQV1X}fztoKmYc}`mGmEV|MzD2qyO@CVpz8w35r|bn)iQP{r)ei|93NBj<_ckALgjk
zKpahk=Hp2Oi5;qG=5@cuG}y@1l1`e;e%h+E|B{y>T)X@Op$9%XF_#q_1+JZM9lbZ)
zd}M&$IWD3?K6&4%H~q<@0@!fDK`gqqzRczZ^nTfe#M~u7&!SSFpfrO{!d5dKR%qcx
z4LSJgSJi|GT&Zg+WS~zUs<O`a)wgI6-cP~uO~2Sy;+Q*ZHI$1p<<yQ?+SyFiJ_grJ
z_{*B*lAab3L_+P@u=gngY?c@~Slp3r@CXGplZ2s-MfBE2j_(e{&yvZwc37>Tu!F!e
z(|4374}~BTBQmoz^s5^leNiuqE;$7a8+N8X$>Di2L#=GEI%B`%eY4Vk2&;7NEZyGm
z*>(_cuXfG=gUhu~CZ6xnjmmhGlYE%$YKN=F2$Fd61Tzp`Dt~@h_@a7jZ%<LM8SP{?
zxV~5IzUwdHF~a*y`%S}9Tkz$0*pVfDHCTZATW^)*$@D*OzZt3~lMmpY)IPWeXUB;o
zM-Hm1X6Gp`1r7?m*i4dSn^wljkl+s=ifBvBC>M~i`4<nnx}UZH{rRO*13-f?qp_2b
z$aS|8GtyX*YwY{o&t4r=>`GPTvL%}zRE*tnR0rM_(n4S?JtL1F`P*+8*@SU^*&vQ1
zt`5q@_#AKD+=sJOlN!8=IUN-{hwBUgu5b#L9{ZFnb$pOfMfrb}|G&=tPyhFSlENte
z|JQO8`M-+)M}7alA^!OPdEIl%+l~aqEpW~K|Eur+6G7GgO>i&jn=*~4-;eu*Js=hZ
zaZB=~^j5D>mb~Vq8Dtn3!(@Xw^Qn6Go?PBK``}ZSAi5}q%2R7hD#i~$`Xr{ZcA{4g
z?5C^$wP=*3`u=i?L_+5UwvS{o`kfbt)>TBRw2%*JDS9uzoU(|}O#0^4-?3uMap+TI
zc@T_ySlo1>H}y~jNKX_9g=9F0W9FGlq^<Hf5z^@gOJQj0lu2-ka_qvCg#rV2Nt@@4
zr|S__mEJTW6g2kR1TyMHzCv(|Ku6KJVziAGHi_xeYAU&qapAG$xfrbYCN}+AU-Mc7
zuX9H7I+e*xzlW9rL*J3Rowoz`H+e;8Rhx$-Z=FrCWRk|1&ItAa0p!GjlkZ+{4G-Hp
z^;;+6t?O=6P=z*Sij?8lMjT_eOAs)DeQd-c7kFN{#A`1oFvP<M__IDj$)o9WHsbn)
zT#A;US=o)E^B5Ue<%qRt#`ku^oKku*BM2+Hw1X!6qE#*rJUwHE^`Q0_eygI88McYf
z<E0D#y0apRu}+u6jn~@~viP4cJ$2V%GKhJT+tqez0<FYK#M`%j3GyPRG1wpZXeV1_
z5N+2aS~5et7^cIwBcsabhWvJneZ;ag?PFS95a@6u^UJIINIt9w;61q|L$Kg~U(XL%
ze_o6E>f(6@1#pkH!Gkk%aPm>GIR$^c2qS%YkB-vY>z@Dr{fwdN|L+B$1gY2>^(B4j
z-qWL!qz`26uW5+#bxZaQE(91!A5M3cI1V#L1_n1>4!$0vvVHRj6Pst5lHura4)26v
zGdX;O1Ic{Y=;Fy|UZAdH&-4KutqAk6rnI%r-M;lvKJF#&>31|qUp$^~ihG)CfT#=o
z-z9XY2C4W(o3XlBds%#FD`_l6G;6bc0t~(TK%ljdH3f1WO_#lQuOi3TYRY&#qf>X3
z@+Yo&R?Fpq@i;q9an}S`Pw$TW=U|Ok%+4IEkbpeqF+y*ip9Il~ThgvPOsxzxJxmGe
zWOpGHpV2k(gD!kW6-35i<0-0V8^FP0cJ!&2O^dM|vEr*{;voY6y`rx1E`X&gNH4Rf
z3=R=`j=mDWb+Rr7E#<wDd!tpJW`vA>z7^&2q;iWJT;-R_7U*wBzPhC4&-T1N!lArh
z57a*BZaCsM%v~GDGaQ0X^XZ8f?h@hDu|eRH;W2d3{J`OK-qk&7_I>-$`ufFQFv$9V
zHPV#n-4eN<(OFP?Uta}wCtR9sO^sAw^!=O5<p8I%#7dm^jQP}}H0IQJ@|6T@;L6yD
zSX~W8L9Iv`?~l=apGk4|f3D3ZTeC>6)D07R#@7(h#|MmuYz0){NYZl!v-v@_3um;R
z4UxI37gDGlRn7G`eY5*sm7eH==4AK-xBg+&5IFZ6v#c2z<>PCvf6?F1*p=!Z)&IW{
zDDYNfydRY|Ef6wRnA)#y_N=usNKpmy@g(MY7ih&vaAeA+uhMy$({JK9&S}y&K7I;9
z^17ny(sB`Ec#Dm_7b6dIF*KYo@y3{WIOF#EiwoCY0`_aRHUSO-SP!Ar%*usqOgt-a
z!|Rn8P~t&hCNp3er@kBfFH>CaV+`Wl(`vI({cV+WaGsr(n}waxmwhBvr?t^DVaTcS
z*I6MTFYhd$C$-O@tyj2vqZH}TF?q5ezv|kqhNQk6KJ9w!eT-R=!I<$03(ql4me3-b
zno99F@OhRXL~wx7^5m^oz!<4~DTykQljP~L(~pk9kKI$9>IDxsM%)okv|!;b8$B~m
zS?uP{5DS%F0Wp^nIa%_3S<6aIC#8GBm}HbAo7oeUT>#P@fsJ||HNuAcyHw<h12bhE
zhbeEhQVx$>S@BInIoJ@(#`%`5S<fat5qyW|6>-EsVg%gC|0|a*FGbgBb_OiE2!k)n
zfuuallJ`r4UFe;0{L`aJ(U0YK<SiCx`YcDwH=Wy*iP9=&`zS;x(mouCS*WQ)b?Pxk
zDlqckvP~9c5eh$yLK6m-iI1bPypKu}`x;9~o<z#_NVc@vTaZ2Yk;tFls2EWnGGVt#
zELqnaW6^9ly{xXr-kmqL|CQJ0pph0*<HGN9>B79GIT@>ICnT6*8T!^!N9>yGU-I`e
zcBT49&Hvm8>G#B&gAH=op)Y;}0X<)V!Ycj7i?&+mlA5?r@=x5z)6D%X<+!!YgHy9s
zQ@w0hoM_h^zS!ZW*bh6@Lf^6GK6pJRQVbtv{!ka3?{dbvDm_E&A9E4br4iGy(9X-I
zG3E%mAnLK<1`1KpX<<}ICBe6yeO9uUI2xCq%ClFbB!BYNISjtg5b6&dGn;q@oH}pJ
z)=ie~+ApVDah}aB;R3OYA39O@i(SqR*`?I?kF9vDow21RR`q>;-9234NJK-+xA=>3
zO~QxgV367b2QCwhWBXPzsm+Z~lakIosM6Kr%&csSr`V0)yW3u}6D+k&g%D|=+%waw
z<p1410$LOngqD**{~uwlnxtu&0gS?nT~2mywoc)rzccT8#xs(n_@lTIwAm9X9yAVU
zn=^n9ZKrHo^u1m}vJ7w<Ave%@{@uX0{Dd->5i|p!+<;i9-*<N(Zqk~ad!WqkhZnx3
z^B_a}KIS2<()NBNtrmUg343%mP_|X)E`XW=6q^+O;zx&r*kN|=*^!0#uyt{bp#&yH
zmt`5&Oo@!srCea*VernI6ooZdadCWgyb<V2?A#*r_FYIAJ?F)y%>4XWsE%WM#<+H<
zi|;6gltct_!(cMQc_bOFt7T44$@YKjods8v@6*TWkVcSNgoOqC;UX;T0!oL3EFmR`
zpwt3ONryDjAdR9lqDyx!jk17rDIp~#4T4BN$G`7@b3o5|_VWhrIcM&<=X=l0HCIFH
z>}tH|QeF_Jt<*cN*MieAff^Ox+*@n7X3JyFtS>hH1<&9A!`}aODfDDL7+`zfLa^u{
zd(v)nt7LME7yeTt8zljnEAC1(Ena6emsQy?wdJxe%Ikv+ahQdYf9$?<njBh4>m;Xy
zwxs9oE2~bvWt!;Fl`$YGb%PTuj%)HXYH-t@)HyF6B($BOaOkzwy?whQ9l*08PIV+p
z`>V0K`F*AIXxTBMAn<Gl785s_LJ>`%$}~}>Uoq87MtP^^mdoJKN>{`ZTtUFC06oWT
zV0|ppkeOltNHqvF_?Gb)2kd3@@sXyq*`cgqhXv8c)T9pkmsxu*`0@<T<c?1eq`D}L
z;t-F*6?pQsU{OZ#o8rV?=Bzo-!3ADc3E$G3c;;U7!y>d)@^f$MkEUuO7C*szG`H9E
zJSTHl5>((Q-X<Y(lOpfBjI@pI3@vbH_+z!tFO>)_@<%hyn(fPJ!Q+AURLjEwiG6+c
z13YSPqUOj;u4_OGxrV2T>|)0!oeO7Cr*jI-{lZM0R7uW<b@jC|dJ~ckcbB`fu0N5*
z5p6QOSF3_^_a%%Pq9L$eBtMfT3UPC2SIT>pkuK1r80mIYso8p;KB1vPy+O9cB34Pf
zXTg&9?$LhBQUM&iM!3JzY6W%Wq~`PYS#~we%bch?!VryB`lyPC9<En}(?JpRJ05&A
z<LTt^CsjYLHd8Em{P(tBdtle2`+f(j{Hb%@yv9o%3`Q8+|HJnGE^z<T@B5zwu=juc
zyIh9<&(Z%A62b2Oy&V4Z|4NHTu=9WaAHn8-Z2rH%??3c^`(Ls7|DWYj{C|%5AME`9
zCGjW!LspE1{<bAp{sI?V{}cWF3~c}Z-vzMg53~iwkCs_KZaE(JWundv7q+a45-E|0
zbj+<M<LlDlB2-Jby-=Y`n)^t(HBw~Z*-sK#?H-BEnR`Ux@~%hP(FTM22Xk*a9*~))
z@7!2bnP@ygzja_{wAO~Y<77Em_2vwQ{><GG!}0!{eNWp~cySpTw)frp^SVyr+L6Tp
zoS9In7N8MwTjm9rH_mF!d82_Z8@c5hZ2GwhU1e3!x7DPhX{5r|^W3TyAfzv6EZ|HY
z=bg7ym<9<N`&DPX8l-p@I9C<?H9>`B@<#$Mu!s$%#2zy^V-m6M>km%-;65f_lgF9l
zytsGGmN`!Yi67)Y6cvejaIfqhpW2989t(&+JL$H^WS*EgyrX#YEI%^E5Je0_e-K~V
zlW>j5ZERJZ<f3yne=Ne`@4*jgp+V~^h?nhFM}KoP<0!FMHY1(dbq{asG+_KV&13fg
zQz5M0g)K(svv=WG7)#(FE~PJUMu-A;{g<%!I;oL6k(*8gN_|kjzN%T1;5Ajut!R?S
zv3kS%C6RP@%*K|cL2fn6H|t0#>|uB_6lxf=*ph%5q5RAhe+O`LS&#C=V#4pgMDjhL
zj?_qmJ|)0%e5i%Ix`oCcimH4=spn_rUUFKh%lh0upyTM4-0n5J+-(7fmskoWVE@0d
zssLa2EM|%m*^#xh!Ux;MzD_#@FCbY7SpARH{}<W+`91%QJ^%afavA<Vm;T4r|1O6=
z`k(XWjrzZB36{UW#m2wz|3dgY`X9Uh=W<Zv@@9DVB!}Ff+P4uG(8Ok`gB<EwHQ$li
zJCO=-d9nA<7l4~DzQ2`;S)SuO#zg}wHoqrr&kGLaJ-xnDGJt5*zIP<hu_f**{vbi0
z-G|%X{tDj#F5{RNd9On3p`-gd%PZ3fygNdAqiQ_2izDsE23!*boa9Vu%5?H%8e8?P
zyiu^X8{xg|dn{+Mv0g!|i|@&%1PZd$J$e`D5F4V~IcEr(S!D=)S0~N288A9?knH6`
zjVi69h3`hL#i_U5tNI`AfZSRpEygX4y68JHIN!zche{Fj_lH%#Bl?i(srZU9MbC7!
zOwD=9Ay#4e)aDw}e#XdFuC|!UE#>8Hg612dmM`{9s48D6PgF-K^N&t!e;XVpiLI8a
z%wS@qYOmnR>JvC=WcbPnjFe8fS8g#CZ!RR|Ey_NP+b=1?oveG8RG8RVi!aECg`s+D
ze7?pKh?%*frpVH*u<5-BOHshnd_uAlmrt{_nh_OeyeY-&XDt=)jqfvjcSotyY9l<8
z`Cz{gP0YgIbFzV0e$xET*)%`&eOOp&a;+81Frk?iJnon_tD<kttmKy4;}%rj-1AR*
zKP)-{92()?Hq4D@yhJ>{Lj80bdi`+nM;M#u_f^?*3`SGGQ7x@JFHUNuDVnf$2oV`p
zlJ$FW!UJL?r2>BGw|aR;Y#|T4fYtw4{eOYyKcWBAe^~wh&vGgLKac*$=Kss#kN#)8
zZZr0`Ey3~^z~+B!{=dNU--5sUzu5ZUzsqI#|6KVWyZ_^I_>=zu3uw>3Z3&jYzy;U;
z&wu|1w*G%982zwg;G%NyN+f>5y+fcuA`uRpZo^wR$_%mK5&RWqlv#M}OXtp*?}*cL
zz*y&rE=pfLxzd9#WK?w1kGZk4dqy}u4PID?JWzWX*)DxYQjdLREuoJ@Kczn?ahIwQ
zVPeinVv;_BdHSx0-LDcH&D)k4XKyIE>MC0cs(CeNQ@o@+lBsMWGuYwl88rn-IdJ~*
zqQFp94B?2f?l6#uiCp*SHs)CSwVyu{akVwW&qfhf0U#LqRW0b5Y~-EX1i=O<Uz?(D
z^x0^0f+uXb(9t3nX{uOKx(uNS4q`)o^x;<75B7=rf@ah1EzV8t>ejeXL3~2S<hiB8
z>u(0^61buDH2}iqwBD?3Kq(c-jD#pVDIPueud3XsUNeIRFzGceR+QmfxAKW~$@<E+
z(>%^{Opy0eUD{}i-k+@#<?Yl~2U0V;p@*XFdc&>itjwOpH1mpV%b`}z+=$(R1?hdB
zcz^yh4<w@_VW`=?6Tpj3tJtOON2Q2J<x{H+PBmL(G}F(GmbWYw*%{J;<|X>Bi_Xy2
zLwnyxS3IRxVhHDH*L*l^d7-eoai4g%>=(aS2%8{oigl^Z4&P<v0L^XIjN=oyj&d8#
zun(cgy5d~s>_>`*)^ew1@?6-43%kkmNRv6vRL8sJdf~p0aVYAAGS4E(Qq?K*g5owD
z<gof5tN$->{`0r~6Ts^Kf0xVf|2g!(kO;Q^cRBpg|Ko*esK0FqmcPIS$N%~Fe_+r5
zUkdJ=hEB=Tk60emG#N<5I(tYvpV-PPG$X;u9c7E2cMdEbc?H1AS&;IXR>kv}`oM5r
zFW}9o^<rNcfb}zf<HoELIgMBlK&~4-spMm@QpQssq9(=Mk~sf-EvqB$C%G3ri*j~@
z!nUzJJ`tzF_0{5cj#8PqsvX3d?F=}t@f>YM4{+b~GpspzNDo~Vk{G1=VD_4b)|ge5
z2Hwwc&7h;Z@5A8E>Su5((QC)HwIF$e*;`9Spa}xp*_ATS-A|)no^PISjNQ2$d(pz`
zgXuO%f^Xb}4zmt#UrYRqm-@BICJSK$+&<#8D##jH-sp>JcS7$)`ELjF`a?5O*Od9c
z<JGvi9M>YK*yy0_mL)fDv3Obq3t`UuG-_*g#BAYYJDbIkOP(!B#wG(!RiUX#Pg`N`
z9&r_=1od~SSavNHd#L&lS%=))fR3^C=*RY=@40m(XbxR)_-$8ut9=FSYC-*l)wGK1
z*H}ZizkDD$aMw=DC-f?qnz|F>qYQ}6tCL_Q=_1`6pohIE>!xyK4||e12K{;i7ynj{
zyE}4<x-1Z`;4}4(813kTs{fj4Y)$j!2zgK+#1hAJb*TXo6Mv;Mc;it`-wUw^LWE>T
zk-nfrGTd%g4%>jY@YIw>0<rXwhqm6%lpCXB%6^X;pEIm;<+PHRxT=Q12I!y`7ySQ!
z{`kl4|GyLp&iXTIMB4Zg-GTSt?;DLSoqWW+C=qSVE?Br<9j|QInFYztZomNfU2fWs
zQ2;~{45#A%LBBSAXG@9W2*#Xc8Ii?v;^u=>ix&wgLCj#8SB>5NV7sf9&Uo3+XkbHj
z*&-8^d|avdQ#&otv%SHe{^N_*KE<#Ih~c^m9<twtt*G&((F$xg`)Urc?YDtyqqoGb
zsF{pr-j#qQ>j5NJ9~$8cbGIML6a|lG?=LKBxvqYHXr2<aYZ!{_%GPd+35nHG=fCT+
zc_ie2PuLXAx7qJNN$nX;Tp`f^m;$YvLPJVbxEl~ejdS9s;wGYj*hHl3um^iPbHqG1
zLP>v2N-|~Jd>~!9*fW+`<Uv!EqFn%xwsDBxnckJRJF+rN;qI^|Q)@6l`j)A8^10D1
zOn?^nX&FhcV}96*&*GXl?AnlhKyGRdDq2lSVjw;i6;%ik^fZTn*aOMgPF-dTMQ7Rx
zqhc|fv}=P&`(Im<dU9-Q?DuUy{?yU5l3tpzputp<g9==?1Q~%6)ZT7z=4Ye|*RvS_
zzIJ1?g$tbVzRiIZdVa_ktxYFK$ps>@^W*lOgyPgtRKJ<)(<7%e_zC|aTz`J6o5x&%
zp4|FTfQtZ?nGO&y!yy@Pe?W52;DAdPO2esT5H|duN@)Sei^8rmU8miT0*{U`Q<CO_
z_kW##|1UQFF9o4Cw~u(T20?hHq&6e1P_;@JY(J~=&HZBG&%R0vAueTVeGi%NzskIy
zyuOg^QwQR}2zFLXQZ9>Xnsgq(^-;P@Pw`vm)g8DGh1r4kmT;G02){P`@6)x-BktFr
zO-<LM^3#U$i4<iMo#NljBjr)JRqdU|r67>xXWT852tYl12J0)+>X6b6!;KKVI$X6t
zE=-%*l`qCseet)IGUMq!Xbh8QM|pct;-rhpjGw(C^G*#~_uoT-EbC2dL;aAlH)6w3
zljPDOk@$xxr!x9f1(GNHv9GUC87&3GauaN=1g_U{QR>#cQ?S+ch|zOe`k^~C)<eQ&
z{;OidlhOpF9j2thIAm(S)*f-DLx;{!C)3K%t^ZXAoTp!(MiLkLkqwE=9jTg2(vObd
z3vur;%@B<&>sEpL-*9kyYRwW=dlb61Rksd3N56S?Rg()`MJGA*%^KL*JtduL%tFhq
z=DJ~wN!{qWXWZu8T?hO$Qf*gxJ(OH0=|DL`Z3W|p!a4RbT;I%5l#sgn=6$yEN%A7-
zOZVgSW~Jev?o9}E<$nGOK46WvD_S{BCxUP?n4<Ele6X<AG#UwRP}jrNu?i{w&{st7
z<f+xu_L;#lrEGV&sRmV4)1^WqTYg}Z1Ti>^L6)U}^+c>cmHUFcM#bJ|ml1zx$7LEf
z+U~jF`CrKIckEp8FMy5z%RuAt=ZG~uOx4laMvlH`{m;|4uq6`)bnf=6XxOJYk#bd%
z-nTue52Nqa`@oReA<<6o<4NaO(<N#xv!`0OdZk_H8#+pBxwA?*bB-XcNFYCikWRks
z)ZQzS>jM+pto0AjRy&Jk>`W;4(ZHN;70E<1uxEjt*jPNWrf@(zwQ-8-!|asfm8jb*
z6q1ms5i(bC9@qZ$V@BPP8^k=NuV0lt#eEH|Jvy2%-;>t7AuydHEZdAu3{K01X54-i
zHh_VJTKPH8Ma`^3!`R(=w7ego3*q1z^klhGvAOEX)fy4O>EhG0N+5_yvCL*I{B<~~
zCF1j`e4&&Mul6yO|2y{fXS_s0$7w>VwNv$`S>%;XFwJ_wyQ6do`RYk3a)&y>>Q@Tf
zCxAs;-cabBl~0>3BDU}BiK5;UwYUcGu_8(lqa$ntzy6QC^9*Wo>-IRk2?0du9qFCW
zi!=f0g3<!gg7hlF0i;QfNa%v}ra_t@(m|0b3K67)B0Yd~loE=Bd(QRV`_7p=?}y_E
zIP>QBDc|;<tmnVi|5<DA{fwF~#BqyYsR<I88;|OAIlV|wSO<&&+C*jQ>+dQo(<xUi
z=W%IqB>H8*>a8h;79yuEE7QcLsk`@9ca`|`f$G`$!JnUQsJt8Z*e<)TPKL@b3{0~s
zmO^DxI<~;TT&OA<)0FJKCFmoVfvSIjRc&wn^y??Hm8SSl@7+!(Br*P$nir%e%bYPv
zb)AC8CLwy5JlyKdWQh_w{EB^|Pehx>^Wv?dQgIjnNt+1YC<a0vu4}PA?Xo!K@BjV0
z|HqvFKNG41-!?`LLi9*fd;v=uXpUD$4Ywn%nB+6jEl$AIGNpIjD<dP8v8GkM3>ZAa
zxU&n?AXQ@PtU-&&;=bzV5cX%A13V$gBtXuD4gBeCf=uuOEwr1M`l?43KKYil2TQu=
zauCw6H?av$H*$4wf9u_S0a8A>K#?sz;W04TCWmXX(Pf`d?tn--?jprKedi&fWVece
z=0iGKr_tS9EvOc7qzmjToTM4)b-8f8oX~>5CzSxl=dRVL<(;&zZ0Y<A2#?koDSFGm
zT^XP$U{3jtq&9M95A{bTbRvY3Lq)$$5t`dqzIfFTCK2V<o@8;UL72ymGmN%_o=)bf
zL}kmDk~qm$Sir^rb(RD{L&}S(PbLNcY>BJUF+_h<NzjF{Le`w_?N##E^B^Mej$Nq}
zs2%g5?u&)=kW0b|2wk2v8z;~d06J5oJKKjY#O>)xLF$YlOL%Zv(6sacGNXw6Mf!Ir
z<<UZ=&8E$zL8^me-cX;0YKo0i@b0^N>8oKRf)Yy>`7wqWbY_#jNu>o}LwOaPus6C9
z!|n=FudgK?G<_TK4{sT_6Swi-**;REXh>Fg&42h#w7@AQAu}TC`n|36wZ7iSz-WJ2
zs6kl`CHc+E@qB$vUWzhGbR!AP`9ozE$KuisS2<iShgiW4AbIYt&LxMim?UcE)dWoc
z57YlU#rlu<fA@bd{lDLqGl~B{@BfL5VEq5t@T33dvH<Qq@0nmY2Qc{`lmAa~|My?_
zzlvh+|NVVAi}+*m|8LBX{IBtFboabxg5exEW&Qv3{(nsU|7<Amn~#33NppuZ9~)X!
zf_01gAh|06JAYF%+rzXSKG&9?wNpy77)6A8kxG7*WawjKzlm`5x`0u?m<b76F$w9q
ztw0_{*i?p?P$Mohe+`de_`_ulM1|on!yATi_A=3O?w+}pb|ukQ;H-t!_CeR#+Q`}?
z|08r}GQtdI$53vEGR8i}woiJiJQL>UV0)1_HK~%=J`^iZL}XK;CcxM@2-H8RH_T}2
zJm1`2v^>~U+3@)y8sgXPVDIuNb#AL`2Q1Y5fO0A4Cd%VbsLwa=R$Z1B3S>RN-{LKB
za{{KzIZ{g8lqEM*sT@6g%f_o(kN8@i;1p<un(50_nAE1u4hufNRwsSGe-!(Pb5p#&
zvT=3X7S+oKTZBSL4OTSi#)Ow4^K*Zb=|+Y$-`<yv35K6SO%C+9hMtW{8AO20l)gN-
z#3E5;?b=-)eZ*rGMCk(r<!P(B>*pD>S#(W&yye_rMQ!SRiNM|>H>3nBxMrGR0l&4i
z&Ld=tcJlc_R!sV`QkJZr$+&ffEwAgN9(=9sR0+qKz-jOYS;CNs4RmA81K+Vpu6g%6
z@JU|Oc1yDhMcf6A_XR8ien&b6UdDUQD?zXY$q(gg^<=H%ZR!W|4GL&4HuP$+j+0x-
z=pU$<ddomu{=Pe~zE|Rrx9+9tlx}JIYLG3ih9CwfF#aFo|4;G$2dTgAe*j|q|8L7#
z#Q$gfKc@e8M*Q&qF9le|&wC~q&Vf^||4aQf#!vZwjQ-CAz0Ld5h<&{qldCG6P-b)7
z-~&s>TZPe~-3_uvAqDd;SN#0%QmZy+NaG_W*htIT)!DYHpFqNr)gE3V2zC;|lLVyl
zF&Hqm$G!ISYKIe(=RaK2wI$G?*53Ds_vvh>z}jtpWts+bd-MuN`Tedd<muM6PXnuC
z2#ICnh)NqG`&mJ3T}LjLZbeb#1pKQlj@%0Ly>CSDvdR;z8yAetxWN%1zef+et|W2^
zTU~EhDf3~y{1l5QaT-s^jhbs7!Ct|db{LTmcFBk$o(5GDHSEab;FfcPN+EeHZe*WP
zD58E02vNT0#sp^!pzCd+*AgQ3pB&ZPPut_pjtFC4eV9$C9g;H6Ib%S{Ah4D-#jbZb
zImFZZ62SD{`mvMI2GbJL*UAHv%E1!R9Af@_ql0{GH9fSAz!W15yt9q+O7O|`leEQa
zGIn6XK;VX@V(1qpTnDd4cRRBHd%C(z*+*#IO?d#%n$?>7oc~f%;=W+6l-G#|()s%x
z^H#k&H!U0AeKwqfI1NQByxG($q(A9JH`(vOW*x$~m9cfL8sABBoWsbd7Iew6HhOHY
z9v5~FisCDo%njl4P~FNCAy;wJNKcV{*PG3h-(j(t+h2J1!d`7w5Z$&%o_3|)tzIgx
zV+%8xxNE*vm5(@7wbQs*^lLknb`i(VL~-Hk0|SK^|Bvzir|AEHfBHXZ8I1q`Z8?kh
z|5W`SbN=sa_~HK(eO18cJrfM)04D!q^8YEG|M+wLmjq(+|L@CL#Q&%AKj!|gv*Abn
zf9J4Qblx+;a1Q)p{fmhT|Nk-mlDL$V#J|`7zv_RYQc_ZX>R(*!ulz4@7JtBhxc+}x
z{QtG=i%N_CJ#zn`{`<f2$L#+)BkbFt-^e`L^lLvXLN43itYmPxZRTw*gpQ(MI5C{g
zMGgcTj8%fOR5l=;&7APO>FB!Pk7KD@ZGx}6Nrcx5e6KGH#XNfsLMtti%RYW1R2LaV
z)d>}Ki%mn&6YCQx<`x6UDX)vgzZJxS6%I_*MPj99o7Nr}17vW3qH1)-f){5v8_Los
zYc_q#^Pb?vy6`YarrWa>(JL4qN%&o9aEM^M5?Qq)JfQ9Ar3KT0d(RJ7R3A>F%EI>q
zv~;=?q9+UEhQ0#uwgS?eq|0!!Q)yg=$vmCsX3<UKw>^l2WvpA&wxe7Nz(k#J6Kla0
zwe0wg^&V`um$j@8GX1tk71E>-h1el%{wfdaWK#vCQWP`zz~~*0JT>UK6K6`gU9(dK
zg~g~UjlTa!mvM#tdy6}|qC*ia9wkZ12c++0RG@p@R6<fV^^zX<xA>ljKzI+C!b<rz
z5r!odv0!q(<wo5cQj?Eyq%Y-J){67&vX1!$Vk{l#Q-@JZsH-tm?V)`4bqx=EE4Gli
zN857tg73bv3FPjuVPy^BxrVGWIYM^yJ8TSK^D%3AlcD%;-!BkeV}zuCnl~yI+i2l{
z0GWc;`YIJ)zMRQeRkQ;Iwb+q#E~?%VvaWpU&^*=Ec&(y%RnUVgA}`5#K@V3b{Dxlw
z37%Xt<E%As;{o0a({HDue`(3TJ!3zme@y-7Ovq{S^=p~VDC@23f4D$JhIMq8XWX~^
zVayd+b1Gd$7zlA9J~(d}GUUA{{Y;^mLX1z(%0`}Q{o`6?baF9~zjBK49F<vpIuuIU
zSyUX7(!@D^gdH1v-2cUyn$!7+-mR<@m&lAUpc6XMg?25aw!x+mCR$$V=F0vo;ec{+
zNmMYR=jZCX*knleZIL}R8y!y@=O_<wO3S@8)TC(2;%aWko_L$7VC0h+1n#`V^4?9)
ze*FUFKwunLR6*96^6*uvh>p{^Lurll^6IyW@|)l**T~H9Dkn_dlCv$P=Sz0hvTIyJ
z3L=QDy>5C>>czRfXI38%htE=utty5P!F9}OFJFr7Xal{Zng6aeoD*Q&A!TG}Xubyv
zp0vnFsBUTySuKhJk!W@)3)NXYWuf2N85I!Zk`&f1R@$u;3zA6HK+Awt7iT3$EOhJc
zL&=`pl#8)GGD?E%`dtY$@MaJ<Bxz3T0qLfojxFrcQ?vB6^l{>di$~iI?UR{CwXg*V
zeG8UtP$7Wba!A+ST~$~1p{e0nGFJW9b=~{Zw$E**pAxXi=#nn*zRnPO8n4JJiIi?|
z6V4f$Nq&%1;w$&0T>(nu*~1O$)^NgIKmIOI8HW?Sr^y+A@0kVCcMUF2ZEk%+9HB&U
zr@>VK$W)5U5jy#4uIum<n#{2-deioF^e_77Pl^BA_Wuvw|Nck+k|H9Q`(Mt6AMbzW
zeJ0W8JrfM)z^Uk868N_<F#iAdg`nv~f;;n~Owi*k^M;Y*R#c%ZIFmOp%Tc%KNZ>`F
zk4ze)2%oUnOm6*?T;8M-mi(J*&g&!nu3w}_$Q!;L)Opu8l>myyy8#EZg-~bCrTqmT
z@C)_%10kQ86vw93STz)pAMGSB(*02zd!C>YMU}Qm*Su6|mS3jEB1g)~uvT@whi7Xf
z=vk~B|LAp7d%J;a`^*}DaBY^5Qt5rcR{M<j(uj0O#gARc27`ej)sLBa+Fylgs=U4r
zBw&j$x&Pr{ai%Kg#->NAF{#|5Xh41d3=2J_CdJV~L7i{ufu9h)V(#(6e2T;dj{=)8
zS(Sa;Mp~lH?qQd@nBIE?tdWDi;w~aMox6&EUTixWs~lO7EWboDQ8G=-7{H?0SYZq(
z5}awNdd78WQc=NSa?<;;tAKd$+fcz#;&46cQBJw!gN=E=ux4gkB4u&=3uW~3tBn)%
zpAtj+0bWEt@qQ9A_tVvxce@a`G;wx9M@T60tSqq0+gp<;`db;K`H#qMl3pF?(k_&w
zt$T(u>|woKBP-TpRb&OnHEIHY1h}yhRMr*8V?s@OmrDqREyF1Q`&X}@>}PkdZU^$u
zh57N_83@eI({6#oEpWg(HZ}dW$Ubj^W=|q_M;Bq(?G$~1;P&o<Hn}@B>@AK*fxvW!
zJF_kZvO{e70dJAduYynK{a@^F&)84sA1H<K|7QYMQ9G+lh~*<}eo$cqw=@>Kp4E|?
zd(c0`?G^U?^+WV^)##zDb<f!a$D9*x4x&9?OL0lVM_G(W{U`ZU*b<Ng_Y`WZO>3N<
zWUULR#Lj_KsQk?eZ9|;F3wzU!>K{S|IfGeB6~DJ;M7{p<!YqO&<S+?u)XAZfo>^D+
zfh_Mhbfq~r<HL;_I<kUieJj_q<UsFtl6}=4SAVo|A50ng@a;jzXC*fp|GH|^Z;VNH
zurJkPBJrFi(610@KEh@pob*y=r+ksX>5<R5c@S#NB7K_=cfX@zYv?Q*QGaNd3?bY;
zCq3uRZ=zcsTp8s(&=WH!PW@I}AZ`JoN=96aBK$5G2P@cZZR@0W^$BiyyVu8Gw)%A=
z>SJG&yWgPWtz$S$z4-IzMDjL$2W`vyc<F_%Rs!KA@6|$Vj3TpqgYcWWjT7Ib5FQSM
zS5)Ad%*{(@I(m;)w<Idwwuf{y*u=AcqLo5wG~);r-H7*pyX^Fh%2f%^bGBljb9T-D
zc9ojrn~A>g&HYdX{)1N)2+=q4A8+LLFf?D3R&GYHOh|hHY&FR^0c#0WbBs4kk1aEg
z1AWa3F9ag1S<4%?vfN#9h7l{TU_lF2dpi+19gjKR=Ca}`ZHU}cU#CF|?>yycEwdoY
z*jKrvU2!8t2W1u;34N59_*Iucp51jr(hgqwi|fClBEPEsD}t&2o&~?U{xAKD;x8(S
ziT_#fi{md2{8jpw#KiwB_|@zGFVjC}{XY{<#s33E|2D=?`F|kB|DOc}BXED2H`VB7
zd|N>G0;mk@VjXk9NRBa*<%#0PUZ{KJ%c^x#IE_EcQ&x4pPX)tbJy>*s@bEi5MbW^A
zMkgTgCBM$_O!9ud2^(S8p7xwc_6*I^{^U7>9^TpybjVy9kkbIN7dMb^MD4%Yt@n_o
zqBsuVGiczA2s1%@;7UcqF1zpTE^cbhYLzo|vmzhe?cS9%ozAV&%tuKPCKW}{%W9RS
zMwGUSXlhx3Vg*);mKId>FhtGFR#fYc{^>y!!w7yK4)>qK;a<-7oZtNg_sbncyQsYP
zPnP%w*j`Vn#uXFW0<Jy!{CL&5qFQ6BUy<YZo3!eyT9;1b4y<e`@0FgFlq`GwE<ABZ
z{fPYqQ82|No!#2sJN?sGi@T=5o%L$M$i>q9!XC}(_^?{P*hA6WoPEO;&mKCO#O-Z;
zGviOBgj58j5+AAt)3fdxR%c2F&Tb7ys}ef3_ZF@U?rK3cNY1OC`+hjJdnmwpB4_h(
z6!yL)D%CjH)!4?oY)B6D*GHVPrVJF%qn!S43)z}A#C&;x#7DmG*v8%?{X3g763UJI
zm>C7<<+I9fj*oCT8`Ct4I&UYrk4MHWK<ZmJt;h7ui0tE$ww_4;3!LQO^|Vl&W)Ihm
zmAi8<T^VY0jGI*HyUpdSYA#`>wYLkUQZ~PmoyxzgC}Gw;b?jFSK9J5Wi=H5K6HALo
z-Y&NK5oSK@WaLrFiVkPV{TplVxPm&T?v0Y)zBnUr-k!;~F1tpEzKD~dldbwO`AEw0
zj^a%Xt}}NFvbQ*Mx<7I;Ws7So0~a41@F}aSyG$<da{VV+Z`FSi>i=l)cK=7i|Np=8
zm-*W=vwsrwFZ@aVG=WPzvkDCE|ETyO|KzyDBu#?WoA3Bd|A&zj{ayYP!9f2vDnfL2
zQMS--mSIX6PN_&jh2gR#YMqSmq=4kwELMJ%s8Mt3BosFaqyjfFsDd#GC}qNwr~#)b
zlx1lV!+D;kSQaswJsT=oJu6~0YE;1rlxJWl#qx~j!SX0CFeJ(tctR<9mSMOFG3qih
zMGiy09>Xk)AnNTI0;l9@+C<U>DhdLQQnbjTO44LNO#~|{l%!{x62E<(E-zc;)G@l4
zbZvq<4l(n27P~E3wB}}5vN)8ck$=6(00000000000000000000000000001hmwf?B
K4|m%D5I_JSQ(ry+

literal 0
HcmV?d00001

diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-datanode-dir.txt b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-datanode-dir.txt
new file mode 100644
index 00000000000..e5890ccda1e
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-datanode-dir.txt
@@ -0,0 +1,23 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Similar to hadoop-dfs-dir.txt, except this is used for a datanode layout
+# upgrade test.
+# Uncomment the following line to produce checksum info for a new DFS image.
+#printChecksums
+
+/small 	 2976363016
+overallCRC 	 4099869518
+	

From a41c314373bf92669e35ddfcbec1114826c437e7 Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Fri, 1 Aug 2014 23:44:48 +0000
Subject: [PATCH 109/354] YARN-2343. Improve NMToken expire exception message.
 Contributed by Li Lu

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615270 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                                 | 2 ++
 .../nodemanager/containermanager/ContainerManagerImpl.java      | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 3458b2ceba7..a03a63d79c5 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -80,6 +80,8 @@ Release 2.6.0 - UNRELEASED
     YARN-1994. Expose YARN/MR endpoints on multiple interfaces. (Craig Welch,
     Milan Potocnik, Arpit Agarwal via xgong)
 
+    YARN-2343. Improve NMToken expire exception message. (Li Lu via jianhe)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
index 0625df0edde..7922fe2ce06 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
@@ -514,6 +514,8 @@ protected void authorizeStartRequest(NMTokenIdentifier nmTokenIdentifier,
       messageBuilder.append("\nThis token is expired. current time is ")
         .append(System.currentTimeMillis()).append(" found ")
         .append(containerTokenIdentifier.getExpiryTimeStamp());
+      messageBuilder.append("\nNote: System times on machines may be out of sync.")
+        .append(" Check system time and time zones.");
     }
     if (unauthorized) {
       String msg = messageBuilder.toString();

From c614ceed84e6d942137ddca76654b77f7df368c9 Mon Sep 17 00:00:00 2001
From: Chris Nauroth <cnauroth@apache.org>
Date: Sat, 2 Aug 2014 15:02:23 +0000
Subject: [PATCH 110/354] HADOOP-10925. Compilation fails in native link0
 function on Windows. Contributed by Chris Nauroth.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615320 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt                | 3 +++
 .../main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c   | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 0dbfc6e1348..7e3bee29110 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -413,6 +413,9 @@ Trunk (Unreleased)
     HADOOP-10920. site plugin couldn't parse hadoop-kms index.apt.vm.
     (Akira Ajisaka via wang)
 
+    HADOOP-10925. Compilation fails in native link0 function on Windows.
+    (cnauroth)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
index f3885d7499a..23513bfd667 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
@@ -1081,7 +1081,7 @@ done:
   if (!src) goto done; // exception was thrown
   dst = (LPCTSTR) (*env)->GetStringChars(env, jdst, NULL);
   if (!dst) goto done; // exception was thrown
-  if (!CreateHardLink(dst, src)) {
+  if (!CreateHardLink(dst, src, NULL)) {
     throw_ioe(env, GetLastError());
   }
 

From bcf7ab1d0fe4c7e139e8210b4368cfb3db25a9df Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Sun, 3 Aug 2014 02:08:32 +0000
Subject: [PATCH 111/354] HDFS-6810. StorageReport array is initialized with
 wrong size in DatanodeDescriptor#getStorageReports. (Contributed by szetszwo)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615381 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                     | 2 ++
 .../hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java  | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index b13797ae06d..436594ee3a0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -427,6 +427,8 @@ Release 2.6.0 - UNRELEASED
     HDFS-6797. DataNode logs wrong layoutversion during upgrade. (Benoy Antony
     via Arpit Agarwal)
 
+    HDFS-6810. StorageReport array is initialized with wrong size in
+    DatanodeDescriptor#getStorageReports. (szetszwo via Arpit Agarwal)
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java
index fcc189d9f9b..d622905f0ba 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java
@@ -260,8 +260,8 @@ DatanodeStorageInfo[] getStorageInfos() {
   }
 
   public StorageReport[] getStorageReports() {
-    final StorageReport[] reports = new StorageReport[storageMap.size()];
     final DatanodeStorageInfo[] infos = getStorageInfos();
+    final StorageReport[] reports = new StorageReport[infos.length];
     for(int i = 0; i < infos.length; i++) {
       reports[i] = infos[i].toStorageReport();
     }

From 2ad6da01c3cdaf79561175a24b6a7170e3dd89ef Mon Sep 17 00:00:00 2001
From: Chris Nauroth <cnauroth@apache.org>
Date: Sun, 3 Aug 2014 04:58:42 +0000
Subject: [PATCH 112/354] HADOOP-10903. Enhance hadoop classpath command to
 expand wildcards or write classpath into jar manifest. Contributed by Chris
 Nauroth.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615386 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   3 +
 .../hadoop-common/src/main/bin/hadoop         |  13 +-
 .../hadoop-common/src/main/bin/hadoop.cmd     |  13 +-
 .../org/apache/hadoop/util/Classpath.java     | 125 +++++++++++++
 .../src/site/apt/CommandsManual.apt.vm        |  19 +-
 .../org/apache/hadoop/util/TestClasspath.java | 176 ++++++++++++++++++
 6 files changed, 339 insertions(+), 10 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/Classpath.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestClasspath.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 7e3bee29110..0887d047d2a 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -479,6 +479,9 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-10900. CredentialShell args should use single-dash style. (wang)
 
+    HADOOP-10903. Enhance hadoop classpath command to expand wildcards or write
+    classpath into jar manifest. (cnauroth)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop b/hadoop-common-project/hadoop-common/src/main/bin/hadoop
index 118534274ae..55c843ff77d 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop
@@ -90,11 +90,6 @@ case $COMMAND in
     fi
     ;;
 
-  classpath)
-    echo $CLASSPATH
-    exit
-    ;;
-
   #core commands  
   *)
     # the core commands
@@ -118,6 +113,14 @@ case $COMMAND in
       CLASSPATH=${CLASSPATH}:${TOOL_PATH}
     elif [ "$COMMAND" = "credential" ] ; then
       CLASS=org.apache.hadoop.security.alias.CredentialShell
+    elif [ "$COMMAND" = "classpath" ] ; then
+      if [ "$#" -eq 1 ]; then
+        # No need to bother starting up a JVM for this simple case.
+        echo $CLASSPATH
+        exit
+      else
+        CLASS=org.apache.hadoop.util.Classpath
+      fi
     elif [[ "$COMMAND" = -*  ]] ; then
         # class and package names cannot begin with a -
         echo "Error: No command named \`$COMMAND' was found. Perhaps you meant \`hadoop ${COMMAND#-}'"
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd b/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd
index 54b81e364bf..04a302c0f38 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd
@@ -115,11 +115,14 @@ call :updatepath %HADOOP_BIN_PATH%
   )
 
   if %hadoop-command% == classpath (
-    @echo %CLASSPATH%
-    goto :eof
+    if not defined hadoop-command-arguments (
+      @rem No need to bother starting up a JVM for this simple case.
+      @echo %CLASSPATH%
+      exit /b
+    )
   )
   
-  set corecommands=fs version jar checknative distcp daemonlog archive
+  set corecommands=fs version jar checknative distcp daemonlog archive classpath
   for %%i in ( %corecommands% ) do (
     if %hadoop-command% == %%i set corecommand=true  
   )
@@ -175,6 +178,10 @@ call :updatepath %HADOOP_BIN_PATH%
   set CLASSPATH=%CLASSPATH%;%TOOL_PATH%
   goto :eof
 
+:classpath
+  set CLASS=org.apache.hadoop.util.Classpath
+  goto :eof
+
 :updatepath
   set path_to_add=%*
   set current_path_comparable=%path%
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/Classpath.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/Classpath.java
new file mode 100644
index 00000000000..0d3df2d0ce0
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/Classpath.java
@@ -0,0 +1,125 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.shell.CommandFormat;
+import org.apache.hadoop.fs.shell.CommandFormat.UnknownOptionException;
+
+/**
+ * Command-line utility for getting the full classpath needed to launch a Hadoop
+ * client application.  If the hadoop script is called with "classpath" as the
+ * command, then it simply prints the classpath and exits immediately without
+ * launching a JVM.  The output likely will include wildcards in the classpath.
+ * If there are arguments passed to the classpath command, then this class gets
+ * called.  With the --glob argument, it prints the full classpath with wildcards
+ * expanded.  This is useful in situations where wildcard syntax isn't usable.
+ * With the --jar argument, it writes the classpath as a manifest in a jar file.
+ * This is useful in environments with short limitations on the maximum command
+ * line length, where it may not be possible to specify the full classpath in a
+ * command.  For example, the maximum command line length on Windows is 8191
+ * characters.
+ */
+@InterfaceAudience.Private
+public final class Classpath {
+  private static final String usage =
+    "classpath [--glob|--jar <path>|-h|--help] :\n"
+    + "  Prints the classpath needed to get the Hadoop jar and the required\n"
+    + "  libraries.\n"
+    + "  Options:\n"
+    + "\n"
+    + "  --glob       expand wildcards\n"
+    + "  --jar <path> write classpath as manifest in jar named <path>\n"
+    + "  -h, --help   print help\n";
+
+  /**
+   * Main entry point.
+   *
+   * @param args command-line arguments
+   */
+  public static void main(String[] args) {
+    if (args.length < 1 || args[0].equals("-h") || args[0].equals("--help")) {
+      System.out.println(usage);
+      return;
+    }
+
+    // Copy args, because CommandFormat mutates the list.
+    List<String> argsList = new ArrayList<String>(Arrays.asList(args));
+    CommandFormat cf = new CommandFormat(0, Integer.MAX_VALUE, "-glob", "-jar");
+    try {
+      cf.parse(argsList);
+    } catch (UnknownOptionException e) {
+      terminate(1, "unrecognized option");
+      return;
+    }
+
+    String classPath = System.getProperty("java.class.path");
+
+    if (cf.getOpt("-glob")) {
+      // The classpath returned from the property has been globbed already.
+      System.out.println(classPath);
+    } else if (cf.getOpt("-jar")) {
+      if (argsList.isEmpty() || argsList.get(0) == null ||
+          argsList.get(0).isEmpty()) {
+        terminate(1, "-jar option requires path of jar file to write");
+        return;
+      }
+
+      // Write the classpath into the manifest of a temporary jar file.
+      Path workingDir = new Path(System.getProperty("user.dir"));
+      final String tmpJarPath;
+      try {
+        tmpJarPath = FileUtil.createJarWithClassPath(classPath, workingDir,
+          System.getenv());
+      } catch (IOException e) {
+        terminate(1, "I/O error creating jar: " + e.getMessage());
+        return;
+      }
+
+      // Rename the temporary file to its final location.
+      String jarPath = argsList.get(0);
+      try {
+        FileUtil.replaceFile(new File(tmpJarPath), new File(jarPath));
+      } catch (IOException e) {
+        terminate(1, "I/O error renaming jar temporary file to path: " +
+          e.getMessage());
+        return;
+      }
+    }
+  }
+
+  /**
+   * Prints a message to stderr and exits with a status code.
+   *
+   * @param status exit code
+   * @param msg message
+   */
+  private static void terminate(int status, String msg) {
+    System.err.println(msg);
+    ExitUtil.terminate(status, msg);
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
index 149c2202506..01ed6bcf39f 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
@@ -296,9 +296,24 @@ User Commands
 * <<<classpath>>>
 
    Prints the class path needed to get the Hadoop jar and the required
-   libraries.
+   libraries.  If called without arguments, then prints the classpath set up by
+   the command scripts, which is likely to contain wildcards in the classpath
+   entries.  Additional options print the classpath after wildcard expansion or
+   write the classpath into the manifest of a jar file.  The latter is useful in
+   environments where wildcards cannot be used and the expanded classpath exceeds
+   the maximum supported command line length.
 
-   Usage: <<<hadoop classpath>>>
+   Usage: <<<hadoop classpath [--glob|--jar <path>|-h|--help]>>>
+
+*-----------------+-----------------------------------------------------------+
+|| COMMAND_OPTION || Description
+*-----------------+-----------------------------------------------------------+
+| --glob          | expand wildcards
+*-----------------+-----------------------------------------------------------+
+| --jar <path>    | write classpath as manifest in jar named <path>
+*-----------------+-----------------------------------------------------------+
+| -h, --help      | print help
+*-----------------+-----------------------------------------------------------+
 
 Administration Commands
 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestClasspath.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestClasspath.java
new file mode 100644
index 00000000000..9ffde9030e2
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestClasspath.java
@@ -0,0 +1,176 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+import static org.junit.Assert.*;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.nio.charset.Charset;
+import java.util.jar.Attributes;
+import java.util.jar.JarFile;
+import java.util.jar.Manifest;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.io.IOUtils;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * Tests covering the classpath command-line utility.
+ */
+public class TestClasspath {
+
+  private static final Log LOG = LogFactory.getLog(TestClasspath.class);
+  private static final File TEST_DIR = new File(
+    System.getProperty("test.build.data", "/tmp"), "TestClasspath");
+  private static final Charset UTF8 = Charset.forName("UTF-8");
+
+  static {
+    ExitUtil.disableSystemExit();
+  }
+
+  private PrintStream oldStdout, oldStderr;
+  private ByteArrayOutputStream stdout, stderr;
+  private PrintStream printStdout, printStderr;
+
+  @Before
+  public void setUp() {
+    assertTrue(FileUtil.fullyDelete(TEST_DIR));
+    assertTrue(TEST_DIR.mkdirs());
+    oldStdout = System.out;
+    oldStderr = System.err;
+
+    stdout = new ByteArrayOutputStream();
+    printStdout = new PrintStream(stdout);
+    System.setOut(printStdout);
+
+    stderr = new ByteArrayOutputStream();
+    printStderr = new PrintStream(stderr);
+    System.setErr(printStderr);
+  }
+
+  @After
+  public void tearDown() {
+    System.setOut(oldStdout);
+    System.setErr(oldStderr);
+    IOUtils.cleanup(LOG, printStdout, printStderr);
+    assertTrue(FileUtil.fullyDelete(TEST_DIR));
+  }
+
+  @Test
+  public void testGlob() {
+    Classpath.main(new String[] { "--glob" });
+    String strOut = new String(stdout.toByteArray(), UTF8);
+    assertEquals(System.getProperty("java.class.path"), strOut.trim());
+    assertTrue(stderr.toByteArray().length == 0);
+  }
+
+  @Test
+  public void testJar() throws IOException {
+    File file = new File(TEST_DIR, "classpath.jar");
+    Classpath.main(new String[] { "--jar", file.getAbsolutePath() });
+    assertTrue(stdout.toByteArray().length == 0);
+    assertTrue(stderr.toByteArray().length == 0);
+    assertTrue(file.exists());
+    assertJar(file);
+  }
+
+  @Test
+  public void testJarReplace() throws IOException {
+    // Run the command twice with the same output jar file, and expect success.
+    testJar();
+    testJar();
+  }
+
+  @Test
+  public void testJarFileMissing() throws IOException {
+    try {
+      Classpath.main(new String[] { "--jar" });
+      fail("expected exit");
+    } catch (ExitUtil.ExitException e) {
+      assertTrue(stdout.toByteArray().length == 0);
+      String strErr = new String(stderr.toByteArray(), UTF8);
+      assertTrue(strErr.contains("requires path of jar"));
+    }
+  }
+
+  @Test
+  public void testHelp() {
+    Classpath.main(new String[] { "--help" });
+    String strOut = new String(stdout.toByteArray(), UTF8);
+    assertTrue(strOut.contains("Prints the classpath"));
+    assertTrue(stderr.toByteArray().length == 0);
+  }
+
+  @Test
+  public void testHelpShort() {
+    Classpath.main(new String[] { "-h" });
+    String strOut = new String(stdout.toByteArray(), UTF8);
+    assertTrue(strOut.contains("Prints the classpath"));
+    assertTrue(stderr.toByteArray().length == 0);
+  }
+
+  @Test
+  public void testUnrecognized() {
+    try {
+      Classpath.main(new String[] { "--notarealoption" });
+      fail("expected exit");
+    } catch (ExitUtil.ExitException e) {
+      assertTrue(stdout.toByteArray().length == 0);
+      String strErr = new String(stderr.toByteArray(), UTF8);
+      assertTrue(strErr.contains("unrecognized option"));
+    }
+  }
+
+  /**
+   * Asserts that the specified file is a jar file with a manifest containing a
+   * non-empty classpath attribute.
+   *
+   * @param file File to check
+   * @throws IOException if there is an I/O error
+   */
+  private static void assertJar(File file) throws IOException {
+    JarFile jarFile = null;
+    try {
+      jarFile = new JarFile(file);
+      Manifest manifest = jarFile.getManifest();
+      assertNotNull(manifest);
+      Attributes mainAttributes = manifest.getMainAttributes();
+      assertNotNull(mainAttributes);
+      assertTrue(mainAttributes.containsKey(Attributes.Name.CLASS_PATH));
+      String classPathAttr = mainAttributes.getValue(Attributes.Name.CLASS_PATH);
+      assertNotNull(classPathAttr);
+      assertFalse(classPathAttr.isEmpty());
+    } finally {
+      // It's too bad JarFile doesn't implement Closeable.
+      if (jarFile != null) {
+        try {
+          jarFile.close();
+        } catch (IOException e) {
+          LOG.warn("exception closing jarFile: " + jarFile, e);
+        }
+      }
+    }
+  }
+}

From 04ae5603707e53cc6b12c57bbd9d95f1c8e770a7 Mon Sep 17 00:00:00 2001
From: Junping Du <junping_du@apache.org>
Date: Mon, 4 Aug 2014 01:15:46 +0000
Subject: [PATCH 113/354] YARN-2370. Fix comment in
 o.a.h.y.server.resourcemanager.schedulerAppSchedulingInfo (Contributed by
 Wenwu Peng)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615469 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                                | 3 +++
 .../server/resourcemanager/scheduler/AppSchedulingInfo.java    | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index a03a63d79c5..38414574764 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -82,6 +82,9 @@ Release 2.6.0 - UNRELEASED
 
     YARN-2343. Improve NMToken expire exception message. (Li Lu via jianhe)
 
+    YARN-2370. Fix comment in o.a.h.y.server.resourcemanager.schedulerAppSchedulingInfo 
+    (Wenwu Peng via junping_du)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AppSchedulingInfo.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AppSchedulingInfo.java
index a127123a760..3c6f210b4b6 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AppSchedulingInfo.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AppSchedulingInfo.java
@@ -360,7 +360,7 @@ synchronized private void allocateOffSwitch(SchedulerNode node,
       List<ResourceRequest> resourceRequests) {
     // Update future requirements
     decrementOutstanding(offSwitchRequest);
-    // Update cloned RackLocal and OffRack requests for recovery
+    // Update cloned OffRack requests for recovery
     resourceRequests.add(cloneResourceRequest(offSwitchRequest));
   }
 

From 30a9ec26f799977ba36d8860daf0a90705927fae Mon Sep 17 00:00:00 2001
From: Vinayakumar B <vinayakumarb@apache.org>
Date: Mon, 4 Aug 2014 06:44:06 +0000
Subject: [PATCH 114/354] HDFS-5723. Append failed FINALIZED replica should not
 be accepted as valid when that block is underconstruction. Contributed by
 Vinayakumar B.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615491 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  4 ++
 .../server/blockmanagement/BlockManager.java  | 10 ++++
 .../apache/hadoop/hdfs/TestFileAppend.java    | 57 +++++++++++++++++++
 .../namenode/ha/TestRetryCacheWithHA.java     |  8 ++-
 4 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 436594ee3a0..101a5dd8d2c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -429,6 +429,10 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-6810. StorageReport array is initialized with wrong size in
     DatanodeDescriptor#getStorageReports. (szetszwo via Arpit Agarwal)
+
+    HDFS-5723. Append failed FINALIZED replica should not be accepted as valid
+    when that block is underconstruction (vinayakumarb)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
index 41118183658..190ca892a06 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
@@ -2167,6 +2167,16 @@ private BlockToMarkCorrupt checkReplicaCorrupt(
         } else {
           return null; // not corrupt
         }
+      case UNDER_CONSTRUCTION:
+        if (storedBlock.getGenerationStamp() > reported.getGenerationStamp()) {
+          final long reportedGS = reported.getGenerationStamp();
+          return new BlockToMarkCorrupt(storedBlock, reportedGS, "block is "
+              + ucState + " and reported state " + reportedState
+              + ", But reported genstamp " + reportedGS
+              + " does not match genstamp in block map "
+              + storedBlock.getGenerationStamp(), Reason.GENSTAMP_MISMATCH);
+        }
+        return null;
       default:
         return null;
       }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileAppend.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileAppend.java
index 4ea534acdd6..d8400778ec9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileAppend.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileAppend.java
@@ -19,6 +19,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -32,6 +33,7 @@
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.HardLink;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.MiniDFSCluster.DataNodeProperties;
 import org.apache.hadoop.hdfs.protocol.AlreadyBeingCreatedException;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.LocatedBlock;
@@ -39,6 +41,7 @@
 import org.apache.hadoop.hdfs.server.datanode.DataNode;
 import org.apache.hadoop.hdfs.server.datanode.DataNodeTestUtils;
 import org.apache.hadoop.hdfs.server.datanode.SimulatedFSDataset;
+import org.apache.hadoop.io.IOUtils;
 import org.apache.hadoop.ipc.RemoteException;
 import org.junit.Assert;
 import org.junit.Test;
@@ -169,6 +172,7 @@ public void testCopyOnWrite() throws IOException {
       }
 
     } finally {
+      client.close();
       fs.close();
       cluster.shutdown();
     }
@@ -380,4 +384,57 @@ public void testAppendAfterSoftLimit()
     }
   }
 
+  /**
+   * Old replica of the block should not be accepted as valid for append/read
+   */
+  @Test
+  public void testFailedAppendBlockRejection() throws Exception {
+    Configuration conf = new HdfsConfiguration();
+    conf.set("dfs.client.block.write.replace-datanode-on-failure.enable",
+        "false");
+    MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).numDataNodes(3)
+        .build();
+    DistributedFileSystem fs = null;
+    try {
+      fs = cluster.getFileSystem();
+      Path path = new Path("/test");
+      FSDataOutputStream out = fs.create(path);
+      out.writeBytes("hello\n");
+      out.close();
+
+      // stop one datanode
+      DataNodeProperties dnProp = cluster.stopDataNode(0);
+      String dnAddress = dnProp.datanode.getXferAddress().toString();
+      if (dnAddress.startsWith("/")) {
+        dnAddress = dnAddress.substring(1);
+      }
+
+      // append again to bump genstamps
+      for (int i = 0; i < 2; i++) {
+        out = fs.append(path);
+        out.writeBytes("helloagain\n");
+        out.close();
+      }
+
+      // re-open and make the block state as underconstruction
+      out = fs.append(path);
+      cluster.restartDataNode(dnProp, true);
+      // wait till the block report comes
+      Thread.sleep(2000);
+      // check the block locations, this should not contain restarted datanode
+      BlockLocation[] locations = fs.getFileBlockLocations(path, 0,
+          Long.MAX_VALUE);
+      String[] names = locations[0].getNames();
+      for (String node : names) {
+        if (node.equals(dnAddress)) {
+          fail("Failed append should not be present in latest block locations.");
+        }
+      }
+      out.close();
+    } finally {
+      IOUtils.closeStream(fs);
+      cluster.shutdown();
+    }
+  }
+
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestRetryCacheWithHA.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestRetryCacheWithHA.java
index 77f7090e8f1..daa3aaa4c3e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestRetryCacheWithHA.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestRetryCacheWithHA.java
@@ -50,6 +50,7 @@
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.DFSClient;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.DFSOutputStream;
 import org.apache.hadoop.hdfs.DFSTestUtil;
 import org.apache.hadoop.hdfs.DistributedFileSystem;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
@@ -725,7 +726,12 @@ void invoke() throws Exception {
       
       client.getNamenode().updatePipeline(client.getClientName(), oldBlock,
           newBlock, newNodes, storageIDs);
-      out.close();
+      // close can fail if the out.close() commit the block after block received
+      // notifications from Datanode.
+      // Since datanodes and output stream have still old genstamps, these
+      // blocks will be marked as corrupt after HDFS-5723 if RECEIVED
+      // notifications reaches namenode first and close() will fail.
+      DFSTestUtil.abortStream((DFSOutputStream) out.getWrappedStream());
     }
 
     @Override

From 33518e561368c372bf9254b6b55a9b0c499fbd4d Mon Sep 17 00:00:00 2001
From: Vinayakumar B <vinayakumarb@apache.org>
Date: Mon, 4 Aug 2014 08:43:51 +0000
Subject: [PATCH 115/354] HDFS-5185. DN fails to startup if one of the data dir
 is full. Contributed by Vinayakumar B.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615504 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  2 ++
 .../hdfs/server/datanode/BlockReceiver.java   |  8 +++---
 .../hadoop/hdfs/server/datanode/DataNode.java | 28 ++++++++++++++-----
 .../fsdataset/impl/FsDatasetImpl.java         |  2 +-
 .../hdfs/server/datanode/TestDiskError.java   |  4 +--
 5 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 101a5dd8d2c..9514f326a6f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -433,6 +433,8 @@ Release 2.6.0 - UNRELEASED
     HDFS-5723. Append failed FINALIZED replica should not be accepted as valid
     when that block is underconstruction (vinayakumarb)
 
+    HDFS-5185. DN fails to startup if one of the data dir is full. (vinayakumarb)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
index 2f3909ba564..fb7ecd69e9a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
@@ -253,7 +253,7 @@ class BlockReceiver implements Closeable {
       
       if (cause != null) { // possible disk error
         ioe = cause;
-        datanode.checkDiskError();
+        datanode.checkDiskErrorAsync();
       }
       
       throw ioe;
@@ -329,7 +329,7 @@ public void close() throws IOException {
     }
     // disk check
     if(ioe != null) {
-      datanode.checkDiskError();
+      datanode.checkDiskErrorAsync();
       throw ioe;
     }
   }
@@ -639,7 +639,7 @@ private int receivePacket() throws IOException {
           manageWriterOsCache(offsetInBlock);
         }
       } catch (IOException iex) {
-        datanode.checkDiskError();
+        datanode.checkDiskErrorAsync();
         throw iex;
       }
     }
@@ -1208,7 +1208,7 @@ public void run() {
         } catch (IOException e) {
           LOG.warn("IOException in BlockReceiver.run(): ", e);
           if (running) {
-            datanode.checkDiskError();
+            datanode.checkDiskErrorAsync();
             LOG.info(myString, e);
             running = false;
             if (!Thread.interrupted()) { // failure not caused by interruption
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
index b55abed7e46..a3ace9b5125 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
@@ -1075,6 +1075,11 @@ void initBlockPool(BPOfferService bpos) throws IOException {
     // In the case that this is the first block pool to connect, initialize
     // the dataset, block scanners, etc.
     initStorage(nsInfo);
+
+    // Exclude failed disks before initializing the block pools to avoid startup
+    // failures.
+    checkDiskError();
+
     initPeriodicScanners(conf);
     
     data.addBlockPool(nsInfo.getBlockPoolID(), conf);
@@ -1510,9 +1515,9 @@ public void shutdown() {
   
   
   /**
-   *  Check if there is a disk failure and if so, handle the error
+   * Check if there is a disk failure asynchronously and if so, handle the error
    */
-  public void checkDiskError() {
+  public void checkDiskErrorAsync() {
     synchronized(checkDiskErrorMutex) {
       checkDiskErrorFlag = true;
       if(checkDiskErrorThread == null) {
@@ -1821,7 +1826,7 @@ public void run() {
         LOG.warn(bpReg + ":Failed to transfer " + b + " to " +
             targets[0] + " got ", ie);
         // check if there are any disk problem
-        checkDiskError();
+        checkDiskErrorAsync();
       } finally {
         xmitsInProgress.getAndDecrement();
         IOUtils.closeStream(blockSender);
@@ -2759,7 +2764,18 @@ DataStorage getStorage() {
   public ShortCircuitRegistry getShortCircuitRegistry() {
     return shortCircuitRegistry;
   }
-  
+
+  /**
+   * Check the disk error
+   */
+  private void checkDiskError() {
+    try {
+      data.checkDataDir();
+    } catch (DiskErrorException de) {
+      handleDiskError(de.getMessage());
+    }
+  }
+
   /**
    * Starts a new thread which will check for disk error check request 
    * every 5 sec
@@ -2776,9 +2792,7 @@ public void run() {
               }
               if(tempFlag) {
                 try {
-                  data.checkDataDir();
-                } catch (DiskErrorException de) {
-                  handleDiskError(de.getMessage());
+                  checkDiskError();
                 } catch (Exception e) {
                   LOG.warn("Unexpected exception occurred while checking disk error  " + e);
                   checkDiskErrorThread = null;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
index b133f60534a..a43ef849202 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
@@ -1151,7 +1151,7 @@ File validateBlockFile(String bpid, Block b) {
         return f;
    
       // if file is not null, but doesn't exist - possibly disk failed
-      datanode.checkDiskError();
+      datanode.checkDiskErrorAsync();
     }
     
     if (LOG.isDebugEnabled()) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDiskError.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDiskError.java
index 798b7b7c705..4b5b6e1ec4f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDiskError.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDiskError.java
@@ -201,7 +201,7 @@ public void testLocalDirs() throws Exception {
   }
   
   /**
-   * Checks whether {@link DataNode#checkDiskError()} is being called or not.
+   * Checks whether {@link DataNode#checkDiskErrorAsync()} is being called or not.
    * Before refactoring the code the above function was not getting called 
    * @throws IOException, InterruptedException
    */
@@ -214,7 +214,7 @@ public void testcheckDiskError() throws IOException, InterruptedException {
     DataNode dataNode = cluster.getDataNodes().get(0);
     long slackTime = dataNode.checkDiskErrorInterval/2;
     //checking for disk error
-    dataNode.checkDiskError();
+    dataNode.checkDiskErrorAsync();
     Thread.sleep(dataNode.checkDiskErrorInterval);
     long lastDiskErrorCheck = dataNode.getLastDiskErrorCheck();
     assertTrue("Disk Error check is not performed within  " + dataNode.checkDiskErrorInterval +  "  ms", ((Time.monotonicNow()-lastDiskErrorCheck) < (dataNode.checkDiskErrorInterval + slackTime)));

From 10db613389718d8df519493b958ecd97fca8686d Mon Sep 17 00:00:00 2001
From: Uma Maheswara Rao G <umamahesh@apache.org>
Date: Mon, 4 Aug 2014 09:56:57 +0000
Subject: [PATCH 116/354] HADOOP-10886. CryptoCodec#getCodecclasses throws NPE
 when configurations not loaded. Contributed by Uma Maheswara Rao G.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1615523 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |  3 +++
 .../org/apache/hadoop/crypto/CryptoCodec.java | 26 ++++++++++++++-----
 .../crypto/TestCryptoStreamsForLocalFS.java   |  6 +++++
 .../org/apache/hadoop/hdfs/DFSClient.java     | 13 +++++++---
 .../hdfs/TestDistributedFileSystem.java       |  1 -
 5 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 3ce7695ddfe..498307e6bc7 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -51,3 +51,6 @@ fs-encryption (Unreleased)
   BUG FIXES
 
     HADOOP-10871. incorrect prototype in OpensslSecureRandom.c (cmccabe)
+
+    HADOOP-10886. CryptoCodec#getCodecclasses throws NPE when configurations not 
+    loaded. (umamahesh)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
index f484083b592..9de7f95200f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
@@ -45,14 +45,21 @@ public abstract class CryptoCodec implements Configurable {
   
   /**
    * Get crypto codec for specified algorithm/mode/padding.
-   * @param conf the configuration
-   * @param CipherSuite algorithm/mode/padding
-   * @return CryptoCodec the codec object
+   * 
+   * @param conf
+   *          the configuration
+   * @param CipherSuite
+   *          algorithm/mode/padding
+   * @return CryptoCodec the codec object. Null value will be returned if no
+   *         crypto codec classes with cipher suite configured.
    */
   public static CryptoCodec getInstance(Configuration conf, 
       CipherSuite cipherSuite) {
     List<Class<? extends CryptoCodec>> klasses = getCodecClasses(
         conf, cipherSuite);
+    if (klasses == null) {
+      return null;
+    }
     CryptoCodec codec = null;
     for (Class<? extends CryptoCodec> klass : klasses) {
       try {
@@ -80,10 +87,13 @@ public static CryptoCodec getInstance(Configuration conf,
   }
   
   /**
-   * Get crypto codec for algorithm/mode/padding in config value 
+   * Get crypto codec for algorithm/mode/padding in config value
    * hadoop.security.crypto.cipher.suite
-   * @param conf the configuration
-   * @return CryptoCodec the codec object
+   * 
+   * @param conf
+   *          the configuration
+   * @return CryptoCodec the codec object Null value will be returned if no
+   *         crypto codec classes with cipher suite configured.
    */
   public static CryptoCodec getInstance(Configuration conf) {
     String name = conf.get(HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY, 
@@ -97,6 +107,10 @@ private static List<Class<? extends CryptoCodec>> getCodecClasses(
     String configName = HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX + 
         cipherSuite.getConfigSuffix();
     String codecString = conf.get(configName);
+    if (codecString == null) {
+      LOG.warn("No crypto codec classes with cipher suite configured.");
+      return null;
+    }
     for (String c : Splitter.on(',').trimResults().omitEmptyStrings().
         split(codecString)) {
       try {
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsForLocalFS.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsForLocalFS.java
index 286fb6a3d29..765a364faa6 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsForLocalFS.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestCryptoStreamsForLocalFS.java
@@ -25,6 +25,7 @@
 import java.io.OutputStream;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.FileUtil;
 import org.apache.hadoop.fs.LocalFileSystem;
@@ -50,6 +51,11 @@ public static void init() throws Exception {
     conf = new Configuration(false);
     conf.set("fs.file.impl", LocalFileSystem.class.getName());
     fileSys = FileSystem.getLocal(conf);
+    conf.set(
+        CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
+            + CipherSuite.AES_CTR_NOPADDING.getConfigSuffix(),
+        OpensslAesCtrCryptoCodec.class.getName() + ","
+            + JceAesCtrCryptoCodec.class.getName());
     codec = CryptoCodec.getInstance(conf);
   }
   
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index 04acb037665..d3532607c84 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -598,7 +598,9 @@ public DFSClient(URI nameNodeUri, ClientProtocol rpcNamenode,
         DFSUtil.getRandom().nextInt()  + "_" + Thread.currentThread().getId();
     this.codec = CryptoCodec.getInstance(conf);
     this.cipherSuites = Lists.newArrayListWithCapacity(1);
-    cipherSuites.add(codec.getCipherSuite());
+    if (codec != null) {
+      cipherSuites.add(codec.getCipherSuite());
+    }
     provider = DFSUtil.createKeyProviderCryptoExtension(conf);
     if (provider == null) {
       LOG.info("No KeyProvider found.");
@@ -1333,9 +1335,12 @@ public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
     if (feInfo != null) {
       // File is encrypted, wrap the stream in a crypto stream.
       KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
+      CryptoCodec codec = CryptoCodec
+          .getInstance(conf, feInfo.getCipherSuite());
+      Preconditions.checkNotNull(codec == null,
+          "No crypto codec classes with cipher suite configured.");
       final CryptoInputStream cryptoIn =
-          new CryptoInputStream(dfsis, CryptoCodec.getInstance(conf, 
-              feInfo.getCipherSuite()), decrypted.getMaterial(),
+          new CryptoInputStream(dfsis, codec, decrypted.getMaterial(),
               feInfo.getIV());
       return new HdfsDataInputStream(cryptoIn);
     } else {
@@ -1361,6 +1366,8 @@ public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
       FileSystem.Statistics statistics, long startPos) throws IOException {
     final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
     if (feInfo != null) {
+      Preconditions.checkNotNull(codec == null,
+          "No crypto codec classes with cipher suite configured.");
       // File is encrypted, wrap the stream in a crypto stream.
       KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
       final CryptoOutputStream cryptoOut =
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java
index 0982ee23884..b71cc32fb80 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java
@@ -38,7 +38,6 @@
 import java.util.EnumSet;
 import java.util.List;
 import java.util.Random;
-import java.util.concurrent.CancellationException;
 
 import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.logging.impl.Log4JLogger;

From 6e421f78b3c880ded0b9c2c87d6bf36f70bc3ed2 Mon Sep 17 00:00:00 2001
From: Uma Maheswara Rao G <umamahesh@apache.org>
Date: Mon, 4 Aug 2014 10:04:33 +0000
Subject: [PATCH 117/354] HDFS-6814. Mistakenly
 dfs.namenode.list.encryption.zones.num.responses configured as boolean.
 Contributed by Uma Maheswara Rao G.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1615525 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt      | 3 +++
 .../hadoop-hdfs/src/main/resources/hdfs-default.xml            | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index f8289ac66cb..b88b619247d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -85,3 +85,6 @@ fs-encryption (Unreleased)
     to a non-directory file. (clamb)
 
     HDFS-6807. Fix TestReservedRawPaths. (clamb)
+
+    HDFS-6814. Mistakenly dfs.namenode.list.encryption.zones.num.responses configured
+    as boolean. (umamahesh)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
index 961c214c855..3606180de32 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
@@ -2054,7 +2054,7 @@
 
 <property>
   <name>dfs.namenode.list.encryption.zones.num.responses</name>
-  <value>false</value>
+  <value>100</value>
   <description>When listing encryption zones, the maximum number of zones
     that will be returned in a batch. Fetching the list incrementally in
     batches improves namenode performance.

From b8f151231ba37247b9daa23ecce1211fdca0e49f Mon Sep 17 00:00:00 2001
From: Junping Du <junping_du@apache.org>
Date: Mon, 4 Aug 2014 13:25:37 +0000
Subject: [PATCH 118/354] YARN-1354. Recover applications upon nodemanager
 restart. (Contributed by Jason Lowe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615550 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../ContainerManagerImpl.java                 |  98 +++++-
 .../application/ApplicationImpl.java          |   6 +
 .../recovery/NMLeveldbStateStoreService.java  |  92 +++++
 .../recovery/NMNullStateStoreService.java     |  20 ++
 .../recovery/NMStateStoreService.java         |  27 ++
 .../yarn_server_nodemanager_recovery.proto    |   7 +
 .../nodemanager/TestNodeStatusUpdater.java    |   4 +-
 .../TestContainerManagerRecovery.java         | 323 ++++++++++++++++++
 .../container/TestContainer.java              |   3 +
 .../recovery/NMMemoryStateStoreService.java   |  76 +++--
 .../TestNMLeveldbStateStoreService.java       |  51 +++
 .../ResourceTrackerService.java               |   4 +-
 .../resourcemanager/rmapp/RMAppImpl.java      |   3 +
 .../resourcemanager/rmnode/RMNodeImpl.java    |  46 +--
 .../rmnode/RMNodeReconnectEvent.java          |  12 +-
 .../TestApplicationCleanup.java               |  29 ++
 .../TestRMNodeTransitions.java                |   5 +-
 18 files changed, 761 insertions(+), 48 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestContainerManagerRecovery.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 38414574764..eed76f7581f 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -35,6 +35,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2181. Added preemption info to logs and RM web UI. (Wangda Tan via
     jianhe)
 
+    YARN-1354. Recover applications upon nodemanager restart. (Jason Lowe via 
+    junping_du)
+
   IMPROVEMENTS
 
     YARN-2242. Improve exception information on AM launch crashes. (Li Lu 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
index 7922fe2ce06..aee4e9a78a0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
@@ -20,6 +20,7 @@
 
 import static org.apache.hadoop.service.Service.STATE.STARTED;
 
+import java.io.DataInputStream;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.URISyntaxException;
@@ -42,6 +43,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.io.DataInputByteBuffer;
+import org.apache.hadoop.io.DataOutputBuffer;
 import org.apache.hadoop.ipc.Server;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.Credentials;
@@ -63,6 +65,7 @@
 import org.apache.hadoop.yarn.api.protocolrecords.StartContainersResponse;
 import org.apache.hadoop.yarn.api.protocolrecords.StopContainersRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.StopContainersResponse;
+import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerExitStatus;
 import org.apache.hadoop.yarn.api.records.ContainerId;
@@ -71,6 +74,8 @@
 import org.apache.hadoop.yarn.api.records.ContainerStatus;
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.api.records.SerializedException;
+import org.apache.hadoop.yarn.api.records.impl.pb.ApplicationIdPBImpl;
+import org.apache.hadoop.yarn.api.records.impl.pb.ProtoUtils;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.event.AsyncDispatcher;
 import org.apache.hadoop.yarn.event.EventHandler;
@@ -81,6 +86,8 @@
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.ipc.RPCUtil;
 import org.apache.hadoop.yarn.ipc.YarnRPC;
+import org.apache.hadoop.yarn.proto.YarnProtos.ApplicationACLMapProto;
+import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.ContainerManagerApplicationProto;
 import org.apache.hadoop.yarn.security.ContainerTokenIdentifier;
 import org.apache.hadoop.yarn.security.NMTokenIdentifier;
 import org.apache.hadoop.yarn.server.nodemanager.CMgrCompletedAppsEvent;
@@ -119,11 +126,13 @@
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.monitor.ContainersMonitorImpl;
 import org.apache.hadoop.yarn.server.nodemanager.metrics.NodeManagerMetrics;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredApplicationsState;
 import org.apache.hadoop.yarn.server.nodemanager.security.authorize.NMPolicyProvider;
 import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.protobuf.ByteString;
 
 public class ContainerManagerImpl extends CompositeService implements
     ServiceStateChangeListener, ContainerManagementProtocol,
@@ -224,14 +233,49 @@ public void serviceInit(Configuration conf) throws Exception {
     recover();
   }
 
+  @SuppressWarnings("unchecked")
   private void recover() throws IOException, URISyntaxException {
     NMStateStoreService stateStore = context.getNMStateStore();
     if (stateStore.canRecover()) {
       rsrcLocalizationSrvc.recoverLocalizedResources(
           stateStore.loadLocalizationState());
+
+      RecoveredApplicationsState appsState = stateStore.loadApplicationsState();
+      for (ContainerManagerApplicationProto proto :
+           appsState.getApplications()) {
+        recoverApplication(proto);
+      }
+
+      String diagnostic = "Application marked finished during recovery";
+      for (ApplicationId appId : appsState.getFinishedApplications()) {
+        dispatcher.getEventHandler().handle(
+            new ApplicationFinishEvent(appId, diagnostic));
+      }
     }
   }
 
+  private void recoverApplication(ContainerManagerApplicationProto p)
+      throws IOException {
+    ApplicationId appId = new ApplicationIdPBImpl(p.getId());
+    Credentials creds = new Credentials();
+    creds.readTokenStorageStream(
+        new DataInputStream(p.getCredentials().newInput()));
+
+    List<ApplicationACLMapProto> aclProtoList = p.getAclsList();
+    Map<ApplicationAccessType, String> acls =
+        new HashMap<ApplicationAccessType, String>(aclProtoList.size());
+    for (ApplicationACLMapProto aclProto : aclProtoList) {
+      acls.put(ProtoUtils.convertFromProtoFormat(aclProto.getAccessType()),
+          aclProto.getAcl());
+    }
+
+    LOG.info("Recovering application " + appId);
+    ApplicationImpl app = new ApplicationImpl(dispatcher, p.getUser(), appId,
+        creds, context);
+    context.getApplications().put(appId, app);
+    app.handle(new ApplicationInitEvent(appId, acls));
+  }
+
   protected LogHandler createLogHandler(Configuration conf, Context context,
       DeletionService deletionService) {
     if (conf.getBoolean(YarnConfiguration.LOG_AGGREGATION_ENABLED,
@@ -358,6 +402,12 @@ public void cleanUpApplicationsOnNMShutDown() {
     }
     LOG.info("Applications still running : " + applications.keySet());
 
+    if (this.context.getNMStateStore().canRecover()
+        && !this.context.getDecommissioned()) {
+      // do not cleanup apps as they can be recovered on restart
+      return;
+    }
+
     List<ApplicationId> appIds =
         new ArrayList<ApplicationId>(applications.keySet());
     this.handle(
@@ -567,6 +617,41 @@ protected void authorizeStartRequest(NMTokenIdentifier nmTokenIdentifier,
       succeededContainers, failedContainers);
   }
 
+  private ContainerManagerApplicationProto buildAppProto(ApplicationId appId,
+      String user, Credentials credentials,
+      Map<ApplicationAccessType, String> appAcls) {
+
+    ContainerManagerApplicationProto.Builder builder =
+        ContainerManagerApplicationProto.newBuilder();
+    builder.setId(((ApplicationIdPBImpl) appId).getProto());
+    builder.setUser(user);
+
+    builder.clearCredentials();
+    if (credentials != null) {
+      DataOutputBuffer dob = new DataOutputBuffer();
+      try {
+        credentials.writeTokenStorageToStream(dob);
+        builder.setCredentials(ByteString.copyFrom(dob.getData()));
+      } catch (IOException e) {
+        // should not occur
+        LOG.error("Cannot serialize credentials", e);
+      }
+    }
+
+    builder.clearAcls();
+    if (appAcls != null) {
+      for (Map.Entry<ApplicationAccessType, String> acl : appAcls.entrySet()) {
+        ApplicationACLMapProto p = ApplicationACLMapProto.newBuilder()
+            .setAccessType(ProtoUtils.convertToProtoFormat(acl.getKey()))
+            .setAcl(acl.getValue())
+            .build();
+        builder.addAcls(p);
+      }
+    }
+
+    return builder.build();
+  }
+
   @SuppressWarnings("unchecked")
   private void startContainerInternal(NMTokenIdentifier nmTokenIdentifier,
       ContainerTokenIdentifier containerTokenIdentifier,
@@ -640,10 +725,12 @@ private void startContainerInternal(NMTokenIdentifier nmTokenIdentifier,
         if (null == context.getApplications().putIfAbsent(applicationID,
           application)) {
           LOG.info("Creating a new application reference for app " + applicationID);
-
+          Map<ApplicationAccessType, String> appAcls =
+              container.getLaunchContext().getApplicationACLs();
+          context.getNMStateStore().storeApplication(applicationID,
+              buildAppProto(applicationID, user, credentials, appAcls));
           dispatcher.getEventHandler().handle(
-            new ApplicationInitEvent(applicationID, container.getLaunchContext()
-              .getApplicationACLs()));
+            new ApplicationInitEvent(applicationID, appAcls));
         }
 
         dispatcher.getEventHandler().handle(
@@ -894,6 +981,11 @@ public void handle(ContainerManagerEvent event) {
         } else if (appsFinishedEvent.getReason() == CMgrCompletedAppsEvent.Reason.BY_RESOURCEMANAGER) {
           diagnostic = "Application killed by ResourceManager";
         }
+        try {
+          this.context.getNMStateStore().storeFinishedApplication(appID);
+        } catch (IOException e) {
+          LOG.error("Unable to update application state in store", e);
+        }
         this.dispatcher.getEventHandler().handle(
             new ApplicationFinishEvent(appID,
                 diagnostic));
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/application/ApplicationImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/application/ApplicationImpl.java
index a206591d80a..cc5544cc47a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/application/ApplicationImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/application/ApplicationImpl.java
@@ -18,6 +18,7 @@
 
 package org.apache.hadoop.yarn.server.nodemanager.containermanager.application;
 
+import java.io.IOException;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.Map;
@@ -428,6 +429,11 @@ public void transition(ApplicationImpl app, ApplicationEvent event) {
       ApplicationId appId = event.getApplicationID();
       app.context.getApplications().remove(appId);
       app.aclsManager.removeApplication(appId);
+      try {
+        app.context.getNMStateStore().removeApplication(appId);
+      } catch (IOException e) {
+        LOG.error("Unable to remove application from state store", e);
+      }
     }
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java
index cc7656c0826..c3fc272d7f5 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java
@@ -42,6 +42,7 @@
 import org.apache.hadoop.yarn.proto.YarnProtos.LocalResourceProto;
 import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.MasterKeyProto;
 import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.VersionProto;
+import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.ContainerManagerApplicationProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.DeletionServiceDeleteTaskProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.LocalizedResourceProto;
 import org.apache.hadoop.yarn.server.api.records.MasterKey;
@@ -74,6 +75,11 @@ public class NMLeveldbStateStoreService extends NMStateStoreService {
   private static final String DELETION_TASK_KEY_PREFIX =
       "DeletionService/deltask_";
 
+  private static final String APPLICATIONS_KEY_PREFIX =
+      "ContainerManager/applications/";
+  private static final String FINISHED_APPS_KEY_PREFIX =
+      "ContainerManager/finishedApps/";
+
   private static final String LOCALIZATION_KEY_PREFIX = "Localization/";
   private static final String LOCALIZATION_PUBLIC_KEY_PREFIX =
       LOCALIZATION_KEY_PREFIX + "public/";
@@ -116,6 +122,92 @@ protected void closeStorage() throws IOException {
   }
 
 
+  @Override
+  public RecoveredApplicationsState loadApplicationsState()
+      throws IOException {
+    RecoveredApplicationsState state = new RecoveredApplicationsState();
+    state.applications = new ArrayList<ContainerManagerApplicationProto>();
+    String keyPrefix = APPLICATIONS_KEY_PREFIX;
+    LeveldbIterator iter = null;
+    try {
+      iter = new LeveldbIterator(db);
+      iter.seek(bytes(keyPrefix));
+      while (iter.hasNext()) {
+        Entry<byte[], byte[]> entry = iter.next();
+        String key = asString(entry.getKey());
+        if (!key.startsWith(keyPrefix)) {
+          break;
+        }
+        state.applications.add(
+            ContainerManagerApplicationProto.parseFrom(entry.getValue()));
+      }
+
+      state.finishedApplications = new ArrayList<ApplicationId>();
+      keyPrefix = FINISHED_APPS_KEY_PREFIX;
+      iter.seek(bytes(keyPrefix));
+      while (iter.hasNext()) {
+        Entry<byte[], byte[]> entry = iter.next();
+        String key = asString(entry.getKey());
+        if (!key.startsWith(keyPrefix)) {
+          break;
+        }
+        ApplicationId appId =
+            ConverterUtils.toApplicationId(key.substring(keyPrefix.length()));
+        state.finishedApplications.add(appId);
+      }
+    } catch (DBException e) {
+      throw new IOException(e);
+    } finally {
+      if (iter != null) {
+        iter.close();
+      }
+    }
+
+    return state;
+  }
+
+  @Override
+  public void storeApplication(ApplicationId appId,
+      ContainerManagerApplicationProto p) throws IOException {
+    String key = APPLICATIONS_KEY_PREFIX + appId;
+    try {
+      db.put(bytes(key), p.toByteArray());
+    } catch (DBException e) {
+      throw new IOException(e);
+    }
+  }
+
+  @Override
+  public void storeFinishedApplication(ApplicationId appId)
+      throws IOException {
+    String key = FINISHED_APPS_KEY_PREFIX + appId;
+    try {
+      db.put(bytes(key), new byte[0]);
+    } catch (DBException e) {
+      throw new IOException(e);
+    }
+  }
+
+  @Override
+  public void removeApplication(ApplicationId appId)
+      throws IOException {
+    try {
+      WriteBatch batch = db.createWriteBatch();
+      try {
+        String key = APPLICATIONS_KEY_PREFIX + appId;
+        batch.delete(bytes(key));
+        key = FINISHED_APPS_KEY_PREFIX + appId;
+        batch.delete(bytes(key));
+        db.write(batch);
+      } finally {
+        batch.close();
+      }
+    } catch (DBException e) {
+      throw new IOException(e);
+    }
+  }
+
+
   @Override
   public RecoveredLocalizationState loadLocalizationState()
       throws IOException {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMNullStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMNullStateStoreService.java
index 89205b1f637..3bb1e2189fc 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMNullStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMNullStateStoreService.java
@@ -26,6 +26,7 @@
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.proto.YarnProtos.LocalResourceProto;
+import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.ContainerManagerApplicationProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.DeletionServiceDeleteTaskProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.LocalizedResourceProto;
 import org.apache.hadoop.yarn.server.api.records.MasterKey;
@@ -42,6 +43,25 @@ public boolean canRecover() {
     return false;
   }
 
+  @Override
+  public RecoveredApplicationsState loadApplicationsState() throws IOException {
+    throw new UnsupportedOperationException(
+        "Recovery not supported by this state store");
+  }
+
+  @Override
+  public void storeApplication(ApplicationId appId,
+      ContainerManagerApplicationProto p) throws IOException {
+  }
+
+  @Override
+  public void storeFinishedApplication(ApplicationId appId) {
+  }
+
+  @Override
+  public void removeApplication(ApplicationId appId) throws IOException {
+  }
+
   @Override
   public RecoveredLocalizationState loadLocalizationState()
       throws IOException {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMStateStoreService.java
index 87c438b59bd..f0988e36172 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMStateStoreService.java
@@ -33,6 +33,7 @@
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.proto.YarnProtos.LocalResourceProto;
+import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.ContainerManagerApplicationProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.DeletionServiceDeleteTaskProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.LocalizedResourceProto;
 import org.apache.hadoop.yarn.server.api.records.MasterKey;
@@ -45,6 +46,19 @@ public NMStateStoreService(String name) {
     super(name);
   }
 
+  public static class RecoveredApplicationsState {
+    List<ContainerManagerApplicationProto> applications;
+    List<ApplicationId> finishedApplications;
+
+    public List<ContainerManagerApplicationProto> getApplications() {
+      return applications;
+    }
+
+    public List<ApplicationId> getFinishedApplications() {
+      return finishedApplications;
+    }
+  }
+
   public static class LocalResourceTrackerState {
     List<LocalizedResourceProto> localizedResources =
         new ArrayList<LocalizedResourceProto>();
@@ -162,6 +176,19 @@ public boolean canRecover() {
   }
 
 
+  public abstract RecoveredApplicationsState loadApplicationsState()
+      throws IOException;
+
+  public abstract void storeApplication(ApplicationId appId,
+      ContainerManagerApplicationProto p) throws IOException;
+
+  public abstract void storeFinishedApplication(ApplicationId appId)
+      throws IOException;
+
+  public abstract void removeApplication(ApplicationId appId)
+      throws IOException;
+
+
   /**
    * Load the state of localized resources
    * @return recovered localized resource state
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/proto/yarn_server_nodemanager_recovery.proto b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/proto/yarn_server_nodemanager_recovery.proto
index 460c4932342..e6f39f6c5f8 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/proto/yarn_server_nodemanager_recovery.proto
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/proto/yarn_server_nodemanager_recovery.proto
@@ -24,6 +24,13 @@ package hadoop.yarn;
 
 import "yarn_protos.proto";
 
+message ContainerManagerApplicationProto {
+  optional ApplicationIdProto id = 1;
+  optional string user = 2;
+  optional bytes credentials = 3;
+  repeated ApplicationACLMapProto acls = 4;
+}
+
 message DeletionServiceDeleteTaskProto {
   optional int32 id = 1;
   optional string user = 2;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeStatusUpdater.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeStatusUpdater.java
index 772bc05cb9f..fecc837cfab 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeStatusUpdater.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeStatusUpdater.java
@@ -82,6 +82,8 @@
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerImpl;
 import org.apache.hadoop.yarn.server.nodemanager.metrics.NodeManagerMetrics;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMNullStateStoreService;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService;
 import org.apache.hadoop.yarn.server.nodemanager.security.NMContainerTokenSecretManager;
 import org.apache.hadoop.yarn.server.nodemanager.security.NMTokenSecretManagerInNM;
 import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
@@ -91,8 +93,6 @@
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
-import org.apache.hadoop.yarn.server.nodemanager.recovery.NMNullStateStoreService;
-import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService;
 
 @SuppressWarnings("rawtypes")
 public class TestNodeStatusUpdater {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestContainerManagerRecovery.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestContainerManagerRecovery.java
new file mode 100644
index 00000000000..00eb2fe288b
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestContainerManagerRecovery.java
@@ -0,0 +1,323 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.nodemanager.containermanager;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+
+import java.nio.ByteBuffer;
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.io.DataOutputBuffer;
+import org.apache.hadoop.security.Credentials;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
+import org.apache.hadoop.yarn.api.protocolrecords.StartContainersRequest;
+import org.apache.hadoop.yarn.api.protocolrecords.StartContainersResponse;
+import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
+import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
+import org.apache.hadoop.yarn.api.records.ApplicationId;
+import org.apache.hadoop.yarn.api.records.ContainerId;
+import org.apache.hadoop.yarn.api.records.ContainerLaunchContext;
+import org.apache.hadoop.yarn.api.records.LocalResource;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.security.NMTokenIdentifier;
+import org.apache.hadoop.yarn.server.api.records.MasterKey;
+import org.apache.hadoop.yarn.server.api.records.impl.pb.MasterKeyPBImpl;
+import org.apache.hadoop.yarn.server.nodemanager.CMgrCompletedAppsEvent;
+import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
+import org.apache.hadoop.yarn.server.nodemanager.Context;
+import org.apache.hadoop.yarn.server.nodemanager.DeletionService;
+import org.apache.hadoop.yarn.server.nodemanager.NodeManager.NMContext;
+import org.apache.hadoop.yarn.server.nodemanager.NodeStatusUpdater;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.application.Application;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.application.ApplicationEvent;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.application.ApplicationEventType;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.application.ApplicationState;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainersLauncher;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainersLauncherEvent;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.ResourceLocalizationService;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.event.LocalizationEvent;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.loghandler.LogHandler;
+import org.apache.hadoop.yarn.server.nodemanager.metrics.NodeManagerMetrics;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMMemoryStateStoreService;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService;
+import org.apache.hadoop.yarn.server.nodemanager.security.NMContainerTokenSecretManager;
+import org.apache.hadoop.yarn.server.nodemanager.security.NMTokenSecretManagerInNM;
+import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
+import org.junit.Test;
+
+public class TestContainerManagerRecovery {
+
+  private NodeManagerMetrics metrics = NodeManagerMetrics.create();
+
+  @Test
+  public void testApplicationRecovery() throws Exception {
+    YarnConfiguration conf = new YarnConfiguration();
+    conf.setBoolean(YarnConfiguration.NM_RECOVERY_ENABLED, true);
+    conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
+    conf.set(YarnConfiguration.YARN_ADMIN_ACL, "yarn_admin_user");
+    NMStateStoreService stateStore = new NMMemoryStateStoreService();
+    stateStore.init(conf);
+    stateStore.start();
+    Context context = new NMContext(new NMContainerTokenSecretManager(
+        conf), new NMTokenSecretManagerInNM(), null,
+        new ApplicationACLsManager(conf), stateStore);
+    ContainerManagerImpl cm = createContainerManager(context);
+    cm.init(conf);
+    cm.start();
+
+    // simulate registration with RM
+    MasterKey masterKey = new MasterKeyPBImpl();
+    masterKey.setKeyId(123);
+    masterKey.setBytes(ByteBuffer.wrap(new byte[] { new Integer(123)
+      .byteValue() }));
+    context.getContainerTokenSecretManager().setMasterKey(masterKey);
+    context.getNMTokenSecretManager().setMasterKey(masterKey);
+
+    // add an application by starting a container
+    String appUser = "app_user1";
+    String modUser = "modify_user1";
+    String viewUser = "view_user1";
+    String enemyUser = "enemy_user";
+    ApplicationId appId = ApplicationId.newInstance(0, 1);
+    ApplicationAttemptId attemptId =
+        ApplicationAttemptId.newInstance(appId, 1);
+    ContainerId cid = ContainerId.newInstance(attemptId, 1);
+    Map<String, LocalResource> localResources = Collections.emptyMap();
+    Map<String, String> containerEnv = Collections.emptyMap();
+    List<String> containerCmds = Collections.emptyList();
+    Map<String, ByteBuffer> serviceData = Collections.emptyMap();
+    Credentials containerCreds = new Credentials();
+    DataOutputBuffer dob = new DataOutputBuffer();
+    containerCreds.writeTokenStorageToStream(dob);
+    ByteBuffer containerTokens = ByteBuffer.wrap(dob.getData(), 0,
+        dob.getLength());
+    Map<ApplicationAccessType, String> acls =
+        new HashMap<ApplicationAccessType, String>();
+    acls.put(ApplicationAccessType.MODIFY_APP, modUser);
+    acls.put(ApplicationAccessType.VIEW_APP, viewUser);
+    ContainerLaunchContext clc = ContainerLaunchContext.newInstance(
+        localResources, containerEnv, containerCmds, serviceData,
+        containerTokens, acls);
+    StartContainersResponse startResponse = startContainer(context, cm, cid,
+        clc);
+    assertTrue(startResponse.getFailedRequests().isEmpty());
+    assertEquals(1, context.getApplications().size());
+    Application app = context.getApplications().get(appId);
+    assertNotNull(app);
+    waitForAppState(app, ApplicationState.INITING);
+    assertTrue(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(modUser),
+        ApplicationAccessType.MODIFY_APP, appUser, appId));
+    assertFalse(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(viewUser),
+        ApplicationAccessType.MODIFY_APP, appUser, appId));
+    assertTrue(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(viewUser),
+        ApplicationAccessType.VIEW_APP, appUser, appId));
+    assertFalse(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(enemyUser),
+        ApplicationAccessType.VIEW_APP, appUser, appId));
+
+    // reset container manager and verify app recovered with proper acls
+    cm.stop();
+    context = new NMContext(new NMContainerTokenSecretManager(
+        conf), new NMTokenSecretManagerInNM(), null,
+        new ApplicationACLsManager(conf), stateStore);
+    cm = createContainerManager(context);
+    cm.init(conf);
+    cm.start();
+    assertEquals(1, context.getApplications().size());
+    app = context.getApplications().get(appId);
+    assertNotNull(app);
+    waitForAppState(app, ApplicationState.INITING);
+    assertTrue(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(modUser),
+        ApplicationAccessType.MODIFY_APP, appUser, appId));
+    assertFalse(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(viewUser),
+        ApplicationAccessType.MODIFY_APP, appUser, appId));
+    assertTrue(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(viewUser),
+        ApplicationAccessType.VIEW_APP, appUser, appId));
+    assertFalse(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(enemyUser),
+        ApplicationAccessType.VIEW_APP, appUser, appId));
+
+    // simulate application completion
+    List<ApplicationId> finishedApps = new ArrayList<ApplicationId>();
+    finishedApps.add(appId);
+    cm.handle(new CMgrCompletedAppsEvent(finishedApps,
+        CMgrCompletedAppsEvent.Reason.BY_RESOURCEMANAGER));
+    waitForAppState(app, ApplicationState.APPLICATION_RESOURCES_CLEANINGUP);
+
+    // restart and verify app is marked for finishing
+    cm.stop();
+    context = new NMContext(new NMContainerTokenSecretManager(
+        conf), new NMTokenSecretManagerInNM(), null,
+        new ApplicationACLsManager(conf), stateStore);
+    cm = createContainerManager(context);
+    cm.init(conf);
+    cm.start();
+    assertEquals(1, context.getApplications().size());
+    app = context.getApplications().get(appId);
+    assertNotNull(app);
+    waitForAppState(app, ApplicationState.APPLICATION_RESOURCES_CLEANINGUP);
+    assertTrue(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(modUser),
+        ApplicationAccessType.MODIFY_APP, appUser, appId));
+    assertFalse(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(viewUser),
+        ApplicationAccessType.MODIFY_APP, appUser, appId));
+    assertTrue(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(viewUser),
+        ApplicationAccessType.VIEW_APP, appUser, appId));
+    assertFalse(context.getApplicationACLsManager().checkAccess(
+        UserGroupInformation.createRemoteUser(enemyUser),
+        ApplicationAccessType.VIEW_APP, appUser, appId));
+
+    // simulate log aggregation completion
+    app.handle(new ApplicationEvent(app.getAppId(),
+        ApplicationEventType.APPLICATION_RESOURCES_CLEANEDUP));
+    assertEquals(app.getApplicationState(), ApplicationState.FINISHED);
+    app.handle(new ApplicationEvent(app.getAppId(),
+        ApplicationEventType.APPLICATION_LOG_HANDLING_FINISHED));
+
+    // restart and verify app is no longer present after recovery
+    cm.stop();
+    context = new NMContext(new NMContainerTokenSecretManager(
+        conf), new NMTokenSecretManagerInNM(), null,
+        new ApplicationACLsManager(conf), stateStore);
+    cm = createContainerManager(context);
+    cm.init(conf);
+    cm.start();
+    assertTrue(context.getApplications().isEmpty());
+    cm.stop();
+  }
+
+  private StartContainersResponse startContainer(Context context,
+      final ContainerManagerImpl cm, ContainerId cid,
+      ContainerLaunchContext clc) throws Exception {
+    UserGroupInformation user = UserGroupInformation.createRemoteUser(
+        cid.getApplicationAttemptId().toString());
+    StartContainerRequest scReq = StartContainerRequest.newInstance(
+        clc, TestContainerManager.createContainerToken(cid, 0,
+            context.getNodeId(), user.getShortUserName(),
+            context.getContainerTokenSecretManager()));
+    final List<StartContainerRequest> scReqList =
+        new ArrayList<StartContainerRequest>();
+    scReqList.add(scReq);
+    NMTokenIdentifier nmToken = new NMTokenIdentifier(
+        cid.getApplicationAttemptId(), context.getNodeId(),
+        user.getShortUserName(),
+        context.getNMTokenSecretManager().getCurrentKey().getKeyId());
+    user.addTokenIdentifier(nmToken);
+    return user.doAs(new PrivilegedExceptionAction<StartContainersResponse>() {
+      @Override
+      public StartContainersResponse run() throws Exception {
+        return cm.startContainers(
+            StartContainersRequest.newInstance(scReqList));
+      }
+    });
+  }
+
+  private void waitForAppState(Application app, ApplicationState state)
+      throws Exception {
+    final int msecPerSleep = 10;
+    int msecLeft = 5000;
+    while (app.getApplicationState() != state && msecLeft > 0) {
+      Thread.sleep(msecPerSleep);
+      msecLeft -= msecPerSleep;
+    }
+    assertEquals(state, app.getApplicationState());
+  }
+
+  private ContainerManagerImpl createContainerManager(Context context) {
+    final LogHandler logHandler = mock(LogHandler.class);
+    final ResourceLocalizationService rsrcSrv =
+        new ResourceLocalizationService(null, null, null, null,
+            context.getNMStateStore()) {
+          @Override
+          public void serviceInit(Configuration conf) throws Exception {
+          }
+
+          @Override
+          public void serviceStart() throws Exception {
+            // do nothing
+          }
+
+          @Override
+          public void serviceStop() throws Exception {
+            // do nothing
+          }
+
+          @Override
+          public void handle(LocalizationEvent event) {
+            // do nothing
+          }
+    };
+
+    final ContainersLauncher launcher = new ContainersLauncher(context, null,
+        null, null, null) {
+          @Override
+          public void handle(ContainersLauncherEvent event) {
+            // do nothing
+          }
+    };
+
+    return new ContainerManagerImpl(context,
+        mock(ContainerExecutor.class), mock(DeletionService.class),
+        mock(NodeStatusUpdater.class), metrics,
+        context.getApplicationACLsManager(), null) {
+          @Override
+          protected LogHandler createLogHandler(Configuration conf,
+              Context context, DeletionService deletionService) {
+            return logHandler;
+          }
+
+          @Override
+          protected ResourceLocalizationService createResourceLocalizationService(
+              ContainerExecutor exec, DeletionService deletionContext) {
+            return rsrcSrv;
+          }
+
+          @Override
+          protected ContainersLauncher createContainersLauncher(
+              Context context, ContainerExecutor exec) {
+            return launcher;
+          }
+
+          @Override
+          public void setBlockNewContainerRequests(
+              boolean blockNewContainerRequests) {
+            // do nothing
+          }
+    };
+  }
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/TestContainer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/TestContainer.java
index c43471fa2ee..e0239928221 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/TestContainer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/TestContainer.java
@@ -88,6 +88,7 @@
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.monitor.ContainersMonitorEvent;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.monitor.ContainersMonitorEventType;
 import org.apache.hadoop.yarn.server.nodemanager.metrics.NodeManagerMetrics;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMNullStateStoreService;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
 import org.junit.Assert;
 import org.junit.Test;
@@ -722,6 +723,8 @@ private class WrappedContainer {
       Context context = mock(Context.class);
       when(context.getApplications()).thenReturn(
           new ConcurrentHashMap<ApplicationId, Application>());
+      NMNullStateStoreService stateStore = new NMNullStateStoreService();
+      when(context.getNMStateStore()).thenReturn(stateStore);
       ContainerExecutor executor = mock(ContainerExecutor.class);
       launcher =
           new ContainersLauncher(context, dispatcher, executor, null, null);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMMemoryStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMMemoryStateStoreService.java
index fef2b12221f..5b5e1ef5bb8 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMMemoryStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMMemoryStateStoreService.java
@@ -21,7 +21,9 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
@@ -29,12 +31,15 @@
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.proto.YarnProtos.LocalResourceProto;
+import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.ContainerManagerApplicationProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.DeletionServiceDeleteTaskProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.LocalizedResourceProto;
 import org.apache.hadoop.yarn.server.api.records.MasterKey;
 import org.apache.hadoop.yarn.server.api.records.impl.pb.MasterKeyPBImpl;
 
 public class NMMemoryStateStoreService extends NMStateStoreService {
+  private Map<ApplicationId, ContainerManagerApplicationProto> apps;
+  private Set<ApplicationId> finishedApps;
   private Map<TrackerKey, TrackerState> trackerStates;
   private Map<Integer, DeletionServiceDeleteTaskProto> deleteTasks;
   private RecoveredNMTokensState nmTokenState;
@@ -44,6 +49,58 @@ public NMMemoryStateStoreService() {
     super(NMMemoryStateStoreService.class.getName());
   }
 
+  @Override
+  protected void initStorage(Configuration conf) {
+    apps = new HashMap<ApplicationId, ContainerManagerApplicationProto>();
+    finishedApps = new HashSet<ApplicationId>();
+    nmTokenState = new RecoveredNMTokensState();
+    nmTokenState.applicationMasterKeys =
+        new HashMap<ApplicationAttemptId, MasterKey>();
+    containerTokenState = new RecoveredContainerTokensState();
+    containerTokenState.activeTokens = new HashMap<ContainerId, Long>();
+    trackerStates = new HashMap<TrackerKey, TrackerState>();
+    deleteTasks = new HashMap<Integer, DeletionServiceDeleteTaskProto>();
+  }
+
+  @Override
+  protected void startStorage() {
+  }
+
+  @Override
+  protected void closeStorage() {
+  }
+
+
+  @Override
+  public RecoveredApplicationsState loadApplicationsState()
+      throws IOException {
+    RecoveredApplicationsState state = new RecoveredApplicationsState();
+    state.applications = new ArrayList<ContainerManagerApplicationProto>(
+        apps.values());
+    state.finishedApplications = new ArrayList<ApplicationId>(finishedApps);
+    return state;
+  }
+
+  @Override
+  public void storeApplication(ApplicationId appId,
+      ContainerManagerApplicationProto proto) throws IOException {
+    ContainerManagerApplicationProto protoCopy =
+        ContainerManagerApplicationProto.parseFrom(proto.toByteString());
+    apps.put(appId, protoCopy);
+  }
+
+  @Override
+  public void storeFinishedApplication(ApplicationId appId) {
+    finishedApps.add(appId);
+  }
+
+  @Override
+  public void removeApplication(ApplicationId appId) throws IOException {
+    apps.remove(appId);
+    finishedApps.remove(appId);
+  }
+
+
   private LocalResourceTrackerState loadTrackerState(TrackerState ts) {
     LocalResourceTrackerState result = new LocalResourceTrackerState();
     result.localizedResources.addAll(ts.localizedResources.values());
@@ -117,25 +174,6 @@ public synchronized void removeLocalizedResource(String user,
     }
   }
 
-  @Override
-  protected void initStorage(Configuration conf) {
-    nmTokenState = new RecoveredNMTokensState();
-    nmTokenState.applicationMasterKeys =
-        new HashMap<ApplicationAttemptId, MasterKey>();
-    containerTokenState = new RecoveredContainerTokensState();
-    containerTokenState.activeTokens = new HashMap<ContainerId, Long>();
-    trackerStates = new HashMap<TrackerKey, TrackerState>();
-    deleteTasks = new HashMap<Integer, DeletionServiceDeleteTaskProto>();
-  }
-
-  @Override
-  protected void startStorage() {
-  }
-
-  @Override
-  protected void closeStorage() {
-  }
-
 
   @Override
   public RecoveredDeletionServiceState loadDeletionServiceState()
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java
index 294f424b0f8..84a69069a30 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java
@@ -37,13 +37,16 @@
 import org.apache.hadoop.yarn.api.records.LocalResource;
 import org.apache.hadoop.yarn.api.records.LocalResourceType;
 import org.apache.hadoop.yarn.api.records.LocalResourceVisibility;
+import org.apache.hadoop.yarn.api.records.impl.pb.ApplicationIdPBImpl;
 import org.apache.hadoop.yarn.api.records.impl.pb.LocalResourcePBImpl;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.proto.YarnProtos.LocalResourceProto;
+import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.ContainerManagerApplicationProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.DeletionServiceDeleteTaskProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.LocalizedResourceProto;
 import org.apache.hadoop.yarn.server.api.records.MasterKey;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.LocalResourceTrackerState;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredApplicationsState;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredContainerTokensState;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredDeletionServiceState;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredLocalizationState;
@@ -141,6 +144,54 @@ public void testCheckVersion() throws IOException {
     }
   }
 
+  @Test
+  public void testApplicationStorage() throws IOException {
+    // test empty when no state
+    RecoveredApplicationsState state = stateStore.loadApplicationsState();
+    assertTrue(state.getApplications().isEmpty());
+    assertTrue(state.getFinishedApplications().isEmpty());
+
+    // store an application and verify recovered
+    final ApplicationId appId1 = ApplicationId.newInstance(1234, 1);
+    ContainerManagerApplicationProto.Builder builder =
+        ContainerManagerApplicationProto.newBuilder();
+    builder.setId(((ApplicationIdPBImpl) appId1).getProto());
+    builder.setUser("user1");
+    ContainerManagerApplicationProto appProto1 = builder.build();
+    stateStore.storeApplication(appId1, appProto1);
+    restartStateStore();
+    state = stateStore.loadApplicationsState();
+    assertEquals(1, state.getApplications().size());
+    assertEquals(appProto1, state.getApplications().get(0));
+    assertTrue(state.getFinishedApplications().isEmpty());
+
+    // finish an application and add a new one
+    stateStore.storeFinishedApplication(appId1);
+    final ApplicationId appId2 = ApplicationId.newInstance(1234, 2);
+    builder = ContainerManagerApplicationProto.newBuilder();
+    builder.setId(((ApplicationIdPBImpl) appId2).getProto());
+    builder.setUser("user2");
+    ContainerManagerApplicationProto appProto2 = builder.build();
+    stateStore.storeApplication(appId2, appProto2);
+    restartStateStore();
+    state = stateStore.loadApplicationsState();
+    assertEquals(2, state.getApplications().size());
+    assertTrue(state.getApplications().contains(appProto1));
+    assertTrue(state.getApplications().contains(appProto2));
+    assertEquals(1, state.getFinishedApplications().size());
+    assertEquals(appId1, state.getFinishedApplications().get(0));
+
+    // test removing an application
+    stateStore.storeFinishedApplication(appId2);
+    stateStore.removeApplication(appId2);
+    restartStateStore();
+    state = stateStore.loadApplicationsState();
+    assertEquals(1, state.getApplications().size());
+    assertEquals(appProto1, state.getApplications().get(0));
+    assertEquals(1, state.getFinishedApplications().size());
+    assertEquals(appId1, state.getFinishedApplications().get(0));
+  }
+
   @Test
   public void testStartResourceLocalization() throws IOException {
     String user = "somebody";
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java
index 6eebb4d7bff..b532dd56309 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java
@@ -42,7 +42,6 @@
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.factories.RecordFactory;
 import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
-import org.apache.hadoop.yarn.ipc.RPCUtil;
 import org.apache.hadoop.yarn.ipc.YarnRPC;
 import org.apache.hadoop.yarn.server.api.ResourceTracker;
 import org.apache.hadoop.yarn.server.api.protocolrecords.NMContainerStatus;
@@ -312,7 +311,8 @@ public RegisterNodeManagerResponse registerNodeManager(
       LOG.info("Reconnect from the node at: " + host);
       this.nmLivelinessMonitor.unregister(nodeId);
       this.rmContext.getDispatcher().getEventHandler().handle(
-          new RMNodeReconnectEvent(nodeId, rmNode));
+          new RMNodeReconnectEvent(nodeId, rmNode,
+              request.getRunningApplications()));
     }
     // On every node manager register we will be clearing NMToken keys if
     // present for any running application.
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java
index efa1ee72808..7c7b7541b3e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java
@@ -1191,6 +1191,9 @@ public YarnApplicationState createApplicationState() {
   
   public static boolean isAppInFinalState(RMApp rmApp) {
     RMAppState appState = ((RMAppImpl) rmApp).getRecoveredFinalState();
+    if (appState == null) {
+      appState = rmApp.getState();
+    }
     return appState == RMAppState.FAILED || appState == RMAppState.FINISHED
         || appState == RMAppState.KILLED;
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java
index e20adc5c4d4..cf81d727138 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java
@@ -456,6 +456,24 @@ private void updateMetricsForDeactivatedNode(NodeState initialState,
     }
   }
 
+  private static void handleRunningAppOnNode(RMNodeImpl rmNode,
+      RMContext context, ApplicationId appId, NodeId nodeId) {
+    RMApp app = context.getRMApps().get(appId);
+
+    // if we failed getting app by appId, maybe something wrong happened, just
+    // add the app to the finishedApplications list so that the app can be
+    // cleaned up on the NM
+    if (null == app) {
+      LOG.warn("Cannot get RMApp by appId=" + appId
+          + ", just added it to finishedApplications list for cleanup");
+      rmNode.finishedApplications.add(appId);
+      return;
+    }
+
+    context.getDispatcher().getEventHandler()
+        .handle(new RMAppRunningOnNodeEvent(appId, nodeId));
+  }
+
   public static class AddNodeTransition implements
       SingleArcTransition<RMNodeImpl, RMNodeEvent> {
 
@@ -496,24 +514,6 @@ public void transition(RMNodeImpl rmNode, RMNodeEvent event) {
         new NodesListManagerEvent(
             NodesListManagerEventType.NODE_USABLE, rmNode));
     }
-
-    void handleRunningAppOnNode(RMNodeImpl rmNode, RMContext context,
-        ApplicationId appId, NodeId nodeId) {
-      RMApp app = context.getRMApps().get(appId);
-      
-      // if we failed getting app by appId, maybe something wrong happened, just
-      // add the app to the finishedApplications list so that the app can be
-      // cleaned up on the NM
-      if (null == app) {
-        LOG.warn("Cannot get RMApp by appId=" + appId
-            + ", just added it to finishedApplications list for cleanup");
-        rmNode.finishedApplications.add(appId);
-        return;
-      }
-
-      context.getDispatcher().getEventHandler()
-          .handle(new RMAppRunningOnNodeEvent(appId, nodeId));
-    }
   }
 
   public static class ReconnectNodeTransition implements
@@ -526,7 +526,8 @@ public void transition(RMNodeImpl rmNode, RMNodeEvent event) {
       rmNode.context.getDispatcher().getEventHandler().handle(
           new NodeRemovedSchedulerEvent(rmNode));
 
-      RMNode newNode = ((RMNodeReconnectEvent)event).getReconnectedNode();
+      RMNodeReconnectEvent reconnectEvent = (RMNodeReconnectEvent) event;
+      RMNode newNode = reconnectEvent.getReconnectedNode();
       rmNode.nodeManagerVersion = newNode.getNodeManagerVersion();
       if (rmNode.getTotalCapability().equals(newNode.getTotalCapability())
           && rmNode.getHttpPort() == newNode.getHttpPort()) {
@@ -551,6 +552,13 @@ public void transition(RMNodeImpl rmNode, RMNodeEvent event) {
         rmNode.context.getDispatcher().getEventHandler().handle(
             new RMNodeStartedEvent(newNode.getNodeID(), null, null));
       }
+
+      if (null != reconnectEvent.getRunningApplications()) {
+        for (ApplicationId appId : reconnectEvent.getRunningApplications()) {
+          handleRunningAppOnNode(rmNode, rmNode.context, appId, rmNode.nodeId);
+        }
+      }
+
       rmNode.context.getDispatcher().getEventHandler().handle(
           new NodesListManagerEvent(
               NodesListManagerEventType.NODE_USABLE, rmNode));
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeReconnectEvent.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeReconnectEvent.java
index b1fa0ad8c0c..ebbac9ab156 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeReconnectEvent.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeReconnectEvent.java
@@ -18,17 +18,27 @@
 
 package org.apache.hadoop.yarn.server.resourcemanager.rmnode;
 
+import java.util.List;
+
+import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.NodeId;
 
 public class RMNodeReconnectEvent extends RMNodeEvent {
   private RMNode reconnectedNode;
+  private List<ApplicationId> runningApplications;
 
-  public RMNodeReconnectEvent(NodeId nodeId, RMNode newNode) {
+  public RMNodeReconnectEvent(NodeId nodeId, RMNode newNode,
+      List<ApplicationId> runningApps) {
     super(nodeId, RMNodeEventType.RECONNECTED);
     reconnectedNode = newNode;
+    runningApplications = runningApps;
   }
 
   public RMNode getReconnectedNode() {
     return reconnectedNode;
   }
+
+  public List<ApplicationId> getRunningApplications() {
+    return runningApplications;
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestApplicationCleanup.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestApplicationCleanup.java
index e88ebd24f3b..c07882da0ad 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestApplicationCleanup.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestApplicationCleanup.java
@@ -449,6 +449,35 @@ protected Dispatcher createDispatcher() {
     rm2.stop();
   }
 
+  @Test (timeout = 60000)
+  public void testAppCleanupWhenNMReconnects() throws Exception {
+    conf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS, 1);
+    MemoryRMStateStore memStore = new MemoryRMStateStore();
+    memStore.init(conf);
+
+    // start RM
+    MockRM rm1 = new MockRM(conf, memStore);
+    rm1.start();
+    MockNM nm1 =
+        new MockNM("127.0.0.1:1234", 15120, rm1.getResourceTrackerService());
+    nm1.registerNode();
+
+    // create app and launch the AM
+    RMApp app0 = rm1.submitApp(200);
+    MockAM am0 = launchAM(app0, rm1, nm1);
+    nm1.nodeHeartbeat(am0.getApplicationAttemptId(), 1, ContainerState.COMPLETE);
+    rm1.waitForState(app0.getApplicationId(), RMAppState.FAILED);
+
+    // wait for application cleanup message received
+    waitForAppCleanupMessageRecved(nm1, app0.getApplicationId());
+
+    // reconnect NM with application still active
+    nm1.registerNode(Arrays.asList(app0.getApplicationId()));
+    waitForAppCleanupMessageRecved(nm1, app0.getApplicationId());
+
+    rm1.stop();
+  }
+
   public static void main(String[] args) throws Exception {
     TestApplicationCleanup t = new TestApplicationCleanup();
     t.testAppCleanup();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMNodeTransitions.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMNodeTransitions.java
index 46693be36ca..aa2cfc2eba1 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMNodeTransitions.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMNodeTransitions.java
@@ -520,7 +520,7 @@ public void testReconnect() {
     int initialUnhealthy = cm.getUnhealthyNMs();
     int initialDecommissioned = cm.getNumDecommisionedNMs();
     int initialRebooted = cm.getNumRebootedNMs();
-    node.handle(new RMNodeReconnectEvent(node.getNodeID(), node));
+    node.handle(new RMNodeReconnectEvent(node.getNodeID(), node, null));
     Assert.assertEquals("Active Nodes", initialActive, cm.getNumActiveNMs());
     Assert.assertEquals("Lost Nodes", initialLost, cm.getNumLostNMs());
     Assert.assertEquals("Unhealthy Nodes",
@@ -542,7 +542,8 @@ public void testReconnnectUpdate() {
     RMNodeImpl node = getRunningNode(nmVersion1);
     Assert.assertEquals(nmVersion1, node.getNodeManagerVersion());
     RMNodeImpl reconnectingNode = getRunningNode(nmVersion2);
-    node.handle(new RMNodeReconnectEvent(node.getNodeID(), reconnectingNode));
+    node.handle(new RMNodeReconnectEvent(node.getNodeID(), reconnectingNode,
+        null));
     Assert.assertEquals(nmVersion2, node.getNodeManagerVersion());
   }
 }

From 431857d09dac2a9554f7ee8a6a92ae05844d0066 Mon Sep 17 00:00:00 2001
From: Uma Maheswara Rao G <umamahesh@apache.org>
Date: Mon, 4 Aug 2014 15:44:44 +0000
Subject: [PATCH 119/354] HDFS-6787. Remove duplicate code in
 FSDirectory#unprotectedConcat. Contributed by Yi Liu.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615622 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                    | 2 ++
 .../org/apache/hadoop/hdfs/server/namenode/FSDirectory.java    | 3 ---
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 9514f326a6f..3b2b5cea6f2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -355,6 +355,8 @@ Release 2.6.0 - UNRELEASED
     HDFS-6788. Improve synchronization in BPOfferService with read write lock.
     (Yongjun Zhang via wang)
 
+    HDFS-6787. Remove duplicate code in FSDirectory#unprotectedConcat. (Yi Liu via umamahesh)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index 4604a9a3df8..b0e4f669fb8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -1081,9 +1081,6 @@ void unprotectedConcat(String target, String [] srcs, long timestamp)
       count++;
     }
     
-    // update inodeMap
-    removeFromInodeMap(Arrays.asList(allSrcInodes));
-    
     trgInode.setModificationTime(timestamp, trgLatestSnapshot);
     trgParent.updateModificationTime(timestamp, trgLatestSnapshot);
     // update quota on the parent directory ('count' files removed, 0 space)

From 9ffc4b13c46ca607daae79b6afca3bda45309215 Mon Sep 17 00:00:00 2001
From: Eric Yang <eyang@apache.org>
Date: Mon, 4 Aug 2014 17:37:43 +0000
Subject: [PATCH 120/354] HADOOP-10759. Remove hardcoded JAVA_HEAP_MAX. (Eric
 Yang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615700 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt                 | 2 ++
 .../hadoop-common/src/main/bin/hadoop-config.sh                 | 2 --
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 0887d047d2a..0a920f40c83 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -199,6 +199,8 @@ Trunk (Unreleased)
 
   BUG FIXES
 
+    HADOOP-10759. Remove hardcoded JAVA_HEAP_MAX. (Eric Yang)
+
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
     (Junping Du via llu)
 
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
index 6581ab4ada1..a0fb9d0c99d 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
@@ -149,8 +149,6 @@ if [[ -z $JAVA_HOME ]]; then
 fi
 
 JAVA=$JAVA_HOME/bin/java
-# some Java parameters
-JAVA_HEAP_MAX=-Xmx1000m 
 
 # check envvars which might override default args
 if [ "$HADOOP_HEAPSIZE" != "" ]; then

From c9aa74743773c61be938cc1a6ea811ae1404bca2 Mon Sep 17 00:00:00 2001
From: Brandon Li <brandonli@apache.org>
Date: Mon, 4 Aug 2014 17:40:02 +0000
Subject: [PATCH 121/354] HDFS-6451. NFS should not return NFS3ERR_IO for
 AccessControlException. Contributed by Abhiraj Butala

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615702 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java  | 459 ++++++++------
 .../hdfs/nfs/nfs3/TestRpcProgramNfs3.java     | 590 +++++++++++++++++-
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 3 files changed, 848 insertions(+), 204 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
index 1650b14724d..cccc464e550 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
@@ -140,7 +140,7 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
   public static final int DEFAULT_UMASK = 0022;
   public static final FsPermission umask = new FsPermission(
       (short) DEFAULT_UMASK);
-  
+
   static final Log LOG = LogFactory.getLog(RpcProgramNfs3.class);
 
   private final NfsConfiguration config;
@@ -149,14 +149,14 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
   private final DFSClientCache clientCache;
 
   private final NfsExports exports;
-  
+
   private final short replication;
   private final long blockSize;
   private final int bufferSize;
   private final boolean aixCompatMode;
   private Statistics statistics;
   private String writeDumpDir; // The dir save dump files
-  
+
   private final RpcCallCache rpcCallCache;
 
   public RpcProgramNfs3(NfsConfiguration config, DatagramSocket registrationSocket,
@@ -166,11 +166,11 @@ public RpcProgramNfs3(NfsConfiguration config, DatagramSocket registrationSocket
         NfsConfigKeys.DFS_NFS_SERVER_PORT_DEFAULT), Nfs3Constant.PROGRAM,
         Nfs3Constant.VERSION, Nfs3Constant.VERSION, registrationSocket,
         allowInsecurePorts);
-   
+
     this.config = config;
     config.set(FsPermission.UMASK_LABEL, "000");
     iug = new IdUserGroup(config);
-    
+
     aixCompatMode = config.getBoolean(
         NfsConfigKeys.AIX_COMPAT_MODE_KEY,
         NfsConfigKeys.AIX_COMPAT_MODE_DEFAULT);
@@ -184,7 +184,7 @@ public RpcProgramNfs3(NfsConfiguration config, DatagramSocket registrationSocket
     bufferSize = config.getInt(
         CommonConfigurationKeysPublic.IO_FILE_BUFFER_SIZE_KEY,
         CommonConfigurationKeysPublic.IO_FILE_BUFFER_SIZE_DEFAULT);
-    
+
     writeDumpDir = config.get(NfsConfigKeys.DFS_NFS_FILE_DUMP_DIR_KEY,
         NfsConfigKeys.DFS_NFS_FILE_DUMP_DIR_DEFAULT);
     boolean enableDump = config.getBoolean(NfsConfigKeys.DFS_NFS_FILE_DUMP_KEY,
@@ -216,12 +216,23 @@ private void clearDirectory(String writeDumpDir) throws IOException {
       throw new IOException("Cannot create dump directory " + dumpDir);
     }
   }
-  
+
   @Override
   public void startDaemons() {
      writeManager.startAsyncDataSerivce();
   }
-  
+
+  // Checks the type of IOException and maps it to appropriate Nfs3Status code.
+  private int mapErrorStatus(IOException e) {
+    if (e instanceof FileNotFoundException) {
+      return Nfs3Status.NFS3ERR_STALE;
+    } else if (e instanceof AccessControlException) {
+      return Nfs3Status.NFS3ERR_ACCES;
+    } else {
+      return Nfs3Status.NFS3ERR_IO;
+    }
+  }
+
   /******************************************************
    * RPC call handlers
    ******************************************************/
@@ -236,20 +247,25 @@ public NFS3Response nullProcedure() {
 
   @Override
   public GETATTR3Response getattr(XDR xdr, RpcInfo info) {
+    return getattr(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  GETATTR3Response getattr(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     GETATTR3Response response = new GETATTR3Response(Nfs3Status.NFS3_OK);
-    
-    if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
+
+    if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
       response.setStatus(Nfs3Status.NFS3ERR_ACCES);
       return response;
     }
-    
-    SecurityHandler securityHandler = getSecurityHandler(info);
+
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     GETATTR3Request request = null;
     try {
       request = new GETATTR3Request(xdr);
@@ -280,7 +296,8 @@ public GETATTR3Response getattr(XDR xdr, RpcInfo info) {
       }
     } catch (IOException e) {
       LOG.info("Can't get file attribute, fileId=" + handle.getFileId(), e);
-      response.setStatus(Nfs3Status.NFS3ERR_IO);
+      int status = mapErrorStatus(e);
+      response.setStatus(status);
       return response;
     }
     if (attrs == null) {
@@ -297,7 +314,7 @@ public GETATTR3Response getattr(XDR xdr, RpcInfo info) {
   private void setattrInternal(DFSClient dfsClient, String fileIdPath,
       SetAttr3 newAttr, boolean setMode) throws IOException {
     EnumSet<SetAttrField> updateFields = newAttr.getUpdateFields();
-    
+
     if (setMode && updateFields.contains(SetAttrField.MODE)) {
       if (LOG.isDebugEnabled()) {
         LOG.debug("set new mode:" + newAttr.getMode());
@@ -328,14 +345,19 @@ private void setattrInternal(DFSClient dfsClient, String fileIdPath,
 
   @Override
   public SETATTR3Response setattr(XDR xdr, RpcInfo info) {
+    return setattr(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  SETATTR3Response setattr(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     SETATTR3Response response = new SETATTR3Response(Nfs3Status.NFS3_OK);
-    SecurityHandler securityHandler = getSecurityHandler(info);
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     SETATTR3Request request = null;
     try {
       request = new SETATTR3Request(xdr);
@@ -373,9 +395,9 @@ public SETATTR3Response setattr(XDR xdr, RpcInfo info) {
           return new SETATTR3Response(Nfs3Status.NFS3ERR_NOT_SYNC, wccData);
         }
       }
-      
+
       // check the write access privilege
-      if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
+      if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_WRITE)) {
         return new SETATTR3Response(Nfs3Status.NFS3ERR_ACCES, new WccData(
             preOpWcc, preOpAttr));
       }
@@ -394,30 +416,33 @@ public SETATTR3Response setattr(XDR xdr, RpcInfo info) {
       } catch (IOException e1) {
         LOG.info("Can't get postOpAttr for fileIdPath: " + fileIdPath, e1);
       }
-      if (e instanceof AccessControlException) {
-        return new SETATTR3Response(Nfs3Status.NFS3ERR_ACCES, wccData);
-      } else {
-        return new SETATTR3Response(Nfs3Status.NFS3ERR_IO, wccData);
-      }
+
+      int status = mapErrorStatus(e);
+      return new SETATTR3Response(status, wccData);
     }
   }
 
   @Override
   public LOOKUP3Response lookup(XDR xdr, RpcInfo info) {
+    return lookup(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  LOOKUP3Response lookup(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     LOOKUP3Response response = new LOOKUP3Response(Nfs3Status.NFS3_OK);
-    
-    if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
+
+    if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
       response.setStatus(Nfs3Status.NFS3ERR_ACCES);
       return response;
     }
-    
-    SecurityHandler securityHandler = getSecurityHandler(info);
+
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     LOOKUP3Request request = null;
     try {
       request = new LOOKUP3Request(xdr);
@@ -460,26 +485,32 @@ public LOOKUP3Response lookup(XDR xdr, RpcInfo info) {
 
     } catch (IOException e) {
       LOG.warn("Exception ", e);
-      return new LOOKUP3Response(Nfs3Status.NFS3ERR_IO);
+      int status = mapErrorStatus(e);
+      return new LOOKUP3Response(status);
     }
   }
-  
+
   @Override
   public ACCESS3Response access(XDR xdr, RpcInfo info) {
+    return access(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  ACCESS3Response access(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     ACCESS3Response response = new ACCESS3Response(Nfs3Status.NFS3_OK);
-    
-    if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
+
+    if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
       response.setStatus(Nfs3Status.NFS3ERR_ACCES);
       return response;
     }
-    
-    SecurityHandler securityHandler = getSecurityHandler(info);
+
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     ACCESS3Request request = null;
     try {
       request = new ACCESS3Request(xdr);
@@ -493,7 +524,7 @@ public ACCESS3Response access(XDR xdr, RpcInfo info) {
 
     if (LOG.isDebugEnabled()) {
       LOG.debug("NFS ACCESS fileId: " + handle.getFileId());
-    } 
+    }
 
     try {
       // HDFS-5804 removed supserUserClient access
@@ -506,7 +537,7 @@ public ACCESS3Response access(XDR xdr, RpcInfo info) {
       int access = Nfs3Utils.getAccessRightsForUserGroup(
           securityHandler.getUid(), securityHandler.getGid(),
           securityHandler.getAuxGids(), attrs);
-      
+
       return new ACCESS3Response(Nfs3Status.NFS3_OK, attrs, access);
     } catch (RemoteException r) {
       LOG.warn("Exception ", r);
@@ -521,20 +552,26 @@ public ACCESS3Response access(XDR xdr, RpcInfo info) {
       }
     } catch (IOException e) {
       LOG.warn("Exception ", e);
-      return new ACCESS3Response(Nfs3Status.NFS3ERR_IO);
+      int status = mapErrorStatus(e);
+      return new ACCESS3Response(status);
     }
   }
 
   @Override
   public READLINK3Response readlink(XDR xdr, RpcInfo info) {
+    return readlink(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  READLINK3Response readlink(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     READLINK3Response response = new READLINK3Response(Nfs3Status.NFS3_OK);
 
-    if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
+    if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
       response.setStatus(Nfs3Status.NFS3ERR_ACCES);
       return response;
     }
 
-    SecurityHandler securityHandler = getSecurityHandler(info);
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@@ -588,39 +625,33 @@ public READLINK3Response readlink(XDR xdr, RpcInfo info) {
 
     } catch (IOException e) {
       LOG.warn("Readlink error: " + e.getClass(), e);
-      if (e instanceof FileNotFoundException) {
-        return new READLINK3Response(Nfs3Status.NFS3ERR_STALE);
-      } else if (e instanceof AccessControlException) {
-        return new READLINK3Response(Nfs3Status.NFS3ERR_ACCES);
-      }
-      return new READLINK3Response(Nfs3Status.NFS3ERR_IO);
+      int status = mapErrorStatus(e);
+      return new READLINK3Response(status);
     }
   }
 
   @Override
   public READ3Response read(XDR xdr, RpcInfo info) {
-    SecurityHandler securityHandler = getSecurityHandler(info);
-    SocketAddress remoteAddress = info.remoteAddress();
-    return read(xdr, securityHandler, remoteAddress);
+    return read(xdr, getSecurityHandler(info), info.remoteAddress());
   }
-  
+
   @VisibleForTesting
   READ3Response read(XDR xdr, SecurityHandler securityHandler,
       SocketAddress remoteAddress) {
     READ3Response response = new READ3Response(Nfs3Status.NFS3_OK);
     final String userName = securityHandler.getUser();
-    
+
     if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
       response.setStatus(Nfs3Status.NFS3ERR_ACCES);
       return response;
     }
-    
+
     DFSClient dfsClient = clientCache.getDfsClient(userName);
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     READ3Request request = null;
 
     try {
@@ -670,7 +701,7 @@ READ3Response read(XDR xdr, SecurityHandler securityHandler,
         return new READ3Response(Nfs3Status.NFS3ERR_ACCES);
       }
     }
-    
+
     // In case there is buffered data for the same file, flush it. This can be
     // optimized later by reading from the cache.
     int ret = writeManager.commitBeforeRead(dfsClient, handle, offset + count);
@@ -725,7 +756,8 @@ READ3Response read(XDR xdr, SecurityHandler securityHandler,
     } catch (IOException e) {
       LOG.warn("Read error: " + e.getClass() + " offset: " + offset
           + " count: " + count, e);
-      return new READ3Response(Nfs3Status.NFS3ERR_IO);
+      int status = mapErrorStatus(e);
+      return new READ3Response(status);
     }
   }
 
@@ -737,7 +769,7 @@ public WRITE3Response write(XDR xdr, RpcInfo info) {
     SocketAddress remoteAddress = info.remoteAddress();
     return write(xdr, info.channel(), xid, securityHandler, remoteAddress);
   }
-  
+
   @VisibleForTesting
   WRITE3Response write(XDR xdr, Channel channel, int xid,
       SecurityHandler securityHandler, SocketAddress remoteAddress) {
@@ -748,7 +780,7 @@ WRITE3Response write(XDR xdr, Channel channel, int xid,
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     WRITE3Request request = null;
 
     try {
@@ -781,13 +813,13 @@ WRITE3Response write(XDR xdr, Channel channel, int xid,
         LOG.error("Can't get path for fileId:" + handle.getFileId());
         return new WRITE3Response(Nfs3Status.NFS3ERR_STALE);
       }
-      
+
       if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_WRITE)) {
         return new WRITE3Response(Nfs3Status.NFS3ERR_ACCES, new WccData(
             Nfs3Utils.getWccAttr(preOpAttr), preOpAttr), 0, stableHow,
             Nfs3Constant.WRITE_COMMIT_VERF);
       }
-      
+
       if (LOG.isDebugEnabled()) {
         LOG.debug("requesed offset=" + offset + " and current filesize="
             + preOpAttr.getSize());
@@ -807,8 +839,10 @@ WRITE3Response write(XDR xdr, Channel channel, int xid,
       }
       WccAttr attr = preOpAttr == null ? null : Nfs3Utils.getWccAttr(preOpAttr);
       WccData fileWcc = new WccData(attr, postOpAttr);
-      return new WRITE3Response(Nfs3Status.NFS3ERR_IO, fileWcc, 0,
-          request.getStableHow(), Nfs3Constant.WRITE_COMMIT_VERF);
+
+      int status = mapErrorStatus(e);
+      return new WRITE3Response(status, fileWcc, 0, request.getStableHow(),
+          Nfs3Constant.WRITE_COMMIT_VERF);
     }
 
     return null;
@@ -816,11 +850,9 @@ WRITE3Response write(XDR xdr, Channel channel, int xid,
 
   @Override
   public CREATE3Response create(XDR xdr, RpcInfo info) {
-    SecurityHandler securityHandler = getSecurityHandler(info);
-    SocketAddress remoteAddress = info.remoteAddress();
-    return create(xdr, securityHandler, remoteAddress);
+    return create(xdr, getSecurityHandler(info), info.remoteAddress());
   }
-  
+
   @VisibleForTesting
   CREATE3Response create(XDR xdr, SecurityHandler securityHandler,
       SocketAddress remoteAddress) {
@@ -830,7 +862,7 @@ CREATE3Response create(XDR xdr, SecurityHandler securityHandler,
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     CREATE3Request request = null;
 
     try {
@@ -868,7 +900,7 @@ CREATE3Response create(XDR xdr, SecurityHandler securityHandler,
         LOG.error("Can't get path for dirHandle:" + dirHandle);
         return new CREATE3Response(Nfs3Status.NFS3ERR_STALE);
       }
-      
+
       if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_WRITE)) {
         return new CREATE3Response(Nfs3Status.NFS3ERR_ACCES, null,
             preOpDirAttr, new WccData(Nfs3Utils.getWccAttr(preOpDirAttr),
@@ -881,15 +913,15 @@ preOpDirAttr, new WccData(Nfs3Utils.getWccAttr(preOpDirAttr),
       FsPermission permission = setAttr3.getUpdateFields().contains(
           SetAttrField.MODE) ? new FsPermission((short) setAttr3.getMode())
           : FsPermission.getDefault().applyUMask(umask);
-          
+
       EnumSet<CreateFlag> flag = (createMode != Nfs3Constant.CREATE_EXCLUSIVE) ? 
           EnumSet.of(CreateFlag.CREATE, CreateFlag.OVERWRITE) : 
           EnumSet.of(CreateFlag.CREATE);
-      
+
       fos = new HdfsDataOutputStream(dfsClient.create(fileIdPath, permission,
           flag, false, replication, blockSize, null, bufferSize, null),
           statistics);
-      
+
       if ((createMode == Nfs3Constant.CREATE_UNCHECKED)
           || (createMode == Nfs3Constant.CREATE_GUARDED)) {
         // Set group if it's not specified in the request.
@@ -903,7 +935,7 @@ preOpDirAttr, new WccData(Nfs3Utils.getWccAttr(preOpDirAttr),
       postOpObjAttr = Nfs3Utils.getFileAttr(dfsClient, fileIdPath, iug);
       dirWcc = Nfs3Utils.createWccData(Nfs3Utils.getWccAttr(preOpDirAttr),
           dfsClient, dirFileIdPath, iug);
-      
+
       // Add open stream
       OpenFileCtx openFileCtx = new OpenFileCtx(fos, postOpObjAttr,
           writeDumpDir + "/" + postOpObjAttr.getFileId(), dfsClient, iug,
@@ -920,7 +952,7 @@ preOpDirAttr, new WccData(Nfs3Utils.getWccAttr(preOpDirAttr),
               + fileHandle.getFileId());
         }
       }
-      
+
     } catch (IOException e) {
       LOG.error("Exception", e);
       if (fos != null) {
@@ -940,29 +972,30 @@ preOpDirAttr, new WccData(Nfs3Utils.getWccAttr(preOpDirAttr),
               + dirHandle.getFileId(), e1);
         }
       }
-      if (e instanceof AccessControlException) {
-        return new CREATE3Response(Nfs3Status.NFS3ERR_ACCES, fileHandle,
-            postOpObjAttr, dirWcc);
-      } else {
-        return new CREATE3Response(Nfs3Status.NFS3ERR_IO, fileHandle,
-            postOpObjAttr, dirWcc);
-      }
+
+      int status = mapErrorStatus(e);
+      return new CREATE3Response(status, fileHandle, postOpObjAttr, dirWcc);
     }
-    
+
     return new CREATE3Response(Nfs3Status.NFS3_OK, fileHandle, postOpObjAttr,
         dirWcc);
   }
 
   @Override
   public MKDIR3Response mkdir(XDR xdr, RpcInfo info) {
+    return mkdir(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  MKDIR3Response mkdir(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     MKDIR3Response response = new MKDIR3Response(Nfs3Status.NFS3_OK);
-    SecurityHandler securityHandler = getSecurityHandler(info);
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     MKDIR3Request request = null;
 
     try {
@@ -992,11 +1025,11 @@ public MKDIR3Response mkdir(XDR xdr, RpcInfo info) {
         return new MKDIR3Response(Nfs3Status.NFS3ERR_STALE);
       }
 
-      if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
+      if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_WRITE)) {
         return new MKDIR3Response(Nfs3Status.NFS3ERR_ACCES, null, preOpDirAttr,
             new WccData(Nfs3Utils.getWccAttr(preOpDirAttr), preOpDirAttr));
       }
-      
+
       final String fileIdPath = dirFileIdPath + "/" + fileName;
       SetAttr3 setAttr3 = request.getObjAttr();
       FsPermission permission = setAttr3.getUpdateFields().contains(
@@ -1015,7 +1048,7 @@ public MKDIR3Response mkdir(XDR xdr, RpcInfo info) {
         setAttr3.setGid(securityHandler.getGid());
       }
       setattrInternal(dfsClient, fileIdPath, setAttr3, false);
-      
+
       postOpObjAttr = Nfs3Utils.getFileAttr(dfsClient, fileIdPath, iug);
       objFileHandle = new FileHandle(postOpObjAttr.getFileId());
       WccData dirWcc = Nfs3Utils.createWccData(
@@ -1032,15 +1065,11 @@ public MKDIR3Response mkdir(XDR xdr, RpcInfo info) {
           LOG.info("Can't get postOpDirAttr for " + dirFileIdPath, e);
         }
       }
+
       WccData dirWcc = new WccData(Nfs3Utils.getWccAttr(preOpDirAttr),
           postOpDirAttr);
-      if (e instanceof AccessControlException) {
-        return new MKDIR3Response(Nfs3Status.NFS3ERR_PERM, objFileHandle,
-            postOpObjAttr, dirWcc);
-      } else {
-        return new MKDIR3Response(Nfs3Status.NFS3ERR_IO, objFileHandle,
-            postOpObjAttr, dirWcc);
-      }
+      int status = mapErrorStatus(e);
+      return new MKDIR3Response(status, objFileHandle, postOpObjAttr, dirWcc);
     }
   }
 
@@ -1048,21 +1077,22 @@ public MKDIR3Response mkdir(XDR xdr, RpcInfo info) {
   public READDIR3Response mknod(XDR xdr, RpcInfo info) {
     return new READDIR3Response(Nfs3Status.NFS3ERR_NOTSUPP);
   }
-  
+
   @Override
   public REMOVE3Response remove(XDR xdr, RpcInfo info) {
     return remove(xdr, getSecurityHandler(info), info.remoteAddress());
   }
- 
+
   @VisibleForTesting
-  REMOVE3Response remove(XDR xdr, SecurityHandler securityHandler, SocketAddress remoteAddress) {
+  REMOVE3Response remove(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     REMOVE3Response response = new REMOVE3Response(Nfs3Status.NFS3_OK);
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     REMOVE3Request request = null;
     try {
       request = new REMOVE3Request(xdr);
@@ -1120,26 +1150,29 @@ REMOVE3Response remove(XDR xdr, SecurityHandler securityHandler, SocketAddress r
           LOG.info("Can't get postOpDirAttr for " + dirFileIdPath, e1);
         }
       }
+
       WccData dirWcc = new WccData(Nfs3Utils.getWccAttr(preOpDirAttr),
           postOpDirAttr);
-      if (e instanceof AccessControlException) {
-        return new REMOVE3Response(Nfs3Status.NFS3ERR_PERM, dirWcc);
-      } else {
-        return new REMOVE3Response(Nfs3Status.NFS3ERR_IO, dirWcc);
-      }
+      int status = mapErrorStatus(e);
+      return new REMOVE3Response(status, dirWcc);
     }
   }
 
   @Override
   public RMDIR3Response rmdir(XDR xdr, RpcInfo info) {
+    return rmdir(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  RMDIR3Response rmdir(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     RMDIR3Response response = new RMDIR3Response(Nfs3Status.NFS3_OK);
-    SecurityHandler securityHandler = getSecurityHandler(info);
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     RMDIR3Request request = null;
     try {
       request = new RMDIR3Request(xdr);
@@ -1164,10 +1197,10 @@ public RMDIR3Response rmdir(XDR xdr, RpcInfo info) {
         LOG.info("Can't get path for dir fileId:" + dirHandle.getFileId());
         return new RMDIR3Response(Nfs3Status.NFS3ERR_STALE);
       }
-      
+
       WccData errWcc = new WccData(Nfs3Utils.getWccAttr(preOpDirAttr),
           preOpDirAttr);
-      if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
+      if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_WRITE)) {
         return new RMDIR3Response(Nfs3Status.NFS3ERR_ACCES, errWcc); 
       }
 
@@ -1179,7 +1212,7 @@ public RMDIR3Response rmdir(XDR xdr, RpcInfo info) {
       if (!fstat.isDir()) {
         return new RMDIR3Response(Nfs3Status.NFS3ERR_NOTDIR, errWcc);
       }
-      
+
       if (fstat.getChildrenNum() > 0) {
         return new RMDIR3Response(Nfs3Status.NFS3ERR_NOTEMPTY, errWcc);
       }
@@ -1202,26 +1235,29 @@ public RMDIR3Response rmdir(XDR xdr, RpcInfo info) {
           LOG.info("Can't get postOpDirAttr for " + dirFileIdPath, e1);
         }
       }
+
       WccData dirWcc = new WccData(Nfs3Utils.getWccAttr(preOpDirAttr),
           postOpDirAttr);
-      if (e instanceof AccessControlException) {
-        return new RMDIR3Response(Nfs3Status.NFS3ERR_PERM, dirWcc);
-      } else {
-        return new RMDIR3Response(Nfs3Status.NFS3ERR_IO, dirWcc);
-      }
+      int status = mapErrorStatus(e);
+      return new RMDIR3Response(status, dirWcc);
     }
   }
 
   @Override
   public RENAME3Response rename(XDR xdr, RpcInfo info) {
+    return rename(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  RENAME3Response rename(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     RENAME3Response response = new RENAME3Response(Nfs3Status.NFS3_OK);
-    SecurityHandler securityHandler = getSecurityHandler(info);
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     RENAME3Request request = null;
     try {
       request = new RENAME3Request(xdr);
@@ -1258,8 +1294,8 @@ public RENAME3Response rename(XDR xdr, RpcInfo info) {
         LOG.info("Can't get path for toHandle fileId:" + toHandle.getFileId());
         return new RENAME3Response(Nfs3Status.NFS3ERR_STALE);
       }
-      
-      if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
+
+      if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_WRITE)) {
         WccData fromWcc = new WccData(Nfs3Utils.getWccAttr(fromPreOpAttr),
             fromPreOpAttr);
         WccData toWcc = new WccData(Nfs3Utils.getWccAttr(toPreOpAttr),
@@ -1280,7 +1316,7 @@ public RENAME3Response rename(XDR xdr, RpcInfo info) {
       return new RENAME3Response(Nfs3Status.NFS3_OK, fromDirWcc, toDirWcc);
     } catch (IOException e) {
       LOG.warn("Exception ", e);
-      // Try to return correct WccData      
+      // Try to return correct WccData
       try {
         fromDirWcc = Nfs3Utils.createWccData(
             Nfs3Utils.getWccAttr(fromPreOpAttr), dfsClient, fromDirFileIdPath,
@@ -1291,25 +1327,27 @@ public RENAME3Response rename(XDR xdr, RpcInfo info) {
         LOG.info("Can't get postOpDirAttr for " + fromDirFileIdPath + " or"
             + toDirFileIdPath, e1);
       }
-      if (e instanceof AccessControlException) {
-        return new RENAME3Response(Nfs3Status.NFS3ERR_PERM, fromDirWcc,
-            toDirWcc);
-      } else {
-        return new RENAME3Response(Nfs3Status.NFS3ERR_IO, fromDirWcc, toDirWcc);
-      }
+
+      int status = mapErrorStatus(e);
+      return new RENAME3Response(status, fromDirWcc, toDirWcc);
     }
   }
 
   @Override
   public SYMLINK3Response symlink(XDR xdr, RpcInfo info) {
+    return symlink(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  SYMLINK3Response symlink(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     SYMLINK3Response response = new SYMLINK3Response(Nfs3Status.NFS3_OK);
 
-    if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
+    if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_WRITE)) {
       response.setStatus(Nfs3Status.NFS3ERR_ACCES);
       return response;
     }
 
-    SecurityHandler securityHandler = getSecurityHandler(info);
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@@ -1355,7 +1393,8 @@ public SYMLINK3Response symlink(XDR xdr, RpcInfo info) {
 
     } catch (IOException e) {
       LOG.warn("Exception:" + e);
-      response.setStatus(Nfs3Status.NFS3ERR_IO);
+      int status = mapErrorStatus(e);
+      response.setStatus(status);
       return response;
     }
   }
@@ -1387,28 +1426,27 @@ private DirectoryListing listPaths(DFSClient dfsClient, String dirFileIdPath,
     }
     return dlisting;
   }
-  
+
   @Override
   public READDIR3Response readdir(XDR xdr, RpcInfo info) {
-    SecurityHandler securityHandler = getSecurityHandler(info);
-    SocketAddress remoteAddress = info.remoteAddress();
-    return readdir(xdr, securityHandler, remoteAddress);
+    return readdir(xdr, getSecurityHandler(info), info.remoteAddress());
   }
+
   public READDIR3Response readdir(XDR xdr, SecurityHandler securityHandler,
       SocketAddress remoteAddress) {
     READDIR3Response response = new READDIR3Response(Nfs3Status.NFS3_OK);
-    
+
     if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
       response.setStatus(Nfs3Status.NFS3ERR_ACCES);
       return response;
     }
-    
+
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     READDIR3Request request = null;
     try {
       request = new READDIR3Request(xdr);
@@ -1427,7 +1465,7 @@ public READDIR3Response readdir(XDR xdr, SecurityHandler securityHandler,
       LOG.info("Nonpositive count in invalid READDIR request:" + count);
       return new READDIR3Response(Nfs3Status.NFS3_OK);
     }
-    
+
     if (LOG.isDebugEnabled()) {
       LOG.debug("NFS READDIR fileId: " + handle.getFileId() + " cookie: "
           + cookie + " count: " + count);
@@ -1492,7 +1530,7 @@ public READDIR3Response readdir(XDR xdr, SecurityHandler securityHandler,
         String inodeIdPath = Nfs3Utils.getFileIdPath(cookie);
         startAfter = inodeIdPath.getBytes();
       }
-      
+
       dlisting = listPaths(dfsClient, dirFileIdPath, startAfter);
       postOpAttr = Nfs3Utils.getFileAttr(dfsClient, dirFileIdPath, iug);
       if (postOpAttr == null) {
@@ -1501,21 +1539,22 @@ public READDIR3Response readdir(XDR xdr, SecurityHandler securityHandler,
       }
     } catch (IOException e) {
       LOG.warn("Exception ", e);
-      return new READDIR3Response(Nfs3Status.NFS3ERR_IO);
+      int status = mapErrorStatus(e);
+      return new READDIR3Response(status);
     }
 
     /**
      * Set up the dirents in the response. fileId is used as the cookie with one
      * exception. Linux client can either be stuck with "ls" command (on REHL)
      * or report "Too many levels of symbolic links" (Ubuntu).
-     * 
+     *
      * The problem is that, only two items returned, "." and ".." when the
      * namespace is empty. Both of them are "/" with the same cookie(root
      * fileId). Linux client doesn't think such a directory is a real directory.
      * Even though NFS protocol specifies cookie is an opaque data, Linux client
      * somehow doesn't like an empty dir returns same cookie for both "." and
      * "..".
-     * 
+     *
      * The workaround is to use 0 as the cookie for "." and always return "." as
      * the first entry in readdir/readdirplus response.
      */
@@ -1523,7 +1562,7 @@ public READDIR3Response readdir(XDR xdr, SecurityHandler securityHandler,
     int n = (int) Math.min(fstatus.length, count-2);
     boolean eof = (n < fstatus.length) ? false : (dlisting
         .getRemainingEntries() == 0);
-    
+
     Entry3[] entries;
     if (cookie == 0) {
       entries = new Entry3[n + 2];
@@ -1543,7 +1582,7 @@ public READDIR3Response readdir(XDR xdr, SecurityHandler securityHandler,
             fstatus[i].getLocalName(), fstatus[i].getFileId());
       }
     }
-    
+
     DirList3 dirList = new READDIR3Response.DirList3(entries, eof);
     return new READDIR3Response(Nfs3Status.NFS3_OK, postOpAttr,
         dirStatus.getModificationTime(), dirList);
@@ -1551,9 +1590,7 @@ public READDIR3Response readdir(XDR xdr, SecurityHandler securityHandler,
 
   @Override
   public READDIRPLUS3Response readdirplus(XDR xdr, RpcInfo info) {
-    SecurityHandler securityHandler = getSecurityHandler(info);
-    SocketAddress remoteAddress = info.remoteAddress();
-    return readdirplus(xdr, securityHandler, remoteAddress);
+    return readdirplus(xdr, getSecurityHandler(info), info.remoteAddress());
   }
 
   @VisibleForTesting
@@ -1562,12 +1599,12 @@ READDIRPLUS3Response readdirplus(XDR xdr, SecurityHandler securityHandler,
     if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
       return new READDIRPLUS3Response(Nfs3Status.NFS3ERR_ACCES);
     }
-    
+
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       return new READDIRPLUS3Response(Nfs3Status.NFS3ERR_SERVERFAULT);
     }
-    
+
     READDIRPLUS3Request request = null;
     try {
       request = new READDIRPLUS3Request(xdr);
@@ -1592,7 +1629,7 @@ READDIRPLUS3Response readdirplus(XDR xdr, SecurityHandler securityHandler,
       LOG.info("Nonpositive maxcount in invalid READDIRPLUS request:" + maxCount);
       return new READDIRPLUS3Response(Nfs3Status.NFS3ERR_INVAL);
     }
-    
+
     if (LOG.isDebugEnabled()) {
       LOG.debug("NFS READDIRPLUS fileId: " + handle.getFileId() + " cookie: "
           + cookie + " dirCount: " + dirCount + " maxCount: " + maxCount);
@@ -1655,7 +1692,7 @@ READDIRPLUS3Response readdirplus(XDR xdr, SecurityHandler securityHandler,
         String inodeIdPath = Nfs3Utils.getFileIdPath(cookie);
         startAfter = inodeIdPath.getBytes();
       }
-      
+
       dlisting = listPaths(dfsClient, dirFileIdPath, startAfter);
       postOpDirAttr = Nfs3Utils.getFileAttr(dfsClient, dirFileIdPath, iug);
       if (postOpDirAttr == null) {
@@ -1664,19 +1701,20 @@ READDIRPLUS3Response readdirplus(XDR xdr, SecurityHandler securityHandler,
       }
     } catch (IOException e) {
       LOG.warn("Exception ", e);
-      return new READDIRPLUS3Response(Nfs3Status.NFS3ERR_IO);
+      int status = mapErrorStatus(e);
+      return new READDIRPLUS3Response(status);
     }
-    
+
     // Set up the dirents in the response
     HdfsFileStatus[] fstatus = dlisting.getPartialListing();
     int n = (int) Math.min(fstatus.length, dirCount-2);
     boolean eof = (n < fstatus.length) ? false : (dlisting
         .getRemainingEntries() == 0);
-    
+
     READDIRPLUS3Response.EntryPlus3[] entries;
     if (cookie == 0) {
       entries = new READDIRPLUS3Response.EntryPlus3[n+2];
-      
+
       entries[0] = new READDIRPLUS3Response.EntryPlus3(
           postOpDirAttr.getFileId(), ".", 0, postOpDirAttr, new FileHandle(
               postOpDirAttr.getFileId()));
@@ -1720,23 +1758,28 @@ READDIRPLUS3Response readdirplus(XDR xdr, SecurityHandler securityHandler,
     return new READDIRPLUS3Response(Nfs3Status.NFS3_OK, postOpDirAttr,
         dirStatus.getModificationTime(), dirListPlus);
   }
-  
+
   @Override
   public FSSTAT3Response fsstat(XDR xdr, RpcInfo info) {
+    return fsstat(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  FSSTAT3Response fsstat(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     FSSTAT3Response response = new FSSTAT3Response(Nfs3Status.NFS3_OK);
-    
-    if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
+
+    if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
       response.setStatus(Nfs3Status.NFS3ERR_ACCES);
       return response;
     }
-    
-    SecurityHandler securityHandler = getSecurityHandler(info);
+
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     FSSTAT3Request request = null;
     try {
       request = new FSSTAT3Request(xdr);
@@ -1754,14 +1797,14 @@ public FSSTAT3Response fsstat(XDR xdr, RpcInfo info) {
       FsStatus fsStatus = dfsClient.getDiskStatus();
       long totalBytes = fsStatus.getCapacity();
       long freeBytes = fsStatus.getRemaining();
-      
+
       Nfs3FileAttributes attrs = writeManager.getFileAttr(dfsClient, handle,
           iug);
       if (attrs == null) {
         LOG.info("Can't get path for fileId:" + handle.getFileId());
         return new FSSTAT3Response(Nfs3Status.NFS3ERR_STALE);
       }
-      
+
       long maxFsObjects = config.getLong("dfs.max.objects", 0);
       if (maxFsObjects == 0) {
         // A value of zero in HDFS indicates no limit to the number
@@ -1769,7 +1812,7 @@ public FSSTAT3Response fsstat(XDR xdr, RpcInfo info) {
         // Long.MAX_VALUE so 32bit client won't complain.
         maxFsObjects = Integer.MAX_VALUE;
       }
-      
+
       return new FSSTAT3Response(Nfs3Status.NFS3_OK, attrs, totalBytes,
           freeBytes, freeBytes, maxFsObjects, maxFsObjects, maxFsObjects, 0);
     } catch (RemoteException r) {
@@ -1785,26 +1828,32 @@ public FSSTAT3Response fsstat(XDR xdr, RpcInfo info) {
       }
     } catch (IOException e) {
       LOG.warn("Exception ", e);
-      return new FSSTAT3Response(Nfs3Status.NFS3ERR_IO);
+      int status = mapErrorStatus(e);
+      return new FSSTAT3Response(status);
     }
   }
 
   @Override
   public FSINFO3Response fsinfo(XDR xdr, RpcInfo info) {
+    return fsinfo(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  FSINFO3Response fsinfo(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     FSINFO3Response response = new FSINFO3Response(Nfs3Status.NFS3_OK);
-    
-    if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
+
+    if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
       response.setStatus(Nfs3Status.NFS3ERR_ACCES);
       return response;
     }
-    
-    SecurityHandler securityHandler = getSecurityHandler(info);
+
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     FSINFO3Request request = null;
     try {
       request = new FSINFO3Request(xdr);
@@ -1835,7 +1884,7 @@ public FSINFO3Response fsinfo(XDR xdr, RpcInfo info) {
         LOG.info("Can't get path for fileId:" + handle.getFileId());
         return new FSINFO3Response(Nfs3Status.NFS3ERR_STALE);
       }
-      
+
       int fsProperty = Nfs3Constant.FSF3_CANSETTIME
           | Nfs3Constant.FSF3_HOMOGENEOUS;
 
@@ -1843,26 +1892,32 @@ public FSINFO3Response fsinfo(XDR xdr, RpcInfo info) {
           wtmax, wtmax, 1, dtperf, Long.MAX_VALUE, new NfsTime(1), fsProperty);
     } catch (IOException e) {
       LOG.warn("Exception ", e);
-      return new FSINFO3Response(Nfs3Status.NFS3ERR_IO);
+      int status = mapErrorStatus(e);
+      return new FSINFO3Response(status);
     }
   }
 
   @Override
   public PATHCONF3Response pathconf(XDR xdr, RpcInfo info) {
+    return pathconf(xdr, getSecurityHandler(info), info.remoteAddress());
+  }
+
+  @VisibleForTesting
+  PATHCONF3Response pathconf(XDR xdr, SecurityHandler securityHandler,
+      SocketAddress remoteAddress) {
     PATHCONF3Response response = new PATHCONF3Response(Nfs3Status.NFS3_OK);
-    
-    if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
+
+    if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
       response.setStatus(Nfs3Status.NFS3ERR_ACCES);
       return response;
     }
-    
-    SecurityHandler securityHandler = getSecurityHandler(info);
+
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     PATHCONF3Request request = null;
     try {
       request = new PATHCONF3Request(xdr);
@@ -1890,22 +1945,30 @@ public PATHCONF3Response pathconf(XDR xdr, RpcInfo info) {
           HdfsConstants.MAX_PATH_LENGTH, true, false, false, true);
     } catch (IOException e) {
       LOG.warn("Exception ", e);
-      return new PATHCONF3Response(Nfs3Status.NFS3ERR_IO);
+      int status = mapErrorStatus(e);
+      return new PATHCONF3Response(status);
     }
   }
 
   @Override
   public COMMIT3Response commit(XDR xdr, RpcInfo info) {
-    //Channel channel, int xid,
-    //    SecurityHandler securityHandler, InetAddress client) {
-    COMMIT3Response response = new COMMIT3Response(Nfs3Status.NFS3_OK);
     SecurityHandler securityHandler = getSecurityHandler(info);
+    RpcCall rpcCall = (RpcCall) info.header();
+    int xid = rpcCall.getXid();
+    SocketAddress remoteAddress = info.remoteAddress();
+    return commit(xdr, info.channel(), xid, securityHandler, remoteAddress);
+  }
+
+  @VisibleForTesting
+  COMMIT3Response commit(XDR xdr, Channel channel, int xid,
+      SecurityHandler securityHandler, SocketAddress remoteAddress) {
+    COMMIT3Response response = new COMMIT3Response(Nfs3Status.NFS3_OK);
     DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
     if (dfsClient == null) {
       response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
       return response;
     }
-    
+
     COMMIT3Request request = null;
     try {
       request = new COMMIT3Request(xdr);
@@ -1929,21 +1992,19 @@ public COMMIT3Response commit(XDR xdr, RpcInfo info) {
         LOG.info("Can't get path for fileId:" + handle.getFileId());
         return new COMMIT3Response(Nfs3Status.NFS3ERR_STALE);
       }
-      
-      if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
+
+      if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_WRITE)) {
         return new COMMIT3Response(Nfs3Status.NFS3ERR_ACCES, new WccData(
             Nfs3Utils.getWccAttr(preOpAttr), preOpAttr),
             Nfs3Constant.WRITE_COMMIT_VERF);
       }
-      
+
       long commitOffset = (request.getCount() == 0) ? 0
           : (request.getOffset() + request.getCount());
-      
+
       // Insert commit as an async request
-      RpcCall rpcCall = (RpcCall) info.header();
-      int xid = rpcCall.getXid();
       writeManager.handleCommit(dfsClient, handle, commitOffset,
-          info.channel(), xid, preOpAttr);
+          channel, xid, preOpAttr);
       return null;
     } catch (IOException e) {
       LOG.warn("Exception ", e);
@@ -1953,9 +2014,11 @@ public COMMIT3Response commit(XDR xdr, RpcInfo info) {
       } catch (IOException e1) {
         LOG.info("Can't get postOpAttr for fileId: " + handle.getFileId(), e1);
       }
+
       WccData fileWcc = new WccData(Nfs3Utils.getWccAttr(preOpAttr), postOpAttr);
-      return new COMMIT3Response(Nfs3Status.NFS3ERR_IO, fileWcc,
-          Nfs3Constant.WRITE_COMMIT_VERF);
+      int status = mapErrorStatus(e);
+      return new COMMIT3Response(status, fileWcc,
+        Nfs3Constant.WRITE_COMMIT_VERF);
     }
   }
 
@@ -1973,7 +2036,7 @@ private SecurityHandler getSecurityHandler(RpcInfo info) {
     RpcCall rpcCall = (RpcCall) info.header();
     return getSecurityHandler(rpcCall.getCredential(), rpcCall.getVerifier());
   }
-  
+
   @Override
   public void handleInternal(ChannelHandlerContext ctx, RpcInfo info) {
     RpcCall rpcCall = (RpcCall) info.header();
@@ -1986,7 +2049,7 @@ public void handleInternal(ChannelHandlerContext ctx, RpcInfo info) {
     InetAddress client = ((InetSocketAddress) info.remoteAddress())
         .getAddress();
     Credentials credentials = rpcCall.getCredential();
-    
+
     // Ignore auth only for NFSPROC3_NULL, especially for Linux clients.
     if (nfsproc3 != NFSPROC3.NULL) {
       if (credentials.getFlavor() != AuthFlavor.AUTH_SYS
@@ -2023,7 +2086,7 @@ public void handleInternal(ChannelHandlerContext ctx, RpcInfo info) {
         }
       }
     }
-    
+
     NFS3Response response = null;
     if (nfsproc3 == NFSPROC3.NULL) {
       response = nullProcedure();
@@ -2040,7 +2103,7 @@ public void handleInternal(ChannelHandlerContext ctx, RpcInfo info) {
     } else if (nfsproc3 == NFSPROC3.READ) {
       if (LOG.isDebugEnabled()) {
           LOG.debug(Nfs3Utils.READ_RPC_START + xid);
-      }    
+      }
       response = read(xdr, info);
       if (LOG.isDebugEnabled() && (nfsproc3 == NFSPROC3.READ)) {
         LOG.debug(Nfs3Utils.READ_RPC_END + xid);
@@ -2053,7 +2116,7 @@ public void handleInternal(ChannelHandlerContext ctx, RpcInfo info) {
       // Write end debug trace is in Nfs3Utils.writeChannel
     } else if (nfsproc3 == NFSPROC3.CREATE) {
       response = create(xdr, info);
-    } else if (nfsproc3 == NFSPROC3.MKDIR) {      
+    } else if (nfsproc3 == NFSPROC3.MKDIR) {
       response = mkdir(xdr, info);
     } else if (nfsproc3 == NFSPROC3.SYMLINK) {
       response = symlink(xdr, info);
@@ -2104,18 +2167,12 @@ RpcAcceptedReply.AcceptState.PROC_UNAVAIL, new VerifierNone()).write(
 
     RpcUtil.sendRpcResponse(ctx, rsp);
   }
-  
+
   @Override
   protected boolean isIdempotent(RpcCall call) {
-    final NFSPROC3 nfsproc3 = NFSPROC3.fromValue(call.getProcedure()); 
+    final NFSPROC3 nfsproc3 = NFSPROC3.fromValue(call.getProcedure());
     return nfsproc3 == null || nfsproc3.isIdempotent();
   }
-  
-  private boolean checkAccessPrivilege(RpcInfo info,
-      final AccessPrivilege expected) {
-    SocketAddress remoteAddress = info.remoteAddress();
-    return checkAccessPrivilege(remoteAddress, expected);
-  }
 
   private boolean checkAccessPrivilege(SocketAddress remoteAddress,
       final AccessPrivilege expected) {
@@ -2139,7 +2196,7 @@ private boolean checkAccessPrivilege(SocketAddress remoteAddress,
     }
     return true;
   }
-  
+
   @VisibleForTesting
   WriteManager getWriteManager() {
     return this.writeManager;
diff --git a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java
index 4634e4bae68..e89929b889f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java
@@ -18,19 +18,603 @@
 package org.apache.hadoop.hdfs.nfs.nfs3;
 
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.nio.ByteBuffer;
+import org.jboss.netty.channel.Channel;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.mockito.Mockito;
 
 import org.apache.hadoop.fs.CommonConfigurationKeys;
-import org.apache.hadoop.hdfs.nfs.conf.NfsConfigKeys;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.DFSTestUtil;
+import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.hdfs.nfs.conf.NfsConfiguration;
+import org.apache.hadoop.hdfs.nfs.conf.NfsConfigKeys;
+import org.apache.hadoop.hdfs.protocol.HdfsFileStatus;
+import org.apache.hadoop.hdfs.server.namenode.NameNode;
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.nfs.nfs3.Nfs3Constant;
-import org.junit.Assert;
-import org.junit.Test;
+import org.apache.hadoop.nfs.nfs3.Nfs3Constant.WriteStableHow;
+import org.apache.hadoop.nfs.nfs3.Nfs3Status;
+import org.apache.hadoop.nfs.nfs3.request.LOOKUP3Request;
+import org.apache.hadoop.nfs.nfs3.request.READ3Request;
+import org.apache.hadoop.nfs.nfs3.request.WRITE3Request;
+import org.apache.hadoop.nfs.nfs3.response.ACCESS3Response;
+import org.apache.hadoop.nfs.nfs3.response.COMMIT3Response;
+import org.apache.hadoop.nfs.nfs3.response.CREATE3Response;
+import org.apache.hadoop.nfs.nfs3.response.FSSTAT3Response;
+import org.apache.hadoop.nfs.nfs3.response.FSINFO3Response;
+import org.apache.hadoop.nfs.nfs3.response.GETATTR3Response;
+import org.apache.hadoop.nfs.nfs3.response.LOOKUP3Response;
+import org.apache.hadoop.nfs.nfs3.response.PATHCONF3Response;
+import org.apache.hadoop.nfs.nfs3.response.READ3Response;
+import org.apache.hadoop.nfs.nfs3.response.REMOVE3Response;
+import org.apache.hadoop.nfs.nfs3.response.RMDIR3Response;
+import org.apache.hadoop.nfs.nfs3.response.RENAME3Response;
+import org.apache.hadoop.nfs.nfs3.response.READDIR3Response;
+import org.apache.hadoop.nfs.nfs3.response.READDIRPLUS3Response;
+import org.apache.hadoop.nfs.nfs3.response.READLINK3Response;
+import org.apache.hadoop.nfs.nfs3.response.SETATTR3Response;
+import org.apache.hadoop.nfs.nfs3.response.SYMLINK3Response;
+import org.apache.hadoop.nfs.nfs3.response.WRITE3Response;
+import org.apache.hadoop.nfs.nfs3.request.SetAttr3;
+import org.apache.hadoop.oncrpc.XDR;
+import org.apache.hadoop.oncrpc.security.SecurityHandler;
+import org.apache.hadoop.security.authorize.DefaultImpersonationProvider;
+import org.apache.hadoop.security.authorize.ProxyUsers;
 
 
 /**
  * Tests for {@link RpcProgramNfs3}
  */
 public class TestRpcProgramNfs3 {
+  static DistributedFileSystem hdfs;
+  static MiniDFSCluster cluster = null;
+  static NfsConfiguration config = new NfsConfiguration();
+  static NameNode nn;
+  static Nfs3 nfs;
+  static RpcProgramNfs3 nfsd;
+  static SecurityHandler securityHandler;
+  static SecurityHandler securityHandlerUnpriviledged;
+  static String testdir = "/tmp";
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    String currentUser = System.getProperty("user.name");
+
+    config.set("fs.permissions.umask-mode", "u=rwx,g=,o=");
+    config.set(DefaultImpersonationProvider.getTestProvider()
+        .getProxySuperuserGroupConfKey(currentUser), "*");
+    config.set(DefaultImpersonationProvider.getTestProvider()
+        .getProxySuperuserIpConfKey(currentUser), "*");
+    ProxyUsers.refreshSuperUserGroupsConfiguration(config);
+
+    cluster = new MiniDFSCluster.Builder(config).numDataNodes(1).build();
+    cluster.waitActive();
+    hdfs = cluster.getFileSystem();
+    nn = cluster.getNameNode();
+
+    // Use ephemeral ports in case tests are running in parallel
+    config.setInt("nfs3.mountd.port", 0);
+    config.setInt("nfs3.server.port", 0);
+
+    // Start NFS with allowed.hosts set to "* rw"
+    config.set("dfs.nfs.exports.allowed.hosts", "* rw");
+    nfs = new Nfs3(config);
+    nfs.startServiceInternal(false);
+    nfsd = (RpcProgramNfs3) nfs.getRpcProgram();
+
+
+    // Mock SecurityHandler which returns system user.name
+    securityHandler = Mockito.mock(SecurityHandler.class);
+    Mockito.when(securityHandler.getUser()).thenReturn(currentUser);
+
+    // Mock SecurityHandler which returns a dummy username "harry"
+    securityHandlerUnpriviledged = Mockito.mock(SecurityHandler.class);
+    Mockito.when(securityHandlerUnpriviledged.getUser()).thenReturn("harry");
+  }
+
+  @AfterClass
+  public static void shutdown() throws Exception {
+    if (cluster != null) {
+      cluster.shutdown();
+    }
+  }
+
+  @Before
+  public void createFiles() throws IllegalArgumentException, IOException {
+    hdfs.delete(new Path(testdir), true);
+    hdfs.mkdirs(new Path(testdir));
+    hdfs.mkdirs(new Path(testdir + "/foo"));
+    DFSTestUtil.createFile(hdfs, new Path(testdir + "/bar"), 0, (short) 1, 0);
+  }
+
+  @Test(timeout = 60000)
+  public void testGetattr() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo("/tmp/bar");
+    long dirId = status.getFileId();
+    FileHandle handle = new FileHandle(dirId);
+    XDR xdr_req = new XDR();
+    handle.serialize(xdr_req);
+
+    // Attempt by an unpriviledged user should fail.
+    GETATTR3Response response1 = nfsd.getattr(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    GETATTR3Response response2 = nfsd.getattr(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testSetattr() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
+    long dirId = status.getFileId();
+    XDR xdr_req = new XDR();
+    FileHandle handle = new FileHandle(dirId);
+    handle.serialize(xdr_req);
+    xdr_req.writeString("bar");
+    SetAttr3 symAttr = new SetAttr3();
+    symAttr.serialize(xdr_req);
+    xdr_req.writeBoolean(false);
+
+    // Attempt by an unpriviledged user should fail.
+    SETATTR3Response response1 = nfsd.setattr(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    SETATTR3Response response2 = nfsd.setattr(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testLookup() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
+    long dirId = status.getFileId();
+    FileHandle handle = new FileHandle(dirId);
+    LOOKUP3Request lookupReq = new LOOKUP3Request(handle, "bar");
+    XDR xdr_req = new XDR();
+    lookupReq.serialize(xdr_req);
+
+    // Attempt by an unpriviledged user should fail.
+    LOOKUP3Response response1 = nfsd.lookup(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    LOOKUP3Response response2 = nfsd.lookup(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testAccess() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo("/tmp/bar");
+    long dirId = status.getFileId();
+    FileHandle handle = new FileHandle(dirId);
+    XDR xdr_req = new XDR();
+    handle.serialize(xdr_req);
+
+    // Attempt by an unpriviledged user should fail.
+    ACCESS3Response response1 = nfsd.access(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    ACCESS3Response response2 = nfsd.access(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testReadlink() throws Exception {
+    // Create a symlink first.
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
+    long dirId = status.getFileId();
+    XDR xdr_req = new XDR();
+    FileHandle handle = new FileHandle(dirId);
+    handle.serialize(xdr_req);
+    xdr_req.writeString("fubar");
+    SetAttr3 symAttr = new SetAttr3();
+    symAttr.serialize(xdr_req);
+    xdr_req.writeString("bar");
+
+    SYMLINK3Response response = nfsd.symlink(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response.getStatus());
+
+    // Now perform readlink operations.
+    FileHandle handle2 = response.getObjFileHandle();
+    XDR xdr_req2 = new XDR();
+    handle2.serialize(xdr_req2);
+
+    // Attempt by an unpriviledged user should fail.
+    READLINK3Response response1 = nfsd.readlink(xdr_req2.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    READLINK3Response response2 = nfsd.readlink(xdr_req2.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testRead() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo("/tmp/bar");
+    long dirId = status.getFileId();
+    FileHandle handle = new FileHandle(dirId);
+
+    READ3Request readReq = new READ3Request(handle, 0, 5);
+    XDR xdr_req = new XDR();
+    readReq.serialize(xdr_req);
+
+    // Attempt by an unpriviledged user should fail.
+    /* Hits HDFS-6582. It needs to be fixed first.
+    READ3Response response1 = nfsd.read(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+    */
+
+    // Attempt by a priviledged user should pass.
+    READ3Response response2 = nfsd.read(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testWrite() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo("/tmp/bar");
+    long dirId = status.getFileId();
+    FileHandle handle = new FileHandle(dirId);
+
+    byte[] buffer = new byte[10];
+    for (int i = 0; i < 10; i++) {
+      buffer[i] = (byte) i;
+    }
+
+    WRITE3Request writeReq = new WRITE3Request(handle, 0, 10,
+        WriteStableHow.DATA_SYNC, ByteBuffer.wrap(buffer));
+    XDR xdr_req = new XDR();
+    writeReq.serialize(xdr_req);
+
+    // Attempt by an unpriviledged user should fail.
+    WRITE3Response response1 = nfsd.write(xdr_req.asReadOnlyWrap(),
+        null, 1, securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    WRITE3Response response2 = nfsd.write(xdr_req.asReadOnlyWrap(),
+        null, 1, securityHandler,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect response:", null, response2);
+  }
+
+  @Test(timeout = 60000)
+  public void testCreate() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
+    long dirId = status.getFileId();
+    XDR xdr_req = new XDR();
+    FileHandle handle = new FileHandle(dirId);
+    handle.serialize(xdr_req);
+    xdr_req.writeString("fubar");
+    xdr_req.writeInt(Nfs3Constant.CREATE_UNCHECKED);
+    SetAttr3 symAttr = new SetAttr3();
+    symAttr.serialize(xdr_req);
+
+    // Attempt by an unpriviledged user should fail.
+    CREATE3Response response1 = nfsd.create(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    CREATE3Response response2 = nfsd.create(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testMkdir() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
+    long dirId = status.getFileId();
+    XDR xdr_req = new XDR();
+    FileHandle handle = new FileHandle(dirId);
+    handle.serialize(xdr_req);
+    xdr_req.writeString("fubar");
+    SetAttr3 symAttr = new SetAttr3();
+    symAttr.serialize(xdr_req);
+    xdr_req.writeString("bar");
+
+    // Attempt to remove by an unpriviledged user should fail.
+    SYMLINK3Response response1 = nfsd.symlink(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt to remove by a priviledged user should pass.
+    SYMLINK3Response response2 = nfsd.symlink(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testSymlink() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
+    long dirId = status.getFileId();
+    XDR xdr_req = new XDR();
+    FileHandle handle = new FileHandle(dirId);
+    handle.serialize(xdr_req);
+    xdr_req.writeString("fubar");
+    SetAttr3 symAttr = new SetAttr3();
+    symAttr.serialize(xdr_req);
+    xdr_req.writeString("bar");
+
+    // Attempt by an unpriviledged user should fail.
+    SYMLINK3Response response1 = nfsd.symlink(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    SYMLINK3Response response2 = nfsd.symlink(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testRemove() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
+    long dirId = status.getFileId();
+    XDR xdr_req = new XDR();
+    FileHandle handle = new FileHandle(dirId);
+    handle.serialize(xdr_req);
+    xdr_req.writeString("bar");
+
+    // Attempt by an unpriviledged user should fail.
+    REMOVE3Response response1 = nfsd.remove(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    REMOVE3Response response2 = nfsd.remove(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testRmdir() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
+    long dirId = status.getFileId();
+    XDR xdr_req = new XDR();
+    FileHandle handle = new FileHandle(dirId);
+    handle.serialize(xdr_req);
+    xdr_req.writeString("foo");
+
+    // Attempt by an unpriviledged user should fail.
+    RMDIR3Response response1 = nfsd.rmdir(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    RMDIR3Response response2 = nfsd.rmdir(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testRename() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
+    long dirId = status.getFileId();
+    XDR xdr_req = new XDR();
+    FileHandle handle = new FileHandle(dirId);
+    handle.serialize(xdr_req);
+    xdr_req.writeString("bar");
+    handle.serialize(xdr_req);
+    xdr_req.writeString("fubar");
+
+    // Attempt by an unpriviledged user should fail.
+    RENAME3Response response1 = nfsd.rename(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    RENAME3Response response2 = nfsd.rename(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testReaddir() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
+    long dirId = status.getFileId();
+    FileHandle handle = new FileHandle(dirId);
+    XDR xdr_req = new XDR();
+    handle.serialize(xdr_req);
+    xdr_req.writeLongAsHyper(0);
+    xdr_req.writeLongAsHyper(0);
+    xdr_req.writeInt(100);
+
+    // Attempt by an unpriviledged user should fail.
+    READDIR3Response response1 = nfsd.readdir(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    READDIR3Response response2 = nfsd.readdir(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testReaddirplus() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
+    long dirId = status.getFileId();
+    FileHandle handle = new FileHandle(dirId);
+    XDR xdr_req = new XDR();
+    handle.serialize(xdr_req);
+    xdr_req.writeLongAsHyper(0);
+    xdr_req.writeLongAsHyper(0);
+    xdr_req.writeInt(3);
+    xdr_req.writeInt(2);
+
+    // Attempt by an unpriviledged user should fail.
+    READDIRPLUS3Response response1 = nfsd.readdirplus(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    READDIRPLUS3Response response2 = nfsd.readdirplus(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testFsstat() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo("/tmp/bar");
+    long dirId = status.getFileId();
+    FileHandle handle = new FileHandle(dirId);
+    XDR xdr_req = new XDR();
+    handle.serialize(xdr_req);
+
+    // Attempt by an unpriviledged user should fail.
+    FSSTAT3Response response1 = nfsd.fsstat(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    FSSTAT3Response response2 = nfsd.fsstat(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testFsinfo() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo("/tmp/bar");
+    long dirId = status.getFileId();
+    FileHandle handle = new FileHandle(dirId);
+    XDR xdr_req = new XDR();
+    handle.serialize(xdr_req);
+
+    // Attempt by an unpriviledged user should fail.
+    FSINFO3Response response1 = nfsd.fsinfo(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    FSINFO3Response response2 = nfsd.fsinfo(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testPathconf() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo("/tmp/bar");
+    long dirId = status.getFileId();
+    FileHandle handle = new FileHandle(dirId);
+    XDR xdr_req = new XDR();
+    handle.serialize(xdr_req);
+
+    // Attempt by an unpriviledged user should fail.
+    PATHCONF3Response response1 = nfsd.pathconf(xdr_req.asReadOnlyWrap(),
+        securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    PATHCONF3Response response2 = nfsd.pathconf(xdr_req.asReadOnlyWrap(),
+        securityHandler, new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
+        response2.getStatus());
+  }
+
+  @Test(timeout = 60000)
+  public void testCommit() throws Exception {
+    HdfsFileStatus status = nn.getRpcServer().getFileInfo("/tmp/bar");
+    long dirId = status.getFileId();
+    FileHandle handle = new FileHandle(dirId);
+    XDR xdr_req = new XDR();
+    handle.serialize(xdr_req);
+    xdr_req.writeLongAsHyper(0);
+    xdr_req.writeInt(5);
+
+    Channel ch = Mockito.mock(Channel.class);
+
+    // Attempt by an unpriviledged user should fail.
+    COMMIT3Response response1 = nfsd.commit(xdr_req.asReadOnlyWrap(),
+        ch, 1, securityHandlerUnpriviledged,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
+        response1.getStatus());
+
+    // Attempt by a priviledged user should pass.
+    COMMIT3Response response2 = nfsd.commit(xdr_req.asReadOnlyWrap(),
+        ch, 1, securityHandler,
+        new InetSocketAddress("localhost", 1234));
+    assertEquals("Incorrect COMMIT3Response:", null, response2);
+  }
+
   @Test(timeout=1000)
   public void testIdempotent() {
     Object[][] procedures = {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 3b2b5cea6f2..94e6e3fa6ea 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -437,6 +437,9 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-5185. DN fails to startup if one of the data dir is full. (vinayakumarb)
 
+    HDFS-6451. NFS should not return NFS3ERR_IO for AccessControlException 
+    (Abhiraj Butala via brandonli)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES

From ff189d9f31dbb6d6e8ccd8c3d31abe2972e730c6 Mon Sep 17 00:00:00 2001
From: Eric Yang <eyang@apache.org>
Date: Mon, 4 Aug 2014 17:44:41 +0000
Subject: [PATCH 122/354] HADOOP-10759. Remove hardcoded JAVA_HEAP_MAX. (Sam
 Liu via Eric Yang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615707 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 0a920f40c83..4a9492c975c 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -199,8 +199,6 @@ Trunk (Unreleased)
 
   BUG FIXES
 
-    HADOOP-10759. Remove hardcoded JAVA_HEAP_MAX. (Eric Yang)
-
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
     (Junping Du via llu)
 
@@ -658,6 +656,8 @@ Release 2.5.0 - UNRELEASED
 
   BUG FIXES 
 
+    HADOOP-10759. Remove hardcoded JAVA_HEAP_MAX. (Sam Liu via Eric Yang)
+
     HADOOP-10378. Typo in help printed by hdfs dfs -help.
     (Mit Desai via suresh)
 

From e2cb6e3c70e581f733968c582aecc43f7782a645 Mon Sep 17 00:00:00 2001
From: Brandon Li <brandonli@apache.org>
Date: Mon, 4 Aug 2014 21:30:42 +0000
Subject: [PATCH 123/354] commit the additional doc change for HDFS-6717

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615801 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm  | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
index 863ba39a739..4375895649b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
@@ -47,18 +47,21 @@ HDFS NFS Gateway
    The NFS-gateway uses proxy user to proxy all the users accessing the NFS mounts. 
    In non-secure mode, the user running the gateway is the proxy user, while in secure mode the
    user in Kerberos keytab is the proxy user. Suppose the proxy user is 'nfsserver'
-   and users belonging to the groups 'nfs-users1'
-   and 'nfs-users2' use the NFS mounts, then in core-site.xml of the NameNode, the following
+   and users belonging to the groups 'users-group1'
+   and 'users-group2' use the NFS mounts, then in core-site.xml of the NameNode, the following
    two properities must be set and only NameNode needs restart after the configuration change
    (NOTE: replace the string 'nfsserver' with the proxy user name in your cluster):
 
 ----
 <property>
   <name>hadoop.proxyuser.nfsserver.groups</name>
-  <value>nfs-users1,nfs-users2</value>
+  <value>root,users-group1,users-group2</value>
   <description>
-         The 'nfsserver' user is allowed to proxy all members of the 'nfs-users1' and 
-         'nfs-users2' groups. Set this to '*' to allow nfsserver user to proxy any group.
+         The 'nfsserver' user is allowed to proxy all members of the 'users-group1' and 
+         'users-group2' groups. Note that in most cases you will need to include the
+         group "root" because the user "root" (which usually belonges to "root" group) will
+         generally be the user that initially executes the mount on the NFS client system. 
+         Set this to '*' to allow nfsserver user to proxy any group.
   </description>
 </property>
 ----

From d7b5709bcb1db615fee56e2bb7acb9955a6f8cc2 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Mon, 4 Aug 2014 21:45:26 +0000
Subject: [PATCH 124/354] HADOOP-10928. Incorrect usage on . Contributed by
 Josh Elser.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615808 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt                | 3 +++
 .../java/org/apache/hadoop/security/alias/CredentialShell.java | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 4a9492c975c..6542cb7f84c 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -516,6 +516,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10876. The constructor of Path should not take an empty URL as a
     parameter. (Zhihai Xu via wang)
 
+    HADOOP-10928. Incorrect usage on `hadoop credential list`.
+    (Josh Elser via wang)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java
index 2c1a792d5a3..0ac39943179 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java
@@ -188,7 +188,7 @@ protected void warnIfTransientProvider() {
   }
 
   private class ListCommand extends Command {
-    public static final String USAGE = "list <alias> [-provider] [-help]";
+    public static final String USAGE = "list [-provider] [-help]";
     public static final String DESC =
         "The list subcommand displays the aliases contained within \n" +
         "a particular provider - as configured in core-site.xml or " +

From c8abf5f20a7ca802e3e7c93c8c5d260902cb4052 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 5 Aug 2014 00:20:30 +0000
Subject: [PATCH 125/354] HADOOP-10927. Fix CredentialShell help behavior and
 error codes. Contributed by Josh Elser.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615827 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  3 ++
 .../hadoop-common/src/main/bin/hadoop         |  1 +
 .../security/alias/CredentialShell.java       | 29 ++++++++++++-------
 .../hadoop/security/alias/TestCredShell.java  | 29 +++++++++++++++----
 4 files changed, 46 insertions(+), 16 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 6542cb7f84c..c9726dff072 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -519,6 +519,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10928. Incorrect usage on `hadoop credential list`.
     (Josh Elser via wang)
 
+    HADOOP-10927. Fix CredentialShell help behavior and error codes.
+    (Josh Elser via wang)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop b/hadoop-common-project/hadoop-common/src/main/bin/hadoop
index 55c843ff77d..b1e2018f611 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop
@@ -35,6 +35,7 @@ function print_usage(){
   echo "  distcp <srcurl> <desturl> copy file or directories recursively"
   echo "  archive -archiveName NAME -p <parent path> <src>* <dest> create a hadoop archive"
   echo "  classpath            prints the class path needed to get the"
+  echo "  credential           interact with credential providers"
   echo "                       Hadoop jar and the required libraries"
   echo "  daemonlog            get/set the log level for each daemon"
   echo " or"
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java
index 0ac39943179..6d9c6af2631 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialShell.java
@@ -67,11 +67,11 @@ public int run(String[] args) throws Exception {
       if (command.validate()) {
           command.execute();
       } else {
-        exitCode = -1;
+        exitCode = 1;
       }
     } catch (Exception e) {
       e.printStackTrace(err);
-      return -1;
+      return 1;
     }
     return exitCode;
   }
@@ -79,29 +79,36 @@ public int run(String[] args) throws Exception {
   /**
    * Parse the command line arguments and initialize the data
    * <pre>
-   * % hadoop alias create alias [-provider providerPath]
-   * % hadoop alias list [-provider providerPath]
-   * % hadoop alias delete alias [-provider providerPath] [-i]
+   * % hadoop credential create alias [-provider providerPath]
+   * % hadoop credential list [-provider providerPath]
+   * % hadoop credential delete alias [-provider providerPath] [-i]
    * </pre>
    * @param args
-   * @return
+   * @return 0 if the argument(s) were recognized, 1 otherwise
    * @throws IOException
    */
-  private int init(String[] args) throws IOException {
+  protected int init(String[] args) throws IOException {
+    // no args should print the help message
+    if (0 == args.length) {
+      printCredShellUsage();
+      ToolRunner.printGenericCommandUsage(System.err);
+      return 1;
+    }
+
     for (int i = 0; i < args.length; i++) { // parse command line
       if (args[i].equals("create")) {
         String alias = args[++i];
         command = new CreateCommand(alias);
         if (alias.equals("-help")) {
           printCredShellUsage();
-          return -1;
+          return 0;
         }
       } else if (args[i].equals("delete")) {
         String alias = args[++i];
         command = new DeleteCommand(alias);
         if (alias.equals("-help")) {
           printCredShellUsage();
-          return -1;
+          return 0;
         }
       } else if (args[i].equals("list")) {
         command = new ListCommand();
@@ -115,11 +122,11 @@ private int init(String[] args) throws IOException {
         value = args[++i];
       } else if (args[i].equals("-help")) {
         printCredShellUsage();
-        return -1;
+        return 0;
       } else {
         printCredShellUsage();
         ToolRunner.printGenericCommandUsage(System.err);
-        return -1;
+        return 1;
       }
     }
     return 0;
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/alias/TestCredShell.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/alias/TestCredShell.java
index 05eb7b8c2a0..b9f0dc937cb 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/alias/TestCredShell.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/alias/TestCredShell.java
@@ -17,16 +17,18 @@
  */
 package org.apache.hadoop.security.alias;
 
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.PrintStream;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 
 import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.alias.CredentialShell.PasswordReader;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -87,7 +89,7 @@ public void testInvalidProvider() throws Exception {
     CredentialShell cs = new CredentialShell();
     cs.setConf(new Configuration());
     rc = cs.run(args1);
-    assertEquals(-1, rc);
+    assertEquals(1, rc);
     assertTrue(outContent.toString().contains("There are no valid " +
     		"CredentialProviders configured."));
   }
@@ -122,7 +124,7 @@ public void testTransientProviderOnlyConfig() throws Exception {
     config.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, "user:///");
     cs.setConf(config);
     rc = cs.run(args1);
-    assertEquals(-1, rc);
+    assertEquals(1, rc);
     assertTrue(outContent.toString().contains("There are no valid " +
     		"CredentialProviders configured."));
   }
@@ -139,7 +141,7 @@ public void testPromptForCredentialWithEmptyPasswd() throws Exception {
     shell.setConf(new Configuration());
     shell.setPasswordReader(new MockPasswordReader(passwords));
     rc = shell.run(args1);
-    assertEquals(outContent.toString(), -1, rc);
+    assertEquals(outContent.toString(), 1, rc);
     assertTrue(outContent.toString().contains("Passwords don't match"));
   }
 
@@ -186,4 +188,21 @@ public void format(String message) {
       System.out.println(message);
     }
   }
+
+  @Test
+  public void testEmptyArgList() throws Exception {
+    CredentialShell shell = new CredentialShell();
+    shell.setConf(new Configuration());
+    assertEquals(1, shell.init(new String[0]));
+  }
+
+  @Test
+  public void testCommandHelpExitsNormally() throws Exception {
+    for (String cmd : Arrays.asList("create", "list", "delete")) {
+      CredentialShell shell = new CredentialShell();
+      shell.setConf(new Configuration());
+      assertEquals("Expected help argument on " + cmd + " to return 0",
+              0, shell.init(new String[] {cmd, "-help"}));
+    }
+  }
 }

From 513dc29ce833f574895a6c40036758ba16823942 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 5 Aug 2014 02:21:28 +0000
Subject: [PATCH 126/354] HADOOP-10937. Need to set version name correctly
 before decrypting EEK. Contributed by Arun Suresh.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615841 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt       |  3 +++
 .../hadoop/crypto/key/KeyProviderCryptoExtension.java | 11 ++++++++++-
 .../hadoop/crypto/key/kms/KMSClientProvider.java      |  2 +-
 .../crypto/key/TestKeyProviderCryptoExtension.java    | 11 +++++++++--
 4 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index c9726dff072..85aeaf40f45 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -522,6 +522,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10927. Fix CredentialShell help behavior and error codes.
     (Josh Elser via wang)
 
+    HADOOP-10937. Need to set version name correctly before decrypting EEK.
+    (Arun Suresh via wang)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
index 227e19b4841..e2b25ae8ed6 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
@@ -21,11 +21,13 @@
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
+
 import javax.crypto.Cipher;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 
 import com.google.common.base.Preconditions;
+
 import org.apache.hadoop.classification.InterfaceAudience;
 
 /**
@@ -97,7 +99,7 @@ protected EncryptedKeyVersion(String keyName,
     public static EncryptedKeyVersion createForDecryption(String
         encryptionKeyVersionName, byte[] encryptedKeyIv,
         byte[] encryptedKeyMaterial) {
-      KeyVersion encryptedKeyVersion = new KeyVersion(null, null,
+      KeyVersion encryptedKeyVersion = new KeyVersion(null, EEK,
           encryptedKeyMaterial);
       return new EncryptedKeyVersion(null, encryptionKeyVersionName,
           encryptedKeyIv, encryptedKeyVersion);
@@ -258,6 +260,13 @@ public KeyVersion decryptEncryptedKey(
           keyProvider.getKeyVersion(encryptionKeyVersionName);
       Preconditions.checkNotNull(encryptionKey,
           "KeyVersion name '%s' does not exist", encryptionKeyVersionName);
+      Preconditions.checkArgument(
+              encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
+                    .equals(KeyProviderCryptoExtension.EEK),
+                "encryptedKey version name must be '%s', is '%s'",
+                KeyProviderCryptoExtension.EEK,
+                encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
+            );
       final byte[] encryptionKeyMaterial = encryptionKey.getMaterial();
       // Encryption key IV is determined from encrypted key's IV
       final byte[] encryptionIV =
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index 06521a43591..c5624ee1c41 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -653,7 +653,7 @@ public KeyVersion decryptEncryptedKey(
         encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
             .equals(KeyProviderCryptoExtension.EEK),
         "encryptedKey version name must be '%s', is '%s'",
-        KeyProviderCryptoExtension.EK,
+        KeyProviderCryptoExtension.EEK,
         encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
     );
     checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java
index a0da98b4fc6..70ec6feaf10 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java
@@ -26,10 +26,10 @@
 import javax.crypto.spec.SecretKeySpec;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
-
 import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
@@ -118,8 +118,15 @@ public void testEncryptDecrypt() throws Exception {
         new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
             .deriveIV(encryptedKeyIv)));
     final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial);
+
+    // Test the createForDecryption factory method
+    EncryptedKeyVersion eek2 =
+        EncryptedKeyVersion.createForDecryption(
+            eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(),
+            eek.getEncryptedKeyVersion().getMaterial());
+
     // Decrypt it with the API
-    KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek);
+    KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2);
     final byte[] apiMaterial = decryptedKey.getMaterial();
 
     assertArrayEquals("Wrong key material from decryptEncryptedKey",

From b7e67db37238e775150180ff4de65da27a99e282 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 5 Aug 2014 02:32:44 +0000
Subject: [PATCH 127/354] HADOOP-10936. Change default KeyProvider bitlength to
 128. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615850 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt      |  2 ++
 .../org/apache/hadoop/crypto/key/KeyProvider.java    | 12 +++++++++++-
 .../java/org/apache/hadoop/crypto/key/KeyShell.java  |  5 +++--
 .../org/apache/hadoop/crypto/key/TestKeyShell.java   |  8 ++++----
 .../hadoop/crypto/key/kms/server/KMSWebApp.java      |  9 ++++++++-
 5 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 85aeaf40f45..f7f20ede41f 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -197,6 +197,8 @@ Trunk (Unreleased)
 
     HADOOP-10793. KeyShell args should use single-dash style. (wang)
 
+    HADOOP-10936. Change default KeyProvider bitlength to 128. (wang)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java
index 3576badada3..a34ae10a71a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java
@@ -54,7 +54,7 @@ public abstract class KeyProvider {
   public static final String DEFAULT_CIPHER = "AES/CTR/NoPadding";
   public static final String DEFAULT_BITLENGTH_NAME =
       "hadoop.security.key.default.bitlength";
-  public static final int DEFAULT_BITLENGTH = 256;
+  public static final int DEFAULT_BITLENGTH = 128;
 
   /**
    * The combination of both the key version name and the key material.
@@ -341,6 +341,16 @@ public String getDescription() {
     public Map<String, String> getAttributes() {
       return (attributes == null) ? Collections.EMPTY_MAP : attributes;
     }
+
+    @Override
+    public String toString() {
+      return "Options{" +
+          "cipher='" + cipher + '\'' +
+          ", bitLength=" + bitLength +
+          ", description='" + description + '\'' +
+          ", attributes=" + attributes +
+          '}';
+    }
   }
 
   /**
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyShell.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyShell.java
index 6d50c9168d8..1fb91c65e74 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyShell.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyShell.java
@@ -445,7 +445,7 @@ private class CreateCommand extends Command {
       "by the <keyname> argument within the provider specified by the\n" +
       "-provider argument. You may specify a cipher with the -cipher\n" +
       "argument. The default cipher is currently \"AES/CTR/NoPadding\".\n" +
-      "The default keysize is 256. You may specify the requested key\n" +
+      "The default keysize is 128. You may specify the requested key\n" +
       "length using the -size argument. Arbitrary attribute=value\n" +
       "style attributes may be specified using the -attr argument.\n" +
       "-attr may be specified multiple times, once per attribute.\n";
@@ -479,7 +479,8 @@ public void execute() throws IOException, NoSuchAlgorithmException {
       warnIfTransientProvider();
       try {
         provider.createKey(keyName, options);
-        out.println(keyName + " has been successfully created.");
+        out.println(keyName + " has been successfully created with options "
+            + options.toString() + ".");
         provider.flush();
         printProviderWritten();
       } catch (InvalidParameterException e) {
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyShell.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyShell.java
index 5981a2a6a38..d65d9b212be 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyShell.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyShell.java
@@ -110,7 +110,7 @@ public void testKeySuccessfulKeyLifecycle() throws Exception {
     rc = ks.run(args1);
     assertEquals(0, rc);
     assertTrue(outContent.toString().contains(keyName + " has been " +
-            "successfully created."));
+            "successfully created"));
 
     String listOut = listKeys(ks, false);
     assertTrue(listOut.contains(keyName));
@@ -145,7 +145,7 @@ public void testKeySuccessfulCreationWithDescription() throws Exception {
     rc = ks.run(args1);
     assertEquals(0, rc);
     assertTrue(outContent.toString().contains("key1 has been successfully " +
-        "created."));
+        "created"));
 
     String listOut = listKeys(ks, true);
     assertTrue(listOut.contains("description"));
@@ -233,7 +233,7 @@ public void testFullCipher() throws Exception {
     rc = ks.run(args1);
     assertEquals(0, rc);
     assertTrue(outContent.toString().contains(keyName + " has been " +
-            "successfully " +	"created."));
+            "successfully created"));
 
     deleteKey(ks, keyName);
   }
@@ -250,7 +250,7 @@ public void testAttributes() throws Exception {
     rc = ks.run(args1);
     assertEquals(0, rc);
     assertTrue(outContent.toString().contains("keyattr1 has been " +
-            "successfully " + "created."));
+            "successfully created"));
 
     /* ...and list to see that we have the attr */
     String listOut = listKeys(ks, true);
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
index 571ab965351..aaf90e8cff1 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
@@ -181,12 +181,19 @@ public void contextInitialized(ServletContextEvent sce) {
         keyProvider = new CachingKeyProvider(keyProvider, keyTimeOutMillis,
             currKeyTimeOutMillis);
       }
+      LOG.info("Initialized KeyProvider " + keyProvider);
+
       keyProviderCryptoExtension = KeyProviderCryptoExtension.
           createKeyProviderCryptoExtension(keyProvider);
       keyProviderCryptoExtension = 
           new EagerKeyGeneratorKeyProviderCryptoExtension(kmsConf, 
               keyProviderCryptoExtension);
-
+      LOG.info("Initialized KeyProviderCryptoExtension "
+          + keyProviderCryptoExtension);
+      final int defaultBitlength = kmsConf
+          .getInt(KeyProvider.DEFAULT_BITLENGTH_NAME,
+              KeyProvider.DEFAULT_BITLENGTH);
+      LOG.info("Default key bitlength is {}", defaultBitlength);
       LOG.info("KMS Started");
     } catch (Throwable ex) {
       System.out.println();

From b9984e59d832cd4673dd0edb260a1aa65bb8758d Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Tue, 5 Aug 2014 20:58:25 +0000
Subject: [PATCH 128/354] HADOOP-10918. JMXJsonServlet fails when used within
 Tomcat. (tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616002 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  2 ++
 .../org/apache/hadoop/http/HttpServer2.java   |  4 +--
 .../org/apache/hadoop/jmx/JMXJsonServlet.java |  9 +++--
 .../apache/hadoop/http/TestHttpServer.java    |  6 ++--
 .../crypto/key/kms/server/KMSJMXServlet.java  | 33 +++++++++++++++++++
 .../src/main/webapp/WEB-INF/web.xml           |  2 +-
 6 files changed, 48 insertions(+), 8 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index f7f20ede41f..601fe93fd20 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -527,6 +527,8 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10937. Need to set version name correctly before decrypting EEK.
     (Arun Suresh via wang)
 
+    HADOOP-10918. JMXJsonServlet fails when used within Tomcat. (tucu)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
index d2664dcf2b0..f84ade00374 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
@@ -1005,7 +1005,7 @@ public static boolean hasAdministratorAccess(
 
     String remoteUser = request.getRemoteUser();
     if (remoteUser == null) {
-      response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+      response.sendError(HttpServletResponse.SC_FORBIDDEN,
                          "Unauthenticated users are not " +
                          "authorized to access this page.");
       return false;
@@ -1013,7 +1013,7 @@ public static boolean hasAdministratorAccess(
 
     if (servletContext.getAttribute(ADMINS_ACL) != null &&
         !userHasAdministratorAccess(servletContext, remoteUser)) {
-      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
+      response.sendError(HttpServletResponse.SC_FORBIDDEN, "User "
           + remoteUser + " is unauthorized to access this page.");
       return false;
     }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
index 44ebbdd3f29..f775dd71beb 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
@@ -143,6 +143,12 @@ public void init() throws ServletException {
     jsonFactory = new JsonFactory();
   }
 
+  protected boolean isInstrumentationAccessAllowed(HttpServletRequest request, 
+      HttpServletResponse response) throws IOException {
+    return HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
+        request, response);
+  }
+  
   /**
    * Process a GET request for the specified resource.
    * 
@@ -154,8 +160,7 @@ public void init() throws ServletException {
   @Override
   public void doGet(HttpServletRequest request, HttpServletResponse response) {
     try {
-      if (!HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
-                                                     request, response)) {
+      if (!isInstrumentationAccessAllowed(request, response)) {
         return;
       }
       JsonGenerator jg = null;
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
index 64823fd7431..ac03968c2d4 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
@@ -414,7 +414,7 @@ public void testAuthorizationOfDefaultServlets() throws Exception {
         assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
             + servlet, user));
       }
-      assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, getHttpStatusCode(
+      assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getHttpStatusCode(
           serverURL + servlet, "userE"));
     }
     myServer.stop();
@@ -474,7 +474,7 @@ public void testHasAdministratorAccess() throws Exception {
     response = Mockito.mock(HttpServletResponse.class);
     conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
     Assert.assertFalse(HttpServer2.hasAdministratorAccess(context, request, response));
-    Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());
+    Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_FORBIDDEN), Mockito.anyString());
 
     //authorization ON & user NOT NULL & ACLs NULL
     response = Mockito.mock(HttpServletResponse.class);
@@ -487,7 +487,7 @@ public void testHasAdministratorAccess() throws Exception {
     Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false);
     Mockito.when(context.getAttribute(HttpServer2.ADMINS_ACL)).thenReturn(acls);
     Assert.assertFalse(HttpServer2.hasAdministratorAccess(context, request, response));
-    Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());
+    Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_FORBIDDEN), Mockito.anyString());
 
     //authorization ON & user NOT NULL & ACLs NOT NULL & user in in ACLs
     response = Mockito.mock(HttpServletResponse.class);
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java
new file mode 100644
index 00000000000..c8556af193e
--- /dev/null
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import org.apache.hadoop.jmx.JMXJsonServlet;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class KMSJMXServlet extends JMXJsonServlet {
+
+  @Override
+  protected boolean isInstrumentationAccessAllowed(HttpServletRequest request,
+      HttpServletResponse response) throws IOException {
+    return true;
+  }
+}
diff --git a/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml b/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml
index 4ec5cffc8a6..d081764217e 100644
--- a/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml
+++ b/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml
@@ -42,7 +42,7 @@
 
   <servlet>
     <servlet-name>jmx-servlet</servlet-name>
-    <servlet-class>org.apache.hadoop.jmx.JMXJsonServlet</servlet-class>
+    <servlet-class>org.apache.hadoop.crypto.key.kms.server.KMSJMXServlet</servlet-class>
   </servlet>
 
   <servlet-mapping>

From 2d7dcff6f42020cb91c58c5dd460d030188b8a18 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Tue, 5 Aug 2014 21:21:03 +0000
Subject: [PATCH 129/354] HADOOP-10791. AuthenticationFilter should support
 externalizing the secret for signing and provide rotation support. (rkanter
 via tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616005 13f79535-47bb-0310-9956-ffa450edef68
---
 .../dev-support/findbugsExcludeFile.xml       |  38 +++++
 hadoop-common-project/hadoop-auth/pom.xml     |   7 +
 .../server/AuthenticationFilter.java          |  80 +++++++++-
 .../util/RandomSignerSecretProvider.java      |  49 ++++++
 .../util/RolloverSignerSecretProvider.java    | 139 ++++++++++++++++++
 .../security/authentication/util/Signer.java  |  46 ++++--
 .../util/SignerSecretProvider.java            |  62 ++++++++
 .../util/StringSignerSecretProvider.java      |  49 ++++++
 .../server/TestAuthenticationFilter.java      | 118 ++++++++++++++-
 .../util/TestRandomSignerSecretProvider.java  |  63 ++++++++
 .../TestRolloverSignerSecretProvider.java     |  79 ++++++++++
 .../authentication/util/TestSigner.java       |  85 +++++++++--
 .../util/TestStringSignerSecretProvider.java  |  33 +++++
 .../hadoop-common/CHANGES.txt                 |   3 +
 .../fs/http/server/TestHttpFSServer.java      |   3 +-
 15 files changed, 807 insertions(+), 47 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-auth/dev-support/findbugsExcludeFile.xml
 create mode 100644 hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/RandomSignerSecretProvider.java
 create mode 100644 hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/RolloverSignerSecretProvider.java
 create mode 100644 hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/SignerSecretProvider.java
 create mode 100644 hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/StringSignerSecretProvider.java
 create mode 100644 hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestRandomSignerSecretProvider.java
 create mode 100644 hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestRolloverSignerSecretProvider.java
 create mode 100644 hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestStringSignerSecretProvider.java

diff --git a/hadoop-common-project/hadoop-auth/dev-support/findbugsExcludeFile.xml b/hadoop-common-project/hadoop-auth/dev-support/findbugsExcludeFile.xml
new file mode 100644
index 00000000000..1ecf37a5776
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/dev-support/findbugsExcludeFile.xml
@@ -0,0 +1,38 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<FindBugsFilter>
+  <!--
+    Caller is not supposed to modify returned values even though there's nothing
+    stopping them; we do this for performance reasons.
+  -->
+  <Match>
+    <Class name="org.apache.hadoop.security.authentication.util.RolloverSignerSecretProvider" />
+    <Method name="getAllSecrets" />
+    <Bug pattern="EI_EXPOSE_REP" />
+  </Match>
+  <Match>
+    <Class name="org.apache.hadoop.security.authentication.util.StringSignerSecretProvider" />
+    <Method name="getAllSecrets" />
+    <Bug pattern="EI_EXPOSE_REP" />
+  </Match>
+  <Match>
+    <Class name="org.apache.hadoop.security.authentication.util.StringSignerSecretProvider" />
+    <Method name="getCurrentSecret" />
+    <Bug pattern="EI_EXPOSE_REP" />
+  </Match>
+
+</FindBugsFilter>
diff --git a/hadoop-common-project/hadoop-auth/pom.xml b/hadoop-common-project/hadoop-auth/pom.xml
index a501799ea15..b3f83e34d66 100644
--- a/hadoop-common-project/hadoop-auth/pom.xml
+++ b/hadoop-common-project/hadoop-auth/pom.xml
@@ -150,6 +150,13 @@
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>findbugs-maven-plugin</artifactId>
+        <configuration>
+          <excludeFilterFile>${basedir}/dev-support/findbugsExcludeFile.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
     </plugins>
   </build>
 
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
index b4e0270d316..2a5d4aef85c 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
@@ -19,6 +19,9 @@
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.util.Signer;
 import org.apache.hadoop.security.authentication.util.SignerException;
+import org.apache.hadoop.security.authentication.util.RandomSignerSecretProvider;
+import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
+import org.apache.hadoop.security.authentication.util.StringSignerSecretProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -107,11 +110,28 @@ public class AuthenticationFilter implements Filter {
    */
   public static final String COOKIE_PATH = "cookie.path";
 
-  private static final Random RAN = new Random();
+  /**
+   * Constant for the configuration property that indicates the name of the
+   * SignerSecretProvider class to use.  If not specified, SIGNATURE_SECRET
+   * will be used or a random secret.
+   */
+  public static final String SIGNER_SECRET_PROVIDER_CLASS =
+          "signer.secret.provider";
+
+  /**
+   * Constant for the attribute that can be used for providing a custom
+   * object that subclasses the SignerSecretProvider.  Note that this should be
+   * set in the ServletContext and the class should already be initialized.  
+   * If not specified, SIGNER_SECRET_PROVIDER_CLASS will be used.
+   */
+  public static final String SIGNATURE_PROVIDER_ATTRIBUTE =
+      "org.apache.hadoop.security.authentication.util.SignerSecretProvider";
 
   private Signer signer;
+  private SignerSecretProvider secretProvider;
   private AuthenticationHandler authHandler;
   private boolean randomSecret;
+  private boolean customSecretProvider;
   private long validity;
   private String cookieDomain;
   private String cookiePath;
@@ -159,14 +179,46 @@ public void init(FilterConfig filterConfig) throws ServletException {
     } catch (IllegalAccessException ex) {
       throw new ServletException(ex);
     }
-    String signatureSecret = config.getProperty(configPrefix + SIGNATURE_SECRET);
-    if (signatureSecret == null) {
-      signatureSecret = Long.toString(RAN.nextLong());
-      randomSecret = true;
-      LOG.warn("'signature.secret' configuration not set, using a random value as secret");
+
+    validity = Long.parseLong(config.getProperty(AUTH_TOKEN_VALIDITY, "36000"))
+        * 1000; //10 hours
+    secretProvider = (SignerSecretProvider) filterConfig.getServletContext().
+        getAttribute(SIGNATURE_PROVIDER_ATTRIBUTE);
+    if (secretProvider == null) {
+      String signerSecretProviderClassName =
+          config.getProperty(configPrefix + SIGNER_SECRET_PROVIDER_CLASS, null);
+      if (signerSecretProviderClassName == null) {
+        String signatureSecret =
+            config.getProperty(configPrefix + SIGNATURE_SECRET, null);
+        if (signatureSecret != null) {
+          secretProvider = new StringSignerSecretProvider(signatureSecret);
+        } else {
+          secretProvider = new RandomSignerSecretProvider();
+          randomSecret = true;
+        }
+      } else {
+        try {
+          Class<?> klass = Thread.currentThread().getContextClassLoader().
+              loadClass(signerSecretProviderClassName);
+          secretProvider = (SignerSecretProvider) klass.newInstance();
+          customSecretProvider = true;
+        } catch (ClassNotFoundException ex) {
+          throw new ServletException(ex);
+        } catch (InstantiationException ex) {
+          throw new ServletException(ex);
+        } catch (IllegalAccessException ex) {
+          throw new ServletException(ex);
+        }
+      }
+      try {
+        secretProvider.init(config, validity);
+      } catch (Exception ex) {
+        throw new ServletException(ex);
+      }
+    } else {
+      customSecretProvider = true;
     }
-    signer = new Signer(signatureSecret.getBytes());
-    validity = Long.parseLong(config.getProperty(AUTH_TOKEN_VALIDITY, "36000")) * 1000; //10 hours
+    signer = new Signer(secretProvider);
 
     cookieDomain = config.getProperty(COOKIE_DOMAIN, null);
     cookiePath = config.getProperty(COOKIE_PATH, null);
@@ -190,6 +242,15 @@ protected boolean isRandomSecret() {
     return randomSecret;
   }
 
+  /**
+   * Returns if a custom implementation of a SignerSecretProvider is being used.
+   *
+   * @return if a custom implementation of a SignerSecretProvider is being used.
+   */
+  protected boolean isCustomSignerSecretProvider() {
+    return customSecretProvider;
+  }
+
   /**
    * Returns the validity time of the generated tokens.
    *
@@ -228,6 +289,9 @@ public void destroy() {
       authHandler.destroy();
       authHandler = null;
     }
+    if (secretProvider != null) {
+      secretProvider.destroy();
+    }
   }
 
   /**
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/RandomSignerSecretProvider.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/RandomSignerSecretProvider.java
new file mode 100644
index 00000000000..5491a8671bf
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/RandomSignerSecretProvider.java
@@ -0,0 +1,49 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+package org.apache.hadoop.security.authentication.util;
+
+import java.util.Random;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+/**
+ * A SignerSecretProvider that uses a random number as it's secret.  It rolls
+ * the secret at a regular interval.
+ */
+@InterfaceStability.Unstable
+@InterfaceAudience.Private
+public class RandomSignerSecretProvider extends RolloverSignerSecretProvider {
+
+  private final Random rand;
+
+  public RandomSignerSecretProvider() {
+    super();
+    rand = new Random();
+  }
+
+  /**
+   * This constructor lets you set the seed of the Random Number Generator and
+   * is meant for testing.
+   * @param seed the seed for the random number generator
+   */
+  public RandomSignerSecretProvider(long seed) {
+    super();
+    rand = new Random(seed);
+  }
+
+  @Override
+  protected byte[] generateNewSecret() {
+    return Long.toString(rand.nextLong()).getBytes();
+  }
+}
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/RolloverSignerSecretProvider.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/RolloverSignerSecretProvider.java
new file mode 100644
index 00000000000..ec6e601b4d9
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/RolloverSignerSecretProvider.java
@@ -0,0 +1,139 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+package org.apache.hadoop.security.authentication.util;
+
+import java.util.Properties;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * An abstract SignerSecretProvider that can be use used as the base for a
+ * rolling secret.  The secret will roll over at the same interval as the token
+ * validity, so there are only ever a maximum of two valid secrets at any
+ * given time.  This class handles storing and returning the secrets, as well
+ * as the rolling over.  At a minimum, subclasses simply need to implement the
+ * generateNewSecret() method.  More advanced implementations can override
+ * other methods to provide more advanced behavior, but should be careful when
+ * doing so.
+ */
+@InterfaceStability.Unstable
+@InterfaceAudience.Private
+public abstract class RolloverSignerSecretProvider
+    extends SignerSecretProvider {
+
+  private static Logger LOG = LoggerFactory.getLogger(
+    RolloverSignerSecretProvider.class);
+  /**
+   * Stores the currently valid secrets.  The current secret is the 0th element
+   * in the array.
+   */
+  private volatile byte[][] secrets;
+  private ScheduledExecutorService scheduler;
+  private boolean schedulerRunning;
+  private boolean isDestroyed;
+
+  public RolloverSignerSecretProvider() {
+    schedulerRunning = false;
+    isDestroyed = false;
+  }
+
+  /**
+   * Initialize the SignerSecretProvider.  It initializes the current secret
+   * and starts the scheduler for the rollover to run at an interval of
+   * tokenValidity.
+   * @param config filter configuration
+   * @param tokenValidity The amount of time a token is valid for
+   * @throws Exception
+   */
+  @Override
+  public void init(Properties config, long tokenValidity) throws Exception {
+    initSecrets(generateNewSecret(), null);
+    startScheduler(tokenValidity, tokenValidity);
+  }
+
+  /**
+   * Initializes the secrets array.  This should typically be called only once,
+   * during init but some implementations may wish to call it other times.
+   * previousSecret can be null if there isn't a previous secret, but
+   * currentSecret should never be null.
+   * @param currentSecret The current secret
+   * @param previousSecret The previous secret
+   */
+  protected void initSecrets(byte[] currentSecret, byte[] previousSecret) {
+    secrets = new byte[][]{currentSecret, previousSecret};
+  }
+
+  /**
+   * Starts the scheduler for the rollover to run at an interval.
+   * @param initialDelay The initial delay in the rollover in milliseconds
+   * @param period The interval for the rollover in milliseconds
+   */
+  protected synchronized void startScheduler(long initialDelay, long period) {
+    if (!schedulerRunning) {
+      schedulerRunning = true;
+      scheduler = Executors.newSingleThreadScheduledExecutor();
+      scheduler.scheduleAtFixedRate(new Runnable() {
+        @Override
+        public void run() {
+          rollSecret();
+        }
+      }, initialDelay, period, TimeUnit.MILLISECONDS);
+    }
+  }
+
+  @Override
+  public synchronized void destroy() {
+    if (!isDestroyed) {
+      isDestroyed = true;
+      if (scheduler != null) {
+        scheduler.shutdown();
+      }
+      schedulerRunning = false;
+      super.destroy();
+    }
+  }
+
+  /**
+   * Rolls the secret.  It is called automatically at the rollover interval.
+   */
+  protected synchronized void rollSecret() {
+    if (!isDestroyed) {
+      LOG.debug("rolling secret");
+      byte[] newSecret = generateNewSecret();
+      secrets = new byte[][]{newSecret, secrets[0]};
+    }
+  }
+
+  /**
+   * Subclasses should implement this to return a new secret.  It will be called
+   * automatically at the secret rollover interval. It should never return null.
+   * @return a new secret
+   */
+  protected abstract byte[] generateNewSecret();
+
+  @Override
+  public byte[] getCurrentSecret() {
+    return secrets[0];
+  }
+
+  @Override
+  public byte[][] getAllSecrets() {
+    return secrets;
+  }
+}
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/Signer.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/Signer.java
index 10c9a8e2385..e29301bc4ba 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/Signer.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/Signer.java
@@ -24,18 +24,19 @@
 public class Signer {
   private static final String SIGNATURE = "&s=";
 
-  private byte[] secret;
+  private SignerSecretProvider secretProvider;
 
   /**
-   * Creates a Signer instance using the specified secret.
+   * Creates a Signer instance using the specified SignerSecretProvider.  The
+   * SignerSecretProvider should already be initialized.
    *
-   * @param secret secret to use for creating the digest.
+   * @param secretProvider The SignerSecretProvider to use
    */
-  public Signer(byte[] secret) {
-    if (secret == null) {
-      throw new IllegalArgumentException("secret cannot be NULL");
+  public Signer(SignerSecretProvider secretProvider) {
+    if (secretProvider == null) {
+      throw new IllegalArgumentException("secretProvider cannot be NULL");
     }
-    this.secret = secret.clone();
+    this.secretProvider = secretProvider;
   }
 
   /**
@@ -47,11 +48,12 @@ public Signer(byte[] secret) {
    *
    * @return the signed string.
    */
-  public String sign(String str) {
+  public synchronized String sign(String str) {
     if (str == null || str.length() == 0) {
       throw new IllegalArgumentException("NULL or empty string to sign");
     }
-    String signature = computeSignature(str);
+    byte[] secret = secretProvider.getCurrentSecret();
+    String signature = computeSignature(secret, str);
     return str + SIGNATURE + signature;
   }
 
@@ -71,21 +73,19 @@ public String verifyAndExtract(String signedStr) throws SignerException {
     }
     String originalSignature = signedStr.substring(index + SIGNATURE.length());
     String rawValue = signedStr.substring(0, index);
-    String currentSignature = computeSignature(rawValue);
-    if (!originalSignature.equals(currentSignature)) {
-      throw new SignerException("Invalid signature");
-    }
+    checkSignatures(rawValue, originalSignature);
     return rawValue;
   }
 
   /**
    * Returns then signature of a string.
    *
+   * @param secret The secret to use
    * @param str string to sign.
    *
    * @return the signature for the string.
    */
-  protected String computeSignature(String str) {
+  protected String computeSignature(byte[] secret, String str) {
     try {
       MessageDigest md = MessageDigest.getInstance("SHA");
       md.update(str.getBytes());
@@ -97,4 +97,22 @@ protected String computeSignature(String str) {
     }
   }
 
+  protected void checkSignatures(String rawValue, String originalSignature)
+      throws SignerException {
+    boolean isValid = false;
+    byte[][] secrets = secretProvider.getAllSecrets();
+    for (int i = 0; i < secrets.length; i++) {
+      byte[] secret = secrets[i];
+      if (secret != null) {
+        String currentSignature = computeSignature(secret, rawValue);
+        if (originalSignature.equals(currentSignature)) {
+          isValid = true;
+          break;
+        }
+      }
+    }
+    if (!isValid) {
+      throw new SignerException("Invalid signature");
+    }
+  }
 }
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/SignerSecretProvider.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/SignerSecretProvider.java
new file mode 100644
index 00000000000..a4d98d784f8
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/SignerSecretProvider.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+package org.apache.hadoop.security.authentication.util;
+
+import java.util.Properties;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+/**
+ * The SignerSecretProvider is an abstract way to provide a secret to be used
+ * by the Signer so that we can have different implementations that potentially
+ * do more complicated things in the backend.
+ * See the RolloverSignerSecretProvider class for an implementation that
+ * supports rolling over the secret at a regular interval.
+ */
+@InterfaceStability.Unstable
+@InterfaceAudience.Private
+public abstract class SignerSecretProvider {
+
+  /**
+   * Initialize the SignerSecretProvider
+   * @param config filter configuration
+   * @param tokenValidity The amount of time a token is valid for
+   * @throws Exception
+   */
+  public abstract void init(Properties config, long tokenValidity)
+      throws Exception;
+
+  /**
+   * Will be called on shutdown; subclasses should perform any cleanup here.
+   */
+  public void destroy() {}
+
+  /**
+   * Returns the current secret to be used by the Signer for signing new
+   * cookies.  This should never return null.
+   * <p>
+   * Callers should be careful not to modify the returned value.
+   * @return the current secret
+   */
+  public abstract byte[] getCurrentSecret();
+
+  /**
+   * Returns all secrets that a cookie could have been signed with and are still
+   * valid; this should include the secret returned by getCurrentSecret().
+   * <p>
+   * Callers should be careful not to modify the returned value.
+   * @return the secrets
+   */
+  public abstract byte[][] getAllSecrets();
+}
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/StringSignerSecretProvider.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/StringSignerSecretProvider.java
new file mode 100644
index 00000000000..230059b645b
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/StringSignerSecretProvider.java
@@ -0,0 +1,49 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+package org.apache.hadoop.security.authentication.util;
+
+import java.util.Properties;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+/**
+ * A SignerSecretProvider that simply creates a secret based on a given String.
+ */
+@InterfaceStability.Unstable
+@InterfaceAudience.Private
+public class StringSignerSecretProvider extends SignerSecretProvider {
+
+  private byte[] secret;
+  private byte[][] secrets;
+
+  public StringSignerSecretProvider(String secretStr) {
+    secret = secretStr.getBytes();
+    secrets = new byte[][]{secret};
+  }
+
+  @Override
+  public void init(Properties config, long tokenValidity) throws Exception {
+    // do nothing
+  }
+
+  @Override
+  public byte[] getCurrentSecret() {
+    return secret;
+  }
+
+  @Override
+  public byte[][] getAllSecrets() {
+    return secrets;
+  }
+}
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
index 2cc36587c85..a9a5e8c738f 100644
--- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
@@ -23,6 +23,7 @@
 
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
@@ -33,6 +34,8 @@
 import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.util.Signer;
+import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
+import org.apache.hadoop.security.authentication.util.StringSignerSecretProvider;
 import org.junit.Assert;
 import org.junit.Test;
 import org.mockito.Mockito;
@@ -157,9 +160,14 @@ public void testInit() throws Exception {
       Mockito.when(config.getInitParameterNames()).thenReturn(
         new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                                  AuthenticationFilter.AUTH_TOKEN_VALIDITY)).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
       Assert.assertEquals(PseudoAuthenticationHandler.class, filter.getAuthenticationHandler().getClass());
       Assert.assertTrue(filter.isRandomSecret());
+      Assert.assertFalse(filter.isCustomSignerSecretProvider());
       Assert.assertNull(filter.getCookieDomain());
       Assert.assertNull(filter.getCookiePath());
       Assert.assertEquals(TOKEN_VALIDITY_SEC, filter.getValidity());
@@ -167,6 +175,26 @@ public void testInit() throws Exception {
       filter.destroy();
     }
 
+    // string secret
+    filter = new AuthenticationFilter();
+    try {
+      FilterConfig config = Mockito.mock(FilterConfig.class);
+      Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE)).thenReturn("simple");
+      Mockito.when(config.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET)).thenReturn("secret");
+      Mockito.when(config.getInitParameterNames()).thenReturn(
+        new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
+                                 AuthenticationFilter.SIGNATURE_SECRET)).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
+      filter.init(config);
+      Assert.assertFalse(filter.isRandomSecret());
+      Assert.assertFalse(filter.isCustomSignerSecretProvider());
+    } finally {
+      filter.destroy();
+    }
+
     // custom secret
     filter = new AuthenticationFilter();
     try {
@@ -176,8 +204,26 @@ public void testInit() throws Exception {
       Mockito.when(config.getInitParameterNames()).thenReturn(
         new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                                  AuthenticationFilter.SIGNATURE_SECRET)).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(
+            new SignerSecretProvider() {
+              @Override
+              public void init(Properties config, long tokenValidity) {
+              }
+              @Override
+              public byte[] getCurrentSecret() {
+                return null;
+              }
+              @Override
+              public byte[][] getAllSecrets() {
+                return null;
+              }
+            });
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
       Assert.assertFalse(filter.isRandomSecret());
+      Assert.assertTrue(filter.isCustomSignerSecretProvider());
     } finally {
       filter.destroy();
     }
@@ -193,6 +239,10 @@ public void testInit() throws Exception {
         new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                                  AuthenticationFilter.COOKIE_DOMAIN,
                                  AuthenticationFilter.COOKIE_PATH)).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
       Assert.assertEquals(".foo.com", filter.getCookieDomain());
       Assert.assertEquals("/bar", filter.getCookiePath());
@@ -213,6 +263,10 @@ public void testInit() throws Exception {
         new Vector<String>(
           Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                         "management.operation.return")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
       Assert.assertTrue(DummyAuthenticationHandler.init);
     } finally {
@@ -248,6 +302,10 @@ public void testInitCaseSensitivity() throws Exception {
       Mockito.when(config.getInitParameterNames()).thenReturn(
           new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
               AuthenticationFilter.AUTH_TOKEN_VALIDITY)).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
 
       filter.init(config);
       Assert.assertEquals(PseudoAuthenticationHandler.class, 
@@ -270,6 +328,10 @@ public void testGetRequestURL() throws Exception {
         new Vector<String>(
           Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                         "management.operation.return")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
 
       HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@@ -297,11 +359,15 @@ public void testGetToken() throws Exception {
           Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                         AuthenticationFilter.SIGNATURE_SECRET,
                         "management.operation.return")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
 
       AuthenticationToken token = new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
       token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
-      Signer signer = new Signer("secret".getBytes());
+      Signer signer = new Signer(new StringSignerSecretProvider("secret"));
       String tokenSigned = signer.sign(token.toString());
 
       Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
@@ -330,12 +396,16 @@ public void testGetTokenExpired() throws Exception {
           Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                         AuthenticationFilter.SIGNATURE_SECRET,
                         "management.operation.return")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
 
       AuthenticationToken token =
           new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
       token.setExpires(System.currentTimeMillis() - TOKEN_VALIDITY_SEC);
-      Signer signer = new Signer("secret".getBytes());
+      Signer signer = new Signer(new StringSignerSecretProvider("secret"));
       String tokenSigned = signer.sign(token.toString());
 
       Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
@@ -371,11 +441,15 @@ public void testGetTokenInvalidType() throws Exception {
           Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                         AuthenticationFilter.SIGNATURE_SECRET,
                         "management.operation.return")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
 
       AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype");
       token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
-      Signer signer = new Signer("secret".getBytes());
+      Signer signer = new Signer(new StringSignerSecretProvider("secret"));
       String tokenSigned = signer.sign(token.toString());
 
       Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
@@ -409,6 +483,10 @@ public void testDoFilterNotAuthenticated() throws Exception {
         new Vector<String>(
           Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                         "management.operation.return")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
 
       HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@@ -458,6 +536,10 @@ private void _testDoFilterAuthentication(boolean withDomainPath,
             AuthenticationFilter.AUTH_TOKEN_VALIDITY,
             AuthenticationFilter.SIGNATURE_SECRET, "management.operation" +
             ".return", "expired.token")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
 
     if (withDomainPath) {
       Mockito.when(config.getInitParameter(AuthenticationFilter
@@ -511,7 +593,7 @@ public Object answer(InvocationOnMock invocation) throws Throwable {
         Mockito.verify(chain).doFilter(Mockito.any(ServletRequest.class),
                 Mockito.any(ServletResponse.class));
 
-        Signer signer = new Signer("secret".getBytes());
+        Signer signer = new Signer(new StringSignerSecretProvider("secret"));
         String value = signer.verifyAndExtract(v);
         AuthenticationToken token = AuthenticationToken.parse(value);
         assertThat(token.getExpires(), not(0L));
@@ -578,6 +660,10 @@ public void testDoFilterAuthenticated() throws Exception {
         new Vector<String>(
           Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                         "management.operation.return")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
 
       HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@@ -585,7 +671,7 @@ public void testDoFilterAuthenticated() throws Exception {
 
       AuthenticationToken token = new AuthenticationToken("u", "p", "t");
       token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
-      Signer signer = new Signer("secret".getBytes());
+      Signer signer = new Signer(new StringSignerSecretProvider("secret"));
       String tokenSigned = signer.sign(token.toString());
 
       Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
@@ -628,6 +714,10 @@ public void testDoFilterAuthenticationFailure() throws Exception {
         new Vector<String>(
           Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                         "management.operation.return")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
 
       HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@@ -691,6 +781,10 @@ public void testDoFilterAuthenticatedExpired() throws Exception {
           Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                         AuthenticationFilter.SIGNATURE_SECRET,
                         "management.operation.return")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
 
       HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@@ -698,7 +792,7 @@ public void testDoFilterAuthenticatedExpired() throws Exception {
 
       AuthenticationToken token = new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
       token.setExpires(System.currentTimeMillis() - TOKEN_VALIDITY_SEC);
-      Signer signer = new Signer(secret.getBytes());
+      Signer signer = new Signer(new StringSignerSecretProvider(secret));
       String tokenSigned = signer.sign(token.toString());
 
       Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
@@ -758,6 +852,10 @@ public void testDoFilterAuthenticatedInvalidType() throws Exception {
           Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                         AuthenticationFilter.SIGNATURE_SECRET,
                         "management.operation.return")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
 
       HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@@ -765,7 +863,7 @@ public void testDoFilterAuthenticatedInvalidType() throws Exception {
 
       AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype");
       token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
-      Signer signer = new Signer(secret.getBytes());
+      Signer signer = new Signer(new StringSignerSecretProvider(secret));
       String tokenSigned = signer.sign(token.toString());
 
       Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
@@ -793,6 +891,10 @@ public void testManagementOperation() throws Exception {
         new Vector<String>(
           Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                         "management.operation.return")).elements());
+      ServletContext context = Mockito.mock(ServletContext.class);
+      Mockito.when(context.getAttribute(
+          AuthenticationFilter.SIGNATURE_PROVIDER_ATTRIBUTE)).thenReturn(null);
+      Mockito.when(config.getServletContext()).thenReturn(context);
       filter.init(config);
 
       HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@@ -812,7 +914,7 @@ public void testManagementOperation() throws Exception {
 
       AuthenticationToken token = new AuthenticationToken("u", "p", "t");
       token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
-      Signer signer = new Signer("secret".getBytes());
+      Signer signer = new Signer(new StringSignerSecretProvider("secret"));
       String tokenSigned = signer.sign(token.toString());
       Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
       Mockito.when(request.getCookies()).thenReturn(new Cookie[]{cookie});
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestRandomSignerSecretProvider.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestRandomSignerSecretProvider.java
new file mode 100644
index 00000000000..c3384ad03bf
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestRandomSignerSecretProvider.java
@@ -0,0 +1,63 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+package org.apache.hadoop.security.authentication.util;
+
+import java.util.Random;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestRandomSignerSecretProvider {
+
+  @Test
+  public void testGetAndRollSecrets() throws Exception {
+    long rolloverFrequency = 15 * 1000; // rollover every 15 sec
+    // use the same seed so we can predict the RNG
+    long seed = System.currentTimeMillis();
+    Random rand = new Random(seed);
+    byte[] secret1 = Long.toString(rand.nextLong()).getBytes();
+    byte[] secret2 = Long.toString(rand.nextLong()).getBytes();
+    byte[] secret3 = Long.toString(rand.nextLong()).getBytes();
+    RandomSignerSecretProvider secretProvider =
+        new RandomSignerSecretProvider(seed);
+    try {
+      secretProvider.init(null, rolloverFrequency);
+
+      byte[] currentSecret = secretProvider.getCurrentSecret();
+      byte[][] allSecrets = secretProvider.getAllSecrets();
+      Assert.assertArrayEquals(secret1, currentSecret);
+      Assert.assertEquals(2, allSecrets.length);
+      Assert.assertArrayEquals(secret1, allSecrets[0]);
+      Assert.assertNull(allSecrets[1]);
+      Thread.sleep(rolloverFrequency + 2000);
+
+      currentSecret = secretProvider.getCurrentSecret();
+      allSecrets = secretProvider.getAllSecrets();
+      Assert.assertArrayEquals(secret2, currentSecret);
+      Assert.assertEquals(2, allSecrets.length);
+      Assert.assertArrayEquals(secret2, allSecrets[0]);
+      Assert.assertArrayEquals(secret1, allSecrets[1]);
+      Thread.sleep(rolloverFrequency + 2000);
+
+      currentSecret = secretProvider.getCurrentSecret();
+      allSecrets = secretProvider.getAllSecrets();
+      Assert.assertArrayEquals(secret3, currentSecret);
+      Assert.assertEquals(2, allSecrets.length);
+      Assert.assertArrayEquals(secret3, allSecrets[0]);
+      Assert.assertArrayEquals(secret2, allSecrets[1]);
+      Thread.sleep(rolloverFrequency + 2000);
+    } finally {
+      secretProvider.destroy();
+    }
+  }
+}
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestRolloverSignerSecretProvider.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestRolloverSignerSecretProvider.java
new file mode 100644
index 00000000000..2a2986af9c1
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestRolloverSignerSecretProvider.java
@@ -0,0 +1,79 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+package org.apache.hadoop.security.authentication.util;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestRolloverSignerSecretProvider {
+
+  @Test
+  public void testGetAndRollSecrets() throws Exception {
+    long rolloverFrequency = 15 * 1000; // rollover every 15 sec
+    byte[] secret1 = "doctor".getBytes();
+    byte[] secret2 = "who".getBytes();
+    byte[] secret3 = "tardis".getBytes();
+    TRolloverSignerSecretProvider secretProvider =
+        new TRolloverSignerSecretProvider(
+            new byte[][]{secret1, secret2, secret3});
+    try {
+      secretProvider.init(null, rolloverFrequency);
+
+      byte[] currentSecret = secretProvider.getCurrentSecret();
+      byte[][] allSecrets = secretProvider.getAllSecrets();
+      Assert.assertArrayEquals(secret1, currentSecret);
+      Assert.assertEquals(2, allSecrets.length);
+      Assert.assertArrayEquals(secret1, allSecrets[0]);
+      Assert.assertNull(allSecrets[1]);
+      Thread.sleep(rolloverFrequency + 2000);
+
+      currentSecret = secretProvider.getCurrentSecret();
+      allSecrets = secretProvider.getAllSecrets();
+      Assert.assertArrayEquals(secret2, currentSecret);
+      Assert.assertEquals(2, allSecrets.length);
+      Assert.assertArrayEquals(secret2, allSecrets[0]);
+      Assert.assertArrayEquals(secret1, allSecrets[1]);
+      Thread.sleep(rolloverFrequency + 2000);
+
+      currentSecret = secretProvider.getCurrentSecret();
+      allSecrets = secretProvider.getAllSecrets();
+      Assert.assertArrayEquals(secret3, currentSecret);
+      Assert.assertEquals(2, allSecrets.length);
+      Assert.assertArrayEquals(secret3, allSecrets[0]);
+      Assert.assertArrayEquals(secret2, allSecrets[1]);
+      Thread.sleep(rolloverFrequency + 2000);
+    } finally {
+      secretProvider.destroy();
+    }
+  }
+
+  class TRolloverSignerSecretProvider extends RolloverSignerSecretProvider {
+
+    private byte[][] newSecretSequence;
+    private int newSecretSequenceIndex;
+
+    public TRolloverSignerSecretProvider(byte[][] newSecretSequence)
+        throws Exception {
+      super();
+      this.newSecretSequence = newSecretSequence;
+      this.newSecretSequenceIndex = 0;
+    }
+
+    @Override
+    protected byte[] generateNewSecret() {
+      return newSecretSequence[newSecretSequenceIndex++];
+    }
+
+  }
+}
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestSigner.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestSigner.java
index e7cd0e1a8ed..1e2c960a925 100644
--- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestSigner.java
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestSigner.java
@@ -13,24 +13,15 @@
  */
 package org.apache.hadoop.security.authentication.util;
 
+import java.util.Properties;
 import org.junit.Assert;
 import org.junit.Test;
 
 public class TestSigner {
 
-  @Test
-  public void testNoSecret() throws Exception {
-    try {
-      new Signer(null);
-      Assert.fail();
-    }
-    catch (IllegalArgumentException ex) {
-    }
-  }
-
   @Test
   public void testNullAndEmptyString() throws Exception {
-    Signer signer = new Signer("secret".getBytes());
+    Signer signer = new Signer(new StringSignerSecretProvider("secret"));
     try {
       signer.sign(null);
       Assert.fail();
@@ -51,17 +42,17 @@ public void testNullAndEmptyString() throws Exception {
 
   @Test
   public void testSignature() throws Exception {
-    Signer signer = new Signer("secret".getBytes());
+    Signer signer = new Signer(new StringSignerSecretProvider("secret"));
     String s1 = signer.sign("ok");
     String s2 = signer.sign("ok");
     String s3 = signer.sign("wrong");
     Assert.assertEquals(s1, s2);
-    Assert.assertNotSame(s1, s3);
+    Assert.assertNotEquals(s1, s3);
   }
 
   @Test
   public void testVerify() throws Exception {
-    Signer signer = new Signer("secret".getBytes());
+    Signer signer = new Signer(new StringSignerSecretProvider("secret"));
     String t = "test";
     String s = signer.sign(t);
     String e = signer.verifyAndExtract(s);
@@ -70,7 +61,7 @@ public void testVerify() throws Exception {
 
   @Test
   public void testInvalidSignedText() throws Exception {
-    Signer signer = new Signer("secret".getBytes());
+    Signer signer = new Signer(new StringSignerSecretProvider("secret"));
     try {
       signer.verifyAndExtract("test");
       Assert.fail();
@@ -83,7 +74,7 @@ public void testInvalidSignedText() throws Exception {
 
   @Test
   public void testTampering() throws Exception {
-    Signer signer = new Signer("secret".getBytes());
+    Signer signer = new Signer(new StringSignerSecretProvider("secret"));
     String t = "test";
     String s = signer.sign(t);
     s += "x";
@@ -96,4 +87,66 @@ public void testTampering() throws Exception {
       Assert.fail();
     }
   }
+
+  @Test
+  public void testMultipleSecrets() throws Exception {
+    TestSignerSecretProvider secretProvider = new TestSignerSecretProvider();
+    Signer signer = new Signer(secretProvider);
+    secretProvider.setCurrentSecret("secretB");
+    String t1 = "test";
+    String s1 = signer.sign(t1);
+    String e1 = signer.verifyAndExtract(s1);
+    Assert.assertEquals(t1, e1);
+    secretProvider.setPreviousSecret("secretA");
+    String t2 = "test";
+    String s2 = signer.sign(t2);
+    String e2 = signer.verifyAndExtract(s2);
+    Assert.assertEquals(t2, e2);
+    Assert.assertEquals(s1, s2); //check is using current secret for signing
+    secretProvider.setCurrentSecret("secretC");
+    secretProvider.setPreviousSecret("secretB");
+    String t3 = "test";
+    String s3 = signer.sign(t3);
+    String e3 = signer.verifyAndExtract(s3);
+    Assert.assertEquals(t3, e3);
+    Assert.assertNotEquals(s1, s3); //check not using current secret for signing
+    String e1b = signer.verifyAndExtract(s1);
+    Assert.assertEquals(t1, e1b); // previous secret still valid
+    secretProvider.setCurrentSecret("secretD");
+    secretProvider.setPreviousSecret("secretC");
+    try {
+      signer.verifyAndExtract(s1);  // previous secret no longer valid
+      Assert.fail();
+    } catch (SignerException ex) {
+      // Expected
+    }
+  }
+
+  class TestSignerSecretProvider extends SignerSecretProvider {
+
+    private byte[] currentSecret;
+    private byte[] previousSecret;
+
+    @Override
+    public void init(Properties config, long tokenValidity) {
+    }
+
+    @Override
+    public byte[] getCurrentSecret() {
+      return currentSecret;
+    }
+
+    @Override
+    public byte[][] getAllSecrets() {
+      return new byte[][]{currentSecret, previousSecret};
+    }
+
+    public void setCurrentSecret(String secretStr) {
+      currentSecret = secretStr.getBytes();
+    }
+
+    public void setPreviousSecret(String previousSecretStr) {
+      previousSecret = previousSecretStr.getBytes();
+    }
+  }
 }
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestStringSignerSecretProvider.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestStringSignerSecretProvider.java
new file mode 100644
index 00000000000..c1170060baf
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestStringSignerSecretProvider.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+package org.apache.hadoop.security.authentication.util;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestStringSignerSecretProvider {
+
+  @Test
+  public void testGetSecrets() throws Exception {
+    String secretStr = "secret";
+    StringSignerSecretProvider secretProvider
+        = new StringSignerSecretProvider(secretStr);
+    secretProvider.init(null, -1);
+    byte[] secretBytes = secretStr.getBytes();
+    Assert.assertArrayEquals(secretBytes, secretProvider.getCurrentSecret());
+    byte[][] allSecrets = secretProvider.getAllSecrets();
+    Assert.assertEquals(1, allSecrets.length);
+    Assert.assertArrayEquals(secretBytes, allSecrets[0]);
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 601fe93fd20..1388a62d2a8 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -484,6 +484,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10903. Enhance hadoop classpath command to expand wildcards or write
     classpath into jar manifest. (cnauroth)
 
+    HADOOP-10791. AuthenticationFilter should support externalizing the 
+    secret for signing and provide rotation support. (rkanter via tucu)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSServer.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSServer.java
index 346cd4d12bd..3e08662a9b5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSServer.java
@@ -65,6 +65,7 @@
 import org.mortbay.jetty.webapp.WebAppContext;
 
 import com.google.common.collect.Maps;
+import org.apache.hadoop.security.authentication.util.StringSignerSecretProvider;
 
 public class TestHttpFSServer extends HFSTestCase {
 
@@ -683,7 +684,7 @@ public void testDelegationTokenOperations() throws Exception {
       new AuthenticationToken("u", "p",
         HttpFSKerberosAuthenticationHandlerForTesting.TYPE);
     token.setExpires(System.currentTimeMillis() + 100000000);
-    Signer signer = new Signer("secret".getBytes());
+    Signer signer = new Signer(new StringSignerSecretProvider("secret"));
     String tokenSigned = signer.sign(token.toString());
 
     url = new URL(TestJettyHelper.getJettyURL(),

From a6cfaab5aa18c235db8543ecf65607f5f38cabc8 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Tue, 5 Aug 2014 21:29:55 +0000
Subject: [PATCH 130/354] HADOOP-10933. FileBasedKeyStoresFactory Should use
 Configuration.getPassword for SSL Passwords. (lmccay via tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616008 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  3 +
 .../ssl/FileBasedKeyStoresFactory.java        | 22 ++++++-
 .../hadoop/security/ssl/KeyStoreTestUtil.java | 41 +++++++++++++
 .../hadoop/security/ssl/TestSSLFactory.java   | 58 ++++++++++++++++++-
 4 files changed, 120 insertions(+), 4 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 1388a62d2a8..612aba77fc4 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -532,6 +532,9 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-10918. JMXJsonServlet fails when used within Tomcat. (tucu)
 
+    HADOOP-10933. FileBasedKeyStoresFactory Should use Configuration.getPassword 
+    for SSL Passwords. (lmccay via tucu)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
index ea22a881e3e..aabb815db32 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
@@ -150,7 +150,7 @@ public void init(SSLFactory.Mode mode)
       }
       String passwordProperty =
         resolvePropertyName(mode, SSL_KEYSTORE_PASSWORD_TPL_KEY);
-      String keystorePassword = conf.get(passwordProperty, "");
+      String keystorePassword = getPassword(conf, passwordProperty, "");
       if (keystorePassword.isEmpty()) {
         throw new GeneralSecurityException("The property '" + passwordProperty +
           "' has not been set in the ssl configuration file.");
@@ -160,7 +160,8 @@ public void init(SSLFactory.Mode mode)
       // Key password defaults to the same value as store password for
       // compatibility with legacy configurations that did not use a separate
       // configuration property for key password.
-      keystoreKeyPassword = conf.get(keyPasswordProperty, keystorePassword);
+      keystoreKeyPassword = getPassword(
+          conf, keyPasswordProperty, keystorePassword);
       LOG.debug(mode.toString() + " KeyStore: " + keystoreLocation);
 
       InputStream is = new FileInputStream(keystoreLocation);
@@ -191,7 +192,7 @@ public void init(SSLFactory.Mode mode)
     if (!truststoreLocation.isEmpty()) {
       String passwordProperty = resolvePropertyName(mode,
           SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
-      String truststorePassword = conf.get(passwordProperty, "");
+      String truststorePassword = getPassword(conf, passwordProperty, "");
       if (truststorePassword.isEmpty()) {
         throw new GeneralSecurityException("The property '" + passwordProperty +
             "' has not been set in the ssl configuration file.");
@@ -217,6 +218,21 @@ public void init(SSLFactory.Mode mode)
     }
   }
 
+  String getPassword(Configuration conf, String alias, String defaultPass) {
+    String password = defaultPass;
+    try {
+      char[] passchars = conf.getPassword(alias);
+      if (passchars != null) {
+        password = new String(passchars);
+      }
+    }
+    catch (IOException ioe) {
+      LOG.warn("Exception while trying to get password for alias " + alias +
+          ": " + ioe.getMessage());
+    }
+    return password;
+  }
+
   /**
    * Releases any resources being used.
    */
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java
index a07faebe033..5f72f9e95eb 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java
@@ -19,6 +19,10 @@
 package org.apache.hadoop.security.ssl;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.alias.CredentialProvider;
+import org.apache.hadoop.security.alias.CredentialProviderFactory;
+import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
+
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.CertificateAlgorithmId;
 import sun.security.x509.CertificateIssuerName;
@@ -382,4 +386,41 @@ public static void saveConfig(File file, Configuration conf)
       writer.close();
     }
   }
+
+  public static void provisionPasswordsToCredentialProvider() throws Exception {
+    File testDir = new File(System.getProperty("test.build.data",
+        "target/test-dir"));
+
+    Configuration conf = new Configuration();
+    final String ourUrl =
+    JavaKeyStoreProvider.SCHEME_NAME + "://file/" + testDir + "/test.jks";
+
+    File file = new File(testDir, "test.jks");
+    file.delete();
+    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
+
+    CredentialProvider provider =
+        CredentialProviderFactory.getProviders(conf).get(0);
+    char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
+    char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
+
+    // create new aliases
+    try {
+      provider.createCredentialEntry(
+          FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
+              FileBasedKeyStoresFactory.SSL_KEYSTORE_PASSWORD_TPL_KEY),
+              storepass);
+
+      provider.createCredentialEntry(
+          FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
+              FileBasedKeyStoresFactory.SSL_KEYSTORE_KEYPASSWORD_TPL_KEY),
+              keypass);
+
+      // write out so that it can be found in checks
+      provider.flush();
+    } catch (Exception e) {
+      e.printStackTrace();
+      throw e;
+    }
+  }
 }
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java
index d719170d551..3c428fea282 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java
@@ -17,8 +17,14 @@
  */
 package org.apache.hadoop.security.ssl;
 
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.security.alias.CredentialProvider;
+import org.apache.hadoop.security.alias.CredentialProviderFactory;
+import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -211,6 +217,13 @@ public void testClientKeyPasswordDefaultsToPassword() throws Exception {
       "password", "password", null);
   }
 
+  @Test
+  public void testServerCredProviderPasswords() throws Exception {
+    KeyStoreTestUtil.provisionPasswordsToCredentialProvider();
+    checkSSLFactoryInitWithPasswords(SSLFactory.Mode.SERVER,
+        "storepass", "keypass", null, null, true);
+  }
+
   /**
    * Checks that SSLFactory initialization is successful with the given
    * arguments.  This is a helper method for writing test cases that cover
@@ -218,7 +231,7 @@ public void testClientKeyPasswordDefaultsToPassword() throws Exception {
    * It takes care of bootstrapping a keystore, a truststore, and SSL client or
    * server configuration.  Then, it initializes an SSLFactory.  If no exception
    * is thrown, then initialization was successful.
-   * 
+   *
    * @param mode SSLFactory.Mode mode to test
    * @param password String store password to set on keystore
    * @param keyPassword String key password to set on keystore
@@ -231,6 +244,34 @@ public void testClientKeyPasswordDefaultsToPassword() throws Exception {
   private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode,
       String password, String keyPassword, String confPassword,
       String confKeyPassword) throws Exception {
+    checkSSLFactoryInitWithPasswords(mode, password, keyPassword,
+        confPassword, confKeyPassword, false);
+  }
+
+ /**
+   * Checks that SSLFactory initialization is successful with the given
+   * arguments.  This is a helper method for writing test cases that cover
+   * different combinations of settings for the store password and key password.
+   * It takes care of bootstrapping a keystore, a truststore, and SSL client or
+   * server configuration.  Then, it initializes an SSLFactory.  If no exception
+   * is thrown, then initialization was successful.
+   *
+   * @param mode SSLFactory.Mode mode to test
+   * @param password String store password to set on keystore
+   * @param keyPassword String key password to set on keystore
+   * @param confPassword String store password to set in SSL config file, or null
+   *   to avoid setting in SSL config file
+   * @param confKeyPassword String key password to set in SSL config file, or
+   *   null to avoid setting in SSL config file
+   * @param useCredProvider boolean to indicate whether passwords should be set
+   * into the config or not. When set to true nulls are set and aliases are
+   * expected to be resolved through credential provider API through the
+   * Configuration.getPassword method
+   * @throws Exception for any error
+   */
+  private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode,
+      String password, String keyPassword, String confPassword,
+      String confKeyPassword, boolean useCredProvider) throws Exception {
     String keystore = new File(KEYSTORES_DIR, "keystore.jks").getAbsolutePath();
     String truststore = new File(KEYSTORES_DIR, "truststore.jks")
       .getAbsolutePath();
@@ -249,10 +290,25 @@ private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode,
     // Create SSL configuration file, for either server or client.
     final String sslConfFileName;
     final Configuration sslConf;
+
+    // if the passwords are provisioned in a cred provider then don't set them
+    // in the configuration properly - expect them to be resolved through the
+    // provider
+    if (useCredProvider) {
+      confPassword = null;
+      confKeyPassword = null;
+    }
     if (mode == SSLFactory.Mode.SERVER) {
       sslConfFileName = "ssl-server.xml";
       sslConf = KeyStoreTestUtil.createServerSSLConfig(keystore, confPassword,
         confKeyPassword, truststore);
+      if (useCredProvider) {
+        File testDir = new File(System.getProperty("test.build.data",
+            "target/test-dir"));
+        final String ourUrl =
+            JavaKeyStoreProvider.SCHEME_NAME + "://file/" + testDir + "/test.jks";
+        sslConf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
+      }
     } else {
       sslConfFileName = "ssl-client.xml";
       sslConf = KeyStoreTestUtil.createClientSSLConfig(keystore, confPassword,

From ac47ad11de83013eacbe303a39d1cc9593da6785 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 5 Aug 2014 21:49:31 +0000
Subject: [PATCH 131/354] HDFS-6394. HDFS encryption documentation. (wang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1616016 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   2 +
 .../apache/hadoop/hdfs/tools/CryptoAdmin.java |   4 +-
 .../src/site/apt/TransparentEncryption.apt.vm | 206 ++++++++++++++++++
 hadoop-project/src/site/site.xml              |   1 +
 4 files changed, 211 insertions(+), 2 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/site/apt/TransparentEncryption.apt.vm

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index b88b619247d..4673fac180f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -74,6 +74,8 @@ fs-encryption (Unreleased)
 
     HDFS-6780. Batch the encryption zones listing API. (wang)
 
+    HDFS-6394. HDFS encryption documentation. (wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
index fcad730075e..bb52ddd1531 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/CryptoAdmin.java
@@ -125,7 +125,7 @@ public String getName() {
 
     @Override
     public String getShortUsage() {
-      return "[" + getName() + " -keyName <keyName> -path <path> " + "]\n";
+      return "[" + getName() + " -keyName <keyName> -path <path>]\n";
     }
 
     @Override
@@ -187,7 +187,7 @@ public String getShortUsage() {
     @Override
     public String getLongUsage() {
       return getShortUsage() + "\n" +
-        "List all encryption zones.\n\n";
+        "List all encryption zones. Requires superuser permissions.\n\n";
     }
 
     @Override
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/TransparentEncryption.apt.vm b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/TransparentEncryption.apt.vm
new file mode 100644
index 00000000000..3689a775efe
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/TransparentEncryption.apt.vm
@@ -0,0 +1,206 @@
+~~ Licensed under the Apache License, Version 2.0 (the "License");
+~~ you may not use this file except in compliance with the License.
+~~ You may obtain a copy of the License at
+~~
+~~   http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing, software
+~~ distributed under the License is distributed on an "AS IS" BASIS,
+~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+~~ See the License for the specific language governing permissions and
+~~ limitations under the License. See accompanying LICENSE file.
+
+  ---
+  Hadoop Distributed File System-${project.version} - Transparent Encryption in HDFS
+  ---
+  ---
+  ${maven.build.timestamp}
+
+Transparent Encryption in HDFS
+
+%{toc|section=1|fromDepth=2|toDepth=3}
+
+* {Overview}
+
+  HDFS implements <transparent>, <end-to-end> encryption.
+  Once configured, data read from and written to HDFS is <transparently> encrypted and decrypted without requiring changes to user application code.
+  This encryption is also <end-to-end>, which means the data can only be encrypted and decrypted by the client.
+  HDFS never stores or has access to unencrypted data or data encryption keys.
+  This satisfies two typical requirements for encryption: <at-rest encryption> (meaning data on persistent media, such as a disk) as well as <in-transit encryption> (e.g. when data is travelling over the network).
+
+* {Use Cases}
+
+  Data encryption is required by a number of different government, financial, and regulatory entities.
+  For example, the health-care industry has HIPAA regulations, the card payment industry has PCI DSS regulations, and the US government has FISMA regulations.
+  Having transparent encryption built into HDFS makes it easier for organizations to comply with these regulations.
+
+  Encryption can also be performed at the application-level, but by integrating it into HDFS, existing applications can operate on encrypted data without changes.
+  This integrated architecture implies stronger encrypted file semantics and better coordination with other HDFS functions.
+
+* {Architecture}
+
+** {Key Management Server, KeyProvider, EDEKs}
+
+  A new cluster service is required to store, manage, and access encryption keys: the Hadoop <Key Management Server (KMS)>.
+  The KMS is a proxy that interfaces with a backing key store on behalf of HDFS daemons and clients.
+  Both the backing key store and the KMS implement the Hadoop KeyProvider client API.
+  See the {{{../../hadoop-kms/index.html}KMS documentation}} for more information.
+
+  In the KeyProvider API, each encryption key has a unique <key name>.
+  Because keys can be rolled, a key can have multiple <key versions>, where each key version has its own <key material> (the actual secret bytes used during encryption and decryption).
+  An encryption key can be fetched by either its key name, returning the latest version of the key, or by a specific key version.
+
+  The KMS implements additional functionality which enables creation and decryption of <encrypted encryption keys (EEKs)>.
+  Creation and decryption of EEKs happens entirely on the KMS.
+  Importantly, the client requesting creation or decryption of an EEK never handles the EEK's encryption key.
+  To create a new EEK, the KMS generates a new random key, encrypts it with the specified key, and returns the EEK to the client.
+  To decrypt an EEK, the KMS checks that the user has access to the encryption key, uses it to decrypt the EEK, and returns the decrypted encryption key.
+
+  In the context of HDFS encryption, EEKs are <encrypted data encryption keys (EDEKs)>, where a <data encryption key (DEK)> is what is used to encrypt and decrypt file data.
+  Typically, the key store is configured to only allow end users access to the keys used to encrypt DEKs.
+  This means that EDEKs can be safely stored and handled by HDFS, since the HDFS user will not have access to EDEK encryption keys.
+
+** {Encryption zones}
+
+  For transparent encryption, we introduce a new abstraction to HDFS: the <encryption zone>.
+  An encryption zone is a special directory whose contents will be transparently encrypted upon write and transparently decrypted upon read.
+  Each encryption zone is associated with a single <encryption zone key> which is specified when the zone is created.
+  Each file within an encryption zone has its own unique EDEK.
+
+  When creating a new file in an encryption zone, the NameNode asks the KMS to generate a new EDEK encrypted with the encryption zone's key.
+  The EDEK is then stored persistently as part of the file's metadata on the NameNode.
+
+  When reading a file within an encryption zone, the NameNode provides the client with the file's EDEK and the encryption zone key version used to encrypt the EDEK.
+  The client then asks the KMS to decrypt the EDEK, which involves checking that the client has permission to access the encryption zone key version.
+  Assuming that is successful, the client uses the DEK to decrypt the file's contents.
+
+  All of the above steps for the read and write path happen automatically through interactions between the DFSClient, the NameNode, and the KMS.
+
+  Access to encrypted file data and metadata is controlled by normal HDFS filesystem permissions.
+  This means that if HDFS is compromised (for example, by gaining unauthorized access to an HDFS superuser account), a malicious user only gains access to ciphertext and encrypted keys.
+  However, since access to encryption zone keys is controlled by a separate set of permissions on the KMS and key store, this does not pose a security threat.
+
+* {Configuration}
+
+  A necessary prerequisite is an instance of the KMS, as well as a backing key store for the KMS.
+  See the {{{../../hadoop-kms/index.html}KMS documentation}} for more information.
+
+** Selecting an encryption algorithm and codec
+
+*** hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE
+
+  The prefix for a given crypto codec, contains a comma-separated list of implementation classes for a given crypto codec (eg EXAMPLECIPHERSUITE).
+  The first implementation will be used if available, others are fallbacks.
+
+*** hadoop.security.crypto.codec.classes.aes.ctr.nopadding
+
+  Default: <<<org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec,org.apache.hadoop.crypto.JceAesCtrCryptoCodec>>>
+
+  Comma-separated list of crypto codec implementations for AES/CTR/NoPadding.
+  The first implementation will be used if available, others are fallbacks.
+
+*** hadoop.security.crypto.cipher.suite
+
+  Default: <<<AES/CTR/NoPadding>>>
+
+  Cipher suite for crypto codec.
+
+*** hadoop.security.crypto.jce.provider
+
+  Default: None
+
+  The JCE provider name used in CryptoCodec.
+
+*** hadoop.security.crypto.buffer.size
+
+  Default: <<<8192>>>
+
+  The buffer size used by CryptoInputStream and CryptoOutputStream. 
+
+** Namenode configuration
+
+*** dfs.namenode.list.encryption.zones.num.responses
+
+  Default: <<<100>>>
+
+  When listing encryption zones, the maximum number of zones that will be returned in a batch.
+  Fetching the list incrementally in batches improves namenode performance.
+
+* {<<<crypto>>> command-line interface}
+
+** {createZone}
+
+  Usage: <<<[-createZone -keyName <keyName> -path <path>]>>>
+
+  Create a new encryption zone.
+
+*--+--+
+<path> | The path of the encryption zone to create. It must be an empty directory.
+*--+--+
+<keyName> | Name of the key to use for the encryption zone.
+*--+--+
+
+** {listZones}
+
+  Usage: <<<[-listZones]>>>
+
+  List all encryption zones. Requires superuser permissions.
+
+* {Attack vectors}
+
+** {Hardware access exploits}
+
+  These exploits assume that attacker has gained physical access to hard drives from cluster machines, i.e. datanodes and namenodes.
+
+  [[1]] Access to swap files of processes containing data encryption keys.
+
+        * By itself, this does not expose cleartext, as it also requires access to encrypted block files.
+
+        * This can be mitigated by disabling swap, using encrypted swap, or using mlock to prevent keys from being swapped out.
+
+  [[1]] Access to encrypted block files.
+
+        * By itself, this does not expose cleartext, as it also requires access to DEKs.
+
+** {Root access exploits}
+
+  These exploits assume that attacker has gained root shell access to cluster machines, i.e. datanodes and namenodes.
+  Many of these exploits cannot be addressed in HDFS, since a malicious root user has access to the in-memory state of processes holding encryption keys and cleartext.
+  For these exploits, the only mitigation technique is carefully restricting and monitoring root shell access.
+
+  [[1]] Access to encrypted block files.
+
+        * By itself, this does not expose cleartext, as it also requires access to encryption keys.
+
+  [[1]] Dump memory of client processes to obtain DEKs, delegation tokens, cleartext.
+
+        * No mitigation.
+
+  [[1]] Recording network traffic to sniff encryption keys and encrypted data in transit.
+
+        * By itself, insufficient to read cleartext without the EDEK encryption key.
+
+  [[1]] Dump memory of datanode process to obtain encrypted block data.
+
+        * By itself, insufficient to read cleartext without the DEK.
+
+  [[1]] Dump memory of namenode process to obtain encrypted data encryption keys.
+
+        * By itself, insufficient to read cleartext without the EDEK's encryption key and encrypted block files.
+
+** {HDFS admin exploits}
+
+  These exploits assume that the attacker has compromised HDFS, but does not have root or <<<hdfs>>> user shell access.
+
+  [[1]] Access to encrypted block files.
+
+        * By itself, insufficient to read cleartext without the EDEK and EDEK encryption key.
+
+  [[1]] Access to encryption zone and encrypted file metadata (including encrypted data encryption keys), via -fetchImage.
+
+        * By itself, insufficient to read cleartext without EDEK encryption keys.
+
+** {Rogue user exploits}
+
+  A rogue user can collect keys to which they have access, and use them later to decrypt encrypted data.
+  This can be mitigated through periodic key rolling policies.
diff --git a/hadoop-project/src/site/site.xml b/hadoop-project/src/site/site.xml
index ec9329216d6..628250f06d6 100644
--- a/hadoop-project/src/site/site.xml
+++ b/hadoop-project/src/site/site.xml
@@ -89,6 +89,7 @@
       <item name="HDFS NFS Gateway" href="hadoop-project-dist/hadoop-hdfs/HdfsNfsGateway.html"/>
       <item name="HDFS Rolling Upgrade" href="hadoop-project-dist/hadoop-hdfs/HdfsRollingUpgrade.html"/>
       <item name="Extended Attributes" href="hadoop-project-dist/hadoop-hdfs/ExtendedAttributes.html"/>
+      <item name="Transparent Encryption" href="hadoop-project-dist/hadoop-hdfs/TransparentEncryption.html"/>
       <item name="HDFS Support for Multihoming" href="hadoop-project-dist/hadoop-hdfs/HdfsMultihoming.html"/>
     </menu>
 

From 857d134fda8b7bb7faa6eb3606639554de4db47a Mon Sep 17 00:00:00 2001
From: Jason Darrell Lowe <jlowe@apache.org>
Date: Tue, 5 Aug 2014 21:52:22 +0000
Subject: [PATCH 132/354] MAPREDUCE-6014. New task status field in task
 attempts table can lead to an empty web page. Contributed by Mit Desai

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616018 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                          | 3 +++
 .../org/apache/hadoop/mapreduce/v2/app/webapp/TaskPage.java   | 3 ++-
 .../org/apache/hadoop/mapreduce/v2/app/webapp/TasksBlock.java | 4 +++-
 .../org/apache/hadoop/mapreduce/v2/app/webapp/TestBlocks.java | 3 +++
 .../org/apache/hadoop/mapreduce/v2/hs/webapp/HsTaskPage.java  | 3 ++-
 .../org/apache/hadoop/mapreduce/v2/hs/webapp/TestBlocks.java  | 4 +++-
 6 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 86ae7139b8c..707a9c4b3c5 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -181,6 +181,9 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-5756. CombineFileInputFormat.getSplits() including directories
     in its results (Jason Dere via jlowe)
 
+    MAPREDUCE-6014. New task status field in task attempts table can lead to
+    an empty web page (Mit Desai via jlowe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/TaskPage.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/TaskPage.java
index 47d9f1ea59f..8aa8bb6d258 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/TaskPage.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/TaskPage.java
@@ -85,7 +85,8 @@ protected void render(Block html) {
         .append(ta.getId()).append("\",\"")
         .append(progress).append("\",\"")
         .append(ta.getState().toString()).append("\",\"")
-        .append(ta.getStatus()).append("\",\"")
+        .append(StringEscapeUtils.escapeJavaScript(
+              StringEscapeUtils.escapeHtml(ta.getStatus()))).append("\",\"")
 
         .append(nodeHttpAddr == null ? "N/A" :
           "<a class='nodelink' href='" + MRWebAppUtil.getYARNWebappScheme() + nodeHttpAddr + "'>"
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/TasksBlock.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/TasksBlock.java
index a2b19e4ae44..64aae59cab4 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/TasksBlock.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/TasksBlock.java
@@ -25,6 +25,7 @@
 import static org.apache.hadoop.yarn.webapp.view.JQueryUI.C_PROGRESSBAR;
 import static org.apache.hadoop.yarn.webapp.view.JQueryUI.C_PROGRESSBAR_VALUE;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.hadoop.mapreduce.v2.api.records.TaskType;
 import org.apache.hadoop.mapreduce.v2.app.job.Task;
 import org.apache.hadoop.mapreduce.v2.app.webapp.dao.TaskInfo;
@@ -102,7 +103,8 @@ public class TasksBlock extends HtmlBlock {
       .append(join(pct, '%')).append("'> ").append("<div class='")
       .append(C_PROGRESSBAR_VALUE).append("' style='")
       .append(join("width:", pct, '%')).append("'> </div> </div>\",\"")
-      .append(info.getStatus()).append("\",\"")
+      .append(StringEscapeUtils.escapeJavaScript(
+              StringEscapeUtils.escapeHtml(info.getStatus()))).append("\",\"")
 
       .append(info.getState()).append("\",\"")
       .append(info.getStartTime()).append("\",\"")
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/webapp/TestBlocks.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/webapp/TestBlocks.java
index b46a0e7efbf..13f91e03569 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/webapp/TestBlocks.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/webapp/TestBlocks.java
@@ -106,6 +106,7 @@ public void testTasksBlock() throws Exception {
     when(report.getTaskState()).thenReturn(TaskState.SUCCEEDED);
     when(report.getStartTime()).thenReturn(100001L);
     when(report.getFinishTime()).thenReturn(100011L);
+    when(report.getStatus()).thenReturn("Dummy Status \n*");
 
 
     when(task.getReport()).thenReturn(report);
@@ -134,6 +135,8 @@ public void testTasksBlock() throws Exception {
     assertTrue(data.toString().contains("SUCCEEDED"));
     assertTrue(data.toString().contains("100001"));
     assertTrue(data.toString().contains("100011"));
+    assertFalse(data.toString().contains("Dummy Status \n*"));
+    assertTrue(data.toString().contains("Dummy Status \\n*"));
 
 
   }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsTaskPage.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsTaskPage.java
index fde3a3a03f5..5bd8684449a 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsTaskPage.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsTaskPage.java
@@ -149,7 +149,8 @@ protected void render(Block html) {
         attemptsTableData.append("[\"")
         .append(sortId + " ").append(taid).append("\",\"")
         .append(ta.getState()).append("\",\"")
-        .append(ta.getStatus()).append("\",\"")
+        .append(StringEscapeUtils.escapeJavaScript(
+              StringEscapeUtils.escapeHtml(ta.getStatus()))).append("\",\"")
 
         .append("<a class='nodelink' href='" + MRWebAppUtil.getYARNWebappScheme() + nodeHttpAddr + "'>")
         .append(nodeRackName + "/" + nodeHttpAddr + "</a>\",\"")
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/webapp/TestBlocks.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/webapp/TestBlocks.java
index 241bdb246fd..82d578aa12a 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/webapp/TestBlocks.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/webapp/TestBlocks.java
@@ -159,7 +159,7 @@ public void testAttemptsBlock() {
     when(taReport.getSortFinishTime()).thenReturn(taSortFinishTime);
     when(taReport.getContainerId()).thenReturn(containerId);
     when(taReport.getProgress()).thenReturn(1.0f);
-    when(taReport.getStateString()).thenReturn("Processed 128/128 records");
+    when(taReport.getStateString()).thenReturn("Processed 128/128 records <p> \n");
     when(taReport.getTaskAttemptState()).thenReturn(taState);
     when(taReport.getDiagnosticInfo()).thenReturn("");
 
@@ -184,6 +184,8 @@ public void testAttemptsBlock() {
     // should be printed information about attempts
     assertTrue(data.toString().contains("0 attempt_0_0001_r_000000_0"));
     assertTrue(data.toString().contains("SUCCEEDED"));
+    assertFalse(data.toString().contains("Processed 128/128 records <p> \n"));
+    assertTrue(data.toString().contains("Processed 128\\/128 records &lt;p&gt; \\n"));
     assertTrue(data.toString().contains(
             "_0005_01_000001:attempt_0_0001_r_000000_0:User:"));
     assertTrue(data.toString().contains("100002"));

From 34e3bbae9fb303e5aa32da06dea59b176e5b1aea Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 5 Aug 2014 22:06:48 +0000
Subject: [PATCH 133/354] HADOOP-10939. Fix TestKeyProviderFactory testcases to
 use default 128 bit length keys. Contributed by Arun Suresh.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616021 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt    |  3 +++
 .../hadoop/crypto/key/TestKeyProviderFactory.java  | 14 +++++++-------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 612aba77fc4..5a4cd367929 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -418,6 +418,9 @@ Trunk (Unreleased)
     HADOOP-10925. Compilation fails in native link0 function on Windows.
     (cnauroth)
 
+    HADOOP-10939. Fix TestKeyProviderFactory testcases to use default 128 bit
+    length keys. (Arun Suresh via wang)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java
index d33247bf8a5..7efaa8333b9 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java
@@ -100,9 +100,9 @@ public void testUriErrors() throws Exception {
   static void checkSpecificProvider(Configuration conf,
                                    String ourUrl) throws Exception {
     KeyProvider provider = KeyProviderFactory.getProviders(conf).get(0);
-    byte[] key1 = new byte[32];
-    byte[] key2 = new byte[32];
-    byte[] key3 = new byte[32];
+    byte[] key1 = new byte[16];
+    byte[] key2 = new byte[16];
+    byte[] key3 = new byte[16];
     for(int i =0; i < key1.length; ++i) {
       key1[i] = (byte) i;
       key2[i] = (byte) (i * 2);
@@ -146,7 +146,7 @@ static void checkSpecificProvider(Configuration conf,
           KeyProvider.options(conf).setBitLength(8));
       assertTrue("should throw", false);
     } catch (IOException e) {
-      assertEquals("Wrong key length. Required 8, but got 256", e.getMessage());
+      assertEquals("Wrong key length. Required 8, but got 128", e.getMessage());
     }
     provider.createKey("key4", new byte[]{1},
         KeyProvider.options(conf).setBitLength(8));
@@ -162,7 +162,7 @@ static void checkSpecificProvider(Configuration conf,
       provider.rollNewVersion("key4", key1);
       assertTrue("should throw", false);
     } catch (IOException e) {
-      assertEquals("Wrong key length. Required 8, but got 256", e.getMessage());
+      assertEquals("Wrong key length. Required 8, but got 128", e.getMessage());
     }
     try {
       provider.rollNewVersion("no-such-key", key1);
@@ -228,7 +228,7 @@ public void testJksProvider() throws Exception {
   public void checkPermissionRetention(Configuration conf, String ourUrl, Path path) throws Exception {
     KeyProvider provider = KeyProviderFactory.getProviders(conf).get(0);
     // let's add a new key and flush and check that permissions are still set to 777
-    byte[] key = new byte[32];
+    byte[] key = new byte[16];
     for(int i =0; i < key.length; ++i) {
       key[i] = (byte) i;
     }
@@ -261,7 +261,7 @@ public void testJksProviderPasswordViaConfig() throws Exception {
       conf.set(JavaKeyStoreProvider.KEYSTORE_PASSWORD_FILE_KEY,
           "javakeystoreprovider.password");
       KeyProvider provider = KeyProviderFactory.getProviders(conf).get(0);
-      provider.createKey("key3", new byte[32], KeyProvider.options(conf));
+      provider.createKey("key3", new byte[16], KeyProvider.options(conf));
       provider.flush();
     } catch (Exception ex) {
       Assert.fail("could not create keystore with password file");

From 4869fa2cfadbbe96fdc14bc82489ff49cfea377d Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Tue, 5 Aug 2014 22:47:46 +0000
Subject: [PATCH 134/354] Edit CHANGES.txt files to move HADOOP-10759 and
 HDFS-6717 from 2.5.0 to 2.6.0

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616036 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt | 4 ++--
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt     | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 5a4cd367929..1b6964e4e60 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -538,6 +538,8 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10933. FileBasedKeyStoresFactory Should use Configuration.getPassword 
     for SSL Passwords. (lmccay via tucu)
 
+    HADOOP-10759. Remove hardcoded JAVA_HEAP_MAX. (Sam Liu via Eric Yang)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
@@ -678,8 +680,6 @@ Release 2.5.0 - UNRELEASED
 
   BUG FIXES 
 
-    HADOOP-10759. Remove hardcoded JAVA_HEAP_MAX. (Sam Liu via Eric Yang)
-
     HADOOP-10378. Typo in help printed by hdfs dfs -help.
     (Mit Desai via suresh)
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 94e6e3fa6ea..e5ccc0ad706 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -440,6 +440,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6451. NFS should not return NFS3ERR_IO for AccessControlException 
     (Abhiraj Butala via brandonli)
 
+    HDFS-6717. JIRA HDFS-5804 breaks default nfs-gateway behavior for unsecured config
+    (brandonli)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
@@ -992,9 +995,6 @@ Release 2.5.0 - UNRELEASED
     HDFS-6723. New NN webUI no longer displays decommissioned state for dead node.
     (Ming Ma via wheat9)
 
-    HDFS-6717. JIRA HDFS-5804 breaks default nfs-gateway behavior for unsecured config
-    (brandonli)
-
     HDFS-6768. Fix a few unit tests that use hard-coded port numbers. (Arpit
     Agarwal)
 

From a4f1292a53da3c0bbb75de459bc141ef722dd148 Mon Sep 17 00:00:00 2001
From: Brandon Li <brandonli@apache.org>
Date: Tue, 5 Aug 2014 23:55:30 +0000
Subject: [PATCH 135/354] HADOOP-10905. LdapGroupsMapping Should use
 configuration.getPassword for SSL and LDAP Passwords. Contributed by Larry
 McCay

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616054 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  3 +
 .../hadoop/security/LdapGroupsMapping.java    | 26 +++++++--
 .../security/TestLdapGroupsMapping.java       | 58 +++++++++++++++++++
 3 files changed, 83 insertions(+), 4 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 1b6964e4e60..bef2f765108 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -540,6 +540,9 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-10759. Remove hardcoded JAVA_HEAP_MAX. (Sam Liu via Eric Yang)
 
+    HADOOP-10905. LdapGroupsMapping Should use configuration.getPassword for SSL
+    and LDAP Passwords. (lmccay via brandonli)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
index d92c469e5ab..76f53804b33 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
@@ -312,15 +312,15 @@ public synchronized void setConf(Configuration conf) {
     useSsl = conf.getBoolean(LDAP_USE_SSL_KEY, LDAP_USE_SSL_DEFAULT);
     keystore = conf.get(LDAP_KEYSTORE_KEY, LDAP_KEYSTORE_DEFAULT);
     
-    keystorePass =
-        conf.get(LDAP_KEYSTORE_PASSWORD_KEY, LDAP_KEYSTORE_PASSWORD_DEFAULT);
+    keystorePass = getPassword(conf, LDAP_KEYSTORE_PASSWORD_KEY,
+        LDAP_KEYSTORE_PASSWORD_DEFAULT);
     if (keystorePass.isEmpty()) {
       keystorePass = extractPassword(conf.get(LDAP_KEYSTORE_PASSWORD_FILE_KEY,
           LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT));
     }
     
     bindUser = conf.get(BIND_USER_KEY, BIND_USER_DEFAULT);
-    bindPassword = conf.get(BIND_PASSWORD_KEY, BIND_PASSWORD_DEFAULT);
+    bindPassword = getPassword(conf, BIND_PASSWORD_KEY, BIND_PASSWORD_DEFAULT);
     if (bindPassword.isEmpty()) {
       bindPassword = extractPassword(
           conf.get(BIND_PASSWORD_FILE_KEY, BIND_PASSWORD_FILE_DEFAULT));
@@ -341,7 +341,25 @@ public synchronized void setConf(Configuration conf) {
 
     this.conf = conf;
   }
-  
+
+  String getPassword(Configuration conf, String alias, String defaultPass) {
+    String password = null;
+    try {
+      char[] passchars = conf.getPassword(alias);
+      if (passchars != null) {
+        password = new String(passchars);
+      }
+      else {
+        password = defaultPass;
+      }
+    }
+    catch (IOException ioe) {
+      LOG.warn("Exception while trying to password for alias " + alias + ": "
+          + ioe.getMessage());
+    }
+    return password;
+  }
+
   String extractPassword(String pwFile) {
     if (pwFile.isEmpty()) {
       // If there is no password file defined, we'll assume that we should do
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
index 331e288e8ba..95cbc0ae201 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
@@ -17,6 +17,8 @@
  */
 package org.apache.hadoop.security;
 
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
 import static org.mockito.Mockito.*;
 
 import java.io.File;
@@ -38,6 +40,9 @@
 import javax.naming.directory.SearchResult;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.alias.CredentialProvider;
+import org.apache.hadoop.security.alias.CredentialProviderFactory;
+import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
@@ -154,4 +159,57 @@ public void testExtractPassword() throws IOException {
     Assert.assertEquals("hadoop",
         mapping.extractPassword(secretFile.getPath()));
   }
+
+  @Test
+  public void testConfGetPassword() throws Exception {
+    File testDir = new File(System.getProperty("test.build.data",
+                                               "target/test-dir"));
+    Configuration conf = new Configuration();
+    final String ourUrl =
+        JavaKeyStoreProvider.SCHEME_NAME + "://file/" + testDir + "/test.jks";
+
+    File file = new File(testDir, "test.jks");
+    file.delete();
+    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
+
+    CredentialProvider provider =
+        CredentialProviderFactory.getProviders(conf).get(0);
+    char[] bindpass = {'b', 'i', 'n', 'd', 'p', 'a', 's', 's'};
+    char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
+
+    // ensure that we get nulls when the key isn't there
+    assertEquals(null, provider.getCredentialEntry(
+        LdapGroupsMapping.BIND_PASSWORD_KEY));
+    assertEquals(null, provider.getCredentialEntry
+        (LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY));
+
+    // create new aliases
+    try {
+      provider.createCredentialEntry(
+          LdapGroupsMapping.BIND_PASSWORD_KEY, bindpass);
+
+      provider.createCredentialEntry(
+          LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, storepass);
+      provider.flush();
+    } catch (Exception e) {
+      e.printStackTrace();
+      throw e;
+    }
+    // make sure we get back the right key
+    assertArrayEquals(bindpass, provider.getCredentialEntry(
+        LdapGroupsMapping.BIND_PASSWORD_KEY).getCredential());
+    assertArrayEquals(storepass, provider.getCredentialEntry(
+        LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY).getCredential());
+
+    LdapGroupsMapping mapping = new LdapGroupsMapping();
+    Assert.assertEquals("bindpass",
+        mapping.getPassword(conf, LdapGroupsMapping.BIND_PASSWORD_KEY, ""));
+    Assert.assertEquals("storepass",
+        mapping.getPassword(conf, LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY,
+           ""));
+    // let's make sure that a password that doesn't exist returns an
+    // empty string as currently expected and used to trigger a call to
+    // extract password
+    Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
+  }
 }

From 812ac91add512c518394178c5162720d61957e1f Mon Sep 17 00:00:00 2001
From: Brandon Li <brandonli@apache.org>
Date: Wed, 6 Aug 2014 00:50:07 +0000
Subject: [PATCH 136/354] HDFS-6790. DFSUtil Should Use
 configuration.getPassword for SSL passwords. Contributed by Larry McCay

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616058 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../org/apache/hadoop/hdfs/DFSConfigKeys.java |  3 +
 .../java/org/apache/hadoop/hdfs/DFSUtil.java  | 31 +++++++-
 .../org/apache/hadoop/hdfs/TestDFSUtil.java   | 73 +++++++++++++++++++
 4 files changed, 107 insertions(+), 3 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index e5ccc0ad706..d3d6fb3e5c3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -443,6 +443,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6717. JIRA HDFS-5804 breaks default nfs-gateway behavior for unsecured config
     (brandonli)
 
+    HDFS-6790. DFSUtil Should Use configuration.getPassword for SSL passwords
+    (Larry McCay via brandonli)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
index 4fb5ca49c5b..ac46cb6be40 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
@@ -201,6 +201,9 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
   public static final String  DFS_ADMIN = "dfs.cluster.administrators";
   public static final String  DFS_SERVER_HTTPS_KEYSTORE_RESOURCE_KEY = "dfs.https.server.keystore.resource";
   public static final String  DFS_SERVER_HTTPS_KEYSTORE_RESOURCE_DEFAULT = "ssl-server.xml";
+  public static final String  DFS_SERVER_HTTPS_KEYPASSWORD_KEY = "ssl.server.keystore.keypassword";
+  public static final String  DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY = "ssl.server.keystore.password";
+  public static final String  DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY = "ssl.server.truststore.password";
   public static final String  DFS_NAMENODE_NAME_DIR_RESTORE_KEY = "dfs.namenode.name.dir.restore";
   public static final boolean DFS_NAMENODE_NAME_DIR_RESTORE_DEFAULT = false;
   public static final String  DFS_NAMENODE_SUPPORT_ALLOW_FORMAT_KEY = "dfs.namenode.support.allow.format";
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
index 5e83575d733..09d0952c15f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
@@ -33,6 +33,9 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_ADDRESS_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMESERVICES;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMESERVICE_ID;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_SERVER_HTTPS_KEYPASSWORD_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY;
 
 import java.io.IOException;
 import java.io.PrintStream;
@@ -1531,15 +1534,37 @@ public static HttpServer2.Builder loadSslConfToHttpServerBuilder(HttpServer2.Bui
         .needsClientAuth(
             sslConf.getBoolean(DFS_CLIENT_HTTPS_NEED_AUTH_KEY,
                 DFS_CLIENT_HTTPS_NEED_AUTH_DEFAULT))
-        .keyPassword(sslConf.get("ssl.server.keystore.keypassword"))
+        .keyPassword(getPassword(sslConf, DFS_SERVER_HTTPS_KEYPASSWORD_KEY))
         .keyStore(sslConf.get("ssl.server.keystore.location"),
-            sslConf.get("ssl.server.keystore.password"),
+            getPassword(sslConf, DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY),
             sslConf.get("ssl.server.keystore.type", "jks"))
         .trustStore(sslConf.get("ssl.server.truststore.location"),
-            sslConf.get("ssl.server.truststore.password"),
+            getPassword(sslConf, DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY),
             sslConf.get("ssl.server.truststore.type", "jks"));
   }
 
+  /**
+   * Leverages the Configuration.getPassword method to attempt to get
+   * passwords from the CredentialProvider API before falling back to
+   * clear text in config - if falling back is allowed.
+   * @param conf Configuration instance
+   * @param alias name of the credential to retreive
+   * @return String credential value or null
+   */
+  static String getPassword(Configuration conf, String alias) {
+    String password = null;
+    try {
+      char[] passchars = conf.getPassword(alias);
+      if (passchars != null) {
+        password = new String(passchars);
+      }
+    }
+    catch (IOException ioe) {
+      password = null;
+    }
+    return password;
+  }
+
   /**
    * Converts a Date into an ISO-8601 formatted datetime string.
    */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java
index cb32de0fccb..fb3fcaee959 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSUtil.java
@@ -30,8 +30,12 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_ADDRESS_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMESERVICES;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMESERVICE_ID;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_SERVER_HTTPS_KEYPASSWORD_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY;
 import static org.apache.hadoop.test.GenericTestUtils.assertExceptionContains;
 import static org.hamcrest.CoreMatchers.not;
+import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNull;
@@ -39,6 +43,7 @@
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
+import java.io.File;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.URI;
@@ -61,8 +66,12 @@
 import org.apache.hadoop.hdfs.server.namenode.ha.ConfiguredFailoverProxyProvider;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.alias.CredentialProvider;
+import org.apache.hadoop.security.alias.CredentialProviderFactory;
+import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
 import org.apache.hadoop.test.GenericTestUtils;
 import org.apache.hadoop.util.Shell;
+import org.junit.Assert;
 import org.junit.Assume;
 import org.junit.Before;
 import org.junit.Test;
@@ -792,4 +801,68 @@ private static void checkAllResults(Long[] toCheck, boolean shouldSucceed) {
       }
     }
   }
+
+  @Test
+  public void testGetPassword() throws Exception {
+    File testDir = new File(System.getProperty("test.build.data",
+        "target/test-dir"));
+
+    Configuration conf = new Configuration();
+    final String ourUrl =
+    JavaKeyStoreProvider.SCHEME_NAME + "://file/" + testDir + "/test.jks";
+
+    File file = new File(testDir, "test.jks");
+    file.delete();
+    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
+
+    CredentialProvider provider =
+        CredentialProviderFactory.getProviders(conf).get(0);
+    char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
+    char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
+    char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'};
+
+    // ensure that we get nulls when the key isn't there
+    assertEquals(null, provider.getCredentialEntry(
+        DFS_SERVER_HTTPS_KEYPASSWORD_KEY));
+    assertEquals(null, provider.getCredentialEntry(
+        DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY));
+    assertEquals(null, provider.getCredentialEntry(
+        DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY));
+
+    // create new aliases
+    try {
+      provider.createCredentialEntry(
+          DFS_SERVER_HTTPS_KEYPASSWORD_KEY, keypass);
+
+      provider.createCredentialEntry(
+          DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY, storepass);
+
+      provider.createCredentialEntry(
+          DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY, trustpass);
+
+      // write out so that it can be found in checks
+      provider.flush();
+    } catch (Exception e) {
+      e.printStackTrace();
+      throw e;
+    }
+    // make sure we get back the right key directly from api
+    assertArrayEquals(keypass, provider.getCredentialEntry(
+        DFS_SERVER_HTTPS_KEYPASSWORD_KEY).getCredential());
+    assertArrayEquals(storepass, provider.getCredentialEntry(
+        DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY).getCredential());
+    assertArrayEquals(trustpass, provider.getCredentialEntry(
+        DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY).getCredential());
+
+    // use WebAppUtils as would be used by loadSslConfiguration
+    Assert.assertEquals("keypass",
+        DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYPASSWORD_KEY));
+    Assert.assertEquals("storepass",
+        DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY));
+    Assert.assertEquals("trustpass",
+        DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY));
+
+    // let's make sure that a password that doesn't exist returns null
+    Assert.assertEquals(null, DFSUtil.getPassword(conf,"invalid-alias"));
+  }
 }

From 2b5e0444246e82093f58a9658b4508f272077379 Mon Sep 17 00:00:00 2001
From: Yi Liu <yliu@apache.org>
Date: Wed, 6 Aug 2014 04:43:58 +0000
Subject: [PATCH 137/354] HDFS-6817. Fix findbugs and other warnings. (yliu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1616092 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop/crypto/AesCtrCryptoCodec.java      | 12 ++++-------
 .../hadoop/crypto/random/OsSecureRandom.java  | 20 +++++++++----------
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  2 ++
 .../namenode/EncryptionZoneManager.java       |  2 +-
 4 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AesCtrCryptoCodec.java
index b469fddaf2a..8f8bc661db7 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AesCtrCryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/AesCtrCryptoCodec.java
@@ -50,14 +50,10 @@ public void calculateIV(byte[] initIV, long counter, byte[] IV) {
     Preconditions.checkArgument(IV.length == AES_BLOCK_SIZE);
     
     System.arraycopy(initIV, 0, IV, 0, CTR_OFFSET);
-    long l = (initIV[CTR_OFFSET + 0] << 56)
-        + ((initIV[CTR_OFFSET + 1] & 0xFF) << 48)
-        + ((initIV[CTR_OFFSET + 2] & 0xFF) << 40)
-        + ((initIV[CTR_OFFSET + 3] & 0xFF) << 32)
-        + ((initIV[CTR_OFFSET + 4] & 0xFF) << 24)
-        + ((initIV[CTR_OFFSET + 5] & 0xFF) << 16)
-        + ((initIV[CTR_OFFSET + 6] & 0xFF) << 8)
-        + (initIV[CTR_OFFSET + 7] & 0xFF);
+    long l = 0;
+    for (int i = 0; i < 8; i++) {
+      l = ((l << 8) | (initIV[CTR_OFFSET + i] & 0xff));
+    }
     l += counter;
     IV[CTR_OFFSET + 0] = (byte) (l >>> 56);
     IV[CTR_OFFSET + 1] = (byte) (l >>> 48);
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OsSecureRandom.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OsSecureRandom.java
index 3fa61fbbdce..c6cb0a80e74 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OsSecureRandom.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OsSecureRandom.java
@@ -37,14 +37,15 @@
  */
 @InterfaceAudience.Private
 public class OsSecureRandom extends Random implements Closeable, Configurable {
+  private static final long serialVersionUID = 6391500337172057900L;
 
-  private Configuration conf;
+  private transient Configuration conf;
 
   private final int RESERVOIR_LENGTH = 8192;
 
   private String randomDevPath;
 
-  private FileInputStream stream;
+  private transient FileInputStream stream;
 
   private final byte[] reservoir = new byte[RESERVOIR_LENGTH];
 
@@ -65,7 +66,7 @@ public OsSecureRandom() {
   }
   
   @Override
-  public void setConf(Configuration conf) {
+  synchronized public void setConf(Configuration conf) {
     this.conf = conf;
     this.randomDevPath = conf.get(
         HADOOP_SECURITY_SECURE_RANDOM_DEVICE_FILE_PATH_KEY,
@@ -80,7 +81,7 @@ public void setConf(Configuration conf) {
   }
 
   @Override
-  public Configuration getConf() {
+  synchronized public Configuration getConf() {
     return conf;
   }
 
@@ -100,16 +101,15 @@ synchronized public void nextBytes(byte[] bytes) {
   @Override
   synchronized protected int next(int nbits) {
     fillReservoir(4);
-    int n = reservoir[pos] |
-        (reservoir[pos + 1] << 8) |
-        (reservoir[pos + 2] << 16) |
-        (reservoir[pos + 3] << 24);
-    pos += 4;
+    int n = 0;
+    for (int i = 0; i < 4; i++) {
+      n = ((n << 8) | (reservoir[pos++] & 0xff));
+    }
     return n & (0xffffffff >> (32 - nbits));
   }
 
   @Override
-  public void close() throws IOException {
+  synchronized public void close() throws IOException {
     stream.close();
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 4673fac180f..99613e996af 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -90,3 +90,5 @@ fs-encryption (Unreleased)
 
     HDFS-6814. Mistakenly dfs.namenode.list.encryption.zones.num.responses configured
     as boolean. (umamahesh)
+
+    HDFS-6817. Fix findbugs and other warnings. (yliu)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
index 143cc66c3ea..31cb53c40ce 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@@ -41,7 +41,7 @@ public class EncryptionZoneManager {
    * external representation of an EZ is embodied in an EncryptionZone and
    * contains the EZ's pathname.
    */
-  private class EncryptionZoneInt {
+  private static class EncryptionZoneInt {
     private final String keyName;
     private final long inodeId;
 

From b47f65214c7a7b6ca8c77369ebc90dba67f9d885 Mon Sep 17 00:00:00 2001
From: Junping Du <junping_du@apache.org>
Date: Wed, 6 Aug 2014 05:48:32 +0000
Subject: [PATCH 138/354] YARN-2298. Move TimelineClient to yarn-common project
 (Contributed by Zhijie Shen)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616100 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |  3 +++
 .../hadoop-yarn/hadoop-yarn-client/pom.xml    |  8 -------
 .../hadoop-yarn/hadoop-yarn-common/pom.xml    |  8 +++++++
 .../yarn/client/api/TimelineClient.java       |  0
 .../api/impl/TimelineAuthenticator.java       |  0
 .../client/api/impl/TimelineClientImpl.java   |  0
 .../yarn/client/api/impl/package-info.java    | 21 +++++++++++++++++++
 .../hadoop/yarn/client/api/package-info.java  | 21 +++++++++++++++++++
 .../api/impl/TestTimelineAuthenticator.java   |  0
 .../client/api/impl/TestTimelineClient.java   |  0
 10 files changed, 53 insertions(+), 8 deletions(-)
 rename hadoop-yarn-project/hadoop-yarn/{hadoop-yarn-client => hadoop-yarn-common}/src/main/java/org/apache/hadoop/yarn/client/api/TimelineClient.java (100%)
 rename hadoop-yarn-project/hadoop-yarn/{hadoop-yarn-client => hadoop-yarn-common}/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineAuthenticator.java (100%)
 rename hadoop-yarn-project/hadoop-yarn/{hadoop-yarn-client => hadoop-yarn-common}/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java (100%)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/package-info.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/package-info.java
 rename hadoop-yarn-project/hadoop-yarn/{hadoop-yarn-client => hadoop-yarn-common}/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineAuthenticator.java (100%)
 rename hadoop-yarn-project/hadoop-yarn/{hadoop-yarn-client => hadoop-yarn-common}/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineClient.java (100%)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index eed76f7581f..5a1d8c242ca 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -88,6 +88,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2370. Fix comment in o.a.h.y.server.resourcemanager.schedulerAppSchedulingInfo 
     (Wenwu Peng via junping_du)
 
+    YARN-2298. Move TimelineClient to yarn-common project (Zhijie Shen via 
+    junping_du)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/pom.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/pom.xml
index 56b9981a3d9..b21ea520911 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/pom.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/pom.xml
@@ -57,14 +57,6 @@
       <groupId>log4j</groupId>
       <artifactId>log4j</artifactId>
     </dependency>
-    <dependency>
-      <groupId>org.mortbay.jetty</groupId>
-      <artifactId>jetty-util</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.sun.jersey</groupId>
-      <artifactId>jersey-client</artifactId>
-    </dependency>
 
     <!-- 'mvn dependency:analyze' fails to detect use of this dependency -->
     <dependency>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
index aa12b3f55a4..04cf50debff 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
@@ -66,10 +66,18 @@
       <groupId>commons-codec</groupId>
       <artifactId>commons-codec</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.mortbay.jetty</groupId>
+      <artifactId>jetty-util</artifactId>
+    </dependency>
     <dependency>
       <groupId>com.sun.jersey</groupId>
       <artifactId>jersey-core</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.sun.jersey</groupId>
+      <artifactId>jersey-client</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.codehaus.jackson</groupId>
       <artifactId>jackson-core-asl</artifactId>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/TimelineClient.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/TimelineClient.java
similarity index 100%
rename from hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/TimelineClient.java
rename to hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/TimelineClient.java
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineAuthenticator.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineAuthenticator.java
similarity index 100%
rename from hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineAuthenticator.java
rename to hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineAuthenticator.java
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
similarity index 100%
rename from hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
rename to hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/package-info.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/package-info.java
new file mode 100644
index 00000000000..89b5b6b5877
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/package-info.java
@@ -0,0 +1,21 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+@InterfaceAudience.Public
+package org.apache.hadoop.yarn.client.api.impl;
+import org.apache.hadoop.classification.InterfaceAudience;
+
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/package-info.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/package-info.java
new file mode 100644
index 00000000000..efd7229d0b1
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/package-info.java
@@ -0,0 +1,21 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+@InterfaceAudience.Public
+package org.apache.hadoop.yarn.client.api;
+import org.apache.hadoop.classification.InterfaceAudience;
+
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineAuthenticator.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineAuthenticator.java
similarity index 100%
rename from hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineAuthenticator.java
rename to hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineAuthenticator.java
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineClient.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineClient.java
similarity index 100%
rename from hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineClient.java
rename to hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineClient.java

From d7a57c27c6b98ae9bbbb77f0d2bf74243bbf095e Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Wed, 6 Aug 2014 16:06:13 +0000
Subject: [PATCH 139/354] HDFS-6517. Remove hadoop-metrics2.properties from
 hdfs project (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616261 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index d3d6fb3e5c3..d657bfa7210 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -136,6 +136,9 @@ Trunk (Unreleased)
   OPTIMIZATIONS
 
   BUG FIXES
+ 
+    HDFS-6517. Remove hadoop-metrics2.properties from hdfs project (Akira 
+               AJISAKA via aw)
 
     HADOOP-9635 Fix potential Stack Overflow in DomainSocket.c (V. Karthik Kumar
                 via cmccabe)

From 6fa66f235742a6572f1c8389e6af3a2b65feb0b9 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Wed, 6 Aug 2014 16:07:52 +0000
Subject: [PATCH 140/354] HDFS-6517. Remove hadoop-metrics2.properties from
 hdfs project (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616262 13f79535-47bb-0310-9956-ffa450edef68
---
 .../src/main/conf/hadoop-metrics2.properties  | 44 -------------------
 1 file changed, 44 deletions(-)
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/conf/hadoop-metrics2.properties

diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/conf/hadoop-metrics2.properties b/hadoop-hdfs-project/hadoop-hdfs/src/main/conf/hadoop-metrics2.properties
deleted file mode 100644
index c3ffe314f07..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/conf/hadoop-metrics2.properties
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-#   Licensed to the Apache Software Foundation (ASF) under one or more
-#   contributor license agreements.  See the NOTICE file distributed with
-#   this work for additional information regarding copyright ownership.
-#   The ASF licenses this file to You under the Apache License, Version 2.0
-#   (the "License"); you may not use this file except in compliance with
-#   the License.  You may obtain a copy of the License at
-#
-#       http://www.apache.org/licenses/LICENSE-2.0
-#
-#   Unless required by applicable law or agreed to in writing, software
-#   distributed under the License is distributed on an "AS IS" BASIS,
-#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#   See the License for the specific language governing permissions and
-#   limitations under the License.
-#
-
-# syntax: [prefix].[source|sink].[instance].[options]
-# See javadoc of package-info.java for org.apache.hadoop.metrics2 for details
-
-*.sink.file.class=org.apache.hadoop.metrics2.sink.FileSink
-# default sampling period, in seconds
-*.period=10
-
-# The namenode-metrics.out will contain metrics from all context
-#namenode.sink.file.filename=namenode-metrics.out
-# Specifying a special sampling period for namenode:
-#namenode.sink.*.period=8
-
-#datanode.sink.file.filename=datanode-metrics.out
-
-# the following example split metrics of different
-# context to different sinks (in this case files)
-#jobtracker.sink.file_jvm.context=jvm
-#jobtracker.sink.file_jvm.filename=jobtracker-jvm-metrics.out
-#jobtracker.sink.file_mapred.context=mapred
-#jobtracker.sink.file_mapred.filename=jobtracker-mapred-metrics.out
-
-#tasktracker.sink.file.filename=tasktracker-metrics.out
-
-#maptask.sink.file.filename=maptask-metrics.out
-
-#reducetask.sink.file.filename=reducetask-metrics.out
-

From 9ebeac16eb43e46dc713af5d280cf24b8d31c933 Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Wed, 6 Aug 2014 18:58:50 +0000
Subject: [PATCH 141/354] YARN-2374. Fixed TestDistributedShell#testDSShell
 failure due to hostname dismatch. Contributed by Varun Vasudev

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616302 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |  3 +
 .../TestDistributedShell.java                 | 75 ++++++++++++++++++-
 2 files changed, 74 insertions(+), 4 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 5a1d8c242ca..1c84efbd7fb 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -134,6 +134,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2051. Fix bug in PBimpls and add more unit tests with reflection. 
     (Binglin Chang via junping_du)
 
+    YARN-2374. Fixed TestDistributedShell#testDSShell failure due to hostname
+    dismatch. (Varun Vasudev via jianhe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/test/java/org/apache/hadoop/yarn/applications/distributedshell/TestDistributedShell.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/test/java/org/apache/hadoop/yarn/applications/distributedshell/TestDistributedShell.java
index 3445e2721dc..d7a174516a2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/test/java/org/apache/hadoop/yarn/applications/distributedshell/TestDistributedShell.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/test/java/org/apache/hadoop/yarn/applications/distributedshell/TestDistributedShell.java
@@ -26,13 +26,13 @@
 import java.io.IOException;
 import java.io.OutputStream;
 import java.io.PrintWriter;
+import java.net.InetAddress;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicBoolean;
 
 import org.junit.Assert;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
@@ -169,7 +169,9 @@ public void run() {
     yarnClient.init(new Configuration(yarnCluster.getConfig()));
     yarnClient.start();
     String hostName = NetUtils.getHostname();
+
     boolean verified = false;
+    String errorMessage = "";
     while(!verified) {
       List<ApplicationReport> apps = yarnClient.getApplications();
       if (apps.size() == 0 ) {
@@ -177,15 +179,22 @@ public void run() {
         continue;
       }
       ApplicationReport appReport = apps.get(0);
-      if (appReport.getHost().startsWith(hostName)
-          && appReport.getRpcPort() == -1) {
+      if(appReport.getHost().equals("N/A")) {
+        Thread.sleep(10);
+        continue;
+      }
+      errorMessage =
+          "Expected host name to start with '" + hostName + "', was '"
+              + appReport.getHost() + "'. Expected rpc port to be '-1', was '"
+              + appReport.getRpcPort() + "'.";
+      if (checkHostname(appReport.getHost()) && appReport.getRpcPort() == -1) {
         verified = true;
       }
       if (appReport.getYarnApplicationState() == YarnApplicationState.FINISHED) {
         break;
       }
     }
-    Assert.assertTrue(verified);
+    Assert.assertTrue(errorMessage, verified);
     t.join();
     LOG.info("Client run completed. Result=" + result);
     Assert.assertTrue(result.get());
@@ -212,6 +221,64 @@ public void run() {
         .toString(), ApplicationMaster.DSEntity.DS_CONTAINER.toString());
   }
 
+  /*
+   * NetUtils.getHostname() returns a string in the form "hostname/ip".
+   * Sometimes the hostname we get is the FQDN and sometimes the short name. In
+   * addition, on machines with multiple network interfaces, it runs any one of
+   * the ips. The function below compares the returns values for
+   * NetUtils.getHostname() accounting for the conditions mentioned.
+   */
+  private boolean checkHostname(String appHostname) throws Exception {
+
+    String hostname = NetUtils.getHostname();
+    if (hostname.equals(appHostname)) {
+      return true;
+    }
+
+    Assert.assertTrue("Unknown format for hostname " + appHostname,
+      appHostname.contains("/"));
+    Assert.assertTrue("Unknown format for hostname " + hostname,
+      hostname.contains("/"));
+
+    String[] appHostnameParts = appHostname.split("/");
+    String[] hostnameParts = hostname.split("/");
+
+    return (compareFQDNs(appHostnameParts[0], hostnameParts[0]) && checkIPs(
+      hostnameParts[0], hostnameParts[1], appHostnameParts[1]));
+  }
+
+  private boolean compareFQDNs(String appHostname, String hostname)
+      throws Exception {
+    if (appHostname.equals(hostname)) {
+      return true;
+    }
+    String appFQDN = InetAddress.getByName(appHostname).getCanonicalHostName();
+    String localFQDN = InetAddress.getByName(hostname).getCanonicalHostName();
+    return appFQDN.equals(localFQDN);
+  }
+
+  private boolean checkIPs(String hostname, String localIP, String appIP)
+      throws Exception {
+
+    if (localIP.equals(appIP)) {
+      return true;
+    }
+    boolean appIPCheck = false;
+    boolean localIPCheck = false;
+    InetAddress[] addresses = InetAddress.getAllByName(hostname);
+    for (InetAddress ia : addresses) {
+      if (ia.getHostAddress().equals(appIP)) {
+        appIPCheck = true;
+        continue;
+      }
+      if (ia.getHostAddress().equals(localIP)) {
+        localIPCheck = true;
+      }
+    }
+    return (appIPCheck && localIPCheck);
+
+  }
+
   @Test(timeout=90000)
   public void testDSRestartWithPreviousRunningContainers() throws Exception {
     String[] args = {

From efc73a0f13c513a41156a4bb0b955e98775c66a4 Mon Sep 17 00:00:00 2001
From: Jing Zhao <jing9@apache.org>
Date: Wed, 6 Aug 2014 19:03:07 +0000
Subject: [PATCH 142/354] HDFS-6791. A block could remain under replicated if
 all of its replicas are on decommissioned nodes. Contributed by Ming Ma.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616306 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../server/blockmanagement/BlockManager.java  |  9 ++
 .../blockmanagement/BlockManagerTestUtil.java | 10 ++
 .../namenode/TestDecommissioningStatus.java   | 95 +++++++++++++++++--
 4 files changed, 109 insertions(+), 8 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index d657bfa7210..00bbae4ab04 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -449,6 +449,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6790. DFSUtil Should Use configuration.getPassword for SSL passwords
     (Larry McCay via brandonli)
 
+    HDFS-6791. A block could remain under replicated if all of its replicas are on
+    decommissioned nodes. (Ming Ma via jing9)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
index 190ca892a06..8046d8ad0cd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
@@ -3174,6 +3174,15 @@ boolean isReplicationInProgress(DatanodeDescriptor srcNode) {
         }
       }
     }
+
+    if (!status && !srcNode.isAlive) {
+      LOG.warn("srcNode " + srcNode + " is dead " +
+          "when decommission is in progress. Continue to mark " +
+          "it as decommission in progress. In that way, when it rejoins the " +
+          "cluster it can continue the decommission process.");
+      status = true;
+    }
+
     srcNode.decommissioningStatus.set(underReplicatedBlocks,
         decommissionOnlyReplicas, 
         underReplicatedInOpenFiles);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManagerTestUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManagerTestUtil.java
index 8ff716387ab..852c80b7801 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManagerTestUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManagerTestUtil.java
@@ -268,4 +268,14 @@ public static StorageReport[] getStorageReportsForDatanode(
     }
     return reports.toArray(StorageReport.EMPTY_ARRAY);
   }
+
+  /**
+   * Have DatanodeManager check decommission state.
+   * @param dm the DatanodeManager to manipulate
+   */
+  public static void checkDecommissionState(DatanodeManager dm,
+      DatanodeDescriptor node) {
+    dm.checkDecommissionState(node);
+  }
+
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDecommissioningStatus.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDecommissioningStatus.java
index b85dda19174..d01df75f794 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDecommissioningStatus.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDecommissioningStatus.java
@@ -31,19 +31,24 @@
 
 import org.apache.commons.io.output.ByteArrayOutputStream;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.BlockLocation;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.LocatedFileStatus;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.RemoteIterator;
 import org.apache.hadoop.hdfs.DFSClient;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.DFSTestUtil;
 import org.apache.hadoop.hdfs.DistributedFileSystem;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.MiniDFSCluster.DataNodeProperties;
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
+import org.apache.hadoop.hdfs.server.blockmanagement.BlockManagerTestUtil;
 import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeDescriptor;
 import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeManager;
 import org.apache.hadoop.hdfs.tools.DFSAdmin;
@@ -89,6 +94,8 @@ public static void setUp() throws Exception {
         4);
     conf.setInt(DFSConfigKeys.DFS_NAMENODE_REPLICATION_INTERVAL_KEY, 1000);
     conf.setInt(DFSConfigKeys.DFS_NAMENODE_DECOMMISSION_INTERVAL_KEY, 1);
+    conf.setLong(DFSConfigKeys.DFS_DATANODE_BALANCE_BANDWIDTHPERSEC_KEY, 1);
+
     writeConfigFile(localFileSys, excludeFile, null);
     writeConfigFile(localFileSys, includeFile, null);
 
@@ -99,6 +106,7 @@ public static void setUp() throws Exception {
 
   @AfterClass
   public static void tearDown() throws Exception {
+    if (localFileSys != null ) cleanupFile(localFileSys, dir);
     if(fileSys != null) fileSys.close();
     if(cluster != null) cluster.shutdown();
   }
@@ -138,7 +146,8 @@ private FSDataOutputStream writeIncompleteFile(FileSystem fileSys, Path name,
     return stm;
   }
   
-  private void cleanupFile(FileSystem fileSys, Path name) throws IOException {
+  static private void cleanupFile(FileSystem fileSys, Path name)
+      throws IOException {
     assertTrue(fileSys.exists(name));
     fileSys.delete(name, true);
     assertTrue(!fileSys.exists(name));
@@ -147,19 +156,26 @@ private void cleanupFile(FileSystem fileSys, Path name) throws IOException {
   /*
    * Decommissions the node at the given index
    */
-  private String decommissionNode(FSNamesystem namesystem,
-      DFSClient client, FileSystem localFileSys, int nodeIndex)
-      throws IOException {
+  private String decommissionNode(FSNamesystem namesystem, DFSClient client,
+      FileSystem localFileSys, int nodeIndex) throws IOException {
     DatanodeInfo[] info = client.datanodeReport(DatanodeReportType.LIVE);
 
     String nodename = info[nodeIndex].getXferAddr();
-    System.out.println("Decommissioning node: " + nodename);
+    decommissionNode(namesystem, localFileSys, nodename);
+    return nodename;
+  }
+
+  /*
+   * Decommissions the node by name
+   */
+  private void decommissionNode(FSNamesystem namesystem,
+      FileSystem localFileSys, String dnName) throws IOException {
+    System.out.println("Decommissioning node: " + dnName);
 
     // write nodename into the exclude file.
     ArrayList<String> nodes = new ArrayList<String>(decommissionedNodes);
-    nodes.add(nodename);
+    nodes.add(dnName);
     writeConfigFile(localFileSys, excludeFile, nodes);
-    return nodename;
   }
 
   private void checkDecommissionStatus(DatanodeDescriptor decommNode,
@@ -276,6 +292,69 @@ public void testDecommissionStatus() throws IOException, InterruptedException {
     st1.close();
     cleanupFile(fileSys, file1);
     cleanupFile(fileSys, file2);
-    cleanupFile(localFileSys, dir);
+  }
+
+  /**
+   * Verify a DN remains in DECOMMISSION_INPROGRESS state if it is marked
+   * as dead before decommission has completed. That will allow DN to resume
+   * the replication process after it rejoins the cluster.
+   */
+  @Test(timeout=120000)
+  public void testDecommissionStatusAfterDNRestart()
+      throws IOException, InterruptedException {
+    DistributedFileSystem fileSys =
+        (DistributedFileSystem)cluster.getFileSystem();
+
+    // Create a file with one block. That block has one replica.
+    Path f = new Path("decommission.dat");
+    DFSTestUtil.createFile(fileSys, f, fileSize, fileSize, fileSize,
+        (short)1, seed);
+
+    // Find the DN that owns the only replica.
+    RemoteIterator<LocatedFileStatus> fileList = fileSys.listLocatedStatus(f);
+    BlockLocation[] blockLocations = fileList.next().getBlockLocations();
+    String dnName = blockLocations[0].getNames()[0];
+
+    // Decommission the DN.
+    FSNamesystem fsn = cluster.getNamesystem();
+    final DatanodeManager dm = fsn.getBlockManager().getDatanodeManager();
+    decommissionNode(fsn, localFileSys, dnName);
+    dm.refreshNodes(conf);
+
+    // Stop the DN when decommission is in progress.
+    // Given DFS_DATANODE_BALANCE_BANDWIDTHPERSEC_KEY is to 1 and the size of
+    // the block, it will take much longer time that test timeout value for
+    // the decommission to complete. So when stopDataNode is called,
+    // decommission should be in progress.
+    DataNodeProperties dataNodeProperties = cluster.stopDataNode(dnName);
+    final List<DatanodeDescriptor> dead = new ArrayList<DatanodeDescriptor>();
+    while (true) {
+      dm.fetchDatanodes(null, dead, false);
+      if (dead.size() == 1) {
+        break;
+      }
+      Thread.sleep(1000);
+    }
+
+    // Force removal of the dead node's blocks.
+    BlockManagerTestUtil.checkHeartbeat(fsn.getBlockManager());
+
+    // Force DatanodeManager to check decommission state.
+    BlockManagerTestUtil.checkDecommissionState(dm, dead.get(0));
+
+    // Verify that the DN remains in DECOMMISSION_INPROGRESS state.
+    assertTrue("the node is in decommissioned state ",
+        !dead.get(0).isDecommissioned());
+
+    // Add the node back
+    cluster.restartDataNode(dataNodeProperties, true);
+    cluster.waitActive();
+
+    // Call refreshNodes on FSNamesystem with empty exclude file.
+    // This will remove the datanodes from decommissioning list and
+    // make them available again.
+    writeConfigFile(localFileSys, excludeFile, null);
+    dm.refreshNodes(conf);
+    cleanupFile(fileSys, f);
   }
 }

From 8feddc4c840f32c1853bc3d982cc790a9c5f42f2 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Thu, 7 Aug 2014 00:06:17 +0000
Subject: [PATCH 143/354] YARN-2359. Application hangs when it fails to launch
 AM container. (Zhihai Xu via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616375 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |  3 +++
 .../rmapp/attempt/RMAppAttemptImpl.java       |  8 +++++-
 .../attempt/TestRMAppAttemptTransitions.java  | 27 +++++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 1c84efbd7fb..f19921db70f 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -137,6 +137,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2374. Fixed TestDistributedShell#testDSShell failure due to hostname
     dismatch. (Varun Vasudev via jianhe)
 
+    YARN-2359. Application hangs when it fails to launch AM container. 
+    (Zhihai Xu via kasha)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
index 50a0755be62..a37a441f8a3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
@@ -217,7 +217,13 @@ RMAppAttemptEventType.RECOVER, new AttemptRecoveredTransition())
           RMAppAttemptEventType.KILL,
           new FinalSavingTransition(new BaseFinalTransition(
             RMAppAttemptState.KILLED), RMAppAttemptState.KILLED))
-          
+      .addTransition(RMAppAttemptState.SCHEDULED,
+          RMAppAttemptState.FINAL_SAVING,
+          RMAppAttemptEventType.CONTAINER_FINISHED,
+          new FinalSavingTransition(
+            new AMContainerCrashedBeforeRunningTransition(),
+            RMAppAttemptState.FAILED))
+
        // Transitions from ALLOCATED_SAVING State
       .addTransition(RMAppAttemptState.ALLOCATED_SAVING, 
           RMAppAttemptState.ALLOCATED,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
index 01a6973e69c..95dfb025e31 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
@@ -89,6 +89,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.Allocation;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerUtils;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.AppAttemptAddedSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEvent;
@@ -782,6 +783,32 @@ public void testScheduledToKilled() {
     testAppAttemptKilledState(null, EMPTY_DIAGNOSTICS);
   }
 
+  @Test
+  public void testAMCrashAtScheduled() {
+    // This is to test sending CONTAINER_FINISHED event at SCHEDULED state.
+    // Verify the state transition is correct.
+    scheduleApplicationAttempt();
+    ContainerStatus cs =
+        SchedulerUtils.createAbnormalContainerStatus(
+            BuilderUtils.newContainerId(
+                applicationAttempt.getAppAttemptId(), 1),
+            SchedulerUtils.LOST_CONTAINER);
+    // send CONTAINER_FINISHED event at SCHEDULED state,
+    // The state should be FINAL_SAVING with previous state SCHEDULED
+    applicationAttempt.handle(new RMAppAttemptContainerFinishedEvent(
+        applicationAttempt.getAppAttemptId(), cs));
+    // createApplicationAttemptState will return previous state (SCHEDULED),
+    // if the current state is FINAL_SAVING.
+    assertEquals(YarnApplicationAttemptState.SCHEDULED,
+        applicationAttempt.createApplicationAttemptState());
+    // send ATTEMPT_UPDATE_SAVED event,
+    // verify the state is changed to state FAILED.
+    sendAttemptUpdateSavedEvent(applicationAttempt);
+    assertEquals(RMAppAttemptState.FAILED,
+        applicationAttempt.getAppAttemptState());
+    verifyApplicationAttemptFinished(RMAppAttemptState.FAILED);
+  }
+
   @Test
   public void testAllocatedToKilled() {
     Container amContainer = allocateApplicationAttempt();

From be6360593b65019852c685d7975136c7cd2889ab Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Thu, 7 Aug 2014 05:36:50 +0000
Subject: [PATCH 144/354] YARN-2388. Fixed TestTimelineWebServices failure due
 to HADOOP-10791. Contributed by Zhijie Shen.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616405 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                                | 2 ++
 .../yarn/server/timeline/webapp/TestTimelineWebServices.java   | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index f19921db70f..a686a094917 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -140,6 +140,8 @@ Release 2.6.0 - UNRELEASED
     YARN-2359. Application hangs when it fails to launch AM container. 
     (Zhihai Xu via kasha)
 
+    YARN-2388. Fixed TestTimelineWebServices failure due to HADOOP-10791. (zjshen)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java
index b34197ca9be..2096bbb2060 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java
@@ -33,6 +33,7 @@
 import java.util.Set;
 
 import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.ws.rs.core.MediaType;
 
@@ -105,6 +106,8 @@ protected void configureServlets() {
           .thenReturn("simple");
       when(filterConfig.getInitParameter(
           PseudoAuthenticationHandler.ANONYMOUS_ALLOWED)).thenReturn("true");
+      ServletContext context = mock(ServletContext.class);
+      when(filterConfig.getServletContext()).thenReturn(context);
       Enumeration<Object> names = mock(Enumeration.class);
       when(names.hasMoreElements()).thenReturn(true, true, false);
       when(names.nextElement()).thenReturn(

From 83b9933db3349e6a6faf23bce35c9d4ce3f7bcf2 Mon Sep 17 00:00:00 2001
From: Tsz-wo Sze <szetszwo@apache.org>
Date: Thu, 7 Aug 2014 07:18:48 +0000
Subject: [PATCH 145/354] HDFS-6809. Move Balancer's inner classes MovedBlocks
 and Matcher as to standalone classes and separates KeyManager from
 NameNodeConnector.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616422 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   4 +
 .../hadoop/hdfs/server/balancer/Balancer.java | 188 ++++------------
 .../hdfs/server/balancer/KeyManager.java      | 173 +++++++++++++++
 .../hadoop/hdfs/server/balancer/Matcher.java  |  51 +++++
 .../hdfs/server/balancer/MovedBlocks.java     | 124 +++++++++++
 .../server/balancer/NameNodeConnector.java    | 209 ++++++------------
 6 files changed, 459 insertions(+), 290 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/KeyManager.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Matcher.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/MovedBlocks.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 00bbae4ab04..a84c320239d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -360,6 +360,10 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-6787. Remove duplicate code in FSDirectory#unprotectedConcat. (Yi Liu via umamahesh)
 
+    HDFS-6809. Move Balancer's inner classes MovedBlocks and Matcher as to
+    standalone classes and separates KeyManager from NameNodeConnector.
+    (szetszwo)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
index e5ff544ee75..33f7a0aacfa 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
@@ -58,6 +58,7 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.conf.Configured;
+import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.DFSUtil;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
@@ -85,7 +86,6 @@
 import org.apache.hadoop.io.IOUtils;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.net.NetworkTopology;
-import org.apache.hadoop.net.Node;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.util.HostsFileReader;
 import org.apache.hadoop.util.StringUtils;
@@ -195,10 +195,12 @@
 @InterfaceAudience.Private
 public class Balancer {
   static final Log LOG = LogFactory.getLog(Balancer.class);
-  final private static long GB = 1L << 30; //1GB
-  final private static long MAX_SIZE_TO_MOVE = 10*GB;
-  final private static long MAX_BLOCKS_SIZE_TO_FETCH = 2*GB;
-  private static long WIN_WIDTH = 5400*1000L; // 1.5 hour
+
+  private static final Path BALANCER_ID_PATH = new Path("/system/balancer.id");
+
+  private static final long GB = 1L << 30; //1GB
+  private static final long MAX_SIZE_TO_MOVE = 10*GB;
+  private static final long MAX_BLOCKS_SIZE_TO_FETCH = 2*GB;
 
   /** The maximum number of concurrent blocks moves for 
    * balancing purpose at a datanode
@@ -219,6 +221,8 @@ public class Balancer {
       + "\tIncludes only the specified datanodes.";
   
   private final NameNodeConnector nnc;
+  private final KeyManager keyManager;
+
   private final BalancingPolicy policy;
   private final SaslDataTransferClient saslClient;
   private final double threshold;
@@ -241,7 +245,8 @@ public class Balancer {
   
   private final Map<Block, BalancerBlock> globalBlockList
                  = new HashMap<Block, BalancerBlock>();
-  private final MovedBlocks movedBlocks = new MovedBlocks();
+  private final MovedBlocks<BalancerDatanode.StorageGroup> movedBlocks;
+
   /** Map (datanodeUuid,storageType -> StorageGroup) */
   private final StorageGroupMap storageGroupMap = new StorageGroupMap();
   
@@ -326,7 +331,7 @@ private boolean markMovedIfGoodBlock(BalancerBlock block) {
           if (isGoodBlockCandidate(source, target, block)) {
             this.block = block;
             if ( chooseProxySource() ) {
-              movedBlocks.add(block);
+              movedBlocks.put(block);
               if (LOG.isDebugEnabled()) {
                 LOG.debug("Decided to move " + this);
               }
@@ -399,10 +404,10 @@ private void dispatch() {
         
         OutputStream unbufOut = sock.getOutputStream();
         InputStream unbufIn = sock.getInputStream();
-        ExtendedBlock eb = new ExtendedBlock(nnc.blockpoolID, block.getBlock());
-        Token<BlockTokenIdentifier> accessToken = nnc.getAccessToken(eb);
+        ExtendedBlock eb = new ExtendedBlock(nnc.getBlockpoolID(), block.getBlock());
+        Token<BlockTokenIdentifier> accessToken = keyManager.getAccessToken(eb);
         IOStreamPair saslStreams = saslClient.socketSend(sock, unbufOut,
-          unbufIn, nnc, accessToken, target.getDatanode());
+          unbufIn, keyManager, accessToken, target.getDatanode());
         unbufOut = saslStreams.out;
         unbufIn = saslStreams.in;
         out = new DataOutputStream(new BufferedOutputStream(unbufOut,
@@ -483,47 +488,9 @@ public void run() {
   }
   
   /* A class for keeping track of blocks in the Balancer */
-  static private class BalancerBlock {
-    private final Block block; // the block
-    /** The locations of the replicas of the block. */
-    private final List<BalancerDatanode.StorageGroup> locations
-        = new ArrayList<BalancerDatanode.StorageGroup>(3);
-    
-    /* Constructor */
-    private BalancerBlock(Block block) {
-      this.block = block;
-    }
-    
-    /* clean block locations */
-    private synchronized void clearLocations() {
-      locations.clear();
-    }
-    
-    /* add a location */
-    private synchronized void addLocation(BalancerDatanode.StorageGroup g) {
-      if (!locations.contains(g)) {
-        locations.add(g);
-      }
-    }
-    
-    /** @return if the block is located on the given storage group. */
-    private synchronized boolean isLocatedOn(BalancerDatanode.StorageGroup g) {
-      return locations.contains(g);
-    }
-    
-    /* Return its locations */
-    private synchronized List<BalancerDatanode.StorageGroup> getLocations() {
-      return locations;
-    }
-    
-    /* Return the block */
-    private Block getBlock() {
-      return block;
-    }
-    
-    /* Return the length of the block */
-    private long getNumBytes() {
-      return block.getNumBytes();
+  static class BalancerBlock extends MovedBlocks.Locations<BalancerDatanode.StorageGroup> {
+    BalancerBlock(Block block) {
+      super(block);
     }
   }
   
@@ -735,7 +702,7 @@ private Iterator<BalancerBlock> getBlockIterator() {
      */
     private long getBlockList() throws IOException {
       final long size = Math.min(MAX_BLOCKS_SIZE_TO_FETCH, blocksToReceive);
-      final BlockWithLocations[] newBlocks = nnc.namenode.getBlocks(
+      final BlockWithLocations[] newBlocks = nnc.getNamenode().getBlocks(
           getDatanode(), size).getBlocks();
 
       long bytesReceived = 0;
@@ -819,7 +786,7 @@ private PendingBlockMove chooseNextBlockToMove() {
     private void filterMovedBlocks() {
       for (Iterator<BalancerBlock> blocks=getBlockIterator();
             blocks.hasNext();) {
-        if (movedBlocks.contains(blocks.next())) {
+        if (movedBlocks.contains(blocks.next().getBlock())) {
           blocks.remove();
         }
       }
@@ -925,6 +892,13 @@ private static void checkReplicationPolicyCompatibility(Configuration conf
     this.nodesToBeExcluded = p.nodesToBeExcluded;
     this.nodesToBeIncluded = p.nodesToBeIncluded;
     this.nnc = theblockpool;
+    this.keyManager = nnc.getKeyManager();
+    
+    final long movedWinWidth = conf.getLong(
+        DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_KEY, 
+        DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_DEFAULT);
+    movedBlocks = new MovedBlocks<BalancerDatanode.StorageGroup>(movedWinWidth);
+
     cluster = NetworkTopology.getInstance(conf);
 
     this.moverExecutor = Executors.newFixedThreadPool(
@@ -1094,36 +1068,6 @@ void logUtilizationCollection(String name, Collection<T> items) {
     LOG.info(items.size() + " " + name + ": " + items);
   }
 
-  /** A matcher interface for matching nodes. */
-  private interface Matcher {
-    /** Given the cluster topology, does the left node match the right node? */
-    boolean match(NetworkTopology cluster, Node left,  Node right);
-  }
-
-  /** Match datanodes in the same node group. */
-  static final Matcher SAME_NODE_GROUP = new Matcher() {
-    @Override
-    public boolean match(NetworkTopology cluster, Node left, Node right) {
-      return cluster.isOnSameNodeGroup(left, right);
-    }
-  };
-
-  /** Match datanodes in the same rack. */
-  static final Matcher SAME_RACK = new Matcher() {
-    @Override
-    public boolean match(NetworkTopology cluster, Node left, Node right) {
-      return cluster.isOnSameRack(left, right);
-    }
-  };
-
-  /** Match any datanode with any other datanode. */
-  static final Matcher ANY_OTHER = new Matcher() {
-    @Override
-    public boolean match(NetworkTopology cluster, Node left, Node right) {
-      return left != right;
-    }
-  };
-
   /**
    * Decide all <source, target> pairs and
    * the number of bytes to move from a source to a target
@@ -1134,13 +1078,13 @@ public boolean match(NetworkTopology cluster, Node left, Node right) {
   private long chooseStorageGroups() {
     // First, match nodes on the same node group if cluster is node group aware
     if (cluster.isNodeGroupAware()) {
-      chooseStorageGroups(SAME_NODE_GROUP);
+      chooseStorageGroups(Matcher.SAME_NODE_GROUP);
     }
     
     // Then, match nodes on the same rack
-    chooseStorageGroups(SAME_RACK);
+    chooseStorageGroups(Matcher.SAME_RACK);
     // At last, match all remaining nodes
-    chooseStorageGroups(ANY_OTHER);
+    chooseStorageGroups(Matcher.ANY_OTHER);
     
     Preconditions.checkState(storageGroupMap.size() >= sources.size() + targets.size(),
         "Mismatched number of datanodes (" + storageGroupMap.size() + " < "
@@ -1307,56 +1251,6 @@ private void waitForMoveCompletion() {
     } while (shouldWait);
   }
 
-  /** This window makes sure to keep blocks that have been moved within 1.5 hour.
-   * Old window has blocks that are older;
-   * Current window has blocks that are more recent;
-   * Cleanup method triggers the check if blocks in the old window are
-   * more than 1.5 hour old. If yes, purge the old window and then
-   * move blocks in current window to old window.
-   */ 
-  private static class MovedBlocks {
-    private long lastCleanupTime = Time.now();
-    final private static int CUR_WIN = 0;
-    final private static int OLD_WIN = 1;
-    final private static int NUM_WINS = 2;
-    final private List<HashMap<Block, BalancerBlock>> movedBlocks = 
-      new ArrayList<HashMap<Block, BalancerBlock>>(NUM_WINS);
-    
-    /* initialize the moved blocks collection */
-    private MovedBlocks() {
-      movedBlocks.add(new HashMap<Block,BalancerBlock>());
-      movedBlocks.add(new HashMap<Block,BalancerBlock>());
-    }
-
-    /* add a block thus marking a block to be moved */
-    synchronized private void add(BalancerBlock block) {
-      movedBlocks.get(CUR_WIN).put(block.getBlock(), block);
-    }
-
-    /* check if a block is marked as moved */
-    synchronized private boolean contains(BalancerBlock block) {
-      return contains(block.getBlock());
-    }
-
-    /* check if a block is marked as moved */
-    synchronized private boolean contains(Block block) {
-      return movedBlocks.get(CUR_WIN).containsKey(block) ||
-        movedBlocks.get(OLD_WIN).containsKey(block);
-    }
-
-    /* remove old blocks */
-    synchronized private void cleanup() {
-      long curTime = Time.now();
-      // check if old win is older than winWidth
-      if (lastCleanupTime + WIN_WIDTH <= curTime) {
-        // purge the old window
-        movedBlocks.set(OLD_WIN, movedBlocks.get(CUR_WIN));
-        movedBlocks.set(CUR_WIN, new HashMap<Block, BalancerBlock>());
-        lastCleanupTime = curTime;
-      }
-    }
-  }
-
   /* Decide if it is OK to move the given block from source to target
    * A block is a good candidate if
    * 1. the block is not in the process of being moved/has not been moved;
@@ -1369,7 +1263,7 @@ private boolean isGoodBlockCandidate(Source source,
       return false;
     }
     // check if the block is moved or not
-    if (movedBlocks.contains(block)) {
+    if (movedBlocks.contains(block.getBlock())) {
       return false;
     }
     if (block.isLocatedOn(target)) {
@@ -1387,7 +1281,7 @@ private boolean isGoodBlockCandidate(Source source,
     } else {
       boolean notOnSameRack = true;
       synchronized (block) {
-        for (BalancerDatanode.StorageGroup loc : block.locations) {
+        for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
           if (cluster.isOnSameRack(loc.getDatanode(), target.getDatanode())) {
             notOnSameRack = false;
             break;
@@ -1399,7 +1293,7 @@ private boolean isGoodBlockCandidate(Source source,
         goodBlock = true;
       } else {
         // good if source is on the same rack as on of the replicas
-        for (BalancerDatanode.StorageGroup loc : block.locations) {
+        for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
           if (loc != source && 
               cluster.isOnSameRack(loc.getDatanode(), source.getDatanode())) {
             goodBlock = true;
@@ -1425,7 +1319,7 @@ private boolean isGoodBlockCandidate(Source source,
   private boolean isOnSameNodeGroupWithReplicas(BalancerDatanode.StorageGroup target,
       BalancerBlock block, Source source) {
     final DatanodeInfo targetDn = target.getDatanode();
-    for (BalancerDatanode.StorageGroup loc : block.locations) {
+    for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
       if (loc != source && 
           cluster.isOnSameNodeGroup(loc.getDatanode(), targetDn)) {
         return true;
@@ -1489,7 +1383,7 @@ private ReturnStatus run(int iteration, Formatter formatter,
        * decide the number of bytes need to be moved
        */
       final long bytesLeftToMove = init(
-          nnc.client.getDatanodeStorageReport(DatanodeReportType.LIVE));
+          nnc.getClient().getDatanodeStorageReport(DatanodeReportType.LIVE));
       if (bytesLeftToMove == 0) {
         System.out.println("The cluster is balanced. Exiting...");
         return ReturnStatus.SUCCESS;
@@ -1558,8 +1452,8 @@ static int run(Collection<URI> namenodes, final Parameters p,
     final long sleeptime = 2000*conf.getLong(
         DFSConfigKeys.DFS_HEARTBEAT_INTERVAL_KEY,
         DFSConfigKeys.DFS_HEARTBEAT_INTERVAL_DEFAULT);
-    LOG.info("namenodes = " + namenodes);
-    LOG.info("p         = " + p);
+    LOG.info("namenodes  = " + namenodes);
+    LOG.info("parameters = " + p);
     
     final Formatter formatter = new Formatter(System.out);
     System.out.println("Time Stamp               Iteration#  Bytes Already Moved  Bytes Left To Move  Bytes Being Moved");
@@ -1568,7 +1462,10 @@ static int run(Collection<URI> namenodes, final Parameters p,
         = new ArrayList<NameNodeConnector>(namenodes.size());
     try {
       for (URI uri : namenodes) {
-        connectors.add(new NameNodeConnector(uri, conf));
+        final NameNodeConnector nnc = new NameNodeConnector(
+            Balancer.class.getSimpleName(), uri, BALANCER_ID_PATH, conf);
+        nnc.getKeyManager().startBlockKeyUpdater();
+        connectors.add(nnc);
       }
     
       boolean done = false;
@@ -1730,9 +1627,6 @@ static class Cli extends Configured implements Tool {
     public int run(String[] args) {
       final long startTime = Time.now();
       final Configuration conf = getConf();
-      WIN_WIDTH = conf.getLong(
-          DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_KEY, 
-          DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_DEFAULT);
 
       try {
         checkReplicationPolicyCompatibility(conf);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/KeyManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/KeyManager.java
new file mode 100644
index 00000000000..2ac8f483ee2
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/KeyManager.java
@@ -0,0 +1,173 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.server.balancer;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.util.EnumSet;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
+import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataEncryptionKeyFactory;
+import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.block.BlockTokenSecretManager;
+import org.apache.hadoop.hdfs.security.token.block.BlockTokenSecretManager.AccessMode;
+import org.apache.hadoop.hdfs.security.token.block.DataEncryptionKey;
+import org.apache.hadoop.hdfs.security.token.block.ExportedBlockKeys;
+import org.apache.hadoop.hdfs.server.protocol.NamenodeProtocol;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.util.Daemon;
+import org.apache.hadoop.util.StringUtils;
+
+/**
+ * The class provides utilities for key and token management.
+ */
+@InterfaceAudience.Private
+public class KeyManager implements Closeable, DataEncryptionKeyFactory {
+  private static final Log LOG = LogFactory.getLog(KeyManager.class);
+
+  private final NamenodeProtocol namenode;
+
+  private final boolean isBlockTokenEnabled;
+  private final boolean encryptDataTransfer;
+  private boolean shouldRun;
+
+  private final BlockTokenSecretManager blockTokenSecretManager;
+  private final BlockKeyUpdater blockKeyUpdater;
+  private DataEncryptionKey encryptionKey;
+
+  public KeyManager(String blockpoolID, NamenodeProtocol namenode,
+      boolean encryptDataTransfer, Configuration conf) throws IOException {
+    this.namenode = namenode;
+    this.encryptDataTransfer = encryptDataTransfer;
+
+    final ExportedBlockKeys keys = namenode.getBlockKeys();
+    this.isBlockTokenEnabled = keys.isBlockTokenEnabled();
+    if (isBlockTokenEnabled) {
+      long updateInterval = keys.getKeyUpdateInterval();
+      long tokenLifetime = keys.getTokenLifetime();
+      LOG.info("Block token params received from NN: update interval="
+          + StringUtils.formatTime(updateInterval)
+          + ", token lifetime=" + StringUtils.formatTime(tokenLifetime));
+      String encryptionAlgorithm = conf.get(
+          DFSConfigKeys.DFS_DATA_ENCRYPTION_ALGORITHM_KEY);
+      this.blockTokenSecretManager = new BlockTokenSecretManager(
+          updateInterval, tokenLifetime, blockpoolID, encryptionAlgorithm);
+      this.blockTokenSecretManager.addKeys(keys);
+
+      // sync block keys with NN more frequently than NN updates its block keys
+      this.blockKeyUpdater = new BlockKeyUpdater(updateInterval / 4);
+      this.shouldRun = true;
+    } else {
+      this.blockTokenSecretManager = null;
+      this.blockKeyUpdater = null;
+    }
+  }
+  
+  public void startBlockKeyUpdater() {
+    if (blockKeyUpdater != null) {
+      blockKeyUpdater.daemon.start();
+    }
+  }
+
+  /** Get an access token for a block. */
+  public Token<BlockTokenIdentifier> getAccessToken(ExtendedBlock eb
+      ) throws IOException {
+    if (!isBlockTokenEnabled) {
+      return BlockTokenSecretManager.DUMMY_TOKEN;
+    } else {
+      if (!shouldRun) {
+        throw new IOException(
+            "Cannot get access token since BlockKeyUpdater is not running");
+      }
+      return blockTokenSecretManager.generateToken(null, eb,
+          EnumSet.of(AccessMode.REPLACE, AccessMode.COPY));
+    }
+  }
+
+  @Override
+  public DataEncryptionKey newDataEncryptionKey() {
+    if (encryptDataTransfer) {
+      synchronized (this) {
+        if (encryptionKey == null) {
+          encryptionKey = blockTokenSecretManager.generateDataEncryptionKey();
+        }
+        return encryptionKey;
+      }
+    } else {
+      return null;
+    }
+  }
+
+  @Override
+  public void close() {
+    shouldRun = false;
+    try {
+      if (blockKeyUpdater != null) {
+        blockKeyUpdater.daemon.interrupt();
+      }
+    } catch(Exception e) {
+      LOG.warn("Exception shutting down access key updater thread", e);
+    }
+  }
+
+  /**
+   * Periodically updates access keys.
+   */
+  class BlockKeyUpdater implements Runnable, Closeable {
+    private final Daemon daemon = new Daemon(this);
+    private final long sleepInterval;
+
+    BlockKeyUpdater(final long sleepInterval) {
+      this.sleepInterval = sleepInterval;
+      LOG.info("Update block keys every " + StringUtils.formatTime(sleepInterval));
+    }
+
+    @Override
+    public void run() {
+      try {
+        while (shouldRun) {
+          try {
+            blockTokenSecretManager.addKeys(namenode.getBlockKeys());
+          } catch (IOException e) {
+            LOG.error("Failed to set keys", e);
+          }
+          Thread.sleep(sleepInterval);
+        }
+      } catch (InterruptedException e) {
+        LOG.debug("InterruptedException in block key updater thread", e);
+      } catch (Throwable e) {
+        LOG.error("Exception in block key updater thread", e);
+        shouldRun = false;
+      }
+    }
+
+    @Override
+    public void close() throws IOException {
+      try {
+        daemon.interrupt();
+      } catch(Exception e) {
+        LOG.warn("Exception shutting down key updater thread", e);
+      }
+    }
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Matcher.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Matcher.java
new file mode 100644
index 00000000000..54febc6fee7
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Matcher.java
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.server.balancer;
+
+import org.apache.hadoop.net.NetworkTopology;
+import org.apache.hadoop.net.Node;
+
+/** A matcher interface for matching nodes. */
+public interface Matcher {
+  /** Given the cluster topology, does the left node match the right node? */
+  public boolean match(NetworkTopology cluster, Node left,  Node right);
+
+  /** Match datanodes in the same node group. */
+  public static final Matcher SAME_NODE_GROUP = new Matcher() {
+    @Override
+    public boolean match(NetworkTopology cluster, Node left, Node right) {
+      return cluster.isOnSameNodeGroup(left, right);
+    }
+  };
+
+  /** Match datanodes in the same rack. */
+  public static final Matcher SAME_RACK = new Matcher() {
+    @Override
+    public boolean match(NetworkTopology cluster, Node left, Node right) {
+      return cluster.isOnSameRack(left, right);
+    }
+  };
+
+  /** Match any datanode with any other datanode. */
+  public static final Matcher ANY_OTHER = new Matcher() {
+    @Override
+    public boolean match(NetworkTopology cluster, Node left, Node right) {
+      return left != right;
+    }
+  };
+}
\ No newline at end of file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/MovedBlocks.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/MovedBlocks.java
new file mode 100644
index 00000000000..557bfd36ab0
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/MovedBlocks.java
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.server.balancer;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.hadoop.hdfs.protocol.Block;
+import org.apache.hadoop.util.Time;
+
+/**
+ * This window makes sure to keep blocks that have been moved within a fixed
+ * time interval (default is 1.5 hour). Old window has blocks that are older;
+ * Current window has blocks that are more recent; Cleanup method triggers the
+ * check if blocks in the old window are more than the fixed time interval. If
+ * yes, purge the old window and then move blocks in current window to old
+ * window.
+ * 
+ * @param <L> Location type
+ */
+public class MovedBlocks<L> {
+  /** A class for keeping track of a block and its locations */
+  public static class Locations<L> {
+    private final Block block; // the block
+    /** The locations of the replicas of the block. */
+    private final List<L> locations = new ArrayList<L>(3);
+    
+    public Locations(Block block) {
+      this.block = block;
+    }
+    
+    /** clean block locations */
+    public synchronized void clearLocations() {
+      locations.clear();
+    }
+    
+    /** add a location */
+    public synchronized void addLocation(L loc) {
+      if (!locations.contains(loc)) {
+        locations.add(loc);
+      }
+    }
+    
+    /** @return if the block is located on the given location. */
+    public synchronized boolean isLocatedOn(L loc) {
+      return locations.contains(loc);
+    }
+    
+    /** @return its locations */
+    public synchronized List<L> getLocations() {
+      return locations;
+    }
+    
+    /* @return the block */
+    public Block getBlock() {
+      return block;
+    }
+    
+    /* Return the length of the block */
+    public long getNumBytes() {
+      return block.getNumBytes();
+    }
+  }
+
+  private static final int CUR_WIN = 0;
+  private static final int OLD_WIN = 1;
+  private static final int NUM_WINS = 2;
+
+  private final long winTimeInterval;
+  private long lastCleanupTime = Time.monotonicNow();
+  private final List<Map<Block, Locations<L>>> movedBlocks
+      = new ArrayList<Map<Block, Locations<L>>>(NUM_WINS);
+  
+  /** initialize the moved blocks collection */
+  public MovedBlocks(long winTimeInterval) {
+    this.winTimeInterval = winTimeInterval;
+    movedBlocks.add(newMap());
+    movedBlocks.add(newMap());
+  }
+
+  private Map<Block, Locations<L>> newMap() {
+    return new HashMap<Block, Locations<L>>();
+  }
+
+  /** add a block thus marking a block to be moved */
+  public synchronized void put(Locations<L> block) {
+    movedBlocks.get(CUR_WIN).put(block.getBlock(), block);
+  }
+
+  /** @return if a block is marked as moved */
+  public synchronized boolean contains(Block block) {
+    return movedBlocks.get(CUR_WIN).containsKey(block) ||
+      movedBlocks.get(OLD_WIN).containsKey(block);
+  }
+
+  /** remove old blocks */
+  public synchronized void cleanup() {
+    long curTime = Time.monotonicNow();
+    // check if old win is older than winWidth
+    if (lastCleanupTime + winTimeInterval <= curTime) {
+      // purge the old window
+      movedBlocks.set(OLD_WIN, movedBlocks.get(CUR_WIN));
+      movedBlocks.set(CUR_WIN, newMap());
+      lastCleanupTime = curTime;
+    }
+  }
+}
\ No newline at end of file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/NameNodeConnector.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/NameNodeConnector.java
index fb322763d76..3d1c4e6946f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/NameNodeConnector.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/NameNodeConnector.java
@@ -17,113 +17,96 @@
  */
 package org.apache.hadoop.hdfs.server.balancer;
 
+import java.io.Closeable;
 import java.io.DataOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.net.InetAddress;
 import java.net.URI;
-import java.util.EnumSet;
 
 import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FsServerDefaults;
 import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.NameNodeProxies;
 import org.apache.hadoop.hdfs.protocol.AlreadyBeingCreatedException;
 import org.apache.hadoop.hdfs.protocol.ClientProtocol;
-import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
-import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataEncryptionKeyFactory;
-import org.apache.hadoop.hdfs.security.token.block.DataEncryptionKey;
-import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
-import org.apache.hadoop.hdfs.security.token.block.BlockTokenSecretManager;
-import org.apache.hadoop.hdfs.security.token.block.ExportedBlockKeys;
 import org.apache.hadoop.hdfs.server.protocol.NamenodeProtocol;
 import org.apache.hadoop.hdfs.server.protocol.NamespaceInfo;
 import org.apache.hadoop.io.IOUtils;
 import org.apache.hadoop.ipc.RemoteException;
-import org.apache.hadoop.security.token.Token;
-import org.apache.hadoop.util.Daemon;
 
 /**
- * The class provides utilities for {@link Balancer} to access a NameNode
+ * The class provides utilities for accessing a NameNode.
  */
 @InterfaceAudience.Private
-class NameNodeConnector implements DataEncryptionKeyFactory {
-  private static final Log LOG = Balancer.LOG;
-  private static final Path BALANCER_ID_PATH = new Path("/system/balancer.id");
+public class NameNodeConnector implements Closeable {
+  private static final Log LOG = LogFactory.getLog(NameNodeConnector.class);
+
   private static final int MAX_NOT_CHANGED_ITERATIONS = 5;
 
-  final URI nameNodeUri;
-  final String blockpoolID;
+  private final URI nameNodeUri;
+  private final String blockpoolID;
 
-  final NamenodeProtocol namenode;
-  final ClientProtocol client;
-  final FileSystem fs;
-  final OutputStream out;
+  private final NamenodeProtocol namenode;
+  private final ClientProtocol client;
+  private final KeyManager keyManager;
+
+  private final FileSystem fs;
+  private final Path idPath;
+  private final OutputStream out;
 
-  private final boolean isBlockTokenEnabled;
-  private final boolean encryptDataTransfer;
-  private boolean shouldRun;
-  private long keyUpdaterInterval;
-  // used for balancer
   private int notChangedIterations = 0;
-  private BlockTokenSecretManager blockTokenSecretManager;
-  private Daemon keyupdaterthread; // AccessKeyUpdater thread
-  private DataEncryptionKey encryptionKey;
 
-  NameNodeConnector(URI nameNodeUri,
+  public NameNodeConnector(String name, URI nameNodeUri, Path idPath,
       Configuration conf) throws IOException {
     this.nameNodeUri = nameNodeUri;
+    this.idPath = idPath;
     
-    this.namenode =
-      NameNodeProxies.createProxy(conf, nameNodeUri, NamenodeProtocol.class)
-        .getProxy();
-    this.client =
-      NameNodeProxies.createProxy(conf, nameNodeUri, ClientProtocol.class)
-        .getProxy();
+    this.namenode = NameNodeProxies.createProxy(conf, nameNodeUri,
+        NamenodeProtocol.class).getProxy();
+    this.client = NameNodeProxies.createProxy(conf, nameNodeUri,
+        ClientProtocol.class).getProxy();
     this.fs = FileSystem.get(nameNodeUri, conf);
 
     final NamespaceInfo namespaceinfo = namenode.versionRequest();
     this.blockpoolID = namespaceinfo.getBlockPoolID();
 
-    final ExportedBlockKeys keys = namenode.getBlockKeys();
-    this.isBlockTokenEnabled = keys.isBlockTokenEnabled();
-    if (isBlockTokenEnabled) {
-      long blockKeyUpdateInterval = keys.getKeyUpdateInterval();
-      long blockTokenLifetime = keys.getTokenLifetime();
-      LOG.info("Block token params received from NN: keyUpdateInterval="
-          + blockKeyUpdateInterval / (60 * 1000) + " min(s), tokenLifetime="
-          + blockTokenLifetime / (60 * 1000) + " min(s)");
-      String encryptionAlgorithm = conf.get(
-          DFSConfigKeys.DFS_DATA_ENCRYPTION_ALGORITHM_KEY);
-      this.blockTokenSecretManager = new BlockTokenSecretManager(
-          blockKeyUpdateInterval, blockTokenLifetime, blockpoolID,
-          encryptionAlgorithm);
-      this.blockTokenSecretManager.addKeys(keys);
-      /*
-       * Balancer should sync its block keys with NN more frequently than NN
-       * updates its block keys
-       */
-      this.keyUpdaterInterval = blockKeyUpdateInterval / 4;
-      LOG.info("Balancer will update its block keys every "
-          + keyUpdaterInterval / (60 * 1000) + " minute(s)");
-      this.keyupdaterthread = new Daemon(new BlockKeyUpdater());
-      this.shouldRun = true;
-      this.keyupdaterthread.start();
-    }
-    this.encryptDataTransfer = fs.getServerDefaults(new Path("/"))
-        .getEncryptDataTransfer();
-    // Check if there is another balancer running.
+    final FsServerDefaults defaults = fs.getServerDefaults(new Path("/"));
+    this.keyManager = new KeyManager(blockpoolID, namenode,
+        defaults.getEncryptDataTransfer(), conf);
     // Exit if there is another one running.
-    out = checkAndMarkRunningBalancer(); 
+    out = checkAndMarkRunning(); 
     if (out == null) {
-      throw new IOException("Another balancer is running");
+      throw new IOException("Another " + name + " is running.");
     }
   }
 
-  boolean shouldContinue(long dispatchBlockMoveBytes) {
+  /** @return the block pool ID */
+  public String getBlockpoolID() {
+    return blockpoolID;
+  }
+
+  /** @return the namenode proxy. */
+  public NamenodeProtocol getNamenode() {
+    return namenode;
+  }
+
+  /** @return the client proxy. */
+  public ClientProtocol getClient() {
+    return client;
+  }
+
+  /** @return the key manager */
+  public KeyManager getKeyManager() {
+    return keyManager;
+  }
+
+  /** Should the instance continue running? */
+  public boolean shouldContinue(long dispatchBlockMoveBytes) {
     if (dispatchBlockMoveBytes > 0) {
       notChangedIterations = 0;
     } else {
@@ -137,53 +120,25 @@ boolean shouldContinue(long dispatchBlockMoveBytes) {
     return true;
   }
   
-  /** Get an access token for a block. */
-  Token<BlockTokenIdentifier> getAccessToken(ExtendedBlock eb
-      ) throws IOException {
-    if (!isBlockTokenEnabled) {
-      return BlockTokenSecretManager.DUMMY_TOKEN;
-    } else {
-      if (!shouldRun) {
-        throw new IOException(
-            "Can not get access token. BlockKeyUpdater is not running");
-      }
-      return blockTokenSecretManager.generateToken(null, eb,
-          EnumSet.of(BlockTokenSecretManager.AccessMode.REPLACE,
-          BlockTokenSecretManager.AccessMode.COPY));
-    }
-  }
 
-  @Override
-  public DataEncryptionKey newDataEncryptionKey() {
-    if (encryptDataTransfer) {
-      synchronized (this) {
-        if (encryptionKey == null) {
-          encryptionKey = blockTokenSecretManager.generateDataEncryptionKey();
-        }
-        return encryptionKey;
-      }
-    } else {
-      return null;
-    }
-  }
-
-  /* The idea for making sure that there is no more than one balancer
+  /**
+   * The idea for making sure that there is no more than one instance
    * running in an HDFS is to create a file in the HDFS, writes the hostname
-   * of the machine on which the balancer is running to the file, but did not
-   * close the file until the balancer exits. 
-   * This prevents the second balancer from running because it can not
+   * of the machine on which the instance is running to the file, but did not
+   * close the file until it exits. 
+   * 
+   * This prevents the second instance from running because it can not
    * creates the file while the first one is running.
    * 
-   * This method checks if there is any running balancer and 
-   * if no, mark yes if no.
+   * This method checks if there is any running instance. If no, mark yes.
    * Note that this is an atomic operation.
    * 
-   * Return null if there is a running balancer; otherwise the output stream
-   * to the newly created file.
+   * @return null if there is a running instance;
+   *         otherwise, the output stream to the newly created file.
    */
-  private OutputStream checkAndMarkRunningBalancer() throws IOException {
+  private OutputStream checkAndMarkRunning() throws IOException {
     try {
-      final DataOutputStream out = fs.create(BALANCER_ID_PATH);
+      final DataOutputStream out = fs.create(idPath);
       out.writeBytes(InetAddress.getLocalHost().getHostName());
       out.flush();
       return out;
@@ -196,24 +151,17 @@ private OutputStream checkAndMarkRunningBalancer() throws IOException {
     }
   }
 
-  /** Close the connection. */
-  void close() {
-    shouldRun = false;
-    try {
-      if (keyupdaterthread != null) {
-        keyupdaterthread.interrupt();
-      }
-    } catch(Exception e) {
-      LOG.warn("Exception shutting down access key updater thread", e);
-    }
+  @Override
+  public void close() {
+    keyManager.close();
 
     // close the output file
     IOUtils.closeStream(out); 
     if (fs != null) {
       try {
-        fs.delete(BALANCER_ID_PATH, true);
+        fs.delete(idPath, true);
       } catch(IOException ioe) {
-        LOG.warn("Failed to delete " + BALANCER_ID_PATH, ioe);
+        LOG.warn("Failed to delete " + idPath, ioe);
       }
     }
   }
@@ -221,31 +169,6 @@ void close() {
   @Override
   public String toString() {
     return getClass().getSimpleName() + "[namenodeUri=" + nameNodeUri
-        + ", id=" + blockpoolID
-        + "]";
-  }
-
-  /**
-   * Periodically updates access keys.
-   */
-  class BlockKeyUpdater implements Runnable {
-    @Override
-    public void run() {
-      try {
-        while (shouldRun) {
-          try {
-            blockTokenSecretManager.addKeys(namenode.getBlockKeys());
-          } catch (IOException e) {
-            LOG.error("Failed to set keys", e);
-          }
-          Thread.sleep(keyUpdaterInterval);
-        }
-      } catch (InterruptedException e) {
-        LOG.debug("InterruptedException in block key updater thread", e);
-      } catch (Throwable e) {
-        LOG.error("Exception in block key updater thread", e);
-        shouldRun = false;
-      }
-    }
+        + ", bpid=" + blockpoolID + "]";
   }
 }

From 0ed8732feef9f4027e9fc95b6d4852444c1f3426 Mon Sep 17 00:00:00 2001
From: Tsz-wo Sze <szetszwo@apache.org>
Date: Thu, 7 Aug 2014 07:30:53 +0000
Subject: [PATCH 146/354] HDFS-6812. Remove addBlock and replaceBlock from
 DatanodeDescriptor.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616426 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ++
 .../server/blockmanagement/BlockInfo.java     |  9 ++---
 .../server/blockmanagement/BlocksMap.java     | 13 +++++--
 .../blockmanagement/CorruptReplicasMap.java   | 19 ++-------
 .../blockmanagement/DatanodeDescriptor.java   | 39 ++-----------------
 .../PendingDataNodeMessages.java              |  6 +--
 .../TestCorruptReplicaInfo.java               | 14 +++++--
 7 files changed, 35 insertions(+), 68 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index a84c320239d..ea49eaabe6c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -364,6 +364,9 @@ Release 2.6.0 - UNRELEASED
     standalone classes and separates KeyManager from NameNodeConnector.
     (szetszwo)
 
+    HDFS-6812. Remove addBlock and replaceBlock from DatanodeDescriptor.
+    (szetszwo)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
index c6650bf66db..272cb1d48a1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
@@ -21,7 +21,6 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.hdfs.protocol.Block;
-import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.BlockUCState;
 import org.apache.hadoop.util.LightWeightGSet;
 
@@ -254,18 +253,18 @@ int findDatanode(DatanodeDescriptor dn) {
   }
   /**
    * Find specified DatanodeStorageInfo.
-   * @return index or -1 if not found.
+   * @return DatanodeStorageInfo or null if not found.
    */
-  int findStorageInfo(DatanodeInfo dn) {
+  DatanodeStorageInfo findStorageInfo(DatanodeDescriptor dn) {
     int len = getCapacity();
     for(int idx = 0; idx < len; idx++) {
       DatanodeStorageInfo cur = getStorageInfo(idx);
       if(cur == null)
         break;
       if(cur.getDatanodeDescriptor() == dn)
-        return idx;
+        return cur;
     }
-    return -1;
+    return null;
   }
   
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlocksMap.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlocksMap.java
index b658f4f395d..a675635d5d4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlocksMap.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlocksMap.java
@@ -23,8 +23,8 @@
 import org.apache.hadoop.hdfs.server.protocol.DatanodeStorage;
 import org.apache.hadoop.util.GSet;
 import org.apache.hadoop.util.LightWeightGSet;
-import org.apache.hadoop.util.LightWeightGSet.SetIterator;
 
+import com.google.common.base.Preconditions;
 import com.google.common.base.Predicate;
 import com.google.common.collect.Iterables;
 
@@ -217,9 +217,14 @@ BlockInfo replaceBlock(BlockInfo newBlock) {
     BlockInfo currentBlock = blocks.get(newBlock);
     assert currentBlock != null : "the block if not in blocksMap";
     // replace block in data-node lists
-    for(int idx = currentBlock.numNodes()-1; idx >= 0; idx--) {
-      DatanodeDescriptor dn = currentBlock.getDatanode(idx);
-      dn.replaceBlock(currentBlock, newBlock);
+    for (int i = currentBlock.numNodes() - 1; i >= 0; i--) {
+      final DatanodeDescriptor dn = currentBlock.getDatanode(i);
+      final DatanodeStorageInfo storage = currentBlock.findStorageInfo(dn);
+      final boolean removed = storage.removeBlock(currentBlock);
+      Preconditions.checkState(removed, "currentBlock not found.");
+
+      final boolean added = storage.addBlock(newBlock);
+      Preconditions.checkState(added, "newBlock already exists.");
     }
     // replace block in the map itself
     blocks.put(newBlock);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CorruptReplicasMap.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CorruptReplicasMap.java
index c7b148b0ab7..9b7515dabe4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CorruptReplicasMap.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CorruptReplicasMap.java
@@ -48,18 +48,6 @@ public static enum Reason {
 
   private final SortedMap<Block, Map<DatanodeDescriptor, Reason>> corruptReplicasMap =
     new TreeMap<Block, Map<DatanodeDescriptor, Reason>>();
-  
-  /**
-   * Mark the block belonging to datanode as corrupt.
-   *
-   * @param blk Block to be added to CorruptReplicasMap
-   * @param dn DatanodeDescriptor which holds the corrupt replica
-   * @param reason a textual reason (for logging purposes)
-   */
-  public void addToCorruptReplicasMap(Block blk, DatanodeDescriptor dn,
-      String reason) {
-    addToCorruptReplicasMap(blk, dn, reason, Reason.NONE);
-  }
 
   /**
    * Mark the block belonging to datanode as corrupt.
@@ -69,7 +57,7 @@ public void addToCorruptReplicasMap(Block blk, DatanodeDescriptor dn,
    * @param reason a textual reason (for logging purposes)
    * @param reasonCode the enum representation of the reason
    */
-  public void addToCorruptReplicasMap(Block blk, DatanodeDescriptor dn,
+  void addToCorruptReplicasMap(Block blk, DatanodeDescriptor dn,
       String reason, Reason reasonCode) {
     Map <DatanodeDescriptor, Reason> nodes = corruptReplicasMap.get(blk);
     if (nodes == null) {
@@ -127,7 +115,6 @@ boolean removeFromCorruptReplicasMap(Block blk, DatanodeDescriptor datanode) {
   boolean removeFromCorruptReplicasMap(Block blk, DatanodeDescriptor datanode,
       Reason reason) {
     Map <DatanodeDescriptor, Reason> datanodes = corruptReplicasMap.get(blk);
-    boolean removed = false;
     if (datanodes==null)
       return false;
 
@@ -174,12 +161,12 @@ boolean isReplicaCorrupt(Block blk, DatanodeDescriptor node) {
     return ((nodes != null) && (nodes.contains(node)));
   }
 
-  public int numCorruptReplicas(Block blk) {
+  int numCorruptReplicas(Block blk) {
     Collection<DatanodeDescriptor> nodes = getNodes(blk);
     return (nodes == null) ? 0 : nodes.size();
   }
   
-  public int size() {
+  int size() {
     return corruptReplicasMap.size();
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java
index d622905f0ba..34be727ff02 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeDescriptor.java
@@ -234,18 +234,6 @@ public DatanodeDescriptor(DatanodeID nodeID,
     updateHeartbeat(StorageReport.EMPTY_ARRAY, 0L, 0L, 0, 0);
   }
 
-  /**
-   * Add data-node to the block. Add block to the head of the list of blocks
-   * belonging to the data-node.
-   */
-  public boolean addBlock(String storageID, BlockInfo b) {
-    DatanodeStorageInfo s = getStorageInfo(storageID);
-    if (s != null) {
-      return s.addBlock(b);
-    }
-    return false;
-  }
-
   @VisibleForTesting
   public DatanodeStorageInfo getStorageInfo(String storageID) {
     synchronized (storageMap) {
@@ -284,13 +272,10 @@ boolean hasStaleStorages() {
    * data-node from the block.
    */
   boolean removeBlock(BlockInfo b) {
-    int index = b.findStorageInfo(this);
+    final DatanodeStorageInfo s = b.findStorageInfo(this);
     // if block exists on this datanode
-    if (index >= 0) {
-      DatanodeStorageInfo s = b.getStorageInfo(index);
-      if (s != null) {
-        return s.removeBlock(b);
-      }
+    if (s != null) {
+      return s.removeBlock(b);
     }
     return false;
   }
@@ -307,24 +292,6 @@ boolean removeBlock(String storageID, BlockInfo b) {
     return false;
   }
 
-  /**
-   * Replace specified old block with a new one in the DataNodeDescriptor.
-   *
-   * @param oldBlock - block to be replaced
-   * @param newBlock - a replacement block
-   * @return the new block
-   */
-  public BlockInfo replaceBlock(BlockInfo oldBlock, BlockInfo newBlock) {
-    int index = oldBlock.findStorageInfo(this);
-    DatanodeStorageInfo s = oldBlock.getStorageInfo(index);
-    boolean done = s.removeBlock(oldBlock);
-    assert done : "Old block should belong to the data-node when replacing";
-
-    done = s.addBlock(newBlock);
-    assert done : "New block should not belong to the data-node when replacing";
-    return newBlock;
-  }
-
   public void resetBlocks() {
     setCapacity(0);
     setRemaining(0);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/PendingDataNodeMessages.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/PendingDataNodeMessages.java
index 5f59f0267a6..133a28826b0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/PendingDataNodeMessages.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/PendingDataNodeMessages.java
@@ -23,9 +23,9 @@
 
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.ReplicaState;
+
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
-import org.apache.hadoop.hdfs.server.protocol.DatanodeStorage;
 
 /**
  * In the Standby Node, we can receive messages about blocks
@@ -123,7 +123,7 @@ private Queue<ReportedBlockInfo> getBlockQueue(Block block) {
     return queue;
   }
   
-  public int count() {
+  int count() {
     return count ;
   }
 
@@ -140,7 +140,7 @@ public String toString() {
     return sb.toString();
   }
 
-  public Iterable<ReportedBlockInfo> takeAll() {
+  Iterable<ReportedBlockInfo> takeAll() {
     List<ReportedBlockInfo> rbis = Lists.newArrayListWithCapacity(
         count);
     for (Queue<ReportedBlockInfo> q : queueByBlockId.values()) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestCorruptReplicaInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestCorruptReplicaInfo.java
index f646839dca3..21fb54e289c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestCorruptReplicaInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestCorruptReplicaInfo.java
@@ -33,6 +33,7 @@
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.hdfs.DFSTestUtil;
 import org.apache.hadoop.hdfs.protocol.Block;
+import org.apache.hadoop.hdfs.server.blockmanagement.CorruptReplicasMap.Reason;
 import org.junit.Test;
 
 
@@ -89,14 +90,14 @@ public void testCorruptReplicaInfo() throws IOException,
       DatanodeDescriptor dn1 = DFSTestUtil.getLocalDatanodeDescriptor();
       DatanodeDescriptor dn2 = DFSTestUtil.getLocalDatanodeDescriptor();
       
-      crm.addToCorruptReplicasMap(getBlock(0), dn1, "TEST");
+      addToCorruptReplicasMap(crm, getBlock(0), dn1);
       assertEquals("Number of corrupt blocks not returning correctly",
                    1, crm.size());
-      crm.addToCorruptReplicasMap(getBlock(1), dn1, "TEST");
+      addToCorruptReplicasMap(crm, getBlock(1), dn1);
       assertEquals("Number of corrupt blocks not returning correctly",
                    2, crm.size());
       
-      crm.addToCorruptReplicasMap(getBlock(1), dn2, "TEST");
+      addToCorruptReplicasMap(crm, getBlock(1), dn2);
       assertEquals("Number of corrupt blocks not returning correctly",
                    2, crm.size());
       
@@ -109,7 +110,7 @@ public void testCorruptReplicaInfo() throws IOException,
                    0, crm.size());
       
       for (Long block_id: block_ids) {
-        crm.addToCorruptReplicasMap(getBlock(block_id), dn1, "TEST");
+        addToCorruptReplicasMap(crm, getBlock(block_id), dn1);
       }
             
       assertEquals("Number of corrupt blocks not returning correctly",
@@ -127,4 +128,9 @@ public void testCorruptReplicaInfo() throws IOException,
                               crm.getCorruptReplicaBlockIds(10, 7L)));
       
   }
+  
+  private static void addToCorruptReplicasMap(CorruptReplicasMap crm,
+      Block blk, DatanodeDescriptor dn) {
+    crm.addToCorruptReplicasMap(blk, dn, "TEST", Reason.NONE);
+  }
 }

From 96fc3b3ecd4abb7c1e75151d47faad18aaef69cb Mon Sep 17 00:00:00 2001
From: Steve Loughran <stevel@apache.org>
Date: Thu, 7 Aug 2014 12:38:35 +0000
Subject: [PATCH 147/354] HADOOP-10931 compile error on tools/hadoop-openstack

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616482 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt | 2 ++
 hadoop-tools/hadoop-openstack/pom.xml           | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index bef2f765108..fb2741e049e 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -543,6 +543,8 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10905. LdapGroupsMapping Should use configuration.getPassword for SSL
     and LDAP Passwords. (lmccay via brandonli)
 
+    HADOOP-10931 compile error on tools/hadoop-openstack (xukun via stevel)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-tools/hadoop-openstack/pom.xml b/hadoop-tools/hadoop-openstack/pom.xml
index a8afc9ed011..bc43618a1ac 100644
--- a/hadoop-tools/hadoop-openstack/pom.xml
+++ b/hadoop-tools/hadoop-openstack/pom.xml
@@ -145,6 +145,11 @@
       <artifactId>junit</artifactId>
       <scope>compile</scope>
     </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-all</artifactId>
+      <scope>compile</scope>
+    </dependency>
     <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>

From 3bfdb0091d3ab716f6c908364a1dc86c5b602166 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Thu, 7 Aug 2014 17:02:26 +0000
Subject: [PATCH 148/354] YARN-2288. Made persisted data in LevelDB timeline
 store be versioned. Contributed by Junping Du.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616540 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |  3 +
 .../server/timeline/LeveldbTimelineStore.java | 74 ++++++++++++++++++-
 .../timeline/TestLeveldbTimelineStore.java    | 53 ++++++++++++-
 3 files changed, 124 insertions(+), 6 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index a686a094917..8283d48d6ae 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -91,6 +91,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2298. Move TimelineClient to yarn-common project (Zhijie Shen via 
     junping_du)
 
+    YARN-2288. Made persisted data in LevelDB timeline store be versioned. (Junping Du
+    via zjshen)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/LeveldbTimelineStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/LeveldbTimelineStore.java
index 94957009fba..b0feac1671e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/LeveldbTimelineStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/LeveldbTimelineStore.java
@@ -20,6 +20,7 @@
 
 import static org.apache.hadoop.yarn.server.timeline.GenericObjectMapper.readReverseOrderedLong;
 import static org.apache.hadoop.yarn.server.timeline.GenericObjectMapper.writeReverseOrderedLong;
+import static org.fusesource.leveldbjni.JniDBFactory.bytes;
 
 import java.io.ByteArrayOutputStream;
 import java.io.File;
@@ -60,8 +61,12 @@
 import org.apache.hadoop.yarn.api.records.timeline.TimelinePutResponse;
 import org.apache.hadoop.yarn.api.records.timeline.TimelinePutResponse.TimelinePutError;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.VersionProto;
+import org.apache.hadoop.yarn.server.records.Version;
+import org.apache.hadoop.yarn.server.records.impl.pb.VersionPBImpl;
 import org.fusesource.leveldbjni.JniDBFactory;
 import org.iq80.leveldb.DB;
+import org.iq80.leveldb.DBException;
 import org.iq80.leveldb.DBIterator;
 import org.iq80.leveldb.Options;
 import org.iq80.leveldb.ReadOptions;
@@ -141,6 +146,11 @@ public class LeveldbTimelineStore extends AbstractService
       "z".getBytes();
 
   private static final byte[] EMPTY_BYTES = new byte[0];
+  
+  private static final String TIMELINE_STORE_VERSION_KEY = "timeline-store-version";
+  
+  private static final Version CURRENT_VERSION_INFO = Version
+      .newInstance(1, 0);
 
   @Private
   @VisibleForTesting
@@ -193,6 +203,7 @@ protected void serviceInit(Configuration conf) throws Exception {
     }
     LOG.info("Using leveldb path " + dbPath);
     db = factory.open(new File(dbPath.toString()), options);
+    checkVersion();
     startTimeWriteCache =
         Collections.synchronizedMap(new LRUMap(getStartTimeWriteCacheSize(
             conf)));
@@ -1270,8 +1281,6 @@ static int getStartTimeWriteCacheSize(Configuration conf) {
             DEFAULT_TIMELINE_SERVICE_LEVELDB_START_TIME_WRITE_CACHE_SIZE);
   }
 
-  // warning is suppressed to prevent eclipse from noting unclosed resource
-  @SuppressWarnings("resource")
   @VisibleForTesting
   List<String> getEntityTypes() throws IOException {
     DBIterator iterator = null;
@@ -1489,4 +1498,65 @@ DBIterator getDbIterator(boolean fillCache) {
     readOptions.fillCache(fillCache);
     return db.iterator(readOptions);
   }
+  
+  Version loadVersion() throws IOException {
+    byte[] data = db.get(bytes(TIMELINE_STORE_VERSION_KEY));
+    // if version is not stored previously, treat it as 1.0.
+    if (data == null || data.length == 0) {
+      return Version.newInstance(1, 0);
+    }
+    Version version =
+        new VersionPBImpl(VersionProto.parseFrom(data));
+    return version;
+  }
+  
+  // Only used for test
+  @VisibleForTesting
+  void storeVersion(Version state) throws IOException {
+    dbStoreVersion(state);
+  }
+  
+  private void dbStoreVersion(Version state) throws IOException {
+    String key = TIMELINE_STORE_VERSION_KEY;
+    byte[] data = 
+        ((VersionPBImpl) state).getProto().toByteArray();
+    try {
+      db.put(bytes(key), data);
+    } catch (DBException e) {
+      throw new IOException(e);
+    }
+  }
+
+  Version getCurrentVersion() {
+    return CURRENT_VERSION_INFO;
+  }
+  
+  /**
+   * 1) Versioning timeline store: major.minor. For e.g. 1.0, 1.1, 1.2...1.25, 2.0 etc.
+   * 2) Any incompatible change of TS-store is a major upgrade, and any
+   *    compatible change of TS-store is a minor upgrade.
+   * 3) Within a minor upgrade, say 1.1 to 1.2:
+   *    overwrite the version info and proceed as normal.
+   * 4) Within a major upgrade, say 1.2 to 2.0:
+   *    throw exception and indicate user to use a separate upgrade tool to
+   *    upgrade timeline store or remove incompatible old state.
+   */
+  private void checkVersion() throws IOException {
+    Version loadedVersion = loadVersion();
+    LOG.info("Loaded timeline store version info " + loadedVersion);
+    if (loadedVersion.equals(getCurrentVersion())) {
+      return;
+    }
+    if (loadedVersion.isCompatibleTo(getCurrentVersion())) {
+      LOG.info("Storing timeline store version info " + getCurrentVersion());
+      dbStoreVersion(CURRENT_VERSION_INFO);
+    } else {
+      String incompatibleMessage = 
+          "Incompatible version for timeline store: expecting version " 
+              + getCurrentVersion() + ", but loading version " + loadedVersion;
+      LOG.fatal(incompatibleMessage);
+      throw new IOException(incompatibleMessage);
+    }
+  }
+  
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/TestLeveldbTimelineStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/TestLeveldbTimelineStore.java
index 2adfeaf8dba..0c6e082c340 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/TestLeveldbTimelineStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/TestLeveldbTimelineStore.java
@@ -36,14 +36,17 @@
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.io.IOUtils;
+import org.apache.hadoop.service.ServiceStateException;
 import org.apache.hadoop.yarn.api.records.timeline.TimelineEntities;
 import org.apache.hadoop.yarn.api.records.timeline.TimelineEntity;
 import org.apache.hadoop.yarn.api.records.timeline.TimelinePutResponse;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.records.Version;
 import org.apache.hadoop.yarn.server.timeline.LeveldbTimelineStore;
 import org.apache.hadoop.yarn.server.timeline.NameValuePair;
 import org.iq80.leveldb.DBIterator;
 import org.junit.After;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -52,19 +55,19 @@
 public class TestLeveldbTimelineStore extends TimelineStoreTestUtils {
   private FileContext fsContext;
   private File fsPath;
+  private Configuration config = new YarnConfiguration();
 
   @Before
   public void setup() throws Exception {
     fsContext = FileContext.getLocalFSFileContext();
-    Configuration conf = new YarnConfiguration();
     fsPath = new File("target", this.getClass().getSimpleName() +
         "-tmpDir").getAbsoluteFile();
     fsContext.delete(new Path(fsPath.getAbsolutePath()), true);
-    conf.set(YarnConfiguration.TIMELINE_SERVICE_LEVELDB_PATH,
+    config.set(YarnConfiguration.TIMELINE_SERVICE_LEVELDB_PATH,
         fsPath.getAbsolutePath());
-    conf.setBoolean(YarnConfiguration.TIMELINE_SERVICE_TTL_ENABLE, false);
+    config.setBoolean(YarnConfiguration.TIMELINE_SERVICE_TTL_ENABLE, false);
     store = new LeveldbTimelineStore();
-    store.init(conf);
+    store.init(config);
     store.start();
     loadTestData();
     loadVerificationData();
@@ -263,5 +266,47 @@ public void testFromTsWithDeletion()
     assertEquals(1, getEntities("type_2").size());
     assertEquals(2, getEntitiesWithPrimaryFilter("type_1", userFilter).size());
   }
+  
+  @Test
+  public void testCheckVersion() throws IOException {
+    LeveldbTimelineStore dbStore = (LeveldbTimelineStore) store;
+    // default version
+    Version defaultVersion = dbStore.getCurrentVersion();
+    Assert.assertEquals(defaultVersion, dbStore.loadVersion());
+
+    // compatible version
+    Version compatibleVersion =
+        Version.newInstance(defaultVersion.getMajorVersion(),
+          defaultVersion.getMinorVersion() + 2);
+    dbStore.storeVersion(compatibleVersion);
+    Assert.assertEquals(compatibleVersion, dbStore.loadVersion());
+    restartTimelineStore();
+    dbStore = (LeveldbTimelineStore) store;
+    // overwrite the compatible version
+    Assert.assertEquals(defaultVersion, dbStore.loadVersion());
+
+    // incompatible version
+    Version incompatibleVersion =
+      Version.newInstance(defaultVersion.getMajorVersion() + 1,
+          defaultVersion.getMinorVersion());
+    dbStore.storeVersion(incompatibleVersion);
+    try {
+      restartTimelineStore();
+      Assert.fail("Incompatible version, should expect fail here.");
+    } catch (ServiceStateException e) {
+      Assert.assertTrue("Exception message mismatch", 
+        e.getMessage().contains("Incompatible version for timeline store"));
+    }
+  }
+  
+  private void restartTimelineStore() throws IOException {
+    // need to close so leveldb releases database lock
+    if (store != null) {
+      store.close();
+    }
+    store = new LeveldbTimelineStore();
+    store.init(config);
+    store.start();
+  }
 
 }

From b98400df7b114dc393eb69f5c9496d532774bb32 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Thu, 7 Aug 2014 19:42:09 +0000
Subject: [PATCH 149/354] HDFS-6781. Separate HDFS commands from
 CommandsManual.apt.vm. (Contributed by Akira Ajisaka)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616575 13f79535-47bb-0310-9956-ffa450edef68
---
 .../src/site/apt/CommandsManual.apt.vm        | 195 +--------
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../src/site/apt/HDFSCommands.apt.vm          | 408 ++++++++++++++++++
 .../src/site/apt/HdfsUserGuide.apt.vm         |  29 +-
 hadoop-project/src/site/site.xml              |   1 +
 5 files changed, 442 insertions(+), 194 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HDFSCommands.apt.vm

diff --git a/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
index 01ed6bcf39f..5ca5c2c5eb2 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
@@ -114,57 +114,18 @@ User Commands
 
 * <<<fs>>>
 
-   Usage: <<<hadoop fs [GENERIC_OPTIONS] [COMMAND_OPTIONS]>>>
-
-   Deprecated, use <<<hdfs dfs>>> instead.
-
-   Runs a generic filesystem user client.
-
-   The various COMMAND_OPTIONS can be found at File System Shell Guide.
+   Deprecated, use {{{../hadoop-hdfs/HDFSCommands.html#dfs}<<<hdfs dfs>>>}}
+   instead.
 
 * <<<fsck>>>
 
-   Runs a HDFS filesystem checking utility.
-   See {{{../hadoop-hdfs/HdfsUserGuide.html#fsck}fsck}} for more info.
-
-   Usage: <<<hadoop fsck [GENERIC_OPTIONS] <path> [-move | -delete | -openforwrite] [-files [-blocks [-locations | -racks]]] [-showprogress]>>>
-
-*------------------+---------------------------------------------+
-||  COMMAND_OPTION || Description
-*------------------+---------------------------------------------+
-|   <path>         | Start checking from this path.
-*------------------+---------------------------------------------+
-|   -move          | Move corrupted files to /lost+found
-*------------------+---------------------------------------------+
-|   -delete        | Delete corrupted files.
-*------------------+---------------------------------------------+
-|   -openforwrite  | Print out files opened for write.
-*------------------+---------------------------------------------+
-|   -files         | Print out files being checked.
-*------------------+---------------------------------------------+
-|   -blocks        | Print out block report.
-*------------------+---------------------------------------------+
-|   -locations     | Print out locations for every block.
-*------------------+---------------------------------------------+
-|   -racks         | Print out network topology for data-node locations.
-*------------------+---------------------------------------------+
-|   -showprogress  | Print out show progress in output. Default is OFF (no progress).
-*------------------+---------------------------------------------+
+   Deprecated, use {{{../hadoop-hdfs/HDFSCommands.html#fsck}<<<hdfs fsck>>>}}
+   instead.
 
 * <<<fetchdt>>>
 
-   Gets Delegation Token from a NameNode.
-   See {{{../hadoop-hdfs/HdfsUserGuide.html#fetchdt}fetchdt}} for more info.
-
-   Usage: <<<hadoop fetchdt [GENERIC_OPTIONS] [--webservice <namenode_http_addr>] <path> >>>
-
-*------------------------------+---------------------------------------------+
-|| COMMAND_OPTION              || Description
-*------------------------------+---------------------------------------------+
-| <fileName>                   | File name to store the token into.
-*------------------------------+---------------------------------------------+
-| --webservice <https_address> | use http protocol instead of RPC
-*------------------------------+---------------------------------------------+
+   Deprecated, use {{{../hadoop-hdfs/HDFSCommands.html#fetchdt}
+   <<<hdfs fetchdt>>>}} instead.
 
 * <<<jar>>>
 
@@ -321,23 +282,8 @@ Administration Commands
 
 * <<<balancer>>>
 
-   Runs a cluster balancing utility. An administrator can simply press Ctrl-C
-   to stop the rebalancing process. See
-   {{{../hadoop-hdfs/HdfsUserGuide.html#Balancer}Balancer}} for more details.
-
-   Usage: <<<hadoop balancer [-threshold <threshold>] [-policy <policy>]>>>
-
-*------------------------+-----------------------------------------------------------+
-|| COMMAND_OPTION        | Description
-*------------------------+-----------------------------------------------------------+
-| -threshold <threshold> | Percentage of disk capacity. This overwrites the
-                         | default threshold.
-*------------------------+-----------------------------------------------------------+
-| -policy <policy>       | <<<datanode>>> (default): Cluster is balanced if each datanode is balanced. \
-                         | <<<blockpool>>>: Cluster is balanced if each block pool in each datanode is balanced.
-*------------------------+-----------------------------------------------------------+
-
-   Note that the <<<blockpool>>> policy is more strict than the <<<datanode>>> policy.
+   Deprecated, use {{{../hadoop-hdfs/HDFSCommands.html#balancer}
+   <<<hdfs balancer>>>}} instead.
 
 * <<<daemonlog>>>
 
@@ -360,84 +306,13 @@ Administration Commands
 
 * <<<datanode>>>
 
-   Runs a HDFS datanode.
-
-   Usage: <<<hadoop datanode [-rollback]>>>
-
-*-----------------+-----------------------------------------------------------+
-|| COMMAND_OPTION || Description
-*-----------------+-----------------------------------------------------------+
-| -rollback       | Rollsback the datanode to the previous version. This should
-                  | be used after stopping the datanode and distributing the old
-                  | hadoop version.
-*-----------------+-----------------------------------------------------------+
+   Deprecated, use {{{../hadoop-hdfs/HDFSCommands.html#datanode}
+   <<<hdfs datanode>>>}} instead.
 
 * <<<dfsadmin>>>
 
-   Runs a HDFS dfsadmin client.
-
-   Usage: <<<hadoop dfsadmin [GENERIC_OPTIONS] [-report] [-safemode enter | leave | get | wait] [-refreshNodes] [-finalizeUpgrade] [-upgradeProgress status | details | force] [-metasave filename] [-setQuota <quota> <dirname>...<dirname>] [-clrQuota <dirname>...<dirname>] [-restoreFailedStorage true|false|check] [-help [cmd]]>>>
-
-*-----------------+-----------------------------------------------------------+
-|| COMMAND_OPTION || Description
-*-----------------+-----------------------------------------------------------+
-| -report         | Reports basic filesystem information and statistics.
-*-----------------+-----------------------------------------------------------+
-| -safemode enter / leave / get / wait | Safe mode maintenance command. Safe
-                  | mode is a Namenode state in which it \
-                  | 1. does not accept changes to the name space (read-only) \
-                  | 2. does not replicate or delete blocks. \
-                  | Safe mode is entered automatically at Namenode startup, and
-                  | leaves safe mode automatically when the configured minimum
-                  | percentage of blocks satisfies the minimum replication
-                  | condition. Safe mode can also be entered manually, but then
-                  | it can only be turned off manually as well.
-*-----------------+-----------------------------------------------------------+
-| -refreshNodes   | Re-read the hosts and exclude files to update the set of
-                  | Datanodes that are allowed to connect to the Namenode and
-                  | those that should be decommissioned or recommissioned.
-*-----------------+-----------------------------------------------------------+
-| -finalizeUpgrade| Finalize upgrade of HDFS. Datanodes delete their previous
-                  | version working directories, followed by Namenode doing the
-                  | same. This completes the upgrade process.
-*-----------------+-----------------------------------------------------------+
-| -upgradeProgress status / details / force | Request current distributed
-                  | upgrade status, a detailed status or force the upgrade to
-                  | proceed.
-*-----------------+-----------------------------------------------------------+
-| -metasave filename | Save Namenode's primary data structures to <filename> in
-                  | the directory specified by hadoop.log.dir property.
-                  | <filename> is overwritten if it exists.
-                  | <filename> will contain one line for each of the following\
-                  | 1. Datanodes heart beating with Namenode\
-                  | 2. Blocks waiting to be replicated\
-                  | 3. Blocks currrently being replicated\
-                  | 4. Blocks waiting to be deleted\
-*-----------------+-----------------------------------------------------------+
-| -setQuota <quota> <dirname>...<dirname> | Set the quota <quota> for each
-                  | directory <dirname>. The directory quota is a long integer
-                  | that puts a hard limit on the number of names in the
-                  | directory tree.  Best effort for the directory, with faults
-                  | reported if \
-                  | 1. N is not a positive integer, or \
-                  | 2. user is not an administrator, or \
-                  | 3. the directory does not exist or is a file, or \
-                  | 4. the directory would immediately exceed the new quota. \
-*-----------------+-----------------------------------------------------------+
-| -clrQuota <dirname>...<dirname> | Clear the quota for each directory
-                  | <dirname>.  Best effort for the directory. with fault
-                  | reported if \
-                  | 1. the directory does not exist or is a file, or \
-                  | 2. user is not an administrator.  It does not fault if the
-                  | directory has no quota.
-*-----------------+-----------------------------------------------------------+
-| -restoreFailedStorage true / false / check | This option will turn on/off automatic attempt to restore failed storage replicas.
-                  | If a failed storage becomes available again the system will attempt to restore
-                  | edits and/or fsimage during checkpoint. 'check' option will return current setting.
-*-----------------+-----------------------------------------------------------+
-| -help [cmd]     | Displays help for the given command or all commands if none
-                  | is specified.
-*-----------------+-----------------------------------------------------------+
+   Deprecated, use {{{../hadoop-hdfs/HDFSCommands.html#dfsadmin}
+   <<<hdfs dfsadmin>>>}} instead.
 
 * <<<mradmin>>>
 
@@ -470,51 +345,13 @@ Administration Commands
 
 * <<<namenode>>>
 
-   Runs the namenode. More info about the upgrade, rollback and finalize is
-   at {{{../hadoop-hdfs/HdfsUserGuide.html#Upgrade_and_Rollback}Upgrade Rollback}}.
-
-   Usage: <<<hadoop namenode [-format] | [-upgrade] | [-rollback] | [-finalize] | [-importCheckpoint]>>>
-
-*--------------------+-----------------------------------------------------------+
-|| COMMAND_OPTION    || Description
-*--------------------+-----------------------------------------------------------+
-| -format            | Formats the namenode. It starts the namenode, formats
-                     | it and then shut it down.
-*--------------------+-----------------------------------------------------------+
-| -upgrade           | Namenode should be started with upgrade option after
-                     | the distribution of new hadoop version.
-*--------------------+-----------------------------------------------------------+
-| -rollback          | Rollsback the namenode to the previous version. This
-                     | should be used after stopping the cluster and
-                     | distributing the old hadoop version.
-*--------------------+-----------------------------------------------------------+
-| -finalize          | Finalize will remove the previous state of the files
-                     | system. Recent upgrade will become permanent.  Rollback
-                     | option will not be available anymore. After finalization
-                     | it shuts the namenode down.
-*--------------------+-----------------------------------------------------------+
-| -importCheckpoint  | Loads image from a checkpoint directory and save it
-                     | into the current one. Checkpoint dir is read from
-                     | property fs.checkpoint.dir
-*--------------------+-----------------------------------------------------------+
+   Deprecated, use {{{../hadoop-hdfs/HDFSCommands.html#namenode}
+   <<<hdfs namenode>>>}} instead.
 
 * <<<secondarynamenode>>>
 
-   Runs the HDFS secondary namenode.
-   See {{{../hadoop-hdfs/HdfsUserGuide.html#Secondary_NameNode}Secondary Namenode}}
-   for more info.
-
-   Usage: <<<hadoop secondarynamenode [-checkpoint [force]] | [-geteditsize]>>>
-
-*----------------------+-----------------------------------------------------------+
-|| COMMAND_OPTION      || Description
-*----------------------+-----------------------------------------------------------+
-| -checkpoint [-force] | Checkpoints the Secondary namenode if EditLog size
-                       | >= fs.checkpoint.size. If <<<-force>>> is used,
-                       | checkpoint irrespective of EditLog size.
-*----------------------+-----------------------------------------------------------+
-| -geteditsize         | Prints the EditLog size.
-*----------------------+-----------------------------------------------------------+
+   Deprecated, use {{{../hadoop-hdfs/HDFSCommands.html#secondarynamenode}
+   <<<hdfs secondarynamenode>>>}} instead.
 
 * <<<tasktracker>>>
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index ea49eaabe6c..4047a51905e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -367,6 +367,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6812. Remove addBlock and replaceBlock from DatanodeDescriptor.
     (szetszwo)
 
+    HDFS-6781. Separate HDFS commands from CommandsManual.apt.vm. (Akira
+    Ajisaka via Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HDFSCommands.apt.vm b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HDFSCommands.apt.vm
new file mode 100644
index 00000000000..6eb60f0a1b5
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HDFSCommands.apt.vm
@@ -0,0 +1,408 @@
+~~ Licensed under the Apache License, Version 2.0 (the "License");
+~~ you may not use this file except in compliance with the License.
+~~ You may obtain a copy of the License at
+~~
+~~   http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing, software
+~~ distributed under the License is distributed on an "AS IS" BASIS,
+~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+~~ See the License for the specific language governing permissions and
+~~ limitations under the License. See accompanying LICENSE file.
+
+  ---
+  HDFS Commands Guide
+  ---
+  ---
+  ${maven.build.timestamp}
+
+HDFS Commands Guide
+
+%{toc|section=1|fromDepth=2|toDepth=4}
+
+* Overview
+
+   All HDFS commands are invoked by the <<<bin/hdfs>>> script. Running the
+   hdfs script without any arguments prints the description for all
+   commands.
+
+   Usage: <<<hdfs [--config confdir] [COMMAND] [GENERIC_OPTIONS]
+          [COMMAND_OPTIONS]>>>
+
+   Hadoop has an option parsing framework that employs parsing generic options
+   as well as running classes.
+
+*-----------------------+---------------+
+|| COMMAND_OPTION       || Description
+*-----------------------+---------------+
+| <<<--config confdir>>>| Overwrites the default Configuration directory.
+|                       | Default is <<<${HADOOP_HOME}/conf>>>.
+*-----------------------+---------------+
+| GENERIC_OPTIONS       | The common set of options supported by multiple
+|                       | commands. Full list is
+|                       | {{{../hadoop-common/CommandsManual.html#Generic_Options}here}}.
+*-----------------------+---------------+
+| COMMAND_OPTIONS       | Various commands with their options are described in
+|                       | the following sections. The commands have been
+|                       | grouped into {{{User Commands}}} and
+|                       | {{{Administration Commands}}}.
+*-----------------------+---------------+
+
+* User Commands
+
+   Commands useful for users of a hadoop cluster.
+
+** <<<dfs>>>
+
+   Usage: <<<hdfs dfs [GENERIC_OPTIONS] [COMMAND_OPTIONS]>>>
+
+   Run a filesystem command on the file system supported in Hadoop.
+   The various COMMAND_OPTIONS can be found at
+   {{{../hadoop-common/FileSystemShell.html}File System Shell Guide}}.
+
+** <<<fetchdt>>>
+
+   Gets Delegation Token from a NameNode.
+   See {{{./HdfsUserGuide.html#fetchdt}fetchdt}} for more info.
+
+   Usage: <<<hdfs fetchdt [GENERIC_OPTIONS]
+          [--webservice <namenode_http_addr>] <path> >>>
+
+*------------------------------+---------------------------------------------+
+|| COMMAND_OPTION              || Description
+*------------------------------+---------------------------------------------+
+| <fileName>                   | File name to store the token into.
+*------------------------------+---------------------------------------------+
+| --webservice <https_address> | use http protocol instead of RPC
+*------------------------------+---------------------------------------------+
+
+** <<<fsck>>>
+
+   Runs a HDFS filesystem checking utility.
+   See {{{./HdfsUserGuide.html#fsck}fsck}} for more info.
+
+   Usage: <<<hdfs fsck [GENERIC_OPTIONS] <path>
+          [-move | -delete | -openforwrite]
+          [-files [-blocks [-locations | -racks]]]
+          [-showprogress]>>>
+
+*------------------+---------------------------------------------+
+||  COMMAND_OPTION || Description
+*------------------+---------------------------------------------+
+|   <path>         | Start checking from this path.
+*------------------+---------------------------------------------+
+|   -move          | Move corrupted files to /lost+found
+*------------------+---------------------------------------------+
+|   -delete        | Delete corrupted files.
+*------------------+---------------------------------------------+
+|   -openforwrite  | Print out files opened for write.
+*------------------+---------------------------------------------+
+|   -files         | Print out files being checked.
+*------------------+---------------------------------------------+
+|   -blocks        | Print out block report.
+*------------------+---------------------------------------------+
+|   -locations     | Print out locations for every block.
+*------------------+---------------------------------------------+
+|   -racks         | Print out network topology for data-node locations.
+*------------------+---------------------------------------------+
+|   -showprogress  | Print out dots for progress in output. Default is OFF
+|                  | (no progress).
+*------------------+---------------------------------------------+
+
+* Administration Commands
+
+   Commands useful for administrators of a hadoop cluster.
+
+** <<<balancer>>>
+
+   Runs a cluster balancing utility. An administrator can simply press Ctrl-C
+   to stop the rebalancing process. See
+   {{{./HdfsUserGuide.html#Balancer}Balancer}} for more details.
+
+   Usage: <<<hdfs balancer [-threshold <threshold>] [-policy <policy>]>>>
+
+*------------------------+----------------------------------------------------+
+|| COMMAND_OPTION        | Description
+*------------------------+----------------------------------------------------+
+| -threshold <threshold> | Percentage of disk capacity. This overwrites the
+|                        | default threshold.
+*------------------------+----------------------------------------------------+
+| -policy <policy>       | <<<datanode>>> (default): Cluster is balanced if
+|                        | each datanode is balanced. \
+|                        | <<<blockpool>>>: Cluster is balanced if each block
+|                        | pool in each datanode is balanced.
+*------------------------+----------------------------------------------------+
+
+   Note that the <<<blockpool>>> policy is more strict than the <<<datanode>>>
+   policy.
+
+** <<<datanode>>>
+
+   Runs a HDFS datanode.
+
+   Usage: <<<hdfs datanode [-regular | -rollback | -rollingupgrace rollback]>>>
+
+*-----------------+-----------------------------------------------------------+
+|| COMMAND_OPTION || Description
+*-----------------+-----------------------------------------------------------+
+| -regular        | Normal datanode startup (default).
+*-----------------+-----------------------------------------------------------+
+| -rollback       | Rollsback the datanode to the previous version. This should
+|                 | be used after stopping the datanode and distributing the
+|                 | old hadoop version.
+*-----------------+-----------------------------------------------------------+
+| -rollingupgrade rollback | Rollsback a rolling upgrade operation.
+*-----------------+-----------------------------------------------------------+
+
+** <<<dfsadmin>>>
+
+   Runs a HDFS dfsadmin client.
+
+   Usage: <<<hdfs dfsadmin [GENERIC_OPTIONS]
+          [-report [-live] [-dead] [-decommissioning]]
+          [-safemode enter | leave | get | wait]
+          [-saveNamespace]
+          [-rollEdits]
+          [-restoreFailedStorage true|false|check]
+          [-refreshNodes]
+          [-setQuota <quota> <dirname>...<dirname>]
+          [-clrQuota <dirname>...<dirname>]
+          [-setSpaceQuota <quota> <dirname>...<dirname>]
+          [-clrSpaceQuota <dirname>...<dirname>]
+          [-finalizeUpgrade]
+          [-rollingUpgrade [<query>|<prepare>|<finalize>]]
+          [-metasave filename]
+          [-refreshServiceAcl]
+          [-refreshUserToGroupsMappings]
+          [-refreshSuperUserGroupsConfiguration]
+          [-refreshCallQueue]
+          [-refresh <host:ipc_port> <key> [arg1..argn]]
+          [-printTopology]
+          [-refreshNamenodes datanodehost:port]
+          [-deleteBlockPool datanode-host:port blockpoolId [force]]
+          [-setBalancerBandwidth <bandwidth in bytes per second>]
+          [-allowSnapshot <snapshotDir>]
+          [-disallowSnapshot <snapshotDir>]
+          [-fetchImage <local directory>]
+          [-shutdownDatanode <datanode_host:ipc_port> [upgrade]]
+          [-getDatanodeInfo <datanode_host:ipc_port>]
+          [-help [cmd]]>>>
+
+*-----------------+-----------------------------------------------------------+
+|| COMMAND_OPTION || Description
+*-----------------+-----------------------------------------------------------+
+| -report [-live] [-dead] [-decommissioning] | Reports basic filesystem
+                  | information and statistics. Optional flags may be used to
+                  | filter the list of displayed DataNodes.
+*-----------------+-----------------------------------------------------------+
+| -safemode enter\|leave\|get\|wait | Safe mode maintenance command. Safe
+                  | mode is a Namenode state in which it \
+                  | 1. does not accept changes to the name space (read-only) \
+                  | 2. does not replicate or delete blocks. \
+                  | Safe mode is entered automatically at Namenode startup, and
+                  | leaves safe mode automatically when the configured minimum
+                  | percentage of blocks satisfies the minimum replication
+                  | condition. Safe mode can also be entered manually, but then
+                  | it can only be turned off manually as well.
+*-----------------+-----------------------------------------------------------+
+| -saveNamespace  | Save current namespace into storage directories and reset
+                  | edits log. Requires safe mode.
+*-----------------+-----------------------------------------------------------+
+| -rollEdits      | Rolls the edit log on the active NameNode.
+*-----------------+-----------------------------------------------------------+
+| -restoreFailedStorage true\|false\|check | This option will turn on/off
+                  | automatic attempt to restore failed storage replicas.
+                  | If a failed storage becomes available again the system will
+                  | attempt to restore edits and/or fsimage during checkpoint.
+                  | 'check' option will return current setting.
+*-----------------+-----------------------------------------------------------+
+| -refreshNodes   | Re-read the hosts and exclude files to update the set of
+                  | Datanodes that are allowed to connect to the Namenode and
+                  | those that should be decommissioned or recommissioned.
+*-----------------+-----------------------------------------------------------+
+| -setQuota \<quota\> \<dirname\>...\<dirname\> | See
+                  | {{{../hadoop-hdfs/HdfsQuotaAdminGuide.html#Administrative_Commands}HDFS Quotas Guide}}
+                  | for the detail.
+*-----------------+-----------------------------------------------------------+
+| -clrQuota \<dirname\>...\<dirname\> | See
+                  | {{{../hadoop-hdfs/HdfsQuotaAdminGuide.html#Administrative_Commands}HDFS Quotas Guide}}
+                  | for the detail.
+*-----------------+-----------------------------------------------------------+
+| -setSpaceQuota \<quota\> \<dirname\>...\<dirname\> | See
+                  | {{{../hadoop-hdfs/HdfsQuotaAdminGuide.html#Administrative_Commands}HDFS Quotas Guide}}
+                  | for the detail.
+*-----------------+-----------------------------------------------------------+
+| -clrSpaceQuota \<dirname\>...\<dirname\> | See
+                  | {{{../hadoop-hdfs/HdfsQuotaAdminGuide.html#Administrative_Commands}HDFS Quotas Guide}}
+                  | for the detail.
+*-----------------+-----------------------------------------------------------+
+| -finalizeUpgrade| Finalize upgrade of HDFS. Datanodes delete their previous
+                  | version working directories, followed by Namenode doing the
+                  | same. This completes the upgrade process.
+*-----------------+-----------------------------------------------------------+
+| -rollingUpgrade [\<query\>\|\<prepare\>\|\<finalize\>] | See
+                  | {{{../hadoop-hdfs/HdfsRollingUpgrade.html#dfsadmin_-rollingUpgrade}Rolling Upgrade document}}
+                  | for the detail.
+*-----------------+-----------------------------------------------------------+
+| -metasave filename | Save Namenode's primary data structures to <filename> in
+                  | the directory specified by hadoop.log.dir property.
+                  | <filename> is overwritten if it exists.
+                  | <filename> will contain one line for each of the following\
+                  | 1. Datanodes heart beating with Namenode\
+                  | 2. Blocks waiting to be replicated\
+                  | 3. Blocks currrently being replicated\
+                  | 4. Blocks waiting to be deleted
+*-----------------+-----------------------------------------------------------+
+| -refreshServiceAcl | Reload the service-level authorization policy file.
+*-----------------+-----------------------------------------------------------+
+| -refreshUserToGroupsMappings | Refresh user-to-groups mappings.
+*-----------------+-----------------------------------------------------------+
+| -refreshSuperUserGroupsConfiguration |Refresh superuser proxy groups mappings
+*-----------------+-----------------------------------------------------------+
+| -refreshCallQueue | Reload the call queue from config.
+*-----------------+-----------------------------------------------------------+
+| -refresh \<host:ipc_port\> \<key\> [arg1..argn] | Triggers a runtime-refresh
+                  | of the resource specified by \<key\> on \<host:ipc_port\>.
+                  | All other args after are sent to the host.
+*-----------------+-----------------------------------------------------------+
+| -printTopology  | Print a tree of the racks and their nodes as reported by
+                  | the Namenode
+*-----------------+-----------------------------------------------------------+
+| -refreshNamenodes datanodehost:port | For the given datanode, reloads the
+                  | configuration files, stops serving the removed block-pools
+                  | and starts serving new block-pools.
+*-----------------+-----------------------------------------------------------+
+| -deleteBlockPool datanode-host:port blockpoolId [force] | If force is passed,
+                  | block pool directory for the given blockpool id on the
+                  | given datanode is deleted along with its contents,
+                  | otherwise the directory is deleted only if it is empty.
+                  | The command will fail if datanode is still serving the
+                  | block pool. Refer to refreshNamenodes to shutdown a block
+                  | pool service on a datanode.
+*-----------------+-----------------------------------------------------------+
+| -setBalancerBandwidth \<bandwidth in bytes per second\> | Changes the network
+                  | bandwidth used by each datanode during HDFS block
+                  | balancing. \<bandwidth\> is the maximum number of bytes per
+                  | second that will be used by each datanode. This value
+                  | overrides the dfs.balance.bandwidthPerSec parameter.\
+                  | NOTE: The new value is not persistent on the DataNode.
+*-----------------+-----------------------------------------------------------+
+| -allowSnapshot \<snapshotDir\> | Allowing snapshots of a directory to be
+                  | created. If the operation completes successfully, the
+                  | directory becomes snapshottable.
+*-----------------+-----------------------------------------------------------+
+| -disallowSnapshot \<snapshotDir\> | Disallowing snapshots of a directory to
+                  | be created. All snapshots of the directory must be deleted
+                  | before disallowing snapshots.
+*-----------------+-----------------------------------------------------------+
+| -fetchImage \<local directory\> | Downloads the most recent fsimage from the
+                  | NameNode and saves it in the specified local directory.
+*-----------------+-----------------------------------------------------------+
+| -shutdownDatanode \<datanode_host:ipc_port\> [upgrade] | Submit a shutdown
+                  | request for the given datanode. See
+                  | {{{./HdfsRollingUpgrade.html#dfsadmin_-shutdownDatanode}Rolling Upgrade document}}
+                  | for the detail.
+*-----------------+-----------------------------------------------------------+
+| -getDatanodeInfo \<datanode_host:ipc_port\> | Get the information about the
+                  | given datanode. See
+                  | {{{./HdfsRollingUpgrade.html#dfsadmin_-getDatanodeInfo}Rolling Upgrade document}}
+                  | for the detail.
+*-----------------+-----------------------------------------------------------+
+| -help [cmd]     | Displays help for the given command or all commands if none
+                  | is specified.
+*-----------------+-----------------------------------------------------------+
+
+** <<<namenode>>>
+
+   Runs the namenode. More info about the upgrade, rollback and finalize is at
+   {{{./HdfsUserGuide.html#Upgrade_and_Rollback}Upgrade Rollback}}.
+
+   Usage: <<<hdfs namenode [-backup] |
+          [-checkpoint] |
+          [-format [-clusterid cid ] [-force] [-nonInteractive] ] |
+          [-upgrade [-clusterid cid] [-renameReserved<k-v pairs>] ] |
+          [-upgradeOnly [-clusterid cid] [-renameReserved<k-v pairs>] ] |
+          [-rollback] |
+          [-rollingUpgrade <downgrade|rollback> ] |
+          [-finalize] |
+          [-importCheckpoint] |
+          [-initializeSharedEdits] |
+          [-bootstrapStandby] |
+          [-recover [-force] ] |
+          [-metadataVersion ]>>>
+
+*--------------------+--------------------------------------------------------+
+|| COMMAND_OPTION    || Description
+*--------------------+--------------------------------------------------------+
+| -backup            | Start backup node.
+*--------------------+--------------------------------------------------------+
+| -checkpoint        | Start checkpoint node.
+*--------------------+--------------------------------------------------------+
+| -format [-clusterid cid] [-force] [-nonInteractive] | Formats the specified
+                     | NameNode. It starts the NameNode, formats it and then
+                     | shut it down. -force option formats if the name
+                     | directory exists. -nonInteractive option aborts if the
+                     | name directory exists, unless -force option is specified.
+*--------------------+--------------------------------------------------------+
+| -upgrade [-clusterid cid] [-renameReserved\<k-v pairs\>] | Namenode should be
+                     | started with upgrade option after
+                     | the distribution of new Hadoop version.
+*--------------------+--------------------------------------------------------+
+| -upgradeOnly [-clusterid cid] [-renameReserved\<k-v pairs\>] | Upgrade the
+                     | specified NameNode and then shutdown it.
+*--------------------+--------------------------------------------------------+
+| -rollback          | Rollsback the NameNode to the previous version. This
+                     | should be used after stopping the cluster and
+                     | distributing the old Hadoop version.
+*--------------------+--------------------------------------------------------+
+| -rollingUpgrade \<downgrade\|rollback\|started\> | See
+                     | {{{./HdfsRollingUpgrade.html#NameNode_Startup_Options}Rolling Upgrade document}}
+                     | for the detail.
+*--------------------+--------------------------------------------------------+
+| -finalize          | Finalize will remove the previous state of the files
+                     | system. Recent upgrade will become permanent.  Rollback
+                     | option will not be available anymore. After finalization
+                     | it shuts the NameNode down.
+*--------------------+--------------------------------------------------------+
+| -importCheckpoint  | Loads image from a checkpoint directory and save it
+                     | into the current one. Checkpoint dir is read from
+                     | property fs.checkpoint.dir
+*--------------------+--------------------------------------------------------+
+| -initializeSharedEdits | Format a new shared edits dir and copy in enough
+                     | edit log segments so that the standby NameNode can start
+                     | up.
+*--------------------+--------------------------------------------------------+
+| -bootstrapStandby  | Allows the standby NameNode's storage directories to be
+                     | bootstrapped by copying the latest namespace snapshot
+                     | from the active NameNode. This is used when first
+                     | configuring an HA cluster.
+*--------------------+--------------------------------------------------------+
+| -recover [-force]  | Recover lost metadata on a corrupt filesystem. See
+                     | {{{./HdfsUserGuide.html#Recovery_Mode}HDFS User Guide}}
+                     | for the detail.
+*--------------------+--------------------------------------------------------+
+| -metadataVersion   | Verify that configured directories exist, then print the
+                     | metadata versions of the software and the image.
+*--------------------+--------------------------------------------------------+
+
+** <<<secondarynamenode>>>
+
+   Runs the HDFS secondary namenode.
+   See {{{./HdfsUserGuide.html#Secondary_NameNode}Secondary Namenode}}
+   for more info.
+
+   Usage: <<<hdfs secondarynamenode [-checkpoint [force]] | [-format] |
+          [-geteditsize]>>>
+
+*----------------------+------------------------------------------------------+
+|| COMMAND_OPTION      || Description
+*----------------------+------------------------------------------------------+
+| -checkpoint [force]  | Checkpoints the SecondaryNameNode if EditLog size
+                       | >= fs.checkpoint.size. If <<<force>>> is used,
+                       | checkpoint irrespective of EditLog size.
+*----------------------+------------------------------------------------------+
+| -format              | Format the local storage during startup.
+*----------------------+------------------------------------------------------+
+| -geteditsize         | Prints the number of uncheckpointed transactions on
+                       | the NameNode.
+*----------------------+------------------------------------------------------+
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsUserGuide.apt.vm b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsUserGuide.apt.vm
index 443ace6bae7..55208c93eed 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsUserGuide.apt.vm
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsUserGuide.apt.vm
@@ -143,8 +143,8 @@ HDFS Users Guide
 
 **  DFSAdmin Command
 
-   The <<<bin/hadoop dfsadmin>>> command supports a few HDFS administration
-   related operations. The <<<bin/hadoop dfsadmin -help>>> command lists all the
+   The <<<bin/hdfs dfsadmin>>> command supports a few HDFS administration
+   related operations. The <<<bin/hdfs dfsadmin -help>>> command lists all the
    commands currently supported. For e.g.:
 
      * <<<-report>>>: reports basic statistics of HDFS. Some of this
@@ -172,7 +172,7 @@ HDFS Users Guide
        of racks and datanodes attached to the tracks as viewed by the
        NameNode.
 
-   For command usage, see {{{../hadoop-common/CommandsManual.html#dfsadmin}dfsadmin}}.
+   For command usage, see {{{./HDFSCommands.html#dfsadmin}dfsadmin}}.
 
 * Secondary NameNode
 
@@ -207,7 +207,7 @@ HDFS Users Guide
    primary NameNode if necessary.
 
    For command usage,
-   see {{{../hadoop-common/CommandsManual.html#secondarynamenode}secondarynamenode}}.
+   see {{{./HDFSCommands.html#secondarynamenode}secondarynamenode}}.
 
 * Checkpoint Node
 
@@ -249,7 +249,7 @@ HDFS Users Guide
    Multiple checkpoint nodes may be specified in the cluster configuration
    file.
 
-   For command usage, see {{{../hadoop-common/CommandsManual.html#namenode}namenode}}.
+   For command usage, see {{{./HDFSCommands.html#namenode}namenode}}.
 
 * Backup Node
 
@@ -291,7 +291,7 @@ HDFS Users Guide
 
    For a complete discussion of the motivation behind the creation of the
    Backup node and Checkpoint node, see {{{https://issues.apache.org/jira/browse/HADOOP-4539}HADOOP-4539}}.
-   For command usage, see {{{../hadoop-common/CommandsManual.html#namenode}namenode}}.
+   For command usage, see {{{./HDFSCommands.html#namenode}namenode}}.
 
 * Import Checkpoint
 
@@ -314,7 +314,7 @@ HDFS Users Guide
    verifies that the image in <<<dfs.namenode.checkpoint.dir>>> is consistent,
    but does not modify it in any way.
 
-   For command usage, see {{{../hadoop-common/CommandsManual.html#namenode}namenode}}.
+   For command usage, see {{{./HDFSCommands.html#namenode}namenode}}.
 
 * Balancer
 
@@ -341,7 +341,7 @@ HDFS Users Guide
    A brief administrator's guide for balancer is available at 
    {{{https://issues.apache.org/jira/browse/HADOOP-1652}HADOOP-1652}}.
 
-   For command usage, see {{{../hadoop-common/CommandsManual.html#balancer}balancer}}.
+   For command usage, see {{{./HDFSCommands.html#balancer}balancer}}.
 
 * Rack Awareness
 
@@ -368,7 +368,7 @@ HDFS Users Guide
    allow any modifications to file system or blocks. Normally the NameNode
    leaves Safemode automatically after the DataNodes have reported that
    most file system blocks are available. If required, HDFS could be
-   placed in Safemode explicitly using <<<bin/hadoop dfsadmin -safemode>>>
+   placed in Safemode explicitly using <<<bin/hdfs dfsadmin -safemode>>>
    command. NameNode front page shows whether Safemode is on or off. A
    more detailed description and configuration is maintained as JavaDoc
    for <<<setSafeMode()>>>.
@@ -383,8 +383,8 @@ HDFS Users Guide
    most of the recoverable failures. By default fsck ignores open files
    but provides an option to select all files during reporting. The HDFS
    fsck command is not a Hadoop shell command. It can be run as
-   <<<bin/hadoop fsck>>>. For command usage, see 
-   {{{../hadoop-common/CommandsManual.html#fsck}fsck}}. fsck can be run on
+   <<<bin/hdfs fsck>>>. For command usage, see
+   {{{./HDFSCommands.html#fsck}fsck}}. fsck can be run on
    the whole file system or on a subset of files.
 
 * fetchdt
@@ -395,11 +395,11 @@ HDFS Users Guide
    Utility uses either RPC or HTTPS (over Kerberos) to get the token, and
    thus requires kerberos tickets to be present before the run (run kinit
    to get the tickets). The HDFS fetchdt command is not a Hadoop shell
-   command. It can be run as <<<bin/hadoop fetchdt DTfile>>>. After you got
+   command. It can be run as <<<bin/hdfs fetchdt DTfile>>>. After you got
    the token you can run an HDFS command without having Kerberos tickets,
    by pointing <<<HADOOP_TOKEN_FILE_LOCATION>>> environmental variable to the
    delegation token file. For command usage, see
-   {{{../hadoop-common/CommandsManual.html#fetchdt}fetchdt}} command.
+   {{{./HDFSCommands.html#fetchdt}fetchdt}} command.
 
 * Recovery Mode
 
@@ -533,5 +533,4 @@ HDFS Users Guide
      * Explore {{{./hdfs-default.xml}hdfs-default.xml}}. It includes
        brief description of most of the configuration variables available.
 
-     * {{{../hadoop-common/CommandsManual.html}Hadoop Commands Guide}}:
-       Hadoop commands usage.
+     * {{{./HDFSCommands.html}HDFS Commands Guide}}: HDFS commands usage.
diff --git a/hadoop-project/src/site/site.xml b/hadoop-project/src/site/site.xml
index ec9329216d6..89f230fbc27 100644
--- a/hadoop-project/src/site/site.xml
+++ b/hadoop-project/src/site/site.xml
@@ -69,6 +69,7 @@
     
     <menu name="HDFS" inherit="top">
       <item name="HDFS User Guide" href="hadoop-project-dist/hadoop-hdfs/HdfsUserGuide.html"/>
+      <item name="HDFS Commands Reference" href="hadoop-project-dist/hadoop-hdfs/HDFSCommands.html"/>
       <item name="High Availability With QJM" href="hadoop-project-dist/hadoop-hdfs/HDFSHighAvailabilityWithQJM.html"/>
       <item name="High Availability With NFS" href="hadoop-project-dist/hadoop-hdfs/HDFSHighAvailabilityWithNFS.html"/>
       <item name="Federation" href="hadoop-project-dist/hadoop-hdfs/Federation.html"/>

From 8437df8ba943e348b6a5d6370b4e0a74ff350a90 Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Thu, 7 Aug 2014 20:00:04 +0000
Subject: [PATCH 150/354] YARN-2008. Fixed CapacityScheduler to calculate
 headroom based on max available capacity instead of configured max capacity.
 Contributed by Craig Welch

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616580 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../resource/DefaultResourceCalculator.java   |   7 +
 .../resource/DominantResourceCalculator.java  |   8 +
 .../util/resource/ResourceCalculator.java     |   9 +
 .../hadoop/yarn/util/resource/Resources.java  |   5 +
 .../scheduler/capacity/CSQueueUtils.java      |  53 ++++
 .../scheduler/capacity/LeafQueue.java         |   9 +-
 .../scheduler/capacity/TestCSQueueUtils.java  | 262 ++++++++++++++++++
 8 files changed, 354 insertions(+), 2 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCSQueueUtils.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 8283d48d6ae..a5b77545d8a 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -145,6 +145,9 @@ Release 2.6.0 - UNRELEASED
 
     YARN-2388. Fixed TestTimelineWebServices failure due to HADOOP-10791. (zjshen)
 
+    YARN-2008. Fixed CapacityScheduler to calculate headroom based on max available
+    capacity instead of configured max capacity. (Craig Welch via jianhe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/DefaultResourceCalculator.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/DefaultResourceCalculator.java
index 294e6215efb..c2fc1f0e73a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/DefaultResourceCalculator.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/DefaultResourceCalculator.java
@@ -42,6 +42,13 @@ public float divide(Resource unused,
       Resource numerator, Resource denominator) {
     return ratio(numerator, denominator);
   }
+  
+  public boolean isInvalidDivisor(Resource r) {
+    if (r.getMemory() == 0.0f) {
+      return true;
+    }
+    return false;
+  }
 
   @Override
   public float ratio(Resource a, Resource b) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/DominantResourceCalculator.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/DominantResourceCalculator.java
index d0f58331230..6f5b40eebfd 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/DominantResourceCalculator.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/DominantResourceCalculator.java
@@ -109,6 +109,14 @@ public float divide(Resource clusterResource,
         getResourceAsValue(clusterResource, numerator, true) / 
         getResourceAsValue(clusterResource, denominator, true);
   }
+  
+  @Override
+  public boolean isInvalidDivisor(Resource r) {
+    if (r.getMemory() == 0.0f || r.getVirtualCores() == 0.0f) {
+      return true;
+    }
+    return false;
+  }
 
   @Override
   public float ratio(Resource a, Resource b) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/ResourceCalculator.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/ResourceCalculator.java
index 490cd38c14c..cb076997d24 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/ResourceCalculator.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/ResourceCalculator.java
@@ -149,6 +149,15 @@ public abstract Resource normalize(Resource r, Resource minimumResource,
   public abstract float divide(
       Resource clusterResource, Resource numerator, Resource denominator);
   
+  /**
+   * Determine if a resource is not suitable for use as a divisor
+   * (will result in divide by 0, etc)
+   *
+   * @param r resource
+   * @return true if divisor is invalid (should not be used), false else
+   */
+  public abstract boolean isInvalidDivisor(Resource r);
+
   /**
    * Ratio of resource <code>a</code> to resource <code>b</code>.
    * 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/Resources.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/Resources.java
index 800fa34e570..077c9628831 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/Resources.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/resource/Resources.java
@@ -184,6 +184,11 @@ public static Resource roundDown(
     return calculator.roundDown(lhs, factor);
   }
   
+  public static boolean isInvalidDivisor(
+      ResourceCalculator resourceCalculator, Resource divisor) {
+    return resourceCalculator.isInvalidDivisor(divisor);
+  }
+
   public static float ratio(
       ResourceCalculator resourceCalculator, Resource lhs, Resource rhs) {
     return resourceCalculator.ratio(lhs, rhs);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueueUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueueUtils.java
index 1dd55862b9c..737062bbcdd 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueueUtils.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueueUtils.java
@@ -17,6 +17,9 @@
 */
 package org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.server.utils.Lock;
 import org.apache.hadoop.yarn.util.resource.ResourceCalculator;
@@ -24,6 +27,8 @@
 
 class CSQueueUtils {
   
+  private static final Log LOG = LogFactory.getLog(CSQueueUtils.class);
+
   final static float EPSILON = 0.0001f;
   
   public static void checkMaxCapacity(String queueName, 
@@ -113,4 +118,52 @@ public static void updateQueueStatistics(
             )
         );
    }
+
+   public static float getAbsoluteMaxAvailCapacity(
+      ResourceCalculator resourceCalculator, Resource clusterResource, CSQueue queue) {
+      CSQueue parent = queue.getParent();
+      if (parent == null) {
+        return queue.getAbsoluteMaximumCapacity();
+      }
+
+      //Get my parent's max avail, needed to determine my own
+      float parentMaxAvail = getAbsoluteMaxAvailCapacity(
+        resourceCalculator, clusterResource, parent);
+      //...and as a resource
+      Resource parentResource = Resources.multiply(clusterResource, parentMaxAvail);
+
+      //check for no resources parent before dividing, if so, max avail is none
+      if (Resources.isInvalidDivisor(resourceCalculator, parentResource)) {
+        return 0.0f;
+      }
+      //sibling used is parent used - my used...
+      float siblingUsedCapacity = Resources.ratio(
+                 resourceCalculator,
+                 Resources.subtract(parent.getUsedResources(), queue.getUsedResources()),
+                 parentResource);
+      //my max avail is the lesser of my max capacity and what is unused from my parent
+      //by my siblings (if they are beyond their base capacity)
+      float maxAvail = Math.min(
+        queue.getMaximumCapacity(),
+        1.0f - siblingUsedCapacity);
+      //and, mutiply by parent to get absolute (cluster relative) value
+      float absoluteMaxAvail = maxAvail * parentMaxAvail;
+
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("qpath " + queue.getQueuePath());
+        LOG.debug("parentMaxAvail " + parentMaxAvail);
+        LOG.debug("siblingUsedCapacity " + siblingUsedCapacity);
+        LOG.debug("getAbsoluteMaximumCapacity " + queue.getAbsoluteMaximumCapacity());
+        LOG.debug("maxAvail " + maxAvail);
+        LOG.debug("absoluteMaxAvail " + absoluteMaxAvail);
+      }
+
+      if (absoluteMaxAvail < 0.0f) {
+        absoluteMaxAvail = 0.0f;
+      } else if (absoluteMaxAvail > 1.0f) {
+        absoluteMaxAvail = 1.0f;
+      }
+
+      return absoluteMaxAvail;
+   }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
index 65938aab8dc..4fd8b490577 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
@@ -976,13 +976,18 @@ private Resource computeUserLimitAndSetHeadroom(
 
     Resource userLimit =                          // User limit
         computeUserLimit(application, clusterResource, required);
-    
+
+    //Max avail capacity needs to take into account usage by ancestor-siblings
+    //which are greater than their base capacity, so we are interested in "max avail"
+    //capacity
+    float absoluteMaxAvailCapacity = CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, this);
 
     Resource queueMaxCap =                        // Queue Max-Capacity
         Resources.multiplyAndNormalizeDown(
             resourceCalculator, 
             clusterResource, 
-            absoluteMaxCapacity, 
+            absoluteMaxAvailCapacity,
             minimumAllocation);
     
     Resource userConsumed = getUser(user).getConsumedResources(); 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCSQueueUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCSQueueUtils.java
new file mode 100644
index 00000000000..7260afd9bcc
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCSQueueUtils.java
@@ -0,0 +1,262 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import static org.mockito.Matchers.any;
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.doAnswer;
+import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.inOrder;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.reset;
+import static org.mockito.Mockito.when;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.junit.Assert;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.util.resource.DefaultResourceCalculator;
+import org.apache.hadoop.yarn.util.resource.DominantResourceCalculator;
+import org.apache.hadoop.yarn.util.resource.ResourceCalculator;
+import org.apache.hadoop.yarn.util.resource.Resources;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.InOrder;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.stubbing.Answer;
+
+public class TestCSQueueUtils {
+
+  private static final Log LOG = LogFactory.getLog(TestCSQueueUtils.class);
+
+  final static int GB = 1024;
+
+  @Test
+  public void testAbsoluteMaxAvailCapacityInvalidDivisor() throws Exception {
+    runInvalidDivisorTest(false);
+    runInvalidDivisorTest(true);
+  }
+    
+  public void runInvalidDivisorTest(boolean useDominant) throws Exception {
+  
+    ResourceCalculator resourceCalculator;
+    Resource clusterResource;
+    if (useDominant) {
+      resourceCalculator = new DominantResourceCalculator();
+      clusterResource = Resources.createResource(10, 0);
+    } else {
+      resourceCalculator = new DefaultResourceCalculator();
+      clusterResource = Resources.createResource(0, 99);
+    }
+    
+    YarnConfiguration conf = new YarnConfiguration();
+    CapacitySchedulerConfiguration csConf = new CapacitySchedulerConfiguration();
+  
+    CapacitySchedulerContext csContext = mock(CapacitySchedulerContext.class);
+    when(csContext.getConf()).thenReturn(conf);
+    when(csContext.getConfiguration()).thenReturn(csConf);
+    when(csContext.getClusterResource()).thenReturn(clusterResource);
+    when(csContext.getResourceCalculator()).thenReturn(resourceCalculator);
+    when(csContext.getMinimumResourceCapability()).
+        thenReturn(Resources.createResource(GB, 1));
+    when(csContext.getMaximumResourceCapability()).
+        thenReturn(Resources.createResource(0, 0));
+  
+    final String L1Q1 = "L1Q1";
+    csConf.setQueues(CapacitySchedulerConfiguration.ROOT, new String[] {L1Q1});
+    
+    final String L1Q1P = CapacitySchedulerConfiguration.ROOT + "." + L1Q1;
+    csConf.setCapacity(L1Q1P, 90);
+    csConf.setMaximumCapacity(L1Q1P, 90);
+    
+    ParentQueue root = new ParentQueue(csContext, 
+        CapacitySchedulerConfiguration.ROOT, null, null);
+    LeafQueue l1q1 = new LeafQueue(csContext, L1Q1, root, null);
+    
+    LOG.info("t1 root " + CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, root));
+    
+    LOG.info("t1 l1q1 " + CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, l1q1));
+    
+    assertEquals(0.0f, CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, l1q1), 0.000001f);
+    
+  }
+  
+  @Test
+  public void testAbsoluteMaxAvailCapacityNoUse() throws Exception {
+    
+    ResourceCalculator resourceCalculator = new DefaultResourceCalculator();
+    Resource clusterResource = Resources.createResource(100 * 16 * GB, 100 * 32);
+    
+    YarnConfiguration conf = new YarnConfiguration();
+    CapacitySchedulerConfiguration csConf = new CapacitySchedulerConfiguration();
+    
+    CapacitySchedulerContext csContext = mock(CapacitySchedulerContext.class);
+    when(csContext.getConf()).thenReturn(conf);
+    when(csContext.getConfiguration()).thenReturn(csConf);
+    when(csContext.getClusterResource()).thenReturn(clusterResource);
+    when(csContext.getResourceCalculator()).thenReturn(resourceCalculator);
+    when(csContext.getMinimumResourceCapability()).
+        thenReturn(Resources.createResource(GB, 1));
+    when(csContext.getMaximumResourceCapability()).
+        thenReturn(Resources.createResource(16*GB, 32));
+    
+    final String L1Q1 = "L1Q1";
+    csConf.setQueues(CapacitySchedulerConfiguration.ROOT, new String[] {L1Q1});
+    
+    final String L1Q1P = CapacitySchedulerConfiguration.ROOT + "." + L1Q1;
+    csConf.setCapacity(L1Q1P, 90);
+    csConf.setMaximumCapacity(L1Q1P, 90);
+    
+    ParentQueue root = new ParentQueue(csContext, 
+        CapacitySchedulerConfiguration.ROOT, null, null);
+    LeafQueue l1q1 = new LeafQueue(csContext, L1Q1, root, null);
+    
+    LOG.info("t1 root " + CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, root));
+    
+    LOG.info("t1 l1q1 " + CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, l1q1));
+    
+    assertEquals(1.0f, CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, root), 0.000001f);
+    
+    assertEquals(0.9f, CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, l1q1), 0.000001f);
+    
+  }
+  
+  @Test
+  public void testAbsoluteMaxAvailCapacityWithUse() throws Exception {
+    
+    ResourceCalculator resourceCalculator = new DefaultResourceCalculator();
+    Resource clusterResource = Resources.createResource(100 * 16 * GB, 100 * 32);
+    
+    YarnConfiguration conf = new YarnConfiguration();
+    CapacitySchedulerConfiguration csConf = new CapacitySchedulerConfiguration();
+    
+    CapacitySchedulerContext csContext = mock(CapacitySchedulerContext.class);
+    when(csContext.getConf()).thenReturn(conf);
+    when(csContext.getConfiguration()).thenReturn(csConf);
+    when(csContext.getClusterResource()).thenReturn(clusterResource);
+    when(csContext.getResourceCalculator()).thenReturn(resourceCalculator);
+    when(csContext.getMinimumResourceCapability()).
+        thenReturn(Resources.createResource(GB, 1));
+    when(csContext.getMaximumResourceCapability()).
+        thenReturn(Resources.createResource(16*GB, 32));
+    
+    final String L1Q1 = "L1Q1";
+    final String L1Q2 = "L1Q2";
+    final String L2Q1 = "L2Q1";
+    final String L2Q2 = "L2Q2";
+    csConf.setQueues(CapacitySchedulerConfiguration.ROOT, new String[] {L1Q1, L1Q2,
+                     L2Q1, L2Q2});
+    
+    final String L1Q1P = CapacitySchedulerConfiguration.ROOT + "." + L1Q1;
+    csConf.setCapacity(L1Q1P, 80);
+    csConf.setMaximumCapacity(L1Q1P, 80);
+    
+    final String L1Q2P = CapacitySchedulerConfiguration.ROOT + "." + L1Q2;
+    csConf.setCapacity(L1Q2P, 20);
+    csConf.setMaximumCapacity(L1Q2P, 100);
+    
+    final String L2Q1P = L1Q1P + "." + L2Q1;
+    csConf.setCapacity(L2Q1P, 50);
+    csConf.setMaximumCapacity(L2Q1P, 50);
+    
+    final String L2Q2P = L1Q1P + "." + L2Q2;
+    csConf.setCapacity(L2Q2P, 50);
+    csConf.setMaximumCapacity(L2Q2P, 50);
+    
+    float result;
+    
+    ParentQueue root = new ParentQueue(csContext, 
+        CapacitySchedulerConfiguration.ROOT, null, null);
+    
+    LeafQueue l1q1 = new LeafQueue(csContext, L1Q1, root, null);
+    LeafQueue l1q2 = new LeafQueue(csContext, L1Q2, root, null);
+    LeafQueue l2q2 = new LeafQueue(csContext, L2Q2, l1q1, null);
+    LeafQueue l2q1 = new LeafQueue(csContext, L2Q1, l1q1, null);
+    
+    //no usage, all based on maxCapacity (prior behavior)
+    result = CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, l2q2);
+    assertEquals( 0.4f, result, 0.000001f);
+    LOG.info("t2 l2q2 " + result);
+    
+    //some usage, but below the base capacity
+    Resources.addTo(root.getUsedResources(), Resources.multiply(clusterResource, 0.1f));
+    Resources.addTo(l1q2.getUsedResources(), Resources.multiply(clusterResource, 0.1f));
+    result = CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, l2q2);
+    assertEquals( 0.4f, result, 0.000001f);
+    LOG.info("t2 l2q2 " + result);
+    
+    //usage gt base on parent sibling
+    Resources.addTo(root.getUsedResources(), Resources.multiply(clusterResource, 0.3f));
+    Resources.addTo(l1q2.getUsedResources(), Resources.multiply(clusterResource, 0.3f));
+    result = CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, l2q2);
+    assertEquals( 0.3f, result, 0.000001f);
+    LOG.info("t2 l2q2 " + result);
+    
+    //same as last, but with usage also on direct parent
+    Resources.addTo(root.getUsedResources(), Resources.multiply(clusterResource, 0.1f));
+    Resources.addTo(l1q1.getUsedResources(), Resources.multiply(clusterResource, 0.1f));
+    result = CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, l2q2);
+    assertEquals( 0.3f, result, 0.000001f);
+    LOG.info("t2 l2q2 " + result);
+    
+    //add to direct sibling, below the threshold of effect at present
+    Resources.addTo(root.getUsedResources(), Resources.multiply(clusterResource, 0.2f));
+    Resources.addTo(l1q1.getUsedResources(), Resources.multiply(clusterResource, 0.2f));
+    Resources.addTo(l2q1.getUsedResources(), Resources.multiply(clusterResource, 0.2f));
+    result = CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, l2q2);
+    assertEquals( 0.3f, result, 0.000001f);
+    LOG.info("t2 l2q2 " + result);
+    
+    //add to direct sibling, now above the threshold of effect
+    //(it's cumulative with prior tests)
+    Resources.addTo(root.getUsedResources(), Resources.multiply(clusterResource, 0.2f));
+    Resources.addTo(l1q1.getUsedResources(), Resources.multiply(clusterResource, 0.2f));
+    Resources.addTo(l2q1.getUsedResources(), Resources.multiply(clusterResource, 0.2f));
+    result = CSQueueUtils.getAbsoluteMaxAvailCapacity(
+      resourceCalculator, clusterResource, l2q2);
+    assertEquals( 0.1f, result, 0.000001f);
+    LOG.info("t2 l2q2 " + result);
+    
+    
+  }
+
+}

From de2595833cef21e3445fa7a4cb0ce7bc3f41fbd9 Mon Sep 17 00:00:00 2001
From: Jason Darrell Lowe <jlowe@apache.org>
Date: Thu, 7 Aug 2014 20:15:56 +0000
Subject: [PATCH 151/354] MAPREDUCE-6021. MR AM should have working directory
 in LD_LIBRARY_PATH. Contributed by Jason Lowe

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616585 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt          |   3 +
 .../org/apache/hadoop/mapred/YARNRunner.java  |   9 ++
 .../apache/hadoop/mapred/TestYARNRunner.java  | 104 ++++++++++++------
 3 files changed, 85 insertions(+), 31 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 707a9c4b3c5..5bb579745a0 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -184,6 +184,9 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-6014. New task status field in task attempts table can lead to
     an empty web page (Mit Desai via jlowe)
 
+    MAPREDUCE-6021. MR AM should have working directory in LD_LIBRARY_PATH
+    (jlowe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/main/java/org/apache/hadoop/mapred/YARNRunner.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/main/java/org/apache/hadoop/mapred/YARNRunner.java
index 80765cf55b4..5120c85f41b 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/main/java/org/apache/hadoop/mapred/YARNRunner.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/main/java/org/apache/hadoop/mapred/YARNRunner.java
@@ -447,6 +447,15 @@ public ApplicationSubmissionContext createApplicationSubmissionContext(
     Map<String, String> environment = new HashMap<String, String>();
     MRApps.setClasspath(environment, conf);
 
+    // Shell
+    environment.put(Environment.SHELL.name(),
+        conf.get(MRJobConfig.MAPRED_ADMIN_USER_SHELL,
+            MRJobConfig.DEFAULT_SHELL));
+
+    // Add the container working directory at the front of LD_LIBRARY_PATH
+    MRApps.addToEnvironment(environment, Environment.LD_LIBRARY_PATH.name(),
+        MRApps.crossPlatformifyMREnv(conf, Environment.PWD), conf);
+
     // Setup the environment variables for Admin first
     MRApps.setEnvFromInputString(environment, 
         conf.get(MRJobConfig.MR_AM_ADMIN_USER_ENV), conf);
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestYARNRunner.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestYARNRunner.java
index 39dec0607b4..38a79fbb9a7 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestYARNRunner.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestYARNRunner.java
@@ -29,6 +29,7 @@
 
 import java.io.ByteArrayOutputStream;
 import java.io.File;
+import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
@@ -36,6 +37,7 @@
 import java.nio.ByteBuffer;
 import java.security.PrivilegedExceptionAction;
 import java.util.List;
+import java.util.Map;
 
 import junit.framework.TestCase;
 
@@ -44,22 +46,27 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.fs.FileContext;
+import org.apache.hadoop.fs.FileUtil;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.mapreduce.JobID;
 import org.apache.hadoop.mapreduce.JobPriority;
 import org.apache.hadoop.mapreduce.JobStatus.State;
+import org.apache.hadoop.mapreduce.MRConfig;
 import org.apache.hadoop.mapreduce.MRJobConfig;
 import org.apache.hadoop.mapreduce.TypeConverter;
 import org.apache.hadoop.mapreduce.v2.api.MRClientProtocol;
 import org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier;
 import org.apache.hadoop.mapreduce.v2.api.protocolrecords.GetDelegationTokenRequest;
 import org.apache.hadoop.mapreduce.v2.api.protocolrecords.GetDelegationTokenResponse;
+import org.apache.hadoop.mapreduce.v2.util.MRApps;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.api.ApplicationConstants;
+import org.apache.hadoop.yarn.api.ApplicationConstants.Environment;
 import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsResponse;
 import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationReportRequest;
@@ -94,6 +101,7 @@
 import org.apache.log4j.Logger;
 import org.apache.log4j.SimpleLayout;
 import org.apache.log4j.WriterAppender;
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.invocation.InvocationOnMock;
@@ -146,8 +154,12 @@ public ApplicationSubmissionContext answer(InvocationOnMock invocation)
       FileContext.getLocalFSFileContext().delete(new Path(testWorkDir.toString()), true);
     }
     testWorkDir.mkdirs();
-   }
+  }
 
+  @After
+  public void cleanup() {
+    FileUtil.fullyDelete(testWorkDir);
+  }
 
   @Test(timeout=20000)
   public void testJobKill() throws Exception {
@@ -397,21 +409,8 @@ public void testAMAdminCommandOpts() throws Exception {
     
     YARNRunner yarnRunner = new YARNRunner(jobConf);
     
-    File jobxml = new File(testWorkDir, MRJobConfig.JOB_CONF_FILE);
-    OutputStream out = new FileOutputStream(jobxml);
-    conf.writeXml(out);
-    out.close();
-    
-    File jobsplit = new File(testWorkDir, MRJobConfig.JOB_SPLIT);
-    out = new FileOutputStream(jobsplit);
-    out.close();
-    
-    File jobsplitmetainfo = new File(testWorkDir, MRJobConfig.JOB_SPLIT_METAINFO);
-    out = new FileOutputStream(jobsplitmetainfo);
-    out.close();
-    
-    ApplicationSubmissionContext submissionContext = 
-        yarnRunner.createApplicationSubmissionContext(jobConf, testWorkDir.toString(), new Credentials());
+    ApplicationSubmissionContext submissionContext =
+        buildSubmitContext(yarnRunner, jobConf);
     
     ContainerLaunchContext containerSpec = submissionContext.getAMContainerSpec();
     List<String> commands = containerSpec.getCommands();
@@ -463,22 +462,9 @@ public void testWarnCommandOpts() throws Exception {
     
     YARNRunner yarnRunner = new YARNRunner(jobConf);
     
-    File jobxml = new File(testWorkDir, MRJobConfig.JOB_CONF_FILE);
-    OutputStream out = new FileOutputStream(jobxml);
-    conf.writeXml(out);
-    out.close();
-    
-    File jobsplit = new File(testWorkDir, MRJobConfig.JOB_SPLIT);
-    out = new FileOutputStream(jobsplit);
-    out.close();
-    
-    File jobsplitmetainfo = new File(testWorkDir, MRJobConfig.JOB_SPLIT_METAINFO);
-    out = new FileOutputStream(jobsplitmetainfo);
-    out.close();
-    
     @SuppressWarnings("unused")
-    ApplicationSubmissionContext submissionContext = 
-        yarnRunner.createApplicationSubmissionContext(jobConf, testWorkDir.toString(), new Credentials());
+    ApplicationSubmissionContext submissionContext =
+        buildSubmitContext(yarnRunner, jobConf);
    
     String logMsg = bout.toString();
     assertTrue(logMsg.contains("WARN - Usage of -Djava.library.path in " + 
@@ -492,4 +478,60 @@ public void testWarnCommandOpts() throws Exception {
         "be set as part of the LD_LIBRARY_PATH in the app master JVM env " +
         "using yarn.app.mapreduce.am.env config settings."));
   }
+
+  @Test
+  public void testAMStandardEnv() throws Exception {
+    final String ADMIN_LIB_PATH = "foo";
+    final String USER_LIB_PATH = "bar";
+    final String USER_SHELL = "shell";
+    JobConf jobConf = new JobConf();
+
+    jobConf.set(MRJobConfig.MR_AM_ADMIN_USER_ENV, "LD_LIBRARY_PATH=" +
+        ADMIN_LIB_PATH);
+    jobConf.set(MRJobConfig.MR_AM_ENV, "LD_LIBRARY_PATH="
+        + USER_LIB_PATH);
+    jobConf.set(MRJobConfig.MAPRED_ADMIN_USER_SHELL, USER_SHELL);
+
+    YARNRunner yarnRunner = new YARNRunner(jobConf);
+    ApplicationSubmissionContext appSubCtx =
+        buildSubmitContext(yarnRunner, jobConf);
+
+    // make sure PWD is first in the lib path
+    ContainerLaunchContext clc = appSubCtx.getAMContainerSpec();
+    Map<String, String> env = clc.getEnvironment();
+    String libPath = env.get(Environment.LD_LIBRARY_PATH.name());
+    assertNotNull("LD_LIBRARY_PATH not set", libPath);
+    String cps = jobConf.getBoolean(
+        MRConfig.MAPREDUCE_APP_SUBMISSION_CROSS_PLATFORM,
+        MRConfig.DEFAULT_MAPREDUCE_APP_SUBMISSION_CROSS_PLATFORM)
+        ? ApplicationConstants.CLASS_PATH_SEPARATOR : File.pathSeparator;
+    assertEquals("Bad AM LD_LIBRARY_PATH setting",
+        MRApps.crossPlatformifyMREnv(conf, Environment.PWD)
+        + cps + ADMIN_LIB_PATH + cps + USER_LIB_PATH, libPath);
+
+    // make sure SHELL is set
+    String shell = env.get(Environment.SHELL.name());
+    assertNotNull("SHELL not set", shell);
+    assertEquals("Bad SHELL setting", USER_SHELL, shell);
+  }
+
+  private ApplicationSubmissionContext buildSubmitContext(
+      YARNRunner yarnRunner, JobConf jobConf) throws IOException {
+    File jobxml = new File(testWorkDir, MRJobConfig.JOB_CONF_FILE);
+    OutputStream out = new FileOutputStream(jobxml);
+    conf.writeXml(out);
+    out.close();
+
+    File jobsplit = new File(testWorkDir, MRJobConfig.JOB_SPLIT);
+    out = new FileOutputStream(jobsplit);
+    out.close();
+
+    File jobsplitmetainfo = new File(testWorkDir,
+        MRJobConfig.JOB_SPLIT_METAINFO);
+    out = new FileOutputStream(jobsplitmetainfo);
+    out.close();
+
+    return yarnRunner.createApplicationSubmissionContext(jobConf,
+        testWorkDir.toString(), new Credentials());
+  }
 }

From eca80dca3ee0888304519ec96e9e4113cc35b112 Mon Sep 17 00:00:00 2001
From: Aaron Myers <atm@apache.org>
Date: Thu, 7 Aug 2014 22:46:51 +0000
Subject: [PATCH 152/354] HDFS-6728. Dynamically add new volumes to
 DataStorage, formatted if necessary. Contributed by Lei Xu.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616615 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../datanode/BlockPoolSliceStorage.java       |  13 +-
 .../hdfs/server/datanode/DataStorage.java     | 181 ++++++++++++---
 .../hdfs/server/datanode/TestDataStorage.java | 210 ++++++++++++++++++
 4 files changed, 369 insertions(+), 38 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataStorage.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 4047a51905e..97cfbd1b6de 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -370,6 +370,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6781. Separate HDFS commands from CommandsManual.apt.vm. (Akira
     Ajisaka via Arpit Agarwal)
 
+    HDFS-6728. Dynamically add new volumes to DataStorage, formatted if
+    necessary. (Lei Xu via atm)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
index d065b5736e6..8e65dd0b548 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
@@ -36,8 +36,10 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.Properties;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -106,13 +108,22 @@ private BlockPoolSliceStorage() {
   void recoverTransitionRead(DataNode datanode, NamespaceInfo nsInfo,
       Collection<File> dataDirs, StartupOption startOpt) throws IOException {
     LOG.info("Analyzing storage directories for bpid " + nsInfo.getBlockPoolID());
+    Set<String> existingStorageDirs = new HashSet<String>();
+    for (int i = 0; i < getNumStorageDirs(); i++) {
+      existingStorageDirs.add(getStorageDir(i).getRoot().getAbsolutePath());
+    }
+
     // 1. For each BP data directory analyze the state and
     // check whether all is consistent before transitioning.
-    this.storageDirs = new ArrayList<StorageDirectory>(dataDirs.size());
     ArrayList<StorageState> dataDirStates = new ArrayList<StorageState>(
         dataDirs.size());
     for (Iterator<File> it = dataDirs.iterator(); it.hasNext();) {
       File dataDir = it.next();
+      if (existingStorageDirs.contains(dataDir.getAbsolutePath())) {
+        LOG.info("Storage directory " + dataDir + " has already been used.");
+        it.remove();
+        continue;
+      }
       StorageDirectory sd = new StorageDirectory(dataDir, null, true);
       StorageState curState;
       try {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java
index 5a55d094e11..4b9656eb8e9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java
@@ -55,6 +55,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
@@ -172,43 +173,99 @@ public String getTrashDirectoryForBlockFile(String bpid, File blockFile) {
   }
   
   /**
-   * Analyze storage directories.
-   * Recover from previous transitions if required. 
-   * Perform fs state transition if necessary depending on the namespace info.
-   * Read storage info.
-   * <br>
-   * This method should be synchronized between multiple DN threads.  Only the 
-   * first DN thread does DN level storage dir recoverTransitionRead.
-   * 
+   * {{@inheritDoc org.apache.hadoop.hdfs.server.common.Storage#writeAll()}}
+   */
+  private void writeAll(Collection<StorageDirectory> dirs) throws IOException {
+    this.layoutVersion = getServiceLayoutVersion();
+    for (StorageDirectory dir : dirs) {
+      writeProperties(dir);
+    }
+  }
+
+  /**
+   * Add a list of volumes to be managed by DataStorage. If the volume is empty,
+   * format it, otherwise recover it from previous transitions if required.
+   *
+   * @param datanode the reference to DataNode.
    * @param nsInfo namespace information
    * @param dataDirs array of data storage directories
    * @param startOpt startup option
    * @throws IOException
    */
-  synchronized void recoverTransitionRead(DataNode datanode,
+  synchronized void addStorageLocations(DataNode datanode,
       NamespaceInfo nsInfo, Collection<StorageLocation> dataDirs,
       StartupOption startOpt)
       throws IOException {
-    if (initialized) {
-      // DN storage has been initialized, no need to do anything
-      return;
+    // Similar to recoverTransitionRead, it first ensures the datanode level
+    // format is completed.
+    List<StorageLocation> tmpDataDirs =
+        new ArrayList<StorageLocation>(dataDirs);
+    addStorageLocations(datanode, nsInfo, tmpDataDirs, startOpt, false, true);
+
+    Collection<File> bpDataDirs = new ArrayList<File>();
+    String bpid = nsInfo.getBlockPoolID();
+    for (StorageLocation dir : dataDirs) {
+      File dnRoot = dir.getFile();
+      File bpRoot = BlockPoolSliceStorage.getBpRoot(bpid, new File(dnRoot,
+          STORAGE_DIR_CURRENT));
+      bpDataDirs.add(bpRoot);
     }
-    LOG.info("Data-node version: " + HdfsConstants.DATANODE_LAYOUT_VERSION
-        + " and name-node layout version: " + nsInfo.getLayoutVersion());
-    
-    // 1. For each data directory calculate its state and 
-    // check whether all is consistent before transitioning.
-    // Format and recover.
-    this.storageDirs = new ArrayList<StorageDirectory>(dataDirs.size());
-    ArrayList<StorageState> dataDirStates = new ArrayList<StorageState>(dataDirs.size());
+    // mkdir for the list of BlockPoolStorage
+    makeBlockPoolDataDir(bpDataDirs, null);
+    BlockPoolSliceStorage bpStorage = this.bpStorageMap.get(bpid);
+    if (bpStorage == null) {
+      bpStorage = new BlockPoolSliceStorage(
+          nsInfo.getNamespaceID(), bpid, nsInfo.getCTime(),
+          nsInfo.getClusterID());
+    }
+
+    bpStorage.recoverTransitionRead(datanode, nsInfo, bpDataDirs, startOpt);
+    addBlockPoolStorage(bpid, bpStorage);
+  }
+
+  /**
+   * Add a list of volumes to be managed by this DataStorage. If the volume is
+   * empty, it formats the volume, otherwise it recovers it from previous
+   * transitions if required.
+   *
+   * If isInitialize is false, only the directories that have finished the
+   * doTransition() process will be added into DataStorage.
+   *
+   * @param datanode the reference to DataNode.
+   * @param nsInfo namespace information
+   * @param dataDirs array of data storage directories
+   * @param startOpt startup option
+   * @param isInitialize whether it is called when DataNode starts up.
+   * @throws IOException
+   */
+  private synchronized void addStorageLocations(DataNode datanode,
+      NamespaceInfo nsInfo, Collection<StorageLocation> dataDirs,
+      StartupOption startOpt, boolean isInitialize, boolean ignoreExistingDirs)
+      throws IOException {
+    Set<String> existingStorageDirs = new HashSet<String>();
+    for (int i = 0; i < getNumStorageDirs(); i++) {
+      existingStorageDirs.add(getStorageDir(i).getRoot().getAbsolutePath());
+    }
+
+    // 1. For each data directory calculate its state and check whether all is
+    // consistent before transitioning. Format and recover.
+    ArrayList<StorageState> dataDirStates =
+        new ArrayList<StorageState>(dataDirs.size());
+    List<StorageDirectory> addedStorageDirectories =
+        new ArrayList<StorageDirectory>();
     for(Iterator<StorageLocation> it = dataDirs.iterator(); it.hasNext();) {
       File dataDir = it.next().getFile();
+      if (existingStorageDirs.contains(dataDir.getAbsolutePath())) {
+        LOG.info("Storage directory " + dataDir + " has already been used.");
+        it.remove();
+        continue;
+      }
       StorageDirectory sd = new StorageDirectory(dataDir);
       StorageState curState;
       try {
         curState = sd.analyzeStorage(startOpt, this);
         // sd is locked but not opened
-        switch(curState) {
+        switch (curState) {
         case NORMAL:
           break;
         case NON_EXISTENT:
@@ -217,7 +274,8 @@ synchronized void recoverTransitionRead(DataNode datanode,
           it.remove();
           continue;
         case NOT_FORMATTED: // format
-          LOG.info("Storage directory " + dataDir + " is not formatted");
+          LOG.info("Storage directory " + dataDir + " is not formatted for "
+            + nsInfo.getBlockPoolID());
           LOG.info("Formatting ...");
           format(sd, nsInfo, datanode.getDatanodeUuid());
           break;
@@ -231,33 +289,82 @@ synchronized void recoverTransitionRead(DataNode datanode,
         //continue with other good dirs
         continue;
       }
-      // add to the storage list
-      addStorageDir(sd);
+      if (isInitialize) {
+        addStorageDir(sd);
+      }
+      addedStorageDirectories.add(sd);
       dataDirStates.add(curState);
     }
 
-    if (dataDirs.size() == 0 || dataDirStates.size() == 0)  // none of the data dirs exist
+    if (dataDirs.size() == 0 || dataDirStates.size() == 0) {
+      // none of the data dirs exist
+      if (ignoreExistingDirs) {
+        return;
+      }
       throw new IOException(
           "All specified directories are not accessible or do not exist.");
+    }
 
     // 2. Do transitions
     // Each storage directory is treated individually.
-    // During startup some of them can upgrade or rollback 
-    // while others could be uptodate for the regular startup.
-    try {
-      for (int idx = 0; idx < getNumStorageDirs(); idx++) {
-        doTransition(datanode, getStorageDir(idx), nsInfo, startOpt);
-        createStorageID(getStorageDir(idx));
+    // During startup some of them can upgrade or rollback
+    // while others could be up-to-date for the regular startup.
+    for (Iterator<StorageDirectory> it = addedStorageDirectories.iterator();
+        it.hasNext(); ) {
+      StorageDirectory sd = it.next();
+      try {
+        doTransition(datanode, sd, nsInfo, startOpt);
+        createStorageID(sd);
+      } catch (IOException e) {
+        if (!isInitialize) {
+          sd.unlock();
+          it.remove();
+          continue;
+        }
+        unlockAll();
+        throw e;
       }
-    } catch (IOException e) {
-      unlockAll();
-      throw e;
     }
 
-    // 3. Update all storages. Some of them might have just been formatted.
-    this.writeAll();
+    // 3. Update all successfully loaded storages. Some of them might have just
+    // been formatted.
+    this.writeAll(addedStorageDirectories);
+
+    // 4. Make newly loaded storage directories visible for service.
+    if (!isInitialize) {
+      this.storageDirs.addAll(addedStorageDirectories);
+    }
+  }
+
+  /**
+   * Analyze storage directories.
+   * Recover from previous transitions if required.
+   * Perform fs state transition if necessary depending on the namespace info.
+   * Read storage info.
+   * <br>
+   * This method should be synchronized between multiple DN threads.  Only the
+   * first DN thread does DN level storage dir recoverTransitionRead.
+   *
+   * @param nsInfo namespace information
+   * @param dataDirs array of data storage directories
+   * @param startOpt startup option
+   * @throws IOException
+   */
+  synchronized void recoverTransitionRead(DataNode datanode,
+      NamespaceInfo nsInfo, Collection<StorageLocation> dataDirs,
+      StartupOption startOpt)
+      throws IOException {
+    if (initialized) {
+      // DN storage has been initialized, no need to do anything
+      return;
+    }
+    LOG.info("DataNode version: " + HdfsConstants.DATANODE_LAYOUT_VERSION
+        + " and NameNode layout version: " + nsInfo.getLayoutVersion());
+
+    this.storageDirs = new ArrayList<StorageDirectory>(dataDirs.size());
+    addStorageLocations(datanode, nsInfo, dataDirs, startOpt, true, false);
     
-    // 4. mark DN storage is initialized
+    // mark DN storage is initialized
     this.initialized = true;
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataStorage.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataStorage.java
new file mode 100644
index 00000000000..1d700e3cdfc
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataStorage.java
@@ -0,0 +1,210 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.server.datanode;
+
+import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.StartupOption;
+import org.apache.hadoop.hdfs.server.common.Storage;
+import org.apache.hadoop.hdfs.server.protocol.NamespaceInfo;
+import org.apache.hadoop.test.GenericTestUtils;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class TestDataStorage {
+  private final static String DEFAULT_BPID = "bp-0";
+  private final static String CLUSTER_ID = "cluster0";
+  private final static String BUILD_VERSION = "2.0";
+  private final static String SOFTWARE_VERSION = "2.0";
+  private final static long CTIME = 1;
+  private final static File TEST_DIR =
+      new File(System.getProperty("test.build.data") + "/dstest");
+  private final static StartupOption START_OPT = StartupOption.REGULAR;
+
+  private DataNode mockDN = Mockito.mock(DataNode.class);
+  private NamespaceInfo nsInfo;
+  private DataStorage storage;
+
+  @Before
+  public void setUp() throws IOException {
+    storage = new DataStorage();
+    nsInfo = new NamespaceInfo(0, CLUSTER_ID, DEFAULT_BPID, CTIME,
+        BUILD_VERSION, SOFTWARE_VERSION);
+    FileUtil.fullyDelete(TEST_DIR);
+    assertTrue("Failed to make test dir.", TEST_DIR.mkdirs());
+  }
+
+  @After
+  public void tearDown() throws IOException {
+    FileUtil.fullyDelete(TEST_DIR);
+  }
+
+  private static List<StorageLocation> createStorageLocations(int numLocs)
+      throws IOException {
+    return createStorageLocations(numLocs, false);
+  }
+
+  /**
+   * Create a list of StorageLocations.
+   * If asFile sets to true, create StorageLocation as regular files, otherwise
+   * create directories for each location.
+   * @param numLocs the total number of StorageLocations to be created.
+   * @param asFile set to true to create as file.
+   * @return a list of StorageLocations.
+   */
+  private static List<StorageLocation> createStorageLocations(
+      int numLocs, boolean asFile) throws IOException {
+    List<StorageLocation> locations = new ArrayList<StorageLocation>();
+    for (int i = 0; i < numLocs; i++) {
+      String uri = TEST_DIR + "/data" + i;
+      File file = new File(uri);
+      if (asFile) {
+        file.getParentFile().mkdirs();
+        file.createNewFile();
+      } else {
+        file.mkdirs();
+      }
+      StorageLocation loc = StorageLocation.parse(uri);
+      locations.add(loc);
+    }
+    return locations;
+  }
+
+  private static List<NamespaceInfo> createNamespaceInfos(int num) {
+    List<NamespaceInfo> nsInfos = new ArrayList<NamespaceInfo>();
+    for (int i = 0; i < num; i++) {
+      String bpid = "bp-" + i;
+      nsInfos.add(new NamespaceInfo(0, CLUSTER_ID, bpid, CTIME, BUILD_VERSION,
+          SOFTWARE_VERSION));
+    }
+    return nsInfos;
+  }
+
+  /** Check whether the path is a valid DataNode data directory. */
+  private static void checkDir(File dataDir) {
+    Storage.StorageDirectory sd = new Storage.StorageDirectory(dataDir);
+    assertTrue(sd.getRoot().isDirectory());
+    assertTrue(sd.getCurrentDir().isDirectory());
+    assertTrue(sd.getVersionFile().isFile());
+  }
+
+  /** Check whether the root is a valid BlockPoolSlice storage. */
+  private static void checkDir(File root, String bpid) {
+    Storage.StorageDirectory sd = new Storage.StorageDirectory(root);
+    File bpRoot = new File(sd.getCurrentDir(), bpid);
+    Storage.StorageDirectory bpSd = new Storage.StorageDirectory(bpRoot);
+    assertTrue(bpSd.getRoot().isDirectory());
+    assertTrue(bpSd.getCurrentDir().isDirectory());
+    assertTrue(bpSd.getVersionFile().isFile());
+  }
+
+  @Test
+  public void testAddStorageDirectories() throws IOException,
+      URISyntaxException {
+    final int numLocations = 3;
+    final int numNamespace = 3;
+    List<StorageLocation> locations = createStorageLocations(numLocations);
+
+    // Add volumes for multiple namespaces.
+    List<NamespaceInfo> namespaceInfos = createNamespaceInfos(numNamespace);
+    for (NamespaceInfo ni : namespaceInfos) {
+      storage.addStorageLocations(mockDN, ni, locations, START_OPT);
+      for (StorageLocation sl : locations) {
+        checkDir(sl.getFile());
+        checkDir(sl.getFile(), ni.getBlockPoolID());
+      }
+    }
+
+    assertEquals(numLocations, storage.getNumStorageDirs());
+
+    locations = createStorageLocations(numLocations);
+    try {
+      storage.addStorageLocations(mockDN, namespaceInfos.get(0),
+          locations, START_OPT);
+      fail("Expected to throw IOException: adding active directories.");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains(
+          "All specified directories are not accessible or do not exist.", e);
+    }
+    // The number of active storage dirs has not changed, since it tries to
+    // add the storage dirs that are under service.
+    assertEquals(numLocations, storage.getNumStorageDirs());
+
+    // Add more directories.
+    locations = createStorageLocations(6);
+    storage.addStorageLocations(mockDN, nsInfo, locations, START_OPT);
+    assertEquals(6, storage.getNumStorageDirs());
+  }
+
+  @Test
+  public void testRecoverTransitionReadFailure() throws IOException {
+    final int numLocations = 3;
+    List<StorageLocation> locations =
+        createStorageLocations(numLocations, true);
+
+    try {
+      storage.recoverTransitionRead(mockDN, nsInfo, locations, START_OPT);
+      fail("An IOException should throw: all StorageLocations are NON_EXISTENT");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains(
+          "All specified directories are not accessible or do not exist.", e);
+    }
+    assertEquals(0, storage.getNumStorageDirs());
+  }
+
+  /**
+   * This test enforces the behavior that if there is an exception from
+   * doTransition() during DN starts up, the storage directories that have
+   * already been processed are still visible, i.e., in
+   * DataStorage.storageDirs().
+   */
+  @Test
+  public void testRecoverTransitionReadDoTransitionFailure()
+      throws IOException {
+    final int numLocations = 3;
+    List<StorageLocation> locations = createStorageLocations(numLocations);
+    String bpid = nsInfo.getBlockPoolID();
+    // Prepare volumes
+    storage.recoverTransitionRead(mockDN, bpid, nsInfo, locations, START_OPT);
+
+    // Reset DataStorage
+    storage.unlockAll();
+    storage = new DataStorage();
+    // Trigger an exception from doTransition().
+    nsInfo.clusterID = "cluster1";
+    try {
+      storage.recoverTransitionRead(mockDN, bpid, nsInfo, locations, START_OPT);
+      fail("Expect to throw an exception from doTransition()");
+    } catch (IOException e) {
+      GenericTestUtils.assertExceptionContains("Incompatible clusterIDs", e);
+    }
+    assertEquals(numLocations, storage.getNumStorageDirs());
+  }
+}

From 8b32f84e87500a6b11a4e738e4be2dc65efbf28c Mon Sep 17 00:00:00 2001
From: Brandon Li <brandonli@apache.org>
Date: Thu, 7 Aug 2014 22:47:52 +0000
Subject: [PATCH 153/354] HADOOP-10929. Typo in
 Configuration.getPasswordFromCredentialProviders. Contributed by Larry McCay

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616616 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt               | 3 +++
 .../src/main/java/org/apache/hadoop/conf/Configuration.java   | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index fb2741e049e..5b877e6078f 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -545,6 +545,9 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-10931 compile error on tools/hadoop-openstack (xukun via stevel)
 
+    HADOOP-10929. Typo in Configuration.getPasswordFromCredentialProviders
+    (lmccay via brandonli)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
index 31c40f60f30..ea15e81639f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
@@ -1781,7 +1781,7 @@ public void setStrings(String name, String... values) {
   public char[] getPassword(String name) throws IOException {
     char[] pass = null;
 
-    pass = getPasswordFromCredenitalProviders(name);
+    pass = getPasswordFromCredentialProviders(name);
 
     if (pass == null) {
       pass = getPasswordFromConfig(name);
@@ -1797,7 +1797,7 @@ public char[] getPassword(String name) throws IOException {
    * @return password or null if not found
    * @throws IOException
    */
-  protected char[] getPasswordFromCredenitalProviders(String name)
+  protected char[] getPasswordFromCredentialProviders(String name)
       throws IOException {
     char[] pass = null;
     try {

From d758be1f35f6c1c7e9edd491af559721a3b8b8f8 Mon Sep 17 00:00:00 2001
From: Aaron Myers <atm@apache.org>
Date: Thu, 7 Aug 2014 22:59:59 +0000
Subject: [PATCH 154/354] HDFS-6740. Make FSDataset support adding data volumes
 dynamically. Contributed by Lei Xu.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616623 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../hdfs/server/datanode/StorageLocation.java |   2 +-
 .../datanode/fsdataset/FsDatasetSpi.java      |   6 +
 .../impl/FsDatasetAsyncDiskService.java       |  69 +++++++-----
 .../fsdataset/impl/FsDatasetImpl.java         |  76 ++++++++++---
 .../datanode/fsdataset/impl/FsVolumeList.java |  22 ++--
 .../server/datanode/SimulatedFSDataset.java   |   6 +
 .../fsdataset/impl/TestFsDatasetImpl.java     | 103 ++++++++++++++++++
 8 files changed, 231 insertions(+), 56 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestFsDatasetImpl.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 97cfbd1b6de..42ce130ae7a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -373,6 +373,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6728. Dynamically add new volumes to DataStorage, formatted if
     necessary. (Lei Xu via atm)
 
+    HDFS-6740. Make FSDataset support adding data volumes dynamically. (Lei
+    Xu via atm)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/StorageLocation.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/StorageLocation.java
index f85fcb115ef..feb5ac9ac26 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/StorageLocation.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/StorageLocation.java
@@ -78,7 +78,7 @@ public File getFile() {
    * @return A StorageLocation object if successfully parsed, null otherwise.
    *         Does not throw any exceptions.
    */
-  static StorageLocation parse(String rawLocation)
+  public static StorageLocation parse(String rawLocation)
       throws IOException, SecurityException {
     Matcher matcher = regex.matcher(rawLocation);
     StorageType storageType = StorageType.DEFAULT;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java
index 5e4f55e7339..a64f9c0d589 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java
@@ -22,6 +22,7 @@
 import java.io.FileDescriptor;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 
@@ -39,6 +40,7 @@
 import org.apache.hadoop.hdfs.server.datanode.FinalizedReplica;
 import org.apache.hadoop.hdfs.server.datanode.Replica;
 import org.apache.hadoop.hdfs.server.datanode.ReplicaInPipelineInterface;
+import org.apache.hadoop.hdfs.server.datanode.StorageLocation;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.impl.FsDatasetFactory;
 import org.apache.hadoop.hdfs.server.datanode.metrics.FSDatasetMBean;
 import org.apache.hadoop.hdfs.server.protocol.BlockRecoveryCommand.RecoveringBlock;
@@ -91,6 +93,10 @@ public RollingLogs createRollingLogs(String bpid, String prefix
   /** @return a list of volumes. */
   public List<V> getVolumes();
 
+  /** Add an array of StorageLocation to FsDataset. */
+  public void addVolumes(Collection<StorageLocation> volumes)
+      throws IOException;
+
   /** @return a storage with the given storage ID */
   public DatanodeStorage getStorage(final String storageUuid);
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetAsyncDiskService.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetAsyncDiskService.java
index b76cee48ed6..539e97be4a7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetAsyncDiskService.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetAsyncDiskService.java
@@ -61,6 +61,7 @@ class FsDatasetAsyncDiskService {
   private static final long THREADS_KEEP_ALIVE_SECONDS = 60; 
   
   private final DataNode datanode;
+  private final ThreadGroup threadGroup;
   private Map<File, ThreadPoolExecutor> executors
       = new HashMap<File, ThreadPoolExecutor>();
   
@@ -70,42 +71,52 @@ class FsDatasetAsyncDiskService {
    * 
    * The AsyncDiskServices uses one ThreadPool per volume to do the async
    * disk operations.
-   * 
-   * @param volumes The roots of the data volumes.
    */
-  FsDatasetAsyncDiskService(DataNode datanode, File[] volumes) {
+  FsDatasetAsyncDiskService(DataNode datanode) {
     this.datanode = datanode;
+    this.threadGroup = new ThreadGroup(getClass().getSimpleName());
+  }
 
-    final ThreadGroup threadGroup = new ThreadGroup(getClass().getSimpleName());
-    // Create one ThreadPool per volume
-    for (int v = 0 ; v < volumes.length; v++) {
-      final File vol = volumes[v];
-      ThreadFactory threadFactory = new ThreadFactory() {
-          int counter = 0;
+  private void addExecutorForVolume(final File volume) {
+    ThreadFactory threadFactory = new ThreadFactory() {
+      int counter = 0;
 
-          @Override
-          public Thread newThread(Runnable r) {
-            int thisIndex;
-            synchronized (this) {
-              thisIndex = counter++;
-            }
-            Thread t = new Thread(threadGroup, r);
-            t.setName("Async disk worker #" + thisIndex +
-                      " for volume " + vol);
-            return t;
-          }
-        };
+      @Override
+      public Thread newThread(Runnable r) {
+        int thisIndex;
+        synchronized (this) {
+          thisIndex = counter++;
+        }
+        Thread t = new Thread(threadGroup, r);
+        t.setName("Async disk worker #" + thisIndex +
+            " for volume " + volume);
+        return t;
+      }
+    };
 
-      ThreadPoolExecutor executor = new ThreadPoolExecutor(
-          CORE_THREADS_PER_VOLUME, MAXIMUM_THREADS_PER_VOLUME, 
-          THREADS_KEEP_ALIVE_SECONDS, TimeUnit.SECONDS, 
-          new LinkedBlockingQueue<Runnable>(), threadFactory);
+    ThreadPoolExecutor executor = new ThreadPoolExecutor(
+        CORE_THREADS_PER_VOLUME, MAXIMUM_THREADS_PER_VOLUME,
+        THREADS_KEEP_ALIVE_SECONDS, TimeUnit.SECONDS,
+        new LinkedBlockingQueue<Runnable>(), threadFactory);
 
-      // This can reduce the number of running threads
-      executor.allowCoreThreadTimeOut(true);
-      executors.put(vol, executor);
+    // This can reduce the number of running threads
+    executor.allowCoreThreadTimeOut(true);
+    executors.put(volume, executor);
+  }
+
+  /**
+   * Starts AsyncDiskService for a new volume
+   * @param volume the root of the new data volume.
+   */
+  synchronized void addVolume(File volume) {
+    if (executors == null) {
+      throw new RuntimeException("AsyncDiskService is already shutdown");
     }
-    
+    ThreadPoolExecutor executor = executors.get(volume);
+    if (executor != null) {
+      throw new RuntimeException("Volume " + volume + " is already existed.");
+    }
+    addExecutorForVolume(volume);
   }
   
   synchronized long countPendingDeletions() {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
index a43ef849202..148055c6f9e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
@@ -202,6 +202,7 @@ public LengthInputStream getMetaDataInputStream(ExtendedBlock b)
   final Map<String, DatanodeStorage> storageMap;
   final FsDatasetAsyncDiskService asyncDiskService;
   final FsDatasetCache cacheManager;
+  private final Configuration conf;
   private final int validVolsRequired;
 
   final ReplicaMap volumeMap;
@@ -216,6 +217,7 @@ public LengthInputStream getMetaDataInputStream(ExtendedBlock b)
       ) throws IOException {
     this.datanode = datanode;
     this.dataStorage = storage;
+    this.conf = conf;
     // The number of volumes required for operation is the total number 
     // of volumes minus the number of failed volumes we can tolerate.
     final int volFailuresTolerated =
@@ -242,38 +244,76 @@ public LengthInputStream getMetaDataInputStream(ExtendedBlock b)
     }
 
     storageMap = new HashMap<String, DatanodeStorage>();
-    final List<FsVolumeImpl> volArray = new ArrayList<FsVolumeImpl>(
-        storage.getNumStorageDirs());
-    for (int idx = 0; idx < storage.getNumStorageDirs(); idx++) {
-      Storage.StorageDirectory sd = storage.getStorageDir(idx);
-      final File dir = sd.getCurrentDir();
-      final StorageType storageType = getStorageTypeFromLocations(dataLocations, sd.getRoot());
-      volArray.add(new FsVolumeImpl(this, sd.getStorageUuid(), dir, conf,
-          storageType));
-      LOG.info("Added volume - " + dir + ", StorageType: " + storageType);
-      storageMap.put(sd.getStorageUuid(),
-          new DatanodeStorage(sd.getStorageUuid(), DatanodeStorage.State.NORMAL, storageType));
-    }
     volumeMap = new ReplicaMap(this);
-
     @SuppressWarnings("unchecked")
     final VolumeChoosingPolicy<FsVolumeImpl> blockChooserImpl =
         ReflectionUtils.newInstance(conf.getClass(
             DFSConfigKeys.DFS_DATANODE_FSDATASET_VOLUME_CHOOSING_POLICY_KEY,
             RoundRobinVolumeChoosingPolicy.class,
             VolumeChoosingPolicy.class), conf);
-    volumes = new FsVolumeList(volArray, volsFailed, blockChooserImpl);
-    volumes.initializeReplicaMaps(volumeMap);
+    volumes = new FsVolumeList(volsFailed, blockChooserImpl);
+    asyncDiskService = new FsDatasetAsyncDiskService(datanode);
 
-    File[] roots = new File[storage.getNumStorageDirs()];
     for (int idx = 0; idx < storage.getNumStorageDirs(); idx++) {
-      roots[idx] = storage.getStorageDir(idx).getCurrentDir();
+      addVolume(dataLocations, storage.getStorageDir(idx));
     }
-    asyncDiskService = new FsDatasetAsyncDiskService(datanode, roots);
+
     cacheManager = new FsDatasetCache(this);
     registerMBean(datanode.getDatanodeUuid());
   }
 
+  private void addVolume(Collection<StorageLocation> dataLocations,
+      Storage.StorageDirectory sd) throws IOException {
+    final File dir = sd.getCurrentDir();
+    final StorageType storageType =
+        getStorageTypeFromLocations(dataLocations, sd.getRoot());
+
+    // If IOException raises from FsVolumeImpl() or getVolumeMap(), there is
+    // nothing needed to be rolled back to make various data structures, e.g.,
+    // storageMap and asyncDiskService, consistent.
+    FsVolumeImpl fsVolume = new FsVolumeImpl(
+        this, sd.getStorageUuid(), dir, this.conf, storageType);
+    fsVolume.getVolumeMap(volumeMap);
+
+    volumes.addVolume(fsVolume);
+    storageMap.put(sd.getStorageUuid(),
+        new DatanodeStorage(sd.getStorageUuid(),
+                            DatanodeStorage.State.NORMAL,
+                            storageType));
+    asyncDiskService.addVolume(sd.getCurrentDir());
+
+    LOG.info("Added volume - " + dir + ", StorageType: " + storageType);
+  }
+
+  /**
+   * Add an array of StorageLocation to FsDataset.
+   *
+   * @pre dataStorage must have these volumes.
+   * @param volumes
+   * @throws IOException
+   */
+  @Override
+  public synchronized void addVolumes(Collection<StorageLocation> volumes)
+      throws IOException {
+    final Collection<StorageLocation> dataLocations =
+        DataNode.getStorageLocations(this.conf);
+    Map<String, Storage.StorageDirectory> allStorageDirs =
+        new HashMap<String, Storage.StorageDirectory>();
+    for (int idx = 0; idx < dataStorage.getNumStorageDirs(); idx++) {
+      Storage.StorageDirectory sd = dataStorage.getStorageDir(idx);
+      allStorageDirs.put(sd.getRoot().getAbsolutePath(), sd);
+    }
+
+    for (StorageLocation vol : volumes) {
+      String key = vol.getFile().getAbsolutePath();
+      if (!allStorageDirs.containsKey(key)) {
+        LOG.warn("Attempt to add an invalid volume: " + vol.getFile());
+      } else {
+        addVolume(dataLocations, allStorageDirs.get(key));
+      }
+    }
+  }
+
   private StorageType getStorageTypeFromLocations(
       Collection<StorageLocation> dataLocations, File dir) {
     for (StorageLocation dataLocation : dataLocations) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java
index 59a5c9021cd..d4f8adc0113 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java
@@ -40,9 +40,8 @@ class FsVolumeList {
   private final VolumeChoosingPolicy<FsVolumeImpl> blockChooser;
   private volatile int numFailedVolumes;
 
-  FsVolumeList(List<FsVolumeImpl> volumes, int failedVols,
+  FsVolumeList(int failedVols,
       VolumeChoosingPolicy<FsVolumeImpl> blockChooser) {
-    this.volumes = Collections.unmodifiableList(volumes);
     this.blockChooser = blockChooser;
     this.numFailedVolumes = failedVols;
   }
@@ -101,12 +100,6 @@ long getRemaining() throws IOException {
     }
     return remaining;
   }
-    
-  void initializeReplicaMaps(ReplicaMap globalReplicaMap) throws IOException {
-    for (FsVolumeImpl v : volumes) {
-      v.getVolumeMap(globalReplicaMap);
-    }
-  }
   
   void getAllVolumesMap(final String bpid, final ReplicaMap volumeMap) throws IOException {
     long totalStartTime = Time.monotonicNow();
@@ -205,6 +198,19 @@ public String toString() {
     return volumes.toString();
   }
 
+  /**
+   * Dynamically add new volumes to the existing volumes that this DN manages.
+   * @param newVolume the instance of new FsVolumeImpl.
+   */
+  synchronized void addVolume(FsVolumeImpl newVolume) {
+    // Make a copy of volumes to add new volumes.
+    final List<FsVolumeImpl> volumeList = volumes == null ?
+        new ArrayList<FsVolumeImpl>() :
+        new ArrayList<FsVolumeImpl>(volumes);
+    volumeList.add(newVolume);
+    volumes = Collections.unmodifiableList(volumeList);
+    FsDatasetImpl.LOG.info("Added new volume: " + newVolume.toString());
+  }
 
   void addBlockPool(final String bpid, final Configuration conf) throws IOException {
     long totalStartTime = Time.monotonicNow();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java
index e3db5350029..109a0394fc6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java
@@ -23,6 +23,7 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedList;
@@ -1082,6 +1083,11 @@ public List<FsVolumeSpi> getVolumes() {
     throw new UnsupportedOperationException();
   }
 
+  @Override
+  public void addVolumes(Collection<StorageLocation> volumes) {
+    throw new UnsupportedOperationException();
+  }
+
   @Override
   public DatanodeStorage getStorage(final String storageUuid) {
     return storageUuid.equals(storage.getStorageUuid()) ?
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestFsDatasetImpl.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestFsDatasetImpl.java
new file mode 100644
index 00000000000..d9e99078be1
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestFsDatasetImpl.java
@@ -0,0 +1,103 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.server.datanode.fsdataset.impl;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.server.common.Storage;
+import org.apache.hadoop.hdfs.server.datanode.DNConf;
+import org.apache.hadoop.hdfs.server.datanode.DataNode;
+import org.apache.hadoop.hdfs.server.datanode.DataStorage;
+import org.apache.hadoop.hdfs.server.datanode.StorageLocation;
+import org.apache.hadoop.util.StringUtils;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.Mockito.when;
+
+public class TestFsDatasetImpl {
+  private static final String BASE_DIR =
+      System.getProperty("test.build.dir") + "/fsdatasetimpl";
+  private static final int NUM_INIT_VOLUMES = 2;
+
+  private DataStorage storage;
+  private FsDatasetImpl dataset;
+
+  private static void createStorageDirs(DataStorage storage, Configuration conf,
+      int numDirs) throws IOException {
+    List<Storage.StorageDirectory> dirs =
+        new ArrayList<Storage.StorageDirectory>();
+    List<String> dirStrings = new ArrayList<String>();
+    for (int i = 0; i < numDirs; i++) {
+      String loc = BASE_DIR + "/data" + i;
+      dirStrings.add(loc);
+      dirs.add(new Storage.StorageDirectory(new File(loc)));
+      when(storage.getStorageDir(i)).thenReturn(dirs.get(i));
+    }
+
+    String dataDir = StringUtils.join(",", dirStrings);
+    conf.set(DFSConfigKeys.DFS_DATANODE_DATA_DIR_KEY, dataDir);
+    when(storage.getNumStorageDirs()).thenReturn(numDirs);
+  }
+
+  @Before
+  public void setUp() throws IOException {
+    final DataNode datanode = Mockito.mock(DataNode.class);
+    storage = Mockito.mock(DataStorage.class);
+    Configuration conf = new Configuration();
+    final DNConf dnConf = new DNConf(conf);
+
+    when(datanode.getConf()).thenReturn(conf);
+    when(datanode.getDnConf()).thenReturn(dnConf);
+
+    createStorageDirs(storage, conf, NUM_INIT_VOLUMES);
+    dataset = new FsDatasetImpl(datanode, storage, conf);
+
+    assertEquals(NUM_INIT_VOLUMES, dataset.getVolumes().size());
+    assertEquals(0, dataset.getNumFailedVolumes());
+  }
+
+  @Test
+  public void testAddVolumes() throws IOException {
+    final int numNewVolumes = 3;
+    final int numExistingVolumes = dataset.getVolumes().size();
+    final int totalVolumes = numNewVolumes + numExistingVolumes;
+    List<StorageLocation> newLocations = new ArrayList<StorageLocation>();
+    for (int i = 0; i < numNewVolumes; i++) {
+      String path = BASE_DIR + "/newData" + i;
+      newLocations.add(StorageLocation.parse(path));
+      when(storage.getStorageDir(numExistingVolumes + i))
+          .thenReturn(new Storage.StorageDirectory(new File(path)));
+    }
+    when(storage.getNumStorageDirs()).thenReturn(totalVolumes);
+
+    dataset.addVolumes(newLocations);
+    assertEquals(totalVolumes, dataset.getVolumes().size());
+    for (int i = 0; i < numNewVolumes; i++) {
+      assertEquals(newLocations.get(i).getFile().getPath(),
+          dataset.getVolumes().get(numExistingVolumes + i).getBasePath());
+    }
+  }
+}

From 041b8326a1511b721958792a6b94ecfe27d7a1fb Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Fri, 8 Aug 2014 01:32:18 +0000
Subject: [PATCH 155/354] MAPREDUCE-6007. Add support to distcp to preserve
 raw.* namespace extended attributes. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1616657 13f79535-47bb-0310-9956-ffa450edef68
---
 .../CHANGES-fs-encryption.txt                 |   3 +
 .../src/site/markdown/DistCp.md.vm            |  20 +++
 .../apache/hadoop/tools/DistCpConstants.java  |   6 +
 .../hadoop/tools/DistCpOptionSwitch.java      |   6 +-
 .../apache/hadoop/tools/DistCpOptions.java    |  21 ++-
 .../hadoop/tools/SimpleCopyListing.java       |  48 ++++-
 .../hadoop/tools/mapred/CopyCommitter.java    |   9 +-
 .../hadoop/tools/mapred/CopyMapper.java       |  10 +-
 .../apache/hadoop/tools/util/DistCpUtils.java |  48 +++--
 .../hadoop/tools/TestDistCpWithRawXAttrs.java | 170 ++++++++++++++++++
 .../hadoop/tools/TestDistCpWithXAttrs.java    |  71 ++------
 .../hadoop/tools/util/DistCpTestUtils.java    |  89 +++++++++
 .../hadoop/tools/util/TestDistCpUtils.java    |   6 +-
 13 files changed, 423 insertions(+), 84 deletions(-)
 create mode 100644 hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestDistCpWithRawXAttrs.java
 create mode 100644 hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/util/DistCpTestUtils.java

diff --git a/hadoop-mapreduce-project/CHANGES-fs-encryption.txt b/hadoop-mapreduce-project/CHANGES-fs-encryption.txt
index 83fdc1ef804..9127a24ee32 100644
--- a/hadoop-mapreduce-project/CHANGES-fs-encryption.txt
+++ b/hadoop-mapreduce-project/CHANGES-fs-encryption.txt
@@ -11,5 +11,8 @@ fs-encryption (Unreleased)
 
   IMPROVEMENTS
 
+    MAPREDUCE-6007. Add support to distcp to preserve raw.* namespace
+    extended attributes. (clamb)
+
   BUG FIXES
 
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/DistCp.md.vm b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/DistCp.md.vm
index 6271a927a47..75b48388cad 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/DistCp.md.vm
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/DistCp.md.vm
@@ -191,6 +191,26 @@ $H3 Update and Overwrite
 
   If `-update` is used, `1` is overwritten as well.
 
+$H3 raw Namespace Extended Attribute Preservation
+
+  This section only applies to HDFS.
+
+  If the target and all of the source pathnames are in the /.reserved/raw
+  hierarchy, then 'raw' namespace extended attributes will be preserved.
+  'raw' xattrs are used by the system for internal functions such as encryption
+  meta data. They are only visible to users when accessed through the
+  /.reserved/raw hierarchy.
+
+  raw xattrs are preserved based solely on whether /.reserved/raw prefixes are
+  supplied. The -p (preserve, see below) flag does not impact preservation of
+  raw xattrs.
+
+  To prevent raw xattrs from being preserved, simply do not use the
+  /.reserved/raw prefix on any of the source and target paths.
+
+  If the /.reserved/raw prefix is specified on only a subset of the source and
+  target paths, an error will be displayed and a non-0 exit code returned.
+
 Command Line Options
 --------------------
 
diff --git a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpConstants.java b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpConstants.java
index d1dba19f2f7..7e71096952d 100644
--- a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpConstants.java
+++ b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpConstants.java
@@ -42,6 +42,8 @@ public class DistCpConstants {
   public static final String CONF_LABEL_LOG_PATH = "distcp.log.path";
   public static final String CONF_LABEL_IGNORE_FAILURES = "distcp.ignore.failures";
   public static final String CONF_LABEL_PRESERVE_STATUS = "distcp.preserve.status";
+  public static final String CONF_LABEL_PRESERVE_RAWXATTRS =
+      "distcp.preserve.rawxattrs";
   public static final String CONF_LABEL_SYNC_FOLDERS = "distcp.sync.folders";
   public static final String CONF_LABEL_DELETE_MISSING = "distcp.delete.missing.source";
   public static final String CONF_LABEL_SSL_CONF = "distcp.keystore.resource";
@@ -128,4 +130,8 @@ public class DistCpConstants {
   public static final int MIN_RECORDS_PER_CHUNK_DEFAULT = 5;
   public static final int SPLIT_RATIO_DEFAULT  = 2;
 
+  /**
+   * Value of reserved raw HDFS directory when copying raw.* xattrs.
+   */
+  static final String HDFS_RESERVED_RAW_DIRECTORY_NAME = "/.reserved/raw";
 }
diff --git a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpOptionSwitch.java b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpOptionSwitch.java
index e77b6e183f0..c5448132678 100644
--- a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpOptionSwitch.java
+++ b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpOptionSwitch.java
@@ -48,7 +48,11 @@ public enum DistCpOptionSwitch {
       new Option("p", true, "preserve status (rbugpcax)(replication, " +
           "block-size, user, group, permission, checksum-type, ACL, XATTR).  " +
           "If -p is specified with no <arg>, then preserves replication, " +
-          "block size, user, group, permission and checksum type.")),
+          "block size, user, group, permission and checksum type." +
+          "raw.* xattrs are preserved when both the source and destination " +
+          "paths are in the /.reserved/raw hierarchy (HDFS only). raw.* xattr" +
+          "preservation is independent of the -p flag." +
+          "Refer to the DistCp documentation for more details.")),
 
   /**
    * Update target location by copying only files that are missing
diff --git a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpOptions.java b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpOptions.java
index 1ed9ccdb3cb..a2a5be3a0b7 100644
--- a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpOptions.java
+++ b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/DistCpOptions.java
@@ -52,6 +52,8 @@ public class DistCpOptions {
 
   private EnumSet<FileAttribute> preserveStatus = EnumSet.noneOf(FileAttribute.class);
 
+  private boolean preserveRawXattrs;
+
   private Path atomicWorkPath;
 
   private Path logPath;
@@ -123,6 +125,7 @@ public DistCpOptions(DistCpOptions that) {
       this.sslConfigurationFile = that.getSslConfigurationFile();
       this.copyStrategy = that.copyStrategy;
       this.preserveStatus = that.preserveStatus;
+      this.preserveRawXattrs = that.preserveRawXattrs;
       this.atomicWorkPath = that.getAtomicWorkPath();
       this.logPath = that.getLogPath();
       this.sourceFileListing = that.getSourceFileListing();
@@ -345,7 +348,7 @@ public Iterator<FileAttribute> preserveAttributes() {
   }
 
   /**
-   * Checks if the input attibute should be preserved or not
+   * Checks if the input attribute should be preserved or not
    *
    * @param attribute - Attribute to check
    * @return True if attribute should be preserved, false otherwise
@@ -369,6 +372,21 @@ public void preserve(FileAttribute fileAttribute) {
     preserveStatus.add(fileAttribute);
   }
 
+  /**
+   * Return true if raw.* xattrs should be preserved.
+   * @return true if raw.* xattrs should be preserved.
+   */
+  public boolean shouldPreserveRawXattrs() {
+    return preserveRawXattrs;
+  }
+
+  /**
+   * Indicate that raw.* xattrs should be preserved
+   */
+  public void preserveRawXattrs() {
+    preserveRawXattrs = true;
+  }
+
   /** Get work path for atomic commit. If null, the work
    * path would be parentOf(targetPath) + "/._WIP_" + nameOf(targetPath)
    *
@@ -565,6 +583,7 @@ public String toString() {
         ", sourcePaths=" + sourcePaths +
         ", targetPath=" + targetPath +
         ", targetPathExists=" + targetPathExists +
+        ", preserveRawXattrs=" + preserveRawXattrs +
         '}';
   }
 
diff --git a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/SimpleCopyListing.java b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/SimpleCopyListing.java
index ad299422066..f9cfc86d9ea 100644
--- a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/SimpleCopyListing.java
+++ b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/SimpleCopyListing.java
@@ -37,6 +37,9 @@
 import java.io.*;
 import java.util.Stack;
 
+import static org.apache.hadoop.tools.DistCpConstants
+        .HDFS_RESERVED_RAW_DIRECTORY_NAME;
+
 /**
  * The SimpleCopyListing is responsible for making the exhaustive list of
  * all files/directories under its specified list of input-paths.
@@ -67,6 +70,10 @@ protected void validatePaths(DistCpOptions options)
     Path targetPath = options.getTargetPath();
     FileSystem targetFS = targetPath.getFileSystem(getConf());
     boolean targetIsFile = targetFS.isFile(targetPath);
+    targetPath = targetFS.makeQualified(targetPath);
+    final boolean targetIsReservedRaw =
+        Path.getPathWithoutSchemeAndAuthority(targetPath).toString().
+            startsWith(HDFS_RESERVED_RAW_DIRECTORY_NAME);
 
     //If target is a file, then source has to be single file
     if (targetIsFile) {
@@ -93,6 +100,27 @@ protected void validatePaths(DistCpOptions options)
       if (!fs.exists(path)) {
         throw new InvalidInputException(path + " doesn't exist");
       }
+      if (Path.getPathWithoutSchemeAndAuthority(path).toString().
+          startsWith(HDFS_RESERVED_RAW_DIRECTORY_NAME)) {
+        if (!targetIsReservedRaw) {
+          final String msg = "The source path '" + path + "' starts with " +
+              HDFS_RESERVED_RAW_DIRECTORY_NAME + " but the target path '" +
+              targetPath + "' does not. Either all or none of the paths must " +
+              "have this prefix.";
+          throw new InvalidInputException(msg);
+        }
+      } else if (targetIsReservedRaw) {
+        final String msg = "The target path '" + targetPath + "' starts with " +
+                HDFS_RESERVED_RAW_DIRECTORY_NAME + " but the source path '" +
+                path + "' does not. Either all or none of the paths must " +
+                "have this prefix.";
+        throw new InvalidInputException(msg);
+      }
+    }
+
+    if (targetIsReservedRaw) {
+      options.preserveRawXattrs();
+      getConf().setBoolean(DistCpConstants.CONF_LABEL_PRESERVE_RAWXATTRS, true);
     }
 
     /* This is requires to allow map tasks to access each of the source
@@ -135,6 +163,9 @@ public void doBuildListing(SequenceFile.Writer fileListWriter,
     try {
       for (Path path: options.getSourcePaths()) {
         FileSystem sourceFS = path.getFileSystem(getConf());
+        final boolean preserveAcls = options.shouldPreserve(FileAttribute.ACL);
+        final boolean preserveXAttrs = options.shouldPreserve(FileAttribute.XATTR);
+        final boolean preserveRawXAttrs = options.shouldPreserveRawXattrs();
         path = makeQualified(path);
 
         FileStatus rootStatus = sourceFS.getFileStatus(path);
@@ -145,8 +176,7 @@ public void doBuildListing(SequenceFile.Writer fileListWriter,
         if (!explore || rootStatus.isDirectory()) {
           CopyListingFileStatus rootCopyListingStatus =
             DistCpUtils.toCopyListingFileStatus(sourceFS, rootStatus,
-              options.shouldPreserve(FileAttribute.ACL), 
-              options.shouldPreserve(FileAttribute.XATTR));
+                preserveAcls, preserveXAttrs, preserveRawXAttrs);
           writeToFileListingRoot(fileListWriter, rootCopyListingStatus,
               sourcePathRoot, options);
         }
@@ -157,9 +187,9 @@ public void doBuildListing(SequenceFile.Writer fileListWriter,
             }
             CopyListingFileStatus sourceCopyListingStatus =
               DistCpUtils.toCopyListingFileStatus(sourceFS, sourceStatus,
-                options.shouldPreserve(FileAttribute.ACL) &&
-                sourceStatus.isDirectory(), options.shouldPreserve(
-                    FileAttribute.XATTR) && sourceStatus.isDirectory());
+                  preserveAcls && sourceStatus.isDirectory(),
+                  preserveXAttrs && sourceStatus.isDirectory(),
+                  preserveRawXAttrs && sourceStatus.isDirectory());
             writeToFileListing(fileListWriter, sourceCopyListingStatus,
                 sourcePathRoot, options);
 
@@ -261,6 +291,9 @@ private void traverseNonEmptyDirectory(SequenceFile.Writer fileListWriter,
                                          DistCpOptions options)
                                          throws IOException {
     FileSystem sourceFS = sourcePathRoot.getFileSystem(getConf());
+    final boolean preserveAcls = options.shouldPreserve(FileAttribute.ACL);
+    final boolean preserveXAttrs = options.shouldPreserve(FileAttribute.XATTR);
+    final boolean preserveRawXattrs = options.shouldPreserveRawXattrs();
     Stack<FileStatus> pathStack = new Stack<FileStatus>();
     pathStack.push(sourceStatus);
 
@@ -271,8 +304,9 @@ private void traverseNonEmptyDirectory(SequenceFile.Writer fileListWriter,
                     + sourceStatus.getPath() + " for copy.");
         CopyListingFileStatus childCopyListingStatus =
           DistCpUtils.toCopyListingFileStatus(sourceFS, child,
-            options.shouldPreserve(FileAttribute.ACL) && child.isDirectory(), 
-            options.shouldPreserve(FileAttribute.XATTR) && child.isDirectory());
+            preserveAcls && child.isDirectory(),
+            preserveXAttrs && child.isDirectory(),
+            preserveRawXattrs && child.isDirectory());
         writeToFileListing(fileListWriter, childCopyListingStatus,
              sourcePathRoot, options);
         if (isDirectoryAndNotEmpty(sourceFS, child)) {
diff --git a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/mapred/CopyCommitter.java b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/mapred/CopyCommitter.java
index 4d16445d0ea..197edd91c32 100644
--- a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/mapred/CopyCommitter.java
+++ b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/mapred/CopyCommitter.java
@@ -83,7 +83,9 @@ public void commitJob(JobContext jobContext) throws IOException {
     cleanupTempFiles(jobContext);
 
     String attributes = conf.get(DistCpConstants.CONF_LABEL_PRESERVE_STATUS);
-    if (attributes != null && !attributes.isEmpty()) {
+    final boolean preserveRawXattrs =
+        conf.getBoolean(DistCpConstants.CONF_LABEL_PRESERVE_RAWXATTRS, false);
+    if ((attributes != null && !attributes.isEmpty()) || preserveRawXattrs) {
       preserveFileAttributesForDirectories(conf);
     }
 
@@ -167,6 +169,8 @@ private void preserveFileAttributesForDirectories(Configuration conf) throws IOE
     LOG.info("About to preserve attributes: " + attrSymbols);
 
     EnumSet<FileAttribute> attributes = DistCpUtils.unpackAttributes(attrSymbols);
+    final boolean preserveRawXattrs =
+        conf.getBoolean(DistCpConstants.CONF_LABEL_PRESERVE_RAWXATTRS, false);
 
     Path sourceListing = new Path(conf.get(DistCpConstants.CONF_LABEL_LISTING_FILE_PATH));
     FileSystem clusterFS = sourceListing.getFileSystem(conf);
@@ -194,7 +198,8 @@ private void preserveFileAttributesForDirectories(Configuration conf) throws IOE
         if (targetRoot.equals(targetFile) && syncOrOverwrite) continue;
 
         FileSystem targetFS = targetFile.getFileSystem(conf);
-        DistCpUtils.preserve(targetFS, targetFile, srcFileStatus,  attributes);
+        DistCpUtils.preserve(targetFS, targetFile, srcFileStatus, attributes,
+            preserveRawXattrs);
 
         taskAttemptContext.progress();
         taskAttemptContext.setStatus("Preserving status on directory entries. [" +
diff --git a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/mapred/CopyMapper.java b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/mapred/CopyMapper.java
index 4ee003d9161..ab57127ed78 100644
--- a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/mapred/CopyMapper.java
+++ b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/mapred/CopyMapper.java
@@ -200,6 +200,8 @@ public void map(Text relPath, CopyListingFileStatus sourceFileStatus,
 
     EnumSet<DistCpOptions.FileAttribute> fileAttributes
             = getFileAttributeSettings(context);
+    final boolean preserveRawXattrs = context.getConfiguration().getBoolean(
+        DistCpConstants.CONF_LABEL_PRESERVE_RAWXATTRS, false);
 
     final String description = "Copying " + sourcePath + " to " + target;
     context.setStatus(description);
@@ -211,10 +213,12 @@ public void map(Text relPath, CopyListingFileStatus sourceFileStatus,
       FileSystem sourceFS;
       try {
         sourceFS = sourcePath.getFileSystem(conf);
+        final boolean preserveXAttrs =
+            fileAttributes.contains(FileAttribute.XATTR);
         sourceCurrStatus = DistCpUtils.toCopyListingFileStatus(sourceFS,
           sourceFS.getFileStatus(sourcePath),
           fileAttributes.contains(FileAttribute.ACL), 
-          fileAttributes.contains(FileAttribute.XATTR));
+          preserveXAttrs, preserveRawXattrs);
       } catch (FileNotFoundException e) {
         throw new IOException(new RetriableFileCopyCommand.CopyReadException(e));
       }
@@ -249,8 +253,8 @@ public void map(Text relPath, CopyListingFileStatus sourceFileStatus,
             action, fileAttributes);
       }
 
-      DistCpUtils.preserve(target.getFileSystem(conf), target,
-                           sourceCurrStatus, fileAttributes);
+      DistCpUtils.preserve(target.getFileSystem(conf), target, sourceCurrStatus,
+          fileAttributes, preserveRawXattrs);
     } catch (IOException exception) {
       handleFailures(exception, sourceFileStatus, target, context);
     }
diff --git a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/util/DistCpUtils.java b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/util/DistCpUtils.java
index c7b29a1088d..abd30eee913 100644
--- a/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/util/DistCpUtils.java
+++ b/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/util/DistCpUtils.java
@@ -18,6 +18,7 @@
 
 package org.apache.hadoop.tools.util;
 
+import com.google.common.collect.Maps;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
@@ -25,6 +26,7 @@
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.FileChecksum;
+import org.apache.hadoop.fs.XAttr;
 import org.apache.hadoop.fs.permission.AclEntry;
 import org.apache.hadoop.fs.permission.AclUtil;
 import org.apache.hadoop.fs.permission.FsPermission;
@@ -151,7 +153,7 @@ public static String getRelativePath(Path sourceRootPath, Path childPath) {
    * @return - String containing first letters of each attribute to preserve
    */
   public static String packAttributes(EnumSet<FileAttribute> attributes) {
-    StringBuffer buffer = new StringBuffer(5);
+    StringBuffer buffer = new StringBuffer(FileAttribute.values().length);
     int len = 0;
     for (FileAttribute attribute : attributes) {
       buffer.append(attribute.name().charAt(0));
@@ -186,13 +188,15 @@ public static EnumSet<FileAttribute> unpackAttributes(String attributes) {
    * @param targetFS - File system
    * @param path - Path that needs to preserve original file status
    * @param srcFileStatus - Original file status
-   * @param attributes - Attribute set that need to be preserved
+   * @param attributes - Attribute set that needs to be preserved
+   * @param preserveRawXattrs if true, raw.* xattrs should be preserved
    * @throws IOException - Exception if any (particularly relating to group/owner
    *                       change or any transient error)
    */
   public static void preserve(FileSystem targetFS, Path path,
                               CopyListingFileStatus srcFileStatus,
-                              EnumSet<FileAttribute> attributes) throws IOException {
+                              EnumSet<FileAttribute> attributes,
+                              boolean preserveRawXattrs) throws IOException {
 
     FileStatus targetFileStatus = targetFS.getFileStatus(path);
     String group = targetFileStatus.getGroup();
@@ -214,15 +218,20 @@ public static void preserve(FileSystem targetFS, Path path,
       !srcFileStatus.getPermission().equals(targetFileStatus.getPermission())) {
       targetFS.setPermission(path, srcFileStatus.getPermission());
     }
-    
-    if (attributes.contains(FileAttribute.XATTR)) {
+
+    final boolean preserveXAttrs = attributes.contains(FileAttribute.XATTR);
+    if (preserveXAttrs || preserveRawXattrs) {
+      final String rawNS = XAttr.NameSpace.RAW.name().toLowerCase();
       Map<String, byte[]> srcXAttrs = srcFileStatus.getXAttrs();
       Map<String, byte[]> targetXAttrs = getXAttrs(targetFS, path);
-      if (!srcXAttrs.equals(targetXAttrs)) {
+      if (srcXAttrs != null && !srcXAttrs.equals(targetXAttrs)) {
         Iterator<Entry<String, byte[]>> iter = srcXAttrs.entrySet().iterator();
         while (iter.hasNext()) {
           Entry<String, byte[]> entry = iter.next();
-          targetFS.setXAttr(path, entry.getKey(), entry.getValue());
+          final String xattrName = entry.getKey();
+          if (xattrName.startsWith(rawNS) || preserveXAttrs) {
+            targetFS.setXAttr(path, entry.getKey(), entry.getValue());
+          }
         }
       }
     }
@@ -286,11 +295,12 @@ public static Map<String, byte[]> getXAttrs(FileSystem fileSystem,
    * @param fileStatus FileStatus of file
    * @param preserveAcls boolean true if preserving ACLs
    * @param preserveXAttrs boolean true if preserving XAttrs
+   * @param preserveRawXAttrs boolean true if preserving raw.* XAttrs
    * @throws IOException if there is an I/O error
    */
   public static CopyListingFileStatus toCopyListingFileStatus(
       FileSystem fileSystem, FileStatus fileStatus, boolean preserveAcls, 
-      boolean preserveXAttrs) throws IOException {
+      boolean preserveXAttrs, boolean preserveRawXAttrs) throws IOException {
     CopyListingFileStatus copyListingFileStatus =
       new CopyListingFileStatus(fileStatus);
     if (preserveAcls) {
@@ -301,9 +311,25 @@ public static CopyListingFileStatus toCopyListingFileStatus(
         copyListingFileStatus.setAclEntries(aclEntries);
       }
     }
-    if (preserveXAttrs) {
-      Map<String, byte[]> xAttrs = fileSystem.getXAttrs(fileStatus.getPath());
-      copyListingFileStatus.setXAttrs(xAttrs);
+    if (preserveXAttrs || preserveRawXAttrs) {
+      Map<String, byte[]> srcXAttrs = fileSystem.getXAttrs(fileStatus.getPath());
+      if (preserveXAttrs && preserveRawXAttrs) {
+         copyListingFileStatus.setXAttrs(srcXAttrs);
+      } else {
+        Map<String, byte[]> trgXAttrs = Maps.newHashMap();
+        final String rawNS = XAttr.NameSpace.RAW.name().toLowerCase();
+        for (Map.Entry<String, byte[]> ent : srcXAttrs.entrySet()) {
+          final String xattrName = ent.getKey();
+          if (xattrName.startsWith(rawNS)) {
+            if (preserveRawXAttrs) {
+              trgXAttrs.put(xattrName, ent.getValue());
+            }
+          } else if (preserveXAttrs) {
+            trgXAttrs.put(xattrName, ent.getValue());
+          }
+        }
+        copyListingFileStatus.setXAttrs(trgXAttrs);
+      }
     }
     return copyListingFileStatus;
   }
diff --git a/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestDistCpWithRawXAttrs.java b/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestDistCpWithRawXAttrs.java
new file mode 100644
index 00000000000..5aef51a830e
--- /dev/null
+++ b/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestDistCpWithRawXAttrs.java
@@ -0,0 +1,170 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.tools;
+
+import java.util.Map;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.io.IOUtils;
+import org.apache.hadoop.tools.util.DistCpTestUtils;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Maps;
+
+/**
+ * Tests distcp in combination with HDFS raw.* XAttrs.
+ */
+public class TestDistCpWithRawXAttrs {
+
+  private static MiniDFSCluster cluster;
+  private static Configuration conf;
+  private static FileSystem fs;
+
+  private static final String rawName1 = "raw.a1";
+  private static final byte[] rawValue1 = {0x37, 0x38, 0x39};
+  private static final String userName1 = "user.a1";
+  private static final byte[] userValue1 = {0x38, 0x38, 0x38};
+
+  private static final Path dir1 = new Path("/src/dir1");
+  private static final Path subDir1 = new Path(dir1, "subdir1");
+  private static final Path file1 = new Path("/src/file1");
+  private static final String rawRootName = "/.reserved/raw";
+  private static final String rootedDestName = "/dest";
+  private static final String rootedSrcName = "/src";
+  private static final String rawDestName = "/.reserved/raw/dest";
+  private static final String rawSrcName = "/.reserved/raw/src";
+
+  @BeforeClass
+  public static void init() throws Exception {
+    conf = new Configuration();
+    conf.setBoolean(DFSConfigKeys.DFS_NAMENODE_XATTRS_ENABLED_KEY, true);
+    cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).format(true)
+            .build();
+    cluster.waitActive();
+    fs = cluster.getFileSystem();
+  }
+
+  @AfterClass
+  public static void shutdown() {
+    IOUtils.cleanup(null, fs);
+    if (cluster != null) {
+      cluster.shutdown();
+    }
+  }
+
+  /* Test that XAttrs and raw.* XAttrs are preserved when appropriate. */
+  @Test
+  public void testPreserveRawXAttrs1() throws Exception {
+    final String relSrc = "/./.reserved/../.reserved/raw/../raw/src/../src";
+    final String relDst = "/./.reserved/../.reserved/raw/../raw/dest/../dest";
+    doTestPreserveRawXAttrs(relSrc, relDst, "-px", true, true,
+        DistCpConstants.SUCCESS);
+    doTestPreserveRawXAttrs(rootedSrcName, rootedDestName, "-px",
+        false, true, DistCpConstants.SUCCESS);
+    doTestPreserveRawXAttrs(rootedSrcName, rawDestName, "-px",
+        false, true, DistCpConstants.INVALID_ARGUMENT);
+    doTestPreserveRawXAttrs(rawSrcName, rootedDestName, "-px",
+        false, true, DistCpConstants.INVALID_ARGUMENT);
+    doTestPreserveRawXAttrs(rawSrcName, rawDestName, "-px",
+        true, true, DistCpConstants.SUCCESS);
+    final Path savedWd = fs.getWorkingDirectory();
+    try {
+      fs.setWorkingDirectory(new Path("/.reserved/raw"));
+      doTestPreserveRawXAttrs("../.." + rawSrcName, "../.." + rawDestName,
+              "-px", true, true, DistCpConstants.SUCCESS);
+    } finally {
+      fs.setWorkingDirectory(savedWd);
+    }
+  }
+
+  /* Test that XAttrs are not preserved and raw.* are when appropriate. */
+  @Test
+  public void testPreserveRawXAttrs2() throws Exception {
+    doTestPreserveRawXAttrs(rootedSrcName, rootedDestName, "-p",
+        false, false, DistCpConstants.SUCCESS);
+    doTestPreserveRawXAttrs(rootedSrcName, rawDestName, "-p",
+        false, false, DistCpConstants.INVALID_ARGUMENT);
+    doTestPreserveRawXAttrs(rawSrcName, rootedDestName, "-p",
+        false, false, DistCpConstants.INVALID_ARGUMENT);
+    doTestPreserveRawXAttrs(rawSrcName, rawDestName, "-p",
+        true, false, DistCpConstants.SUCCESS);
+  }
+
+  /* Test that XAttrs are not preserved and raw.* are when appropriate. */
+  @Test
+  public void testPreserveRawXAttrs3() throws Exception {
+    doTestPreserveRawXAttrs(rootedSrcName, rootedDestName, null,
+        false, false, DistCpConstants.SUCCESS);
+    doTestPreserveRawXAttrs(rootedSrcName, rawDestName, null,
+        false, false, DistCpConstants.INVALID_ARGUMENT);
+    doTestPreserveRawXAttrs(rawSrcName, rootedDestName, null,
+        false, false, DistCpConstants.INVALID_ARGUMENT);
+    doTestPreserveRawXAttrs(rawSrcName, rawDestName, null,
+        true, false, DistCpConstants.SUCCESS);
+  }
+
+  private static Path[] pathnames = { new Path("dir1"),
+                                      new Path("dir1/subdir1"),
+                                      new Path("file1") };
+
+  private static void makeFilesAndDirs(FileSystem fs) throws Exception {
+    fs.delete(new Path("/src"), true);
+    fs.delete(new Path("/dest"), true);
+    fs.mkdirs(subDir1);
+    fs.create(file1).close();
+  }
+
+  private void initXAttrs() throws Exception {
+    makeFilesAndDirs(fs);
+    for (Path p : pathnames) {
+      fs.setXAttr(new Path(rawRootName + "/src", p), rawName1, rawValue1);
+      fs.setXAttr(new Path(rawRootName + "/src", p), userName1, userValue1);
+    }
+  }
+
+  private void doTestPreserveRawXAttrs(String src, String dest,
+      String preserveOpts, boolean expectRaw, boolean expectUser,
+      int expectedExitCode) throws Exception {
+    initXAttrs();
+
+    DistCpTestUtils.assertRunDistCp(expectedExitCode, src, dest,
+        preserveOpts, conf);
+
+    if (expectedExitCode == DistCpConstants.SUCCESS) {
+      Map<String, byte[]> xAttrs = Maps.newHashMap();
+      for (Path p : pathnames) {
+        xAttrs.clear();
+        if (expectRaw) {
+          xAttrs.put(rawName1, rawValue1);
+        }
+        if (expectUser) {
+          xAttrs.put(userName1, userValue1);
+        }
+        DistCpTestUtils.assertXAttrs(new Path(dest, p), fs, xAttrs);
+      }
+    }
+  }
+}
diff --git a/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestDistCpWithXAttrs.java b/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestDistCpWithXAttrs.java
index cc13b8fc228..6b0e2b22151 100644
--- a/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestDistCpWithXAttrs.java
+++ b/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestDistCpWithXAttrs.java
@@ -18,13 +18,9 @@
 
 package org.apache.hadoop.tools;
 
-import static org.junit.Assert.*;
-
 import java.io.IOException;
 import java.net.URI;
-import java.util.Iterator;
 import java.util.Map;
-import java.util.Map.Entry;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
@@ -37,8 +33,8 @@
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.io.IOUtils;
+import org.apache.hadoop.tools.util.DistCpTestUtils;
 import org.apache.hadoop.util.Progressable;
-import org.apache.hadoop.util.ToolRunner;
 
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
@@ -79,6 +75,7 @@ public class TestDistCpWithXAttrs {
   private static final Path dstFile2 = new Path(dstDir2, "file2");
   private static final Path dstFile3 = new Path(dstDir2, "file3");
   private static final Path dstFile4 = new Path(dstDir2, "file4");
+  private static final String rootedSrcName = "/src";
 
   @BeforeClass
   public static void init() throws Exception {
@@ -125,55 +122,56 @@ public static void shutdown() {
 
   @Test
   public void testPreserveXAttrs() throws Exception {
-    assertRunDistCp(DistCpConstants.SUCCESS, "/dstPreserveXAttrs");
+    DistCpTestUtils.assertRunDistCp(DistCpConstants.SUCCESS, rootedSrcName,
+        "/dstPreserveXAttrs", "-px", conf);
 
     // dstDir1
     Map<String, byte[]> xAttrs = Maps.newHashMap();
     xAttrs.put(name1, value1);
     xAttrs.put(name2, value2);
-    assertXAttrs(dstDir1, xAttrs);
+    DistCpTestUtils.assertXAttrs(dstDir1, fs, xAttrs);
     
     // dstSubDir1
     xAttrs.clear();
     xAttrs.put(name1, value1);
     xAttrs.put(name3, new byte[0]);
-    assertXAttrs(dstSubDir1, xAttrs);
+    DistCpTestUtils.assertXAttrs(dstSubDir1, fs, xAttrs);
     
     // dstFile1
     xAttrs.clear();
     xAttrs.put(name1, value1);
     xAttrs.put(name2, value2);
     xAttrs.put(name3, new byte[0]);
-    assertXAttrs(dstFile1, xAttrs);
+    DistCpTestUtils.assertXAttrs(dstFile1, fs, xAttrs);
     
     // dstDir2
     xAttrs.clear();
     xAttrs.put(name2, value2);
-    assertXAttrs(dstDir2, xAttrs);
+    DistCpTestUtils.assertXAttrs(dstDir2, fs, xAttrs);
     
     // dstFile2
     xAttrs.clear();
     xAttrs.put(name1, value1);
     xAttrs.put(name4, new byte[0]);
-    assertXAttrs(dstFile2, xAttrs);
+    DistCpTestUtils.assertXAttrs(dstFile2, fs, xAttrs);
     
     // dstFile3
     xAttrs.clear();
     xAttrs.put(name3, new byte[0]);
     xAttrs.put(name4, new byte[0]);
-    assertXAttrs(dstFile3, xAttrs);
+    DistCpTestUtils.assertXAttrs(dstFile3, fs, xAttrs);
     
     // dstFile4
     xAttrs.clear();
-    assertXAttrs(dstFile4, xAttrs);
+    DistCpTestUtils.assertXAttrs(dstFile4, fs, xAttrs);
   }
 
   @Test
   public void testXAttrsNotEnabled() throws Exception {
     try {
       restart(false);
-      assertRunDistCp(DistCpConstants.XATTRS_NOT_SUPPORTED, 
-          "/dstXAttrsNotEnabled");
+      DistCpTestUtils.assertRunDistCp(DistCpConstants.XATTRS_NOT_SUPPORTED,
+          rootedSrcName, "/dstXAttrsNotEnabled", "-px", conf);
     } finally {
       restart(true);
     }
@@ -181,8 +179,8 @@ public void testXAttrsNotEnabled() throws Exception {
 
   @Test
   public void testXAttrsNotImplemented() throws Exception {
-    assertRunDistCp(DistCpConstants.XATTRS_NOT_SUPPORTED,
-        "stubfs://dstXAttrsNotImplemented");
+    DistCpTestUtils.assertRunDistCp(DistCpConstants.XATTRS_NOT_SUPPORTED,
+        rootedSrcName, "stubfs://dstXAttrsNotImplemented", "-px", conf);
   }
 
   /**
@@ -251,45 +249,6 @@ public void setWorkingDirectory(Path dir) {
     }
   }
 
-  /**
-   * Asserts the XAttrs returned by getXAttrs for a specific path.
-   * 
-   * @param path String path to check
-   * @param xAttrs XAttr[] expected xAttrs
-   * @throws Exception if there is any error
-   */
-  private static void assertXAttrs(Path path, Map<String, byte[]> expectedXAttrs)
-      throws Exception {
-    Map<String, byte[]> xAttrs = fs.getXAttrs(path);
-    assertEquals(expectedXAttrs.size(), xAttrs.size());
-    Iterator<Entry<String, byte[]>> i = expectedXAttrs.entrySet().iterator();
-    while (i.hasNext()) {
-      Entry<String, byte[]> e = i.next();
-      String name = e.getKey();
-      byte[] value = e.getValue();
-      if (value == null) {
-        assertTrue(xAttrs.containsKey(name) && xAttrs.get(name) == null);
-      } else {
-        assertArrayEquals(value, xAttrs.get(name));
-      }
-    }
-  }
-
-  /**
-   * Runs distcp from /src to specified destination, preserving XAttrs. Asserts
-   * expected exit code.
-   * 
-   * @param int exitCode expected exit code
-   * @param dst String distcp destination
-   * @throws Exception if there is any error
-   */
-  private static void assertRunDistCp(int exitCode, String dst)
-      throws Exception {
-    DistCp distCp = new DistCp(conf, null);
-    assertEquals(exitCode,
-        ToolRunner.run(conf, distCp, new String[] { "-px", "/src", dst }));
-  }
-
   /**
    * Initialize the cluster, wait for it to become active, and get FileSystem.
    * 
diff --git a/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/util/DistCpTestUtils.java b/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/util/DistCpTestUtils.java
new file mode 100644
index 00000000000..27216381d1b
--- /dev/null
+++ b/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/util/DistCpTestUtils.java
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.tools.util;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+
+import org.apache.hadoop.tools.DistCp;
+import org.apache.hadoop.util.ToolRunner;
+
+/**
+ * Utility class for DistCpTests
+ */
+public class DistCpTestUtils {
+
+   /**
+    * Asserts the XAttrs returned by getXAttrs for a specific path match an
+    * expected set of XAttrs.
+    *
+    * @param path String path to check
+    * @param fs FileSystem to use for the path
+    * @param expectedXAttrs XAttr[] expected xAttrs
+    * @throws Exception if there is any error
+    */
+  public static void assertXAttrs(Path path, FileSystem fs,
+      Map<String, byte[]> expectedXAttrs)
+      throws Exception {
+    Map<String, byte[]> xAttrs = fs.getXAttrs(path);
+    assertEquals(path.toString(), expectedXAttrs.size(), xAttrs.size());
+    Iterator<Entry<String, byte[]>> i = expectedXAttrs.entrySet().iterator();
+    while (i.hasNext()) {
+      Entry<String, byte[]> e = i.next();
+      String name = e.getKey();
+      byte[] value = e.getValue();
+      if (value == null) {
+        assertTrue(xAttrs.containsKey(name) && xAttrs.get(name) == null);
+      } else {
+        assertArrayEquals(value, xAttrs.get(name));
+      }
+    }
+  }
+
+  /**
+   * Runs distcp from src to dst, preserving XAttrs. Asserts the
+   * expected exit code.
+   *
+   * @param exitCode expected exit code
+   * @param src distcp src path
+   * @param dst distcp destination
+   * @param options distcp command line options
+   * @param conf Configuration to use
+   * @throws Exception if there is any error
+   */
+  public static void assertRunDistCp(int exitCode, String src, String dst,
+      String options, Configuration conf)
+      throws Exception {
+    DistCp distCp = new DistCp(conf, null);
+    String[] optsArr = options == null ?
+        new String[] { src, dst } :
+        new String[] { options, src, dst };
+    assertEquals(exitCode,
+        ToolRunner.run(conf, distCp, optsArr));
+  }
+}
diff --git a/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/util/TestDistCpUtils.java b/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/util/TestDistCpUtils.java
index 4825e15cee2..c4b64b9dffd 100644
--- a/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/util/TestDistCpUtils.java
+++ b/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/util/TestDistCpUtils.java
@@ -114,14 +114,14 @@ public void testPreserve() {
       fs.setPermission(path, noPerm);
       fs.setOwner(path, "nobody", "nobody");
 
-      DistCpUtils.preserve(fs, path, srcStatus, attributes);
+      DistCpUtils.preserve(fs, path, srcStatus, attributes, false);
       FileStatus target = fs.getFileStatus(path);
       Assert.assertEquals(target.getPermission(), noPerm);
       Assert.assertEquals(target.getOwner(), "nobody");
       Assert.assertEquals(target.getGroup(), "nobody");
 
       attributes.add(FileAttribute.PERMISSION);
-      DistCpUtils.preserve(fs, path, srcStatus, attributes);
+      DistCpUtils.preserve(fs, path, srcStatus, attributes, false);
       target = fs.getFileStatus(path);
       Assert.assertEquals(target.getPermission(), srcStatus.getPermission());
       Assert.assertEquals(target.getOwner(), "nobody");
@@ -129,7 +129,7 @@ public void testPreserve() {
 
       attributes.add(FileAttribute.GROUP);
       attributes.add(FileAttribute.USER);
-      DistCpUtils.preserve(fs, path, srcStatus, attributes);
+      DistCpUtils.preserve(fs, path, srcStatus, attributes, false);
       target = fs.getFileStatus(path);
       Assert.assertEquals(target.getPermission(), srcStatus.getPermission());
       Assert.assertEquals(target.getOwner(), srcStatus.getOwner());

From 17e43657561638a37a326b946ce312e018bc5662 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 8 Aug 2014 01:37:59 +0000
Subject: [PATCH 156/354] Revert HADOOP-10876.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616658 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  3 ---
 .../main/java/org/apache/hadoop/fs/Path.java  | 16 +------------
 .../java/org/apache/hadoop/fs/TestPath.java   | 24 -------------------
 3 files changed, 1 insertion(+), 42 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 5b877e6078f..c981a28e58b 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -521,9 +521,6 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10830. Missing lock in JavaKeyStoreProvider.createCredentialEntry.
     (Benoy Antony via umamahesh)
 
-    HADOOP-10876. The constructor of Path should not take an empty URL as a
-    parameter. (Zhihai Xu via wang)
-
     HADOOP-10928. Incorrect usage on `hadoop credential list`.
     (Josh Elser via wang)
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Path.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Path.java
index 0e8db1df11e..54ddedaff1d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Path.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Path.java
@@ -128,20 +128,7 @@ private void checkPathArg( String path ) throws IllegalArgumentException {
            "Can not create a Path from an empty string");
     }   
   }
-
-  /** check URI parameter of Path constructor. */
-  private void checkPathArg(URI aUri) throws IllegalArgumentException {
-    // disallow construction of a Path from an empty URI
-    if (aUri == null) {
-      throw new IllegalArgumentException(
-          "Can not create a Path from a null URI");
-    }
-    if (aUri.toString().isEmpty()) {
-      throw new IllegalArgumentException(
-          "Can not create a Path from an empty URI");
-    }
-  }
-
+  
   /** Construct a path from a String.  Path strings are URIs, but with
    * unescaped elements and some additional normalization. */
   public Path(String pathString) throws IllegalArgumentException {
@@ -189,7 +176,6 @@ public Path(String pathString) throws IllegalArgumentException {
    * Construct a path from a URI
    */
   public Path(URI aUri) {
-    checkPathArg(aUri);
     uri = aUri.normalize();
   }
   
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestPath.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestPath.java
index 54d25c995bd..94908da7a38 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestPath.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestPath.java
@@ -26,13 +26,11 @@
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.io.AvroTestUtil;
-import org.apache.hadoop.test.GenericTestUtils;
 import org.apache.hadoop.util.Shell;
 
 import com.google.common.base.Joiner;
 
 import junit.framework.TestCase;
-import static org.junit.Assert.fail;
 
 public class TestPath extends TestCase {
   /**
@@ -307,28 +305,6 @@ public void testURI() throws URISyntaxException, IOException {
     // if the child uri is absolute path
     assertEquals("foo://bar/fud#boo", new Path(new Path(new URI(
         "foo://bar/baz#bud")), new Path(new URI("/fud#boo"))).toString());
-
-    // empty URI
-    URI uri3 = new URI("");
-    assertEquals("", uri3.toString());
-    try {
-      path = new Path(uri3);
-      fail("Expected exception for empty URI");
-    } catch (IllegalArgumentException e) {
-      // expect to receive an IllegalArgumentException
-      GenericTestUtils.assertExceptionContains("Can not create a Path"
-          + " from an empty URI", e);
-    }
-    // null URI
-    uri3 = null;
-    try {
-      path = new Path(uri3);
-      fail("Expected exception for null URI");
-    } catch (IllegalArgumentException e) {
-      // expect to receive an IllegalArgumentException
-      GenericTestUtils.assertExceptionContains("Can not create a Path"
-          + " from a null URI", e);
-    }
   }
 
   /** Test URIs created from Path objects */

From 2ac640ec751f665365d548104b3713e414f53351 Mon Sep 17 00:00:00 2001
From: Haohui Mai <wheat9@apache.org>
Date: Fri, 8 Aug 2014 04:27:47 +0000
Subject: [PATCH 157/354] HDFS-6722. Display readable last contact time for
 dead nodes on NN webUI. Contributed by Ming Ma.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616669 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ++
 .../src/main/webapps/hdfs/dfshealth.html      |  2 +-
 .../src/main/webapps/hdfs/dfshealth.js        | 11 ++++-
 .../server/namenode/TestNameNodeMXBean.java   | 45 +++++++++++++++++--
 4 files changed, 56 insertions(+), 5 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 42ce130ae7a..3b179032457 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -376,6 +376,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6740. Make FSDataset support adding data volumes dynamically. (Lei
     Xu via atm)
 
+    HDFS-6722. Display readable last contact time for dead nodes on NN webUI.
+    (Ming Ma via wheat9)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
index 25895261982..02858f18265 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
@@ -281,7 +281,7 @@
   {#DeadNodes}
   <tr class="danger">
     <td>{name} ({xferaddr})</td>
-    <td>{lastContact}</td>
+    <td>{#helper_lastcontact_tostring value="{lastContact}"/}</td>
     <td>Dead{?decommissioned}, Decommissioned{/decommissioned}</td>
     <td>-</td>
     <td>-</td>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.js b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.js
index 04d3922b1f2..e63c279b936 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.js
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.js
@@ -139,6 +139,14 @@
   }
 
   function load_datanode_info() {
+
+    var HELPERS = {
+      'helper_lastcontact_tostring' : function (chunk, ctx, bodies, params) {
+        var value = dust.helpers.tap(params.value, chunk, ctx);
+        return chunk.write('' + new Date(Date.now()-1000*Number(value)));
+      }
+    };
+
     function workaround(r) {
       function node_map_to_array(nodes) {
         var res = [];
@@ -160,7 +168,8 @@
       '/jmx?qry=Hadoop:service=NameNode,name=NameNodeInfo',
       guard_with_startup_progress(function (resp) {
         var data = workaround(resp.beans[0]);
-        dust.render('datanode-info', data, function(err, out) {
+        var base = dust.makeBase(HELPERS);
+        dust.render('datanode-info', base.push(data), function(err, out) {
           $('#tab-datanode').html(out);
           $('#ui-tabs a[href="#tab-datanode"]').tab('show');
         });
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNameNodeMXBean.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNameNodeMXBean.java
index d459d30dc55..4e078549b44 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNameNodeMXBean.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNameNodeMXBean.java
@@ -30,9 +30,13 @@
 import javax.management.ObjectName;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.DFSTestUtil;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.server.datanode.DataNode;
 import org.apache.hadoop.io.nativeio.NativeIO;
 import org.apache.hadoop.io.nativeio.NativeIO.POSIX.NoMlockCacheManipulator;
 import org.apache.hadoop.util.VersionInfo;
@@ -58,11 +62,14 @@ public class TestNameNodeMXBean {
   public void testNameNodeMXBeanInfo() throws Exception {
     Configuration conf = new Configuration();
     conf.setLong(DFSConfigKeys.DFS_DATANODE_MAX_LOCKED_MEMORY_KEY,
-      NativeIO.POSIX.getCacheManipulator().getMemlockLimit());
+        NativeIO.POSIX.getCacheManipulator().getMemlockLimit());
+    conf.setInt(DFSConfigKeys.DFS_HEARTBEAT_INTERVAL_KEY, 1);
+    conf.setInt(DFSConfigKeys.DFS_NAMENODE_HEARTBEAT_RECHECK_INTERVAL_KEY, 1);
+
     MiniDFSCluster cluster = null;
 
     try {
-      cluster = new MiniDFSCluster.Builder(conf).build();
+      cluster = new MiniDFSCluster.Builder(conf).numDataNodes(3).build();
       cluster.waitActive();
 
       FSNamesystem fsn = cluster.getNameNode().namesystem;
@@ -70,6 +77,29 @@ public void testNameNodeMXBeanInfo() throws Exception {
       MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
       ObjectName mxbeanName = new ObjectName(
           "Hadoop:service=NameNode,name=NameNodeInfo");
+
+      // Define include file to generate deadNodes metrics
+      FileSystem localFileSys = FileSystem.getLocal(conf);
+      Path workingDir = localFileSys.getWorkingDirectory();
+      Path dir = new Path(workingDir,
+          "build/test/data/temp/TestNameNodeMXBean");
+      Path includeFile = new Path(dir, "include");
+      assertTrue(localFileSys.mkdirs(dir));
+      StringBuilder includeHosts = new StringBuilder();
+      for(DataNode dn : cluster.getDataNodes()) {
+        includeHosts.append(dn.getDisplayName()).append("\n");
+      }
+      DFSTestUtil.writeFile(localFileSys, includeFile, includeHosts.toString());
+      conf.set(DFSConfigKeys.DFS_HOSTS, includeFile.toUri().getPath());
+      fsn.getBlockManager().getDatanodeManager().refreshNodes(conf);
+
+      cluster.stopDataNode(0);
+      while (fsn.getNumDatanodesInService() != 2) {
+        try {
+          Thread.sleep(1000);
+        } catch (InterruptedException e) {}
+      }
+
       // get attribute "ClusterId"
       String clusterId = (String) mbs.getAttribute(mxbeanName, "ClusterId");
       assertEquals(fsn.getClusterId(), clusterId);
@@ -121,6 +151,15 @@ public void testNameNodeMXBeanInfo() throws Exception {
       String deadnodeinfo = (String) (mbs.getAttribute(mxbeanName,
           "DeadNodes"));
       assertEquals(fsn.getDeadNodes(), deadnodeinfo);
+      Map<String, Map<String, Object>> deadNodes =
+          (Map<String, Map<String, Object>>) JSON.parse(deadnodeinfo);
+      assertTrue(deadNodes.size() > 0);
+      for (Map<String, Object> deadNode : deadNodes.values()) {
+        assertTrue(deadNode.containsKey("lastContact"));
+        assertTrue(deadNode.containsKey("decommissioned"));
+        assertTrue(deadNode.containsKey("xferaddr"));
+      }
+
       // get attribute NodeUsage
       String nodeUsage = (String) (mbs.getAttribute(mxbeanName,
           "NodeUsage"));
@@ -181,7 +220,7 @@ public void testNameNodeMXBeanInfo() throws Exception {
       assertEquals(1, statusMap.get("active").size());
       assertEquals(1, statusMap.get("failed").size());
       assertEquals(0L, mbs.getAttribute(mxbeanName, "CacheUsed"));
-      assertEquals(NativeIO.POSIX.getCacheManipulator().getMemlockLimit() * 
+      assertEquals(NativeIO.POSIX.getCacheManipulator().getMemlockLimit() *
           cluster.getDataNodes().size(),
               mbs.getAttribute(mxbeanName, "CacheCapacity"));
     } finally {

From 4e7c4a6e1fd00767d966cd2482a364b2eacbd35b Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Fri, 8 Aug 2014 04:55:38 +0000
Subject: [PATCH 158/354] HADOOP-10771. Refactor HTTP delegation support out of
 httpfs to common, PART 1. (tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616671 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  2 +
 .../DelegationTokenAuthenticationFilter.java  |  0
 .../DelegationTokenAuthenticationHandler.java |  0
 .../web/DelegationTokenAuthenticator.java     |  0
 .../web}/DelegationTokenIdentifier.java       |  0
 .../web/DelegationTokenManager.java           |  0
 .../PseudoDelegationTokenAuthenticator.java   |  0
 ...onTokenAuthenticationHandlerWithMocks.java |  0
 .../web/TestDelegationTokenManager.java       |  0
 .../lib/service/DelegationTokenManager.java   | 78 ---------------
 .../DelegationTokenManagerException.java      | 51 ----------
 .../http/server/TestHttpFSCustomUserName.java | 94 -------------------
 12 files changed, 2 insertions(+), 223 deletions(-)
 rename hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java => hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java (100%)
 rename hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSKerberosAuthenticationHandler.java => hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java (100%)
 rename hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSKerberosAuthenticator.java => hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java (100%)
 rename {hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service => hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web}/DelegationTokenIdentifier.java (100%)
 rename hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/security/DelegationTokenManagerService.java => hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java (100%)
 rename hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSPseudoAuthenticator.java => hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticator.java (100%)
 rename hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSKerberosAuthenticationHandler.java => hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java (100%)
 rename hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/service/security/TestDelegationTokenManagerService.java => hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenManager.java (100%)
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenManager.java
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenManagerException.java
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSCustomUserName.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index c981a28e58b..84a35228e9f 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -490,6 +490,8 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10791. AuthenticationFilter should support externalizing the 
     secret for signing and provide rotation support. (rkanter via tucu)
 
+    HADOOP-10771. Refactor HTTP delegation support out of httpfs to common, PART 1. (tucu)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
similarity index 100%
rename from hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java
rename to hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSKerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
similarity index 100%
rename from hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSKerberosAuthenticationHandler.java
rename to hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSKerberosAuthenticator.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
similarity index 100%
rename from hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSKerberosAuthenticator.java
rename to hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenIdentifier.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenIdentifier.java
similarity index 100%
rename from hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenIdentifier.java
rename to hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenIdentifier.java
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/security/DelegationTokenManagerService.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java
similarity index 100%
rename from hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/security/DelegationTokenManagerService.java
rename to hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSPseudoAuthenticator.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticator.java
similarity index 100%
rename from hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSPseudoAuthenticator.java
rename to hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticator.java
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSKerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java
similarity index 100%
rename from hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSKerberosAuthenticationHandler.java
rename to hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/service/security/TestDelegationTokenManagerService.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenManager.java
similarity index 100%
rename from hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/service/security/TestDelegationTokenManagerService.java
rename to hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenManager.java
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenManager.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenManager.java
deleted file mode 100644
index a163baf16ca..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenManager.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.lib.service;
-
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.token.Token;
-
-/**
- * Service interface to manage HttpFS delegation tokens.
- */
-@InterfaceAudience.Private
-public interface DelegationTokenManager {
-
-  /**
-   * Creates a delegation token.
-   *
-   * @param ugi UGI creating the token.
-   * @param renewer token renewer.
-   * @return new delegation token.
-   * @throws DelegationTokenManagerException thrown if the token could not be
-   * created.
-   */
-  public Token<DelegationTokenIdentifier> createToken(UserGroupInformation ugi,
-                                                      String renewer)
-    throws DelegationTokenManagerException;
-
-  /**
-   * Renews a delegation token.
-   *
-   * @param token delegation token to renew.
-   * @param renewer token renewer.
-   * @return epoc expiration time.
-   * @throws DelegationTokenManagerException thrown if the token could not be
-   * renewed.
-   */
-  public long renewToken(Token<DelegationTokenIdentifier> token, String renewer)
-    throws DelegationTokenManagerException;
-
-  /**
-   * Cancels a delegation token.
-   *
-   * @param token delegation token to cancel.
-   * @param canceler token canceler.
-   * @throws DelegationTokenManagerException thrown if the token could not be
-   * canceled.
-   */
-  public void cancelToken(Token<DelegationTokenIdentifier> token,
-                          String canceler)
-    throws DelegationTokenManagerException;
-
-  /**
-   * Verifies a delegation token.
-   *
-   * @param token delegation token to verify.
-   * @return the UGI for the token.
-   * @throws DelegationTokenManagerException thrown if the token could not be
-   * verified.
-   */
-  public UserGroupInformation verifyToken(Token<DelegationTokenIdentifier> token)
-    throws DelegationTokenManagerException;
-
-}
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenManagerException.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenManagerException.java
deleted file mode 100644
index 62ec2f920bc..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenManagerException.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.lib.service;
-
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.lib.lang.XException;
-
-/**
- * Exception thrown by the {@link DelegationTokenManager} service implementation.
- */
-@InterfaceAudience.Private
-public class DelegationTokenManagerException extends XException {
-
-  public enum ERROR implements XException.ERROR {
-    DT01("Could not verify delegation token, {0}"),
-    DT02("Could not renew delegation token, {0}"),
-    DT03("Could not cancel delegation token, {0}"),
-    DT04("Could not create delegation token, {0}");
-
-    private String template;
-
-    ERROR(String template) {
-      this.template = template;
-    }
-
-    @Override
-    public String getTemplate() {
-      return template;
-    }
-  }
-
-  public DelegationTokenManagerException(ERROR error, Object... params) {
-    super(error, params);
-  }
-
-}
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSCustomUserName.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSCustomUserName.java
deleted file mode 100644
index e8407fc30cd..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSCustomUserName.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.fs.http.server;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.fs.http.client.HttpFSKerberosAuthenticator;
-import org.apache.hadoop.lib.server.Service;
-import org.apache.hadoop.lib.server.ServiceException;
-import org.apache.hadoop.lib.service.Groups;
-import org.apache.hadoop.lib.wsrs.UserProvider;
-import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
-import org.apache.hadoop.security.authentication.util.Signer;
-import org.apache.hadoop.test.HFSTestCase;
-import org.apache.hadoop.test.HadoopUsersConfTestHelper;
-import org.apache.hadoop.test.TestDir;
-import org.apache.hadoop.test.TestDirHelper;
-import org.apache.hadoop.test.TestHdfs;
-import org.apache.hadoop.test.TestHdfsHelper;
-import org.apache.hadoop.test.TestJetty;
-import org.apache.hadoop.test.TestJettyHelper;
-import org.json.simple.JSONObject;
-import org.json.simple.parser.JSONParser;
-import org.junit.Assert;
-import org.junit.Test;
-import org.mortbay.jetty.Server;
-import org.mortbay.jetty.webapp.WebAppContext;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.OutputStream;
-import java.io.Writer;
-import java.net.HttpURLConnection;
-import java.net.URL;
-import java.text.MessageFormat;
-import java.util.Arrays;
-import java.util.List;
-
-public class TestHttpFSCustomUserName extends HFSTestCase {
-
-  @Test
-  @TestDir
-  @TestJetty
-  public void defaultUserName() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-
-    Configuration httpfsConf = new Configuration(false);
-    HttpFSServerWebApp server = 
-      new HttpFSServerWebApp(dir, dir, dir, dir, httpfsConf);
-    server.init();
-    Assert.assertEquals(UserProvider.USER_PATTERN_DEFAULT, 
-      UserProvider.getUserPattern().pattern());
-    server.destroy();
-  }
-
-  @Test
-  @TestDir
-  @TestJetty
-  public void customUserName() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-
-    Configuration httpfsConf = new Configuration(false);
-    httpfsConf.set(UserProvider.USER_PATTERN_KEY, "1");
-    HttpFSServerWebApp server =
-      new HttpFSServerWebApp(dir, dir, dir, dir, httpfsConf);
-    server.init();
-    Assert.assertEquals("1", UserProvider.getUserPattern().pattern());
-    server.destroy();
-  }
-
-}

From be9c67930b57c516723d566625f9036a88a84055 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Fri, 8 Aug 2014 04:58:58 +0000
Subject: [PATCH 159/354] HADOOP-10771. Refactor HTTP delegation support out of
 httpfs to common, PART 2. (tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616672 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-auth/pom.xml     |   9 +
 .../client/AuthenticatedURL.java              |  36 +-
 .../server/KerberosAuthenticationHandler.java |  21 +-
 .../server/PseudoAuthenticationHandler.java   |  21 +-
 .../client/TestAuthenticatedURL.java          |  38 +-
 hadoop-common-project/hadoop-common/pom.xml   |  11 +
 .../web/DelegationTokenAuthenticatedURL.java  | 330 ++++++++
 .../DelegationTokenAuthenticationFilter.java  | 115 +--
 .../DelegationTokenAuthenticationHandler.java | 345 ++++++---
 .../web/DelegationTokenAuthenticator.java     | 246 +++---
 .../web/DelegationTokenIdentifier.java        |  17 +-
 .../web/DelegationTokenManager.java           | 299 +++----
 ...sDelegationTokenAuthenticationHandler.java |  54 ++
 .../KerberosDelegationTokenAuthenticator.java |  46 ++
 ...oDelegationTokenAuthenticationHandler.java |  55 ++
 .../PseudoDelegationTokenAuthenticator.java   |  43 +-
 .../token/delegation/web/ServletUtils.java    |  59 ++
 ...onTokenAuthenticationHandlerWithMocks.java | 346 +++++----
 .../web/TestDelegationTokenManager.java       |  58 +-
 .../web/TestWebDelegationToken.java           | 727 ++++++++++++++++++
 .../fs/http/client/HttpFSFileSystem.java      | 127 +--
 .../server/HttpFSAuthenticationFilter.java    |  94 +++
 .../src/main/resources/httpfs-default.xml     |   9 -
 ...rberosAuthenticationHandlerForTesting.java |   6 +-
 .../fs/http/server/TestHttpFSServer.java      |   9 +-
 .../http/server/TestHttpFSWithKerberos.java   |   6 +-
 hadoop-project/pom.xml                        |   6 +
 27 files changed, 2313 insertions(+), 820 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/KerberosDelegationTokenAuthenticationHandler.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/KerberosDelegationTokenAuthenticator.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticationHandler.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/ServletUtils.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java

diff --git a/hadoop-common-project/hadoop-auth/pom.xml b/hadoop-common-project/hadoop-auth/pom.xml
index b3f83e34d66..2ff51d6ffee 100644
--- a/hadoop-common-project/hadoop-auth/pom.xml
+++ b/hadoop-common-project/hadoop-auth/pom.xml
@@ -144,6 +144,15 @@
         <artifactId>maven-jar-plugin</artifactId>
         <executions>
           <execution>
+            <id>prepare-jar</id>
+            <phase>prepare-package</phase>
+            <goals>
+              <goal>jar</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>prepare-test-jar</id>
+            <phase>prepare-package</phase>
             <goals>
               <goal>test-jar</goal>
             </goals>
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/AuthenticatedURL.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/AuthenticatedURL.java
index a43a7c9f9c6..cee951f8153 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/AuthenticatedURL.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/AuthenticatedURL.java
@@ -120,32 +120,6 @@ public String toString() {
       return token;
     }
 
-    /**
-     * Return the hashcode for the token.
-     *
-     * @return the hashcode for the token.
-     */
-    @Override
-    public int hashCode() {
-      return (token != null) ? token.hashCode() : 0;
-    }
-
-    /**
-     * Return if two token instances are equal.
-     *
-     * @param o the other token instance.
-     *
-     * @return if this instance and the other instance are equal.
-     */
-    @Override
-    public boolean equals(Object o) {
-      boolean eq = false;
-      if (o instanceof Token) {
-        Token other = (Token) o;
-        eq = (token == null && other.token == null) || (token != null && this.token.equals(other.token));
-      }
-      return eq;
-    }
   }
 
   private static Class<? extends Authenticator> DEFAULT_AUTHENTICATOR = KerberosAuthenticator.class;
@@ -208,6 +182,16 @@ public AuthenticatedURL(Authenticator authenticator,
     this.authenticator.setConnectionConfigurator(connConfigurator);
   }
 
+  /**
+   * Returns the {@link Authenticator} instance used by the
+   * <code>AuthenticatedURL</code>.
+   *
+   * @return the {@link Authenticator} instance
+   */
+  protected Authenticator getAuthenticator() {
+    return authenticator;
+  }
+
   /**
    * Returns an authenticated {@link HttpURLConnection}.
    *
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
index 48273905429..98524608b40 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
@@ -142,11 +142,30 @@ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
    */
   public static final String NAME_RULES = TYPE + ".name.rules";
 
+  private String type;
   private String keytab;
   private GSSManager gssManager;
   private Subject serverSubject = new Subject();
   private List<LoginContext> loginContexts = new ArrayList<LoginContext>();
 
+  /**
+   * Creates a Kerberos SPNEGO authentication handler with the default
+   * auth-token type, <code>kerberos</code>.
+   */
+  public KerberosAuthenticationHandler() {
+    this(TYPE);
+  }
+
+  /**
+   * Creates a Kerberos SPNEGO authentication handler with a custom auth-token
+   * type.
+   *
+   * @param type auth-token type.
+   */
+  public KerberosAuthenticationHandler(String type) {
+    this.type = type;
+  }
+
   /**
    * Initializes the authentication handler instance.
    * <p/>
@@ -249,7 +268,7 @@ public void destroy() {
    */
   @Override
   public String getType() {
-    return TYPE;
+    return type;
   }
 
   /**
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java
index 235081b9618..0b329e04ce3 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java
@@ -55,6 +55,25 @@ public class PseudoAuthenticationHandler implements AuthenticationHandler {
 
   private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
   private boolean acceptAnonymous;
+  private String type;
+
+  /**
+   * Creates a Hadoop pseudo authentication handler with the default auth-token
+   * type, <code>simple</code>.
+   */
+  public PseudoAuthenticationHandler() {
+    this(TYPE);
+  }
+
+  /**
+   * Creates a Hadoop pseudo authentication handler with a custom auth-token
+   * type.
+   *
+   * @param type auth-token type.
+   */
+  public PseudoAuthenticationHandler(String type) {
+    this.type = type;
+  }
 
   /**
    * Initializes the authentication handler instance.
@@ -96,7 +115,7 @@ public void destroy() {
    */
   @Override
   public String getType() {
-    return TYPE;
+    return type;
   }
 
   /**
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestAuthenticatedURL.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestAuthenticatedURL.java
index 5be0b382f2f..b56fc65b25b 100644
--- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestAuthenticatedURL.java
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestAuthenticatedURL.java
@@ -33,36 +33,6 @@ public void testToken() throws Exception {
     token = new AuthenticatedURL.Token("foo");
     Assert.assertTrue(token.isSet());
     Assert.assertEquals("foo", token.toString());
-
-    AuthenticatedURL.Token token1 = new AuthenticatedURL.Token();
-    AuthenticatedURL.Token token2 = new AuthenticatedURL.Token();
-    Assert.assertEquals(token1.hashCode(), token2.hashCode());
-    Assert.assertTrue(token1.equals(token2));
-
-    token1 = new AuthenticatedURL.Token();
-    token2 = new AuthenticatedURL.Token("foo");
-    Assert.assertNotSame(token1.hashCode(), token2.hashCode());
-    Assert.assertFalse(token1.equals(token2));
-
-    token1 = new AuthenticatedURL.Token("foo");
-    token2 = new AuthenticatedURL.Token();
-    Assert.assertNotSame(token1.hashCode(), token2.hashCode());
-    Assert.assertFalse(token1.equals(token2));
-
-    token1 = new AuthenticatedURL.Token("foo");
-    token2 = new AuthenticatedURL.Token("foo");
-    Assert.assertEquals(token1.hashCode(), token2.hashCode());
-    Assert.assertTrue(token1.equals(token2));
-
-    token1 = new AuthenticatedURL.Token("bar");
-    token2 = new AuthenticatedURL.Token("foo");
-    Assert.assertNotSame(token1.hashCode(), token2.hashCode());
-    Assert.assertFalse(token1.equals(token2));
-
-    token1 = new AuthenticatedURL.Token("foo");
-    token2 = new AuthenticatedURL.Token("bar");
-    Assert.assertNotSame(token1.hashCode(), token2.hashCode());
-    Assert.assertFalse(token1.equals(token2));
   }
 
   @Test
@@ -137,4 +107,12 @@ public void testConnectionConfigurator() throws Exception {
     Mockito.verify(connConf).configure(Mockito.<HttpURLConnection>any());
   }
 
+  @Test
+  public void testGetAuthenticator() throws Exception {
+    Authenticator authenticator = Mockito.mock(Authenticator.class);
+
+    AuthenticatedURL aURL = new AuthenticatedURL(authenticator);
+    Assert.assertEquals(authenticator, aURL.getAuthenticator());
+  }
+
 }
diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml
index c48bb8e3f15..fe8aba1b1ab 100644
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@@ -203,6 +203,17 @@
       <artifactId>hadoop-auth</artifactId>
       <scope>compile</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-auth</artifactId>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-minikdc</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>com.jcraft</groupId>
       <artifactId>jsch</artifactId>
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java
new file mode 100644
index 00000000000..ca2476f33ac
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java
@@ -0,0 +1,330 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.token.delegation.web;
+
+import com.google.common.base.Preconditions;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.Credentials;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
+import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.InetSocketAddress;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * The <code>DelegationTokenAuthenticatedURL</code> is a
+ * {@link AuthenticatedURL} sub-class with built-in Hadoop Delegation Token
+ * functionality.
+ * <p/>
+ * The authentication mechanisms supported by default are Hadoop Simple
+ * authentication (also known as pseudo authentication) and Kerberos SPNEGO
+ * authentication.
+ * <p/>
+ * Additional authentication mechanisms can be supported via {@link
+ * DelegationTokenAuthenticator} implementations.
+ * <p/>
+ * The default {@link DelegationTokenAuthenticator} is the {@link
+ * KerberosDelegationTokenAuthenticator} class which supports
+ * automatic fallback from Kerberos SPNEGO to Hadoop Simple authentication via
+ * the {@link PseudoDelegationTokenAuthenticator} class.
+ * <p/>
+ * <code>AuthenticatedURL</code> instances are not thread-safe.
+ */
+@InterfaceAudience.Public
+@InterfaceStability.Unstable
+public class DelegationTokenAuthenticatedURL extends AuthenticatedURL {
+
+  /**
+   * Client side authentication token that handles Delegation Tokens.
+   */
+  @InterfaceAudience.Public
+  @InterfaceStability.Unstable
+  public static class Token extends AuthenticatedURL.Token {
+    private
+    org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier>
+        delegationToken;
+
+    org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier>
+    getDelegationToken() {
+      return delegationToken;
+    }
+
+  }
+
+  private static Class<? extends DelegationTokenAuthenticator>
+      DEFAULT_AUTHENTICATOR = KerberosDelegationTokenAuthenticator.class;
+
+  /**
+   * Sets the default {@link DelegationTokenAuthenticator} class to use when an
+   * {@link DelegationTokenAuthenticatedURL} instance is created without
+   * specifying one.
+   *
+   * The default class is {@link KerberosDelegationTokenAuthenticator}
+   *
+   * @param authenticator the authenticator class to use as default.
+   */
+  public static void setDefaultDelegationTokenAuthenticator(
+      Class<? extends DelegationTokenAuthenticator> authenticator) {
+    DEFAULT_AUTHENTICATOR = authenticator;
+  }
+
+  /**
+   * Returns the default {@link DelegationTokenAuthenticator} class to use when
+   * an {@link DelegationTokenAuthenticatedURL} instance is created without
+   * specifying one.
+   * <p/>
+   * The default class is {@link KerberosDelegationTokenAuthenticator}
+   *
+   * @return the delegation token authenticator class to use as default.
+   */
+  public static Class<? extends DelegationTokenAuthenticator>
+      getDefaultDelegationTokenAuthenticator() {
+    return DEFAULT_AUTHENTICATOR;
+  }
+
+  private static DelegationTokenAuthenticator
+      obtainDelegationTokenAuthenticator(DelegationTokenAuthenticator dta) {
+    try {
+      return (dta != null) ? dta : DEFAULT_AUTHENTICATOR.newInstance();
+    } catch (Exception ex) {
+      throw new IllegalArgumentException(ex);
+    }
+  }
+
+  /**
+   * Creates an <code>DelegationTokenAuthenticatedURL</code>.
+   * <p/>
+   * An instance of the default {@link DelegationTokenAuthenticator} will be
+   * used.
+   */
+  public DelegationTokenAuthenticatedURL() {
+    this(null, null);
+  }
+
+  /**
+   * Creates an <code>DelegationTokenAuthenticatedURL</code>.
+   *
+   * @param authenticator the {@link DelegationTokenAuthenticator} instance to
+   * use, if <code>null</code> the default one will be used.
+   */
+  public DelegationTokenAuthenticatedURL(
+      DelegationTokenAuthenticator authenticator) {
+    this(authenticator, null);
+  }
+
+  /**
+   * Creates an <code>DelegationTokenAuthenticatedURL</code> using the default
+   * {@link DelegationTokenAuthenticator} class.
+   *
+   * @param connConfigurator a connection configurator.
+   */
+  public DelegationTokenAuthenticatedURL(
+      ConnectionConfigurator connConfigurator) {
+    this(null, connConfigurator);
+  }
+
+  /**
+   * Creates an <code>DelegationTokenAuthenticatedURL</code>.
+   *
+   * @param authenticator the {@link DelegationTokenAuthenticator} instance to
+   * use, if <code>null</code> the default one will be used.
+   * @param connConfigurator a connection configurator.
+   */
+  public DelegationTokenAuthenticatedURL(
+      DelegationTokenAuthenticator authenticator,
+      ConnectionConfigurator connConfigurator) {
+    super(obtainDelegationTokenAuthenticator(authenticator), connConfigurator);
+  }
+
+  /**
+   * Returns an authenticated {@link HttpURLConnection}, it uses a Delegation
+   * Token only if the given auth token is an instance of {@link Token} and
+   * it contains a Delegation Token, otherwise use the configured
+   * {@link DelegationTokenAuthenticator} to authenticate the connection.
+   *
+   * @param url the URL to connect to. Only HTTP/S URLs are supported.
+   * @param token the authentication token being used for the user.
+   * @return an authenticated {@link HttpURLConnection}.
+   * @throws IOException if an IO error occurred.
+   * @throws AuthenticationException if an authentication exception occurred.
+   */
+  @Override
+  public HttpURLConnection openConnection(URL url, AuthenticatedURL.Token token)
+      throws IOException, AuthenticationException {
+    return (token instanceof Token) ? openConnection(url, (Token) token)
+                                    : super.openConnection(url ,token);
+  }
+
+  /**
+   * Returns an authenticated {@link HttpURLConnection}. If the Delegation
+   * Token is present, it will be used taking precedence over the configured
+   * <code>Authenticator</code>.
+   *
+   * @param url the URL to connect to. Only HTTP/S URLs are supported.
+   * @param token the authentication token being used for the user.
+   * @return an authenticated {@link HttpURLConnection}.
+   * @throws IOException if an IO error occurred.
+   * @throws AuthenticationException if an authentication exception occurred.
+   */
+  public HttpURLConnection openConnection(URL url, Token token)
+      throws IOException, AuthenticationException {
+    return openConnection(url, token, null);
+  }
+
+  private URL augmentURL(URL url, Map<String, String> params)
+      throws IOException {
+    if (params != null && params.size() > 0) {
+      String urlStr = url.toExternalForm();
+      StringBuilder sb = new StringBuilder(urlStr);
+      String separator = (urlStr.contains("?")) ? "&" : "?";
+      for (Map.Entry<String, String> param : params.entrySet()) {
+        sb.append(separator).append(param.getKey()).append("=").append(
+            param.getValue());
+        separator = "&";
+      }
+      url = new URL(sb.toString());
+    }
+    return url;
+  }
+
+  /**
+   * Returns an authenticated {@link HttpURLConnection}. If the Delegation
+   * Token is present, it will be used taking precedence over the configured
+   * <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL,
+   * the request will be done on behalf of the specified <code>doAs</code> user.
+   *
+   * @param url the URL to connect to. Only HTTP/S URLs are supported.
+   * @param token the authentication token being used for the user.
+   * @param doAs user to do the the request on behalf of, if NULL the request is
+   * as self.
+   * @return an authenticated {@link HttpURLConnection}.
+   * @throws IOException if an IO error occurred.
+   * @throws AuthenticationException if an authentication exception occurred.
+   */
+  public HttpURLConnection openConnection(URL url, Token token, String doAs)
+      throws IOException, AuthenticationException {
+    Preconditions.checkNotNull(url, "url");
+    Preconditions.checkNotNull(token, "token");
+    Map<String, String> extraParams = new HashMap<String, String>();
+
+    // delegation token
+    Credentials creds = UserGroupInformation.getCurrentUser().getCredentials();
+    if (!creds.getAllTokens().isEmpty()) {
+      InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
+          url.getPort());
+      Text service = SecurityUtil.buildTokenService(serviceAddr);
+      org.apache.hadoop.security.token.Token<? extends TokenIdentifier> dt =
+          creds.getToken(service);
+      if (dt != null) {
+        extraParams.put(KerberosDelegationTokenAuthenticator.DELEGATION_PARAM,
+            dt.encodeToUrlString());
+      }
+    }
+
+    url = augmentURL(url, extraParams);
+    return super.openConnection(url, token);
+  }
+
+  /**
+   * Requests a delegation token using the configured <code>Authenticator</code>
+   * for authentication.
+   *
+   * @param url the URL to get the delegation token from. Only HTTP/S URLs are
+   * supported.
+   * @param token the authentication token being used for the user where the
+   * Delegation token will be stored.
+   * @return a delegation token.
+   * @throws IOException if an IO error occurred.
+   * @throws AuthenticationException if an authentication exception occurred.
+   */
+  public org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier>
+      getDelegationToken(URL url, Token token, String renewer)
+          throws IOException, AuthenticationException {
+    Preconditions.checkNotNull(url, "url");
+    Preconditions.checkNotNull(token, "token");
+    try {
+      token.delegationToken =
+          ((KerberosDelegationTokenAuthenticator) getAuthenticator()).
+              getDelegationToken(url, token, renewer);
+      return token.delegationToken;
+    } catch (IOException ex) {
+      token.delegationToken = null;
+      throw ex;
+    }
+  }
+
+  /**
+   * Renews a delegation token from the server end-point using the
+   * configured <code>Authenticator</code> for authentication.
+   *
+   * @param url the URL to renew the delegation token from. Only HTTP/S URLs are
+   * supported.
+   * @param token the authentication token with the Delegation Token to renew.
+   * @throws IOException if an IO error occurred.
+   * @throws AuthenticationException if an authentication exception occurred.
+   */
+  public long renewDelegationToken(URL url, Token token)
+      throws IOException, AuthenticationException {
+    Preconditions.checkNotNull(url, "url");
+    Preconditions.checkNotNull(token, "token");
+    Preconditions.checkNotNull(token.delegationToken,
+        "No delegation token available");
+    try {
+      return ((KerberosDelegationTokenAuthenticator) getAuthenticator()).
+          renewDelegationToken(url, token, token.delegationToken);
+    } catch (IOException ex) {
+      token.delegationToken = null;
+      throw ex;
+    }
+  }
+
+  /**
+   * Cancels a delegation token from the server end-point. It does not require
+   * being authenticated by the configured <code>Authenticator</code>.
+   *
+   * @param url the URL to cancel the delegation token from. Only HTTP/S URLs
+   * are supported.
+   * @param token the authentication token with the Delegation Token to cancel.
+   * @throws IOException if an IO error occurred.
+   */
+  public void cancelDelegationToken(URL url, Token token)
+      throws IOException {
+    Preconditions.checkNotNull(url, "url");
+    Preconditions.checkNotNull(token, "token");
+    Preconditions.checkNotNull(token.delegationToken,
+        "No delegation token available");
+    try {
+      ((KerberosDelegationTokenAuthenticator) getAuthenticator()).
+          cancelDelegationToken(url, token, token.delegationToken);
+    } finally {
+      token.delegationToken = null;
+    }
+  }
+
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
index 545654c2f78..5e85adef85f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
@@ -15,79 +15,88 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.hadoop.fs.http.server;
+package org.apache.hadoop.security.token.delegation.web;
 
 import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
+
 import javax.servlet.FilterConfig;
-import java.io.FileReader;
-import java.io.IOException;
-import java.io.Reader;
-import java.util.Map;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
 import java.util.Properties;
 
 /**
- * Subclass of hadoop-auth <code>AuthenticationFilter</code> that obtains its configuration
- * from HttpFSServer's server configuration.
+ *  The <code>DelegationTokenAuthenticationFilter</code> filter is a
+ *  {@link AuthenticationFilter} with Hadoop Delegation Token support.
+ *  <p/>
+ *  By default it uses it own instance of the {@link
+ *  AbstractDelegationTokenSecretManager}. For situations where an external
+ *  <code>AbstractDelegationTokenSecretManager</code> is required (i.e. one that
+ *  shares the secret with <code>AbstractDelegationTokenSecretManager</code>
+ *  instance running in other services), the external
+ *  <code>AbstractDelegationTokenSecretManager</code> must be set as an
+ *  attribute in the {@link ServletContext} of the web application using the
+ *  {@link #DELEGATION_TOKEN_SECRET_MANAGER_ATTR} attribute name (
+ *  'hadoop.http.delegation-token-secret-manager').
  */
 @InterfaceAudience.Private
-public class HttpFSAuthenticationFilter extends AuthenticationFilter {
-  private static final String CONF_PREFIX = "httpfs.authentication.";
-
-  private static final String SIGNATURE_SECRET_FILE = SIGNATURE_SECRET + ".file";
+@InterfaceStability.Evolving
+public class DelegationTokenAuthenticationFilter
+    extends AuthenticationFilter {
 
   /**
-   * Returns the hadoop-auth configuration from HttpFSServer's configuration.
+   * Sets an external <code>DelegationTokenSecretManager</code> instance to
+   * manage creation and verification of Delegation Tokens.
    * <p/>
-   * It returns all HttpFSServer's configuration properties prefixed with
-   * <code>httpfs.authentication</code>. The <code>httpfs.authentication</code>
-   * prefix is removed from the returned property names.
+   * This is useful for use cases where secrets must be shared across multiple
+   * services.
+   */
+
+  public static final String DELEGATION_TOKEN_SECRET_MANAGER_ATTR =
+      "hadoop.http.delegation-token-secret-manager";
+
+  /**
+   * It delegates to
+   * {@link AuthenticationFilter#getConfiguration(String, FilterConfig)} and
+   * then overrides the {@link AuthenticationHandler} to use if authentication
+   * type is set to <code>simple</code> or <code>kerberos</code> in order to use
+   * the corresponding implementation with delegation token support.
    *
    * @param configPrefix parameter not used.
    * @param filterConfig parameter not used.
-   *
-   * @return hadoop-auth configuration read from HttpFSServer's configuration.
+   * @return hadoop-auth de-prefixed configuration for the filter and handler.
    */
   @Override
-  protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) {
-    Properties props = new Properties();
-    Configuration conf = HttpFSServerWebApp.get().getConfig();
-
-    props.setProperty(AuthenticationFilter.COOKIE_PATH, "/");
-    for (Map.Entry<String, String> entry : conf) {
-      String name = entry.getKey();
-      if (name.startsWith(CONF_PREFIX)) {
-        String value = conf.get(name);
-        name = name.substring(CONF_PREFIX.length());
-        props.setProperty(name, value);
-      }
-    }
-
-    if (props.getProperty(AUTH_TYPE).equals("kerberos")) {
+  protected Properties getConfiguration(String configPrefix,
+      FilterConfig filterConfig) throws ServletException {
+    Properties props = super.getConfiguration(configPrefix, filterConfig);
+    String authType = props.getProperty(AUTH_TYPE);
+    if (authType.equals(PseudoAuthenticationHandler.TYPE)) {
       props.setProperty(AUTH_TYPE,
-                        HttpFSKerberosAuthenticationHandler.class.getName());
-    }
-
-    String signatureSecretFile = props.getProperty(SIGNATURE_SECRET_FILE, null);
-    if (signatureSecretFile == null) {
-      throw new RuntimeException("Undefined property: " + SIGNATURE_SECRET_FILE);
-    }
-
-    try {
-      StringBuilder secret = new StringBuilder();
-      Reader reader = new FileReader(signatureSecretFile);
-      int c = reader.read();
-      while (c > -1) {
-        secret.append((char)c);
-        c = reader.read();
-      }
-      reader.close();
-      props.setProperty(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
-    } catch (IOException ex) {
-      throw new RuntimeException("Could not read HttpFS signature secret file: " + signatureSecretFile);
+          PseudoDelegationTokenAuthenticationHandler.class.getName());
+    } else if (authType.equals(KerberosAuthenticationHandler.TYPE)) {
+      props.setProperty(AUTH_TYPE,
+          KerberosDelegationTokenAuthenticationHandler.class.getName());
     }
     return props;
   }
 
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    super.init(filterConfig);
+    AbstractDelegationTokenSecretManager dtSecretManager =
+        (AbstractDelegationTokenSecretManager) filterConfig.getServletContext().
+            getAttribute(DELEGATION_TOKEN_SECRET_MANAGER_ATTR);
+    if (dtSecretManager != null && getAuthenticationHandler()
+        instanceof DelegationTokenAuthenticationHandler) {
+      DelegationTokenAuthenticationHandler handler =
+          (DelegationTokenAuthenticationHandler) getAuthenticationHandler();
+      handler.setExternalDelegationTokenSecretManager(dtSecretManager);
+    }
+  }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
index fc2649ce79a..5f3b1a49091 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
@@ -15,22 +15,23 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.hadoop.fs.http.server;
+package org.apache.hadoop.security.token.delegation.web;
 
+import com.google.common.annotations.VisibleForTesting;
 import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.fs.http.client.HttpFSFileSystem;
-import org.apache.hadoop.fs.http.client.HttpFSKerberosAuthenticator;
-import org.apache.hadoop.fs.http.client.HttpFSKerberosAuthenticator.DelegationTokenOperation;
-import org.apache.hadoop.lib.service.DelegationTokenIdentifier;
-import org.apache.hadoop.lib.service.DelegationTokenManager;
-import org.apache.hadoop.lib.service.DelegationTokenManagerException;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
 import org.apache.hadoop.security.authentication.server.AuthenticationToken;
 import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
 import org.apache.hadoop.security.token.Token;
-import org.json.simple.JSONObject;
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
+import org.codehaus.jackson.map.ObjectMapper;
 
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.core.MediaType;
@@ -41,41 +42,136 @@
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.Properties;
 import java.util.Set;
 
 /**
- * Server side <code>AuthenticationHandler</code> that authenticates requests
- * using the incoming delegation token as a 'delegation' query string parameter.
+ * An {@link AuthenticationHandler} that implements Kerberos SPNEGO mechanism
+ * for HTTP and supports Delegation Token functionality.
  * <p/>
- * If not delegation token is present in the request it delegates to the
- * {@link KerberosAuthenticationHandler}
+ * In addition to the wrapped {@link AuthenticationHandler} configuration
+ * properties, this handler supports the following properties prefixed
+ * with the type of the wrapped <code>AuthenticationHandler</code>:
+ * <ul>
+ * <li>delegation-token.token-kind: the token kind for generated tokens
+ * (no default, required property).</li>
+ * <li>delegation-token.update-interval.sec: secret manager master key
+ * update interval in seconds (default 1 day).</li>
+ * <li>delegation-token.max-lifetime.sec: maximum life of a delegation
+ * token in seconds (default 7 days).</li>
+ * <li>delegation-token.renewal-interval.sec: renewal interval for
+ * delegation tokens in seconds (default 1 day).</li>
+ * <li>delegation-token.removal-scan-interval.sec: delegation tokens
+ * removal scan interval in seconds (default 1 hour).</li>
+ * </ul>
+ *
  */
 @InterfaceAudience.Private
-public class HttpFSKerberosAuthenticationHandler
-  extends KerberosAuthenticationHandler {
+@InterfaceStability.Evolving
+public abstract class DelegationTokenAuthenticationHandler
+    implements AuthenticationHandler {
 
-  static final Set<String> DELEGATION_TOKEN_OPS =
-    new HashSet<String>();
+  protected static final String TYPE_POSTFIX = "-dt";
+
+  public static final String PREFIX = "delegation-token.";
+
+  public static final String TOKEN_KIND = PREFIX + "token-kind.sec";
+
+  public static final String UPDATE_INTERVAL = PREFIX + "update-interval.sec";
+  public static final long UPDATE_INTERVAL_DEFAULT = 24 * 60 * 60;
+
+  public static final String MAX_LIFETIME = PREFIX + "max-lifetime.sec";
+  public static final long MAX_LIFETIME_DEFAULT = 7 * 24 * 60 * 60;
+
+  public static final String RENEW_INTERVAL = PREFIX + "renew-interval.sec";
+  public static final long RENEW_INTERVAL_DEFAULT = 24 * 60 * 60;
+
+  public static final String REMOVAL_SCAN_INTERVAL = PREFIX +
+      "removal-scan-interval.sec";
+  public static final long REMOVAL_SCAN_INTERVAL_DEFAULT = 60 * 60;
+
+  private static final Set<String> DELEGATION_TOKEN_OPS = new HashSet<String>();
 
   static {
-    DELEGATION_TOKEN_OPS.add(
-      DelegationTokenOperation.GETDELEGATIONTOKEN.toString());
-    DELEGATION_TOKEN_OPS.add(
-      DelegationTokenOperation.RENEWDELEGATIONTOKEN.toString());
-    DELEGATION_TOKEN_OPS.add(
-      DelegationTokenOperation.CANCELDELEGATIONTOKEN.toString());
+    DELEGATION_TOKEN_OPS.add(KerberosDelegationTokenAuthenticator.
+        DelegationTokenOperation.GETDELEGATIONTOKEN.toString());
+    DELEGATION_TOKEN_OPS.add(KerberosDelegationTokenAuthenticator.
+        DelegationTokenOperation.RENEWDELEGATIONTOKEN.toString());
+    DELEGATION_TOKEN_OPS.add(KerberosDelegationTokenAuthenticator.
+        DelegationTokenOperation.CANCELDELEGATIONTOKEN.toString());
   }
 
-  public static final String TYPE = "kerberos-dt";
+  private AuthenticationHandler authHandler;
+  private DelegationTokenManager tokenManager;
+  private String authType;
+
+  public DelegationTokenAuthenticationHandler(AuthenticationHandler handler) {
+    authHandler = handler;
+    authType = handler.getType();
+  }
+
+  @VisibleForTesting
+  DelegationTokenManager getTokenManager() {
+    return tokenManager;
+  }
+
+  @Override
+  public void init(Properties config) throws ServletException {
+    authHandler.init(config);
+    initTokenManager(config);
+  }
 
   /**
-   * Returns authentication type of the handler.
+   * Sets an external <code>DelegationTokenSecretManager</code> instance to
+   * manage creation and verification of Delegation Tokens.
+   * <p/>
+   * This is useful for use cases where secrets must be shared across multiple
+   * services.
    *
-   * @return <code>delegationtoken-kerberos</code>
+   * @param secretManager a <code>DelegationTokenSecretManager</code> instance
    */
+  public void setExternalDelegationTokenSecretManager(
+      AbstractDelegationTokenSecretManager secretManager) {
+    tokenManager.setExternalDelegationTokenSecretManager(secretManager);
+  }
+
+  @VisibleForTesting
+  @SuppressWarnings("unchecked")
+  public void initTokenManager(Properties config) {
+    String configPrefix = authHandler.getType() + ".";
+    Configuration conf = new Configuration(false);
+    for (Map.Entry entry : config.entrySet()) {
+      conf.set((String) entry.getKey(), (String) entry.getValue());
+    }
+    String tokenKind = conf.get(TOKEN_KIND);
+    if (tokenKind == null) {
+      throw new IllegalArgumentException(
+          "The configuration does not define the token kind");
+    }
+    tokenKind = tokenKind.trim();
+    long updateInterval = conf.getLong(configPrefix + UPDATE_INTERVAL,
+        UPDATE_INTERVAL_DEFAULT);
+    long maxLifeTime = conf.getLong(configPrefix + MAX_LIFETIME,
+        MAX_LIFETIME_DEFAULT);
+    long renewInterval = conf.getLong(configPrefix + RENEW_INTERVAL,
+        RENEW_INTERVAL_DEFAULT);
+    long removalScanInterval = conf.getLong(
+        configPrefix + REMOVAL_SCAN_INTERVAL, REMOVAL_SCAN_INTERVAL_DEFAULT);
+    tokenManager = new DelegationTokenManager(new Text(tokenKind),
+        updateInterval * 1000, maxLifeTime * 1000, renewInterval * 1000,
+        removalScanInterval * 1000);
+    tokenManager.init();
+  }
+
+  @Override
+  public void destroy() {
+    tokenManager.destroy();
+    authHandler.destroy();
+  }
+
   @Override
   public String getType() {
-    return TYPE;
+    return authType;
   }
 
   private static final String ENTER = System.getProperty("line.separator");
@@ -84,87 +180,118 @@ public String getType() {
   @SuppressWarnings("unchecked")
   public boolean managementOperation(AuthenticationToken token,
       HttpServletRequest request, HttpServletResponse response)
-    throws IOException, AuthenticationException {
+      throws IOException, AuthenticationException {
     boolean requestContinues = true;
-    String op = request.getParameter(HttpFSFileSystem.OP_PARAM);
+    String op = ServletUtils.getParameter(request,
+        KerberosDelegationTokenAuthenticator.OP_PARAM);
     op = (op != null) ? op.toUpperCase() : null;
     if (DELEGATION_TOKEN_OPS.contains(op) &&
         !request.getMethod().equals("OPTIONS")) {
-      DelegationTokenOperation dtOp =
-        DelegationTokenOperation.valueOf(op);
+      KerberosDelegationTokenAuthenticator.DelegationTokenOperation dtOp =
+          KerberosDelegationTokenAuthenticator.
+              DelegationTokenOperation.valueOf(op);
       if (dtOp.getHttpMethod().equals(request.getMethod())) {
+        boolean doManagement;
         if (dtOp.requiresKerberosCredentials() && token == null) {
-          response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
-            MessageFormat.format(
-              "Operation [{0}] requires SPNEGO authentication established",
-              dtOp));
-          requestContinues = false;
+          token = authenticate(request, response);
+          if (token == null) {
+            requestContinues = false;
+            doManagement = false;
+          } else {
+            doManagement = true;
+          }
         } else {
-          DelegationTokenManager tokenManager =
-            HttpFSServerWebApp.get().get(DelegationTokenManager.class);
-          try {
-            Map map = null;
-            switch (dtOp) {
-              case GETDELEGATIONTOKEN:
-                String renewerParam =
-                  request.getParameter(HttpFSKerberosAuthenticator.RENEWER_PARAM);
-                if (renewerParam == null) {
-                  renewerParam = token.getUserName();
-                }
-                Token<?> dToken = tokenManager.createToken(
-                  UserGroupInformation.getCurrentUser(), renewerParam);
-                map = delegationTokenToJSON(dToken);
-                break;
-              case RENEWDELEGATIONTOKEN:
-              case CANCELDELEGATIONTOKEN:
-                String tokenParam =
-                  request.getParameter(HttpFSKerberosAuthenticator.TOKEN_PARAM);
-                if (tokenParam == null) {
-                  response.sendError(HttpServletResponse.SC_BAD_REQUEST,
-                    MessageFormat.format(
-                      "Operation [{0}] requires the parameter [{1}]",
-                      dtOp, HttpFSKerberosAuthenticator.TOKEN_PARAM));
-                  requestContinues = false;
-                } else {
-                  if (dtOp == DelegationTokenOperation.CANCELDELEGATIONTOKEN) {
-                    Token<DelegationTokenIdentifier> dt =
-                      new Token<DelegationTokenIdentifier>();
-                    dt.decodeFromUrlString(tokenParam);
-                    tokenManager.cancelToken(dt,
-                      UserGroupInformation.getCurrentUser().getUserName());
-                  } else {
-                    Token<DelegationTokenIdentifier> dt =
-                      new Token<DelegationTokenIdentifier>();
-                    dt.decodeFromUrlString(tokenParam);
-                    long expirationTime =
-                      tokenManager.renewToken(dt, token.getUserName());
-                    map = new HashMap();
-                    map.put("long", expirationTime);
-                  }
-                }
-                break;
-            }
-            if (requestContinues) {
-              response.setStatus(HttpServletResponse.SC_OK);
-              if (map != null) {
-                response.setContentType(MediaType.APPLICATION_JSON);
-                Writer writer = response.getWriter();
-                JSONObject.writeJSONString(map, writer);
-                writer.write(ENTER);
-                writer.flush();
-
+          doManagement = true;
+        }
+        if (doManagement) {
+          UserGroupInformation requestUgi = (token != null)
+              ? UserGroupInformation.createRemoteUser(token.getUserName())
+              : null;
+          Map map = null;
+          switch (dtOp) {
+            case GETDELEGATIONTOKEN:
+              if (requestUgi == null) {
+                throw new IllegalStateException("request UGI cannot be NULL");
               }
-              requestContinues = false;
+              String renewer = ServletUtils.getParameter(request,
+                  KerberosDelegationTokenAuthenticator.RENEWER_PARAM);
+              try {
+                Token<?> dToken = tokenManager.createToken(requestUgi, renewer);
+                map = delegationTokenToJSON(dToken);
+              } catch (IOException ex) {
+                throw new AuthenticationException(ex.toString(), ex);
+              }
+              break;
+            case RENEWDELEGATIONTOKEN:
+              if (requestUgi == null) {
+                throw new IllegalStateException("request UGI cannot be NULL");
+              }
+              String tokenToRenew = ServletUtils.getParameter(request,
+                  KerberosDelegationTokenAuthenticator.TOKEN_PARAM);
+              if (tokenToRenew == null) {
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
+                    MessageFormat.format(
+                        "Operation [{0}] requires the parameter [{1}]", dtOp,
+                        KerberosDelegationTokenAuthenticator.TOKEN_PARAM)
+                );
+                requestContinues = false;
+              } else {
+                Token<DelegationTokenIdentifier> dt =
+                    new Token<DelegationTokenIdentifier>();
+                try {
+                  dt.decodeFromUrlString(tokenToRenew);
+                  long expirationTime = tokenManager.renewToken(dt,
+                      requestUgi.getShortUserName());
+                  map = new HashMap();
+                  map.put("long", expirationTime);
+                } catch (IOException ex) {
+                  throw new AuthenticationException(ex.toString(), ex);
+                }
+              }
+              break;
+            case CANCELDELEGATIONTOKEN:
+              String tokenToCancel = ServletUtils.getParameter(request,
+                  KerberosDelegationTokenAuthenticator.TOKEN_PARAM);
+              if (tokenToCancel == null) {
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
+                    MessageFormat.format(
+                        "Operation [{0}] requires the parameter [{1}]", dtOp,
+                        KerberosDelegationTokenAuthenticator.TOKEN_PARAM)
+                );
+                requestContinues = false;
+              } else {
+                Token<DelegationTokenIdentifier> dt =
+                    new Token<DelegationTokenIdentifier>();
+                try {
+                  dt.decodeFromUrlString(tokenToCancel);
+                  tokenManager.cancelToken(dt, (requestUgi != null)
+                      ? requestUgi.getShortUserName() : null);
+                } catch (IOException ex) {
+                  response.sendError(HttpServletResponse.SC_NOT_FOUND,
+                      "Invalid delegation token, cannot cancel");
+                  requestContinues = false;
+                }
+              }
+              break;
+          }
+          if (requestContinues) {
+            response.setStatus(HttpServletResponse.SC_OK);
+            if (map != null) {
+              response.setContentType(MediaType.APPLICATION_JSON);
+              Writer writer = response.getWriter();
+              ObjectMapper jsonMapper = new ObjectMapper();
+              jsonMapper.writeValue(writer, map);
+              writer.write(ENTER);
+              writer.flush();
             }
-          } catch (DelegationTokenManagerException ex) {
-            throw new AuthenticationException(ex.toString(), ex);
+            requestContinues = false;
           }
         }
       } else {
         response.sendError(HttpServletResponse.SC_BAD_REQUEST,
-          MessageFormat.format(
-            "Wrong HTTP method [{0}] for operation [{1}], it should be [{2}]",
-            request.getMethod(), dtOp, dtOp.getHttpMethod()));
+            MessageFormat.format(
+                "Wrong HTTP method [{0}] for operation [{1}], it should be " +
+                    "[{2}]", request.getMethod(), dtOp, dtOp.getHttpMethod()));
         requestContinues = false;
       }
     }
@@ -174,13 +301,15 @@ public boolean managementOperation(AuthenticationToken token,
   @SuppressWarnings("unchecked")
   private static Map delegationTokenToJSON(Token token) throws IOException {
     Map json = new LinkedHashMap();
-    json.put(HttpFSKerberosAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON,
-             token.encodeToUrlString());
+    json.put(
+        KerberosDelegationTokenAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON,
+        token.encodeToUrlString());
     Map response = new LinkedHashMap();
-    response.put(HttpFSKerberosAuthenticator.DELEGATION_TOKEN_JSON, json);
+    response.put(KerberosDelegationTokenAuthenticator.DELEGATION_TOKEN_JSON,
+        json);
     return response;
   }
-  
+
   /**
    * Authenticates a request looking for the <code>delegation</code>
    * query-string parameter and verifying it is a valid token. If there is not
@@ -190,41 +319,37 @@ private static Map delegationTokenToJSON(Token token) throws IOException {
    *
    * @param request the HTTP client request.
    * @param response the HTTP client response.
-   *
    * @return the authentication token for the authenticated request.
    * @throws IOException thrown if an IO error occurred.
    * @throws AuthenticationException thrown if the authentication failed.
    */
   @Override
   public AuthenticationToken authenticate(HttpServletRequest request,
-                                          HttpServletResponse response)
-    throws IOException, AuthenticationException {
+      HttpServletResponse response)
+      throws IOException, AuthenticationException {
     AuthenticationToken token;
-    String delegationParam =
-      request.getParameter(HttpFSKerberosAuthenticator.DELEGATION_PARAM);
+    String delegationParam = ServletUtils.getParameter(request,
+        KerberosDelegationTokenAuthenticator.DELEGATION_PARAM);
     if (delegationParam != null) {
       try {
         Token<DelegationTokenIdentifier> dt =
-          new Token<DelegationTokenIdentifier>();
+            new Token<DelegationTokenIdentifier>();
         dt.decodeFromUrlString(delegationParam);
-        DelegationTokenManager tokenManager =
-          HttpFSServerWebApp.get().get(DelegationTokenManager.class);
         UserGroupInformation ugi = tokenManager.verifyToken(dt);
         final String shortName = ugi.getShortUserName();
 
         // creating a ephemeral token
         token = new AuthenticationToken(shortName, ugi.getUserName(),
-                                        getType());
+            getType());
         token.setExpires(0);
       } catch (Throwable ex) {
         throw new AuthenticationException("Could not verify DelegationToken, " +
-                                          ex.toString(), ex);
+            ex.toString(), ex);
       }
     } else {
-      token = super.authenticate(request, response);
+      token = authHandler.authenticate(request, response);
     }
     return token;
   }
 
-
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
index a6f7c54a9a7..ec192dab8ca 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
@@ -15,49 +15,47 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.hadoop.fs.http.client;
-
+package org.apache.hadoop.security.token.delegation.web;
 
 import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.client.Authenticator;
-import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
+import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
-import org.json.simple.JSONObject;
+import org.codehaus.jackson.map.ObjectMapper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.InetSocketAddress;
-import java.net.URI;
 import java.net.URL;
+import java.net.URLEncoder;
 import java.util.HashMap;
 import java.util.Map;
 
 /**
- * A <code>KerberosAuthenticator</code> subclass that fallback to
- * {@link HttpFSPseudoAuthenticator}.
+ * {@link Authenticator} wrapper that enhances an {@link Authenticator} with
+ * Delegation Token support.
  */
-@InterfaceAudience.Private
-public class HttpFSKerberosAuthenticator extends KerberosAuthenticator {
-
-  /**
-   * Returns the fallback authenticator if the server does not use
-   * Kerberos SPNEGO HTTP authentication.
-   *
-   * @return a {@link HttpFSPseudoAuthenticator} instance.
-   */
-  @Override
-  protected Authenticator getFallBackAuthenticator() {
-    return new HttpFSPseudoAuthenticator();
-  }
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public abstract class DelegationTokenAuthenticator implements Authenticator {
+  private static Logger LOG = 
+      LoggerFactory.getLogger(DelegationTokenAuthenticator.class);
+  
+  private static final String CONTENT_TYPE = "Content-Type";
+  private static final String APPLICATION_JSON_MIME = "application/json";
 
   private static final String HTTP_GET = "GET";
   private static final String HTTP_PUT = "PUT";
 
+  public static final String OP_PARAM = "op";
+
   public static final String DELEGATION_PARAM = "delegation";
   public static final String TOKEN_PARAM = "token";
   public static final String RENEWER_PARAM = "renewer";
@@ -78,7 +76,7 @@ public static enum DelegationTokenOperation {
     private boolean requiresKerberosCredentials;
 
     private DelegationTokenOperation(String httpMethod,
-                                     boolean requiresKerberosCredentials) {
+        boolean requiresKerberosCredentials) {
       this.httpMethod = httpMethod;
       this.requiresKerberosCredentials = requiresKerberosCredentials;
     }
@@ -90,98 +88,162 @@ public String getHttpMethod() {
     public boolean requiresKerberosCredentials() {
       return requiresKerberosCredentials;
     }
-
   }
 
-  public static void injectDelegationToken(Map<String, String> params,
-                                          Token<?> dtToken)
-    throws IOException {
-    if (dtToken != null) {
-      params.put(DELEGATION_PARAM, dtToken.encodeToUrlString());
-    }
+  private Authenticator authenticator;
+
+  public DelegationTokenAuthenticator(Authenticator authenticator) {
+    this.authenticator = authenticator;
+  }
+
+  @Override
+  public void setConnectionConfigurator(ConnectionConfigurator configurator) {
+    authenticator.setConnectionConfigurator(configurator);
   }
 
   private boolean hasDelegationToken(URL url) {
-    return url.getQuery().contains(DELEGATION_PARAM + "=");
+    String queryStr = url.getQuery();
+    return (queryStr != null) && queryStr.contains(DELEGATION_PARAM + "=");
   }
 
   @Override
   public void authenticate(URL url, AuthenticatedURL.Token token)
-    throws IOException, AuthenticationException {
+      throws IOException, AuthenticationException {
     if (!hasDelegationToken(url)) {
-      super.authenticate(url, token);
+      authenticator.authenticate(url, token);
     }
   }
 
-  public static final String OP_PARAM = "op";
-
-  public static Token<?> getDelegationToken(URI fsURI,
-    InetSocketAddress httpFSAddr, AuthenticatedURL.Token token,
-    String renewer) throws IOException {
-    DelegationTokenOperation op = 
-      DelegationTokenOperation.GETDELEGATIONTOKEN;
-    Map<String, String> params = new HashMap<String, String>();
-    params.put(OP_PARAM, op.toString());
-    params.put(RENEWER_PARAM,renewer);
-    URL url = HttpFSUtils.createURL(new Path(fsURI), params);
-    AuthenticatedURL aUrl =
-      new AuthenticatedURL(new HttpFSKerberosAuthenticator());
-    try {
-      HttpURLConnection conn = aUrl.openConnection(url, token);
-      conn.setRequestMethod(op.getHttpMethod());
-      HttpFSUtils.validateResponse(conn, HttpURLConnection.HTTP_OK);
-      JSONObject json = (JSONObject) ((JSONObject)
-        HttpFSUtils.jsonParse(conn)).get(DELEGATION_TOKEN_JSON);
-      String tokenStr = (String)
-        json.get(DELEGATION_TOKEN_URL_STRING_JSON);
-      Token<AbstractDelegationTokenIdentifier> dToken =
+  /**
+   * Requests a delegation token using the configured <code>Authenticator</code>
+   * for authentication.
+   *
+   * @param url the URL to get the delegation token from. Only HTTP/S URLs are
+   * supported.
+   * @param token the authentication token being used for the user where the
+   * Delegation token will be stored.
+   * @throws IOException if an IO error occurred.
+   * @throws AuthenticationException if an authentication exception occurred.
+   */
+  public Token<AbstractDelegationTokenIdentifier> getDelegationToken(URL url,
+      AuthenticatedURL.Token token, String renewer)
+      throws IOException, AuthenticationException {
+    Map json = doDelegationTokenOperation(url, token,
+        DelegationTokenOperation.GETDELEGATIONTOKEN, renewer, null, true);
+    json = (Map) json.get(DELEGATION_TOKEN_JSON);
+    String tokenStr = (String) json.get(DELEGATION_TOKEN_URL_STRING_JSON);
+    Token<AbstractDelegationTokenIdentifier> dToken =
         new Token<AbstractDelegationTokenIdentifier>();
-      dToken.decodeFromUrlString(tokenStr);
-      SecurityUtil.setTokenService(dToken, httpFSAddr);
-      return dToken;
+    dToken.decodeFromUrlString(tokenStr);
+    InetSocketAddress service = new InetSocketAddress(url.getHost(),
+        url.getPort());
+    SecurityUtil.setTokenService(dToken, service);
+    return dToken;
+  }
+
+  /**
+   * Renews a delegation token from the server end-point using the
+   * configured <code>Authenticator</code> for authentication.
+   *
+   * @param url the URL to renew the delegation token from. Only HTTP/S URLs are
+   * supported.
+   * @param token the authentication token with the Delegation Token to renew.
+   * @throws IOException if an IO error occurred.
+   * @throws AuthenticationException if an authentication exception occurred.
+   */
+  public long renewDelegationToken(URL url,
+      AuthenticatedURL.Token token,
+      Token<AbstractDelegationTokenIdentifier> dToken)
+      throws IOException, AuthenticationException {
+    Map json = doDelegationTokenOperation(url, token,
+        DelegationTokenOperation.RENEWDELEGATIONTOKEN, null, dToken, true);
+    return (Long) json.get(RENEW_DELEGATION_TOKEN_JSON);
+  }
+
+  /**
+   * Cancels a delegation token from the server end-point. It does not require
+   * being authenticated by the configured <code>Authenticator</code>.
+   *
+   * @param url the URL to cancel the delegation token from. Only HTTP/S URLs
+   * are supported.
+   * @param token the authentication token with the Delegation Token to cancel.
+   * @throws IOException if an IO error occurred.
+   */
+  public void cancelDelegationToken(URL url,
+      AuthenticatedURL.Token token,
+      Token<AbstractDelegationTokenIdentifier> dToken)
+      throws IOException {
+    try {
+      doDelegationTokenOperation(url, token,
+          DelegationTokenOperation.CANCELDELEGATIONTOKEN, null, dToken, false);
     } catch (AuthenticationException ex) {
-      throw new IOException(ex.toString(), ex);
+      throw new IOException("This should not happen: " + ex.getMessage(), ex);
     }
   }
 
-  public static long renewDelegationToken(URI fsURI,
-    AuthenticatedURL.Token token, Token<?> dToken) throws IOException {
+  private Map doDelegationTokenOperation(URL url,
+      AuthenticatedURL.Token token, DelegationTokenOperation operation,
+      String renewer, Token<?> dToken, boolean hasResponse)
+      throws IOException, AuthenticationException {
+    Map ret = null;
     Map<String, String> params = new HashMap<String, String>();
-    params.put(OP_PARAM,
-               DelegationTokenOperation.RENEWDELEGATIONTOKEN.toString());
-    params.put(TOKEN_PARAM, dToken.encodeToUrlString());
-    URL url = HttpFSUtils.createURL(new Path(fsURI), params);
-    AuthenticatedURL aUrl =
-      new AuthenticatedURL(new HttpFSKerberosAuthenticator());
-    try {
-      HttpURLConnection conn = aUrl.openConnection(url, token);
-      conn.setRequestMethod(
-        DelegationTokenOperation.RENEWDELEGATIONTOKEN.getHttpMethod());
-      HttpFSUtils.validateResponse(conn, HttpURLConnection.HTTP_OK);
-      JSONObject json = (JSONObject) ((JSONObject)
-        HttpFSUtils.jsonParse(conn)).get(DELEGATION_TOKEN_JSON);
-      return (Long)(json.get(RENEW_DELEGATION_TOKEN_JSON));
-    } catch (AuthenticationException ex) {
-      throw new IOException(ex.toString(), ex);
+    params.put(OP_PARAM, operation.toString());
+    if (renewer != null) {
+      params.put(RENEWER_PARAM, renewer);
     }
+    if (dToken != null) {
+      params.put(TOKEN_PARAM, dToken.encodeToUrlString());
+    }
+    String urlStr = url.toExternalForm();
+    StringBuilder sb = new StringBuilder(urlStr);
+    String separator = (urlStr.contains("?")) ? "&" : "?";
+    for (Map.Entry<String, String> entry : params.entrySet()) {
+      sb.append(separator).append(entry.getKey()).append("=").
+          append(URLEncoder.encode(entry.getValue(), "UTF8"));
+      separator = "&";
+    }
+    url = new URL(sb.toString());
+    AuthenticatedURL aUrl = new AuthenticatedURL(this);
+    HttpURLConnection conn = aUrl.openConnection(url, token);
+    conn.setRequestMethod(operation.getHttpMethod());
+    validateResponse(conn, HttpURLConnection.HTTP_OK);
+    if (hasResponse) {
+      String contentType = conn.getHeaderField(CONTENT_TYPE);
+      contentType = (contentType != null) ? contentType.toLowerCase()
+                                          : null;
+      if (contentType != null &&
+          contentType.contains(APPLICATION_JSON_MIME)) {
+        try {
+          ObjectMapper mapper = new ObjectMapper();
+          ret = mapper.readValue(conn.getInputStream(), Map.class);
+        } catch (Exception ex) {
+          throw new AuthenticationException(String.format(
+              "'%s' did not handle the '%s' delegation token operation: %s",
+              url.getAuthority(), operation, ex.getMessage()), ex);
+        }
+      } else {
+        throw new AuthenticationException(String.format("'%s' did not " +
+                "respond with JSON to the '%s' delegation token operation",
+            url.getAuthority(), operation));
+      }
+    }
+    return ret;
   }
 
-  public static void cancelDelegationToken(URI fsURI,
-    AuthenticatedURL.Token token, Token<?> dToken) throws IOException {
-    Map<String, String> params = new HashMap<String, String>();
-    params.put(OP_PARAM,
-               DelegationTokenOperation.CANCELDELEGATIONTOKEN.toString());
-    params.put(TOKEN_PARAM, dToken.encodeToUrlString());
-    URL url = HttpFSUtils.createURL(new Path(fsURI), params);
-    AuthenticatedURL aUrl =
-      new AuthenticatedURL(new HttpFSKerberosAuthenticator());
-    try {
-      HttpURLConnection conn = aUrl.openConnection(url, token);
-      conn.setRequestMethod(
-        DelegationTokenOperation.CANCELDELEGATIONTOKEN.getHttpMethod());
-      HttpFSUtils.validateResponse(conn, HttpURLConnection.HTTP_OK);
-    } catch (AuthenticationException ex) {
-      throw new IOException(ex.toString(), ex);
+  @SuppressWarnings("unchecked")
+  private static void validateResponse(HttpURLConnection conn, int expected)
+      throws IOException {
+    int status = conn.getResponseCode();
+    if (status != expected) {
+      try {
+        conn.getInputStream().close();
+      } catch (IOException ex) {
+        //NOP
+      }
+      String msg = String.format("HTTP status, expected [%d], got [%d]: %s", 
+          expected, status, conn.getResponseMessage());
+      LOG.debug(msg);
+      throw new IOException(msg);
     }
   }
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenIdentifier.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenIdentifier.java
index baa4603bc48..2836b9ab730 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenIdentifier.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenIdentifier.java
@@ -15,21 +15,24 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.hadoop.lib.service;
+package org.apache.hadoop.security.token.delegation.web;
 
 import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.hdfs.web.WebHdfsFileSystem;
+import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
 
 /**
- * HttpFS <code>DelegationTokenIdentifier</code> implementation.
+ * Concrete delegation token identifier used by {@link DelegationTokenManager},
+ * {@link KerberosDelegationTokenAuthenticationHandler} and
+ * {@link DelegationTokenAuthenticationFilter}.
  */
 @InterfaceAudience.Private
+@InterfaceStability.Evolving
 public class DelegationTokenIdentifier
-  extends AbstractDelegationTokenIdentifier {
+    extends AbstractDelegationTokenIdentifier {
 
-  private Text kind = WebHdfsFileSystem.TOKEN_KIND;
+  private Text kind;
 
   public DelegationTokenIdentifier(Text kind) {
     this.kind = kind;
@@ -50,8 +53,8 @@ public DelegationTokenIdentifier(Text kind, Text owner, Text renewer,
   }
 
   /**
-   * Returns the kind, <code>TOKEN_KIND</code>.
-   * @return returns <code>TOKEN_KIND</code>.
+   * Return the delegation token kind
+   * @return returns the delegation token kind
    */
   @Override
   public Text getKind() {
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java
index dca13d4a07e..2e6b46e4136 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java
@@ -15,20 +15,11 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.hadoop.lib.service.security;
+package org.apache.hadoop.security.token.delegation.web;
 
 import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.fs.http.server.HttpFSServerWebApp;
-import org.apache.hadoop.hdfs.web.SWebHdfsFileSystem;
-import org.apache.hadoop.hdfs.web.WebHdfsFileSystem;
+import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.io.Text;
-import org.apache.hadoop.lib.server.BaseService;
-import org.apache.hadoop.lib.server.ServerException;
-import org.apache.hadoop.lib.server.ServiceException;
-import org.apache.hadoop.lib.service.DelegationTokenIdentifier;
-import org.apache.hadoop.lib.service.DelegationTokenManager;
-import org.apache.hadoop.lib.service.DelegationTokenManagerException;
-import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
@@ -38,197 +29,26 @@
 import java.io.IOException;
 
 /**
- * DelegationTokenManager service implementation.
+ * Delegation Token Manager used by the
+ * {@link KerberosDelegationTokenAuthenticationHandler}.
+ *
  */
 @InterfaceAudience.Private
-public class DelegationTokenManagerService extends BaseService
-  implements DelegationTokenManager {
-
-  private static final String PREFIX = "delegation.token.manager";
-
-  private static final String UPDATE_INTERVAL = "update.interval";
-
-  private static final String MAX_LIFETIME = "max.lifetime";
-
-  private static final String RENEW_INTERVAL = "renew.interval";
-
-  private static final long HOUR = 60 * 60 * 1000;
-  private static final long DAY = 24 * HOUR;
-
-  DelegationTokenSecretManager secretManager = null;
-
-  private Text tokenKind;
-
-  public DelegationTokenManagerService() {
-    super(PREFIX);
-  }
-
-  /**
-   * Initializes the service.
-   *
-   * @throws ServiceException thrown if the service could not be initialized.
-   */
-  @Override
-  protected void init() throws ServiceException {
-
-    long updateInterval = getServiceConfig().getLong(UPDATE_INTERVAL, DAY);
-    long maxLifetime = getServiceConfig().getLong(MAX_LIFETIME, 7 * DAY);
-    long renewInterval = getServiceConfig().getLong(RENEW_INTERVAL, DAY);
-    tokenKind = (HttpFSServerWebApp.get().isSslEnabled())
-                ? SWebHdfsFileSystem.TOKEN_KIND : WebHdfsFileSystem.TOKEN_KIND;
-    secretManager = new DelegationTokenSecretManager(tokenKind, updateInterval,
-                                                     maxLifetime,
-                                                     renewInterval, HOUR);
-    try {
-      secretManager.startThreads();
-    } catch (IOException ex) {
-      throw new ServiceException(ServiceException.ERROR.S12,
-                                 DelegationTokenManager.class.getSimpleName(),
-                                 ex.toString(), ex);
-    }
-  }
-
-  /**
-   * Destroys the service.
-   */
-  @Override
-  public void destroy() {
-    secretManager.stopThreads();
-    super.destroy();
-  }
-
-  /**
-   * Returns the service interface.
-   *
-   * @return the service interface.
-   */
-  @Override
-  public Class getInterface() {
-    return DelegationTokenManager.class;
-  }
-
-  /**
-   * Creates a delegation token.
-   *
-   * @param ugi UGI creating the token.
-   * @param renewer token renewer.
-   * @return new delegation token.
-   * @throws DelegationTokenManagerException thrown if the token could not be
-   * created.
-   */
-  @Override
-  public Token<DelegationTokenIdentifier> createToken(UserGroupInformation ugi,
-                                                      String renewer)
-    throws DelegationTokenManagerException {
-    renewer = (renewer == null) ? ugi.getShortUserName() : renewer;
-    String user = ugi.getUserName();
-    Text owner = new Text(user);
-    Text realUser = null;
-    if (ugi.getRealUser() != null) {
-      realUser = new Text(ugi.getRealUser().getUserName());
-    }
-    DelegationTokenIdentifier tokenIdentifier =
-      new DelegationTokenIdentifier(tokenKind, owner, new Text(renewer), realUser);
-    Token<DelegationTokenIdentifier> token =
-      new Token<DelegationTokenIdentifier>(tokenIdentifier, secretManager);
-    try {
-      SecurityUtil.setTokenService(token,
-                                   HttpFSServerWebApp.get().getAuthority());
-    } catch (ServerException ex) {
-      throw new DelegationTokenManagerException(
-        DelegationTokenManagerException.ERROR.DT04, ex.toString(), ex);
-    }
-    return token;
-  }
-
-  /**
-   * Renews a delegation token.
-   *
-   * @param token delegation token to renew.
-   * @param renewer token renewer.
-   * @return epoc expiration time.
-   * @throws DelegationTokenManagerException thrown if the token could not be
-   * renewed.
-   */
-  @Override
-  public long renewToken(Token<DelegationTokenIdentifier> token, String renewer)
-    throws DelegationTokenManagerException {
-    try {
-      return secretManager.renewToken(token, renewer);
-    } catch (IOException ex) {
-      throw new DelegationTokenManagerException(
-        DelegationTokenManagerException.ERROR.DT02, ex.toString(), ex);
-    }
-  }
-
-  /**
-   * Cancels a delegation token.
-   *
-   * @param token delegation token to cancel.
-   * @param canceler token canceler.
-   * @throws DelegationTokenManagerException thrown if the token could not be
-   * canceled.
-   */
-  @Override
-  public void cancelToken(Token<DelegationTokenIdentifier> token,
-                          String canceler)
-    throws DelegationTokenManagerException {
-    try {
-      secretManager.cancelToken(token, canceler);
-    } catch (IOException ex) {
-      throw new DelegationTokenManagerException(
-        DelegationTokenManagerException.ERROR.DT03, ex.toString(), ex);
-    }
-  }
-
-  /**
-   * Verifies a delegation token.
-   *
-   * @param token delegation token to verify.
-   * @return the UGI for the token.
-   * @throws DelegationTokenManagerException thrown if the token could not be
-   * verified.
-   */
-  @Override
-  public UserGroupInformation verifyToken(Token<DelegationTokenIdentifier> token)
-    throws DelegationTokenManagerException {
-    ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
-    DataInputStream dis = new DataInputStream(buf);
-    DelegationTokenIdentifier id = new DelegationTokenIdentifier(tokenKind);
-    try {
-      id.readFields(dis);
-      dis.close();
-      secretManager.verifyToken(id, token.getPassword());
-    } catch (Exception ex) {
-      throw new DelegationTokenManagerException(
-        DelegationTokenManagerException.ERROR.DT01, ex.toString(), ex);
-    }
-    return id.getUser();
-  }
+@InterfaceStability.Evolving
+class DelegationTokenManager {
 
   private static class DelegationTokenSecretManager
-    extends AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> {
+      extends AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> {
 
     private Text tokenKind;
 
-    /**
-     * Create a secret manager
-     *
-     * @param delegationKeyUpdateInterval the number of seconds for rolling new
-     * secret keys.
-     * @param delegationTokenMaxLifetime the maximum lifetime of the delegation
-     * tokens
-     * @param delegationTokenRenewInterval how often the tokens must be renewed
-     * @param delegationTokenRemoverScanInterval how often the tokens are
-     * scanned
-     * for expired tokens
-     */
-    public DelegationTokenSecretManager(Text tokenKind, long delegationKeyUpdateInterval,
-                                        long delegationTokenMaxLifetime,
-                                        long delegationTokenRenewInterval,
-                                        long delegationTokenRemoverScanInterval) {
+    public DelegationTokenSecretManager(Text tokenKind,
+        long delegationKeyUpdateInterval,
+        long delegationTokenMaxLifetime,
+        long delegationTokenRenewInterval,
+        long delegationTokenRemoverScanInterval) {
       super(delegationKeyUpdateInterval, delegationTokenMaxLifetime,
-            delegationTokenRenewInterval, delegationTokenRemoverScanInterval);
+          delegationTokenRenewInterval, delegationTokenRemoverScanInterval);
       this.tokenKind = tokenKind;
     }
 
@@ -239,4 +59,95 @@ public DelegationTokenIdentifier createIdentifier() {
 
   }
 
+  private AbstractDelegationTokenSecretManager secretManager = null;
+  private boolean managedSecretManager;
+  private Text tokenKind;
+
+  public DelegationTokenManager(Text tokenKind,
+      long delegationKeyUpdateInterval,
+      long delegationTokenMaxLifetime,
+      long delegationTokenRenewInterval,
+      long delegationTokenRemoverScanInterval) {
+    this.secretManager = new DelegationTokenSecretManager(tokenKind,
+        delegationKeyUpdateInterval, delegationTokenMaxLifetime,
+        delegationTokenRenewInterval, delegationTokenRemoverScanInterval);
+    this.tokenKind = tokenKind;
+    managedSecretManager = true;
+  }
+
+  /**
+   * Sets an external <code>DelegationTokenSecretManager</code> instance to
+   * manage creation and verification of Delegation Tokens.
+   * <p/>
+   * This is useful for use cases where secrets must be shared across multiple
+   * services.
+   *
+   * @param secretManager a <code>DelegationTokenSecretManager</code> instance
+   */
+  public void setExternalDelegationTokenSecretManager(
+      AbstractDelegationTokenSecretManager secretManager) {
+    this.secretManager.stopThreads();
+    this.secretManager = secretManager;
+    this.tokenKind = secretManager.createIdentifier().getKind();
+    managedSecretManager = false;
+  }
+
+  public void init() {
+    if (managedSecretManager) {
+      try {
+        secretManager.startThreads();
+      } catch (IOException ex) {
+        throw new RuntimeException("Could not start " +
+            secretManager.getClass() + ": " + ex.toString(), ex);
+      }
+    }
+  }
+
+  public void destroy() {
+    if (managedSecretManager) {
+      secretManager.stopThreads();
+    }
+  }
+
+  @SuppressWarnings("unchecked")
+  public Token<DelegationTokenIdentifier> createToken(UserGroupInformation ugi,
+      String renewer) {
+    renewer = (renewer == null) ? ugi.getShortUserName() : renewer;
+    String user = ugi.getUserName();
+    Text owner = new Text(user);
+    Text realUser = null;
+    if (ugi.getRealUser() != null) {
+      realUser = new Text(ugi.getRealUser().getUserName());
+    }
+    DelegationTokenIdentifier tokenIdentifier = new DelegationTokenIdentifier(
+        tokenKind, owner, new Text(renewer), realUser);
+    return new Token<DelegationTokenIdentifier>(tokenIdentifier, secretManager);
+  }
+
+  @SuppressWarnings("unchecked")
+  public long renewToken(Token<DelegationTokenIdentifier> token, String renewer)
+      throws IOException {
+    return secretManager.renewToken(token, renewer);
+  }
+
+  @SuppressWarnings("unchecked")
+  public void cancelToken(Token<DelegationTokenIdentifier> token,
+      String canceler) throws IOException {
+    canceler = (canceler != null) ? canceler :
+               verifyToken(token).getShortUserName();
+    secretManager.cancelToken(token, canceler);
+  }
+
+  @SuppressWarnings("unchecked")
+  public UserGroupInformation verifyToken(Token<DelegationTokenIdentifier>
+      token) throws IOException {
+    ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
+    DataInputStream dis = new DataInputStream(buf);
+    DelegationTokenIdentifier id = new DelegationTokenIdentifier(tokenKind);
+    id.readFields(dis);
+    dis.close();
+    secretManager.verifyToken(id, token.getPassword());
+    return id.getUser();
+  }
+
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/KerberosDelegationTokenAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/KerberosDelegationTokenAuthenticationHandler.java
new file mode 100644
index 00000000000..395d2f2f270
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/KerberosDelegationTokenAuthenticationHandler.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.token.delegation.web;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+
+/**
+ * An {@link AuthenticationHandler} that implements Kerberos SPNEGO mechanism
+ * for HTTP and supports Delegation Token functionality.
+ * <p/>
+ * In addition to the {@link KerberosAuthenticationHandler} configuration
+ * properties, this handler supports:
+ * <ul>
+ * <li>kerberos.delegation-token.token-kind: the token kind for generated tokens
+ * (no default, required property).</li>
+ * <li>kerberos.delegation-token.update-interval.sec: secret manager master key
+ * update interval in seconds (default 1 day).</li>
+ * <li>kerberos.delegation-token.max-lifetime.sec: maximum life of a delegation
+ * token in seconds (default 7 days).</li>
+ * <li>kerberos.delegation-token.renewal-interval.sec: renewal interval for
+ * delegation tokens in seconds (default 1 day).</li>
+ * <li>kerberos.delegation-token.removal-scan-interval.sec: delegation tokens
+ * removal scan interval in seconds (default 1 hour).</li>
+ * </ul>
+ */
+@InterfaceAudience.Private
+@InterfaceStability.Evolving
+public class KerberosDelegationTokenAuthenticationHandler
+    extends DelegationTokenAuthenticationHandler {
+
+  public KerberosDelegationTokenAuthenticationHandler() {
+    super(new KerberosAuthenticationHandler(KerberosAuthenticationHandler.TYPE +
+        TYPE_POSTFIX));
+  }
+
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/KerberosDelegationTokenAuthenticator.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/KerberosDelegationTokenAuthenticator.java
new file mode 100644
index 00000000000..7e0e2661092
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/KerberosDelegationTokenAuthenticator.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.token.delegation.web;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.security.authentication.client.Authenticator;
+import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
+
+/**
+ * The <code>KerberosDelegationTokenAuthenticator</code> provides support for
+ * Kerberos SPNEGO authentication mechanism and support for Hadoop Delegation
+ * Token operations.
+ * <p/>
+ * It falls back to the {@link PseudoDelegationTokenAuthenticator} if the HTTP
+ * endpoint does not trigger a SPNEGO authentication
+ */
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public class KerberosDelegationTokenAuthenticator
+    extends DelegationTokenAuthenticator {
+
+  public KerberosDelegationTokenAuthenticator() {
+    super(new KerberosAuthenticator() {
+      @Override
+      protected Authenticator getFallBackAuthenticator() {
+        return new PseudoDelegationTokenAuthenticator();
+      }
+    });
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticationHandler.java
new file mode 100644
index 00000000000..6846fdb87e9
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticationHandler.java
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.token.delegation.web;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
+
+/**
+ * An {@link AuthenticationHandler} that implements Kerberos SPNEGO mechanism
+ * for HTTP and supports Delegation Token functionality.
+ * <p/>
+ * In addition to the {@link KerberosAuthenticationHandler} configuration
+ * properties, this handler supports:
+ * <ul>
+ * <li>simple.delegation-token.token-kind: the token kind for generated tokens
+ * (no default, required property).</li>
+ * <li>simple.delegation-token.update-interval.sec: secret manager master key
+ * update interval in seconds (default 1 day).</li>
+ * <li>simple.delegation-token.max-lifetime.sec: maximum life of a delegation
+ * token in seconds (default 7 days).</li>
+ * <li>simple.delegation-token.renewal-interval.sec: renewal interval for
+ * delegation tokens in seconds (default 1 day).</li>
+ * <li>simple.delegation-token.removal-scan-interval.sec: delegation tokens
+ * removal scan interval in seconds (default 1 hour).</li>
+ * </ul>
+ */
+@InterfaceAudience.Private
+@InterfaceStability.Evolving
+public class PseudoDelegationTokenAuthenticationHandler
+    extends DelegationTokenAuthenticationHandler {
+
+  public PseudoDelegationTokenAuthenticationHandler() {
+    super(new PseudoAuthenticationHandler(PseudoAuthenticationHandler.TYPE +
+        TYPE_POSTFIX));
+  }
+
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticator.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticator.java
index 180149c8e27..8713aa47b80 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticator.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticator.java
@@ -15,33 +15,40 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-package org.apache.hadoop.fs.http.client;
+package org.apache.hadoop.security.token.delegation.web;
 
 import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.PseudoAuthenticator;
 
 import java.io.IOException;
 
 /**
- * A <code>PseudoAuthenticator</code> subclass that uses FileSystemAccess's
- * <code>UserGroupInformation</code> to obtain the client user name (the UGI's login user).
+ * The <code>PseudoDelegationTokenAuthenticator</code> provides support for
+ * Hadoop's pseudo authentication mechanism that accepts
+ * the user name specified as a query string parameter and support for Hadoop
+ * Delegation Token operations.
+ * <p/>
+ * This mimics the model of Hadoop Simple authentication trusting the
+ * {@link UserGroupInformation#getCurrentUser()} value.
  */
-@InterfaceAudience.Private
-public class HttpFSPseudoAuthenticator extends PseudoAuthenticator {
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public class PseudoDelegationTokenAuthenticator
+    extends DelegationTokenAuthenticator {
 
-  /**
-   * Return the client user name.
-   *
-   * @return the client user name.
-   */
-  @Override
-  protected String getUserName() {
-    try {
-      return UserGroupInformation.getLoginUser().getUserName();
-    } catch (IOException ex) {
-      throw new SecurityException("Could not obtain current user, " + ex.getMessage(), ex);
-    }
+  public PseudoDelegationTokenAuthenticator() {
+    super(new PseudoAuthenticator() {
+      @Override
+      protected String getUserName() {
+        try {
+          return UserGroupInformation.getCurrentUser().getShortUserName();
+        } catch (IOException ex) {
+          throw new RuntimeException(ex);
+        }
+      }
+    });
   }
+
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/ServletUtils.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/ServletUtils.java
new file mode 100644
index 00000000000..16137accc80
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/ServletUtils.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.token.delegation.web;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.http.NameValuePair;
+import org.apache.http.client.utils.URLEncodedUtils;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.util.List;
+
+/**
+ * Servlet utility methods.
+ */
+@InterfaceAudience.Private
+class ServletUtils {
+  private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
+
+  /**
+   * Extract a query string parameter without triggering http parameters
+   * processing by the servlet container.
+   *
+   * @param request the request
+   * @param name the parameter to get the value.
+   * @return the parameter value, or <code>NULL</code> if the parameter is not
+   * defined.
+   * @throws IOException thrown if there was an error parsing the query string.
+   */
+  public static String getParameter(HttpServletRequest request, String name)
+      throws IOException {
+    List<NameValuePair> list = URLEncodedUtils.parse(request.getQueryString(),
+        UTF8_CHARSET);
+    if (list != null) {
+      for (NameValuePair nv : list) {
+        if (name.equals(nv.getName())) {
+          return nv.getValue();
+        }
+      }
+    }
+    return null;
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java
index 25612a0f3c3..c9d255dc5aa 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java
@@ -15,141 +15,162 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+package org.apache.hadoop.security.token.delegation.web;
 
-package org.apache.hadoop.fs.http.server;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.http.client.HttpFSFileSystem;
-import org.apache.hadoop.fs.http.client.HttpFSKerberosAuthenticator;
-import org.apache.hadoop.fs.http.client.HttpFSKerberosAuthenticator.DelegationTokenOperation;
-import org.apache.hadoop.hdfs.web.SWebHdfsFileSystem;
-import org.apache.hadoop.hdfs.web.WebHdfsFileSystem;
 import org.apache.hadoop.io.Text;
-import org.apache.hadoop.lib.service.DelegationTokenIdentifier;
-import org.apache.hadoop.lib.service.DelegationTokenManager;
-import org.apache.hadoop.lib.service.DelegationTokenManagerException;
-import org.apache.hadoop.lib.servlet.ServerWebApp;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
 import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
 import org.apache.hadoop.security.authentication.server.AuthenticationToken;
+import org.apache.hadoop.security.token.SecretManager;
 import org.apache.hadoop.security.token.Token;
-import org.apache.hadoop.test.HFSTestCase;
-import org.apache.hadoop.test.TestDir;
-import org.apache.hadoop.test.TestDirHelper;
-import org.json.simple.JSONObject;
-import org.json.simple.parser.JSONParser;
+import org.codehaus.jackson.map.ObjectMapper;
+import org.junit.After;
 import org.junit.Assert;
+import org.junit.Before;
 import org.junit.Test;
 import org.mockito.Mockito;
 
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.core.MediaType;
+import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.StringWriter;
-import java.net.InetAddress;
-import java.net.InetSocketAddress;
+import java.util.Map;
+import java.util.Properties;
 
-public class TestHttpFSKerberosAuthenticationHandler extends HFSTestCase {
+public class TestDelegationTokenAuthenticationHandlerWithMocks {
 
-  @Test
-  @TestDir
-  public void testManagementOperationsWebHdfsFileSystem() throws Exception {
-    testManagementOperations(WebHdfsFileSystem.TOKEN_KIND);
+  public static class MockDelegationTokenAuthenticationHandler
+      extends DelegationTokenAuthenticationHandler {
+
+    public MockDelegationTokenAuthenticationHandler() {
+      super(new AuthenticationHandler() {
+        @Override
+        public String getType() {
+          return "T";
+        }
+
+        @Override
+        public void init(Properties config) throws ServletException {
+
+        }
+
+        @Override
+        public void destroy() {
+
+        }
+
+        @Override
+        public boolean managementOperation(AuthenticationToken token,
+            HttpServletRequest request, HttpServletResponse response)
+            throws IOException, AuthenticationException {
+          return false;
+        }
+
+        @Override
+        public AuthenticationToken authenticate(HttpServletRequest request,
+            HttpServletResponse response)
+            throws IOException, AuthenticationException {
+          response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+          response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, "mock");
+          return null;
+        }
+      });
+    }
+
+  }
+
+  private DelegationTokenAuthenticationHandler handler;
+
+  @Before
+  public void setUp() throws Exception {
+    Properties conf = new Properties();
+
+    conf.put(KerberosDelegationTokenAuthenticationHandler.TOKEN_KIND, "foo");
+    handler = new MockDelegationTokenAuthenticationHandler();
+    handler.initTokenManager(conf);
+  }
+
+  @After
+  public void cleanUp() {
+      handler.destroy();
   }
 
   @Test
-  @TestDir
-  public void testManagementOperationsSWebHdfsFileSystem() throws Exception {
-    try {
-      System.setProperty(HttpFSServerWebApp.NAME +
-          ServerWebApp.SSL_ENABLED, "true");
-      testManagementOperations(SWebHdfsFileSystem.TOKEN_KIND);
-    } finally {
-      System.getProperties().remove(HttpFSServerWebApp.NAME +
-          ServerWebApp.SSL_ENABLED);
-    }
+  public void testManagementOperations() throws Exception {
+      testNonManagementOperation();
+      testManagementOperationErrors();
+      testGetToken(null, new Text("foo"));
+      testGetToken("bar", new Text("foo"));
+      testCancelToken();
+      testRenewToken();
   }
 
-  private void testManagementOperations(Text expectedTokenKind) throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-
-    Configuration httpfsConf = new Configuration(false);
-    HttpFSServerWebApp server =
-      new HttpFSServerWebApp(dir, dir, dir, dir, httpfsConf);
-    server.setAuthority(new InetSocketAddress(InetAddress.getLocalHost(), 
-                                              14000));
-    AuthenticationHandler handler =
-      new HttpFSKerberosAuthenticationHandlerForTesting();
-    try {
-      server.init();
-      handler.init(null);
-
-      testNonManagementOperation(handler);
-      testManagementOperationErrors(handler);
-      testGetToken(handler, null, expectedTokenKind);
-      testGetToken(handler, "foo", expectedTokenKind);
-      testCancelToken(handler);
-      testRenewToken(handler);
-
-    } finally {
-      if (handler != null) {
-        handler.destroy();
-      }
-    server.destroy();
-    }
-  }
-
-  private void testNonManagementOperation(AuthenticationHandler handler)
-    throws Exception {
+  private void testNonManagementOperation() throws Exception {
     HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
-    Mockito.when(request.getParameter(HttpFSFileSystem.OP_PARAM)).
-      thenReturn(null);
+    Mockito.when(request.getParameter(
+        DelegationTokenAuthenticator.OP_PARAM)).thenReturn(null);
     Assert.assertTrue(handler.managementOperation(null, request, null));
-    Mockito.when(request.getParameter(HttpFSFileSystem.OP_PARAM)).
-      thenReturn(HttpFSFileSystem.Operation.CREATE.toString());
+    Mockito.when(request.getParameter(
+        DelegationTokenAuthenticator.OP_PARAM)).thenReturn("CREATE");
     Assert.assertTrue(handler.managementOperation(null, request, null));
   }
 
-  private void testManagementOperationErrors(AuthenticationHandler handler)
-    throws Exception {
+  private void testManagementOperationErrors() throws Exception {
     HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
     HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
-    Mockito.when(request.getParameter(HttpFSFileSystem.OP_PARAM)).
-      thenReturn(DelegationTokenOperation.GETDELEGATIONTOKEN.toString());
+    Mockito.when(request.getQueryString()).thenReturn(
+        DelegationTokenAuthenticator.OP_PARAM + "=" +
+            DelegationTokenAuthenticator.DelegationTokenOperation.
+                GETDELEGATIONTOKEN.toString()
+    );
     Mockito.when(request.getMethod()).thenReturn("FOO");
     Assert.assertFalse(handler.managementOperation(null, request, response));
     Mockito.verify(response).sendError(
-      Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
-      Mockito.startsWith("Wrong HTTP method"));
+        Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
+        Mockito.startsWith("Wrong HTTP method"));
 
     Mockito.reset(response);
-    Mockito.when(request.getMethod()).
-      thenReturn(DelegationTokenOperation.GETDELEGATIONTOKEN.getHttpMethod());
+    Mockito.when(request.getMethod()).thenReturn(
+        DelegationTokenAuthenticator.DelegationTokenOperation.
+            GETDELEGATIONTOKEN.getHttpMethod()
+    );
     Assert.assertFalse(handler.managementOperation(null, request, response));
-    Mockito.verify(response).sendError(
-      Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED),
-      Mockito.contains("requires SPNEGO"));
+    Mockito.verify(response).setStatus(
+        Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED));
+    Mockito.verify(response).setHeader(
+        Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
+        Mockito.eq("mock"));
   }
 
-  private void testGetToken(AuthenticationHandler handler, String renewer,
-      Text expectedTokenKind) throws Exception {
-    DelegationTokenOperation op = DelegationTokenOperation.GETDELEGATIONTOKEN;
+  private void testGetToken(String renewer, Text expectedTokenKind)
+      throws Exception {
+    DelegationTokenAuthenticator.DelegationTokenOperation op =
+        DelegationTokenAuthenticator.DelegationTokenOperation.
+            GETDELEGATIONTOKEN;
     HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
     HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
-    Mockito.when(request.getParameter(HttpFSFileSystem.OP_PARAM)).
-      thenReturn(op.toString());
-    Mockito.when(request.getMethod()).
-      thenReturn(op.getHttpMethod());
+    Mockito.when(request.getQueryString()).
+        thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString());
+    Mockito.when(request.getMethod()).thenReturn(op.getHttpMethod());
 
     AuthenticationToken token = Mockito.mock(AuthenticationToken.class);
     Mockito.when(token.getUserName()).thenReturn("user");
-    Assert.assertFalse(handler.managementOperation(null, request, response));
-    Mockito.when(request.getParameter(HttpFSKerberosAuthenticator.RENEWER_PARAM)).
-      thenReturn(renewer);
+    Mockito.when(response.getWriter()).thenReturn(new PrintWriter(
+        new StringWriter()));
+    Assert.assertFalse(handler.managementOperation(token, request, response));
+
+    Mockito.when(request.getQueryString()).
+        thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() +
+        "&" + DelegationTokenAuthenticator.RENEWER_PARAM + "=" + renewer);
 
     Mockito.reset(response);
+    Mockito.reset(token);
+    Mockito.when(token.getUserName()).thenReturn("user");
     StringWriter writer = new StringWriter();
     PrintWriter pwriter = new PrintWriter(writer);
     Mockito.when(response.getWriter()).thenReturn(pwriter);
@@ -157,151 +178,140 @@ private void testGetToken(AuthenticationHandler handler, String renewer,
     if (renewer == null) {
       Mockito.verify(token).getUserName();
     } else {
-      Mockito.verify(token, Mockito.never()).getUserName();
+      Mockito.verify(token).getUserName();
     }
     Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
     Mockito.verify(response).setContentType(MediaType.APPLICATION_JSON);
     pwriter.close();
     String responseOutput = writer.toString();
-    String tokenLabel = HttpFSKerberosAuthenticator.DELEGATION_TOKEN_JSON;
+    String tokenLabel = DelegationTokenAuthenticator.
+        DELEGATION_TOKEN_JSON;
     Assert.assertTrue(responseOutput.contains(tokenLabel));
     Assert.assertTrue(responseOutput.contains(
-      HttpFSKerberosAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON));
-    JSONObject json = (JSONObject) new JSONParser().parse(responseOutput);
-    json = (JSONObject) json.get(tokenLabel);
+        DelegationTokenAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON));
+    ObjectMapper jsonMapper = new ObjectMapper();
+    Map json = jsonMapper.readValue(responseOutput, Map.class);
+    json = (Map) json.get(tokenLabel);
     String tokenStr;
-    tokenStr = (String)
-      json.get(HttpFSKerberosAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON);
+    tokenStr = (String) json.get(DelegationTokenAuthenticator.
+        DELEGATION_TOKEN_URL_STRING_JSON);
     Token<DelegationTokenIdentifier> dt = new Token<DelegationTokenIdentifier>();
     dt.decodeFromUrlString(tokenStr);
-    HttpFSServerWebApp.get().get(DelegationTokenManager.class).verifyToken(dt);
+    handler.getTokenManager().verifyToken(dt);
     Assert.assertEquals(expectedTokenKind, dt.getKind());
   }
 
-  private void testCancelToken(AuthenticationHandler handler)
-    throws Exception {
-    DelegationTokenOperation op =
-      DelegationTokenOperation.CANCELDELEGATIONTOKEN;
+  private void testCancelToken() throws Exception {
+    DelegationTokenAuthenticator.DelegationTokenOperation op =
+        DelegationTokenAuthenticator.DelegationTokenOperation.
+            CANCELDELEGATIONTOKEN;
     HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
     HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
-    Mockito.when(request.getParameter(HttpFSFileSystem.OP_PARAM)).
-      thenReturn(op.toString());
+    Mockito.when(request.getQueryString()).thenReturn(
+        DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString());
     Mockito.when(request.getMethod()).
-      thenReturn(op.getHttpMethod());
+        thenReturn(op.getHttpMethod());
 
     Assert.assertFalse(handler.managementOperation(null, request, response));
     Mockito.verify(response).sendError(
-      Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
-      Mockito.contains("requires the parameter [token]"));
+        Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
+        Mockito.contains("requires the parameter [token]"));
 
     Mockito.reset(response);
     Token<DelegationTokenIdentifier> token =
-      HttpFSServerWebApp.get().get(DelegationTokenManager.class).createToken(
-        UserGroupInformation.getCurrentUser(), "foo");
-    Mockito.when(request.getParameter(HttpFSKerberosAuthenticator.TOKEN_PARAM)).
-      thenReturn(token.encodeToUrlString());
+        handler.getTokenManager().createToken(
+            UserGroupInformation.getCurrentUser(), "foo");
+    Mockito.when(request.getQueryString()).thenReturn(
+        DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() + "&" +
+            DelegationTokenAuthenticator.TOKEN_PARAM + "=" +
+            token.encodeToUrlString());
     Assert.assertFalse(handler.managementOperation(null, request, response));
     Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
     try {
-      HttpFSServerWebApp.get().get(DelegationTokenManager.class).verifyToken(token);
+      handler.getTokenManager().verifyToken(token);
+      Assert.fail();
+    } catch (SecretManager.InvalidToken ex) {
+      //NOP
+    } catch (Throwable ex) {
       Assert.fail();
-    }
-    catch (DelegationTokenManagerException ex) {
-      Assert.assertTrue(ex.toString().contains("DT01"));
     }
   }
 
-  private void testRenewToken(AuthenticationHandler handler)
-    throws Exception {
-    DelegationTokenOperation op =
-      DelegationTokenOperation.RENEWDELEGATIONTOKEN;
+  private void testRenewToken() throws Exception {
+    DelegationTokenAuthenticator.DelegationTokenOperation op =
+        DelegationTokenAuthenticator.DelegationTokenOperation.
+            RENEWDELEGATIONTOKEN;
     HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
     HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
-    Mockito.when(request.getParameter(HttpFSFileSystem.OP_PARAM)).
-      thenReturn(op.toString());
+    Mockito.when(request.getQueryString()).
+        thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString());
     Mockito.when(request.getMethod()).
-      thenReturn(op.getHttpMethod());
+        thenReturn(op.getHttpMethod());
 
     Assert.assertFalse(handler.managementOperation(null, request, response));
-    Mockito.verify(response).sendError(
-      Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED),
-      Mockito.contains("equires SPNEGO authentication established"));
+    Mockito.verify(response).setStatus(
+        Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED));
+    Mockito.verify(response).setHeader(Mockito.eq(
+            KerberosAuthenticator.WWW_AUTHENTICATE),
+        Mockito.eq("mock")
+    );
 
     Mockito.reset(response);
     AuthenticationToken token = Mockito.mock(AuthenticationToken.class);
     Mockito.when(token.getUserName()).thenReturn("user");
     Assert.assertFalse(handler.managementOperation(token, request, response));
     Mockito.verify(response).sendError(
-      Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
-      Mockito.contains("requires the parameter [token]"));
+        Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
+        Mockito.contains("requires the parameter [token]"));
 
     Mockito.reset(response);
     StringWriter writer = new StringWriter();
     PrintWriter pwriter = new PrintWriter(writer);
     Mockito.when(response.getWriter()).thenReturn(pwriter);
     Token<DelegationTokenIdentifier> dToken =
-      HttpFSServerWebApp.get().get(DelegationTokenManager.class).createToken(
-        UserGroupInformation.getCurrentUser(), "user");
-    Mockito.when(request.getParameter(HttpFSKerberosAuthenticator.TOKEN_PARAM)).
-      thenReturn(dToken.encodeToUrlString());
+        handler.getTokenManager().createToken(
+            UserGroupInformation.getCurrentUser(), "user");
+    Mockito.when(request.getQueryString()).
+        thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() +
+        "&" + DelegationTokenAuthenticator.TOKEN_PARAM + "=" +
+        dToken.encodeToUrlString());
     Assert.assertFalse(handler.managementOperation(token, request, response));
     Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
     pwriter.close();
     Assert.assertTrue(writer.toString().contains("long"));
-    HttpFSServerWebApp.get().get(DelegationTokenManager.class).verifyToken(dToken);
+    handler.getTokenManager().verifyToken(dToken);
   }
 
   @Test
-  @TestDir
   public void testAuthenticate() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-
-    Configuration httpfsConf = new Configuration(false);
-    HttpFSServerWebApp server =
-      new HttpFSServerWebApp(dir, dir, dir, dir, httpfsConf);
-    server.setAuthority(new InetSocketAddress(InetAddress.getLocalHost(),
-                                              14000));
-    AuthenticationHandler handler =
-      new HttpFSKerberosAuthenticationHandlerForTesting();
-    try {
-      server.init();
-      handler.init(null);
-
-      testValidDelegationToken(handler);
-      testInvalidDelegationToken(handler);
-    } finally {
-      if (handler != null) {
-        handler.destroy();
-      }
-    server.destroy();
-    }
+    testValidDelegationToken();
+    testInvalidDelegationToken();
   }
 
-  private void testValidDelegationToken(AuthenticationHandler handler)
-    throws Exception {
+  private void testValidDelegationToken() throws Exception {
     HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
     HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
     Token<DelegationTokenIdentifier> dToken =
-      HttpFSServerWebApp.get().get(DelegationTokenManager.class).createToken(
-        UserGroupInformation.getCurrentUser(), "user");
-    Mockito.when(request.getParameter(HttpFSKerberosAuthenticator.DELEGATION_PARAM)).
-      thenReturn(dToken.encodeToUrlString());
+        handler.getTokenManager().createToken(
+            UserGroupInformation.getCurrentUser(), "user");
+    Mockito.when(request.getQueryString()).thenReturn(
+        DelegationTokenAuthenticator.DELEGATION_PARAM + "=" +
+        dToken.encodeToUrlString());
 
     AuthenticationToken token = handler.authenticate(request, response);
-    Assert.assertEquals(UserGroupInformation.getCurrentUser().getShortUserName(),
-                        token.getUserName());
+    Assert.assertEquals(UserGroupInformation.getCurrentUser().
+            getShortUserName(), token.getUserName());
     Assert.assertEquals(0, token.getExpires());
-    Assert.assertEquals(HttpFSKerberosAuthenticationHandler.TYPE,
-                        token.getType());
+    Assert.assertEquals(handler.getType(),
+        token.getType());
     Assert.assertTrue(token.isExpired());
   }
 
-  private void testInvalidDelegationToken(AuthenticationHandler handler)
-    throws Exception {
+  private void testInvalidDelegationToken() throws Exception {
     HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
     HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
-    Mockito.when(request.getParameter(HttpFSKerberosAuthenticator.DELEGATION_PARAM)).
-      thenReturn("invalid");
+    Mockito.when(request.getQueryString()).thenReturn(
+        DelegationTokenAuthenticator.DELEGATION_PARAM + "=invalid");
 
     try {
       handler.authenticate(request, response);
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenManager.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenManager.java
index da588e01149..4a0e8342f21 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenManager.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenManager.java
@@ -15,62 +15,32 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-package org.apache.hadoop.lib.service.security;
+package org.apache.hadoop.security.token.delegation.web;
 
 import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.http.server.HttpFSServerWebApp;
-import org.apache.hadoop.lib.server.Server;
-import org.apache.hadoop.lib.service.DelegationTokenManager;
-import org.apache.hadoop.lib.service.DelegationTokenManagerException;
-import org.apache.hadoop.lib.service.hadoop.FileSystemAccessService;
-import org.apache.hadoop.lib.service.instrumentation.InstrumentationService;
-import org.apache.hadoop.lib.service.scheduler.SchedulerService;
+import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
-import org.apache.hadoop.test.HTestCase;
-import org.apache.hadoop.test.TestDir;
-import org.apache.hadoop.test.TestDirHelper;
 import org.apache.hadoop.util.StringUtils;
 import org.junit.Assert;
 import org.junit.Test;
 
+import java.io.IOException;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.util.Arrays;
 
-public class TestDelegationTokenManagerService extends HTestCase {
+public class TestDelegationTokenManager {
+
+  private static final long DAY_IN_SECS = 86400;
 
   @Test
-  @TestDir
-  public void service() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("httpfs.services", StringUtils.join(",",
-      Arrays.asList(InstrumentationService.class.getName(),
-          SchedulerService.class.getName(),
-          FileSystemAccessService.class.getName(),
-          DelegationTokenManagerService.class.getName())));
-    Server server = new HttpFSServerWebApp(dir, dir, dir, dir, conf);
-    server.init();
-    DelegationTokenManager tm = server.get(DelegationTokenManager.class);
-    Assert.assertNotNull(tm);
-    server.destroy();
-  }
-
-  @Test
-  @TestDir
-  @SuppressWarnings("unchecked")
-  public void tokens() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",",
-      Arrays.asList(DelegationTokenManagerService.class.getName())));
-    HttpFSServerWebApp server = new HttpFSServerWebApp(dir, dir, dir, dir, conf);
-    server.setAuthority(new InetSocketAddress(InetAddress.getLocalHost(), 14000));
-    server.init();
-    DelegationTokenManager tm = server.get(DelegationTokenManager.class);
-    Token token = tm.createToken(UserGroupInformation.getCurrentUser(), "foo");
+  public void testDTManager() throws Exception {
+    DelegationTokenManager tm = new DelegationTokenManager(new Text("foo"),
+        DAY_IN_SECS, DAY_IN_SECS, DAY_IN_SECS, DAY_IN_SECS);
+    tm.init();
+    Token<DelegationTokenIdentifier> token =
+        tm.createToken(UserGroupInformation.getCurrentUser(), "foo");
     Assert.assertNotNull(token);
     tm.verifyToken(token);
     Assert.assertTrue(tm.renewToken(token, "foo") > System.currentTimeMillis());
@@ -78,12 +48,12 @@ public void tokens() throws Exception {
     try {
       tm.verifyToken(token);
       Assert.fail();
-    } catch (DelegationTokenManagerException ex) {
+    } catch (IOException ex) {
       //NOP
     } catch (Exception ex) {
       Assert.fail();
     }
-    server.destroy();
+    tm.destroy();
   }
 
 }
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
new file mode 100644
index 00000000000..58b8df751dc
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
@@ -0,0 +1,727 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.token.delegation.web;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.AuthenticationToken;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
+import org.codehaus.jackson.map.ObjectMapper;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mortbay.jetty.Connector;
+import org.mortbay.jetty.Server;
+import org.mortbay.jetty.servlet.Context;
+import org.mortbay.jetty.servlet.FilterHolder;
+import org.mortbay.jetty.servlet.ServletHolder;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.servlet.Filter;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.File;
+import java.io.IOException;
+import java.io.Writer;
+import java.net.HttpURLConnection;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.URL;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.UUID;
+import java.util.concurrent.Callable;
+
+public class TestWebDelegationToken {
+  private Server jetty;
+
+  public static class DummyAuthenticationHandler
+      implements AuthenticationHandler {
+    @Override
+    public String getType() {
+      return "dummy";
+    }
+
+    @Override
+    public void init(Properties config) throws ServletException {
+    }
+
+    @Override
+    public void destroy() {
+    }
+
+    @Override
+    public boolean managementOperation(AuthenticationToken token,
+        HttpServletRequest request, HttpServletResponse response)
+        throws IOException, AuthenticationException {
+      return false;
+    }
+
+    @Override
+    public AuthenticationToken authenticate(HttpServletRequest request,
+        HttpServletResponse response)
+        throws IOException, AuthenticationException {
+      AuthenticationToken token = null;
+      if (request.getParameter("authenticated") != null) {
+        token = new AuthenticationToken(request.getParameter("authenticated"),
+            "U", "test");
+      } else {
+        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, "dummy");
+      }
+      return token;
+    }
+  }
+
+  public static class DummyDelegationTokenAuthenticationHandler extends
+      DelegationTokenAuthenticationHandler {
+    public DummyDelegationTokenAuthenticationHandler() {
+      super(new DummyAuthenticationHandler());
+    }
+
+    @Override
+    public void init(Properties config) throws ServletException {
+      Properties conf = new Properties(config);
+      conf.setProperty(TOKEN_KIND, "token-kind");
+      initTokenManager(conf);
+    }
+  }
+
+  public static class AFilter extends DelegationTokenAuthenticationFilter {
+
+    @Override
+    protected Properties getConfiguration(String configPrefix,
+        FilterConfig filterConfig) {
+      Properties conf = new Properties();
+      conf.setProperty(AUTH_TYPE,
+          DummyDelegationTokenAuthenticationHandler.class.getName());
+      return conf;
+    }
+  }
+
+  public static class PingServlet extends HttpServlet {
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
+        throws ServletException, IOException {
+      resp.setStatus(HttpServletResponse.SC_OK);
+      resp.getWriter().write("ping");
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
+        throws ServletException, IOException {
+      Writer writer = resp.getWriter();
+      writer.write("ping: ");
+      IOUtils.copy(req.getReader(), writer);
+      resp.setStatus(HttpServletResponse.SC_OK);
+    }
+  }
+
+  protected Server createJettyServer() {
+    try {
+      InetAddress localhost = InetAddress.getLocalHost();
+      ServerSocket ss = new ServerSocket(0, 50, localhost);
+      int port = ss.getLocalPort();
+      ss.close();
+      jetty = new Server(0);
+      jetty.getConnectors()[0].setHost("localhost");
+      jetty.getConnectors()[0].setPort(port);
+      return jetty;
+    } catch (Exception ex) {
+      throw new RuntimeException("Could not setup Jetty: " + ex.getMessage(),
+          ex);
+    }
+  }
+
+  protected String getJettyURL() {
+    Connector c = jetty.getConnectors()[0];
+    return "http://" + c.getHost() + ":" + c.getPort();
+  }
+
+  @Before
+  public void setUp() throws Exception {
+    // resetting hadoop security to simple
+    org.apache.hadoop.conf.Configuration conf =
+        new org.apache.hadoop.conf.Configuration();
+    UserGroupInformation.setConfiguration(conf);
+
+    jetty = createJettyServer();
+  }
+
+  @After
+  public void cleanUp() throws Exception {
+    jetty.stop();
+
+    // resetting hadoop security to simple
+    org.apache.hadoop.conf.Configuration conf =
+        new org.apache.hadoop.conf.Configuration();
+    UserGroupInformation.setConfiguration(conf);
+  }
+
+  protected Server getJetty() {
+    return jetty;
+  }
+
+  @Test
+  public void testRawHttpCalls() throws Exception {
+    final Server jetty = createJettyServer();
+    Context context = new Context();
+    context.setContextPath("/foo");
+    jetty.setHandler(context);
+    context.addFilter(new FilterHolder(AFilter.class), "/*", 0);
+    context.addServlet(new ServletHolder(PingServlet.class), "/bar");
+    try {
+      jetty.start();
+      URL nonAuthURL = new URL(getJettyURL() + "/foo/bar");
+      URL authURL = new URL(getJettyURL() + "/foo/bar?authenticated=foo");
+
+      // unauthenticated access to URL
+      HttpURLConnection conn = (HttpURLConnection) nonAuthURL.openConnection();
+      Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED,
+          conn.getResponseCode());
+
+      // authenticated access to URL
+      conn = (HttpURLConnection) authURL.openConnection();
+      Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+
+      // unauthenticated access to get delegation token
+      URL url = new URL(nonAuthURL.toExternalForm() + "?op=GETDELEGATIONTOKEN");
+      conn = (HttpURLConnection) url.openConnection();
+      Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED,
+          conn.getResponseCode());
+
+      // authenticated access to get delegation token
+      url = new URL(authURL.toExternalForm() +
+          "&op=GETDELEGATIONTOKEN&renewer=foo");
+      conn = (HttpURLConnection) url.openConnection();
+      Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+      ObjectMapper mapper = new ObjectMapper();
+      Map map = mapper.readValue(conn.getInputStream(), Map.class);
+      String dt = (String) ((Map) map.get("Token")).get("urlString");
+      Assert.assertNotNull(dt);
+
+      // delegation token access to URL
+      url = new URL(nonAuthURL.toExternalForm() + "?delegation=" + dt);
+      conn = (HttpURLConnection) url.openConnection();
+      Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+
+      // delegation token and authenticated access to URL
+      url = new URL(authURL.toExternalForm() + "&delegation=" + dt);
+      conn = (HttpURLConnection) url.openConnection();
+      Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+
+      // renewew delegation token, unauthenticated access to URL
+      url = new URL(nonAuthURL.toExternalForm() +
+          "?op=RENEWDELEGATIONTOKEN&token=" + dt);
+      conn = (HttpURLConnection) url.openConnection();
+      conn.setRequestMethod("PUT");
+      Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED,
+          conn.getResponseCode());
+
+      // renewew delegation token, authenticated access to URL
+      url = new URL(authURL.toExternalForm() +
+          "&op=RENEWDELEGATIONTOKEN&token=" + dt);
+      conn = (HttpURLConnection) url.openConnection();
+      conn.setRequestMethod("PUT");
+      Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+
+      // renewew delegation token, authenticated access to URL, not renewer
+      url = new URL(getJettyURL() +
+          "/foo/bar?authenticated=bar&op=RENEWDELEGATIONTOKEN&token=" + dt);
+      conn = (HttpURLConnection) url.openConnection();
+      conn.setRequestMethod("PUT");
+      Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
+          conn.getResponseCode());
+
+      // cancel delegation token, nonauthenticated access to URL
+      url = new URL(nonAuthURL.toExternalForm() +
+          "?op=CANCELDELEGATIONTOKEN&token=" + dt);
+      conn = (HttpURLConnection) url.openConnection();
+      conn.setRequestMethod("PUT");
+      Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+
+      // cancel canceled delegation token, nonauthenticated access to URL
+      url = new URL(nonAuthURL.toExternalForm() +
+          "?op=CANCELDELEGATIONTOKEN&token=" + dt);
+      conn = (HttpURLConnection) url.openConnection();
+      conn.setRequestMethod("PUT");
+      Assert.assertEquals(HttpURLConnection.HTTP_NOT_FOUND,
+          conn.getResponseCode());
+
+      // get new delegation token
+      url = new URL(authURL.toExternalForm() +
+          "&op=GETDELEGATIONTOKEN&renewer=foo");
+      conn = (HttpURLConnection) url.openConnection();
+      Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+      mapper = new ObjectMapper();
+      map = mapper.readValue(conn.getInputStream(), Map.class);
+      dt = (String) ((Map) map.get("Token")).get("urlString");
+      Assert.assertNotNull(dt);
+
+      // cancel delegation token, authenticated access to URL
+      url = new URL(authURL.toExternalForm() +
+          "&op=CANCELDELEGATIONTOKEN&token=" + dt);
+      conn = (HttpURLConnection) url.openConnection();
+      conn.setRequestMethod("PUT");
+      Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+    } finally {
+      jetty.stop();
+    }
+  }
+
+  @Test
+  public void testDelegationTokenAuthenticatorCalls() throws Exception {
+    final Server jetty = createJettyServer();
+    Context context = new Context();
+    context.setContextPath("/foo");
+    jetty.setHandler(context);
+    context.addFilter(new FilterHolder(AFilter.class), "/*", 0);
+    context.addServlet(new ServletHolder(PingServlet.class), "/bar");
+
+    try {
+      jetty.start();
+      URL nonAuthURL = new URL(getJettyURL() + "/foo/bar");
+      URL authURL = new URL(getJettyURL() + "/foo/bar?authenticated=foo");
+      URL authURL2 = new URL(getJettyURL() + "/foo/bar?authenticated=bar");
+
+      DelegationTokenAuthenticatedURL.Token token =
+          new DelegationTokenAuthenticatedURL.Token();
+      DelegationTokenAuthenticatedURL aUrl =
+          new DelegationTokenAuthenticatedURL();
+
+      try {
+        aUrl.getDelegationToken(nonAuthURL, token, "foo");
+        Assert.fail();
+      } catch (Exception ex) {
+        Assert.assertTrue(ex.getMessage().contains("401"));
+      }
+
+      aUrl.getDelegationToken(authURL, token, "foo");
+      Assert.assertNotNull(token.getDelegationToken());
+      Assert.assertEquals(new Text("token-kind"),
+          token.getDelegationToken().getKind());
+
+      aUrl.renewDelegationToken(authURL, token);
+
+      try {
+        aUrl.renewDelegationToken(nonAuthURL, token);
+        Assert.fail();
+      } catch (Exception ex) {
+        Assert.assertTrue(ex.getMessage().contains("401"));
+      }
+
+      aUrl.getDelegationToken(authURL, token, "foo");
+
+      try {
+        aUrl.renewDelegationToken(authURL2, token);
+        Assert.fail();
+      } catch (Exception ex) {
+        Assert.assertTrue(ex.getMessage().contains("403"));
+      }
+
+      aUrl.getDelegationToken(authURL, token, "foo");
+
+      aUrl.cancelDelegationToken(authURL, token);
+
+      aUrl.getDelegationToken(authURL, token, "foo");
+
+      aUrl.cancelDelegationToken(nonAuthURL, token);
+
+      aUrl.getDelegationToken(authURL, token, "foo");
+
+      try {
+        aUrl.renewDelegationToken(nonAuthURL, token);
+      } catch (Exception ex) {
+        Assert.assertTrue(ex.getMessage().contains("401"));
+      }
+
+    } finally {
+      jetty.stop();
+    }
+  }
+
+  private static class DummyDelegationTokenSecretManager
+      extends AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> {
+
+    public DummyDelegationTokenSecretManager() {
+      super(10000, 10000, 10000, 10000);
+    }
+
+    @Override
+    public DelegationTokenIdentifier createIdentifier() {
+      return new DelegationTokenIdentifier(new Text("fooKind"));
+    }
+
+  }
+
+  @Test
+  public void testExternalDelegationTokenSecretManager() throws Exception {
+    DummyDelegationTokenSecretManager secretMgr
+        = new DummyDelegationTokenSecretManager();
+    final Server jetty = createJettyServer();
+    Context context = new Context();
+    context.setContextPath("/foo");
+    jetty.setHandler(context);
+    context.addFilter(new FilterHolder(AFilter.class), "/*", 0);
+    context.addServlet(new ServletHolder(PingServlet.class), "/bar");
+    try {
+      secretMgr.startThreads();
+      context.setAttribute(DelegationTokenAuthenticationFilter.
+              DELEGATION_TOKEN_SECRET_MANAGER_ATTR, secretMgr);
+      jetty.start();
+      URL authURL = new URL(getJettyURL() + "/foo/bar?authenticated=foo");
+
+      DelegationTokenAuthenticatedURL.Token token =
+          new DelegationTokenAuthenticatedURL.Token();
+      DelegationTokenAuthenticatedURL aUrl =
+          new DelegationTokenAuthenticatedURL();
+
+      aUrl.getDelegationToken(authURL, token, "foo");
+      Assert.assertNotNull(token.getDelegationToken());
+      Assert.assertEquals(new Text("fooKind"),
+          token.getDelegationToken().getKind());
+
+    } finally {
+      jetty.stop();
+      secretMgr.stopThreads();
+    }
+  }
+
+  public static class NoDTFilter extends AuthenticationFilter {
+
+    @Override
+    protected Properties getConfiguration(String configPrefix,
+        FilterConfig filterConfig) {
+      Properties conf = new Properties();
+      conf.setProperty(AUTH_TYPE, PseudoAuthenticationHandler.TYPE);
+      return conf;
+    }
+  }
+
+
+  public static class NoDTHandlerDTAFilter
+      extends DelegationTokenAuthenticationFilter {
+
+    @Override
+    protected Properties getConfiguration(String configPrefix,
+        FilterConfig filterConfig) {
+      Properties conf = new Properties();
+      conf.setProperty(AUTH_TYPE, PseudoAuthenticationHandler.TYPE);
+      return conf;
+    }
+  }
+
+  public static class UserServlet extends HttpServlet {
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
+        throws ServletException, IOException {
+      resp.setStatus(HttpServletResponse.SC_OK);
+      resp.getWriter().write(req.getUserPrincipal().getName());
+    }
+  }
+
+  @Test
+  public void testDelegationTokenAuthenticationURLWithNoDTFilter()
+    throws Exception {
+    testDelegationTokenAuthenticatedURLWithNoDT(NoDTFilter.class);
+  }
+
+  @Test
+  public void testDelegationTokenAuthenticationURLWithNoDTHandler()
+      throws Exception {
+    testDelegationTokenAuthenticatedURLWithNoDT(NoDTHandlerDTAFilter.class);
+  }
+
+  // we are, also, implicitly testing  KerberosDelegationTokenAuthenticator
+  // fallback here
+  private void testDelegationTokenAuthenticatedURLWithNoDT(
+      Class<? extends Filter> filterClass)  throws Exception {
+    final Server jetty = createJettyServer();
+    Context context = new Context();
+    context.setContextPath("/foo");
+    jetty.setHandler(context);
+    context.addFilter(new FilterHolder(filterClass), "/*", 0);
+    context.addServlet(new ServletHolder(UserServlet.class), "/bar");
+
+    try {
+      jetty.start();
+      final URL url = new URL(getJettyURL() + "/foo/bar");
+
+      UserGroupInformation ugi = UserGroupInformation.createRemoteUser("foo");
+      ugi.doAs(new PrivilegedExceptionAction<Void>() {
+        @Override
+        public Void run() throws Exception {
+          DelegationTokenAuthenticatedURL.Token token =
+              new DelegationTokenAuthenticatedURL.Token();
+          DelegationTokenAuthenticatedURL aUrl =
+              new DelegationTokenAuthenticatedURL();
+          HttpURLConnection conn = aUrl.openConnection(url, token);
+          Assert.assertEquals(HttpURLConnection.HTTP_OK,
+              conn.getResponseCode());
+          List<String> ret = IOUtils.readLines(conn.getInputStream());
+          Assert.assertEquals(1, ret.size());
+          Assert.assertEquals("foo", ret.get(0));
+
+          try {
+            aUrl.getDelegationToken(url, token, "foo");
+            Assert.fail();
+          } catch (AuthenticationException ex) {
+            Assert.assertTrue(ex.getMessage().contains(
+                "delegation token operation"));
+          }
+          return null;
+        }
+      });
+    } finally {
+      jetty.stop();
+    }
+  }
+
+  public static class PseudoDTAFilter
+      extends DelegationTokenAuthenticationFilter {
+
+    @Override
+    protected Properties getConfiguration(String configPrefix,
+        FilterConfig filterConfig) {
+      Properties conf = new Properties();
+      conf.setProperty(AUTH_TYPE,
+          PseudoDelegationTokenAuthenticationHandler.class.getName());
+      conf.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND,
+          "token-kind");
+      return conf;
+    }
+  }
+
+  @Test
+  public void testFallbackToPseudoDelegationTokenAuthenticator()
+      throws Exception {
+    final Server jetty = createJettyServer();
+    Context context = new Context();
+    context.setContextPath("/foo");
+    jetty.setHandler(context);
+    context.addFilter(new FilterHolder(PseudoDTAFilter.class), "/*", 0);
+    context.addServlet(new ServletHolder(UserServlet.class), "/bar");
+
+    try {
+      jetty.start();
+      final URL url = new URL(getJettyURL() + "/foo/bar");
+
+      UserGroupInformation ugi = UserGroupInformation.createRemoteUser("foo");
+      ugi.doAs(new PrivilegedExceptionAction<Void>() {
+        @Override
+        public Void run() throws Exception {
+          DelegationTokenAuthenticatedURL.Token token =
+              new DelegationTokenAuthenticatedURL.Token();
+          DelegationTokenAuthenticatedURL aUrl =
+              new DelegationTokenAuthenticatedURL();
+          HttpURLConnection conn = aUrl.openConnection(url, token);
+          Assert.assertEquals(HttpURLConnection.HTTP_OK,
+              conn.getResponseCode());
+          List<String> ret = IOUtils.readLines(conn.getInputStream());
+          Assert.assertEquals(1, ret.size());
+          Assert.assertEquals("foo", ret.get(0));
+
+          aUrl.getDelegationToken(url, token, "foo");
+          Assert.assertNotNull(token.getDelegationToken());
+          Assert.assertEquals(new Text("token-kind"),
+              token.getDelegationToken().getKind());
+          return null;
+        }
+      });
+    } finally {
+      jetty.stop();
+    }
+  }
+
+  public static class KDTAFilter extends DelegationTokenAuthenticationFilter {
+    static String keytabFile;
+
+    @Override
+    protected Properties getConfiguration(String configPrefix,
+        FilterConfig filterConfig) {
+      Properties conf = new Properties();
+      conf.setProperty(AUTH_TYPE,
+          KerberosDelegationTokenAuthenticationHandler.class.getName());
+      conf.setProperty(KerberosAuthenticationHandler.KEYTAB, keytabFile);
+      conf.setProperty(KerberosAuthenticationHandler.PRINCIPAL,
+          "HTTP/localhost");
+      conf.setProperty(KerberosDelegationTokenAuthenticationHandler.TOKEN_KIND,
+          "token-kind");
+      return conf;
+    }
+  }
+
+  private static class KerberosConfiguration extends Configuration {
+    private String principal;
+    private String keytab;
+
+    public KerberosConfiguration(String principal, String keytab) {
+      this.principal = principal;
+      this.keytab = keytab;
+    }
+
+    @Override
+    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+      Map<String, String> options = new HashMap<String, String>();
+      options.put("principal", principal);
+      options.put("keyTab", keytab);
+      options.put("useKeyTab", "true");
+      options.put("storeKey", "true");
+      options.put("doNotPrompt", "true");
+      options.put("useTicketCache", "true");
+      options.put("renewTGT", "true");
+      options.put("refreshKrb5Config", "true");
+      options.put("isInitiator", "true");
+      String ticketCache = System.getenv("KRB5CCNAME");
+      if (ticketCache != null) {
+        options.put("ticketCache", ticketCache);
+      }
+      options.put("debug", "true");
+
+      return new AppConfigurationEntry[]{
+          new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
+              AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+              options),};
+    }
+  }
+
+  public static <T> T doAsKerberosUser(String principal, String keytab,
+      final Callable<T> callable) throws Exception {
+    LoginContext loginContext = null;
+    try {
+      Set<Principal> principals = new HashSet<Principal>();
+      principals.add(new KerberosPrincipal(principal));
+      Subject subject = new Subject(false, principals, new HashSet<Object>(),
+          new HashSet<Object>());
+      loginContext = new LoginContext("", subject, null,
+          new KerberosConfiguration(principal, keytab));
+      loginContext.login();
+      subject = loginContext.getSubject();
+      return Subject.doAs(subject, new PrivilegedExceptionAction<T>() {
+        @Override
+        public T run() throws Exception {
+          return callable.call();
+        }
+      });
+    } catch (PrivilegedActionException ex) {
+      throw ex.getException();
+    } finally {
+      if (loginContext != null) {
+        loginContext.logout();
+      }
+    }
+  }
+
+  @Test
+  public void testKerberosDelegationTokenAuthenticator() throws Exception {
+    // setting hadoop security to kerberos
+    org.apache.hadoop.conf.Configuration conf =
+        new org.apache.hadoop.conf.Configuration();
+    conf.set("hadoop.security.authentication", "kerberos");
+    UserGroupInformation.setConfiguration(conf);
+
+    File testDir = new File("target/" + UUID.randomUUID().toString());
+    Assert.assertTrue(testDir.mkdirs());
+    MiniKdc kdc = new MiniKdc(MiniKdc.createConf(), testDir);
+    final Server jetty = createJettyServer();
+    Context context = new Context();
+    context.setContextPath("/foo");
+    jetty.setHandler(context);
+    context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0);
+    context.addServlet(new ServletHolder(UserServlet.class), "/bar");
+    try {
+      kdc.start();
+      File keytabFile = new File(testDir, "test.keytab");
+      kdc.createPrincipal(keytabFile, "client", "HTTP/localhost");
+      KDTAFilter.keytabFile = keytabFile.getAbsolutePath();
+      jetty.start();
+
+      final DelegationTokenAuthenticatedURL.Token token =
+          new DelegationTokenAuthenticatedURL.Token();
+      final DelegationTokenAuthenticatedURL aUrl =
+          new DelegationTokenAuthenticatedURL();
+      final URL url = new URL(getJettyURL() + "/foo/bar");
+
+      try {
+        aUrl.getDelegationToken(url, token, "foo");
+        Assert.fail();
+      } catch (AuthenticationException ex) {
+        Assert.assertTrue(ex.getMessage().contains("GSSException"));
+      }
+
+      doAsKerberosUser("client", keytabFile.getAbsolutePath(),
+          new Callable<Void>() {
+            @Override
+            public Void call() throws Exception {
+              aUrl.getDelegationToken(url, token, "client");
+              Assert.assertNotNull(token.getDelegationToken());
+
+              aUrl.renewDelegationToken(url, token);
+              Assert.assertNotNull(token.getDelegationToken());
+
+              aUrl.getDelegationToken(url, token, "foo");
+              Assert.assertNotNull(token.getDelegationToken());
+
+              try {
+                aUrl.renewDelegationToken(url, token);
+                Assert.fail();
+              } catch (Exception ex) {
+                Assert.assertTrue(ex.getMessage().contains("403"));
+              }
+
+              aUrl.getDelegationToken(url, token, "foo");
+
+              aUrl.cancelDelegationToken(url, token);
+              Assert.assertNull(token.getDelegationToken());
+
+              return null;
+            }
+          });
+    } finally {
+      jetty.stop();
+      kdc.stop();
+    }
+  }
+
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSFileSystem.java
index e637972cb1f..3749bc333a6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSFileSystem.java
@@ -39,12 +39,14 @@
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.lib.wsrs.EnumSetParam;
-import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
-import org.apache.hadoop.security.authentication.client.Authenticator;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator;
+import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticator;
 import org.apache.hadoop.util.Progressable;
 import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.util.StringUtils;
@@ -67,7 +69,6 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.net.HttpURLConnection;
-import java.net.InetSocketAddress;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
@@ -75,7 +76,6 @@
 import java.text.MessageFormat;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.concurrent.Callable;
 
 /**
  * HttpFSServer implementation of the FileSystemAccess FileSystem.
@@ -217,34 +217,15 @@ public String getMethod() {
 
   }
 
-
-  private AuthenticatedURL.Token authToken = new AuthenticatedURL.Token();
+  private DelegationTokenAuthenticatedURL authURL;
+  private DelegationTokenAuthenticatedURL.Token authToken =
+      new DelegationTokenAuthenticatedURL.Token();
   private URI uri;
-  private InetSocketAddress httpFSAddr;
   private Path workingDir;
   private UserGroupInformation realUser;
   private String doAs;
-  private Token<?> delegationToken;
 
-  //This method enables handling UGI doAs with SPNEGO, we have to
-  //fallback to the realuser who logged in with Kerberos credentials
-  private <T> T doAsRealUserIfNecessary(final Callable<T> callable)
-    throws IOException {
-    try {
-      if (realUser.getShortUserName().equals(doAs)) {
-        return callable.call();
-      } else {
-        return realUser.doAs(new PrivilegedExceptionAction<T>() {
-          @Override
-          public T run() throws Exception {
-            return callable.call();
-          }
-        });
-      }
-    } catch (Exception ex) {
-      throw new IOException(ex.toString(), ex);
-    }
-  }
+
 
   /**
    * Convenience method that creates a <code>HttpURLConnection</code> for the
@@ -291,20 +272,26 @@ private HttpURLConnection getConnection(final String method,
   private HttpURLConnection getConnection(final String method,
       Map<String, String> params, Map<String, List<String>> multiValuedParams,
       Path path, boolean makeQualified) throws IOException {
-    if (!realUser.getShortUserName().equals(doAs)) {
-      params.put(DO_AS_PARAM, doAs);
-    }
-    HttpFSKerberosAuthenticator.injectDelegationToken(params, delegationToken);
     if (makeQualified) {
       path = makeQualified(path);
     }
     final URL url = HttpFSUtils.createURL(path, params, multiValuedParams);
-    return doAsRealUserIfNecessary(new Callable<HttpURLConnection>() {
-      @Override
-      public HttpURLConnection call() throws Exception {
-        return getConnection(url, method);
+    try {
+      return UserGroupInformation.getCurrentUser().doAs(
+          new PrivilegedExceptionAction<HttpURLConnection>() {
+            @Override
+            public HttpURLConnection run() throws Exception {
+              return getConnection(url, method);
+            }
+          }
+      );
+    } catch (Exception ex) {
+      if (ex instanceof IOException) {
+        throw (IOException) ex;
+      } else {
+        throw new IOException(ex);
       }
-    });
+    }
   }
 
   /**
@@ -321,12 +308,8 @@ public HttpURLConnection call() throws Exception {
    * @throws IOException thrown if an IO error occurrs.
    */
   private HttpURLConnection getConnection(URL url, String method) throws IOException {
-    Class<? extends Authenticator> klass =
-      getConf().getClass("httpfs.authenticator.class",
-                         HttpFSKerberosAuthenticator.class, Authenticator.class);
-    Authenticator authenticator = ReflectionUtils.newInstance(klass, getConf());
     try {
-      HttpURLConnection conn = new AuthenticatedURL(authenticator).openConnection(url, authToken);
+      HttpURLConnection conn = authURL.openConnection(url, authToken);
       conn.setRequestMethod(method);
       if (method.equals(HTTP_POST) || method.equals(HTTP_PUT)) {
         conn.setDoOutput(true);
@@ -357,10 +340,17 @@ public void initialize(URI name, Configuration conf) throws IOException {
     super.initialize(name, conf);
     try {
       uri = new URI(name.getScheme() + "://" + name.getAuthority());
-      httpFSAddr = NetUtils.createSocketAddr(getCanonicalUri().toString());
     } catch (URISyntaxException ex) {
       throw new IOException(ex);
     }
+
+    Class<? extends DelegationTokenAuthenticator> klass =
+        getConf().getClass("httpfs.authenticator.class",
+            KerberosDelegationTokenAuthenticator.class,
+            DelegationTokenAuthenticator.class);
+    DelegationTokenAuthenticator authenticator =
+        ReflectionUtils.newInstance(klass, getConf());
+    authURL = new DelegationTokenAuthenticatedURL(authenticator);
   }
 
   @Override
@@ -1059,38 +1049,57 @@ public void readFields(DataInput in) throws IOException {
   @Override
   public Token<?> getDelegationToken(final String renewer)
     throws IOException {
-    return doAsRealUserIfNecessary(new Callable<Token<?>>() {
-      @Override
-      public Token<?> call() throws Exception {
-        return HttpFSKerberosAuthenticator.
-          getDelegationToken(uri, httpFSAddr, authToken, renewer);
+    try {
+      return UserGroupInformation.getCurrentUser().doAs(
+          new PrivilegedExceptionAction<Token<?>>() {
+            @Override
+            public Token<?> run() throws Exception {
+              return authURL.getDelegationToken(uri.toURL(), authToken,
+                  renewer);
+            }
+          }
+      );
+    } catch (Exception ex) {
+      if (ex instanceof IOException) {
+        throw (IOException) ex;
+      } else {
+        throw new IOException(ex);
       }
-    });
+    }
   }
 
   public long renewDelegationToken(final Token<?> token) throws IOException {
-    return doAsRealUserIfNecessary(new Callable<Long>() {
-      @Override
-      public Long call() throws Exception {
-        return HttpFSKerberosAuthenticator.
-          renewDelegationToken(uri,  authToken, token);
+    try {
+      return UserGroupInformation.getCurrentUser().doAs(
+          new PrivilegedExceptionAction<Long>() {
+            @Override
+            public Long run() throws Exception {
+              return authURL.renewDelegationToken(uri.toURL(), authToken);
+            }
+          }
+      );
+    } catch (Exception ex) {
+      if (ex instanceof IOException) {
+        throw (IOException) ex;
+      } else {
+        throw new IOException(ex);
       }
-    });
+    }
   }
 
   public void cancelDelegationToken(final Token<?> token) throws IOException {
-    HttpFSKerberosAuthenticator.
-      cancelDelegationToken(uri, authToken, token);
+    authURL.cancelDelegationToken(uri.toURL(), authToken);
   }
 
   @Override
   public Token<?> getRenewToken() {
-    return delegationToken;
+    return null; //TODO : for renewer
   }
 
   @Override
+  @SuppressWarnings("unchecked")
   public <T extends TokenIdentifier> void setDelegationToken(Token<T> token) {
-    delegationToken = token;
+    //TODO : for renewer
   }
 
   @Override
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java
new file mode 100644
index 00000000000..d65616d45c6
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.fs.http.server;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.Reader;
+import java.util.Map;
+import java.util.Properties;
+
+/**
+ * Subclass of hadoop-auth <code>AuthenticationFilter</code> that obtains its configuration
+ * from HttpFSServer's server configuration.
+ */
+@InterfaceAudience.Private
+public class HttpFSAuthenticationFilter
+    extends DelegationTokenAuthenticationFilter {
+
+  private static final String CONF_PREFIX = "httpfs.authentication.";
+
+  private static final String SIGNATURE_SECRET_FILE = SIGNATURE_SECRET + ".file";
+
+  /**
+   * Returns the hadoop-auth configuration from HttpFSServer's configuration.
+   * <p/>
+   * It returns all HttpFSServer's configuration properties prefixed with
+   * <code>httpfs.authentication</code>. The <code>httpfs.authentication</code>
+   * prefix is removed from the returned property names.
+   *
+   * @param configPrefix parameter not used.
+   * @param filterConfig parameter not used.
+   *
+   * @return hadoop-auth configuration read from HttpFSServer's configuration.
+   */
+  @Override
+  protected Properties getConfiguration(String configPrefix,
+      FilterConfig filterConfig) throws ServletException{
+    Properties props = new Properties();
+    Configuration conf = HttpFSServerWebApp.get().getConfig();
+
+    props.setProperty(AuthenticationFilter.COOKIE_PATH, "/");
+    for (Map.Entry<String, String> entry : conf) {
+      String name = entry.getKey();
+      if (name.startsWith(CONF_PREFIX)) {
+        String value = conf.get(name);
+        name = name.substring(CONF_PREFIX.length());
+        props.setProperty(name, value);
+      }
+    }
+
+    String signatureSecretFile = props.getProperty(SIGNATURE_SECRET_FILE, null);
+    if (signatureSecretFile == null) {
+      throw new RuntimeException("Undefined property: " + SIGNATURE_SECRET_FILE);
+    }
+
+    try {
+      StringBuilder secret = new StringBuilder();
+      Reader reader = new FileReader(signatureSecretFile);
+      int c = reader.read();
+      while (c > -1) {
+        secret.append((char)c);
+        c = reader.read();
+      }
+      reader.close();
+      props.setProperty(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
+    } catch (IOException ex) {
+      throw new RuntimeException("Could not read HttpFS signature secret file: " + signatureSecretFile);
+    }
+    return props;
+  }
+
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/resources/httpfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/resources/httpfs-default.xml
index 87cd73020d1..05e1400ca93 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/resources/httpfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/resources/httpfs-default.xml
@@ -35,7 +35,6 @@
       org.apache.hadoop.lib.service.scheduler.SchedulerService,
       org.apache.hadoop.lib.service.security.GroupsService,
       org.apache.hadoop.lib.service.security.ProxyUserService,
-      org.apache.hadoop.lib.service.security.DelegationTokenManagerService,
       org.apache.hadoop.lib.service.hadoop.FileSystemAccessService
     </value>
     <description>
@@ -226,12 +225,4 @@
     </description>
   </property>
 
-  <property>
-    <name>httpfs.user.provider.user.pattern</name>
-    <value>^[A-Za-z_][A-Za-z0-9._-]*[$]?$</value>
-    <description>
-      Valid pattern for user and group names, it must be a valid java regex.
-    </description>
-  </property>
-
 </configuration>
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/HttpFSKerberosAuthenticationHandlerForTesting.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/HttpFSKerberosAuthenticationHandlerForTesting.java
index 760cfd548a4..9a51bd386b0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/HttpFSKerberosAuthenticationHandlerForTesting.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/HttpFSKerberosAuthenticationHandlerForTesting.java
@@ -17,15 +17,19 @@
  */
 package org.apache.hadoop.fs.http.server;
 
+import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticationHandler;
+
 import javax.servlet.ServletException;
 import java.util.Properties;
 
 public class HttpFSKerberosAuthenticationHandlerForTesting
-  extends HttpFSKerberosAuthenticationHandler {
+  extends KerberosDelegationTokenAuthenticationHandler {
 
   @Override
   public void init(Properties config) throws ServletException {
     //NOP overwrite to avoid Kerberos initialization
+    config.setProperty(TOKEN_KIND, "t");
+    initTokenManager(config);
   }
 
   @Override
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSServer.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSServer.java
index 3e08662a9b5..c6c0d19d2ad 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSServer.java
@@ -18,6 +18,8 @@
 package org.apache.hadoop.fs.http.server;
 
 import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator;
+import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticationHandler;
 import org.json.simple.JSONArray;
 import org.junit.Assert;
 
@@ -43,7 +45,6 @@
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.XAttrCodec;
-import org.apache.hadoop.fs.http.client.HttpFSKerberosAuthenticator;
 import org.apache.hadoop.lib.server.Service;
 import org.apache.hadoop.lib.server.ServiceException;
 import org.apache.hadoop.lib.service.Groups;
@@ -682,7 +683,7 @@ public void testDelegationTokenOperations() throws Exception {
 
     AuthenticationToken token =
       new AuthenticationToken("u", "p",
-        HttpFSKerberosAuthenticationHandlerForTesting.TYPE);
+          new KerberosDelegationTokenAuthenticationHandler().getType());
     token.setExpires(System.currentTimeMillis() + 100000000);
     Signer signer = new Signer(new StringSignerSecretProvider("secret"));
     String tokenSigned = signer.sign(token.toString());
@@ -706,9 +707,9 @@ public void testDelegationTokenOperations() throws Exception {
     JSONObject json = (JSONObject)
       new JSONParser().parse(new InputStreamReader(conn.getInputStream()));
     json = (JSONObject)
-      json.get(HttpFSKerberosAuthenticator.DELEGATION_TOKEN_JSON);
+      json.get(DelegationTokenAuthenticator.DELEGATION_TOKEN_JSON);
     String tokenStr = (String)
-        json.get(HttpFSKerberosAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON);
+        json.get(DelegationTokenAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON);
 
     url = new URL(TestJettyHelper.getJettyURL(),
                   "/webhdfs/v1/?op=GETHOMEDIRECTORY&delegation=" + tokenStr);
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSWithKerberos.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSWithKerberos.java
index 45ce8ed7302..757e3fd7e73 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSWithKerberos.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSWithKerberos.java
@@ -23,11 +23,11 @@
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.http.client.HttpFSFileSystem;
-import org.apache.hadoop.fs.http.client.HttpFSKerberosAuthenticator;
 import org.apache.hadoop.hdfs.web.WebHdfsFileSystem;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator;
 import org.apache.hadoop.test.HFSTestCase;
 import org.apache.hadoop.test.KerberosTestUtils;
 import org.apache.hadoop.test.TestDir;
@@ -166,9 +166,9 @@ public Void call() throws Exception {
           .parse(new InputStreamReader(conn.getInputStream()));
         json =
           (JSONObject) json
-            .get(HttpFSKerberosAuthenticator.DELEGATION_TOKEN_JSON);
+            .get(DelegationTokenAuthenticator.DELEGATION_TOKEN_JSON);
         String tokenStr = (String) json
-          .get(HttpFSKerberosAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON);
+          .get(DelegationTokenAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON);
 
         //access httpfs using the delegation token
         url = new URL(TestJettyHelper.getJettyURL(),
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index 63705e94568..c540cc1469c 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -102,6 +102,12 @@
         <artifactId>hadoop-auth</artifactId>
         <version>${project.version}</version>
       </dependency>
+      <dependency>
+        <groupId>org.apache.hadoop</groupId>
+        <artifactId>hadoop-auth</artifactId>
+        <version>${project.version}</version>
+        <type>test-jar</type>
+      </dependency>
       <dependency>
         <groupId>org.apache.hadoop</groupId>
         <artifactId>hadoop-nfs</artifactId>

From d3a2fe280775e9320181b671d5951f06837bddad Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Fri, 8 Aug 2014 05:41:38 +0000
Subject: [PATCH 160/354] HDFS-6772. Get DN storages out of blockContentsStale
 state faster after NN restarts. (Contributed by Ming Ma)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616680 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ++
 .../blockmanagement/DatanodeManager.java      | 21 +++++++++-
 .../blockmanagement/HeartbeatManager.java     |  8 ++++
 .../hdfs/server/datanode/BPOfferService.java  |  2 +-
 .../hdfs/server/datanode/BPServiceActor.java  | 15 ++++++-
 .../hdfs/server/namenode/FSNamesystem.java    | 10 ++++-
 .../namenode/metrics/FSNamesystemMBean.java   |  7 ++++
 .../hdfs/server/protocol/RegisterCommand.java |  3 ++
 .../namenode/TestFSNamesystemMBean.java       |  2 +
 .../hdfs/server/namenode/TestStartup.java     | 41 +++++++++++++++++++
 10 files changed, 108 insertions(+), 4 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 3b179032457..a146e407ee7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -379,6 +379,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6722. Display readable last contact time for dead nodes on NN webUI.
     (Ming Ma via wheat9)
 
+    HDFS-6772. Get DN storages out of blockContentsStale state faster after
+    NN restarts. (Ming Ma via Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeManager.java
index 69b2b695415..709f060d237 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeManager.java
@@ -135,7 +135,10 @@ public class DatanodeManager {
   
   /** The number of stale DataNodes */
   private volatile int numStaleNodes;
-  
+
+  /** The number of stale storages */
+  private volatile int numStaleStorages;
+
   /**
    * Whether or not this cluster has ever consisted of more than 1 rack,
    * according to the NetworkTopology.
@@ -1142,6 +1145,22 @@ public int getNumStaleNodes() {
     return this.numStaleNodes;
   }
 
+  /**
+   * Get the number of content stale storages.
+   */
+  public int getNumStaleStorages() {
+    return numStaleStorages;
+  }
+
+  /**
+   * Set the number of content stale storages.
+   *
+   * @param numStaleStorages The number of content stale storages.
+   */
+  void setNumStaleStorages(int numStaleStorages) {
+    this.numStaleStorages = numStaleStorages;
+  }
+
   /** Fetch live and dead datanodes. */
   public void fetchDatanodes(final List<DatanodeDescriptor> live, 
       final List<DatanodeDescriptor> dead, final boolean removeDecommissionNode) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/HeartbeatManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/HeartbeatManager.java
index 901f7e3653d..a4f839afd31 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/HeartbeatManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/HeartbeatManager.java
@@ -256,6 +256,7 @@ void heartbeatCheck() {
       DatanodeID dead = null;
       // check the number of stale nodes
       int numOfStaleNodes = 0;
+      int numOfStaleStorages = 0;
       synchronized(this) {
         for (DatanodeDescriptor d : datanodes) {
           if (dead == null && dm.isDatanodeDead(d)) {
@@ -265,10 +266,17 @@ void heartbeatCheck() {
           if (d.isStale(dm.getStaleInterval())) {
             numOfStaleNodes++;
           }
+          DatanodeStorageInfo[] storageInfos = d.getStorageInfos();
+          for(DatanodeStorageInfo storageInfo : storageInfos) {
+            if (storageInfo.areBlockContentsStale()) {
+              numOfStaleStorages++;
+            }
+          }
         }
         
         // Set the number of stale nodes in the DatanodeManager
         dm.setNumStaleNodes(numOfStaleNodes);
+        dm.setNumStaleStorages(numOfStaleStorages);
       }
 
       allAlive = dead == null;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java
index 39e842ccfd4..822c03d8c3f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPOfferService.java
@@ -601,7 +601,7 @@ boolean processCommandFromActor(DatanodeCommand cmd,
       LOG.info("DatanodeCommand action : DNA_REGISTER from " + actor.nnAddr
           + " with " + actor.state + " state");
       actor.reRegister();
-      return true;
+      return false;
     }
     writeLock();
     try {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPServiceActor.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPServiceActor.java
index 83237e60cc7..59ca11a5404 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPServiceActor.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BPServiceActor.java
@@ -222,7 +222,19 @@ private void connectToNNAndHandshake() throws IOException {
     // Second phase of the handshake with the NN.
     register();
   }
-  
+
+  // This is useful to make sure NN gets Heartbeat before Blockreport
+  // upon NN restart while DN keeps retrying Otherwise,
+  // 1. NN restarts.
+  // 2. Heartbeat RPC will retry and succeed. NN asks DN to reregister.
+  // 3. After reregistration completes, DN will send Blockreport first.
+  // 4. Given NN receives Blockreport after Heartbeat, it won't mark
+  //    DatanodeStorageInfo#blockContentsStale to false until the next
+  //    Blockreport.
+  void scheduleHeartbeat() {
+    lastHeartbeat = 0;
+  }
+
   /**
    * This methods  arranges for the data node to send the block report at 
    * the next heartbeat.
@@ -902,6 +914,7 @@ void reRegister() throws IOException {
       retrieveNamespaceInfo();
       // and re-register
       register();
+      scheduleHeartbeat();
     }
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index edfdfc1c894..5d9a3bd050f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -6088,7 +6088,6 @@ void shutdown() {
       blockManager.shutdown();
     }
   }
-  
 
   @Override // FSNamesystemMBean
   public int getNumLiveDataNodes() {
@@ -6135,6 +6134,15 @@ public int getNumStaleDataNodes() {
     return getBlockManager().getDatanodeManager().getNumStaleNodes();
   }
 
+  /**
+   * Storages are marked as "content stale" after NN restart or fails over and
+   * before NN receives the first Heartbeat followed by the first Blockreport.
+   */
+  @Override // FSNamesystemMBean
+  public int getNumStaleStorages() {
+    return getBlockManager().getDatanodeManager().getNumStaleStorages();
+  }
+
   /**
    * Sets the current generation stamp for legacy blocks
    */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/metrics/FSNamesystemMBean.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/metrics/FSNamesystemMBean.java
index f02eb846930..587746df154 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/metrics/FSNamesystemMBean.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/metrics/FSNamesystemMBean.java
@@ -151,4 +151,11 @@ public interface FSNamesystemMBean {
    * @return number of blocks pending deletion
    */
   long getPendingDeletionBlocks();
+
+  /**
+   * Number of content stale storages.
+   * @return number of content stale storages
+   */
+  public int getNumStaleStorages();
+
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/RegisterCommand.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/RegisterCommand.java
index a6cd4498fc9..a102c8291bc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/RegisterCommand.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/protocol/RegisterCommand.java
@@ -22,6 +22,9 @@
 
 /**
  * A BlockCommand is an instruction to a datanode to register with the namenode.
+ * This command can't be combined with other commands in the same response.
+ * This is because after the datanode processes RegisterCommand, it will skip
+ * the rest of the DatanodeCommands in the same HeartbeatResponse.
  */
 @InterfaceAudience.Private
 @InterfaceStability.Evolving
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSNamesystemMBean.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSNamesystemMBean.java
index 100e2fedfcc..39e1165359d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSNamesystemMBean.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSNamesystemMBean.java
@@ -94,6 +94,8 @@ public void run() {
             "SnapshotStats"));
         Long MaxObjects = (Long) (mbs.getAttribute(mxbeanNameFsns,
             "MaxObjects"));
+        Integer numStaleStorages = (Integer) (mbs.getAttribute(
+            mxbeanNameFsns, "NumStaleStorages"));
 
         // Metrics that belong to "NameNodeInfo".
         // These are metrics that FSNamesystem registers directly with MBeanServer.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestStartup.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestStartup.java
index 93935d4930b..db8b3a94085 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestStartup.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestStartup.java
@@ -26,6 +26,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.lang.management.ManagementFactory;
 import java.net.InetAddress;
 import java.net.URI;
 import java.util.ArrayList;
@@ -49,6 +50,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.SafeModeAction;
+import org.apache.hadoop.hdfs.server.blockmanagement.BlockManagerTestUtil;
 import org.apache.hadoop.hdfs.server.common.Storage;
 import org.apache.hadoop.hdfs.server.common.Storage.StorageDirectory;
 import org.apache.hadoop.hdfs.server.namenode.NNStorage.NameNodeDirType;
@@ -64,6 +66,9 @@
 import org.junit.Before;
 import org.junit.Test;
 
+import javax.management.MBeanServer;
+import javax.management.ObjectName;
+
 /**
  * Startup and checkpoint tests
  * 
@@ -684,4 +689,40 @@ public void testXattrConfiguration() throws Exception {
       }
     }
   }
+
+
+  /**
+   * Verify the following scenario.
+   * 1. NN restarts.
+   * 2. Heartbeat RPC will retry and succeed. NN asks DN to reregister.
+   * 3. After reregistration completes, DN will send Heartbeat, followed by
+   *    Blockreport.
+   * 4. NN will mark DatanodeStorageInfo#blockContentsStale to false.
+   * @throws Exception
+   */
+  @Test(timeout = 60000)
+  public void testStorageBlockContentsStaleAfterNNRestart() throws Exception {
+    MiniDFSCluster dfsCluster = null;
+    try {
+      Configuration config = new Configuration();
+      dfsCluster = new MiniDFSCluster.Builder(config).numDataNodes(1).build();
+      dfsCluster.waitActive();
+      dfsCluster.restartNameNode(true);
+      BlockManagerTestUtil.checkHeartbeat(
+          dfsCluster.getNamesystem().getBlockManager());
+      MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
+      ObjectName mxbeanNameFsns = new ObjectName(
+          "Hadoop:service=NameNode,name=FSNamesystemState");
+      Integer numStaleStorages = (Integer) (mbs.getAttribute(
+          mxbeanNameFsns, "NumStaleStorages"));
+      assertEquals(0, numStaleStorages.intValue());
+    } finally {
+      if (dfsCluster != null) {
+        dfsCluster.shutdown();
+      }
+    }
+
+    return;
+  }
+
 }

From 1fa2d6c4ba780e0093f9379f627ba2a2abd6f827 Mon Sep 17 00:00:00 2001
From: Uma Maheswara Rao G <umamahesh@apache.org>
Date: Fri, 8 Aug 2014 11:35:16 +0000
Subject: [PATCH 161/354] HDFS-6834. Improve the configuration guidance in
 DFSClient when there are no Codec classes found in configs. Contributed by
 Uma Maheswara Rao G.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1616721 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |  3 +++
 .../org/apache/hadoop/hdfs/DFSClient.java     | 22 +++++++++++++++----
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 99613e996af..96ac01fda30 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -76,6 +76,9 @@ fs-encryption (Unreleased)
 
     HDFS-6394. HDFS encryption documentation. (wang)
 
+    HDFS-6834. Improve the configuration guidance in DFSClient when there 
+    are no Codec classes found in configs. (umamahesh)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index f27342053c0..39f988ccab1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -20,6 +20,8 @@
 import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import static org.apache.hadoop.crypto.key.KeyProviderCryptoExtension
     .EncryptedKeyVersion;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY;
 import static org.apache.hadoop.fs.CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT;
 import static org.apache.hadoop.fs.CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_BLOCK_SIZE_DEFAULT;
@@ -1338,8 +1340,14 @@ public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
       KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
       CryptoCodec codec = CryptoCodec
           .getInstance(conf, feInfo.getCipherSuite());
-      Preconditions.checkNotNull(codec == null,
-          "No crypto codec classes with cipher suite configured.");
+      if (codec == null) {
+        throw new IOException("No configuration found for the cipher suite "
+            + feInfo.getCipherSuite().getConfigSuffix() + " prefixed with "
+            + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
+            + ". Please see the example configuration "
+            + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
+            + "at core-default.xml for details.");
+      }
       final CryptoInputStream cryptoIn =
           new CryptoInputStream(dfsis, codec, decrypted.getMaterial(),
               feInfo.getIV());
@@ -1367,8 +1375,14 @@ public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
       FileSystem.Statistics statistics, long startPos) throws IOException {
     final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
     if (feInfo != null) {
-      Preconditions.checkNotNull(codec == null,
-          "No crypto codec classes with cipher suite configured.");
+      if (codec == null) {
+        throw new IOException("No configuration found for the cipher suite "
+            + HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY + " value prefixed with "
+            + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
+            + ". Please see the example configuration "
+            + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
+            + "at core-default.xml for details.");
+      }
       // File is encrypted, wrap the stream in a crypto stream.
       KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
       final CryptoOutputStream cryptoOut =

From 14864e9c7c879c15b5fa2d1776614ec83152918f Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Fri, 8 Aug 2014 14:17:54 +0000
Subject: [PATCH 162/354] YARN-2352. FairScheduler: Collect metrics on duration
 of critical methods that affect performance. (kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616769 13f79535-47bb-0310-9956-ffa450edef68
---
 .../metrics2/impl/MetricsCollectorImpl.java   |  6 ++-
 .../hadoop/metrics2/lib/MutableStat.java      |  8 ++++
 hadoop-yarn-project/CHANGES.txt               |  3 ++
 .../dev-support/findbugs-exclude.xml          |  7 ++++
 .../scheduler/fair/FairScheduler.java         | 37 +++++++++++++++----
 .../scheduler/fair/TestFairScheduler.java     | 11 ++++++
 6 files changed, 64 insertions(+), 8 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics2/impl/MetricsCollectorImpl.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics2/impl/MetricsCollectorImpl.java
index 5f536298021..be442edb1b8 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics2/impl/MetricsCollectorImpl.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics2/impl/MetricsCollectorImpl.java
@@ -21,14 +21,18 @@
 import java.util.Iterator;
 import java.util.List;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.Lists;
 
+import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.metrics2.MetricsInfo;
 import org.apache.hadoop.metrics2.MetricsCollector;
 import org.apache.hadoop.metrics2.MetricsFilter;
 import static org.apache.hadoop.metrics2.lib.Interns.*;
 
-class MetricsCollectorImpl implements MetricsCollector,
+@InterfaceAudience.Private
+@VisibleForTesting
+public class MetricsCollectorImpl implements MetricsCollector,
     Iterable<MetricsRecordBuilderImpl> {
 
   private final List<MetricsRecordBuilderImpl> rbs = Lists.newArrayList();
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics2/lib/MutableStat.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics2/lib/MutableStat.java
index b8ba435bf45..ba377570efb 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics2/lib/MutableStat.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics2/lib/MutableStat.java
@@ -89,6 +89,14 @@ public MutableStat(String name, String description,
     this(name, description, sampleName, valueName, false);
   }
 
+  /**
+   * Set whether to display the extended stats (stdev, min/max etc.) or not
+   * @param extended enable/disable displaying extended stats
+   */
+  public synchronized void setExtended(boolean extended) {
+    this.extended = extended;
+  }
+
   /**
    * Add a number of samples and their sum to the running stat
    * @param numSamples  number of samples
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index a5b77545d8a..eb9079d9f60 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -94,6 +94,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2288. Made persisted data in LevelDB timeline store be versioned. (Junping Du
     via zjshen)
 
+    YARN-2352. FairScheduler: Collect metrics on duration of critical methods that 
+    affect performance. (kasha)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/dev-support/findbugs-exclude.xml b/hadoop-yarn-project/hadoop-yarn/dev-support/findbugs-exclude.xml
index 781d7a35922..6609a260130 100644
--- a/hadoop-yarn-project/hadoop-yarn/dev-support/findbugs-exclude.xml
+++ b/hadoop-yarn-project/hadoop-yarn/dev-support/findbugs-exclude.xml
@@ -200,6 +200,13 @@
     <Field name="updateInterval" />
     <Bug pattern="IS2_INCONSISTENT_SYNC" />
   </Match>
+  <!-- Inconsistent sync warning - callDurationMetrics is only initialized once and never changed -->
+  <Match>
+    <Class name="org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler" />
+    <Field name="fsOpDurations" />
+    <Bug pattern="IS2_INCONSISTENT_SYNC" />
+  </Match>
+
   <!-- Inconsistent sync warning - numRetries is only initialized once and never changed -->
   <Match>
     <Class name="org.apache.hadoop.yarn.server.resourcemanager.recovery.ZKRMStateStore" />
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
index 4e1c244730a..8765ba04dc7 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
@@ -149,6 +149,7 @@ public class FairScheduler extends
 
   // Aggregate metrics
   FSQueueMetrics rootMetrics;
+  FSOpDurations fsOpDurations;
 
   // Time when we last updated preemption vars
   protected long lastPreemptionUpdateTime;
@@ -256,8 +257,11 @@ public void run() {
       while (!Thread.currentThread().isInterrupted()) {
         try {
           Thread.sleep(updateInterval);
+          long start = getClock().getTime();
           update();
           preemptTasksIfNecessary();
+          long duration = getClock().getTime() - start;
+          fsOpDurations.addUpdateThreadRunDuration(duration);
         } catch (InterruptedException ie) {
           LOG.warn("Update thread interrupted. Exiting.");
           return;
@@ -294,6 +298,7 @@ public void run() {
    * required resources per job.
    */
   protected synchronized void update() {
+    long start = getClock().getTime();
     updatePreemptionVariables(); // Determine if any queues merit preemption
 
     FSQueue rootQueue = queueMgr.getRootQueue();
@@ -317,6 +322,9 @@ protected synchronized void update() {
             "  Demand: " + rootQueue.getDemand());
       }
     }
+
+    long duration = getClock().getTime() - start;
+    fsOpDurations.addUpdateCallDuration(duration);
   }
 
   /**
@@ -325,7 +333,7 @@ protected synchronized void update() {
    * for each type of task.
    */
   private void updatePreemptionVariables() {
-    long now = clock.getTime();
+    long now = getClock().getTime();
     lastPreemptionUpdateTime = now;
     for (FSLeafQueue sched : queueMgr.getLeafQueues()) {
       if (!isStarvedForMinShare(sched)) {
@@ -352,7 +360,8 @@ boolean isStarvedForMinShare(FSLeafQueue sched) {
    * defined as being below half its fair share.
    */
   boolean isStarvedForFairShare(FSLeafQueue sched) {
-    Resource desiredFairShare = Resources.min(RESOURCE_CALCULATOR, clusterResource,
+    Resource desiredFairShare = Resources.min(RESOURCE_CALCULATOR,
+        clusterResource,
         Resources.multiply(sched.getFairShare(), .5), sched.getDemand());
     return Resources.lessThan(RESOURCE_CALCULATOR, clusterResource,
         sched.getResourceUsage(), desiredFairShare);
@@ -370,7 +379,7 @@ protected synchronized void preemptTasksIfNecessary() {
       return;
     }
 
-    long curTime = clock.getTime();
+    long curTime = getClock().getTime();
     if (curTime - lastPreemptCheckTime < preemptionInterval) {
       return;
     }
@@ -398,6 +407,7 @@ protected synchronized void preemptTasksIfNecessary() {
    * We make sure that no queue is placed below its fair share in the process.
    */
   protected void preemptResources(Resource toPreempt) {
+    long start = getClock().getTime();
     if (Resources.equals(toPreempt, Resources.none())) {
       return;
     }
@@ -448,6 +458,9 @@ protected void preemptResources(Resource toPreempt) {
         }
       }
     }
+
+    long duration = getClock().getTime() - start;
+    fsOpDurations.addPreemptCallDuration(duration);
   }
   
   protected void warnOrKillContainer(RMContainer container) {
@@ -463,7 +476,7 @@ protected void warnOrKillContainer(RMContainer container) {
     if (time != null) {
       // if we asked for preemption more than maxWaitTimeBeforeKill ms ago,
       // proceed with kill
-      if (time + waitTimeBeforeKill < clock.getTime()) {
+      if (time + waitTimeBeforeKill < getClock().getTime()) {
         ContainerStatus status =
           SchedulerUtils.createPreemptedContainerStatus(
             container.getContainerId(), SchedulerUtils.PREEMPTED_CONTAINER);
@@ -474,11 +487,11 @@ protected void warnOrKillContainer(RMContainer container) {
         completedContainer(container, status, RMContainerEventType.KILL);
         LOG.info("Killing container" + container +
             " (after waiting for premption for " +
-            (clock.getTime() - time) + "ms)");
+            (getClock().getTime() - time) + "ms)");
       }
     } else {
       // track the request in the FSSchedulerApp itself
-      app.addPreemption(container, clock.getTime());
+      app.addPreemption(container, getClock().getTime());
     }
   }
 
@@ -659,7 +672,7 @@ queue, new ActiveUsersManager(getRootQueueMetrics()),
             rmContext);
     if (transferStateFromPreviousAttempt) {
       attempt.transferStateFromPreviousAttempt(application
-        .getCurrentAppAttempt());
+          .getCurrentAppAttempt());
     }
     application.setCurrentAppAttempt(attempt);
 
@@ -960,6 +973,7 @@ public Allocation allocate(ApplicationAttemptId appAttemptId,
    * Process a heartbeat update from a node.
    */
   private synchronized void nodeUpdate(RMNode nm) {
+    long start = getClock().getTime();
     if (LOG.isDebugEnabled()) {
       LOG.debug("nodeUpdate: " + nm + " cluster capacity: " + clusterResource);
     }
@@ -996,9 +1010,13 @@ private synchronized void nodeUpdate(RMNode nm) {
     } else {
       attemptScheduling(node);
     }
+
+    long duration = getClock().getTime() - start;
+    fsOpDurations.addNodeUpdateDuration(duration);
   }
 
   void continuousSchedulingAttempt() throws InterruptedException {
+    long start = getClock().getTime();
     List<NodeId> nodeIdList = new ArrayList<NodeId>(nodes.keySet());
     // Sort the nodes by space available on them, so that we offer
     // containers on emptier nodes first, facilitating an even spread. This
@@ -1021,6 +1039,9 @@ void continuousSchedulingAttempt() throws InterruptedException {
             ": " + ex.toString(), ex);
       }
     }
+
+    long duration = getClock().getTime() - start;
+    fsOpDurations.addContinuousSchedulingRunDuration(duration);
   }
 
   /** Sort nodes by available resource */
@@ -1244,6 +1265,8 @@ private synchronized void initScheduler(Configuration conf)
     }
 
     rootMetrics = FSQueueMetrics.forQueue("root", null, true, conf);
+    fsOpDurations = FSOpDurations.getInstance(true);
+
     // This stores per-application scheduling information
     this.applications =
         new ConcurrentHashMap<ApplicationId,SchedulerApplication<FSSchedulerApp>>();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
index 23c928c8f37..f3289ccea1c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
@@ -18,6 +18,7 @@
 
 package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair;
 
+import org.apache.hadoop.metrics2.impl.MetricsCollectorImpl;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotEquals;
@@ -3366,4 +3367,14 @@ public void testThreadLifeCycle() throws InterruptedException {
 
     assertNotEquals("One of the threads is still alive", 0, numRetries);
   }
+
+  @Test
+  public void testPerfMetricsInited() {
+    scheduler.init(conf);
+    scheduler.start();
+    MetricsCollectorImpl collector = new MetricsCollectorImpl();
+    scheduler.fsOpDurations.getMetrics(collector, true);
+    assertEquals("Incorrect number of perf metrics", 1,
+        collector.getRecords().size());
+  }
 }

From 6d39525f6b7171db726373106cfda10e47f66d97 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Fri, 8 Aug 2014 14:38:18 +0000
Subject: [PATCH 163/354] YARN-2352. Add missing file. FairScheduler: Collect
 metrics on duration of critical methods that affect performance. (kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616784 13f79535-47bb-0310-9956-ffa450edef68
---
 .../scheduler/fair/FSOpDurations.java         | 119 ++++++++++++++++++
 1 file changed, 119 insertions(+)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSOpDurations.java

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSOpDurations.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSOpDurations.java
new file mode 100644
index 00000000000..c2282fdb736
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSOpDurations.java
@@ -0,0 +1,119 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.metrics2.MetricsCollector;
+import org.apache.hadoop.metrics2.MetricsInfo;
+import org.apache.hadoop.metrics2.MetricsSource;
+import org.apache.hadoop.metrics2.MetricsSystem;
+import org.apache.hadoop.metrics2.annotation.Metric;
+import org.apache.hadoop.metrics2.annotation.Metrics;
+import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
+import org.apache.hadoop.metrics2.lib.MetricsRegistry;
+
+import static org.apache.hadoop.metrics2.lib.Interns.info;
+import org.apache.hadoop.metrics2.lib.MutableRate;
+
+/**
+ * Class to capture the performance metrics of FairScheduler.
+ * This should be a singleton.
+ */
+@InterfaceAudience.Private
+@InterfaceStability.Unstable
+@Metrics(context="fairscheduler-op-durations")
+public class FSOpDurations implements MetricsSource {
+
+  @Metric("Duration for a continuous scheduling run")
+  MutableRate continuousSchedulingRun;
+
+  @Metric("Duration to handle a node update")
+  MutableRate nodeUpdateCall;
+
+  @Metric("Duration for a update thread run")
+  MutableRate updateThreadRun;
+
+  @Metric("Duration for an update call")
+  MutableRate updateCall;
+
+  @Metric("Duration for a preempt call")
+  MutableRate preemptCall;
+
+  private static final MetricsInfo RECORD_INFO =
+      info("FSOpDurations", "Durations of FairScheduler calls or thread-runs");
+
+  private final MetricsRegistry registry;
+
+  private boolean isExtended = false;
+
+  private static final FSOpDurations INSTANCE = new FSOpDurations();
+
+  public static FSOpDurations getInstance(boolean isExtended) {
+    INSTANCE.setExtended(isExtended);
+    return INSTANCE;
+  }
+
+  private FSOpDurations() {
+    registry = new MetricsRegistry(RECORD_INFO);
+    registry.tag(RECORD_INFO, "FSOpDurations");
+
+    MetricsSystem ms = DefaultMetricsSystem.instance();
+    if (ms != null) {
+      ms.register(RECORD_INFO.name(), RECORD_INFO.description(), this);
+    }
+  }
+
+  private synchronized void setExtended(boolean isExtended) {
+    if (isExtended == INSTANCE.isExtended)
+      return;
+
+    continuousSchedulingRun.setExtended(isExtended);
+    nodeUpdateCall.setExtended(isExtended);
+    updateThreadRun.setExtended(isExtended);
+    updateCall.setExtended(isExtended);
+    preemptCall.setExtended(isExtended);
+
+    INSTANCE.isExtended = isExtended;
+  }
+
+  @Override
+  public synchronized void getMetrics(MetricsCollector collector, boolean all) {
+    registry.snapshot(collector.addRecord(registry.info()), all);
+  }
+
+  public void addContinuousSchedulingRunDuration(long value) {
+    continuousSchedulingRun.add(value);
+  }
+
+  public void addNodeUpdateDuration(long value) {
+    nodeUpdateCall.add(value);
+  }
+
+  public void addUpdateThreadRunDuration(long value) {
+    updateThreadRun.add(value);
+  }
+
+  public void addUpdateCallDuration(long value) {
+    updateCall.add(value);
+  }
+
+  public void addPreemptCallDuration(long value) {
+    preemptCall.add(value);
+  }
+}

From 70d453602cfd6f2b3f109c5961d2338301fc950f Mon Sep 17 00:00:00 2001
From: Chris Nauroth <cnauroth@apache.org>
Date: Fri, 8 Aug 2014 16:26:45 +0000
Subject: [PATCH 164/354] HDFS-573. Porting libhdfs to Windows. Contributed by
 Chris Nauroth.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616814 13f79535-47bb-0310-9956-ffa450edef68
---
 BUILDING.txt                                  |   1 +
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   2 +
 hadoop-hdfs-project/hadoop-hdfs/pom.xml       | 117 ++++-
 .../hadoop-hdfs/src/CMakeLists.txt            |  74 +++-
 .../src/main/native/fuse-dfs/CMakeLists.txt   |   4 +
 .../src/main/native/libhdfs/common/htable.c   | 271 ++++++++++++
 .../src/main/native/libhdfs/common/htable.h   | 161 +++++++
 .../src/main/native/libhdfs/exception.c       |  65 +--
 .../src/main/native/libhdfs/exception.h       |  10 +-
 .../src/main/native/libhdfs/expect.c          |   8 +-
 .../src/main/native/libhdfs/expect.h          |  12 +
 .../src/main/native/libhdfs/hdfs.c            | 416 ++++++++++--------
 .../src/main/native/libhdfs/jni_helper.c      | 265 ++++-------
 .../src/main/native/libhdfs/jni_helper.h      |   2 -
 .../src/main/native/libhdfs/native_mini_dfs.c |   6 +-
 .../src/main/native/libhdfs/os/mutexes.h      |  55 +++
 .../main/native/libhdfs/os/posix/mutexes.c    |  43 ++
 .../main/native/libhdfs/os/posix/platform.h   |  34 ++
 .../src/main/native/libhdfs/os/posix/thread.c |  52 +++
 .../libhdfs/os/posix/thread_local_storage.c   |  80 ++++
 .../src/main/native/libhdfs/os/thread.h       |  54 +++
 .../native/libhdfs/os/thread_local_storage.h  |  75 ++++
 .../main/native/libhdfs/os/windows/inttypes.h |  28 ++
 .../main/native/libhdfs/os/windows/mutexes.c  |  52 +++
 .../main/native/libhdfs/os/windows/platform.h |  86 ++++
 .../main/native/libhdfs/os/windows/thread.c   |  66 +++
 .../libhdfs/os/windows/thread_local_storage.c | 164 +++++++
 .../main/native/libhdfs/os/windows/unistd.h   |  29 ++
 .../native/libhdfs/test/test_libhdfs_ops.c    | 230 +++++-----
 .../native/libhdfs/test/test_libhdfs_read.c   |  19 +-
 .../native/libhdfs/test/test_libhdfs_write.c  |  29 +-
 .../libhdfs/test/test_libhdfs_zerocopy.c      |  31 +-
 .../native/libhdfs/test_libhdfs_threaded.c    |  39 +-
 .../native/libhdfs/test_native_mini_dfs.c     |   2 +-
 34 files changed, 1965 insertions(+), 617 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/common/htable.c
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/common/htable.h
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/mutexes.h
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/mutexes.c
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/platform.h
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/thread.c
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/thread_local_storage.c
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/thread.h
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/thread_local_storage.h
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/inttypes.h
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/mutexes.c
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/platform.h
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/thread.c
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/thread_local_storage.c
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/unistd.h

diff --git a/BUILDING.txt b/BUILDING.txt
index bfb0e0852e7..59eb447e1b8 100644
--- a/BUILDING.txt
+++ b/BUILDING.txt
@@ -189,6 +189,7 @@ Requirements:
 * Maven 3.0 or later
 * Findbugs 1.3.9 (if running findbugs)
 * ProtocolBuffer 2.5.0
+* CMake 2.6 or newer
 * Windows SDK or Visual Studio 2010 Professional
 * Unix command-line tools from GnuWin32 or Cygwin: sh, mkdir, rm, cp, tar, gzip
 * zlib headers (if building native code bindings for zlib)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index a146e407ee7..bf8fc033554 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -382,6 +382,8 @@ Release 2.6.0 - UNRELEASED
     HDFS-6772. Get DN storages out of blockContentsStale state faster after
     NN restarts. (Ming Ma via Arpit Agarwal)
 
+    HDFS-573. Porting libhdfs to Windows. (cnauroth)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/pom.xml b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
index 2d48918d6ae..5a0d7a832ab 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/pom.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
@@ -360,16 +360,97 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
 
   <profiles>
     <profile>
-      <id>windows</id>
+      <id>native-win</id>
       <activation>
         <activeByDefault>false</activeByDefault>
         <os>
           <family>windows</family>
         </os>
       </activation>
-      <properties>
-        <windows.build>true</windows.build>
-      </properties>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-enforcer-plugin</artifactId>
+            <executions>
+              <execution>
+                <id>enforce-os</id>
+                <goals>
+                  <goal>enforce</goal>
+                </goals>
+                <configuration>
+                  <rules>
+                    <requireOS>
+                      <family>windows</family>
+                      <message>native-win build only supported on Windows</message>
+                    </requireOS>
+                  </rules>
+                  <fail>true</fail>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-antrun-plugin</artifactId>
+            <executions>
+              <execution>
+                <id>make</id>
+                <phase>compile</phase>
+                <goals>
+                  <goal>run</goal>
+                </goals>
+                <configuration>
+                  <target>
+                    <mkdir dir="${project.build.directory}/native"/>
+                    <exec executable="cmake" dir="${project.build.directory}/native"
+                        failonerror="true">
+                      <arg line="${basedir}/src/ -DGENERATED_JAVAH=${project.build.directory}/native/javah -DJVM_ARCH_DATA_MODEL=${sun.arch.data.model} -DREQUIRE_LIBWEBHDFS=${require.libwebhdfs} -DREQUIRE_FUSE=${require.fuse} -G 'Visual Studio 10 Win64'"/>
+                    </exec>
+                    <exec executable="msbuild" dir="${project.build.directory}/native"
+                        failonerror="true">
+                      <arg line="ALL_BUILD.vcxproj /nologo /p:Configuration=Release"/>
+                    </exec>
+                    <!-- Copy for inclusion in distribution. -->
+                    <copy todir="${project.build.directory}/bin">
+                      <fileset dir="${project.build.directory}/native/target/bin/Release"/>
+                    </copy>
+                  </target>
+                </configuration>
+              </execution>
+              <execution>
+                <id>native_tests</id>
+                <phase>test</phase>
+                <goals><goal>run</goal></goals>
+                <configuration>
+                  <skip>${skipTests}</skip>
+                  <target>
+                    <property name="compile_classpath" refid="maven.compile.classpath"/>
+                    <property name="test_classpath" refid="maven.test.classpath"/>
+                    <macrodef name="run-test">
+                      <attribute name="test"/>
+                      <sequential>
+                        <echo message="Running @{test}"/>
+                        <exec executable="${project.build.directory}/native/Release/@{test}" failonerror="true" dir="${project.build.directory}/native/">
+                          <env key="CLASSPATH" value="${test_classpath}:${compile_classpath}"/>
+                          <!-- HADOOP_HOME required to find winutils. -->
+                          <env key="HADOOP_HOME" value="${hadoop.common.build.dir}"/>
+                          <!-- Make sure hadoop.dll and jvm.dll are on PATH. -->
+                          <env key="PATH" value="${env.PATH};${hadoop.common.build.dir}/bin;${java.home}/jre/bin/server;${java.home}/bin/server"/>
+                        </exec>
+                        <echo message="Finished @{test}"/>
+                      </sequential>
+                    </macrodef>
+                    <run-test test="test_libhdfs_threaded"/>
+                    <echo message="Skipping test_libhdfs_zerocopy"/>
+                    <run-test test="test_native_mini_dfs"/>
+                  </target>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
     </profile>
     <profile>
       <id>native</id>
@@ -407,21 +488,25 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
                 <phase>test</phase>
                 <goals><goal>run</goal></goals>
                 <configuration>
+                  <skip>${skipTests}</skip>
                   <target>
                     <property name="compile_classpath" refid="maven.compile.classpath"/>
                     <property name="test_classpath" refid="maven.test.classpath"/>
-                    <exec executable="sh" failonerror="true" dir="${project.build.directory}/native/">
-                      <arg value="-c"/>
-                      <arg value="[ x$SKIPTESTS = xtrue ] || ${project.build.directory}/native/test_libhdfs_threaded"/>
-                      <env key="CLASSPATH" value="${test_classpath}:${compile_classpath}"/>
-                      <env key="SKIPTESTS" value="${skipTests}"/>
-                    </exec>
-                    <exec executable="sh" failonerror="true" dir="${project.build.directory}/native/">
-                        <arg value="-c"/>
-                        <arg value="[ x$SKIPTESTS = xtrue ] || ${project.build.directory}/native/test_native_mini_dfs"/>
-                      <env key="CLASSPATH" value="${test_classpath}:${compile_classpath}"/>
-                      <env key="SKIPTESTS" value="${skipTests}"/>
-                    </exec>
+                    <macrodef name="run-test">
+                      <attribute name="test"/>
+                      <sequential>
+                        <echo message="Running @{test}"/>
+                        <exec executable="${project.build.directory}/native/@{test}" failonerror="true" dir="${project.build.directory}/native/">
+                          <env key="CLASSPATH" value="${test_classpath}:${compile_classpath}"/>
+                          <!-- Make sure libhadoop.so is on LD_LIBRARY_PATH. -->
+                          <env key="LD_LIBRARY_PATH" value="${env.LD_LIBRARY_PATH}:${project.build.directory}/native/target/usr/local/lib:${hadoop.common.build.dir}/native/target/usr/local/lib"/>
+                        </exec>
+                        <echo message="Finished @{test}"/>
+                      </sequential>
+                    </macrodef>
+                    <run-test test="test_libhdfs_threaded"/>
+                    <run-test test="test_libhdfs_zerocopy"/>
+                    <run-test test="test_native_mini_dfs"/>
                   </target>
                 </configuration>
               </execution>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/CMakeLists.txt b/hadoop-hdfs-project/hadoop-hdfs/src/CMakeLists.txt
index fc5ebea4c0f..854988b9c54 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/CMakeLists.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/CMakeLists.txt
@@ -76,9 +76,39 @@ if (NOT GENERATED_JAVAH)
     MESSAGE(FATAL_ERROR "You must set the CMake variable GENERATED_JAVAH")
 endif (NOT GENERATED_JAVAH)
 
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -Wall -O2")
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_REENTRANT -D_GNU_SOURCE")
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64")
+if (WIN32)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /O2")
+
+    # Set warning level 4.
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /W4")
+
+    # Skip "unreferenced formal parameter".
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /wd4100")
+
+    # Skip "conditional expression is constant".
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /wd4127")
+
+    # Skip deprecated POSIX function warnings.
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_CRT_NONSTDC_NO_DEPRECATE")
+
+    # Skip CRT non-secure function warnings.  If we can convert usage of
+    # strerror, getenv and ctime to their secure CRT equivalents, then we can
+    # re-enable the CRT non-secure function warnings.
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_CRT_SECURE_NO_WARNINGS")
+
+    # Omit unneeded headers.
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWIN32_LEAN_AND_MEAN")
+
+    set(OS_DIR main/native/libhdfs/os/windows)
+    set(OUT_DIR target/bin)
+else (WIN32)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -Wall -O2")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_REENTRANT -D_GNU_SOURCE")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64")
+    set(OS_DIR main/native/libhdfs/os/posix)
+    set(OS_LINK_LIBRARIES pthread)
+    set(OUT_DIR target/usr/local/lib)
+endif (WIN32)
 
 include_directories(
     ${GENERATED_JAVAH}
@@ -87,6 +117,7 @@ include_directories(
     ${JNI_INCLUDE_DIRS}
     main/native
     main/native/libhdfs
+    ${OS_DIR}
 )
 
 set(_FUSE_DFS_VERSION 0.1.0)
@@ -96,6 +127,9 @@ add_dual_library(hdfs
     main/native/libhdfs/exception.c
     main/native/libhdfs/jni_helper.c
     main/native/libhdfs/hdfs.c
+    main/native/libhdfs/common/htable.c
+    ${OS_DIR}/mutexes.c
+    ${OS_DIR}/thread_local_storage.c
 )
 if (NEED_LINK_DL)
    set(LIB_DL dl)
@@ -104,17 +138,14 @@ endif(NEED_LINK_DL)
 target_link_dual_libraries(hdfs
     ${JAVA_JVM_LIBRARY}
     ${LIB_DL}
-    pthread
+    ${OS_LINK_LIBRARIES}
 )
-dual_output_directory(hdfs target/usr/local/lib)
+
+dual_output_directory(hdfs ${OUT_DIR})
 set(LIBHDFS_VERSION "0.0.0")
 set_target_properties(hdfs PROPERTIES
     SOVERSION ${LIBHDFS_VERSION})
 
-add_library(posix_util
-    main/native/util/posix_util.c
-)
-
 add_executable(test_libhdfs_ops
     main/native/libhdfs/test/test_libhdfs_ops.c
 )
@@ -156,11 +187,12 @@ target_link_libraries(test_native_mini_dfs
 add_executable(test_libhdfs_threaded
     main/native/libhdfs/expect.c
     main/native/libhdfs/test_libhdfs_threaded.c
+    ${OS_DIR}/thread.c
 )
 target_link_libraries(test_libhdfs_threaded
     hdfs
     native_mini_dfs
-    pthread
+    ${OS_LINK_LIBRARIES}
 )
 
 add_executable(test_libhdfs_zerocopy
@@ -170,17 +202,21 @@ add_executable(test_libhdfs_zerocopy
 target_link_libraries(test_libhdfs_zerocopy
     hdfs
     native_mini_dfs
-    pthread
+    ${OS_LINK_LIBRARIES}
 )
 
-add_executable(test_libhdfs_vecsum
-    main/native/libhdfs/test/vecsum.c
-)
-target_link_libraries(test_libhdfs_vecsum
-    hdfs
-    pthread
-    rt
-)
+# Skip vecsum on Windows.  This could be made to work in the future by
+# introducing an abstraction layer over the sys/mman.h functions.
+if (NOT WIN32)
+    add_executable(test_libhdfs_vecsum
+        main/native/libhdfs/test/vecsum.c
+    )
+    target_link_libraries(test_libhdfs_vecsum
+        hdfs
+        pthread
+        rt
+    )
+endif(NOT WIN32)
 
 IF(REQUIRE_LIBWEBHDFS)
     add_subdirectory(contrib/libwebhdfs)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/fuse-dfs/CMakeLists.txt b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/fuse-dfs/CMakeLists.txt
index dd3f1e62abc..8a8ea5b2b32 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/fuse-dfs/CMakeLists.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/fuse-dfs/CMakeLists.txt
@@ -37,6 +37,10 @@ ELSE (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
 ENDIF (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
 
 IF(FUSE_FOUND)
+    add_library(posix_util
+        ../util/posix_util.c
+    )
+
     add_executable(fuse_dfs
         fuse_dfs.c
         fuse_options.c 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/common/htable.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/common/htable.c
new file mode 100644
index 00000000000..8d3d3c548c6
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/common/htable.c
@@ -0,0 +1,271 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "common/htable.h"
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+struct htable_pair {
+    void *key;
+    void *val;
+};
+
+/**
+ * A hash table which uses linear probing.
+ */
+struct htable {
+    uint32_t capacity;
+    uint32_t used;
+    htable_hash_fn_t hash_fun;
+    htable_eq_fn_t eq_fun;
+    struct htable_pair *elem;
+};
+
+/**
+ * An internal function for inserting a value into the hash table.
+ *
+ * Note: this function assumes that you have made enough space in the table.
+ *
+ * @param nelem         The new element to insert.
+ * @param capacity      The capacity of the hash table.
+ * @param hash_fun      The hash function to use.
+ * @param key           The key to insert.
+ * @param val           The value to insert.
+ */
+static void htable_insert_internal(struct htable_pair *nelem, 
+        uint32_t capacity, htable_hash_fn_t hash_fun, void *key,
+        void *val)
+{
+    uint32_t i;
+
+    i = hash_fun(key, capacity);
+    while (1) {
+        if (!nelem[i].key) {
+            nelem[i].key = key;
+            nelem[i].val = val;
+            return;
+        }
+        i++;
+        if (i == capacity) {
+            i = 0;
+        }
+    }
+}
+
+static int htable_realloc(struct htable *htable, uint32_t new_capacity)
+{
+    struct htable_pair *nelem;
+    uint32_t i, old_capacity = htable->capacity;
+    htable_hash_fn_t hash_fun = htable->hash_fun;
+
+    nelem = calloc(new_capacity, sizeof(struct htable_pair));
+    if (!nelem) {
+        return ENOMEM;
+    }
+    for (i = 0; i < old_capacity; i++) {
+        struct htable_pair *pair = htable->elem + i;
+        htable_insert_internal(nelem, new_capacity, hash_fun,
+                               pair->key, pair->val);
+    }
+    free(htable->elem);
+    htable->elem = nelem;
+    htable->capacity = new_capacity;
+    return 0;
+}
+
+struct htable *htable_alloc(uint32_t size,
+                htable_hash_fn_t hash_fun, htable_eq_fn_t eq_fun)
+{
+    struct htable *htable;
+
+    htable = calloc(1, sizeof(*htable));
+    if (!htable) {
+        return NULL;
+    }
+    size = (size + 1) >> 1;
+    size = size << 1;
+    if (size < HTABLE_MIN_SIZE) {
+        size = HTABLE_MIN_SIZE;
+    }
+    htable->hash_fun = hash_fun;
+    htable->eq_fun = eq_fun;
+    htable->used = 0;
+    if (htable_realloc(htable, size)) {
+        free(htable);
+        return NULL;
+    }
+    return htable;
+}
+
+void htable_visit(struct htable *htable, visitor_fn_t fun, void *ctx)
+{
+    uint32_t i;
+
+    for (i = 0; i != htable->capacity; ++i) {
+        struct htable_pair *elem = htable->elem + i;
+        if (elem->key) {
+            fun(ctx, elem->key, elem->val);
+        }
+    }
+}
+
+void htable_free(struct htable *htable)
+{
+    if (htable) {
+        free(htable->elem);
+        free(htable);
+    }
+}
+
+int htable_put(struct htable *htable, void *key, void *val)
+{
+    int ret;
+    uint32_t nused;
+
+    // NULL is not a valid key value.
+    // This helps us implement htable_get_internal efficiently, since we know
+    // that we can stop when we encounter the first NULL key.
+    if (!key) {
+        return EINVAL;
+    }
+    // NULL is not a valid value.  Otherwise the results of htable_get would
+    // be confusing (does a NULL return mean entry not found, or that the
+    // entry was found and was NULL?) 
+    if (!val) {
+        return EINVAL;
+    }
+    // Re-hash if we have used more than half of the hash table
+    nused = htable->used + 1;
+    if (nused >= (htable->capacity / 2)) {
+        ret = htable_realloc(htable, htable->capacity * 2);
+        if (ret)
+            return ret;
+    }
+    htable_insert_internal(htable->elem, htable->capacity,
+                                htable->hash_fun, key, val);
+    htable->used++;
+    return 0;
+}
+
+static int htable_get_internal(const struct htable *htable,
+                               const void *key, uint32_t *out)
+{
+    uint32_t start_idx, idx;
+
+    start_idx = htable->hash_fun(key, htable->capacity);
+    idx = start_idx;
+    while (1) {
+        struct htable_pair *pair = htable->elem + idx;
+        if (!pair->key) {
+            // We always maintain the invariant that the entries corresponding
+            // to a given key are stored in a contiguous block, not separated
+            // by any NULLs.  So if we encounter a NULL, our search is over.
+            return ENOENT;
+        } else if (htable->eq_fun(pair->key, key)) {
+            *out = idx;
+            return 0;
+        }
+        idx++;
+        if (idx == htable->capacity) {
+            idx = 0;
+        }
+        if (idx == start_idx) {
+            return ENOENT;
+        }
+    }
+}
+
+void *htable_get(const struct htable *htable, const void *key)
+{
+    uint32_t idx;
+
+    if (htable_get_internal(htable, key, &idx)) {
+        return NULL;
+    }
+    return htable->elem[idx].val;
+}
+
+void htable_pop(struct htable *htable, const void *key,
+                void **found_key, void **found_val)
+{
+    uint32_t hole, i;
+    const void *nkey;
+
+    if (htable_get_internal(htable, key, &hole)) {
+        *found_key = NULL;
+        *found_val = NULL;
+        return;
+    }
+    i = hole;
+    htable->used--;
+    // We need to maintain the compactness invariant used in
+    // htable_get_internal.  This invariant specifies that the entries for any
+    // given key are never separated by NULLs (although they may be separated
+    // by entries for other keys.)
+    while (1) {
+        i++;
+        if (i == htable->capacity) {
+            i = 0;
+        }
+        nkey = htable->elem[i].key;
+        if (!nkey) {
+            *found_key = htable->elem[hole].key;
+            *found_val = htable->elem[hole].val;
+            htable->elem[hole].key = NULL;
+            htable->elem[hole].val = NULL;
+            return;
+        } else if (htable->eq_fun(key, nkey)) {
+            htable->elem[hole].key = htable->elem[i].key;
+            htable->elem[hole].val = htable->elem[i].val;
+            hole = i;
+        }
+    }
+}
+
+uint32_t htable_used(const struct htable *htable)
+{
+    return htable->used;
+}
+
+uint32_t htable_capacity(const struct htable *htable)
+{
+    return htable->capacity;
+}
+
+uint32_t ht_hash_string(const void *str, uint32_t max)
+{
+    const char *s = str;
+    uint32_t hash = 0;
+
+    while (*s) {
+        hash = (hash * 31) + *s;
+        s++;
+    }
+    return hash % max;
+}
+
+int ht_compare_string(const void *a, const void *b)
+{
+    return strcmp(a, b) == 0;
+}
+
+// vim: ts=4:sw=4:tw=79:et
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/common/htable.h b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/common/htable.h
new file mode 100644
index 00000000000..33f12290515
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/common/htable.h
@@ -0,0 +1,161 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef HADOOP_CORE_COMMON_HASH_TABLE
+#define HADOOP_CORE_COMMON_HASH_TABLE
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdint.h>
+
+#define HTABLE_MIN_SIZE 4
+
+struct htable;
+
+/**
+ * An HTable hash function.
+ *
+ * @param key       The key.
+ * @param capacity  The total capacity.
+ *
+ * @return          The hash slot.  Must be less than the capacity.
+ */
+typedef uint32_t (*htable_hash_fn_t)(const void *key, uint32_t capacity);
+
+/**
+ * An HTable equality function.  Compares two keys.
+ *
+ * @param a         First key.
+ * @param b         Second key.
+ *
+ * @return          nonzero if the keys are equal.
+ */
+typedef int (*htable_eq_fn_t)(const void *a, const void *b);
+
+/**
+ * Allocate a new hash table.
+ *
+ * @param capacity  The minimum suggested starting capacity.
+ * @param hash_fun  The hash function to use in this hash table.
+ * @param eq_fun    The equals function to use in this hash table.
+ *
+ * @return          The new hash table on success; NULL on OOM.
+ */
+struct htable *htable_alloc(uint32_t capacity, htable_hash_fn_t hash_fun,
+                            htable_eq_fn_t eq_fun);
+
+typedef void (*visitor_fn_t)(void *ctx, void *key, void *val);
+
+/**
+ * Visit all of the entries in the hash table.
+ *
+ * @param htable    The hash table.
+ * @param fun       The callback function to invoke on each key and value.
+ * @param ctx       Context pointer to pass to the callback.
+ */
+void htable_visit(struct htable *htable, visitor_fn_t fun, void *ctx);
+
+/**
+ * Free the hash table.
+ *
+ * It is up the calling code to ensure that the keys and values inside the
+ * table are de-allocated, if that is necessary.
+ *
+ * @param htable    The hash table.
+ */
+void htable_free(struct htable *htable);
+
+/**
+ * Add an entry to the hash table.
+ *
+ * @param htable    The hash table.
+ * @param key       The key to add.  This cannot be NULL.
+ * @param fun       The value to add.  This cannot be NULL.
+ *
+ * @return          0 on success;
+ *                  EEXIST if the value already exists in the table;
+ *                  ENOMEM if there is not enough memory to add the element.
+ *                  EFBIG if the hash table has too many entries to fit in 32
+ *                      bits.
+ */
+int htable_put(struct htable *htable, void *key, void *val);
+
+/**
+ * Get an entry from the hash table.
+ *
+ * @param htable    The hash table.
+ * @param key       The key to find.
+ *
+ * @return          NULL if there is no such entry; the entry otherwise.
+ */
+void *htable_get(const struct htable *htable, const void *key);
+
+/**
+ * Get an entry from the hash table and remove it.
+ *
+ * @param htable    The hash table.
+ * @param key       The key for the entry find and remove.
+ * @param found_key (out param) NULL if the entry was not found; the found key
+ *                      otherwise.
+ * @param found_val (out param) NULL if the entry was not found; the found
+ *                      value otherwise.
+ */
+void htable_pop(struct htable *htable, const void *key,
+                void **found_key, void **found_val);
+
+/**
+ * Get the number of entries used in the hash table.
+ *
+ * @param htable    The hash table.
+ *
+ * @return          The number of entries used in the hash table.
+ */
+uint32_t htable_used(const struct htable *htable);
+
+/**
+ * Get the capacity of the hash table.
+ *
+ * @param htable    The hash table.
+ *
+ * @return          The capacity of the hash table.
+ */
+uint32_t htable_capacity(const struct htable *htable);
+
+/**
+ * Hash a string.
+ *
+ * @param str       The string.
+ * @param max       Maximum hash value
+ *
+ * @return          A number less than max.
+ */
+uint32_t ht_hash_string(const void *str, uint32_t max);
+
+/**
+ * Compare two strings.
+ *
+ * @param a         The first string.
+ * @param b         The second string.
+ *
+ * @return          1 if the strings are identical; 0 otherwise.
+ */
+int ht_compare_string(const void *a, const void *b);
+
+#endif
+
+// vim: ts=4:sw=4:tw=79:et
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/exception.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/exception.c
index d7e17208454..2373aa78024 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/exception.c
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/exception.c
@@ -19,8 +19,8 @@
 #include "exception.h"
 #include "hdfs.h"
 #include "jni_helper.h"
+#include "platform.h"
 
-#include <inttypes.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -35,54 +35,54 @@ struct ExceptionInfo {
 
 static const struct ExceptionInfo gExceptionInfo[] = {
     {
-        .name = "java.io.FileNotFoundException",
-        .noPrintFlag = NOPRINT_EXC_FILE_NOT_FOUND,
-        .excErrno = ENOENT,
+        "java.io.FileNotFoundException",
+        NOPRINT_EXC_FILE_NOT_FOUND,
+        ENOENT,
     },
     {
-        .name = "org.apache.hadoop.security.AccessControlException",
-        .noPrintFlag = NOPRINT_EXC_ACCESS_CONTROL,
-        .excErrno = EACCES,
+        "org.apache.hadoop.security.AccessControlException",
+        NOPRINT_EXC_ACCESS_CONTROL,
+        EACCES,
     },
     {
-        .name = "org.apache.hadoop.fs.UnresolvedLinkException",
-        .noPrintFlag = NOPRINT_EXC_UNRESOLVED_LINK,
-        .excErrno = ENOLINK,
+        "org.apache.hadoop.fs.UnresolvedLinkException",
+        NOPRINT_EXC_UNRESOLVED_LINK,
+        ENOLINK,
     },
     {
-        .name = "org.apache.hadoop.fs.ParentNotDirectoryException",
-        .noPrintFlag = NOPRINT_EXC_PARENT_NOT_DIRECTORY,
-        .excErrno = ENOTDIR,
+        "org.apache.hadoop.fs.ParentNotDirectoryException",
+        NOPRINT_EXC_PARENT_NOT_DIRECTORY,
+        ENOTDIR,
     },
     {
-        .name = "java.lang.IllegalArgumentException",
-        .noPrintFlag = NOPRINT_EXC_ILLEGAL_ARGUMENT,
-        .excErrno = EINVAL,
+        "java.lang.IllegalArgumentException",
+        NOPRINT_EXC_ILLEGAL_ARGUMENT,
+        EINVAL,
     },
     {
-        .name = "java.lang.OutOfMemoryError",
-        .noPrintFlag = 0,
-        .excErrno = ENOMEM,
+        "java.lang.OutOfMemoryError",
+        0,
+        ENOMEM,
     },
     {
-        .name = "org.apache.hadoop.hdfs.server.namenode.SafeModeException",
-        .noPrintFlag = 0,
-        .excErrno = EROFS,
+        "org.apache.hadoop.hdfs.server.namenode.SafeModeException",
+        0,
+        EROFS,
     },
     {
-        .name = "org.apache.hadoop.fs.FileAlreadyExistsException",
-        .noPrintFlag = 0,
-        .excErrno = EEXIST,
+        "org.apache.hadoop.fs.FileAlreadyExistsException",
+        0,
+        EEXIST,
     },
     {
-        .name = "org.apache.hadoop.hdfs.protocol.QuotaExceededException",
-        .noPrintFlag = 0,
-        .excErrno = EDQUOT,
+        "org.apache.hadoop.hdfs.protocol.QuotaExceededException",
+        0,
+        EDQUOT,
     },
     {
-        .name = "org.apache.hadoop.hdfs.server.namenode.LeaseExpiredException",
-        .noPrintFlag = 0,
-        .excErrno = ESTALE,
+        "org.apache.hadoop.hdfs.server.namenode.LeaseExpiredException",
+        0,
+        ESTALE,
     },
 };
 
@@ -113,6 +113,7 @@ int printExceptionAndFreeV(JNIEnv *env, jthrowable exc, int noPrintFlags,
     jstring jStr = NULL;
     jvalue jVal;
     jthrowable jthr;
+    const char *stackTrace;
 
     jthr = classNameOfObject(exc, env, &className);
     if (jthr) {
@@ -148,7 +149,7 @@ int printExceptionAndFreeV(JNIEnv *env, jthrowable exc, int noPrintFlags,
             destroyLocalReference(env, jthr);
         } else {
             jStr = jVal.l;
-            const char *stackTrace = (*env)->GetStringUTFChars(env, jStr, NULL);
+            stackTrace = (*env)->GetStringUTFChars(env, jStr, NULL);
             if (!stackTrace) {
                 fprintf(stderr, "(unable to get stack trace for %s exception: "
                         "GetStringUTFChars error.)\n", className);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/exception.h b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/exception.h
index e36151314e7..5fa7fa6ebd8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/exception.h
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/exception.h
@@ -34,13 +34,14 @@
  * usually not what you want.)
  */
 
+#include "platform.h"
+
 #include <jni.h>
 #include <stdio.h>
 
 #include <stdlib.h>
 #include <stdarg.h>
 #include <search.h>
-#include <pthread.h>
 #include <errno.h>
 
 /**
@@ -109,7 +110,7 @@ int printExceptionAndFreeV(JNIEnv *env, jthrowable exc, int noPrintFlags,
  *                        object.
  */
 int printExceptionAndFree(JNIEnv *env, jthrowable exc, int noPrintFlags,
-        const char *fmt, ...) __attribute__((format(printf, 4, 5)));  
+        const char *fmt, ...) TYPE_CHECKED_PRINTF_FORMAT(4, 5);
 
 /**
  * Print out information about the pending exception and free it.
@@ -124,7 +125,7 @@ int printExceptionAndFree(JNIEnv *env, jthrowable exc, int noPrintFlags,
  *                        object.
  */
 int printPendingExceptionAndFree(JNIEnv *env, int noPrintFlags,
-        const char *fmt, ...) __attribute__((format(printf, 3, 4)));  
+        const char *fmt, ...) TYPE_CHECKED_PRINTF_FORMAT(3, 4);
 
 /**
  * Get a local reference to the pending exception and clear it.
@@ -150,6 +151,7 @@ jthrowable getPendingExceptionAndClear(JNIEnv *env);
  * @return                A local reference to a RuntimeError
  */
 jthrowable newRuntimeError(JNIEnv *env, const char *fmt, ...)
-        __attribute__((format(printf, 2, 3)));
+        TYPE_CHECKED_PRINTF_FORMAT(2, 3);
 
+#undef TYPE_CHECKED_PRINTF_FORMAT
 #endif
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/expect.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/expect.c
index 6b80ea90a20..576e9ef3639 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/expect.c
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/expect.c
@@ -49,18 +49,18 @@ int expectFileStats(hdfsFile file,
             stats->totalShortCircuitBytesRead,
             stats->totalZeroCopyBytesRead);
     if (expectedTotalBytesRead != UINT64_MAX) {
-        EXPECT_INT64_EQ(expectedTotalBytesRead, stats->totalBytesRead);
+        EXPECT_UINT64_EQ(expectedTotalBytesRead, stats->totalBytesRead);
     }
     if (expectedTotalLocalBytesRead != UINT64_MAX) {
-        EXPECT_INT64_EQ(expectedTotalLocalBytesRead,
+        EXPECT_UINT64_EQ(expectedTotalLocalBytesRead,
                       stats->totalLocalBytesRead);
     }
     if (expectedTotalShortCircuitBytesRead != UINT64_MAX) {
-        EXPECT_INT64_EQ(expectedTotalShortCircuitBytesRead,
+        EXPECT_UINT64_EQ(expectedTotalShortCircuitBytesRead,
                       stats->totalShortCircuitBytesRead);
     }
     if (expectedTotalZeroCopyBytesRead != UINT64_MAX) {
-        EXPECT_INT64_EQ(expectedTotalZeroCopyBytesRead,
+        EXPECT_UINT64_EQ(expectedTotalZeroCopyBytesRead,
                       stats->totalZeroCopyBytesRead);
     }
     hdfsFileFreeReadStatistics(stats);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/expect.h b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/expect.h
index 15fa510630c..e64b108e200 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/expect.h
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/expect.h
@@ -126,6 +126,18 @@ struct hdfsFile_internal;
         } \
     } while (0);
 
+#define EXPECT_UINT64_EQ(x, y) \
+    do { \
+        uint64_t __my_ret__ = y; \
+        int __my_errno__ = errno; \
+        if (__my_ret__ != (x)) { \
+            fprintf(stderr, "TEST_ERROR: failed on %s:%d with return " \
+              "value %"PRIu64" (errno: %d): expected %"PRIu64"\n", \
+               __FILE__, __LINE__, __my_ret__, __my_errno__, (x)); \
+            return -1; \
+        } \
+    } while (0);
+
 #define RETRY_ON_EINTR_GET_ERRNO(ret, expr) do { \
     ret = expr; \
     if (!ret) \
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/hdfs.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/hdfs.c
index 07088d09c41..c382b9a34ed 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/hdfs.c
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/hdfs.c
@@ -19,7 +19,9 @@
 #include "exception.h"
 #include "hdfs.h"
 #include "jni_helper.h"
+#include "platform.h"
 
+#include <fcntl.h>
 #include <inttypes.h>
 #include <stdio.h>
 #include <string.h>
@@ -63,9 +65,9 @@ static void hdfsFreeFileInfoEntry(hdfsFileInfo *hdfsFileInfo);
  */
 enum hdfsStreamType
 {
-    UNINITIALIZED = 0,
-    INPUT = 1,
-    OUTPUT = 2,
+    HDFS_STREAM_UNINITIALIZED = 0,
+    HDFS_STREAM_INPUT = 1,
+    HDFS_STREAM_OUTPUT = 2,
 };
 
 /**
@@ -79,7 +81,7 @@ struct hdfsFile_internal {
 
 int hdfsFileIsOpenForRead(hdfsFile file)
 {
-    return (file->type == INPUT);
+    return (file->type == HDFS_STREAM_INPUT);
 }
 
 int hdfsFileGetReadStatistics(hdfsFile file,
@@ -96,7 +98,7 @@ int hdfsFileGetReadStatistics(hdfsFile file,
         errno = EINTERNAL;
         return -1;
     }
-    if (file->type != INPUT) {
+    if (file->type != HDFS_STREAM_INPUT) {
         ret = EINVAL;
         goto done;
     }
@@ -180,7 +182,7 @@ void hdfsFileFreeReadStatistics(struct hdfsReadStatistics *stats)
 
 int hdfsFileIsOpenForWrite(hdfsFile file)
 {
-    return (file->type == OUTPUT);
+    return (file->type == HDFS_STREAM_OUTPUT);
 }
 
 int hdfsFileUsesDirectRead(hdfsFile file)
@@ -441,7 +443,7 @@ void hdfsBuilderSetKerbTicketCachePath(struct hdfsBuilder *bld,
     bld->kerbTicketCachePath = kerbTicketCachePath;
 }
 
-hdfsFS hdfsConnect(const char* host, tPort port)
+hdfsFS hdfsConnect(const char *host, tPort port)
 {
     struct hdfsBuilder *bld = hdfsNewBuilder();
     if (!bld)
@@ -452,7 +454,7 @@ hdfsFS hdfsConnect(const char* host, tPort port)
 }
 
 /** Always return a new FileSystem handle */
-hdfsFS hdfsConnectNewInstance(const char* host, tPort port)
+hdfsFS hdfsConnectNewInstance(const char *host, tPort port)
 {
     struct hdfsBuilder *bld = hdfsNewBuilder();
     if (!bld)
@@ -463,7 +465,7 @@ hdfsFS hdfsConnectNewInstance(const char* host, tPort port)
     return hdfsBuilderConnect(bld);
 }
 
-hdfsFS hdfsConnectAsUser(const char* host, tPort port, const char *user)
+hdfsFS hdfsConnectAsUser(const char *host, tPort port, const char *user)
 {
     struct hdfsBuilder *bld = hdfsNewBuilder();
     if (!bld)
@@ -475,7 +477,7 @@ hdfsFS hdfsConnectAsUser(const char* host, tPort port, const char *user)
 }
 
 /** Always return a new FileSystem handle */
-hdfsFS hdfsConnectAsUserNewInstance(const char* host, tPort port,
+hdfsFS hdfsConnectAsUserNewInstance(const char *host, tPort port,
         const char *user)
 {
     struct hdfsBuilder *bld = hdfsNewBuilder();
@@ -518,7 +520,7 @@ static int calcEffectiveURI(struct hdfsBuilder *bld, char ** uri)
     if (bld->port == 0) {
         suffix[0] = '\0';
     } else {
-        lastColon = rindex(bld->nn, ':');
+        lastColon = strrchr(bld->nn, ':');
         if (lastColon && (strspn(lastColon + 1, "0123456789") ==
                           strlen(lastColon + 1))) {
             fprintf(stderr, "port %d was given, but URI '%s' already "
@@ -737,6 +739,8 @@ int hdfsDisconnect(hdfsFS fs)
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     int ret;
+    jobject jFS;
+    jthrowable jthr;
 
     if (env == NULL) {
       errno = EINTERNAL;
@@ -744,7 +748,7 @@ int hdfsDisconnect(hdfsFS fs)
     }
 
     //Parameters
-    jobject jFS = (jobject)fs;
+    jFS = (jobject)fs;
 
     //Sanity check
     if (fs == NULL) {
@@ -752,7 +756,7 @@ int hdfsDisconnect(hdfsFS fs)
         return -1;
     }
 
-    jthrowable jthr = invokeMethod(env, NULL, INSTANCE, jFS, HADOOP_FS,
+    jthr = invokeMethod(env, NULL, INSTANCE, jFS, HADOOP_FS,
                      "close", "()V");
     if (jthr) {
         ret = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
@@ -792,7 +796,7 @@ static jthrowable getDefaultBlockSize(JNIEnv *env, jobject jFS,
     return NULL;
 }
 
-hdfsFile hdfsOpenFile(hdfsFS fs, const char* path, int flags, 
+hdfsFile hdfsOpenFile(hdfsFS fs, const char *path, int flags, 
                       int bufferSize, short replication, tSize blockSize)
 {
     /*
@@ -801,15 +805,7 @@ hdfsFile hdfsOpenFile(hdfsFS fs, const char* path, int flags,
        FSData{Input|Output}Stream f{is|os} = fs.create(f);
        return f{is|os};
     */
-    /* Get the JNIEnv* corresponding to current thread */
-    JNIEnv* env = getJNIEnv();
     int accmode = flags & O_ACCMODE;
-
-    if (env == NULL) {
-      errno = EINTERNAL;
-      return NULL;
-    }
-
     jstring jStrBufferSize = NULL, jStrReplication = NULL;
     jobject jConfiguration = NULL, jPath = NULL, jFile = NULL;
     jobject jFS = (jobject)fs;
@@ -817,6 +813,20 @@ hdfsFile hdfsOpenFile(hdfsFS fs, const char* path, int flags,
     jvalue jVal;
     hdfsFile file = NULL;
     int ret;
+    jint jBufferSize = bufferSize;
+    jshort jReplication = replication;
+
+    /* The hadoop java api/signature */
+    const char *method = NULL;
+    const char *signature = NULL;
+
+    /* Get the JNIEnv* corresponding to current thread */
+    JNIEnv* env = getJNIEnv();
+    if (env == NULL) {
+      errno = EINTERNAL;
+      return NULL;
+    }
+
 
     if (accmode == O_RDONLY || accmode == O_WRONLY) {
 	/* yay */
@@ -834,10 +844,6 @@ hdfsFile hdfsOpenFile(hdfsFS fs, const char* path, int flags,
       fprintf(stderr, "WARN: hdfs does not truly support O_CREATE && O_EXCL\n");
     }
 
-    /* The hadoop java api/signature */
-    const char* method = NULL;
-    const char* signature = NULL;
-
     if (accmode == O_RDONLY) {
 	method = "open";
         signature = JMETHOD2(JPARAM(HADOOP_PATH), "I", JPARAM(HADOOP_ISTRM));
@@ -867,8 +873,6 @@ hdfsFile hdfsOpenFile(hdfsFS fs, const char* path, int flags,
     }
     jConfiguration = jVal.l;
 
-    jint jBufferSize = bufferSize;
-    jshort jReplication = replication;
     jStrBufferSize = (*env)->NewStringUTF(env, "io.file.buffer.size"); 
     if (!jStrBufferSize) {
         ret = printPendingExceptionAndFree(env, PRINT_EXC_ALL, "OOM");
@@ -905,7 +909,7 @@ hdfsFile hdfsOpenFile(hdfsFS fs, const char* path, int flags,
                     path);
                 goto done;
             }
-            jReplication = jVal.i;
+            jReplication = (jshort)jVal.i;
         }
     }
  
@@ -955,7 +959,8 @@ hdfsFile hdfsOpenFile(hdfsFS fs, const char* path, int flags,
             "hdfsOpenFile(%s): NewGlobalRef", path); 
         goto done;
     }
-    file->type = (((flags & O_WRONLY) == 0) ? INPUT : OUTPUT);
+    file->type = (((flags & O_WRONLY) == 0) ? HDFS_STREAM_INPUT :
+        HDFS_STREAM_OUTPUT);
     file->flags = 0;
 
     if ((flags & O_WRONLY) == 0) {
@@ -998,31 +1003,33 @@ int hdfsCloseFile(hdfsFS fs, hdfsFile file)
     // JAVA EQUIVALENT:
     //  file.close 
 
+    //The interface whose 'close' method to be called
+    const char *interface;
+    const char *interfaceShortName;
+
+    //Caught exception
+    jthrowable jthr;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
-
     if (env == NULL) {
         errno = EINTERNAL;
         return -1;
     }
 
-    //Caught exception
-    jthrowable jthr;
-
     //Sanity check
-    if (!file || file->type == UNINITIALIZED) {
+    if (!file || file->type == HDFS_STREAM_UNINITIALIZED) {
         errno = EBADF;
         return -1;
     }
 
-    //The interface whose 'close' method to be called
-    const char* interface = (file->type == INPUT) ? 
+    interface = (file->type == HDFS_STREAM_INPUT) ?
         HADOOP_ISTRM : HADOOP_OSTRM;
   
     jthr = invokeMethod(env, NULL, INSTANCE, file->file, interface,
                      "close", "()V");
     if (jthr) {
-        const char *interfaceShortName = (file->type == INPUT) ? 
+        interfaceShortName = (file->type == HDFS_STREAM_INPUT) ? 
             "FSDataInputStream" : "FSDataOutputStream";
         ret = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
                 "%s#close", interfaceShortName);
@@ -1044,15 +1051,15 @@ int hdfsCloseFile(hdfsFS fs, hdfsFile file)
 int hdfsExists(hdfsFS fs, const char *path)
 {
     JNIEnv *env = getJNIEnv();
-    if (env == NULL) {
-        errno = EINTERNAL;
-        return -1;
-    }
-
     jobject jPath;
     jvalue  jVal;
     jobject jFS = (jobject)fs;
     jthrowable jthr;
+
+    if (env == NULL) {
+        errno = EINTERNAL;
+        return -1;
+    }
     
     if (path == NULL) {
         errno = EINVAL;
@@ -1088,13 +1095,13 @@ static int readPrepare(JNIEnv* env, hdfsFS fs, hdfsFile f,
     *jInputStream = (jobject)(f ? f->file : NULL);
 
     //Sanity check
-    if (!f || f->type == UNINITIALIZED) {
+    if (!f || f->type == HDFS_STREAM_UNINITIALIZED) {
       errno = EBADF;
       return -1;
     }
 
     //Error checking... make sure that this file is 'readable'
-    if (f->type != INPUT) {
+    if (f->type != HDFS_STREAM_INPUT) {
       fprintf(stderr, "Cannot read from a non-InputStream object!\n");
       errno = EINVAL;
       return -1;
@@ -1105,6 +1112,13 @@ static int readPrepare(JNIEnv* env, hdfsFS fs, hdfsFile f,
 
 tSize hdfsRead(hdfsFS fs, hdfsFile f, void* buffer, tSize length)
 {
+    jobject jInputStream;
+    jbyteArray jbRarray;
+    jint noReadBytes = length;
+    jvalue jVal;
+    jthrowable jthr;
+    JNIEnv* env;
+
     if (length == 0) {
         return 0;
     } else if (length < 0) {
@@ -1120,23 +1134,17 @@ tSize hdfsRead(hdfsFS fs, hdfsFile f, void* buffer, tSize length)
     //  fis.read(bR);
 
     //Get the JNIEnv* corresponding to current thread
-    JNIEnv* env = getJNIEnv();
+    env = getJNIEnv();
     if (env == NULL) {
       errno = EINTERNAL;
       return -1;
     }
 
     //Parameters
-    jobject jInputStream;
     if (readPrepare(env, fs, f, &jInputStream) == -1) {
       return -1;
     }
 
-    jbyteArray jbRarray;
-    jint noReadBytes = length;
-    jvalue jVal;
-    jthrowable jthr;
-
     //Read the requisite bytes
     jbRarray = (*env)->NewByteArray(env, length);
     if (!jbRarray) {
@@ -1179,6 +1187,11 @@ tSize readDirect(hdfsFS fs, hdfsFile f, void* buffer, tSize length)
     //  ByteBuffer bbuffer = ByteBuffer.allocateDirect(length) // wraps C buffer
     //  fis.read(bbuffer);
 
+    jobject jInputStream;
+    jvalue jVal;
+    jthrowable jthr;
+    jobject bb;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1186,16 +1199,12 @@ tSize readDirect(hdfsFS fs, hdfsFile f, void* buffer, tSize length)
       return -1;
     }
 
-    jobject jInputStream;
     if (readPrepare(env, fs, f, &jInputStream) == -1) {
       return -1;
     }
 
-    jvalue jVal;
-    jthrowable jthr;
-
     //Read the requisite bytes
-    jobject bb = (*env)->NewDirectByteBuffer(env, buffer, length);
+    bb = (*env)->NewDirectByteBuffer(env, buffer, length);
     if (bb == NULL) {
         errno = printPendingExceptionAndFree(env, PRINT_EXC_ALL,
             "readDirect: NewDirectByteBuffer");
@@ -1227,7 +1236,7 @@ tSize hdfsPread(hdfsFS fs, hdfsFile f, tOffset position,
         errno = EINVAL;
         return -1;
     }
-    if (!f || f->type == UNINITIALIZED) {
+    if (!f || f->type == HDFS_STREAM_UNINITIALIZED) {
         errno = EBADF;
         return -1;
     }
@@ -1239,7 +1248,7 @@ tSize hdfsPread(hdfsFS fs, hdfsFile f, tOffset position,
     }
 
     //Error checking... make sure that this file is 'readable'
-    if (f->type != INPUT) {
+    if (f->type != HDFS_STREAM_INPUT) {
         fprintf(stderr, "Cannot read from a non-InputStream object!\n");
         errno = EINVAL;
         return -1;
@@ -1287,6 +1296,10 @@ tSize hdfsWrite(hdfsFS fs, hdfsFile f, const void* buffer, tSize length)
     // byte b[] = str.getBytes();
     // fso.write(b);
 
+    jobject jOutputStream;
+    jbyteArray jbWarray;
+    jthrowable jthr;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1295,14 +1308,12 @@ tSize hdfsWrite(hdfsFS fs, hdfsFile f, const void* buffer, tSize length)
     }
 
     //Sanity check
-    if (!f || f->type == UNINITIALIZED) {
+    if (!f || f->type == HDFS_STREAM_UNINITIALIZED) {
         errno = EBADF;
         return -1;
     }
 
-    jobject jOutputStream = f->file;
-    jbyteArray jbWarray;
-    jthrowable jthr;
+    jOutputStream = f->file;
     
     if (length < 0) {
     	errno = EINVAL;
@@ -1310,7 +1321,7 @@ tSize hdfsWrite(hdfsFS fs, hdfsFile f, const void* buffer, tSize length)
     }
 
     //Error checking... make sure that this file is 'writable'
-    if (f->type != OUTPUT) {
+    if (f->type != HDFS_STREAM_OUTPUT) {
         fprintf(stderr, "Cannot write into a non-OutputStream object!\n");
         errno = EINVAL;
         return -1;
@@ -1355,6 +1366,9 @@ int hdfsSeek(hdfsFS fs, hdfsFile f, tOffset desiredPos)
     // JAVA EQUIVALENT
     //  fis.seek(pos);
 
+    jobject jInputStream;
+    jthrowable jthr;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1363,13 +1377,13 @@ int hdfsSeek(hdfsFS fs, hdfsFile f, tOffset desiredPos)
     }
 
     //Sanity check
-    if (!f || f->type != INPUT) {
+    if (!f || f->type != HDFS_STREAM_INPUT) {
         errno = EBADF;
         return -1;
     }
 
-    jobject jInputStream = f->file;
-    jthrowable jthr = invokeMethod(env, NULL, INSTANCE, jInputStream,
+    jInputStream = f->file;
+    jthr = invokeMethod(env, NULL, INSTANCE, jInputStream,
             HADOOP_ISTRM, "seek", "(J)V", desiredPos);
     if (jthr) {
         errno = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
@@ -1387,6 +1401,11 @@ tOffset hdfsTell(hdfsFS fs, hdfsFile f)
     // JAVA EQUIVALENT
     //  pos = f.getPos();
 
+    jobject jStream;
+    const char *interface;
+    jvalue jVal;
+    jthrowable jthr;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1395,22 +1414,21 @@ tOffset hdfsTell(hdfsFS fs, hdfsFile f)
     }
 
     //Sanity check
-    if (!f || f->type == UNINITIALIZED) {
+    if (!f || f->type == HDFS_STREAM_UNINITIALIZED) {
         errno = EBADF;
         return -1;
     }
 
     //Parameters
-    jobject jStream = f->file;
-    const char* interface = (f->type == INPUT) ?
+    jStream = f->file;
+    interface = (f->type == HDFS_STREAM_INPUT) ?
         HADOOP_ISTRM : HADOOP_OSTRM;
-    jvalue jVal;
-    jthrowable jthr = invokeMethod(env, &jVal, INSTANCE, jStream,
+    jthr = invokeMethod(env, &jVal, INSTANCE, jStream,
                      interface, "getPos", "()J");
     if (jthr) {
         errno = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
             "hdfsTell: %s#getPos",
-            ((f->type == INPUT) ? "FSDataInputStream" :
+            ((f->type == HDFS_STREAM_INPUT) ? "FSDataInputStream" :
                                  "FSDataOutputStream"));
         return -1;
     }
@@ -1422,6 +1440,8 @@ int hdfsFlush(hdfsFS fs, hdfsFile f)
     // JAVA EQUIVALENT
     //  fos.flush();
 
+    jthrowable jthr;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1430,11 +1450,11 @@ int hdfsFlush(hdfsFS fs, hdfsFile f)
     }
 
     //Sanity check
-    if (!f || f->type != OUTPUT) {
+    if (!f || f->type != HDFS_STREAM_OUTPUT) {
         errno = EBADF;
         return -1;
     }
-    jthrowable jthr = invokeMethod(env, NULL, INSTANCE, f->file, 
+    jthr = invokeMethod(env, NULL, INSTANCE, f->file,
                      HADOOP_OSTRM, "flush", "()V");
     if (jthr) {
         errno = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
@@ -1446,6 +1466,9 @@ int hdfsFlush(hdfsFS fs, hdfsFile f)
 
 int hdfsHFlush(hdfsFS fs, hdfsFile f)
 {
+    jobject jOutputStream;
+    jthrowable jthr;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1454,13 +1477,13 @@ int hdfsHFlush(hdfsFS fs, hdfsFile f)
     }
 
     //Sanity check
-    if (!f || f->type != OUTPUT) {
+    if (!f || f->type != HDFS_STREAM_OUTPUT) {
         errno = EBADF;
         return -1;
     }
 
-    jobject jOutputStream = f->file;
-    jthrowable jthr = invokeMethod(env, NULL, INSTANCE, jOutputStream,
+    jOutputStream = f->file;
+    jthr = invokeMethod(env, NULL, INSTANCE, jOutputStream,
                      HADOOP_OSTRM, "hflush", "()V");
     if (jthr) {
         errno = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
@@ -1472,6 +1495,9 @@ int hdfsHFlush(hdfsFS fs, hdfsFile f)
 
 int hdfsHSync(hdfsFS fs, hdfsFile f)
 {
+    jobject jOutputStream;
+    jthrowable jthr;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1480,13 +1506,13 @@ int hdfsHSync(hdfsFS fs, hdfsFile f)
     }
 
     //Sanity check
-    if (!f || f->type != OUTPUT) {
+    if (!f || f->type != HDFS_STREAM_OUTPUT) {
         errno = EBADF;
         return -1;
     }
 
-    jobject jOutputStream = f->file;
-    jthrowable jthr = invokeMethod(env, NULL, INSTANCE, jOutputStream,
+    jOutputStream = f->file;
+    jthr = invokeMethod(env, NULL, INSTANCE, jOutputStream,
                      HADOOP_OSTRM, "hsync", "()V");
     if (jthr) {
         errno = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
@@ -1501,6 +1527,10 @@ int hdfsAvailable(hdfsFS fs, hdfsFile f)
     // JAVA EQUIVALENT
     //  fis.available();
 
+    jobject jInputStream;
+    jvalue jVal;
+    jthrowable jthr;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1509,15 +1539,14 @@ int hdfsAvailable(hdfsFS fs, hdfsFile f)
     }
 
     //Sanity check
-    if (!f || f->type != INPUT) {
+    if (!f || f->type != HDFS_STREAM_INPUT) {
         errno = EBADF;
         return -1;
     }
 
     //Parameters
-    jobject jInputStream = f->file;
-    jvalue jVal;
-    jthrowable jthr = invokeMethod(env, &jVal, INSTANCE, jInputStream,
+    jInputStream = f->file;
+    jthr = invokeMethod(env, &jVal, INSTANCE, jInputStream,
                      HADOOP_ISTRM, "available", "()I");
     if (jthr) {
         errno = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
@@ -1527,20 +1556,13 @@ int hdfsAvailable(hdfsFS fs, hdfsFile f)
     return jVal.i;
 }
 
-static int hdfsCopyImpl(hdfsFS srcFS, const char* src, hdfsFS dstFS,
-        const char* dst, jboolean deleteSource)
+static int hdfsCopyImpl(hdfsFS srcFS, const char *src, hdfsFS dstFS,
+        const char *dst, jboolean deleteSource)
 {
     //JAVA EQUIVALENT
     //  FileUtil#copy(srcFS, srcPath, dstFS, dstPath,
     //                 deleteSource = false, conf)
 
-    //Get the JNIEnv* corresponding to current thread
-    JNIEnv* env = getJNIEnv();
-    if (env == NULL) {
-      errno = EINTERNAL;
-      return -1;
-    }
-
     //Parameters
     jobject jSrcFS = (jobject)srcFS;
     jobject jDstFS = (jobject)dstFS;
@@ -1549,6 +1571,13 @@ static int hdfsCopyImpl(hdfsFS srcFS, const char* src, hdfsFS dstFS,
     jvalue jVal;
     int ret;
 
+    //Get the JNIEnv* corresponding to current thread
+    JNIEnv* env = getJNIEnv();
+    if (env == NULL) {
+      errno = EINTERNAL;
+      return -1;
+    }
+
     jthr = constructNewObjectOfPath(env, src, &jSrcPath);
     if (jthr) {
         ret = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
@@ -1603,22 +1632,28 @@ done:
     return 0;
 }
 
-int hdfsCopy(hdfsFS srcFS, const char* src, hdfsFS dstFS, const char* dst)
+int hdfsCopy(hdfsFS srcFS, const char *src, hdfsFS dstFS, const char *dst)
 {
     return hdfsCopyImpl(srcFS, src, dstFS, dst, 0);
 }
 
-int hdfsMove(hdfsFS srcFS, const char* src, hdfsFS dstFS, const char* dst)
+int hdfsMove(hdfsFS srcFS, const char *src, hdfsFS dstFS, const char *dst)
 {
     return hdfsCopyImpl(srcFS, src, dstFS, dst, 1);
 }
 
-int hdfsDelete(hdfsFS fs, const char* path, int recursive)
+int hdfsDelete(hdfsFS fs, const char *path, int recursive)
 {
     // JAVA EQUIVALENT:
     //  Path p = new Path(path);
     //  bool retval = fs.delete(p, recursive);
 
+    jobject jFS = (jobject)fs;
+    jthrowable jthr;
+    jobject jPath;
+    jvalue jVal;
+    jboolean jRecursive;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1626,18 +1661,13 @@ int hdfsDelete(hdfsFS fs, const char* path, int recursive)
       return -1;
     }
 
-    jobject jFS = (jobject)fs;
-    jthrowable jthr;
-    jobject jPath;
-    jvalue jVal;
-
     jthr = constructNewObjectOfPath(env, path, &jPath);
     if (jthr) {
         errno = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
             "hdfsDelete(path=%s): constructNewObjectOfPath", path);
         return -1;
     }
-    jboolean jRecursive = recursive ? JNI_TRUE : JNI_FALSE;
+    jRecursive = recursive ? JNI_TRUE : JNI_FALSE;
     jthr = invokeMethod(env, &jVal, INSTANCE, jFS, HADOOP_FS,
                      "delete", "(Lorg/apache/hadoop/fs/Path;Z)Z",
                      jPath, jRecursive);
@@ -1657,13 +1687,19 @@ int hdfsDelete(hdfsFS fs, const char* path, int recursive)
 
 
 
-int hdfsRename(hdfsFS fs, const char* oldPath, const char* newPath)
+int hdfsRename(hdfsFS fs, const char *oldPath, const char *newPath)
 {
     // JAVA EQUIVALENT:
     //  Path old = new Path(oldPath);
     //  Path new = new Path(newPath);
     //  fs.rename(old, new);
 
+    jobject jFS = (jobject)fs;
+    jthrowable jthr;
+    jobject jOldPath = NULL, jNewPath = NULL;
+    int ret = -1;
+    jvalue jVal;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1671,12 +1707,6 @@ int hdfsRename(hdfsFS fs, const char* oldPath, const char* newPath)
       return -1;
     }
 
-    jobject jFS = (jobject)fs;
-    jthrowable jthr;
-    jobject jOldPath = NULL, jNewPath = NULL;
-    int ret = -1;
-    jvalue jVal;
-
     jthr = constructNewObjectOfPath(env, oldPath, &jOldPath );
     if (jthr) {
         errno = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
@@ -1721,13 +1751,6 @@ char* hdfsGetWorkingDirectory(hdfsFS fs, char* buffer, size_t bufferSize)
     //  Path p = fs.getWorkingDirectory(); 
     //  return p.toString()
 
-    //Get the JNIEnv* corresponding to current thread
-    JNIEnv* env = getJNIEnv();
-    if (env == NULL) {
-      errno = EINTERNAL;
-      return NULL;
-    }
-
     jobject jPath = NULL;
     jstring jPathString = NULL;
     jobject jFS = (jobject)fs;
@@ -1736,6 +1759,13 @@ char* hdfsGetWorkingDirectory(hdfsFS fs, char* buffer, size_t bufferSize)
     int ret;
     const char *jPathChars = NULL;
 
+    //Get the JNIEnv* corresponding to current thread
+    JNIEnv* env = getJNIEnv();
+    if (env == NULL) {
+      errno = EINTERNAL;
+      return NULL;
+    }
+
     //FileSystem#getWorkingDirectory()
     jthr = invokeMethod(env, &jVal, INSTANCE, jFS,
                      HADOOP_FS, "getWorkingDirectory",
@@ -1794,11 +1824,15 @@ done:
 
 
 
-int hdfsSetWorkingDirectory(hdfsFS fs, const char* path)
+int hdfsSetWorkingDirectory(hdfsFS fs, const char *path)
 {
     // JAVA EQUIVALENT:
     //  fs.setWorkingDirectory(Path(path)); 
 
+    jobject jFS = (jobject)fs;
+    jthrowable jthr;
+    jobject jPath;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1806,10 +1840,6 @@ int hdfsSetWorkingDirectory(hdfsFS fs, const char* path)
       return -1;
     }
 
-    jobject jFS = (jobject)fs;
-    jthrowable jthr;
-    jobject jPath;
-
     //Create an object of org.apache.hadoop.fs.Path
     jthr = constructNewObjectOfPath(env, path, &jPath);
     if (jthr) {
@@ -1835,11 +1865,16 @@ int hdfsSetWorkingDirectory(hdfsFS fs, const char* path)
 
 
 
-int hdfsCreateDirectory(hdfsFS fs, const char* path)
+int hdfsCreateDirectory(hdfsFS fs, const char *path)
 {
     // JAVA EQUIVALENT:
     //  fs.mkdirs(new Path(path));
 
+    jobject jFS = (jobject)fs;
+    jobject jPath;
+    jthrowable jthr;
+    jvalue jVal;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1847,10 +1882,6 @@ int hdfsCreateDirectory(hdfsFS fs, const char* path)
       return -1;
     }
 
-    jobject jFS = (jobject)fs;
-    jobject jPath;
-    jthrowable jthr;
-
     //Create an object of org.apache.hadoop.fs.Path
     jthr = constructNewObjectOfPath(env, path, &jPath);
     if (jthr) {
@@ -1860,7 +1891,6 @@ int hdfsCreateDirectory(hdfsFS fs, const char* path)
     }
 
     //Create the directory
-    jvalue jVal;
     jVal.z = 0;
     jthr = invokeMethod(env, &jVal, INSTANCE, jFS, HADOOP_FS,
                      "mkdirs", "(Lorg/apache/hadoop/fs/Path;)Z",
@@ -1886,11 +1916,16 @@ int hdfsCreateDirectory(hdfsFS fs, const char* path)
 }
 
 
-int hdfsSetReplication(hdfsFS fs, const char* path, int16_t replication)
+int hdfsSetReplication(hdfsFS fs, const char *path, int16_t replication)
 {
     // JAVA EQUIVALENT:
     //  fs.setReplication(new Path(path), replication);
 
+    jobject jFS = (jobject)fs;
+    jthrowable jthr;
+    jobject jPath;
+    jvalue jVal;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1898,11 +1933,7 @@ int hdfsSetReplication(hdfsFS fs, const char* path, int16_t replication)
       return -1;
     }
 
-    jobject jFS = (jobject)fs;
-    jthrowable jthr;
-
     //Create an object of org.apache.hadoop.fs.Path
-    jobject jPath;
     jthr = constructNewObjectOfPath(env, path, &jPath);
     if (jthr) {
         errno = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
@@ -1911,7 +1942,6 @@ int hdfsSetReplication(hdfsFS fs, const char* path, int16_t replication)
     }
 
     //Create the directory
-    jvalue jVal;
     jthr = invokeMethod(env, &jVal, INSTANCE, jFS, HADOOP_FS,
                      "setReplication", "(Lorg/apache/hadoop/fs/Path;S)Z",
                      jPath, replication);
@@ -1932,11 +1962,17 @@ int hdfsSetReplication(hdfsFS fs, const char* path, int16_t replication)
     return 0;
 }
 
-int hdfsChown(hdfsFS fs, const char* path, const char *owner, const char *group)
+int hdfsChown(hdfsFS fs, const char *path, const char *owner, const char *group)
 {
     // JAVA EQUIVALENT:
     //  fs.setOwner(path, owner, group)
 
+    jobject jFS = (jobject)fs;
+    jobject jPath = NULL;
+    jstring jOwner = NULL, jGroup = NULL;
+    jthrowable jthr;
+    int ret;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -1948,12 +1984,6 @@ int hdfsChown(hdfsFS fs, const char* path, const char *owner, const char *group)
       return 0;
     }
 
-    jobject jFS = (jobject)fs;
-    jobject jPath = NULL;
-    jstring jOwner = NULL, jGroup = NULL;
-    jthrowable jthr;
-    int ret;
-
     jthr = constructNewObjectOfPath(env, path, &jPath);
     if (jthr) {
         ret = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
@@ -2001,12 +2031,17 @@ done:
     return 0;
 }
 
-int hdfsChmod(hdfsFS fs, const char* path, short mode)
+int hdfsChmod(hdfsFS fs, const char *path, short mode)
 {
     int ret;
     // JAVA EQUIVALENT:
     //  fs.setPermission(path, FsPermission)
 
+    jthrowable jthr;
+    jobject jPath = NULL, jPermObj = NULL;
+    jobject jFS = (jobject)fs;
+    jshort jmode = mode;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -2014,12 +2049,7 @@ int hdfsChmod(hdfsFS fs, const char* path, short mode)
       return -1;
     }
 
-    jthrowable jthr;
-    jobject jPath = NULL, jPermObj = NULL;
-    jobject jFS = (jobject)fs;
-
     // construct jPerm = FsPermission.createImmutable(short mode);
-    jshort jmode = mode;
     jthr = constructNewObjectOfClass(env, &jPermObj,
                 HADOOP_FSPERM,"(S)V",jmode);
     if (jthr) {
@@ -2061,11 +2091,16 @@ done:
     return 0;
 }
 
-int hdfsUtime(hdfsFS fs, const char* path, tTime mtime, tTime atime)
+int hdfsUtime(hdfsFS fs, const char *path, tTime mtime, tTime atime)
 {
     // JAVA EQUIVALENT:
     //  fs.setTimes(src, mtime, atime)
+
     jthrowable jthr;
+    jobject jFS = (jobject)fs;
+    jobject jPath;
+    static const tTime NO_CHANGE = -1;
+    jlong jmtime, jatime;
 
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
@@ -2074,10 +2109,7 @@ int hdfsUtime(hdfsFS fs, const char* path, tTime mtime, tTime atime)
       return -1;
     }
 
-    jobject jFS = (jobject)fs;
-
     //Create an object of org.apache.hadoop.fs.Path
-    jobject jPath;
     jthr = constructNewObjectOfPath(env, path, &jPath);
     if (jthr) {
         errno = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
@@ -2085,9 +2117,8 @@ int hdfsUtime(hdfsFS fs, const char* path, tTime mtime, tTime atime)
         return -1;
     }
 
-    const tTime NO_CHANGE = -1;
-    jlong jmtime = (mtime == NO_CHANGE) ? -1 : (mtime * (jlong)1000);
-    jlong jatime = (atime == NO_CHANGE) ? -1 : (atime * (jlong)1000);
+    jmtime = (mtime == NO_CHANGE) ? -1 : (mtime * (jlong)1000);
+    jatime = (atime == NO_CHANGE) ? -1 : (atime * (jlong)1000);
 
     jthr = invokeMethod(env, NULL, INSTANCE, jFS, HADOOP_FS,
             "setTimes", JMETHOD3(JPARAM(HADOOP_PATH), "J", "J", JAVA_VOID),
@@ -2397,7 +2428,7 @@ struct hadoopRzBuffer* hadoopReadZero(hdfsFile file,
         errno = EINTERNAL;
         return NULL;
     }
-    if (file->type != INPUT) {
+    if (file->type != HDFS_STREAM_INPUT) {
         fputs("Cannot read from a non-InputStream object!\n", stderr);
         ret = EINVAL;
         goto done;
@@ -2495,10 +2526,12 @@ void hadoopRzBufferFree(hdfsFile file, struct hadoopRzBuffer *buffer)
 }
 
 char***
-hdfsGetHosts(hdfsFS fs, const char* path, tOffset start, tOffset length)
+hdfsGetHosts(hdfsFS fs, const char *path, tOffset start, tOffset length)
 {
     // JAVA EQUIVALENT:
     //  fs.getFileBlockLoctions(new Path(path), start, length);
+
+    jobject jFS = (jobject)fs;
     jthrowable jthr;
     jobject jPath = NULL;
     jobject jFileStatus = NULL;
@@ -2508,6 +2541,9 @@ hdfsGetHosts(hdfsFS fs, const char* path, tOffset start, tOffset length)
     char*** blockHosts = NULL;
     int i, j, ret;
     jsize jNumFileBlocks = 0;
+    jobject jFileBlock;
+    jsize jNumBlockHosts;
+    const char *hostName;
 
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
@@ -2516,8 +2552,6 @@ hdfsGetHosts(hdfsFS fs, const char* path, tOffset start, tOffset length)
       return NULL;
     }
 
-    jobject jFS = (jobject)fs;
-
     //Create an object of org.apache.hadoop.fs.Path
     jthr = constructNewObjectOfPath(env, path, &jPath);
     if (jthr) {
@@ -2567,7 +2601,7 @@ hdfsGetHosts(hdfsFS fs, const char* path, tOffset start, tOffset length)
 
     //Now parse each block to get hostnames
     for (i = 0; i < jNumFileBlocks; ++i) {
-        jobject jFileBlock =
+        jFileBlock =
             (*env)->GetObjectArrayElement(env, jBlockLocations, i);
         if (!jFileBlock) {
             ret = printPendingExceptionAndFree(env, PRINT_EXC_ALL,
@@ -2593,7 +2627,7 @@ hdfsGetHosts(hdfsFS fs, const char* path, tOffset start, tOffset length)
             goto done;
         }
         //Figure out no of hosts in jFileBlockHosts, and allocate the memory
-        jsize jNumBlockHosts = (*env)->GetArrayLength(env, jFileBlockHosts);
+        jNumBlockHosts = (*env)->GetArrayLength(env, jFileBlockHosts);
         blockHosts[i] = calloc(jNumBlockHosts + 1, sizeof(char*));
         if (!blockHosts[i]) {
             ret = ENOMEM;
@@ -2601,7 +2635,6 @@ hdfsGetHosts(hdfsFS fs, const char* path, tOffset start, tOffset length)
         }
 
         //Now parse each hostname
-        const char *hostName;
         for (j = 0; j < jNumBlockHosts; ++j) {
             jHost = (*env)->GetObjectArrayElement(env, jFileBlockHosts, j);
             if (!jHost) {
@@ -2669,6 +2702,10 @@ tOffset hdfsGetDefaultBlockSize(hdfsFS fs)
     // JAVA EQUIVALENT:
     //  fs.getDefaultBlockSize();
 
+    jobject jFS = (jobject)fs;
+    jvalue jVal;
+    jthrowable jthr;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -2676,11 +2713,7 @@ tOffset hdfsGetDefaultBlockSize(hdfsFS fs)
       return -1;
     }
 
-    jobject jFS = (jobject)fs;
-
     //FileSystem#getDefaultBlockSize()
-    jvalue jVal;
-    jthrowable jthr;
     jthr = invokeMethod(env, &jVal, INSTANCE, jFS, HADOOP_FS,
                      "getDefaultBlockSize", "()J");
     if (jthr) {
@@ -2732,6 +2765,11 @@ tOffset hdfsGetCapacity(hdfsFS fs)
     //  FsStatus fss = fs.getStatus();
     //  return Fss.getCapacity();
 
+    jobject jFS = (jobject)fs;
+    jvalue  jVal;
+    jthrowable jthr;
+    jobject fss;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -2739,11 +2777,7 @@ tOffset hdfsGetCapacity(hdfsFS fs)
       return -1;
     }
 
-    jobject jFS = (jobject)fs;
-
     //FileSystem#getStatus
-    jvalue  jVal;
-    jthrowable jthr;
     jthr = invokeMethod(env, &jVal, INSTANCE, jFS, HADOOP_FS,
                      "getStatus", "()Lorg/apache/hadoop/fs/FsStatus;");
     if (jthr) {
@@ -2751,7 +2785,7 @@ tOffset hdfsGetCapacity(hdfsFS fs)
             "hdfsGetCapacity: FileSystem#getStatus");
         return -1;
     }
-    jobject fss = (jobject)jVal.l;
+    fss = (jobject)jVal.l;
     jthr = invokeMethod(env, &jVal, INSTANCE, fss, HADOOP_FSSTATUS,
                      "getCapacity", "()J");
     destroyLocalReference(env, fss);
@@ -2771,6 +2805,11 @@ tOffset hdfsGetUsed(hdfsFS fs)
     //  FsStatus fss = fs.getStatus();
     //  return Fss.getUsed();
 
+    jobject jFS = (jobject)fs;
+    jvalue  jVal;
+    jthrowable jthr;
+    jobject fss;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -2778,11 +2817,7 @@ tOffset hdfsGetUsed(hdfsFS fs)
       return -1;
     }
 
-    jobject jFS = (jobject)fs;
-
     //FileSystem#getStatus
-    jvalue  jVal;
-    jthrowable jthr;
     jthr = invokeMethod(env, &jVal, INSTANCE, jFS, HADOOP_FS,
                      "getStatus", "()Lorg/apache/hadoop/fs/FsStatus;");
     if (jthr) {
@@ -2790,7 +2825,7 @@ tOffset hdfsGetUsed(hdfsFS fs)
             "hdfsGetUsed: FileSystem#getStatus");
         return -1;
     }
-    jobject fss = (jobject)jVal.l;
+    fss = (jobject)jVal.l;
     jthr = invokeMethod(env, &jVal, INSTANCE, fss, HADOOP_FSSTATUS,
                      "getUsed", "()J");
     destroyLocalReference(env, fss);
@@ -2814,6 +2849,9 @@ getFileInfoFromStat(JNIEnv *env, jobject jStat, hdfsFileInfo *fileInfo)
     jstring jUserName = NULL;
     jstring jGroupName = NULL;
     jobject jPermission = NULL;
+    const char *cPathName;
+    const char *cUserName;
+    const char *cGroupName;
 
     jthr = invokeMethod(env, &jVal, INSTANCE, jStat,
                      HADOOP_STAT, "isDir", "()Z");
@@ -2869,7 +2907,7 @@ getFileInfoFromStat(JNIEnv *env, jobject jStat, hdfsFileInfo *fileInfo)
     if (jthr)
         goto done;
     jPathName = jVal.l;
-    const char *cPathName = 
+    cPathName =
         (const char*) ((*env)->GetStringUTFChars(env, jPathName, NULL));
     if (!cPathName) {
         jthr = getPendingExceptionAndClear(env);
@@ -2882,7 +2920,7 @@ getFileInfoFromStat(JNIEnv *env, jobject jStat, hdfsFileInfo *fileInfo)
     if (jthr)
         goto done;
     jUserName = jVal.l;
-    const char* cUserName = 
+    cUserName =
         (const char*) ((*env)->GetStringUTFChars(env, jUserName, NULL));
     if (!cUserName) {
         jthr = getPendingExceptionAndClear(env);
@@ -2891,7 +2929,6 @@ getFileInfoFromStat(JNIEnv *env, jobject jStat, hdfsFileInfo *fileInfo)
     fileInfo->mOwner = strdup(cUserName);
     (*env)->ReleaseStringUTFChars(env, jUserName, cUserName);
 
-    const char* cGroupName;
     jthr = invokeMethod(env, &jVal, INSTANCE, jStat, HADOOP_STAT,
                     "getGroup", "()Ljava/lang/String;");
     if (jthr)
@@ -2978,13 +3015,15 @@ getFileInfo(JNIEnv *env, jobject jFS, jobject jPath, hdfsFileInfo **fileInfo)
 
 
 
-hdfsFileInfo* hdfsListDirectory(hdfsFS fs, const char* path, int *numEntries)
+hdfsFileInfo* hdfsListDirectory(hdfsFS fs, const char *path, int *numEntries)
 {
     // JAVA EQUIVALENT:
     //  Path p(path);
     //  Path []pathList = fs.listPaths(p)
     //  foreach path in pathList 
     //    getFileInfo(path)
+
+    jobject jFS = (jobject)fs;
     jthrowable jthr;
     jobject jPath = NULL;
     hdfsFileInfo *pathList = NULL; 
@@ -2992,6 +3031,8 @@ hdfsFileInfo* hdfsListDirectory(hdfsFS fs, const char* path, int *numEntries)
     jvalue jVal;
     jsize jPathListSize = 0;
     int ret;
+    jsize i;
+    jobject tmpStat;
 
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
@@ -3000,8 +3041,6 @@ hdfsFileInfo* hdfsListDirectory(hdfsFS fs, const char* path, int *numEntries)
       return NULL;
     }
 
-    jobject jFS = (jobject)fs;
-
     //Create an object of org.apache.hadoop.fs.Path
     jthr = constructNewObjectOfPath(env, path, &jPath);
     if (jthr) {
@@ -3037,8 +3076,6 @@ hdfsFileInfo* hdfsListDirectory(hdfsFS fs, const char* path, int *numEntries)
     }
 
     //Save path information in pathList
-    jsize i;
-    jobject tmpStat;
     for (i=0; i < jPathListSize; ++i) {
         tmpStat = (*env)->GetObjectArrayElement(env, jPathList, i);
         if (!tmpStat) {
@@ -3073,7 +3110,7 @@ done:
 
 
 
-hdfsFileInfo *hdfsGetPathInfo(hdfsFS fs, const char* path)
+hdfsFileInfo *hdfsGetPathInfo(hdfsFS fs, const char *path)
 {
     // JAVA EQUIVALENT:
     //  File f(path);
@@ -3082,6 +3119,11 @@ hdfsFileInfo *hdfsGetPathInfo(hdfsFS fs, const char* path)
     //  fs.getLength(f)
     //  f.getPath()
 
+    jobject jFS = (jobject)fs;
+    jobject jPath;
+    jthrowable jthr;
+    hdfsFileInfo *fileInfo;
+
     //Get the JNIEnv* corresponding to current thread
     JNIEnv* env = getJNIEnv();
     if (env == NULL) {
@@ -3089,17 +3131,13 @@ hdfsFileInfo *hdfsGetPathInfo(hdfsFS fs, const char* path)
       return NULL;
     }
 
-    jobject jFS = (jobject)fs;
-
     //Create an object of org.apache.hadoop.fs.Path
-    jobject jPath;
-    jthrowable jthr = constructNewObjectOfPath(env, path, &jPath);
+    jthr = constructNewObjectOfPath(env, path, &jPath);
     if (jthr) {
         errno = printExceptionAndFree(env, jthr, PRINT_EXC_ALL,
             "hdfsGetPathInfo(%s): constructNewObjectOfPath", path);
         return NULL;
     }
-    hdfsFileInfo *fileInfo;
     jthr = getFileInfo(env, jFS, jPath, &fileInfo);
     destroyLocalReference(env, jPath);
     if (jthr) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/jni_helper.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/jni_helper.c
index 878289f96d1..50d968169cf 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/jni_helper.c
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/jni_helper.c
@@ -19,20 +19,18 @@
 #include "config.h"
 #include "exception.h"
 #include "jni_helper.h"
+#include "platform.h"
+#include "common/htable.h"
+#include "os/mutexes.h"
+#include "os/thread_local_storage.h"
 
 #include <stdio.h> 
 #include <string.h> 
 
-static pthread_mutex_t hdfsHashMutex = PTHREAD_MUTEX_INITIALIZER;
-static pthread_mutex_t jvmMutex = PTHREAD_MUTEX_INITIALIZER;
-static volatile int hashTableInited = 0;
-
-#define LOCK_HASH_TABLE() pthread_mutex_lock(&hdfsHashMutex)
-#define UNLOCK_HASH_TABLE() pthread_mutex_unlock(&hdfsHashMutex)
-
+static struct htable *gClassRefHTable = NULL;
 
 /** The Native return types that methods could return */
-#define VOID          'V'
+#define JVOID         'V'
 #define JOBJECT       'L'
 #define JARRAYOBJECT  '['
 #define JBOOLEAN      'Z'
@@ -51,40 +49,10 @@ static volatile int hashTableInited = 0;
  */
 #define MAX_HASH_TABLE_ELEM 4096
 
-/** Key that allows us to retrieve thread-local storage */
-static pthread_key_t gTlsKey;
-
-/** nonzero if we succeeded in initializing gTlsKey. Protected by the jvmMutex */
-static int gTlsKeyInitialized = 0;
-
-/** Pthreads thread-local storage for each library thread. */
-struct hdfsTls {
-    JNIEnv *env;
-};
-
 /**
- * The function that is called whenever a thread with libhdfs thread local data
- * is destroyed.
- *
- * @param v         The thread-local data
+ * Length of buffer for retrieving created JVMs.  (We only ever create one.)
  */
-static void hdfsThreadDestructor(void *v)
-{
-    struct hdfsTls *tls = v;
-    JavaVM *vm;
-    JNIEnv *env = tls->env;
-    jint ret;
-
-    ret = (*env)->GetJavaVM(env, &vm);
-    if (ret) {
-        fprintf(stderr, "hdfsThreadDestructor: GetJavaVM failed with "
-                "error %d\n", ret);
-        (*env)->ExceptionDescribe(env);
-    } else {
-        (*vm)->DetachCurrentThread(vm);
-    }
-    free(tls);
-}
+#define VM_BUF_LENGTH 1
 
 void destroyLocalReference(JNIEnv *env, jobject jObject)
 {
@@ -138,67 +106,6 @@ jthrowable newCStr(JNIEnv *env, jstring jstr, char **out)
     return NULL;
 }
 
-static int hashTableInit(void)
-{
-    if (!hashTableInited) {
-        LOCK_HASH_TABLE();
-        if (!hashTableInited) {
-            if (hcreate(MAX_HASH_TABLE_ELEM) == 0) {
-                fprintf(stderr, "error creating hashtable, <%d>: %s\n",
-                        errno, strerror(errno));
-                UNLOCK_HASH_TABLE();
-                return 0;
-            } 
-            hashTableInited = 1;
-        }
-        UNLOCK_HASH_TABLE();
-    }
-    return 1;
-}
-
-
-static int insertEntryIntoTable(const char *key, void *data)
-{
-    ENTRY e, *ep;
-    if (key == NULL || data == NULL) {
-        return 0;
-    }
-    if (! hashTableInit()) {
-      return -1;
-    }
-    e.data = data;
-    e.key = (char*)key;
-    LOCK_HASH_TABLE();
-    ep = hsearch(e, ENTER);
-    UNLOCK_HASH_TABLE();
-    if (ep == NULL) {
-        fprintf(stderr, "warn adding key (%s) to hash table, <%d>: %s\n",
-                key, errno, strerror(errno));
-    }  
-    return 0;
-}
-
-
-
-static void* searchEntryFromTable(const char *key)
-{
-    ENTRY e,*ep;
-    if (key == NULL) {
-        return NULL;
-    }
-    hashTableInit();
-    e.key = (char*)key;
-    LOCK_HASH_TABLE();
-    ep = hsearch(e, FIND);
-    UNLOCK_HASH_TABLE();
-    if (ep != NULL) {
-        return ep->data;
-    }
-    return NULL;
-}
-
-
-
 jthrowable invokeMethod(JNIEnv *env, jvalue *retval, MethType methType,
                  jobject instObj, const char *className,
                  const char *methName, const char *methSignature, ...)
@@ -235,7 +142,7 @@ jthrowable invokeMethod(JNIEnv *env, jvalue *retval, MethType methType,
         }
         retval->l = jobj;
     }
-    else if (returnType == VOID) {
+    else if (returnType == JVOID) {
         if (methType == STATIC) {
             (*env)->CallStaticVoidMethodV(env, cls, mid, args);
         }
@@ -325,11 +232,11 @@ jthrowable methodIdFromClass(const char *className, const char *methName,
 {
     jclass cls;
     jthrowable jthr;
+    jmethodID mid = 0;
 
     jthr = globalClassReference(className, env, &cls);
     if (jthr)
         return jthr;
-    jmethodID mid = 0;
     jthr = validateMethodType(env, methType);
     if (jthr)
         return jthr;
@@ -350,25 +257,50 @@ jthrowable methodIdFromClass(const char *className, const char *methName,
 
 jthrowable globalClassReference(const char *className, JNIEnv *env, jclass *out)
 {
-    jclass clsLocalRef;
-    jclass cls = searchEntryFromTable(className);
-    if (cls) {
-        *out = cls;
-        return NULL;
+    jthrowable jthr = NULL;
+    jclass local_clazz = NULL;
+    jclass clazz = NULL;
+    int ret;
+
+    mutexLock(&hdfsHashMutex);
+    if (!gClassRefHTable) {
+        gClassRefHTable = htable_alloc(MAX_HASH_TABLE_ELEM, ht_hash_string,
+            ht_compare_string);
+        if (!gClassRefHTable) {
+            jthr = newRuntimeError(env, "htable_alloc failed\n");
+            goto done;
+        }
     }
-    clsLocalRef = (*env)->FindClass(env,className);
-    if (clsLocalRef == NULL) {
-        return getPendingExceptionAndClear(env);
+    clazz = htable_get(gClassRefHTable, className);
+    if (clazz) {
+        *out = clazz;
+        goto done;
     }
-    cls = (*env)->NewGlobalRef(env, clsLocalRef);
-    if (cls == NULL) {
-        (*env)->DeleteLocalRef(env, clsLocalRef);
-        return getPendingExceptionAndClear(env);
+    local_clazz = (*env)->FindClass(env,className);
+    if (!local_clazz) {
+        jthr = getPendingExceptionAndClear(env);
+        goto done;
     }
-    (*env)->DeleteLocalRef(env, clsLocalRef);
-    insertEntryIntoTable(className, cls);
-    *out = cls;
-    return NULL;
+    clazz = (*env)->NewGlobalRef(env, local_clazz);
+    if (!clazz) {
+        jthr = getPendingExceptionAndClear(env);
+        goto done;
+    }
+    ret = htable_put(gClassRefHTable, (void*)className, clazz);
+    if (ret) {
+        jthr = newRuntimeError(env, "htable_put failed with error "
+                               "code %d\n", ret);
+        goto done;
+    }
+    *out = clazz;
+    jthr = NULL;
+done:
+    mutexUnlock(&hdfsHashMutex);
+    (*env)->DeleteLocalRef(env, local_clazz);
+    if (jthr && clazz) {
+        (*env)->DeleteGlobalRef(env, clazz);
+    }
+    return jthr;
 }
 
 jthrowable classNameOfObject(jobject jobj, JNIEnv *env, char **name)
@@ -436,14 +368,24 @@ done:
  */
 static JNIEnv* getGlobalJNIEnv(void)
 {
-    const jsize vmBufLength = 1;
-    JavaVM* vmBuf[vmBufLength]; 
+    JavaVM* vmBuf[VM_BUF_LENGTH]; 
     JNIEnv *env;
     jint rv = 0; 
     jint noVMs = 0;
     jthrowable jthr;
+    char *hadoopClassPath;
+    const char *hadoopClassPathVMArg = "-Djava.class.path=";
+    size_t optHadoopClassPathLen;
+    char *optHadoopClassPath;
+    int noArgs = 1;
+    char *hadoopJvmArgs;
+    char jvmArgDelims[] = " ";
+    char *str, *token, *savePtr;
+    JavaVMInitArgs vm_args;
+    JavaVM *vm;
+    JavaVMOption *options;
 
-    rv = JNI_GetCreatedJavaVMs(&(vmBuf[0]), vmBufLength, &noVMs);
+    rv = JNI_GetCreatedJavaVMs(&(vmBuf[0]), VM_BUF_LENGTH, &noVMs);
     if (rv != 0) {
         fprintf(stderr, "JNI_GetCreatedJavaVMs failed with error: %d\n", rv);
         return NULL;
@@ -451,23 +393,19 @@ static JNIEnv* getGlobalJNIEnv(void)
 
     if (noVMs == 0) {
         //Get the environment variables for initializing the JVM
-        char *hadoopClassPath = getenv("CLASSPATH");
+        hadoopClassPath = getenv("CLASSPATH");
         if (hadoopClassPath == NULL) {
             fprintf(stderr, "Environment variable CLASSPATH not set!\n");
             return NULL;
         } 
-        char *hadoopClassPathVMArg = "-Djava.class.path=";
-        size_t optHadoopClassPathLen = strlen(hadoopClassPath) + 
+        optHadoopClassPathLen = strlen(hadoopClassPath) + 
           strlen(hadoopClassPathVMArg) + 1;
-        char *optHadoopClassPath = malloc(sizeof(char)*optHadoopClassPathLen);
+        optHadoopClassPath = malloc(sizeof(char)*optHadoopClassPathLen);
         snprintf(optHadoopClassPath, optHadoopClassPathLen,
                 "%s%s", hadoopClassPathVMArg, hadoopClassPath);
 
         // Determine the # of LIBHDFS_OPTS args
-        int noArgs = 1;
-        char *hadoopJvmArgs = getenv("LIBHDFS_OPTS");
-        char jvmArgDelims[] = " ";
-        char *str, *token, *savePtr;
+        hadoopJvmArgs = getenv("LIBHDFS_OPTS");
         if (hadoopJvmArgs != NULL)  {
           hadoopJvmArgs = strdup(hadoopJvmArgs);
           for (noArgs = 1, str = hadoopJvmArgs; ; noArgs++, str = NULL) {
@@ -480,7 +418,12 @@ static JNIEnv* getGlobalJNIEnv(void)
         }
 
         // Now that we know the # args, populate the options array
-        JavaVMOption options[noArgs];
+        options = calloc(noArgs, sizeof(JavaVMOption));
+        if (!options) {
+          fputs("Call to calloc failed\n", stderr);
+          free(optHadoopClassPath);
+          return NULL;
+        }
         options[0].optionString = optHadoopClassPath;
         hadoopJvmArgs = getenv("LIBHDFS_OPTS");
 	if (hadoopJvmArgs != NULL)  {
@@ -495,8 +438,6 @@ static JNIEnv* getGlobalJNIEnv(void)
         }
 
         //Create the VM
-        JavaVMInitArgs vm_args;
-        JavaVM *vm;
         vm_args.version = JNI_VERSION_1_2;
         vm_args.options = options;
         vm_args.nOptions = noArgs; 
@@ -508,6 +449,7 @@ static JNIEnv* getGlobalJNIEnv(void)
           free(hadoopJvmArgs);
         }
         free(optHadoopClassPath);
+        free(options);
 
         if (rv != 0) {
             fprintf(stderr, "Call to JNI_CreateJavaVM failed "
@@ -523,7 +465,7 @@ static JNIEnv* getGlobalJNIEnv(void)
     }
     else {
         //Attach this thread to the VM
-        JavaVM* vm = vmBuf[0];
+        vm = vmBuf[0];
         rv = (*vm)->AttachCurrentThread(vm, (void*)&env, 0);
         if (rv != 0) {
             fprintf(stderr, "Call to AttachCurrentThread "
@@ -557,54 +499,27 @@ static JNIEnv* getGlobalJNIEnv(void)
 JNIEnv* getJNIEnv(void)
 {
     JNIEnv *env;
-    struct hdfsTls *tls;
-    int ret;
-
-#ifdef HAVE_BETTER_TLS
-    static __thread struct hdfsTls *quickTls = NULL;
-    if (quickTls)
-        return quickTls->env;
-#endif
-    pthread_mutex_lock(&jvmMutex);
-    if (!gTlsKeyInitialized) {
-        ret = pthread_key_create(&gTlsKey, hdfsThreadDestructor);
-        if (ret) {
-            pthread_mutex_unlock(&jvmMutex);
-            fprintf(stderr, "getJNIEnv: pthread_key_create failed with "
-                "error %d\n", ret);
-            return NULL;
-        }
-        gTlsKeyInitialized = 1;
+    THREAD_LOCAL_STORAGE_GET_QUICK();
+    mutexLock(&jvmMutex);
+    if (threadLocalStorageGet(&env)) {
+      mutexUnlock(&jvmMutex);
+      return NULL;
     }
-    tls = pthread_getspecific(gTlsKey);
-    if (tls) {
-        pthread_mutex_unlock(&jvmMutex);
-        return tls->env;
+    if (env) {
+      mutexUnlock(&jvmMutex);
+      return env;
     }
 
     env = getGlobalJNIEnv();
-    pthread_mutex_unlock(&jvmMutex);
+    mutexUnlock(&jvmMutex);
     if (!env) {
-        fprintf(stderr, "getJNIEnv: getGlobalJNIEnv failed\n");
-        return NULL;
+      fprintf(stderr, "getJNIEnv: getGlobalJNIEnv failed\n");
+      return NULL;
     }
-    tls = calloc(1, sizeof(struct hdfsTls));
-    if (!tls) {
-        fprintf(stderr, "getJNIEnv: OOM allocating %zd bytes\n",
-                sizeof(struct hdfsTls));
-        return NULL;
+    if (threadLocalStorageSet(env)) {
+      return NULL;
     }
-    tls->env = env;
-    ret = pthread_setspecific(gTlsKey, tls);
-    if (ret) {
-        fprintf(stderr, "getJNIEnv: pthread_setspecific failed with "
-            "error code %d\n", ret);
-        hdfsThreadDestructor(tls);
-        return NULL;
-    }
-#ifdef HAVE_BETTER_TLS
-    quickTls = tls;
-#endif
+    THREAD_LOCAL_STORAGE_SET_QUICK(env);
     return env;
 }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/jni_helper.h b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/jni_helper.h
index c09f6a38cbb..90accc7c9c3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/jni_helper.h
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/jni_helper.h
@@ -24,8 +24,6 @@
 
 #include <stdlib.h>
 #include <stdarg.h>
-#include <search.h>
-#include <pthread.h>
 #include <errno.h>
 
 #define PATH_SEPARATOR ':'
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/native_mini_dfs.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/native_mini_dfs.c
index 77e2f0766d9..2c42fa5f204 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/native_mini_dfs.c
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/native_mini_dfs.c
@@ -21,6 +21,7 @@
 #include "hdfs_test.h"
 #include "jni_helper.h"
 #include "native_mini_dfs.h"
+#include "platform.h"
 
 #include <errno.h>
 #include <jni.h>
@@ -347,10 +348,11 @@ error_dlr_nn:
 int nmdConfigureHdfsBuilder(struct NativeMiniDfsCluster *cl,
                             struct hdfsBuilder *bld)
 {
-    int port, ret;
+    int ret;
+    tPort port;
 
     hdfsBuilderSetNameNode(bld, "localhost");
-    port = nmdGetNameNodePort(cl);
+    port = (tPort)nmdGetNameNodePort(cl);
     if (port < 0) {
       fprintf(stderr, "nmdGetNameNodePort failed with error %d\n", -port);
       return EIO;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/mutexes.h b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/mutexes.h
new file mode 100644
index 00000000000..da30bf4974f
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/mutexes.h
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef LIBHDFS_MUTEXES_H
+#define LIBHDFS_MUTEXES_H
+
+/*
+ * Defines abstraction over platform-specific mutexes.  libhdfs has no formal
+ * initialization function that users would call from a single-threaded context
+ * to initialize the library.  This creates a challenge for bootstrapping the
+ * mutexes.  To address this, all required mutexes are pre-defined here with
+ * external storage.  Platform-specific implementations must guarantee that the
+ * mutexes are initialized via static initialization.
+ */
+
+#include "platform.h"
+
+/** Mutex protecting the class reference hash table. */
+extern mutex hdfsHashMutex;
+
+/** Mutex protecting singleton JVM instance. */
+extern mutex jvmMutex;
+
+/**
+ * Locks a mutex.
+ *
+ * @param m mutex
+ * @return 0 if successful, non-zero otherwise
+ */
+int mutexLock(mutex *m);
+
+/**
+ * Unlocks a mutex.
+ *
+ * @param m mutex
+ * @return 0 if successful, non-zero otherwise
+ */
+int mutexUnlock(mutex *m);
+
+#endif
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/mutexes.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/mutexes.c
new file mode 100644
index 00000000000..c4c2f262135
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/mutexes.c
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "os/mutexes.h"
+
+#include <pthread.h>
+#include <stdio.h>
+
+mutex hdfsHashMutex = PTHREAD_MUTEX_INITIALIZER;
+mutex jvmMutex = PTHREAD_MUTEX_INITIALIZER;
+
+int mutexLock(mutex *m) {
+  int ret = pthread_mutex_lock(m);
+  if (ret) {
+    fprintf(stderr, "mutexLock: pthread_mutex_lock failed with error %d\n",
+      ret);
+  }
+  return ret;
+}
+
+int mutexUnlock(mutex *m) {
+  int ret = pthread_mutex_unlock(m);
+  if (ret) {
+    fprintf(stderr, "mutexUnlock: pthread_mutex_unlock failed with error %d\n",
+      ret);
+  }
+  return ret;
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/platform.h b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/platform.h
new file mode 100644
index 00000000000..c63bbf9e0e0
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/platform.h
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef LIBHDFS_PLATFORM_H
+#define LIBHDFS_PLATFORM_H
+
+#include <pthread.h>
+
+/* Use gcc type-checked format arguments. */
+#define TYPE_CHECKED_PRINTF_FORMAT(formatArg, varArgs) \
+  __attribute__((format(printf, formatArg, varArgs)))
+
+/*
+ * Mutex and thread data types defined by pthreads.
+ */
+typedef pthread_mutex_t mutex;
+typedef pthread_t threadId;
+
+#endif
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/thread.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/thread.c
new file mode 100644
index 00000000000..af0c61f03da
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/thread.c
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "os/thread.h"
+
+#include <pthread.h>
+#include <stdio.h>
+
+/**
+ * Defines a helper function that adapts function pointer provided by caller to
+ * the type required by pthread_create.
+ *
+ * @param toRun thread to run
+ * @return void* result of running thread (always NULL)
+ */
+static void* runThread(void *toRun) {
+  const thread *t = toRun;
+  t->start(t->arg);
+  return NULL;
+}
+
+int threadCreate(thread *t) {
+  int ret;
+  ret = pthread_create(&t->id, NULL, runThread, t);
+  if (ret) {
+    fprintf(stderr, "threadCreate: pthread_create failed with error %d\n", ret);
+  }
+  return ret;
+}
+
+int threadJoin(const thread *t) {
+  int ret = pthread_join(t->id, NULL);
+  if (ret) {
+    fprintf(stderr, "threadJoin: pthread_join failed with error %d\n", ret);
+  }
+  return ret;
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/thread_local_storage.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/thread_local_storage.c
new file mode 100644
index 00000000000..2f70e2cb1d0
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/posix/thread_local_storage.c
@@ -0,0 +1,80 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "os/thread_local_storage.h"
+
+#include <jni.h>
+#include <pthread.h>
+#include <stdio.h>
+
+/** Key that allows us to retrieve thread-local storage */
+static pthread_key_t gTlsKey;
+
+/** nonzero if we succeeded in initializing gTlsKey. Protected by the jvmMutex */
+static int gTlsKeyInitialized = 0;
+
+/**
+ * The function that is called whenever a thread with libhdfs thread local data
+ * is destroyed.
+ *
+ * @param v         The thread-local data
+ */
+static void hdfsThreadDestructor(void *v)
+{
+  JavaVM *vm;
+  JNIEnv *env = v;
+  jint ret;
+
+  ret = (*env)->GetJavaVM(env, &vm);
+  if (ret) {
+    fprintf(stderr, "hdfsThreadDestructor: GetJavaVM failed with error %d\n",
+      ret);
+    (*env)->ExceptionDescribe(env);
+  } else {
+    (*vm)->DetachCurrentThread(vm);
+  }
+}
+
+int threadLocalStorageGet(JNIEnv **env)
+{
+  int ret = 0;
+  if (!gTlsKeyInitialized) {
+    ret = pthread_key_create(&gTlsKey, hdfsThreadDestructor);
+    if (ret) {
+      fprintf(stderr,
+        "threadLocalStorageGet: pthread_key_create failed with error %d\n",
+        ret);
+      return ret;
+    }
+    gTlsKeyInitialized = 1;
+  }
+  *env = pthread_getspecific(gTlsKey);
+  return ret;
+}
+
+int threadLocalStorageSet(JNIEnv *env)
+{
+  int ret = pthread_setspecific(gTlsKey, env);
+  if (ret) {
+    fprintf(stderr,
+      "threadLocalStorageSet: pthread_setspecific failed with error %d\n",
+      ret);
+    hdfsThreadDestructor(env);
+  }
+  return ret;
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/thread.h b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/thread.h
new file mode 100644
index 00000000000..ae425d35641
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/thread.h
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef LIBHDFS_THREAD_H
+#define LIBHDFS_THREAD_H
+
+/*
+ * Defines abstraction over platform-specific threads.
+ */
+
+#include "platform.h"
+
+/** Pointer to function to run in thread. */
+typedef void (*threadProcedure)(void *);
+
+/** Structure containing a thread's ID, starting address and argument. */
+typedef struct {
+  threadId id;
+  threadProcedure start;
+  void *arg;
+} thread;
+
+/**
+ * Creates and immediately starts a new thread.
+ *
+ * @param t thread to create
+ * @return 0 if successful, non-zero otherwise
+ */
+int threadCreate(thread *t);
+
+/**
+ * Joins to the given thread, blocking if necessary.
+ *
+ * @param t thread to join
+ * @return 0 if successful, non-zero otherwise
+ */
+int threadJoin(const thread *t);
+
+#endif
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/thread_local_storage.h b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/thread_local_storage.h
new file mode 100644
index 00000000000..a40d5671b9b
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/thread_local_storage.h
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef LIBHDFS_THREAD_LOCAL_STORAGE_H
+#define LIBHDFS_THREAD_LOCAL_STORAGE_H
+
+/*
+ * Defines abstraction over platform-specific thread-local storage.  libhdfs
+ * currently only needs thread-local storage for a single piece of data: the
+ * thread's JNIEnv.  For simplicity, this interface is defined in terms of
+ * JNIEnv, not general-purpose thread-local storage of any arbitrary data.
+ */
+
+#include <jni.h>
+
+/*
+ * Most operating systems support the more efficient __thread construct, which
+ * is initialized by the linker.  The following macros use this technique on the
+ * operating systems that support it.
+ */
+#ifdef HAVE_BETTER_TLS
+  #define THREAD_LOCAL_STORAGE_GET_QUICK() \
+    static __thread JNIEnv *quickTlsEnv = NULL; \
+    { \
+      if (quickTlsEnv) { \
+        return quickTlsEnv; \
+      } \
+    }
+
+  #define THREAD_LOCAL_STORAGE_SET_QUICK(env) \
+    { \
+      quickTlsEnv = (env); \
+    }
+#else
+  #define THREAD_LOCAL_STORAGE_GET_QUICK()
+  #define THREAD_LOCAL_STORAGE_SET_QUICK(env)
+#endif
+
+/**
+ * Gets the JNIEnv in thread-local storage for the current thread.  If the call
+ * succeeds, and there is a JNIEnv associated with this thread, then returns 0
+ * and populates env.  If the call succeeds, but there is no JNIEnv associated
+ * with this thread, then returns 0 and sets JNIEnv to NULL.  If the call fails,
+ * then returns non-zero.  Only one thread at a time may execute this function.
+ * The caller is responsible for enforcing mutual exclusion.
+ *
+ * @param env JNIEnv out parameter
+ * @return 0 if successful, non-zero otherwise
+ */
+int threadLocalStorageGet(JNIEnv **env);
+
+/**
+ * Sets the JNIEnv in thread-local storage for the current thread.
+ *
+ * @param env JNIEnv to set
+ * @return 0 if successful, non-zero otherwise
+ */
+int threadLocalStorageSet(JNIEnv *env);
+
+#endif
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/inttypes.h b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/inttypes.h
new file mode 100644
index 00000000000..a520d15a247
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/inttypes.h
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef LIBHDFS_INTTYPES_H
+#define LIBHDFS_INTTYPES_H
+
+/* On Windows, inttypes.h does not exist, so manually define what we need. */
+
+#define PRId64 "I64d"
+#define PRIu64 "I64u"
+typedef unsigned __int64 uint64_t;
+
+#endif
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/mutexes.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/mutexes.c
new file mode 100644
index 00000000000..875f03386a8
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/mutexes.c
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "os/mutexes.h"
+
+#include <windows.h>
+
+mutex hdfsHashMutex;
+mutex jvmMutex;
+
+/**
+ * Unfortunately, there is no simple static initializer for a critical section.
+ * Instead, the API requires calling InitializeCriticalSection.  Since libhdfs
+ * lacks an explicit initialization function, there is no obvious existing place
+ * for the InitializeCriticalSection calls.  To work around this, we define an
+ * initialization function and instruct the linker to set a pointer to that
+ * function as a user-defined global initializer.  See discussion of CRT
+ * Initialization:
+ * http://msdn.microsoft.com/en-us/library/bb918180.aspx
+ */
+static void __cdecl initializeMutexes(void) {
+  InitializeCriticalSection(&hdfsHashMutex);
+  InitializeCriticalSection(&jvmMutex);
+}
+#pragma section(".CRT$XCU", read)
+__declspec(allocate(".CRT$XCU"))
+const void (__cdecl *pInitialize)(void) = initializeMutexes;
+
+int mutexLock(mutex *m) {
+  EnterCriticalSection(m);
+  return 0;
+}
+
+int mutexUnlock(mutex *m) {
+  LeaveCriticalSection(m);
+  return 0;
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/platform.h b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/platform.h
new file mode 100644
index 00000000000..9eedfdecdab
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/platform.h
@@ -0,0 +1,86 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef LIBHDFS_PLATFORM_H
+#define LIBHDFS_PLATFORM_H
+
+#include <stdio.h>
+#include <windows.h>
+#include <winsock.h>
+
+/*
+ * O_ACCMODE defined to match Linux definition.
+ */
+#ifndef O_ACCMODE
+#define O_ACCMODE 0x0003
+#endif
+
+/*
+ * Windows has a different name for its maximum path length constant.
+ */
+#ifndef PATH_MAX
+#define PATH_MAX MAX_PATH
+#endif
+
+/*
+ * Windows does not define EDQUOT and ESTALE in errno.h.  The closest equivalents
+ * are these constants from winsock.h.
+ */
+#ifndef EDQUOT
+#define EDQUOT WSAEDQUOT
+#endif
+
+#ifndef ESTALE
+#define ESTALE WSAESTALE
+#endif
+
+/*
+ * gcc-style type-checked format arguments are not supported on Windows, so just
+ * stub this macro.
+ */
+#define TYPE_CHECKED_PRINTF_FORMAT(formatArg, varArgs)
+
+/*
+ * Define macros for various string formatting functions not defined on Windows.
+ * Where possible, we reroute to one of the secure CRT variants.  On Windows,
+ * the preprocessor does support variadic macros, even though they weren't
+ * defined until C99.
+ */
+#define snprintf(str, size, format, ...) \
+  _snprintf_s((str), (size), _TRUNCATE, (format), __VA_ARGS__)
+#define strncpy(dest, src, n) \
+  strncpy_s((dest), (n), (src), _TRUNCATE)
+#define strtok_r(str, delim, saveptr) \
+  strtok_s((str), (delim), (saveptr))
+#define vsnprintf(str, size, format, ...) \
+  vsnprintf_s((str), (size), _TRUNCATE, (format), __VA_ARGS__)
+
+/*
+ * Mutex data type defined as Windows CRITICAL_SECTION.   A critical section (not
+ * Windows mutex) is used, because libhdfs only needs synchronization of multiple
+ * threads within a single process, not synchronization across process
+ * boundaries.
+ */
+typedef CRITICAL_SECTION mutex;
+
+/*
+ * Thread data type defined as HANDLE to a Windows thread.
+ */
+typedef HANDLE threadId;
+
+#endif
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/thread.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/thread.c
new file mode 100644
index 00000000000..90450d84731
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/thread.c
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "os/thread.h"
+
+#include <stdio.h>
+#include <windows.h>
+
+/**
+ * Defines a helper function that adapts function pointer provided by caller to
+ * the type required by CreateThread.
+ *
+ * @param toRun thread to run
+ * @return DWORD result of running thread (always 0)
+ */
+static DWORD runThread(LPVOID toRun) {
+  const thread *t = toRun;
+  t->start(t->arg);
+  return 0;
+}
+
+int threadCreate(thread *t) {
+  DWORD ret = 0;
+  HANDLE h;
+  h = CreateThread(NULL, 0, runThread, t, 0, NULL);
+  if (h) {
+    t->id = h;
+  } else {
+    ret = GetLastError();
+    fprintf(stderr, "threadCreate: CreateThread failed with error %d\n", ret);
+  }
+  return ret;
+}
+
+int threadJoin(const thread *t) {
+  DWORD ret = WaitForSingleObject(t->id, INFINITE);
+  switch (ret) {
+  case WAIT_OBJECT_0:
+    break;
+  case WAIT_FAILED:
+    ret = GetLastError();
+    fprintf(stderr, "threadJoin: WaitForSingleObject failed with error %d\n",
+      ret);
+    break;
+  default:
+    fprintf(stderr, "threadJoin: WaitForSingleObject unexpected error %d\n",
+      ret);
+    break;
+  }
+  return ret;
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/thread_local_storage.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/thread_local_storage.c
new file mode 100644
index 00000000000..70ad1524071
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/thread_local_storage.c
@@ -0,0 +1,164 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "os/thread_local_storage.h"
+
+#include <jni.h>
+#include <stdio.h>
+#include <windows.h>
+
+/** Key that allows us to retrieve thread-local storage */
+static DWORD gTlsIndex = TLS_OUT_OF_INDEXES;
+
+/**
+ * If the current thread has a JNIEnv in thread-local storage, then detaches the
+ * current thread from the JVM.
+ */
+static void detachCurrentThreadFromJvm()
+{
+  JNIEnv *env = NULL;
+  JavaVM *vm;
+  jint ret;
+  if (threadLocalStorageGet(&env) || !env) {
+    return;
+  }
+  ret = (*env)->GetJavaVM(env, &vm);
+  if (ret) {
+    fprintf(stderr,
+      "detachCurrentThreadFromJvm: GetJavaVM failed with error %d\n",
+      ret);
+    (*env)->ExceptionDescribe(env);
+  } else {
+    (*vm)->DetachCurrentThread(vm);
+  }
+}
+
+/**
+ * Unlike pthreads, the Windows API does not seem to provide a convenient way to
+ * hook a callback onto thread shutdown.  However, the Windows portable
+ * executable format does define a concept of thread-local storage callbacks.
+ * Here, we define a function and instruct the linker to set a pointer to that
+ * function in the segment for thread-local storage callbacks.  See page 85 of
+ * Microsoft Portable Executable and Common Object File Format Specification:
+ * http://msdn.microsoft.com/en-us/gg463119.aspx
+ * This technique only works for implicit linking (OS loads DLL on demand), not
+ * for explicit linking (user code calls LoadLibrary directly).  This effectively
+ * means that we have a known limitation: libhdfs may not work correctly if a
+ * Windows application attempts to use it via explicit linking.
+ *
+ * @param h module handle
+ * @param reason the reason for calling the callback
+ * @param pv reserved, unused
+ */
+static void NTAPI tlsCallback(PVOID h, DWORD reason, PVOID pv)
+{
+  DWORD tlsIndex;
+  switch (reason) {
+  case DLL_THREAD_DETACH:
+    detachCurrentThreadFromJvm();
+    break;
+  case DLL_PROCESS_DETACH:
+    detachCurrentThreadFromJvm();
+    tlsIndex = gTlsIndex;
+    gTlsIndex = TLS_OUT_OF_INDEXES;
+    if (!TlsFree(tlsIndex)) {
+      fprintf(stderr, "tlsCallback: TlsFree failed with error %d\n",
+        GetLastError());
+    }
+    break;
+  default:
+    break;
+  }
+}
+
+/*
+ * A variable named _tls_used contains the TLS directory, which contains a list
+ * of pointers to callback functions.  Normally, the linker won't retain this
+ * variable unless the executable has implicit thread-local variables, defined
+ * using the __declspec(thread) extended storage-class modifier.  libhdfs
+ * doesn't use __declspec(thread), and we have no guarantee that the executable
+ * linked to libhdfs will use __declspec(thread).  By forcing the linker to
+ * reference _tls_used, we guarantee that the binary retains the TLS directory.
+ * See Microsoft Visual Studio 10.0/VC/crt/src/tlssup.c .
+ */
+#pragma comment(linker, "/INCLUDE:_tls_used")
+
+/*
+ * We must retain a pointer to the callback function.  Force the linker to keep
+ * this symbol, even though it appears that nothing in our source code uses it.
+ */
+#pragma comment(linker, "/INCLUDE:pTlsCallback")
+
+/*
+ * Define constant pointer to our callback, and tell the linker to pin it into
+ * the TLS directory so that it receives thread callbacks.  Use external linkage
+ * to protect against the linker discarding the seemingly unused symbol.
+ */
+#pragma const_seg(".CRT$XLB")
+extern const PIMAGE_TLS_CALLBACK pTlsCallback;
+const PIMAGE_TLS_CALLBACK pTlsCallback = tlsCallback;
+#pragma const_seg()
+
+int threadLocalStorageGet(JNIEnv **env)
+{
+  LPVOID tls;
+  DWORD ret;
+  if (TLS_OUT_OF_INDEXES == gTlsIndex) {
+    gTlsIndex = TlsAlloc();
+    if (TLS_OUT_OF_INDEXES == gTlsIndex) {
+      fprintf(stderr,
+        "threadLocalStorageGet: TlsAlloc failed with error %d\n",
+        TLS_OUT_OF_INDEXES);
+      return TLS_OUT_OF_INDEXES;
+    }
+  }
+  tls = TlsGetValue(gTlsIndex);
+  if (tls) {
+    *env = tls;
+    return 0;
+  } else {
+    ret = GetLastError();
+    if (ERROR_SUCCESS == ret) {
+      /* Thread-local storage contains NULL, because we haven't set it yet. */
+      *env = NULL;
+      return 0;
+    } else {
+      /*
+       * The API call failed.  According to documentation, TlsGetValue cannot
+       * fail as long as the index is a valid index from a successful TlsAlloc
+       * call.  This error handling is purely defensive.
+       */
+      fprintf(stderr,
+        "threadLocalStorageGet: TlsGetValue failed with error %d\n", ret);
+      return ret;
+    }
+  }
+}
+
+int threadLocalStorageSet(JNIEnv *env)
+{
+  DWORD ret = 0;
+  if (!TlsSetValue(gTlsIndex, (LPVOID)env)) {
+    ret = GetLastError();
+    fprintf(stderr,
+      "threadLocalStorageSet: TlsSetValue failed with error %d\n",
+      ret);
+    detachCurrentThreadFromJvm(env);
+  }
+  return ret;
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/unistd.h b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/unistd.h
new file mode 100644
index 00000000000..b82ce48968d
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/os/windows/unistd.h
@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef LIBHDFS_UNISTD_H
+#define LIBHDFS_UNISTD_H
+
+/* On Windows, unistd.h does not exist, so manually define what we need. */
+
+#include <process.h> /* Declares getpid(). */
+#include <windows.h>
+
+/* Re-route sleep to Sleep, converting units from seconds to milliseconds. */
+#define sleep(seconds) Sleep((seconds) * 1000)
+#endif
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_ops.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_ops.c
index c2a0cbd218f..a6e1a13abbe 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_ops.c
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_ops.c
@@ -18,6 +18,7 @@
 
 #include "hdfs.h" 
 #include "hdfs_test.h" 
+#include "platform.h"
 
 #include <inttypes.h>
 #include <jni.h>
@@ -28,12 +29,13 @@
 #include <unistd.h>
 
 void permission_disp(short permissions, char *rtr) {
-  rtr[9] = '\0';
   int i;
+  short permissionsId;
+  char* perm;
+  rtr[9] = '\0';
   for(i=2;i>=0;i--)
     {
-      short permissionsId = permissions >> (i * 3) & (short)7;
-      char* perm;
+      permissionsId = permissions >> (i * 3) & (short)7;
       switch(permissionsId) {
       case 7:
         perm = "rwx"; break;
@@ -60,35 +62,56 @@ void permission_disp(short permissions, char *rtr) {
 } 
 
 int main(int argc, char **argv) {
-    char buffer[32];
-    tSize num_written_bytes;
+    const char *writePath = "/tmp/testfile.txt";
+    const char *fileContents = "Hello, World!";
+    const char *readPath = "/tmp/testfile.txt";
+    const char *srcPath = "/tmp/testfile.txt";
+    const char *dstPath = "/tmp/testfile2.txt";
+    const char *slashTmp = "/tmp";
+    const char *newDirectory = "/tmp/newdir";
+    const char *newOwner = "root";
+    const char *tuser = "nobody";
+    const char *appendPath = "/tmp/appends";
+    const char *userPath = "/tmp/usertestfile.txt";
 
-    hdfsFS fs = hdfsConnectNewInstance("default", 0);
+    char buffer[32], buffer2[256], rdbuffer[32];
+    tSize num_written_bytes, num_read_bytes;
+    hdfsFS fs, lfs;
+    hdfsFile writeFile, readFile, localFile, appendFile, userFile;
+    tOffset currentPos, seekPos;
+    int exists, totalResult, result, numEntries, i, j;
+    const char *resp;
+    hdfsFileInfo *fileInfo, *fileList, *finfo;
+    char *buffer3;
+    char permissions[10];
+    char ***hosts;
+    short newPerm = 0666;
+    tTime newMtime, newAtime;
+
+    fs = hdfsConnectNewInstance("default", 0);
     if(!fs) {
         fprintf(stderr, "Oops! Failed to connect to hdfs!\n");
         exit(-1);
     } 
  
-    hdfsFS lfs = hdfsConnectNewInstance(NULL, 0);
+    lfs = hdfsConnectNewInstance(NULL, 0);
     if(!lfs) {
         fprintf(stderr, "Oops! Failed to connect to 'local' hdfs!\n");
         exit(-1);
     } 
 
-    const char* writePath = "/tmp/testfile.txt";
-    const char* fileContents = "Hello, World!";
-
     {
         //Write tests
         
-        hdfsFile writeFile = hdfsOpenFile(fs, writePath, O_WRONLY|O_CREAT, 0, 0, 0);
+        writeFile = hdfsOpenFile(fs, writePath, O_WRONLY|O_CREAT, 0, 0, 0);
         if(!writeFile) {
             fprintf(stderr, "Failed to open %s for writing!\n", writePath);
             exit(-1);
         }
         fprintf(stderr, "Opened %s for writing successfully...\n", writePath);
         num_written_bytes =
-          hdfsWrite(fs, writeFile, (void*)fileContents, strlen(fileContents)+1);
+          hdfsWrite(fs, writeFile, (void*)fileContents,
+            (tSize)(strlen(fileContents)+1));
         if (num_written_bytes != strlen(fileContents) + 1) {
           fprintf(stderr, "Failed to write correct number of bytes - expected %d, got %d\n",
                   (int)(strlen(fileContents) + 1), (int)num_written_bytes);
@@ -96,7 +119,7 @@ int main(int argc, char **argv) {
         }
         fprintf(stderr, "Wrote %d bytes\n", num_written_bytes);
 
-        tOffset currentPos = -1;
+        currentPos = -1;
         if ((currentPos = hdfsTell(fs, writeFile)) == -1) {
             fprintf(stderr, 
                     "Failed to get current file position correctly! Got %ld!\n",
@@ -123,15 +146,14 @@ int main(int argc, char **argv) {
     {
         //Read tests
         
-        const char* readPath = "/tmp/testfile.txt";
-        int exists = hdfsExists(fs, readPath);
+        exists = hdfsExists(fs, readPath);
 
         if (exists) {
           fprintf(stderr, "Failed to validate existence of %s\n", readPath);
           exit(-1);
         }
 
-        hdfsFile readFile = hdfsOpenFile(fs, readPath, O_RDONLY, 0, 0, 0);
+        readFile = hdfsOpenFile(fs, readPath, O_RDONLY, 0, 0, 0);
         if (!readFile) {
             fprintf(stderr, "Failed to open %s for reading!\n", readPath);
             exit(-1);
@@ -146,13 +168,13 @@ int main(int argc, char **argv) {
 
         fprintf(stderr, "hdfsAvailable: %d\n", hdfsAvailable(fs, readFile));
 
-        tOffset seekPos = 1;
+        seekPos = 1;
         if(hdfsSeek(fs, readFile, seekPos)) {
             fprintf(stderr, "Failed to seek %s for reading!\n", readPath);
             exit(-1);
         }
 
-        tOffset currentPos = -1;
+        currentPos = -1;
         if((currentPos = hdfsTell(fs, readFile)) != seekPos) {
             fprintf(stderr, 
                     "Failed to get current file position correctly! Got %ld!\n", 
@@ -175,7 +197,7 @@ int main(int argc, char **argv) {
             exit(-1);
         }
         memset(buffer, 0, sizeof(buffer));
-        tSize num_read_bytes = hdfsRead(fs, readFile, (void*)buffer,
+        num_read_bytes = hdfsRead(fs, readFile, (void*)buffer,
                 sizeof(buffer));
         if (strncmp(fileContents, buffer, strlen(fileContents)) != 0) {
             fprintf(stderr, "Failed to read (direct). Expected %s but got %s (%d bytes)\n",
@@ -208,14 +230,14 @@ int main(int argc, char **argv) {
         hdfsCloseFile(fs, readFile);
 
         // Test correct behaviour for unsupported filesystems
-        hdfsFile localFile = hdfsOpenFile(lfs, writePath, O_WRONLY|O_CREAT, 0, 0, 0);
+        localFile = hdfsOpenFile(lfs, writePath, O_WRONLY|O_CREAT, 0, 0, 0);
         if(!localFile) {
             fprintf(stderr, "Failed to open %s for writing!\n", writePath);
             exit(-1);
         }
 
         num_written_bytes = hdfsWrite(lfs, localFile, (void*)fileContents,
-                                      strlen(fileContents) + 1);
+                                      (tSize)(strlen(fileContents) + 1));
 
         hdfsCloseFile(lfs, localFile);
         localFile = hdfsOpenFile(lfs, writePath, O_RDONLY, 0, 0, 0);
@@ -229,50 +251,43 @@ int main(int argc, char **argv) {
         hdfsCloseFile(lfs, localFile);
     }
 
-    int totalResult = 0;
-    int result = 0;
+    totalResult = 0;
+    result = 0;
     {
         //Generic file-system operations
 
-        const char* srcPath = "/tmp/testfile.txt";
-        const char* dstPath = "/tmp/testfile2.txt";
-
-        fprintf(stderr, "hdfsCopy(remote-local): %s\n", ((result = hdfsCopy(fs, srcPath, lfs, srcPath)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsCopy(remote-local): %s\n", ((result = hdfsCopy(fs, srcPath, lfs, srcPath)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
-        fprintf(stderr, "hdfsCopy(remote-remote): %s\n", ((result = hdfsCopy(fs, srcPath, fs, dstPath)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsCopy(remote-remote): %s\n", ((result = hdfsCopy(fs, srcPath, fs, dstPath)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
-        fprintf(stderr, "hdfsMove(local-local): %s\n", ((result = hdfsMove(lfs, srcPath, lfs, dstPath)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsMove(local-local): %s\n", ((result = hdfsMove(lfs, srcPath, lfs, dstPath)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
-        fprintf(stderr, "hdfsMove(remote-local): %s\n", ((result = hdfsMove(fs, srcPath, lfs, srcPath)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsMove(remote-local): %s\n", ((result = hdfsMove(fs, srcPath, lfs, srcPath)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
 
-        fprintf(stderr, "hdfsRename: %s\n", ((result = hdfsRename(fs, dstPath, srcPath)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsRename: %s\n", ((result = hdfsRename(fs, dstPath, srcPath)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
-        fprintf(stderr, "hdfsCopy(remote-remote): %s\n", ((result = hdfsCopy(fs, srcPath, fs, dstPath)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsCopy(remote-remote): %s\n", ((result = hdfsCopy(fs, srcPath, fs, dstPath)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
 
-        const char* slashTmp = "/tmp";
-        const char* newDirectory = "/tmp/newdir";
-        fprintf(stderr, "hdfsCreateDirectory: %s\n", ((result = hdfsCreateDirectory(fs, newDirectory)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsCreateDirectory: %s\n", ((result = hdfsCreateDirectory(fs, newDirectory)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
 
-        fprintf(stderr, "hdfsSetReplication: %s\n", ((result = hdfsSetReplication(fs, srcPath, 2)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsSetReplication: %s\n", ((result = hdfsSetReplication(fs, srcPath, 2)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
 
-        char buffer[256];
-        const char *resp;
-        fprintf(stderr, "hdfsGetWorkingDirectory: %s\n", ((resp = hdfsGetWorkingDirectory(fs, buffer, sizeof(buffer))) ? buffer : "Failed!"));
+        fprintf(stderr, "hdfsGetWorkingDirectory: %s\n", ((resp = hdfsGetWorkingDirectory(fs, buffer2, sizeof(buffer2))) != 0 ? buffer2 : "Failed!"));
         totalResult += (resp ? 0 : 1);
-        fprintf(stderr, "hdfsSetWorkingDirectory: %s\n", ((result = hdfsSetWorkingDirectory(fs, slashTmp)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsSetWorkingDirectory: %s\n", ((result = hdfsSetWorkingDirectory(fs, slashTmp)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
-        fprintf(stderr, "hdfsGetWorkingDirectory: %s\n", ((resp = hdfsGetWorkingDirectory(fs, buffer, sizeof(buffer))) ? buffer : "Failed!"));
+        fprintf(stderr, "hdfsGetWorkingDirectory: %s\n", ((resp = hdfsGetWorkingDirectory(fs, buffer2, sizeof(buffer2))) != 0 ? buffer2 : "Failed!"));
         totalResult += (resp ? 0 : 1);
 
         fprintf(stderr, "hdfsGetDefaultBlockSize: %ld\n", hdfsGetDefaultBlockSize(fs));
         fprintf(stderr, "hdfsGetCapacity: %ld\n", hdfsGetCapacity(fs));
         fprintf(stderr, "hdfsGetUsed: %ld\n", hdfsGetUsed(fs));
 
-        hdfsFileInfo *fileInfo = NULL;
+        fileInfo = NULL;
         if((fileInfo = hdfsGetPathInfo(fs, slashTmp)) != NULL) {
             fprintf(stderr, "hdfsGetPathInfo - SUCCESS!\n");
             fprintf(stderr, "Name: %s, ", fileInfo->mName);
@@ -283,7 +298,6 @@ int main(int argc, char **argv) {
             fprintf(stderr, "LastMod: %s", ctime(&fileInfo->mLastMod)); 
             fprintf(stderr, "Owner: %s, ", fileInfo->mOwner);
             fprintf(stderr, "Group: %s, ", fileInfo->mGroup);
-            char permissions[10];
             permission_disp(fileInfo->mPermissions, permissions);
             fprintf(stderr, "Permissions: %d (%s)\n", fileInfo->mPermissions, permissions);
             hdfsFreeFileInfo(fileInfo, 1);
@@ -292,10 +306,8 @@ int main(int argc, char **argv) {
             fprintf(stderr, "waah! hdfsGetPathInfo for %s - FAILED!\n", slashTmp);
         }
 
-        hdfsFileInfo *fileList = 0;
-        int numEntries = 0;
+        fileList = 0;
         if((fileList = hdfsListDirectory(fs, slashTmp, &numEntries)) != NULL) {
-            int i = 0;
             for(i=0; i < numEntries; ++i) {
                 fprintf(stderr, "Name: %s, ", fileList[i].mName);
                 fprintf(stderr, "Type: %c, ", (char)fileList[i].mKind);
@@ -305,7 +317,6 @@ int main(int argc, char **argv) {
                 fprintf(stderr, "LastMod: %s", ctime(&fileList[i].mLastMod));
                 fprintf(stderr, "Owner: %s, ", fileList[i].mOwner);
                 fprintf(stderr, "Group: %s, ", fileList[i].mGroup);
-                char permissions[10];
                 permission_disp(fileList[i].mPermissions, permissions);
                 fprintf(stderr, "Permissions: %d (%s)\n", fileList[i].mPermissions, permissions);
             }
@@ -319,12 +330,12 @@ int main(int argc, char **argv) {
             }
         }
 
-        char*** hosts = hdfsGetHosts(fs, srcPath, 0, 1);
+        hosts = hdfsGetHosts(fs, srcPath, 0, 1);
         if(hosts) {
             fprintf(stderr, "hdfsGetHosts - SUCCESS! ... \n");
-            int i=0; 
+            i=0; 
             while(hosts[i]) {
-                int j = 0;
+                j = 0;
                 while(hosts[i][j]) {
                     fprintf(stderr, 
                             "\thosts[%d][%d] - %s\n", i, j, hosts[i][j]);
@@ -337,131 +348,129 @@ int main(int argc, char **argv) {
             fprintf(stderr, "waah! hdfsGetHosts - FAILED!\n");
         }
        
-        char *newOwner = "root";
         // setting tmp dir to 777 so later when connectAsUser nobody, we can write to it
-        short newPerm = 0666;
 
         // chown write
-        fprintf(stderr, "hdfsChown: %s\n", ((result = hdfsChown(fs, writePath, NULL, "users")) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsChown: %s\n", ((result = hdfsChown(fs, writePath, NULL, "users")) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
-        fprintf(stderr, "hdfsChown: %s\n", ((result = hdfsChown(fs, writePath, newOwner, NULL)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsChown: %s\n", ((result = hdfsChown(fs, writePath, newOwner, NULL)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
         // chmod write
-        fprintf(stderr, "hdfsChmod: %s\n", ((result = hdfsChmod(fs, writePath, newPerm)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsChmod: %s\n", ((result = hdfsChmod(fs, writePath, newPerm)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
 
 
 
         sleep(2);
-        tTime newMtime = time(NULL);
-        tTime newAtime = time(NULL);
+        newMtime = time(NULL);
+        newAtime = time(NULL);
 
         // utime write
-        fprintf(stderr, "hdfsUtime: %s\n", ((result = hdfsUtime(fs, writePath, newMtime, newAtime)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsUtime: %s\n", ((result = hdfsUtime(fs, writePath, newMtime, newAtime)) != 0 ? "Failed!" : "Success!"));
 
         totalResult += result;
 
         // chown/chmod/utime read
-        hdfsFileInfo *finfo = hdfsGetPathInfo(fs, writePath);
+        finfo = hdfsGetPathInfo(fs, writePath);
 
-        fprintf(stderr, "hdfsChown read: %s\n", ((result = (strcmp(finfo->mOwner, newOwner) != 0)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsChown read: %s\n", ((result = (strcmp(finfo->mOwner, newOwner))) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
 
-        fprintf(stderr, "hdfsChmod read: %s\n", ((result = (finfo->mPermissions != newPerm)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsChmod read: %s\n", ((result = (finfo->mPermissions != newPerm)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
 
         // will later use /tmp/ as a different user so enable it
-        fprintf(stderr, "hdfsChmod: %s\n", ((result = hdfsChmod(fs, "/tmp/", 0777)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsChmod: %s\n", ((result = hdfsChmod(fs, "/tmp/", 0777)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
 
         fprintf(stderr,"newMTime=%ld\n",newMtime);
         fprintf(stderr,"curMTime=%ld\n",finfo->mLastMod);
 
 
-        fprintf(stderr, "hdfsUtime read (mtime): %s\n", ((result = (finfo->mLastMod != newMtime)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsUtime read (mtime): %s\n", ((result = (finfo->mLastMod != newMtime)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
 
         // No easy way to turn on access times from hdfs_test right now
-        //        fprintf(stderr, "hdfsUtime read (atime): %s\n", ((result = (finfo->mLastAccess != newAtime)) ? "Failed!" : "Success!"));
+        //        fprintf(stderr, "hdfsUtime read (atime): %s\n", ((result = (finfo->mLastAccess != newAtime)) != 0 ? "Failed!" : "Success!"));
         //        totalResult += result;
 
         hdfsFreeFileInfo(finfo, 1);
 
         // Clean up
-        fprintf(stderr, "hdfsDelete: %s\n", ((result = hdfsDelete(fs, newDirectory, 1)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsDelete: %s\n", ((result = hdfsDelete(fs, newDirectory, 1)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
-        fprintf(stderr, "hdfsDelete: %s\n", ((result = hdfsDelete(fs, srcPath, 1)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsDelete: %s\n", ((result = hdfsDelete(fs, srcPath, 1)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
-        fprintf(stderr, "hdfsDelete: %s\n", ((result = hdfsDelete(lfs, srcPath, 1)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsDelete: %s\n", ((result = hdfsDelete(lfs, srcPath, 1)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
-        fprintf(stderr, "hdfsDelete: %s\n", ((result = hdfsDelete(lfs, dstPath, 1)) ? "Failed!" : "Success!"));
+        fprintf(stderr, "hdfsDelete: %s\n", ((result = hdfsDelete(lfs, dstPath, 1)) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
-        fprintf(stderr, "hdfsExists: %s\n", ((result = hdfsExists(fs, newDirectory)) ? "Success!" : "Failed!"));
+        fprintf(stderr, "hdfsExists: %s\n", ((result = hdfsExists(fs, newDirectory)) != 0 ? "Success!" : "Failed!"));
         totalResult += (result ? 0 : 1);
     }
 
     {
       // TEST APPENDS
-      const char *writePath = "/tmp/appends";
 
       // CREATE
-      hdfsFile writeFile = hdfsOpenFile(fs, writePath, O_WRONLY, 0, 0, 0);
-      if(!writeFile) {
-        fprintf(stderr, "Failed to open %s for writing!\n", writePath);
+      appendFile = hdfsOpenFile(fs, appendPath, O_WRONLY, 0, 0, 0);
+      if(!appendFile) {
+        fprintf(stderr, "Failed to open %s for writing!\n", appendPath);
         exit(-1);
       }
-      fprintf(stderr, "Opened %s for writing successfully...\n", writePath);
+      fprintf(stderr, "Opened %s for writing successfully...\n", appendPath);
 
-      char* buffer = "Hello,";
-      tSize num_written_bytes = hdfsWrite(fs, writeFile, (void*)buffer, strlen(buffer));
+      buffer3 = "Hello,";
+      num_written_bytes = hdfsWrite(fs, appendFile, (void*)buffer3,
+        (tSize)strlen(buffer3));
       fprintf(stderr, "Wrote %d bytes\n", num_written_bytes);
 
-      if (hdfsFlush(fs, writeFile)) {
-        fprintf(stderr, "Failed to 'flush' %s\n", writePath); 
+      if (hdfsFlush(fs, appendFile)) {
+        fprintf(stderr, "Failed to 'flush' %s\n", appendPath); 
         exit(-1);
         }
-      fprintf(stderr, "Flushed %s successfully!\n", writePath); 
+      fprintf(stderr, "Flushed %s successfully!\n", appendPath); 
 
-      hdfsCloseFile(fs, writeFile);
+      hdfsCloseFile(fs, appendFile);
 
       // RE-OPEN
-      writeFile = hdfsOpenFile(fs, writePath, O_WRONLY|O_APPEND, 0, 0, 0);
-      if(!writeFile) {
-        fprintf(stderr, "Failed to open %s for writing!\n", writePath);
+      appendFile = hdfsOpenFile(fs, appendPath, O_WRONLY|O_APPEND, 0, 0, 0);
+      if(!appendFile) {
+        fprintf(stderr, "Failed to open %s for writing!\n", appendPath);
         exit(-1);
       }
-      fprintf(stderr, "Opened %s for writing successfully...\n", writePath);
+      fprintf(stderr, "Opened %s for writing successfully...\n", appendPath);
 
-      buffer = " World";
-      num_written_bytes = hdfsWrite(fs, writeFile, (void*)buffer, strlen(buffer) + 1);
+      buffer3 = " World";
+      num_written_bytes = hdfsWrite(fs, appendFile, (void*)buffer3,
+        (tSize)(strlen(buffer3) + 1));
       fprintf(stderr, "Wrote %d bytes\n", num_written_bytes);
 
-      if (hdfsFlush(fs, writeFile)) {
-        fprintf(stderr, "Failed to 'flush' %s\n", writePath); 
+      if (hdfsFlush(fs, appendFile)) {
+        fprintf(stderr, "Failed to 'flush' %s\n", appendPath); 
         exit(-1);
       }
-      fprintf(stderr, "Flushed %s successfully!\n", writePath); 
+      fprintf(stderr, "Flushed %s successfully!\n", appendPath); 
 
-      hdfsCloseFile(fs, writeFile);
+      hdfsCloseFile(fs, appendFile);
 
       // CHECK size
-      hdfsFileInfo *finfo = hdfsGetPathInfo(fs, writePath);
-      fprintf(stderr, "fileinfo->mSize: == total %s\n", ((result = (finfo->mSize == strlen("Hello, World") + 1)) ? "Success!" : "Failed!"));
+      finfo = hdfsGetPathInfo(fs, appendPath);
+      fprintf(stderr, "fileinfo->mSize: == total %s\n", ((result = (finfo->mSize == (tOffset)(strlen("Hello, World") + 1))) == 1 ? "Success!" : "Failed!"));
       totalResult += (result ? 0 : 1);
 
       // READ and check data
-      hdfsFile readFile = hdfsOpenFile(fs, writePath, O_RDONLY, 0, 0, 0);
+      readFile = hdfsOpenFile(fs, appendPath, O_RDONLY, 0, 0, 0);
       if (!readFile) {
-        fprintf(stderr, "Failed to open %s for reading!\n", writePath);
+        fprintf(stderr, "Failed to open %s for reading!\n", appendPath);
         exit(-1);
       }
 
-      char rdbuffer[32];
-      tSize num_read_bytes = hdfsRead(fs, readFile, (void*)rdbuffer, sizeof(rdbuffer));
+      num_read_bytes = hdfsRead(fs, readFile, (void*)rdbuffer, sizeof(rdbuffer));
       fprintf(stderr, "Read following %d bytes:\n%s\n", 
               num_read_bytes, rdbuffer);
 
-      fprintf(stderr, "read == Hello, World %s\n", (result = (strcmp(rdbuffer, "Hello, World") == 0)) ? "Success!" : "Failed!");
+      fprintf(stderr, "read == Hello, World %s\n", ((result = (strcmp(rdbuffer, "Hello, World"))) == 0 ? "Success!" : "Failed!"));
 
       hdfsCloseFile(fs, readFile);
 
@@ -478,36 +487,33 @@ int main(int argc, char **argv) {
       // the actual fs user capabilities. Thus just create a file and read
       // the owner is correct.
 
-      const char *tuser = "nobody";
-      const char* writePath = "/tmp/usertestfile.txt";
-
       fs = hdfsConnectAsUserNewInstance("default", 0, tuser);
       if(!fs) {
         fprintf(stderr, "Oops! Failed to connect to hdfs as user %s!\n",tuser);
         exit(-1);
       } 
 
-        hdfsFile writeFile = hdfsOpenFile(fs, writePath, O_WRONLY|O_CREAT, 0, 0, 0);
-        if(!writeFile) {
-            fprintf(stderr, "Failed to open %s for writing!\n", writePath);
+        userFile = hdfsOpenFile(fs, userPath, O_WRONLY|O_CREAT, 0, 0, 0);
+        if(!userFile) {
+            fprintf(stderr, "Failed to open %s for writing!\n", userPath);
             exit(-1);
         }
-        fprintf(stderr, "Opened %s for writing successfully...\n", writePath);
+        fprintf(stderr, "Opened %s for writing successfully...\n", userPath);
 
-        char* buffer = "Hello, World!";
-        tSize num_written_bytes = hdfsWrite(fs, writeFile, (void*)buffer, strlen(buffer)+1);
+        num_written_bytes = hdfsWrite(fs, userFile, (void*)fileContents,
+          (tSize)(strlen(fileContents)+1));
         fprintf(stderr, "Wrote %d bytes\n", num_written_bytes);
 
-        if (hdfsFlush(fs, writeFile)) {
-            fprintf(stderr, "Failed to 'flush' %s\n", writePath); 
+        if (hdfsFlush(fs, userFile)) {
+            fprintf(stderr, "Failed to 'flush' %s\n", userPath); 
             exit(-1);
         }
-        fprintf(stderr, "Flushed %s successfully!\n", writePath); 
+        fprintf(stderr, "Flushed %s successfully!\n", userPath); 
 
-        hdfsCloseFile(fs, writeFile);
+        hdfsCloseFile(fs, userFile);
 
-        hdfsFileInfo *finfo = hdfsGetPathInfo(fs, writePath);
-        fprintf(stderr, "hdfs new file user is correct: %s\n", ((result = (strcmp(finfo->mOwner, tuser) != 0)) ? "Failed!" : "Success!"));
+        finfo = hdfsGetPathInfo(fs, userPath);
+        fprintf(stderr, "hdfs new file user is correct: %s\n", ((result = (strcmp(finfo->mOwner, tuser))) != 0 ? "Failed!" : "Success!"));
         totalResult += result;
     }
     
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_read.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_read.c
index 464a4d142ff..6e44741c3bf 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_read.c
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_read.c
@@ -22,35 +22,38 @@
 #include <stdlib.h>
 
 int main(int argc, char **argv) {
+    hdfsFS fs;
+    const char *rfile = argv[1];
+    tSize bufferSize = strtoul(argv[3], NULL, 10);
+    hdfsFile readFile;
+    char* buffer;
+    tSize curSize;
 
     if (argc != 4) {
         fprintf(stderr, "Usage: hdfs_read <filename> <filesize> <buffersize>\n");
         exit(-1);
     }
     
-    hdfsFS fs = hdfsConnect("default", 0);
+    fs = hdfsConnect("default", 0);
     if (!fs) {
         fprintf(stderr, "Oops! Failed to connect to hdfs!\n");
         exit(-1);
     } 
- 
-    const char* rfile = argv[1];
-    tSize bufferSize = strtoul(argv[3], NULL, 10);
-   
-    hdfsFile readFile = hdfsOpenFile(fs, rfile, O_RDONLY, bufferSize, 0, 0);
+
+    readFile = hdfsOpenFile(fs, rfile, O_RDONLY, bufferSize, 0, 0);
     if (!readFile) {
         fprintf(stderr, "Failed to open %s for writing!\n", rfile);
         exit(-2);
     }
 
     // data to be written to the file
-    char* buffer = malloc(sizeof(char) * bufferSize);
+    buffer = malloc(sizeof(char) * bufferSize);
     if(buffer == NULL) {
         return -2;
     }
     
     // read from the file
-    tSize curSize = bufferSize;
+    curSize = bufferSize;
     for (; curSize == bufferSize;) {
         curSize = hdfsRead(fs, readFile, (void*)buffer, curSize);
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_write.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_write.c
index b0f320c525a..42b3df75f6d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_write.c
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_write.c
@@ -21,23 +21,31 @@
 #include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <sys/types.h>
 
 int main(int argc, char **argv) {
+    hdfsFS fs;
+    const char *writeFileName = argv[1];
+    off_t fileTotalSize = strtoul(argv[2], NULL, 10);
+    long long tmpBufferSize = strtoul(argv[3], NULL, 10);
+    tSize bufferSize;
+    hdfsFile writeFile;
+    char* buffer;
+    int i;
+    off_t nrRemaining;
+    tSize curSize;
+    tSize written;
 
     if (argc != 4) {
         fprintf(stderr, "Usage: hdfs_write <filename> <filesize> <buffersize>\n");
         exit(-1);
     }
     
-    hdfsFS fs = hdfsConnect("default", 0);
+    fs = hdfsConnect("default", 0);
     if (!fs) {
         fprintf(stderr, "Oops! Failed to connect to hdfs!\n");
         exit(-1);
     } 
- 
-    const char* writeFileName = argv[1];
-    off_t fileTotalSize = strtoul(argv[2], NULL, 10);
-    long long tmpBufferSize = strtoul(argv[3], NULL, 10);
 
     // sanity check
     if(fileTotalSize == ULONG_MAX && errno == ERANGE) {
@@ -51,30 +59,27 @@ int main(int argc, char **argv) {
       exit(-3);
     }
 
-    tSize bufferSize = tmpBufferSize;
+    bufferSize = (tSize)tmpBufferSize;
 
-    hdfsFile writeFile = hdfsOpenFile(fs, writeFileName, O_WRONLY, bufferSize, 0, 0);
+    writeFile = hdfsOpenFile(fs, writeFileName, O_WRONLY, bufferSize, 0, 0);
     if (!writeFile) {
         fprintf(stderr, "Failed to open %s for writing!\n", writeFileName);
         exit(-2);
     }
 
     // data to be written to the file
-    char* buffer = malloc(sizeof(char) * bufferSize);
+    buffer = malloc(sizeof(char) * bufferSize);
     if(buffer == NULL) {
         fprintf(stderr, "Could not allocate buffer of size %d\n", bufferSize);
         return -2;
     }
-    int i = 0;
     for (i=0; i < bufferSize; ++i) {
         buffer[i] = 'a' + (i%26);
     }
 
     // write to the file
-    off_t nrRemaining;
     for (nrRemaining = fileTotalSize; nrRemaining > 0; nrRemaining -= bufferSize ) {
-      tSize curSize = ( bufferSize < nrRemaining ) ? bufferSize : (tSize)nrRemaining; 
-      tSize written;
+      curSize = ( bufferSize < nrRemaining ) ? bufferSize : (tSize)nrRemaining; 
       if ((written = hdfsWrite(fs, writeFile, (void*)buffer, curSize)) != curSize) {
         fprintf(stderr, "ERROR: hdfsWrite returned an error on write: %d\n", written);
         exit(-3);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_zerocopy.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_zerocopy.c
index f9ee331a1ad..3774417c837 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_zerocopy.c
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test/test_libhdfs_zerocopy.c
@@ -19,12 +19,12 @@
 #include "expect.h"
 #include "hdfs.h"
 #include "native_mini_dfs.h"
+#include "platform.h"
 
 #include <errno.h>
 #include <inttypes.h>
-#include <semaphore.h>
-#include <pthread.h>
 #include <unistd.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -53,7 +53,7 @@ static uint8_t *getZeroCopyBlockData(int blockIdx)
         exit(1);
     }
     for (i = 0; i < TEST_ZEROCOPY_FULL_BLOCK_SIZE; i++) {
-      buf[i] = blockIdx + (i % 17);
+      buf[i] = (uint8_t)(blockIdx + (i % 17));
     }
     return buf;
 }
@@ -69,18 +69,6 @@ static int getZeroCopyBlockLen(int blockIdx)
     }
 }
 
-static void printBuf(const uint8_t *buf, size_t len) __attribute__((unused));
-
-static void printBuf(const uint8_t *buf, size_t len)
-{
-  size_t i;
-
-  for (i = 0; i < len; i++) {
-    fprintf(stderr, "%02x", buf[i]);
-  }
-  fprintf(stderr, "\n");
-}
-
 static int doTestZeroCopyReads(hdfsFS fs, const char *fileName)
 {
     hdfsFile file = NULL;
@@ -127,8 +115,9 @@ static int doTestZeroCopyReads(hdfsFS fs, const char *fileName)
     EXPECT_NONNULL(block);
     EXPECT_ZERO(memcmp(block, hadoopRzBufferGet(buffer), SMALL_READ_LEN));
     hadoopRzBufferFree(file, buffer);
-    EXPECT_INT_EQ(TEST_ZEROCOPY_FULL_BLOCK_SIZE + SMALL_READ_LEN,
-                  hdfsTell(fs, file));
+    EXPECT_INT64_EQ(
+          (int64_t)TEST_ZEROCOPY_FULL_BLOCK_SIZE + (int64_t)SMALL_READ_LEN,
+          hdfsTell(fs, file));
     EXPECT_ZERO(expectFileStats(file,
           TEST_ZEROCOPY_FULL_BLOCK_SIZE + SMALL_READ_LEN,
           TEST_ZEROCOPY_FULL_BLOCK_SIZE + SMALL_READ_LEN,
@@ -165,7 +154,7 @@ static int doTestZeroCopyReads(hdfsFS fs, const char *fileName)
     free(block);
     block = getZeroCopyBlockData(2);
     EXPECT_NONNULL(block);
-    EXPECT_ZERO(memcmp(block, hadoopRzBufferGet(buffer) +
+    EXPECT_ZERO(memcmp(block, (uint8_t*)hadoopRzBufferGet(buffer) +
         (TEST_ZEROCOPY_FULL_BLOCK_SIZE - SMALL_READ_LEN), SMALL_READ_LEN));
     hadoopRzBufferFree(file, buffer);
 
@@ -219,8 +208,10 @@ int main(void)
 {
     int port;
     struct NativeMiniDfsConf conf = {
-        .doFormat = 1,
-        .configureShortCircuit = 1,
+        1, /* doFormat */
+        0, /* webhdfsEnabled */
+        0, /* namenodeHttpPort */
+        1, /* configureShortCircuit */
     };
     char testFileName[TEST_FILE_NAME_LENGTH];
     hdfsFS fs;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test_libhdfs_threaded.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test_libhdfs_threaded.c
index c4ea060ec7d..cf605e3e2df 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test_libhdfs_threaded.c
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test_libhdfs_threaded.c
@@ -19,11 +19,11 @@
 #include "expect.h"
 #include "hdfs.h"
 #include "native_mini_dfs.h"
+#include "os/thread.h"
 
 #include <errno.h>
 #include <inttypes.h>
-#include <semaphore.h>
-#include <pthread.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -35,8 +35,6 @@
 
 #define TLH_DEFAULT_BLOCK_SIZE 134217728
 
-static sem_t tlhSem;
-
 static struct NativeMiniDfsCluster* tlhCluster;
 
 struct tlhThreadInfo {
@@ -44,18 +42,19 @@ struct tlhThreadInfo {
     int threadIdx;
     /** 0 = thread was successful; error code otherwise */
     int success;
-    /** pthread identifier */
-    pthread_t thread;
+    /** thread identifier */
+    thread theThread;
 };
 
 static int hdfsSingleNameNodeConnect(struct NativeMiniDfsCluster *cl, hdfsFS *fs,
                                      const char *username)
 {
-    int ret, port;
+    int ret;
+    tPort port;
     hdfsFS hdfs;
     struct hdfsBuilder *bld;
     
-    port = nmdGetNameNodePort(cl);
+    port = (tPort)nmdGetNameNodePort(cl);
     if (port < 0) {
         fprintf(stderr, "hdfsSingleNameNodeConnect: nmdGetNameNodePort "
                 "returned error %d\n", port);
@@ -164,7 +163,7 @@ static int doTestHdfsOperations(struct tlhThreadInfo *ti, hdfsFS fs,
     EXPECT_NONNULL(file);
 
     /* TODO: implement writeFully and use it here */
-    expected = strlen(paths->prefix);
+    expected = (int)strlen(paths->prefix);
     ret = hdfsWrite(fs, file, paths->prefix, expected);
     if (ret < 0) {
         ret = errno;
@@ -186,9 +185,9 @@ static int doTestHdfsOperations(struct tlhThreadInfo *ti, hdfsFS fs,
 
     EXPECT_ZERO(hdfsFileGetReadStatistics(file, &readStats));
     errno = 0;
-    EXPECT_ZERO(readStats->totalBytesRead);
-    EXPECT_ZERO(readStats->totalLocalBytesRead);
-    EXPECT_ZERO(readStats->totalShortCircuitBytesRead);
+    EXPECT_UINT64_EQ(UINT64_C(0), readStats->totalBytesRead);
+    EXPECT_UINT64_EQ(UINT64_C(0), readStats->totalLocalBytesRead);
+    EXPECT_UINT64_EQ(UINT64_C(0), readStats->totalShortCircuitBytesRead);
     hdfsFileFreeReadStatistics(readStats);
     /* TODO: implement readFully and use it here */
     ret = hdfsRead(fs, file, tmp, sizeof(tmp));
@@ -204,7 +203,7 @@ static int doTestHdfsOperations(struct tlhThreadInfo *ti, hdfsFS fs,
     }
     EXPECT_ZERO(hdfsFileGetReadStatistics(file, &readStats));
     errno = 0;
-    EXPECT_INT_EQ(expected, readStats->totalBytesRead);
+    EXPECT_UINT64_EQ((uint64_t)expected, readStats->totalBytesRead);
     hdfsFileFreeReadStatistics(readStats);
     EXPECT_ZERO(memcmp(paths->prefix, tmp, expected));
     EXPECT_ZERO(hdfsCloseFile(fs, file));
@@ -262,12 +261,11 @@ static int testHdfsOperationsImpl(struct tlhThreadInfo *ti)
     return 0;
 }
 
-static void *testHdfsOperations(void *v)
+static void testHdfsOperations(void *v)
 {
     struct tlhThreadInfo *ti = (struct tlhThreadInfo*)v;
     int ret = testHdfsOperationsImpl(ti);
     ti->success = ret;
-    return NULL;
 }
 
 static int checkFailures(struct tlhThreadInfo *ti, int tlhNumThreads)
@@ -304,7 +302,7 @@ int main(void)
     const char *tlhNumThreadsStr;
     struct tlhThreadInfo ti[TLH_MAX_THREADS];
     struct NativeMiniDfsConf conf = {
-        .doFormat = 1,
+        1, /* doFormat */
     };
 
     tlhNumThreadsStr = getenv("TLH_NUM_THREADS");
@@ -323,21 +321,20 @@ int main(void)
         ti[i].threadIdx = i;
     }
 
-    EXPECT_ZERO(sem_init(&tlhSem, 0, tlhNumThreads));
     tlhCluster = nmdCreate(&conf);
     EXPECT_NONNULL(tlhCluster);
     EXPECT_ZERO(nmdWaitClusterUp(tlhCluster));
 
     for (i = 0; i < tlhNumThreads; i++) {
-        EXPECT_ZERO(pthread_create(&ti[i].thread, NULL,
-            testHdfsOperations, &ti[i]));
+        ti[i].theThread.start = testHdfsOperations;
+        ti[i].theThread.arg = &ti[i];
+        EXPECT_ZERO(threadCreate(&ti[i].theThread));
     }
     for (i = 0; i < tlhNumThreads; i++) {
-        EXPECT_ZERO(pthread_join(ti[i].thread, NULL));
+        EXPECT_ZERO(threadJoin(&ti[i].theThread));
     }
 
     EXPECT_ZERO(nmdShutdown(tlhCluster));
     nmdFree(tlhCluster);
-    EXPECT_ZERO(sem_destroy(&tlhSem));
     return checkFailures(ti, tlhNumThreads);
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test_native_mini_dfs.c b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test_native_mini_dfs.c
index b97ef953ac6..850b0fcb647 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test_native_mini_dfs.c
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/native/libhdfs/test_native_mini_dfs.c
@@ -22,7 +22,7 @@
 #include <errno.h>
 
 static struct NativeMiniDfsConf conf = {
-    .doFormat = 1,
+    1, /* doFormat */
 };
 
 /**

From e6bdb33784530f57a41e1b3cd1b0a1f601ca5b88 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Fri, 8 Aug 2014 17:58:01 +0000
Subject: [PATCH 165/354] HADOOP-10919. Copy command should preserve raw.*
 namespace extended attributes. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1616840 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |   3 +
 .../fs/shell/CommandWithDestination.java      |  75 +++++++-
 .../apache/hadoop/fs/shell/CopyCommands.java  |   6 +-
 .../src/site/apt/FileSystemShell.apt.vm       |  11 +-
 .../org/apache/hadoop/hdfs/TestDFSShell.java  | 177 +++++++++++++++++-
 5 files changed, 254 insertions(+), 18 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 498307e6bc7..1a4965b5495 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -46,6 +46,9 @@ fs-encryption (Unreleased)
     HADOOP-10853. Refactor get instance of CryptoCodec and support create via
     algorithm/mode/padding. (Yi Liu)
 
+    HADOOP-10919. Copy command should preserve raw.* namespace
+    extended attributes. (clamb)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CommandWithDestination.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CommandWithDestination.java
index ac3b1e6c09e..1097994f7df 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CommandWithDestination.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CommandWithDestination.java
@@ -57,6 +57,17 @@ abstract class CommandWithDestination extends FsCommand {
   private boolean verifyChecksum = true;
   private boolean writeChecksum = true;
   
+  /**
+   * The name of the raw xattr namespace. It would be nice to use
+   * XAttr.RAW.name() but we can't reference the hadoop-hdfs project.
+   */
+  private final String RAW = "raw.";
+
+  /**
+   * The name of the reserved raw directory.
+   */
+  private final String RESERVED_RAW = "/.reserved/raw";
+
   /**
    * 
    * This method is used to enable the force(-f)  option while copying the files.
@@ -231,7 +242,7 @@ protected void processPath(PathData src) throws IOException {
   /**
    * Called with a source and target destination pair
    * @param src for the operation
-   * @param target for the operation
+   * @param dst for the operation
    * @throws IOException if anything goes wrong
    */
   protected void processPath(PathData src, PathData dst) throws IOException {
@@ -253,6 +264,8 @@ protected void recursePath(PathData src) throws IOException {
       // modify dst as we descend to append the basename of the
       // current directory being processed
       dst = getTargetPath(src);
+      final boolean preserveRawXattrs =
+          checkPathsForReservedRaw(src.path, dst.path);
       if (dst.exists) {
         if (!dst.stat.isDirectory()) {
           throw new PathIsNotDirectoryException(dst.toString());
@@ -268,7 +281,7 @@ protected void recursePath(PathData src) throws IOException {
       }      
       super.recursePath(src);
       if (dst.stat.isDirectory()) {
-        preserveAttributes(src, dst);
+        preserveAttributes(src, dst, preserveRawXattrs);
       }
     } finally {
       dst = savedDst;
@@ -295,18 +308,60 @@ protected PathData getTargetPath(PathData src) throws IOException {
    * @param target where to copy the item
    * @throws IOException if copy fails
    */ 
-  protected void copyFileToTarget(PathData src, PathData target) throws IOException {
+  protected void copyFileToTarget(PathData src, PathData target)
+      throws IOException {
+    final boolean preserveRawXattrs =
+        checkPathsForReservedRaw(src.path, target.path);
     src.fs.setVerifyChecksum(verifyChecksum);
     InputStream in = null;
     try {
       in = src.fs.open(src.path);
       copyStreamToTarget(in, target);
-      preserveAttributes(src, target);
+      preserveAttributes(src, target, preserveRawXattrs);
     } finally {
       IOUtils.closeStream(in);
     }
   }
   
+  /**
+   * Check the source and target paths to ensure that they are either both in
+   * /.reserved/raw or neither in /.reserved/raw. If neither src nor target are
+   * in /.reserved/raw, then return false, indicating not to preserve raw.*
+   * xattrs. If both src/target are in /.reserved/raw, then return true,
+   * indicating raw.* xattrs should be preserved. If only one of src/target is
+   * in /.reserved/raw then throw an exception.
+   *
+   * @param src The source path to check. This should be a fully-qualified
+   *            path, not relative.
+   * @param target The target path to check. This should be a fully-qualified
+   *               path, not relative.
+   * @return true if raw.* xattrs should be preserved.
+   * @throws PathOperationException is only one of src/target are in
+   * /.reserved/raw.
+   */
+  private boolean checkPathsForReservedRaw(Path src, Path target)
+      throws PathOperationException {
+    final boolean srcIsRR = Path.getPathWithoutSchemeAndAuthority(src).
+        toString().startsWith(RESERVED_RAW);
+    final boolean dstIsRR = Path.getPathWithoutSchemeAndAuthority(target).
+        toString().startsWith(RESERVED_RAW);
+    boolean preserveRawXattrs = false;
+    if (srcIsRR && !dstIsRR) {
+      final String s = "' copy from '" + RESERVED_RAW + "' to non '" +
+          RESERVED_RAW + "'. Either both source and target must be in '" +
+          RESERVED_RAW + "' or neither.";
+      throw new PathOperationException("'" + src.toString() + s);
+    } else if (!srcIsRR && dstIsRR) {
+      final String s = "' copy from non '" + RESERVED_RAW +"' to '" +
+          RESERVED_RAW + "'. Either both source and target must be in '" +
+          RESERVED_RAW + "' or neither.";
+      throw new PathOperationException("'" + dst.toString() + s);
+    } else if (srcIsRR && dstIsRR) {
+      preserveRawXattrs = true;
+    }
+    return preserveRawXattrs;
+  }
+
   /**
    * Copies the stream contents to a temporary file.  If the copy is
    * successful, the temporary file will be renamed to the real path,
@@ -337,9 +392,11 @@ protected void copyStreamToTarget(InputStream in, PathData target)
    * attribute to preserve.
    * @param src source to preserve
    * @param target where to preserve attributes
+   * @param preserveRawXAttrs true if raw.* xattrs should be preserved
    * @throws IOException if fails to preserve attributes
    */
-  protected void preserveAttributes(PathData src, PathData target)
+  protected void preserveAttributes(PathData src, PathData target,
+      boolean preserveRawXAttrs)
       throws IOException {
     if (shouldPreserve(FileAttribute.TIMESTAMPS)) {
       target.fs.setTimes(
@@ -369,13 +426,17 @@ protected void preserveAttributes(PathData src, PathData target)
         target.fs.setAcl(target.path, srcFullEntries);
       }
     }
-    if (shouldPreserve(FileAttribute.XATTR)) {
+    final boolean preserveXAttrs = shouldPreserve(FileAttribute.XATTR);
+    if (preserveXAttrs || preserveRawXAttrs) {
       Map<String, byte[]> srcXAttrs = src.fs.getXAttrs(src.path);
       if (srcXAttrs != null) {
         Iterator<Entry<String, byte[]>> iter = srcXAttrs.entrySet().iterator();
         while (iter.hasNext()) {
           Entry<String, byte[]> entry = iter.next();
-          target.fs.setXAttr(target.path, entry.getKey(), entry.getValue());
+          final String xattrName = entry.getKey();
+          if (xattrName.startsWith(RAW) || preserveXAttrs) {
+            target.fs.setXAttr(target.path, entry.getKey(), entry.getValue());
+          }
         }
       }
     }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CopyCommands.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CopyCommands.java
index 4dd2f4a4a89..3fd870c1cf6 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CopyCommands.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CopyCommands.java
@@ -143,7 +143,11 @@ static class Cp extends CommandWithDestination {
       "timestamps, ownership, permission. If -pa is specified, " +
       "then preserves permission also because ACL is a super-set of " +
       "permission. Passing -f overwrites the destination if it " +
-      "already exists.\n";
+      "already exists. raw namespace extended attributes are preserved " +
+      "if (1) they are supported (HDFS only) and, (2) all of the source and " +
+      "target pathnames are in the /.reserved/raw hierarchy. raw namespace " +
+      "xattr preservation is determined solely by the presence (or absence) " +
+      "of the /.reserved/raw prefix and not by the -p option.\n";
 
     @Override
     protected void processOptions(LinkedList<String> args) throws IOException {
diff --git a/hadoop-common-project/hadoop-common/src/site/apt/FileSystemShell.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/FileSystemShell.apt.vm
index 4a82884fb37..acc70c49b2b 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/FileSystemShell.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/FileSystemShell.apt.vm
@@ -164,15 +164,22 @@ cp
    Copy files from source to destination. This command allows multiple sources
    as well in which case the destination must be a directory.
 
+   'raw.*' namespace extended attributes are preserved if (1) the source and
+   destination filesystems support them (HDFS only), and (2) all source and
+   destination pathnames are in the /.reserved/raw hierarchy. Determination of
+   whether raw.* namespace xattrs are preserved is independent of the
+   -p (preserve) flag.
+
     Options:
 
       * The -f option will overwrite the destination if it already exists.
       
-      * The -p option will preserve file attributes [topx] (timestamps, 
+      * The -p option will preserve file attributes [topx] (timestamps,
         ownership, permission, ACL, XAttr). If -p is specified with no <arg>,
         then preserves timestamps, ownership, permission. If -pa is specified,
         then preserves permission also because ACL is a super-set of
-        permission.
+        permission. Determination of whether raw namespace extended attributes
+        are preserved is independent of the -p flag.
 
    Example:
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSShell.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSShell.java
index aac16f4e5e3..2daf69dd6a0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSShell.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSShell.java
@@ -77,6 +77,13 @@ public class TestDFSShell {
 
   static final String TEST_ROOT_DIR = PathUtils.getTestDirName(TestDFSShell.class);
 
+  private static final String RAW_A1 = "raw.a1";
+  private static final String TRUSTED_A1 = "trusted.a1";
+  private static final String USER_A1 = "user.a1";
+  private static final byte[] RAW_A1_VALUE = new byte[]{0x32, 0x32, 0x32};
+  private static final byte[] TRUSTED_A1_VALUE = new byte[]{0x31, 0x31, 0x31};
+  private static final byte[] USER_A1_VALUE = new byte[]{0x31, 0x32, 0x33};
+
   static Path writeFile(FileSystem fs, Path f) throws IOException {
     DataOutputStream out = fs.create(f);
     out.writeBytes("dhruba: " + f);
@@ -1664,8 +1671,8 @@ public void testCopyCommandsWithPreserveOption() throws Exception {
       final String group = status.getGroup();
       final FsPermission perm = status.getPermission();
       
-      fs.setXAttr(src, "user.a1", new byte[]{0x31, 0x32, 0x33});
-      fs.setXAttr(src, "trusted.a1", new byte[]{0x31, 0x31, 0x31});
+      fs.setXAttr(src, USER_A1, USER_A1_VALUE);
+      fs.setXAttr(src, TRUSTED_A1, TRUSTED_A1_VALUE);
       
       shell = new FsShell(conf);
       
@@ -1722,8 +1729,8 @@ public void testCopyCommandsWithPreserveOption() throws Exception {
       assertTrue(perm.equals(targetPerm));
       xattrs = fs.getXAttrs(target3);
       assertEquals(xattrs.size(), 2);
-      assertArrayEquals(new byte[]{0x31, 0x32, 0x33}, xattrs.get("user.a1"));
-      assertArrayEquals(new byte[]{0x31, 0x31, 0x31}, xattrs.get("trusted.a1"));
+      assertArrayEquals(USER_A1_VALUE, xattrs.get(USER_A1));
+      assertArrayEquals(TRUSTED_A1_VALUE, xattrs.get(TRUSTED_A1));
       acls = fs.getAclStatus(target3).getEntries();
       assertTrue(acls.isEmpty());
       assertFalse(targetPerm.getAclBit());
@@ -1780,6 +1787,160 @@ public void testCopyCommandsWithPreserveOption() throws Exception {
     }
   }
 
+  @Test (timeout = 120000)
+  public void testCopyCommandsWithRawXAttrs() throws Exception {
+    final Configuration conf = new Configuration();
+    conf.setBoolean(DFSConfigKeys.DFS_NAMENODE_XATTRS_ENABLED_KEY, true);
+    final MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).
+      numDataNodes(1).format(true).build();
+    FsShell shell = null;
+    FileSystem fs = null;
+    final String testdir = "/tmp/TestDFSShell-testCopyCommandsWithRawXAttrs-"
+      + counter.getAndIncrement();
+    final Path hdfsTestDir = new Path(testdir);
+    final Path rawHdfsTestDir = new Path("/.reserved/raw" + testdir);
+    try {
+      fs = cluster.getFileSystem();
+      fs.mkdirs(hdfsTestDir);
+      final Path src = new Path(hdfsTestDir, "srcfile");
+      final String rawSrcBase = "/.reserved/raw" + testdir;
+      final Path rawSrc = new Path(rawSrcBase, "srcfile");
+      fs.create(src).close();
+
+      final Path srcDir = new Path(hdfsTestDir, "srcdir");
+      final Path rawSrcDir = new Path("/.reserved/raw" + testdir, "srcdir");
+      fs.mkdirs(srcDir);
+      final Path srcDirFile = new Path(srcDir, "srcfile");
+      final Path rawSrcDirFile =
+              new Path("/.reserved/raw" + srcDirFile);
+      fs.create(srcDirFile).close();
+
+      final Path[] paths = { rawSrc, rawSrcDir, rawSrcDirFile };
+      final String[] xattrNames = { USER_A1, RAW_A1 };
+      final byte[][] xattrVals = { USER_A1_VALUE, RAW_A1_VALUE };
+
+      for (int i = 0; i < paths.length; i++) {
+        for (int j = 0; j < xattrNames.length; j++) {
+          fs.setXAttr(paths[i], xattrNames[j], xattrVals[j]);
+        }
+      }
+
+      shell = new FsShell(conf);
+
+      /* Check that a file as the source path works ok. */
+      doTestCopyCommandsWithRawXAttrs(shell, fs, src, hdfsTestDir, false);
+      doTestCopyCommandsWithRawXAttrs(shell, fs, rawSrc, hdfsTestDir, false);
+      doTestCopyCommandsWithRawXAttrs(shell, fs, src, rawHdfsTestDir, false);
+      doTestCopyCommandsWithRawXAttrs(shell, fs, rawSrc, rawHdfsTestDir, true);
+
+      /* Use a relative /.reserved/raw path. */
+      final Path savedWd = fs.getWorkingDirectory();
+      try {
+        fs.setWorkingDirectory(new Path(rawSrcBase));
+        final Path relRawSrc = new Path("../srcfile");
+        final Path relRawHdfsTestDir = new Path("..");
+        doTestCopyCommandsWithRawXAttrs(shell, fs, relRawSrc, relRawHdfsTestDir,
+                true);
+      } finally {
+        fs.setWorkingDirectory(savedWd);
+      }
+
+      /* Check that a directory as the source path works ok. */
+      doTestCopyCommandsWithRawXAttrs(shell, fs, srcDir, hdfsTestDir, false);
+      doTestCopyCommandsWithRawXAttrs(shell, fs, rawSrcDir, hdfsTestDir, false);
+      doTestCopyCommandsWithRawXAttrs(shell, fs, srcDir, rawHdfsTestDir, false);
+      doTestCopyCommandsWithRawXAttrs(shell, fs, rawSrcDir, rawHdfsTestDir,
+        true);
+
+      /* Use relative in an absolute path. */
+      final String relRawSrcDir = "./.reserved/../.reserved/raw/../raw" +
+          testdir + "/srcdir";
+      final String relRawDstDir = "./.reserved/../.reserved/raw/../raw" +
+          testdir;
+      doTestCopyCommandsWithRawXAttrs(shell, fs, new Path(relRawSrcDir),
+          new Path(relRawDstDir), true);
+    } finally {
+      if (null != shell) {
+        shell.close();
+      }
+
+      if (null != fs) {
+        fs.delete(hdfsTestDir, true);
+        fs.close();
+      }
+      cluster.shutdown();
+    }
+  }
+
+  private void doTestCopyCommandsWithRawXAttrs(FsShell shell, FileSystem fs,
+      Path src, Path hdfsTestDir, boolean expectRaw) throws Exception {
+    Path target;
+    boolean srcIsRaw;
+    if (src.isAbsolute()) {
+      srcIsRaw = src.toString().contains("/.reserved/raw");
+    } else {
+      srcIsRaw = new Path(fs.getWorkingDirectory(), src).
+          toString().contains("/.reserved/raw");
+    }
+    final boolean destIsRaw = hdfsTestDir.toString().contains("/.reserved/raw");
+    final boolean srcDestMismatch = srcIsRaw ^ destIsRaw;
+
+    // -p (possibly preserve raw if src & dst are both /.r/r */
+    if (srcDestMismatch) {
+      doCopyAndTest(shell, hdfsTestDir, src, "-p", ERROR);
+    } else {
+      target = doCopyAndTest(shell, hdfsTestDir, src, "-p", SUCCESS);
+      checkXAttrs(fs, target, expectRaw, false);
+    }
+
+    // -px (possibly preserve raw, always preserve non-raw xattrs. */
+    if (srcDestMismatch) {
+      doCopyAndTest(shell, hdfsTestDir, src, "-px", ERROR);
+    } else {
+      target = doCopyAndTest(shell, hdfsTestDir, src, "-px", SUCCESS);
+      checkXAttrs(fs, target, expectRaw, true);
+    }
+
+    // no args (possibly preserve raw, never preserve non-raw xattrs. */
+    if (srcDestMismatch) {
+      doCopyAndTest(shell, hdfsTestDir, src, null, ERROR);
+    } else {
+      target = doCopyAndTest(shell, hdfsTestDir, src, null, SUCCESS);
+      checkXAttrs(fs, target, expectRaw, false);
+    }
+  }
+
+  private Path doCopyAndTest(FsShell shell, Path dest, Path src,
+      String cpArgs, int expectedExitCode) throws Exception {
+    final Path target = new Path(dest, "targetfile" +
+        counter.getAndIncrement());
+    final String[] argv = cpArgs == null ?
+        new String[] { "-cp",         src.toUri().toString(),
+            target.toUri().toString() } :
+        new String[] { "-cp", cpArgs, src.toUri().toString(),
+            target.toUri().toString() };
+    final int ret = ToolRunner.run(shell, argv);
+    assertEquals("cp -p is not working", expectedExitCode, ret);
+    return target;
+  }
+
+  private void checkXAttrs(FileSystem fs, Path target, boolean expectRaw,
+      boolean expectVanillaXAttrs) throws Exception {
+    final Map<String, byte[]> xattrs = fs.getXAttrs(target);
+    int expectedCount = 0;
+    if (expectRaw) {
+      assertArrayEquals("raw.a1 has incorrect value",
+          RAW_A1_VALUE, xattrs.get(RAW_A1));
+      expectedCount++;
+    }
+    if (expectVanillaXAttrs) {
+      assertArrayEquals("user.a1 has incorrect value",
+          USER_A1_VALUE, xattrs.get(USER_A1));
+      expectedCount++;
+    }
+    assertEquals("xattrs size mismatch", expectedCount, xattrs.size());
+  }
+
   // verify cp -ptopxa option will preserve directory attributes.
   @Test (timeout = 120000)
   public void testCopyCommandsToDirectoryWithPreserveOption()
@@ -1825,8 +1986,8 @@ public void testCopyCommandsToDirectoryWithPreserveOption()
       final String group = status.getGroup();
       final FsPermission perm = status.getPermission();
 
-      fs.setXAttr(srcDir, "user.a1", new byte[]{0x31, 0x32, 0x33});
-      fs.setXAttr(srcDir, "trusted.a1", new byte[]{0x31, 0x31, 0x31});
+      fs.setXAttr(srcDir, USER_A1, USER_A1_VALUE);
+      fs.setXAttr(srcDir, TRUSTED_A1, TRUSTED_A1_VALUE);
 
       shell = new FsShell(conf);
 
@@ -1883,8 +2044,8 @@ public void testCopyCommandsToDirectoryWithPreserveOption()
       assertTrue(perm.equals(targetPerm));
       xattrs = fs.getXAttrs(targetDir3);
       assertEquals(xattrs.size(), 2);
-      assertArrayEquals(new byte[]{0x31, 0x32, 0x33}, xattrs.get("user.a1"));
-      assertArrayEquals(new byte[]{0x31, 0x31, 0x31}, xattrs.get("trusted.a1"));
+      assertArrayEquals(USER_A1_VALUE, xattrs.get(USER_A1));
+      assertArrayEquals(TRUSTED_A1_VALUE, xattrs.get(TRUSTED_A1));
       acls = fs.getAclStatus(targetDir3).getEntries();
       assertTrue(acls.isEmpty());
       assertFalse(targetPerm.getAclBit());

From 6da830cfdff62307e722bd995e5a481fd704d268 Mon Sep 17 00:00:00 2001
From: Ravi Prakash <raviprak@apache.org>
Date: Fri, 8 Aug 2014 18:21:18 +0000
Subject: [PATCH 166/354] HDFS-6823. dfs.web.authentication.kerberos.principal
 shows up in logs for insecure HDFS

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616845 13f79535-47bb-0310-9956-ffa450edef68
---
 .../src/main/java/org/apache/hadoop/hdfs/DFSUtil.java     | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
index 09d0952c15f..cfc5ca7dc3b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
@@ -1668,9 +1668,11 @@ public static HttpServer2.Builder httpServerTemplateForNNAndJN(
         .setKeytabConfKey(getSpnegoKeytabKey(conf, spnegoKeytabFileKey));
 
     // initialize the webserver for uploading/downloading files.
-    LOG.info("Starting web server as: "
-        + SecurityUtil.getServerPrincipal(conf.get(spnegoUserNameKey),
-            httpAddr.getHostName()));
+    if (UserGroupInformation.isSecurityEnabled()) {
+      LOG.info("Starting web server as: "
+          + SecurityUtil.getServerPrincipal(conf.get(spnegoUserNameKey),
+              httpAddr.getHostName()));
+    }
 
     if (policy.isHttpEnabled()) {
       if (httpAddr.getPort() == 0) {

From a42231d19b85ba8e4039cc652f7085d439b4f527 Mon Sep 17 00:00:00 2001
From: Ravi Prakash <raviprak@apache.org>
Date: Fri, 8 Aug 2014 18:24:10 +0000
Subject: [PATCH 167/354] HDFS-6823. dfs.web.authentication.kerberos.principal
 shows up in logs for insecure HDFS

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616846 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index bf8fc033554..04834af39a5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -390,6 +390,9 @@ Release 2.6.0 - UNRELEASED
 
   BUG FIXES
 
+    HDFS-6823. dfs.web.authentication.kerberos.principal shows up in logs for 
+    insecure HDFS (Allen Wittenauer via raviprak)
+
     HDFS-6617. Flake TestDFSZKFailoverController.testManualFailoverWithDFSHAAdmin
     due to a long edit log sync op. (Liang Xie via cnauroth)
 

From a70c9de3f1fcb5930a5eab5a92085055d79edbf5 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Fri, 8 Aug 2014 21:20:19 +0000
Subject: [PATCH 168/354] HDFS-6830. BlockInfo.addStorage fails when DN changes
 the storage for a block replica. (Arpit Agarwal)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616883 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +++
 .../server/blockmanagement/BlockInfo.java     | 26 ++++++-------------
 .../server/blockmanagement/BlockManager.java  |  4 +--
 .../blockmanagement/DatanodeStorageInfo.java  | 22 +++++++++++++---
 .../server/blockmanagement/TestBlockInfo.java | 20 +++++++++-----
 5 files changed, 46 insertions(+), 29 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 04834af39a5..5b934360c16 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -479,6 +479,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6791. A block could remain under replicated if all of its replicas are on
     decommissioned nodes. (Ming Ma via jing9)
 
+    HDFS-6830. BlockInfo.addStorage fails when DN changes the storage for a
+    block replica. (Arpit Agarwal)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
index 272cb1d48a1..0ce112118c1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
@@ -194,24 +194,12 @@ public int numNodes() {
    * Add a {@link DatanodeStorageInfo} location for a block
    */
   boolean addStorage(DatanodeStorageInfo storage) {
-    boolean added = true;
-    int idx = findDatanode(storage.getDatanodeDescriptor());
-    if(idx >= 0) {
-      if (getStorageInfo(idx) == storage) { // the storage is already there
-        return false;
-      } else {
-        // The block is on the DN but belongs to a different storage.
-        // Update our state.
-        removeStorage(getStorageInfo(idx));
-        added = false;      // Just updating storage. Return false.
-      }
-    }
     // find the last null node
     int lastNode = ensureCapacity(1);
     setStorageInfo(lastNode, storage);
     setNext(lastNode, null);
     setPrevious(lastNode, null);
-    return added;
+    return true;
   }
 
   /**
@@ -240,16 +228,18 @@ assert getPrevious(dnIndex) == null && getNext(dnIndex) == null :
    * Find specified DatanodeDescriptor.
    * @return index or -1 if not found.
    */
-  int findDatanode(DatanodeDescriptor dn) {
+  boolean findDatanode(DatanodeDescriptor dn) {
     int len = getCapacity();
     for(int idx = 0; idx < len; idx++) {
       DatanodeDescriptor cur = getDatanode(idx);
-      if(cur == dn)
-        return idx;
-      if(cur == null)
+      if(cur == dn) {
+        return true;
+      }
+      if(cur == null) {
         break;
+      }
     }
-    return -1;
+    return false;
   }
   /**
    * Find specified DatanodeStorageInfo.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
index 8046d8ad0cd..6fdec77be69 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
@@ -2065,7 +2065,7 @@ private BlockInfo processReportedBlock(
     // Add replica if appropriate. If the replica was previously corrupt
     // but now okay, it might need to be updated.
     if (reportedState == ReplicaState.FINALIZED
-        && (storedBlock.findDatanode(dn) < 0
+        && (!storedBlock.findDatanode(dn)
         || corruptReplicas.isReplicaCorrupt(storedBlock, dn))) {
       toAdd.add(storedBlock);
     }
@@ -2246,7 +2246,7 @@ void addStoredBlockUnderConstruction(StatefulBlockInfo ucBlock,
         storageInfo, ucBlock.reportedBlock, ucBlock.reportedState);
 
     if (ucBlock.reportedState == ReplicaState.FINALIZED &&
-        block.findDatanode(storageInfo.getDatanodeDescriptor()) < 0) {
+        !block.findDatanode(storageInfo.getDatanodeDescriptor())) {
       addStoredBlock(block, storageInfo, null, true);
     }
   } 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
index 791fc3157d9..9e442c7e1f7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
@@ -208,12 +208,28 @@ long getBlockPoolUsed() {
   }
 
   public boolean addBlock(BlockInfo b) {
-    if(!b.addStorage(this))
-      return false;
+    // First check whether the block belongs to a different storage
+    // on the same DN.
+    boolean replaced = false;
+    DatanodeStorageInfo otherStorage =
+        b.findStorageInfo(getDatanodeDescriptor());
+
+    if (otherStorage != null) {
+      if (otherStorage != this) {
+        // The block belongs to a different storage. Remove it first.
+        otherStorage.removeBlock(b);
+        replaced = true;
+      } else {
+        // The block is already associated with this storage.
+        return false;
+      }
+    }
+
     // add to the head of the data-node list
+    b.addStorage(this);
     blockList = b.listInsert(blockList, this);
     numBlocks++;
-    return true;
+    return !replaced;
   }
 
   boolean removeBlock(BlockInfo b) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java
index 7cfe423c6e4..61094dfc8ff 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.hdfs.server.blockmanagement;
 
+import static org.hamcrest.core.Is.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 
@@ -59,17 +60,24 @@ public void testAddStorage() throws Exception {
 
 
   @Test
-  public void testReplaceStorageIfDifferetnOneAlreadyExistedFromSameDataNode() throws Exception {
-    BlockInfo blockInfo = new BlockInfo(3);
+  public void testReplaceStorage() throws Exception {
 
+    // Create two dummy storages.
     final DatanodeStorageInfo storage1 = DFSTestUtil.createDatanodeStorageInfo("storageID1", "127.0.0.1");
     final DatanodeStorageInfo storage2 = new DatanodeStorageInfo(storage1.getDatanodeDescriptor(), new DatanodeStorage("storageID2"));
+    final int NUM_BLOCKS = 10;
+    BlockInfo[] blockInfos = new BlockInfo[NUM_BLOCKS];
 
-    blockInfo.addStorage(storage1);
-    boolean added = blockInfo.addStorage(storage2);
+    // Create a few dummy blocks and add them to the first storage.
+    for (int i = 0; i < NUM_BLOCKS; ++i) {
+      blockInfos[i] = new BlockInfo(3);
+      storage1.addBlock(blockInfos[i]);
+    }
 
-    Assert.assertFalse(added);
-    Assert.assertEquals(storage2, blockInfo.getStorageInfo(0));
+    // Try to move one of the blocks to a different storage.
+    boolean added = storage2.addBlock(blockInfos[NUM_BLOCKS/2]);
+    Assert.assertThat(added, is(false));
+    Assert.assertThat(blockInfos[NUM_BLOCKS/2].getStorageInfo(0), is(storage2));
   }
 
   @Test

From 05d1bf4157e6660610f11951845e59899260596e Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Fri, 8 Aug 2014 21:22:48 +0000
Subject: [PATCH 169/354] HDFS-6830. Revert accidental checkin

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616884 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ---
 .../server/blockmanagement/BlockInfo.java     | 26 +++++++++++++------
 .../server/blockmanagement/BlockManager.java  |  4 +--
 .../blockmanagement/DatanodeStorageInfo.java  | 22 +++-------------
 .../server/blockmanagement/TestBlockInfo.java | 20 +++++---------
 5 files changed, 29 insertions(+), 46 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 5b934360c16..04834af39a5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -479,9 +479,6 @@ Release 2.6.0 - UNRELEASED
     HDFS-6791. A block could remain under replicated if all of its replicas are on
     decommissioned nodes. (Ming Ma via jing9)
 
-    HDFS-6830. BlockInfo.addStorage fails when DN changes the storage for a
-    block replica. (Arpit Agarwal)
-
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
index 0ce112118c1..272cb1d48a1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
@@ -194,12 +194,24 @@ public int numNodes() {
    * Add a {@link DatanodeStorageInfo} location for a block
    */
   boolean addStorage(DatanodeStorageInfo storage) {
+    boolean added = true;
+    int idx = findDatanode(storage.getDatanodeDescriptor());
+    if(idx >= 0) {
+      if (getStorageInfo(idx) == storage) { // the storage is already there
+        return false;
+      } else {
+        // The block is on the DN but belongs to a different storage.
+        // Update our state.
+        removeStorage(getStorageInfo(idx));
+        added = false;      // Just updating storage. Return false.
+      }
+    }
     // find the last null node
     int lastNode = ensureCapacity(1);
     setStorageInfo(lastNode, storage);
     setNext(lastNode, null);
     setPrevious(lastNode, null);
-    return true;
+    return added;
   }
 
   /**
@@ -228,18 +240,16 @@ assert getPrevious(dnIndex) == null && getNext(dnIndex) == null :
    * Find specified DatanodeDescriptor.
    * @return index or -1 if not found.
    */
-  boolean findDatanode(DatanodeDescriptor dn) {
+  int findDatanode(DatanodeDescriptor dn) {
     int len = getCapacity();
     for(int idx = 0; idx < len; idx++) {
       DatanodeDescriptor cur = getDatanode(idx);
-      if(cur == dn) {
-        return true;
-      }
-      if(cur == null) {
+      if(cur == dn)
+        return idx;
+      if(cur == null)
         break;
-      }
     }
-    return false;
+    return -1;
   }
   /**
    * Find specified DatanodeStorageInfo.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
index 6fdec77be69..8046d8ad0cd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
@@ -2065,7 +2065,7 @@ private BlockInfo processReportedBlock(
     // Add replica if appropriate. If the replica was previously corrupt
     // but now okay, it might need to be updated.
     if (reportedState == ReplicaState.FINALIZED
-        && (!storedBlock.findDatanode(dn)
+        && (storedBlock.findDatanode(dn) < 0
         || corruptReplicas.isReplicaCorrupt(storedBlock, dn))) {
       toAdd.add(storedBlock);
     }
@@ -2246,7 +2246,7 @@ void addStoredBlockUnderConstruction(StatefulBlockInfo ucBlock,
         storageInfo, ucBlock.reportedBlock, ucBlock.reportedState);
 
     if (ucBlock.reportedState == ReplicaState.FINALIZED &&
-        !block.findDatanode(storageInfo.getDatanodeDescriptor())) {
+        block.findDatanode(storageInfo.getDatanodeDescriptor()) < 0) {
       addStoredBlock(block, storageInfo, null, true);
     }
   } 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
index 9e442c7e1f7..791fc3157d9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
@@ -208,28 +208,12 @@ long getBlockPoolUsed() {
   }
 
   public boolean addBlock(BlockInfo b) {
-    // First check whether the block belongs to a different storage
-    // on the same DN.
-    boolean replaced = false;
-    DatanodeStorageInfo otherStorage =
-        b.findStorageInfo(getDatanodeDescriptor());
-
-    if (otherStorage != null) {
-      if (otherStorage != this) {
-        // The block belongs to a different storage. Remove it first.
-        otherStorage.removeBlock(b);
-        replaced = true;
-      } else {
-        // The block is already associated with this storage.
-        return false;
-      }
-    }
-
+    if(!b.addStorage(this))
+      return false;
     // add to the head of the data-node list
-    b.addStorage(this);
     blockList = b.listInsert(blockList, this);
     numBlocks++;
-    return !replaced;
+    return true;
   }
 
   boolean removeBlock(BlockInfo b) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java
index 61094dfc8ff..7cfe423c6e4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java
@@ -17,7 +17,6 @@
  */
 package org.apache.hadoop.hdfs.server.blockmanagement;
 
-import static org.hamcrest.core.Is.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 
@@ -60,24 +59,17 @@ public void testAddStorage() throws Exception {
 
 
   @Test
-  public void testReplaceStorage() throws Exception {
+  public void testReplaceStorageIfDifferetnOneAlreadyExistedFromSameDataNode() throws Exception {
+    BlockInfo blockInfo = new BlockInfo(3);
 
-    // Create two dummy storages.
     final DatanodeStorageInfo storage1 = DFSTestUtil.createDatanodeStorageInfo("storageID1", "127.0.0.1");
     final DatanodeStorageInfo storage2 = new DatanodeStorageInfo(storage1.getDatanodeDescriptor(), new DatanodeStorage("storageID2"));
-    final int NUM_BLOCKS = 10;
-    BlockInfo[] blockInfos = new BlockInfo[NUM_BLOCKS];
 
-    // Create a few dummy blocks and add them to the first storage.
-    for (int i = 0; i < NUM_BLOCKS; ++i) {
-      blockInfos[i] = new BlockInfo(3);
-      storage1.addBlock(blockInfos[i]);
-    }
+    blockInfo.addStorage(storage1);
+    boolean added = blockInfo.addStorage(storage2);
 
-    // Try to move one of the blocks to a different storage.
-    boolean added = storage2.addBlock(blockInfos[NUM_BLOCKS/2]);
-    Assert.assertThat(added, is(false));
-    Assert.assertThat(blockInfos[NUM_BLOCKS/2].getStorageInfo(0), is(storage2));
+    Assert.assertFalse(added);
+    Assert.assertEquals(storage2, blockInfo.getStorageInfo(0));
   }
 
   @Test

From c3cf331dc91e2beef2afeed11105084843b02858 Mon Sep 17 00:00:00 2001
From: Jing Zhao <jing9@apache.org>
Date: Fri, 8 Aug 2014 21:33:57 +0000
Subject: [PATCH 170/354] HDFS-6828. Separate block replica dispatching from
 Balancer. Contributed by Tsz Wo Nicholas Sze.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616889 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |    3 +
 .../hadoop/hdfs/server/balancer/Balancer.java | 1034 +---------------
 .../hdfs/server/balancer/Dispatcher.java      | 1060 +++++++++++++++++
 .../server/balancer/NameNodeConnector.java    |   18 +-
 .../hdfs/server/balancer/TestBalancer.java    |    6 +-
 .../balancer/TestBalancerWithHANameNodes.java |    2 +-
 .../TestBalancerWithMultipleNameNodes.java    |    2 +-
 .../balancer/TestBalancerWithNodeGroup.java   |    2 +-
 8 files changed, 1111 insertions(+), 1016 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 04834af39a5..eca0009be90 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -384,6 +384,9 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-573. Porting libhdfs to Windows. (cnauroth)
 
+    HDFS-6828. Separate block replica dispatching from Balancer. (szetszwo via
+    jing9)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
index 33f7a0aacfa..391d7edefc1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
@@ -18,19 +18,9 @@
 package org.apache.hadoop.hdfs.server.balancer;
 
 import static com.google.common.base.Preconditions.checkArgument;
-import static org.apache.hadoop.fs.CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT;
-import static org.apache.hadoop.fs.CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY;
-import static org.apache.hadoop.hdfs.protocolPB.PBHelper.vintPrefixed;
 
-import java.io.BufferedInputStream;
-import java.io.BufferedOutputStream;
-import java.io.DataInputStream;
-import java.io.DataOutputStream;
 import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
 import java.io.PrintStream;
-import java.net.Socket;
 import java.net.URI;
 import java.text.DateFormat;
 import java.util.ArrayList;
@@ -38,20 +28,11 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
-import java.util.EnumMap;
 import java.util.Formatter;
-import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
-import java.util.Map;
 import java.util.Set;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import java.util.concurrent.atomic.AtomicLong;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -63,31 +44,15 @@
 import org.apache.hadoop.hdfs.DFSUtil;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.StorageType;
-import org.apache.hadoop.hdfs.protocol.Block;
-import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
-import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
-import org.apache.hadoop.hdfs.protocol.HdfsConstants;
-import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
-import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
-import org.apache.hadoop.hdfs.protocol.datatransfer.Sender;
-import org.apache.hadoop.hdfs.protocol.datatransfer.TrustedChannelResolver;
-import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataTransferSaslUtil;
-import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient;
-import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.BlockOpResponseProto;
-import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.Status;
-import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
+import org.apache.hadoop.hdfs.server.balancer.Dispatcher.BalancerDatanode;
+import org.apache.hadoop.hdfs.server.balancer.Dispatcher.Source;
+import org.apache.hadoop.hdfs.server.balancer.Dispatcher.Task;
+import org.apache.hadoop.hdfs.server.balancer.Dispatcher.Util;
 import org.apache.hadoop.hdfs.server.blockmanagement.BlockPlacementPolicy;
 import org.apache.hadoop.hdfs.server.blockmanagement.BlockPlacementPolicyDefault;
-import org.apache.hadoop.hdfs.server.common.HdfsServerConstants;
 import org.apache.hadoop.hdfs.server.namenode.UnsupportedActionException;
-import org.apache.hadoop.hdfs.server.protocol.BlocksWithLocations.BlockWithLocations;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
 import org.apache.hadoop.hdfs.server.protocol.StorageReport;
-import org.apache.hadoop.io.IOUtils;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.net.NetworkTopology;
-import org.apache.hadoop.security.token.Token;
-import org.apache.hadoop.util.HostsFileReader;
 import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.util.Time;
 import org.apache.hadoop.util.Tool;
@@ -200,15 +165,7 @@ public class Balancer {
 
   private static final long GB = 1L << 30; //1GB
   private static final long MAX_SIZE_TO_MOVE = 10*GB;
-  private static final long MAX_BLOCKS_SIZE_TO_FETCH = 2*GB;
 
-  /** The maximum number of concurrent blocks moves for 
-   * balancing purpose at a datanode
-   */
-  private static final int MAX_NO_PENDING_BLOCK_ITERATIONS = 5;
-  public static final long DELAY_AFTER_ERROR = 10 * 1000L; //10 seconds
-  public static final int BLOCK_MOVE_READ_TIMEOUT=20*60*1000; // 20 minutes
-  
   private static final String USAGE = "Usage: java "
       + Balancer.class.getSimpleName()
       + "\n\t[-policy <policy>]\tthe balancing policy: "
@@ -220,16 +177,9 @@ public class Balancer {
       + "\n\t[-include [-f <hosts-file> | comma-sperated list of hosts]]"
       + "\tIncludes only the specified datanodes.";
   
-  private final NameNodeConnector nnc;
-  private final KeyManager keyManager;
-
+  private final Dispatcher dispatcher;
   private final BalancingPolicy policy;
-  private final SaslDataTransferClient saslClient;
   private final double threshold;
-  // set of data nodes to be excluded from balancing operations.
-  Set<String> nodesToBeExcluded;
-  //Restrict balancing to the following nodes.
-  Set<String> nodesToBeIncluded;
   
   // all data node lists
   private final Collection<Source> overUtilized = new LinkedList<Source>();
@@ -238,634 +188,6 @@ public class Balancer {
       = new LinkedList<BalancerDatanode.StorageGroup>();
   private final Collection<BalancerDatanode.StorageGroup> underUtilized
       = new LinkedList<BalancerDatanode.StorageGroup>();
-  
-  private final Collection<Source> sources = new HashSet<Source>();
-  private final Collection<BalancerDatanode.StorageGroup> targets
-      = new HashSet<BalancerDatanode.StorageGroup>();
-  
-  private final Map<Block, BalancerBlock> globalBlockList
-                 = new HashMap<Block, BalancerBlock>();
-  private final MovedBlocks<BalancerDatanode.StorageGroup> movedBlocks;
-
-  /** Map (datanodeUuid,storageType -> StorageGroup) */
-  private final StorageGroupMap storageGroupMap = new StorageGroupMap();
-  
-  private NetworkTopology cluster;
-
-  private final ExecutorService moverExecutor;
-  private final ExecutorService dispatcherExecutor;
-  private final int maxConcurrentMovesPerNode;
-
-
-  private static class StorageGroupMap {
-    private static String toKey(String datanodeUuid, StorageType storageType) {
-      return datanodeUuid + ":" + storageType;
-    }
-
-    private final Map<String, BalancerDatanode.StorageGroup> map
-        = new HashMap<String, BalancerDatanode.StorageGroup>();
-    
-    BalancerDatanode.StorageGroup get(String datanodeUuid, StorageType storageType) {
-      return map.get(toKey(datanodeUuid, storageType));
-    }
-    
-    void put(BalancerDatanode.StorageGroup g) {
-      final String key = toKey(g.getDatanode().getDatanodeUuid(), g.storageType);
-      final BalancerDatanode.StorageGroup existing = map.put(key, g);
-      Preconditions.checkState(existing == null);
-    }
-    
-    int size() {
-      return map.size();
-    }
-    
-    void clear() {
-      map.clear();
-    }
-  }
-  /* This class keeps track of a scheduled block move */
-  private class PendingBlockMove {
-    private BalancerBlock block;
-    private Source source;
-    private BalancerDatanode proxySource;
-    private BalancerDatanode.StorageGroup target;
-    
-    /** constructor */
-    private PendingBlockMove() {
-    }
-    
-    @Override
-    public String toString() {
-      final Block b = block.getBlock();
-      return b + " with size=" + b.getNumBytes() + " from "
-          + source.getDisplayName() + " to " + target.getDisplayName()
-          + " through " + proxySource.datanode;
-    }
-
-    /* choose a block & a proxy source for this pendingMove 
-     * whose source & target have already been chosen.
-     * 
-     * Return true if a block and its proxy are chosen; false otherwise
-     */
-    private boolean chooseBlockAndProxy() {
-      // iterate all source's blocks until find a good one
-      for (Iterator<BalancerBlock> blocks=
-        source.getBlockIterator(); blocks.hasNext();) {
-        if (markMovedIfGoodBlock(blocks.next())) {
-          blocks.remove();
-          return true;
-        }
-      }
-      return false;
-    }
-    
-    /* Return true if the given block is good for the tentative move;
-     * If it is good, add it to the moved list to marked as "Moved".
-     * A block is good if
-     * 1. it is a good candidate; see isGoodBlockCandidate
-     * 2. can find a proxy source that's not busy for this move
-     */
-    private boolean markMovedIfGoodBlock(BalancerBlock block) {
-      synchronized(block) {
-        synchronized(movedBlocks) {
-          if (isGoodBlockCandidate(source, target, block)) {
-            this.block = block;
-            if ( chooseProxySource() ) {
-              movedBlocks.put(block);
-              if (LOG.isDebugEnabled()) {
-                LOG.debug("Decided to move " + this);
-              }
-              return true;
-            }
-          }
-        }
-      }
-      return false;
-    }
-    
-    /* Now we find out source, target, and block, we need to find a proxy
-     * 
-     * @return true if a proxy is found; otherwise false
-     */
-    private boolean chooseProxySource() {
-      final DatanodeInfo targetDN = target.getDatanode();
-      // if node group is supported, first try add nodes in the same node group
-      if (cluster.isNodeGroupAware()) {
-        for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
-          if (cluster.isOnSameNodeGroup(loc.getDatanode(), targetDN) && addTo(loc)) {
-            return true;
-          }
-        }
-      }
-      // check if there is replica which is on the same rack with the target
-      for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
-        if (cluster.isOnSameRack(loc.getDatanode(), targetDN) && addTo(loc)) {
-          return true;
-        }
-      }
-      // find out a non-busy replica
-      for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
-        if (addTo(loc)) {
-          return true;
-        }
-      }
-      return false;
-    }
-    
-    /** add to a proxy source for specific block movement */
-    private boolean addTo(BalancerDatanode.StorageGroup g) {
-      final BalancerDatanode bdn = g.getBalancerDatanode();
-      if (bdn.addPendingBlock(this)) {
-        proxySource = bdn;
-        return true;
-      }
-      return false;
-    }
-    
-    /* Dispatch the block move task to the proxy source & wait for the response
-     */
-    private void dispatch() {
-      Socket sock = new Socket();
-      DataOutputStream out = null;
-      DataInputStream in = null;
-      try {
-        sock.connect(
-            NetUtils.createSocketAddr(target.getDatanode().getXferAddr()),
-            HdfsServerConstants.READ_TIMEOUT);
-        /* Unfortunately we don't have a good way to know if the Datanode is
-         * taking a really long time to move a block, OR something has
-         * gone wrong and it's never going to finish. To deal with this 
-         * scenario, we set a long timeout (20 minutes) to avoid hanging
-         * the balancer indefinitely.
-         */
-        sock.setSoTimeout(BLOCK_MOVE_READ_TIMEOUT);
-
-        sock.setKeepAlive(true);
-        
-        OutputStream unbufOut = sock.getOutputStream();
-        InputStream unbufIn = sock.getInputStream();
-        ExtendedBlock eb = new ExtendedBlock(nnc.getBlockpoolID(), block.getBlock());
-        Token<BlockTokenIdentifier> accessToken = keyManager.getAccessToken(eb);
-        IOStreamPair saslStreams = saslClient.socketSend(sock, unbufOut,
-          unbufIn, keyManager, accessToken, target.getDatanode());
-        unbufOut = saslStreams.out;
-        unbufIn = saslStreams.in;
-        out = new DataOutputStream(new BufferedOutputStream(unbufOut,
-            HdfsConstants.IO_FILE_BUFFER_SIZE));
-        in = new DataInputStream(new BufferedInputStream(unbufIn,
-            HdfsConstants.IO_FILE_BUFFER_SIZE));
-        
-        sendRequest(out, eb, StorageType.DEFAULT, accessToken);
-        receiveResponse(in);
-        bytesMoved.addAndGet(block.getNumBytes());
-        LOG.info("Successfully moved " + this);
-      } catch (IOException e) {
-        LOG.warn("Failed to move " + this + ": " + e.getMessage());
-        /* proxy or target may have an issue, insert a small delay
-         * before using these nodes further. This avoids a potential storm
-         * of "threads quota exceeded" Warnings when the balancer
-         * gets out of sync with work going on in datanode.
-         */
-        proxySource.activateDelay(DELAY_AFTER_ERROR);
-        target.getBalancerDatanode().activateDelay(DELAY_AFTER_ERROR);
-      } finally {
-        IOUtils.closeStream(out);
-        IOUtils.closeStream(in);
-        IOUtils.closeSocket(sock);
-        
-        proxySource.removePendingBlock(this);
-        target.getBalancerDatanode().removePendingBlock(this);
-
-        synchronized (this ) {
-          reset();
-        }
-        synchronized (Balancer.this) {
-          Balancer.this.notifyAll();
-        }
-      }
-    }
-    
-    /* Send a block replace request to the output stream*/
-    private void sendRequest(DataOutputStream out, ExtendedBlock eb,
-        StorageType storageType, 
-        Token<BlockTokenIdentifier> accessToken) throws IOException {
-      new Sender(out).replaceBlock(eb, storageType, accessToken,
-          source.getDatanode().getDatanodeUuid(), proxySource.datanode);
-    }
-    
-    /* Receive a block copy response from the input stream */ 
-    private void receiveResponse(DataInputStream in) throws IOException {
-      BlockOpResponseProto response = BlockOpResponseProto.parseFrom(
-          vintPrefixed(in));
-      if (response.getStatus() != Status.SUCCESS) {
-        if (response.getStatus() == Status.ERROR_ACCESS_TOKEN)
-          throw new IOException("block move failed due to access token error");
-        throw new IOException("block move is failed: " +
-            response.getMessage());
-      }
-    }
-
-    /* reset the object */
-    private void reset() {
-      block = null;
-      source = null;
-      proxySource = null;
-      target = null;
-    }
-    
-    /* start a thread to dispatch the block move */
-    private void scheduleBlockMove() {
-      moverExecutor.execute(new Runnable() {
-        @Override
-        public void run() {
-          if (LOG.isDebugEnabled()) {
-            LOG.debug("Start moving " + PendingBlockMove.this);
-          }
-          dispatch();
-        }
-      });
-    }
-  }
-  
-  /* A class for keeping track of blocks in the Balancer */
-  static class BalancerBlock extends MovedBlocks.Locations<BalancerDatanode.StorageGroup> {
-    BalancerBlock(Block block) {
-      super(block);
-    }
-  }
-  
-  /* The class represents a desired move of bytes between two nodes 
-   * and the target.
-   * An object of this class is stored in a source. 
-   */
-  static private class Task {
-    private final BalancerDatanode.StorageGroup target;
-    private long size;  //bytes scheduled to move
-    
-    /* constructor */
-    private Task(BalancerDatanode.StorageGroup target, long size) {
-      this.target = target;
-      this.size = size;
-    }
-  }
-  
-  
-  /* A class that keeps track of a datanode in Balancer */
-  private static class BalancerDatanode {
-    
-    /** A group of storages in a datanode with the same storage type. */
-    private class StorageGroup {
-      final StorageType storageType;
-      final double utilization;
-      final long maxSize2Move;
-      private long scheduledSize = 0L;
-
-      private StorageGroup(StorageType storageType, double utilization,
-          long maxSize2Move) {
-        this.storageType = storageType;
-        this.utilization = utilization;
-        this.maxSize2Move = maxSize2Move;
-      }
-      
-      BalancerDatanode getBalancerDatanode() {
-        return BalancerDatanode.this;
-      }
-
-      DatanodeInfo getDatanode() {
-        return BalancerDatanode.this.datanode;
-      }
-
-      /** Decide if still need to move more bytes */
-      protected synchronized boolean hasSpaceForScheduling() {
-        return availableSizeToMove() > 0L;
-      }
-
-      /** @return the total number of bytes that need to be moved */
-      synchronized long availableSizeToMove() {
-        return maxSize2Move - scheduledSize;
-      }
-      
-      /** increment scheduled size */
-      synchronized void incScheduledSize(long size) {
-        scheduledSize += size;
-      }
-      
-      /** @return scheduled size */
-      synchronized long getScheduledSize() {
-        return scheduledSize;
-      }
-      
-      /** Reset scheduled size to zero. */
-      synchronized void resetScheduledSize() {
-        scheduledSize = 0L;
-      }
-
-      /** @return the name for display */
-      String getDisplayName() {
-        return datanode + ":" + storageType;
-      }
-      
-      @Override
-      public String toString() {
-        return "" + utilization;
-      }
-    }
-
-    final DatanodeInfo datanode;
-    final EnumMap<StorageType, StorageGroup> storageMap
-        = new EnumMap<StorageType, StorageGroup>(StorageType.class);
-    protected long delayUntil = 0L;
-    //  blocks being moved but not confirmed yet
-    private final List<PendingBlockMove> pendingBlocks;
-    private final int maxConcurrentMoves;
-    
-    @Override
-    public String toString() {
-      return getClass().getSimpleName() + ":" + datanode + ":" + storageMap;
-    }
-
-    /* Constructor 
-     * Depending on avgutil & threshold, calculate maximum bytes to move 
-     */
-    private BalancerDatanode(DatanodeStorageReport report,
-        double threshold, int maxConcurrentMoves) {
-      this.datanode = report.getDatanodeInfo();
-      this.maxConcurrentMoves = maxConcurrentMoves;
-      this.pendingBlocks = new ArrayList<PendingBlockMove>(maxConcurrentMoves);
-    }
-    
-    private void put(StorageType storageType, StorageGroup g) {
-      final StorageGroup existing = storageMap.put(storageType, g);
-      Preconditions.checkState(existing == null);
-    }
-
-    StorageGroup addStorageGroup(StorageType storageType, double utilization,
-        long maxSize2Move) {
-      final StorageGroup g = new StorageGroup(storageType, utilization,
-          maxSize2Move);
-      put(storageType, g);
-      return g;
-    }
-
-    Source addSource(StorageType storageType, double utilization,
-        long maxSize2Move, Balancer balancer) {
-      final Source s = balancer.new Source(storageType, utilization,
-          maxSize2Move, this);
-      put(storageType, s);
-      return s;
-    }
-
-    synchronized private void activateDelay(long delta) {
-      delayUntil = Time.now() + delta;
-    }
-
-    synchronized private boolean isDelayActive() {
-      if (delayUntil == 0 || Time.now() > delayUntil){
-        delayUntil = 0;
-        return false;
-      }
-        return true;
-    }
-    
-    /* Check if the node can schedule more blocks to move */
-    synchronized private boolean isPendingQNotFull() {
-      if ( pendingBlocks.size() < this.maxConcurrentMoves ) {
-        return true;
-      }
-      return false;
-    }
-    
-    /* Check if all the dispatched moves are done */
-    synchronized private boolean isPendingQEmpty() {
-      return pendingBlocks.isEmpty();
-    }
-    
-    /* Add a scheduled block move to the node */
-    private synchronized boolean addPendingBlock(
-        PendingBlockMove pendingBlock) {
-      if (!isDelayActive() && isPendingQNotFull()) {
-        return pendingBlocks.add(pendingBlock);
-      }
-      return false;
-    }
-    
-    /* Remove a scheduled block move from the node */
-    private synchronized boolean  removePendingBlock(
-        PendingBlockMove pendingBlock) {
-      return pendingBlocks.remove(pendingBlock);
-    }
-  }
-
-  /** A node that can be the sources of a block move */
-  private class Source extends BalancerDatanode.StorageGroup {
-    
-    /* A thread that initiates a block move 
-     * and waits for block move to complete */
-    private class BlockMoveDispatcher implements Runnable {
-      @Override
-      public void run() {
-        dispatchBlocks();
-      }
-    }
-    
-    private final List<Task> tasks = new ArrayList<Task>(2);
-    private long blocksToReceive = 0L;
-    /* source blocks point to balancerBlocks in the global list because
-     * we want to keep one copy of a block in balancer and be aware that
-     * the locations are changing over time.
-     */
-    private final List<BalancerBlock> srcBlockList
-            = new ArrayList<BalancerBlock>();
-    
-    /* constructor */
-    private Source(StorageType storageType, double utilization,
-        long maxSize2Move, BalancerDatanode dn) {
-      dn.super(storageType, utilization, maxSize2Move);
-    }
-    
-    /** Add a task */
-    private void addTask(Task task) {
-      Preconditions.checkState(task.target != this,
-          "Source and target are the same storage group " + getDisplayName());
-      incScheduledSize(task.size);
-      tasks.add(task);
-    }
-    
-    /* Return an iterator to this source's blocks */
-    private Iterator<BalancerBlock> getBlockIterator() {
-      return srcBlockList.iterator();
-    }
-    
-    /* fetch new blocks of this source from namenode and
-     * update this source's block list & the global block list
-     * Return the total size of the received blocks in the number of bytes.
-     */
-    private long getBlockList() throws IOException {
-      final long size = Math.min(MAX_BLOCKS_SIZE_TO_FETCH, blocksToReceive);
-      final BlockWithLocations[] newBlocks = nnc.getNamenode().getBlocks(
-          getDatanode(), size).getBlocks();
-
-      long bytesReceived = 0;
-      for (BlockWithLocations blk : newBlocks) {
-        bytesReceived += blk.getBlock().getNumBytes();
-        BalancerBlock block;
-        synchronized(globalBlockList) {
-          block = globalBlockList.get(blk.getBlock());
-          if (block==null) {
-            block = new BalancerBlock(blk.getBlock());
-            globalBlockList.put(blk.getBlock(), block);
-          } else {
-            block.clearLocations();
-          }
-        
-          synchronized (block) {
-            // update locations
-            final String[] datanodeUuids = blk.getDatanodeUuids();
-            final StorageType[] storageTypes = blk.getStorageTypes();
-            for (int i = 0; i < datanodeUuids.length; i++) {
-              final BalancerDatanode.StorageGroup g = storageGroupMap.get(
-                  datanodeUuids[i], storageTypes[i]);
-              if (g != null) { // not unknown
-                block.addLocation(g);
-              }
-            }
-          }
-          if (!srcBlockList.contains(block) && isGoodBlockCandidate(block)) {
-            // filter bad candidates
-            srcBlockList.add(block);
-          }
-        }
-      }
-      return bytesReceived;
-    }
-
-    /* Decide if the given block is a good candidate to move or not */
-    private boolean isGoodBlockCandidate(BalancerBlock block) {
-      for (Task t : tasks) {
-        if (Balancer.this.isGoodBlockCandidate(this, t.target, block)) {
-          return true;
-        }
-      }
-      return false;
-    }
-
-    /* Return a block that's good for the source thread to dispatch immediately
-     * The block's source, target, and proxy source are determined too.
-     * When choosing proxy and target, source & target throttling
-     * has been considered. They are chosen only when they have the capacity
-     * to support this block move.
-     * The block should be dispatched immediately after this method is returned.
-     */
-    private PendingBlockMove chooseNextBlockToMove() {
-      for (Iterator<Task> i = tasks.iterator(); i.hasNext();) {
-        final Task task = i.next();
-        final BalancerDatanode target = task.target.getBalancerDatanode();
-        PendingBlockMove pendingBlock = new PendingBlockMove();
-        if (target.addPendingBlock(pendingBlock)) { 
-          // target is not busy, so do a tentative block allocation
-          pendingBlock.source = this;
-          pendingBlock.target = task.target;
-          if ( pendingBlock.chooseBlockAndProxy() ) {
-            long blockSize = pendingBlock.block.getNumBytes();
-            incScheduledSize(-blockSize);
-            task.size -= blockSize;
-            if (task.size == 0) {
-              i.remove();
-            }
-            return pendingBlock;
-          } else {
-            // cancel the tentative move
-            target.removePendingBlock(pendingBlock);
-          }
-        }
-      }
-      return null;
-    }
-
-    /* iterate all source's blocks to remove moved ones */    
-    private void filterMovedBlocks() {
-      for (Iterator<BalancerBlock> blocks=getBlockIterator();
-            blocks.hasNext();) {
-        if (movedBlocks.contains(blocks.next().getBlock())) {
-          blocks.remove();
-        }
-      }
-    }
-    
-    private static final int SOURCE_BLOCK_LIST_MIN_SIZE=5;
-    /* Return if should fetch more blocks from namenode */
-    private boolean shouldFetchMoreBlocks() {
-      return srcBlockList.size()<SOURCE_BLOCK_LIST_MIN_SIZE &&
-                 blocksToReceive>0;
-    }
-    
-    /* This method iteratively does the following:
-     * it first selects a block to move,
-     * then sends a request to the proxy source to start the block move
-     * when the source's block list falls below a threshold, it asks
-     * the namenode for more blocks.
-     * It terminates when it has dispatch enough block move tasks or
-     * it has received enough blocks from the namenode, or 
-     * the elapsed time of the iteration has exceeded the max time limit.
-     */ 
-    private static final long MAX_ITERATION_TIME = 20*60*1000L; //20 mins
-    private void dispatchBlocks() {
-      long startTime = Time.now();
-      long scheduledSize = getScheduledSize();
-      this.blocksToReceive = 2*scheduledSize;
-      boolean isTimeUp = false;
-      int noPendingBlockIteration = 0;
-      while(!isTimeUp && getScheduledSize()>0 &&
-          (!srcBlockList.isEmpty() || blocksToReceive>0)) {
-        PendingBlockMove pendingBlock = chooseNextBlockToMove();
-        if (pendingBlock != null) {
-          // move the block
-          pendingBlock.scheduleBlockMove();
-          continue;
-        }
-        
-        /* Since we can not schedule any block to move,
-         * filter any moved blocks from the source block list and
-         * check if we should fetch more blocks from the namenode
-         */
-        filterMovedBlocks(); // filter already moved blocks
-        if (shouldFetchMoreBlocks()) {
-          // fetch new blocks
-          try {
-            blocksToReceive -= getBlockList();
-            continue;
-          } catch (IOException e) {
-            LOG.warn("Exception while getting block list", e);
-            return;
-          }
-        } else {
-          // source node cannot find a pendingBlockToMove, iteration +1
-          noPendingBlockIteration++;
-          // in case no blocks can be moved for source node's task,
-          // jump out of while-loop after 5 iterations.
-          if (noPendingBlockIteration >= MAX_NO_PENDING_BLOCK_ITERATIONS) {
-            resetScheduledSize();
-          }
-        }
-        
-        // check if time is up or not
-        if (Time.now()-startTime > MAX_ITERATION_TIME) {
-          isTimeUp = true;
-          continue;
-        }
-        
-        /* Now we can not schedule any block to move and there are
-         * no new blocks added to the source block list, so we wait. 
-         */
-        try {
-          synchronized(Balancer.this) {
-            Balancer.this.wait(1000);  // wait for targets/sources to be idle
-          }
-        } catch (InterruptedException ignored) {
-        }
-      }
-    }
-  }
 
   /* Check that this Balancer is compatible with the Block Placement Policy
    * used by the Namenode.
@@ -887,38 +209,12 @@ private static void checkReplicationPolicyCompatibility(Configuration conf
    * when connection fails.
    */
   Balancer(NameNodeConnector theblockpool, Parameters p, Configuration conf) {
+    this.dispatcher = new Dispatcher(theblockpool, p.nodesToBeIncluded,
+        p.nodesToBeExcluded, conf);
     this.threshold = p.threshold;
     this.policy = p.policy;
-    this.nodesToBeExcluded = p.nodesToBeExcluded;
-    this.nodesToBeIncluded = p.nodesToBeIncluded;
-    this.nnc = theblockpool;
-    this.keyManager = nnc.getKeyManager();
-    
-    final long movedWinWidth = conf.getLong(
-        DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_KEY, 
-        DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_DEFAULT);
-    movedBlocks = new MovedBlocks<BalancerDatanode.StorageGroup>(movedWinWidth);
-
-    cluster = NetworkTopology.getInstance(conf);
-
-    this.moverExecutor = Executors.newFixedThreadPool(
-            conf.getInt(DFSConfigKeys.DFS_BALANCER_MOVERTHREADS_KEY,
-                        DFSConfigKeys.DFS_BALANCER_MOVERTHREADS_DEFAULT));
-    this.dispatcherExecutor = Executors.newFixedThreadPool(
-            conf.getInt(DFSConfigKeys.DFS_BALANCER_DISPATCHERTHREADS_KEY,
-                        DFSConfigKeys.DFS_BALANCER_DISPATCHERTHREADS_DEFAULT));
-    this.maxConcurrentMovesPerNode =
-        conf.getInt(DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_KEY,
-        DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_DEFAULT);
-    this.saslClient = new SaslDataTransferClient(
-      DataTransferSaslUtil.getSaslPropertiesResolver(conf),
-      TrustedChannelResolver.getInstance(conf),
-      conf.getBoolean(
-        IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY,
-        IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT));
   }
   
-  
   private static long getCapacity(DatanodeStorageReport report, StorageType t) {
     long capacity = 0L;
     for(StorageReport r : report.getStorageReports()) {
@@ -939,26 +235,6 @@ private static long getRemaining(DatanodeStorageReport report, StorageType t) {
     return remaining;
   }
 
-  private boolean shouldIgnore(DatanodeInfo dn) {
-    //ignore decommissioned nodes
-    final boolean decommissioned = dn.isDecommissioned();
-    //ignore decommissioning nodes
-    final boolean decommissioning = dn.isDecommissionInProgress();
-    // ignore nodes in exclude list
-    final boolean excluded = Util.shouldBeExcluded(nodesToBeExcluded, dn);
-    // ignore nodes not in the include list (if include list is not empty)
-    final boolean notIncluded = !Util.shouldBeIncluded(nodesToBeIncluded, dn);
-    
-    if (decommissioned || decommissioning || excluded || notIncluded) {
-      if (LOG.isTraceEnabled()) {
-        LOG.trace("Excluding datanode " + dn + ": " + decommissioned + ", "
-            + decommissioning + ", " + excluded + ", " + notIncluded);
-      }
-      return true;
-    }
-    return false;
-  }
-
   /**
    * Given a datanode storage set, build a network topology and decide
    * over-utilized storages, above average utilized storages, 
@@ -966,16 +242,11 @@ private boolean shouldIgnore(DatanodeInfo dn) {
    * The input datanode storage set is shuffled in order to randomize
    * to the storage matching later on.
    *
-   * @return the total number of bytes that are 
-   *                needed to move to make the cluster balanced.
-   * @param reports a set of datanode storage reports
+   * @return the number of bytes needed to move in order to balance the cluster.
    */
-  private long init(DatanodeStorageReport[] reports) {
+  private long init(List<DatanodeStorageReport> reports) {
     // compute average utilization
     for (DatanodeStorageReport r : reports) {
-      if (shouldIgnore(r.getDatanodeInfo())) {
-        continue; 
-      }
       policy.accumulateSpaces(r);
     }
     policy.initAvgUtilization();
@@ -983,15 +254,8 @@ private long init(DatanodeStorageReport[] reports) {
     // create network topology and classify utilization collections: 
     //   over-utilized, above-average, below-average and under-utilized.
     long overLoadedBytes = 0L, underLoadedBytes = 0L;
-    for(DatanodeStorageReport r : DFSUtil.shuffle(reports)) {
-      final DatanodeInfo datanode = r.getDatanodeInfo();
-      if (shouldIgnore(datanode)) {
-        continue; // ignore decommissioning or decommissioned nodes
-      }
-      cluster.add(datanode);
-
-      final BalancerDatanode dn = new BalancerDatanode(r, underLoadedBytes,
-          maxConcurrentMovesPerNode);
+    for(DatanodeStorageReport r : reports) {
+      final BalancerDatanode dn = dispatcher.newDatanode(r);
       for(StorageType t : StorageType.asList()) {
         final Double utilization = policy.getUtilization(r, t);
         if (utilization == null) { // datanode does not have such storage type 
@@ -1006,7 +270,7 @@ private long init(DatanodeStorageReport[] reports) {
 
         final BalancerDatanode.StorageGroup g;
         if (utilizationDiff > 0) {
-          final Source s = dn.addSource(t, utilization, maxSize2Move, this);
+          final Source s = dn.addSource(t, utilization, maxSize2Move, dispatcher);
           if (thresholdDiff <= 0) { // within threshold
             aboveAvgUtilized.add(s);
           } else {
@@ -1023,14 +287,15 @@ private long init(DatanodeStorageReport[] reports) {
             underUtilized.add(g);
           }
         }
-        storageGroupMap.put(g);
+        dispatcher.getStorageGroupMap().put(g);
       }
     }
 
     logUtilizationCollections();
     
-    Preconditions.checkState(storageGroupMap.size() == overUtilized.size()
-        + underUtilized.size() + aboveAvgUtilized.size() + belowAvgUtilized.size(),
+    Preconditions.checkState(dispatcher.getStorageGroupMap().size()
+        == overUtilized.size() + underUtilized.size() + aboveAvgUtilized.size()
+           + belowAvgUtilized.size(),
         "Mismatched number of storage groups");
     
     // return number of bytes to be moved in order to make the cluster balanced
@@ -1077,7 +342,7 @@ void logUtilizationCollection(String name, Collection<T> items) {
    */
   private long chooseStorageGroups() {
     // First, match nodes on the same node group if cluster is node group aware
-    if (cluster.isNodeGroupAware()) {
+    if (dispatcher.getCluster().isNodeGroupAware()) {
       chooseStorageGroups(Matcher.SAME_NODE_GROUP);
     }
     
@@ -1086,15 +351,7 @@ private long chooseStorageGroups() {
     // At last, match all remaining nodes
     chooseStorageGroups(Matcher.ANY_OTHER);
     
-    Preconditions.checkState(storageGroupMap.size() >= sources.size() + targets.size(),
-        "Mismatched number of datanodes (" + storageGroupMap.size() + " < "
-            + sources.size() + " sources, " + targets.size() + " targets)");
-
-    long bytesToMove = 0L;
-    for (Source src : sources) {
-      bytesToMove += src.getScheduledSize();
-    }
-    return bytesToMove;
+    return dispatcher.bytesToMove();
   }
 
   /** Decide all <source, target> pairs according to the matcher. */
@@ -1166,9 +423,8 @@ private void matchSourceWithTargetToMove(Source source,
     long size = Math.min(source.availableSizeToMove(), target.availableSizeToMove());
     final Task task = new Task(target, size);
     source.addTask(task);
-    target.incScheduledSize(task.size);
-    sources.add(source);
-    targets.add(target);
+    target.incScheduledSize(task.getSize());
+    dispatcher.add(source, target);
     LOG.info("Decided to move "+StringUtils.byteDesc(size)+" bytes from "
         + source.getDisplayName() + " to " + target.getDisplayName());
   }
@@ -1182,7 +438,8 @@ C chooseCandidate(G g, Iterator<C> candidates, Matcher matcher) {
         final C c = candidates.next();
         if (!c.hasSpaceForScheduling()) {
           candidates.remove();
-        } else if (matcher.match(cluster, g.getDatanode(), c.getDatanode())) {
+        } else if (matcher.match(dispatcher.getCluster(),
+            g.getDatanode(), c.getDatanode())) {
           return c;
         }
       }
@@ -1190,172 +447,16 @@ C chooseCandidate(G g, Iterator<C> candidates, Matcher matcher) {
     return null;
   }
 
-  private final AtomicLong bytesMoved = new AtomicLong();
-  
-  /* Start a thread to dispatch block moves for each source. 
-   * The thread selects blocks to move & sends request to proxy source to
-   * initiate block move. The process is flow controlled. Block selection is
-   * blocked if there are too many un-confirmed block moves.
-   * Return the total number of bytes successfully moved in this iteration.
-   */
-  private long dispatchBlockMoves() throws InterruptedException {
-    long bytesLastMoved = bytesMoved.get();
-    Future<?>[] futures = new Future<?>[sources.size()];
-    int i=0;
-    for (Source source : sources) {
-      futures[i++] = dispatcherExecutor.submit(source.new BlockMoveDispatcher());
-    }
-    
-    // wait for all dispatcher threads to finish
-    for (Future<?> future : futures) {
-      try {
-        future.get();
-      } catch (ExecutionException e) {
-        LOG.warn("Dispatcher thread failed", e.getCause());
-      }
-    }
-    
-    // wait for all block moving to be done
-    waitForMoveCompletion();
-    
-    return bytesMoved.get()-bytesLastMoved;
-  }
-  
-  // The sleeping period before checking if block move is completed again
-  static private long blockMoveWaitTime = 30000L;
-  
-  /** set the sleeping period for block move completion check */
-  static void setBlockMoveWaitTime(long time) {
-    blockMoveWaitTime = time;
-  }
-  
-  /* wait for all block move confirmations 
-   * by checking each target's pendingMove queue 
-   */
-  private void waitForMoveCompletion() {
-    boolean shouldWait;
-    do {
-      shouldWait = false;
-      for (BalancerDatanode.StorageGroup target : targets) {
-        if (!target.getBalancerDatanode().isPendingQEmpty()) {
-          shouldWait = true;
-          break;
-        }
-      }
-      if (shouldWait) {
-        try {
-          Thread.sleep(blockMoveWaitTime);
-        } catch (InterruptedException ignored) {
-        }
-      }
-    } while (shouldWait);
-  }
-
-  /* Decide if it is OK to move the given block from source to target
-   * A block is a good candidate if
-   * 1. the block is not in the process of being moved/has not been moved;
-   * 2. the block does not have a replica on the target;
-   * 3. doing the move does not reduce the number of racks that the block has
-   */
-  private boolean isGoodBlockCandidate(Source source, 
-      BalancerDatanode.StorageGroup target, BalancerBlock block) {
-    if (source.storageType != target.storageType) {
-      return false;
-    }
-    // check if the block is moved or not
-    if (movedBlocks.contains(block.getBlock())) {
-      return false;
-    }
-    if (block.isLocatedOn(target)) {
-      return false;
-    }
-    if (cluster.isNodeGroupAware() && 
-        isOnSameNodeGroupWithReplicas(target, block, source)) {
-      return false;
-    }
-
-    boolean goodBlock = false;
-    if (cluster.isOnSameRack(source.getDatanode(), target.getDatanode())) {
-      // good if source and target are on the same rack
-      goodBlock = true;
-    } else {
-      boolean notOnSameRack = true;
-      synchronized (block) {
-        for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
-          if (cluster.isOnSameRack(loc.getDatanode(), target.getDatanode())) {
-            notOnSameRack = false;
-            break;
-          }
-        }
-      }
-      if (notOnSameRack) {
-        // good if target is target is not on the same rack as any replica
-        goodBlock = true;
-      } else {
-        // good if source is on the same rack as on of the replicas
-        for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
-          if (loc != source && 
-              cluster.isOnSameRack(loc.getDatanode(), source.getDatanode())) {
-            goodBlock = true;
-            break;
-          }
-        }
-      }
-    }
-    return goodBlock;
-  }
-
-  /**
-   * Check if there are any replica (other than source) on the same node group
-   * with target. If true, then target is not a good candidate for placing 
-   * specific block replica as we don't want 2 replicas under the same nodegroup 
-   * after balance.
-   * @param target targetDataNode
-   * @param block dataBlock
-   * @param source sourceDataNode
-   * @return true if there are any replica (other than source) on the same node
-   * group with target
-   */
-  private boolean isOnSameNodeGroupWithReplicas(BalancerDatanode.StorageGroup target,
-      BalancerBlock block, Source source) {
-    final DatanodeInfo targetDn = target.getDatanode();
-    for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
-      if (loc != source && 
-          cluster.isOnSameNodeGroup(loc.getDatanode(), targetDn)) {
-        return true;
-      }
-    }
-    return false;
-  }
-
   /* reset all fields in a balancer preparing for the next iteration */
   private void resetData(Configuration conf) {
-    this.cluster = NetworkTopology.getInstance(conf);
     this.overUtilized.clear();
     this.aboveAvgUtilized.clear();
     this.belowAvgUtilized.clear();
     this.underUtilized.clear();
-    this.storageGroupMap.clear();
-    this.sources.clear();
-    this.targets.clear();  
     this.policy.reset();
-    cleanGlobalBlockList();
-    this.movedBlocks.cleanup();
+    dispatcher.reset(conf);;
   }
   
-  /* Remove all blocks from the global block list except for the ones in the
-   * moved list.
-   */
-  private void cleanGlobalBlockList() {
-    for (Iterator<Block> globalBlockListIterator=globalBlockList.keySet().iterator();
-    globalBlockListIterator.hasNext();) {
-      Block block = globalBlockListIterator.next();
-      if(!movedBlocks.contains(block)) {
-        globalBlockListIterator.remove();
-      }
-    }
-  }
-
   // Exit status
   enum ReturnStatus {
     // These int values will map directly to the balancer process's exit code.
@@ -1379,11 +480,8 @@ enum ReturnStatus {
   private ReturnStatus run(int iteration, Formatter formatter,
       Configuration conf) {
     try {
-      /* get all live datanodes of a cluster and their disk usage
-       * decide the number of bytes need to be moved
-       */
-      final long bytesLeftToMove = init(
-          nnc.getClient().getDatanodeStorageReport(DatanodeReportType.LIVE));
+      final List<DatanodeStorageReport> reports = dispatcher.init();
+      final long bytesLeftToMove = init(reports);
       if (bytesLeftToMove == 0) {
         System.out.println("The cluster is balanced. Exiting...");
         return ReturnStatus.SUCCESS;
@@ -1409,7 +507,7 @@ private ReturnStatus run(int iteration, Formatter formatter,
       formatter.format("%-24s %10d  %19s  %18s  %17s%n",
           DateFormat.getDateTimeInstance().format(new Date()),
           iteration,
-          StringUtils.byteDesc(bytesMoved.get()),
+          StringUtils.byteDesc(dispatcher.getBytesMoved()),
           StringUtils.byteDesc(bytesLeftToMove),
           StringUtils.byteDesc(bytesToMove)
           );
@@ -1420,7 +518,7 @@ private ReturnStatus run(int iteration, Formatter formatter,
        * available to move.
        * Exit no byte has been moved for 5 consecutive iterations.
        */
-      if (!this.nnc.shouldContinue(dispatchBlockMoves())) {
+      if (!dispatcher.dispatchAndCheckContinue()) {
         return ReturnStatus.NO_MOVE_PROGRESS;
       }
 
@@ -1435,9 +533,7 @@ private ReturnStatus run(int iteration, Formatter formatter,
       System.out.println(e + ".  Exiting ...");
       return ReturnStatus.INTERRUPTED;
     } finally {
-      // shutdown thread pools
-      dispatcherExecutor.shutdownNow();
-      moverExecutor.shutdownNow();
+      dispatcher.shutdownNow();
     }
   }
 
@@ -1546,76 +642,6 @@ public String toString() {
     }
   }
 
-  static class Util {
-
-    /**
-     * @param datanode
-     * @return returns true if data node is part of the excludedNodes.
-     */
-    static boolean shouldBeExcluded(Set<String> excludedNodes, DatanodeInfo datanode) {
-      return isIn(excludedNodes, datanode);
-    }
-
-    /**
-     * @param datanode
-     * @return returns true if includedNodes is empty or data node is part of the includedNodes.
-     */
-    static boolean shouldBeIncluded(Set<String> includedNodes, DatanodeInfo datanode) {
-      return (includedNodes.isEmpty() ||
-          isIn(includedNodes, datanode));
-    }
-    /**
-     * Match is checked using host name , ip address with and without port number.
-     * @param datanodeSet
-     * @param datanode
-     * @return true if the datanode's transfer address matches the set of nodes.
-     */
-    private static boolean isIn(Set<String> datanodeSet, DatanodeInfo datanode) {
-      return isIn(datanodeSet, datanode.getPeerHostName(), datanode.getXferPort()) ||
-          isIn(datanodeSet, datanode.getIpAddr(), datanode.getXferPort()) ||
-          isIn(datanodeSet, datanode.getHostName(), datanode.getXferPort());
-    }
-
-    /**
-     * returns true if nodes contains host or host:port
-     * @param nodes
-     * @param host
-     * @param port
-     * @return
-     */
-    private static boolean isIn(Set<String> nodes, String host, int port) {
-      if (host == null) {
-        return false;
-      }
-      return (nodes.contains(host) || nodes.contains(host +":"+ port));
-    }
-
-    /**
-     * parse a comma separated string to obtain set of host names
-     * @param string
-     * @return
-     */
-    static Set<String> parseHostList(String string) {
-      String[] addrs = StringUtils.getTrimmedStrings(string);
-      return new HashSet<String>(Arrays.asList(addrs));
-    }
-
-    /**
-     * read set of host names from a file
-     * @param fileName
-     * @return
-     */
-    static Set<String> getHostListFromFile(String fileName) {
-      Set<String> nodes = new HashSet <String> ();
-      try {
-        HostsFileReader.readFileToSet("nodes", fileName, nodes);
-        return StringUtils.getTrimmedStrings(nodes);
-      } catch (IOException e) {
-        throw new IllegalArgumentException("Unable to open file: " + fileName);
-      }
-    }
-  }
-
   static class Cli extends Configured implements Tool {
     /**
      * Parse arguments and then run Balancer.
@@ -1688,7 +714,7 @@ static Parameters parse(String[] args) {
                 checkArgument(++i < args.length,
                     "File containing nodes to exclude is not specified: args = "
                     + Arrays.toString(args));
-                nodesTobeExcluded = Util.getHostListFromFile(args[i]);
+                nodesTobeExcluded = Util.getHostListFromFile(args[i], "exclude");
               } else {
                 nodesTobeExcluded = Util.parseHostList(args[i]);
               }
@@ -1700,7 +726,7 @@ static Parameters parse(String[] args) {
                 checkArgument(++i < args.length,
                     "File containing nodes to include is not specified: args = "
                     + Arrays.toString(args));
-                nodesTobeIncluded = Util.getHostListFromFile(args[i]);
+                nodesTobeIncluded = Util.getHostListFromFile(args[i], "include");
                } else {
                 nodesTobeIncluded = Util.parseHostList(args[i]);
               }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
new file mode 100644
index 00000000000..e8236bbe1c0
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
@@ -0,0 +1,1060 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.server.balancer;
+
+import static org.apache.hadoop.hdfs.protocolPB.PBHelper.vintPrefixed;
+
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.EnumMap;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.atomic.AtomicLong;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.DFSUtil;
+import org.apache.hadoop.hdfs.StorageType;
+import org.apache.hadoop.hdfs.protocol.Block;
+import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
+import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
+import org.apache.hadoop.hdfs.protocol.HdfsConstants;
+import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
+import org.apache.hadoop.hdfs.protocol.datatransfer.Sender;
+import org.apache.hadoop.hdfs.protocol.datatransfer.TrustedChannelResolver;
+import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataTransferSaslUtil;
+import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient;
+import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.BlockOpResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.Status;
+import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
+import org.apache.hadoop.hdfs.server.common.HdfsServerConstants;
+import org.apache.hadoop.hdfs.server.protocol.BlocksWithLocations;
+import org.apache.hadoop.hdfs.server.protocol.BlocksWithLocations.BlockWithLocations;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
+import org.apache.hadoop.io.IOUtils;
+import org.apache.hadoop.net.NetUtils;
+import org.apache.hadoop.net.NetworkTopology;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.util.HostsFileReader;
+import org.apache.hadoop.util.StringUtils;
+import org.apache.hadoop.util.Time;
+
+import com.google.common.base.Preconditions;
+
+/** Dispatching block replica moves between datanodes. */
+@InterfaceAudience.Private
+public class Dispatcher {
+  static final Log LOG = LogFactory.getLog(Dispatcher.class);
+
+  private static final long GB = 1L << 30; // 1GB
+  private static final long MAX_BLOCKS_SIZE_TO_FETCH = 2 * GB;
+
+  private static final int MAX_NO_PENDING_MOVE_ITERATIONS = 5;
+  private static final long DELAY_AFTER_ERROR = 10 * 1000L; // 10 seconds
+  private static final int BLOCK_MOVE_READ_TIMEOUT = 20 * 60 * 1000; // 20
+                                                                     // minutes
+
+  private final NameNodeConnector nnc;
+  private final KeyManager keyManager;
+  private final SaslDataTransferClient saslClient;
+
+  /** Set of datanodes to be excluded. */
+  private final Set<String> excludedNodes;
+  /** Restrict to the following nodes. */
+  private final Set<String> includedNodes;
+
+  private final Collection<Source> sources = new HashSet<Source>();
+  private final Collection<BalancerDatanode.StorageGroup> targets
+      = new HashSet<BalancerDatanode.StorageGroup>();
+
+  private final GlobalBlockMap globalBlocks = new GlobalBlockMap();
+  private final MovedBlocks<BalancerDatanode.StorageGroup> movedBlocks;
+
+  /** Map (datanodeUuid,storageType -> StorageGroup) */
+  private final StorageGroupMap storageGroupMap = new StorageGroupMap();
+
+  private NetworkTopology cluster;
+
+  private final ExecutorService moveExecutor;
+  private final ExecutorService dispatchExecutor;
+  /** The maximum number of concurrent blocks moves at a datanode */
+  private final int maxConcurrentMovesPerNode;
+
+  private final AtomicLong bytesMoved = new AtomicLong();
+
+  private static class GlobalBlockMap {
+    private final Map<Block, DBlock> map = new HashMap<Block, DBlock>();
+
+    /**
+     * Get the block from the map;
+     * if the block is not found, create a new block and put it in the map.
+     */
+    private DBlock get(Block b) {
+      DBlock block = map.get(b);
+      if (block == null) {
+        block = new DBlock(b);
+        map.put(b, block);
+      }
+      return block;
+    }
+    
+    /** Remove all blocks except for the moved blocks. */
+    private void removeAllButRetain(
+        MovedBlocks<BalancerDatanode.StorageGroup> movedBlocks) {
+      for (Iterator<Block> i = map.keySet().iterator(); i.hasNext();) {
+        if (!movedBlocks.contains(i.next())) {
+          i.remove();
+        }
+      }
+    }
+  }
+
+  static class StorageGroupMap {
+    private static String toKey(String datanodeUuid, StorageType storageType) {
+      return datanodeUuid + ":" + storageType;
+    }
+
+    private final Map<String, BalancerDatanode.StorageGroup> map
+        = new HashMap<String, BalancerDatanode.StorageGroup>();
+
+    BalancerDatanode.StorageGroup get(String datanodeUuid,
+        StorageType storageType) {
+      return map.get(toKey(datanodeUuid, storageType));
+    }
+
+    void put(BalancerDatanode.StorageGroup g) {
+      final String key = toKey(g.getDatanode().getDatanodeUuid(), g.storageType);
+      final BalancerDatanode.StorageGroup existing = map.put(key, g);
+      Preconditions.checkState(existing == null);
+    }
+
+    int size() {
+      return map.size();
+    }
+
+    void clear() {
+      map.clear();
+    }
+  }
+
+  /** This class keeps track of a scheduled block move */
+  private class PendingMove {
+    private DBlock block;
+    private Source source;
+    private BalancerDatanode proxySource;
+    private BalancerDatanode.StorageGroup target;
+
+    private PendingMove() {
+    }
+
+    @Override
+    public String toString() {
+      final Block b = block.getBlock();
+      return b + " with size=" + b.getNumBytes() + " from "
+          + source.getDisplayName() + " to " + target.getDisplayName()
+          + " through " + proxySource.datanode;
+    }
+
+    /**
+     * Choose a block & a proxy source for this pendingMove whose source &
+     * target have already been chosen.
+     * 
+     * @return true if a block and its proxy are chosen; false otherwise
+     */
+    private boolean chooseBlockAndProxy() {
+      // iterate all source's blocks until find a good one
+      for (Iterator<DBlock> i = source.getBlockIterator(); i.hasNext();) {
+        if (markMovedIfGoodBlock(i.next())) {
+          i.remove();
+          return true;
+        }
+      }
+      return false;
+    }
+
+    /**
+     * @return true if the given block is good for the tentative move.
+     */
+    private boolean markMovedIfGoodBlock(DBlock block) {
+      synchronized (block) {
+        synchronized (movedBlocks) {
+          if (isGoodBlockCandidate(source, target, block)) {
+            this.block = block;
+            if (chooseProxySource()) {
+              movedBlocks.put(block);
+              if (LOG.isDebugEnabled()) {
+                LOG.debug("Decided to move " + this);
+              }
+              return true;
+            }
+          }
+        }
+      }
+      return false;
+    }
+
+    /**
+     * Choose a proxy source.
+     * 
+     * @return true if a proxy is found; otherwise false
+     */
+    private boolean chooseProxySource() {
+      final DatanodeInfo targetDN = target.getDatanode();
+      // if node group is supported, first try add nodes in the same node group
+      if (cluster.isNodeGroupAware()) {
+        for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
+          if (cluster.isOnSameNodeGroup(loc.getDatanode(), targetDN)
+              && addTo(loc)) {
+            return true;
+          }
+        }
+      }
+      // check if there is replica which is on the same rack with the target
+      for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
+        if (cluster.isOnSameRack(loc.getDatanode(), targetDN) && addTo(loc)) {
+          return true;
+        }
+      }
+      // find out a non-busy replica
+      for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
+        if (addTo(loc)) {
+          return true;
+        }
+      }
+      return false;
+    }
+
+    /** add to a proxy source for specific block movement */
+    private boolean addTo(BalancerDatanode.StorageGroup g) {
+      final BalancerDatanode bdn = g.getBalancerDatanode();
+      if (bdn.addPendingBlock(this)) {
+        proxySource = bdn;
+        return true;
+      }
+      return false;
+    }
+
+    /** Dispatch the move to the proxy source & wait for the response. */
+    private void dispatch() {
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("Start moving " + this);
+      }
+
+      Socket sock = new Socket();
+      DataOutputStream out = null;
+      DataInputStream in = null;
+      try {
+        sock.connect(
+            NetUtils.createSocketAddr(target.getDatanode().getXferAddr()),
+            HdfsServerConstants.READ_TIMEOUT);
+        /*
+         * Unfortunately we don't have a good way to know if the Datanode is
+         * taking a really long time to move a block, OR something has gone
+         * wrong and it's never going to finish. To deal with this scenario, we
+         * set a long timeout (20 minutes) to avoid hanging the balancer
+         * indefinitely.
+         */
+        sock.setSoTimeout(BLOCK_MOVE_READ_TIMEOUT);
+
+        sock.setKeepAlive(true);
+
+        OutputStream unbufOut = sock.getOutputStream();
+        InputStream unbufIn = sock.getInputStream();
+        ExtendedBlock eb = new ExtendedBlock(nnc.getBlockpoolID(),
+            block.getBlock());
+        Token<BlockTokenIdentifier> accessToken = keyManager.getAccessToken(eb);
+        IOStreamPair saslStreams = saslClient.socketSend(sock, unbufOut,
+            unbufIn, keyManager, accessToken, target.getDatanode());
+        unbufOut = saslStreams.out;
+        unbufIn = saslStreams.in;
+        out = new DataOutputStream(new BufferedOutputStream(unbufOut,
+            HdfsConstants.IO_FILE_BUFFER_SIZE));
+        in = new DataInputStream(new BufferedInputStream(unbufIn,
+            HdfsConstants.IO_FILE_BUFFER_SIZE));
+
+        sendRequest(out, eb, accessToken);
+        receiveResponse(in);
+        bytesMoved.addAndGet(block.getNumBytes());
+        LOG.info("Successfully moved " + this);
+      } catch (IOException e) {
+        LOG.warn("Failed to move " + this + ": " + e.getMessage());
+        /*
+         * proxy or target may have an issue, insert a small delay before using
+         * these nodes further. This avoids a potential storm of
+         * "threads quota exceeded" Warnings when the balancer gets out of sync
+         * with work going on in datanode.
+         */
+        proxySource.activateDelay(DELAY_AFTER_ERROR);
+        target.getBalancerDatanode().activateDelay(DELAY_AFTER_ERROR);
+      } finally {
+        IOUtils.closeStream(out);
+        IOUtils.closeStream(in);
+        IOUtils.closeSocket(sock);
+
+        proxySource.removePendingBlock(this);
+        target.getBalancerDatanode().removePendingBlock(this);
+
+        synchronized (this) {
+          reset();
+        }
+        synchronized (Dispatcher.this) {
+          Dispatcher.this.notifyAll();
+        }
+      }
+    }
+
+    /** Send a block replace request to the output stream */
+    private void sendRequest(DataOutputStream out, ExtendedBlock eb,
+        Token<BlockTokenIdentifier> accessToken) throws IOException {
+      new Sender(out).replaceBlock(eb, target.storageType, accessToken, source
+          .getDatanode().getDatanodeUuid(), proxySource.datanode);
+    }
+
+    /** Receive a block copy response from the input stream */
+    private void receiveResponse(DataInputStream in) throws IOException {
+      BlockOpResponseProto response = BlockOpResponseProto
+          .parseFrom(vintPrefixed(in));
+      if (response.getStatus() != Status.SUCCESS) {
+        if (response.getStatus() == Status.ERROR_ACCESS_TOKEN) {
+          throw new IOException("block move failed due to access token error");
+        }
+        throw new IOException("block move is failed: " + response.getMessage());
+      }
+    }
+
+    /** reset the object */
+    private void reset() {
+      block = null;
+      source = null;
+      proxySource = null;
+      target = null;
+    }
+  }
+
+  /** A class for keeping track of block locations in the dispatcher. */
+  private static class DBlock extends
+      MovedBlocks.Locations<BalancerDatanode.StorageGroup> {
+    DBlock(Block block) {
+      super(block);
+    }
+  }
+
+  /** The class represents a desired move. */
+  static class Task {
+    private final BalancerDatanode.StorageGroup target;
+    private long size; // bytes scheduled to move
+
+    Task(BalancerDatanode.StorageGroup target, long size) {
+      this.target = target;
+      this.size = size;
+    }
+
+    long getSize() {
+      return size;
+    }
+  }
+
+  /** A class that keeps track of a datanode. */
+  static class BalancerDatanode {
+
+    /** A group of storages in a datanode with the same storage type. */
+    class StorageGroup {
+      final StorageType storageType;
+      final double utilization;
+      final long maxSize2Move;
+      private long scheduledSize = 0L;
+
+      private StorageGroup(StorageType storageType, double utilization,
+          long maxSize2Move) {
+        this.storageType = storageType;
+        this.utilization = utilization;
+        this.maxSize2Move = maxSize2Move;
+      }
+
+      BalancerDatanode getBalancerDatanode() {
+        return BalancerDatanode.this;
+      }
+
+      DatanodeInfo getDatanode() {
+        return BalancerDatanode.this.datanode;
+      }
+
+      /** Decide if still need to move more bytes */
+      synchronized boolean hasSpaceForScheduling() {
+        return availableSizeToMove() > 0L;
+      }
+
+      /** @return the total number of bytes that need to be moved */
+      synchronized long availableSizeToMove() {
+        return maxSize2Move - scheduledSize;
+      }
+
+      /** increment scheduled size */
+      synchronized void incScheduledSize(long size) {
+        scheduledSize += size;
+      }
+
+      /** @return scheduled size */
+      synchronized long getScheduledSize() {
+        return scheduledSize;
+      }
+
+      /** Reset scheduled size to zero. */
+      synchronized void resetScheduledSize() {
+        scheduledSize = 0L;
+      }
+
+      /** @return the name for display */
+      String getDisplayName() {
+        return datanode + ":" + storageType;
+      }
+
+      @Override
+      public String toString() {
+        return "" + utilization;
+      }
+    }
+
+    final DatanodeInfo datanode;
+    final EnumMap<StorageType, StorageGroup> storageMap
+        = new EnumMap<StorageType, StorageGroup>(StorageType.class);
+    protected long delayUntil = 0L;
+    /** blocks being moved but not confirmed yet */
+    private final List<PendingMove> pendings;
+    private final int maxConcurrentMoves;
+
+    @Override
+    public String toString() {
+      return getClass().getSimpleName() + ":" + datanode + ":" + storageMap;
+    }
+
+    private BalancerDatanode(DatanodeStorageReport r, int maxConcurrentMoves) {
+      this.datanode = r.getDatanodeInfo();
+      this.maxConcurrentMoves = maxConcurrentMoves;
+      this.pendings = new ArrayList<PendingMove>(maxConcurrentMoves);
+    }
+
+    private void put(StorageType storageType, StorageGroup g) {
+      final StorageGroup existing = storageMap.put(storageType, g);
+      Preconditions.checkState(existing == null);
+    }
+
+    StorageGroup addStorageGroup(StorageType storageType, double utilization,
+        long maxSize2Move) {
+      final StorageGroup g = new StorageGroup(storageType, utilization,
+          maxSize2Move);
+      put(storageType, g);
+      return g;
+    }
+
+    Source addSource(StorageType storageType, double utilization,
+        long maxSize2Move, Dispatcher balancer) {
+      final Source s = balancer.new Source(storageType, utilization,
+          maxSize2Move, this);
+      put(storageType, s);
+      return s;
+    }
+
+    synchronized private void activateDelay(long delta) {
+      delayUntil = Time.monotonicNow() + delta;
+    }
+
+    synchronized private boolean isDelayActive() {
+      if (delayUntil == 0 || Time.monotonicNow() > delayUntil) {
+        delayUntil = 0;
+        return false;
+      }
+      return true;
+    }
+
+    /** Check if the node can schedule more blocks to move */
+    synchronized boolean isPendingQNotFull() {
+      return pendings.size() < maxConcurrentMoves;
+    }
+
+    /** Check if all the dispatched moves are done */
+    synchronized boolean isPendingQEmpty() {
+      return pendings.isEmpty();
+    }
+
+    /** Add a scheduled block move to the node */
+    synchronized boolean addPendingBlock(PendingMove pendingBlock) {
+      if (!isDelayActive() && isPendingQNotFull()) {
+        return pendings.add(pendingBlock);
+      }
+      return false;
+    }
+
+    /** Remove a scheduled block move from the node */
+    synchronized boolean removePendingBlock(PendingMove pendingBlock) {
+      return pendings.remove(pendingBlock);
+    }
+  }
+
+  /** A node that can be the sources of a block move */
+  class Source extends BalancerDatanode.StorageGroup {
+
+    private final List<Task> tasks = new ArrayList<Task>(2);
+    private long blocksToReceive = 0L;
+    /**
+     * Source blocks point to the objects in {@link Dispatcher#globalBlocks}
+     * because we want to keep one copy of a block and be aware that the
+     * locations are changing over time.
+     */
+    private final List<DBlock> srcBlocks = new ArrayList<DBlock>();
+
+    private Source(StorageType storageType, double utilization,
+        long maxSize2Move, BalancerDatanode dn) {
+      dn.super(storageType, utilization, maxSize2Move);
+    }
+
+    /** Add a task */
+    void addTask(Task task) {
+      Preconditions.checkState(task.target != this,
+          "Source and target are the same storage group " + getDisplayName());
+      incScheduledSize(task.size);
+      tasks.add(task);
+    }
+
+    /** @return an iterator to this source's blocks */
+    Iterator<DBlock> getBlockIterator() {
+      return srcBlocks.iterator();
+    }
+
+    /**
+     * Fetch new blocks of this source from namenode and update this source's
+     * block list & {@link Dispatcher#globalBlocks}.
+     * 
+     * @return the total size of the received blocks in the number of bytes.
+     */
+    private long getBlockList() throws IOException {
+      final long size = Math.min(MAX_BLOCKS_SIZE_TO_FETCH, blocksToReceive);
+      final BlocksWithLocations newBlocks = nnc.getBlocks(getDatanode(), size);
+
+      long bytesReceived = 0;
+      for (BlockWithLocations blk : newBlocks.getBlocks()) {
+        bytesReceived += blk.getBlock().getNumBytes();
+        synchronized (globalBlocks) {
+          final DBlock block = globalBlocks.get(blk.getBlock());
+          synchronized (block) {
+            block.clearLocations();
+
+            // update locations
+            final String[] datanodeUuids = blk.getDatanodeUuids();
+            final StorageType[] storageTypes = blk.getStorageTypes();
+            for (int i = 0; i < datanodeUuids.length; i++) {
+              final BalancerDatanode.StorageGroup g = storageGroupMap.get(
+                  datanodeUuids[i], storageTypes[i]);
+              if (g != null) { // not unknown
+                block.addLocation(g);
+              }
+            }
+          }
+          if (!srcBlocks.contains(block) && isGoodBlockCandidate(block)) {
+            // filter bad candidates
+            srcBlocks.add(block);
+          }
+        }
+      }
+      return bytesReceived;
+    }
+
+    /** Decide if the given block is a good candidate to move or not */
+    private boolean isGoodBlockCandidate(DBlock block) {
+      for (Task t : tasks) {
+        if (Dispatcher.this.isGoodBlockCandidate(this, t.target, block)) {
+          return true;
+        }
+      }
+      return false;
+    }
+
+    /**
+     * Choose a move for the source. The block's source, target, and proxy
+     * are determined too. When choosing proxy and target, source &
+     * target throttling has been considered. They are chosen only when they
+     * have the capacity to support this block move. The block should be
+     * dispatched immediately after this method is returned.
+     * 
+     * @return a move that's good for the source to dispatch immediately.
+     */
+    private PendingMove chooseNextMove() {
+      for (Iterator<Task> i = tasks.iterator(); i.hasNext();) {
+        final Task task = i.next();
+        final BalancerDatanode target = task.target.getBalancerDatanode();
+        PendingMove pendingBlock = new PendingMove();
+        if (target.addPendingBlock(pendingBlock)) {
+          // target is not busy, so do a tentative block allocation
+          pendingBlock.source = this;
+          pendingBlock.target = task.target;
+          if (pendingBlock.chooseBlockAndProxy()) {
+            long blockSize = pendingBlock.block.getNumBytes();
+            incScheduledSize(-blockSize);
+            task.size -= blockSize;
+            if (task.size == 0) {
+              i.remove();
+            }
+            return pendingBlock;
+          } else {
+            // cancel the tentative move
+            target.removePendingBlock(pendingBlock);
+          }
+        }
+      }
+      return null;
+    }
+
+    /** Iterate all source's blocks to remove moved ones */
+    private void removeMovedBlocks() {
+      for (Iterator<DBlock> i = getBlockIterator(); i.hasNext();) {
+        if (movedBlocks.contains(i.next().getBlock())) {
+          i.remove();
+        }
+      }
+    }
+
+    private static final int SOURCE_BLOCKS_MIN_SIZE = 5;
+
+    /** @return if should fetch more blocks from namenode */
+    private boolean shouldFetchMoreBlocks() {
+      return srcBlocks.size() < SOURCE_BLOCKS_MIN_SIZE && blocksToReceive > 0;
+    }
+
+    private static final long MAX_ITERATION_TIME = 20 * 60 * 1000L; // 20 mins
+
+    /**
+     * This method iteratively does the following: it first selects a block to
+     * move, then sends a request to the proxy source to start the block move
+     * when the source's block list falls below a threshold, it asks the
+     * namenode for more blocks. It terminates when it has dispatch enough block
+     * move tasks or it has received enough blocks from the namenode, or the
+     * elapsed time of the iteration has exceeded the max time limit.
+     */
+    private void dispatchBlocks() {
+      final long startTime = Time.monotonicNow();
+      this.blocksToReceive = 2 * getScheduledSize();
+      boolean isTimeUp = false;
+      int noPendingBlockIteration = 0;
+      while (!isTimeUp && getScheduledSize() > 0
+          && (!srcBlocks.isEmpty() || blocksToReceive > 0)) {
+        final PendingMove p = chooseNextMove();
+        if (p != null) {
+          // move the block
+          moveExecutor.execute(new Runnable() {
+            @Override
+            public void run() {
+              p.dispatch();
+            }
+          });
+          continue;
+        }
+
+        // Since we cannot schedule any block to move,
+        // remove any moved blocks from the source block list and
+        removeMovedBlocks(); // filter already moved blocks
+        // check if we should fetch more blocks from the namenode
+        if (shouldFetchMoreBlocks()) {
+          // fetch new blocks
+          try {
+            blocksToReceive -= getBlockList();
+            continue;
+          } catch (IOException e) {
+            LOG.warn("Exception while getting block list", e);
+            return;
+          }
+        } else {
+          // source node cannot find a pendingBlockToMove, iteration +1
+          noPendingBlockIteration++;
+          // in case no blocks can be moved for source node's task,
+          // jump out of while-loop after 5 iterations.
+          if (noPendingBlockIteration >= MAX_NO_PENDING_MOVE_ITERATIONS) {
+            resetScheduledSize();
+          }
+        }
+
+        // check if time is up or not
+        if (Time.monotonicNow() - startTime > MAX_ITERATION_TIME) {
+          isTimeUp = true;
+          continue;
+        }
+
+        // Now we can not schedule any block to move and there are
+        // no new blocks added to the source block list, so we wait.
+        try {
+          synchronized (Dispatcher.this) {
+            Dispatcher.this.wait(1000); // wait for targets/sources to be idle
+          }
+        } catch (InterruptedException ignored) {
+        }
+      }
+    }
+  }
+
+  Dispatcher(NameNodeConnector theblockpool, Set<String> includedNodes,
+      Set<String> excludedNodes, Configuration conf) {
+    this.nnc = theblockpool;
+    this.keyManager = nnc.getKeyManager();
+    this.excludedNodes = excludedNodes;
+    this.includedNodes = includedNodes;
+
+    final long movedWinWidth = conf.getLong(
+        DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_KEY,
+        DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_DEFAULT);
+    movedBlocks = new MovedBlocks<BalancerDatanode.StorageGroup>(movedWinWidth);
+
+    this.cluster = NetworkTopology.getInstance(conf);
+
+    this.moveExecutor = Executors.newFixedThreadPool(conf.getInt(
+        DFSConfigKeys.DFS_BALANCER_MOVERTHREADS_KEY,
+        DFSConfigKeys.DFS_BALANCER_MOVERTHREADS_DEFAULT));
+    this.dispatchExecutor = Executors.newFixedThreadPool(conf.getInt(
+        DFSConfigKeys.DFS_BALANCER_DISPATCHERTHREADS_KEY,
+        DFSConfigKeys.DFS_BALANCER_DISPATCHERTHREADS_DEFAULT));
+    this.maxConcurrentMovesPerNode = conf.getInt(
+        DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_KEY,
+        DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_DEFAULT);
+
+    final boolean fallbackToSimpleAuthAllowed = conf.getBoolean(
+        CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY,
+        CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT);
+    this.saslClient = new SaslDataTransferClient(
+        DataTransferSaslUtil.getSaslPropertiesResolver(conf),
+        TrustedChannelResolver.getInstance(conf), fallbackToSimpleAuthAllowed);
+  }
+
+  StorageGroupMap getStorageGroupMap() {
+    return storageGroupMap;
+  }
+
+  NetworkTopology getCluster() {
+    return cluster;
+  }
+  
+  long getBytesMoved() {
+    return bytesMoved.get();
+  }
+
+  long bytesToMove() {
+    Preconditions.checkState(
+        storageGroupMap.size() >= sources.size() + targets.size(),
+        "Mismatched number of storage groups (" + storageGroupMap.size()
+            + " < " + sources.size() + " sources + " + targets.size()
+            + " targets)");
+
+    long b = 0L;
+    for (Source src : sources) {
+      b += src.getScheduledSize();
+    }
+    return b;
+  }
+
+  void add(Source source, BalancerDatanode.StorageGroup target) {
+    sources.add(source);
+    targets.add(target);
+  }
+
+  private boolean shouldIgnore(DatanodeInfo dn) {
+    // ignore decommissioned nodes
+    final boolean decommissioned = dn.isDecommissioned();
+    // ignore decommissioning nodes
+    final boolean decommissioning = dn.isDecommissionInProgress();
+    // ignore nodes in exclude list
+    final boolean excluded = Util.isExcluded(excludedNodes, dn);
+    // ignore nodes not in the include list (if include list is not empty)
+    final boolean notIncluded = !Util.isIncluded(includedNodes, dn);
+
+    if (decommissioned || decommissioning || excluded || notIncluded) {
+      if (LOG.isTraceEnabled()) {
+        LOG.trace("Excluding datanode " + dn + ": " + decommissioned + ", "
+            + decommissioning + ", " + excluded + ", " + notIncluded);
+      }
+      return true;
+    }
+    return false;
+  }
+
+  /** Get live datanode storage reports and then build the network topology. */
+  List<DatanodeStorageReport> init() throws IOException {
+    final DatanodeStorageReport[] reports = nnc.getLiveDatanodeStorageReport();
+    final List<DatanodeStorageReport> trimmed = new ArrayList<DatanodeStorageReport>(); 
+    // create network topology and classify utilization collections:
+    // over-utilized, above-average, below-average and under-utilized.
+    for (DatanodeStorageReport r : DFSUtil.shuffle(reports)) {
+      final DatanodeInfo datanode = r.getDatanodeInfo();
+      if (shouldIgnore(datanode)) {
+        continue;
+      }
+      trimmed.add(r);
+      cluster.add(datanode);
+    }
+    return trimmed;
+  }
+
+  public BalancerDatanode newDatanode(DatanodeStorageReport r) {
+    return new BalancerDatanode(r, maxConcurrentMovesPerNode);
+  }
+
+  public boolean dispatchAndCheckContinue() throws InterruptedException {
+    return nnc.shouldContinue(dispatchBlockMoves());
+  }
+
+  /**
+   * Dispatch block moves for each source. The thread selects blocks to move &
+   * sends request to proxy source to initiate block move. The process is flow
+   * controlled. Block selection is blocked if there are too many un-confirmed
+   * block moves.
+   * 
+   * @return the total number of bytes successfully moved in this iteration.
+   */
+  private long dispatchBlockMoves() throws InterruptedException {
+    final long bytesLastMoved = bytesMoved.get();
+    final Future<?>[] futures = new Future<?>[sources.size()];
+
+    final Iterator<Source> i = sources.iterator();
+    for (int j = 0; j < futures.length; j++) {
+      final Source s = i.next();
+      futures[j] = dispatchExecutor.submit(new Runnable() {
+        @Override
+        public void run() {
+          s.dispatchBlocks();
+        }
+      });
+    }
+
+    // wait for all dispatcher threads to finish
+    for (Future<?> future : futures) {
+      try {
+        future.get();
+      } catch (ExecutionException e) {
+        LOG.warn("Dispatcher thread failed", e.getCause());
+      }
+    }
+
+    // wait for all block moving to be done
+    waitForMoveCompletion();
+
+    return bytesMoved.get() - bytesLastMoved;
+  }
+
+  /** The sleeping period before checking if block move is completed again */
+  static private long blockMoveWaitTime = 30000L;
+
+  /** set the sleeping period for block move completion check */
+  static void setBlockMoveWaitTime(long time) {
+    blockMoveWaitTime = time;
+  }
+
+  /** Wait for all block move confirmations. */
+  private void waitForMoveCompletion() {
+    for(;;) {
+      boolean empty = true;
+      for (BalancerDatanode.StorageGroup t : targets) {
+        if (!t.getBalancerDatanode().isPendingQEmpty()) {
+          empty = false;
+          break;
+        }
+      }
+      if (empty) {
+        return; //all pending queues are empty
+      }
+      try {
+        Thread.sleep(blockMoveWaitTime);
+      } catch (InterruptedException ignored) {
+      }
+    }
+  }
+
+  /**
+   * Decide if the block is a good candidate to be moved from source to target.
+   * A block is a good candidate if 
+   * 1. the block is not in the process of being moved/has not been moved;
+   * 2. the block does not have a replica on the target;
+   * 3. doing the move does not reduce the number of racks that the block has
+   */
+  private boolean isGoodBlockCandidate(Source source,
+      BalancerDatanode.StorageGroup target, DBlock block) {
+    if (source.storageType != target.storageType) {
+      return false;
+    }
+    // check if the block is moved or not
+    if (movedBlocks.contains(block.getBlock())) {
+      return false;
+    }
+    if (block.isLocatedOn(target)) {
+      return false;
+    }
+    if (cluster.isNodeGroupAware()
+        && isOnSameNodeGroupWithReplicas(target, block, source)) {
+      return false;
+    }
+    if (reduceNumOfRacks(source, target, block)) {
+      return false;
+    }
+    return true;
+  }
+
+  /**
+   * Determine whether moving the given block replica from source to target
+   * would reduce the number of racks of the block replicas.
+   */
+  private boolean reduceNumOfRacks(Source source,
+      BalancerDatanode.StorageGroup target, DBlock block) {
+    final DatanodeInfo sourceDn = source.getDatanode();
+    if (cluster.isOnSameRack(sourceDn, target.getDatanode())) {
+      // source and target are on the same rack
+      return false;
+    }
+    boolean notOnSameRack = true;
+    synchronized (block) {
+      for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
+        if (cluster.isOnSameRack(loc.getDatanode(), target.getDatanode())) {
+          notOnSameRack = false;
+          break;
+        }
+      }
+    }
+    if (notOnSameRack) {
+      // target is not on the same rack as any replica
+      return false;
+    }
+    for (BalancerDatanode.StorageGroup g : block.getLocations()) {
+      if (g != source && cluster.isOnSameRack(g.getDatanode(), sourceDn)) {
+        // source is on the same rack of another replica
+        return false;
+      }
+    }
+    return true;
+  }
+
+  /**
+   * Check if there are any replica (other than source) on the same node group
+   * with target. If true, then target is not a good candidate for placing
+   * specific replica as we don't want 2 replicas under the same nodegroup.
+   * 
+   * @return true if there are any replica (other than source) on the same node
+   *         group with target
+   */
+  private boolean isOnSameNodeGroupWithReplicas(
+      BalancerDatanode.StorageGroup target, DBlock block, Source source) {
+    final DatanodeInfo targetDn = target.getDatanode();
+    for (BalancerDatanode.StorageGroup g : block.getLocations()) {
+      if (g != source && cluster.isOnSameNodeGroup(g.getDatanode(), targetDn)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  /** Reset all fields in order to prepare for the next iteration */
+  void reset(Configuration conf) {
+    cluster = NetworkTopology.getInstance(conf);
+    storageGroupMap.clear();
+    sources.clear();
+    targets.clear();
+    globalBlocks.removeAllButRetain(movedBlocks);
+    movedBlocks.cleanup();
+  }
+
+  /** shutdown thread pools */
+  void shutdownNow() {
+    dispatchExecutor.shutdownNow();
+    moveExecutor.shutdownNow();
+  }
+
+  static class Util {
+    /** @return true if data node is part of the excludedNodes. */
+    static boolean isExcluded(Set<String> excludedNodes, DatanodeInfo dn) {
+      return isIn(excludedNodes, dn);
+    }
+
+    /**
+     * @return true if includedNodes is empty or data node is part of the
+     *         includedNodes.
+     */
+    static boolean isIncluded(Set<String> includedNodes, DatanodeInfo dn) {
+      return (includedNodes.isEmpty() || isIn(includedNodes, dn));
+    }
+
+    /**
+     * Match is checked using host name , ip address with and without port
+     * number.
+     * 
+     * @return true if the datanode's transfer address matches the set of nodes.
+     */
+    private static boolean isIn(Set<String> datanodes, DatanodeInfo dn) {
+      return isIn(datanodes, dn.getPeerHostName(), dn.getXferPort())
+          || isIn(datanodes, dn.getIpAddr(), dn.getXferPort())
+          || isIn(datanodes, dn.getHostName(), dn.getXferPort());
+    }
+
+    /** @return true if nodes contains host or host:port */
+    private static boolean isIn(Set<String> nodes, String host, int port) {
+      if (host == null) {
+        return false;
+      }
+      return (nodes.contains(host) || nodes.contains(host + ":" + port));
+    }
+
+    /**
+     * Parse a comma separated string to obtain set of host names
+     * 
+     * @return set of host names
+     */
+    static Set<String> parseHostList(String string) {
+      String[] addrs = StringUtils.getTrimmedStrings(string);
+      return new HashSet<String>(Arrays.asList(addrs));
+    }
+
+    /**
+     * Read set of host names from a file
+     * 
+     * @return set of host names
+     */
+    static Set<String> getHostListFromFile(String fileName, String type) {
+      Set<String> nodes = new HashSet<String>();
+      try {
+        HostsFileReader.readFileToSet(type, fileName, nodes);
+        return StringUtils.getTrimmedStrings(nodes);
+      } catch (IOException e) {
+        throw new IllegalArgumentException(
+            "Failed to read host list from file: " + fileName);
+      }
+    }
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/NameNodeConnector.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/NameNodeConnector.java
index 3d1c4e6946f..820a4edd579 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/NameNodeConnector.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/NameNodeConnector.java
@@ -34,6 +34,10 @@
 import org.apache.hadoop.hdfs.NameNodeProxies;
 import org.apache.hadoop.hdfs.protocol.AlreadyBeingCreatedException;
 import org.apache.hadoop.hdfs.protocol.ClientProtocol;
+import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
+import org.apache.hadoop.hdfs.protocol.HdfsConstants.DatanodeReportType;
+import org.apache.hadoop.hdfs.server.protocol.BlocksWithLocations;
+import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
 import org.apache.hadoop.hdfs.server.protocol.NamenodeProtocol;
 import org.apache.hadoop.hdfs.server.protocol.NamespaceInfo;
 import org.apache.hadoop.io.IOUtils;
@@ -90,14 +94,16 @@ public String getBlockpoolID() {
     return blockpoolID;
   }
 
-  /** @return the namenode proxy. */
-  public NamenodeProtocol getNamenode() {
-    return namenode;
+  /** @return blocks with locations. */
+  public BlocksWithLocations getBlocks(DatanodeInfo datanode, long size)
+      throws IOException {
+    return namenode.getBlocks(datanode, size);
   }
 
-  /** @return the client proxy. */
-  public ClientProtocol getClient() {
-    return client;
+  /** @return live datanode storage reports. */
+  public DatanodeStorageReport[] getLiveDatanodeStorageReport()
+      throws IOException {
+    return client.getDatanodeStorageReport(DatanodeReportType.LIVE);
   }
 
   /** @return the key manager */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
index 5da3cd177a2..2e59daf8d08 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
@@ -89,7 +89,7 @@ public class TestBalancer {
   private static final Random r = new Random();
 
   static {
-    Balancer.setBlockMoveWaitTime(1000L) ;
+    Dispatcher.setBlockMoveWaitTime(1000L) ;
   }
 
   static void initConf(Configuration conf) {
@@ -305,12 +305,12 @@ static void waitForBalancer(long totalUsedSpace, long totalCapacity,
       for (DatanodeInfo datanode : datanodeReport) {
         double nodeUtilization = ((double)datanode.getDfsUsed())
             / datanode.getCapacity();
-        if (Balancer.Util.shouldBeExcluded(p.nodesToBeExcluded, datanode)) {
+        if (Dispatcher.Util.isExcluded(p.nodesToBeExcluded, datanode)) {
           assertTrue(nodeUtilization == 0);
           actualExcludedNodeCount++;
           continue;
         }
-        if (!Balancer.Util.shouldBeIncluded(p.nodesToBeIncluded, datanode)) {
+        if (!Dispatcher.Util.isIncluded(p.nodesToBeIncluded, datanode)) {
           assertTrue(nodeUtilization == 0);
           actualExcludedNodeCount++;
           continue;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java
index 9652f8636a0..c543f73695b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java
@@ -44,7 +44,7 @@ public class TestBalancerWithHANameNodes {
   ClientProtocol client;
 
   static {
-    Balancer.setBlockMoveWaitTime(1000L);
+    Dispatcher.setBlockMoveWaitTime(1000L);
   }
 
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java
index 1a7ddd331b1..9f8bb32a1b0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java
@@ -73,7 +73,7 @@ public class TestBalancerWithMultipleNameNodes {
   private static final Random RANDOM = new Random();
 
   static {
-    Balancer.setBlockMoveWaitTime(1000L) ;
+    Dispatcher.setBlockMoveWaitTime(1000L) ;
   }
 
   /** Common objects used in various methods. */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java
index 153ced3a243..ef21a7586d9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java
@@ -75,7 +75,7 @@ public class TestBalancerWithNodeGroup {
   static final int DEFAULT_BLOCK_SIZE = 100;
 
   static {
-    Balancer.setBlockMoveWaitTime(1000L) ;
+    Dispatcher.setBlockMoveWaitTime(1000L) ;
   }
 
   static Configuration createConf() {

From eeb4acd955802e2a84ea94cecf2e2341b83d5efb Mon Sep 17 00:00:00 2001
From: Xuan Gong <xgong@apache.org>
Date: Fri, 8 Aug 2014 21:38:24 +0000
Subject: [PATCH 171/354] YARN-2212: ApplicationMaster needs to find a way to
 update the AMRMToken periodically. Contributed by Xuan Gong

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616892 13f79535-47bb-0310-9956-ffa450edef68
---
 .../v2/app/rm/RMContainerAllocator.java       |  26 ++-
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../api/protocolrecords/AllocateResponse.java |  32 ++++
 .../src/main/proto/yarn_service_protos.proto  |   1 +
 .../yarn/client/api/impl/AMRMClientImpl.java  |  19 +++
 .../yarn/client/api/impl/TestAMRMClient.java  | 135 +++++++++++++++-
 .../api/impl/TestAMRMClientOnRMRestart.java   | 151 ++++++++++++++++++
 .../impl/pb/AllocateResponsePBImpl.java       |  38 ++++-
 .../ApplicationMasterService.java             |  36 ++++-
 .../amlauncher/AMLauncher.java                |  11 +-
 .../recovery/FileSystemRMStateStore.java      |   6 +-
 .../recovery/RMStateStore.java                |   7 +-
 .../recovery/ZKRMStateStore.java              |   7 +-
 .../rmapp/attempt/RMAppAttemptImpl.java       |  53 +++---
 .../security/AMRMTokenSecretManager.java      |   5 +
 .../yarn/server/resourcemanager/MockRM.java   |  10 ++
 .../MockRMWithCustomAMLauncher.java           |   5 +-
 .../server/resourcemanager/TestRMRestart.java |  12 +-
 .../recovery/RMStateStoreTestBase.java        |  12 --
 .../attempt/TestRMAppAttemptTransitions.java  |   2 -
 .../security/TestAMRMTokens.java              |  51 +++++-
 21 files changed, 555 insertions(+), 67 deletions(-)

diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMContainerAllocator.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMContainerAllocator.java
index 307cdfe759c..6cb01918180 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMContainerAllocator.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMContainerAllocator.java
@@ -18,6 +18,7 @@
 
 package org.apache.hadoop.mapreduce.v2.app.rm;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Comparator;
@@ -38,6 +39,7 @@
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.io.Text;
 import org.apache.hadoop.mapreduce.JobCounter;
 import org.apache.hadoop.mapreduce.MRJobConfig;
 import org.apache.hadoop.mapreduce.jobhistory.JobHistoryEvent;
@@ -58,6 +60,7 @@
 import org.apache.hadoop.mapreduce.v2.app.job.event.TaskAttemptEventType;
 import org.apache.hadoop.mapreduce.v2.app.job.event.TaskAttemptKillEvent;
 import org.apache.hadoop.mapreduce.v2.app.rm.preemption.AMPreemptionPolicy;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.StringInterner;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse;
 import org.apache.hadoop.yarn.api.records.Container;
@@ -70,9 +73,11 @@
 import org.apache.hadoop.yarn.api.records.NodeState;
 import org.apache.hadoop.yarn.api.records.PreemptionMessage;
 import org.apache.hadoop.yarn.api.records.Priority;
+import org.apache.hadoop.yarn.api.records.Token;
 import org.apache.hadoop.yarn.client.api.NMTokenCache;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
+import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
 import org.apache.hadoop.yarn.util.Clock;
 import org.apache.hadoop.yarn.util.RackResolver;
 
@@ -674,7 +679,12 @@ private List<Container> getResources() throws Exception {
             nmToken.getToken());
       }
     }
-    
+
+    // Setting AMRMToken
+    if (response.getAMRMToken() != null) {
+      updateAMRMToken(response.getAMRMToken());
+    }
+
     List<ContainerStatus> finishedContainers = response.getCompletedContainersStatuses();
 
     // propagate preemption requests
@@ -726,7 +736,19 @@ private List<Container> getResources() throws Exception {
     }
     return newContainers;
   }
-  
+
+  private void updateAMRMToken(Token token) throws IOException {
+    org.apache.hadoop.security.token.Token<AMRMTokenIdentifier> amrmToken =
+        new org.apache.hadoop.security.token.Token<AMRMTokenIdentifier>(token
+          .getIdentifier().array(), token.getPassword().array(), new Text(
+          token.getKind()), new Text(token.getService()));
+    UserGroupInformation currentUGI = UserGroupInformation.getCurrentUser();
+    if (UserGroupInformation.isSecurityEnabled()) {
+      currentUGI = UserGroupInformation.getLoginUser();
+    }
+    currentUGI.addToken(amrmToken);
+  }
+
   @VisibleForTesting
   public TaskAttemptEvent createContainerFinishedEvent(ContainerStatus cont,
       TaskAttemptId attemptID) {
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index eb9079d9f60..700d9700ca2 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -97,6 +97,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2352. FairScheduler: Collect metrics on duration of critical methods that 
     affect performance. (kasha)
 
+    YARN-2212. ApplicationMaster needs to find a way to update the AMRMToken
+    periodically. (xgong)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/AllocateResponse.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/AllocateResponse.java
index 0e27f3248fe..e56ba6156b0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/AllocateResponse.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/AllocateResponse.java
@@ -35,6 +35,7 @@
 import org.apache.hadoop.yarn.api.records.NodeReport;
 import org.apache.hadoop.yarn.api.records.PreemptionMessage;
 import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.api.records.Token;
 import org.apache.hadoop.yarn.util.Records;
 
 /**
@@ -56,6 +57,7 @@
  *     <li>A list of nodes whose status has been updated.</li>
  *     <li>The number of available nodes in a cluster.</li>
  *     <li>A description of resources requested back by the cluster</li>
+ *     <li>AMRMToken, if AMRMToken has been rolled over</li>
  *   </ul>
  * </p>
  * 
@@ -102,6 +104,23 @@ public static AllocateResponse newInstance(int responseId,
     return response;
   }
 
+  @Private
+  @Unstable
+  public static AllocateResponse newInstance(int responseId,
+      List<ContainerStatus> completedContainers,
+      List<Container> allocatedContainers, List<NodeReport> updatedNodes,
+      Resource availResources, AMCommand command, int numClusterNodes,
+      PreemptionMessage preempt, List<NMToken> nmTokens, Token amRMToken,
+      List<ContainerResourceIncrease> increasedContainers,
+      List<ContainerResourceDecrease> decreasedContainers) {
+    AllocateResponse response =
+        newInstance(responseId, completedContainers, allocatedContainers,
+          updatedNodes, availResources, command, numClusterNodes, preempt,
+          nmTokens, increasedContainers, decreasedContainers);
+    response.setAMRMToken(amRMToken);
+    return response;
+  }
+
   /**
    * If the <code>ResourceManager</code> needs the
    * <code>ApplicationMaster</code> to take some action then it will send an
@@ -270,4 +289,17 @@ public abstract void setIncreasedContainers(
   @Unstable
   public abstract void setDecreasedContainers(
       List<ContainerResourceDecrease> decreasedContainers);
+
+  /**
+   * The AMRMToken that belong to this attempt
+   *
+   * @return The AMRMToken that belong to this attempt
+   */
+  @Public
+  @Unstable
+  public abstract Token getAMRMToken();
+
+  @Private
+  @Unstable
+  public abstract void setAMRMToken(Token amRMToken);
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_service_protos.proto b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_service_protos.proto
index a1f6d2e211d..df8784b1442 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_service_protos.proto
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_service_protos.proto
@@ -85,6 +85,7 @@ message AllocateResponseProto {
   repeated NMTokenProto nm_tokens = 9;
   repeated ContainerResourceIncreaseProto increased_containers = 10;
   repeated ContainerResourceDecreaseProto decreased_containers = 11;
+  optional hadoop.common.TokenProto am_rm_token = 12;
 }
 
 //////////////////////////////////////////////////////
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/AMRMClientImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/AMRMClientImpl.java
index 1db70545786..e36d7ade78c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/AMRMClientImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/AMRMClientImpl.java
@@ -39,7 +39,9 @@
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.io.Text;
 import org.apache.hadoop.ipc.RPC;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.yarn.api.ApplicationMasterProtocol;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse;
@@ -56,6 +58,7 @@
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.api.records.ResourceBlacklistRequest;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
+import org.apache.hadoop.yarn.api.records.Token;
 import org.apache.hadoop.yarn.client.ClientRMProxy;
 import org.apache.hadoop.yarn.client.api.AMRMClient;
 import org.apache.hadoop.yarn.client.api.AMRMClient.ContainerRequest;
@@ -64,6 +67,7 @@
 import org.apache.hadoop.yarn.exceptions.ApplicationMasterNotRegisteredException;
 import org.apache.hadoop.yarn.exceptions.YarnException;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
+import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
 import org.apache.hadoop.yarn.util.RackResolver;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -300,6 +304,9 @@ public AllocateResponse allocate(float progressIndicator)
         if (!allocateResponse.getNMTokens().isEmpty()) {
           populateNMTokens(allocateResponse.getNMTokens());
         }
+        if (allocateResponse.getAMRMToken() != null) {
+          updateAMRMToken(allocateResponse.getAMRMToken());
+        }
         if (!pendingRelease.isEmpty()
             && !allocateResponse.getCompletedContainersStatuses().isEmpty()) {
           removePendingReleaseRequests(allocateResponse
@@ -743,4 +750,16 @@ public synchronized void updateBlacklist(List<String> blacklistAdditions,
           "blacklistRemovals in updateBlacklist.");
     }
   }
+
+  private void updateAMRMToken(Token token) throws IOException {
+    org.apache.hadoop.security.token.Token<AMRMTokenIdentifier> amrmToken =
+        new org.apache.hadoop.security.token.Token<AMRMTokenIdentifier>(token
+          .getIdentifier().array(), token.getPassword().array(), new Text(
+          token.getKind()), new Text(token.getService()));
+    UserGroupInformation currentUGI = UserGroupInformation.getCurrentUser();
+    if (UserGroupInformation.isSecurityEnabled()) {
+      currentUGI = UserGroupInformation.getLoginUser();
+    }
+    currentUGI.addToken(amrmToken);
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClient.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClient.java
index 5961532728f..d7fb752bb4c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClient.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClient.java
@@ -27,19 +27,23 @@
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
 import java.util.TreeSet;
 
 import org.junit.Assert;
-
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.Credentials;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 import org.apache.hadoop.service.Service.STATE;
 import org.apache.hadoop.yarn.api.ApplicationMasterProtocol;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateRequest;
@@ -71,9 +75,12 @@
 import org.apache.hadoop.yarn.client.api.YarnClient;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnException;
+import org.apache.hadoop.yarn.ipc.YarnRPC;
+import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
 import org.apache.hadoop.yarn.server.MiniYARNCluster;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
+import org.apache.hadoop.yarn.server.resourcemanager.security.AMRMTokenSecretManager;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
 import org.apache.hadoop.yarn.util.Records;
 import org.junit.After;
@@ -93,6 +100,9 @@ public class TestAMRMClient {
   static ApplicationAttemptId attemptId = null;
   static int nodeCount = 3;
   
+  static final int rolling_interval_sec = 13;
+  static final long am_expire_ms = 4000;
+
   static Resource capability;
   static Priority priority;
   static Priority priority2;
@@ -106,6 +116,10 @@ public class TestAMRMClient {
   public static void setup() throws Exception {
     // start minicluster
     conf = new YarnConfiguration();
+    conf.setLong(
+      YarnConfiguration.RM_AMRM_TOKEN_MASTER_KEY_ROLLING_INTERVAL_SECS,
+      rolling_interval_sec);
+    conf.setLong(YarnConfiguration.RM_AM_EXPIRY_INTERVAL_MS, am_expire_ms);
     conf.setInt(YarnConfiguration.RM_NM_HEARTBEAT_INTERVAL_MS, 100);
     conf.setLong(YarnConfiguration.NM_LOG_RETAIN_SECONDS, 1);
     yarnCluster = new MiniYARNCluster(TestAMRMClient.class.getName(), nodeCount, 1, 1);
@@ -809,4 +823,123 @@ private void sleep(int sleepTime) {
     }
   }
 
+  @Test(timeout = 60000)
+  public void testAMRMClientOnAMRMTokenRollOver() throws YarnException,
+      IOException {
+    AMRMClient<ContainerRequest> amClient = null;
+    try {
+      AMRMTokenSecretManager amrmTokenSecretManager =
+          yarnCluster.getResourceManager().getRMContext()
+            .getAMRMTokenSecretManager();
+
+      // start am rm client
+      amClient = AMRMClient.<ContainerRequest> createAMRMClient();
+
+      amClient.init(conf);
+      amClient.start();
+
+      Long startTime = System.currentTimeMillis();
+      amClient.registerApplicationMaster("Host", 10000, "");
+
+      org.apache.hadoop.security.token.Token<AMRMTokenIdentifier> amrmToken_1 =
+          getAMRMToken();
+      Assert.assertNotNull(amrmToken_1);
+      Assert.assertEquals(amrmToken_1.decodeIdentifier().getKeyId(),
+        amrmTokenSecretManager.getMasterKey().getMasterKey().getKeyId());
+
+      // Wait for enough time and make sure the roll_over happens
+      // At mean time, the old AMRMToken should continue to work
+      while (System.currentTimeMillis() - startTime <
+          rolling_interval_sec * 1000) {
+        amClient.allocate(0.1f);
+        try {
+          Thread.sleep(1000);
+        } catch (InterruptedException e) {
+          // TODO Auto-generated catch block
+          e.printStackTrace();
+        }
+      }
+      amClient.allocate(0.1f);
+
+      org.apache.hadoop.security.token.Token<AMRMTokenIdentifier> amrmToken_2 =
+          getAMRMToken();
+      Assert.assertNotNull(amrmToken_2);
+      Assert.assertEquals(amrmToken_2.decodeIdentifier().getKeyId(),
+        amrmTokenSecretManager.getMasterKey().getMasterKey().getKeyId());
+
+      Assert.assertNotEquals(amrmToken_1, amrmToken_2);
+
+      // can do the allocate call with latest AMRMToken
+      amClient.allocate(0.1f);
+
+      // Make sure previous token has been rolled-over
+      // and can not use this rolled-over token to make a allocate all.
+      while (true) {
+        if (amrmToken_2.decodeIdentifier().getKeyId() != amrmTokenSecretManager
+          .getCurrnetMasterKeyData().getMasterKey().getKeyId()) {
+          if (amrmTokenSecretManager.getNextMasterKeyData() == null) {
+            break;
+          } else if (amrmToken_2.decodeIdentifier().getKeyId() !=
+              amrmTokenSecretManager.getNextMasterKeyData().getMasterKey()
+              .getKeyId()) {
+            break;
+          }
+        }
+        amClient.allocate(0.1f);
+        try {
+          Thread.sleep(1000);
+        } catch (InterruptedException e) {
+          // DO NOTHING
+        }
+      }
+
+      try {
+        UserGroupInformation testUser =
+            UserGroupInformation.createRemoteUser("testUser");
+        SecurityUtil.setTokenService(amrmToken_2, yarnCluster
+          .getResourceManager().getApplicationMasterService().getBindAddress());
+        testUser.addToken(amrmToken_2);
+        testUser.doAs(new PrivilegedAction<ApplicationMasterProtocol>() {
+          @Override
+          public ApplicationMasterProtocol run() {
+            return (ApplicationMasterProtocol) YarnRPC.create(conf).getProxy(
+              ApplicationMasterProtocol.class,
+              yarnCluster.getResourceManager().getApplicationMasterService()
+                .getBindAddress(), conf);
+          }
+        }).allocate(Records.newRecord(AllocateRequest.class));
+        Assert.fail("The old Token should not work");
+      } catch (Exception ex) {
+        Assert.assertTrue(ex instanceof InvalidToken);
+        Assert.assertTrue(ex.getMessage().contains(
+          "Invalid AMRMToken from "
+              + amrmToken_2.decodeIdentifier().getApplicationAttemptId()));
+      }
+
+      amClient.unregisterApplicationMaster(FinalApplicationStatus.SUCCEEDED,
+        null, null);
+
+    } finally {
+      if (amClient != null && amClient.getServiceState() == STATE.STARTED) {
+        amClient.stop();
+      }
+    }
+  }
+
+  @SuppressWarnings("unchecked")
+  private org.apache.hadoop.security.token.Token<AMRMTokenIdentifier>
+      getAMRMToken() throws IOException {
+    Credentials credentials =
+        UserGroupInformation.getCurrentUser().getCredentials();
+    Iterator<org.apache.hadoop.security.token.Token<?>> iter =
+        credentials.getAllTokens().iterator();
+    while (iter.hasNext()) {
+      org.apache.hadoop.security.token.Token<?> token = iter.next();
+      if (token.getKind().equals(AMRMTokenIdentifier.KIND_NAME)) {
+        return (org.apache.hadoop.security.token.Token<AMRMTokenIdentifier>)
+            token;
+      }
+    }
+    return null;
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClientOnRMRestart.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClientOnRMRestart.java
index 0e343574d10..dfad6d6c662 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClientOnRMRestart.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClientOnRMRestart.java
@@ -19,6 +19,7 @@
 package org.apache.hadoop.yarn.client.api.impl;
 
 import java.io.IOException;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Iterator;
@@ -26,7 +27,11 @@
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.net.NetworkTopology;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
+import org.apache.hadoop.yarn.api.ApplicationMasterProtocol;
+import org.apache.hadoop.yarn.api.protocolrecords.AllocateRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.Container;
@@ -42,10 +47,12 @@
 import org.apache.hadoop.yarn.event.Dispatcher;
 import org.apache.hadoop.yarn.event.DrainDispatcher;
 import org.apache.hadoop.yarn.event.EventHandler;
+import org.apache.hadoop.yarn.ipc.YarnRPC;
 import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
 import org.apache.hadoop.yarn.server.api.protocolrecords.NMContainerStatus;
 import org.apache.hadoop.yarn.server.api.protocolrecords.NodeHeartbeatResponse;
 import org.apache.hadoop.yarn.server.api.records.NodeAction;
+import org.apache.hadoop.yarn.server.resourcemanager.ApplicationMasterService;
 import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
 import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
@@ -58,12 +65,16 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler;
+import org.apache.hadoop.yarn.server.resourcemanager.security.AMRMTokenSecretManager;
+import org.apache.hadoop.yarn.util.Records;
 import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
 public class TestAMRMClientOnRMRestart {
   static Configuration conf = null;
+  static final int rolling_interval_sec = 13;
+  static final long am_expire_ms = 4000;
 
   @BeforeClass
   public static void setup() throws Exception {
@@ -362,6 +373,134 @@ public void testAMRMClientForUnregisterAMOnRMRestart() throws Exception {
 
   }
 
+
+  // Test verify for AM issued with rolled-over AMRMToken
+  // is still able to communicate with restarted RM.
+  @Test(timeout = 30000)
+  public void testAMRMClientOnAMRMTokenRollOverOnRMRestart() throws Exception {
+    conf.setLong(
+      YarnConfiguration.RM_AMRM_TOKEN_MASTER_KEY_ROLLING_INTERVAL_SECS,
+      rolling_interval_sec);
+    conf.setLong(YarnConfiguration.RM_AM_EXPIRY_INTERVAL_MS, am_expire_ms);
+    MemoryRMStateStore memStore = new MemoryRMStateStore();
+    memStore.init(conf);
+
+    // start first RM
+    MyResourceManager2 rm1 = new MyResourceManager2(conf, memStore);
+    rm1.start();
+    DrainDispatcher dispatcher =
+        (DrainDispatcher) rm1.getRMContext().getDispatcher();
+    Long startTime = System.currentTimeMillis();
+    // Submit the application
+    RMApp app = rm1.submitApp(1024);
+    dispatcher.await();
+
+    MockNM nm1 = new MockNM("h1:1234", 15120, rm1.getResourceTrackerService());
+    nm1.registerNode();
+    nm1.nodeHeartbeat(true); // Node heartbeat
+    dispatcher.await();
+
+    ApplicationAttemptId appAttemptId =
+        app.getCurrentAppAttempt().getAppAttemptId();
+    rm1.sendAMLaunched(appAttemptId);
+    dispatcher.await();
+
+    AMRMTokenSecretManager amrmTokenSecretManagerForRM1 =
+        rm1.getRMContext().getAMRMTokenSecretManager();
+    org.apache.hadoop.security.token.Token<AMRMTokenIdentifier> token =
+        amrmTokenSecretManagerForRM1.createAndGetAMRMToken(appAttemptId);
+    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+    ugi.addTokenIdentifier(token.decodeIdentifier());
+
+    AMRMClient<ContainerRequest> amClient = new MyAMRMClientImpl(rm1);
+    amClient.init(conf);
+    amClient.start();
+
+    amClient.registerApplicationMaster("h1", 10000, "");
+    amClient.allocate(0.1f);
+
+    // Wait for enough time and make sure the roll_over happens
+    // At mean time, the old AMRMToken should continue to work
+    while (System.currentTimeMillis() - startTime < rolling_interval_sec * 1000) {
+      amClient.allocate(0.1f);
+      try {
+        Thread.sleep(1000);
+      } catch (InterruptedException e) {
+        // DO NOTHING
+      }
+    }
+    Assert.assertTrue(amrmTokenSecretManagerForRM1.getMasterKey()
+      .getMasterKey().getKeyId() != token.decodeIdentifier().getKeyId());
+
+    amClient.allocate(0.1f);
+
+    // active the nextMasterKey, and replace the currentMasterKey
+    org.apache.hadoop.security.token.Token<AMRMTokenIdentifier> newToken =
+        amrmTokenSecretManagerForRM1.createAndGetAMRMToken(appAttemptId);
+    int waitCount = 0;
+    while (waitCount++ <= 50) {
+      if (amrmTokenSecretManagerForRM1.getCurrnetMasterKeyData().getMasterKey()
+        .getKeyId() != token.decodeIdentifier().getKeyId()) {
+        break;
+      }
+      try {
+        amClient.allocate(0.1f);
+      } catch (Exception ex) {
+        break;
+      }
+      Thread.sleep(500);
+    }
+    Assert
+      .assertTrue(amrmTokenSecretManagerForRM1.getNextMasterKeyData() == null);
+    Assert.assertTrue(amrmTokenSecretManagerForRM1.getCurrnetMasterKeyData()
+      .getMasterKey().getKeyId() == newToken.decodeIdentifier().getKeyId());
+
+    // start 2nd RM
+    conf.set(YarnConfiguration.RM_SCHEDULER_ADDRESS, "0.0.0.0:9030");
+    final MyResourceManager2 rm2 = new MyResourceManager2(conf, memStore);
+    rm2.start();
+    nm1.setResourceTrackerService(rm2.getResourceTrackerService());
+    ((MyAMRMClientImpl) amClient).updateRMProxy(rm2);
+    dispatcher = (DrainDispatcher) rm2.getRMContext().getDispatcher();
+
+    AMRMTokenSecretManager amrmTokenSecretManagerForRM2 =
+        rm2.getRMContext().getAMRMTokenSecretManager();
+    Assert.assertTrue(amrmTokenSecretManagerForRM2.getCurrnetMasterKeyData()
+      .getMasterKey().getKeyId() == newToken.decodeIdentifier().getKeyId());
+    Assert
+      .assertTrue(amrmTokenSecretManagerForRM2.getNextMasterKeyData() == null);
+
+    try {
+      UserGroupInformation testUser =
+          UserGroupInformation.createRemoteUser("testUser");
+      SecurityUtil.setTokenService(token, rm2.getApplicationMasterService()
+        .getBindAddress());
+      testUser.addToken(token);
+      testUser.doAs(new PrivilegedAction<ApplicationMasterProtocol>() {
+        @Override
+        public ApplicationMasterProtocol run() {
+          return (ApplicationMasterProtocol) YarnRPC.create(conf).getProxy(
+            ApplicationMasterProtocol.class,
+            rm2.getApplicationMasterService().getBindAddress(), conf);
+        }
+      }).allocate(Records.newRecord(AllocateRequest.class));
+      Assert.fail("The old Token should not work");
+    } catch (Exception ex) {
+      Assert.assertTrue(ex instanceof InvalidToken);
+      Assert.assertTrue(ex.getMessage().contains(
+        "Invalid AMRMToken from "
+            + token.decodeIdentifier().getApplicationAttemptId()));
+    }
+
+    // make sure the recovered AMRMToken works for new RM
+    amClient.allocate(0.1f);
+    amClient.unregisterApplicationMaster(FinalApplicationStatus.SUCCEEDED,
+      null, null);
+    amClient.stop();
+    rm1.stop();
+    rm2.stop();
+  }
+
   private static class MyFifoScheduler extends FifoScheduler {
 
     public MyFifoScheduler(RMContext rmContext) {
@@ -445,6 +584,18 @@ MyFifoScheduler getMyFifoScheduler() {
     }
   }
 
+  private static class MyResourceManager2 extends MyResourceManager {
+
+    public MyResourceManager2(Configuration conf, RMStateStore store) {
+      super(conf, store);
+    }
+
+    @Override
+    protected ApplicationMasterService createApplicationMasterService() {
+      return new ApplicationMasterService(getRMContext(), scheduler);
+    }
+  }
+
   private static class MyAMRMClientImpl extends
       AMRMClientImpl<ContainerRequest> {
     private MyResourceManager rm;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/AllocateResponsePBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/AllocateResponsePBImpl.java
index 4d7c0a3439b..f2796fd788c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/AllocateResponsePBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/AllocateResponsePBImpl.java
@@ -25,6 +25,7 @@
 
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
+import org.apache.hadoop.security.proto.SecurityProtos.TokenProto;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse;
 import org.apache.hadoop.yarn.api.records.AMCommand;
 import org.apache.hadoop.yarn.api.records.Container;
@@ -35,6 +36,7 @@
 import org.apache.hadoop.yarn.api.records.NodeReport;
 import org.apache.hadoop.yarn.api.records.PreemptionMessage;
 import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.api.records.Token;
 import org.apache.hadoop.yarn.api.records.impl.pb.ContainerPBImpl;
 import org.apache.hadoop.yarn.api.records.impl.pb.ContainerResourceDecreasePBImpl;
 import org.apache.hadoop.yarn.api.records.impl.pb.ContainerResourceIncreasePBImpl;
@@ -44,6 +46,7 @@
 import org.apache.hadoop.yarn.api.records.impl.pb.PreemptionMessagePBImpl;
 import org.apache.hadoop.yarn.api.records.impl.pb.ProtoUtils;
 import org.apache.hadoop.yarn.api.records.impl.pb.ResourcePBImpl;
+import org.apache.hadoop.yarn.api.records.impl.pb.TokenPBImpl;
 import org.apache.hadoop.yarn.proto.YarnProtos.ContainerProto;
 import org.apache.hadoop.yarn.proto.YarnProtos.ContainerResourceDecreaseProto;
 import org.apache.hadoop.yarn.proto.YarnProtos.ContainerResourceIncreaseProto;
@@ -74,7 +77,7 @@ public class AllocateResponsePBImpl extends AllocateResponse {
 
   private List<NodeReport> updatedNodes = null;
   private PreemptionMessage preempt;
-  
+  private Token amrmToken = null;
   
   public AllocateResponsePBImpl() {
     builder = AllocateResponseProto.newBuilder();
@@ -154,6 +157,9 @@ private synchronized void mergeLocalToBuilder() {
           getChangeProtoIterable(this.decreasedContainers);
       builder.addAllDecreasedContainers(iterable);
     }
+    if (this.amrmToken != null) {
+      builder.setAmRmToken(convertToProtoFormat(this.amrmToken));
+    }
   }
 
   private synchronized void mergeLocalToProto() {
@@ -357,6 +363,28 @@ public synchronized void setDecreasedContainers(
     this.decreasedContainers.addAll(decreasedContainers);
   }
 
+  @Override
+  public synchronized Token getAMRMToken() {
+    AllocateResponseProtoOrBuilder p = viaProto ? proto : builder;
+    if (amrmToken != null) {
+      return amrmToken;
+    }
+    if (!p.hasAmRmToken()) {
+      return null;
+    }
+    this.amrmToken = convertFromProtoFormat(p.getAmRmToken());
+    return amrmToken;
+  }
+
+  @Override
+  public synchronized void setAMRMToken(Token amRMToken) {
+    maybeInitBuilder();
+    if (amRMToken == null) {
+      builder.clearAmRmToken();
+    }
+    this.amrmToken = amRMToken;
+  }
+
   private synchronized void initLocalIncreasedContainerList() {
     if (this.increasedContainers != null) {
       return;
@@ -699,4 +727,12 @@ private synchronized NMTokenProto convertToProtoFormat(NMToken token) {
   private synchronized NMToken convertFromProtoFormat(NMTokenProto proto) {
     return new NMTokenPBImpl(proto);
   }
+
+  private TokenPBImpl convertFromProtoFormat(TokenProto p) {
+    return new TokenPBImpl(p);
+  }
+
+  private TokenProto convertToProtoFormat(Token t) {
+    return ((TokenPBImpl)t).getProto();
+  }
 }  
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java
index eda4c7b658e..d77180cd6c3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java
@@ -39,6 +39,7 @@
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.PolicyProvider;
+import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.service.AbstractService;
 import org.apache.hadoop.util.StringUtils;
@@ -80,6 +81,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.AMLivelinessMonitor;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptRegistrationEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptStatusupdateEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptUnregistrationEvent;
@@ -89,6 +91,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerNodeReport;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.security.authorize.RMPolicyProvider;
+import org.apache.hadoop.yarn.server.security.MasterKeyData;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -189,7 +192,7 @@ private AMRMTokenIdentifier selectAMRMTokenIdentifier(
     return result;
   }
 
-  private ApplicationAttemptId authorizeRequest()
+  private AMRMTokenIdentifier authorizeRequest()
       throws YarnException {
 
     UserGroupInformation remoteUgi;
@@ -226,7 +229,7 @@ private ApplicationAttemptId authorizeRequest()
       throw RPCUtil.getRemoteException(message);
     }
 
-    return appTokenIdentifier.getApplicationAttemptId();
+    return appTokenIdentifier;
   }
 
   @Override
@@ -234,7 +237,9 @@ public RegisterApplicationMasterResponse registerApplicationMaster(
       RegisterApplicationMasterRequest request) throws YarnException,
       IOException {
 
-    ApplicationAttemptId applicationAttemptId = authorizeRequest();
+    AMRMTokenIdentifier amrmTokenIdentifier = authorizeRequest();
+    ApplicationAttemptId applicationAttemptId =
+        amrmTokenIdentifier.getApplicationAttemptId();
 
     ApplicationId appID = applicationAttemptId.getApplicationId();
     AllocateResponseLock lock = responseMap.get(applicationAttemptId);
@@ -333,7 +338,8 @@ public FinishApplicationMasterResponse finishApplicationMaster(
       FinishApplicationMasterRequest request) throws YarnException,
       IOException {
 
-    ApplicationAttemptId applicationAttemptId = authorizeRequest();
+    ApplicationAttemptId applicationAttemptId =
+        authorizeRequest().getApplicationAttemptId();
 
     AllocateResponseLock lock = responseMap.get(applicationAttemptId);
     if (lock == null) {
@@ -408,7 +414,10 @@ public boolean hasApplicationMasterRegistered(
   public AllocateResponse allocate(AllocateRequest request)
       throws YarnException, IOException {
 
-    ApplicationAttemptId appAttemptId = authorizeRequest();
+    AMRMTokenIdentifier amrmTokenIdentifier = authorizeRequest();
+
+    ApplicationAttemptId appAttemptId =
+        amrmTokenIdentifier.getApplicationAttemptId();
 
     this.amLivelinessMonitor.receivedPing(appAttemptId);
 
@@ -557,6 +566,23 @@ public AllocateResponse allocate(AllocateRequest request)
       allocateResponse
           .setPreemptionMessage(generatePreemptionMessage(allocation));
 
+      // update AMRMToken if the token is rolled-up
+      MasterKeyData nextMasterKey =
+          this.rmContext.getAMRMTokenSecretManager().getNextMasterKeyData();
+
+      if (nextMasterKey != null
+          && nextMasterKey.getMasterKey().getKeyId() != amrmTokenIdentifier
+            .getKeyId()) {
+        Token<AMRMTokenIdentifier> amrmToken =
+            rmContext.getAMRMTokenSecretManager().createAndGetAMRMToken(
+              appAttemptId);
+        ((RMAppAttemptImpl)appAttempt).setAMRMToken(amrmToken);
+        allocateResponse.setAMRMToken(org.apache.hadoop.yarn.api.records.Token
+          .newInstance(amrmToken.getIdentifier(), amrmToken.getKind()
+            .toString(), amrmToken.getPassword(), amrmToken.getService()
+            .toString()));
+      }
+
       /*
        * As we are updating the response inside the lock object so we don't
        * need to worry about unregister call occurring in between (which
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java
index a1c1a40d1bf..0dd9ba15d24 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java
@@ -58,6 +58,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEventType;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptLaunchFailedEvent;
 import org.apache.hadoop.yarn.util.ConverterUtils;
 
@@ -226,7 +227,7 @@ private void setupTokens(
     }
 
     // Add AMRMToken
-    Token<AMRMTokenIdentifier> amrmToken = getAMRMToken();
+    Token<AMRMTokenIdentifier> amrmToken = createAndSetAMRMToken();
     if (amrmToken != null) {
       credentials.addToken(amrmToken.getService(), amrmToken);
     }
@@ -236,8 +237,12 @@ private void setupTokens(
   }
 
   @VisibleForTesting
-  protected Token<AMRMTokenIdentifier> getAMRMToken() {
-    return application.getAMRMToken();
+  protected Token<AMRMTokenIdentifier> createAndSetAMRMToken() {
+    Token<AMRMTokenIdentifier> amrmToken =
+        this.rmContext.getAMRMTokenSecretManager().createAndGetAMRMToken(
+          application.getAppAttemptId());
+    ((RMAppAttemptImpl)application).setAMRMToken(amrmToken);
+    return amrmToken;
   }
   
   @SuppressWarnings("unchecked")
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
index 2f8a944f666..d57669cce6e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
@@ -71,6 +71,10 @@
  * FileSystem interface. Does not use directories so that simple key-value
  * stores can be used. The retry policy for the real filesystem client must be
  * configured separately to enable retry of filesystem operations when needed.
+ *
+ * Changes from 1.1 to 1.2, AMRMTokenSecretManager state has been saved
+ * separately. The currentMasterkey and nextMasterkey have been stored.
+ * Also, AMRMToken has been removed from ApplicationAttemptState.
  */
 public class FileSystemRMStateStore extends RMStateStore {
 
@@ -78,7 +82,7 @@ public class FileSystemRMStateStore extends RMStateStore {
 
   protected static final String ROOT_DIR_NAME = "FSRMStateRoot";
   protected static final Version CURRENT_VERSION_INFO = Version
-    .newInstance(1, 1);
+    .newInstance(1, 2);
   protected static final String AMRMTOKEN_SECRET_MANAGER_NODE =
       "AMRMTokenSecretManagerNode";
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
index da08d80466d..876a2ea87d7 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
@@ -32,7 +32,6 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.Credentials;
-import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.delegation.DelegationKey;
 import org.apache.hadoop.service.AbstractService;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
@@ -45,7 +44,6 @@
 import org.apache.hadoop.yarn.event.AsyncDispatcher;
 import org.apache.hadoop.yarn.event.Dispatcher;
 import org.apache.hadoop.yarn.event.EventHandler;
-import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
 import org.apache.hadoop.yarn.server.records.Version;
 import org.apache.hadoop.yarn.server.resourcemanager.RMFatalEvent;
@@ -769,10 +767,7 @@ protected abstract void removeApplicationStateInternal(
   
   public Credentials getCredentialsFromAppAttempt(RMAppAttempt appAttempt) {
     Credentials credentials = new Credentials();
-    Token<AMRMTokenIdentifier> appToken = appAttempt.getAMRMToken();
-    if(appToken != null){
-      credentials.addToken(AM_RM_TOKEN_SERVICE, appToken);
-    }
+
     SecretKey clientTokenMasterKey =
         appAttempt.getClientTokenMasterKey();
     if(clientTokenMasterKey != null){
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
index bb379c5b8b9..1544dcc3458 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
@@ -78,6 +78,11 @@
 
 import com.google.common.annotations.VisibleForTesting;
 
+/**
+ * Changes from 1.1 to 1.2, AMRMTokenSecretManager state has been saved
+ * separately. The currentMasterkey and nextMasterkey have been stored.
+ * Also, AMRMToken has been removed from ApplicationAttemptState.
+ */
 @Private
 @Unstable
 public class ZKRMStateStore extends RMStateStore {
@@ -87,7 +92,7 @@ public class ZKRMStateStore extends RMStateStore {
 
   protected static final String ROOT_ZNODE_NAME = "ZKRMStateRoot";
   protected static final Version CURRENT_VERSION_INFO = Version
-      .newInstance(1, 1);
+      .newInstance(1, 2);
   private static final String RM_DELEGATION_TOKENS_ROOT_ZNODE_NAME =
       "RMDelegationTokensRoot";
   private static final String RM_DT_SEQUENTIAL_NUMBER_ZNODE_NAME =
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
index a37a441f8a3..46a9766a4a0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
@@ -37,6 +37,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -559,7 +560,22 @@ public SecretKey getClientTokenMasterKey() {
 
   @Override
   public Token<AMRMTokenIdentifier> getAMRMToken() {
-    return this.amrmToken;
+    this.readLock.lock();
+    try {
+      return this.amrmToken;
+    } finally {
+      this.readLock.unlock();
+    }
+  }
+
+  @Private
+  public void setAMRMToken(Token<AMRMTokenIdentifier> lastToken) {
+    this.writeLock.lock();
+    try {
+      this.amrmToken = lastToken;
+    } finally {
+      this.writeLock.unlock();
+    }
   }
 
   @Override
@@ -713,7 +729,8 @@ public void recover(RMState state) throws Exception {
       this.attemptMetrics.setIsPreempted();
     }
     setMasterContainer(attemptState.getMasterContainer());
-    recoverAppAttemptCredentials(attemptState.getAppAttemptCredentials());
+    recoverAppAttemptCredentials(attemptState.getAppAttemptCredentials(),
+      attemptState.getState());
     this.recoveredFinalState = attemptState.getState();
     this.originalTrackingUrl = attemptState.getFinalTrackingUrl();
     this.proxiedTrackingUrl = generateProxyUriWithScheme(originalTrackingUrl);
@@ -725,9 +742,11 @@ public void transferStateFromPreviousAttempt(RMAppAttempt attempt) {
     this.justFinishedContainers = attempt.getJustFinishedContainers();
   }
 
-  private void recoverAppAttemptCredentials(Credentials appAttemptTokens)
-      throws IOException {
-    if (appAttemptTokens == null) {
+  private void recoverAppAttemptCredentials(Credentials appAttemptTokens,
+      RMAppAttemptState state) throws IOException {
+    if (appAttemptTokens == null || state == RMAppAttemptState.FAILED
+        || state == RMAppAttemptState.FINISHED
+        || state == RMAppAttemptState.KILLED) {
       return;
     }
 
@@ -738,12 +757,9 @@ private void recoverAppAttemptCredentials(Credentials appAttemptTokens)
           .registerMasterKey(applicationAttemptId, clientTokenMasterKeyBytes);
     }
 
-    // Only one AMRMToken is stored per-attempt, so this should be fine. Can't
-    // use TokenSelector as service may change - think fail-over.
     this.amrmToken =
-        (Token<AMRMTokenIdentifier>) appAttemptTokens
-          .getToken(RMStateStore.AM_RM_TOKEN_SERVICE);
-    rmContext.getAMRMTokenSecretManager().addPersistedPassword(this.amrmToken);
+        rmContext.getAMRMTokenSecretManager().createAndGetAMRMToken(
+          applicationAttemptId);
   }
 
   private static class BaseTransition implements
@@ -779,11 +795,6 @@ public void transition(RMAppAttemptImpl appAttempt,
               .createMasterKey(appAttempt.applicationAttemptId);
       }
 
-      // create AMRMToken
-      appAttempt.amrmToken =
-          appAttempt.rmContext.getAMRMTokenSecretManager().createAndGetAMRMToken(
-            appAttempt.applicationAttemptId);
-
       // Add the applicationAttempt to the scheduler and inform the scheduler
       // whether to transfer the state from previous attempt.
       appAttempt.eventHandler.handle(new AppAttemptAddedSchedulerEvent(
@@ -896,6 +907,7 @@ private static final class AttemptStoredTransition extends BaseTransition {
     public void transition(RMAppAttemptImpl appAttempt,
                                                     RMAppAttemptEvent event) {
       appAttempt.checkAttemptStoreError(event);
+
       appAttempt.launchAttempt();
     }
   }
@@ -1185,11 +1197,12 @@ private static final class UnmanagedAMAttemptSavedTransition
     public void transition(RMAppAttemptImpl appAttempt,
                             RMAppAttemptEvent event) {
       appAttempt.checkAttemptStoreError(event);
-      // TODO Today unmanaged AM client is waiting for app state to be Accepted to
-      // launch the AM. This is broken since we changed to start the attempt
-      // after the application is Accepted. We may need to introduce an attempt
-      // report that client can rely on to query the attempt state and choose to
-      // launch the unmanaged AM.
+
+      // create AMRMToken
+      appAttempt.amrmToken =
+          appAttempt.rmContext.getAMRMTokenSecretManager().createAndGetAMRMToken(
+            appAttempt.applicationAttemptId);
+
       super.transition(appAttempt, event);
     }    
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/AMRMTokenSecretManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/AMRMTokenSecretManager.java
index a3132bc19e0..56143386b52 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/AMRMTokenSecretManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/AMRMTokenSecretManager.java
@@ -167,6 +167,11 @@ public void activateNextMasterKey() {
           + this.nextMasterKey.getMasterKey().getKeyId());
       this.currentMasterKey = this.nextMasterKey;
       this.nextMasterKey = null;
+      AMRMTokenSecretManagerState state =
+          AMRMTokenSecretManagerState.newInstance(
+            this.currentMasterKey.getMasterKey(), null);
+      rmContext.getStateStore().storeOrUpdateAMRMTokenSecretManagerState(state,
+        true);
     } finally {
       this.writeLock.unlock();
     }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java
index 6949a812b26..a7f624029b2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java
@@ -28,6 +28,7 @@
 import org.apache.hadoop.io.DataOutputBuffer;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
 import org.apache.hadoop.yarn.api.protocolrecords.FinishApplicationMasterRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationReportRequest;
@@ -53,6 +54,7 @@
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnException;
+import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
 import org.apache.hadoop.yarn.server.api.protocolrecords.NMContainerStatus;
 import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncherEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.ApplicationMasterLauncher;
@@ -62,6 +64,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEventType;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptLaunchFailedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
@@ -412,6 +415,13 @@ public MockAM sendAMLaunched(ApplicationAttemptId appAttemptId)
       throws Exception {
     MockAM am = new MockAM(getRMContext(), masterService, appAttemptId);
     am.waitForState(RMAppAttemptState.ALLOCATED);
+    //create and set AMRMToken
+    Token<AMRMTokenIdentifier> amrmToken =
+        this.rmContext.getAMRMTokenSecretManager().createAndGetAMRMToken(
+          appAttemptId);
+    ((RMAppAttemptImpl) this.rmContext.getRMApps()
+      .get(appAttemptId.getApplicationId()).getRMAppAttempt(appAttemptId))
+      .setAMRMToken(amrmToken);
     getRMContext()
         .getDispatcher()
         .getEventHandler()
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRMWithCustomAMLauncher.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRMWithCustomAMLauncher.java
index 0ea2b5ef4e9..0c4d2623009 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRMWithCustomAMLauncher.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRMWithCustomAMLauncher.java
@@ -59,8 +59,9 @@ protected ContainerManagementProtocol getContainerMgrProxy(
             return containerManager;
           }
           @Override
-          protected Token<AMRMTokenIdentifier> getAMRMToken() {
-            Token<AMRMTokenIdentifier> amRmToken = super.getAMRMToken();
+          protected Token<AMRMTokenIdentifier> createAndSetAMRMToken() {
+            Token<AMRMTokenIdentifier> amRmToken =
+                super.createAndSetAMRMToken();
             InetSocketAddress serviceAddr =
                 getConfig().getSocketAddr(
                   YarnConfiguration.RM_SCHEDULER_ADDRESS,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java
index dc3e9f18178..e60ac6adf21 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java
@@ -1208,18 +1208,13 @@ public void testAppAttemptTokensRestoredOnRMRestart() throws Exception {
     Assert.assertEquals(BuilderUtils.newContainerId(attemptId1, 1),
       attemptState.getMasterContainer().getId());
 
-    // the appToken and clientTokenMasterKey that are generated when
+    // the clientTokenMasterKey that are generated when
     // RMAppAttempt is created,
-    HashSet<Token<?>> tokenSet = new HashSet<Token<?>>();
-    tokenSet.add(attempt1.getAMRMToken());
     byte[] clientTokenMasterKey =
         attempt1.getClientTokenMasterKey().getEncoded();
 
     // assert application credentials are saved
     Credentials savedCredentials = attemptState.getAppAttemptCredentials();
-    HashSet<Token<?>> savedTokens = new HashSet<Token<?>>();
-    savedTokens.addAll(savedCredentials.getAllTokens());
-    Assert.assertEquals(tokenSet, savedTokens);
     Assert.assertArrayEquals("client token master key not saved",
         clientTokenMasterKey, savedCredentials.getSecretKey(
             RMStateStore.AM_CLIENT_TOKEN_MASTER_KEY_NAME));
@@ -1232,11 +1227,8 @@ public void testAppAttemptTokensRestoredOnRMRestart() throws Exception {
         rm2.getRMContext().getRMApps().get(app1.getApplicationId());
     RMAppAttempt loadedAttempt1 = loadedApp1.getRMAppAttempt(attemptId1);
 
-    // assert loaded attempt recovered attempt tokens
+    // assert loaded attempt recovered
     Assert.assertNotNull(loadedAttempt1);
-    savedTokens.clear();
-    savedTokens.add(loadedAttempt1.getAMRMToken());
-    Assert.assertEquals(tokenSet, savedTokens);
 
     // assert client token master key is recovered back to api-versioned
     // client token master key
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
index 5d3e51a398e..0da3c55b23e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
@@ -198,8 +198,6 @@ void testRMAppStateStore(RMStateStoreHelper stateStoreHelper)
     // create application token and client token key for attempt1
     Token<AMRMTokenIdentifier> appAttemptToken1 =
         generateAMRMToken(attemptId1, appTokenMgr);
-    HashSet<Token<?>> attemptTokenSet1 = new HashSet<Token<?>>();
-    attemptTokenSet1.add(appAttemptToken1);
     SecretKey clientTokenKey1 =
         clientToAMTokenMgr.createMasterKey(attemptId1);
 
@@ -214,8 +212,6 @@ void testRMAppStateStore(RMStateStoreHelper stateStoreHelper)
     // create application token and client token key for attempt2
     Token<AMRMTokenIdentifier> appAttemptToken2 =
         generateAMRMToken(attemptId2, appTokenMgr);
-    HashSet<Token<?>> attemptTokenSet2 = new HashSet<Token<?>>();
-    attemptTokenSet2.add(appAttemptToken2);
     SecretKey clientTokenKey2 =
         clientToAMTokenMgr.createMasterKey(attemptId2);
 
@@ -280,10 +276,6 @@ void testRMAppStateStore(RMStateStoreHelper stateStoreHelper)
     assertEquals(-1000, attemptState.getAMContainerExitStatus());
     // attempt1 container is loaded correctly
     assertEquals(containerId1, attemptState.getMasterContainer().getId());
-    // attempt1 applicationToken is loaded correctly
-    HashSet<Token<?>> savedTokens = new HashSet<Token<?>>();
-    savedTokens.addAll(attemptState.getAppAttemptCredentials().getAllTokens());
-    assertEquals(attemptTokenSet1, savedTokens);
     // attempt1 client token master key is loaded correctly
     assertArrayEquals(clientTokenKey1.getEncoded(),
         attemptState.getAppAttemptCredentials()
@@ -295,10 +287,6 @@ void testRMAppStateStore(RMStateStoreHelper stateStoreHelper)
     assertEquals(attemptId2, attemptState.getAttemptId());
     // attempt2 container is loaded correctly
     assertEquals(containerId2, attemptState.getMasterContainer().getId());
-    // attempt2 applicationToken is loaded correctly
-    savedTokens.clear();
-    savedTokens.addAll(attemptState.getAppAttemptCredentials().getAllTokens());
-    assertEquals(attemptTokenSet2, savedTokens);
     // attempt2 client token master key is loaded correctly
     assertArrayEquals(clientTokenKey2.getEncoded(),
         attemptState.getAppAttemptCredentials()
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
index 95dfb025e31..9a2fed8aeb6 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
@@ -349,7 +349,6 @@ private void testAppAttemptSubmittedState() {
       assertNull(applicationAttempt.createClientToken("some client"));
     }
     assertNull(applicationAttempt.createClientToken(null));
-    assertNotNull(applicationAttempt.getAMRMToken());
     // Check events
     verify(masterService).
         registerAppAttempt(applicationAttempt.getAppAttemptId());
@@ -445,7 +444,6 @@ private void testAppAttemptAllocatedState(Container amContainer) {
     assertEquals(RMAppAttemptState.ALLOCATED, 
         applicationAttempt.getAppAttemptState());
     assertEquals(amContainer, applicationAttempt.getMasterContainer());
-    
     // Check events
     verify(applicationMasterLauncher).handle(any(AMLauncherEvent.class));
     verify(scheduler, times(2)).
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestAMRMTokens.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestAMRMTokens.java
index 14385c4c69b..b3dc35f3cfd 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestAMRMTokens.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestAMRMTokens.java
@@ -18,15 +18,16 @@
 
 package org.apache.hadoop.yarn.server.resourcemanager.security;
 
+import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.security.PrivilegedAction;
 import java.util.Arrays;
 import java.util.Collection;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -34,6 +35,7 @@
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.yarn.api.ApplicationMasterProtocol;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateRequest;
+import org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse;
 import org.apache.hadoop.yarn.api.protocolrecords.FinishApplicationMasterRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.RegisterApplicationMasterRequest;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
@@ -43,6 +45,7 @@
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.ipc.YarnRPC;
 import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
+import org.apache.hadoop.yarn.server.resourcemanager.MockAM;
 import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
 import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
 import org.apache.hadoop.yarn.server.resourcemanager.TestAMAuthorization.MockRMWithAMS;
@@ -53,6 +56,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptContainerFinishedEvent;
 import org.apache.hadoop.yarn.server.security.MasterKeyData;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
+import org.apache.hadoop.yarn.util.ConverterUtils;
 import org.apache.hadoop.yarn.util.Records;
 import org.junit.Assert;
 import org.junit.Test;
@@ -328,6 +332,51 @@ public void testMasterKeyRollOver() throws Exception {
     }
   }
 
+  @Test (timeout = 20000)
+  public void testAMRMMasterKeysUpdate() throws Exception {
+    MockRM rm = new MockRM(conf) {
+      @Override
+      protected void doSecureLogin() throws IOException {
+        // Skip the login.
+      }
+    };
+    rm.start();
+    MockNM nm = rm.registerNode("127.0.0.1:1234", 8000);
+    RMApp app = rm.submitApp(200);
+    MockAM am = MockRM.launchAndRegisterAM(app, rm, nm);
+
+    // Do allocate. Should not update AMRMToken
+    AllocateResponse response =
+        am.allocate(Records.newRecord(AllocateRequest.class));
+    Assert.assertNull(response.getAMRMToken());
+
+    // roll over the master key
+    // Do allocate again. the AM should get the latest AMRMToken
+    rm.getRMContext().getAMRMTokenSecretManager().rollMasterKey();
+    response = am.allocate(Records.newRecord(AllocateRequest.class));
+    Assert.assertNotNull(response.getAMRMToken());
+
+    Token<AMRMTokenIdentifier> amrmToken =
+        ConverterUtils.convertFromYarn(response.getAMRMToken(), new Text(
+          response.getAMRMToken().getService()));
+
+    Assert.assertEquals(amrmToken.decodeIdentifier().getKeyId(), rm
+      .getRMContext().getAMRMTokenSecretManager().getMasterKey().getMasterKey()
+      .getKeyId());
+
+    // Do allocate again. The master key does not update.
+    // AM should not update its AMRMToken either
+    response = am.allocate(Records.newRecord(AllocateRequest.class));
+    Assert.assertNull(response.getAMRMToken());
+
+    // Activate the next master key. Since there is new master key generated
+    // in AMRMTokenSecretManager. The AMRMToken will not get updated for AM
+    rm.getRMContext().getAMRMTokenSecretManager().activateNextMasterKey();
+    response = am.allocate(Records.newRecord(AllocateRequest.class));
+    Assert.assertNull(response.getAMRMToken());
+    rm.stop();
+  }
+
   private ApplicationMasterProtocol createRMClient(final MockRM rm,
       final Configuration conf, final YarnRPC rpc,
       UserGroupInformation currentUser) {

From 021ae471153ce2566924b0f6d29809669074c06d Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Fri, 8 Aug 2014 23:10:11 +0000
Subject: [PATCH 172/354] HADOOP-10862. Miscellaneous trivial corrections to
 KMS classes. (asuresh via tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616903 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  3 +
 .../crypto/key/kms/KMSClientProvider.java     |  4 +-
 .../crypto/key/kms/KMSRESTConstants.java      |  2 +-
 .../hadoop/crypto/key/kms/server/KMS.java     | 80 +++++++++----------
 .../crypto/key/kms/server/KMSAudit.java       | 25 +++---
 .../key/kms/server/KMSConfiguration.java      |  2 +
 .../crypto/key/kms/server/KMSJMXServlet.java  |  3 +
 .../crypto/key/kms/server/TestKMSAudit.java   | 35 ++++----
 8 files changed, 79 insertions(+), 75 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 84a35228e9f..104f2b77285 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -421,6 +421,9 @@ Trunk (Unreleased)
     HADOOP-10939. Fix TestKeyProviderFactory testcases to use default 128 bit
     length keys. (Arun Suresh via wang)
 
+    HADOOP-10862. Miscellaneous trivial corrections to KMS classes. 
+    (asuresh via tucu)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index c5624ee1c41..cf5b11315fa 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -512,7 +512,7 @@ private List<String[]> createKeySets(String[] keyNames) {
     List<String> batch = new ArrayList<String>();
     int batchLen = 0;
     for (String name : keyNames) {
-      int additionalLen = KMSRESTConstants.KEY_OP.length() + 1 + name.length();
+      int additionalLen = KMSRESTConstants.KEY.length() + 1 + name.length();
       batchLen += additionalLen;
       // topping at 1500 to account for initial URL and encoded names
       if (batchLen > 1500) {
@@ -536,7 +536,7 @@ public Metadata[] getKeysMetadata(String ... keyNames) throws IOException {
     for (String[] keySet : keySets) {
       if (keyNames.length > 0) {
         Map<String, Object> queryStr = new HashMap<String, Object>();
-        queryStr.put(KMSRESTConstants.KEY_OP, keySet);
+        queryStr.put(KMSRESTConstants.KEY, keySet);
         URL url = createURL(KMSRESTConstants.KEYS_METADATA_RESOURCE, null,
             null, queryStr);
         HttpURLConnection conn = createConnection(url, HTTP_GET);
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSRESTConstants.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSRESTConstants.java
index b949ab91b52..b7d78987351 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSRESTConstants.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSRESTConstants.java
@@ -37,7 +37,7 @@ public class KMSRESTConstants {
   public static final String EEK_SUB_RESOURCE = "_eek";
   public static final String CURRENT_VERSION_SUB_RESOURCE = "_currentversion";
 
-  public static final String KEY_OP = "key";
+  public static final String KEY = "key";
   public static final String EEK_OP = "eek_op";
   public static final String EEK_GENERATE = "generate";
   public static final String EEK_DECRYPT = "decrypt";
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
index 9c4e7940929..08cb91f6504 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
@@ -47,7 +47,6 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.Principal;
-import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
@@ -59,19 +58,14 @@
 @Path(KMSRESTConstants.SERVICE_VERSION)
 @InterfaceAudience.Private
 public class KMS {
-  public static final String CREATE_KEY = "CREATE_KEY";
-  public static final String DELETE_KEY = "DELETE_KEY";
-  public static final String ROLL_NEW_VERSION = "ROLL_NEW_VERSION";
-  public static final String GET_KEYS = "GET_KEYS";
-  public static final String GET_KEYS_METADATA = "GET_KEYS_METADATA";
-  public static final String GET_KEY_VERSIONS = "GET_KEY_VERSIONS";
-  public static final String GET_METADATA = "GET_METADATA";
 
-  public static final String GET_KEY_VERSION = "GET_KEY_VERSION";
-  public static final String GET_CURRENT_KEY = "GET_CURRENT_KEY";
-  public static final String GENERATE_EEK = "GENERATE_EEK";
-  public static final String DECRYPT_EEK = "DECRYPT_EEK";
-  
+  public static enum KMSOp {
+    CREATE_KEY, DELETE_KEY, ROLL_NEW_VERSION,
+    GET_KEYS, GET_KEYS_METADATA,
+    GET_KEY_VERSIONS, GET_METADATA, GET_KEY_VERSION, GET_CURRENT_KEY,
+    GENERATE_EEK, DECRYPT_EEK
+  }
+
   private KeyProviderCryptoExtension provider;
   private KMSAudit kmsAudit;
 
@@ -91,22 +85,22 @@ private static Principal getPrincipal(SecurityContext securityContext)
 
 
   private static final String UNAUTHORIZED_MSG_WITH_KEY = 
-      "User:{0} not allowed to do ''{1}'' on ''{2}''";
+      "User:%s not allowed to do '%s' on '%s'";
   
   private static final String UNAUTHORIZED_MSG_WITHOUT_KEY = 
-      "User:{0} not allowed to do ''{1}''";
+      "User:%s not allowed to do '%s'";
 
   private void assertAccess(KMSACLs.Type aclType, Principal principal,
-      String operation) throws AccessControlException {
+      KMSOp operation) throws AccessControlException {
     assertAccess(aclType, principal, operation, null);
   }
 
   private void assertAccess(KMSACLs.Type aclType, Principal principal,
-      String operation, String key) throws AccessControlException {
+      KMSOp operation, String key) throws AccessControlException {
     if (!KMSWebApp.getACLs().hasAccess(aclType, principal.getName())) {
       KMSWebApp.getUnauthorizedCallsMeter().mark();
       kmsAudit.unauthorized(principal, operation, key);
-      throw new AuthorizationException(MessageFormat.format(
+      throw new AuthorizationException(String.format(
           (key != null) ? UNAUTHORIZED_MSG_WITH_KEY 
                         : UNAUTHORIZED_MSG_WITHOUT_KEY,
           principal.getName(), operation, key));
@@ -135,7 +129,7 @@ public Response createKey(@Context SecurityContext securityContext,
     Principal user = getPrincipal(securityContext);
     String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
     KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
-    assertAccess(KMSACLs.Type.CREATE, user, CREATE_KEY, name);
+    assertAccess(KMSACLs.Type.CREATE, user, KMSOp.CREATE_KEY, name);
     String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD);
     String material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
     int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD))
@@ -146,7 +140,7 @@ public Response createKey(@Context SecurityContext securityContext,
         jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD);
     if (material != null) {
       assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
-          CREATE_KEY + " with user provided material", name);
+          KMSOp.CREATE_KEY, name);
     }
     KeyProvider.Options options = new KeyProvider.Options(
         KMSWebApp.getConfiguration());
@@ -165,7 +159,7 @@ public Response createKey(@Context SecurityContext securityContext,
 
     provider.flush();
 
-    kmsAudit.ok(user, CREATE_KEY, name, "UserProvidedMaterial:" +
+    kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" +
         (material != null) + " Description:" + description);
 
     if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user.getName())) {
@@ -186,12 +180,12 @@ public Response deleteKey(@Context SecurityContext securityContext,
       @PathParam("name") String name) throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
     Principal user = getPrincipal(securityContext);
-    assertAccess(KMSACLs.Type.DELETE, user, DELETE_KEY, name);
+    assertAccess(KMSACLs.Type.DELETE, user, KMSOp.DELETE_KEY, name);
     KMSClientProvider.checkNotEmpty(name, "name");
     provider.deleteKey(name);
     provider.flush();
 
-    kmsAudit.ok(user, DELETE_KEY, name, "");
+    kmsAudit.ok(user, KMSOp.DELETE_KEY, name, "");
 
     return Response.ok().build();
   }
@@ -205,13 +199,13 @@ public Response rolloverKey(@Context SecurityContext securityContext,
       throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
     Principal user = getPrincipal(securityContext);
-    assertAccess(KMSACLs.Type.ROLLOVER, user, ROLL_NEW_VERSION, name);
+    assertAccess(KMSACLs.Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name);
     KMSClientProvider.checkNotEmpty(name, "name");
     String material = (String)
         jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD);
     if (material != null) {
       assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
-          ROLL_NEW_VERSION + " with user provided material", name);
+          KMSOp.ROLL_NEW_VERSION, name);
     }
     KeyProvider.KeyVersion keyVersion = (material != null)
         ? provider.rollNewVersion(name, Base64.decodeBase64(material))
@@ -219,7 +213,7 @@ public Response rolloverKey(@Context SecurityContext securityContext,
 
     provider.flush();
 
-    kmsAudit.ok(user, ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
+    kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
         (material != null) + " NewVersion:" + keyVersion.getVersionName());
 
     if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user.getName())) {
@@ -233,15 +227,15 @@ public Response rolloverKey(@Context SecurityContext securityContext,
   @Path(KMSRESTConstants.KEYS_METADATA_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
   public Response getKeysMetadata(@Context SecurityContext securityContext,
-      @QueryParam(KMSRESTConstants.KEY_OP) List<String> keyNamesList)
+      @QueryParam(KMSRESTConstants.KEY) List<String> keyNamesList)
       throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
     Principal user = getPrincipal(securityContext);
     String[] keyNames = keyNamesList.toArray(new String[keyNamesList.size()]);
-    assertAccess(KMSACLs.Type.GET_METADATA, user, GET_KEYS_METADATA);
+    assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA);
     KeyProvider.Metadata[] keysMeta = provider.getKeysMetadata(keyNames);
     Object json = KMSServerJSONUtils.toJSON(keyNames, keysMeta);
-    kmsAudit.ok(user, GET_KEYS_METADATA, "");
+    kmsAudit.ok(user, KMSOp.GET_KEYS_METADATA, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
@@ -252,9 +246,9 @@ public Response getKeyNames(@Context SecurityContext securityContext)
       throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
     Principal user = getPrincipal(securityContext);
-    assertAccess(KMSACLs.Type.GET_KEYS, user, GET_KEYS);
+    assertAccess(KMSACLs.Type.GET_KEYS, user, KMSOp.GET_KEYS);
     Object json = provider.getKeys();
-    kmsAudit.ok(user, GET_KEYS, "");
+    kmsAudit.ok(user, KMSOp.GET_KEYS, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
@@ -276,9 +270,9 @@ public Response getMetadata(@Context SecurityContext securityContext,
     Principal user = getPrincipal(securityContext);
     KMSClientProvider.checkNotEmpty(name, "name");
     KMSWebApp.getAdminCallsMeter().mark();
-    assertAccess(KMSACLs.Type.GET_METADATA, user, GET_METADATA, name);
+    assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_METADATA, name);
     Object json = KMSServerJSONUtils.toJSON(name, provider.getMetadata(name));
-    kmsAudit.ok(user, GET_METADATA, name, "");
+    kmsAudit.ok(user, KMSOp.GET_METADATA, name, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
@@ -292,9 +286,9 @@ public Response getCurrentVersion(@Context SecurityContext securityContext,
     Principal user = getPrincipal(securityContext);
     KMSClientProvider.checkNotEmpty(name, "name");
     KMSWebApp.getKeyCallsMeter().mark();
-    assertAccess(KMSACLs.Type.GET, user, GET_CURRENT_KEY, name);
+    assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_CURRENT_KEY, name);
     Object json = KMSServerJSONUtils.toJSON(provider.getCurrentKey(name));
-    kmsAudit.ok(user, GET_CURRENT_KEY, name, "");
+    kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
@@ -308,9 +302,9 @@ public Response getKeyVersion(@Context SecurityContext securityContext,
     KMSClientProvider.checkNotEmpty(versionName, "versionName");
     KMSWebApp.getKeyCallsMeter().mark();
     KeyVersion keyVersion = provider.getKeyVersion(versionName);
-    assertAccess(KMSACLs.Type.GET, user, GET_KEY_VERSION);
+    assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSION);
     if (keyVersion != null) {
-      kmsAudit.ok(user, GET_KEY_VERSION, keyVersion.getName(), "");
+      kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
     }
     Object json = KMSServerJSONUtils.toJSON(keyVersion);
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
@@ -334,7 +328,7 @@ public Response generateEncryptedKeys(
 
     Object retJSON;
     if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) {
-      assertAccess(KMSACLs.Type.GENERATE_EEK, user, GENERATE_EEK, name);
+      assertAccess(KMSACLs.Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name);
 
       List<EncryptedKeyVersion> retEdeks =
           new LinkedList<EncryptedKeyVersion>();
@@ -345,7 +339,7 @@ public Response generateEncryptedKeys(
       } catch (Exception e) {
         throw new IOException(e);
       }
-      kmsAudit.ok(user, GENERATE_EEK, name, "");
+      kmsAudit.ok(user, KMSOp.GENERATE_EEK, name, "");
       retJSON = new ArrayList();
       for (EncryptedKeyVersion edek : retEdeks) {
         ((ArrayList)retJSON).add(KMSServerJSONUtils.toJSON(edek));
@@ -380,7 +374,7 @@ public Response decryptEncryptedKey(@Context SecurityContext securityContext,
         (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
     Object retJSON;
     if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
-      assertAccess(KMSACLs.Type.DECRYPT_EEK, user, DECRYPT_EEK, keyName);
+      assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
       KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
       byte[] iv = Base64.decodeBase64(ivStr);
       KMSClientProvider.checkNotNull(encMaterialStr,
@@ -391,7 +385,7 @@ public Response decryptEncryptedKey(@Context SecurityContext securityContext,
               new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName,
                   iv, KeyProviderCryptoExtension.EEK, encMaterial));
       retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
-      kmsAudit.ok(user, DECRYPT_EEK, keyName, "");
+      kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
     } else {
       throw new IllegalArgumentException("Wrong " + KMSRESTConstants.EEK_OP +
           " value, it must be " + KMSRESTConstants.EEK_GENERATE + " or " +
@@ -412,9 +406,9 @@ public Response getKeyVersions(@Context SecurityContext securityContext,
     Principal user = getPrincipal(securityContext);
     KMSClientProvider.checkNotEmpty(name, "name");
     KMSWebApp.getKeyCallsMeter().mark();
-    assertAccess(KMSACLs.Type.GET, user, GET_KEY_VERSIONS, name);
+    assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSIONS, name);
     Object json = KMSServerJSONUtils.toJSON(provider.getKeyVersions(name));
-    kmsAudit.ok(user, GET_KEY_VERSIONS, name, "");
+    kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
index 3d387eb354b..30d340d785a 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
@@ -50,11 +50,11 @@ private static class AuditEvent {
     private final AtomicLong accessCount = new AtomicLong(-1);
     private final String keyName;
     private final String user;
-    private final String op;
+    private final KMS.KMSOp op;
     private final String extraMsg;
     private final long startTime = System.currentTimeMillis();
 
-    private AuditEvent(String keyName, String user, String op, String msg) {
+    private AuditEvent(String keyName, String user, KMS.KMSOp op, String msg) {
       this.keyName = keyName;
       this.user = user;
       this.op = op;
@@ -77,7 +77,7 @@ public String getUser() {
       return user;
     }
 
-    public String getOp() {
+    public KMS.KMSOp getOp() {
       return op;
     }
 
@@ -90,8 +90,9 @@ public static enum OpStatus {
     OK, UNAUTHORIZED, UNAUTHENTICATED, ERROR;
   }
 
-  private static Set<String> AGGREGATE_OPS_WHITELIST = Sets.newHashSet(
-    KMS.GET_KEY_VERSION, KMS.GET_CURRENT_KEY, KMS.DECRYPT_EEK, KMS.GENERATE_EEK
+  private static Set<KMS.KMSOp> AGGREGATE_OPS_WHITELIST = Sets.newHashSet(
+    KMS.KMSOp.GET_KEY_VERSION, KMS.KMSOp.GET_CURRENT_KEY,
+    KMS.KMSOp.DECRYPT_EEK, KMS.KMSOp.GENERATE_EEK
   );
 
   private Cache<String, AuditEvent> cache;
@@ -137,10 +138,10 @@ private void logEvent(AuditEvent event) {
         event.getExtraMsg());
   }
 
-  private void op(OpStatus opStatus, final String op, final String user,
+  private void op(OpStatus opStatus, final KMS.KMSOp op, final String user,
       final String key, final String extraMsg) {
     if (!Strings.isNullOrEmpty(user) && !Strings.isNullOrEmpty(key)
-        && !Strings.isNullOrEmpty(op)
+        && (op != null)
         && AGGREGATE_OPS_WHITELIST.contains(op)) {
       String cacheKey = createCacheKey(user, key, op);
       if (opStatus == OpStatus.UNAUTHORIZED) {
@@ -167,7 +168,7 @@ public AuditEvent call() throws Exception {
       }
     } else {
       List<String> kvs = new LinkedList<String>();
-      if (!Strings.isNullOrEmpty(op)) {
+      if (op != null) {
         kvs.add("op=" + op);
       }
       if (!Strings.isNullOrEmpty(key)) {
@@ -185,16 +186,16 @@ public AuditEvent call() throws Exception {
     }
   }
 
-  public void ok(Principal user, String op, String key,
+  public void ok(Principal user, KMS.KMSOp op, String key,
       String extraMsg) {
     op(OpStatus.OK, op, user.getName(), key, extraMsg);
   }
 
-  public void ok(Principal user, String op, String extraMsg) {
+  public void ok(Principal user, KMS.KMSOp op, String extraMsg) {
     op(OpStatus.OK, op, user.getName(), null, extraMsg);
   }
 
-  public void unauthorized(Principal user, String op, String key) {
+  public void unauthorized(Principal user, KMS.KMSOp op, String key) {
     op(OpStatus.UNAUTHORIZED, op, user.getName(), key, "");
   }
 
@@ -211,7 +212,7 @@ public void unauthenticated(String remoteHost, String method,
         + " URL:" + url + " ErrorMsg:'" + extraMsg + "'");
   }
 
-  private static String createCacheKey(String user, String key, String op) {
+  private static String createCacheKey(String user, String key, KMS.KMSOp op) {
     return user + "#" + key + "#" + op;
   }
 
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
index 30d742e7fe8..35dccfc489f 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.crypto.key.kms.server;
 
+import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 
 import java.io.File;
@@ -26,6 +27,7 @@
 /**
  * Utility class to load KMS configuration files.
  */
+@InterfaceAudience.Private
 public class KMSConfiguration {
 
   public static final String KMS_CONFIG_DIR = "kms.config.dir";
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java
index c8556af193e..6918015a90e 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java
@@ -17,12 +17,15 @@
  */
 package org.apache.hadoop.crypto.key.kms.server;
 
+import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.jmx.JMXJsonServlet;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+
 import java.io.IOException;
 
+@InterfaceAudience.Private
 public class KMSJMXServlet extends JMXJsonServlet {
 
   @Override
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
index b5d9a36d198..857884d4e14 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
@@ -23,6 +23,7 @@
 import java.io.PrintStream;
 import java.security.Principal;
 
+import org.apache.hadoop.crypto.key.kms.server.KMS.KMSOp;
 import org.apache.log4j.LogManager;
 import org.apache.log4j.PropertyConfigurator;
 import org.junit.After;
@@ -82,16 +83,16 @@ private String getAndResetLogOutput() {
   public void testAggregation() throws Exception {
     Principal luser = Mockito.mock(Principal.class);
     Mockito.when(luser.getName()).thenReturn("luser");
-    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
-    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
-    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
-    kmsAudit.ok(luser, KMS.DELETE_KEY, "k1", "testmsg");
-    kmsAudit.ok(luser, KMS.ROLL_NEW_VERSION, "k1", "testmsg");
-    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
-    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
-    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMSOp.DELETE_KEY, "k1", "testmsg");
+    kmsAudit.ok(luser, KMSOp.ROLL_NEW_VERSION, "k1", "testmsg");
+    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
     Thread.sleep(1500);
-    kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
+    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
     Thread.sleep(1500);
     String out = getAndResetLogOutput();
     System.out.println(out);
@@ -110,15 +111,15 @@ public void testAggregation() throws Exception {
   public void testAggregationUnauth() throws Exception {
     Principal luser = Mockito.mock(Principal.class);
     Mockito.when(luser.getName()).thenReturn("luser");
-    kmsAudit.unauthorized(luser, KMS.GENERATE_EEK, "k2");
+    kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k2");
     Thread.sleep(1000);
-    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
-    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
-    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
-    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
-    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
-    kmsAudit.unauthorized(luser, KMS.GENERATE_EEK, "k3");
-    kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
+    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
+    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
+    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
+    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
+    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
+    kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k3");
+    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
     Thread.sleep(2000);
     String out = getAndResetLogOutput();
     System.out.println(out);

From 74fe84393d9a8c412f69bbf0cd0ad06f3cc85e85 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Sat, 9 Aug 2014 00:00:32 +0000
Subject: [PATCH 173/354] HADOOP-10224. JavaKeyStoreProvider has to protect
 against corrupting underlying store. (asuresh via tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616908 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   3 +
 .../crypto/key/JavaKeyStoreProvider.java      | 247 ++++++++++++++++--
 .../crypto/key/TestKeyProviderFactory.java    |  65 +++++
 3 files changed, 296 insertions(+), 19 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 104f2b77285..849857664c7 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -199,6 +199,9 @@ Trunk (Unreleased)
 
     HADOOP-10936. Change default KeyProvider bitlength to 128. (wang)
 
+    HADOOP-10224. JavaKeyStoreProvider has to protect against corrupting 
+    underlying store. (asuresh via tucu)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java
index 529a21287ce..250315177a2 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java
@@ -27,8 +27,11 @@
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.security.ProviderUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import javax.crypto.spec.SecretKeySpec;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
@@ -80,6 +83,9 @@
 @InterfaceAudience.Private
 public class JavaKeyStoreProvider extends KeyProvider {
   private static final String KEY_METADATA = "KeyMetadata";
+  private static Logger LOG =
+      LoggerFactory.getLogger(JavaKeyStoreProvider.class);
+
   public static final String SCHEME_NAME = "jceks";
 
   public static final String KEYSTORE_PASSWORD_FILE_KEY =
@@ -115,6 +121,10 @@ private JavaKeyStoreProvider(URI uri, Configuration conf) throws IOException {
       if (pwFile != null) {
         ClassLoader cl = Thread.currentThread().getContextClassLoader();
         URL pwdFile = cl.getResource(pwFile);
+        if (pwdFile == null) {
+          // Provided Password file does not exist
+          throw new IOException("Password file does not exists");
+        }
         if (pwdFile != null) {
           InputStream is = pwdFile.openStream();
           try {
@@ -129,19 +139,25 @@ private JavaKeyStoreProvider(URI uri, Configuration conf) throws IOException {
       password = KEYSTORE_PASSWORD_DEFAULT;
     }
     try {
+      Path oldPath = constructOldPath(path);
+      Path newPath = constructNewPath(path);
       keyStore = KeyStore.getInstance(SCHEME_NAME);
+      FsPermission perm = null;
       if (fs.exists(path)) {
-        // save off permissions in case we need to
-        // rewrite the keystore in flush()
-        FileStatus s = fs.getFileStatus(path);
-        permissions = s.getPermission();
-
-        keyStore.load(fs.open(path), password);
+        // flush did not proceed to completion
+        // _NEW should not exist
+        if (fs.exists(newPath)) {
+          throw new IOException(
+              String.format("Keystore not loaded due to some inconsistency "
+              + "('%s' and '%s' should not exist together)!!", path, newPath));
+        }
+        perm = tryLoadFromPath(path, oldPath);
       } else {
-        permissions = new FsPermission("700");
-        // required to create an empty keystore. *sigh*
-        keyStore.load(null, password);
+        perm = tryLoadIncompleteFlush(oldPath, newPath);
       }
+      // Need to save off permissions in case we need to
+      // rewrite the keystore in flush()
+      permissions = perm;
     } catch (KeyStoreException e) {
       throw new IOException("Can't create keystore", e);
     } catch (NoSuchAlgorithmException e) {
@@ -154,6 +170,136 @@ private JavaKeyStoreProvider(URI uri, Configuration conf) throws IOException {
     writeLock = lock.writeLock();
   }
 
+  /**
+   * Try loading from the user specified path, else load from the backup
+   * path in case Exception is not due to bad/wrong password
+   * @param path Actual path to load from
+   * @param backupPath Backup path (_OLD)
+   * @return The permissions of the loaded file
+   * @throws NoSuchAlgorithmException
+   * @throws CertificateException
+   * @throws IOException
+   */
+  private FsPermission tryLoadFromPath(Path path, Path backupPath)
+      throws NoSuchAlgorithmException, CertificateException,
+      IOException {
+    FsPermission perm = null;
+    try {
+      perm = loadFromPath(path, password);
+      // Remove _OLD if exists
+      if (fs.exists(backupPath)) {
+        fs.delete(backupPath, true);
+      }
+      LOG.debug("KeyStore loaded successfully !!");
+    } catch (IOException ioe) {
+      // If file is corrupted for some reason other than
+      // wrong password try the _OLD file if exits
+      if (!isBadorWrongPassword(ioe)) {
+        perm = loadFromPath(backupPath, password);
+        // Rename CURRENT to CORRUPTED
+        renameOrFail(path, new Path(path.toString() + "_CORRUPTED_"
+            + System.currentTimeMillis()));
+        renameOrFail(backupPath, path);
+        LOG.debug(String.format(
+            "KeyStore loaded successfully from '%s' since '%s'"
+                + "was corrupted !!", backupPath, path));
+      } else {
+        throw ioe;
+      }
+    }
+    return perm;
+  }
+
+  /**
+   * The KeyStore might have gone down during a flush, In which case either the
+   * _NEW or _OLD files might exists. This method tries to load the KeyStore
+   * from one of these intermediate files.
+   * @param oldPath the _OLD file created during flush
+   * @param newPath the _NEW file created during flush
+   * @return The permissions of the loaded file
+   * @throws IOException
+   * @throws NoSuchAlgorithmException
+   * @throws CertificateException
+   */
+  private FsPermission tryLoadIncompleteFlush(Path oldPath, Path newPath)
+      throws IOException, NoSuchAlgorithmException, CertificateException {
+    FsPermission perm = null;
+    // Check if _NEW exists (in case flush had finished writing but not
+    // completed the re-naming)
+    if (fs.exists(newPath)) {
+      perm = loadAndReturnPerm(newPath, oldPath);
+    }
+    // try loading from _OLD (An earlier Flushing MIGHT not have completed
+    // writing completely)
+    if ((perm == null) && fs.exists(oldPath)) {
+      perm = loadAndReturnPerm(oldPath, newPath);
+    }
+    // If not loaded yet,
+    // required to create an empty keystore. *sigh*
+    if (perm == null) {
+      keyStore.load(null, password);
+      LOG.debug("KeyStore initialized anew successfully !!");
+      perm = new FsPermission("700");
+    }
+    return perm;
+  }
+
+  private FsPermission loadAndReturnPerm(Path pathToLoad, Path pathToDelete)
+      throws NoSuchAlgorithmException, CertificateException,
+      IOException {
+    FsPermission perm = null;
+    try {
+      perm = loadFromPath(pathToLoad, password);
+      renameOrFail(pathToLoad, path);
+      LOG.debug(String.format("KeyStore loaded successfully from '%s'!!",
+          pathToLoad));
+      if (fs.exists(pathToDelete)) {
+        fs.delete(pathToDelete, true);
+      }
+    } catch (IOException e) {
+      // Check for password issue : don't want to trash file due
+      // to wrong password
+      if (isBadorWrongPassword(e)) {
+        throw e;
+      }
+    }
+    return perm;
+  }
+
+  private boolean isBadorWrongPassword(IOException ioe) {
+    // As per documentation this is supposed to be the way to figure
+    // if password was correct
+    if (ioe.getCause() instanceof UnrecoverableKeyException) {
+      return true;
+    }
+    // Unfortunately that doesn't seem to work..
+    // Workaround :
+    if ((ioe.getCause() == null)
+        && (ioe.getMessage() != null)
+        && ((ioe.getMessage().contains("Keystore was tampered")) || (ioe
+            .getMessage().contains("password was incorrect")))) {
+      return true;
+    }
+    return false;
+  }
+
+  private FsPermission loadFromPath(Path p, char[] password)
+      throws IOException, NoSuchAlgorithmException, CertificateException {
+    FileStatus s = fs.getFileStatus(p);
+    keyStore.load(fs.open(p), password);
+    return s.getPermission();
+  }
+
+  private Path constructNewPath(Path path) {
+    Path newPath = new Path(path.toString() + "_NEW");
+    return newPath;
+  }
+
+  private Path constructOldPath(Path path) {
+    Path oldPath = new Path(path.toString() + "_OLD");
+    return oldPath;
+  }
+
   @Override
   public KeyVersion getKeyVersion(String versionName) throws IOException {
     readLock.lock();
@@ -352,11 +498,22 @@ public KeyVersion rollNewVersion(String name,
 
   @Override
   public void flush() throws IOException {
+    Path newPath = constructNewPath(path);
+    Path oldPath = constructOldPath(path);
     writeLock.lock();
     try {
       if (!changed) {
         return;
       }
+      // Might exist if a backup has been restored etc.
+      if (fs.exists(newPath)) {
+        renameOrFail(newPath, new Path(newPath.toString()
+            + "_ORPHANED_" + System.currentTimeMillis()));
+      }
+      if (fs.exists(oldPath)) {
+        renameOrFail(oldPath, new Path(oldPath.toString()
+            + "_ORPHANED_" + System.currentTimeMillis()));
+      }
       // put all of the updates into the keystore
       for(Map.Entry<String, Metadata> entry: cache.entrySet()) {
         try {
@@ -366,25 +523,77 @@ public void flush() throws IOException {
           throw new IOException("Can't set metadata key " + entry.getKey(),e );
         }
       }
+
+      // Save old File first
+      boolean fileExisted = backupToOld(oldPath);
       // write out the keystore
-      FSDataOutputStream out = FileSystem.create(fs, path, permissions);
+      // Write to _NEW path first :
       try {
-        keyStore.store(out, password);
-      } catch (KeyStoreException e) {
-        throw new IOException("Can't store keystore " + this, e);
-      } catch (NoSuchAlgorithmException e) {
-        throw new IOException("No such algorithm storing keystore " + this, e);
-      } catch (CertificateException e) {
-        throw new IOException("Certificate exception storing keystore " + this,
-            e);
+        writeToNew(newPath);
+      } catch (IOException ioe) {
+        // rename _OLD back to curent and throw Exception
+        revertFromOld(oldPath, fileExisted);
+        throw ioe;
       }
-      out.close();
+      // Rename _NEW to CURRENT and delete _OLD
+      cleanupNewAndOld(newPath, oldPath);
       changed = false;
     } finally {
       writeLock.unlock();
     }
   }
 
+  private void cleanupNewAndOld(Path newPath, Path oldPath) throws IOException {
+    // Rename _NEW to CURRENT
+    renameOrFail(newPath, path);
+    // Delete _OLD
+    if (fs.exists(oldPath)) {
+      fs.delete(oldPath, true);
+    }
+  }
+
+  private void writeToNew(Path newPath) throws IOException {
+    FSDataOutputStream out =
+        FileSystem.create(fs, newPath, permissions);
+    try {
+      keyStore.store(out, password);
+    } catch (KeyStoreException e) {
+      throw new IOException("Can't store keystore " + this, e);
+    } catch (NoSuchAlgorithmException e) {
+      throw new IOException(
+          "No such algorithm storing keystore " + this, e);
+    } catch (CertificateException e) {
+      throw new IOException(
+          "Certificate exception storing keystore " + this, e);
+    }
+    out.close();
+  }
+
+  private void revertFromOld(Path oldPath, boolean fileExisted)
+      throws IOException {
+    if (fileExisted) {
+      renameOrFail(oldPath, path);
+    }
+  }
+
+  private boolean backupToOld(Path oldPath)
+      throws IOException {
+    boolean fileExisted = false;
+    if (fs.exists(path)) {
+      renameOrFail(path, oldPath);
+      fileExisted = true;
+    }
+    return fileExisted;
+  }
+
+  private void renameOrFail(Path src, Path dest)
+      throws IOException {
+    if (!fs.rename(src, dest)) {
+      throw new IOException("Rename unsuccessful : "
+          + String.format("'%s' to '%s'", src, dest));
+    }
+  }
+
   @Override
   public String toString() {
     return uri.toString();
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java
index 7efaa8333b9..d72ac51999d 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java
@@ -220,11 +220,76 @@ public void testJksProvider() throws Exception {
     assertTrue(s.getPermission().toString().equals("rwx------"));
     assertTrue(file + " should exist", file.isFile());
 
+    // Corrupt file and Check if JKS can reload from _OLD file
+    File oldFile = new File(file.getPath() + "_OLD");
+    file.renameTo(oldFile);
+    file.delete();
+    file.createNewFile();
+    assertTrue(oldFile.exists());
+    KeyProvider provider = KeyProviderFactory.getProviders(conf).get(0);
+    assertTrue(file.exists());
+    assertTrue(oldFile + "should be deleted", !oldFile.exists());
+    verifyAfterReload(file, provider);
+    assertTrue(!oldFile.exists());
+
+    // _NEW and current file should not exist together
+    File newFile = new File(file.getPath() + "_NEW");
+    newFile.createNewFile();
+    try {
+      provider = KeyProviderFactory.getProviders(conf).get(0);
+      Assert.fail("_NEW and current file should not exist together !!");
+    } catch (Exception e) {
+      // Ignore
+    } finally {
+      if (newFile.exists()) {
+        newFile.delete();
+      }
+    }
+
+    // Load from _NEW file
+    file.renameTo(newFile);
+    file.delete();
+    try {
+      provider = KeyProviderFactory.getProviders(conf).get(0);
+      Assert.assertFalse(newFile.exists());
+      Assert.assertFalse(oldFile.exists());
+    } catch (Exception e) {
+      Assert.fail("JKS should load from _NEW file !!");
+      // Ignore
+    }
+    verifyAfterReload(file, provider);
+
+    // _NEW exists but corrupt.. must load from _OLD
+    newFile.createNewFile();
+    file.renameTo(oldFile);
+    file.delete();
+    try {
+      provider = KeyProviderFactory.getProviders(conf).get(0);
+      Assert.assertFalse(newFile.exists());
+      Assert.assertFalse(oldFile.exists());
+    } catch (Exception e) {
+      Assert.fail("JKS should load from _OLD file !!");
+      // Ignore
+    } finally {
+      if (newFile.exists()) {
+        newFile.delete();
+      }
+    }
+    verifyAfterReload(file, provider);
+
     // check permission retention after explicit change
     fs.setPermission(path, new FsPermission("777"));
     checkPermissionRetention(conf, ourUrl, path);
   }
 
+  private void verifyAfterReload(File file, KeyProvider provider)
+      throws IOException {
+    List<String> existingKeys = provider.getKeys();
+    assertTrue(existingKeys.contains("key4"));
+    assertTrue(existingKeys.contains("key3"));
+    assertTrue(file.exists());
+  }
+
   public void checkPermissionRetention(Configuration conf, String ourUrl, Path path) throws Exception {
     KeyProvider provider = KeyProviderFactory.getProviders(conf).get(0);
     // let's add a new key and flush and check that permissions are still set to 777

From a7643f4de7e0ac8eeb00f74cf73bd83137944e3f Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Sat, 9 Aug 2014 02:10:00 +0000
Subject: [PATCH 174/354] YARN-2026. Fair scheduler: Consider only active
 queues for computing fairshare. (Ashwin Shankar via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616915 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../scheduler/fair/Schedulable.java           |  12 +
 .../fair/policies/ComputeFairShares.java      |  29 +-
 .../scheduler/fair/TestFairScheduler.java     |  46 ++-
 .../fair/TestFairSchedulerFairShare.java      | 308 ++++++++++++++++++
 5 files changed, 381 insertions(+), 17 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerFairShare.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 700d9700ca2..a62e05ca752 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -100,6 +100,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2212. ApplicationMaster needs to find a way to update the AMRMToken
     periodically. (xgong)
 
+    YARN-2026. Fair scheduler: Consider only active queues for computing fairshare. 
+    (Ashwin Shankar via kasha)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java
index 4f8ac1e6374..5134be4dce9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java
@@ -116,6 +116,18 @@ public Resource getFairShare() {
     return fairShare;
   }
 
+  /**
+   * Returns true if queue has atleast one app running. Always returns true for
+   * AppSchedulables.
+   */
+  public boolean isActive() {
+    if (this instanceof FSQueue) {
+      FSQueue queue = (FSQueue) this;
+      return queue.getNumRunnableApps() > 0;
+    }
+    return true;
+  }
+
   /** Convenient toString implementation for debugging. */
   @Override
   public String toString() {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/ComputeFairShares.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/ComputeFairShares.java
index 77dad493265..6363ec0218c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/ComputeFairShares.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/ComputeFairShares.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.policies;
 
+import java.util.ArrayList;
 import java.util.Collection;
 
 import org.apache.hadoop.yarn.api.records.Resource;
@@ -33,7 +34,31 @@
 public class ComputeFairShares {
   
   private static final int COMPUTE_FAIR_SHARES_ITERATIONS = 25;
-  
+
+  /**
+   * Compute fair share of the given schedulables.Fair share is an allocation of
+   * shares considering only active schedulables ie schedulables which have
+   * running apps.
+   * 
+   * @param schedulables
+   * @param totalResources
+   * @param type
+   */
+  public static void computeShares(
+      Collection<? extends Schedulable> schedulables, Resource totalResources,
+      ResourceType type) {
+    Collection<Schedulable> activeSchedulables = new ArrayList<Schedulable>();
+    for (Schedulable sched : schedulables) {
+      if (sched.isActive()) {
+        activeSchedulables.add(sched);
+      } else {
+        setResourceValue(0, sched.getFairShare(), type);
+      }
+    }
+
+    computeSharesInternal(activeSchedulables, totalResources, type);
+  }
+
   /**
    * Given a set of Schedulables and a number of slots, compute their weighted
    * fair shares. The min and max shares and of the Schedulables are assumed to
@@ -75,7 +100,7 @@ public class ComputeFairShares {
    * because resourceUsedWithWeightToResourceRatio is linear-time and the number of
    * iterations of binary search is a constant (dependent on desired precision).
    */
-  public static void computeShares(
+  private static void computeSharesInternal(
       Collection<? extends Schedulable> schedulables, Resource totalResources,
       ResourceType type) {
     if (schedulables.isEmpty()) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
index f3289ccea1c..0ada021aa20 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
@@ -292,6 +292,7 @@ public void testSimpleFairShareCalculation() throws IOException {
     // Have two queues which want entire cluster capacity
     createSchedulingRequest(10 * 1024, "queue1", "user1");
     createSchedulingRequest(10 * 1024, "queue2", "user1");
+    createSchedulingRequest(10 * 1024, "root.default", "user1");
 
     scheduler.update();
 
@@ -322,6 +323,7 @@ public void testSimpleHierarchicalFairShareCalculation() throws IOException {
     // Have two queues which want entire cluster capacity
     createSchedulingRequest(10 * 1024, "parent.queue2", "user1");
     createSchedulingRequest(10 * 1024, "parent.queue3", "user1");
+    createSchedulingRequest(10 * 1024, "root.default", "user1");
 
     scheduler.update();
 
@@ -766,8 +768,10 @@ public void testFairShareAndWeightsInNestedUserQueueRule() throws Exception {
     scheduler.handle(nodeEvent1);
 
     // user1,user2 submit their apps to parentq and create user queues
-    scheduler.assignToQueue(rmApp1, "root.parentq", "user1");
-    scheduler.assignToQueue(rmApp2, "root.parentq", "user2");
+    createSchedulingRequest(10 * 1024, "root.parentq", "user1");
+    createSchedulingRequest(10 * 1024, "root.parentq", "user2");
+    // user3 submits app in default queue
+    createSchedulingRequest(10 * 1024, "root.default", "user3");
 
     scheduler.update();
 
@@ -1287,7 +1291,7 @@ public void testPreemptionIsNotDelayedToNextRound() throws Exception {
     scheduler.update();
     Resource toPreempt = scheduler.resToPreempt(scheduler.getQueueManager()
         .getLeafQueue("queueA.queueA2", false), clock.getTime());
-    assertEquals(2980, toPreempt.getMemory());
+    assertEquals(3277, toPreempt.getMemory());
 
     // verify if the 3 containers required by queueA2 are preempted in the same
     // round
@@ -2446,8 +2450,12 @@ public void testQueueMaxAMShare() throws Exception {
     scheduler.update();
 
     FSLeafQueue queue1 = scheduler.getQueueManager().getLeafQueue("queue1", true);
-    assertEquals("Queue queue1's fair share should be 10240",
-        10240, queue1.getFairShare().getMemory());
+    assertEquals("Queue queue1's fair share should be 0", 0, queue1
+        .getFairShare().getMemory());
+
+    createSchedulingRequest(1 * 1024, "root.default", "user1");
+    scheduler.update();
+    scheduler.handle(updateEvent);
 
     Resource amResource1 = Resource.newInstance(1024, 1);
     Resource amResource2 = Resource.newInstance(2048, 2);
@@ -2635,24 +2643,32 @@ public void testQueueMaxAMShareDefault() throws Exception {
 
     FSLeafQueue queue1 =
         scheduler.getQueueManager().getLeafQueue("queue1", true);
-    assertEquals("Queue queue1's fair share should be 1366",
-        1366, queue1.getFairShare().getMemory());
+    assertEquals("Queue queue1's fair share should be 0", 0, queue1
+        .getFairShare().getMemory());
     FSLeafQueue queue2 =
         scheduler.getQueueManager().getLeafQueue("queue2", true);
-    assertEquals("Queue queue2's fair share should be 1366",
-        1366, queue2.getFairShare().getMemory());
+    assertEquals("Queue queue2's fair share should be 0", 0, queue2
+        .getFairShare().getMemory());
     FSLeafQueue queue3 =
         scheduler.getQueueManager().getLeafQueue("queue3", true);
-    assertEquals("Queue queue3's fair share should be 1366",
-        1366, queue3.getFairShare().getMemory());
+    assertEquals("Queue queue3's fair share should be 0", 0, queue3
+        .getFairShare().getMemory());
     FSLeafQueue queue4 =
         scheduler.getQueueManager().getLeafQueue("queue4", true);
-    assertEquals("Queue queue4's fair share should be 1366",
-        1366, queue4.getFairShare().getMemory());
+    assertEquals("Queue queue4's fair share should be 0", 0, queue4
+        .getFairShare().getMemory());
     FSLeafQueue queue5 =
         scheduler.getQueueManager().getLeafQueue("queue5", true);
-    assertEquals("Queue queue5's fair share should be 1366",
-        1366, queue5.getFairShare().getMemory());
+    assertEquals("Queue queue5's fair share should be 0", 0, queue5
+        .getFairShare().getMemory());
+
+    List<String> queues = Arrays.asList("root.default", "root.queue3",
+        "root.queue4", "root.queue5");
+    for (String queue : queues) {
+      createSchedulingRequest(1 * 1024, queue, "user1");
+      scheduler.update();
+      scheduler.handle(updateEvent);
+    }
 
     Resource amResource1 = Resource.newInstance(2048, 1);
     int amPriority = RMAppAttemptImpl.AM_CONTAINER_PRIORITY.getPriority();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerFairShare.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerFairShare.java
new file mode 100644
index 00000000000..8b8ce93b506
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerFairShare.java
@@ -0,0 +1,308 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Collection;
+
+import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
+import org.apache.hadoop.yarn.server.resourcemanager.MockNodes;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
+import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNode;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.AppAttemptRemovedSchedulerEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeAddedSchedulerEvent;
+import org.apache.hadoop.yarn.util.resource.Resources;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+public class TestFairSchedulerFairShare extends FairSchedulerTestBase {
+  private final static String ALLOC_FILE = new File(TEST_DIR,
+      TestFairSchedulerFairShare.class.getName() + ".xml").getAbsolutePath();
+
+  @Before
+  public void setup() throws IOException {
+    conf = createConfiguration();
+    conf.set(FairSchedulerConfiguration.ALLOCATION_FILE, ALLOC_FILE);
+  }
+
+  @After
+  public void teardown() {
+    if (resourceManager != null) {
+      resourceManager.stop();
+      resourceManager = null;
+    }
+    conf = null;
+  }
+
+  private void createClusterWithQueuesAndOneNode(int mem, String policy)
+      throws IOException {
+    createClusterWithQueuesAndOneNode(mem, 0, policy);
+  }
+
+  private void createClusterWithQueuesAndOneNode(int mem, int vCores,
+      String policy) throws IOException {
+    PrintWriter out = new PrintWriter(new FileWriter(ALLOC_FILE));
+    out.println("<?xml version=\"1.0\"?>");
+    out.println("<allocations>");
+    out.println("<queue name=\"root\" >");
+    out.println("   <queue name=\"parentA\" >");
+    out.println("       <weight>8</weight>");
+    out.println("       <queue name=\"childA1\" />");
+    out.println("       <queue name=\"childA2\" />");
+    out.println("       <queue name=\"childA3\" />");
+    out.println("       <queue name=\"childA4\" />");
+    out.println("   </queue>");
+    out.println("   <queue name=\"parentB\" >");
+    out.println("       <weight>1</weight>");
+    out.println("       <queue name=\"childB1\" />");
+    out.println("       <queue name=\"childB2\" />");
+    out.println("   </queue>");
+    out.println("</queue>");
+    out.println("<defaultQueueSchedulingPolicy>" + policy
+        + "</defaultQueueSchedulingPolicy>");
+    out.println("</allocations>");
+    out.close();
+
+    resourceManager = new MockRM(conf);
+    resourceManager.start();
+    scheduler = (FairScheduler) resourceManager.getResourceScheduler();
+
+    RMNode node1 = MockNodes.newNodeInfo(1,
+        Resources.createResource(mem, vCores), 1, "127.0.0.1");
+    NodeAddedSchedulerEvent nodeEvent1 = new NodeAddedSchedulerEvent(node1);
+    scheduler.handle(nodeEvent1);
+  }
+
+  @Test
+  public void testFairShareNoAppsRunning() throws IOException {
+    int nodeCapacity = 16 * 1024;
+    createClusterWithQueuesAndOneNode(nodeCapacity, "fair");
+
+    scheduler.update();
+    // No apps are running in the cluster,verify if fair share is zero
+    // for all queues under parentA and parentB.
+    Collection<FSLeafQueue> leafQueues = scheduler.getQueueManager()
+        .getLeafQueues();
+
+    for (FSLeafQueue leaf : leafQueues) {
+      if (leaf.getName().startsWith("root.parentA")) {
+        assertEquals(0, (double) leaf.getFairShare().getMemory() / nodeCapacity
+            * 100, 0);
+      } else if (leaf.getName().startsWith("root.parentB")) {
+        assertEquals(0, (double) leaf.getFairShare().getMemory() / nodeCapacity
+            * 100, 0.1);
+      }
+    }
+  }
+
+  @Test
+  public void testFairShareOneAppRunning() throws IOException {
+    int nodeCapacity = 16 * 1024;
+    createClusterWithQueuesAndOneNode(nodeCapacity, "fair");
+
+    // Run a app in a childA1. Verify whether fair share is 100% in childA1,
+    // since it is the only active queue.
+    // Also verify if fair share is 0 for childA2. since no app is
+    // running in it.
+    createSchedulingRequest(2 * 1024, "root.parentA.childA1", "user1");
+
+    scheduler.update();
+
+    assertEquals(
+        100,
+        (double) scheduler.getQueueManager()
+            .getLeafQueue("root.parentA.childA1", false).getFairShare()
+            .getMemory()
+            / nodeCapacity * 100, 0.1);
+    assertEquals(
+        0,
+        (double) scheduler.getQueueManager()
+            .getLeafQueue("root.parentA.childA2", false).getFairShare()
+            .getMemory()
+            / nodeCapacity * 100, 0.1);
+  }
+
+  @Test
+  public void testFairShareMultipleActiveQueuesUnderSameParent()
+      throws IOException {
+    int nodeCapacity = 16 * 1024;
+    createClusterWithQueuesAndOneNode(nodeCapacity, "fair");
+
+    // Run apps in childA1,childA2,childA3
+    createSchedulingRequest(2 * 1024, "root.parentA.childA1", "user1");
+    createSchedulingRequest(2 * 1024, "root.parentA.childA2", "user2");
+    createSchedulingRequest(2 * 1024, "root.parentA.childA3", "user3");
+
+    scheduler.update();
+
+    // Verify if fair share is 100 / 3 = 33%
+    for (int i = 1; i <= 3; i++) {
+      assertEquals(
+          33,
+          (double) scheduler.getQueueManager()
+              .getLeafQueue("root.parentA.childA" + i, false).getFairShare()
+              .getMemory()
+              / nodeCapacity * 100, .9);
+    }
+  }
+
+  @Test
+  public void testFairShareMultipleActiveQueuesUnderDifferentParent()
+      throws IOException {
+    int nodeCapacity = 16 * 1024;
+    createClusterWithQueuesAndOneNode(nodeCapacity, "fair");
+
+    // Run apps in childA1,childA2 which are under parentA
+    createSchedulingRequest(2 * 1024, "root.parentA.childA1", "user1");
+    createSchedulingRequest(3 * 1024, "root.parentA.childA2", "user2");
+
+    // Run app in childB1 which is under parentB
+    createSchedulingRequest(1 * 1024, "root.parentB.childB1", "user3");
+
+    // Run app in root.default queue
+    createSchedulingRequest(1 * 1024, "root.default", "user4");
+
+    scheduler.update();
+
+    // The two active child queues under parentA would
+    // get fair share of 80/2=40%
+    for (int i = 1; i <= 2; i++) {
+      assertEquals(
+          40,
+          (double) scheduler.getQueueManager()
+              .getLeafQueue("root.parentA.childA" + i, false).getFairShare()
+              .getMemory()
+              / nodeCapacity * 100, .9);
+    }
+
+    // The child queue under parentB would get a fair share of 10%,
+    // basically all of parentB's fair share
+    assertEquals(
+        10,
+        (double) scheduler.getQueueManager()
+            .getLeafQueue("root.parentB.childB1", false).getFairShare()
+            .getMemory()
+            / nodeCapacity * 100, .9);
+  }
+
+  @Test
+  public void testFairShareResetsToZeroWhenAppsComplete() throws IOException {
+    int nodeCapacity = 16 * 1024;
+    createClusterWithQueuesAndOneNode(nodeCapacity, "fair");
+
+    // Run apps in childA1,childA2 which are under parentA
+    ApplicationAttemptId app1 = createSchedulingRequest(2 * 1024,
+        "root.parentA.childA1", "user1");
+    ApplicationAttemptId app2 = createSchedulingRequest(3 * 1024,
+        "root.parentA.childA2", "user2");
+
+    scheduler.update();
+
+    // Verify if both the active queues under parentA get 50% fair
+    // share
+    for (int i = 1; i <= 2; i++) {
+      assertEquals(
+          50,
+          (double) scheduler.getQueueManager()
+              .getLeafQueue("root.parentA.childA" + i, false).getFairShare()
+              .getMemory()
+              / nodeCapacity * 100, .9);
+    }
+    // Let app under childA1 complete. This should cause the fair share
+    // of queue childA1 to be reset to zero,since the queue has no apps running.
+    // Queue childA2's fair share would increase to 100% since its the only
+    // active queue.
+    AppAttemptRemovedSchedulerEvent appRemovedEvent1 = new AppAttemptRemovedSchedulerEvent(
+        app1, RMAppAttemptState.FINISHED, false);
+
+    scheduler.handle(appRemovedEvent1);
+    scheduler.update();
+
+    assertEquals(
+        0,
+        (double) scheduler.getQueueManager()
+            .getLeafQueue("root.parentA.childA1", false).getFairShare()
+            .getMemory()
+            / nodeCapacity * 100, 0);
+    assertEquals(
+        100,
+        (double) scheduler.getQueueManager()
+            .getLeafQueue("root.parentA.childA2", false).getFairShare()
+            .getMemory()
+            / nodeCapacity * 100, 0.1);
+  }
+
+  @Test
+  public void testFairShareWithDRFMultipleActiveQueuesUnderDifferentParent()
+      throws IOException {
+    int nodeMem = 16 * 1024;
+    int nodeVCores = 10;
+    createClusterWithQueuesAndOneNode(nodeMem, nodeVCores, "drf");
+
+    // Run apps in childA1,childA2 which are under parentA
+    createSchedulingRequest(2 * 1024, "root.parentA.childA1", "user1");
+    createSchedulingRequest(3 * 1024, "root.parentA.childA2", "user2");
+
+    // Run app in childB1 which is under parentB
+    createSchedulingRequest(1 * 1024, "root.parentB.childB1", "user3");
+
+    // Run app in root.default queue
+    createSchedulingRequest(1 * 1024, "root.default", "user4");
+
+    scheduler.update();
+
+    // The two active child queues under parentA would
+    // get 80/2=40% memory and vcores
+    for (int i = 1; i <= 2; i++) {
+      assertEquals(
+          40,
+          (double) scheduler.getQueueManager()
+              .getLeafQueue("root.parentA.childA" + i, false).getFairShare()
+              .getMemory()
+              / nodeMem * 100, .9);
+      assertEquals(
+          40,
+          (double) scheduler.getQueueManager()
+              .getLeafQueue("root.parentA.childA" + i, false).getFairShare()
+              .getVirtualCores()
+              / nodeVCores * 100, .9);
+    }
+
+    // The only active child queue under parentB would get 10% memory and vcores
+    assertEquals(
+        10,
+        (double) scheduler.getQueueManager()
+            .getLeafQueue("root.parentB.childB1", false).getFairShare()
+            .getMemory()
+            / nodeMem * 100, .9);
+    assertEquals(
+        10,
+        (double) scheduler.getQueueManager()
+            .getLeafQueue("root.parentB.childB1", false).getFairShare()
+            .getVirtualCores()
+            / nodeVCores * 100, .9);
+  }
+}

From ee3825e2783149db7a3d648f31cb1a483de64c0f Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Sat, 9 Aug 2014 18:44:51 +0000
Subject: [PATCH 175/354] YARN-1954. Added waitFor to AMRMClient(Async).
 Contributed by Tsuyoshi Ozawa.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617002 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |  2 +
 .../hadoop/yarn/client/api/AMRMClient.java    | 63 +++++++++++++++
 .../client/api/async/AMRMClientAsync.java     | 64 ++++++++++++++++
 .../api/async/impl/TestAMRMClientAsync.java   | 76 ++++++++++++++++++-
 .../yarn/client/api/impl/TestAMRMClient.java  | 35 +++++++++
 5 files changed, 237 insertions(+), 3 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index a62e05ca752..c47acfde65f 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -103,6 +103,8 @@ Release 2.6.0 - UNRELEASED
     YARN-2026. Fair scheduler: Consider only active queues for computing fairshare. 
     (Ashwin Shankar via kasha)
 
+    YARN-1954. Added waitFor to AMRMClient(Async). (Tsuyoshi Ozawa via zjshen)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/AMRMClient.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/AMRMClient.java
index 3daa1568963..f41c018cea4 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/AMRMClient.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/AMRMClient.java
@@ -22,6 +22,8 @@
 import java.util.Collection;
 import java.util.List;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceAudience.Public;
@@ -37,12 +39,14 @@
 import org.apache.hadoop.yarn.exceptions.YarnException;
 
 import com.google.common.base.Preconditions;
+import com.google.common.base.Supplier;
 import com.google.common.collect.ImmutableList;
 
 @InterfaceAudience.Public
 @InterfaceStability.Stable
 public abstract class AMRMClient<T extends AMRMClient.ContainerRequest> extends
     AbstractService {
+  private static final Log LOG = LogFactory.getLog(AMRMClient.class);
 
   /**
    * Create a new instance of AMRMClient.
@@ -336,4 +340,63 @@ public NMTokenCache getNMTokenCache() {
     return nmTokenCache;
   }
 
+  /**
+   * Wait for <code>check</code> to return true for each 1000 ms.
+   * See also {@link #waitFor(com.google.common.base.Supplier, int)}
+   * and {@link #waitFor(com.google.common.base.Supplier, int, int)}
+   * @param check
+   */
+  public void waitFor(Supplier<Boolean> check) throws InterruptedException {
+    waitFor(check, 1000);
+  }
+
+  /**
+   * Wait for <code>check</code> to return true for each
+   * <code>checkEveryMillis</code> ms.
+   * See also {@link #waitFor(com.google.common.base.Supplier, int, int)}
+   * @param check user defined checker
+   * @param checkEveryMillis interval to call <code>check</code>
+   */
+  public void waitFor(Supplier<Boolean> check, int checkEveryMillis)
+      throws InterruptedException {
+    waitFor(check, checkEveryMillis, 1);
+  }
+
+  /**
+   * Wait for <code>check</code> to return true for each
+   * <code>checkEveryMillis</code> ms. In the main loop, this method will log
+   * the message "waiting in main loop" for each <code>logInterval</code> times
+   * iteration to confirm the thread is alive.
+   * @param check user defined checker
+   * @param checkEveryMillis interval to call <code>check</code>
+   * @param logInterval interval to log for each
+   */
+  public void waitFor(Supplier<Boolean> check, int checkEveryMillis,
+      int logInterval) throws InterruptedException {
+    Preconditions.checkNotNull(check, "check should not be null");
+    Preconditions.checkArgument(checkEveryMillis >= 0,
+        "checkEveryMillis should be positive value");
+    Preconditions.checkArgument(logInterval >= 0,
+        "logInterval should be positive value");
+
+    int loggingCounter = logInterval;
+    do {
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("Check the condition for main loop.");
+      }
+
+      boolean result = check.get();
+      if (result) {
+        LOG.info("Exits the main loop.");
+        return;
+      }
+      if (--loggingCounter <= 0) {
+        LOG.info("Waiting in main loop.");
+        loggingCounter = logInterval;
+      }
+
+      Thread.sleep(checkEveryMillis);
+    } while (true);
+  }
+
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/async/AMRMClientAsync.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/async/AMRMClientAsync.java
index e726b73651a..af26da1799a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/async/AMRMClientAsync.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/async/AMRMClientAsync.java
@@ -18,11 +18,15 @@
 
 package org.apache.hadoop.yarn.client.api.async;
 
+import com.google.common.base.Preconditions;
+import com.google.common.base.Supplier;
 import java.io.IOException;
 import java.util.Collection;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceAudience.Public;
 import org.apache.hadoop.classification.InterfaceStability.Stable;
@@ -90,6 +94,7 @@
 @Stable
 public abstract class AMRMClientAsync<T extends ContainerRequest> 
 extends AbstractService {
+  private static final Log LOG = LogFactory.getLog(AMRMClientAsync.class);
   
   protected final AMRMClient<T> client;
   protected final CallbackHandler handler;
@@ -189,6 +194,65 @@ public abstract void unregisterApplicationMaster(
    */
   public abstract int getClusterNodeCount();
 
+  /**
+   * Wait for <code>check</code> to return true for each 1000 ms.
+   * See also {@link #waitFor(com.google.common.base.Supplier, int)}
+   * and {@link #waitFor(com.google.common.base.Supplier, int, int)}
+   * @param check
+   */
+  public void waitFor(Supplier<Boolean> check) throws InterruptedException {
+    waitFor(check, 1000);
+  }
+
+  /**
+   * Wait for <code>check</code> to return true for each
+   * <code>checkEveryMillis</code> ms.
+   * See also {@link #waitFor(com.google.common.base.Supplier, int, int)}
+   * @param check user defined checker
+   * @param checkEveryMillis interval to call <code>check</code>
+   */
+  public void waitFor(Supplier<Boolean> check, int checkEveryMillis)
+      throws InterruptedException {
+    waitFor(check, checkEveryMillis, 1);
+  };
+
+  /**
+   * Wait for <code>check</code> to return true for each
+   * <code>checkEveryMillis</code> ms. In the main loop, this method will log
+   * the message "waiting in main loop" for each <code>logInterval</code> times
+   * iteration to confirm the thread is alive.
+   * @param check user defined checker
+   * @param checkEveryMillis interval to call <code>check</code>
+   * @param logInterval interval to log for each
+   */
+  public void waitFor(Supplier<Boolean> check, int checkEveryMillis,
+      int logInterval) throws InterruptedException {
+    Preconditions.checkNotNull(check, "check should not be null");
+    Preconditions.checkArgument(checkEveryMillis >= 0,
+        "checkEveryMillis should be positive value");
+    Preconditions.checkArgument(logInterval >= 0,
+        "logInterval should be positive value");
+
+    int loggingCounter = logInterval;
+    do {
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("Check the condition for main loop.");
+      }
+
+      boolean result = check.get();
+      if (result) {
+        LOG.info("Exits the main loop.");
+        return;
+      }
+      if (--loggingCounter <= 0) {
+        LOG.info("Waiting in main loop.");
+        loggingCounter = logInterval;
+      }
+
+      Thread.sleep(checkEveryMillis);
+    } while (true);
+  }
+
   public interface CallbackHandler {
     
     /**
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/async/impl/TestAMRMClientAsync.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/async/impl/TestAMRMClientAsync.java
index 728a558df3b..79f53fc4f43 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/async/impl/TestAMRMClientAsync.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/async/impl/TestAMRMClientAsync.java
@@ -18,6 +18,7 @@
 
 package org.apache.hadoop.yarn.client.api.async.impl;
 
+import com.google.common.base.Supplier;
 import static org.mockito.Matchers.anyFloat;
 import static org.mockito.Matchers.anyInt;
 import static org.mockito.Matchers.anyString;
@@ -180,7 +181,7 @@ private void runHeartBeatThrowOutException(Exception ex) throws Exception{
     AMRMClient<ContainerRequest> client = mock(AMRMClientImpl.class);
     when(client.allocate(anyFloat())).thenThrow(ex);
 
-    AMRMClientAsync<ContainerRequest> asyncClient = 
+    AMRMClientAsync<ContainerRequest> asyncClient =
         AMRMClientAsync.createAMRMClientAsync(client, 20, callbackHandler);
     asyncClient.init(conf);
     asyncClient.start();
@@ -228,6 +229,41 @@ public void testAMRMClientAsyncShutDown() throws Exception {
     asyncClient.stop();
   }
 
+  @Test (timeout = 10000)
+  public void testAMRMClientAsyncShutDownWithWaitFor() throws Exception {
+    Configuration conf = new Configuration();
+    final TestCallbackHandler callbackHandler = new TestCallbackHandler();
+    @SuppressWarnings("unchecked")
+    AMRMClient<ContainerRequest> client = mock(AMRMClientImpl.class);
+
+    final AllocateResponse shutDownResponse = createAllocateResponse(
+        new ArrayList<ContainerStatus>(), new ArrayList<Container>(), null);
+    shutDownResponse.setAMCommand(AMCommand.AM_SHUTDOWN);
+    when(client.allocate(anyFloat())).thenReturn(shutDownResponse);
+
+    AMRMClientAsync<ContainerRequest> asyncClient =
+        AMRMClientAsync.createAMRMClientAsync(client, 10, callbackHandler);
+    asyncClient.init(conf);
+    asyncClient.start();
+
+    Supplier<Boolean> checker = new Supplier<Boolean>() {
+      @Override
+      public Boolean get() {
+        return callbackHandler.reboot;
+      }
+    };
+
+    asyncClient.registerApplicationMaster("localhost", 1234, null);
+    asyncClient.waitFor(checker);
+
+    asyncClient.stop();
+    // stopping should have joined all threads and completed all callbacks
+    Assert.assertTrue(callbackHandler.callbackCount == 0);
+
+    verify(client, times(1)).allocate(anyFloat());
+    asyncClient.stop();
+  }
+
   @Test (timeout = 5000)
   public void testCallAMRMClientAsyncStopFromCallbackHandler()
       throws YarnException, IOException, InterruptedException {
@@ -262,6 +298,40 @@ public void testCallAMRMClientAsyncStopFromCallbackHandler()
     }
   }
 
+  @Test (timeout = 5000)
+  public void testCallAMRMClientAsyncStopFromCallbackHandlerWithWaitFor()
+      throws YarnException, IOException, InterruptedException {
+    Configuration conf = new Configuration();
+    final TestCallbackHandler2 callbackHandler = new TestCallbackHandler2();
+    @SuppressWarnings("unchecked")
+    AMRMClient<ContainerRequest> client = mock(AMRMClientImpl.class);
+
+    List<ContainerStatus> completed = Arrays.asList(
+        ContainerStatus.newInstance(newContainerId(0, 0, 0, 0),
+            ContainerState.COMPLETE, "", 0));
+    final AllocateResponse response = createAllocateResponse(completed,
+        new ArrayList<Container>(), null);
+
+    when(client.allocate(anyFloat())).thenReturn(response);
+
+    AMRMClientAsync<ContainerRequest> asyncClient =
+        AMRMClientAsync.createAMRMClientAsync(client, 20, callbackHandler);
+    callbackHandler.asynClient = asyncClient;
+    asyncClient.init(conf);
+    asyncClient.start();
+
+    Supplier<Boolean> checker = new Supplier<Boolean>() {
+      @Override
+      public Boolean get() {
+        return callbackHandler.notify;
+      }
+    };
+
+    asyncClient.registerApplicationMaster("localhost", 1234, null);
+    asyncClient.waitFor(checker);
+    Assert.assertTrue(checker.get());
+  }
+
   void runCallBackThrowOutException(TestCallbackHandler2 callbackHandler) throws
         InterruptedException, YarnException, IOException {
     Configuration conf = new Configuration();
@@ -342,7 +412,7 @@ private class TestCallbackHandler implements AMRMClientAsync.CallbackHandler {
     private volatile List<ContainerStatus> completedContainers;
     private volatile List<Container> allocatedContainers;
     Exception savedException = null;
-    boolean reboot = false;
+    volatile boolean reboot = false;
     Object notifier = new Object();
     
     int callbackCount = 0;
@@ -432,7 +502,7 @@ private class TestCallbackHandler2 implements AMRMClientAsync.CallbackHandler {
     @SuppressWarnings("rawtypes")
     AMRMClientAsync asynClient;
     boolean stop = true;
-    boolean notify = false;
+    volatile boolean notify = false;
     boolean throwOutException = false;
 
     @Override
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClient.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClient.java
index d7fb752bb4c..38dbf79da99 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClient.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestAMRMClient.java
@@ -18,6 +18,7 @@
 
 package org.apache.hadoop.yarn.client.api.impl;
 
+import com.google.common.base.Supplier;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -814,6 +815,40 @@ public AllocateResponse answer(InvocationOnMock invocation)
     assertEquals(0, amClient.ask.size());
     assertEquals(0, amClient.release.size());
   }
+
+  class CountDownSupplier implements Supplier<Boolean> {
+    int counter = 0;
+    @Override
+    public Boolean get() {
+      counter++;
+      if (counter >= 3) {
+        return true;
+      } else {
+        return false;
+      }
+    }
+  };
+
+  @Test
+  public void testWaitFor() throws InterruptedException {
+    AMRMClientImpl<ContainerRequest> amClient = null;
+    CountDownSupplier countDownChecker = new CountDownSupplier();
+
+    try {
+      // start am rm client
+      amClient =
+          (AMRMClientImpl<ContainerRequest>) AMRMClient
+              .<ContainerRequest> createAMRMClient();
+      amClient.init(new YarnConfiguration());
+      amClient.start();
+      amClient.waitFor(countDownChecker, 1000);
+      assertEquals(3, countDownChecker.counter);
+    } finally {
+      if (amClient != null) {
+        amClient.stop();
+      }
+    }
+  }
   
   private void sleep(int sleepTime) {
     try {

From 743f7f30dae4fd9607e21568019bbad89450c325 Mon Sep 17 00:00:00 2001
From: Xuan Gong <xgong@apache.org>
Date: Sat, 9 Aug 2014 23:31:11 +0000
Subject: [PATCH 176/354] YARN-2400. Fixed TestAMRestart fails intermittently.
 Contributed by Jian He:

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617028 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                                | 2 ++
 .../resourcemanager/applicationsmanager/TestAMRestart.java     | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index c47acfde65f..b866b2f88b3 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -159,6 +159,8 @@ Release 2.6.0 - UNRELEASED
     YARN-2008. Fixed CapacityScheduler to calculate headroom based on max available
     capacity instead of configured max capacity. (Craig Welch via jianhe)
 
+    YARN-2400. Fixed TestAMRestart fails intermittently. (Jian He via xgong)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/TestAMRestart.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/TestAMRestart.java
index de0987808e6..5f1693fe894 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/TestAMRestart.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/TestAMRestart.java
@@ -386,7 +386,8 @@ public void testShouldNotCountFailureToMaxAttemptRetry() throws Exception {
     ApplicationState appState =
         memStore.getState().getApplicationState().get(app1.getApplicationId());
     // AM should be restarted even though max-am-attempt is 1.
-    MockAM am2 = MockRM.launchAndRegisterAM(app1, rm1, nm1);
+    MockAM am2 =
+        rm1.waitForNewAMToLaunchAndRegister(app1.getApplicationId(), 2, nm1);
     RMAppAttempt attempt2 = app1.getCurrentAppAttempt();
     Assert.assertTrue(((RMAppAttemptImpl) attempt2).mayBeLastAttempt());
 

From e91d099c4a4182c25c1a19237aff28e4d1bc1357 Mon Sep 17 00:00:00 2001
From: Junping Du <junping_du@apache.org>
Date: Sun, 10 Aug 2014 07:21:15 +0000
Subject: [PATCH 177/354] YARN-2302. Refactor TimelineWebServices. (Contributed
 by Zhijie Shen)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617055 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   2 +
 .../ApplicationHistoryServer.java             |  77 +++--
 .../webapp/AHSWebApp.java                     |  25 +-
 .../server/timeline/TimelineDataManager.java  | 319 ++++++++++++++++++
 .../timeline/webapp/TimelineWebServices.java  | 255 ++------------
 .../TestApplicationHistoryClientService.java  |   2 +-
 .../webapp/TestTimelineWebServices.java       |   6 +-
 7 files changed, 406 insertions(+), 280 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/TimelineDataManager.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index b866b2f88b3..9df803b1ef8 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -105,6 +105,8 @@ Release 2.6.0 - UNRELEASED
 
     YARN-1954. Added waitFor to AMRMClient(Async). (Tsuyoshi Ozawa via zjshen)
 
+    YARN-2302. Refactor TimelineWebServices. (Zhijie Shen via junping_du)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
index ce05d503986..29bbd217338 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
@@ -39,6 +39,7 @@
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.server.applicationhistoryservice.webapp.AHSWebApp;
 import org.apache.hadoop.yarn.server.timeline.LeveldbTimelineStore;
+import org.apache.hadoop.yarn.server.timeline.TimelineDataManager;
 import org.apache.hadoop.yarn.server.timeline.TimelineStore;
 import org.apache.hadoop.yarn.server.timeline.security.TimelineACLsManager;
 import org.apache.hadoop.yarn.server.timeline.security.TimelineAuthenticationFilterInitializer;
@@ -59,12 +60,12 @@ public class ApplicationHistoryServer extends CompositeService {
   private static final Log LOG = LogFactory
     .getLog(ApplicationHistoryServer.class);
 
-  protected ApplicationHistoryClientService ahsClientService;
-  protected ApplicationHistoryManager historyManager;
-  protected TimelineStore timelineStore;
-  protected TimelineDelegationTokenSecretManagerService secretManagerService;
-  protected TimelineACLsManager timelineACLsManager;
-  protected WebApp webApp;
+  private ApplicationHistoryClientService ahsClientService;
+  private ApplicationHistoryManager historyManager;
+  private TimelineStore timelineStore;
+  private TimelineDelegationTokenSecretManagerService secretManagerService;
+  private TimelineDataManager timelineDataManager;
+  private WebApp webApp;
 
   public ApplicationHistoryServer() {
     super(ApplicationHistoryServer.class.getName());
@@ -72,15 +73,18 @@ public ApplicationHistoryServer() {
 
   @Override
   protected void serviceInit(Configuration conf) throws Exception {
-    historyManager = createApplicationHistory();
-    ahsClientService = createApplicationHistoryClientService(historyManager);
-    addService(ahsClientService);
-    addService((Service) historyManager);
+    // init timeline services first
     timelineStore = createTimelineStore(conf);
     addIfService(timelineStore);
     secretManagerService = createTimelineDelegationTokenSecretManagerService(conf);
     addService(secretManagerService);
-    timelineACLsManager = createTimelineACLsManager(conf);
+    timelineDataManager = createTimelineDataManager(conf);
+
+    // init generic history service afterwards
+    historyManager = createApplicationHistoryManager(conf);
+    ahsClientService = createApplicationHistoryClientService(historyManager);
+    addService(ahsClientService);
+    addService((Service) historyManager);
 
     DefaultMetricsSystem.initialize("ApplicationHistoryServer");
     JvmMetrics.initSingleton("ApplicationHistoryServer", null);
@@ -111,21 +115,22 @@ protected void serviceStop() throws Exception {
 
   @Private
   @VisibleForTesting
-  public ApplicationHistoryClientService getClientService() {
+  ApplicationHistoryClientService getClientService() {
     return this.ahsClientService;
   }
 
-  protected ApplicationHistoryClientService
-      createApplicationHistoryClientService(
-          ApplicationHistoryManager historyManager) {
-    return new ApplicationHistoryClientService(historyManager);
+  /**
+   * @return ApplicationTimelineStore
+   */
+  @Private
+  @VisibleForTesting
+  public TimelineStore getTimelineStore() {
+    return timelineStore;
   }
 
-  protected ApplicationHistoryManager createApplicationHistory() {
-    return new ApplicationHistoryManagerImpl();
-  }
-
-  protected ApplicationHistoryManager getApplicationHistory() {
+  @Private
+  @VisibleForTesting
+  ApplicationHistoryManager getApplicationHistoryManager() {
     return this.historyManager;
   }
 
@@ -154,28 +159,35 @@ public static void main(String[] args) {
     launchAppHistoryServer(args);
   }
 
-  protected ApplicationHistoryManager createApplicationHistoryManager(
+  private ApplicationHistoryClientService
+      createApplicationHistoryClientService(
+          ApplicationHistoryManager historyManager) {
+    return new ApplicationHistoryClientService(historyManager);
+  }
+
+  private ApplicationHistoryManager createApplicationHistoryManager(
       Configuration conf) {
     return new ApplicationHistoryManagerImpl();
   }
 
-  protected TimelineStore createTimelineStore(
+  private TimelineStore createTimelineStore(
       Configuration conf) {
     return ReflectionUtils.newInstance(conf.getClass(
         YarnConfiguration.TIMELINE_SERVICE_STORE, LeveldbTimelineStore.class,
         TimelineStore.class), conf);
   }
 
-  protected TimelineDelegationTokenSecretManagerService
+  private TimelineDelegationTokenSecretManagerService
       createTimelineDelegationTokenSecretManagerService(Configuration conf) {
     return new TimelineDelegationTokenSecretManagerService();
   }
 
-  protected TimelineACLsManager createTimelineACLsManager(Configuration conf) {
-    return new TimelineACLsManager(conf);
+  private TimelineDataManager createTimelineDataManager(Configuration conf) {
+    return new TimelineDataManager(
+        timelineStore, new TimelineACLsManager(conf));
   }
 
-  protected void startWebApp() {
+  private void startWebApp() {
     Configuration conf = getConfig();
     // Always load pseudo authentication filter to parse "user.name" in an URL
     // to identify a HTTP request's user in insecure mode.
@@ -199,9 +211,8 @@ protected void startWebApp() {
     try {
       AHSWebApp ahsWebApp = AHSWebApp.getInstance();
       ahsWebApp.setApplicationHistoryManager(historyManager);
-      ahsWebApp.setTimelineStore(timelineStore);
       ahsWebApp.setTimelineDelegationTokenSecretManagerService(secretManagerService);
-      ahsWebApp.setTimelineACLsManager(timelineACLsManager);
+      ahsWebApp.setTimelineDataManager(timelineDataManager);
       webApp =
           WebApps
             .$for("applicationhistory", ApplicationHistoryClientService.class,
@@ -213,14 +224,6 @@ protected void startWebApp() {
       throw new YarnRuntimeException(msg, e);
     }
   }
-  /**
-   * @return ApplicationTimelineStore
-   */
-  @Private
-  @VisibleForTesting
-  public TimelineStore getTimelineStore() {
-    return timelineStore;
-  }
 
   private void doSecureLogin(Configuration conf) throws IOException {
     InetSocketAddress socAddr = getBindAddress(conf);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/webapp/AHSWebApp.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/webapp/AHSWebApp.java
index 9901eeb4254..68541d83529 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/webapp/AHSWebApp.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/webapp/AHSWebApp.java
@@ -22,8 +22,7 @@
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.yarn.server.api.ApplicationContext;
 import org.apache.hadoop.yarn.server.applicationhistoryservice.ApplicationHistoryManager;
-import org.apache.hadoop.yarn.server.timeline.TimelineStore;
-import org.apache.hadoop.yarn.server.timeline.security.TimelineACLsManager;
+import org.apache.hadoop.yarn.server.timeline.TimelineDataManager;
 import org.apache.hadoop.yarn.server.timeline.security.TimelineDelegationTokenSecretManagerService;
 import org.apache.hadoop.yarn.server.timeline.webapp.TimelineWebServices;
 import org.apache.hadoop.yarn.webapp.GenericExceptionHandler;
@@ -36,9 +35,8 @@
 public class AHSWebApp extends WebApp implements YarnWebParams {
 
   private ApplicationHistoryManager applicationHistoryManager;
-  private TimelineStore timelineStore;
   private TimelineDelegationTokenSecretManagerService secretManagerService;
-  private TimelineACLsManager timelineACLsManager;
+  private TimelineDataManager timelineDataManager;
 
   private static AHSWebApp instance = null;
 
@@ -68,14 +66,6 @@ public void setApplicationHistoryManager(
     this.applicationHistoryManager = applicationHistoryManager;
   }
 
-  public TimelineStore getTimelineStore() {
-    return timelineStore;
-  }
-
-  public void setTimelineStore(TimelineStore timelineStore) {
-    this.timelineStore = timelineStore;
-  }
-
   public TimelineDelegationTokenSecretManagerService
       getTimelineDelegationTokenSecretManagerService() {
     return secretManagerService;
@@ -86,12 +76,12 @@ public void setTimelineDelegationTokenSecretManagerService(
     this.secretManagerService = secretManagerService;
   }
 
-  public TimelineACLsManager getTimelineACLsManager() {
-    return timelineACLsManager;
+  public TimelineDataManager getTimelineDataManager() {
+    return timelineDataManager;
   }
 
-  public void setTimelineACLsManager(TimelineACLsManager timelineACLsManager) {
-    this.timelineACLsManager = timelineACLsManager;
+  public void setTimelineDataManager(TimelineDataManager timelineDataManager) {
+    this.timelineDataManager = timelineDataManager;
   }
 
   @Override
@@ -101,10 +91,9 @@ public void setup() {
     bind(TimelineWebServices.class);
     bind(GenericExceptionHandler.class);
     bind(ApplicationContext.class).toInstance(applicationHistoryManager);
-    bind(TimelineStore.class).toInstance(timelineStore);
     bind(TimelineDelegationTokenSecretManagerService.class).toInstance(
         secretManagerService);
-    bind(TimelineACLsManager.class).toInstance(timelineACLsManager);
+    bind(TimelineDataManager.class).toInstance(timelineDataManager);
     route("/", AHSController.class);
     route(pajoin("/apps", APP_STATE), AHSController.class);
     route(pajoin("/app", APPLICATION_ID), AHSController.class, "app");
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/TimelineDataManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/TimelineDataManager.java
new file mode 100644
index 00000000000..e68e8604182
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/TimelineDataManager.java
@@ -0,0 +1,319 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.timeline;
+
+import static org.apache.hadoop.yarn.util.StringHelper.CSV_JOINER;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.EnumSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.SortedSet;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.records.timeline.TimelineEntities;
+import org.apache.hadoop.yarn.api.records.timeline.TimelineEntity;
+import org.apache.hadoop.yarn.api.records.timeline.TimelineEvents;
+import org.apache.hadoop.yarn.api.records.timeline.TimelinePutResponse;
+import org.apache.hadoop.yarn.exceptions.YarnException;
+import org.apache.hadoop.yarn.server.timeline.TimelineReader.Field;
+import org.apache.hadoop.yarn.server.timeline.security.TimelineACLsManager;
+import org.apache.hadoop.yarn.util.timeline.TimelineUtils;
+
+/**
+ * The class wrap over the timeline store and the ACLs manager. It does some non
+ * trivial manipulation of the timeline data before putting or after getting it
+ * from the timeline store, and checks the user's access to it.
+ * 
+ */
+public class TimelineDataManager {
+
+  private static final Log LOG = LogFactory.getLog(TimelineDataManager.class);
+
+  private TimelineStore store;
+  private TimelineACLsManager timelineACLsManager;
+
+  public TimelineDataManager(TimelineStore store,
+      TimelineACLsManager timelineACLsManager) {
+    this.store = store;
+    this.timelineACLsManager = timelineACLsManager;
+  }
+
+  /**
+   * Get the timeline entities that the given user have access to. The meaning
+   * of each argument has been documented with
+   * {@link TimelineReader#getEntities}.
+   * 
+   * @see TimelineReader#getEntities
+   */
+  public TimelineEntities getEntities(
+      String entityType,
+      NameValuePair primaryFilter,
+      Collection<NameValuePair> secondaryFilter,
+      Long windowStart,
+      Long windowEnd,
+      String fromId,
+      Long fromTs,
+      Long limit,
+      EnumSet<Field> fields,
+      UserGroupInformation callerUGI) throws YarnException, IOException {
+    TimelineEntities entities = null;
+    boolean modified = extendFields(fields);
+    entities = store.getEntities(
+        entityType,
+        limit,
+        windowStart,
+        windowEnd,
+        fromId,
+        fromTs,
+        primaryFilter,
+        secondaryFilter,
+        fields);
+    if (entities != null) {
+      Iterator<TimelineEntity> entitiesItr =
+          entities.getEntities().iterator();
+      while (entitiesItr.hasNext()) {
+        TimelineEntity entity = entitiesItr.next();
+        try {
+          // check ACLs
+          if (!timelineACLsManager.checkAccess(callerUGI, entity)) {
+            entitiesItr.remove();
+          } else {
+            // clean up system data
+            if (modified) {
+              entity.setPrimaryFilters(null);
+            } else {
+              cleanupOwnerInfo(entity);
+            }
+          }
+        } catch (YarnException e) {
+          LOG.error("Error when verifying access for user " + callerUGI
+              + " on the events of the timeline entity "
+              + new EntityIdentifier(entity.getEntityId(),
+                  entity.getEntityType()), e);
+          entitiesItr.remove();
+        }
+      }
+    }
+    if (entities == null) {
+      return new TimelineEntities();
+    }
+    return entities;
+  }
+
+  /**
+   * Get the single timeline entity that the given user has access to. The
+   * meaning of each argument has been documented with
+   * {@link TimelineReader#getEntity}.
+   * 
+   * @see TimelineReader#getEntity
+   */
+  public TimelineEntity getEntity(
+      String entityType,
+      String entityId,
+      EnumSet<Field> fields,
+      UserGroupInformation callerUGI) throws YarnException, IOException {
+    TimelineEntity entity = null;
+    boolean modified = extendFields(fields);
+    entity =
+        store.getEntity(entityId, entityType, fields);
+    if (entity != null) {
+      // check ACLs
+      if (!timelineACLsManager.checkAccess(callerUGI, entity)) {
+        entity = null;
+      } else {
+        // clean up the system data
+        if (modified) {
+          entity.setPrimaryFilters(null);
+        } else {
+          cleanupOwnerInfo(entity);
+        }
+      }
+    }
+    return entity;
+  }
+
+  /**
+   * Get the events whose entities the given user has access to. The meaning of
+   * each argument has been documented with
+   * {@link TimelineReader#getEntityTimelines}.
+   * 
+   * @see TimelineReader#getEntityTimelines
+   */
+  public TimelineEvents getEvents(
+      String entityType,
+      SortedSet<String> entityIds,
+      SortedSet<String> eventTypes,
+      Long windowStart,
+      Long windowEnd,
+      Long limit,
+      UserGroupInformation callerUGI) throws YarnException, IOException {
+    TimelineEvents events = null;
+    events = store.getEntityTimelines(
+        entityType,
+        entityIds,
+        limit,
+        windowStart,
+        windowEnd,
+        eventTypes);
+    if (events != null) {
+      Iterator<TimelineEvents.EventsOfOneEntity> eventsItr =
+          events.getAllEvents().iterator();
+      while (eventsItr.hasNext()) {
+        TimelineEvents.EventsOfOneEntity eventsOfOneEntity = eventsItr.next();
+        try {
+          TimelineEntity entity = store.getEntity(
+              eventsOfOneEntity.getEntityId(),
+              eventsOfOneEntity.getEntityType(),
+              EnumSet.of(Field.PRIMARY_FILTERS));
+          // check ACLs
+          if (!timelineACLsManager.checkAccess(callerUGI, entity)) {
+            eventsItr.remove();
+          }
+        } catch (Exception e) {
+          LOG.error("Error when verifying access for user " + callerUGI
+              + " on the events of the timeline entity "
+              + new EntityIdentifier(eventsOfOneEntity.getEntityId(),
+                  eventsOfOneEntity.getEntityType()), e);
+          eventsItr.remove();
+        }
+      }
+    }
+    if (events == null) {
+      return new TimelineEvents();
+    }
+    return events;
+  }
+
+  /**
+   * Store the timeline entities into the store and set the owner of them to the
+   * given user.
+   */
+  public TimelinePutResponse postEntities(
+      TimelineEntities entities,
+      UserGroupInformation callerUGI) throws YarnException, IOException {
+    if (entities == null) {
+      return new TimelinePutResponse();
+    }
+    List<EntityIdentifier> entityIDs = new ArrayList<EntityIdentifier>();
+    TimelineEntities entitiesToPut = new TimelineEntities();
+    List<TimelinePutResponse.TimelinePutError> errors =
+        new ArrayList<TimelinePutResponse.TimelinePutError>();
+    for (TimelineEntity entity : entities.getEntities()) {
+      EntityIdentifier entityID =
+          new EntityIdentifier(entity.getEntityId(), entity.getEntityType());
+
+      // check if there is existing entity
+      TimelineEntity existingEntity = null;
+      try {
+        existingEntity =
+            store.getEntity(entityID.getId(), entityID.getType(),
+                EnumSet.of(Field.PRIMARY_FILTERS));
+        if (existingEntity != null
+            && !timelineACLsManager.checkAccess(callerUGI, existingEntity)) {
+          throw new YarnException("The timeline entity " + entityID
+              + " was not put by " + callerUGI + " before");
+        }
+      } catch (Exception e) {
+        // Skip the entity which already exists and was put by others
+        LOG.error("Skip the timeline entity: " + entityID + ", because "
+            + e.getMessage());
+        TimelinePutResponse.TimelinePutError error =
+            new TimelinePutResponse.TimelinePutError();
+        error.setEntityId(entityID.getId());
+        error.setEntityType(entityID.getType());
+        error.setErrorCode(
+            TimelinePutResponse.TimelinePutError.ACCESS_DENIED);
+        errors.add(error);
+        continue;
+      }
+
+      // inject owner information for the access check if this is the first
+      // time to post the entity, in case it's the admin who is updating
+      // the timeline data.
+      try {
+        if (existingEntity == null) {
+          injectOwnerInfo(entity, callerUGI.getShortUserName());
+        }
+      } catch (YarnException e) {
+        // Skip the entity which messes up the primary filter and record the
+        // error
+        LOG.error("Skip the timeline entity: " + entityID + ", because "
+            + e.getMessage());
+        TimelinePutResponse.TimelinePutError error =
+            new TimelinePutResponse.TimelinePutError();
+        error.setEntityId(entityID.getId());
+        error.setEntityType(entityID.getType());
+        error.setErrorCode(
+            TimelinePutResponse.TimelinePutError.SYSTEM_FILTER_CONFLICT);
+        errors.add(error);
+        continue;
+      }
+
+      entityIDs.add(entityID);
+      entitiesToPut.addEntity(entity);
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("Storing the entity " + entityID + ", JSON-style content: "
+            + TimelineUtils.dumpTimelineRecordtoJSON(entity));
+      }
+    }
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("Storing entities: " + CSV_JOINER.join(entityIDs));
+    }
+    TimelinePutResponse response = store.put(entitiesToPut);
+    // add the errors of timeline system filter key conflict
+    response.addErrors(errors);
+    return response;
+  }
+
+  private static boolean extendFields(EnumSet<Field> fieldEnums) {
+    boolean modified = false;
+    if (fieldEnums != null && !fieldEnums.contains(Field.PRIMARY_FILTERS)) {
+      fieldEnums.add(Field.PRIMARY_FILTERS);
+      modified = true;
+    }
+    return modified;
+  }
+
+  private static void injectOwnerInfo(TimelineEntity timelineEntity,
+      String owner) throws YarnException {
+    if (timelineEntity.getPrimaryFilters() != null &&
+        timelineEntity.getPrimaryFilters().containsKey(
+            TimelineStore.SystemFilter.ENTITY_OWNER.toString())) {
+      throw new YarnException(
+          "User should not use the timeline system filter key: "
+              + TimelineStore.SystemFilter.ENTITY_OWNER);
+    }
+    timelineEntity.addPrimaryFilter(
+        TimelineStore.SystemFilter.ENTITY_OWNER
+            .toString(), owner);
+  }
+
+  private static void cleanupOwnerInfo(TimelineEntity timelineEntity) {
+    if (timelineEntity.getPrimaryFilters() != null) {
+      timelineEntity.getPrimaryFilters().remove(
+          TimelineStore.SystemFilter.ENTITY_OWNER.toString());
+    }
+  }
+
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/TimelineWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/TimelineWebServices.java
index ad739c94c6f..c5e6d49c8c5 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/TimelineWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/TimelineWebServices.java
@@ -18,14 +18,10 @@
 
 package org.apache.hadoop.yarn.server.timeline.webapp;
 
-import static org.apache.hadoop.yarn.util.StringHelper.CSV_JOINER;
-
-import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.EnumSet;
 import java.util.HashSet;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
 import java.util.SortedSet;
@@ -58,14 +54,11 @@
 import org.apache.hadoop.yarn.api.records.timeline.TimelineEntity;
 import org.apache.hadoop.yarn.api.records.timeline.TimelineEvents;
 import org.apache.hadoop.yarn.api.records.timeline.TimelinePutResponse;
-import org.apache.hadoop.yarn.exceptions.YarnException;
 import org.apache.hadoop.yarn.server.timeline.EntityIdentifier;
 import org.apache.hadoop.yarn.server.timeline.GenericObjectMapper;
 import org.apache.hadoop.yarn.server.timeline.NameValuePair;
+import org.apache.hadoop.yarn.server.timeline.TimelineDataManager;
 import org.apache.hadoop.yarn.server.timeline.TimelineReader.Field;
-import org.apache.hadoop.yarn.server.timeline.TimelineStore;
-import org.apache.hadoop.yarn.server.timeline.security.TimelineACLsManager;
-import org.apache.hadoop.yarn.util.timeline.TimelineUtils;
 import org.apache.hadoop.yarn.webapp.BadRequestException;
 import org.apache.hadoop.yarn.webapp.ForbiddenException;
 import org.apache.hadoop.yarn.webapp.NotFoundException;
@@ -80,14 +73,11 @@ public class TimelineWebServices {
 
   private static final Log LOG = LogFactory.getLog(TimelineWebServices.class);
 
-  private TimelineStore store;
-  private TimelineACLsManager timelineACLsManager;
+  private TimelineDataManager timelineDataManager;
 
   @Inject
-  public TimelineWebServices(TimelineStore store,
-      TimelineACLsManager timelineACLsManager) {
-    this.store = store;
-    this.timelineACLsManager = timelineACLsManager;
+  public TimelineWebServices(TimelineDataManager timelineDataManager) {
+    this.timelineDataManager = timelineDataManager;
   }
 
   @XmlRootElement(name = "about")
@@ -148,61 +138,28 @@ public TimelineEntities getEntities(
       @QueryParam("limit") String limit,
       @QueryParam("fields") String fields) {
     init(res);
-    TimelineEntities entities = null;
     try {
-      EnumSet<Field> fieldEnums = parseFieldsStr(fields, ",");
-      boolean modified = extendFields(fieldEnums);
-      UserGroupInformation callerUGI = getUser(req);
-      entities = store.getEntities(
+      return timelineDataManager.getEntities(
           parseStr(entityType),
-          parseLongStr(limit),
+          parsePairStr(primaryFilter, ":"),
+          parsePairsStr(secondaryFilter, ",", ":"),
           parseLongStr(windowStart),
           parseLongStr(windowEnd),
           parseStr(fromId),
           parseLongStr(fromTs),
-          parsePairStr(primaryFilter, ":"),
-          parsePairsStr(secondaryFilter, ",", ":"),
-          fieldEnums);
-      if (entities != null) {
-        Iterator<TimelineEntity> entitiesItr =
-            entities.getEntities().iterator();
-        while (entitiesItr.hasNext()) {
-          TimelineEntity entity = entitiesItr.next();
-          try {
-            // check ACLs
-            if (!timelineACLsManager.checkAccess(callerUGI, entity)) {
-              entitiesItr.remove();
-            } else {
-              // clean up system data
-              if (modified) {
-                entity.setPrimaryFilters(null);
-              } else {
-                cleanupOwnerInfo(entity);
-              }
-            }
-          } catch (YarnException e) {
-            LOG.error("Error when verifying access for user " + callerUGI
-                + " on the events of the timeline entity "
-                + new EntityIdentifier(entity.getEntityId(),
-                    entity.getEntityType()), e);
-            entitiesItr.remove();
-          }
-        }
-      }
+          parseLongStr(limit),
+          parseFieldsStr(fields, ","),
+          getUser(req));
     } catch (NumberFormatException e) {
       throw new BadRequestException(
           "windowStart, windowEnd or limit is not a numeric value.");
     } catch (IllegalArgumentException e) {
       throw new BadRequestException("requested invalid field.");
-    } catch (IOException e) {
+    } catch (Exception e) {
       LOG.error("Error getting entities", e);
       throw new WebApplicationException(e,
           Response.Status.INTERNAL_SERVER_ERROR);
     }
-    if (entities == null) {
-      return new TimelineEntities();
-    }
-    return entities;
   }
 
   /**
@@ -220,33 +177,15 @@ public TimelineEntity getEntity(
     init(res);
     TimelineEntity entity = null;
     try {
-      EnumSet<Field> fieldEnums = parseFieldsStr(fields, ",");
-      boolean modified = extendFields(fieldEnums);
-      entity =
-          store.getEntity(parseStr(entityId), parseStr(entityType),
-              fieldEnums);
-      if (entity != null) {
-        // check ACLs
-        UserGroupInformation callerUGI = getUser(req);
-        if (!timelineACLsManager.checkAccess(callerUGI, entity)) {
-          entity = null;
-        } else {
-          // clean up the system data
-          if (modified) {
-            entity.setPrimaryFilters(null);
-          } else {
-            cleanupOwnerInfo(entity);
-          }
-        }
-      }
+      entity = timelineDataManager.getEntity(
+          parseStr(entityType),
+          parseStr(entityId),
+          parseFieldsStr(fields, ","),
+          getUser(req));
     } catch (IllegalArgumentException e) {
       throw new BadRequestException(
           "requested invalid field.");
-    } catch (IOException e) {
-      LOG.error("Error getting entity", e);
-      throw new WebApplicationException(e,
-          Response.Status.INTERNAL_SERVER_ERROR);
-    } catch (YarnException e) {
+    } catch (Exception e) {
       LOG.error("Error getting entity", e);
       throw new WebApplicationException(e,
           Response.Status.INTERNAL_SERVER_ERROR);
@@ -275,51 +214,23 @@ public TimelineEvents getEvents(
       @QueryParam("windowEnd") String windowEnd,
       @QueryParam("limit") String limit) {
     init(res);
-    TimelineEvents events = null;
     try {
-      UserGroupInformation callerUGI = getUser(req);
-      events = store.getEntityTimelines(
+      return timelineDataManager.getEvents(
           parseStr(entityType),
           parseArrayStr(entityId, ","),
-          parseLongStr(limit),
+          parseArrayStr(eventType, ","),
           parseLongStr(windowStart),
           parseLongStr(windowEnd),
-          parseArrayStr(eventType, ","));
-      if (events != null) {
-        Iterator<TimelineEvents.EventsOfOneEntity> eventsItr =
-            events.getAllEvents().iterator();
-        while (eventsItr.hasNext()) {
-          TimelineEvents.EventsOfOneEntity eventsOfOneEntity = eventsItr.next();
-          try {
-            TimelineEntity entity = store.getEntity(
-                eventsOfOneEntity.getEntityId(),
-                eventsOfOneEntity.getEntityType(),
-                EnumSet.of(Field.PRIMARY_FILTERS));
-            // check ACLs
-            if (!timelineACLsManager.checkAccess(callerUGI, entity)) {
-              eventsItr.remove();
-            }
-          } catch (Exception e) {
-            LOG.error("Error when verifying access for user " + callerUGI
-                + " on the events of the timeline entity "
-                + new EntityIdentifier(eventsOfOneEntity.getEntityId(),
-                    eventsOfOneEntity.getEntityType()), e);
-            eventsItr.remove();
-          }
-        }
-      }
+          parseLongStr(limit),
+          getUser(req));
     } catch (NumberFormatException e) {
       throw new BadRequestException(
           "windowStart, windowEnd or limit is not a numeric value.");
-    } catch (IOException e) {
+    } catch (Exception e) {
       LOG.error("Error getting entity timelines", e);
       throw new WebApplicationException(e,
           Response.Status.INTERNAL_SERVER_ERROR);
     }
-    if (events == null) {
-      return new TimelineEvents();
-    }
-    return events;
   }
 
   /**
@@ -333,9 +244,6 @@ public TimelinePutResponse postEntities(
       @Context HttpServletResponse res,
       TimelineEntities entities) {
     init(res);
-    if (entities == null) {
-      return new TimelinePutResponse();
-    }
     UserGroupInformation callerUGI = getUser(req);
     if (callerUGI == null) {
       String msg = "The owner of the posted timeline entities is not set";
@@ -343,76 +251,8 @@ public TimelinePutResponse postEntities(
       throw new ForbiddenException(msg);
     }
     try {
-      List<EntityIdentifier> entityIDs = new ArrayList<EntityIdentifier>();
-      TimelineEntities entitiesToPut = new TimelineEntities();
-      List<TimelinePutResponse.TimelinePutError> errors =
-          new ArrayList<TimelinePutResponse.TimelinePutError>();
-      for (TimelineEntity entity : entities.getEntities()) {
-        EntityIdentifier entityID =
-            new EntityIdentifier(entity.getEntityId(), entity.getEntityType());
-
-        // check if there is existing entity
-        TimelineEntity existingEntity = null;
-        try {
-          existingEntity =
-              store.getEntity(entityID.getId(), entityID.getType(),
-                  EnumSet.of(Field.PRIMARY_FILTERS));
-          if (existingEntity != null
-              && !timelineACLsManager.checkAccess(callerUGI, existingEntity)) {
-            throw new YarnException("The timeline entity " + entityID
-                + " was not put by " + callerUGI + " before");
-          }
-        } catch (Exception e) {
-          // Skip the entity which already exists and was put by others
-          LOG.warn("Skip the timeline entity: " + entityID + ", because "
-              + e.getMessage());
-          TimelinePutResponse.TimelinePutError error =
-              new TimelinePutResponse.TimelinePutError();
-          error.setEntityId(entityID.getId());
-          error.setEntityType(entityID.getType());
-          error.setErrorCode(
-              TimelinePutResponse.TimelinePutError.ACCESS_DENIED);
-          errors.add(error);
-          continue;
-        }
-
-        // inject owner information for the access check if this is the first
-        // time to post the entity, in case it's the admin who is updating
-        // the timeline data.
-        try {
-          if (existingEntity == null) {
-            injectOwnerInfo(entity, callerUGI.getShortUserName());
-          }
-        } catch (YarnException e) {
-          // Skip the entity which messes up the primary filter and record the
-          // error
-          LOG.warn("Skip the timeline entity: " + entityID + ", because "
-              + e.getMessage());
-          TimelinePutResponse.TimelinePutError error =
-              new TimelinePutResponse.TimelinePutError();
-          error.setEntityId(entityID.getId());
-          error.setEntityType(entityID.getType());
-          error.setErrorCode(
-              TimelinePutResponse.TimelinePutError.SYSTEM_FILTER_CONFLICT);
-          errors.add(error);
-          continue;
-        }
-
-        entityIDs.add(entityID);
-        entitiesToPut.addEntity(entity);
-        if (LOG.isDebugEnabled()) {
-          LOG.debug("Storing the entity " + entityID + ", JSON-style content: "
-              + TimelineUtils.dumpTimelineRecordtoJSON(entity));
-        }
-      }
-      if (LOG.isDebugEnabled()) {
-        LOG.debug("Storing entities: " + CSV_JOINER.join(entityIDs));
-      }
-      TimelinePutResponse response =  store.put(entitiesToPut);
-      // add the errors of timeline system filter key conflict
-      response.addErrors(errors);
-      return response;
-    } catch (IOException e) {
+      return timelineDataManager.postEntities(entities, callerUGI);
+    } catch (Exception e) {
       LOG.error("Error putting entities", e);
       throw new WebApplicationException(e,
           Response.Status.INTERNAL_SERVER_ERROR);
@@ -423,6 +263,15 @@ private void init(HttpServletResponse response) {
     response.setContentType(null);
   }
 
+  private static UserGroupInformation getUser(HttpServletRequest req) {
+    String remoteUser = req.getRemoteUser();
+    UserGroupInformation callerUGI = null;
+    if (remoteUser != null) {
+      callerUGI = UserGroupInformation.createRemoteUser(remoteUser);
+    }
+    return callerUGI;
+  }
+
   private static SortedSet<String> parseArrayStr(String str, String delimiter) {
     if (str == null) {
       return null;
@@ -495,14 +344,6 @@ private static EnumSet<Field> parseFieldsStr(String str, String delimiter) {
     }
   }
 
-  private static boolean extendFields(EnumSet<Field> fieldEnums) {
-    boolean modified = false;
-    if (fieldEnums != null && !fieldEnums.contains(Field.PRIMARY_FILTERS)) {
-      fieldEnums.add(Field.PRIMARY_FILTERS);
-      modified = true;
-    }
-    return modified;
-  }
   private static Long parseLongStr(String str) {
     return str == null ? null : Long.parseLong(str.trim());
   }
@@ -511,34 +352,4 @@ private static String parseStr(String str) {
     return str == null ? null : str.trim();
   }
 
-  private static UserGroupInformation getUser(HttpServletRequest req) {
-    String remoteUser = req.getRemoteUser();
-    UserGroupInformation callerUGI = null;
-    if (remoteUser != null) {
-      callerUGI = UserGroupInformation.createRemoteUser(remoteUser);
-    }
-    return callerUGI;
-  }
-
-  private static void injectOwnerInfo(TimelineEntity timelineEntity,
-      String owner) throws YarnException {
-    if (timelineEntity.getPrimaryFilters() != null &&
-        timelineEntity.getPrimaryFilters().containsKey(
-            TimelineStore.SystemFilter.ENTITY_OWNER.toString())) {
-      throw new YarnException(
-          "User should not use the timeline system filter key: "
-              + TimelineStore.SystemFilter.ENTITY_OWNER);
-    }
-    timelineEntity.addPrimaryFilter(
-        TimelineStore.SystemFilter.ENTITY_OWNER
-            .toString(), owner);
-  }
-
-  private static void cleanupOwnerInfo(TimelineEntity timelineEntity) {
-    if (timelineEntity.getPrimaryFilters() != null) {
-      timelineEntity.getPrimaryFilters().remove(
-          TimelineStore.SystemFilter.ENTITY_OWNER.toString());
-    }
-  }
-
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryClientService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryClientService.java
index 3f3c08a55df..7b5b74b6755 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryClientService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryClientService.java
@@ -69,7 +69,7 @@ public void setup() {
     historyServer.init(config);
     historyServer.start();
     store =
-        ((ApplicationHistoryManagerImpl) historyServer.getApplicationHistory())
+        ((ApplicationHistoryManagerImpl) historyServer.getApplicationHistoryManager())
           .getHistoryStore();
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java
index 2096bbb2060..549cfe13025 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java
@@ -49,6 +49,7 @@
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.security.AdminACLsManager;
 import org.apache.hadoop.yarn.server.timeline.TestMemoryTimelineStore;
+import org.apache.hadoop.yarn.server.timeline.TimelineDataManager;
 import org.apache.hadoop.yarn.server.timeline.TimelineStore;
 import org.apache.hadoop.yarn.server.timeline.security.TimelineACLsManager;
 import org.apache.hadoop.yarn.server.timeline.security.TimelineAuthenticationFilter;
@@ -89,14 +90,15 @@ protected void configureServlets() {
       } catch (Exception e) {
         Assert.fail();
       }
-      bind(TimelineStore.class).toInstance(store);
       Configuration conf = new YarnConfiguration();
       conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, false);
       timelineACLsManager = new TimelineACLsManager(conf);
       conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
       conf.set(YarnConfiguration.YARN_ADMIN_ACL, "admin");
       adminACLsManager = new AdminACLsManager(conf);
-      bind(TimelineACLsManager.class).toInstance(timelineACLsManager);
+      TimelineDataManager timelineDataManager =
+          new TimelineDataManager(store, timelineACLsManager);
+      bind(TimelineDataManager.class).toInstance(timelineDataManager);
       serve("/*").with(GuiceContainer.class);
       TimelineAuthenticationFilter taFilter = new TimelineAuthenticationFilter();
       FilterConfig filterConfig = mock(FilterConfig.class);

From af6d70966456e7b481c90e5b8453118767f95a32 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Sun, 10 Aug 2014 21:49:42 +0000
Subject: [PATCH 178/354] HADOOP-10402. Configuration.getValByRegex does not
 substitute for variables. (Robert Kanter via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617166 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt           | 3 +++
 .../main/java/org/apache/hadoop/conf/Configuration.java   | 3 ++-
 .../java/org/apache/hadoop/conf/TestConfiguration.java    | 8 ++++++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 849857664c7..e648aae207b 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -553,6 +553,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10929. Typo in Configuration.getPasswordFromCredentialProviders
     (lmccay via brandonli)
 
+    HADOOP-10402. Configuration.getValByRegex does not substitute for
+    variables. (Robert Kanter via kasha)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
index ea15e81639f..cf5ec1a53ee 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
@@ -2755,7 +2755,8 @@ public Map<String,String> getValByRegex(String regex) {
           item.getValue() instanceof String) {
         m = p.matcher((String)item.getKey());
         if(m.find()) { // match
-          result.put((String) item.getKey(), (String) item.getValue());
+          result.put((String) item.getKey(),
+              substituteVars(getProps().getProperty((String) item.getKey())));
         }
       }
     }
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/conf/TestConfiguration.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/conf/TestConfiguration.java
index 60b86e44426..08c1791008b 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/conf/TestConfiguration.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/conf/TestConfiguration.java
@@ -178,6 +178,14 @@ public void testVariableSubstitution() throws IOException {
     // check that expansion also occurs for getInt()
     assertTrue(conf.getInt("intvar", -1) == 42);
     assertTrue(conf.getInt("my.int", -1) == 42);
+
+    Map<String, String> results = conf.getValByRegex("^my.*file$");
+    assertTrue(results.keySet().contains("my.relfile"));
+    assertTrue(results.keySet().contains("my.fullfile"));
+    assertTrue(results.keySet().contains("my.file"));
+    assertEquals(-1, results.get("my.relfile").indexOf("${"));
+    assertEquals(-1, results.get("my.fullfile").indexOf("${"));
+    assertEquals(-1, results.get("my.file").indexOf("${"));
   }
 
   public void testFinalParam() throws IOException {

From bdd3e2ce4975dda3fc33644dfb330ae7395003de Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Mon, 11 Aug 2014 00:13:27 +0000
Subject: [PATCH 179/354] YARN-2337. ResourceManager sets ClientRMService in
 RMContext multiple times. (Zhihai Xu via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617183 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                                | 3 +++
 .../hadoop/yarn/server/resourcemanager/ResourceManager.java    | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 9df803b1ef8..bc2ef29a835 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -107,6 +107,9 @@ Release 2.6.0 - UNRELEASED
 
     YARN-2302. Refactor TimelineWebServices. (Zhijie Shen via junping_du)
 
+    YARN-2337. ResourceManager sets ClientRMService in RMContext multiple times.
+    (Zhihai Xu via kasha)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
index 40e346c680a..90441d6c947 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
@@ -461,7 +461,6 @@ protected void serviceInit(Configuration configuration) throws Exception {
       rmDispatcher.register(RMAppManagerEventType.class, rmAppManager);
 
       clientRM = createClientRMService();
-      rmContext.setClientRMService(clientRM);
       addService(clientRM);
       rmContext.setClientRMService(clientRM);
 

From da7b508ffc3378b8f721074fdfaccd622e19cb25 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Mon, 11 Aug 2014 01:42:26 +0000
Subject: [PATCH 180/354] YARN-2361. RMAppAttempt state machine entries for
 KILLED state has duplicate event entries. (Zhihai Xu via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617190 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                                | 3 +++
 .../server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index bc2ef29a835..c149ef5d42a 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -166,6 +166,9 @@ Release 2.6.0 - UNRELEASED
 
     YARN-2400. Fixed TestAMRestart fails intermittently. (Jian He via xgong)
 
+    YARN-2361. RMAppAttempt state machine entries for KILLED state has duplicate
+    event entries. (Zhihai Xu via kasha)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
index 46a9766a4a0..54a210da8ca 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
@@ -398,7 +398,6 @@ RMAppAttemptEventType.STATUS_UPDATE, new StatusUpdateTransition())
           RMAppAttemptState.KILLED,
           RMAppAttemptState.KILLED,
           EnumSet.of(RMAppAttemptEventType.ATTEMPT_ADDED,
-              RMAppAttemptEventType.EXPIRE,
               RMAppAttemptEventType.LAUNCHED,
               RMAppAttemptEventType.LAUNCH_FAILED,
               RMAppAttemptEventType.EXPIRE,

From 946be75704ede6b04177f756b7017cf894947d14 Mon Sep 17 00:00:00 2001
From: Xuan Gong <xgong@apache.org>
Date: Mon, 11 Aug 2014 17:42:53 +0000
Subject: [PATCH 181/354] YARN-2400: Addendum fix for TestAMRestart failure.
 Contributed by Jian He

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617333 13f79535-47bb-0310-9956-ffa450edef68
---
 .../resourcemanager/applicationsmanager/TestAMRestart.java  | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/TestAMRestart.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/TestAMRestart.java
index 5f1693fe894..6c5c818e589 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/TestAMRestart.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/TestAMRestart.java
@@ -399,7 +399,8 @@ public void testShouldNotCountFailureToMaxAttemptRetry() throws Exception {
     am2.waitForState(RMAppAttemptState.FAILED);
     Assert.assertTrue(! attempt2.shouldCountTowardsMaxAttemptRetry());
     rm1.waitForState(app1.getApplicationId(), RMAppState.ACCEPTED);
-    MockAM am3 = MockRM.launchAndRegisterAM(app1, rm1, nm1);
+    MockAM am3 =
+        rm1.waitForNewAMToLaunchAndRegister(app1.getApplicationId(), 3, nm1);
     RMAppAttempt attempt3 = app1.getCurrentAppAttempt();
     Assert.assertTrue(((RMAppAttemptImpl) attempt3).mayBeLastAttempt());
 
@@ -422,7 +423,8 @@ public void testShouldNotCountFailureToMaxAttemptRetry() throws Exception {
         .getAMContainerExitStatus());
 
     rm1.waitForState(app1.getApplicationId(), RMAppState.ACCEPTED);
-    MockAM am4 = MockRM.launchAndRegisterAM(app1, rm1, nm1);
+    MockAM am4 =
+        rm1.waitForNewAMToLaunchAndRegister(app1.getApplicationId(), 4, nm1);
     RMAppAttempt attempt4 = app1.getCurrentAppAttempt();
     Assert.assertTrue(((RMAppAttemptImpl) attempt4).mayBeLastAttempt());
 

From e60673697d5046c29c52bbabdfe80506f99773e4 Mon Sep 17 00:00:00 2001
From: Jing Zhao <jing9@apache.org>
Date: Mon, 11 Aug 2014 18:01:14 +0000
Subject: [PATCH 182/354] HDFS-6837. Code cleanup for Balancer and Dispatcher.
 Contributed by Tsz Wo Nicholas Sze.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617337 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../hadoop/hdfs/server/balancer/Balancer.java | 102 ++++-----
 .../hdfs/server/balancer/Dispatcher.java      | 200 ++++++++----------
 .../hdfs/server/balancer/ExitStatus.java      |  44 ++++
 .../hdfs/server/balancer/TestBalancer.java    |   6 +-
 .../balancer/TestBalancerWithHANameNodes.java |   2 +-
 .../TestBalancerWithMultipleNameNodes.java    |   2 +-
 .../balancer/TestBalancerWithNodeGroup.java   |   6 +-
 8 files changed, 189 insertions(+), 176 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/ExitStatus.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index eca0009be90..8f70bb1df60 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -387,6 +387,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6828. Separate block replica dispatching from Balancer. (szetszwo via
     jing9)
 
+    HDFS-6837. Code cleanup for Balancer and Dispatcher. (szetszwo via
+    jing9)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
index 391d7edefc1..7661d25ee7f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Balancer.java
@@ -44,7 +44,8 @@
 import org.apache.hadoop.hdfs.DFSUtil;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.StorageType;
-import org.apache.hadoop.hdfs.server.balancer.Dispatcher.BalancerDatanode;
+import org.apache.hadoop.hdfs.server.balancer.Dispatcher.DDatanode;
+import org.apache.hadoop.hdfs.server.balancer.Dispatcher.DDatanode.StorageGroup;
 import org.apache.hadoop.hdfs.server.balancer.Dispatcher.Source;
 import org.apache.hadoop.hdfs.server.balancer.Dispatcher.Task;
 import org.apache.hadoop.hdfs.server.balancer.Dispatcher.Util;
@@ -184,10 +185,10 @@ public class Balancer {
   // all data node lists
   private final Collection<Source> overUtilized = new LinkedList<Source>();
   private final Collection<Source> aboveAvgUtilized = new LinkedList<Source>();
-  private final Collection<BalancerDatanode.StorageGroup> belowAvgUtilized
-      = new LinkedList<BalancerDatanode.StorageGroup>();
-  private final Collection<BalancerDatanode.StorageGroup> underUtilized
-      = new LinkedList<BalancerDatanode.StorageGroup>();
+  private final Collection<StorageGroup> belowAvgUtilized
+      = new LinkedList<StorageGroup>();
+  private final Collection<StorageGroup> underUtilized
+      = new LinkedList<StorageGroup>();
 
   /* Check that this Balancer is compatible with the Block Placement Policy
    * used by the Namenode.
@@ -209,8 +210,22 @@ private static void checkReplicationPolicyCompatibility(Configuration conf
    * when connection fails.
    */
   Balancer(NameNodeConnector theblockpool, Parameters p, Configuration conf) {
+    final long movedWinWidth = conf.getLong(
+        DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_KEY,
+        DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_DEFAULT);
+    final int moverThreads = conf.getInt(
+        DFSConfigKeys.DFS_BALANCER_MOVERTHREADS_KEY,
+        DFSConfigKeys.DFS_BALANCER_MOVERTHREADS_DEFAULT);
+    final int dispatcherThreads = conf.getInt(
+        DFSConfigKeys.DFS_BALANCER_DISPATCHERTHREADS_KEY,
+        DFSConfigKeys.DFS_BALANCER_DISPATCHERTHREADS_DEFAULT);
+    final int maxConcurrentMovesPerNode = conf.getInt(
+        DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_KEY,
+        DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_DEFAULT);
+
     this.dispatcher = new Dispatcher(theblockpool, p.nodesToBeIncluded,
-        p.nodesToBeExcluded, conf);
+        p.nodesToBeExcluded, movedWinWidth, moverThreads, dispatcherThreads,
+        maxConcurrentMovesPerNode, conf);
     this.threshold = p.threshold;
     this.policy = p.policy;
   }
@@ -255,7 +270,7 @@ private long init(List<DatanodeStorageReport> reports) {
     //   over-utilized, above-average, below-average and under-utilized.
     long overLoadedBytes = 0L, underLoadedBytes = 0L;
     for(DatanodeStorageReport r : reports) {
-      final BalancerDatanode dn = dispatcher.newDatanode(r);
+      final DDatanode dn = dispatcher.newDatanode(r);
       for(StorageType t : StorageType.asList()) {
         final Double utilization = policy.getUtilization(r, t);
         if (utilization == null) { // datanode does not have such storage type 
@@ -268,9 +283,9 @@ private long init(List<DatanodeStorageReport> reports) {
         final long maxSize2Move = computeMaxSize2Move(capacity,
             getRemaining(r, t), utilizationDiff, threshold);
 
-        final BalancerDatanode.StorageGroup g;
+        final StorageGroup g;
         if (utilizationDiff > 0) {
-          final Source s = dn.addSource(t, utilization, maxSize2Move, dispatcher);
+          final Source s = dn.addSource(t, maxSize2Move, dispatcher);
           if (thresholdDiff <= 0) { // within threshold
             aboveAvgUtilized.add(s);
           } else {
@@ -279,7 +294,7 @@ private long init(List<DatanodeStorageReport> reports) {
           }
           g = s;
         } else {
-          g = dn.addStorageGroup(t, utilization, maxSize2Move);
+          g = dn.addStorageGroup(t, maxSize2Move);
           if (thresholdDiff <= 0) { // within threshold
             belowAvgUtilized.add(g);
           } else {
@@ -328,7 +343,7 @@ private void logUtilizationCollections() {
     logUtilizationCollection("underutilized", underUtilized);
   }
 
-  private static <T extends BalancerDatanode.StorageGroup>
+  private static <T extends StorageGroup>
       void logUtilizationCollection(String name, Collection<T> items) {
     LOG.info(items.size() + " " + name + ": " + items);
   }
@@ -381,8 +396,7 @@ private void chooseStorageGroups(final Matcher matcher) {
    * datanodes or the candidates are source nodes with (utilization > Avg), and
    * the others are target nodes with (utilization < Avg).
    */
-  private <G extends BalancerDatanode.StorageGroup,
-           C extends BalancerDatanode.StorageGroup>
+  private <G extends StorageGroup, C extends StorageGroup>
       void chooseStorageGroups(Collection<G> groups, Collection<C> candidates,
           Matcher matcher) {
     for(final Iterator<G> i = groups.iterator(); i.hasNext();) {
@@ -398,9 +412,8 @@ void chooseStorageGroups(Collection<G> groups, Collection<C> candidates,
    * For the given datanode, choose a candidate and then schedule it.
    * @return true if a candidate is chosen; false if no candidates is chosen.
    */
-  private <C extends BalancerDatanode.StorageGroup>
-      boolean choose4One(BalancerDatanode.StorageGroup g,
-          Collection<C> candidates, Matcher matcher) {
+  private <C extends StorageGroup> boolean choose4One(StorageGroup g,
+      Collection<C> candidates, Matcher matcher) {
     final Iterator<C> i = candidates.iterator();
     final C chosen = chooseCandidate(g, i, matcher);
   
@@ -418,8 +431,7 @@ boolean choose4One(BalancerDatanode.StorageGroup g,
     return true;
   }
   
-  private void matchSourceWithTargetToMove(Source source,
-      BalancerDatanode.StorageGroup target) {
+  private void matchSourceWithTargetToMove(Source source, StorageGroup target) {
     long size = Math.min(source.availableSizeToMove(), target.availableSizeToMove());
     final Task task = new Task(target, size);
     source.addTask(task);
@@ -430,8 +442,7 @@ private void matchSourceWithTargetToMove(Source source,
   }
   
   /** Choose a candidate for the given datanode. */
-  private <G extends BalancerDatanode.StorageGroup,
-           C extends BalancerDatanode.StorageGroup>
+  private <G extends StorageGroup, C extends StorageGroup>
       C chooseCandidate(G g, Iterator<C> candidates, Matcher matcher) {
     if (g.hasSpaceForScheduling()) {
       for(; candidates.hasNext(); ) {
@@ -439,7 +450,7 @@ C chooseCandidate(G g, Iterator<C> candidates, Matcher matcher) {
         if (!c.hasSpaceForScheduling()) {
           candidates.remove();
         } else if (matcher.match(dispatcher.getCluster(),
-            g.getDatanode(), c.getDatanode())) {
+            g.getDatanodeInfo(), c.getDatanodeInfo())) {
           return c;
         }
       }
@@ -457,34 +468,15 @@ private void resetData(Configuration conf) {
     dispatcher.reset(conf);;
   }
   
-  // Exit status
-  enum ReturnStatus {
-    // These int values will map directly to the balancer process's exit code.
-    SUCCESS(0),
-    IN_PROGRESS(1),
-    ALREADY_RUNNING(-1),
-    NO_MOVE_BLOCK(-2),
-    NO_MOVE_PROGRESS(-3),
-    IO_EXCEPTION(-4),
-    ILLEGAL_ARGS(-5),
-    INTERRUPTED(-6);
-
-    final int code;
-
-    ReturnStatus(int code) {
-      this.code = code;
-    }
-  }
-
   /** Run an iteration for all datanodes. */
-  private ReturnStatus run(int iteration, Formatter formatter,
+  private ExitStatus run(int iteration, Formatter formatter,
       Configuration conf) {
     try {
       final List<DatanodeStorageReport> reports = dispatcher.init();
       final long bytesLeftToMove = init(reports);
       if (bytesLeftToMove == 0) {
         System.out.println("The cluster is balanced. Exiting...");
-        return ReturnStatus.SUCCESS;
+        return ExitStatus.SUCCESS;
       } else {
         LOG.info( "Need to move "+ StringUtils.byteDesc(bytesLeftToMove)
             + " to make the cluster balanced." );
@@ -498,7 +490,7 @@ private ReturnStatus run(int iteration, Formatter formatter,
       final long bytesToMove = chooseStorageGroups();
       if (bytesToMove == 0) {
         System.out.println("No block can be moved. Exiting...");
-        return ReturnStatus.NO_MOVE_BLOCK;
+        return ExitStatus.NO_MOVE_BLOCK;
       } else {
         LOG.info( "Will move " + StringUtils.byteDesc(bytesToMove) +
             " in this iteration");
@@ -519,19 +511,19 @@ private ReturnStatus run(int iteration, Formatter formatter,
        * Exit no byte has been moved for 5 consecutive iterations.
        */
       if (!dispatcher.dispatchAndCheckContinue()) {
-        return ReturnStatus.NO_MOVE_PROGRESS;
+        return ExitStatus.NO_MOVE_PROGRESS;
       }
 
-      return ReturnStatus.IN_PROGRESS;
+      return ExitStatus.IN_PROGRESS;
     } catch (IllegalArgumentException e) {
       System.out.println(e + ".  Exiting ...");
-      return ReturnStatus.ILLEGAL_ARGS;
+      return ExitStatus.ILLEGAL_ARGUMENTS;
     } catch (IOException e) {
       System.out.println(e + ".  Exiting ...");
-      return ReturnStatus.IO_EXCEPTION;
+      return ExitStatus.IO_EXCEPTION;
     } catch (InterruptedException e) {
       System.out.println(e + ".  Exiting ...");
-      return ReturnStatus.INTERRUPTED;
+      return ExitStatus.INTERRUPTED;
     } finally {
       dispatcher.shutdownNow();
     }
@@ -570,14 +562,14 @@ static int run(Collection<URI> namenodes, final Parameters p,
         Collections.shuffle(connectors);
         for(NameNodeConnector nnc : connectors) {
           final Balancer b = new Balancer(nnc, p, conf);
-          final ReturnStatus r = b.run(iteration, formatter, conf);
+          final ExitStatus r = b.run(iteration, formatter, conf);
           // clean all lists
           b.resetData(conf);
-          if (r == ReturnStatus.IN_PROGRESS) {
+          if (r == ExitStatus.IN_PROGRESS) {
             done = false;
-          } else if (r != ReturnStatus.SUCCESS) {
+          } else if (r != ExitStatus.SUCCESS) {
             //must be an error statue, return.
-            return r.code;
+            return r.getExitCode();
           }
         }
 
@@ -590,7 +582,7 @@ static int run(Collection<URI> namenodes, final Parameters p,
         nnc.close();
       }
     }
-    return ReturnStatus.SUCCESS.code;
+    return ExitStatus.SUCCESS.getExitCode();
   }
 
   /* Given elaspedTime in ms, return a printable string */
@@ -661,10 +653,10 @@ public int run(String[] args) {
         return Balancer.run(namenodes, parse(args), conf);
       } catch (IOException e) {
         System.out.println(e + ".  Exiting ...");
-        return ReturnStatus.IO_EXCEPTION.code;
+        return ExitStatus.IO_EXCEPTION.getExitCode();
       } catch (InterruptedException e) {
         System.out.println(e + ".  Exiting ...");
-        return ReturnStatus.INTERRUPTED.code;
+        return ExitStatus.INTERRUPTED.getExitCode();
       } finally {
         System.out.format("%-24s ", DateFormat.getDateTimeInstance().format(new Date()));
         System.out.println("Balancing took " + time2Str(Time.now()-startTime));
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
index e8236bbe1c0..4a6f96be7e5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
@@ -48,7 +48,6 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
-import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.DFSUtil;
 import org.apache.hadoop.hdfs.StorageType;
 import org.apache.hadoop.hdfs.protocol.Block;
@@ -63,6 +62,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.BlockOpResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.Status;
 import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
+import org.apache.hadoop.hdfs.server.balancer.Dispatcher.DDatanode.StorageGroup;
 import org.apache.hadoop.hdfs.server.common.HdfsServerConstants;
 import org.apache.hadoop.hdfs.server.protocol.BlocksWithLocations;
 import org.apache.hadoop.hdfs.server.protocol.BlocksWithLocations.BlockWithLocations;
@@ -91,7 +91,6 @@ public class Dispatcher {
                                                                      // minutes
 
   private final NameNodeConnector nnc;
-  private final KeyManager keyManager;
   private final SaslDataTransferClient saslClient;
 
   /** Set of datanodes to be excluded. */
@@ -100,11 +99,10 @@ public class Dispatcher {
   private final Set<String> includedNodes;
 
   private final Collection<Source> sources = new HashSet<Source>();
-  private final Collection<BalancerDatanode.StorageGroup> targets
-      = new HashSet<BalancerDatanode.StorageGroup>();
+  private final Collection<StorageGroup> targets = new HashSet<StorageGroup>();
 
   private final GlobalBlockMap globalBlocks = new GlobalBlockMap();
-  private final MovedBlocks<BalancerDatanode.StorageGroup> movedBlocks;
+  private final MovedBlocks<StorageGroup> movedBlocks;
 
   /** Map (datanodeUuid,storageType -> StorageGroup) */
   private final StorageGroupMap storageGroupMap = new StorageGroupMap();
@@ -135,8 +133,7 @@ private DBlock get(Block b) {
     }
     
     /** Remove all blocks except for the moved blocks. */
-    private void removeAllButRetain(
-        MovedBlocks<BalancerDatanode.StorageGroup> movedBlocks) {
+    private void removeAllButRetain(MovedBlocks<StorageGroup> movedBlocks) {
       for (Iterator<Block> i = map.keySet().iterator(); i.hasNext();) {
         if (!movedBlocks.contains(i.next())) {
           i.remove();
@@ -150,17 +147,15 @@ private static String toKey(String datanodeUuid, StorageType storageType) {
       return datanodeUuid + ":" + storageType;
     }
 
-    private final Map<String, BalancerDatanode.StorageGroup> map
-        = new HashMap<String, BalancerDatanode.StorageGroup>();
+    private final Map<String, StorageGroup> map = new HashMap<String, StorageGroup>();
 
-    BalancerDatanode.StorageGroup get(String datanodeUuid,
-        StorageType storageType) {
+    StorageGroup get(String datanodeUuid, StorageType storageType) {
       return map.get(toKey(datanodeUuid, storageType));
     }
 
-    void put(BalancerDatanode.StorageGroup g) {
-      final String key = toKey(g.getDatanode().getDatanodeUuid(), g.storageType);
-      final BalancerDatanode.StorageGroup existing = map.put(key, g);
+    void put(StorageGroup g) {
+      final String key = toKey(g.getDatanodeInfo().getDatanodeUuid(), g.storageType);
+      final StorageGroup existing = map.put(key, g);
       Preconditions.checkState(existing == null);
     }
 
@@ -177,8 +172,8 @@ void clear() {
   private class PendingMove {
     private DBlock block;
     private Source source;
-    private BalancerDatanode proxySource;
-    private BalancerDatanode.StorageGroup target;
+    private DDatanode proxySource;
+    private StorageGroup target;
 
     private PendingMove() {
     }
@@ -235,24 +230,24 @@ private boolean markMovedIfGoodBlock(DBlock block) {
      * @return true if a proxy is found; otherwise false
      */
     private boolean chooseProxySource() {
-      final DatanodeInfo targetDN = target.getDatanode();
+      final DatanodeInfo targetDN = target.getDatanodeInfo();
       // if node group is supported, first try add nodes in the same node group
       if (cluster.isNodeGroupAware()) {
-        for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
-          if (cluster.isOnSameNodeGroup(loc.getDatanode(), targetDN)
+        for (StorageGroup loc : block.getLocations()) {
+          if (cluster.isOnSameNodeGroup(loc.getDatanodeInfo(), targetDN)
               && addTo(loc)) {
             return true;
           }
         }
       }
       // check if there is replica which is on the same rack with the target
-      for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
-        if (cluster.isOnSameRack(loc.getDatanode(), targetDN) && addTo(loc)) {
+      for (StorageGroup loc : block.getLocations()) {
+        if (cluster.isOnSameRack(loc.getDatanodeInfo(), targetDN) && addTo(loc)) {
           return true;
         }
       }
       // find out a non-busy replica
-      for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
+      for (StorageGroup loc : block.getLocations()) {
         if (addTo(loc)) {
           return true;
         }
@@ -261,10 +256,10 @@ && addTo(loc)) {
     }
 
     /** add to a proxy source for specific block movement */
-    private boolean addTo(BalancerDatanode.StorageGroup g) {
-      final BalancerDatanode bdn = g.getBalancerDatanode();
-      if (bdn.addPendingBlock(this)) {
-        proxySource = bdn;
+    private boolean addTo(StorageGroup g) {
+      final DDatanode dn = g.getDDatanode();
+      if (dn.addPendingBlock(this)) {
+        proxySource = dn;
         return true;
       }
       return false;
@@ -281,14 +276,13 @@ private void dispatch() {
       DataInputStream in = null;
       try {
         sock.connect(
-            NetUtils.createSocketAddr(target.getDatanode().getXferAddr()),
+            NetUtils.createSocketAddr(target.getDatanodeInfo().getXferAddr()),
             HdfsServerConstants.READ_TIMEOUT);
         /*
          * Unfortunately we don't have a good way to know if the Datanode is
          * taking a really long time to move a block, OR something has gone
          * wrong and it's never going to finish. To deal with this scenario, we
-         * set a long timeout (20 minutes) to avoid hanging the balancer
-         * indefinitely.
+         * set a long timeout (20 minutes) to avoid hanging indefinitely.
          */
         sock.setSoTimeout(BLOCK_MOVE_READ_TIMEOUT);
 
@@ -298,9 +292,10 @@ private void dispatch() {
         InputStream unbufIn = sock.getInputStream();
         ExtendedBlock eb = new ExtendedBlock(nnc.getBlockpoolID(),
             block.getBlock());
-        Token<BlockTokenIdentifier> accessToken = keyManager.getAccessToken(eb);
+        final KeyManager km = nnc.getKeyManager(); 
+        Token<BlockTokenIdentifier> accessToken = km.getAccessToken(eb);
         IOStreamPair saslStreams = saslClient.socketSend(sock, unbufOut,
-            unbufIn, keyManager, accessToken, target.getDatanode());
+            unbufIn, km, accessToken, target.getDatanodeInfo());
         unbufOut = saslStreams.out;
         unbufIn = saslStreams.in;
         out = new DataOutputStream(new BufferedOutputStream(unbufOut,
@@ -314,21 +309,19 @@ private void dispatch() {
         LOG.info("Successfully moved " + this);
       } catch (IOException e) {
         LOG.warn("Failed to move " + this + ": " + e.getMessage());
-        /*
-         * proxy or target may have an issue, insert a small delay before using
-         * these nodes further. This avoids a potential storm of
-         * "threads quota exceeded" Warnings when the balancer gets out of sync
-         * with work going on in datanode.
-         */
+        // Proxy or target may have some issues, delay before using these nodes
+        // further in order to avoid a potential storm of "threads quota
+        // exceeded" warnings when the dispatcher gets out of sync with work
+        // going on in datanodes.
         proxySource.activateDelay(DELAY_AFTER_ERROR);
-        target.getBalancerDatanode().activateDelay(DELAY_AFTER_ERROR);
+        target.getDDatanode().activateDelay(DELAY_AFTER_ERROR);
       } finally {
         IOUtils.closeStream(out);
         IOUtils.closeStream(in);
         IOUtils.closeSocket(sock);
 
         proxySource.removePendingBlock(this);
-        target.getBalancerDatanode().removePendingBlock(this);
+        target.getDDatanode().removePendingBlock(this);
 
         synchronized (this) {
           reset();
@@ -342,8 +335,8 @@ private void dispatch() {
     /** Send a block replace request to the output stream */
     private void sendRequest(DataOutputStream out, ExtendedBlock eb,
         Token<BlockTokenIdentifier> accessToken) throws IOException {
-      new Sender(out).replaceBlock(eb, target.storageType, accessToken, source
-          .getDatanode().getDatanodeUuid(), proxySource.datanode);
+      new Sender(out).replaceBlock(eb, target.storageType, accessToken,
+          source.getDatanodeInfo().getDatanodeUuid(), proxySource.datanode);
     }
 
     /** Receive a block copy response from the input stream */
@@ -368,8 +361,7 @@ private void reset() {
   }
 
   /** A class for keeping track of block locations in the dispatcher. */
-  private static class DBlock extends
-      MovedBlocks.Locations<BalancerDatanode.StorageGroup> {
+  private static class DBlock extends MovedBlocks.Locations<StorageGroup> {
     DBlock(Block block) {
       super(block);
     }
@@ -377,10 +369,10 @@ private static class DBlock extends
 
   /** The class represents a desired move. */
   static class Task {
-    private final BalancerDatanode.StorageGroup target;
+    private final StorageGroup target;
     private long size; // bytes scheduled to move
 
-    Task(BalancerDatanode.StorageGroup target, long size) {
+    Task(StorageGroup target, long size) {
       this.target = target;
       this.size = size;
     }
@@ -391,28 +383,25 @@ long getSize() {
   }
 
   /** A class that keeps track of a datanode. */
-  static class BalancerDatanode {
+  static class DDatanode {
 
     /** A group of storages in a datanode with the same storage type. */
     class StorageGroup {
       final StorageType storageType;
-      final double utilization;
       final long maxSize2Move;
       private long scheduledSize = 0L;
 
-      private StorageGroup(StorageType storageType, double utilization,
-          long maxSize2Move) {
+      private StorageGroup(StorageType storageType, long maxSize2Move) {
         this.storageType = storageType;
-        this.utilization = utilization;
         this.maxSize2Move = maxSize2Move;
       }
 
-      BalancerDatanode getBalancerDatanode() {
-        return BalancerDatanode.this;
+      private DDatanode getDDatanode() {
+        return DDatanode.this;
       }
 
-      DatanodeInfo getDatanode() {
-        return BalancerDatanode.this.datanode;
+      DatanodeInfo getDatanodeInfo() {
+        return DDatanode.this.datanode;
       }
 
       /** Decide if still need to move more bytes */
@@ -447,7 +436,7 @@ String getDisplayName() {
 
       @Override
       public String toString() {
-        return "" + utilization;
+        return getDisplayName();
       }
     }
 
@@ -461,10 +450,10 @@ public String toString() {
 
     @Override
     public String toString() {
-      return getClass().getSimpleName() + ":" + datanode + ":" + storageMap;
+      return getClass().getSimpleName() + ":" + datanode + ":" + storageMap.values();
     }
 
-    private BalancerDatanode(DatanodeStorageReport r, int maxConcurrentMoves) {
+    private DDatanode(DatanodeStorageReport r, int maxConcurrentMoves) {
       this.datanode = r.getDatanodeInfo();
       this.maxConcurrentMoves = maxConcurrentMoves;
       this.pendings = new ArrayList<PendingMove>(maxConcurrentMoves);
@@ -475,18 +464,14 @@ private void put(StorageType storageType, StorageGroup g) {
       Preconditions.checkState(existing == null);
     }
 
-    StorageGroup addStorageGroup(StorageType storageType, double utilization,
-        long maxSize2Move) {
-      final StorageGroup g = new StorageGroup(storageType, utilization,
-          maxSize2Move);
+    StorageGroup addStorageGroup(StorageType storageType, long maxSize2Move) {
+      final StorageGroup g = new StorageGroup(storageType, maxSize2Move);
       put(storageType, g);
       return g;
     }
 
-    Source addSource(StorageType storageType, double utilization,
-        long maxSize2Move, Dispatcher balancer) {
-      final Source s = balancer.new Source(storageType, utilization,
-          maxSize2Move, this);
+    Source addSource(StorageType storageType, long maxSize2Move, Dispatcher d) {
+      final Source s = d.new Source(storageType, maxSize2Move, this);
       put(storageType, s);
       return s;
     }
@@ -528,7 +513,7 @@ synchronized boolean removePendingBlock(PendingMove pendingBlock) {
   }
 
   /** A node that can be the sources of a block move */
-  class Source extends BalancerDatanode.StorageGroup {
+  class Source extends DDatanode.StorageGroup {
 
     private final List<Task> tasks = new ArrayList<Task>(2);
     private long blocksToReceive = 0L;
@@ -539,9 +524,8 @@ class Source extends BalancerDatanode.StorageGroup {
      */
     private final List<DBlock> srcBlocks = new ArrayList<DBlock>();
 
-    private Source(StorageType storageType, double utilization,
-        long maxSize2Move, BalancerDatanode dn) {
-      dn.super(storageType, utilization, maxSize2Move);
+    private Source(StorageType storageType, long maxSize2Move, DDatanode dn) {
+      dn.super(storageType, maxSize2Move);
     }
 
     /** Add a task */
@@ -565,7 +549,7 @@ Iterator<DBlock> getBlockIterator() {
      */
     private long getBlockList() throws IOException {
       final long size = Math.min(MAX_BLOCKS_SIZE_TO_FETCH, blocksToReceive);
-      final BlocksWithLocations newBlocks = nnc.getBlocks(getDatanode(), size);
+      final BlocksWithLocations newBlocks = nnc.getBlocks(getDatanodeInfo(), size);
 
       long bytesReceived = 0;
       for (BlockWithLocations blk : newBlocks.getBlocks()) {
@@ -579,7 +563,7 @@ private long getBlockList() throws IOException {
             final String[] datanodeUuids = blk.getDatanodeUuids();
             final StorageType[] storageTypes = blk.getStorageTypes();
             for (int i = 0; i < datanodeUuids.length; i++) {
-              final BalancerDatanode.StorageGroup g = storageGroupMap.get(
+              final StorageGroup g = storageGroupMap.get(
                   datanodeUuids[i], storageTypes[i]);
               if (g != null) { // not unknown
                 block.addLocation(g);
@@ -617,7 +601,7 @@ private boolean isGoodBlockCandidate(DBlock block) {
     private PendingMove chooseNextMove() {
       for (Iterator<Task> i = tasks.iterator(); i.hasNext();) {
         final Task task = i.next();
-        final BalancerDatanode target = task.target.getBalancerDatanode();
+        final DDatanode target = task.target.getDDatanode();
         PendingMove pendingBlock = new PendingMove();
         if (target.addPendingBlock(pendingBlock)) {
           // target is not busy, so do a tentative block allocation
@@ -670,7 +654,7 @@ private void dispatchBlocks() {
       final long startTime = Time.monotonicNow();
       this.blocksToReceive = 2 * getScheduledSize();
       boolean isTimeUp = false;
-      int noPendingBlockIteration = 0;
+      int noPendingMoveIteration = 0;
       while (!isTimeUp && getScheduledSize() > 0
           && (!srcBlocks.isEmpty() || blocksToReceive > 0)) {
         final PendingMove p = chooseNextMove();
@@ -699,11 +683,11 @@ public void run() {
             return;
           }
         } else {
-          // source node cannot find a pendingBlockToMove, iteration +1
-          noPendingBlockIteration++;
+          // source node cannot find a pending block to move, iteration +1
+          noPendingMoveIteration++;
           // in case no blocks can be moved for source node's task,
           // jump out of while-loop after 5 iterations.
-          if (noPendingBlockIteration >= MAX_NO_PENDING_MOVE_ITERATIONS) {
+          if (noPendingMoveIteration >= MAX_NO_PENDING_MOVE_ITERATIONS) {
             resetScheduledSize();
           }
         }
@@ -726,29 +710,19 @@ public void run() {
     }
   }
 
-  Dispatcher(NameNodeConnector theblockpool, Set<String> includedNodes,
-      Set<String> excludedNodes, Configuration conf) {
-    this.nnc = theblockpool;
-    this.keyManager = nnc.getKeyManager();
+  public Dispatcher(NameNodeConnector nnc, Set<String> includedNodes,
+      Set<String> excludedNodes, long movedWinWidth, int moverThreads,
+      int dispatcherThreads, int maxConcurrentMovesPerNode, Configuration conf) {
+    this.nnc = nnc;
     this.excludedNodes = excludedNodes;
     this.includedNodes = includedNodes;
-
-    final long movedWinWidth = conf.getLong(
-        DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_KEY,
-        DFSConfigKeys.DFS_BALANCER_MOVEDWINWIDTH_DEFAULT);
-    movedBlocks = new MovedBlocks<BalancerDatanode.StorageGroup>(movedWinWidth);
+    this.movedBlocks = new MovedBlocks<StorageGroup>(movedWinWidth);
 
     this.cluster = NetworkTopology.getInstance(conf);
 
-    this.moveExecutor = Executors.newFixedThreadPool(conf.getInt(
-        DFSConfigKeys.DFS_BALANCER_MOVERTHREADS_KEY,
-        DFSConfigKeys.DFS_BALANCER_MOVERTHREADS_DEFAULT));
-    this.dispatchExecutor = Executors.newFixedThreadPool(conf.getInt(
-        DFSConfigKeys.DFS_BALANCER_DISPATCHERTHREADS_KEY,
-        DFSConfigKeys.DFS_BALANCER_DISPATCHERTHREADS_DEFAULT));
-    this.maxConcurrentMovesPerNode = conf.getInt(
-        DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_KEY,
-        DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_DEFAULT);
+    this.moveExecutor = Executors.newFixedThreadPool(moverThreads);
+    this.dispatchExecutor = Executors.newFixedThreadPool(dispatcherThreads);
+    this.maxConcurrentMovesPerNode = maxConcurrentMovesPerNode;
 
     final boolean fallbackToSimpleAuthAllowed = conf.getBoolean(
         CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY,
@@ -784,7 +758,7 @@ long bytesToMove() {
     return b;
   }
 
-  void add(Source source, BalancerDatanode.StorageGroup target) {
+  void add(Source source, StorageGroup target) {
     sources.add(source);
     targets.add(target);
   }
@@ -826,8 +800,8 @@ List<DatanodeStorageReport> init() throws IOException {
     return trimmed;
   }
 
-  public BalancerDatanode newDatanode(DatanodeStorageReport r) {
-    return new BalancerDatanode(r, maxConcurrentMovesPerNode);
+  public DDatanode newDatanode(DatanodeStorageReport r) {
+    return new DDatanode(r, maxConcurrentMovesPerNode);
   }
 
   public boolean dispatchAndCheckContinue() throws InterruptedException {
@@ -884,8 +858,8 @@ static void setBlockMoveWaitTime(long time) {
   private void waitForMoveCompletion() {
     for(;;) {
       boolean empty = true;
-      for (BalancerDatanode.StorageGroup t : targets) {
-        if (!t.getBalancerDatanode().isPendingQEmpty()) {
+      for (StorageGroup t : targets) {
+        if (!t.getDDatanode().isPendingQEmpty()) {
           empty = false;
           break;
         }
@@ -907,8 +881,8 @@ private void waitForMoveCompletion() {
    * 2. the block does not have a replica on the target;
    * 3. doing the move does not reduce the number of racks that the block has
    */
-  private boolean isGoodBlockCandidate(Source source,
-      BalancerDatanode.StorageGroup target, DBlock block) {
+  private boolean isGoodBlockCandidate(Source source, StorageGroup target,
+      DBlock block) {
     if (source.storageType != target.storageType) {
       return false;
     }
@@ -933,17 +907,17 @@ && isOnSameNodeGroupWithReplicas(target, block, source)) {
    * Determine whether moving the given block replica from source to target
    * would reduce the number of racks of the block replicas.
    */
-  private boolean reduceNumOfRacks(Source source,
-      BalancerDatanode.StorageGroup target, DBlock block) {
-    final DatanodeInfo sourceDn = source.getDatanode();
-    if (cluster.isOnSameRack(sourceDn, target.getDatanode())) {
+  private boolean reduceNumOfRacks(Source source, StorageGroup target,
+      DBlock block) {
+    final DatanodeInfo sourceDn = source.getDatanodeInfo();
+    if (cluster.isOnSameRack(sourceDn, target.getDatanodeInfo())) {
       // source and target are on the same rack
       return false;
     }
     boolean notOnSameRack = true;
     synchronized (block) {
-      for (BalancerDatanode.StorageGroup loc : block.getLocations()) {
-        if (cluster.isOnSameRack(loc.getDatanode(), target.getDatanode())) {
+      for (StorageGroup loc : block.getLocations()) {
+        if (cluster.isOnSameRack(loc.getDatanodeInfo(), target.getDatanodeInfo())) {
           notOnSameRack = false;
           break;
         }
@@ -953,8 +927,8 @@ private boolean reduceNumOfRacks(Source source,
       // target is not on the same rack as any replica
       return false;
     }
-    for (BalancerDatanode.StorageGroup g : block.getLocations()) {
-      if (g != source && cluster.isOnSameRack(g.getDatanode(), sourceDn)) {
+    for (StorageGroup g : block.getLocations()) {
+      if (g != source && cluster.isOnSameRack(g.getDatanodeInfo(), sourceDn)) {
         // source is on the same rack of another replica
         return false;
       }
@@ -971,10 +945,10 @@ private boolean reduceNumOfRacks(Source source,
    *         group with target
    */
   private boolean isOnSameNodeGroupWithReplicas(
-      BalancerDatanode.StorageGroup target, DBlock block, Source source) {
-    final DatanodeInfo targetDn = target.getDatanode();
-    for (BalancerDatanode.StorageGroup g : block.getLocations()) {
-      if (g != source && cluster.isOnSameNodeGroup(g.getDatanode(), targetDn)) {
+      StorageGroup target, DBlock block, Source source) {
+    final DatanodeInfo targetDn = target.getDatanodeInfo();
+    for (StorageGroup g : block.getLocations()) {
+      if (g != source && cluster.isOnSameNodeGroup(g.getDatanodeInfo(), targetDn)) {
         return true;
       }
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/ExitStatus.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/ExitStatus.java
new file mode 100644
index 00000000000..e36258ffca7
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/ExitStatus.java
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.server.balancer;
+
+/**
+ * Exit status - The values associated with each exit status is directly mapped
+ * to the process's exit code in command line.
+ */
+public enum ExitStatus {
+  SUCCESS(0),
+  IN_PROGRESS(1),
+  ALREADY_RUNNING(-1),
+  NO_MOVE_BLOCK(-2),
+  NO_MOVE_PROGRESS(-3),
+  IO_EXCEPTION(-4),
+  ILLEGAL_ARGUMENTS(-5),
+  INTERRUPTED(-6);
+
+  private final int code;
+
+  private ExitStatus(int code) {
+    this.code = code;
+  }
+  
+  /** @return the command line exit code. */
+  public int getExitCode() {
+    return code;
+  }
+}
\ No newline at end of file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
index 2e59daf8d08..d509668bdc3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancer.java
@@ -570,10 +570,10 @@ private void runBalancer(Configuration conf,
     final int r = Balancer.run(namenodes, p, conf);
     if (conf.getInt(DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_KEY, 
         DFSConfigKeys.DFS_DATANODE_BALANCE_MAX_NUM_CONCURRENT_MOVES_DEFAULT) ==0) {
-      assertEquals(Balancer.ReturnStatus.NO_MOVE_PROGRESS.code, r);
+      assertEquals(ExitStatus.NO_MOVE_PROGRESS.getExitCode(), r);
       return;
     } else {
-      assertEquals(Balancer.ReturnStatus.SUCCESS.code, r);
+      assertEquals(ExitStatus.SUCCESS.getExitCode(), r);
     }
     waitForHeartBeat(totalUsedSpace, totalCapacity, client, cluster);
     LOG.info("Rebalancing with default ctor.");
@@ -717,7 +717,7 @@ public void testUnknownDatanode() throws Exception {
           Balancer.Parameters.DEFAULT.threshold,
           datanodes, Balancer.Parameters.DEFAULT.nodesToBeIncluded);
       final int r = Balancer.run(namenodes, p, conf);
-      assertEquals(Balancer.ReturnStatus.SUCCESS.code, r);
+      assertEquals(ExitStatus.SUCCESS.getExitCode(), r);
     } finally {
       cluster.shutdown();
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java
index c543f73695b..d9d70d1a3ce 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithHANameNodes.java
@@ -98,7 +98,7 @@ public void testBalancerWithHANameNodes() throws Exception {
       assertEquals(1, namenodes.size());
       assertTrue(namenodes.contains(HATestUtil.getLogicalUri(cluster)));
       final int r = Balancer.run(namenodes, Balancer.Parameters.DEFAULT, conf);
-      assertEquals(Balancer.ReturnStatus.SUCCESS.code, r);
+      assertEquals(ExitStatus.SUCCESS.getExitCode(), r);
       TestBalancer.waitForBalancer(totalUsedSpace, totalCapacity, client,
           cluster, Balancer.Parameters.DEFAULT);
     } finally {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java
index 9f8bb32a1b0..a16a9791009 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithMultipleNameNodes.java
@@ -160,7 +160,7 @@ static void runBalancer(Suite s,
     // start rebalancing
     final Collection<URI> namenodes = DFSUtil.getNsServiceRpcUris(s.conf);
     final int r = Balancer.run(namenodes, Balancer.Parameters.DEFAULT, s.conf);
-    Assert.assertEquals(Balancer.ReturnStatus.SUCCESS.code, r);
+    Assert.assertEquals(ExitStatus.SUCCESS.getExitCode(), r);
 
     LOG.info("BALANCER 2");
     wait(s.clients, totalUsed, totalCapacity);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java
index ef21a7586d9..9961a2e2704 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/balancer/TestBalancerWithNodeGroup.java
@@ -176,7 +176,7 @@ private void runBalancer(Configuration conf,
     // start rebalancing
     Collection<URI> namenodes = DFSUtil.getNsServiceRpcUris(conf);
     final int r = Balancer.run(namenodes, Balancer.Parameters.DEFAULT, conf);
-    assertEquals(Balancer.ReturnStatus.SUCCESS.code, r);
+    assertEquals(ExitStatus.SUCCESS.getExitCode(), r);
 
     waitForHeartBeat(totalUsedSpace, totalCapacity);
     LOG.info("Rebalancing with default factor.");
@@ -190,8 +190,8 @@ private void runBalancerCanFinish(Configuration conf,
     // start rebalancing
     Collection<URI> namenodes = DFSUtil.getNsServiceRpcUris(conf);
     final int r = Balancer.run(namenodes, Balancer.Parameters.DEFAULT, conf);
-    Assert.assertTrue(r == Balancer.ReturnStatus.SUCCESS.code ||
-        (r == Balancer.ReturnStatus.NO_MOVE_PROGRESS.code));
+    Assert.assertTrue(r == ExitStatus.SUCCESS.getExitCode() ||
+        (r == ExitStatus.NO_MOVE_PROGRESS.getExitCode()));
     waitForHeartBeat(totalUsedSpace, totalCapacity);
     LOG.info("Rebalancing with default factor.");
   }

From c4dc6853439d54076c6875e66accfc61dddf74d1 Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Mon, 11 Aug 2014 18:24:24 +0000
Subject: [PATCH 183/354] YARN-2138. Cleaned up notifyDone* APIs in
 RMStateStore. Contributed by Varun Saxena

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617341 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |  3 +
 .../recovery/RMStateStore.java                | 71 ++++++++-----------
 .../resourcemanager/rmapp/RMAppImpl.java      | 18 -----
 .../rmapp/RMAppNewSavedEvent.java             | 36 ----------
 .../rmapp/RMAppUpdateSavedEvent.java          | 36 ----------
 .../rmapp/attempt/RMAppAttemptImpl.java       | 26 -------
 .../event/RMAppAttemptNewSavedEvent.java      | 39 ----------
 .../event/RMAppAttemptUpdateSavedEvent.java   | 38 ----------
 .../recovery/RMStateStoreTestBase.java        |  9 +--
 .../rmapp/TestRMAppTransitions.java           | 13 ++--
 .../attempt/TestRMAppAttemptTransitions.java  | 16 ++---
 11 files changed, 47 insertions(+), 258 deletions(-)
 delete mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppNewSavedEvent.java
 delete mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppUpdateSavedEvent.java
 delete mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/event/RMAppAttemptNewSavedEvent.java
 delete mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/event/RMAppAttemptUpdateSavedEvent.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index c149ef5d42a..daa5197f893 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -110,6 +110,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2337. ResourceManager sets ClientRMService in RMContext multiple times.
     (Zhihai Xu via kasha)
 
+    YARN-2138. Cleaned up notifyDone* APIs in RMStateStore. (Varun Saxena via
+    jianhe)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
index 876a2ea87d7..714a108ecec 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java
@@ -52,13 +52,13 @@
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppNewSavedEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEventType;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppUpdateSavedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEventType;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptNewSavedEvent;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptUpdateSavedEvent;
 import org.apache.hadoop.yarn.state.InvalidStateTransitonException;
 import org.apache.hadoop.yarn.state.SingleArcTransition;
 import org.apache.hadoop.yarn.state.StateMachine;
@@ -132,7 +132,8 @@ public void transition(RMStateStore store, RMStateStoreEvent event) {
       LOG.info("Storing info for app: " + appId);
       try {
         store.storeApplicationStateInternal(appId, appStateData);
-        store.notifyDoneStoringApplication(appId, null);
+        store.notifyApplication(new RMAppEvent(appId,
+               RMAppEventType.APP_NEW_SAVED));
       } catch (Exception e) {
         LOG.error("Error storing app: " + appId, e);
         store.notifyStoreOperationFailed(e);
@@ -156,7 +157,8 @@ public void transition(RMStateStore store, RMStateStoreEvent event) {
       LOG.info("Updating info for app: " + appId);
       try {
         store.updateApplicationStateInternal(appId, appStateData);
-        store.notifyDoneUpdatingApplication(appId, null);
+        store.notifyApplication(new RMAppEvent(appId,
+               RMAppEventType.APP_UPDATE_SAVED));
       } catch (Exception e) {
         LOG.error("Error updating app: " + appId, e);
         store.notifyStoreOperationFailed(e);
@@ -205,8 +207,9 @@ public void transition(RMStateStore store, RMStateStoreEvent event) {
         }
         store.storeApplicationAttemptStateInternal(attemptState.getAttemptId(),
             attemptStateData);
-        store.notifyDoneStoringApplicationAttempt(attemptState.getAttemptId(),
-            null);
+        store.notifyApplicationAttempt(new RMAppAttemptEvent
+               (attemptState.getAttemptId(),
+               RMAppAttemptEventType.ATTEMPT_NEW_SAVED));
       } catch (Exception e) {
         LOG.error("Error storing appAttempt: " + attemptState.getAttemptId(), e);
         store.notifyStoreOperationFailed(e);
@@ -233,8 +236,9 @@ public void transition(RMStateStore store, RMStateStoreEvent event) {
         }
         store.updateApplicationAttemptStateInternal(attemptState.getAttemptId(),
             attemptStateData);
-        store.notifyDoneUpdatingApplicationAttempt(attemptState.getAttemptId(),
-            null);
+        store.notifyApplicationAttempt(new RMAppAttemptEvent
+               (attemptState.getAttemptId(),
+               RMAppAttemptEventType.ATTEMPT_UPDATE_SAVED));
       } catch (Exception e) {
         LOG.error("Error updating appAttempt: " + attemptState.getAttemptId(), e);
         store.notifyStoreOperationFailed(e);
@@ -801,47 +805,28 @@ protected void notifyStoreOperationFailed(Exception failureCause) {
     }
     rmDispatcher.getEventHandler().handle(new RMFatalEvent(type, failureCause));
   }
-
+ 
   @SuppressWarnings("unchecked")
   /**
-   * In (@link handleStoreEvent}, this method is called to notify the
-   * application that new application is stored in state store
-   * @param appId id of the application that has been saved
-   * @param storedException the exception that is thrown when storing the
-   * application
+   * This method is called to notify the application that
+   * new application is stored or updated in state store
+   * @param event App event containing the app id and event type
    */
-  private void notifyDoneStoringApplication(ApplicationId appId,
-                                                  Exception storedException) {
-    rmDispatcher.getEventHandler().handle(
-        new RMAppNewSavedEvent(appId, storedException));
+  private void notifyApplication(RMAppEvent event) {
+    rmDispatcher.getEventHandler().handle(event);
   }
-
-  @SuppressWarnings("unchecked")
-  private void notifyDoneUpdatingApplication(ApplicationId appId,
-      Exception storedException) {
-    rmDispatcher.getEventHandler().handle(
-      new RMAppUpdateSavedEvent(appId, storedException));
-  }
-
+  
   @SuppressWarnings("unchecked")
   /**
-   * In (@link handleStoreEvent}, this method is called to notify the
-   * application attempt that new attempt is stored in state store
-   * @param appAttempt attempt that has been saved
+   * This method is called to notify the application attempt
+   * that new attempt is stored or updated in state store
+   * @param event App attempt event containing the app attempt
+   * id and event type
    */
-  private void notifyDoneStoringApplicationAttempt(ApplicationAttemptId attemptId,
-                                                  Exception storedException) {
-    rmDispatcher.getEventHandler().handle(
-        new RMAppAttemptNewSavedEvent(attemptId, storedException));
+  private void notifyApplicationAttempt(RMAppAttemptEvent event) {
+    rmDispatcher.getEventHandler().handle(event);
   }
-
-  @SuppressWarnings("unchecked")
-  private void notifyDoneUpdatingApplicationAttempt(ApplicationAttemptId attemptId,
-      Exception updatedException) {
-    rmDispatcher.getEventHandler().handle(
-      new RMAppAttemptUpdateSavedEvent(attemptId, updatedException));
-  }
-
+  
   /**
    * EventHandler implementation which forward events to the FSRMStateStore
    * This hides the EventHandle methods of the store from its public interface 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java
index 7c7b7541b3e..45c89592af8 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java
@@ -820,17 +820,6 @@ private static final class AddApplicationToSchedulerTransition extends
       RMAppTransition {
     @Override
     public void transition(RMAppImpl app, RMAppEvent event) {
-      if (event instanceof RMAppNewSavedEvent) {
-        RMAppNewSavedEvent storeEvent = (RMAppNewSavedEvent) event;
-        // For HA this exception needs to be handled by giving up
-        // master status if we got fenced
-        if (((RMAppNewSavedEvent) event).getStoredException() != null) {
-          LOG.error(
-            "Failed to store application: " + storeEvent.getApplicationId(),
-            storeEvent.getStoredException());
-          ExitUtil.terminate(1, storeEvent.getStoredException());
-        }
-      }
       app.handler.handle(new AppAddedSchedulerEvent(app.applicationId,
         app.submissionContext.getQueue(), app.user));
     }
@@ -848,13 +837,6 @@ private static final class FinalStateSavedTransition implements
 
     @Override
     public RMAppState transition(RMAppImpl app, RMAppEvent event) {
-      RMAppUpdateSavedEvent storeEvent = (RMAppUpdateSavedEvent) event;
-      if (storeEvent.getUpdatedException() != null) {
-        LOG.error("Failed to update the final state of application"
-              + storeEvent.getApplicationId(), storeEvent.getUpdatedException());
-        ExitUtil.terminate(1, storeEvent.getUpdatedException());
-      }
-
       if (app.transitionTodo instanceof SingleArcTransition) {
         ((SingleArcTransition) app.transitionTodo).transition(app,
           app.eventCausingFinalSaving);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppNewSavedEvent.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppNewSavedEvent.java
deleted file mode 100644
index 4d1ed146005..00000000000
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppNewSavedEvent.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.yarn.server.resourcemanager.rmapp;
-
-import org.apache.hadoop.yarn.api.records.ApplicationId;
-
-public class RMAppNewSavedEvent extends RMAppEvent {
-
-  private final Exception storedException;
-
-  public RMAppNewSavedEvent(ApplicationId appId, Exception storedException) {
-    super(appId, RMAppEventType.APP_NEW_SAVED);
-    this.storedException = storedException;
-  }
-
-  public Exception getStoredException() {
-    return storedException;
-  }
-
-}
\ No newline at end of file
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppUpdateSavedEvent.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppUpdateSavedEvent.java
deleted file mode 100644
index 42072f8cf6a..00000000000
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppUpdateSavedEvent.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.yarn.server.resourcemanager.rmapp;
-
-import org.apache.hadoop.yarn.api.records.ApplicationId;
-
-public class RMAppUpdateSavedEvent extends RMAppEvent {
-
-  private final Exception updatedException;
-
-  public RMAppUpdateSavedEvent(ApplicationId appId, Exception updatedException) {
-    super(appId, RMAppEventType.APP_UPDATE_SAVED);
-    this.updatedException = updatedException;
-  }
-
-  public Exception getUpdatedException() {
-    return updatedException;
-  }
-
-}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
index 54a210da8ca..19fc8004a55 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
@@ -80,11 +80,9 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptContainerAllocatedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptContainerFinishedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptLaunchFailedEvent;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptNewSavedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptRegistrationEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptStatusupdateEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptUnregistrationEvent;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptUpdateSavedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.Allocation;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler;
@@ -905,8 +903,6 @@ private static final class AttemptStoredTransition extends BaseTransition {
     @Override
     public void transition(RMAppAttemptImpl appAttempt,
                                                     RMAppAttemptEvent event) {
-      appAttempt.checkAttemptStoreError(event);
-
       appAttempt.launchAttempt();
     }
   }
@@ -1058,14 +1054,6 @@ private static class FinalStateSavedTransition implements
     @Override
     public RMAppAttemptState transition(RMAppAttemptImpl appAttempt,
         RMAppAttemptEvent event) {
-      RMAppAttemptUpdateSavedEvent storeEvent = (RMAppAttemptUpdateSavedEvent) event;
-      if (storeEvent.getUpdatedException() != null) {
-        LOG.error("Failed to update the final state of application attempt: "
-            + storeEvent.getApplicationAttemptId(),
-          storeEvent.getUpdatedException());
-        ExitUtil.terminate(1, storeEvent.getUpdatedException());
-      }
-
       RMAppAttemptEvent causeEvent = appAttempt.eventCausingFinalSaving;
 
       if (appAttempt.transitionTodo instanceof SingleArcTransition) {
@@ -1195,8 +1183,6 @@ private static final class UnmanagedAMAttemptSavedTransition
     @Override
     public void transition(RMAppAttemptImpl appAttempt,
                             RMAppAttemptEvent event) {
-      appAttempt.checkAttemptStoreError(event);
-
       // create AMRMToken
       appAttempt.amrmToken =
           appAttempt.rmContext.getAMRMTokenSecretManager().createAndGetAMRMToken(
@@ -1689,18 +1675,6 @@ private void attemptLaunched() {
     rmContext.getAMLivelinessMonitor().register(getAppAttemptId());
   }
   
-  private void checkAttemptStoreError(RMAppAttemptEvent event) {
-    RMAppAttemptNewSavedEvent storeEvent = (RMAppAttemptNewSavedEvent) event;
-    if(storeEvent.getStoredException() != null)
-    {
-      // This needs to be handled for HA and give up master status if we got
-      // fenced
-      LOG.error("Failed to store attempt: " + getAppAttemptId(),
-                storeEvent.getStoredException());
-      ExitUtil.terminate(1, storeEvent.getStoredException());
-    }
-  }
-
   private void storeAttempt() {
     // store attempt data in a non-blocking manner to prevent dispatcher
     // thread starvation and wait for state to be saved
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/event/RMAppAttemptNewSavedEvent.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/event/RMAppAttemptNewSavedEvent.java
deleted file mode 100644
index 97611bc34a6..00000000000
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/event/RMAppAttemptNewSavedEvent.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event;
-
-import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEvent;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEventType;
-
-public class RMAppAttemptNewSavedEvent extends RMAppAttemptEvent {
-
-  final Exception storedException;
-  
-  public RMAppAttemptNewSavedEvent(ApplicationAttemptId appAttemptId,
-                                 Exception storedException) {
-    super(appAttemptId, RMAppAttemptEventType.ATTEMPT_NEW_SAVED);
-    this.storedException = storedException;
-  }
-  
-  public Exception getStoredException() {
-    return storedException;
-  }
-
-}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/event/RMAppAttemptUpdateSavedEvent.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/event/RMAppAttemptUpdateSavedEvent.java
deleted file mode 100644
index 043f067c9b6..00000000000
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/event/RMAppAttemptUpdateSavedEvent.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event;
-
-import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEvent;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEventType;
-
-public class RMAppAttemptUpdateSavedEvent extends RMAppAttemptEvent {
-
-  final Exception updatedException;
-
-  public RMAppAttemptUpdateSavedEvent(ApplicationAttemptId appAttemptId,
-      Exception updatedException) {
-    super(appAttemptId, RMAppAttemptEventType.ATTEMPT_UPDATE_SAVED);
-    this.updatedException = updatedException;
-  }
-
-  public Exception getUpdatedException() {
-    return updatedException;
-  }
-}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
index 0da3c55b23e..620ba9f232c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreTestBase.java
@@ -65,8 +65,8 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptNewSavedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.security.AMRMTokenSecretManager;
 import org.apache.hadoop.yarn.server.resourcemanager.security.ClientToAMTokenSecretManagerInRM;
 import org.apache.hadoop.yarn.server.security.MasterKeyData;
@@ -77,10 +77,9 @@ public class RMStateStoreTestBase extends ClientBaseWithFixes{
   public static final Log LOG = LogFactory.getLog(RMStateStoreTestBase.class);
 
   static class TestDispatcher implements
-      Dispatcher, EventHandler<RMAppAttemptNewSavedEvent> {
+      Dispatcher, EventHandler<RMAppAttemptEvent> {
 
     ApplicationAttemptId attemptId;
-    Exception storedException;
 
     boolean notified = false;
 
@@ -91,9 +90,8 @@ public void register(Class<? extends Enum> eventType,
     }
 
     @Override
-    public void handle(RMAppAttemptNewSavedEvent event) {
+    public void handle(RMAppAttemptEvent event) {
       assertEquals(attemptId, event.getApplicationAttemptId());
-      assertEquals(storedException, event.getStoredException());
       notified = true;
       synchronized (this) {
         notifyAll();
@@ -163,7 +161,6 @@ ContainerId storeAttempt(RMStateStore store, ApplicationAttemptId attemptId,
     when(mockAttempt.getClientTokenMasterKey())
         .thenReturn(clientTokenMasterKey);
     dispatcher.attemptId = attemptId;
-    dispatcher.storedException = null;
     store.storeNewApplicationAttempt(mockAttempt);
     waitNotify(dispatcher);
     return container.getId();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/TestRMAppTransitions.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/TestRMAppTransitions.java
index 9ea51b120fa..2fc44319a6f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/TestRMAppTransitions.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/TestRMAppTransitions.java
@@ -60,7 +60,6 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEventType;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptUpdateSavedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.ContainerAllocationExpirer;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.AppRemovedSchedulerEvent;
@@ -328,15 +327,15 @@ private void assertFailed(RMApp application, String regex) {
 
   private void sendAppUpdateSavedEvent(RMApp application) {
     RMAppEvent event =
-        new RMAppUpdateSavedEvent(application.getApplicationId(), null);
+        new RMAppEvent(application.getApplicationId(), RMAppEventType.APP_UPDATE_SAVED);
     application.handle(event);
     rmDispatcher.await();
   }
 
   private void sendAttemptUpdateSavedEvent(RMApp application) {
     application.getCurrentAppAttempt().handle(
-      new RMAppAttemptUpdateSavedEvent(application.getCurrentAppAttempt()
-        .getAppAttemptId(), null));
+        new RMAppAttemptEvent(application.getCurrentAppAttempt().getAppAttemptId(),
+            RMAppAttemptEventType.ATTEMPT_UPDATE_SAVED));
   }
 
   protected RMApp testCreateAppNewSaving(
@@ -357,7 +356,7 @@ protected RMApp testCreateAppSubmittedNoRecovery(
   RMApp application = testCreateAppNewSaving(submissionContext);
     // NEW_SAVING => SUBMITTED event RMAppEventType.APP_SAVED
     RMAppEvent event =
-        new RMAppNewSavedEvent(application.getApplicationId(), null);
+        new RMAppEvent(application.getApplicationId(), RMAppEventType.APP_NEW_SAVED);
     application.handle(event);
     assertStartTimeSet(application);
     assertAppState(RMAppState.SUBMITTED, application);
@@ -422,7 +421,7 @@ protected RMApp testCreateAppFinishing(
     RMApp application = testCreateAppFinalSaving(submissionContext);
     // FINAL_SAVING => FINISHING event RMAppEventType.APP_UPDATED
     RMAppEvent appUpdated =
-        new RMAppUpdateSavedEvent(application.getApplicationId(), null);
+        new RMAppEvent(application.getApplicationId(), RMAppEventType.APP_UPDATE_SAVED);
     application.handle(appUpdated);
     assertAppState(RMAppState.FINISHING, application);
     assertTimesAtFinish(application);
@@ -763,7 +762,7 @@ public void testAppFinalSavingToFinished() throws IOException {
     application.handle(event);
     assertAppState(RMAppState.FINAL_SAVING, application);
     RMAppEvent appUpdated =
-        new RMAppUpdateSavedEvent(application.getApplicationId(), null);
+        new RMAppEvent(application.getApplicationId(), RMAppEventType.APP_UPDATE_SAVED);
     application.handle(appUpdated);
     assertAppState(RMAppState.FINISHED, application);
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
index 9a2fed8aeb6..efcecd96e37 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java
@@ -81,10 +81,8 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptContainerAllocatedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptContainerFinishedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptLaunchFailedEvent;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptNewSavedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptRegistrationEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptUnregistrationEvent;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptUpdateSavedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.ContainerAllocationExpirer;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerImpl;
@@ -570,15 +568,15 @@ private void scheduleApplicationAttempt() {
     submitApplicationAttempt();
     applicationAttempt.handle(
         new RMAppAttemptEvent(
-            applicationAttempt.getAppAttemptId(), 
+            applicationAttempt.getAppAttemptId(),
             RMAppAttemptEventType.ATTEMPT_ADDED));
     
     if(unmanagedAM){
       assertEquals(RMAppAttemptState.LAUNCHED_UNMANAGED_SAVING, 
           applicationAttempt.getAppAttemptState());
       applicationAttempt.handle(
-          new RMAppAttemptNewSavedEvent(
-              applicationAttempt.getAppAttemptId(), null));
+        new RMAppAttemptEvent(applicationAttempt.getAppAttemptId(),
+            RMAppAttemptEventType.ATTEMPT_NEW_SAVED));
     }
     
     testAppAttemptScheduledState();
@@ -616,8 +614,8 @@ private Container allocateApplicationAttempt() {
     assertEquals(RMAppAttemptState.ALLOCATED_SAVING, 
         applicationAttempt.getAppAttemptState());
     applicationAttempt.handle(
-        new RMAppAttemptNewSavedEvent(
-            applicationAttempt.getAppAttemptId(), null));
+        new RMAppAttemptEvent(applicationAttempt.getAppAttemptId(),
+            RMAppAttemptEventType.ATTEMPT_NEW_SAVED));
     
     testAppAttemptAllocatedState(container);
     
@@ -696,8 +694,8 @@ private void sendAttemptUpdateSavedEvent(RMAppAttempt applicationAttempt) {
     assertEquals(RMAppAttemptState.FINAL_SAVING,
       applicationAttempt.getAppAttemptState());
     applicationAttempt.handle(
-      new RMAppAttemptUpdateSavedEvent(
-          applicationAttempt.getAppAttemptId(), null));
+      new RMAppAttemptEvent(applicationAttempt.getAppAttemptId(), 
+          RMAppAttemptEventType.ATTEMPT_UPDATE_SAVED));
   }
 
   @Test

From 80691b073fe7c104a8684c0a8900a1657bcdc03f Mon Sep 17 00:00:00 2001
From: Haohui Mai <wheat9@apache.org>
Date: Mon, 11 Aug 2014 21:28:33 +0000
Subject: [PATCH 184/354] HDFS-6838. Code cleanup for unnecessary INode
 replacement. Contributed by Jing Zhao.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617361 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../hdfs/server/namenode/FSDirectory.java     | 12 ++--
 .../hdfs/server/namenode/FSNamesystem.java    |  4 +-
 .../hadoop/hdfs/server/namenode/INode.java    | 59 +++++++++----------
 .../hdfs/server/namenode/INodeDirectory.java  |  3 +-
 .../hdfs/server/namenode/INodeFile.java       | 12 ++--
 .../hadoop/hdfs/server/namenode/INodeMap.java |  3 +-
 .../hdfs/server/namenode/INodeReference.java  |  4 +-
 .../hdfs/server/namenode/INodeSymlink.java    |  3 +-
 9 files changed, 46 insertions(+), 57 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 8f70bb1df60..9e5010b2042 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -390,6 +390,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6837. Code cleanup for Balancer and Dispatcher. (szetszwo via
     jing9)
 
+    HDFS-6838. Code cleanup for unnecessary INode replacement.
+    (Jing Zhao via wheat9)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index b0e4f669fb8..77805258a1a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -764,8 +764,6 @@ private static void validateRenameSource(String src, INodesInPath srcIIP)
     checkSnapshot(srcInode, null);
   }
 
-
-
   private class RenameOperation {
     private final INodesInPath srcIIP;
     private final INodesInPath dstIIP;
@@ -798,7 +796,7 @@ private RenameOperation(String src, String dst, INodesInPath srcIIP, INodesInPat
       // snapshot is taken on the dst tree, changes will be recorded in the latest
       // snapshot of the src tree.
       if (isSrcInSnapshot) {
-        srcChild = srcChild.recordModification(srcIIP.getLatestSnapshotId());
+        srcChild.recordModification(srcIIP.getLatestSnapshotId());
       }
 
       // check srcChild for reference
@@ -928,8 +926,7 @@ Block[] unprotectedSetReplication(String src, short replication,
       updateCount(iip, 0, dsDelta, true);
     }
 
-    file = file.setFileReplication(replication, iip.getLatestSnapshotId(),
-        inodeMap);
+    file.setFileReplication(replication, iip.getLatestSnapshotId());
     
     final short newBR = file.getBlockReplication(); 
     // check newBR < oldBR case. 
@@ -1212,8 +1209,7 @@ long unprotectedDelete(INodesInPath iip, BlocksMapUpdateInfo collectedBlocks,
 
     // record modification
     final int latestSnapshot = iip.getLatestSnapshotId();
-    targetNode = targetNode.recordModification(latestSnapshot);
-    iip.setLastINode(targetNode);
+    targetNode.recordModification(latestSnapshot);
 
     // Remove the node from the namespace
     long removed = removeLastINode(iip);
@@ -2122,7 +2118,7 @@ INodeDirectory unprotectedSetQuota(String src, long nsQuota, long dsQuota)
       }
 
       final int latest = iip.getLatestSnapshotId();
-      dirNode = dirNode.recordModification(latest);
+      dirNode.recordModification(latest);
       dirNode.setQuota(nsQuota, dsQuota);
       return dirNode;
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 5d9a3bd050f..b9cda6cefc9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -2516,7 +2516,7 @@ LocatedBlock prepareFileForWrite(String src, INodeFile file,
                                    boolean writeToEditLog,
                                    int latestSnapshot, boolean logRetryCache)
       throws IOException {
-    file = file.recordModification(latestSnapshot);
+    file.recordModification(latestSnapshot);
     final INodeFile cons = file.toUnderConstruction(leaseHolder, clientMachine);
 
     leaseManager.addLease(cons.getFileUnderConstructionFeature()
@@ -4211,7 +4211,7 @@ private void finalizeINodeFileUnderConstruction(String src,
     Preconditions.checkArgument(uc != null);
     leaseManager.removeLease(uc.getClientName(), src);
     
-    pendingFile = pendingFile.recordModification(latestSnapshot);
+    pendingFile.recordModification(latestSnapshot);
 
     // The file is no longer pending.
     // Create permanent INode, update blocks. No need to replace the inode here
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INode.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INode.java
index b1e4982165e..c346be9c681 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INode.java
@@ -97,9 +97,9 @@ public final String getUserName() {
   /** Set user */
   final INode setUser(String user, int latestSnapshotId)
       throws QuotaExceededException {
-    final INode nodeToUpdate = recordModification(latestSnapshotId);
-    nodeToUpdate.setUser(user);
-    return nodeToUpdate;
+    recordModification(latestSnapshotId);
+    setUser(user);
+    return this;
   }
   /**
    * @param snapshotId
@@ -122,9 +122,9 @@ public final String getGroupName() {
   /** Set group */
   final INode setGroup(String group, int latestSnapshotId)
       throws QuotaExceededException {
-    final INode nodeToUpdate = recordModification(latestSnapshotId);
-    nodeToUpdate.setGroup(group);
-    return nodeToUpdate;
+    recordModification(latestSnapshotId);
+    setGroup(group);
+    return this;
   }
 
   /**
@@ -148,9 +148,9 @@ public final FsPermission getFsPermission() {
   /** Set the {@link FsPermission} of this {@link INode} */
   INode setPermission(FsPermission permission, int latestSnapshotId) 
       throws QuotaExceededException {
-    final INode nodeToUpdate = recordModification(latestSnapshotId);
-    nodeToUpdate.setPermission(permission);
-    return nodeToUpdate;
+    recordModification(latestSnapshotId);
+    setPermission(permission);
+    return this;
   }
 
   abstract AclFeature getAclFeature(int snapshotId);
@@ -164,18 +164,18 @@ public final AclFeature getAclFeature() {
 
   final INode addAclFeature(AclFeature aclFeature, int latestSnapshotId)
       throws QuotaExceededException {
-    final INode nodeToUpdate = recordModification(latestSnapshotId);
-    nodeToUpdate.addAclFeature(aclFeature);
-    return nodeToUpdate;
+    recordModification(latestSnapshotId);
+    addAclFeature(aclFeature);
+    return this;
   }
 
   abstract void removeAclFeature();
 
   final INode removeAclFeature(int latestSnapshotId)
       throws QuotaExceededException {
-    final INode nodeToUpdate = recordModification(latestSnapshotId);
-    nodeToUpdate.removeAclFeature();
-    return nodeToUpdate;
+    recordModification(latestSnapshotId);
+    removeAclFeature();
+    return this;
   }
 
   /**
@@ -199,9 +199,9 @@ public final XAttrFeature getXAttrFeature() {
   
   final INode addXAttrFeature(XAttrFeature xAttrFeature, int latestSnapshotId) 
       throws QuotaExceededException {
-    final INode nodeToUpdate = recordModification(latestSnapshotId);
-    nodeToUpdate.addXAttrFeature(xAttrFeature);
-    return nodeToUpdate;
+    recordModification(latestSnapshotId);
+    addXAttrFeature(xAttrFeature);
+    return this;
   }
   
   /**
@@ -211,9 +211,9 @@ final INode addXAttrFeature(XAttrFeature xAttrFeature, int latestSnapshotId)
   
   final INode removeXAttrFeature(int lastestSnapshotId)
       throws QuotaExceededException {
-    final INode nodeToUpdate = recordModification(lastestSnapshotId);
-    nodeToUpdate.removeXAttrFeature();
-    return nodeToUpdate;
+    recordModification(lastestSnapshotId);
+    removeXAttrFeature();
+    return this;
   }
   
   /**
@@ -298,11 +298,8 @@ public final boolean shouldRecordInSrcSnapshot(final int latestInDst) {
    * @param latestSnapshotId The id of the latest snapshot that has been taken.
    *                         Note that it is {@link Snapshot#CURRENT_STATE_ID} 
    *                         if no snapshots have been taken.
-   * @return The current inode, which usually is the same object of this inode.
-   *         However, in some cases, this inode may be replaced with a new inode
-   *         for maintaining snapshots. The current inode is then the new inode.
    */
-  abstract INode recordModification(final int latestSnapshotId)
+  abstract void recordModification(final int latestSnapshotId)
       throws QuotaExceededException;
 
   /** Check whether it's a reference. */
@@ -652,9 +649,9 @@ public abstract INode updateModificationTime(long mtime, int latestSnapshotId)
   /** Set the last modification time of inode. */
   public final INode setModificationTime(long modificationTime,
       int latestSnapshotId) throws QuotaExceededException {
-    final INode nodeToUpdate = recordModification(latestSnapshotId);
-    nodeToUpdate.setModificationTime(modificationTime);
-    return nodeToUpdate;
+    recordModification(latestSnapshotId);
+    setModificationTime(modificationTime);
+    return this;
   }
 
   /**
@@ -682,9 +679,9 @@ public final long getAccessTime() {
    */
   public final INode setAccessTime(long accessTime, int latestSnapshotId)
       throws QuotaExceededException {
-    final INode nodeToUpdate = recordModification(latestSnapshotId);
-    nodeToUpdate.setAccessTime(accessTime);
-    return nodeToUpdate;
+    recordModification(latestSnapshotId);
+    setAccessTime(accessTime);
+    return this;
   }
 
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeDirectory.java
index 1d773470518..5e6a4b4f78f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeDirectory.java
@@ -318,7 +318,7 @@ INodeReference.WithName replaceChild4ReferenceWithName(INode oldChild,
   }
 
   @Override
-  public INodeDirectory recordModification(int latestSnapshotId) 
+  public void recordModification(int latestSnapshotId)
       throws QuotaExceededException {
     if (isInLatestSnapshot(latestSnapshotId)
         && !shouldRecordInSrcSnapshot(latestSnapshotId)) {
@@ -330,7 +330,6 @@ public INodeDirectory recordModification(int latestSnapshotId)
       // record self in the diff list if necessary
       sf.getDiffs().saveSelf2Snapshot(latestSnapshotId, this, null);
     }
-    return this;
   }
 
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeFile.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeFile.java
index 730746013a2..94fa686709e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeFile.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeFile.java
@@ -284,7 +284,7 @@ public INodeFileAttributes getSnapshotINode(final int snapshotId) {
   }
 
   @Override
-  public INodeFile recordModification(final int latestSnapshotId) 
+  public void recordModification(final int latestSnapshotId)
       throws QuotaExceededException {
     if (isInLatestSnapshot(latestSnapshotId)
         && !shouldRecordInSrcSnapshot(latestSnapshotId)) {
@@ -296,7 +296,6 @@ public INodeFile recordModification(final int latestSnapshotId)
       // record self in the diff list if necessary
       sf.getDiffs().saveSelf2Snapshot(latestSnapshotId, this, null);
     }
-    return this;
   }
   
   public FileDiffList getDiffs() {
@@ -344,11 +343,10 @@ public final void setFileReplication(short replication) {
 
   /** Set the replication factor of this file. */
   public final INodeFile setFileReplication(short replication,
-      int latestSnapshotId, final INodeMap inodeMap)
-      throws QuotaExceededException {
-    final INodeFile nodeToUpdate = recordModification(latestSnapshotId);
-    nodeToUpdate.setFileReplication(replication);
-    return nodeToUpdate;
+      int latestSnapshotId) throws QuotaExceededException {
+    recordModification(latestSnapshotId);
+    setFileReplication(replication);
+    return this;
   }
 
   /** @return preferred block size (in bytes) of the file. */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeMap.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeMap.java
index bd0355b6618..02c0815c55e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeMap.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeMap.java
@@ -93,9 +93,8 @@ public INode get(long id) {
         "", "", new FsPermission((short) 0)), 0, 0) {
       
       @Override
-      INode recordModification(int latestSnapshotId)
+      void recordModification(int latestSnapshotId)
           throws QuotaExceededException {
-        return null;
       }
       
       @Override
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeReference.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeReference.java
index ac0f19d0321..05e144d21ba 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeReference.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeReference.java
@@ -287,11 +287,9 @@ public final void setAccessTime(long accessTime) {
   }
 
   @Override
-  final INode recordModification(int latestSnapshotId)
+  final void recordModification(int latestSnapshotId)
       throws QuotaExceededException {
     referred.recordModification(latestSnapshotId);
-    // reference is never replaced 
-    return this;
   }
 
   @Override // used by WithCount
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeSymlink.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeSymlink.java
index deb3ada16e7..6729cd256ce 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeSymlink.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeSymlink.java
@@ -47,12 +47,11 @@ public class INodeSymlink extends INodeWithAdditionalFields {
   }
 
   @Override
-  INode recordModification(int latestSnapshotId) throws QuotaExceededException {
+  void recordModification(int latestSnapshotId) throws QuotaExceededException {
     if (isInLatestSnapshot(latestSnapshotId)) {
       INodeDirectory parent = getParent();
       parent.saveChild2Snapshot(this, latestSnapshotId, new INodeSymlink(this));
     }
-    return this;
   }
 
   /** @return true unconditionally. */

From b760f20af122b3e403bf3f5c7fd6320d1e82242f Mon Sep 17 00:00:00 2001
From: Brandon Li <brandonli@apache.org>
Date: Mon, 11 Aug 2014 21:34:02 +0000
Subject: [PATCH 185/354] HDFS-6582. Missing null check in
 RpcProgramNfs3#read(XDR, SecurityHandler). Contributed by Abhiraj Butala

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617366 13f79535-47bb-0310-9956-ffa450edef68
---
 .../java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java  | 4 ++++
 .../org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java   | 2 --
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                   | 3 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
index cccc464e550..3ef9240263f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
@@ -724,6 +724,10 @@ READ3Response read(XDR xdr, SecurityHandler securityHandler,
         FSDataInputStream fis = clientCache.getDfsInputStream(userName,
             Nfs3Utils.getFileIdPath(handle));
 
+        if (fis == null) {
+            return new READ3Response(Nfs3Status.NFS3ERR_ACCES);
+        }
+
         try {
           readCount = fis.read(offset, readbuffer, 0, count);
         } catch (IOException e) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java
index e89929b889f..3fc0d991883 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java
@@ -278,13 +278,11 @@ public void testRead() throws Exception {
     readReq.serialize(xdr_req);
 
     // Attempt by an unpriviledged user should fail.
-    /* Hits HDFS-6582. It needs to be fixed first.
     READ3Response response1 = nfsd.read(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
         new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
         response1.getStatus());
-    */
 
     // Attempt by a priviledged user should pass.
     READ3Response response2 = nfsd.read(xdr_req.asReadOnlyWrap(),
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 9e5010b2042..65253c299f7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -488,6 +488,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6791. A block could remain under replicated if all of its replicas are on
     decommissioned nodes. (Ming Ma via jing9)
 
+    HDFS-6582. Missing null check in RpcProgramNfs3#read(XDR, SecurityHandler)
+    (Abhiraj Butala via brandonli)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES

From 6d7a6766bd55b355e44dbdcc4dfa22b050b1a509 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Tue, 12 Aug 2014 00:10:15 +0000
Subject: [PATCH 186/354] HADOOP-10835. Implement HTTP proxyuser support in
 HTTP authentication client/server libraries. (tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617384 13f79535-47bb-0310-9956-ffa450edef68
---
 .../server/AuthenticationFilter.java          |  25 ++-
 .../hadoop-common/CHANGES.txt                 |   6 +-
 .../web/DelegationTokenAuthenticatedURL.java  |  13 ++
 .../DelegationTokenAuthenticationFilter.java  | 178 +++++++++++++++++-
 .../DelegationTokenAuthenticationHandler.java |   4 +
 .../web/HttpUserGroupInformation.java         |  43 +++++
 .../web/TestWebDelegationToken.java           | 174 +++++++++++++++--
 7 files changed, 421 insertions(+), 22 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/HttpUserGroupInformation.java

diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
index 2a5d4aef85c..316cd60a256 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
@@ -127,6 +127,7 @@ public class AuthenticationFilter implements Filter {
   public static final String SIGNATURE_PROVIDER_ATTRIBUTE =
       "org.apache.hadoop.security.authentication.util.SignerSecretProvider";
 
+  private Properties config;
   private Signer signer;
   private SignerSecretProvider secretProvider;
   private AuthenticationHandler authHandler;
@@ -150,7 +151,7 @@ public class AuthenticationFilter implements Filter {
   public void init(FilterConfig filterConfig) throws ServletException {
     String configPrefix = filterConfig.getInitParameter(CONFIG_PREFIX);
     configPrefix = (configPrefix != null) ? configPrefix + "." : "";
-    Properties config = getConfiguration(configPrefix, filterConfig);
+    config = getConfiguration(configPrefix, filterConfig);
     String authHandlerName = config.getProperty(AUTH_TYPE, null);
     String authHandlerClassName;
     if (authHandlerName == null) {
@@ -224,6 +225,17 @@ public void init(FilterConfig filterConfig) throws ServletException {
     cookiePath = config.getProperty(COOKIE_PATH, null);
   }
 
+  /**
+   * Returns the configuration properties of the {@link AuthenticationFilter}
+   * without the prefix. The returned properties are the same that the
+   * {@link #getConfiguration(String, FilterConfig)} method returned.
+   *
+   * @return the configuration properties.
+   */
+  protected Properties getConfiguration() {
+    return config;
+  }
+
   /**
    * Returns the authentication handler being used.
    *
@@ -457,7 +469,7 @@ public Principal getUserPrincipal() {
             createAuthCookie(httpResponse, signedToken, getCookieDomain(),
                     getCookiePath(), token.getExpires(), isHttps);
           }
-          filterChain.doFilter(httpRequest, httpResponse);
+          doFilter(filterChain, httpRequest, httpResponse);
         }
       } else {
         unauthorizedResponse = false;
@@ -481,6 +493,15 @@ public Principal getUserPrincipal() {
     }
   }
 
+  /**
+   * Delegates call to the servlet filter chain. Sub-classes my override this
+   * method to perform pre and post tasks.
+   */
+  protected void doFilter(FilterChain filterChain, HttpServletRequest request,
+      HttpServletResponse response) throws IOException, ServletException {
+    filterChain.doFilter(request, response);
+  }
+
   /**
    * Creates the Hadoop authentication HTTP cookie.
    *
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index e648aae207b..c29934be445 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -496,7 +496,11 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10791. AuthenticationFilter should support externalizing the 
     secret for signing and provide rotation support. (rkanter via tucu)
 
-    HADOOP-10771. Refactor HTTP delegation support out of httpfs to common, PART 1. (tucu)
+    HADOOP-10771. Refactor HTTP delegation support out of httpfs to common. 
+    (tucu)
+
+    HADOOP-10835. Implement HTTP proxyuser support in HTTP authentication 
+    client/server libraries. (tucu)
 
   OPTIMIZATIONS
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java
index ca2476f33ac..d955ada8571 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java
@@ -34,6 +34,7 @@
 import java.net.HttpURLConnection;
 import java.net.InetSocketAddress;
 import java.net.URL;
+import java.net.URLEncoder;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -60,6 +61,13 @@
 @InterfaceStability.Unstable
 public class DelegationTokenAuthenticatedURL extends AuthenticatedURL {
 
+  /**
+   * Constant used in URL's query string to perform a proxy user request, the
+   * value of the <code>DO_AS</code> parameter is the user the request will be
+   * done on behalf of.
+   */
+  static final String DO_AS = "doAs";
+
   /**
    * Client side authentication token that handles Delegation Tokens.
    */
@@ -247,6 +255,11 @@ public HttpURLConnection openConnection(URL url, Token token, String doAs)
       }
     }
 
+    // proxyuser
+    if (doAs != null) {
+      extraParams.put(DO_AS, URLEncoder.encode(doAs, "UTF-8"));
+    }
+
     url = augmentURL(url, extraParams);
     return super.openConnection(url, token);
   }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
index 5e85adef85f..2411d3fbf4e 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
@@ -17,17 +17,39 @@
  */
 package org.apache.hadoop.security.token.delegation.web;
 
+import com.google.common.annotations.VisibleForTesting;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.SaslRpcServer;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.AuthenticationToken;
 import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
 import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
+import org.apache.http.NameValuePair;
+import org.apache.http.client.utils.URLEncodedUtils;
+import org.codehaus.jackson.map.ObjectMapper;
 
+import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.Writer;
+import java.nio.charset.Charset;
+import java.security.Principal;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 import java.util.Properties;
 
 /**
@@ -49,6 +71,10 @@
 public class DelegationTokenAuthenticationFilter
     extends AuthenticationFilter {
 
+  private static final String APPLICATION_JSON_MIME = "application/json";
+  private static final String ERROR_EXCEPTION_JSON = "exception";
+  private static final String ERROR_MESSAGE_JSON = "message";
+
   /**
    * Sets an external <code>DelegationTokenSecretManager</code> instance to
    * manage creation and verification of Delegation Tokens.
@@ -60,6 +86,14 @@ public class DelegationTokenAuthenticationFilter
   public static final String DELEGATION_TOKEN_SECRET_MANAGER_ATTR =
       "hadoop.http.delegation-token-secret-manager";
 
+  private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
+
+  private static final ThreadLocal<UserGroupInformation> UGI_TL =
+      new ThreadLocal<UserGroupInformation>();
+  public static final String PROXYUSER_PREFIX = "proxyuser";
+
+  private SaslRpcServer.AuthMethod handlerAuthMethod;
+
   /**
    * It delegates to
    * {@link AuthenticationFilter#getConfiguration(String, FilterConfig)} and
@@ -86,17 +120,155 @@ protected Properties getConfiguration(String configPrefix,
     return props;
   }
 
+  /**
+   * Returns the proxyuser configuration. All returned properties must start
+   * with <code>proxyuser.</code>'
+   * <p/>
+   * Subclasses may override this method if the proxyuser configuration is 
+   * read from other place than the filter init parameters.
+   *
+   * @param filterConfig filter configuration object
+   * @return the proxyuser configuration properties.
+   * @throws ServletException thrown if the configuration could not be created.
+   */
+  protected Configuration getProxyuserConfiguration(FilterConfig filterConfig)
+      throws ServletException {
+    // this filter class gets the configuration from the filter configs, we are
+    // creating an empty configuration and injecting the proxyuser settings in
+    // it. In the initialization of the filter, the returned configuration is
+    // passed to the ProxyUsers which only looks for 'proxyusers.' properties.
+    Configuration conf = new Configuration(false);
+    Enumeration<?> names = filterConfig.getInitParameterNames();
+    while (names.hasMoreElements()) {
+      String name = (String) names.nextElement();
+      if (name.startsWith(PROXYUSER_PREFIX + ".")) {
+        String value = filterConfig.getInitParameter(name);
+        conf.set(name, value);
+      }
+    }
+    return conf;
+  }
+
+
   @Override
   public void init(FilterConfig filterConfig) throws ServletException {
     super.init(filterConfig);
+    AuthenticationHandler handler = getAuthenticationHandler();
     AbstractDelegationTokenSecretManager dtSecretManager =
         (AbstractDelegationTokenSecretManager) filterConfig.getServletContext().
             getAttribute(DELEGATION_TOKEN_SECRET_MANAGER_ATTR);
-    if (dtSecretManager != null && getAuthenticationHandler()
+    if (dtSecretManager != null && handler
         instanceof DelegationTokenAuthenticationHandler) {
-      DelegationTokenAuthenticationHandler handler =
+      DelegationTokenAuthenticationHandler dtHandler =
           (DelegationTokenAuthenticationHandler) getAuthenticationHandler();
-      handler.setExternalDelegationTokenSecretManager(dtSecretManager);
+      dtHandler.setExternalDelegationTokenSecretManager(dtSecretManager);
+    }
+    if (handler instanceof PseudoAuthenticationHandler ||
+        handler instanceof PseudoDelegationTokenAuthenticationHandler) {
+      setHandlerAuthMethod(SaslRpcServer.AuthMethod.SIMPLE);
+    }
+    if (handler instanceof KerberosAuthenticationHandler ||
+        handler instanceof KerberosDelegationTokenAuthenticationHandler) {
+      setHandlerAuthMethod(SaslRpcServer.AuthMethod.KERBEROS);
+    }
+
+    // proxyuser configuration
+    Configuration conf = getProxyuserConfiguration(filterConfig);
+    ProxyUsers.refreshSuperUserGroupsConfiguration(conf, PROXYUSER_PREFIX);
+  }
+
+  protected void setHandlerAuthMethod(SaslRpcServer.AuthMethod authMethod) {
+    this.handlerAuthMethod = authMethod;
+  }
+
+  @VisibleForTesting
+  static String getDoAs(HttpServletRequest request) {
+    List<NameValuePair> list = URLEncodedUtils.parse(request.getQueryString(),
+        UTF8_CHARSET);
+    if (list != null) {
+      for (NameValuePair nv : list) {
+        if (DelegationTokenAuthenticatedURL.DO_AS.equals(nv.getName())) {
+          return nv.getValue();
+        }
+      }
+    }
+    return null;
+  }
+
+  static UserGroupInformation getHttpUserGroupInformationInContext() {
+    return UGI_TL.get();
+  }
+
+  @Override
+  protected void doFilter(FilterChain filterChain, HttpServletRequest request,
+      HttpServletResponse response) throws IOException, ServletException {
+    boolean requestCompleted = false;
+    UserGroupInformation ugi = null;
+    AuthenticationToken authToken = (AuthenticationToken)
+        request.getUserPrincipal();
+    if (authToken != null && authToken != AuthenticationToken.ANONYMOUS) {
+      // if the request was authenticated because of a delegation token,
+      // then we ignore proxyuser (this is the same as the RPC behavior).
+      ugi = (UserGroupInformation) request.getAttribute(
+          DelegationTokenAuthenticationHandler.DELEGATION_TOKEN_UGI_ATTRIBUTE);
+      if (ugi == null) {
+        String realUser = request.getUserPrincipal().getName();
+        ugi = UserGroupInformation.createRemoteUser(realUser,
+            handlerAuthMethod);
+        String doAsUser = getDoAs(request);
+        if (doAsUser != null) {
+          ugi = UserGroupInformation.createProxyUser(doAsUser, ugi);
+          try {
+            ProxyUsers.authorize(ugi, request.getRemoteHost());
+          } catch (AuthorizationException ex) {
+            String msg = String.format(
+                "User '%s' from host '%s' not allowed to impersonate user '%s'",
+                realUser, request.getRemoteHost(), doAsUser);
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            response.setContentType(APPLICATION_JSON_MIME);
+            Map<String, String> json = new HashMap<String, String>();
+            json.put(ERROR_EXCEPTION_JSON,
+                AuthorizationException.class.getName());
+            json.put(ERROR_MESSAGE_JSON, msg);
+            Writer writer = response.getWriter();
+            ObjectMapper jsonMapper = new ObjectMapper();
+            jsonMapper.writeValue(writer, json);
+            requestCompleted = true;
+          }
+        }
+      }
+      UGI_TL.set(ugi);
+    }
+    if (!requestCompleted) {
+      final UserGroupInformation ugiF = ugi;
+      try {
+        request = new HttpServletRequestWrapper(request) {
+
+          @Override
+          public String getAuthType() {
+            return (ugiF != null) ? handlerAuthMethod.toString() : null;
+          }
+
+          @Override
+          public String getRemoteUser() {
+            return (ugiF != null) ? ugiF.getShortUserName() : null;
+          }
+
+          @Override
+          public Principal getUserPrincipal() {
+            return (ugiF != null) ? new Principal() {
+              @Override
+              public String getName() {
+                return ugiF.getUserName();
+              }
+            } : null;
+          }
+        };
+        super.doFilter(filterChain, request, response);
+      } finally {
+        UGI_TL.remove();
+      }
     }
   }
+
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
index 5f3b1a49091..3b6c289df5f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
@@ -92,6 +92,9 @@ public abstract class DelegationTokenAuthenticationHandler
 
   private static final Set<String> DELEGATION_TOKEN_OPS = new HashSet<String>();
 
+  static final String DELEGATION_TOKEN_UGI_ATTRIBUTE =
+      "hadoop.security.delegation-token.ugi";
+
   static {
     DELEGATION_TOKEN_OPS.add(KerberosDelegationTokenAuthenticator.
         DelegationTokenOperation.GETDELEGATIONTOKEN.toString());
@@ -342,6 +345,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
         token = new AuthenticationToken(shortName, ugi.getUserName(),
             getType());
         token.setExpires(0);
+        request.setAttribute(DELEGATION_TOKEN_UGI_ATTRIBUTE, ugi);
       } catch (Throwable ex) {
         throw new AuthenticationException("Could not verify DelegationToken, " +
             ex.toString(), ex);
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/HttpUserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/HttpUserGroupInformation.java
new file mode 100644
index 00000000000..614c0d3b36b
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/HttpUserGroupInformation.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.token.delegation.web;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Util class that returns the remote {@link UserGroupInformation} in scope
+ * for the HTTP request.
+ */
+@InterfaceAudience.Private
+public class HttpUserGroupInformation {
+
+  /**
+   * Returns the remote {@link UserGroupInformation} in context for the current
+   * HTTP request, taking into account proxy user requests.
+   *
+   * @return the remote {@link UserGroupInformation}, <code>NULL</code> if none.
+   */
+  public static UserGroupInformation get() {
+    return DelegationTokenAuthenticationFilter.
+        getHttpUserGroupInformationInContext();
+  }
+
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
index 58b8df751dc..1b452f18241 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
@@ -72,6 +72,10 @@
 import java.util.concurrent.Callable;
 
 public class TestWebDelegationToken {
+  private static final String OK_USER = "ok-user";
+  private static final String FAIL_USER = "fail-user";
+  private static final String FOO_USER = "foo";
+  
   private Server jetty;
 
   public static class DummyAuthenticationHandler
@@ -330,13 +334,13 @@ public void testDelegationTokenAuthenticatorCalls() throws Exception {
           new DelegationTokenAuthenticatedURL();
 
       try {
-        aUrl.getDelegationToken(nonAuthURL, token, "foo");
+        aUrl.getDelegationToken(nonAuthURL, token, FOO_USER);
         Assert.fail();
       } catch (Exception ex) {
         Assert.assertTrue(ex.getMessage().contains("401"));
       }
 
-      aUrl.getDelegationToken(authURL, token, "foo");
+      aUrl.getDelegationToken(authURL, token, FOO_USER);
       Assert.assertNotNull(token.getDelegationToken());
       Assert.assertEquals(new Text("token-kind"),
           token.getDelegationToken().getKind());
@@ -350,7 +354,7 @@ public void testDelegationTokenAuthenticatorCalls() throws Exception {
         Assert.assertTrue(ex.getMessage().contains("401"));
       }
 
-      aUrl.getDelegationToken(authURL, token, "foo");
+      aUrl.getDelegationToken(authURL, token, FOO_USER);
 
       try {
         aUrl.renewDelegationToken(authURL2, token);
@@ -359,15 +363,15 @@ public void testDelegationTokenAuthenticatorCalls() throws Exception {
         Assert.assertTrue(ex.getMessage().contains("403"));
       }
 
-      aUrl.getDelegationToken(authURL, token, "foo");
+      aUrl.getDelegationToken(authURL, token, FOO_USER);
 
       aUrl.cancelDelegationToken(authURL, token);
 
-      aUrl.getDelegationToken(authURL, token, "foo");
+      aUrl.getDelegationToken(authURL, token, FOO_USER);
 
       aUrl.cancelDelegationToken(nonAuthURL, token);
 
-      aUrl.getDelegationToken(authURL, token, "foo");
+      aUrl.getDelegationToken(authURL, token, FOO_USER);
 
       try {
         aUrl.renewDelegationToken(nonAuthURL, token);
@@ -416,7 +420,7 @@ public void testExternalDelegationTokenSecretManager() throws Exception {
       DelegationTokenAuthenticatedURL aUrl =
           new DelegationTokenAuthenticatedURL();
 
-      aUrl.getDelegationToken(authURL, token, "foo");
+      aUrl.getDelegationToken(authURL, token, FOO_USER);
       Assert.assertNotNull(token.getDelegationToken());
       Assert.assertEquals(new Text("fooKind"),
           token.getDelegationToken().getKind());
@@ -488,7 +492,7 @@ private void testDelegationTokenAuthenticatedURLWithNoDT(
       jetty.start();
       final URL url = new URL(getJettyURL() + "/foo/bar");
 
-      UserGroupInformation ugi = UserGroupInformation.createRemoteUser("foo");
+      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER);
       ugi.doAs(new PrivilegedExceptionAction<Void>() {
         @Override
         public Void run() throws Exception {
@@ -501,10 +505,10 @@ public Void run() throws Exception {
               conn.getResponseCode());
           List<String> ret = IOUtils.readLines(conn.getInputStream());
           Assert.assertEquals(1, ret.size());
-          Assert.assertEquals("foo", ret.get(0));
+          Assert.assertEquals(FOO_USER, ret.get(0));
 
           try {
-            aUrl.getDelegationToken(url, token, "foo");
+            aUrl.getDelegationToken(url, token, FOO_USER);
             Assert.fail();
           } catch (AuthenticationException ex) {
             Assert.assertTrue(ex.getMessage().contains(
@@ -531,6 +535,16 @@ protected Properties getConfiguration(String configPrefix,
           "token-kind");
       return conf;
     }
+
+    @Override
+    protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration(
+        FilterConfig filterConfig) throws ServletException {
+      org.apache.hadoop.conf.Configuration conf =
+          new org.apache.hadoop.conf.Configuration(false);
+      conf.set("proxyuser.foo.users", OK_USER);
+      conf.set("proxyuser.foo.hosts", "localhost");
+      return conf;
+    }
   }
 
   @Test
@@ -547,7 +561,7 @@ public void testFallbackToPseudoDelegationTokenAuthenticator()
       jetty.start();
       final URL url = new URL(getJettyURL() + "/foo/bar");
 
-      UserGroupInformation ugi = UserGroupInformation.createRemoteUser("foo");
+      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER);
       ugi.doAs(new PrivilegedExceptionAction<Void>() {
         @Override
         public Void run() throws Exception {
@@ -560,9 +574,9 @@ public Void run() throws Exception {
               conn.getResponseCode());
           List<String> ret = IOUtils.readLines(conn.getInputStream());
           Assert.assertEquals(1, ret.size());
-          Assert.assertEquals("foo", ret.get(0));
+          Assert.assertEquals(FOO_USER, ret.get(0));
 
-          aUrl.getDelegationToken(url, token, "foo");
+          aUrl.getDelegationToken(url, token, FOO_USER);
           Assert.assertNotNull(token.getDelegationToken());
           Assert.assertEquals(new Text("token-kind"),
               token.getDelegationToken().getKind());
@@ -684,7 +698,7 @@ public void testKerberosDelegationTokenAuthenticator() throws Exception {
       final URL url = new URL(getJettyURL() + "/foo/bar");
 
       try {
-        aUrl.getDelegationToken(url, token, "foo");
+        aUrl.getDelegationToken(url, token, FOO_USER);
         Assert.fail();
       } catch (AuthenticationException ex) {
         Assert.assertTrue(ex.getMessage().contains("GSSException"));
@@ -700,7 +714,7 @@ public Void call() throws Exception {
               aUrl.renewDelegationToken(url, token);
               Assert.assertNotNull(token.getDelegationToken());
 
-              aUrl.getDelegationToken(url, token, "foo");
+              aUrl.getDelegationToken(url, token, FOO_USER);
               Assert.assertNotNull(token.getDelegationToken());
 
               try {
@@ -710,7 +724,7 @@ public Void call() throws Exception {
                 Assert.assertTrue(ex.getMessage().contains("403"));
               }
 
-              aUrl.getDelegationToken(url, token, "foo");
+              aUrl.getDelegationToken(url, token, FOO_USER);
 
               aUrl.cancelDelegationToken(url, token);
               Assert.assertNull(token.getDelegationToken());
@@ -724,4 +738,132 @@ public Void call() throws Exception {
     }
   }
 
+  @Test
+  public void testProxyUser() throws Exception {
+    final Server jetty = createJettyServer();
+    Context context = new Context();
+    context.setContextPath("/foo");
+    jetty.setHandler(context);
+    context.addFilter(new FilterHolder(PseudoDTAFilter.class), "/*", 0);
+    context.addServlet(new ServletHolder(UserServlet.class), "/bar");
+
+    try {
+      jetty.start();
+      final URL url = new URL(getJettyURL() + "/foo/bar");
+
+      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER);
+      ugi.doAs(new PrivilegedExceptionAction<Void>() {
+        @Override
+        public Void run() throws Exception {
+          DelegationTokenAuthenticatedURL.Token token =
+              new DelegationTokenAuthenticatedURL.Token();
+          DelegationTokenAuthenticatedURL aUrl =
+              new DelegationTokenAuthenticatedURL();
+
+          // proxyuser using authentication handler authentication
+          HttpURLConnection conn = aUrl.openConnection(url, token, OK_USER);
+          Assert.assertEquals(HttpURLConnection.HTTP_OK,
+              conn.getResponseCode());
+          List<String> ret = IOUtils.readLines(conn.getInputStream());
+          Assert.assertEquals(1, ret.size());
+          Assert.assertEquals(OK_USER, ret.get(0));
+
+          // unauthorized proxy user using authentication handler authentication
+          conn = aUrl.openConnection(url, token, FAIL_USER);
+          Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
+              conn.getResponseCode());
+
+          // proxy using delegation token authentication
+          aUrl.getDelegationToken(url, token, FOO_USER);
+
+          UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+          ugi.addToken(token.getDelegationToken());
+          token = new DelegationTokenAuthenticatedURL.Token();
+
+          // requests using delegation token as auth do not honor doAs
+          conn = aUrl.openConnection(url, token, OK_USER);
+          Assert.assertEquals(HttpURLConnection.HTTP_OK,
+              conn.getResponseCode());
+          ret = IOUtils.readLines(conn.getInputStream());
+          Assert.assertEquals(1, ret.size());
+          Assert.assertEquals(FOO_USER, ret.get(0));
+
+          return null;
+        }
+      });
+    } finally {
+      jetty.stop();
+    }
+  }
+
+
+  public static class UGIServlet extends HttpServlet {
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
+        throws ServletException, IOException {
+      UserGroupInformation ugi = HttpUserGroupInformation.get();
+      if (ugi != null) {
+        String ret = "remoteuser=" + req.getRemoteUser() + ":ugi=" +
+            ugi.getShortUserName();
+        if (ugi.getAuthenticationMethod() ==
+            UserGroupInformation.AuthenticationMethod.PROXY) {
+          ret = "realugi=" + ugi.getRealUser().getShortUserName() + ":" + ret;
+        }
+        resp.setStatus(HttpServletResponse.SC_OK);
+        resp.getWriter().write(ret);
+      } else {
+        resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+      }
+    }
+  }
+
+  @Test
+  public void testHttpUGI() throws Exception {
+    final Server jetty = createJettyServer();
+    Context context = new Context();
+    context.setContextPath("/foo");
+    jetty.setHandler(context);
+    context.addFilter(new FilterHolder(PseudoDTAFilter.class), "/*", 0);
+    context.addServlet(new ServletHolder(UGIServlet.class), "/bar");
+
+    try {
+      jetty.start();
+      final URL url = new URL(getJettyURL() + "/foo/bar");
+
+      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER);
+      ugi.doAs(new PrivilegedExceptionAction<Void>() {
+        @Override
+        public Void run() throws Exception {
+          DelegationTokenAuthenticatedURL.Token token =
+              new DelegationTokenAuthenticatedURL.Token();
+          DelegationTokenAuthenticatedURL aUrl =
+              new DelegationTokenAuthenticatedURL();
+
+          // user foo
+          HttpURLConnection conn = aUrl.openConnection(url, token);
+          Assert.assertEquals(HttpURLConnection.HTTP_OK,
+              conn.getResponseCode());
+          List<String> ret = IOUtils.readLines(conn.getInputStream());
+          Assert.assertEquals(1, ret.size());
+          Assert.assertEquals("remoteuser=" + FOO_USER+ ":ugi=" + FOO_USER, 
+              ret.get(0));
+
+          // user ok-user via proxyuser foo
+          conn = aUrl.openConnection(url, token, OK_USER);
+          Assert.assertEquals(HttpURLConnection.HTTP_OK,
+              conn.getResponseCode());
+          ret = IOUtils.readLines(conn.getInputStream());
+          Assert.assertEquals(1, ret.size());
+          Assert.assertEquals("realugi=" + FOO_USER +":remoteuser=" + OK_USER + 
+                  ":ugi=" + OK_USER, ret.get(0));
+
+          return null;
+        }
+      });
+    } finally {
+      jetty.stop();
+    }
+  }
+
 }

From c2febdcbaa12078db42403fe8fd74180fb58a84b Mon Sep 17 00:00:00 2001
From: Junping Du <junping_du@apache.org>
Date: Tue, 12 Aug 2014 10:56:13 +0000
Subject: [PATCH 187/354] YARN-1337. Recover containers upon nodemanager
 restart. (Contributed by Jason Lowe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617448 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../server/nodemanager/ContainerExecutor.java |  73 ++++++-
 .../nodemanager/DefaultContainerExecutor.java |  59 +++++-
 .../nodemanager/LinuxContainerExecutor.java   |   7 +
 .../server/nodemanager/NodeStatusUpdater.java |  23 +++
 .../nodemanager/NodeStatusUpdaterImpl.java    |  34 ++--
 .../ContainerManagerImpl.java                 | 167 ++++++++++++----
 .../container/ContainerImpl.java              | 165 ++++++++++++----
 .../launcher/ContainerLaunch.java             |  46 +++--
 .../launcher/ContainersLauncher.java          |  15 +-
 .../launcher/ContainersLauncherEventType.java |   1 +
 .../launcher/RecoveredContainerLaunch.java    | 126 ++++++++++++
 .../logaggregation/AppLogAggregator.java      |   2 +
 .../logaggregation/AppLogAggregatorImpl.java  |  14 +-
 .../logaggregation/LogAggregationService.java |  10 +-
 .../recovery/NMLeveldbStateStoreService.java  | 167 ++++++++++++++++
 .../recovery/NMNullStateStoreService.java     |  38 ++++
 .../recovery/NMStateStoreService.java         | 185 ++++++++++++++++++
 .../impl/container-executor.c                 |  99 ++++++++++
 .../nodemanager/TestNodeStatusUpdater.java    |  13 +-
 .../BaseContainerManagerTest.java             |   2 +-
 .../containermanager/TestAuxServices.java     |   3 +-
 .../TestContainerManagerRecovery.java         |   1 +
 .../container/TestContainer.java              |   3 +-
 .../recovery/NMMemoryStateStoreService.java   |  76 +++++++
 .../TestNMLeveldbStateStoreService.java       | 124 ++++++++++++
 .../nodemanager/webapp/TestNMWebServer.java   |   2 +-
 .../resourcemanager/rmnode/RMNodeImpl.java    |  38 +---
 .../scheduler/SchedulerUtils.java             |   7 +-
 .../scheduler/capacity/CapacityScheduler.java |   5 +-
 .../TestResourceTrackerService.java           |   2 +-
 31 files changed, 1341 insertions(+), 169 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/RecoveredContainerLaunch.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index daa5197f893..f583143f060 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -38,6 +38,9 @@ Release 2.6.0 - UNRELEASED
     YARN-1354. Recover applications upon nodemanager restart. (Jason Lowe via 
     junping_du)
 
+    YARN-1337. Recover containers upon nodemanager restart. (Jason Lowe via 
+    junping_du)
+
   IMPROVEMENTS
 
     YARN-2242. Improve exception information on AM launch crashes. (Li Lu 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java
index ee72fbc6647..7391872f680 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java
@@ -18,6 +18,7 @@
 
 package org.apache.hadoop.yarn.server.nodemanager;
 
+import java.io.File;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.util.ArrayList;
@@ -29,17 +30,18 @@
 import java.util.concurrent.locks.ReentrantReadWriteLock.ReadLock;
 import java.util.concurrent.locks.ReentrantReadWriteLock.WriteLock;
 
+import org.apache.commons.io.FileUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configurable;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsPermission;
-import org.apache.hadoop.util.Shell.ShellCommandExecutor;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerDiagnosticsUpdateEvent;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch;
 import org.apache.hadoop.yarn.server.nodemanager.util.ProcessIdFileReader;
 import org.apache.hadoop.util.Shell;
 import org.apache.hadoop.util.StringUtils;
@@ -126,9 +128,76 @@ public abstract boolean signalContainer(String user, String pid,
   public abstract void deleteAsUser(String user, Path subDir, Path... basedirs)
       throws IOException, InterruptedException;
 
+  public abstract boolean isContainerProcessAlive(String user, String pid)
+      throws IOException;
+
+  /**
+   * Recover an already existing container. This is a blocking call and returns
+   * only when the container exits.  Note that the container must have been
+   * activated prior to this call.
+   * @param user the user of the container
+   * @param containerId The ID of the container to reacquire
+   * @return The exit code of the pre-existing container
+   * @throws IOException
+   */
+  public int reacquireContainer(String user, ContainerId containerId)
+      throws IOException {
+    Path pidPath = getPidFilePath(containerId);
+    if (pidPath == null) {
+      LOG.warn(containerId + " is not active, returning terminated error");
+      return ExitCode.TERMINATED.getExitCode();
+    }
+
+    String pid = null;
+    pid = ProcessIdFileReader.getProcessId(pidPath);
+    if (pid == null) {
+      throw new IOException("Unable to determine pid for " + containerId);
+    }
+
+    LOG.info("Reacquiring " + containerId + " with pid " + pid);
+    try {
+      while(isContainerProcessAlive(user, pid)) {
+        Thread.sleep(1000);
+      }
+    } catch (InterruptedException e) {
+      throw new IOException("Interrupted while waiting for process " + pid
+          + " to exit", e);
+    }
+
+    // wait for exit code file to appear
+    String exitCodeFile = ContainerLaunch.getExitCodeFile(pidPath.toString());
+    File file = new File(exitCodeFile);
+    final int sleepMsec = 100;
+    int msecLeft = 2000;
+    while (!file.exists() && msecLeft >= 0) {
+      if (!isContainerActive(containerId)) {
+        LOG.info(containerId + " was deactivated");
+        return ExitCode.TERMINATED.getExitCode();
+      }
+      try {
+        Thread.sleep(sleepMsec);
+      } catch (InterruptedException e) {
+        throw new IOException(
+            "Interrupted while waiting for exit code from " + containerId, e);
+      }
+      msecLeft -= sleepMsec;
+    }
+    if (msecLeft < 0) {
+      throw new IOException("Timeout while waiting for exit code from "
+          + containerId);
+    }
+
+    try {
+      return Integer.parseInt(FileUtils.readFileToString(file).trim());
+    } catch (NumberFormatException e) {
+      throw new IOException("Error parsing exit code from pid " + pid, e);
+    }
+  }
+
   public enum ExitCode {
     FORCE_KILLED(137),
-    TERMINATED(143);
+    TERMINATED(143),
+    LOST(154);
     private final int code;
 
     private ExitCode(int exitCode) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/DefaultContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/DefaultContainerExecutor.java
index d45371ad0d4..a7af1c59b6e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/DefaultContainerExecutor.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/DefaultContainerExecutor.java
@@ -273,25 +273,57 @@ protected LocalWrapperScriptBuilder(Path containerWorkDir) {
 
   private final class UnixLocalWrapperScriptBuilder
       extends LocalWrapperScriptBuilder {
+    private final Path sessionScriptPath;
 
     public UnixLocalWrapperScriptBuilder(Path containerWorkDir) {
       super(containerWorkDir);
+      this.sessionScriptPath = new Path(containerWorkDir,
+          Shell.appendScriptExtension("default_container_executor_session"));
+    }
+
+    @Override
+    public void writeLocalWrapperScript(Path launchDst, Path pidFile)
+        throws IOException {
+      writeSessionScript(launchDst, pidFile);
+      super.writeLocalWrapperScript(launchDst, pidFile);
     }
 
     @Override
     public void writeLocalWrapperScript(Path launchDst, Path pidFile,
         PrintStream pout) {
-
-      // We need to do a move as writing to a file is not atomic
-      // Process reading a file being written to may get garbled data
-      // hence write pid to tmp file first followed by a mv
+      String exitCodeFile = ContainerLaunch.getExitCodeFile(
+          pidFile.toString());
+      String tmpFile = exitCodeFile + ".tmp";
       pout.println("#!/bin/bash");
-      pout.println();
-      pout.println("echo $$ > " + pidFile.toString() + ".tmp");
-      pout.println("/bin/mv -f " + pidFile.toString() + ".tmp " + pidFile);
-      String exec = Shell.isSetsidAvailable? "exec setsid" : "exec";
-      pout.println(exec + " /bin/bash \"" +
-        launchDst.toUri().getPath().toString() + "\"");
+      pout.println("/bin/bash \"" + sessionScriptPath.toString() + "\"");
+      pout.println("rc=$?");
+      pout.println("echo $rc > \"" + tmpFile + "\"");
+      pout.println("/bin/mv -f \"" + tmpFile + "\" \"" + exitCodeFile + "\"");
+      pout.println("exit $rc");
+    }
+
+    private void writeSessionScript(Path launchDst, Path pidFile)
+        throws IOException {
+      DataOutputStream out = null;
+      PrintStream pout = null;
+      try {
+        out = lfs.create(sessionScriptPath, EnumSet.of(CREATE, OVERWRITE));
+        pout = new PrintStream(out);
+        // We need to do a move as writing to a file is not atomic
+        // Process reading a file being written to may get garbled data
+        // hence write pid to tmp file first followed by a mv
+        pout.println("#!/bin/bash");
+        pout.println();
+        pout.println("echo $$ > " + pidFile.toString() + ".tmp");
+        pout.println("/bin/mv -f " + pidFile.toString() + ".tmp " + pidFile);
+        String exec = Shell.isSetsidAvailable? "exec setsid" : "exec";
+        pout.println(exec + " /bin/bash \"" +
+            launchDst.toUri().getPath().toString() + "\"");
+      } finally {
+        IOUtils.cleanup(LOG, pout, out);
+      }
+      lfs.setPermission(sessionScriptPath,
+          ContainerExecutor.TASK_LAUNCH_SCRIPT_PERMISSION);
     }
   }
 
@@ -310,6 +342,7 @@ public WindowsLocalWrapperScriptBuilder(String containerIdStr,
     @Override
     public void writeLocalWrapperScript(Path launchDst, Path pidFile,
         PrintStream pout) {
+      // TODO: exit code script for Windows
 
       // On Windows, the pid is the container ID, so that it can also serve as
       // the name of the job object created by winutils for task management.
@@ -342,6 +375,12 @@ public boolean signalContainer(String user, String pid, Signal signal)
     return true;
   }
 
+  @Override
+  public boolean isContainerProcessAlive(String user, String pid)
+      throws IOException {
+    return containerIsAlive(pid);
+  }
+
   /**
    * Returns true if the process with the specified pid is alive.
    * 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
index e03562678c7..7962da28c8c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
@@ -403,6 +403,13 @@ public void deleteAsUser(String user, Path dir, Path... baseDirs) {
     }
   }
   
+  @Override
+  public boolean isContainerProcessAlive(String user, String pid)
+      throws IOException {
+    // Send a test signal to the process as the user to see if it's alive
+    return signalContainer(user, pid, Signal.NULL);
+  }
+
   public void mountCgroups(List<String> cgroupKVs, String hierarchy)
          throws IOException {
     List<String> command = new ArrayList<String>(
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/NodeStatusUpdater.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/NodeStatusUpdater.java
index 2439450c9e3..f0b99ecf342 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/NodeStatusUpdater.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/NodeStatusUpdater.java
@@ -23,11 +23,34 @@
 
 public interface NodeStatusUpdater extends Service {
 
+  /**
+   * Schedule a heartbeat to the ResourceManager outside of the normal,
+   * periodic heartbeating process. This is typically called when the state
+   * of containers on the node has changed to notify the RM sooner.
+   */
   void sendOutofBandHeartBeat();
 
+  /**
+   * Get the ResourceManager identifier received during registration
+   * @return the ResourceManager ID
+   */
   long getRMIdentifier();
   
+  /**
+   * Query if a container has recently completed
+   * @param containerId the container ID
+   * @return true if the container has recently completed
+   */
   public boolean isContainerRecentlyStopped(ContainerId containerId);
   
+  /**
+   * Add a container to the list of containers that have recently completed
+   * @param containerId the ID of the completed container
+   */
+  public void addCompletedContainer(ContainerId containerId);
+
+  /**
+   * Clear the list of recently completed containers
+   */
   public void clearFinishedContainersFromCache();
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/NodeStatusUpdaterImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/NodeStatusUpdaterImpl.java
index 0b8f5b4277a..b52b0fbf6e9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/NodeStatusUpdaterImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/NodeStatusUpdaterImpl.java
@@ -364,8 +364,7 @@ protected List<ContainerStatus> getContainerStatuses() {
         // Adding to finished containers cache. Cache will keep it around at
         // least for #durationToTrackStoppedContainers duration. In the
         // subsequent call to stop container it will get removed from cache.
-        updateStoppedContainersInCache(container.getContainerId());
-        addCompletedContainer(container);
+        addCompletedContainer(container.getContainerId());
       }
     }
     if (LOG.isDebugEnabled()) {
@@ -393,8 +392,7 @@ private List<NMContainerStatus> getNMContainerStatuses() {
         // Adding to finished containers cache. Cache will keep it around at
         // least for #durationToTrackStoppedContainers duration. In the
         // subsequent call to stop container it will get removed from cache.
-        updateStoppedContainersInCache(container.getContainerId());
-        addCompletedContainer(container);
+        addCompletedContainer(container.getContainerId());
       }
     }
     LOG.info("Sending out " + containerStatuses.size()
@@ -402,9 +400,15 @@ private List<NMContainerStatus> getNMContainerStatuses() {
     return containerStatuses;
   }
 
-  private void addCompletedContainer(Container container) {
+  @Override
+  public void addCompletedContainer(ContainerId containerId) {
     synchronized (previousCompletedContainers) {
-      previousCompletedContainers.add(container.getContainerId());
+      previousCompletedContainers.add(containerId);
+    }
+    synchronized (recentlyStoppedContainers) {
+      removeVeryOldStoppedContainersFromCache();
+      recentlyStoppedContainers.put(containerId,
+        System.currentTimeMillis() + durationToTrackStoppedContainers);
     }
   }
 
@@ -451,16 +455,6 @@ public boolean isContainerRecentlyStopped(ContainerId containerId) {
     }
   }
   
-  @Private
-  @VisibleForTesting
-  public void updateStoppedContainersInCache(ContainerId containerId) {
-    synchronized (recentlyStoppedContainers) {
-      removeVeryOldStoppedContainersFromCache();
-      recentlyStoppedContainers.put(containerId,
-        System.currentTimeMillis() + durationToTrackStoppedContainers);
-    }
-  }
-  
   @Override
   public void clearFinishedContainersFromCache() {
     synchronized (recentlyStoppedContainers) {
@@ -476,8 +470,14 @@ public void removeVeryOldStoppedContainersFromCache() {
       Iterator<ContainerId> i =
           recentlyStoppedContainers.keySet().iterator();
       while (i.hasNext()) {
-        if (recentlyStoppedContainers.get(i.next()) < currentTime) {
+        ContainerId cid = i.next();
+        if (recentlyStoppedContainers.get(cid) < currentTime) {
           i.remove();
+          try {
+            context.getNMStateStore().removeContainer(cid);
+          } catch (IOException e) {
+            LOG.error("Unable to remove container " + cid + " in store", e);
+          }
         } else {
           break;
         }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
index aee4e9a78a0..12166e0fa65 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
@@ -127,6 +127,8 @@
 import org.apache.hadoop.yarn.server.nodemanager.metrics.NodeManagerMetrics;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredApplicationsState;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredContainerState;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredContainerStatus;
 import org.apache.hadoop.yarn.server.nodemanager.security.authorize.NMPolicyProvider;
 import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
@@ -246,6 +248,10 @@ private void recover() throws IOException, URISyntaxException {
         recoverApplication(proto);
       }
 
+      for (RecoveredContainerState rcs : stateStore.loadContainersState()) {
+        recoverContainer(rcs);
+      }
+
       String diagnostic = "Application marked finished during recovery";
       for (ApplicationId appId : appsState.getFinishedApplications()) {
         dispatcher.getEventHandler().handle(
@@ -276,6 +282,60 @@ private void recoverApplication(ContainerManagerApplicationProto p)
     app.handle(new ApplicationInitEvent(appId, acls));
   }
 
+  @SuppressWarnings("unchecked")
+  private void recoverContainer(RecoveredContainerState rcs)
+      throws IOException {
+    StartContainerRequest req = rcs.getStartRequest();
+    ContainerLaunchContext launchContext = req.getContainerLaunchContext();
+    ContainerTokenIdentifier token =
+        BuilderUtils.newContainerTokenIdentifier(req.getContainerToken());
+    ContainerId containerId = token.getContainerID();
+    ApplicationId appId =
+        containerId.getApplicationAttemptId().getApplicationId();
+
+    LOG.info("Recovering " + containerId + " in state " + rcs.getStatus()
+        + " with exit code " + rcs.getExitCode());
+
+    if (context.getApplications().containsKey(appId)) {
+      Credentials credentials = parseCredentials(launchContext);
+      Container container = new ContainerImpl(getConfig(), dispatcher,
+          context.getNMStateStore(), req.getContainerLaunchContext(),
+          credentials, metrics, token, rcs.getStatus(), rcs.getExitCode(),
+          rcs.getDiagnostics(), rcs.getKilled());
+      context.getContainers().put(containerId, container);
+      dispatcher.getEventHandler().handle(
+          new ApplicationContainerInitEvent(container));
+    } else {
+      if (rcs.getStatus() != RecoveredContainerStatus.COMPLETED) {
+        LOG.warn(containerId + " has no corresponding application!");
+      }
+      LOG.info("Adding " + containerId + " to recently stopped containers");
+      nodeStatusUpdater.addCompletedContainer(containerId);
+    }
+  }
+
+  private void waitForRecoveredContainers() throws InterruptedException {
+    final int sleepMsec = 100;
+    int waitIterations = 100;
+    List<ContainerId> newContainers = new ArrayList<ContainerId>();
+    while (--waitIterations >= 0) {
+      newContainers.clear();
+      for (Container container : context.getContainers().values()) {
+        if (container.getContainerState() == org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerState.NEW) {
+          newContainers.add(container.getContainerId());
+        }
+      }
+      if (newContainers.isEmpty()) {
+        break;
+      }
+      LOG.info("Waiting for containers: " + newContainers);
+      Thread.sleep(sleepMsec);
+    }
+    if (waitIterations < 0) {
+      LOG.warn("Timeout waiting for recovered containers");
+    }
+  }
+
   protected LogHandler createLogHandler(Configuration conf, Context context,
       DeletionService deletionService) {
     if (conf.getBoolean(YarnConfiguration.LOG_AGGREGATION_ENABLED,
@@ -309,6 +369,23 @@ protected void serviceStart() throws Exception {
     // Enqueue user dirs in deletion context
 
     Configuration conf = getConfig();
+    final InetSocketAddress initialAddress = conf.getSocketAddr(
+        YarnConfiguration.NM_BIND_HOST,
+        YarnConfiguration.NM_ADDRESS,
+        YarnConfiguration.DEFAULT_NM_ADDRESS,
+        YarnConfiguration.DEFAULT_NM_PORT);
+    boolean usingEphemeralPort = (initialAddress.getPort() == 0);
+    if (context.getNMStateStore().canRecover() && usingEphemeralPort) {
+      throw new IllegalArgumentException("Cannot support recovery with an "
+          + "ephemeral server port. Check the setting of "
+          + YarnConfiguration.NM_ADDRESS);
+    }
+    // If recovering then delay opening the RPC service until the recovery
+    // of resources and containers have completed, otherwise requests from
+    // clients during recovery can interfere with the recovery process.
+    final boolean delayedRpcServerStart =
+        context.getNMStateStore().canRecover();
+
     Configuration serverConf = new Configuration(conf);
 
     // always enforce it to be token-based.
@@ -318,12 +395,6 @@ protected void serviceStart() throws Exception {
     
     YarnRPC rpc = YarnRPC.create(conf);
 
-    InetSocketAddress initialAddress = conf.getSocketAddr(
-        YarnConfiguration.NM_BIND_HOST,
-        YarnConfiguration.NM_ADDRESS,
-        YarnConfiguration.DEFAULT_NM_ADDRESS,
-        YarnConfiguration.DEFAULT_NM_PORT);
-
     server =
         rpc.getServer(ContainerManagementProtocol.class, this, initialAddress, 
             serverConf, this.context.getNMTokenSecretManager(),
@@ -340,32 +411,61 @@ protected void serviceStart() throws Exception {
     LOG.info("Blocking new container-requests as container manager rpc" +
     		" server is still starting.");
     this.setBlockNewContainerRequests(true);
-    server.start();
-    
-    InetSocketAddress connectAddress;
+
     String bindHost = conf.get(YarnConfiguration.NM_BIND_HOST);
     String nmAddress = conf.getTrimmed(YarnConfiguration.NM_ADDRESS);
-    if (bindHost == null || bindHost.isEmpty() ||
-	nmAddress == null || nmAddress.isEmpty()) {
-      connectAddress = NetUtils.getConnectAddress(server);
-    } else {
-      //a bind-host case with an address, to support overriding the first hostname
-      //found when querying for our hostname with the specified address, combine
-      //the specified address with the actual port listened on by the server
-      connectAddress = NetUtils.getConnectAddress(
-	new InetSocketAddress(nmAddress.split(":")[0],
-			      server.getListenerAddress().getPort()));
+    String hostOverride = null;
+    if (bindHost != null && !bindHost.isEmpty()
+        && nmAddress != null && !nmAddress.isEmpty()) {
+      //a bind-host case with an address, to support overriding the first
+      //hostname found when querying for our hostname with the specified
+      //address, combine the specified address with the actual port listened
+      //on by the server
+      hostOverride = nmAddress.split(":")[0];
     }
 
-    NodeId nodeId = NodeId.newInstance(
-        connectAddress.getAddress().getCanonicalHostName(),
-        connectAddress.getPort());
+    // setup node ID
+    InetSocketAddress connectAddress;
+    if (delayedRpcServerStart) {
+      connectAddress = NetUtils.getConnectAddress(initialAddress);
+    } else {
+      server.start();
+      connectAddress = NetUtils.getConnectAddress(server);
+    }
+    NodeId nodeId = buildNodeId(connectAddress, hostOverride);
     ((NodeManager.NMContext)context).setNodeId(nodeId);
     this.context.getNMTokenSecretManager().setNodeId(nodeId);
     this.context.getContainerTokenSecretManager().setNodeId(nodeId);
+
+    // start remaining services
+    super.serviceStart();
+
+    if (delayedRpcServerStart) {
+      waitForRecoveredContainers();
+      server.start();
+
+      // check that the node ID is as previously advertised
+      connectAddress = NetUtils.getConnectAddress(server);
+      NodeId serverNode = buildNodeId(connectAddress, hostOverride);
+      if (!serverNode.equals(nodeId)) {
+        throw new IOException("Node mismatch after server started, expected '"
+            + nodeId + "' but found '" + serverNode + "'");
+      }
+    }
+
     LOG.info("ContainerManager started at " + connectAddress);
     LOG.info("ContainerManager bound to " + initialAddress);
-    super.serviceStart();
+  }
+
+  private NodeId buildNodeId(InetSocketAddress connectAddress,
+      String hostOverride) {
+    if (hostOverride != null) {
+      connectAddress = NetUtils.getConnectAddress(
+          new InetSocketAddress(hostOverride, connectAddress.getPort()));
+    }
+    return NodeId.newInstance(
+        connectAddress.getAddress().getCanonicalHostName(),
+        connectAddress.getPort());
   }
 
   void refreshServiceAcls(Configuration configuration, 
@@ -704,7 +804,8 @@ private void startContainerInternal(NMTokenIdentifier nmTokenIdentifier,
     Credentials credentials = parseCredentials(launchContext);
 
     Container container =
-        new ContainerImpl(getConfig(), this.dispatcher, launchContext,
+        new ContainerImpl(getConfig(), this.dispatcher,
+            context.getNMStateStore(), launchContext,
           credentials, metrics, containerTokenIdentifier);
     ApplicationId applicationID =
         containerId.getApplicationAttemptId().getApplicationId();
@@ -733,6 +834,7 @@ private void startContainerInternal(NMTokenIdentifier nmTokenIdentifier,
             new ApplicationInitEvent(applicationID, appAcls));
         }
 
+        this.context.getNMStateStore().storeContainer(containerId, request);
         dispatcher.getEventHandler().handle(
           new ApplicationContainerInitEvent(container));
 
@@ -780,7 +882,7 @@ protected void updateNMTokenIdentifier(NMTokenIdentifier nmTokenIdentifier)
   }
 
   private Credentials parseCredentials(ContainerLaunchContext launchContext)
-      throws YarnException {
+      throws IOException {
     Credentials credentials = new Credentials();
     // //////////// Parse credentials
     ByteBuffer tokens = launchContext.getTokens();
@@ -789,15 +891,11 @@ private Credentials parseCredentials(ContainerLaunchContext launchContext)
       DataInputByteBuffer buf = new DataInputByteBuffer();
       tokens.rewind();
       buf.reset(tokens);
-      try {
-        credentials.readTokenStorageStream(buf);
-        if (LOG.isDebugEnabled()) {
-          for (Token<? extends TokenIdentifier> tk : credentials.getAllTokens()) {
-            LOG.debug(tk.getService() + " = " + tk.toString());
-          }
+      credentials.readTokenStorageStream(buf);
+      if (LOG.isDebugEnabled()) {
+        for (Token<? extends TokenIdentifier> tk : credentials.getAllTokens()) {
+          LOG.debug(tk.getService() + " = " + tk.toString());
         }
-      } catch (IOException e) {
-        throw RPCUtil.getRemoteException(e);
       }
     }
     // //////////// End of parsing credentials
@@ -830,7 +928,7 @@ public StopContainersResponse stopContainers(StopContainersRequest requests)
 
   @SuppressWarnings("unchecked")
   private void stopContainerInternal(NMTokenIdentifier nmTokenIdentifier,
-      ContainerId containerID) throws YarnException {
+      ContainerId containerID) throws YarnException, IOException {
     String containerIDStr = containerID.toString();
     Container container = this.context.getContainers().get(containerID);
     LOG.info("Stopping container with container Id: " + containerIDStr);
@@ -843,6 +941,7 @@ private void stopContainerInternal(NMTokenIdentifier nmTokenIdentifier,
           + " is not handled by this NodeManager");
       }
     } else {
+      context.getNMStateStore().storeContainerKilled(containerID);
       dispatcher.getEventHandler().handle(
         new ContainerKillEvent(containerID,
             ContainerExitStatus.KILLED_BY_APPMASTER,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/ContainerImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/ContainerImpl.java
index c565cf92347..fa54ee19b9e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/ContainerImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/ContainerImpl.java
@@ -18,6 +18,7 @@
 
 package org.apache.hadoop.yarn.server.nodemanager.containermanager.container;
 
+import java.io.IOException;
 import java.net.URISyntaxException;
 import java.nio.ByteBuffer;
 import java.util.ArrayList;
@@ -62,6 +63,8 @@
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.monitor.ContainerStartMonitoringEvent;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.monitor.ContainerStopMonitoringEvent;
 import org.apache.hadoop.yarn.server.nodemanager.metrics.NodeManagerMetrics;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredContainerStatus;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
 import org.apache.hadoop.yarn.state.InvalidStateTransitonException;
 import org.apache.hadoop.yarn.state.MultipleArcTransition;
@@ -75,6 +78,7 @@ public class ContainerImpl implements Container {
   private final Lock readLock;
   private final Lock writeLock;
   private final Dispatcher dispatcher;
+  private final NMStateStoreService stateStore;
   private final Credentials credentials;
   private final NodeManagerMetrics metrics;
   private final ContainerLaunchContext launchContext;
@@ -101,12 +105,19 @@ public class ContainerImpl implements Container {
   private final List<LocalResourceRequest> appRsrcs =
     new ArrayList<LocalResourceRequest>();
 
+  // whether container has been recovered after a restart
+  private RecoveredContainerStatus recoveredStatus =
+      RecoveredContainerStatus.REQUESTED;
+  // whether container was marked as killed after recovery
+  private boolean recoveredAsKilled = false;
+
   public ContainerImpl(Configuration conf, Dispatcher dispatcher,
-      ContainerLaunchContext launchContext, Credentials creds,
-      NodeManagerMetrics metrics,
+      NMStateStoreService stateStore, ContainerLaunchContext launchContext,
+      Credentials creds, NodeManagerMetrics metrics,
       ContainerTokenIdentifier containerTokenIdentifier) {
     this.daemonConf = conf;
     this.dispatcher = dispatcher;
+    this.stateStore = stateStore;
     this.launchContext = launchContext;
     this.containerTokenIdentifier = containerTokenIdentifier;
     this.containerId = containerTokenIdentifier.getContainerID();
@@ -122,6 +133,21 @@ public ContainerImpl(Configuration conf, Dispatcher dispatcher,
     stateMachine = stateMachineFactory.make(this);
   }
 
+  // constructor for a recovered container
+  public ContainerImpl(Configuration conf, Dispatcher dispatcher,
+      NMStateStoreService stateStore, ContainerLaunchContext launchContext,
+      Credentials creds, NodeManagerMetrics metrics,
+      ContainerTokenIdentifier containerTokenIdentifier,
+      RecoveredContainerStatus recoveredStatus, int exitCode,
+      String diagnostics, boolean wasKilled) {
+    this(conf, dispatcher, stateStore, launchContext, creds, metrics,
+        containerTokenIdentifier);
+    this.recoveredStatus = recoveredStatus;
+    this.exitCode = exitCode;
+    this.recoveredAsKilled = wasKilled;
+    this.diagnostics.append(diagnostics);
+  }
+
   private static final ContainerDoneTransition CONTAINER_DONE_TRANSITION =
     new ContainerDoneTransition();
 
@@ -135,8 +161,10 @@ public ContainerImpl(Configuration conf, Dispatcher dispatcher,
       new StateMachineFactory<ContainerImpl, ContainerState, ContainerEventType, ContainerEvent>(ContainerState.NEW)
     // From NEW State
     .addTransition(ContainerState.NEW,
-        EnumSet.of(ContainerState.LOCALIZING, ContainerState.LOCALIZED,
-            ContainerState.LOCALIZATION_FAILED),
+        EnumSet.of(ContainerState.LOCALIZING,
+            ContainerState.LOCALIZED,
+            ContainerState.LOCALIZATION_FAILED,
+            ContainerState.DONE),
         ContainerEventType.INIT_CONTAINER, new RequestResourcesTransition())
     .addTransition(ContainerState.NEW, ContainerState.NEW,
         ContainerEventType.UPDATE_DIAGNOSTICS_MSG,
@@ -281,7 +309,9 @@ ContainerEventType.KILL_CONTAINER, new KillTransition())
         UPDATE_DIAGNOSTICS_TRANSITION)
     .addTransition(ContainerState.CONTAINER_CLEANEDUP_AFTER_KILL,
         ContainerState.CONTAINER_CLEANEDUP_AFTER_KILL,
-        ContainerEventType.KILL_CONTAINER)
+        EnumSet.of(ContainerEventType.KILL_CONTAINER,
+            ContainerEventType.CONTAINER_EXITED_WITH_SUCCESS,
+            ContainerEventType.CONTAINER_EXITED_WITH_FAILURE))
 
     // From DONE
     .addTransition(ContainerState.DONE, ContainerState.DONE,
@@ -295,7 +325,9 @@ ContainerEventType.KILL_CONTAINER, new KillTransition())
     // we notify container of failed localization if localizer thread (for
     // that container) fails for some reason
     .addTransition(ContainerState.DONE, ContainerState.DONE,
-        ContainerEventType.RESOURCE_FAILED)
+        EnumSet.of(ContainerEventType.RESOURCE_FAILED,
+            ContainerEventType.CONTAINER_EXITED_WITH_SUCCESS,
+            ContainerEventType.CONTAINER_EXITED_WITH_FAILURE))
 
     // create the topology tables
     .installTopology();
@@ -420,7 +452,7 @@ public ContainerTokenIdentifier getContainerTokenIdentifier() {
     }
   }
 
-  @SuppressWarnings({"fallthrough", "unchecked"})
+  @SuppressWarnings("fallthrough")
   private void finished() {
     ApplicationId applicationId =
         containerId.getApplicationAttemptId().getApplicationId();
@@ -458,7 +490,11 @@ private void finished() {
     }
 
     metrics.releaseContainer(this.resource);
+    sendFinishedEvents();
+  }
 
+  @SuppressWarnings("unchecked")
+  private void sendFinishedEvents() {
     // Inform the application
     @SuppressWarnings("rawtypes")
     EventHandler eventHandler = dispatcher.getEventHandler();
@@ -470,6 +506,45 @@ private void finished() {
       containerId, exitCode));
   }
 
+  @SuppressWarnings("unchecked") // dispatcher not typed
+  private void sendLaunchEvent() {
+    ContainersLauncherEventType launcherEvent =
+        ContainersLauncherEventType.LAUNCH_CONTAINER;
+    if (recoveredStatus == RecoveredContainerStatus.LAUNCHED) {
+      // try to recover a container that was previously launched
+      launcherEvent = ContainersLauncherEventType.RECOVER_CONTAINER;
+    }
+    dispatcher.getEventHandler().handle(
+        new ContainersLauncherEvent(this, launcherEvent));
+  }
+
+  // Inform the ContainersMonitor to start monitoring the container's
+  // resource usage.
+  @SuppressWarnings("unchecked") // dispatcher not typed
+  private void sendContainerMonitorStartEvent() {
+      long pmemBytes = getResource().getMemory() * 1024 * 1024L;
+      float pmemRatio = daemonConf.getFloat(
+          YarnConfiguration.NM_VMEM_PMEM_RATIO,
+          YarnConfiguration.DEFAULT_NM_VMEM_PMEM_RATIO);
+      long vmemBytes = (long) (pmemRatio * pmemBytes);
+
+      dispatcher.getEventHandler().handle(
+          new ContainerStartMonitoringEvent(containerId,
+              vmemBytes, pmemBytes));
+  }
+
+  private void addDiagnostics(String... diags) {
+    for (String s : diags) {
+      this.diagnostics.append(s);
+    }
+    try {
+      stateStore.storeContainerDiagnostics(containerId, diagnostics);
+    } catch (IOException e) {
+      LOG.warn("Unable to update diagnostics in state store for "
+          + containerId, e);
+    }
+  }
+
   @SuppressWarnings("unchecked") // dispatcher not typed
   public void cleanup() {
     Map<LocalResourceVisibility, Collection<LocalResourceRequest>> rsrc =
@@ -518,6 +593,16 @@ static class RequestResourcesTransition implements
     @Override
     public ContainerState transition(ContainerImpl container,
         ContainerEvent event) {
+      if (container.recoveredStatus == RecoveredContainerStatus.COMPLETED) {
+        container.sendFinishedEvents();
+        return ContainerState.DONE;
+      } else if (container.recoveredAsKilled &&
+          container.recoveredStatus == RecoveredContainerStatus.REQUESTED) {
+        // container was killed but never launched
+        container.finished();
+        return ContainerState.DONE;
+      }
+
       final ContainerLaunchContext ctxt = container.launchContext;
       container.metrics.initingContainer();
 
@@ -593,9 +678,7 @@ public ContainerState transition(ContainerImpl container,
               new ContainerLocalizationRequestEvent(container, req));
         return ContainerState.LOCALIZING;
       } else {
-        container.dispatcher.getEventHandler().handle(
-            new ContainersLauncherEvent(container,
-                ContainersLauncherEventType.LAUNCH_CONTAINER));
+        container.sendLaunchEvent();
         container.metrics.endInitingContainer();
         return ContainerState.LOCALIZED;
       }
@@ -606,7 +689,6 @@ public ContainerState transition(ContainerImpl container,
    * Transition when one of the requested resources for this container
    * has been successfully localized.
    */
-  @SuppressWarnings("unchecked") // dispatcher not typed
   static class LocalizedTransition implements
       MultipleArcTransition<ContainerImpl,ContainerEvent,ContainerState> {
     @Override
@@ -626,9 +708,8 @@ public ContainerState transition(ContainerImpl container,
       if (!container.pendingResources.isEmpty()) {
         return ContainerState.LOCALIZING;
       }
-      container.dispatcher.getEventHandler().handle(
-          new ContainersLauncherEvent(container,
-              ContainersLauncherEventType.LAUNCH_CONTAINER));
+
+      container.sendLaunchEvent();
       container.metrics.endInitingContainer();
       return ContainerState.LOCALIZED;
     }
@@ -638,24 +719,22 @@ public ContainerState transition(ContainerImpl container,
    * Transition from LOCALIZED state to RUNNING state upon receiving
    * a CONTAINER_LAUNCHED event
    */
-  @SuppressWarnings("unchecked") // dispatcher not typed
   static class LaunchTransition extends ContainerTransition {
+    @SuppressWarnings("unchecked")
     @Override
     public void transition(ContainerImpl container, ContainerEvent event) {
-      // Inform the ContainersMonitor to start monitoring the container's
-      // resource usage.
-      long pmemBytes =
-          container.getResource().getMemory() * 1024 * 1024L;
-      float pmemRatio = container.daemonConf.getFloat(
-          YarnConfiguration.NM_VMEM_PMEM_RATIO,
-          YarnConfiguration.DEFAULT_NM_VMEM_PMEM_RATIO);
-      long vmemBytes = (long) (pmemRatio * pmemBytes);
-      
-      container.dispatcher.getEventHandler().handle(
-          new ContainerStartMonitoringEvent(container.containerId,
-              vmemBytes, pmemBytes));
+      container.sendContainerMonitorStartEvent();
       container.metrics.runningContainer();
       container.wasLaunched  = true;
+
+      if (container.recoveredAsKilled) {
+        LOG.info("Killing " + container.containerId
+            + " due to recovered as killed");
+        container.addDiagnostics("Container recovered as killed.\n");
+        container.dispatcher.getEventHandler().handle(
+            new ContainersLauncherEvent(container,
+                ContainersLauncherEventType.CLEANUP_CONTAINER));
+      }
     }
   }
 
@@ -707,8 +786,7 @@ public void transition(ContainerImpl container, ContainerEvent event) {
       ContainerExitEvent exitEvent = (ContainerExitEvent) event;
       container.exitCode = exitEvent.getExitCode();
       if (exitEvent.getDiagnosticInfo() != null) {
-        container.diagnostics.append(exitEvent.getDiagnosticInfo())
-          .append('\n');
+        container.addDiagnostics(exitEvent.getDiagnosticInfo(), "\n");
       }
 
       // TODO: Add containerWorkDir to the deletion service.
@@ -735,7 +813,7 @@ static class KilledExternallyTransition extends ExitedWithFailureTransition {
     @Override
     public void transition(ContainerImpl container, ContainerEvent event) {
       super.transition(container, event);
-      container.diagnostics.append("Killed by external signal\n");
+      container.addDiagnostics("Killed by external signal\n");
     }
   }
 
@@ -750,9 +828,7 @@ public void transition(ContainerImpl container, ContainerEvent event) {
 
       ContainerResourceFailedEvent rsrcFailedEvent =
           (ContainerResourceFailedEvent) event;
-      container.diagnostics.append(rsrcFailedEvent.getDiagnosticMessage()
-          + "\n");
-          
+      container.addDiagnostics(rsrcFailedEvent.getDiagnosticMessage(), "\n");
 
       // Inform the localizer to decrement reference counts and cleanup
       // resources.
@@ -775,8 +851,8 @@ public void transition(ContainerImpl container, ContainerEvent event) {
       container.metrics.endInitingContainer();
       ContainerKillEvent killEvent = (ContainerKillEvent) event;
       container.exitCode = killEvent.getContainerExitStatus();
-      container.diagnostics.append(killEvent.getDiagnostic()).append("\n");
-      container.diagnostics.append("Container is killed before being launched.\n");
+      container.addDiagnostics(killEvent.getDiagnostic(), "\n");
+      container.addDiagnostics("Container is killed before being launched.\n");
     }
   }
 
@@ -817,7 +893,7 @@ public void transition(ContainerImpl container, ContainerEvent event) {
           new ContainersLauncherEvent(container,
               ContainersLauncherEventType.CLEANUP_CONTAINER));
       ContainerKillEvent killEvent = (ContainerKillEvent) event;
-      container.diagnostics.append(killEvent.getDiagnostic()).append("\n");
+      container.addDiagnostics(killEvent.getDiagnostic(), "\n");
       container.exitCode = killEvent.getContainerExitStatus();
     }
   }
@@ -836,8 +912,7 @@ public void transition(ContainerImpl container, ContainerEvent event) {
       }
 
       if (exitEvent.getDiagnosticInfo() != null) {
-        container.diagnostics.append(exitEvent.getDiagnosticInfo())
-          .append('\n');
+        container.addDiagnostics(exitEvent.getDiagnosticInfo(), "\n");
       }
 
       // The process/process-grp is killed. Decrement reference counts and
@@ -877,8 +952,8 @@ static class KillOnNewTransition extends ContainerDoneTransition {
     public void transition(ContainerImpl container, ContainerEvent event) {
       ContainerKillEvent killEvent = (ContainerKillEvent) event;
       container.exitCode = killEvent.getContainerExitStatus();
-      container.diagnostics.append(killEvent.getDiagnostic()).append("\n");
-      container.diagnostics.append("Container is killed before being launched.\n");
+      container.addDiagnostics(killEvent.getDiagnostic(), "\n");
+      container.addDiagnostics("Container is killed before being launched.\n");
       super.transition(container, event);
     }
   }
@@ -892,8 +967,14 @@ static class ContainerDiagnosticsUpdateTransition implements
     public void transition(ContainerImpl container, ContainerEvent event) {
       ContainerDiagnosticsUpdateEvent updateEvent =
           (ContainerDiagnosticsUpdateEvent) event;
-      container.diagnostics.append(updateEvent.getDiagnosticsUpdate())
-          .append("\n");
+      container.addDiagnostics(updateEvent.getDiagnosticsUpdate(), "\n");
+      try {
+        container.stateStore.storeContainerDiagnostics(container.containerId,
+            container.diagnostics);
+      } catch (IOException e) {
+        LOG.warn("Unable to update state store diagnostics for "
+            + container.containerId, e);
+      }
     }
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainerLaunch.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainerLaunch.java
index e252e35dfc8..cee6a40a558 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainerLaunch.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainerLaunch.java
@@ -87,22 +87,23 @@ public class ContainerLaunch implements Callable<Integer> {
   public static final String FINAL_CONTAINER_TOKENS_FILE = "container_tokens";
 
   private static final String PID_FILE_NAME_FMT = "%s.pid";
+  private static final String EXIT_CODE_FILE_SUFFIX = ".exitcode";
 
-  private final Dispatcher dispatcher;
-  private final ContainerExecutor exec;
+  protected final Dispatcher dispatcher;
+  protected final ContainerExecutor exec;
   private final Application app;
-  private final Container container;
+  protected final Container container;
   private final Configuration conf;
   private final Context context;
   private final ContainerManagerImpl containerManager;
   
-  private volatile AtomicBoolean shouldLaunchContainer = new AtomicBoolean(false);
-  private volatile AtomicBoolean completed = new AtomicBoolean(false);
+  protected AtomicBoolean shouldLaunchContainer = new AtomicBoolean(false);
+  protected AtomicBoolean completed = new AtomicBoolean(false);
 
   private long sleepDelayBeforeSigKill = 250;
   private long maxKillWaitTime = 2000;
 
-  private Path pidFilePath = null;
+  protected Path pidFilePath = null;
 
   private final LocalDirsHandlerService dirsHandler;
 
@@ -223,14 +224,11 @@ public Integer call() {
               + Path.SEPARATOR + containerIdStr,
               LocalDirAllocator.SIZE_UNKNOWN, false);
 
-      String pidFileSuffix = String.format(ContainerLaunch.PID_FILE_NAME_FMT,
-          containerIdStr);
+      String pidFileSubpath = getPidFileSubpath(appIdStr, containerIdStr);
 
       // pid file should be in nm private dir so that it is not 
       // accessible by users
-      pidFilePath = dirsHandler.getLocalPathForWrite(
-          ResourceLocalizationService.NM_PRIVATE_DIR + Path.SEPARATOR 
-          + pidFileSuffix);
+      pidFilePath = dirsHandler.getLocalPathForWrite(pidFileSubpath);
       List<String> localDirs = dirsHandler.getLocalDirs();
       List<String> logDirs = dirsHandler.getLogDirs();
 
@@ -288,6 +286,7 @@ public Integer call() {
       dispatcher.getEventHandler().handle(new ContainerEvent(
             containerID,
             ContainerEventType.CONTAINER_LAUNCHED));
+      context.getNMStateStore().storeContainerLaunched(containerID);
 
       // Check if the container is signalled to be killed.
       if (!shouldLaunchContainer.compareAndSet(false, true)) {
@@ -310,6 +309,11 @@ public Integer call() {
     } finally {
       completed.set(true);
       exec.deactivateContainer(containerID);
+      try {
+        context.getNMStateStore().storeContainerCompleted(containerID, ret);
+      } catch (IOException e) {
+        LOG.error("Unable to set exit code for container " + containerID);
+      }
     }
 
     if (LOG.isDebugEnabled()) {
@@ -342,6 +346,11 @@ public Integer call() {
             ContainerEventType.CONTAINER_EXITED_WITH_SUCCESS));
     return 0;
   }
+
+  protected String getPidFileSubpath(String appIdStr, String containerIdStr) {
+    return getContainerPrivateDir(appIdStr, containerIdStr) + Path.SEPARATOR
+        + String.format(ContainerLaunch.PID_FILE_NAME_FMT, containerIdStr);
+  }
   
   /**
    * Cleanup the container.
@@ -357,6 +366,13 @@ public void cleanupContainer() throws IOException {
     String containerIdStr = ConverterUtils.toString(containerId);
     LOG.info("Cleaning up container " + containerIdStr);
 
+    try {
+      context.getNMStateStore().storeContainerKilled(containerId);
+    } catch (IOException e) {
+      LOG.error("Unable to mark container " + containerId
+          + " killed in store", e);
+    }
+
     // launch flag will be set to true if process already launched
     boolean alreadyLaunched = !shouldLaunchContainer.compareAndSet(false, true);
     if (!alreadyLaunched) {
@@ -421,6 +437,7 @@ public void cleanupContainer() throws IOException {
       if (pidFilePath != null) {
         FileContext lfs = FileContext.getLocalFSFileContext();
         lfs.delete(pidFilePath, false);
+        lfs.delete(pidFilePath.suffix(EXIT_CODE_FILE_SUFFIX), false);
       }
     }
   }
@@ -479,6 +496,10 @@ private String getAppPrivateDir(String appIdStr) {
         + appIdStr;
   }
 
+  Context getContext() {
+    return context;
+  }
+
   @VisibleForTesting
   static abstract class ShellScriptBuilder {
     public static ShellScriptBuilder create() {
@@ -787,4 +808,7 @@ static void writeLaunchEnv(OutputStream out,
     }
   }
 
+  public static String getExitCodeFile(String pidFile) {
+    return pidFile + EXIT_CODE_FILE_SUFFIX;
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainersLauncher.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainersLauncher.java
index ce865e3f68f..6950aa9381a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainersLauncher.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainersLauncher.java
@@ -24,7 +24,6 @@
 import java.util.Map;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -32,21 +31,16 @@
 import org.apache.hadoop.fs.FileContext;
 import org.apache.hadoop.fs.UnsupportedFileSystemException;
 import org.apache.hadoop.service.AbstractService;
-import org.apache.hadoop.util.Shell;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.event.Dispatcher;
 import org.apache.hadoop.yarn.event.EventHandler;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
-import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor.ExitCode;
 import org.apache.hadoop.yarn.server.nodemanager.Context;
 import org.apache.hadoop.yarn.server.nodemanager.LocalDirsHandlerService;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.ContainerManagerImpl;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.application.Application;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
-import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerEventType;
-import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerExitEvent;
-import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerState;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.ResourceLocalizationService;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -107,7 +101,6 @@ protected  void serviceStop() throws Exception {
     super.serviceStop();
   }
 
-  @SuppressWarnings("unchecked")
   @Override
   public void handle(ContainersLauncherEvent event) {
     // TODO: ContainersLauncher launches containers one by one!!
@@ -125,6 +118,14 @@ public void handle(ContainersLauncherEvent event) {
         containerLauncher.submit(launch);
         running.put(containerId, launch);
         break;
+      case RECOVER_CONTAINER:
+        app = context.getApplications().get(
+            containerId.getApplicationAttemptId().getApplicationId());
+        launch = new RecoveredContainerLaunch(context, getConfig(), dispatcher,
+            exec, app, event.getContainer(), dirsHandler, containerManager);
+        containerLauncher.submit(launch);
+        running.put(containerId, launch);
+        break;
       case CLEANUP_CONTAINER:
         ContainerLaunch launcher = running.remove(containerId);
         if (launcher == null) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainersLauncherEventType.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainersLauncherEventType.java
index 6793bf75d20..385b5b2d9d2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainersLauncherEventType.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/ContainersLauncherEventType.java
@@ -20,5 +20,6 @@
 
 public enum ContainersLauncherEventType {
   LAUNCH_CONTAINER,
+  RECOVER_CONTAINER,
   CLEANUP_CONTAINER, // The process(grp) itself.
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/RecoveredContainerLaunch.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/RecoveredContainerLaunch.java
new file mode 100644
index 00000000000..446695a974c
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/launcher/RecoveredContainerLaunch.java
@@ -0,0 +1,126 @@
+/**
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements.  See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership.  The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License.  You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher;
+
+import java.io.File;
+import java.io.IOException;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.yarn.api.records.ContainerId;
+import org.apache.hadoop.yarn.event.Dispatcher;
+import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
+import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor.ExitCode;
+import org.apache.hadoop.yarn.server.nodemanager.Context;
+import org.apache.hadoop.yarn.server.nodemanager.LocalDirsHandlerService;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.ContainerManagerImpl;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.application.Application;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerEvent;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerEventType;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerExitEvent;
+import org.apache.hadoop.yarn.util.ConverterUtils;
+
+/**
+ * This is a ContainerLaunch which has been recovered after an NM restart (for
+ * rolling upgrades)
+ */
+public class RecoveredContainerLaunch extends ContainerLaunch {
+
+  private static final Log LOG = LogFactory.getLog(
+    RecoveredContainerLaunch.class);
+
+  public RecoveredContainerLaunch(Context context, Configuration configuration,
+      Dispatcher dispatcher, ContainerExecutor exec, Application app,
+      Container container, LocalDirsHandlerService dirsHandler,
+      ContainerManagerImpl containerManager)
+  {
+    super(context, configuration, dispatcher, exec, app, container, dirsHandler,
+      containerManager);
+    this.shouldLaunchContainer.set(true);
+  }
+
+  /**
+   * Wait on the process specified in pid file and return its exit code
+   */
+  @SuppressWarnings("unchecked")
+  @Override
+  public Integer call() {
+    int retCode = ExitCode.LOST.getExitCode();
+    ContainerId containerId = container.getContainerId();
+    String appIdStr = ConverterUtils.toString(
+        containerId.getApplicationAttemptId().getApplicationId());
+    String containerIdStr = ConverterUtils.toString(containerId);
+
+    dispatcher.getEventHandler().handle(new ContainerEvent(containerId,
+        ContainerEventType.CONTAINER_LAUNCHED));
+
+    try {
+      File pidFile = locatePidFile(appIdStr, containerIdStr);
+      if (pidFile != null) {
+        String pidPathStr = pidFile.getPath();
+        pidFilePath = new Path(pidPathStr);
+        exec.activateContainer(containerId, pidFilePath);
+        retCode = exec.reacquireContainer(container.getUser(), containerId);
+      } else {
+        LOG.warn("Unable to locate pid file for container " + containerIdStr);
+      }
+    } catch (IOException e) {
+        LOG.error("Unable to recover container " + containerIdStr, e);
+    } finally {
+      this.completed.set(true);
+      exec.deactivateContainer(containerId);
+      try {
+        getContext().getNMStateStore().storeContainerCompleted(containerId,
+            retCode);
+      } catch (IOException e) {
+        LOG.error("Unable to set exit code for container " + containerId);
+      }
+    }
+
+    if (retCode != 0) {
+      LOG.warn("Recovered container exited with a non-zero exit code "
+          + retCode);
+      this.dispatcher.getEventHandler().handle(new ContainerExitEvent(
+          containerId,
+          ContainerEventType.CONTAINER_EXITED_WITH_FAILURE, retCode,
+          "Container exited with a non-zero exit code " + retCode));
+      return retCode;
+    }
+
+    LOG.info("Recovered container " + containerId + " succeeded");
+    dispatcher.getEventHandler().handle(
+        new ContainerEvent(containerId,
+            ContainerEventType.CONTAINER_EXITED_WITH_SUCCESS));
+    return 0;
+  }
+
+  private File locatePidFile(String appIdStr, String containerIdStr) {
+    String pidSubpath= getPidFileSubpath(appIdStr, containerIdStr);
+    for (String dir : getContext().getLocalDirsHandler().getLocalDirs()) {
+      File pidFile = new File(dir, pidSubpath);
+      if (pidFile.exists()) {
+        return pidFile;
+      }
+    }
+    return null;
+  }
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/AppLogAggregator.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/AppLogAggregator.java
index deb6c045c83..0b72a39b682 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/AppLogAggregator.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/AppLogAggregator.java
@@ -25,5 +25,7 @@ public interface AppLogAggregator extends Runnable {
   void startContainerLogAggregation(ContainerId containerId,
       boolean wasContainerSuccessful);
 
+  void abortLogAggregation();
+
   void finishLogAggregation();
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/AppLogAggregatorImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/AppLogAggregatorImpl.java
index 805b9e0b1ba..1af48bbf1e9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/AppLogAggregatorImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/AppLogAggregatorImpl.java
@@ -70,6 +70,7 @@ public class AppLogAggregatorImpl implements AppLogAggregator {
   private final BlockingQueue<ContainerId> pendingContainers;
   private final AtomicBoolean appFinishing = new AtomicBoolean();
   private final AtomicBoolean appAggregationFinished = new AtomicBoolean();
+  private final AtomicBoolean aborted = new AtomicBoolean();
   private final Map<ApplicationAccessType, String> appAcls;
 
   private LogWriter writer = null;
@@ -150,7 +151,7 @@ public void run() {
   private void doAppLogAggregation() {
     ContainerId containerId;
 
-    while (!this.appFinishing.get()) {
+    while (!this.appFinishing.get() && !this.aborted.get()) {
       synchronized(this) {
         try {
           wait(THREAD_SLEEP_TIME);
@@ -161,6 +162,10 @@ private void doAppLogAggregation() {
       }
     }
 
+    if (this.aborted.get()) {
+      return;
+    }
+
     // Application is finished. Finish pending-containers
     while ((containerId = this.pendingContainers.poll()) != null) {
       uploadLogsForContainer(containerId);
@@ -255,4 +260,11 @@ public synchronized void finishLogAggregation() {
     this.appFinishing.set(true);
     this.notifyAll();
   }
+
+  @Override
+  public synchronized void abortLogAggregation() {
+    LOG.info("Aborting log aggregation for " + this.applicationId);
+    this.aborted.set(true);
+    this.notifyAll();
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/LogAggregationService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/LogAggregationService.java
index efe8984694e..58e1837ebea 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/LogAggregationService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/logaggregation/LogAggregationService.java
@@ -142,9 +142,17 @@ protected void serviceStop() throws Exception {
    
   private void stopAggregators() {
     threadPool.shutdown();
+    // if recovery on restart is supported then leave outstanding aggregations
+    // to the next restart
+    boolean shouldAbort = context.getNMStateStore().canRecover()
+        && !context.getDecommissioned();
     // politely ask to finish
     for (AppLogAggregator aggregator : appLogAggregators.values()) {
-      aggregator.finishLogAggregation();
+      if (shouldAbort) {
+        aggregator.abortLogAggregation();
+      } else {
+        aggregator.finishLogAggregation();
+      }
     }
     while (!threadPool.isTerminated()) { // wait for all threads to finish
       for (ApplicationId appId : appLogAggregators.keySet()) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java
index c3fc272d7f5..7c95fff9986 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMLeveldbStateStoreService.java
@@ -35,6 +35,8 @@
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
+import org.apache.hadoop.yarn.api.protocolrecords.impl.pb.StartContainerRequestPBImpl;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
@@ -45,6 +47,7 @@
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.ContainerManagerApplicationProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.DeletionServiceDeleteTaskProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.LocalizedResourceProto;
+import org.apache.hadoop.yarn.proto.YarnServiceProtos.StartContainerRequestProto;
 import org.apache.hadoop.yarn.server.api.records.MasterKey;
 import org.apache.hadoop.yarn.server.api.records.impl.pb.MasterKeyPBImpl;
 import org.apache.hadoop.yarn.server.records.Version;
@@ -90,6 +93,14 @@ public class NMLeveldbStateStoreService extends NMStateStoreService {
   private static final String LOCALIZATION_FILECACHE_SUFFIX = "filecache/";
   private static final String LOCALIZATION_APPCACHE_SUFFIX = "appcache/";
 
+  private static final String CONTAINERS_KEY_PREFIX =
+      "ContainerManager/containers/";
+  private static final String CONTAINER_REQUEST_KEY_SUFFIX = "/request";
+  private static final String CONTAINER_DIAGS_KEY_SUFFIX = "/diagnostics";
+  private static final String CONTAINER_LAUNCHED_KEY_SUFFIX = "/launched";
+  private static final String CONTAINER_KILLED_KEY_SUFFIX = "/killed";
+  private static final String CONTAINER_EXIT_CODE_KEY_SUFFIX = "/exitcode";
+
   private static final String CURRENT_MASTER_KEY_SUFFIX = "CurrentMasterKey";
   private static final String PREV_MASTER_KEY_SUFFIX = "PreviousMasterKey";
   private static final String NM_TOKENS_KEY_PREFIX = "NMTokens/";
@@ -104,6 +115,8 @@ public class NMLeveldbStateStoreService extends NMStateStoreService {
   private static final String CONTAINER_TOKENS_PREV_MASTER_KEY =
       CONTAINER_TOKENS_KEY_PREFIX + PREV_MASTER_KEY_SUFFIX;
 
+  private static final byte[] EMPTY_VALUE = new byte[0];
+
   private DB db;
 
   public NMLeveldbStateStoreService() {
@@ -122,6 +135,160 @@ protected void closeStorage() throws IOException {
   }
 
 
+  @Override
+  public List<RecoveredContainerState> loadContainersState()
+      throws IOException {
+    ArrayList<RecoveredContainerState> containers =
+        new ArrayList<RecoveredContainerState>();
+    LeveldbIterator iter = null;
+    try {
+      iter = new LeveldbIterator(db);
+      iter.seek(bytes(CONTAINERS_KEY_PREFIX));
+
+      while (iter.hasNext()) {
+        Entry<byte[],byte[]> entry = iter.peekNext();
+        String key = asString(entry.getKey());
+        if (!key.startsWith(CONTAINERS_KEY_PREFIX)) {
+          break;
+        }
+
+        int idEndPos = key.indexOf('/', CONTAINERS_KEY_PREFIX.length());
+        if (idEndPos < 0) {
+          throw new IOException("Unable to determine container in key: " + key);
+        }
+        ContainerId containerId = ConverterUtils.toContainerId(
+            key.substring(CONTAINERS_KEY_PREFIX.length(), idEndPos));
+        String keyPrefix = key.substring(0, idEndPos+1);
+        containers.add(loadContainerState(containerId, iter, keyPrefix));
+      }
+    } catch (DBException e) {
+      throw new IOException(e);
+    } finally {
+      if (iter != null) {
+        iter.close();
+      }
+    }
+
+    return containers;
+  }
+
+  private RecoveredContainerState loadContainerState(ContainerId containerId,
+      LeveldbIterator iter, String keyPrefix) throws IOException {
+    RecoveredContainerState rcs = new RecoveredContainerState();
+    rcs.status = RecoveredContainerStatus.REQUESTED;
+    while (iter.hasNext()) {
+      Entry<byte[],byte[]> entry = iter.peekNext();
+      String key = asString(entry.getKey());
+      if (!key.startsWith(keyPrefix)) {
+        break;
+      }
+      iter.next();
+
+      String suffix = key.substring(keyPrefix.length()-1);  // start with '/'
+      if (suffix.equals(CONTAINER_REQUEST_KEY_SUFFIX)) {
+        rcs.startRequest = new StartContainerRequestPBImpl(
+            StartContainerRequestProto.parseFrom(entry.getValue()));
+      } else if (suffix.equals(CONTAINER_DIAGS_KEY_SUFFIX)) {
+        rcs.diagnostics = asString(entry.getValue());
+      } else if (suffix.equals(CONTAINER_LAUNCHED_KEY_SUFFIX)) {
+        if (rcs.status == RecoveredContainerStatus.REQUESTED) {
+          rcs.status = RecoveredContainerStatus.LAUNCHED;
+        }
+      } else if (suffix.equals(CONTAINER_KILLED_KEY_SUFFIX)) {
+        rcs.killed = true;
+      } else if (suffix.equals(CONTAINER_EXIT_CODE_KEY_SUFFIX)) {
+        rcs.status = RecoveredContainerStatus.COMPLETED;
+        rcs.exitCode = Integer.parseInt(asString(entry.getValue()));
+      } else {
+        throw new IOException("Unexpected container state key: " + key);
+      }
+    }
+    return rcs;
+  }
+
+  @Override
+  public void storeContainer(ContainerId containerId,
+      StartContainerRequest startRequest) throws IOException {
+    String key = CONTAINERS_KEY_PREFIX + containerId.toString()
+        + CONTAINER_REQUEST_KEY_SUFFIX;
+    try {
+      db.put(bytes(key),
+        ((StartContainerRequestPBImpl) startRequest).getProto().toByteArray());
+    } catch (DBException e) {
+      throw new IOException(e);
+    }
+  }
+
+  @Override
+  public void storeContainerDiagnostics(ContainerId containerId,
+      StringBuilder diagnostics) throws IOException {
+    String key = CONTAINERS_KEY_PREFIX + containerId.toString()
+        + CONTAINER_DIAGS_KEY_SUFFIX;
+    try {
+      db.put(bytes(key), bytes(diagnostics.toString()));
+    } catch (DBException e) {
+      throw new IOException(e);
+    }
+  }
+
+  @Override
+  public void storeContainerLaunched(ContainerId containerId)
+      throws IOException {
+    String key = CONTAINERS_KEY_PREFIX + containerId.toString()
+        + CONTAINER_LAUNCHED_KEY_SUFFIX;
+    try {
+      db.put(bytes(key), EMPTY_VALUE);
+    } catch (DBException e) {
+      throw new IOException(e);
+    }
+  }
+
+  @Override
+  public void storeContainerKilled(ContainerId containerId)
+      throws IOException {
+    String key = CONTAINERS_KEY_PREFIX + containerId.toString()
+        + CONTAINER_KILLED_KEY_SUFFIX;
+    try {
+      db.put(bytes(key), EMPTY_VALUE);
+    } catch (DBException e) {
+      throw new IOException(e);
+    }
+  }
+
+  @Override
+  public void storeContainerCompleted(ContainerId containerId,
+      int exitCode) throws IOException {
+    String key = CONTAINERS_KEY_PREFIX + containerId.toString()
+        + CONTAINER_EXIT_CODE_KEY_SUFFIX;
+    try {
+      db.put(bytes(key), bytes(Integer.toString(exitCode)));
+    } catch (DBException e) {
+      throw new IOException(e);
+    }
+  }
+
+  @Override
+  public void removeContainer(ContainerId containerId)
+      throws IOException {
+    String keyPrefix = CONTAINERS_KEY_PREFIX + containerId.toString();
+    try {
+      WriteBatch batch = db.createWriteBatch();
+      try {
+        batch.delete(bytes(keyPrefix + CONTAINER_REQUEST_KEY_SUFFIX));
+        batch.delete(bytes(keyPrefix + CONTAINER_DIAGS_KEY_SUFFIX));
+        batch.delete(bytes(keyPrefix + CONTAINER_LAUNCHED_KEY_SUFFIX));
+        batch.delete(bytes(keyPrefix + CONTAINER_KILLED_KEY_SUFFIX));
+        batch.delete(bytes(keyPrefix + CONTAINER_EXIT_CODE_KEY_SUFFIX));
+        db.write(batch);
+      } finally {
+        batch.close();
+      }
+    } catch (DBException e) {
+      throw new IOException(e);
+    }
+  }
+
+
   @Override
   public RecoveredApplicationsState loadApplicationsState()
       throws IOException {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMNullStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMNullStateStoreService.java
index 3bb1e2189fc..66469697987 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMNullStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMNullStateStoreService.java
@@ -19,9 +19,11 @@
 package org.apache.hadoop.yarn.server.nodemanager.recovery;
 
 import java.io.IOException;
+import java.util.List;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
@@ -62,6 +64,42 @@ public void storeFinishedApplication(ApplicationId appId) {
   public void removeApplication(ApplicationId appId) throws IOException {
   }
 
+  @Override
+  public List<RecoveredContainerState> loadContainersState()
+      throws IOException {
+    throw new UnsupportedOperationException(
+        "Recovery not supported by this state store");
+  }
+
+  @Override
+  public void storeContainer(ContainerId containerId,
+      StartContainerRequest startRequest) throws IOException {
+  }
+
+  @Override
+  public void storeContainerDiagnostics(ContainerId containerId,
+      StringBuilder diagnostics) throws IOException {
+  }
+
+  @Override
+  public void storeContainerLaunched(ContainerId containerId)
+      throws IOException {
+  }
+
+  @Override
+  public void storeContainerKilled(ContainerId containerId)
+      throws IOException {
+  }
+
+  @Override
+  public void storeContainerCompleted(ContainerId containerId, int exitCode)
+      throws IOException {
+  }
+
+  @Override
+  public void removeContainer(ContainerId containerId) throws IOException {
+  }
+
   @Override
   public RecoveredLocalizationState loadLocalizationState()
       throws IOException {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMStateStoreService.java
index f0988e36172..a9699f370b4 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMStateStoreService.java
@@ -29,8 +29,10 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.service.AbstractService;
+import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
+import org.apache.hadoop.yarn.api.records.ContainerExitStatus;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.proto.YarnProtos.LocalResourceProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.ContainerManagerApplicationProto;
@@ -59,6 +61,40 @@ public List<ApplicationId> getFinishedApplications() {
     }
   }
 
+  public enum RecoveredContainerStatus {
+    REQUESTED,
+    LAUNCHED,
+    COMPLETED
+  }
+
+  public static class RecoveredContainerState {
+    RecoveredContainerStatus status;
+    int exitCode = ContainerExitStatus.INVALID;
+    boolean killed = false;
+    String diagnostics = "";
+    StartContainerRequest startRequest;
+
+    public RecoveredContainerStatus getStatus() {
+      return status;
+    }
+
+    public int getExitCode() {
+      return exitCode;
+    }
+
+    public boolean getKilled() {
+      return killed;
+    }
+
+    public String getDiagnostics() {
+      return diagnostics;
+    }
+
+    public StartContainerRequest getStartRequest() {
+      return startRequest;
+    }
+  }
+
   public static class LocalResourceTrackerState {
     List<LocalizedResourceProto> localizedResources =
         new ArrayList<LocalizedResourceProto>();
@@ -176,19 +212,100 @@ public boolean canRecover() {
   }
 
 
+  /**
+   * Load the state of applications
+   * @return recovered state for applications
+   * @throws IOException
+   */
   public abstract RecoveredApplicationsState loadApplicationsState()
       throws IOException;
 
+  /**
+   * Record the start of an application
+   * @param appId the application ID
+   * @param p state to store for the application
+   * @throws IOException
+   */
   public abstract void storeApplication(ApplicationId appId,
       ContainerManagerApplicationProto p) throws IOException;
 
+  /**
+   * Record that an application has finished
+   * @param appId the application ID
+   * @throws IOException
+   */
   public abstract void storeFinishedApplication(ApplicationId appId)
       throws IOException;
 
+  /**
+   * Remove records corresponding to an application
+   * @param appId the application ID
+   * @throws IOException
+   */
   public abstract void removeApplication(ApplicationId appId)
       throws IOException;
 
 
+  /**
+   * Load the state of containers
+   * @return recovered state for containers
+   * @throws IOException
+   */
+  public abstract List<RecoveredContainerState> loadContainersState()
+      throws IOException;
+
+  /**
+   * Record a container start request
+   * @param containerId the container ID
+   * @param startRequest the container start request
+   * @throws IOException
+   */
+  public abstract void storeContainer(ContainerId containerId,
+      StartContainerRequest startRequest) throws IOException;
+
+  /**
+   * Record that a container has been launched
+   * @param containerId the container ID
+   * @throws IOException
+   */
+  public abstract void storeContainerLaunched(ContainerId containerId)
+      throws IOException;
+
+  /**
+   * Record that a container has completed
+   * @param containerId the container ID
+   * @param exitCode the exit code from the container
+   * @throws IOException
+   */
+  public abstract void storeContainerCompleted(ContainerId containerId,
+      int exitCode) throws IOException;
+
+  /**
+   * Record a request to kill a container
+   * @param containerId the container ID
+   * @throws IOException
+   */
+  public abstract void storeContainerKilled(ContainerId containerId)
+      throws IOException;
+
+  /**
+   * Record diagnostics for a container
+   * @param containerId the container ID
+   * @param diagnostics the container diagnostics
+   * @throws IOException
+   */
+  public abstract void storeContainerDiagnostics(ContainerId containerId,
+      StringBuilder diagnostics) throws IOException;
+
+  /**
+   * Remove records corresponding to a container
+   * @param containerId the container ID
+   * @throws IOException
+   */
+  public abstract void removeContainer(ContainerId containerId)
+      throws IOException;
+
+
   /**
    * Load the state of localized resources
    * @return recovered localized resource state
@@ -230,43 +347,111 @@ public abstract void removeLocalizedResource(String user,
       ApplicationId appId, Path localPath) throws IOException;
 
 
+  /**
+   * Load the state of the deletion service
+   * @return recovered deletion service state
+   * @throws IOException
+   */
   public abstract RecoveredDeletionServiceState loadDeletionServiceState()
       throws IOException;
 
+  /**
+   * Record a deletion task
+   * @param taskId the deletion task ID
+   * @param taskProto the deletion task protobuf
+   * @throws IOException
+   */
   public abstract void storeDeletionTask(int taskId,
       DeletionServiceDeleteTaskProto taskProto) throws IOException;
 
+  /**
+   * Remove records corresponding to a deletion task
+   * @param taskId the deletion task ID
+   * @throws IOException
+   */
   public abstract void removeDeletionTask(int taskId) throws IOException;
 
 
+  /**
+   * Load the state of NM tokens
+   * @return recovered state of NM tokens
+   * @throws IOException
+   */
   public abstract RecoveredNMTokensState loadNMTokensState()
       throws IOException;
 
+  /**
+   * Record the current NM token master key
+   * @param key the master key
+   * @throws IOException
+   */
   public abstract void storeNMTokenCurrentMasterKey(MasterKey key)
       throws IOException;
 
+  /**
+   * Record the previous NM token master key
+   * @param key the previous master key
+   * @throws IOException
+   */
   public abstract void storeNMTokenPreviousMasterKey(MasterKey key)
       throws IOException;
 
+  /**
+   * Record a master key corresponding to an application
+   * @param attempt the application attempt ID
+   * @param key the master key
+   * @throws IOException
+   */
   public abstract void storeNMTokenApplicationMasterKey(
       ApplicationAttemptId attempt, MasterKey key) throws IOException;
 
+  /**
+   * Remove a master key corresponding to an application
+   * @param attempt the application attempt ID
+   * @throws IOException
+   */
   public abstract void removeNMTokenApplicationMasterKey(
       ApplicationAttemptId attempt) throws IOException;
 
 
+  /**
+   * Load the state of container tokens
+   * @return recovered state of container tokens
+   * @throws IOException
+   */
   public abstract RecoveredContainerTokensState loadContainerTokensState()
       throws IOException;
 
+  /**
+   * Record the current container token master key
+   * @param key the master key
+   * @throws IOException
+   */
   public abstract void storeContainerTokenCurrentMasterKey(MasterKey key)
       throws IOException;
 
+  /**
+   * Record the previous container token master key
+   * @param key the previous master key
+   * @throws IOException
+   */
   public abstract void storeContainerTokenPreviousMasterKey(MasterKey key)
       throws IOException;
 
+  /**
+   * Record the expiration time for a container token
+   * @param containerId the container ID
+   * @param expirationTime the container token expiration time
+   * @throws IOException
+   */
   public abstract void storeContainerToken(ContainerId containerId,
       Long expirationTime) throws IOException;
 
+  /**
+   * Remove records for a container token
+   * @param containerId the container ID
+   * @throws IOException
+   */
   public abstract void removeContainerToken(ContainerId containerId)
       throws IOException;
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
index 16ede961edc..b64da19ae78 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
@@ -33,6 +33,7 @@
 #include <limits.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
+#include <sys/wait.h>
 
 static const int DEFAULT_MIN_USERID = 1000;
 
@@ -244,6 +245,85 @@ static int write_pid_to_file_as_nm(const char* pid_file, pid_t pid) {
   return 0;
 }
 
+/**
+ * Write the exit code of the container into the exit code file
+ * exit_code_file: Path to exit code file where exit code needs to be written
+ */
+static int write_exit_code_file(const char* exit_code_file, int exit_code) {
+  char *tmp_ecode_file = concatenate("%s.tmp", "exit_code_path", 1,
+      exit_code_file);
+  if (tmp_ecode_file == NULL) {
+    return -1;
+  }
+
+  // create with 700
+  int ecode_fd = open(tmp_ecode_file, O_WRONLY|O_CREAT|O_EXCL, S_IRWXU);
+  if (ecode_fd == -1) {
+    fprintf(LOGFILE, "Can't open file %s - %s\n", tmp_ecode_file,
+           strerror(errno));
+    free(tmp_ecode_file);
+    return -1;
+  }
+
+  char ecode_buf[21];
+  snprintf(ecode_buf, sizeof(ecode_buf), "%d", exit_code);
+  ssize_t written = write(ecode_fd, ecode_buf, strlen(ecode_buf));
+  close(ecode_fd);
+  if (written == -1) {
+    fprintf(LOGFILE, "Failed to write exit code to file %s - %s\n",
+       tmp_ecode_file, strerror(errno));
+    free(tmp_ecode_file);
+    return -1;
+  }
+
+  // rename temp file to actual exit code file
+  // use rename as atomic
+  if (rename(tmp_ecode_file, exit_code_file)) {
+    fprintf(LOGFILE, "Can't move exit code file from %s to %s - %s\n",
+        tmp_ecode_file, exit_code_file, strerror(errno));
+    unlink(tmp_ecode_file);
+    free(tmp_ecode_file);
+    return -1;
+  }
+
+  free(tmp_ecode_file);
+  return 0;
+}
+
+/**
+ * Wait for the container process to exit and write the exit code to
+ * the exit code file.
+ * Returns the exit code of the container process.
+ */
+static int wait_and_write_exit_code(pid_t pid, const char* exit_code_file) {
+  int child_status = -1;
+  int exit_code = -1;
+  int waitpid_result;
+
+  if (change_effective_user(nm_uid, nm_gid) != 0) {
+    return -1;
+  }
+  do {
+    waitpid_result = waitpid(pid, &child_status, 0);
+  } while (waitpid_result == -1 && errno == EINTR);
+  if (waitpid_result < 0) {
+    fprintf(LOGFILE, "Error waiting for container process %d - %s\n",
+        pid, strerror(errno));
+    return -1;
+  }
+  if (WIFEXITED(child_status)) {
+    exit_code = WEXITSTATUS(child_status);
+  } else if (WIFSIGNALED(child_status)) {
+    exit_code = 0x80 + WTERMSIG(child_status);
+  } else {
+    fprintf(LOGFILE, "Unable to determine exit status for pid %d\n", pid);
+  }
+  if (write_exit_code_file(exit_code_file, exit_code) < 0) {
+    return -1;
+  }
+  return exit_code;
+}
+
 /**
  * Change the real and effective user and group to abandon the super user
  * priviledges.
@@ -337,6 +417,10 @@ char *get_container_work_directory(const char *nm_root, const char *user,
                      nm_root, user, app_id, container_id);
 }
 
+char *get_exit_code_file(const char* pid_file) {
+  return concatenate("%s.exitcode", "exit_code_file", 1, pid_file);
+}
+
 char *get_container_launcher_file(const char* work_dir) {
   return concatenate("%s/%s", "container launcher", 2, work_dir, CONTAINER_SCRIPT);
 }
@@ -879,6 +963,8 @@ int launch_container_as_user(const char *user, const char *app_id,
   int exit_code = -1;
   char *script_file_dest = NULL;
   char *cred_file_dest = NULL;
+  char *exit_code_file = NULL;
+
   script_file_dest = get_container_launcher_file(work_dir);
   if (script_file_dest == NULL) {
     exit_code = OUT_OF_MEMORY;
@@ -889,6 +975,11 @@ int launch_container_as_user(const char *user, const char *app_id,
     exit_code = OUT_OF_MEMORY;
     goto cleanup;
   }
+  exit_code_file = get_exit_code_file(pid_file);
+  if (NULL == exit_code_file) {
+    exit_code = OUT_OF_MEMORY;
+    goto cleanup;
+  }
 
   // open launch script
   int container_file_source = open_file_as_nm(script_name);
@@ -902,6 +993,13 @@ int launch_container_as_user(const char *user, const char *app_id,
     goto cleanup;
   }
 
+  pid_t child_pid = fork();
+  if (child_pid != 0) {
+    // parent
+    exit_code = wait_and_write_exit_code(child_pid, exit_code_file);
+    goto cleanup;
+  }
+
   // setsid 
   pid_t pid = setsid();
   if (pid == -1) {
@@ -986,6 +1084,7 @@ int launch_container_as_user(const char *user, const char *app_id,
   exit_code = 0;
 
  cleanup:
+  free(exit_code_file);
   free(script_file_dest);
   free(cred_file_dest);
   return exit_code;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeStatusUpdater.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeStatusUpdater.java
index fecc837cfab..f2a3a4a8c0c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeStatusUpdater.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeStatusUpdater.java
@@ -201,6 +201,7 @@ public NodeHeartbeatResponse nodeHeartbeat(NodeHeartbeatRequest request)
       Dispatcher mockDispatcher = mock(Dispatcher.class);
       EventHandler mockEventHandler = mock(EventHandler.class);
       when(mockDispatcher.getEventHandler()).thenReturn(mockEventHandler);
+      NMStateStoreService stateStore = new NMNullStateStoreService();
       nodeStatus.setResponseId(heartBeatID++);
       Map<ApplicationId, List<ContainerStatus>> appToContainers =
           getAppToContainerStatusMap(nodeStatus.getContainersStatuses());
@@ -226,9 +227,8 @@ public NodeHeartbeatResponse nodeHeartbeat(NodeHeartbeatRequest request)
                 firstContainerID, InetAddress.getByName("localhost")
                     .getCanonicalHostName(), 1234, user, resource,
                 currentTime + 10000, 123, "password".getBytes(), currentTime));
-        Container container =
-            new ContainerImpl(conf, mockDispatcher, launchContext, null,
-              mockMetrics, containerToken);
+        Container container = new ContainerImpl(conf, mockDispatcher,
+            stateStore, launchContext, null, mockMetrics, containerToken);
         this.context.getContainers().put(firstContainerID, container);
       } else if (heartBeatID == 2) {
         // Checks on the RM end
@@ -257,9 +257,8 @@ public NodeHeartbeatResponse nodeHeartbeat(NodeHeartbeatRequest request)
                 secondContainerID, InetAddress.getByName("localhost")
                     .getCanonicalHostName(), 1234, user, resource,
                 currentTime + 10000, 123, "password".getBytes(), currentTime));
-        Container container =
-            new ContainerImpl(conf, mockDispatcher, launchContext, null,
-              mockMetrics, containerToken);
+        Container container = new ContainerImpl(conf, mockDispatcher,
+            stateStore, launchContext, null, mockMetrics, containerToken);
         this.context.getContainers().put(secondContainerID, container);
       } else if (heartBeatID == 3) {
         // Checks on the RM end
@@ -784,7 +783,7 @@ public void testRecentlyFinishedContainers() throws Exception {
     ContainerId cId = ContainerId.newInstance(appAttemptId, 0);               
                                                                               
                                                                               
-    nodeStatusUpdater.updateStoppedContainersInCache(cId);
+    nodeStatusUpdater.addCompletedContainer(cId);
     Assert.assertTrue(nodeStatusUpdater.isContainerRecentlyStopped(cId));     
                                                                               
     long time1 = System.currentTimeMillis();                                  
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/BaseContainerManagerTest.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/BaseContainerManagerTest.java
index fc92b36fd7e..1907e1a0c3f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/BaseContainerManagerTest.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/BaseContainerManagerTest.java
@@ -233,7 +233,7 @@ public Map<String, ByteBuffer> getAuxServiceMetaData() {
   protected DeletionService createDeletionService() {
     return new DeletionService(exec) {
       @Override
-      public void delete(String user, Path subDir, Path[] baseDirs) {
+      public void delete(String user, Path subDir, Path... baseDirs) {
         // Don't do any deletions.
         LOG.info("Psuedo delete: user - " + user + ", subDir - " + subDir
             + ", baseDirs - " + baseDirs); 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestAuxServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestAuxServices.java
index 48e028180a7..59cc947e3b5 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestAuxServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestAuxServices.java
@@ -191,7 +191,8 @@ public void testAuxEventDispatch() {
     ContainerTokenIdentifier cti = new ContainerTokenIdentifier(
         ContainerId.newInstance(attemptId, 1), "", "",
         Resource.newInstance(1, 1), 0,0,0, Priority.newInstance(0), 0);
-    Container container = new ContainerImpl(null, null, null, null, null, cti);
+    Container container = new ContainerImpl(null, null, null, null, null,
+        null, cti);
     ContainerId containerId = container.getContainerId();
     Resource resource = container.getResource();
     event = new AuxServicesEvent(AuxServicesEventType.CONTAINER_INIT,container);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestContainerManagerRecovery.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestContainerManagerRecovery.java
index 00eb2fe288b..0319664c398 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestContainerManagerRecovery.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/TestContainerManagerRecovery.java
@@ -80,6 +80,7 @@ public class TestContainerManagerRecovery {
   public void testApplicationRecovery() throws Exception {
     YarnConfiguration conf = new YarnConfiguration();
     conf.setBoolean(YarnConfiguration.NM_RECOVERY_ENABLED, true);
+    conf.set(YarnConfiguration.NM_ADDRESS, "localhost:1234");
     conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
     conf.set(YarnConfiguration.YARN_ADMIN_ACL, "yarn_admin_user");
     NMStateStoreService stateStore = new NMMemoryStateStoreService();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/TestContainer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/TestContainer.java
index e0239928221..a813e9806c8 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/TestContainer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/container/TestContainer.java
@@ -780,7 +780,8 @@ private class WrappedContainer {
       }
       when(ctxt.getServiceData()).thenReturn(serviceData);
 
-      c = new ContainerImpl(conf, dispatcher, ctxt, null, metrics, identifier);
+      c = new ContainerImpl(conf, dispatcher, new NMNullStateStoreService(),
+          ctxt, null, metrics, identifier);
       dispatcher.register(ContainerEventType.class,
           new EventHandler<ContainerEvent>() {
             @Override
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMMemoryStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMMemoryStateStoreService.java
index 5b5e1ef5bb8..d4040915ef7 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMMemoryStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/NMMemoryStateStoreService.java
@@ -22,13 +22,16 @@
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
+import org.apache.hadoop.yarn.api.records.ContainerExitStatus;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.proto.YarnProtos.LocalResourceProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.ContainerManagerApplicationProto;
@@ -40,6 +43,7 @@
 public class NMMemoryStateStoreService extends NMStateStoreService {
   private Map<ApplicationId, ContainerManagerApplicationProto> apps;
   private Set<ApplicationId> finishedApps;
+  private Map<ContainerId, RecoveredContainerState> containerStates;
   private Map<TrackerKey, TrackerState> trackerStates;
   private Map<Integer, DeletionServiceDeleteTaskProto> deleteTasks;
   private RecoveredNMTokensState nmTokenState;
@@ -53,6 +57,7 @@ public NMMemoryStateStoreService() {
   protected void initStorage(Configuration conf) {
     apps = new HashMap<ApplicationId, ContainerManagerApplicationProto>();
     finishedApps = new HashSet<ApplicationId>();
+    containerStates = new HashMap<ContainerId, RecoveredContainerState>();
     nmTokenState = new RecoveredNMTokensState();
     nmTokenState.applicationMasterKeys =
         new HashMap<ApplicationAttemptId, MasterKey>();
@@ -100,6 +105,77 @@ public void removeApplication(ApplicationId appId) throws IOException {
     finishedApps.remove(appId);
   }
 
+  @Override
+  public List<RecoveredContainerState> loadContainersState()
+      throws IOException {
+    // return a copy so caller can't modify our state
+    List<RecoveredContainerState> result =
+        new ArrayList<RecoveredContainerState>(containerStates.size());
+    for (RecoveredContainerState rcs : containerStates.values()) {
+      RecoveredContainerState rcsCopy = new RecoveredContainerState();
+      rcsCopy.status = rcs.status;
+      rcsCopy.exitCode = rcs.exitCode;
+      rcsCopy.killed = rcs.killed;
+      rcsCopy.diagnostics = rcs.diagnostics;
+      rcsCopy.startRequest = rcs.startRequest;
+      result.add(rcsCopy);
+    }
+    return new ArrayList<RecoveredContainerState>();
+  }
+
+  @Override
+  public void storeContainer(ContainerId containerId,
+      StartContainerRequest startRequest) throws IOException {
+    RecoveredContainerState rcs = new RecoveredContainerState();
+    rcs.startRequest = startRequest;
+    containerStates.put(containerId, rcs);
+  }
+
+  @Override
+  public void storeContainerDiagnostics(ContainerId containerId,
+      StringBuilder diagnostics) throws IOException {
+    RecoveredContainerState rcs = getRecoveredContainerState(containerId);
+    rcs.diagnostics = diagnostics.toString();
+  }
+
+  @Override
+  public void storeContainerLaunched(ContainerId containerId)
+      throws IOException {
+    RecoveredContainerState rcs = getRecoveredContainerState(containerId);
+    if (rcs.exitCode != ContainerExitStatus.INVALID) {
+      throw new IOException("Container already completed");
+    }
+    rcs.status = RecoveredContainerStatus.LAUNCHED;
+  }
+
+  @Override
+  public void storeContainerKilled(ContainerId containerId)
+      throws IOException {
+    RecoveredContainerState rcs = getRecoveredContainerState(containerId);
+    rcs.killed = true;
+  }
+
+  @Override
+  public void storeContainerCompleted(ContainerId containerId, int exitCode)
+      throws IOException {
+    RecoveredContainerState rcs = getRecoveredContainerState(containerId);
+    rcs.status = RecoveredContainerStatus.COMPLETED;
+    rcs.exitCode = exitCode;
+  }
+
+  @Override
+  public void removeContainer(ContainerId containerId) throws IOException {
+    containerStates.remove(containerId);
+  }
+
+  private RecoveredContainerState getRecoveredContainerState(
+      ContainerId containerId) throws IOException {
+    RecoveredContainerState rcs = containerStates.get(containerId);
+    if (rcs == null) {
+      throw new IOException("No start request for " + containerId);
+    }
+    return rcs;
+  }
 
   private LocalResourceTrackerState loadTrackerState(TrackerState ts) {
     LocalResourceTrackerState result = new LocalResourceTrackerState();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java
index 84a69069a30..d2cc36323a3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/recovery/TestNMLeveldbStateStoreService.java
@@ -25,18 +25,30 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileUtil;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.service.ServiceStateException;
+import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
+import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
+import org.apache.hadoop.yarn.api.records.ContainerExitStatus;
 import org.apache.hadoop.yarn.api.records.ContainerId;
+import org.apache.hadoop.yarn.api.records.ContainerLaunchContext;
 import org.apache.hadoop.yarn.api.records.LocalResource;
 import org.apache.hadoop.yarn.api.records.LocalResourceType;
 import org.apache.hadoop.yarn.api.records.LocalResourceVisibility;
+import org.apache.hadoop.yarn.api.records.Priority;
+import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.api.records.Token;
+import org.apache.hadoop.yarn.api.records.URL;
 import org.apache.hadoop.yarn.api.records.impl.pb.ApplicationIdPBImpl;
 import org.apache.hadoop.yarn.api.records.impl.pb.LocalResourcePBImpl;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
@@ -44,9 +56,12 @@
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.ContainerManagerApplicationProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.DeletionServiceDeleteTaskProto;
 import org.apache.hadoop.yarn.proto.YarnServerNodemanagerRecoveryProtos.LocalizedResourceProto;
+import org.apache.hadoop.yarn.security.ContainerTokenIdentifier;
 import org.apache.hadoop.yarn.server.api.records.MasterKey;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.LocalResourceTrackerState;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredApplicationsState;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredContainerState;
+import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredContainerStatus;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredContainerTokensState;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredDeletionServiceState;
 import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredLocalizationState;
@@ -192,6 +207,115 @@ public void testApplicationStorage() throws IOException {
     assertEquals(appId1, state.getFinishedApplications().get(0));
   }
 
+  @Test
+  public void testContainerStorage() throws IOException {
+    // test empty when no state
+    List<RecoveredContainerState> recoveredContainers =
+        stateStore.loadContainersState();
+    assertTrue(recoveredContainers.isEmpty());
+
+    // create a container request
+    ApplicationId appId = ApplicationId.newInstance(1234, 3);
+    ApplicationAttemptId appAttemptId =
+        ApplicationAttemptId.newInstance(appId, 4);
+    ContainerId containerId = ContainerId.newInstance(appAttemptId, 5);
+    LocalResource lrsrc = LocalResource.newInstance(
+        URL.newInstance("hdfs", "somehost", 12345, "/some/path/to/rsrc"),
+        LocalResourceType.FILE, LocalResourceVisibility.APPLICATION, 123L,
+        1234567890L);
+    Map<String, LocalResource> localResources =
+        new HashMap<String, LocalResource>();
+    localResources.put("rsrc", lrsrc);
+    Map<String, String> env = new HashMap<String, String>();
+    env.put("somevar", "someval");
+    List<String> containerCmds = new ArrayList<String>();
+    containerCmds.add("somecmd");
+    containerCmds.add("somearg");
+    Map<String, ByteBuffer> serviceData = new HashMap<String, ByteBuffer>();
+    serviceData.put("someservice",
+        ByteBuffer.wrap(new byte[] { 0x1, 0x2, 0x3 }));
+    ByteBuffer containerTokens =
+        ByteBuffer.wrap(new byte[] { 0x7, 0x8, 0x9, 0xa });
+    Map<ApplicationAccessType, String> acls =
+        new HashMap<ApplicationAccessType, String>();
+    acls.put(ApplicationAccessType.VIEW_APP, "viewuser");
+    acls.put(ApplicationAccessType.MODIFY_APP, "moduser");
+    ContainerLaunchContext clc = ContainerLaunchContext.newInstance(
+        localResources, env, containerCmds, serviceData, containerTokens,
+        acls);
+    Resource containerRsrc = Resource.newInstance(1357, 3);
+    ContainerTokenIdentifier containerTokenId =
+        new ContainerTokenIdentifier(containerId, "host", "user",
+            containerRsrc, 9876543210L, 42, 2468, Priority.newInstance(7),
+            13579);
+    Token containerToken = Token.newInstance(containerTokenId.getBytes(),
+        ContainerTokenIdentifier.KIND.toString(), "password".getBytes(),
+        "tokenservice");
+    StartContainerRequest containerReq =
+        StartContainerRequest.newInstance(clc, containerToken);
+
+    // store a container and verify recovered
+    stateStore.storeContainer(containerId, containerReq);
+    restartStateStore();
+    recoveredContainers = stateStore.loadContainersState();
+    assertEquals(1, recoveredContainers.size());
+    RecoveredContainerState rcs = recoveredContainers.get(0);
+    assertEquals(RecoveredContainerStatus.REQUESTED, rcs.getStatus());
+    assertEquals(ContainerExitStatus.INVALID, rcs.getExitCode());
+    assertEquals(false, rcs.getKilled());
+    assertEquals(containerReq, rcs.getStartRequest());
+    assertTrue(rcs.getDiagnostics().isEmpty());
+
+    // launch the container, add some diagnostics, and verify recovered
+    StringBuilder diags = new StringBuilder();
+    stateStore.storeContainerLaunched(containerId);
+    diags.append("some diags for container");
+    stateStore.storeContainerDiagnostics(containerId, diags);
+    restartStateStore();
+    recoveredContainers = stateStore.loadContainersState();
+    assertEquals(1, recoveredContainers.size());
+    rcs = recoveredContainers.get(0);
+    assertEquals(RecoveredContainerStatus.LAUNCHED, rcs.getStatus());
+    assertEquals(ContainerExitStatus.INVALID, rcs.getExitCode());
+    assertEquals(false, rcs.getKilled());
+    assertEquals(containerReq, rcs.getStartRequest());
+    assertEquals(diags.toString(), rcs.getDiagnostics());
+
+    // mark the container killed, add some more diags, and verify recovered
+    diags.append("some more diags for container");
+    stateStore.storeContainerDiagnostics(containerId, diags);
+    stateStore.storeContainerKilled(containerId);
+    restartStateStore();
+    recoveredContainers = stateStore.loadContainersState();
+    assertEquals(1, recoveredContainers.size());
+    rcs = recoveredContainers.get(0);
+    assertEquals(RecoveredContainerStatus.LAUNCHED, rcs.getStatus());
+    assertEquals(ContainerExitStatus.INVALID, rcs.getExitCode());
+    assertTrue(rcs.getKilled());
+    assertEquals(containerReq, rcs.getStartRequest());
+    assertEquals(diags.toString(), rcs.getDiagnostics());
+
+    // add yet more diags, mark container completed, and verify recovered
+    diags.append("some final diags");
+    stateStore.storeContainerDiagnostics(containerId, diags);
+    stateStore.storeContainerCompleted(containerId, 21);
+    restartStateStore();
+    recoveredContainers = stateStore.loadContainersState();
+    assertEquals(1, recoveredContainers.size());
+    rcs = recoveredContainers.get(0);
+    assertEquals(RecoveredContainerStatus.COMPLETED, rcs.getStatus());
+    assertEquals(21, rcs.getExitCode());
+    assertTrue(rcs.getKilled());
+    assertEquals(containerReq, rcs.getStartRequest());
+    assertEquals(diags.toString(), rcs.getDiagnostics());
+
+    // remove the container and verify not recovered
+    stateStore.removeContainer(containerId);
+    restartStateStore();
+    recoveredContainers = stateStore.loadContainersState();
+    assertTrue(recoveredContainers.isEmpty());
+  }
+
   @Test
   public void testStartResourceLocalization() throws IOException {
     String user = "somebody";
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServer.java
index 4d6ac7788d5..a7006e0fb5d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServer.java
@@ -209,7 +209,7 @@ public boolean isPmemCheckEnabled() {
             BuilderUtils.newResource(1024, 1), currentTime + 10000L, 123,
             "password".getBytes(), currentTime);
       Container container =
-          new ContainerImpl(conf, dispatcher, launchContext,
+          new ContainerImpl(conf, dispatcher, stateStore, launchContext,
             null, metrics,
             BuilderUtils.newContainerTokenIdentifier(containerToken)) {
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java
index cf81d727138..9ead898db40 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java
@@ -93,9 +93,9 @@ public class RMNodeImpl implements RMNode, EventHandler<RMNodeEvent> {
   private final RMContext context;
   private final String hostName;
   private final int commandPort;
-  private final int httpPort;
+  private int httpPort;
   private final String nodeAddress; // The containerManager address
-  private final String httpAddress;
+  private String httpAddress;
   private volatile ResourceOption resourceOption;
   private final Node node;
 
@@ -521,37 +521,15 @@ public static class ReconnectNodeTransition implements
 
     @Override
     public void transition(RMNodeImpl rmNode, RMNodeEvent event) {
-      // Kill containers since node is rejoining.
-      rmNode.nodeUpdateQueue.clear();
-      rmNode.context.getDispatcher().getEventHandler().handle(
-          new NodeRemovedSchedulerEvent(rmNode));
-
       RMNodeReconnectEvent reconnectEvent = (RMNodeReconnectEvent) event;
       RMNode newNode = reconnectEvent.getReconnectedNode();
       rmNode.nodeManagerVersion = newNode.getNodeManagerVersion();
-      if (rmNode.getTotalCapability().equals(newNode.getTotalCapability())
-          && rmNode.getHttpPort() == newNode.getHttpPort()) {
-        // Reset heartbeat ID since node just restarted.
-        rmNode.getLastNodeHeartBeatResponse().setResponseId(0);
-        if (rmNode.getState() != NodeState.UNHEALTHY) {
-          // Only add new node if old state is not UNHEALTHY
-          rmNode.context.getDispatcher().getEventHandler().handle(
-              new NodeAddedSchedulerEvent(rmNode));
-        }
-      } else {
-        // Reconnected node differs, so replace old node and start new node
-        switch (rmNode.getState()) {
-        case RUNNING:
-          ClusterMetrics.getMetrics().decrNumActiveNodes();
-          break;
-        case UNHEALTHY:
-          ClusterMetrics.getMetrics().decrNumUnhealthyNMs();
-          break;
-        }
-        rmNode.context.getRMNodes().put(newNode.getNodeID(), newNode);
-        rmNode.context.getDispatcher().getEventHandler().handle(
-            new RMNodeStartedEvent(newNode.getNodeID(), null, null));
-      }
+      rmNode.httpPort = newNode.getHttpPort();
+      rmNode.httpAddress = newNode.getHttpAddress();
+      rmNode.resourceOption = newNode.getResourceOption();
+
+      // Reset heartbeat ID since node just restarted.
+      rmNode.getLastNodeHeartBeatResponse().setResponseId(0);
 
       if (null != reconnectEvent.getRunningApplications()) {
         for (ApplicationId appId : reconnectEvent.getRunningApplications()) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
index 572a9f92e40..d3df93fcc6e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
@@ -153,14 +153,17 @@ public static void normalizeRequest(
    * @param rmNode RMNode with new resource view
    * @param clusterResource the cluster's resource that need to update
    * @param log Scheduler's log for resource change
+   * @return true if the resources have changed
    */
-  public static void updateResourceIfChanged(SchedulerNode node, 
+  public static boolean updateResourceIfChanged(SchedulerNode node,
       RMNode rmNode, Resource clusterResource, Log log) {
+    boolean result = false;
     Resource oldAvailableResource = node.getAvailableResource();
     Resource newAvailableResource = Resources.subtract(
         rmNode.getTotalCapability(), node.getUsedResource());
     
     if (!newAvailableResource.equals(oldAvailableResource)) {
+      result = true;
       Resource deltaResource = Resources.subtract(newAvailableResource,
           oldAvailableResource);
       // Reflect resource change to scheduler node.
@@ -176,6 +179,8 @@ public static void updateResourceIfChanged(SchedulerNode node,
           + " with delta: CPU: " + deltaResource.getMemory() + "core, Memory: "
           + deltaResource.getMemory() +"MB");
     }
+
+    return result;
   }
 
   /**
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
index 26812388aaf..65ff81c0216 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
@@ -783,7 +783,10 @@ private synchronized void nodeUpdate(RMNode nm) {
     FiCaSchedulerNode node = getNode(nm.getNodeID());
     
     // Update resource if any change
-    SchedulerUtils.updateResourceIfChanged(node, nm, clusterResource, LOG);
+    if (SchedulerUtils.updateResourceIfChanged(node, nm, clusterResource,
+        LOG)) {
+      root.updateClusterResource(clusterResource);
+    }
     
     List<UpdatedContainerInfo> containerInfoList = nm.pullContainerUpdates();
     List<ContainerStatus> newlyLaunchedContainers = new ArrayList<ContainerStatus>();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestResourceTrackerService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestResourceTrackerService.java
index 4360aefb066..48276205bf9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestResourceTrackerService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestResourceTrackerService.java
@@ -595,7 +595,7 @@ protected Dispatcher createDispatcher() {
     // reconnect of node with changed capability
     nm1 = rm.registerNode("host2:5678", 10240);
     dispatcher.await();
-    response = nm2.nodeHeartbeat(true);
+    response = nm1.nodeHeartbeat(true);
     dispatcher.await();
     Assert.assertTrue(NodeAction.NORMAL.equals(response.getNodeAction()));
     Assert.assertEquals(5120 + 10240, metrics.getAvailableMB());

From acc3d73a450f8bb959c4919d535e6317ba876c30 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Tue, 12 Aug 2014 16:50:18 +0000
Subject: [PATCH 188/354] HDFS-6839. Fix TestCLI to expect new output. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1617526 13f79535-47bb-0310-9956-ffa450edef68
---
 .../src/test/resources/testConf.xml            | 18 +++++++++++++++++-
 .../hadoop-hdfs/CHANGES-fs-encryption.txt      |  2 ++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/src/test/resources/testConf.xml b/hadoop-common-project/hadoop-common/src/test/resources/testConf.xml
index a91f0416d67..827ecb30031 100644
--- a/hadoop-common-project/hadoop-common/src/test/resources/testConf.xml
+++ b/hadoop-common-project/hadoop-common/src/test/resources/testConf.xml
@@ -320,7 +320,23 @@
         </comparator>
         <comparator>
           <type>RegexpComparator</type>
-          <expected-output>^\s*permission. Passing -f overwrites the destination if it already exists.( )*</expected-output>
+          <expected-output>^( |\t)*permission. Passing -f overwrites the destination if it already exists. raw( )*</expected-output>
+        </comparator>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>^( |\t)*namespace extended attributes are preserved if \(1\) they are supported \(HDFS( )*</expected-output>
+        </comparator>
+        <comparator>
+            <type>RegexpComparator</type>
+            <expected-output>^( |\t)*only\) and, \(2\) all of the source and target pathnames are in the \/\.reserved\/raw( )*</expected-output>
+        </comparator>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>^( |\t)*hierarchy. raw namespace xattr preservation is determined solely by the presence( )*</expected-output>
+        </comparator>
+        <comparator>
+            <type>RegexpComparator</type>
+            <expected-output>^\s*\(or absence\) of the \/\.reserved\/raw prefix and not by the -p option.( )*</expected-output>
         </comparator>
       </comparators>
     </test>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index 96ac01fda30..e37732606de 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -95,3 +95,5 @@ fs-encryption (Unreleased)
     as boolean. (umamahesh)
 
     HDFS-6817. Fix findbugs and other warnings. (yliu)
+
+    HDFS-6839. Fix TestCLI to expect new output. (clamb)

From 0a2ee2fd53b4759e9041af8620717127a7e81fc3 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 12 Aug 2014 17:46:31 +0000
Subject: [PATCH 189/354] HADOOP-10820. Throw an exception in
 GenericOptionsParser when passed an empty Path. Contributed by Alex Holmes
 and Zhihai Xu.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617542 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  3 +
 .../hadoop/util/GenericOptionsParser.java     |  6 ++
 .../hadoop/util/TestGenericOptionsParser.java | 66 +++++++++++++++++++
 3 files changed, 75 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index c29934be445..08c981e1e58 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -502,6 +502,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10835. Implement HTTP proxyuser support in HTTP authentication 
     client/server libraries. (tucu)
 
+    HADOOP-10820. Throw an exception in GenericOptionsParser when passed
+    an empty Path. (Alex Holmes and Zhihai Xu via wang)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/GenericOptionsParser.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/GenericOptionsParser.java
index cb6f91c7c67..18acbf109a2 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/GenericOptionsParser.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/GenericOptionsParser.java
@@ -378,9 +378,15 @@ private String validateFiles(String files, Configuration conf)
     if (files == null) 
       return null;
     String[] fileArr = files.split(",");
+    if (fileArr.length == 0) {
+      throw new IllegalArgumentException("File name can't be empty string");
+    }
     String[] finalArr = new String[fileArr.length];
     for (int i =0; i < fileArr.length; i++) {
       String tmp = fileArr[i];
+      if (tmp.isEmpty()) {
+        throw new IllegalArgumentException("File name can't be empty string");
+      }
       String finalPath;
       URI pathURI;
       try {
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestGenericOptionsParser.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestGenericOptionsParser.java
index 48a419b3a52..779318acc8e 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestGenericOptionsParser.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestGenericOptionsParser.java
@@ -21,11 +21,14 @@
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URI;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Map;
 
 import junit.framework.TestCase;
 
+import org.apache.commons.math3.util.Pair;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
@@ -34,12 +37,14 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
+import org.apache.hadoop.test.GenericTestUtils;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.OptionBuilder;
 import org.apache.commons.cli.Options;
 import org.junit.Assert;
 
 import com.google.common.collect.Maps;
+import static org.junit.Assert.fail;
 
 public class TestGenericOptionsParser extends TestCase {
   File testDir;
@@ -92,6 +97,67 @@ public void testFilesOption() throws Exception {
     assertNull("files is not null", files);
   }
 
+  /**
+   * Test the case where the libjars, files and archives arguments
+   * contains an empty token, which should create an IllegalArgumentException.
+   */
+  public void testEmptyFilenames() throws Exception {
+    List<Pair<String, String>> argsAndConfNames = new ArrayList<Pair<String, String>>();
+    argsAndConfNames.add(new Pair<String, String>("-libjars", "tmpjars"));
+    argsAndConfNames.add(new Pair<String, String>("-files", "tmpfiles"));
+    argsAndConfNames.add(new Pair<String, String>("-archives", "tmparchives"));
+    for (Pair<String, String> argAndConfName : argsAndConfNames) {
+      String arg = argAndConfName.getFirst();
+      String configName = argAndConfName.getSecond();
+
+      File tmpFileOne = new File(testDir, "tmpfile1");
+      Path tmpPathOne = new Path(tmpFileOne.toString());
+      File tmpFileTwo = new File(testDir, "tmpfile2");
+      Path tmpPathTwo = new Path(tmpFileTwo.toString());
+      localFs.create(tmpPathOne);
+      localFs.create(tmpPathTwo);
+      String[] args = new String[2];
+      args[0] = arg;
+      // create an empty path in between two valid files,
+      // which prior to HADOOP-10820 used to result in the
+      // working directory being added to "tmpjars" (or equivalent)
+      args[1] = String.format("%s,,%s",
+          tmpFileOne.toURI().toString(), tmpFileTwo.toURI().toString());
+      try {
+        new GenericOptionsParser(conf, args);
+        fail("Expected exception for empty filename");
+      } catch (IllegalArgumentException e) {
+        // expect to receive an IllegalArgumentException
+        GenericTestUtils.assertExceptionContains("File name can't be"
+            + " empty string", e);
+      }
+
+      // test zero file list length - it should create an exception
+      args[1] = ",,";
+      try {
+        new GenericOptionsParser(conf, args);
+        fail("Expected exception for zero file list length");
+      } catch (IllegalArgumentException e) {
+        // expect to receive an IllegalArgumentException
+        GenericTestUtils.assertExceptionContains("File name can't be"
+            + " empty string", e);
+      }
+
+      // test filename with space character
+      // it should create exception from parser in URI class
+      // due to URI syntax error
+      args[1] = String.format("%s, ,%s",
+          tmpFileOne.toURI().toString(), tmpFileTwo.toURI().toString());
+      try {
+        new GenericOptionsParser(conf, args);
+        fail("Expected exception for filename with space character");
+      } catch (IllegalArgumentException e) {
+        // expect to receive an IllegalArgumentException
+        GenericTestUtils.assertExceptionContains("URISyntaxException", e);
+      }
+    }
+  }
+
   /**
    * Test that options passed to the constructor are used.
    */

From 0c9b8f2d7ffa3e7c36bc317ff3facb992f7a154c Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Tue, 12 Aug 2014 18:29:42 +0000
Subject: [PATCH 190/354] YARN-2373. Changed WebAppUtils to use
 Configuration#getPassword for accessing SSL passwords. Contributed by Larry
 McCay

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617555 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../hadoop/yarn/webapp/util/WebAppUtils.java  |  51 +++++-
 .../yarn/webapp/util/TestWebAppUtils.java     | 148 ++++++++++++++++++
 3 files changed, 197 insertions(+), 5 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/util/TestWebAppUtils.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index f583143f060..c50e9eae313 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -116,6 +116,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2138. Cleaned up notifyDone* APIs in RMStateStore. (Varun Saxena via
     jianhe)
 
+    YARN-2373. Changed WebAppUtils to use Configuration#getPassword for
+    accessing SSL passwords. (Larry McCay via jianhe)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/util/WebAppUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/util/WebAppUtils.java
index 6cbe6f94d6f..a8f67ff569f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/util/WebAppUtils.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/util/WebAppUtils.java
@@ -19,12 +19,12 @@
 
 import static org.apache.hadoop.yarn.util.StringHelper.PATH_JOINER;
 
+import java.io.IOException;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.UnknownHostException;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Map;
 
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceStability.Evolving;
@@ -40,6 +40,12 @@
 @Private
 @Evolving
 public class WebAppUtils {
+  public static final String WEB_APP_TRUSTSTORE_PASSWORD_KEY =
+      "ssl.server.truststore.password";
+  public static final String WEB_APP_KEYSTORE_PASSWORD_KEY =
+      "ssl.server.keystore.password";
+  public static final String WEB_APP_KEY_PASSWORD_KEY =
+      "ssl.server.keystore.keypassword";
   public static final String HTTPS_PREFIX = "https://";
   public static final String HTTP_PREFIX = "http://";
 
@@ -274,21 +280,56 @@ public static String getHttpSchemePrefix(Configuration conf) {
 
   /**
    * Load the SSL keystore / truststore into the HttpServer builder.
+   * @param builder the HttpServer2.Builder to populate with ssl config
    */
   public static HttpServer2.Builder loadSslConfiguration(
       HttpServer2.Builder builder) {
-    Configuration sslConf = new Configuration(false);
+    return loadSslConfiguration(builder, null);
+  }
+
+  /**
+   * Load the SSL keystore / truststore into the HttpServer builder.
+   * @param builder the HttpServer2.Builder to populate with ssl config
+   * @param sslConf the Configuration instance to use during loading of SSL conf
+   */
+  public static HttpServer2.Builder loadSslConfiguration(
+      HttpServer2.Builder builder, Configuration sslConf) {
+    if (sslConf == null) {
+      sslConf = new Configuration(false);
+    }
     boolean needsClientAuth = YarnConfiguration.YARN_SSL_CLIENT_HTTPS_NEED_AUTH_DEFAULT;
     sslConf.addResource(YarnConfiguration.YARN_SSL_SERVER_RESOURCE_DEFAULT);
 
     return builder
         .needsClientAuth(needsClientAuth)
-        .keyPassword(sslConf.get("ssl.server.keystore.keypassword"))
+        .keyPassword(getPassword(sslConf, WEB_APP_KEY_PASSWORD_KEY))
         .keyStore(sslConf.get("ssl.server.keystore.location"),
-            sslConf.get("ssl.server.keystore.password"),
+            getPassword(sslConf, WEB_APP_KEYSTORE_PASSWORD_KEY),
             sslConf.get("ssl.server.keystore.type", "jks"))
         .trustStore(sslConf.get("ssl.server.truststore.location"),
-            sslConf.get("ssl.server.truststore.password"),
+            getPassword(sslConf, WEB_APP_TRUSTSTORE_PASSWORD_KEY),
             sslConf.get("ssl.server.truststore.type", "jks"));
   }
+
+  /**
+   * Leverages the Configuration.getPassword method to attempt to get
+   * passwords from the CredentialProvider API before falling back to
+   * clear text in config - if falling back is allowed.
+   * @param conf Configuration instance
+   * @param alias name of the credential to retreive
+   * @return String credential value or null
+   */
+  static String getPassword(Configuration conf, String alias) {
+    String password = null;
+    try {
+      char[] passchars = conf.getPassword(alias);
+      if (passchars != null) {
+        password = new String(passchars);
+      }
+    }
+    catch (IOException ioe) {
+      password = null;
+    }
+    return password;
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/util/TestWebAppUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/util/TestWebAppUtils.java
new file mode 100644
index 00000000000..18600fdea68
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/util/TestWebAppUtils.java
@@ -0,0 +1,148 @@
+/**
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements.  See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership.  The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License.  You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package org.apache.hadoop.yarn.webapp.util;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+
+import java.io.File;
+import java.io.IOException;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.http.HttpServer2;
+import org.apache.hadoop.http.HttpServer2.Builder;
+import org.apache.hadoop.security.alias.CredentialProvider;
+import org.apache.hadoop.security.alias.CredentialProviderFactory;
+import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestWebAppUtils {
+
+  @Test
+  public void testGetPassword() throws Exception {
+    Configuration conf = provisionCredentialsForSSL();
+
+    // use WebAppUtils as would be used by loadSslConfiguration
+    Assert.assertEquals("keypass",
+        WebAppUtils.getPassword(conf, WebAppUtils.WEB_APP_KEY_PASSWORD_KEY));
+    Assert.assertEquals("storepass",
+        WebAppUtils.getPassword(conf, WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY));
+    Assert.assertEquals("trustpass",
+        WebAppUtils.getPassword(conf, WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY));
+
+    // let's make sure that a password that doesn't exist returns null
+    Assert.assertEquals(null, WebAppUtils.getPassword(conf,"invalid-alias"));
+  }
+
+  @Test
+  public void testLoadSslConfiguration() throws Exception {
+    Configuration conf = provisionCredentialsForSSL();
+    TestBuilder builder = (TestBuilder) new TestBuilder();
+
+    builder = (TestBuilder) WebAppUtils.loadSslConfiguration(
+        builder, conf);
+
+    String keypass = "keypass";
+    String storepass = "storepass";
+    String trustpass = "trustpass";    
+
+    // make sure we get the right passwords in the builder
+    assertEquals(keypass, ((TestBuilder)builder).keypass);
+    assertEquals(storepass, ((TestBuilder)builder).keystorePassword);
+    assertEquals(trustpass, ((TestBuilder)builder).truststorePassword);
+  }
+
+  protected Configuration provisionCredentialsForSSL() throws IOException,
+      Exception {
+    File testDir = new File(System.getProperty("test.build.data",
+        "target/test-dir"));
+
+    Configuration conf = new Configuration();
+    final String ourUrl =
+    JavaKeyStoreProvider.SCHEME_NAME + "://file/" + testDir + "/test.jks";
+
+    File file = new File(testDir, "test.jks");
+    file.delete();
+    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
+
+    CredentialProvider provider =
+        CredentialProviderFactory.getProviders(conf).get(0);
+    char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
+    char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
+    char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'};
+
+    // ensure that we get nulls when the key isn't there
+    assertEquals(null, provider.getCredentialEntry(
+        WebAppUtils.WEB_APP_KEY_PASSWORD_KEY));
+    assertEquals(null, provider.getCredentialEntry(
+        WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY));
+    assertEquals(null, provider.getCredentialEntry(
+        WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY));
+
+    // create new aliases
+    try {
+      provider.createCredentialEntry(
+          WebAppUtils.WEB_APP_KEY_PASSWORD_KEY, keypass);
+
+      provider.createCredentialEntry(
+          WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY, storepass);
+
+      provider.createCredentialEntry(
+          WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY, trustpass);
+
+      // write out so that it can be found in checks
+      provider.flush();
+    } catch (Exception e) {
+      e.printStackTrace();
+      throw e;
+    }
+    // make sure we get back the right key directly from api
+    assertArrayEquals(keypass, provider.getCredentialEntry(
+        WebAppUtils.WEB_APP_KEY_PASSWORD_KEY).getCredential());
+    assertArrayEquals(storepass, provider.getCredentialEntry(
+        WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY).getCredential());
+    assertArrayEquals(trustpass, provider.getCredentialEntry(
+        WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY).getCredential());
+    return conf;
+  }
+
+  public class TestBuilder extends HttpServer2.Builder {
+    public String keypass;
+    public String keystorePassword;
+    public String truststorePassword;
+
+    @Override
+    public Builder trustStore(String location, String password, String type) {
+      truststorePassword = password;
+      return super.trustStore(location, password, type);
+    }
+
+    @Override
+    public Builder keyStore(String location, String password, String type) {
+      keystorePassword = password;
+      return super.keyStore(location, password, type);
+    }
+
+    @Override
+    public Builder keyPassword(String password) {
+      keypass = password;
+      return super.keyPassword(password);
+    }
+  }
+}

From 7ad7ab1723e246c0959b5bdf28d1b0f7dcd8a9bc Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Tue, 12 Aug 2014 21:37:34 +0000
Subject: [PATCH 191/354] YARN-2317. Updated the document about how to write
 YARN applications. Contributed by Li Lu.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617594 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |    3 +
 .../site/apt/WritingYarnApplications.apt.vm   | 1317 ++++++++---------
 2 files changed, 644 insertions(+), 676 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index c50e9eae313..af0f9b56e32 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -119,6 +119,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2373. Changed WebAppUtils to use Configuration#getPassword for
     accessing SSL passwords. (Larry McCay via jianhe)
 
+    YARN-2317. Updated the document about how to write YARN applications. (Li Lu via
+    zjshen)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/WritingYarnApplications.apt.vm b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/WritingYarnApplications.apt.vm
index 12e4c3ff334..57a47fda59d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/WritingYarnApplications.apt.vm
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/WritingYarnApplications.apt.vm
@@ -11,8 +11,8 @@
 ~~ limitations under the License. See accompanying LICENSE file.
 
   ---
-  Hadoop Map Reduce Next Generation-${project.version} - Writing YARN 
-  Applications 
+  Hadoop Map Reduce Next Generation-${project.version} - Writing YARN
+  Applications
   ---
   ---
   ${maven.build.timestamp}
@@ -21,772 +21,737 @@ Hadoop MapReduce Next Generation - Writing YARN Applications
 
 %{toc|section=1|fromDepth=0}
 
-* Purpose 
+* Purpose
 
-  This document describes, at a high-level, the way to implement new 
+  This document describes, at a high-level, the way to implement new
   Applications for YARN.
 
 * Concepts and Flow
 
-  The general concept is that an 'Application Submission Client' submits an 
-  'Application' to the YARN Resource Manager. The client communicates with the 
-  ResourceManager using the 'ApplicationClientProtocol' to first acquire a new 
-  'ApplicationId' if needed via ApplicationClientProtocol#getNewApplication and then 
-  submit the 'Application' to be run via ApplicationClientProtocol#submitApplication. As 
-  part of the ApplicationClientProtocol#submitApplication call, the client needs to 
-  provide sufficient information to the ResourceManager to 'launch' the 
-  application's first container i.e. the ApplicationMaster. 
-  You need to provide information such as the details about the local 
-  files/jars that need to be available for your application to run, the actual 
-  command that needs to be executed (with the necessary command line arguments), 
-  any Unix environment settings (optional), etc. Effectively, you need to 
-  describe the Unix process(es) that needs to be launched for your 
-  ApplicationMaster. 
+  The general concept is that an <application submission client> submits an
+  <application> to the YARN <ResourceManager> (RM). This can be done through
+  setting up a <<<YarnClient>>> object. After <<<YarnClient>>> is started, the
+  client can then set up application context, prepare the very first container of
+  the application that contains the <ApplicationMaster> (AM), and then submit
+  the application. You need to provide information such as the details about the
+  local files/jars that need to be available for your application to run, the
+  actual command that needs to be executed (with the necessary command line
+  arguments), any OS environment settings (optional), etc. Effectively, you
+  need to describe the Unix process(es) that needs to be launched for your
+  ApplicationMaster.
 
-  The YARN ResourceManager will then launch the ApplicationMaster (as specified) 
-  on an allocated container. The ApplicationMaster is then expected to 
-  communicate with the ResourceManager using the 'ApplicationMasterProtocol'. Firstly, the 
-  ApplicationMaster needs to register itself with the ResourceManager. To 
-  complete the task assigned to it, the ApplicationMaster can then request for 
-  and receive containers via ApplicationMasterProtocol#allocate. After a container is 
-  allocated to it, the ApplicationMaster communicates with the NodeManager using 
-  ContainerManager#startContainer to launch the container for its task. As part 
-  of launching this container, the ApplicationMaster has to specify the 
-  ContainerLaunchContext which, similar to the ApplicationSubmissionContext, 
-  has the launch information such as command line specification, environment, 
-  etc. Once the task is completed, the ApplicationMaster has to signal the 
-  ResourceManager of its completion via the ApplicationMasterProtocol#finishApplicationMaster. 
+  The YARN ResourceManager will then launch the ApplicationMaster (as
+  specified) on an allocated container. The ApplicationMaster communicates with
+  YARN cluster, and handles application execution. It performs operations in an
+  asynchronous fashion. During application launch time, the main tasks of the
+  ApplicationMaster are: a) communicating with the ResourceManager to negotiate
+  and allocate resources for future containers, and b) after container
+  allocation, communicating YARN <NodeManager>s (NMs) to launch application
+  containers on them. Task a) can be performed asynchronously through an
+  <<<AMRMClientAsync>>> object, with event handling methods specified in a
+  <<<AMRMClientAsync.CallbackHandler>>> type of event handler. The event handler
+  needs to be set to the client explicitly. Task b) can be performed by launching
+  a runnable object that then launches containers when there are containers
+  allocated. As part of launching this container, the AM has to
+  specify the <<<ContainerLaunchContext>>> that has the launch information such as
+  command line specification, environment, etc.
 
-  Meanwhile, the client can monitor the application's status by querying the 
-  ResourceManager or by directly querying the ApplicationMaster if it supports 
-  such a service. If needed, it can also kill the application via 
-  ApplicationClientProtocol#forceKillApplication.  
+  During the execution of an application, the ApplicationMaster communicates
+  NodeManagers through <<<NMClientAsync>>> object. All container events are
+  handled by <<<NMClientAsync.CallbackHandler>>>, associated with
+  <<<NMClientAsync>>>. A typical callback handler handles client start, stop,
+  status update and error. ApplicationMaster also reports execution progress to
+  ResourceManager by handling the <<<getProgress()>>> method of
+  <<<AMRMClientAsync.CallbackHandler>>>.
+  
+  Other than asynchronous clients, there are synchronous versions for certain
+  workflows (<<<AMRMClient>>> and <<<NMClient>>>). The asynchronous clients are
+  recommended because of (subjectively) simpler usages, and this article
+  will mainly cover the asynchronous clients. Please refer to <<<AMRMClient>>>
+  and <<<NMClient>>> for more information on synchronous clients.
 
-* Interfaces 
+* Interfaces
 
   The interfaces you'd most like be concerned with are:
 
-  * ApplicationClientProtocol - Client\<--\>ResourceManager\
-    The protocol for a client that wishes to communicate with the 
-    ResourceManager to launch a new application (i.e. the ApplicationMaster), 
-    check on the status of the application or kill the application. For example, 
-    a job-client (a job launching program from the gateway) would use this 
-    protocol. 
+  * <<Client>>\<--\><<ResourceManager>>\
+    By using <<<YarnClient>>> objects.
+
+  * <<ApplicationMaster>>\<--\><<ResourceManager>>\
+    By using <<<AMRMClientAsync>>> objects, handling events asynchronously by
+    <<<AMRMClientAsync.CallbackHandler>>>
+
+  * <<ApplicationMaster>>\<--\><<NodeManager>>\
+    Launch containers. Communicate with NodeManagers
+    by using <<<NMClientAsync>>> objects, handling container events by
+    <<<NMClientAsync.CallbackHandler>>>
+
+  []
+
+  <<Note>>
   
-  * ApplicationMasterProtocol - ApplicationMaster\<--\>ResourceManager\
-    The protocol used by the ApplicationMaster to register/unregister itself 
-    to/from the ResourceManager as well as to request for resources from the 
-    Scheduler to complete its tasks. 
+    * The three main protocols for YARN application (ApplicationClientProtocol,
+      ApplicationMasterProtocol and ContainerManagementProtocol) are still
+      preserved. The 3 clients wrap these 3 protocols to provide simpler
+      programming model for YARN applications.
     
-  * ContainerManager - ApplicationMaster\<--\>NodeManager\
-    The protocol used by the ApplicationMaster to talk to the NodeManager to 
-    start/stop containers and get status updates on the containers if needed. 
+    * Under very rare circumstances, programmer may want to directly use the 3
+      protocols to implement an application. However, note that <such behaviors
+      are no longer encouraged for general use cases>.
+
+    []
 
 * Writing a Simple Yarn Application
 
 ** Writing a simple Client
 
-  * The first step that a client needs to do is to connect to the 
-    ResourceManager or to be more specific, the ApplicationsManager (AsM) 
-    interface of the ResourceManager. 
+  * The first step that a client needs to do is to initialize and start a
+    YarnClient.
 
 +---+
-    ApplicationClientProtocol applicationsManager; 
-    YarnConfiguration yarnConf = new YarnConfiguration(conf);
-    InetSocketAddress rmAddress = 
-        NetUtils.createSocketAddr(yarnConf.get(
-            YarnConfiguration.RM_ADDRESS,
-            YarnConfiguration.DEFAULT_RM_ADDRESS));		
-    LOG.info("Connecting to ResourceManager at " + rmAddress);
-    configuration appsManagerServerConf = new Configuration(conf);
-    appsManagerServerConf.setClass(
-        YarnConfiguration.YARN_SECURITY_INFO,
-        ClientRMSecurityInfo.class, SecurityInfo.class);
-    applicationsManager = ((ApplicationClientProtocol) rpc.getProxy(
-        ApplicationClientProtocol.class, rmAddress, appsManagerServerConf));    
+  YarnClient yarnClient = YarnClient.createYarnClient();
+  yarnClient.init(conf);
+  yarnClient.start();
 +---+
 
-  * Once a handle is obtained to the ASM, the client needs to request the 
-    ResourceManager for a new ApplicationId. 
+  * Once a client is set up, the client needs to create an application, and get
+    its application id.
 
 +---+
-    GetNewApplicationRequest request = 
-        Records.newRecord(GetNewApplicationRequest.class);		
-    GetNewApplicationResponse response = 
-        applicationsManager.getNewApplication(request);
-    LOG.info("Got new ApplicationId=" + response.getApplicationId());
+  YarnClientApplication app = yarnClient.createApplication();
+  GetNewApplicationResponse appResponse = app.getNewApplicationResponse();
 +---+
 
-  * The response from the ASM for a new application also contains information 
-    about the cluster such as the minimum/maximum resource capabilities of the 
-    cluster. This is required so that to ensure that you can correctly set the 
-    specifications of the container in which the ApplicationMaster would be 
-    launched. Please refer to GetNewApplicationResponse for more details. 
+  * The response from the <<<YarnClientApplication>>> for a new application also
+    contains information about the cluster such as the minimum/maximum resource
+    capabilities of the cluster. This is required so that to ensure that you can
+    correctly set the specifications of the container in which the
+    ApplicationMaster would be launched. Please refer to
+    <<<GetNewApplicationResponse>>> for more details.
 
-  * The main crux of a client is to setup the ApplicationSubmissionContext 
-    which defines all the information needed by the ResourceManager to launch 
-    the ApplicationMaster. A client needs to set the following into the context: 
-    
-    * Application Info: id, name
+  * The main crux of a client is to setup the <<<ApplicationSubmissionContext>>>
+    which defines all the information needed by the RM to launch the AM. A client
+    needs to set the following into the context:
 
-    * Queue, Priority info: Queue to which the application will be submitted, 
-      the priority to be assigned for the application. 
+    * Application info: id, name
 
-    * User: The user submitting the application 
+    * Queue, priority info: Queue to which the application will be submitted,
+      the priority to be assigned for the application.
 
-    * ContainerLaunchContext: The information defining the container in which 
-      the ApplicationMaster will be launched and run. The 
-      ContainerLaunchContext, as mentioned previously, defines all the required
-      information needed to run the ApplicationMaster such as the local 
-      resources (binaries, jars, files etc.), security tokens, environment 
-      settings (CLASSPATH etc.) and the command to be executed. 
-       
-    []   
+    * User: The user submitting the application
+
+    * <<<ContainerLaunchContext>>>: The information defining the container in
+      which the AM will be launched and run. The <<<ContainerLaunchContext>>>, as
+      mentioned previously, defines all the required information needed to run
+      the application such as the local <<R>>esources (binaries, jars, files
+      etc.), <<E>>nvironment settings (CLASSPATH etc.), the <<C>>ommand to be
+      executed and security <<T>>okens (<RECT>).
+
+    []
 
 +---+
-    // Create a new ApplicationSubmissionContext
-    ApplicationSubmissionContext appContext = 
-        Records.newRecord(ApplicationSubmissionContext.class);
-    // set the ApplicationId 
-    appContext.setApplicationId(appId);
-    // set the application name
-    appContext.setApplicationName(appName);
-    
-    // Create a new container launch context for the AM's container
-    ContainerLaunchContext amContainer = 
-        Records.newRecord(ContainerLaunchContext.class);
+  // set the application submission context
+  ApplicationSubmissionContext appContext = app.getApplicationSubmissionContext();
+  ApplicationId appId = appContext.getApplicationId();
 
-    // Define the local resources required 
-    Map<String, LocalResource> localResources = 
-        new HashMap<String, LocalResource>();
-    // Lets assume the jar we need for our ApplicationMaster is available in 
-    // HDFS at a certain known path to us and we want to make it available to
-    // the ApplicationMaster in the launched container 
-    Path jarPath; // <- known path to jar file  
-    FileStatus jarStatus = fs.getFileStatus(jarPath);
-    LocalResource amJarRsrc = Records.newRecord(LocalResource.class);
-    // Set the type of resource - file or archive
-    // archives are untarred at the destination by the framework
-    amJarRsrc.setType(LocalResourceType.FILE);
-    // Set visibility of the resource 
-    // Setting to most private option i.e. this file will only 
-    // be visible to this instance of the running application
-    amJarRsrc.setVisibility(LocalResourceVisibility.APPLICATION);	   
-    // Set the location of resource to be copied over into the 
-    // working directory
-    amJarRsrc.setResource(ConverterUtils.getYarnUrlFromPath(jarPath)); 
-    // Set timestamp and length of file so that the framework 
-    // can do basic sanity checks for the local resource 
-    // after it has been copied over to ensure it is the same 
-    // resource the client intended to use with the application
-    amJarRsrc.setTimestamp(jarStatus.getModificationTime());
-    amJarRsrc.setSize(jarStatus.getLen());
-    // The framework will create a symlink called AppMaster.jar in the 
-    // working directory that will be linked back to the actual file. 
-    // The ApplicationMaster, if needs to reference the jar file, would 
-    // need to use the symlink filename.  
-    localResources.put("AppMaster.jar",  amJarRsrc);    
-    // Set the local resources into the launch context    
-    amContainer.setLocalResources(localResources);
+  appContext.setKeepContainersAcrossApplicationAttempts(keepContainers);
+  appContext.setApplicationName(appName);
 
-    // Set up the environment needed for the launch context
-    Map<String, String> env = new HashMap<String, String>();    
-    // For example, we could setup the classpath needed.
-    // Assuming our classes or jars are available as local resources in the
-    // working directory from which the command will be run, we need to append
-    // "." to the path. 
-    // By default, all the hadoop specific classpaths will already be available 
-    // in $CLASSPATH, so we should be careful not to overwrite it.   
-    String classPathEnv = "$CLASSPATH:./*:";    
-    env.put("CLASSPATH", classPathEnv);
-    amContainer.setEnvironment(env);
-    
-    // Construct the command to be executed on the launched container 
-    String command = 
-        "${JAVA_HOME}" + /bin/java" +
-        " MyAppMaster" + 
-        " arg1 arg2 arg3" + 
-        " 1>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/stdout" +
-        " 2>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/stderr";                     
+  // set local resources for the application master
+  // local files or archives as needed
+  // In this scenario, the jar file for the application master is part of the local resources
+  Map<String, LocalResource> localResources = new HashMap<String, LocalResource>();
 
-    List<String> commands = new ArrayList<String>();
-    commands.add(command);
-    // add additional commands if needed		
+  LOG.info("Copy App Master jar from local filesystem and add to local environment");
+  // Copy the application master jar to the filesystem
+  // Create a local resource to point to the destination jar path
+  FileSystem fs = FileSystem.get(conf);
+  addToLocalResources(fs, appMasterJar, appMasterJarPath, appId.toString(),
+      localResources, null);
 
-    // Set the command array into the container spec
-    amContainer.setCommands(commands);
-    
-    // Define the resource requirements for the container
-    // For now, YARN only supports memory so we set the memory 
-    // requirements. 
-    // If the process takes more than its allocated memory, it will 
-    // be killed by the framework. 
-    // Memory being requested for should be less than max capability 
-    // of the cluster and all asks should be a multiple of the min capability. 
-    Resource capability = Records.newRecord(Resource.class);
-    capability.setMemory(amMemory);
-    amContainer.setResource(capability);
-    
-    // Set the container launch content into the ApplicationSubmissionContext
-    appContext.setAMContainerSpec(amContainer);
-+---+
+  // Set the log4j properties if needed
+  if (!log4jPropFile.isEmpty()) {
+    addToLocalResources(fs, log4jPropFile, log4jPath, appId.toString(),
+        localResources, null);
+  }
 
-  * After the setup process is complete, the client is finally ready to submit 
-    the application to the ASM.  
-     
-+---+
-    // Create the request to send to the ApplicationsManager 
-    SubmitApplicationRequest appRequest = 
-        Records.newRecord(SubmitApplicationRequest.class);
-    appRequest.setApplicationSubmissionContext(appContext);
+  // The shell script has to be made available on the final container(s)
+  // where it will be executed.
+  // To do this, we need to first copy into the filesystem that is visible
+  // to the yarn framework.
+  // We do not need to set this as a local resource for the application
+  // master as the application master does not need it.
+  String hdfsShellScriptLocation = "";
+  long hdfsShellScriptLen = 0;
+  long hdfsShellScriptTimestamp = 0;
+  if (!shellScriptPath.isEmpty()) {
+    Path shellSrc = new Path(shellScriptPath);
+    String shellPathSuffix =
+        appName + "/" + appId.toString() + "/" + SCRIPT_PATH;
+    Path shellDst =
+        new Path(fs.getHomeDirectory(), shellPathSuffix);
+    fs.copyFromLocalFile(false, true, shellSrc, shellDst);
+    hdfsShellScriptLocation = shellDst.toUri().toString();
+    FileStatus shellFileStatus = fs.getFileStatus(shellDst);
+    hdfsShellScriptLen = shellFileStatus.getLen();
+    hdfsShellScriptTimestamp = shellFileStatus.getModificationTime();
+  }
 
-    // Submit the application to the ApplicationsManager
-    // Ignore the response as either a valid response object is returned on 
-    // success or an exception thrown to denote the failure
-    applicationsManager.submitApplication(appRequest);
-+---+    
-   
-  * At this point, the ResourceManager will have accepted the application and 
-    in the background, will go through the process of allocating a container 
-    with the required specifications and then eventually setting up and 
-    launching the ApplicationMaster on the allocated container. 
-    
-  * There are multiple ways a client can track progress of the actual task. 
-  
-    * It can communicate with the ResourceManager and request for a report of 
-      the application via ApplicationClientProtocol#getApplicationReport. 
+  if (!shellCommand.isEmpty()) {
+    addToLocalResources(fs, null, shellCommandPath, appId.toString(),
+        localResources, shellCommand);
+  }
 
-+-----+     
-      GetApplicationReportRequest reportRequest = 
-          Records.newRecord(GetApplicationReportRequest.class);
-      reportRequest.setApplicationId(appId);
-      GetApplicationReportResponse reportResponse = 
-          applicationsManager.getApplicationReport(reportRequest);
-      ApplicationReport report = reportResponse.getApplicationReport();
-+-----+             
-  
-      The ApplicationReport received from the ResourceManager consists of the following: 
-      
-        * General application information: ApplicationId, queue to which the 
-          application was submitted, user who submitted the application and the 
-          start time for the application. 
-          
-        * ApplicationMaster details: the host on which the ApplicationMaster is 
-          running, the rpc port (if any) on which it is listening for requests 
-          from clients and a token that the client needs to communicate with 
-          the ApplicationMaster. 
-          
-        * Application tracking information: If the application supports some 
-          form of progress tracking, it can set a tracking url which is 
-          available via ApplicationReport#getTrackingUrl that a client can look 
-          at to monitor progress. 
-          
-        * ApplicationStatus: The state of the application as seen by the 
-          ResourceManager is available via 
-          ApplicationReport#getYarnApplicationState. If the 
-          YarnApplicationState is set to FINISHED, the client should refer to 
-          ApplicationReport#getFinalApplicationStatus to check for the actual 
-          success/failure of the application task itself. In case of failures, 
-          ApplicationReport#getDiagnostics may be useful to shed some more 
-          light on the the failure.      
- 
-    * If the ApplicationMaster supports it, a client can directly query the 
-      ApplicationMaster itself for progress updates via the host:rpcport 
-      information obtained from the ApplicationReport. It can also use the 
-      tracking url obtained from the report if available.
+  if (shellArgs.length > 0) {
+    addToLocalResources(fs, null, shellArgsPath, appId.toString(),
+        localResources, StringUtils.join(shellArgs, " "));
+  }
 
-  * In certain situations, if the application is taking too long or due to 
-    other factors, the client may wish to kill the application. The 
-    ApplicationClientProtocol supports the forceKillApplication call that allows a 
-    client to send a kill signal to the ApplicationMaster via the 
-    ResourceManager. An ApplicationMaster if so designed may also support an 
-    abort call via its rpc layer that a client may be able to leverage.
+  // Set the env variables to be setup in the env where the application master will be run
+  LOG.info("Set the environment for the application master");
+  Map<String, String> env = new HashMap<String, String>();
 
-+---+
-    KillApplicationRequest killRequest = 
-        Records.newRecord(KillApplicationRequest.class);		
-    killRequest.setApplicationId(appId);
-    applicationsManager.forceKillApplication(killRequest);	
-+---+
+  // put location of shell script into env
+  // using the env info, the application master will create the correct local resource for the
+  // eventual containers that will be launched to execute the shell scripts
+  env.put(DSConstants.DISTRIBUTEDSHELLSCRIPTLOCATION, hdfsShellScriptLocation);
+  env.put(DSConstants.DISTRIBUTEDSHELLSCRIPTTIMESTAMP, Long.toString(hdfsShellScriptTimestamp));
+  env.put(DSConstants.DISTRIBUTEDSHELLSCRIPTLEN, Long.toString(hdfsShellScriptLen));
 
-** Writing an ApplicationMaster
+  // Add AppMaster.jar location to classpath
+  // At some point we should not be required to add
+  // the hadoop specific classpaths to the env.
+  // It should be provided out of the box.
+  // For now setting all required classpaths including
+  // the classpath to "." for the application jar
+  StringBuilder classPathEnv = new StringBuilder(Environment.CLASSPATH.$$())
+    .append(ApplicationConstants.CLASS_PATH_SEPARATOR).append("./*");
+  for (String c : conf.getStrings(
+      YarnConfiguration.YARN_APPLICATION_CLASSPATH,
+      YarnConfiguration.DEFAULT_YARN_CROSS_PLATFORM_APPLICATION_CLASSPATH)) {
+    classPathEnv.append(ApplicationConstants.CLASS_PATH_SEPARATOR);
+    classPathEnv.append(c.trim());
+  }
+  classPathEnv.append(ApplicationConstants.CLASS_PATH_SEPARATOR).append(
+    "./log4j.properties");
 
-  * The ApplicationMaster is the actual owner of the job. It will be launched 
-    by the ResourceManager and via the client will be provided all the necessary 
-    information and resources about the job that it has been tasked with to 
-    oversee and complete.  
+  // Set the necessary command to execute the application master
+  Vector<CharSequence> vargs = new Vector<CharSequence>(30);
 
-  * As the ApplicationMaster is launched within a container that may (likely 
-    will) be sharing a physical host with other containers, given the 
-    multi-tenancy nature, amongst other issues, it cannot make any assumptions 
-    of things like pre-configured ports that it can listen on. 
-  
-  * When the ApplicationMaster starts up, several parameters are made available
-    to it via the environment. These include the ContainerId for the
-    ApplicationMaster container, the application submission time and details
-    about the NodeManager host running the Application Master.
-    Ref ApplicationConstants for parameter names.
+  // Set java executable command
+  LOG.info("Setting up app master command");
+  vargs.add(Environment.JAVA_HOME.$$() + "/bin/java");
+  // Set Xmx based on am memory size
+  vargs.add("-Xmx" + amMemory + "m");
+  // Set class name
+  vargs.add(appMasterMainClass);
+  // Set params for Application Master
+  vargs.add("--container_memory " + String.valueOf(containerMemory));
+  vargs.add("--container_vcores " + String.valueOf(containerVirtualCores));
+  vargs.add("--num_containers " + String.valueOf(numContainers));
+  vargs.add("--priority " + String.valueOf(shellCmdPriority));
 
-  * All interactions with the ResourceManager require an ApplicationAttemptId 
-    (there can be multiple attempts per application in case of failures). The 
-    ApplicationAttemptId can be obtained from the ApplicationMaster
-    containerId. There are helper apis to convert the value obtained from the
-    environment into objects.
-    
-+---+
-    Map<String, String> envs = System.getenv();
-    String containerIdString = 
-        envs.get(ApplicationConstants.AM_CONTAINER_ID_ENV);
-    if (containerIdString == null) {
-      // container id should always be set in the env by the framework 
-      throw new IllegalArgumentException(
-          "ContainerId not set in the environment");
+  for (Map.Entry<String, String> entry : shellEnv.entrySet()) {
+    vargs.add("--shell_env " + entry.getKey() + "=" + entry.getValue());
+  }
+  if (debugFlag) {
+    vargs.add("--debug");
+  }
+
+  vargs.add("1>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/AppMaster.stdout");
+  vargs.add("2>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/AppMaster.stderr");
+
+  // Get final commmand
+  StringBuilder command = new StringBuilder();
+  for (CharSequence str : vargs) {
+    command.append(str).append(" ");
+  }
+
+  LOG.info("Completed setting up app master command " + command.toString());
+  List<String> commands = new ArrayList<String>();
+  commands.add(command.toString());
+
+  // Set up the container launch context for the application master
+  ContainerLaunchContext amContainer = ContainerLaunchContext.newInstance(
+    localResources, env, commands, null, null, null);
+
+  // Set up resource type requirements
+  // For now, both memory and vcores are supported, so we set memory and
+  // vcores requirements
+  Resource capability = Resource.newInstance(amMemory, amVCores);
+  appContext.setResource(capability);
+
+  // Service data is a binary blob that can be passed to the application
+  // Not needed in this scenario
+  // amContainer.setServiceData(serviceData);
+
+  // Setup security tokens
+  if (UserGroupInformation.isSecurityEnabled()) {
+    // Note: Credentials class is marked as LimitedPrivate for HDFS and MapReduce
+    Credentials credentials = new Credentials();
+    String tokenRenewer = conf.get(YarnConfiguration.RM_PRINCIPAL);
+    if (tokenRenewer == null || tokenRenewer.length() == 0) {
+      throw new IOException(
+        "Can't get Master Kerberos principal for the RM to use as renewer");
     }
-    ContainerId containerId = ConverterUtils.toContainerId(containerIdString);
-    ApplicationAttemptId appAttemptID = containerId.getApplicationAttemptId();
-+---+     
-  
-  * After an ApplicationMaster has initialized itself completely, it needs to 
-    register with the ResourceManager via 
-    ApplicationMasterProtocol#registerApplicationMaster. The ApplicationMaster always 
-    communicate via the Scheduler interface of the ResourceManager. 
-  
-+---+
-    // Connect to the Scheduler of the ResourceManager. 
-    YarnConfiguration yarnConf = new YarnConfiguration(conf);
-    InetSocketAddress rmAddress = 
-        NetUtils.createSocketAddr(yarnConf.get(
-            YarnConfiguration.RM_SCHEDULER_ADDRESS,
-            YarnConfiguration.DEFAULT_RM_SCHEDULER_ADDRESS));		
-    LOG.info("Connecting to ResourceManager at " + rmAddress);
-    ApplicationMasterProtocol resourceManager = 
-        (ApplicationMasterProtocol) rpc.getProxy(ApplicationMasterProtocol.class, rmAddress, conf);
 
-    // Register the AM with the RM
-    // Set the required info into the registration request: 
-    // ApplicationAttemptId, 
-    // host on which the app master is running
-    // rpc port on which the app master accepts requests from the client 
-    // tracking url for the client to track app master progress
-    RegisterApplicationMasterRequest appMasterRequest = 
-        Records.newRecord(RegisterApplicationMasterRequest.class);
-    appMasterRequest.setApplicationAttemptId(appAttemptID);	
-    appMasterRequest.setHost(appMasterHostname);
-    appMasterRequest.setRpcPort(appMasterRpcPort);
-    appMasterRequest.setTrackingUrl(appMasterTrackingUrl);
+    // For now, only getting tokens for the default file-system.
+    final Token<?> tokens[] =
+        fs.addDelegationTokens(tokenRenewer, credentials);
+    if (tokens != null) {
+      for (Token<?> token : tokens) {
+        LOG.info("Got dt for " + fs.getUri() + "; " + token);
+      }
+    }
+    DataOutputBuffer dob = new DataOutputBuffer();
+    credentials.writeTokenStorageToStream(dob);
+    ByteBuffer fsTokens = ByteBuffer.wrap(dob.getData(), 0, dob.getLength());
+    amContainer.setTokens(fsTokens);
+  }
 
-    // The registration response is useful as it provides information about the 
-    // cluster. 
-    // Similar to the GetNewApplicationResponse in the client, it provides 
-    // information about the min/mx resource capabilities of the cluster that 
-    // would be needed by the ApplicationMaster when requesting for containers.
-    RegisterApplicationMasterResponse response = 
-        resourceManager.registerApplicationMaster(appMasterRequest);
+  appContext.setAMContainerSpec(amContainer);
 +---+
-     
-  * The ApplicationMaster has to emit heartbeats to the ResourceManager to keep 
-    it informed that the ApplicationMaster is alive and still running. The 
-    timeout expiry interval at the ResourceManager is defined by a config 
-    setting accessible via YarnConfiguration.RM_AM_EXPIRY_INTERVAL_MS with the 
-    default being defined by YarnConfiguration.DEFAULT_RM_AM_EXPIRY_INTERVAL_MS. 
-    The ApplicationMasterProtocol#allocate calls to the ResourceManager count as heartbeats 
-    as it also supports sending progress update information. Therefore, an 
-    allocate call with no containers requested and progress information updated 
-    if any is a valid way for making heartbeat calls to the ResourceManager. 
-    
-  * Based on the task requirements, the ApplicationMaster can ask for a set of 
-    containers to run its tasks on. The ApplicationMaster has to use the 
-    ResourceRequest class to define the following container specifications: 
-    
-    * Hostname: If containers are required to be hosted on a particular rack or 
-      a specific host. '*' is a special value that implies any host will do. 
-      
-    * Resource capability: Currently, YARN only supports memory based resource 
-      requirements so the request should define how much memory is needed. The 
-      value is defined in MB and has to less than the max capability of the 
+
+  * After the setup process is complete, the client is ready to submit
+    the application with specified priority and queue.
+
++---+
+  // Set the priority for the application master
+  Priority pri = Priority.newInstance(amPriority);
+  appContext.setPriority(pri);
+
+  // Set the queue to which this application is to be submitted in the RM
+  appContext.setQueue(amQueue);
+
+  // Submit the application to the applications manager
+  // SubmitApplicationResponse submitResp = applicationsManager.submitApplication(appRequest);
+
+  yarnClient.submitApplication(appContext);
++---+
+
+  * At this point, the RM will have accepted the application and in the
+    background, will go through the process of allocating a container with the
+    required specifications and then eventually setting up and launching the AM
+    on the allocated container.
+
+  * There are multiple ways a client can track progress of the actual task.
+
+    * It can communicate with the RM and request for a report of the application
+      via the <<<getApplicationReport()>>> method of <<<YarnClient>>>.
+
++-----+
+  // Get application report for the appId we are interested in
+  ApplicationReport report = yarnClient.getApplicationReport(appId);
++-----+
+
+      The <<<ApplicationReport>>> received from the RM consists of the following:
+
+        * General application information: Application id, queue to which the
+          application was submitted, user who submitted the application and the
+          start time for the application.
+
+        * ApplicationMaster details: the host on which the AM is running, the
+          rpc port (if any) on which it is listening for requests from clients
+          and a token that the client needs to communicate with the AM.
+
+        * Application tracking information: If the application supports some form
+          of progress tracking, it can set a tracking url which is available via
+          <<<ApplicationReport>>>'s <<<getTrackingUrl()>>> method that a client
+          can look at to monitor progress.
+
+        * Application status: The state of the application as seen by the
+          ResourceManager is available via
+          <<<ApplicationReport#getYarnApplicationState>>>. If the
+          <<<YarnApplicationState>>> is set to <<<FINISHED>>>, the client should
+          refer to <<<ApplicationReport#getFinalApplicationStatus>>> to check for
+          the actual success/failure of the application task itself. In case of
+          failures, <<<ApplicationReport#getDiagnostics>>> may be useful to shed
+          some more light on the the failure.
+
+    * If the ApplicationMaster supports it, a client can directly query the AM
+      itself for progress updates via the host:rpcport information obtained from
+      the application report. It can also use the tracking url obtained from the
+      report if available.
+
+  * In certain situations, if the application is taking too long or due to other
+    factors, the client may wish to kill the application. <<<YarnClient>>>
+    supports the <<<killApplication>>> call that allows a client to send a kill
+    signal to the AM via the ResourceManager. An ApplicationMaster if so
+    designed may also support an abort call via its rpc layer that a client may
+    be able to leverage.
+
++---+
+  yarnClient.killApplication(appId);
++---+
+
+** Writing an ApplicationMaster (AM)
+
+  * The AM is the actual owner of the job. It will be launched
+    by the RM and via the client will be provided all the
+    necessary information and resources about the job that it has been tasked
+    with to oversee and complete.
+
+  * As the AM is launched within a container that may (likely
+    will) be sharing a physical host with other containers, given the
+    multi-tenancy nature, amongst other issues, it cannot make any assumptions
+    of things like pre-configured ports that it can listen on.
+
+  * When the AM starts up, several parameters are made available
+    to it via the environment. These include the <<<ContainerId>>> for the
+    AM container, the application submission time and details
+    about the NM (NodeManager) host running the ApplicationMaster.
+    Ref <<<ApplicationConstants>>> for parameter names.
+
+  * All interactions with the RM require an <<<ApplicationAttemptId>>> (there can
+    be multiple attempts per application in case of failures). The
+    <<<ApplicationAttemptId>>> can be obtained from the AM's container id. There
+    are helper APIs to convert the value obtained from the environment into
+    objects.
+
++---+
+  Map<String, String> envs = System.getenv();
+  String containerIdString =
+      envs.get(ApplicationConstants.AM_CONTAINER_ID_ENV);
+  if (containerIdString == null) {
+    // container id should always be set in the env by the framework
+    throw new IllegalArgumentException(
+        "ContainerId not set in the environment");
+  }
+  ContainerId containerId = ConverterUtils.toContainerId(containerIdString);
+  ApplicationAttemptId appAttemptID = containerId.getApplicationAttemptId();
++---+
+
+  * After an AM has initialized itself completely, we can start the two clients:
+    one to ResourceManager, and one to NodeManagers. We set them up with our
+    customized event handler, and we will talk about those event handlers in
+    detail later in this article.
+
++---+
+  AMRMClientAsync.CallbackHandler allocListener = new RMCallbackHandler();
+  amRMClient = AMRMClientAsync.createAMRMClientAsync(1000, allocListener);
+  amRMClient.init(conf);
+  amRMClient.start();
+
+  containerListener = createNMCallbackHandler();
+  nmClientAsync = new NMClientAsyncImpl(containerListener);
+  nmClientAsync.init(conf);
+  nmClientAsync.start();
++---+
+
+  * The AM has to emit heartbeats to the RM to keep it informed that the AM is
+    alive and still running. The timeout expiry interval at the RM is defined by
+    a config setting accessible via
+    <<<YarnConfiguration.RM_AM_EXPIRY_INTERVAL_MS>>> with the default being
+    defined by <<<YarnConfiguration.DEFAULT_RM_AM_EXPIRY_INTERVAL_MS>>>. The
+    ApplicationMaster needs to register itself with the ResourceManager to
+    start hearbeating.
+
++---+
+  // Register self with ResourceManager
+  // This will start heartbeating to the RM
+  appMasterHostname = NetUtils.getHostname();
+  RegisterApplicationMasterResponse response = amRMClient
+      .registerApplicationMaster(appMasterHostname, appMasterRpcPort,
+          appMasterTrackingUrl);
++---+
+
+  * In the response of the registration, maximum resource capability if included. You may want to use this to check the application's request.
+
++---+
+  // Dump out information about cluster capability as seen by the
+  // resource manager
+  int maxMem = response.getMaximumResourceCapability().getMemory();
+  LOG.info("Max mem capabililty of resources in this cluster " + maxMem);
+
+  int maxVCores = response.getMaximumResourceCapability().getVirtualCores();
+  LOG.info("Max vcores capabililty of resources in this cluster " + maxVCores);
+
+  // A resource ask cannot exceed the max.
+  if (containerMemory > maxMem) {
+    LOG.info("Container memory specified above max threshold of cluster."
+        + " Using max value." + ", specified=" + containerMemory + ", max="
+        + maxMem);
+    containerMemory = maxMem;
+  }
+
+  if (containerVirtualCores > maxVCores) {
+    LOG.info("Container virtual cores specified above max threshold of  cluster."
+      + " Using max value." + ", specified=" + containerVirtualCores + ", max="
+      + maxVCores);
+    containerVirtualCores = maxVCores;
+  }
+  List<Container> previousAMRunningContainers =
+      response.getContainersFromPreviousAttempts();
+  LOG.info("Received " + previousAMRunningContainers.size()
+          + " previous AM's running containers on AM registration.");
++---+
+
+  * Based on the task requirements, the AM can ask for a set of containers to run
+    its tasks on. We can now calculate how many containers we need, and request
+    those many containers.
+
++---+
+  List<Container> previousAMRunningContainers =
+      response.getContainersFromPreviousAttempts();
+  List<Container> previousAMRunningContainers =
+      response.getContainersFromPreviousAttempts();
+  LOG.info("Received " + previousAMRunningContainers.size()
+      + " previous AM's running containers on AM registration.");
+
+  int numTotalContainersToRequest =
+      numTotalContainers - previousAMRunningContainers.size();
+  // Setup ask for containers from RM
+  // Send request for containers to RM
+  // Until we get our fully allocated quota, we keep on polling RM for
+  // containers
+  // Keep looping until all the containers are launched and shell script
+  // executed on them ( regardless of success/failure).
+  for (int i = 0; i < numTotalContainersToRequest; ++i) {
+    ContainerRequest containerAsk = setupContainerAskForRM();
+    amRMClient.addContainerRequest(containerAsk);
+  }
++---+
+
+  * In <<<setupContainerAskForRM()>>>, the follow two things need some set up:
+
+    * Resource capability: Currently, YARN supports memory based resource
+      requirements so the request should define how much memory is needed. The
+      value is defined in MB and has to less than the max capability of the
       cluster and an exact multiple of the min capability. Memory resources
-      correspond to physical memory limits imposed on the task containers.
-      
-    * Priority: When asking for sets of containers, an ApplicationMaster may 
-      define different priorities to each set. For example, the Map-Reduce 
-      ApplicationMaster may assign a higher priority to containers needed 
-      for the Map tasks and a lower priority for the Reduce tasks' containers.
-      
-    []     
-       
-+----+ 
-    // Resource Request
-    ResourceRequest rsrcRequest = Records.newRecord(ResourceRequest.class);
+      correspond to physical memory limits imposed on the task containers. It
+      will also support computation based resource (vCore), as shown in the code.
 
-    // setup requirements for hosts 
-    // whether a particular rack/host is needed 
-    // useful for applications that are sensitive
-    // to data locality 
-    rsrcRequest.setHostName("*");
+    * Priority: When asking for sets of containers, an AM may define different
+      priorities to each set. For example, the Map-Reduce AM may assign a higher
+      priority to containers needed for the Map tasks and a lower priority for
+      the Reduce tasks' containers.
 
+    []
+
++---+
+  private ContainerRequest setupContainerAskForRM() {
+    // setup requirements for hosts
+    // using * as any host will do for the distributed shell app
     // set the priority for the request
-    Priority pri = Records.newRecord(Priority.class);
-    pri.setPriority(requestPriority);
-    rsrcRequest.setPriority(pri);	    
+    Priority pri = Priority.newInstance(requestPriority);
 
     // Set up resource type requirements
-    // For now, only memory is supported so we set memory requirements
-    Resource capability = Records.newRecord(Resource.class);
-    capability.setMemory(containerMemory);
-    rsrcRequest.setCapability(capability);
-
-    // set no. of containers needed
-    // matching the specifications
-    rsrcRequest.setNumContainers(numContainers);
-+---+
-        
-  * After defining the container requirements, the ApplicationMaster has to 
-    construct an AllocateRequest to send to the ResourceManager. 
-    The AllocateRequest consists of:
-        
-    * Requested containers: The container specifications and the no. of 
-      containers being requested for by the ApplicationMaster from the 
-      ResourceManager. 
-    
-    * Released containers: There may be situations when the ApplicationMaster 
-      may have requested for more containers that it needs or due to failure 
-      issues, decide to use other containers allocated to it. In all such 
-      situations, it is beneficial to the cluster if the ApplicationMaster 
-      releases these containers back to the ResourceManager so that they can be 
-      re-allocated to other applications.   
-    
-    * ResponseId: The response id that will be sent back in the response from 
-      the allocate call.  
-     
-    * Progress update information: The ApplicationMaster can send its progress 
-      update (range between to 0 to 1) to the ResourceManager. 
-    
-    []
-    
-+---+
-    List<ResourceRequest> requestedContainers;
-    List<ContainerId> releasedContainers    
-    AllocateRequest req = Records.newRecord(AllocateRequest.class);
-
-    // The response id set in the request will be sent back in 
-    // the response so that the ApplicationMaster can 
-    // match it to its original ask and act appropriately.
-    req.setResponseId(rmRequestID);
-    
-    // Set ApplicationAttemptId 
-    req.setApplicationAttemptId(appAttemptID);
-    
-    // Add the list of containers being asked for 
-    req.addAllAsks(requestedContainers);
-    
-    // If the ApplicationMaster has no need for certain 
-    // containers due to over-allocation or for any other
-    // reason, it can release them back to the ResourceManager
-    req.addAllReleases(releasedContainers);
-    
-    // Assuming the ApplicationMaster can track its progress
-    req.setProgress(currentProgress);
-    
-    AllocateResponse allocateResponse = resourceManager.allocate(req);		     
-+---+
-    
-  * The AllocateResponse sent back from the ResourceManager provides the 
-    following information:
-  
-    * Reboot flag: For scenarios when the ApplicationMaster may get out of sync 
-      with the ResourceManager. 
-    
-    * Allocated containers: The containers that have been allocated to the 
-      ApplicationMaster.
-    
-    * Headroom: Headroom for resources in the cluster. Based on this information 
-      and knowing its needs, an ApplicationMaster can make intelligent decisions 
-      such as re-prioritizing sub-tasks to take advantage of currently allocated 
-      containers, bailing out faster if resources are not becoming available 
-      etc.         
-    
-    * Completed containers: Once an ApplicationMaster triggers a launch an 
-      allocated container, it will receive an update from the ResourceManager 
-      when the container completes. The ApplicationMaster can look into the 
-      status of the completed container and take appropriate actions such as 
-      re-trying a particular sub-task in case of a failure.
-
-    * Number of cluster nodes: The number of hosts available on the cluster.
-      
-    [] 
-      
-    One thing to note is that containers will not be immediately allocated to 
-    the ApplicationMaster. This does not imply that the ApplicationMaster should 
-    keep on asking the pending count of required containers. Once an allocate 
-    request has been sent, the ApplicationMaster will eventually be allocated 
-    the containers based on cluster capacity, priorities and the scheduling 
-    policy in place. The ApplicationMaster should only request for containers 
-    again if and only if its original estimate changed and it needs additional 
-    containers. 
+    // For now, memory and CPU are supported so we set memory and cpu requirements
+    Resource capability = Resource.newInstance(containerMemory,
+      containerVirtualCores);
 
+    ContainerRequest request = new ContainerRequest(capability, null, null,
+        pri);
+    LOG.info("Requested container ask: " + request.toString());
+    return request;
+  }
 +---+
 
-    // Retrieve list of allocated containers from the response 
-    // and on each allocated container, lets assume we are launching 
-    // the same job.
-    List<Container> allocatedContainers = allocateResponse.getAllocatedContainers();
+  * After container allocation requests have been sent by the application
+    manager, contailers will be launched asynchronously, by the event handler of
+    the <<<AMRMClientAsync>>> client. The handler should implement
+    <<<AMRMClientAsync.CallbackHandler>>> interface.
+
+    * When there are containers allocated, the handler sets up a thread that runs
+      the code to launch containers. Here we use the name
+      <<<LaunchContainerRunnable>>> to demonstrate. We will talk about the
+      <<<LaunchContainerRunnable>>> class in the following part of this article.
+
++---+
+  @Override
+  public void onContainersAllocated(List<Container> allocatedContainers) {
+    LOG.info("Got response from RM for container ask, allocatedCnt="
+        + allocatedContainers.size());
+    numAllocatedContainers.addAndGet(allocatedContainers.size());
     for (Container allocatedContainer : allocatedContainers) {
-      LOG.info("Launching shell command on a new container."
-          + ", containerId=" + allocatedContainer.getId()
-          + ", containerNode=" + allocatedContainer.getNodeId().getHost() 
-          + ":" + allocatedContainer.getNodeId().getPort()
-          + ", containerNodeURI=" + allocatedContainer.getNodeHttpAddress()
-          + ", containerState" + allocatedContainer.getState()
-          + ", containerResourceMemory"  
-          + allocatedContainer.getResource().getMemory());
-          
-          
-      // Launch and start the container on a separate thread to keep the main 
-      // thread unblocked as all containers may not be allocated at one go.
-      LaunchContainerRunnable runnableLaunchContainer = 
-          new LaunchContainerRunnable(allocatedContainer);
-      Thread launchThread = new Thread(runnableLaunchContainer);	
+      LaunchContainerRunnable runnableLaunchContainer =
+          new LaunchContainerRunnable(allocatedContainer, containerListener);
+      Thread launchThread = new Thread(runnableLaunchContainer);
+
+      // launch and start the container on a separate thread to keep
+      // the main thread unblocked
+      // as all containers may not be allocated at one go.
       launchThreads.add(launchThread);
       launchThread.start();
     }
-
-    // Check what the current available resources in the cluster are
-    Resource availableResources = allocateResponse.getAvailableResources();
-    // Based on this information, an ApplicationMaster can make appropriate 
-    // decisions
-
-    // Check the completed containers
-    // Let's assume we are keeping a count of total completed containers, 
-    // containers that failed and ones that completed successfully.  			
-    List<ContainerStatus> completedContainers = 
-        allocateResponse.getCompletedContainersStatuses();
-    for (ContainerStatus containerStatus : completedContainers) {				
-      LOG.info("Got container status for containerID= " 
-          + containerStatus.getContainerId()
-          + ", state=" + containerStatus.getState()	
-          + ", exitStatus=" + containerStatus.getExitStatus() 
-          + ", diagnostics=" + containerStatus.getDiagnostics());
-
-      int exitStatus = containerStatus.getExitStatus();
-      if (0 != exitStatus) {
-        // container failed 
-        // -100 is a special case where the container 
-        // was aborted/pre-empted for some reason 
-        if (-100 != exitStatus) {
-          // application job on container returned a non-zero exit code
-          // counts as completed 
-          numCompletedContainers.incrementAndGet();
-          numFailedContainers.incrementAndGet();							
-        }
-        else { 
-          // something else bad happened 
-          // app job did not complete for some reason 
-          // we should re-try as the container was lost for some reason
-          // decrementing the requested count so that we ask for an
-          // additional one in the next allocate call.          
-          numRequestedContainers.decrementAndGet();
-          // we do not need to release the container as that has already 
-          // been done by the ResourceManager/NodeManager. 
-        }
-        }
-        else { 
-          // nothing to do 
-          // container completed successfully 
-          numCompletedContainers.incrementAndGet();
-          numSuccessfulContainers.incrementAndGet();
-        }
-      }
-    }
-+---+      
-
-    
-  * After a container has been allocated to the ApplicationMaster, it needs to 
-    follow a similar process that the Client followed in setting up the 
-    ContainerLaunchContext for the eventual task that is going to be running on 
-    the allocated Container. Once the ContainerLaunchContext is defined, the 
-    ApplicationMaster can then communicate with the ContainerManager to start 
-    its allocated container.
-       
-+---+
-       
-    //Assuming an allocated Container obtained from AllocateResponse
-    Container container;   
-    // Connect to ContainerManager on the allocated container 
-    String cmIpPortStr = container.getNodeId().getHost() + ":" 
-        + container.getNodeId().getPort();		
-    InetSocketAddress cmAddress = NetUtils.createSocketAddr(cmIpPortStr);		
-    ContainerManager cm = 
-        (ContainerManager)rpc.getProxy(ContainerManager.class, cmAddress, conf);     
-
-    // Now we setup a ContainerLaunchContext  
-    ContainerLaunchContext ctx = 
-        Records.newRecord(ContainerLaunchContext.class);
-
-    ctx.setContainerId(container.getId());
-    ctx.setResource(container.getResource());
-
-    try {
-      ctx.setUser(UserGroupInformation.getCurrentUser().getShortUserName());
-    } catch (IOException e) {
-      LOG.info(
-          "Getting current user failed when trying to launch the container",
-          + e.getMessage());
-    }
-
-    // Set the environment 
-    Map<String, String> unixEnv;
-    // Setup the required env. 
-    // Please note that the launched container does not inherit 
-    // the environment of the ApplicationMaster so all the 
-    // necessary environment settings will need to be re-setup 
-    // for this allocated container.      
-    ctx.setEnvironment(unixEnv);
-
-    // Set the local resources 
-    Map<String, LocalResource> localResources = 
-        new HashMap<String, LocalResource>();
-    // Again, the local resources from the ApplicationMaster is not copied over 
-    // by default to the allocated container. Thus, it is the responsibility 
- 	  // of the ApplicationMaster to setup all the necessary local resources 
- 	  // needed by the job that will be executed on the allocated container. 
-      
-    // Assume that we are executing a shell script on the allocated container 
-    // and the shell script's location in the filesystem is known to us. 
-    Path shellScriptPath; 
-    LocalResource shellRsrc = Records.newRecord(LocalResource.class);
-    shellRsrc.setType(LocalResourceType.FILE);
-    shellRsrc.setVisibility(LocalResourceVisibility.APPLICATION);	   
-    shellRsrc.setResource(
-        ConverterUtils.getYarnUrlFromURI(new URI(shellScriptPath)));
-    shellRsrc.setTimestamp(shellScriptPathTimestamp);
-    shellRsrc.setSize(shellScriptPathLen);
-    localResources.put("MyExecShell.sh", shellRsrc);
-
-    ctx.setLocalResources(localResources);			
-
-    // Set the necessary command to execute on the allocated container 
-    String command = "/bin/sh ./MyExecShell.sh"
-        + " 1>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/stdout"
-        + " 2>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/stderr";
-
-    List<String> commands = new ArrayList<String>();
-    commands.add(command);
-    ctx.setCommands(commands);
-
-    // Send the start request to the ContainerManager
-    StartContainerRequest startReq = Records.newRecord(StartContainerRequest.class);
-    startReq.setContainerLaunchContext(ctx);
-    cm.startContainer(startReq);
-+---+                
-      
-  * The ApplicationMaster, as mentioned previously, will get updates of 
-    completed containers as part of the response from the ApplicationMasterProtocol#allocate 
-    calls. It can also monitor its launched containers pro-actively by querying 
-    the ContainerManager for the status. 
-    
+  }
 +---+
 
-    GetContainerStatusRequest statusReq = 
-        Records.newRecord(GetContainerStatusRequest.class);
-    statusReq.setContainerId(container.getId());
-    GetContainerStatusResponse statusResp = cm.getContainerStatus(statusReq);
-    LOG.info("Container Status"
-        + ", id=" + container.getId()
-        + ", status=" + statusResp.getStatus());
-+---+      
+    * On heart beat, the event handler reports the progress of the application.
+
++---+
+  @Override
+  public float getProgress() {
+    // set progress to deliver to RM on next heartbeat
+    float progress = (float) numCompletedContainers.get()
+        / numTotalContainers;
+    return progress;
+  }
++---+
+
+    []
+
+  * The container launch thread actually launches the containers on NMs. After a
+    container has been allocated to the AM, it needs to follow a similar process
+    that the client followed in setting up the <<<ContainerLaunchContext>>> for
+    the eventual task that is going to be running on the allocated Container.
+    Once the <<<ContainerLaunchContext>>> is defined, the AM can start it through
+    the <<<NMClientAsync>>>.
+
++---+
+  // Set the necessary command to execute on the allocated container
+  Vector<CharSequence> vargs = new Vector<CharSequence>(5);
+
+  // Set executable command
+  vargs.add(shellCommand);
+  // Set shell script path
+  if (!scriptPath.isEmpty()) {
+    vargs.add(Shell.WINDOWS ? ExecBatScripStringtPath
+      : ExecShellStringPath);
+  }
+
+  // Set args for the shell command if any
+  vargs.add(shellArgs);
+  // Add log redirect params
+  vargs.add("1>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/stdout");
+  vargs.add("2>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/stderr");
+
+  // Get final commmand
+  StringBuilder command = new StringBuilder();
+  for (CharSequence str : vargs) {
+    command.append(str).append(" ");
+  }
+
+  List<String> commands = new ArrayList<String>();
+  commands.add(command.toString());
+
+  // Set up ContainerLaunchContext, setting local resource, environment,
+  // command and token for constructor.
+
+  // Note for tokens: Set up tokens for the container too. Today, for normal
+  // shell commands, the container in distribute-shell doesn't need any
+  // tokens. We are populating them mainly for NodeManagers to be able to
+  // download anyfiles in the distributed file-system. The tokens are
+  // otherwise also useful in cases, for e.g., when one is running a
+  // "hadoop dfs" command inside the distributed shell.
+  ContainerLaunchContext ctx = ContainerLaunchContext.newInstance(
+    localResources, shellEnv, commands, null, allTokens.duplicate(), null);
+  containerListener.addContainer(container.getId(), container);
+  nmClientAsync.startContainerAsync(container, ctx);
++---+
+
+  * The <<<NMClientAsync>>> object, together with its event handler, handles container events. Including container start, stop, status update, and occurs an error.
+  
+  * After the ApplicationMaster determines the work is done, it needs to unregister itself through the AM-RM client, and then stops the client. 
+
++---+
+  try {
+    amRMClient.unregisterApplicationMaster(appStatus, appMessage, null);
+  } catch (YarnException ex) {
+    LOG.error("Failed to unregister application", ex);
+  } catch (IOException e) {
+    LOG.error("Failed to unregister application", e);
+  }
+  
+  amRMClient.stop();
++---+
 
 ~~** Defining the context in which your code runs
 
-~~*** Container Resource Requests 
+~~*** Container Resource Requests
 
-~~*** Local Resources 
+~~*** Local Resources
 
-~~*** Environment 
+~~*** Environment
 
-~~**** Managing the CLASSPATH 
+~~**** Managing the CLASSPATH
 
-~~** Security 
+~~** Security
 
-* FAQ 
+* FAQ
 
-** How can I distribute my application's jars to all of the nodes in the YARN 
+** How can I distribute my application's jars to all of the nodes in the YARN
    cluster that need it?
 
-  You can use the LocalResource to add resources to your application request. 
-  This will cause YARN to distribute the resource to the ApplicationMaster node. 
-  If the resource is a tgz, zip, or jar - you can have YARN unzip it. Then, all 
-  you need to do is add the unzipped folder to your classpath. 
-  For example, when creating your application request:
+  * You can use the LocalResource to add resources to your application request.
+    This will cause YARN to distribute the resource to the ApplicationMaster
+    node. If the resource is a tgz, zip, or jar - you can have YARN unzip it.
+    Then, all you need to do is add the unzipped folder to your classpath. For
+    example, when creating your application request:
 
 +---+
-    File packageFile = new File(packagePath);
-    Url packageUrl = ConverterUtils.getYarnUrlFromPath(
-        FileContext.getFileContext.makeQualified(new Path(packagePath)));
+  File packageFile = new File(packagePath);
+  Url packageUrl = ConverterUtils.getYarnUrlFromPath(
+      FileContext.getFileContext.makeQualified(new Path(packagePath)));
 
-    packageResource.setResource(packageUrl);
-    packageResource.setSize(packageFile.length());
-    packageResource.setTimestamp(packageFile.lastModified());
-    packageResource.setType(LocalResourceType.ARCHIVE);
-    packageResource.setVisibility(LocalResourceVisibility.APPLICATION);
+  packageResource.setResource(packageUrl);
+  packageResource.setSize(packageFile.length());
+  packageResource.setTimestamp(packageFile.lastModified());
+  packageResource.setType(LocalResourceType.ARCHIVE);
+  packageResource.setVisibility(LocalResourceVisibility.APPLICATION);
 
-    resource.setMemory(memory)
-    containerCtx.setResource(resource)
-    containerCtx.setCommands(ImmutableList.of(
-        "java -cp './package/*' some.class.to.Run "
-        + "1>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/stdout "
-        + "2>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/stderr"))
-    containerCtx.setLocalResources(
-        Collections.singletonMap("package", packageResource))
-    appCtx.setApplicationId(appId)
-    appCtx.setUser(user.getShortUserName)
-    appCtx.setAMContainerSpec(containerCtx)
-    request.setApplicationSubmissionContext(appCtx)
-    applicationsManager.submitApplication(request)
+  resource.setMemory(memory);
+  containerCtx.setResource(resource);
+  containerCtx.setCommands(ImmutableList.of(
+      "java -cp './package/*' some.class.to.Run "
+      + "1>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/stdout "
+      + "2>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/stderr"));
+  containerCtx.setLocalResources(
+      Collections.singletonMap("package", packageResource));
+  appCtx.setApplicationId(appId);
+  appCtx.setUser(user.getShortUserName);
+  appCtx.setAMContainerSpec(containerCtx);
+  yarnClient.submitApplication(appCtx);
 +---+
 
-  As you can see, the setLocalResources command takes a map of names to 
-  resources. The name becomes a sym link in your application's cwd, so you can 
-  just refer to the artifacts inside by using ./package/*. 
-  
-  Note: Java's classpath (cp) argument is VERY sensitive. 
+  As you can see, the <<<setLocalResources>>> command takes a map of names to
+  resources. The name becomes a sym link in your application's cwd, so you can
+  just refer to the artifacts inside by using ./package/*.
+
+  Note: Java's classpath (cp) argument is VERY sensitive.
   Make sure you get the syntax EXACTLY correct.
 
-  Once your package is distributed to your ApplicationMaster, you'll need to 
-  follow the same process whenever your ApplicationMaster starts a new container 
-  (assuming you want the resources to be sent to your container). The code for 
-  this is the same. You just need to make sure that you give your 
-  ApplicationMaster the package path (either HDFS, or local), so that it can 
-  send the resource URL along with the container ctx.
+  Once your package is distributed to your AM, you'll need to follow the same
+  process whenever your AM starts a new container (assuming you want the
+  resources to be sent to your container). The code for this is the same. You
+  just need to make sure that you give your AM the package path (either HDFS, or
+  local), so that it can send the resource URL along with the container ctx.
 
-** How do I get the ApplicationMaster's ApplicationAttemptId? 
+** How do I get the ApplicationMaster's <<<ApplicationAttemptId>>>?
 
+  * The <<<ApplicationAttemptId>>> will be passed to the AM via the environment
+    and the value from the environment can be converted into an
+    <<<ApplicationAttemptId>>> object via the ConverterUtils helper function.
 
-  The ApplicationAttemptId will be passed to the ApplicationMaster via the 
-  environment and the value from the environment can be converted into an 
-  ApplicationAttemptId object via the ConverterUtils helper function.
+** Why my container is killed by the NodeManager?
 
-** My container is being killed by the Node Manager
-
-  This is likely due to high memory usage exceeding your requested container 
-  memory size. There are a number of reasons that can cause this. First, look 
-  at the process tree that the node manager dumps when it kills your container. 
-  The two things you're interested in are physical memory and virtual memory. 
-  If you have exceeded physical memory limits your app is using too much physical 
-  memory. If you're running a Java app, you can use -hprof to look at what is 
-  taking up space in the heap. If you have exceeded virtual memory, you may
-  need to increase the value of the the cluster-wide configuration variable
-  <<<yarn.nodemanager.vmem-pmem-ratio>>>.
+  * This is likely due to high memory usage exceeding your requested container
+    memory size. There are a number of reasons that can cause this. First, look
+    at the process tree that the NodeManager dumps when it kills your container.
+    The two things you're interested in are physical memory and virtual memory.
+    If you have exceeded physical memory limits your app is using too much
+    physical memory. If you're running a Java app, you can use -hprof to look at
+    what is taking up space in the heap. If you have exceeded virtual memory, you
+    may need to increase the value of the the cluster-wide configuration variable
+    <<<yarn.nodemanager.vmem-pmem-ratio>>>.
 
 ** How do I include native libraries?
 
-
-  Setting -Djava.library.path on the command line while launching a container 
-  can cause native libraries used by Hadoop to not be loaded correctly and can
-  result in errors. It is cleaner to use LD_LIBRARY_PATH instead.
+  * Setting <<<-Djava.library.path>>> on the command line while launching a
+    container can cause native libraries used by Hadoop to not be loaded
+    correctly and can result in errors. It is cleaner to use
+    <<<LD_LIBRARY_PATH>>> instead.
 
 * Useful Links
 
-  * {{{https://issues.apache.org/jira/secure/attachment/12486023/MapReduce_NextGen_Architecture.pdf}Map Reduce Next Generation Architecture}}
+  * {{{http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YARN.html}YARN Architecture}}
 
-  * {{{http://developer.yahoo.com/blogs/hadoop/posts/2011/03/mapreduce-nextgen-scheduler/}Map Reduce Next Generation Scheduler}}
+  * {{{http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/CapacityScheduler.html}YARN Capacity Scheduler}}
+
+  * {{{http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/FairScheduler.html}YARN Fair Scheduler}}
+
+* Sample code
+
+  * Yarn distributed shell: in <<<hadoop-yarn-applications-distributedshell>>>
+    project after you set up your development environment.
 

From 662c5bb3af474a78688d0df523d11aff7ee756b6 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Tue, 12 Aug 2014 21:42:21 +0000
Subject: [PATCH 192/354] HDFS-6830. BlockInfo.addStorage fails when DN changes
 the storage for a block replica. (Arpit Agarwal)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617598 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +++
 .../server/blockmanagement/BlockInfo.java     | 26 ++++++-------------
 .../server/blockmanagement/BlockManager.java  |  4 +--
 .../blockmanagement/DatanodeStorageInfo.java  | 22 +++++++++++++---
 .../server/blockmanagement/TestBlockInfo.java | 20 +++++++++-----
 5 files changed, 46 insertions(+), 29 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 65253c299f7..e448ca6727d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -491,6 +491,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6582. Missing null check in RpcProgramNfs3#read(XDR, SecurityHandler)
     (Abhiraj Butala via brandonli)
 
+    HDFS-6830. BlockInfo.addStorage fails when DN changes the storage for a
+    block replica (Arpit Agarwal)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
index 272cb1d48a1..0ce112118c1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfo.java
@@ -194,24 +194,12 @@ public int numNodes() {
    * Add a {@link DatanodeStorageInfo} location for a block
    */
   boolean addStorage(DatanodeStorageInfo storage) {
-    boolean added = true;
-    int idx = findDatanode(storage.getDatanodeDescriptor());
-    if(idx >= 0) {
-      if (getStorageInfo(idx) == storage) { // the storage is already there
-        return false;
-      } else {
-        // The block is on the DN but belongs to a different storage.
-        // Update our state.
-        removeStorage(getStorageInfo(idx));
-        added = false;      // Just updating storage. Return false.
-      }
-    }
     // find the last null node
     int lastNode = ensureCapacity(1);
     setStorageInfo(lastNode, storage);
     setNext(lastNode, null);
     setPrevious(lastNode, null);
-    return added;
+    return true;
   }
 
   /**
@@ -240,16 +228,18 @@ assert getPrevious(dnIndex) == null && getNext(dnIndex) == null :
    * Find specified DatanodeDescriptor.
    * @return index or -1 if not found.
    */
-  int findDatanode(DatanodeDescriptor dn) {
+  boolean findDatanode(DatanodeDescriptor dn) {
     int len = getCapacity();
     for(int idx = 0; idx < len; idx++) {
       DatanodeDescriptor cur = getDatanode(idx);
-      if(cur == dn)
-        return idx;
-      if(cur == null)
+      if(cur == dn) {
+        return true;
+      }
+      if(cur == null) {
         break;
+      }
     }
-    return -1;
+    return false;
   }
   /**
    * Find specified DatanodeStorageInfo.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
index 8046d8ad0cd..6fdec77be69 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockManager.java
@@ -2065,7 +2065,7 @@ private BlockInfo processReportedBlock(
     // Add replica if appropriate. If the replica was previously corrupt
     // but now okay, it might need to be updated.
     if (reportedState == ReplicaState.FINALIZED
-        && (storedBlock.findDatanode(dn) < 0
+        && (!storedBlock.findDatanode(dn)
         || corruptReplicas.isReplicaCorrupt(storedBlock, dn))) {
       toAdd.add(storedBlock);
     }
@@ -2246,7 +2246,7 @@ void addStoredBlockUnderConstruction(StatefulBlockInfo ucBlock,
         storageInfo, ucBlock.reportedBlock, ucBlock.reportedState);
 
     if (ucBlock.reportedState == ReplicaState.FINALIZED &&
-        block.findDatanode(storageInfo.getDatanodeDescriptor()) < 0) {
+        !block.findDatanode(storageInfo.getDatanodeDescriptor())) {
       addStoredBlock(block, storageInfo, null, true);
     }
   } 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
index 791fc3157d9..9e442c7e1f7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/DatanodeStorageInfo.java
@@ -208,12 +208,28 @@ long getBlockPoolUsed() {
   }
 
   public boolean addBlock(BlockInfo b) {
-    if(!b.addStorage(this))
-      return false;
+    // First check whether the block belongs to a different storage
+    // on the same DN.
+    boolean replaced = false;
+    DatanodeStorageInfo otherStorage =
+        b.findStorageInfo(getDatanodeDescriptor());
+
+    if (otherStorage != null) {
+      if (otherStorage != this) {
+        // The block belongs to a different storage. Remove it first.
+        otherStorage.removeBlock(b);
+        replaced = true;
+      } else {
+        // The block is already associated with this storage.
+        return false;
+      }
+    }
+
     // add to the head of the data-node list
+    b.addStorage(this);
     blockList = b.listInsert(blockList, this);
     numBlocks++;
-    return true;
+    return !replaced;
   }
 
   boolean removeBlock(BlockInfo b) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java
index 7cfe423c6e4..61094dfc8ff 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/blockmanagement/TestBlockInfo.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.hdfs.server.blockmanagement;
 
+import static org.hamcrest.core.Is.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 
@@ -59,17 +60,24 @@ public void testAddStorage() throws Exception {
 
 
   @Test
-  public void testReplaceStorageIfDifferetnOneAlreadyExistedFromSameDataNode() throws Exception {
-    BlockInfo blockInfo = new BlockInfo(3);
+  public void testReplaceStorage() throws Exception {
 
+    // Create two dummy storages.
     final DatanodeStorageInfo storage1 = DFSTestUtil.createDatanodeStorageInfo("storageID1", "127.0.0.1");
     final DatanodeStorageInfo storage2 = new DatanodeStorageInfo(storage1.getDatanodeDescriptor(), new DatanodeStorage("storageID2"));
+    final int NUM_BLOCKS = 10;
+    BlockInfo[] blockInfos = new BlockInfo[NUM_BLOCKS];
 
-    blockInfo.addStorage(storage1);
-    boolean added = blockInfo.addStorage(storage2);
+    // Create a few dummy blocks and add them to the first storage.
+    for (int i = 0; i < NUM_BLOCKS; ++i) {
+      blockInfos[i] = new BlockInfo(3);
+      storage1.addBlock(blockInfos[i]);
+    }
 
-    Assert.assertFalse(added);
-    Assert.assertEquals(storage2, blockInfo.getStorageInfo(0));
+    // Try to move one of the blocks to a different storage.
+    boolean added = storage2.addBlock(blockInfos[NUM_BLOCKS/2]);
+    Assert.assertThat(added, is(false));
+    Assert.assertThat(blockInfos[NUM_BLOCKS/2].getStorageInfo(0), is(storage2));
   }
 
   @Test

From 486e718fc1f5befd231494e2ec06bb360484f191 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Tue, 12 Aug 2014 21:43:27 +0000
Subject: [PATCH 193/354] YARN-2399. FairScheduler: Merge AppSchedulable and
 FSSchedulerApp into FSAppAttempt. (kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617600 13f79535-47bb-0310-9956-ffa450edef68
---
 .../sls/scheduler/FairSchedulerMetrics.java   |   8 +-
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../scheduler/fair/FSAppAttempt.java          | 768 ++++++++++++++++++
 .../scheduler/fair/FSLeafQueue.java           |  66 +-
 .../scheduler/fair/FSQueue.java               |  24 +-
 .../scheduler/fair/FSSchedulerNode.java       |   6 +-
 .../scheduler/fair/FairScheduler.java         |  68 +-
 .../scheduler/fair/FifoAppComparator.java     |   8 +-
 .../fair/MaxRunningAppsEnforcer.java          |  52 +-
 .../scheduler/fair/NewAppWeightBooster.java   |   2 +-
 .../scheduler/fair/Schedulable.java           |  70 +-
 .../scheduler/fair/WeightAdjuster.java        |   2 +-
 .../webapp/dao/FairSchedulerInfo.java         |   3 +-
 .../dao/FairSchedulerLeafQueueInfo.java       |   9 +-
 .../scheduler/fair/FakeSchedulable.java       |  18 +-
 .../scheduler/fair/TestFSAppAttempt.java      | 188 +++++
 .../scheduler/fair/TestFSLeafQueue.java       |   2 +-
 .../scheduler/fair/TestFairScheduler.java     | 109 ++-
 .../fair/TestMaxRunningAppsEnforcer.java      |  42 +-
 19 files changed, 1199 insertions(+), 249 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSAppAttempt.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSAppAttempt.java

diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FairSchedulerMetrics.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FairSchedulerMetrics.java
index f427dcd557a..d100e1de583 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FairSchedulerMetrics.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/FairSchedulerMetrics.java
@@ -22,10 +22,9 @@
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair
-        .AppSchedulable;
+    .FSAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSQueue;
-import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair
-        .FairScheduler;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler;
 
 import com.codahale.metrics.Gauge;
 import org.apache.hadoop.yarn.sls.SLSRunner;
@@ -66,8 +65,7 @@ public FairSchedulerMetrics() {
   public void trackApp(ApplicationAttemptId appAttemptId, String oldAppId) {
     super.trackApp(appAttemptId, oldAppId);
     FairScheduler fair = (FairScheduler) scheduler;
-    final AppSchedulable app = fair.getSchedulerApp(appAttemptId)
-            .getAppSchedulable();
+    final FSAppAttempt app = fair.getSchedulerApp(appAttemptId);
     metrics.register("variable.app." + oldAppId + ".demand.memory",
       new Gauge<Integer>() {
         @Override
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index af0f9b56e32..d977127cd9d 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -122,6 +122,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2317. Updated the document about how to write YARN applications. (Li Lu via
     zjshen)
 
+    YARN-2399. FairScheduler: Merge AppSchedulable and FSSchedulerApp into 
+    FSAppAttempt. (kasha)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSAppAttempt.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSAppAttempt.java
new file mode 100644
index 00000000000..eb6f6413893
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSAppAttempt.java
@@ -0,0 +1,768 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair;
+
+import java.io.Serializable;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
+import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
+import org.apache.hadoop.yarn.api.records.Container;
+import org.apache.hadoop.yarn.api.records.ContainerId;
+import org.apache.hadoop.yarn.api.records.ContainerStatus;
+import org.apache.hadoop.yarn.api.records.NodeId;
+import org.apache.hadoop.yarn.api.records.Priority;
+import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.api.records.ResourceRequest;
+import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger;
+import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
+import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
+import org.apache.hadoop.yarn.server.resourcemanager.resource.ResourceWeights;
+import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
+import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerEventType;
+import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerFinishedEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerImpl;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ActiveUsersManager;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.NodeType;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.QueueMetrics;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerApplicationAttempt;
+import org.apache.hadoop.yarn.server.utils.BuilderUtils;
+import org.apache.hadoop.yarn.util.resource.DefaultResourceCalculator;
+import org.apache.hadoop.yarn.util.resource.Resources;
+
+/**
+ * Represents an application attempt from the viewpoint of the Fair Scheduler.
+ */
+@Private
+@Unstable
+public class FSAppAttempt extends SchedulerApplicationAttempt
+    implements Schedulable {
+
+  private static final Log LOG = LogFactory.getLog(FSAppAttempt.class);
+  private static final DefaultResourceCalculator RESOURCE_CALCULATOR
+      = new DefaultResourceCalculator();
+
+  private long startTime;
+  private Priority priority;
+  private ResourceWeights resourceWeights;
+  private Resource demand = Resources.createResource(0);
+  private FairScheduler scheduler;
+  private Resource fairShare = Resources.createResource(0, 0);
+  private Resource preemptedResources = Resources.createResource(0);
+  private RMContainerComparator comparator = new RMContainerComparator();
+  private final Map<RMContainer, Long> preemptionMap = new HashMap<RMContainer, Long>();
+
+  /**
+   * Delay scheduling: We often want to prioritize scheduling of node-local
+   * containers over rack-local or off-switch containers. To acheive this
+   * we first only allow node-local assigments for a given prioirty level,
+   * then relax the locality threshold once we've had a long enough period
+   * without succesfully scheduling. We measure both the number of "missed"
+   * scheduling opportunities since the last container was scheduled
+   * at the current allowed level and the time since the last container
+   * was scheduled. Currently we use only the former.
+   */
+  private final Map<Priority, NodeType> allowedLocalityLevel =
+      new HashMap<Priority, NodeType>();
+
+  public FSAppAttempt(FairScheduler scheduler,
+      ApplicationAttemptId applicationAttemptId, String user, FSLeafQueue queue,
+      ActiveUsersManager activeUsersManager, RMContext rmContext) {
+    super(applicationAttemptId, user, queue, activeUsersManager, rmContext);
+
+    this.scheduler = scheduler;
+    this.startTime = scheduler.getClock().getTime();
+    this.priority = Priority.newInstance(1);
+    this.resourceWeights = new ResourceWeights();
+  }
+
+  public ResourceWeights getResourceWeights() {
+    return resourceWeights;
+  }
+
+  /**
+   * Get metrics reference from containing queue.
+   */
+  public QueueMetrics getMetrics() {
+    return queue.getMetrics();
+  }
+
+  synchronized public void containerCompleted(RMContainer rmContainer,
+      ContainerStatus containerStatus, RMContainerEventType event) {
+    
+    Container container = rmContainer.getContainer();
+    ContainerId containerId = container.getId();
+    
+    // Remove from the list of newly allocated containers if found
+    newlyAllocatedContainers.remove(rmContainer);
+    
+    // Inform the container
+    rmContainer.handle(
+        new RMContainerFinishedEvent(
+            containerId,
+            containerStatus, 
+            event)
+        );
+    LOG.info("Completed container: " + rmContainer.getContainerId() + 
+        " in state: " + rmContainer.getState() + " event:" + event);
+    
+    // Remove from the list of containers
+    liveContainers.remove(rmContainer.getContainerId());
+
+    RMAuditLogger.logSuccess(getUser(), 
+        AuditConstants.RELEASE_CONTAINER, "SchedulerApp", 
+        getApplicationId(), containerId);
+    
+    // Update usage metrics 
+    Resource containerResource = rmContainer.getContainer().getResource();
+    queue.getMetrics().releaseResources(getUser(), 1, containerResource);
+    Resources.subtractFrom(currentConsumption, containerResource);
+
+    // remove from preemption map if it is completed
+    preemptionMap.remove(rmContainer);
+  }
+
+  private synchronized void unreserveInternal(
+      Priority priority, FSSchedulerNode node) {
+    Map<NodeId, RMContainer> reservedContainers = 
+        this.reservedContainers.get(priority);
+    RMContainer reservedContainer = reservedContainers.remove(node.getNodeID());
+    if (reservedContainers.isEmpty()) {
+      this.reservedContainers.remove(priority);
+    }
+    
+    // Reset the re-reservation count
+    resetReReservations(priority);
+
+    Resource resource = reservedContainer.getContainer().getResource();
+    Resources.subtractFrom(currentReservation, resource);
+
+    LOG.info("Application " + getApplicationId() + " unreserved " + " on node "
+        + node + ", currently has " + reservedContainers.size() + " at priority "
+        + priority + "; currentReservation " + currentReservation);
+  }
+
+  public synchronized float getLocalityWaitFactor(
+      Priority priority, int clusterNodes) {
+    // Estimate: Required unique resources (i.e. hosts + racks)
+    int requiredResources = 
+        Math.max(this.getResourceRequests(priority).size() - 1, 0);
+    
+    // waitFactor can't be more than '1' 
+    // i.e. no point skipping more than clustersize opportunities
+    return Math.min(((float)requiredResources / clusterNodes), 1.0f);
+  }
+
+  /**
+   * Return the level at which we are allowed to schedule containers, given the
+   * current size of the cluster and thresholds indicating how many nodes to
+   * fail at (as a fraction of cluster size) before relaxing scheduling
+   * constraints.
+   */
+  public synchronized NodeType getAllowedLocalityLevel(Priority priority,
+      int numNodes, double nodeLocalityThreshold, double rackLocalityThreshold) {
+    // upper limit on threshold
+    if (nodeLocalityThreshold > 1.0) { nodeLocalityThreshold = 1.0; }
+    if (rackLocalityThreshold > 1.0) { rackLocalityThreshold = 1.0; }
+
+    // If delay scheduling is not being used, can schedule anywhere
+    if (nodeLocalityThreshold < 0.0 || rackLocalityThreshold < 0.0) {
+      return NodeType.OFF_SWITCH;
+    }
+
+    // Default level is NODE_LOCAL
+    if (!allowedLocalityLevel.containsKey(priority)) {
+      allowedLocalityLevel.put(priority, NodeType.NODE_LOCAL);
+      return NodeType.NODE_LOCAL;
+    }
+
+    NodeType allowed = allowedLocalityLevel.get(priority);
+
+    // If level is already most liberal, we're done
+    if (allowed.equals(NodeType.OFF_SWITCH)) return NodeType.OFF_SWITCH;
+
+    double threshold = allowed.equals(NodeType.NODE_LOCAL) ? nodeLocalityThreshold :
+      rackLocalityThreshold;
+
+    // Relax locality constraints once we've surpassed threshold.
+    if (getSchedulingOpportunities(priority) > (numNodes * threshold)) {
+      if (allowed.equals(NodeType.NODE_LOCAL)) {
+        allowedLocalityLevel.put(priority, NodeType.RACK_LOCAL);
+        resetSchedulingOpportunities(priority);
+      }
+      else if (allowed.equals(NodeType.RACK_LOCAL)) {
+        allowedLocalityLevel.put(priority, NodeType.OFF_SWITCH);
+        resetSchedulingOpportunities(priority);
+      }
+    }
+    return allowedLocalityLevel.get(priority);
+  }
+
+  /**
+   * Return the level at which we are allowed to schedule containers.
+   * Given the thresholds indicating how much time passed before relaxing
+   * scheduling constraints.
+   */
+  public synchronized NodeType getAllowedLocalityLevelByTime(Priority priority,
+          long nodeLocalityDelayMs, long rackLocalityDelayMs,
+          long currentTimeMs) {
+
+    // if not being used, can schedule anywhere
+    if (nodeLocalityDelayMs < 0 || rackLocalityDelayMs < 0) {
+      return NodeType.OFF_SWITCH;
+    }
+
+    // default level is NODE_LOCAL
+    if (! allowedLocalityLevel.containsKey(priority)) {
+      allowedLocalityLevel.put(priority, NodeType.NODE_LOCAL);
+      return NodeType.NODE_LOCAL;
+    }
+
+    NodeType allowed = allowedLocalityLevel.get(priority);
+
+    // if level is already most liberal, we're done
+    if (allowed.equals(NodeType.OFF_SWITCH)) {
+      return NodeType.OFF_SWITCH;
+    }
+
+    // check waiting time
+    long waitTime = currentTimeMs;
+    if (lastScheduledContainer.containsKey(priority)) {
+      waitTime -= lastScheduledContainer.get(priority);
+    } else {
+      waitTime -= getStartTime();
+    }
+
+    long thresholdTime = allowed.equals(NodeType.NODE_LOCAL) ?
+            nodeLocalityDelayMs : rackLocalityDelayMs;
+
+    if (waitTime > thresholdTime) {
+      if (allowed.equals(NodeType.NODE_LOCAL)) {
+        allowedLocalityLevel.put(priority, NodeType.RACK_LOCAL);
+        resetSchedulingOpportunities(priority, currentTimeMs);
+      } else if (allowed.equals(NodeType.RACK_LOCAL)) {
+        allowedLocalityLevel.put(priority, NodeType.OFF_SWITCH);
+        resetSchedulingOpportunities(priority, currentTimeMs);
+      }
+    }
+    return allowedLocalityLevel.get(priority);
+  }
+
+  synchronized public RMContainer allocate(NodeType type, FSSchedulerNode node,
+      Priority priority, ResourceRequest request,
+      Container container) {
+    // Update allowed locality level
+    NodeType allowed = allowedLocalityLevel.get(priority);
+    if (allowed != null) {
+      if (allowed.equals(NodeType.OFF_SWITCH) &&
+          (type.equals(NodeType.NODE_LOCAL) ||
+              type.equals(NodeType.RACK_LOCAL))) {
+        this.resetAllowedLocalityLevel(priority, type);
+      }
+      else if (allowed.equals(NodeType.RACK_LOCAL) &&
+          type.equals(NodeType.NODE_LOCAL)) {
+        this.resetAllowedLocalityLevel(priority, type);
+      }
+    }
+
+    // Required sanity check - AM can call 'allocate' to update resource 
+    // request without locking the scheduler, hence we need to check
+    if (getTotalRequiredResources(priority) <= 0) {
+      return null;
+    }
+    
+    // Create RMContainer
+    RMContainer rmContainer = new RMContainerImpl(container, 
+        getApplicationAttemptId(), node.getNodeID(),
+        appSchedulingInfo.getUser(), rmContext);
+
+    // Add it to allContainers list.
+    newlyAllocatedContainers.add(rmContainer);
+    liveContainers.put(container.getId(), rmContainer);    
+
+    // Update consumption and track allocations
+    List<ResourceRequest> resourceRequestList = appSchedulingInfo.allocate(
+        type, node, priority, request, container);
+    Resources.addTo(currentConsumption, container.getResource());
+
+    // Update resource requests related to "request" and store in RMContainer
+    ((RMContainerImpl) rmContainer).setResourceRequests(resourceRequestList);
+
+    // Inform the container
+    rmContainer.handle(
+        new RMContainerEvent(container.getId(), RMContainerEventType.START));
+
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("allocate: applicationAttemptId=" 
+          + container.getId().getApplicationAttemptId() 
+          + " container=" + container.getId() + " host="
+          + container.getNodeId().getHost() + " type=" + type);
+    }
+    RMAuditLogger.logSuccess(getUser(), 
+        AuditConstants.ALLOC_CONTAINER, "SchedulerApp", 
+        getApplicationId(), container.getId());
+    
+    return rmContainer;
+  }
+
+  /**
+   * Should be called when the scheduler assigns a container at a higher
+   * degree of locality than the current threshold. Reset the allowed locality
+   * level to a higher degree of locality.
+   */
+  public synchronized void resetAllowedLocalityLevel(Priority priority,
+      NodeType level) {
+    NodeType old = allowedLocalityLevel.get(priority);
+    LOG.info("Raising locality level from " + old + " to " + level + " at " +
+        " priority " + priority);
+    allowedLocalityLevel.put(priority, level);
+  }
+
+  // related methods
+  public void addPreemption(RMContainer container, long time) {
+    assert preemptionMap.get(container) == null;
+    preemptionMap.put(container, time);
+    Resources.addTo(preemptedResources, container.getAllocatedResource());
+  }
+
+  public Long getContainerPreemptionTime(RMContainer container) {
+    return preemptionMap.get(container);
+  }
+
+  public Set<RMContainer> getPreemptionContainers() {
+    return preemptionMap.keySet();
+  }
+  
+  @Override
+  public FSLeafQueue getQueue() {
+    return (FSLeafQueue)super.getQueue();
+  }
+
+  public Resource getPreemptedResources() {
+    return preemptedResources;
+  }
+
+  public void resetPreemptedResources() {
+    preemptedResources = Resources.createResource(0);
+    for (RMContainer container : getPreemptionContainers()) {
+      Resources.addTo(preemptedResources, container.getAllocatedResource());
+    }
+  }
+
+  public void clearPreemptedResources() {
+    preemptedResources.setMemory(0);
+    preemptedResources.setVirtualCores(0);
+  }
+
+  /**
+   * Create and return a container object reflecting an allocation for the
+   * given appliction on the given node with the given capability and
+   * priority.
+   */
+  public Container createContainer(
+      FSSchedulerNode node, Resource capability, Priority priority) {
+
+    NodeId nodeId = node.getRMNode().getNodeID();
+    ContainerId containerId = BuilderUtils.newContainerId(
+        getApplicationAttemptId(), getNewContainerId());
+
+    // Create the container
+    Container container =
+        BuilderUtils.newContainer(containerId, nodeId, node.getRMNode()
+            .getHttpAddress(), capability, priority, null);
+
+    return container;
+  }
+
+  /**
+   * Reserve a spot for {@code container} on this {@code node}. If
+   * the container is {@code alreadyReserved} on the node, simply
+   * update relevant bookeeping. This dispatches ro relevant handlers
+   * in {@link FSSchedulerNode}..
+   */
+  private void reserve(Priority priority, FSSchedulerNode node,
+      Container container, boolean alreadyReserved) {
+    LOG.info("Making reservation: node=" + node.getNodeName() +
+        " app_id=" + getApplicationId());
+
+    if (!alreadyReserved) {
+      getMetrics().reserveResource(getUser(), container.getResource());
+      RMContainer rmContainer =
+          super.reserve(node, priority, null, container);
+      node.reserveResource(this, priority, rmContainer);
+    } else {
+      RMContainer rmContainer = node.getReservedContainer();
+      super.reserve(node, priority, rmContainer, container);
+      node.reserveResource(this, priority, rmContainer);
+    }
+  }
+
+  /**
+   * Remove the reservation on {@code node} at the given {@link Priority}.
+   * This dispatches SchedulerNode handlers as well.
+   */
+  public void unreserve(Priority priority, FSSchedulerNode node) {
+    RMContainer rmContainer = node.getReservedContainer();
+    unreserveInternal(priority, node);
+    node.unreserveResource(this);
+    getMetrics().unreserveResource(
+        getUser(), rmContainer.getContainer().getResource());
+  }
+
+  /**
+   * Assign a container to this node to facilitate {@code request}. If node does
+   * not have enough memory, create a reservation. This is called once we are
+   * sure the particular request should be facilitated by this node.
+   *
+   * @param node
+   *     The node to try placing the container on.
+   * @param request
+   *     The ResourceRequest we're trying to satisfy.
+   * @param type
+   *     The locality of the assignment.
+   * @param reserved
+   *     Whether there's already a container reserved for this app on the node.
+   * @return
+   *     If an assignment was made, returns the resources allocated to the
+   *     container.  If a reservation was made, returns
+   *     FairScheduler.CONTAINER_RESERVED.  If no assignment or reservation was
+   *     made, returns an empty resource.
+   */
+  private Resource assignContainer(
+      FSSchedulerNode node, ResourceRequest request, NodeType type,
+      boolean reserved) {
+
+    // How much does this request need?
+    Resource capability = request.getCapability();
+
+    // How much does the node have?
+    Resource available = node.getAvailableResource();
+
+    Container container = null;
+    if (reserved) {
+      container = node.getReservedContainer().getContainer();
+    } else {
+      container = createContainer(node, capability, request.getPriority());
+    }
+
+    // Can we allocate a container on this node?
+    if (Resources.fitsIn(capability, available)) {
+      // Inform the application of the new container for this request
+      RMContainer allocatedContainer =
+          allocate(type, node, request.getPriority(), request, container);
+      if (allocatedContainer == null) {
+        // Did the application need this resource?
+        if (reserved) {
+          unreserve(request.getPriority(), node);
+        }
+        return Resources.none();
+      }
+
+      // If we had previously made a reservation, delete it
+      if (reserved) {
+        unreserve(request.getPriority(), node);
+      }
+
+      // Inform the node
+      node.allocateContainer(allocatedContainer);
+
+      // If this container is used to run AM, update the leaf queue's AM usage
+      if (getLiveContainers().size() == 1 && !getUnmanagedAM()) {
+        getQueue().addAMResourceUsage(container.getResource());
+        setAmRunning(true);
+      }
+
+      return container.getResource();
+    } else {
+      // The desired container won't fit here, so reserve
+      reserve(request.getPriority(), node, container, reserved);
+
+      return FairScheduler.CONTAINER_RESERVED;
+    }
+  }
+
+  private Resource assignContainer(FSSchedulerNode node, boolean reserved) {
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("Node offered to app: " + getName() + " reserved: " + reserved);
+    }
+
+    Collection<Priority> prioritiesToTry = (reserved) ?
+        Arrays.asList(node.getReservedContainer().getReservedPriority()) :
+        getPriorities();
+
+    // For each priority, see if we can schedule a node local, rack local
+    // or off-switch request. Rack of off-switch requests may be delayed
+    // (not scheduled) in order to promote better locality.
+    synchronized (this) {
+      for (Priority priority : prioritiesToTry) {
+        if (getTotalRequiredResources(priority) <= 0 ||
+            !hasContainerForNode(priority, node)) {
+          continue;
+        }
+
+        addSchedulingOpportunity(priority);
+
+        // Check the AM resource usage for the leaf queue
+        if (getLiveContainers().size() == 0 && !getUnmanagedAM()) {
+          if (!getQueue().canRunAppAM(getAMResource())) {
+            return Resources.none();
+          }
+        }
+
+        ResourceRequest rackLocalRequest = getResourceRequest(priority,
+            node.getRackName());
+        ResourceRequest localRequest = getResourceRequest(priority,
+            node.getNodeName());
+
+        if (localRequest != null && !localRequest.getRelaxLocality()) {
+          LOG.warn("Relax locality off is not supported on local request: "
+              + localRequest);
+        }
+
+        NodeType allowedLocality;
+        if (scheduler.isContinuousSchedulingEnabled()) {
+          allowedLocality = getAllowedLocalityLevelByTime(priority,
+              scheduler.getNodeLocalityDelayMs(),
+              scheduler.getRackLocalityDelayMs(),
+              scheduler.getClock().getTime());
+        } else {
+          allowedLocality = getAllowedLocalityLevel(priority,
+              scheduler.getNumClusterNodes(),
+              scheduler.getNodeLocalityThreshold(),
+              scheduler.getRackLocalityThreshold());
+        }
+
+        if (rackLocalRequest != null && rackLocalRequest.getNumContainers() != 0
+            && localRequest != null && localRequest.getNumContainers() != 0) {
+          return assignContainer(node, localRequest,
+              NodeType.NODE_LOCAL, reserved);
+        }
+
+        if (rackLocalRequest != null && !rackLocalRequest.getRelaxLocality()) {
+          continue;
+        }
+
+        if (rackLocalRequest != null && rackLocalRequest.getNumContainers() != 0
+            && (allowedLocality.equals(NodeType.RACK_LOCAL) ||
+            allowedLocality.equals(NodeType.OFF_SWITCH))) {
+          return assignContainer(node, rackLocalRequest,
+              NodeType.RACK_LOCAL, reserved);
+        }
+
+        ResourceRequest offSwitchRequest =
+            getResourceRequest(priority, ResourceRequest.ANY);
+        if (offSwitchRequest != null && !offSwitchRequest.getRelaxLocality()) {
+          continue;
+        }
+
+        if (offSwitchRequest != null && offSwitchRequest.getNumContainers() != 0
+            && allowedLocality.equals(NodeType.OFF_SWITCH)) {
+          return assignContainer(node, offSwitchRequest,
+              NodeType.OFF_SWITCH, reserved);
+        }
+      }
+    }
+    return Resources.none();
+  }
+
+  /**
+   * Called when this application already has an existing reservation on the
+   * given node.  Sees whether we can turn the reservation into an allocation.
+   * Also checks whether the application needs the reservation anymore, and
+   * releases it if not.
+   *
+   * @param node
+   *     Node that the application has an existing reservation on
+   */
+  public Resource assignReservedContainer(FSSchedulerNode node) {
+    RMContainer rmContainer = node.getReservedContainer();
+    Priority priority = rmContainer.getReservedPriority();
+
+    // Make sure the application still needs requests at this priority
+    if (getTotalRequiredResources(priority) == 0) {
+      unreserve(priority, node);
+      return Resources.none();
+    }
+
+    // Fail early if the reserved container won't fit.
+    // Note that we have an assumption here that there's only one container size
+    // per priority.
+    if (!Resources.fitsIn(node.getReservedContainer().getReservedResource(),
+        node.getAvailableResource())) {
+      return Resources.none();
+    }
+
+    return assignContainer(node, true);
+  }
+
+
+  /**
+   * Whether this app has containers requests that could be satisfied on the
+   * given node, if the node had full space.
+   */
+  public boolean hasContainerForNode(Priority prio, FSSchedulerNode node) {
+    ResourceRequest anyRequest = getResourceRequest(prio, ResourceRequest.ANY);
+    ResourceRequest rackRequest = getResourceRequest(prio, node.getRackName());
+    ResourceRequest nodeRequest = getResourceRequest(prio, node.getNodeName());
+
+    return
+        // There must be outstanding requests at the given priority:
+        anyRequest != null && anyRequest.getNumContainers() > 0 &&
+            // If locality relaxation is turned off at *-level, there must be a
+            // non-zero request for the node's rack:
+            (anyRequest.getRelaxLocality() ||
+                (rackRequest != null && rackRequest.getNumContainers() > 0)) &&
+            // If locality relaxation is turned off at rack-level, there must be a
+            // non-zero request at the node:
+            (rackRequest == null || rackRequest.getRelaxLocality() ||
+                (nodeRequest != null && nodeRequest.getNumContainers() > 0)) &&
+            // The requested container must be able to fit on the node:
+            Resources.lessThanOrEqual(RESOURCE_CALCULATOR, null,
+                anyRequest.getCapability(), node.getRMNode().getTotalCapability());
+  }
+
+
+  static class RMContainerComparator implements Comparator<RMContainer>,
+      Serializable {
+    @Override
+    public int compare(RMContainer c1, RMContainer c2) {
+      int ret = c1.getContainer().getPriority().compareTo(
+          c2.getContainer().getPriority());
+      if (ret == 0) {
+        return c2.getContainerId().compareTo(c1.getContainerId());
+      }
+      return ret;
+    }
+  }
+
+  /* Schedulable methods implementation */
+
+  @Override
+  public String getName() {
+    return getApplicationId().toString();
+  }
+
+  @Override
+  public Resource getDemand() {
+    return demand;
+  }
+
+  @Override
+  public long getStartTime() {
+    return startTime;
+  }
+
+  @Override
+  public Resource getMinShare() {
+    return Resources.none();
+  }
+
+  @Override
+  public Resource getMaxShare() {
+    return Resources.unbounded();
+  }
+
+  @Override
+  public Resource getResourceUsage() {
+    // Here the getPreemptedResources() always return zero, except in
+    // a preemption round
+    return Resources.subtract(getCurrentConsumption(), getPreemptedResources());
+  }
+
+  @Override
+  public ResourceWeights getWeights() {
+    return scheduler.getAppWeight(this);
+  }
+
+  @Override
+  public Priority getPriority() {
+    // Right now per-app priorities are not passed to scheduler,
+    // so everyone has the same priority.
+    return priority;
+  }
+
+  @Override
+  public Resource getFairShare() {
+    return this.fairShare;
+  }
+
+  @Override
+  public void setFairShare(Resource fairShare) {
+    this.fairShare = fairShare;
+  }
+
+  @Override
+  public boolean isActive() {
+    return true;
+  }
+
+
+  @Override
+  public void updateDemand() {
+    demand = Resources.createResource(0);
+    // Demand is current consumption plus outstanding requests
+    Resources.addTo(demand, getCurrentConsumption());
+
+    // Add up outstanding resource requests
+    synchronized (this) {
+      for (Priority p : getPriorities()) {
+        for (ResourceRequest r : getResourceRequests(p).values()) {
+          Resource total = Resources.multiply(r.getCapability(), r.getNumContainers());
+          Resources.addTo(demand, total);
+        }
+      }
+    }
+  }
+
+  @Override
+  public Resource assignContainer(FSSchedulerNode node) {
+    return assignContainer(node, false);
+  }
+
+  /**
+   * Preempt a running container according to the priority
+   */
+  @Override
+  public RMContainer preemptContainer() {
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("App " + getName() + " is going to preempt a running " +
+          "container");
+    }
+
+    RMContainer toBePreempted = null;
+    for (RMContainer container : getLiveContainers()) {
+      if (!getPreemptionContainers().contains(container) &&
+          (toBePreempted == null ||
+              comparator.compare(toBePreempted, container) > 0)) {
+        toBePreempted = container;
+      }
+    }
+    return toBePreempted;
+  }
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java
index 3b3f6ce2296..49e8ef06122 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java
@@ -44,11 +44,11 @@
 public class FSLeafQueue extends FSQueue {
   private static final Log LOG = LogFactory.getLog(
       FSLeafQueue.class.getName());
-    
-  private final List<AppSchedulable> runnableAppScheds = // apps that are runnable
-      new ArrayList<AppSchedulable>();
-  private final List<AppSchedulable> nonRunnableAppScheds =
-      new ArrayList<AppSchedulable>();
+
+  private final List<FSAppAttempt> runnableApps = // apps that are runnable
+      new ArrayList<FSAppAttempt>();
+  private final List<FSAppAttempt> nonRunnableApps =
+      new ArrayList<FSAppAttempt>();
   
   private Resource demand = Resources.createResource(0);
   
@@ -70,33 +70,31 @@ public FSLeafQueue(String name, FairScheduler scheduler,
     amResourceUsage = Resource.newInstance(0, 0);
   }
   
-  public void addApp(FSSchedulerApp app, boolean runnable) {
-    AppSchedulable appSchedulable = new AppSchedulable(scheduler, app, this);
-    app.setAppSchedulable(appSchedulable);
+  public void addApp(FSAppAttempt app, boolean runnable) {
     if (runnable) {
-      runnableAppScheds.add(appSchedulable);
+      runnableApps.add(app);
     } else {
-      nonRunnableAppScheds.add(appSchedulable);
+      nonRunnableApps.add(app);
     }
   }
   
   // for testing
-  void addAppSchedulable(AppSchedulable appSched) {
-    runnableAppScheds.add(appSched);
+  void addAppSchedulable(FSAppAttempt appSched) {
+    runnableApps.add(appSched);
   }
   
   /**
    * Removes the given app from this queue.
    * @return whether or not the app was runnable
    */
-  public boolean removeApp(FSSchedulerApp app) {
-    if (runnableAppScheds.remove(app.getAppSchedulable())) {
+  public boolean removeApp(FSAppAttempt app) {
+    if (runnableApps.remove(app)) {
       // Update AM resource usage
       if (app.isAmRunning() && app.getAMResource() != null) {
         Resources.subtractFrom(amResourceUsage, app.getAMResource());
       }
       return true;
-    } else if (nonRunnableAppScheds.remove(app.getAppSchedulable())) {
+    } else if (nonRunnableApps.remove(app)) {
       return false;
     } else {
       throw new IllegalStateException("Given app to remove " + app +
@@ -104,22 +102,22 @@ public boolean removeApp(FSSchedulerApp app) {
     }
   }
   
-  public Collection<AppSchedulable> getRunnableAppSchedulables() {
-    return runnableAppScheds;
+  public Collection<FSAppAttempt> getRunnableAppSchedulables() {
+    return runnableApps;
   }
   
-  public List<AppSchedulable> getNonRunnableAppSchedulables() {
-    return nonRunnableAppScheds;
+  public List<FSAppAttempt> getNonRunnableAppSchedulables() {
+    return nonRunnableApps;
   }
   
   @Override
   public void collectSchedulerApplications(
       Collection<ApplicationAttemptId> apps) {
-    for (AppSchedulable appSched : runnableAppScheds) {
-      apps.add(appSched.getApp().getApplicationAttemptId());
+    for (FSAppAttempt appSched : runnableApps) {
+      apps.add(appSched.getApplicationAttemptId());
     }
-    for (AppSchedulable appSched : nonRunnableAppScheds) {
-      apps.add(appSched.getApp().getApplicationAttemptId());
+    for (FSAppAttempt appSched : nonRunnableApps) {
+      apps.add(appSched.getApplicationAttemptId());
     }
   }
 
@@ -145,10 +143,10 @@ public Resource getDemand() {
   @Override
   public Resource getResourceUsage() {
     Resource usage = Resources.createResource(0);
-    for (AppSchedulable app : runnableAppScheds) {
+    for (FSAppAttempt app : runnableApps) {
       Resources.addTo(usage, app.getResourceUsage());
     }
-    for (AppSchedulable app : nonRunnableAppScheds) {
+    for (FSAppAttempt app : nonRunnableApps) {
       Resources.addTo(usage, app.getResourceUsage());
     }
     return usage;
@@ -165,13 +163,13 @@ public void updateDemand() {
     Resource maxRes = scheduler.getAllocationConfiguration()
         .getMaxResources(getName());
     demand = Resources.createResource(0);
-    for (AppSchedulable sched : runnableAppScheds) {
+    for (FSAppAttempt sched : runnableApps) {
       if (Resources.equals(demand, maxRes)) {
         break;
       }
       updateDemandForApp(sched, maxRes);
     }
-    for (AppSchedulable sched : nonRunnableAppScheds) {
+    for (FSAppAttempt sched : nonRunnableApps) {
       if (Resources.equals(demand, maxRes)) {
         break;
       }
@@ -183,7 +181,7 @@ public void updateDemand() {
     }
   }
   
-  private void updateDemandForApp(AppSchedulable sched, Resource maxRes) {
+  private void updateDemandForApp(FSAppAttempt sched, Resource maxRes) {
     sched.updateDemand();
     Resource toAdd = sched.getDemand();
     if (LOG.isDebugEnabled()) {
@@ -207,9 +205,9 @@ public Resource assignContainer(FSSchedulerNode node) {
     }
 
     Comparator<Schedulable> comparator = policy.getComparator();
-    Collections.sort(runnableAppScheds, comparator);
-    for (AppSchedulable sched : runnableAppScheds) {
-      if (SchedulerAppUtils.isBlacklisted(sched.getApp(), node, LOG)) {
+    Collections.sort(runnableApps, comparator);
+    for (FSAppAttempt sched : runnableApps) {
+      if (SchedulerAppUtils.isBlacklisted(sched, node, LOG)) {
         continue;
       }
 
@@ -237,8 +235,8 @@ public RMContainer preemptContainer() {
 
     // Choose the app that is most over fair share
     Comparator<Schedulable> comparator = policy.getComparator();
-    AppSchedulable candidateSched = null;
-    for (AppSchedulable sched : runnableAppScheds) {
+    FSAppAttempt candidateSched = null;
+    for (FSAppAttempt sched : runnableApps) {
       if (candidateSched == null ||
           comparator.compare(sched, candidateSched) > 0) {
         candidateSched = sched;
@@ -291,7 +289,7 @@ public void setLastTimeAtHalfFairShare(long lastTimeAtHalfFairShare) {
 
   @Override
   public int getNumRunnableApps() {
-    return runnableAppScheds.size();
+    return runnableApps.size();
   }
   
   @Override
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
index 1e94046100a..c071c73321d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
@@ -39,7 +39,8 @@
 
 @Private
 @Unstable
-public abstract class FSQueue extends Schedulable implements Queue {
+public abstract class FSQueue implements Queue, Schedulable {
+  private Resource fairShare = Resources.createResource(0, 0);
   private final String name;
   protected final FairScheduler scheduler;
   private final FSQueueMetrics metrics;
@@ -139,10 +140,15 @@ public QueueInfo getQueueInfo(boolean includeChildQueues, boolean recursive) {
   public FSQueueMetrics getMetrics() {
     return metrics;
   }
-  
+
+  /** Get the fair share assigned to this Schedulable. */
+  public Resource getFairShare() {
+    return fairShare;
+  }
+
   @Override
   public void setFairShare(Resource fairShare) {
-    super.setFairShare(fairShare);
+    this.fairShare = fairShare;
     metrics.setFairShare(fairShare);
   }
   
@@ -187,4 +193,16 @@ protected boolean assignContainerPreCheck(FSSchedulerNode node) {
     }
     return true;
   }
+
+  @Override
+  public boolean isActive() {
+    return getNumRunnableApps() > 0;
+  }
+
+  /** Convenient toString implementation for debugging. */
+  @Override
+  public String toString() {
+    return String.format("[%s, demand=%s, running=%s, share=%s, w=%s]",
+        getName(), getDemand(), getResourceUsage(), fairShare, getWeights());
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSSchedulerNode.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSSchedulerNode.java
index 69f2ab3d844..be08dff397a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSSchedulerNode.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSSchedulerNode.java
@@ -35,7 +35,7 @@ public class FSSchedulerNode extends SchedulerNode {
 
   private static final Log LOG = LogFactory.getLog(FSSchedulerNode.class);
 
-  private AppSchedulable reservedAppSchedulable;
+  private FSAppAttempt reservedAppSchedulable;
 
   public FSSchedulerNode(RMNode node, boolean usePortForNodeName) {
     super(node, usePortForNodeName);
@@ -76,7 +76,7 @@ public synchronized void reserveResource(
           " on node " + this + " for application " + application);
     }
     setReservedContainer(container);
-    this.reservedAppSchedulable = ((FSSchedulerApp) application).getAppSchedulable();
+    this.reservedAppSchedulable = (FSAppAttempt) application;
   }
 
   @Override
@@ -98,7 +98,7 @@ public synchronized void unreserveResource(
     this.reservedAppSchedulable = null;
   }
 
-  public synchronized AppSchedulable getReservedAppSchedulable() {
+  public synchronized FSAppAttempt getReservedAppSchedulable() {
     return reservedAppSchedulable;
   }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
index 8765ba04dc7..4748d73e038 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
@@ -117,7 +117,7 @@
 @Unstable
 @SuppressWarnings("unchecked")
 public class FairScheduler extends
-    AbstractYarnScheduler<FSSchedulerApp, FSSchedulerNode> {
+    AbstractYarnScheduler<FSAppAttempt, FSSchedulerNode> {
   private FairSchedulerConfiguration conf;
 
   private Resource incrAllocation;
@@ -432,8 +432,8 @@ protected void preemptResources(Resource toPreempt) {
     try {
       // Reset preemptedResource for each app
       for (FSLeafQueue queue : getQueueManager().getLeafQueues()) {
-        for (AppSchedulable app : queue.getRunnableAppSchedulables()) {
-          app.getApp().resetPreemptedResources();
+        for (FSAppAttempt app : queue.getRunnableAppSchedulables()) {
+          app.resetPreemptedResources();
         }
       }
 
@@ -453,8 +453,8 @@ protected void preemptResources(Resource toPreempt) {
     } finally {
       // Clear preemptedResources for each app
       for (FSLeafQueue queue : getQueueManager().getLeafQueues()) {
-        for (AppSchedulable app : queue.getRunnableAppSchedulables()) {
-          app.getApp().clearPreemptedResources();
+        for (FSAppAttempt app : queue.getRunnableAppSchedulables()) {
+          app.clearPreemptedResources();
         }
       }
     }
@@ -465,7 +465,7 @@ protected void preemptResources(Resource toPreempt) {
   
   protected void warnOrKillContainer(RMContainer container) {
     ApplicationAttemptId appAttemptId = container.getApplicationAttemptId();
-    FSSchedulerApp app = getSchedulerApp(appAttemptId);
+    FSAppAttempt app = getSchedulerApp(appAttemptId);
     FSLeafQueue queue = app.getQueue();
     LOG.info("Preempting container (prio=" + container.getContainer().getPriority() +
         "res=" + container.getContainer().getResource() +
@@ -490,7 +490,7 @@ protected void warnOrKillContainer(RMContainer container) {
             (getClock().getTime() - time) + "ms)");
       }
     } else {
-      // track the request in the FSSchedulerApp itself
+      // track the request in the FSAppAttempt itself
       app.addPreemption(container, getClock().getTime());
     }
   }
@@ -541,7 +541,7 @@ protected Resource resToPreempt(FSLeafQueue sched, long curTime) {
   }
 
   // synchronized for sizeBasedWeight
-  public synchronized ResourceWeights getAppWeight(AppSchedulable app) {
+  public synchronized ResourceWeights getAppWeight(FSAppAttempt app) {
     double weight = 1.0;
     if (sizeBasedWeight) {
       // Set weight based on current memory demand
@@ -636,8 +636,8 @@ protected synchronized void addApplication(ApplicationId applicationId,
       return;
     }
   
-    SchedulerApplication<FSSchedulerApp> application =
-        new SchedulerApplication<FSSchedulerApp>(queue, user);
+    SchedulerApplication<FSAppAttempt> application =
+        new SchedulerApplication<FSAppAttempt>(queue, user);
     applications.put(applicationId, application);
     queue.getMetrics().submitApp(user);
 
@@ -661,13 +661,13 @@ protected synchronized void addApplicationAttempt(
       ApplicationAttemptId applicationAttemptId,
       boolean transferStateFromPreviousAttempt,
       boolean isAttemptRecovering) {
-    SchedulerApplication<FSSchedulerApp> application =
+    SchedulerApplication<FSAppAttempt> application =
         applications.get(applicationAttemptId.getApplicationId());
     String user = application.getUser();
     FSLeafQueue queue = (FSLeafQueue) application.getQueue();
 
-    FSSchedulerApp attempt =
-        new FSSchedulerApp(applicationAttemptId, user,
+    FSAppAttempt attempt =
+        new FSAppAttempt(this, applicationAttemptId, user,
             queue, new ActiveUsersManager(getRootQueueMetrics()),
             rmContext);
     if (transferStateFromPreviousAttempt) {
@@ -742,7 +742,7 @@ FSLeafQueue assignToQueue(RMApp rmApp, String queueName, String user) {
 
   private synchronized void removeApplication(ApplicationId applicationId,
       RMAppState finalState) {
-    SchedulerApplication<FSSchedulerApp> application =
+    SchedulerApplication<FSAppAttempt> application =
         applications.get(applicationId);
     if (application == null){
       LOG.warn("Couldn't find application " + applicationId);
@@ -757,9 +757,9 @@ private synchronized void removeApplicationAttempt(
       RMAppAttemptState rmAppAttemptFinalState, boolean keepContainers) {
     LOG.info("Application " + applicationAttemptId + " is done." +
         " finalState=" + rmAppAttemptFinalState);
-    SchedulerApplication<FSSchedulerApp> application =
+    SchedulerApplication<FSAppAttempt> application =
         applications.get(applicationAttemptId.getApplicationId());
-    FSSchedulerApp attempt = getSchedulerApp(applicationAttemptId);
+    FSAppAttempt attempt = getSchedulerApp(applicationAttemptId);
 
     if (attempt == null || application == null) {
       LOG.info("Unknown application " + applicationAttemptId + " has completed!");
@@ -820,7 +820,7 @@ private synchronized void completedContainer(RMContainer rmContainer,
     Container container = rmContainer.getContainer();
 
     // Get the application for the finished container
-    FSSchedulerApp application =
+    FSAppAttempt application =
         getCurrentAttemptForContainer(container.getId());
     ApplicationId appId =
         container.getId().getApplicationAttemptId().getApplicationId();
@@ -835,8 +835,7 @@ private synchronized void completedContainer(RMContainer rmContainer,
     FSSchedulerNode node = getFSSchedulerNode(container.getNodeId());
 
     if (rmContainer.getState() == RMContainerState.RESERVED) {
-      application.unreserve(node, rmContainer.getReservedPriority());
-      node.unreserveResource(application);
+      application.unreserve(rmContainer.getReservedPriority(), node);
     } else {
       application.containerCompleted(rmContainer, containerStatus, event);
       node.releaseContainer(container);
@@ -896,7 +895,7 @@ public Allocation allocate(ApplicationAttemptId appAttemptId,
       List<ResourceRequest> ask, List<ContainerId> release, List<String> blacklistAdditions, List<String> blacklistRemovals) {
 
     // Make sure this application exists
-    FSSchedulerApp application = getSchedulerApp(appAttemptId);
+    FSAppAttempt application = getSchedulerApp(appAttemptId);
     if (application == null) {
       LOG.info("Calling allocate on removed " +
           "or non existant application " + appAttemptId);
@@ -1066,13 +1065,13 @@ private synchronized void attemptScheduling(FSSchedulerNode node) {
     // 1. Check for reserved applications
     // 2. Schedule if there are no reservations
 
-    AppSchedulable reservedAppSchedulable = node.getReservedAppSchedulable();
+    FSAppAttempt reservedAppSchedulable = node.getReservedAppSchedulable();
     if (reservedAppSchedulable != null) {
       Priority reservedPriority = node.getReservedContainer().getReservedPriority();
       if (!reservedAppSchedulable.hasContainerForNode(reservedPriority, node)) {
         // Don't hold the reservation if app can no longer use it
         LOG.info("Releasing reservation that cannot be satisfied for application "
-            + reservedAppSchedulable.getApp().getApplicationAttemptId()
+            + reservedAppSchedulable.getApplicationAttemptId()
             + " on node " + node);
         reservedAppSchedulable.unreserve(reservedPriority, node);
         reservedAppSchedulable = null;
@@ -1080,7 +1079,7 @@ private synchronized void attemptScheduling(FSSchedulerNode node) {
         // Reservation exists; try to fulfill the reservation
         if (LOG.isDebugEnabled()) {
           LOG.debug("Trying to fulfill reservation for application "
-              + reservedAppSchedulable.getApp().getApplicationAttemptId()
+              + reservedAppSchedulable.getApplicationAttemptId()
               + " on node: " + node);
         }
         
@@ -1105,8 +1104,8 @@ private synchronized void attemptScheduling(FSSchedulerNode node) {
     updateRootQueueMetrics();
   }
 
-  public FSSchedulerApp getSchedulerApp(ApplicationAttemptId appAttemptId) {
-    return (FSSchedulerApp) super.getApplicationAttempt(appAttemptId);
+  public FSAppAttempt getSchedulerApp(ApplicationAttemptId appAttemptId) {
+    return super.getApplicationAttempt(appAttemptId);
   }
   
   /**
@@ -1268,8 +1267,8 @@ private synchronized void initScheduler(Configuration conf)
     fsOpDurations = FSOpDurations.getInstance(true);
 
     // This stores per-application scheduling information
-    this.applications =
-        new ConcurrentHashMap<ApplicationId,SchedulerApplication<FSSchedulerApp>>();
+    this.applications = new ConcurrentHashMap<
+        ApplicationId, SchedulerApplication<FSAppAttempt>>();
     this.eventLog = new FairSchedulerEventLog();
     eventLog.init(this.conf);
 
@@ -1369,7 +1368,7 @@ public QueueInfo getQueueInfo(String queueName, boolean includeChildQueues,
 
   @Override
   public List<QueueUserACLInfo> getQueueUserAclInfo() {
-    UserGroupInformation user = null;
+    UserGroupInformation user;
     try {
       user = UserGroupInformation.getCurrentUser();
     } catch (IOException ioe) {
@@ -1431,11 +1430,11 @@ public List<ApplicationAttemptId> getAppsInQueue(String queueName) {
   @Override
   public synchronized String moveApplication(ApplicationId appId,
       String queueName) throws YarnException {
-    SchedulerApplication<FSSchedulerApp> app = applications.get(appId);
+    SchedulerApplication<FSAppAttempt> app = applications.get(appId);
     if (app == null) {
       throw new YarnException("App to be moved " + appId + " not found.");
     }
-    FSSchedulerApp attempt = (FSSchedulerApp) app.getCurrentAppAttempt();
+    FSAppAttempt attempt = (FSAppAttempt) app.getCurrentAppAttempt();
     // To serialize with FairScheduler#allocate, synchronize on app attempt
     synchronized (attempt) {
       FSLeafQueue oldQueue = (FSLeafQueue) app.getQueue();
@@ -1448,8 +1447,7 @@ public synchronized String moveApplication(ApplicationId appId,
         return oldQueue.getQueueName();
       }
       
-      if (oldQueue.getRunnableAppSchedulables().contains(
-          attempt.getAppSchedulable())) {
+      if (oldQueue.getRunnableAppSchedulables().contains(attempt)) {
         verifyMoveDoesNotViolateConstraints(attempt, oldQueue, targetQueue);
       }
       
@@ -1458,7 +1456,7 @@ public synchronized String moveApplication(ApplicationId appId,
     }
   }
   
-  private void verifyMoveDoesNotViolateConstraints(FSSchedulerApp app,
+  private void verifyMoveDoesNotViolateConstraints(FSAppAttempt app,
       FSLeafQueue oldQueue, FSLeafQueue targetQueue) throws YarnException {
     String queueName = targetQueue.getQueueName();
     ApplicationAttemptId appAttId = app.getApplicationAttemptId();
@@ -1495,8 +1493,8 @@ private void verifyMoveDoesNotViolateConstraints(FSSchedulerApp app,
    * Helper for moveApplication, which has appropriate synchronization, so all
    * operations will be atomic.
    */
-  private void executeMove(SchedulerApplication<FSSchedulerApp> app,
-      FSSchedulerApp attempt, FSLeafQueue oldQueue, FSLeafQueue newQueue) {
+  private void executeMove(SchedulerApplication<FSAppAttempt> app,
+      FSAppAttempt attempt, FSLeafQueue oldQueue, FSLeafQueue newQueue) {
     boolean wasRunnable = oldQueue.removeApp(attempt);
     // if app was not runnable before, it may be runnable now
     boolean nowRunnable = maxRunningEnforcer.canAppBeRunnable(newQueue,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FifoAppComparator.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FifoAppComparator.java
index c87f4ca6b8c..1b75740a155 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FifoAppComparator.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FifoAppComparator.java
@@ -25,15 +25,15 @@
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 
 /**
- * Order {@link AppSchedulable} objects by priority and then by submit time, as
+ * Order {@link FSAppAttempt} objects by priority and then by submit time, as
  * in the default scheduler in Hadoop.
  */
 @Private
 @Unstable
-public class FifoAppComparator implements Comparator<AppSchedulable>, Serializable {
+public class FifoAppComparator implements Comparator<FSAppAttempt>, Serializable {
   private static final long serialVersionUID = 3428835083489547918L;
 
-  public int compare(AppSchedulable a1, AppSchedulable a2) {
+  public int compare(FSAppAttempt a1, FSAppAttempt a2) {
     int res = a1.getPriority().compareTo(a2.getPriority());
     if (res == 0) {
       if (a1.getStartTime() < a2.getStartTime()) {
@@ -44,7 +44,7 @@ public int compare(AppSchedulable a1, AppSchedulable a2) {
     }
     if (res == 0) {
       // If there is a tie, break it by app ID to get a deterministic order
-      res = a1.getApp().getApplicationId().compareTo(a2.getApp().getApplicationId());
+      res = a1.getApplicationId().compareTo(a2.getApplicationId());
     }
     return res;
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/MaxRunningAppsEnforcer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/MaxRunningAppsEnforcer.java
index 359519a2f29..feeda1e90c8 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/MaxRunningAppsEnforcer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/MaxRunningAppsEnforcer.java
@@ -43,7 +43,7 @@ public class MaxRunningAppsEnforcer {
   // Tracks the number of running applications by user.
   private final Map<String, Integer> usersNumRunnableApps;
   @VisibleForTesting
-  final ListMultimap<String, AppSchedulable> usersNonRunnableApps;
+  final ListMultimap<String, FSAppAttempt> usersNonRunnableApps;
 
   public MaxRunningAppsEnforcer(FairScheduler scheduler) {
     this.scheduler = scheduler;
@@ -80,7 +80,7 @@ public boolean canAppBeRunnable(FSQueue queue, String user) {
    * Tracks the given new runnable app for purposes of maintaining max running
    * app limits.
    */
-  public void trackRunnableApp(FSSchedulerApp app) {
+  public void trackRunnableApp(FSAppAttempt app) {
     String user = app.getUser();
     FSLeafQueue queue = app.getQueue();
     // Increment running counts for all parent queues
@@ -99,9 +99,9 @@ public void trackRunnableApp(FSSchedulerApp app) {
    * Tracks the given new non runnable app so that it can be made runnable when
    * it would not violate max running app limits.
    */
-  public void trackNonRunnableApp(FSSchedulerApp app) {
+  public void trackNonRunnableApp(FSAppAttempt app) {
     String user = app.getUser();
-    usersNonRunnableApps.put(user, app.getAppSchedulable());
+    usersNonRunnableApps.put(user, app);
   }
 
   /**
@@ -111,7 +111,7 @@ public void trackNonRunnableApp(FSSchedulerApp app) {
    * Runs in O(n log(n)) where n is the number of queues that are under the
    * highest queue that went from having no slack to having slack.
    */
-  public void updateRunnabilityOnAppRemoval(FSSchedulerApp app, FSLeafQueue queue) {
+  public void updateRunnabilityOnAppRemoval(FSAppAttempt app, FSLeafQueue queue) {
     AllocationConfiguration allocConf = scheduler.getAllocationConfiguration();
     
     // childqueueX might have no pending apps itself, but if a queue higher up
@@ -133,8 +133,8 @@ public void updateRunnabilityOnAppRemoval(FSSchedulerApp app, FSLeafQueue queue)
       parent = parent.getParent();
     }
 
-    List<List<AppSchedulable>> appsNowMaybeRunnable =
-        new ArrayList<List<AppSchedulable>>();
+    List<List<FSAppAttempt>> appsNowMaybeRunnable =
+        new ArrayList<List<FSAppAttempt>>();
 
     // Compile lists of apps which may now be runnable
     // We gather lists instead of building a set of all non-runnable apps so
@@ -150,26 +150,26 @@ public void updateRunnabilityOnAppRemoval(FSSchedulerApp app, FSLeafQueue queue)
       userNumRunning = 0;
     }
     if (userNumRunning == allocConf.getUserMaxApps(user) - 1) {
-      List<AppSchedulable> userWaitingApps = usersNonRunnableApps.get(user);
+      List<FSAppAttempt> userWaitingApps = usersNonRunnableApps.get(user);
       if (userWaitingApps != null) {
         appsNowMaybeRunnable.add(userWaitingApps);
       }
     }
 
     // Scan through and check whether this means that any apps are now runnable
-    Iterator<FSSchedulerApp> iter = new MultiListStartTimeIterator(
+    Iterator<FSAppAttempt> iter = new MultiListStartTimeIterator(
         appsNowMaybeRunnable);
-    FSSchedulerApp prev = null;
-    List<AppSchedulable> noLongerPendingApps = new ArrayList<AppSchedulable>();
+    FSAppAttempt prev = null;
+    List<FSAppAttempt> noLongerPendingApps = new ArrayList<FSAppAttempt>();
     while (iter.hasNext()) {
-      FSSchedulerApp next = iter.next();
+      FSAppAttempt next = iter.next();
       if (next == prev) {
         continue;
       }
 
       if (canAppBeRunnable(next.getQueue(), next.getUser())) {
         trackRunnableApp(next);
-        AppSchedulable appSched = next.getAppSchedulable();
+        FSAppAttempt appSched = next;
         next.getQueue().getRunnableAppSchedulables().add(appSched);
         noLongerPendingApps.add(appSched);
 
@@ -186,14 +186,14 @@ public void updateRunnabilityOnAppRemoval(FSSchedulerApp app, FSLeafQueue queue)
     // We remove the apps from their pending lists afterwards so that we don't
     // pull them out from under the iterator.  If they are not in these lists
     // in the first place, there is a bug.
-    for (AppSchedulable appSched : noLongerPendingApps) {
-      if (!appSched.getApp().getQueue().getNonRunnableAppSchedulables()
+    for (FSAppAttempt appSched : noLongerPendingApps) {
+      if (!appSched.getQueue().getNonRunnableAppSchedulables()
           .remove(appSched)) {
         LOG.error("Can't make app runnable that does not already exist in queue"
             + " as non-runnable: " + appSched + ". This should never happen.");
       }
       
-      if (!usersNonRunnableApps.remove(appSched.getApp().getUser(), appSched)) {
+      if (!usersNonRunnableApps.remove(appSched.getUser(), appSched)) {
         LOG.error("Waiting app " + appSched + " expected to be in "
         		+ "usersNonRunnableApps, but was not. This should never happen.");
       }
@@ -204,7 +204,7 @@ public void updateRunnabilityOnAppRemoval(FSSchedulerApp app, FSLeafQueue queue)
    * Updates the relevant tracking variables after a runnable app with the given
    * queue and user has been removed.
    */
-  public void untrackRunnableApp(FSSchedulerApp app) {
+  public void untrackRunnableApp(FSAppAttempt app) {
     // Update usersRunnableApps
     String user = app.getUser();
     int newUserNumRunning = usersNumRunnableApps.get(user) - 1;
@@ -226,8 +226,8 @@ public void untrackRunnableApp(FSSchedulerApp app) {
   /**
    * Stops tracking the given non-runnable app
    */
-  public void untrackNonRunnableApp(FSSchedulerApp app) {
-    usersNonRunnableApps.remove(app.getUser(), app.getAppSchedulable());
+  public void untrackNonRunnableApp(FSAppAttempt app) {
+    usersNonRunnableApps.remove(app.getUser(), app);
   }
 
   /**
@@ -235,7 +235,7 @@ public void untrackNonRunnableApp(FSSchedulerApp app) {
    * of non-runnable applications.
    */
   private void gatherPossiblyRunnableAppLists(FSQueue queue,
-      List<List<AppSchedulable>> appLists) {
+      List<List<FSAppAttempt>> appLists) {
     if (queue.getNumRunnableApps() < scheduler.getAllocationConfiguration()
         .getQueueMaxApps(queue.getName())) {
       if (queue instanceof FSLeafQueue) {
@@ -259,14 +259,14 @@ private void gatherPossiblyRunnableAppLists(FSQueue queue,
    * of O(num lists) time.
    */
   static class MultiListStartTimeIterator implements
-      Iterator<FSSchedulerApp> {
+      Iterator<FSAppAttempt> {
 
-    private List<AppSchedulable>[] appLists;
+    private List<FSAppAttempt>[] appLists;
     private int[] curPositionsInAppLists;
     private PriorityQueue<IndexAndTime> appListsByCurStartTime;
 
     @SuppressWarnings("unchecked")
-    public MultiListStartTimeIterator(List<List<AppSchedulable>> appListList) {
+    public MultiListStartTimeIterator(List<List<FSAppAttempt>> appListList) {
       appLists = appListList.toArray(new List[appListList.size()]);
       curPositionsInAppLists = new int[appLists.length];
       appListsByCurStartTime = new PriorityQueue<IndexAndTime>();
@@ -284,10 +284,10 @@ public boolean hasNext() {
     }
 
     @Override
-    public FSSchedulerApp next() {
+    public FSAppAttempt next() {
       IndexAndTime indexAndTime = appListsByCurStartTime.remove();
       int nextListIndex = indexAndTime.index;
-      AppSchedulable next = appLists[nextListIndex]
+      FSAppAttempt next = appLists[nextListIndex]
           .get(curPositionsInAppLists[nextListIndex]);
       curPositionsInAppLists[nextListIndex]++;
 
@@ -299,7 +299,7 @@ public FSSchedulerApp next() {
       }
       appListsByCurStartTime.add(indexAndTime);
 
-      return next.getApp();
+      return next;
     }
 
     @Override
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/NewAppWeightBooster.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/NewAppWeightBooster.java
index e77eed79568..fb32e565808 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/NewAppWeightBooster.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/NewAppWeightBooster.java
@@ -48,7 +48,7 @@ public void setConf(Configuration conf) {
     super.setConf(conf);
   }
 
-  public double adjustWeight(AppSchedulable app, double curWeight) {
+  public double adjustWeight(FSAppAttempt app, double curWeight) {
     long start = app.getStartTime();
     long now = System.currentTimeMillis();
     if (now - start < duration) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java
index 5134be4dce9..122b986defc 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java
@@ -27,20 +27,14 @@
 import org.apache.hadoop.yarn.util.resource.Resources;
 
 /**
- * A Schedulable represents an entity that can launch tasks, such as a job
- * or a queue. It provides a common interface so that algorithms such as fair
- * sharing can be applied both within a queue and across queues. There are
- * currently two types of Schedulables: JobSchedulables, which represent a
- * single job, and QueueSchedulables, which allocate among jobs in their queue.
- *
- * Separate sets of Schedulables are used for maps and reduces. Each queue has
- * both a mapSchedulable and a reduceSchedulable, and so does each job.
+ * A Schedulable represents an entity that can be scheduled such as an
+ * application or a queue. It provides a common interface so that algorithms
+ * such as fair sharing can be applied both within a queue and across queues.
  *
  * A Schedulable is responsible for three roles:
- * 1) It can launch tasks through assignTask().
- * 2) It provides information about the job/queue to the scheduler, including:
+ * 1) Assign resources through {@link #assignContainer}.
+ * 2) It provides information about the app/queue to the scheduler, including:
  *    - Demand (maximum number of tasks required)
- *    - Number of currently running tasks
  *    - Minimum share (for queues)
  *    - Job/queue weight (for fair sharing)
  *    - Start time and priority (for FIFO)
@@ -57,81 +51,61 @@
  */
 @Private
 @Unstable
-public abstract class Schedulable {
-  /** Fair share assigned to this Schedulable */
-  private Resource fairShare = Resources.createResource(0);
-
+public interface Schedulable {
   /**
    * Name of job/queue, used for debugging as well as for breaking ties in
    * scheduling order deterministically.
    */
-  public abstract String getName();
+  public String getName();
 
   /**
    * Maximum number of resources required by this Schedulable. This is defined as
    * number of currently utilized resources + number of unlaunched resources (that
    * are either not yet launched or need to be speculated).
    */
-  public abstract Resource getDemand();
+  public Resource getDemand();
 
   /** Get the aggregate amount of resources consumed by the schedulable. */
-  public abstract Resource getResourceUsage();
+  public Resource getResourceUsage();
 
   /** Minimum Resource share assigned to the schedulable. */
-  public abstract Resource getMinShare();
+  public Resource getMinShare();
 
   /** Maximum Resource share assigned to the schedulable. */
-  public abstract Resource getMaxShare();
+  public Resource getMaxShare();
 
   /** Job/queue weight in fair sharing. */
-  public abstract ResourceWeights getWeights();
+  public ResourceWeights getWeights();
 
   /** Start time for jobs in FIFO queues; meaningless for QueueSchedulables.*/
-  public abstract long getStartTime();
+  public long getStartTime();
 
  /** Job priority for jobs in FIFO queues; meaningless for QueueSchedulables. */
-  public abstract Priority getPriority();
+  public Priority getPriority();
 
   /** Refresh the Schedulable's demand and those of its children if any. */
-  public abstract void updateDemand();
+  public void updateDemand();
 
   /**
    * Assign a container on this node if possible, and return the amount of
    * resources assigned.
    */
-  public abstract Resource assignContainer(FSSchedulerNode node);
+  public Resource assignContainer(FSSchedulerNode node);
 
   /**
    * Preempt a container from this Schedulable if possible.
    */
-  public abstract RMContainer preemptContainer();
-
-  /** Assign a fair share to this Schedulable. */
-  public void setFairShare(Resource fairShare) {
-    this.fairShare = fairShare;
-  }
+  public RMContainer preemptContainer();
 
   /** Get the fair share assigned to this Schedulable. */
-  public Resource getFairShare() {
-    return fairShare;
-  }
+  public Resource getFairShare();
+
+  /** Assign a fair share to this Schedulable. */
+  public void setFairShare(Resource fairShare);
 
   /**
    * Returns true if queue has atleast one app running. Always returns true for
    * AppSchedulables.
    */
-  public boolean isActive() {
-    if (this instanceof FSQueue) {
-      FSQueue queue = (FSQueue) this;
-      return queue.getNumRunnableApps() > 0;
-    }
-    return true;
-  }
-
-  /** Convenient toString implementation for debugging. */
-  @Override
-  public String toString() {
-    return String.format("[%s, demand=%s, running=%s, share=%s, w=%s]",
-        getName(), getDemand(), getResourceUsage(), fairShare, getWeights());
-  }
+  public boolean isActive();
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/WeightAdjuster.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/WeightAdjuster.java
index 1a9467fc003..67364ed6e91 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/WeightAdjuster.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/WeightAdjuster.java
@@ -32,5 +32,5 @@
 @Private
 @Unstable
 public interface WeightAdjuster {
-  public double adjustWeight(AppSchedulable app, double curWeight);
+  public double adjustWeight(FSAppAttempt app, double curWeight);
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerInfo.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerInfo.java
index f136f940107..23f8c01c38a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerInfo.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerInfo.java
@@ -46,8 +46,7 @@ public FairSchedulerInfo(FairScheduler fs) {
   }
   
   public int getAppFairShare(ApplicationAttemptId appAttemptId) {
-    return scheduler.getSchedulerApp(appAttemptId).
-        getAppSchedulable().getFairShare().getMemory();
+    return scheduler.getSchedulerApp(appAttemptId).getFairShare().getMemory();
   }
   
   public FairSchedulerQueueInfo getRootQueueInfo() {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerLeafQueueInfo.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerLeafQueueInfo.java
index 5cdfb2abdf7..d389b9f0765 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerLeafQueueInfo.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerLeafQueueInfo.java
@@ -24,7 +24,8 @@
 import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlRootElement;
 
-import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.AppSchedulable;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair
+    .FSAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSLeafQueue;
 
@@ -39,9 +40,9 @@ public FairSchedulerLeafQueueInfo() {
   
   public FairSchedulerLeafQueueInfo(FSLeafQueue queue, FairScheduler scheduler) {
     super(queue, scheduler);
-    Collection<AppSchedulable> apps = queue.getRunnableAppSchedulables();
-    for (AppSchedulable app : apps) {
-      if (app.getApp().isPending()) {
+    Collection<FSAppAttempt> apps = queue.getRunnableAppSchedulables();
+    for (FSAppAttempt app : apps) {
+      if (app.isPending()) {
         numPendingApps++;
       } else {
         numActiveApps++;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FakeSchedulable.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FakeSchedulable.java
index dcfc2d3aa2f..5bd52ab7a07 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FakeSchedulable.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FakeSchedulable.java
@@ -28,10 +28,11 @@
 /**
  * Dummy implementation of Schedulable for unit testing.
  */
-public class FakeSchedulable extends Schedulable {
+public class FakeSchedulable implements Schedulable {
   private Resource usage;
   private Resource minShare;
   private Resource maxShare;
+  private Resource fairShare;
   private ResourceWeights weights;
   private Priority priority;
   private long startTime;
@@ -89,6 +90,21 @@ public RMContainer preemptContainer() {
     return null;
   }
 
+  @Override
+  public Resource getFairShare() {
+    return this.fairShare;
+  }
+
+  @Override
+  public void setFairShare(Resource fairShare) {
+    this.fairShare = fairShare;
+  }
+
+  @Override
+  public boolean isActive() {
+    return true;
+  }
+
   @Override
   public Resource getDemand() {
     return null;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSAppAttempt.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSAppAttempt.java
new file mode 100644
index 00000000000..0ab1f70147b
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSAppAttempt.java
@@ -0,0 +1,188 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import static org.junit.Assert.assertEquals;
+
+import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
+import org.apache.hadoop.yarn.api.records.Priority;
+import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.NodeType;
+import org.apache.hadoop.yarn.util.Clock;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+public class TestFSAppAttempt extends FairSchedulerTestBase {
+
+  private class MockClock implements Clock {
+    private long time = 0;
+    @Override
+    public long getTime() {
+      return time;
+    }
+
+    public void tick(int seconds) {
+      time = time + seconds * 1000;
+    }
+
+  }
+
+  @Before
+  public void setup() {
+    Configuration conf = createConfiguration();
+    resourceManager = new MockRM(conf);
+    resourceManager.start();
+    scheduler = (FairScheduler) resourceManager.getResourceScheduler();
+  }
+
+  @Test
+  public void testDelayScheduling() {
+    FSLeafQueue queue = Mockito.mock(FSLeafQueue.class);
+    Priority prio = Mockito.mock(Priority.class);
+    Mockito.when(prio.getPriority()).thenReturn(1);
+    double nodeLocalityThreshold = .5;
+    double rackLocalityThreshold = .6;
+
+    ApplicationAttemptId applicationAttemptId = createAppAttemptId(1, 1);
+    RMContext rmContext = resourceManager.getRMContext();
+    FSAppAttempt schedulerApp =
+        new FSAppAttempt(scheduler, applicationAttemptId, "user1", queue ,
+            null, rmContext);
+
+    // Default level should be node-local
+    assertEquals(NodeType.NODE_LOCAL, schedulerApp.getAllowedLocalityLevel(
+        prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
+
+    // First five scheduling opportunities should remain node local
+    for (int i = 0; i < 5; i++) {
+      schedulerApp.addSchedulingOpportunity(prio);
+      assertEquals(NodeType.NODE_LOCAL, schedulerApp.getAllowedLocalityLevel(
+          prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
+    }
+
+    // After five it should switch to rack local
+    schedulerApp.addSchedulingOpportunity(prio);
+    assertEquals(NodeType.RACK_LOCAL, schedulerApp.getAllowedLocalityLevel(
+        prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
+
+    // Manually set back to node local
+    schedulerApp.resetAllowedLocalityLevel(prio, NodeType.NODE_LOCAL);
+    schedulerApp.resetSchedulingOpportunities(prio);
+    assertEquals(NodeType.NODE_LOCAL, schedulerApp.getAllowedLocalityLevel(
+        prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
+
+    // Now escalate again to rack-local, then to off-switch
+    for (int i = 0; i < 5; i++) {
+      schedulerApp.addSchedulingOpportunity(prio);
+      assertEquals(NodeType.NODE_LOCAL, schedulerApp.getAllowedLocalityLevel(
+          prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
+    }
+
+    schedulerApp.addSchedulingOpportunity(prio);
+    assertEquals(NodeType.RACK_LOCAL, schedulerApp.getAllowedLocalityLevel(
+        prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
+
+    for (int i = 0; i < 6; i++) {
+      schedulerApp.addSchedulingOpportunity(prio);
+      assertEquals(NodeType.RACK_LOCAL, schedulerApp.getAllowedLocalityLevel(
+          prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
+    }
+
+    schedulerApp.addSchedulingOpportunity(prio);
+    assertEquals(NodeType.OFF_SWITCH, schedulerApp.getAllowedLocalityLevel(
+        prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
+  }
+
+  @Test
+  public void testDelaySchedulingForContinuousScheduling()
+          throws InterruptedException {
+    FSLeafQueue queue = scheduler.getQueueManager().getLeafQueue("queue", true);
+    Priority prio = Mockito.mock(Priority.class);
+    Mockito.when(prio.getPriority()).thenReturn(1);
+
+    MockClock clock = new MockClock();
+    scheduler.setClock(clock);
+
+    long nodeLocalityDelayMs = 5 * 1000L;    // 5 seconds
+    long rackLocalityDelayMs = 6 * 1000L;    // 6 seconds
+
+    RMContext rmContext = resourceManager.getRMContext();
+    ApplicationAttemptId applicationAttemptId = createAppAttemptId(1, 1);
+    FSAppAttempt schedulerApp =
+            new FSAppAttempt(scheduler, applicationAttemptId, "user1", queue,
+                    null, rmContext);
+
+    // Default level should be node-local
+    assertEquals(NodeType.NODE_LOCAL,
+            schedulerApp.getAllowedLocalityLevelByTime(prio,
+                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
+
+    // after 4 seconds should remain node local
+    clock.tick(4);
+    assertEquals(NodeType.NODE_LOCAL,
+            schedulerApp.getAllowedLocalityLevelByTime(prio,
+                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
+
+    // after 6 seconds should switch to rack local
+    clock.tick(2);
+    assertEquals(NodeType.RACK_LOCAL,
+            schedulerApp.getAllowedLocalityLevelByTime(prio,
+                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
+
+    // manually set back to node local
+    schedulerApp.resetAllowedLocalityLevel(prio, NodeType.NODE_LOCAL);
+    schedulerApp.resetSchedulingOpportunities(prio, clock.getTime());
+    assertEquals(NodeType.NODE_LOCAL,
+            schedulerApp.getAllowedLocalityLevelByTime(prio,
+                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
+
+    // Now escalate again to rack-local, then to off-switch
+    clock.tick(6);
+    assertEquals(NodeType.RACK_LOCAL,
+            schedulerApp.getAllowedLocalityLevelByTime(prio,
+                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
+
+    clock.tick(7);
+    assertEquals(NodeType.OFF_SWITCH,
+            schedulerApp.getAllowedLocalityLevelByTime(prio,
+                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
+  }
+
+  @Test
+  /**
+   * Ensure that when negative paramaters are given (signaling delay scheduling
+   * no tin use), the least restrictive locality level is returned.
+   */
+  public void testLocalityLevelWithoutDelays() {
+    FSLeafQueue queue = Mockito.mock(FSLeafQueue.class);
+    Priority prio = Mockito.mock(Priority.class);
+    Mockito.when(prio.getPriority()).thenReturn(1);
+
+    RMContext rmContext = resourceManager.getRMContext();
+    ApplicationAttemptId applicationAttemptId = createAppAttemptId(1, 1);
+    FSAppAttempt schedulerApp =
+        new FSAppAttempt(scheduler, applicationAttemptId, "user1", queue ,
+            null, rmContext);
+    assertEquals(NodeType.OFF_SWITCH, schedulerApp.getAllowedLocalityLevel(
+        prio, 10, -1.0, -1.0));
+  }
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSLeafQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSLeafQueue.java
index 4c07ee885f6..7323b6ab050 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSLeafQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSLeafQueue.java
@@ -62,7 +62,7 @@ public void setup() throws IOException {
 
   @Test
   public void testUpdateDemand() {
-    AppSchedulable app = mock(AppSchedulable.class);
+    FSAppAttempt app = mock(FSAppAttempt.class);
     Mockito.when(app.getDemand()).thenReturn(maxResource);
 
     schedulable.addAppSchedulable(app);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
index 0ada021aa20..a7b1738cda7 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
@@ -58,7 +58,6 @@
 import org.apache.hadoop.yarn.api.records.Container;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.api.records.ContainerLaunchContext;
-import org.apache.hadoop.yarn.api.records.ContainerStatus;
 import org.apache.hadoop.yarn.api.records.FinalApplicationStatus;
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.api.records.Priority;
@@ -82,13 +81,11 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
-import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerEventType;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNode;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.AbstractYarnScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.QueueMetrics;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerApplicationAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerNode;
-import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerUtils;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.TestSchedulerUtils;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.AppAddedSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.AppAttemptAddedSchedulerEvent;
@@ -1539,7 +1536,7 @@ public void testReservationWhileMultiplePriorities() throws IOException {
     NodeUpdateSchedulerEvent updateEvent = new NodeUpdateSchedulerEvent(node1);
     scheduler.handle(updateEvent);
     
-    FSSchedulerApp app = scheduler.getSchedulerApp(attId);
+    FSAppAttempt app = scheduler.getSchedulerApp(attId);
     assertEquals(1, app.getLiveContainers().size());
     
     ContainerId containerId = scheduler.getSchedulerApp(attId)
@@ -1613,9 +1610,9 @@ public void testAclSubmitApplication() throws Exception {
     ApplicationAttemptId attId2 = createSchedulingRequest(1024, "queue1",
         "norealuserhasthisname2", 1);
 
-    FSSchedulerApp app1 = scheduler.getSchedulerApp(attId1);
+    FSAppAttempt app1 = scheduler.getSchedulerApp(attId1);
     assertNotNull("The application was not allowed", app1);
-    FSSchedulerApp app2 = scheduler.getSchedulerApp(attId2);
+    FSAppAttempt app2 = scheduler.getSchedulerApp(attId2);
     assertNull("The application was allowed", app2);
   }
   
@@ -1688,8 +1685,8 @@ public void testFifoWithinQueue() throws Exception {
         "user1", 2);
     ApplicationAttemptId attId2 = createSchedulingRequest(1024, "queue1",
         "user1", 2);
-    FSSchedulerApp app1 = scheduler.getSchedulerApp(attId1);
-    FSSchedulerApp app2 = scheduler.getSchedulerApp(attId2);
+    FSAppAttempt app1 = scheduler.getSchedulerApp(attId1);
+    FSAppAttempt app2 = scheduler.getSchedulerApp(attId2);
     
     FSLeafQueue queue1 = scheduler.getQueueManager().getLeafQueue("queue1", true);
     queue1.setPolicy(new FifoPolicy());
@@ -1731,7 +1728,7 @@ public void testMaxAssign() throws Exception {
 
     ApplicationAttemptId attId =
         createSchedulingRequest(1024, "root.default", "user", 8);
-    FSSchedulerApp app = scheduler.getSchedulerApp(attId);
+    FSAppAttempt app = scheduler.getSchedulerApp(attId);
 
     // set maxAssign to 2: only 2 containers should be allocated
     scheduler.maxAssign = 2;
@@ -1766,7 +1763,7 @@ public void testMaxAssignWithZeroMemoryContainers() throws Exception {
 
     ApplicationAttemptId attId =
         createSchedulingRequest(0, 1, "root.default", "user", 8);
-    FSSchedulerApp app = scheduler.getSchedulerApp(attId);
+    FSAppAttempt app = scheduler.getSchedulerApp(attId);
 
     // set maxAssign to 2: only 2 containers should be allocated
     scheduler.maxAssign = 2;
@@ -1830,10 +1827,10 @@ public void testAssignContainer() throws Exception {
     ApplicationAttemptId attId4 =
         createSchedulingRequest(1024, fifoQueue, user, 4);
 
-    FSSchedulerApp app1 = scheduler.getSchedulerApp(attId1);
-    FSSchedulerApp app2 = scheduler.getSchedulerApp(attId2);
-    FSSchedulerApp app3 = scheduler.getSchedulerApp(attId3);
-    FSSchedulerApp app4 = scheduler.getSchedulerApp(attId4);
+    FSAppAttempt app1 = scheduler.getSchedulerApp(attId1);
+    FSAppAttempt app2 = scheduler.getSchedulerApp(attId2);
+    FSAppAttempt app3 = scheduler.getSchedulerApp(attId3);
+    FSAppAttempt app4 = scheduler.getSchedulerApp(attId4);
 
     scheduler.getQueueManager().getLeafQueue(fifoQueue, true)
         .setPolicy(SchedulingPolicy.parse("fifo"));
@@ -1952,7 +1949,7 @@ public void testReservationThatDoesntFit() throws IOException {
     NodeUpdateSchedulerEvent updateEvent = new NodeUpdateSchedulerEvent(node1);
     scheduler.handle(updateEvent);
     
-    FSSchedulerApp app = scheduler.getSchedulerApp(attId);
+    FSAppAttempt app = scheduler.getSchedulerApp(attId);
     assertEquals(0, app.getLiveContainers().size());
     assertEquals(0, app.getReservedContainers().size());
     
@@ -2025,7 +2022,7 @@ public void testStrictLocality() throws IOException {
     NodeUpdateSchedulerEvent node2UpdateEvent = new NodeUpdateSchedulerEvent(node2);
 
     // no matter how many heartbeats, node2 should never get a container
-    FSSchedulerApp app = scheduler.getSchedulerApp(attId1);
+    FSAppAttempt app = scheduler.getSchedulerApp(attId1);
     for (int i = 0; i < 10; i++) {
       scheduler.handle(node2UpdateEvent);
       assertEquals(0, app.getLiveContainers().size());
@@ -2066,7 +2063,7 @@ public void testCancelStrictLocality() throws IOException {
     NodeUpdateSchedulerEvent node2UpdateEvent = new NodeUpdateSchedulerEvent(node2);
 
     // no matter how many heartbeats, node2 should never get a container
-    FSSchedulerApp app = scheduler.getSchedulerApp(attId1);
+    FSAppAttempt app = scheduler.getSchedulerApp(attId1);
     for (int i = 0; i < 10; i++) {
       scheduler.handle(node2UpdateEvent);
       assertEquals(0, app.getLiveContainers().size());
@@ -2101,7 +2098,7 @@ public void testReservationsStrictLocality() throws IOException {
 
     ApplicationAttemptId attId = createSchedulingRequest(1024, "queue1",
         "user1", 0);
-    FSSchedulerApp app = scheduler.getSchedulerApp(attId);
+    FSAppAttempt app = scheduler.getSchedulerApp(attId);
     
     ResourceRequest nodeRequest = createResourceRequest(1024, node2.getHostName(), 1, 2, true);
     ResourceRequest rackRequest = createResourceRequest(1024, "rack1", 1, 2, true);
@@ -2143,7 +2140,7 @@ public void testNoMoreCpuOnNode() throws IOException {
     
     ApplicationAttemptId attId = createSchedulingRequest(1024, 1, "default",
         "user1", 2);
-    FSSchedulerApp app = scheduler.getSchedulerApp(attId);
+    FSAppAttempt app = scheduler.getSchedulerApp(attId);
     scheduler.update();
 
     NodeUpdateSchedulerEvent updateEvent = new NodeUpdateSchedulerEvent(node1);
@@ -2165,10 +2162,10 @@ public void testBasicDRFAssignment() throws Exception {
 
     ApplicationAttemptId appAttId1 = createSchedulingRequest(2048, 1, "queue1",
         "user1", 2);
-    FSSchedulerApp app1 = scheduler.getSchedulerApp(appAttId1);
+    FSAppAttempt app1 = scheduler.getSchedulerApp(appAttId1);
     ApplicationAttemptId appAttId2 = createSchedulingRequest(1024, 2, "queue1",
         "user1", 2);
-    FSSchedulerApp app2 = scheduler.getSchedulerApp(appAttId2);
+    FSAppAttempt app2 = scheduler.getSchedulerApp(appAttId2);
 
     DominantResourceFairnessPolicy drfPolicy = new DominantResourceFairnessPolicy();
     drfPolicy.initialize(scheduler.getClusterResource());
@@ -2208,13 +2205,13 @@ public void testBasicDRFWithQueues() throws Exception {
 
     ApplicationAttemptId appAttId1 = createSchedulingRequest(3072, 1, "queue1",
         "user1", 2);
-    FSSchedulerApp app1 = scheduler.getSchedulerApp(appAttId1);
+    FSAppAttempt app1 = scheduler.getSchedulerApp(appAttId1);
     ApplicationAttemptId appAttId2 = createSchedulingRequest(2048, 2, "queue1",
         "user1", 2);
-    FSSchedulerApp app2 = scheduler.getSchedulerApp(appAttId2);
+    FSAppAttempt app2 = scheduler.getSchedulerApp(appAttId2);
     ApplicationAttemptId appAttId3 = createSchedulingRequest(1024, 2, "queue2",
         "user1", 2);
-    FSSchedulerApp app3 = scheduler.getSchedulerApp(appAttId3);
+    FSAppAttempt app3 = scheduler.getSchedulerApp(appAttId3);
     
     DominantResourceFairnessPolicy drfPolicy = new DominantResourceFairnessPolicy();
     drfPolicy.initialize(scheduler.getClusterResource());
@@ -2247,19 +2244,19 @@ public void testDRFHierarchicalQueues() throws Exception {
     ApplicationAttemptId appAttId1 = createSchedulingRequest(3074, 1, "queue1.subqueue1",
         "user1", 2);
     Thread.sleep(3); // so that start times will be different
-    FSSchedulerApp app1 = scheduler.getSchedulerApp(appAttId1);
+    FSAppAttempt app1 = scheduler.getSchedulerApp(appAttId1);
     ApplicationAttemptId appAttId2 = createSchedulingRequest(1024, 3, "queue1.subqueue1",
         "user1", 2);
     Thread.sleep(3); // so that start times will be different
-    FSSchedulerApp app2 = scheduler.getSchedulerApp(appAttId2);
+    FSAppAttempt app2 = scheduler.getSchedulerApp(appAttId2);
     ApplicationAttemptId appAttId3 = createSchedulingRequest(2048, 2, "queue1.subqueue2",
         "user1", 2);
     Thread.sleep(3); // so that start times will be different
-    FSSchedulerApp app3 = scheduler.getSchedulerApp(appAttId3);
+    FSAppAttempt app3 = scheduler.getSchedulerApp(appAttId3);
     ApplicationAttemptId appAttId4 = createSchedulingRequest(1024, 2, "queue2",
         "user1", 2);
     Thread.sleep(3); // so that start times will be different
-    FSSchedulerApp app4 = scheduler.getSchedulerApp(appAttId4);
+    FSAppAttempt app4 = scheduler.getSchedulerApp(appAttId4);
     
     DominantResourceFairnessPolicy drfPolicy = new DominantResourceFairnessPolicy();
     drfPolicy.initialize(scheduler.getClusterResource());
@@ -2341,7 +2338,7 @@ public void testHostPortNodeName() throws Exception {
         NodeUpdateSchedulerEvent(node2);
 
     // no matter how many heartbeats, node2 should never get a container  
-    FSSchedulerApp app = scheduler.getSchedulerApp(attId1);
+    FSAppAttempt app = scheduler.getSchedulerApp(attId1);
     for (int i = 0; i < 10; i++) {
       scheduler.handle(node2UpdateEvent);
       assertEquals(0, app.getLiveContainers().size());
@@ -2353,14 +2350,14 @@ public void testHostPortNodeName() throws Exception {
   }
 
   private void verifyAppRunnable(ApplicationAttemptId attId, boolean runnable) {
-    FSSchedulerApp app = scheduler.getSchedulerApp(attId);
+    FSAppAttempt app = scheduler.getSchedulerApp(attId);
     FSLeafQueue queue = app.getQueue();
-    Collection<AppSchedulable> runnableApps =
+    Collection<FSAppAttempt> runnableApps =
         queue.getRunnableAppSchedulables();
-    Collection<AppSchedulable> nonRunnableApps =
+    Collection<FSAppAttempt> nonRunnableApps =
         queue.getNonRunnableAppSchedulables();
-    assertEquals(runnable, runnableApps.contains(app.getAppSchedulable()));
-    assertEquals(!runnable, nonRunnableApps.contains(app.getAppSchedulable()));
+    assertEquals(runnable, runnableApps.contains(app));
+    assertEquals(!runnable, nonRunnableApps.contains(app));
   }
   
   private void verifyQueueNumRunnable(String queueName, int numRunnableInQueue,
@@ -2465,7 +2462,7 @@ public void testQueueMaxAMShare() throws Exception {
     ApplicationAttemptId attId1 = createAppAttemptId(1, 1);
     createApplicationWithAMResource(attId1, "queue1", "user1", amResource1);
     createSchedulingRequestExistingApplication(1024, 1, amPriority, attId1);
-    FSSchedulerApp app1 = scheduler.getSchedulerApp(attId1);
+    FSAppAttempt app1 = scheduler.getSchedulerApp(attId1);
     scheduler.update();
     scheduler.handle(updateEvent);
     assertEquals("Application1's AM requests 1024 MB memory",
@@ -2479,7 +2476,7 @@ public void testQueueMaxAMShare() throws Exception {
     ApplicationAttemptId attId2 = createAppAttemptId(2, 1);
     createApplicationWithAMResource(attId2, "queue1", "user1", amResource1);
     createSchedulingRequestExistingApplication(1024, 1, amPriority, attId2);
-    FSSchedulerApp app2 = scheduler.getSchedulerApp(attId2);
+    FSAppAttempt app2 = scheduler.getSchedulerApp(attId2);
     scheduler.update();
     scheduler.handle(updateEvent);
     assertEquals("Application2's AM requests 1024 MB memory",
@@ -2493,7 +2490,7 @@ public void testQueueMaxAMShare() throws Exception {
     ApplicationAttemptId attId3 = createAppAttemptId(3, 1);
     createApplicationWithAMResource(attId3, "queue1", "user1", amResource1);
     createSchedulingRequestExistingApplication(1024, 1, amPriority, attId3);
-    FSSchedulerApp app3 = scheduler.getSchedulerApp(attId3);
+    FSAppAttempt app3 = scheduler.getSchedulerApp(attId3);
     scheduler.update();
     scheduler.handle(updateEvent);
     assertEquals("Application3's AM requests 1024 MB memory",
@@ -2529,7 +2526,7 @@ public void testQueueMaxAMShare() throws Exception {
     ApplicationAttemptId attId4 = createAppAttemptId(4, 1);
     createApplicationWithAMResource(attId4, "queue1", "user1", amResource2);
     createSchedulingRequestExistingApplication(2048, 2, amPriority, attId4);
-    FSSchedulerApp app4 = scheduler.getSchedulerApp(attId4);
+    FSAppAttempt app4 = scheduler.getSchedulerApp(attId4);
     scheduler.update();
     scheduler.handle(updateEvent);
     assertEquals("Application4's AM requests 2048 MB memory",
@@ -2543,7 +2540,7 @@ public void testQueueMaxAMShare() throws Exception {
     ApplicationAttemptId attId5 = createAppAttemptId(5, 1);
     createApplicationWithAMResource(attId5, "queue1", "user1", amResource2);
     createSchedulingRequestExistingApplication(2048, 2, amPriority, attId5);
-    FSSchedulerApp app5 = scheduler.getSchedulerApp(attId5);
+    FSAppAttempt app5 = scheduler.getSchedulerApp(attId5);
     scheduler.update();
     scheduler.handle(updateEvent);
     assertEquals("Application5's AM requests 2048 MB memory",
@@ -2586,7 +2583,7 @@ public void testQueueMaxAMShare() throws Exception {
     ApplicationAttemptId attId6 = createAppAttemptId(6, 1);
     createApplicationWithAMResource(attId6, "queue1", "user1", amResource3);
     createSchedulingRequestExistingApplication(1860, 2, amPriority, attId6);
-    FSSchedulerApp app6 = scheduler.getSchedulerApp(attId6);
+    FSAppAttempt app6 = scheduler.getSchedulerApp(attId6);
     scheduler.update();
     scheduler.handle(updateEvent);
     assertEquals("Application6's AM should not be running",
@@ -2677,7 +2674,7 @@ public void testQueueMaxAMShareDefault() throws Exception {
     ApplicationAttemptId attId1 = createAppAttemptId(1, 1);
     createApplicationWithAMResource(attId1, "queue1", "test1", amResource1);
     createSchedulingRequestExistingApplication(2048, 1, amPriority, attId1);
-    FSSchedulerApp app1 = scheduler.getSchedulerApp(attId1);
+    FSAppAttempt app1 = scheduler.getSchedulerApp(attId1);
     scheduler.update();
     scheduler.handle(updateEvent);
     assertEquals("Application1's AM requests 2048 MB memory",
@@ -2691,7 +2688,7 @@ public void testQueueMaxAMShareDefault() throws Exception {
     ApplicationAttemptId attId2 = createAppAttemptId(2, 1);
     createApplicationWithAMResource(attId2, "queue2", "test1", amResource1);
     createSchedulingRequestExistingApplication(2048, 1, amPriority, attId2);
-    FSSchedulerApp app2 = scheduler.getSchedulerApp(attId2);
+    FSAppAttempt app2 = scheduler.getSchedulerApp(attId2);
     scheduler.update();
     scheduler.handle(updateEvent);
     assertEquals("Application2's AM requests 2048 MB memory",
@@ -2823,7 +2820,7 @@ public void testContinuousScheduling() throws Exception {
     // at least one pass
     Thread.sleep(fs.getConf().getContinuousSchedulingSleepMs() + 500);
 
-    FSSchedulerApp app = fs.getSchedulerApp(appAttemptId);
+    FSAppAttempt app = fs.getSchedulerApp(appAttemptId);
     // Wait until app gets resources.
     while (app.getCurrentConsumption().equals(Resources.none())) { }
 
@@ -3007,7 +3004,7 @@ public void testRecoverRequestAfterPreemption() throws Exception {
 
     assertEquals(1, scheduler.getSchedulerApp(appAttemptId).getLiveContainers()
         .size());
-    FSSchedulerApp app = scheduler.getSchedulerApp(appAttemptId);
+    FSAppAttempt app = scheduler.getSchedulerApp(appAttemptId);
 
     // ResourceRequest will be empty once NodeUpdate is completed
     Assert.assertNull(app.getResourceRequest(priority, host));
@@ -3063,7 +3060,7 @@ public void testBlacklistNodes() throws Exception {
 
     ApplicationAttemptId appAttemptId =
         createSchedulingRequest(GB, "root.default", "user", 1);
-    FSSchedulerApp app = scheduler.getSchedulerApp(appAttemptId);
+    FSAppAttempt app = scheduler.getSchedulerApp(appAttemptId);
 
     // Verify the blacklist can be updated independent of requesting containers
     scheduler.allocate(appAttemptId, Collections.<ResourceRequest>emptyList(),
@@ -3171,12 +3168,10 @@ public void testMoveRunnableApp() throws Exception {
     assertEquals(Resource.newInstance(3072, 3), oldQueue.getDemand());
     
     scheduler.moveApplication(appId, "queue2");
-    FSSchedulerApp app = scheduler.getSchedulerApp(appAttId);
+    FSAppAttempt app = scheduler.getSchedulerApp(appAttId);
     assertSame(targetQueue, app.getQueue());
-    assertFalse(oldQueue.getRunnableAppSchedulables()
-        .contains(app.getAppSchedulable()));
-    assertTrue(targetQueue.getRunnableAppSchedulables()
-        .contains(app.getAppSchedulable()));
+    assertFalse(oldQueue.getRunnableAppSchedulables().contains(app));
+    assertTrue(targetQueue.getRunnableAppSchedulables().contains(app));
     assertEquals(Resource.newInstance(0, 0), oldQueue.getResourceUsage());
     assertEquals(Resource.newInstance(1024, 1), targetQueue.getResourceUsage());
     assertEquals(0, oldQueue.getNumRunnableApps());
@@ -3224,17 +3219,13 @@ public void testMoveMakesAppRunnable() throws Exception {
     ApplicationAttemptId appAttId =
         createSchedulingRequest(1024, 1, "queue1", "user1", 3);
     
-    FSSchedulerApp app = scheduler.getSchedulerApp(appAttId);
-    assertTrue(oldQueue.getNonRunnableAppSchedulables()
-        .contains(app.getAppSchedulable()));
+    FSAppAttempt app = scheduler.getSchedulerApp(appAttId);
+    assertTrue(oldQueue.getNonRunnableAppSchedulables().contains(app));
     
     scheduler.moveApplication(appAttId.getApplicationId(), "queue2");
-    assertFalse(oldQueue.getNonRunnableAppSchedulables()
-        .contains(app.getAppSchedulable()));
-    assertFalse(targetQueue.getNonRunnableAppSchedulables()
-        .contains(app.getAppSchedulable()));
-    assertTrue(targetQueue.getRunnableAppSchedulables()
-        .contains(app.getAppSchedulable()));
+    assertFalse(oldQueue.getNonRunnableAppSchedulables().contains(app));
+    assertFalse(targetQueue.getNonRunnableAppSchedulables().contains(app));
+    assertTrue(targetQueue.getRunnableAppSchedulables().contains(app));
     assertEquals(1, targetQueue.getNumRunnableApps());
     assertEquals(1, queueMgr.getRootQueue().getNumRunnableApps());
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestMaxRunningAppsEnforcer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestMaxRunningAppsEnforcer.java
index cc738f5eb01..20ff2c9cd25 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestMaxRunningAppsEnforcer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestMaxRunningAppsEnforcer.java
@@ -42,12 +42,13 @@ public class TestMaxRunningAppsEnforcer {
   private int appNum;
   private TestFairScheduler.MockClock clock;
   private RMContext rmContext;
+  private FairScheduler scheduler;
   
   @Before
   public void setup() throws Exception {
     Configuration conf = new Configuration();
     clock = new TestFairScheduler.MockClock();
-    FairScheduler scheduler = mock(FairScheduler.class);
+    scheduler = mock(FairScheduler.class);
     when(scheduler.getConf()).thenReturn(
         new FairSchedulerConfiguration(conf));
     when(scheduler.getClock()).thenReturn(clock);
@@ -65,11 +66,11 @@ public void setup() throws Exception {
     when(rmContext.getEpoch()).thenReturn(0);
   }
   
-  private FSSchedulerApp addApp(FSLeafQueue queue, String user) {
+  private FSAppAttempt addApp(FSLeafQueue queue, String user) {
     ApplicationId appId = ApplicationId.newInstance(0l, appNum++);
     ApplicationAttemptId attId = ApplicationAttemptId.newInstance(appId, 0);
     boolean runnable = maxAppsEnforcer.canAppBeRunnable(queue, user);
-    FSSchedulerApp app = new FSSchedulerApp(attId, user, queue, null,
+    FSAppAttempt app = new FSAppAttempt(scheduler, attId, user, queue, null,
         rmContext);
     queue.addApp(app, runnable);
     if (runnable) {
@@ -80,7 +81,7 @@ private FSSchedulerApp addApp(FSLeafQueue queue, String user) {
     return app;
   }
   
-  private void removeApp(FSSchedulerApp app) {
+  private void removeApp(FSAppAttempt app) {
     app.getQueue().removeApp(app);
     maxAppsEnforcer.untrackRunnableApp(app);
     maxAppsEnforcer.updateRunnabilityOnAppRemoval(app, app.getQueue());
@@ -93,7 +94,7 @@ public void testRemoveDoesNotEnableAnyApp() {
     queueMaxApps.put("root", 2);
     queueMaxApps.put("root.queue1", 1);
     queueMaxApps.put("root.queue2", 1);
-    FSSchedulerApp app1 = addApp(leaf1, "user");
+    FSAppAttempt app1 = addApp(leaf1, "user");
     addApp(leaf2, "user");
     addApp(leaf2, "user");
     assertEquals(1, leaf1.getRunnableAppSchedulables().size());
@@ -110,7 +111,7 @@ public void testRemoveEnablesAppOnCousinQueue() {
     FSLeafQueue leaf1 = queueManager.getLeafQueue("root.queue1.subqueue1.leaf1", true);
     FSLeafQueue leaf2 = queueManager.getLeafQueue("root.queue1.subqueue2.leaf2", true);
     queueMaxApps.put("root.queue1", 2);
-    FSSchedulerApp app1 = addApp(leaf1, "user");
+    FSAppAttempt app1 = addApp(leaf1, "user");
     addApp(leaf2, "user");
     addApp(leaf2, "user");
     assertEquals(1, leaf1.getRunnableAppSchedulables().size());
@@ -128,7 +129,7 @@ public void testRemoveEnablesOneByQueueOneByUser() {
     FSLeafQueue leaf2 = queueManager.getLeafQueue("root.queue1.leaf2", true);
     queueMaxApps.put("root.queue1.leaf1", 2);
     userMaxApps.put("user1", 1);
-    FSSchedulerApp app1 = addApp(leaf1, "user1");
+    FSAppAttempt app1 = addApp(leaf1, "user1");
     addApp(leaf1, "user2");
     addApp(leaf1, "user3");
     addApp(leaf2, "user1");
@@ -147,7 +148,7 @@ public void testRemoveEnablingOrderedByStartTime() {
     FSLeafQueue leaf1 = queueManager.getLeafQueue("root.queue1.subqueue1.leaf1", true);
     FSLeafQueue leaf2 = queueManager.getLeafQueue("root.queue1.subqueue2.leaf2", true);
     queueMaxApps.put("root.queue1", 2);
-    FSSchedulerApp app1 = addApp(leaf1, "user");
+    FSAppAttempt app1 = addApp(leaf1, "user");
     addApp(leaf2, "user");
     addApp(leaf2, "user");
     clock.tick(20);
@@ -167,7 +168,7 @@ public void testMultipleAppsWaitingOnCousinQueue() {
     FSLeafQueue leaf1 = queueManager.getLeafQueue("root.queue1.subqueue1.leaf1", true);
     FSLeafQueue leaf2 = queueManager.getLeafQueue("root.queue1.subqueue2.leaf2", true);
     queueMaxApps.put("root.queue1", 2);
-    FSSchedulerApp app1 = addApp(leaf1, "user");
+    FSAppAttempt app1 = addApp(leaf1, "user");
     addApp(leaf2, "user");
     addApp(leaf2, "user");
     addApp(leaf2, "user");
@@ -182,21 +183,18 @@ public void testMultipleAppsWaitingOnCousinQueue() {
   
   @Test
   public void testMultiListStartTimeIteratorEmptyAppLists() {
-    List<List<AppSchedulable>> lists = new ArrayList<List<AppSchedulable>>();
-    lists.add(Arrays.asList(mockAppSched(1)));
-    lists.add(Arrays.asList(mockAppSched(2)));
-    Iterator<FSSchedulerApp> iter =
+    List<List<FSAppAttempt>> lists = new ArrayList<List<FSAppAttempt>>();
+    lists.add(Arrays.asList(mockAppAttempt(1)));
+    lists.add(Arrays.asList(mockAppAttempt(2)));
+    Iterator<FSAppAttempt> iter =
         new MaxRunningAppsEnforcer.MultiListStartTimeIterator(lists);
-    assertEquals(1, iter.next().getAppSchedulable().getStartTime());
-    assertEquals(2, iter.next().getAppSchedulable().getStartTime());
+    assertEquals(1, iter.next().getStartTime());
+    assertEquals(2, iter.next().getStartTime());
   }
   
-  private AppSchedulable mockAppSched(long startTime) {
-    AppSchedulable appSched = mock(AppSchedulable.class);
-    when(appSched.getStartTime()).thenReturn(startTime);
-    FSSchedulerApp schedApp = mock(FSSchedulerApp.class);
-    when(schedApp.getAppSchedulable()).thenReturn(appSched);
-    when(appSched.getApp()).thenReturn(schedApp);
-    return appSched;
+  private FSAppAttempt mockAppAttempt(long startTime) {
+    FSAppAttempt schedApp = mock(FSAppAttempt.class);
+    when(schedApp.getStartTime()).thenReturn(startTime);
+    return schedApp;
   }
 }

From a72fba5853d0537bcdbd7851181129173e440dbb Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Tue, 12 Aug 2014 21:49:48 +0000
Subject: [PATCH 194/354] HDFS-6836. HDFS INFO logging is verbose & uses file
 appenders. (Contributed by Xiaoyu Yao)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617603 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                 | 3 +++
 .../org/apache/hadoop/hdfs/server/datanode/BlockSender.java | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index e448ca6727d..8148052005b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -393,6 +393,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6838. Code cleanup for unnecessary INode replacement.
     (Jing Zhao via wheat9)
 
+    HDFS-6836. HDFS INFO logging is verbose & uses file appenders. (Xiaoyu
+    Yao via Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockSender.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockSender.java
index 86d88c2a44e..febf2de0c3a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockSender.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockSender.java
@@ -687,7 +687,7 @@ long sendBlock(DataOutputStream out, OutputStream baseStream,
     // Trigger readahead of beginning of file if configured.
     manageOsCache();
 
-    final long startTime = ClientTraceLog.isInfoEnabled() ? System.nanoTime() : 0;
+    final long startTime = ClientTraceLog.isDebugEnabled() ? System.nanoTime() : 0;
     try {
       int maxChunksPerPacket;
       int pktBufSize = PacketHeader.PKT_MAX_HEADER_LEN;
@@ -733,9 +733,9 @@ long sendBlock(DataOutputStream out, OutputStream baseStream,
         sentEntireByteRange = true;
       }
     } finally {
-      if (clientTraceFmt != null) {
+      if ((clientTraceFmt != null) && ClientTraceLog.isDebugEnabled()) {
         final long endTime = System.nanoTime();
-        ClientTraceLog.info(String.format(clientTraceFmt, totalRead,
+        ClientTraceLog.debug(String.format(clientTraceFmt, totalRead,
             initialOffset, endTime - startTime));
       }
       close();

From d687f6f68990bfe5fb819e36a91a25aef2c3a63f Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Tue, 12 Aug 2014 22:30:48 +0000
Subject: [PATCH 195/354] HADOOP-10851. NetgroupCache does not remove group
 memberships. (Contributed by Benoy Antony)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617612 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   3 +
 .../apache/hadoop/security/NetgroupCache.java |  17 +--
 .../hadoop/security/TestNetgroupCache.java    | 127 ++++++++++++++++++
 3 files changed, 134 insertions(+), 13 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestNetgroupCache.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 08c981e1e58..c72b3de3d82 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -563,6 +563,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10402. Configuration.getValByRegex does not substitute for
     variables. (Robert Kanter via kasha)
 
+    HADOOP-10851. NetgroupCache does not remove group memberships. (Benoy
+    Antony via Arpit Agarwal)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/NetgroupCache.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/NetgroupCache.java
index d07ae2bd018..bd9c448da7f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/NetgroupCache.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/NetgroupCache.java
@@ -27,12 +27,9 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
 /**
  * Class that caches the netgroups and inverts group-to-user map
- * to user-to-group map, primarily intented for use with
+ * to user-to-group map, primarily intended for use with
  * netgroups (as returned by getent netgrgoup) which only returns
  * group to user mapping.
  */
@@ -69,9 +66,7 @@ public static void getNetgroups(final String user,
       }
     }
     if(userToNetgroupsMap.containsKey(user)) {
-      for(String netgroup : userToNetgroupsMap.get(user)) {
-        groups.add(netgroup);
-      }
+      groups.addAll(userToNetgroupsMap.get(user));
     }
   }
 
@@ -99,6 +94,7 @@ public static boolean isCached(String group) {
    */
   public static void clear() {
     netgroupToUsersMap.clear();
+    userToNetgroupsMap.clear();
   }
 
   /**
@@ -108,12 +104,7 @@ public static void clear() {
    * @param users list of users for a given group
    */
   public static void add(String group, List<String> users) {
-    if(!isCached(group)) {
-      netgroupToUsersMap.put(group, new HashSet<String>());
-      for(String user: users) {
-        netgroupToUsersMap.get(group).add(user);
-      }
-    }
+    netgroupToUsersMap.put(group, new HashSet<String>(users));
     netgroupToUsersMapUpdated = true; // at the end to avoid race
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestNetgroupCache.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestNetgroupCache.java
new file mode 100644
index 00000000000..bd95422e651
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestNetgroupCache.java
@@ -0,0 +1,127 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.security;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.After;
+import org.junit.Test;
+
+public class TestNetgroupCache {
+
+  private static final String USER1 = "user1";
+  private static final String USER2 = "user2";
+  private static final String USER3 = "user3";
+  private static final String GROUP1 = "group1";
+  private static final String GROUP2 = "group2";
+
+  @After
+  public void teardown() {
+    NetgroupCache.clear();
+  }
+
+  /**
+   * Cache two groups with a set of users.
+   * Test membership correctness.
+   */
+  @Test
+  public void testMembership() {
+    List<String> users = new ArrayList<String>();
+    users.add(USER1);
+    users.add(USER2);
+    NetgroupCache.add(GROUP1, users);
+    users = new ArrayList<String>();
+    users.add(USER1);
+    users.add(USER3);
+    NetgroupCache.add(GROUP2, users);
+    verifyGroupMembership(USER1, 2, GROUP1);
+    verifyGroupMembership(USER1, 2, GROUP2);
+    verifyGroupMembership(USER2, 1, GROUP1);
+    verifyGroupMembership(USER3, 1, GROUP2);
+  }
+
+  /**
+   * Cache a group with a set of users.
+   * Test membership correctness.
+   * Clear cache, remove a user from the group and cache the group
+   * Test membership correctness.
+   */
+  @Test
+  public void testUserRemoval() {
+    List<String> users = new ArrayList<String>();
+    users.add(USER1);
+    users.add(USER2);
+    NetgroupCache.add(GROUP1, users);
+    verifyGroupMembership(USER1, 1, GROUP1);
+    verifyGroupMembership(USER2, 1, GROUP1);
+    users.remove(USER2);
+    NetgroupCache.clear();
+    NetgroupCache.add(GROUP1, users);
+    verifyGroupMembership(USER1, 1, GROUP1);
+    verifyGroupMembership(USER2, 0, null);
+  }
+
+  /**
+   * Cache two groups with a set of users.
+   * Test membership correctness.
+   * Clear cache, cache only one group.
+   * Test membership correctness.
+   */
+  @Test
+  public void testGroupRemoval() {
+    List<String> users = new ArrayList<String>();
+    users.add(USER1);
+    users.add(USER2);
+    NetgroupCache.add(GROUP1, users);
+    users = new ArrayList<String>();
+    users.add(USER1);
+    users.add(USER3);
+    NetgroupCache.add(GROUP2, users);
+    verifyGroupMembership(USER1, 2, GROUP1);
+    verifyGroupMembership(USER1, 2, GROUP2);
+    verifyGroupMembership(USER2, 1, GROUP1);
+    verifyGroupMembership(USER3, 1, GROUP2);
+    NetgroupCache.clear();
+    users = new ArrayList<String>();
+    users.add(USER1);
+    users.add(USER2);
+    NetgroupCache.add(GROUP1, users);
+    verifyGroupMembership(USER1, 1, GROUP1);
+    verifyGroupMembership(USER2, 1, GROUP1);
+    verifyGroupMembership(USER3, 0, null);
+  }
+
+  private void verifyGroupMembership(String user, int size, String group) {
+    List<String> groups = new ArrayList<String>();
+    NetgroupCache.getNetgroups(user, groups);
+    assertEquals(size, groups.size());
+    if (size > 0) {
+      boolean present = false;
+      for (String groupEntry:groups) {
+        if (groupEntry.equals(group)) {
+          present = true;
+          break;
+        }
+      }
+      assertTrue(present);
+    }
+  }
+}

From 4239695588f0e133bd514955c3404d3301eac6ce Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Tue, 12 Aug 2014 22:51:57 +0000
Subject: [PATCH 196/354] YARN-2399. Delete old versions of files.
 FairScheduler: Merge AppSchedulable and FSSchedulerApp into FSAppAttempt.
 (kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617619 13f79535-47bb-0310-9956-ffa450edef68
---
 .../scheduler/fair/AppSchedulable.java        | 463 ------------------
 .../scheduler/fair/FSSchedulerApp.java        | 360 --------------
 .../scheduler/fair/TestFSSchedulerApp.java    | 191 --------
 3 files changed, 1014 deletions(-)
 delete mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AppSchedulable.java
 delete mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSSchedulerApp.java
 delete mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSSchedulerApp.java

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AppSchedulable.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AppSchedulable.java
deleted file mode 100644
index 0c36c55892b..00000000000
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AppSchedulable.java
+++ /dev/null
@@ -1,463 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair;
-
-import java.io.Serializable;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Comparator;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.classification.InterfaceAudience.Private;
-import org.apache.hadoop.classification.InterfaceStability.Unstable;
-import org.apache.hadoop.yarn.api.records.Container;
-import org.apache.hadoop.yarn.api.records.ContainerId;
-import org.apache.hadoop.yarn.api.records.NodeId;
-import org.apache.hadoop.yarn.api.records.Priority;
-import org.apache.hadoop.yarn.api.records.Resource;
-import org.apache.hadoop.yarn.api.records.ResourceRequest;
-import org.apache.hadoop.yarn.server.resourcemanager.resource.ResourceWeights;
-import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
-import org.apache.hadoop.yarn.server.resourcemanager.scheduler.NodeType;
-import org.apache.hadoop.yarn.server.resourcemanager.scheduler.QueueMetrics;
-import org.apache.hadoop.yarn.server.resourcemanager.security.RMContainerTokenSecretManager;
-import org.apache.hadoop.yarn.server.utils.BuilderUtils;
-import org.apache.hadoop.yarn.util.resource.DefaultResourceCalculator;
-import org.apache.hadoop.yarn.util.resource.Resources;
-
-@Private
-@Unstable
-public class AppSchedulable extends Schedulable {
-  private static final DefaultResourceCalculator RESOURCE_CALCULATOR
-    = new DefaultResourceCalculator();
-  
-  private FairScheduler scheduler;
-  private FSSchedulerApp app;
-  private Resource demand = Resources.createResource(0);
-  private long startTime;
-  private static final Log LOG = LogFactory.getLog(AppSchedulable.class);
-  private FSLeafQueue queue;
-  private RMContainerTokenSecretManager containerTokenSecretManager;
-  private Priority priority;
-  private ResourceWeights resourceWeights;
-
-  private RMContainerComparator comparator = new RMContainerComparator();
-
-  public AppSchedulable(FairScheduler scheduler, FSSchedulerApp app, FSLeafQueue queue) {
-    this.scheduler = scheduler;
-    this.app = app;
-    this.startTime = scheduler.getClock().getTime();
-    this.queue = queue;
-    this.containerTokenSecretManager = scheduler.
-    		getContainerTokenSecretManager();
-    this.priority = Priority.newInstance(1);
-    this.resourceWeights = new ResourceWeights();
-  }
-
-  @Override
-  public String getName() {
-    return app.getApplicationId().toString();
-  }
-
-  public FSSchedulerApp getApp() {
-    return app;
-  }
-
-  public ResourceWeights getResourceWeights() {
-    return resourceWeights;
-  }
-
-  @Override
-  public void updateDemand() {
-    demand = Resources.createResource(0);
-    // Demand is current consumption plus outstanding requests
-    Resources.addTo(demand, app.getCurrentConsumption());
-
-    // Add up outstanding resource requests
-    synchronized (app) {
-      for (Priority p : app.getPriorities()) {
-        for (ResourceRequest r : app.getResourceRequests(p).values()) {
-          Resource total = Resources.multiply(r.getCapability(), r.getNumContainers());
-          Resources.addTo(demand, total);
-        }
-      }
-    }
-  }
-
-  @Override
-  public Resource getDemand() {
-    return demand;
-  }
-
-  @Override
-  public long getStartTime() {
-    return startTime;
-  }
-
-  @Override
-  public Resource getResourceUsage() {
-    // Here the getPreemptedResources() always return zero, except in
-    // a preemption round
-    return Resources.subtract(app.getCurrentConsumption(),
-        app.getPreemptedResources());
-  }
-
-
-  @Override
-  public Resource getMinShare() {
-    return Resources.none();
-  }
-  
-  @Override
-  public Resource getMaxShare() {
-    return Resources.unbounded();
-  }
-
-  /**
-   * Get metrics reference from containing queue.
-   */
-  public QueueMetrics getMetrics() {
-    return queue.getMetrics();
-  }
-
-  @Override
-  public ResourceWeights getWeights() {
-    return scheduler.getAppWeight(this);
-  }
-
-  @Override
-  public Priority getPriority() {
-    // Right now per-app priorities are not passed to scheduler,
-    // so everyone has the same priority.
-    return priority;
-  }
-
-  /**
-   * Create and return a container object reflecting an allocation for the
-   * given appliction on the given node with the given capability and
-   * priority.
-   */
-  public Container createContainer(
-      FSSchedulerApp application, FSSchedulerNode node,
-      Resource capability, Priority priority) {
-
-    NodeId nodeId = node.getRMNode().getNodeID();
-    ContainerId containerId = BuilderUtils.newContainerId(application
-        .getApplicationAttemptId(), application.getNewContainerId());
-
-    // Create the container
-    Container container =
-        BuilderUtils.newContainer(containerId, nodeId, node.getRMNode()
-          .getHttpAddress(), capability, priority, null);
-
-    return container;
-  }
-
-  /**
-   * Reserve a spot for {@code container} on this {@code node}. If
-   * the container is {@code alreadyReserved} on the node, simply
-   * update relevant bookeeping. This dispatches ro relevant handlers
-   * in the {@link FSSchedulerNode} and {@link SchedulerApp} classes.
-   */
-  private void reserve(Priority priority, FSSchedulerNode node,
-      Container container, boolean alreadyReserved) {
-    LOG.info("Making reservation: node=" + node.getNodeName() +
-                                 " app_id=" + app.getApplicationId());
-    if (!alreadyReserved) {
-      getMetrics().reserveResource(app.getUser(), container.getResource());
-      RMContainer rmContainer = app.reserve(node, priority, null,
-          container);
-      node.reserveResource(app, priority, rmContainer);
-    }
-
-    else {
-      RMContainer rmContainer = node.getReservedContainer();
-      app.reserve(node, priority, rmContainer, container);
-      node.reserveResource(app, priority, rmContainer);
-    }
-  }
-
-  /**
-   * Remove the reservation on {@code node} at the given
-   * {@link Priority}. This dispatches to the SchedulerApp and SchedulerNode
-   * handlers for an unreservation.
-   */
-  public void unreserve(Priority priority, FSSchedulerNode node) {
-    RMContainer rmContainer = node.getReservedContainer();
-    app.unreserve(node, priority);
-    node.unreserveResource(app);
-    getMetrics().unreserveResource(
-        app.getUser(), rmContainer.getContainer().getResource());
-  }
-
-  /**
-   * Assign a container to this node to facilitate {@code request}. If node does
-   * not have enough memory, create a reservation. This is called once we are
-   * sure the particular request should be facilitated by this node.
-   * 
-   * @param node
-   *     The node to try placing the container on.
-   * @param priority
-   *     The requested priority for the container.
-   * @param request
-   *     The ResourceRequest we're trying to satisfy.
-   * @param type
-   *     The locality of the assignment.
-   * @param reserved
-   *     Whether there's already a container reserved for this app on the node.
-   * @return
-   *     If an assignment was made, returns the resources allocated to the
-   *     container.  If a reservation was made, returns
-   *     FairScheduler.CONTAINER_RESERVED.  If no assignment or reservation was
-   *     made, returns an empty resource.
-   */
-  private Resource assignContainer(FSSchedulerNode node,
-      ResourceRequest request, NodeType type,
-      boolean reserved) {
-
-    // How much does this request need?
-    Resource capability = request.getCapability();
-
-    // How much does the node have?
-    Resource available = node.getAvailableResource();
-
-    Container container = null;
-    if (reserved) {
-      container = node.getReservedContainer().getContainer();
-    } else {
-      container = createContainer(app, node, capability, request.getPriority());
-    }
-
-    // Can we allocate a container on this node?
-    if (Resources.fitsIn(capability, available)) {
-      // Inform the application of the new container for this request
-      RMContainer allocatedContainer =
-          app.allocate(type, node, request.getPriority(), request, container);
-      if (allocatedContainer == null) {
-        // Did the application need this resource?
-        if (reserved) {
-          unreserve(request.getPriority(), node);
-        }
-        return Resources.none();
-      }
-
-      // If we had previously made a reservation, delete it
-      if (reserved) {
-        unreserve(request.getPriority(), node);
-      }
-
-      // Inform the node
-      node.allocateContainer(allocatedContainer);
-
-      // If this container is used to run AM, update the leaf queue's AM usage
-      if (app.getLiveContainers().size() == 1 &&
-          !app.getUnmanagedAM()) {
-        queue.addAMResourceUsage(container.getResource());
-        app.setAmRunning(true);
-      }
-
-      return container.getResource();
-    } else {
-      // The desired container won't fit here, so reserve
-      reserve(request.getPriority(), node, container, reserved);
-
-      return FairScheduler.CONTAINER_RESERVED;
-    }
-  }
-
-  private Resource assignContainer(FSSchedulerNode node, boolean reserved) {
-    if (LOG.isDebugEnabled()) {
-      LOG.debug("Node offered to app: " + getName() + " reserved: " + reserved);
-    }
-
-    Collection<Priority> prioritiesToTry = (reserved) ? 
-        Arrays.asList(node.getReservedContainer().getReservedPriority()) : 
-        app.getPriorities();
-    
-    // For each priority, see if we can schedule a node local, rack local
-    // or off-switch request. Rack of off-switch requests may be delayed
-    // (not scheduled) in order to promote better locality.
-    synchronized (app) {
-      for (Priority priority : prioritiesToTry) {
-        if (app.getTotalRequiredResources(priority) <= 0 ||
-            !hasContainerForNode(priority, node)) {
-          continue;
-        }
-        
-        app.addSchedulingOpportunity(priority);
-
-        // Check the AM resource usage for the leaf queue
-        if (app.getLiveContainers().size() == 0
-            && !app.getUnmanagedAM()) {
-          if (!queue.canRunAppAM(app.getAMResource())) {
-            return Resources.none();
-          }
-        }
-
-        ResourceRequest rackLocalRequest = app.getResourceRequest(priority,
-            node.getRackName());
-        ResourceRequest localRequest = app.getResourceRequest(priority,
-            node.getNodeName());
-        
-        if (localRequest != null && !localRequest.getRelaxLocality()) {
-          LOG.warn("Relax locality off is not supported on local request: "
-              + localRequest);
-        }
-        
-        NodeType allowedLocality;
-        if (scheduler.isContinuousSchedulingEnabled()) {
-          allowedLocality = app.getAllowedLocalityLevelByTime(priority,
-                  scheduler.getNodeLocalityDelayMs(),
-                  scheduler.getRackLocalityDelayMs(),
-                  scheduler.getClock().getTime());
-        } else {
-          allowedLocality = app.getAllowedLocalityLevel(priority,
-                  scheduler.getNumClusterNodes(),
-                  scheduler.getNodeLocalityThreshold(),
-                  scheduler.getRackLocalityThreshold());
-        }
-
-        if (rackLocalRequest != null && rackLocalRequest.getNumContainers() != 0
-            && localRequest != null && localRequest.getNumContainers() != 0) {
-          return assignContainer(node, localRequest,
-              NodeType.NODE_LOCAL, reserved);
-        }
-        
-        if (rackLocalRequest != null && !rackLocalRequest.getRelaxLocality()) {
-          continue;
-        }
-
-        if (rackLocalRequest != null && rackLocalRequest.getNumContainers() != 0
-            && (allowedLocality.equals(NodeType.RACK_LOCAL) ||
-                allowedLocality.equals(NodeType.OFF_SWITCH))) {
-          return assignContainer(node, rackLocalRequest,
-              NodeType.RACK_LOCAL, reserved);
-        }
-
-        ResourceRequest offSwitchRequest = app.getResourceRequest(priority,
-            ResourceRequest.ANY);
-        if (offSwitchRequest != null && !offSwitchRequest.getRelaxLocality()) {
-          continue;
-        }
-        
-        if (offSwitchRequest != null && offSwitchRequest.getNumContainers() != 0
-            && allowedLocality.equals(NodeType.OFF_SWITCH)) {
-          return assignContainer(node, offSwitchRequest,
-              NodeType.OFF_SWITCH, reserved);
-        }
-      }
-    }
-    return Resources.none();
-  }
-
-  /**
-   * Called when this application already has an existing reservation on the
-   * given node.  Sees whether we can turn the reservation into an allocation.
-   * Also checks whether the application needs the reservation anymore, and
-   * releases it if not.
-   * 
-   * @param node
-   *     Node that the application has an existing reservation on
-   */
-  public Resource assignReservedContainer(FSSchedulerNode node) {
-    RMContainer rmContainer = node.getReservedContainer();
-    Priority priority = rmContainer.getReservedPriority();
-
-    // Make sure the application still needs requests at this priority
-    if (app.getTotalRequiredResources(priority) == 0) {
-      unreserve(priority, node);
-      return Resources.none();
-    }
-    
-    // Fail early if the reserved container won't fit.
-    // Note that we have an assumption here that there's only one container size
-    // per priority.
-    if (!Resources.fitsIn(node.getReservedContainer().getReservedResource(),
-        node.getAvailableResource())) {
-      return Resources.none();
-    }
-    
-    return assignContainer(node, true);
-  }
-
-  @Override
-  public Resource assignContainer(FSSchedulerNode node) {
-    return assignContainer(node, false);
-  }
-  
-  /**
-   * Preempt a running container according to the priority
-   */
-  @Override
-  public RMContainer preemptContainer() {
-    if (LOG.isDebugEnabled()) {
-      LOG.debug("App " + getName() + " is going to preempt a running " +
-          "container");
-    }
-
-    RMContainer toBePreempted = null;
-    for (RMContainer container : app.getLiveContainers()) {
-      if (! app.getPreemptionContainers().contains(container) &&
-          (toBePreempted == null ||
-              comparator.compare(toBePreempted, container) > 0)) {
-        toBePreempted = container;
-      }
-    }
-    return toBePreempted;
-  }
-
-  /**
-   * Whether this app has containers requests that could be satisfied on the
-   * given node, if the node had full space.
-   */
-  public boolean hasContainerForNode(Priority prio, FSSchedulerNode node) {
-    ResourceRequest anyRequest = app.getResourceRequest(prio, ResourceRequest.ANY);
-    ResourceRequest rackRequest = app.getResourceRequest(prio, node.getRackName());
-    ResourceRequest nodeRequest = app.getResourceRequest(prio, node.getNodeName());
-
-    return
-        // There must be outstanding requests at the given priority:
-        anyRequest != null && anyRequest.getNumContainers() > 0 &&
-        // If locality relaxation is turned off at *-level, there must be a
-        // non-zero request for the node's rack:
-        (anyRequest.getRelaxLocality() ||
-            (rackRequest != null && rackRequest.getNumContainers() > 0)) &&
-        // If locality relaxation is turned off at rack-level, there must be a
-        // non-zero request at the node:
-        (rackRequest == null || rackRequest.getRelaxLocality() ||
-            (nodeRequest != null && nodeRequest.getNumContainers() > 0)) &&
-        // The requested container must be able to fit on the node:
-        Resources.lessThanOrEqual(RESOURCE_CALCULATOR, null,
-            anyRequest.getCapability(), node.getRMNode().getTotalCapability());
-  }
-
-  static class RMContainerComparator implements Comparator<RMContainer>,
-      Serializable {
-    @Override
-    public int compare(RMContainer c1, RMContainer c2) {
-      int ret = c1.getContainer().getPriority().compareTo(
-          c2.getContainer().getPriority());
-      if (ret == 0) {
-        return c2.getContainerId().compareTo(c1.getContainerId());
-      }
-      return ret;
-      }
-    }
-}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSSchedulerApp.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSSchedulerApp.java
deleted file mode 100644
index 20cf3952d2d..00000000000
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSSchedulerApp.java
+++ /dev/null
@@ -1,360 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair;
-
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.classification.InterfaceAudience.Private;
-import org.apache.hadoop.classification.InterfaceStability.Unstable;
-import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
-import org.apache.hadoop.yarn.api.records.Container;
-import org.apache.hadoop.yarn.api.records.ContainerId;
-import org.apache.hadoop.yarn.api.records.ContainerStatus;
-import org.apache.hadoop.yarn.api.records.NodeId;
-import org.apache.hadoop.yarn.api.records.Priority;
-import org.apache.hadoop.yarn.api.records.Resource;
-import org.apache.hadoop.yarn.api.records.ResourceRequest;
-import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger;
-import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
-import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
-import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
-import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerEvent;
-import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerEventType;
-import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerFinishedEvent;
-import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerImpl;
-import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ActiveUsersManager;
-import org.apache.hadoop.yarn.server.resourcemanager.scheduler.NodeType;
-import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerApplicationAttempt;
-import org.apache.hadoop.yarn.util.resource.Resources;
-
-/**
- * Represents an application attempt from the viewpoint of the Fair Scheduler.
- */
-@Private
-@Unstable
-public class FSSchedulerApp extends SchedulerApplicationAttempt {
-
-  private static final Log LOG = LogFactory.getLog(FSSchedulerApp.class);
-
-  private AppSchedulable appSchedulable;
-
-  final Map<RMContainer, Long> preemptionMap = new HashMap<RMContainer, Long>();
-
-  private Resource preemptedResources = Resources.createResource(0);
-  
-  public FSSchedulerApp(ApplicationAttemptId applicationAttemptId, 
-      String user, FSLeafQueue queue, ActiveUsersManager activeUsersManager,
-      RMContext rmContext) {
-    super(applicationAttemptId, user, queue, activeUsersManager, rmContext);
-  }
-
-  public void setAppSchedulable(AppSchedulable appSchedulable) {
-    this.appSchedulable = appSchedulable;
-  }
-  
-  public AppSchedulable getAppSchedulable() {
-    return appSchedulable;
-  }
-
-  synchronized public void containerCompleted(RMContainer rmContainer,
-      ContainerStatus containerStatus, RMContainerEventType event) {
-    
-    Container container = rmContainer.getContainer();
-    ContainerId containerId = container.getId();
-    
-    // Remove from the list of newly allocated containers if found
-    newlyAllocatedContainers.remove(rmContainer);
-    
-    // Inform the container
-    rmContainer.handle(
-        new RMContainerFinishedEvent(
-            containerId,
-            containerStatus, 
-            event)
-        );
-    LOG.info("Completed container: " + rmContainer.getContainerId() + 
-        " in state: " + rmContainer.getState() + " event:" + event);
-    
-    // Remove from the list of containers
-    liveContainers.remove(rmContainer.getContainerId());
-
-    RMAuditLogger.logSuccess(getUser(), 
-        AuditConstants.RELEASE_CONTAINER, "SchedulerApp", 
-        getApplicationId(), containerId);
-    
-    // Update usage metrics 
-    Resource containerResource = rmContainer.getContainer().getResource();
-    queue.getMetrics().releaseResources(getUser(), 1, containerResource);
-    Resources.subtractFrom(currentConsumption, containerResource);
-
-    // remove from preemption map if it is completed
-    preemptionMap.remove(rmContainer);
-  }
-
-  public synchronized void unreserve(FSSchedulerNode node, Priority priority) {
-    Map<NodeId, RMContainer> reservedContainers = 
-        this.reservedContainers.get(priority);
-    RMContainer reservedContainer = reservedContainers.remove(node.getNodeID());
-    if (reservedContainers.isEmpty()) {
-      this.reservedContainers.remove(priority);
-    }
-    
-    // Reset the re-reservation count
-    resetReReservations(priority);
-
-    Resource resource = reservedContainer.getContainer().getResource();
-    Resources.subtractFrom(currentReservation, resource);
-
-    LOG.info("Application " + getApplicationId() + " unreserved " + " on node "
-        + node + ", currently has " + reservedContainers.size() + " at priority "
-        + priority + "; currentReservation " + currentReservation);
-  }
-
-  public synchronized float getLocalityWaitFactor(
-      Priority priority, int clusterNodes) {
-    // Estimate: Required unique resources (i.e. hosts + racks)
-    int requiredResources = 
-        Math.max(this.getResourceRequests(priority).size() - 1, 0);
-    
-    // waitFactor can't be more than '1' 
-    // i.e. no point skipping more than clustersize opportunities
-    return Math.min(((float)requiredResources / clusterNodes), 1.0f);
-  }
-  
-  /**
-   * Delay scheduling: We often want to prioritize scheduling of node-local
-   * containers over rack-local or off-switch containers. To acheive this
-   * we first only allow node-local assigments for a given prioirty level,
-   * then relax the locality threshold once we've had a long enough period
-   * without succesfully scheduling. We measure both the number of "missed"
-   * scheduling opportunities since the last container was scheduled
-   * at the current allowed level and the time since the last container
-   * was scheduled. Currently we use only the former.
-   */
-
-  // Current locality threshold
-  final Map<Priority, NodeType> allowedLocalityLevel = new HashMap<
-      Priority, NodeType>();
-
-  /**
-   * Return the level at which we are allowed to schedule containers, given the
-   * current size of the cluster and thresholds indicating how many nodes to
-   * fail at (as a fraction of cluster size) before relaxing scheduling
-   * constraints.
-   */
-  public synchronized NodeType getAllowedLocalityLevel(Priority priority,
-      int numNodes, double nodeLocalityThreshold, double rackLocalityThreshold) {
-    // upper limit on threshold
-    if (nodeLocalityThreshold > 1.0) { nodeLocalityThreshold = 1.0; }
-    if (rackLocalityThreshold > 1.0) { rackLocalityThreshold = 1.0; }
-
-    // If delay scheduling is not being used, can schedule anywhere
-    if (nodeLocalityThreshold < 0.0 || rackLocalityThreshold < 0.0) {
-      return NodeType.OFF_SWITCH;
-    }
-
-    // Default level is NODE_LOCAL
-    if (!allowedLocalityLevel.containsKey(priority)) {
-      allowedLocalityLevel.put(priority, NodeType.NODE_LOCAL);
-      return NodeType.NODE_LOCAL;
-    }
-
-    NodeType allowed = allowedLocalityLevel.get(priority);
-
-    // If level is already most liberal, we're done
-    if (allowed.equals(NodeType.OFF_SWITCH)) return NodeType.OFF_SWITCH;
-
-    double threshold = allowed.equals(NodeType.NODE_LOCAL) ? nodeLocalityThreshold :
-      rackLocalityThreshold;
-
-    // Relax locality constraints once we've surpassed threshold.
-    if (getSchedulingOpportunities(priority) > (numNodes * threshold)) {
-      if (allowed.equals(NodeType.NODE_LOCAL)) {
-        allowedLocalityLevel.put(priority, NodeType.RACK_LOCAL);
-        resetSchedulingOpportunities(priority);
-      }
-      else if (allowed.equals(NodeType.RACK_LOCAL)) {
-        allowedLocalityLevel.put(priority, NodeType.OFF_SWITCH);
-        resetSchedulingOpportunities(priority);
-      }
-    }
-    return allowedLocalityLevel.get(priority);
-  }
-
-  /**
-   * Return the level at which we are allowed to schedule containers.
-   * Given the thresholds indicating how much time passed before relaxing
-   * scheduling constraints.
-   */
-  public synchronized NodeType getAllowedLocalityLevelByTime(Priority priority,
-          long nodeLocalityDelayMs, long rackLocalityDelayMs,
-          long currentTimeMs) {
-
-    // if not being used, can schedule anywhere
-    if (nodeLocalityDelayMs < 0 || rackLocalityDelayMs < 0) {
-      return NodeType.OFF_SWITCH;
-    }
-
-    // default level is NODE_LOCAL
-    if (! allowedLocalityLevel.containsKey(priority)) {
-      allowedLocalityLevel.put(priority, NodeType.NODE_LOCAL);
-      return NodeType.NODE_LOCAL;
-    }
-
-    NodeType allowed = allowedLocalityLevel.get(priority);
-
-    // if level is already most liberal, we're done
-    if (allowed.equals(NodeType.OFF_SWITCH)) {
-      return NodeType.OFF_SWITCH;
-    }
-
-    // check waiting time
-    long waitTime = currentTimeMs;
-    if (lastScheduledContainer.containsKey(priority)) {
-      waitTime -= lastScheduledContainer.get(priority);
-    } else {
-      waitTime -= appSchedulable.getStartTime();
-    }
-
-    long thresholdTime = allowed.equals(NodeType.NODE_LOCAL) ?
-            nodeLocalityDelayMs : rackLocalityDelayMs;
-
-    if (waitTime > thresholdTime) {
-      if (allowed.equals(NodeType.NODE_LOCAL)) {
-        allowedLocalityLevel.put(priority, NodeType.RACK_LOCAL);
-        resetSchedulingOpportunities(priority, currentTimeMs);
-      } else if (allowed.equals(NodeType.RACK_LOCAL)) {
-        allowedLocalityLevel.put(priority, NodeType.OFF_SWITCH);
-        resetSchedulingOpportunities(priority, currentTimeMs);
-      }
-    }
-    return allowedLocalityLevel.get(priority);
-  }
-
-  synchronized public RMContainer allocate(NodeType type, FSSchedulerNode node,
-      Priority priority, ResourceRequest request,
-      Container container) {
-    // Update allowed locality level
-    NodeType allowed = allowedLocalityLevel.get(priority);
-    if (allowed != null) {
-      if (allowed.equals(NodeType.OFF_SWITCH) &&
-          (type.equals(NodeType.NODE_LOCAL) ||
-              type.equals(NodeType.RACK_LOCAL))) {
-        this.resetAllowedLocalityLevel(priority, type);
-      }
-      else if (allowed.equals(NodeType.RACK_LOCAL) &&
-          type.equals(NodeType.NODE_LOCAL)) {
-        this.resetAllowedLocalityLevel(priority, type);
-      }
-    }
-
-    // Required sanity check - AM can call 'allocate' to update resource 
-    // request without locking the scheduler, hence we need to check
-    if (getTotalRequiredResources(priority) <= 0) {
-      return null;
-    }
-    
-    // Create RMContainer
-    RMContainer rmContainer = new RMContainerImpl(container, 
-        getApplicationAttemptId(), node.getNodeID(),
-        appSchedulingInfo.getUser(), rmContext);
-
-    // Add it to allContainers list.
-    newlyAllocatedContainers.add(rmContainer);
-    liveContainers.put(container.getId(), rmContainer);    
-
-    // Update consumption and track allocations
-    List<ResourceRequest> resourceRequestList = appSchedulingInfo.allocate(
-        type, node, priority, request, container);
-    Resources.addTo(currentConsumption, container.getResource());
-
-    // Update resource requests related to "request" and store in RMContainer
-    ((RMContainerImpl) rmContainer).setResourceRequests(resourceRequestList);
-
-    // Inform the container
-    rmContainer.handle(
-        new RMContainerEvent(container.getId(), RMContainerEventType.START));
-
-    if (LOG.isDebugEnabled()) {
-      LOG.debug("allocate: applicationAttemptId=" 
-          + container.getId().getApplicationAttemptId() 
-          + " container=" + container.getId() + " host="
-          + container.getNodeId().getHost() + " type=" + type);
-    }
-    RMAuditLogger.logSuccess(getUser(), 
-        AuditConstants.ALLOC_CONTAINER, "SchedulerApp", 
-        getApplicationId(), container.getId());
-    
-    return rmContainer;
-  }
-
-  /**
-   * Should be called when the scheduler assigns a container at a higher
-   * degree of locality than the current threshold. Reset the allowed locality
-   * level to a higher degree of locality.
-   */
-  public synchronized void resetAllowedLocalityLevel(Priority priority,
-      NodeType level) {
-    NodeType old = allowedLocalityLevel.get(priority);
-    LOG.info("Raising locality level from " + old + " to " + level + " at " +
-        " priority " + priority);
-    allowedLocalityLevel.put(priority, level);
-  }
-
-  // related methods
-  public void addPreemption(RMContainer container, long time) {
-    assert preemptionMap.get(container) == null;
-    preemptionMap.put(container, time);
-    Resources.addTo(preemptedResources, container.getAllocatedResource());
-  }
-
-  public Long getContainerPreemptionTime(RMContainer container) {
-    return preemptionMap.get(container);
-  }
-
-  public Set<RMContainer> getPreemptionContainers() {
-    return preemptionMap.keySet();
-  }
-  
-  @Override
-  public FSLeafQueue getQueue() {
-    return (FSLeafQueue)super.getQueue();
-  }
-
-  public Resource getPreemptedResources() {
-    return preemptedResources;
-  }
-
-  public void resetPreemptedResources() {
-    preemptedResources = Resources.createResource(0);
-    for (RMContainer container : getPreemptionContainers()) {
-      Resources.addTo(preemptedResources, container.getAllocatedResource());
-    }
-  }
-
-  public void clearPreemptedResources() {
-    preemptedResources.setMemory(0);
-    preemptedResources.setVirtualCores(0);
-  }
-}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSSchedulerApp.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSSchedulerApp.java
deleted file mode 100644
index 2d5a6d4bc8c..00000000000
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFSSchedulerApp.java
+++ /dev/null
@@ -1,191 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair;
-
-import static org.junit.Assert.assertEquals;
-
-import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
-import org.apache.hadoop.yarn.api.records.ApplicationId;
-import org.apache.hadoop.yarn.api.records.Priority;
-import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
-import org.apache.hadoop.yarn.server.resourcemanager.scheduler.NodeType;
-import org.apache.hadoop.yarn.util.Clock;
-import org.junit.Test;
-import org.mockito.Mockito;
-
-public class TestFSSchedulerApp {
-
-  private class MockClock implements Clock {
-    private long time = 0;
-    @Override
-    public long getTime() {
-      return time;
-    }
-
-    public void tick(int seconds) {
-      time = time + seconds * 1000;
-    }
-
-  }
-
-  private ApplicationAttemptId createAppAttemptId(int appId, int attemptId) {
-    ApplicationId appIdImpl = ApplicationId.newInstance(0, appId);
-    ApplicationAttemptId attId =
-        ApplicationAttemptId.newInstance(appIdImpl, attemptId);
-    return attId;
-  }
-
-  @Test
-  public void testDelayScheduling() {
-    FSLeafQueue queue = Mockito.mock(FSLeafQueue.class);
-    Priority prio = Mockito.mock(Priority.class);
-    Mockito.when(prio.getPriority()).thenReturn(1);
-    double nodeLocalityThreshold = .5;
-    double rackLocalityThreshold = .6;
-
-    ApplicationAttemptId applicationAttemptId = createAppAttemptId(1, 1);
-    RMContext rmContext = Mockito.mock(RMContext.class);
-    Mockito.when(rmContext.getEpoch()).thenReturn(0);
-    FSSchedulerApp schedulerApp =
-        new FSSchedulerApp(applicationAttemptId, "user1", queue , null,
-            rmContext);
-
-    // Default level should be node-local
-    assertEquals(NodeType.NODE_LOCAL, schedulerApp.getAllowedLocalityLevel(
-        prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
-
-    // First five scheduling opportunities should remain node local
-    for (int i = 0; i < 5; i++) {
-      schedulerApp.addSchedulingOpportunity(prio);
-      assertEquals(NodeType.NODE_LOCAL, schedulerApp.getAllowedLocalityLevel(
-          prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
-    }
-
-    // After five it should switch to rack local
-    schedulerApp.addSchedulingOpportunity(prio);
-    assertEquals(NodeType.RACK_LOCAL, schedulerApp.getAllowedLocalityLevel(
-        prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
-
-    // Manually set back to node local
-    schedulerApp.resetAllowedLocalityLevel(prio, NodeType.NODE_LOCAL);
-    schedulerApp.resetSchedulingOpportunities(prio);
-    assertEquals(NodeType.NODE_LOCAL, schedulerApp.getAllowedLocalityLevel(
-        prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
-
-    // Now escalate again to rack-local, then to off-switch
-    for (int i = 0; i < 5; i++) {
-      schedulerApp.addSchedulingOpportunity(prio);
-      assertEquals(NodeType.NODE_LOCAL, schedulerApp.getAllowedLocalityLevel(
-          prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
-    }
-
-    schedulerApp.addSchedulingOpportunity(prio);
-    assertEquals(NodeType.RACK_LOCAL, schedulerApp.getAllowedLocalityLevel(
-        prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
-
-    for (int i = 0; i < 6; i++) {
-      schedulerApp.addSchedulingOpportunity(prio);
-      assertEquals(NodeType.RACK_LOCAL, schedulerApp.getAllowedLocalityLevel(
-          prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
-    }
-
-    schedulerApp.addSchedulingOpportunity(prio);
-    assertEquals(NodeType.OFF_SWITCH, schedulerApp.getAllowedLocalityLevel(
-        prio, 10, nodeLocalityThreshold, rackLocalityThreshold));
-  }
-
-  @Test
-  public void testDelaySchedulingForContinuousScheduling()
-          throws InterruptedException {
-    FSLeafQueue queue = Mockito.mock(FSLeafQueue.class);
-    Priority prio = Mockito.mock(Priority.class);
-    Mockito.when(prio.getPriority()).thenReturn(1);
-
-    MockClock clock = new MockClock();
-
-    long nodeLocalityDelayMs = 5 * 1000L;    // 5 seconds
-    long rackLocalityDelayMs = 6 * 1000L;    // 6 seconds
-
-    RMContext rmContext = Mockito.mock(RMContext.class);
-    Mockito.when(rmContext.getEpoch()).thenReturn(0);
-    ApplicationAttemptId applicationAttemptId = createAppAttemptId(1, 1);
-    FSSchedulerApp schedulerApp =
-            new FSSchedulerApp(applicationAttemptId, "user1", queue,
-                    null, rmContext);
-    AppSchedulable appSchedulable = Mockito.mock(AppSchedulable.class);
-    long startTime = clock.getTime();
-    Mockito.when(appSchedulable.getStartTime()).thenReturn(startTime);
-    schedulerApp.setAppSchedulable(appSchedulable);
-
-    // Default level should be node-local
-    assertEquals(NodeType.NODE_LOCAL,
-            schedulerApp.getAllowedLocalityLevelByTime(prio,
-                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
-
-    // after 4 seconds should remain node local
-    clock.tick(4);
-    assertEquals(NodeType.NODE_LOCAL,
-            schedulerApp.getAllowedLocalityLevelByTime(prio,
-                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
-
-    // after 6 seconds should switch to rack local
-    clock.tick(2);
-    assertEquals(NodeType.RACK_LOCAL,
-            schedulerApp.getAllowedLocalityLevelByTime(prio,
-                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
-
-    // manually set back to node local
-    schedulerApp.resetAllowedLocalityLevel(prio, NodeType.NODE_LOCAL);
-    schedulerApp.resetSchedulingOpportunities(prio, clock.getTime());
-    assertEquals(NodeType.NODE_LOCAL,
-            schedulerApp.getAllowedLocalityLevelByTime(prio,
-                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
-
-    // Now escalate again to rack-local, then to off-switch
-    clock.tick(6);
-    assertEquals(NodeType.RACK_LOCAL,
-            schedulerApp.getAllowedLocalityLevelByTime(prio,
-                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
-
-    clock.tick(7);
-    assertEquals(NodeType.OFF_SWITCH,
-            schedulerApp.getAllowedLocalityLevelByTime(prio,
-                    nodeLocalityDelayMs, rackLocalityDelayMs, clock.getTime()));
-  }
-
-  @Test
-  /**
-   * Ensure that when negative paramaters are given (signaling delay scheduling
-   * no tin use), the least restrictive locality level is returned.
-   */
-  public void testLocalityLevelWithoutDelays() {
-    FSLeafQueue queue = Mockito.mock(FSLeafQueue.class);
-    Priority prio = Mockito.mock(Priority.class);
-    Mockito.when(prio.getPriority()).thenReturn(1);
-
-    RMContext rmContext = Mockito.mock(RMContext.class);
-    Mockito.when(rmContext.getEpoch()).thenReturn(0);
-    ApplicationAttemptId applicationAttemptId = createAppAttemptId(1, 1);
-    FSSchedulerApp schedulerApp =
-        new FSSchedulerApp(applicationAttemptId, "user1", queue , null,
-            rmContext);
-    assertEquals(NodeType.OFF_SWITCH, schedulerApp.getAllowedLocalityLevel(
-        prio, 10, -1.0, -1.0));
-  }
-}

From f7ac928a7c4b44d15d00ddace27af3738fdd01a1 Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Tue, 12 Aug 2014 23:03:06 +0000
Subject: [PATCH 197/354] HADOOP-10962. Flags for posix_fadvise are not valid
 in some architectures (David Villegas via Colin Patrick McCabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617621 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  3 ++
 .../org/apache/hadoop/io/nativeio/NativeIO.c  | 31 ++++++++++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index c72b3de3d82..38bef36de79 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -566,6 +566,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10851. NetgroupCache does not remove group memberships. (Benoy
     Antony via Arpit Agarwal)
 
+    HADOOP-10962. Flags for posix_fadvise are not valid in some architectures
+    (David Villegas via Colin Patrick McCabe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
index 23513bfd667..fa95047394f 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
@@ -171,6 +171,35 @@ static void nioe_deinit(JNIEnv *env) {
   nioe_ctor = NULL;
 }
 
+/*
+ * Compatibility mapping for fadvise flags. Return the proper value from fnctl.h.
+ * If the value is not known, return the argument unchanged.
+ */
+static int map_fadvise_flag(jint flag) {
+  switch(flag) {
+    case org_apache_hadoop_io_nativeio_NativeIO_POSIX_POSIX_FADV_NORMAL:
+      return POSIX_FADV_NORMAL;
+      break;
+    case org_apache_hadoop_io_nativeio_NativeIO_POSIX_POSIX_FADV_RANDOM:
+      return POSIX_FADV_RANDOM;
+      break;
+    case org_apache_hadoop_io_nativeio_NativeIO_POSIX_POSIX_FADV_SEQUENTIAL:
+      return POSIX_FADV_SEQUENTIAL;
+      break;
+    case org_apache_hadoop_io_nativeio_NativeIO_POSIX_POSIX_FADV_WILLNEED:
+      return POSIX_FADV_WILLNEED;
+      break;
+    case org_apache_hadoop_io_nativeio_NativeIO_POSIX_POSIX_FADV_DONTNEED:
+      return POSIX_FADV_DONTNEED;
+      break;
+    case org_apache_hadoop_io_nativeio_NativeIO_POSIX_POSIX_FADV_NOREUSE:
+      return POSIX_FADV_NOREUSE;
+      break;
+    default:
+      return flag;
+  }
+}
+
 /*
  * private static native void initNative();
  *
@@ -303,7 +332,7 @@ Java_org_apache_hadoop_io_nativeio_NativeIO_00024POSIX_posix_1fadvise(
   PASS_EXCEPTIONS(env);
 
   int err = 0;
-  if ((err = posix_fadvise(fd, (off_t)offset, (off_t)len, flags))) {
+  if ((err = posix_fadvise(fd, (off_t)offset, (off_t)len, map_fadvise_flag(flags)))) {
 #ifdef __FreeBSD__
     throw_ioe(env, errno);
 #else

From e0a9e1bfb724b60af322666b8267c7a9121f84a7 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Wed, 13 Aug 2014 00:54:29 +0000
Subject: [PATCH 198/354] HADOOP-10281. Create a scheduler, which assigns
 schedulables a priority level. (Contributed by Chris Li)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617643 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   3 +
 .../apache/hadoop/ipc/DecayRpcScheduler.java  | 522 ++++++++++++++++++
 .../hadoop/ipc/DecayRpcSchedulerMXBean.java   |  30 +
 .../org/apache/hadoop/ipc/RpcScheduler.java   |  29 +
 .../hadoop/ipc/TestDecayRpcScheduler.java     | 225 ++++++++
 5 files changed, 809 insertions(+)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/DecayRpcScheduler.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/DecayRpcSchedulerMXBean.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/RpcScheduler.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestDecayRpcScheduler.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 38bef36de79..06e9c25e35c 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -505,6 +505,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10820. Throw an exception in GenericOptionsParser when passed
     an empty Path. (Alex Holmes and Zhihai Xu via wang)
 
+    HADOOP-10281. Create a scheduler, which assigns schedulables a priority
+    level. (Chris Li via Arpit Agarwal)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/DecayRpcScheduler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/DecayRpcScheduler.java
new file mode 100644
index 00000000000..d06b25cbbaf
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/DecayRpcScheduler.java
@@ -0,0 +1,522 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ipc;
+
+import java.lang.ref.WeakReference;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Timer;
+import java.util.TimerTask;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.atomic.AtomicLong;
+import java.util.concurrent.atomic.AtomicReference;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.metrics2.util.MBeans;
+
+import org.codehaus.jackson.map.ObjectMapper;
+import com.google.common.annotations.VisibleForTesting;
+
+/**
+ * The decay RPC scheduler counts incoming requests in a map, then
+ * decays the counts at a fixed time interval. The scheduler is optimized
+ * for large periods (on the order of seconds), as it offloads work to the
+ * decay sweep.
+ */
+public class DecayRpcScheduler implements RpcScheduler, DecayRpcSchedulerMXBean {
+  /**
+   * Period controls how many milliseconds between each decay sweep.
+   */
+  public static final String IPC_CALLQUEUE_DECAYSCHEDULER_PERIOD_KEY =
+    "faircallqueue.decay-scheduler.period-ms";
+  public static final long   IPC_CALLQUEUE_DECAYSCHEDULER_PERIOD_DEFAULT =
+    5000L;
+
+  /**
+   * Decay factor controls how much each count is suppressed by on each sweep.
+   * Valid numbers are > 0 and < 1. Decay factor works in tandem with period
+   * to control how long the scheduler remembers an identity.
+   */
+  public static final String IPC_CALLQUEUE_DECAYSCHEDULER_FACTOR_KEY =
+    "faircallqueue.decay-scheduler.decay-factor";
+  public static final double IPC_CALLQUEUE_DECAYSCHEDULER_FACTOR_DEFAULT =
+    0.5;
+
+  /**
+   * Thresholds are specified as integer percentages, and specify which usage
+   * range each queue will be allocated to. For instance, specifying the list
+   *  10, 40, 80
+   * implies 4 queues, with
+   * - q3 from 80% up
+   * - q2 from 40 up to 80
+   * - q1 from 10 up to 40
+   * - q0 otherwise.
+   */
+  public static final String IPC_CALLQUEUE_DECAYSCHEDULER_THRESHOLDS_KEY =
+    "faircallqueue.decay-scheduler.thresholds";
+
+  // Specifies the identity to use when the IdentityProvider cannot handle
+  // a schedulable.
+  public static final String DECAYSCHEDULER_UNKNOWN_IDENTITY =
+    "IdentityProvider.Unknown";
+
+  public static final Log LOG = LogFactory.getLog(DecayRpcScheduler.class);
+
+  // Track the number of calls for each schedulable identity
+  private final ConcurrentHashMap<Object, AtomicLong> callCounts =
+    new ConcurrentHashMap<Object, AtomicLong>();
+
+  // Should be the sum of all AtomicLongs in callCounts
+  private final AtomicLong totalCalls = new AtomicLong();
+
+  // Pre-computed scheduling decisions during the decay sweep are
+  // atomically swapped in as a read-only map
+  private final AtomicReference<Map<Object, Integer>> scheduleCacheRef =
+    new AtomicReference<Map<Object, Integer>>();
+
+  // Tune the behavior of the scheduler
+  private final long decayPeriodMillis; // How long between each tick
+  private final double decayFactor; // nextCount = currentCount / decayFactor
+  private final int numQueues; // affects scheduling decisions, from 0 to numQueues - 1
+  private final double[] thresholds;
+  private final IdentityProvider identityProvider;
+
+  /**
+   * This TimerTask will call decayCurrentCounts until
+   * the scheduler has been garbage collected.
+   */
+  public static class DecayTask extends TimerTask {
+    private WeakReference<DecayRpcScheduler> schedulerRef;
+    private Timer timer;
+
+    public DecayTask(DecayRpcScheduler scheduler, Timer timer) {
+      this.schedulerRef = new WeakReference<DecayRpcScheduler>(scheduler);
+      this.timer = timer;
+    }
+
+    @Override
+    public void run() {
+      DecayRpcScheduler sched = schedulerRef.get();
+      if (sched != null) {
+        sched.decayCurrentCounts();
+      } else {
+        // Our scheduler was garbage collected since it is no longer in use,
+        // so we should terminate the timer as well
+        timer.cancel();
+        timer.purge();
+      }
+    }
+  }
+
+  /**
+   * Create a decay scheduler.
+   * @param numQueues number of queues to schedule for
+   * @param ns config prefix, so that we can configure multiple schedulers
+   *           in a single instance.
+   * @param conf configuration to use.
+   */
+  public DecayRpcScheduler(int numQueues, String ns, Configuration conf) {
+    if (numQueues < 1) {
+      throw new IllegalArgumentException("number of queues must be > 0");
+    }
+
+    this.numQueues = numQueues;
+    this.decayFactor = parseDecayFactor(ns, conf);
+    this.decayPeriodMillis = parseDecayPeriodMillis(ns, conf);
+    this.identityProvider = this.parseIdentityProvider(ns, conf);
+    this.thresholds = parseThresholds(ns, conf, numQueues);
+
+    // Setup delay timer
+    Timer timer = new Timer();
+    DecayTask task = new DecayTask(this, timer);
+    timer.scheduleAtFixedRate(task, 0, this.decayPeriodMillis);
+
+    MetricsProxy prox = MetricsProxy.getInstance(ns);
+    prox.setDelegate(this);
+  }
+
+  // Load configs
+  private IdentityProvider parseIdentityProvider(String ns, Configuration conf) {
+    List<IdentityProvider> providers = conf.getInstances(
+      ns + "." + CommonConfigurationKeys.IPC_CALLQUEUE_IDENTITY_PROVIDER_KEY,
+      IdentityProvider.class);
+
+    if (providers.size() < 1) {
+      LOG.info("IdentityProvider not specified, " +
+        "defaulting to UserIdentityProvider");
+      return new UserIdentityProvider();
+    }
+
+    return providers.get(0); // use the first
+  }
+
+  private static double parseDecayFactor(String ns, Configuration conf) {
+    double factor = conf.getDouble(ns + "." +
+        IPC_CALLQUEUE_DECAYSCHEDULER_FACTOR_KEY,
+      IPC_CALLQUEUE_DECAYSCHEDULER_FACTOR_DEFAULT
+    );
+
+    if (factor <= 0 || factor >= 1) {
+      throw new IllegalArgumentException("Decay Factor " +
+        "must be between 0 and 1");
+    }
+
+    return factor;
+  }
+
+  private static long parseDecayPeriodMillis(String ns, Configuration conf) {
+    long period = conf.getLong(ns + "." +
+        IPC_CALLQUEUE_DECAYSCHEDULER_PERIOD_KEY,
+      IPC_CALLQUEUE_DECAYSCHEDULER_PERIOD_DEFAULT
+    );
+
+    if (period <= 0) {
+      throw new IllegalArgumentException("Period millis must be >= 0");
+    }
+
+    return period;
+  }
+
+  private static double[] parseThresholds(String ns, Configuration conf,
+      int numQueues) {
+    int[] percentages = conf.getInts(ns + "." +
+      IPC_CALLQUEUE_DECAYSCHEDULER_THRESHOLDS_KEY);
+
+    if (percentages.length == 0) {
+      return getDefaultThresholds(numQueues);
+    } else if (percentages.length != numQueues-1) {
+      throw new IllegalArgumentException("Number of thresholds should be " +
+        (numQueues-1) + ". Was: " + percentages.length);
+    }
+
+    // Convert integer percentages to decimals
+    double[] decimals = new double[percentages.length];
+    for (int i = 0; i < percentages.length; i++) {
+      decimals[i] = percentages[i] / 100.0;
+    }
+
+    return decimals;
+  }
+
+  /**
+   * Generate default thresholds if user did not specify. Strategy is
+   * to halve each time, since queue usage tends to be exponential.
+   * So if numQueues is 4, we would generate: double[]{0.125, 0.25, 0.5}
+   * which specifies the boundaries between each queue's usage.
+   * @param numQueues number of queues to compute for
+   * @return array of boundaries of length numQueues - 1
+   */
+  private static double[] getDefaultThresholds(int numQueues) {
+    double[] ret = new double[numQueues - 1];
+    double div = Math.pow(2, numQueues - 1);
+
+    for (int i = 0; i < ret.length; i++) {
+      ret[i] = Math.pow(2, i)/div;
+    }
+    return ret;
+  }
+
+  /**
+   * Decay the stored counts for each user and clean as necessary.
+   * This method should be called periodically in order to keep
+   * counts current.
+   */
+  private void decayCurrentCounts() {
+    long total = 0;
+    Iterator<Map.Entry<Object, AtomicLong>> it =
+      callCounts.entrySet().iterator();
+
+    while (it.hasNext()) {
+      Map.Entry<Object, AtomicLong> entry = it.next();
+      AtomicLong count = entry.getValue();
+
+      // Compute the next value by reducing it by the decayFactor
+      long currentValue = count.get();
+      long nextValue = (long)(currentValue * decayFactor);
+      total += nextValue;
+      count.set(nextValue);
+
+      if (nextValue == 0) {
+        // We will clean up unused keys here. An interesting optimization might
+        // be to have an upper bound on keyspace in callCounts and only
+        // clean once we pass it.
+        it.remove();
+      }
+    }
+
+    // Update the total so that we remain in sync
+    totalCalls.set(total);
+
+    // Now refresh the cache of scheduling decisions
+    recomputeScheduleCache();
+  }
+
+  /**
+   * Update the scheduleCache to match current conditions in callCounts.
+   */
+  private void recomputeScheduleCache() {
+    Map<Object, Integer> nextCache = new HashMap<Object, Integer>();
+
+    for (Map.Entry<Object, AtomicLong> entry : callCounts.entrySet()) {
+      Object id = entry.getKey();
+      AtomicLong value = entry.getValue();
+
+      long snapshot = value.get();
+      int computedLevel = computePriorityLevel(snapshot);
+
+      nextCache.put(id, computedLevel);
+    }
+
+    // Swap in to activate
+    scheduleCacheRef.set(Collections.unmodifiableMap(nextCache));
+  }
+
+  /**
+   * Get the number of occurrences and increment atomically.
+   * @param identity the identity of the user to increment
+   * @return the value before incrementation
+   */
+  private long getAndIncrement(Object identity) throws InterruptedException {
+    // We will increment the count, or create it if no such count exists
+    AtomicLong count = this.callCounts.get(identity);
+    if (count == null) {
+      // Create the count since no such count exists.
+      count = new AtomicLong(0);
+
+      // Put it in, or get the AtomicInteger that was put in by another thread
+      AtomicLong otherCount = callCounts.putIfAbsent(identity, count);
+      if (otherCount != null) {
+        count = otherCount;
+      }
+    }
+
+    // Update the total
+    totalCalls.getAndIncrement();
+
+    // At this point value is guaranteed to be not null. It may however have
+    // been clobbered from callCounts. Nonetheless, we return what
+    // we have.
+    return count.getAndIncrement();
+  }
+
+  /**
+   * Given the number of occurrences, compute a scheduling decision.
+   * @param occurrences how many occurrences
+   * @return scheduling decision from 0 to numQueues - 1
+   */
+  private int computePriorityLevel(long occurrences) {
+    long totalCallSnapshot = totalCalls.get();
+
+    double proportion = 0;
+    if (totalCallSnapshot > 0) {
+      proportion = (double) occurrences / totalCallSnapshot;
+    }
+
+    // Start with low priority queues, since they will be most common
+    for(int i = (numQueues - 1); i > 0; i--) {
+      if (proportion >= this.thresholds[i - 1]) {
+        return i; // We've found our queue number
+      }
+    }
+
+    // If we get this far, we're at queue 0
+    return 0;
+  }
+
+  /**
+   * Returns the priority level for a given identity by first trying the cache,
+   * then computing it.
+   * @param identity an object responding to toString and hashCode
+   * @return integer scheduling decision from 0 to numQueues - 1
+   */
+  private int cachedOrComputedPriorityLevel(Object identity) {
+    try {
+      long occurrences = this.getAndIncrement(identity);
+
+      // Try the cache
+      Map<Object, Integer> scheduleCache = scheduleCacheRef.get();
+      if (scheduleCache != null) {
+        Integer priority = scheduleCache.get(identity);
+        if (priority != null) {
+          return priority;
+        }
+      }
+
+      // Cache was no good, compute it
+      return computePriorityLevel(occurrences);
+    } catch (InterruptedException ie) {
+      LOG.warn("Caught InterruptedException, returning low priority queue");
+      return numQueues - 1;
+    }
+  }
+
+  /**
+   * Compute the appropriate priority for a schedulable based on past requests.
+   * @param obj the schedulable obj to query and remember
+   * @return the queue index which we recommend scheduling in
+   */
+  @Override
+  public int getPriorityLevel(Schedulable obj) {
+    // First get the identity
+    String identity = this.identityProvider.makeIdentity(obj);
+    if (identity == null) {
+      // Identity provider did not handle this
+      identity = DECAYSCHEDULER_UNKNOWN_IDENTITY;
+    }
+
+    return cachedOrComputedPriorityLevel(identity);
+  }
+
+  // For testing
+  @VisibleForTesting
+  public double getDecayFactor() { return decayFactor; }
+
+  @VisibleForTesting
+  public long getDecayPeriodMillis() { return decayPeriodMillis; }
+
+  @VisibleForTesting
+  public double[] getThresholds() { return thresholds; }
+
+  @VisibleForTesting
+  public void forceDecay() { decayCurrentCounts(); }
+
+  @VisibleForTesting
+  public Map<Object, Long> getCallCountSnapshot() {
+    HashMap<Object, Long> snapshot = new HashMap<Object, Long>();
+
+    for (Map.Entry<Object, AtomicLong> entry : callCounts.entrySet()) {
+      snapshot.put(entry.getKey(), entry.getValue().get());
+    }
+
+    return Collections.unmodifiableMap(snapshot);
+  }
+
+  @VisibleForTesting
+  public long getTotalCallSnapshot() {
+    return totalCalls.get();
+  }
+
+  /**
+   * MetricsProxy is a singleton because we may init multiple schedulers and we
+   * want to clean up resources when a new scheduler replaces the old one.
+   */
+  private static final class MetricsProxy implements DecayRpcSchedulerMXBean {
+    // One singleton per namespace
+    private static final HashMap<String, MetricsProxy> INSTANCES =
+      new HashMap<String, MetricsProxy>();
+
+    // Weakref for delegate, so we don't retain it forever if it can be GC'd
+    private WeakReference<DecayRpcScheduler> delegate;
+
+    private MetricsProxy(String namespace) {
+      MBeans.register(namespace, "DecayRpcScheduler", this);
+    }
+
+    public static synchronized MetricsProxy getInstance(String namespace) {
+      MetricsProxy mp = INSTANCES.get(namespace);
+      if (mp == null) {
+        // We must create one
+        mp = new MetricsProxy(namespace);
+        INSTANCES.put(namespace, mp);
+      }
+      return mp;
+    }
+
+    public void setDelegate(DecayRpcScheduler obj) {
+      this.delegate = new WeakReference<DecayRpcScheduler>(obj);
+    }
+
+    @Override
+    public String getSchedulingDecisionSummary() {
+      DecayRpcScheduler scheduler = delegate.get();
+      if (scheduler == null) {
+        return "No Active Scheduler";
+      } else {
+        return scheduler.getSchedulingDecisionSummary();
+      }
+    }
+
+    @Override
+    public String getCallVolumeSummary() {
+      DecayRpcScheduler scheduler = delegate.get();
+      if (scheduler == null) {
+        return "No Active Scheduler";
+      } else {
+        return scheduler.getCallVolumeSummary();
+      }
+    }
+
+    @Override
+    public int getUniqueIdentityCount() {
+      DecayRpcScheduler scheduler = delegate.get();
+      if (scheduler == null) {
+        return -1;
+      } else {
+        return scheduler.getUniqueIdentityCount();
+      }
+    }
+
+    @Override
+    public long getTotalCallVolume() {
+      DecayRpcScheduler scheduler = delegate.get();
+      if (scheduler == null) {
+        return -1;
+      } else {
+        return scheduler.getTotalCallVolume();
+      }
+    }
+  }
+
+  public int getUniqueIdentityCount() {
+    return callCounts.size();
+  }
+
+  public long getTotalCallVolume() {
+    return totalCalls.get();
+  }
+
+  public String getSchedulingDecisionSummary() {
+    Map<Object, Integer> decisions = scheduleCacheRef.get();
+    if (decisions == null) {
+      return "{}";
+    } else {
+      try {
+        ObjectMapper om = new ObjectMapper();
+        return om.writeValueAsString(decisions);
+      } catch (Exception e) {
+        return "Error: " + e.getMessage();
+      }
+    }
+  }
+
+  public String getCallVolumeSummary() {
+    try {
+      ObjectMapper om = new ObjectMapper();
+      return om.writeValueAsString(callCounts);
+    } catch (Exception e) {
+      return "Error: " + e.getMessage();
+    }
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/DecayRpcSchedulerMXBean.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/DecayRpcSchedulerMXBean.java
new file mode 100644
index 00000000000..3481f19449d
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/DecayRpcSchedulerMXBean.java
@@ -0,0 +1,30 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ipc;
+
+/**
+ * Provides metrics for Decay scheduler.
+ */
+public interface DecayRpcSchedulerMXBean {
+  // Get an overview of the requests in history.
+  String getSchedulingDecisionSummary();
+  String getCallVolumeSummary();
+  int getUniqueIdentityCount();
+  long getTotalCallVolume();
+}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/RpcScheduler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/RpcScheduler.java
new file mode 100644
index 00000000000..a1557061809
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/RpcScheduler.java
@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ipc;
+
+/**
+ * Implement this interface to be used for RPC scheduling in the fair call queues.
+ */
+public interface RpcScheduler {
+  /**
+   * Returns priority level greater than zero as a hint for scheduling.
+   */
+  int getPriorityLevel(Schedulable obj);
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestDecayRpcScheduler.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestDecayRpcScheduler.java
new file mode 100644
index 00000000000..edc3b0051ab
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestDecayRpcScheduler.java
@@ -0,0 +1,225 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ipc;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.Arrays;
+import org.junit.Test;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.conf.Configuration;
+
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+
+public class TestDecayRpcScheduler {
+  private Schedulable mockCall(String id) {
+    Schedulable mockCall = mock(Schedulable.class);
+    UserGroupInformation ugi = mock(UserGroupInformation.class);
+
+    when(ugi.getUserName()).thenReturn(id);
+    when(mockCall.getUserGroupInformation()).thenReturn(ugi);
+
+    return mockCall;
+  }
+
+  private DecayRpcScheduler scheduler;
+
+  @Test(expected=IllegalArgumentException.class)
+  public void testNegativeScheduler() {
+    scheduler = new DecayRpcScheduler(-1, "", new Configuration());
+  }
+
+  @Test(expected=IllegalArgumentException.class)
+  public void testZeroScheduler() {
+    scheduler = new DecayRpcScheduler(0, "", new Configuration());
+  }
+
+  @Test
+  public void testParsePeriod() {
+    // By default
+    scheduler = new DecayRpcScheduler(1, "", new Configuration());
+    assertEquals(DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_PERIOD_DEFAULT,
+      scheduler.getDecayPeriodMillis());
+
+    // Custom
+    Configuration conf = new Configuration();
+    conf.setLong("ns." + DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_PERIOD_KEY,
+      1058);
+    scheduler = new DecayRpcScheduler(1, "ns", conf);
+    assertEquals(1058L, scheduler.getDecayPeriodMillis());
+  }
+
+  @Test
+  public void testParseFactor() {
+    // Default
+    scheduler = new DecayRpcScheduler(1, "", new Configuration());
+    assertEquals(DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_FACTOR_DEFAULT,
+      scheduler.getDecayFactor(), 0.00001);
+
+    // Custom
+    Configuration conf = new Configuration();
+    conf.set("prefix." + DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_FACTOR_KEY,
+      "0.125");
+    scheduler = new DecayRpcScheduler(1, "prefix", conf);
+    assertEquals(0.125, scheduler.getDecayFactor(), 0.00001);
+  }
+
+  public void assertEqualDecimalArrays(double[] a, double[] b) {
+    assertEquals(a.length, b.length);
+    for(int i = 0; i < a.length; i++) {
+      assertEquals(a[i], b[i], 0.00001);
+    }
+  }
+
+  @Test
+  public void testParseThresholds() {
+    // Defaults vary by number of queues
+    Configuration conf = new Configuration();
+    scheduler = new DecayRpcScheduler(1, "", conf);
+    assertEqualDecimalArrays(new double[]{}, scheduler.getThresholds());
+
+    scheduler = new DecayRpcScheduler(2, "", conf);
+    assertEqualDecimalArrays(new double[]{0.5}, scheduler.getThresholds());
+
+    scheduler = new DecayRpcScheduler(3, "", conf);
+    assertEqualDecimalArrays(new double[]{0.25, 0.5}, scheduler.getThresholds());
+
+    scheduler = new DecayRpcScheduler(4, "", conf);
+    assertEqualDecimalArrays(new double[]{0.125, 0.25, 0.5}, scheduler.getThresholds());
+
+    // Custom
+    conf = new Configuration();
+    conf.set("ns." + DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_THRESHOLDS_KEY,
+      "1, 10, 20, 50, 85");
+    scheduler = new DecayRpcScheduler(6, "ns", conf);
+    assertEqualDecimalArrays(new double[]{0.01, 0.1, 0.2, 0.5, 0.85}, scheduler.getThresholds());
+  }
+
+  @Test
+  public void testAccumulate() {
+    Configuration conf = new Configuration();
+    conf.set("ns." + DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_PERIOD_KEY, "99999999"); // Never flush
+    scheduler = new DecayRpcScheduler(1, "ns", conf);
+
+    assertEquals(0, scheduler.getCallCountSnapshot().size()); // empty first
+
+    scheduler.getPriorityLevel(mockCall("A"));
+    assertEquals(1, scheduler.getCallCountSnapshot().get("A").longValue());
+    assertEquals(1, scheduler.getCallCountSnapshot().get("A").longValue());
+
+    scheduler.getPriorityLevel(mockCall("A"));
+    scheduler.getPriorityLevel(mockCall("B"));
+    scheduler.getPriorityLevel(mockCall("A"));
+
+    assertEquals(3, scheduler.getCallCountSnapshot().get("A").longValue());
+    assertEquals(1, scheduler.getCallCountSnapshot().get("B").longValue());
+  }
+
+  @Test
+  public void testDecay() {
+    Configuration conf = new Configuration();
+    conf.set("ns." + DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_PERIOD_KEY, "999999999"); // Never
+    conf.set("ns." + DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_FACTOR_KEY, "0.5");
+    scheduler = new DecayRpcScheduler(1, "ns", conf);
+
+    assertEquals(0, scheduler.getTotalCallSnapshot());
+
+    for (int i = 0; i < 4; i++) {
+      scheduler.getPriorityLevel(mockCall("A"));
+    }
+
+    for (int i = 0; i < 8; i++) {
+      scheduler.getPriorityLevel(mockCall("B"));
+    }
+
+    assertEquals(12, scheduler.getTotalCallSnapshot());
+    assertEquals(4, scheduler.getCallCountSnapshot().get("A").longValue());
+    assertEquals(8, scheduler.getCallCountSnapshot().get("B").longValue());
+
+    scheduler.forceDecay();
+
+    assertEquals(6, scheduler.getTotalCallSnapshot());
+    assertEquals(2, scheduler.getCallCountSnapshot().get("A").longValue());
+    assertEquals(4, scheduler.getCallCountSnapshot().get("B").longValue());
+
+    scheduler.forceDecay();
+
+    assertEquals(3, scheduler.getTotalCallSnapshot());
+    assertEquals(1, scheduler.getCallCountSnapshot().get("A").longValue());
+    assertEquals(2, scheduler.getCallCountSnapshot().get("B").longValue());
+
+    scheduler.forceDecay();
+
+    assertEquals(1, scheduler.getTotalCallSnapshot());
+    assertEquals(null, scheduler.getCallCountSnapshot().get("A"));
+    assertEquals(1, scheduler.getCallCountSnapshot().get("B").longValue());
+
+    scheduler.forceDecay();
+
+    assertEquals(0, scheduler.getTotalCallSnapshot());
+    assertEquals(null, scheduler.getCallCountSnapshot().get("A"));
+    assertEquals(null, scheduler.getCallCountSnapshot().get("B"));
+  }
+
+  @Test
+  public void testPriority() {
+    Configuration conf = new Configuration();
+    conf.set("ns." + DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_PERIOD_KEY, "99999999"); // Never flush
+    conf.set("ns." + DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_THRESHOLDS_KEY,
+      "25, 50, 75");
+    scheduler = new DecayRpcScheduler(4, "ns", conf);
+
+    assertEquals(0, scheduler.getPriorityLevel(mockCall("A")));
+    assertEquals(2, scheduler.getPriorityLevel(mockCall("A")));
+    assertEquals(0, scheduler.getPriorityLevel(mockCall("B")));
+    assertEquals(1, scheduler.getPriorityLevel(mockCall("B")));
+    assertEquals(0, scheduler.getPriorityLevel(mockCall("C")));
+    assertEquals(0, scheduler.getPriorityLevel(mockCall("C")));
+    assertEquals(1, scheduler.getPriorityLevel(mockCall("A")));
+    assertEquals(1, scheduler.getPriorityLevel(mockCall("A")));
+    assertEquals(1, scheduler.getPriorityLevel(mockCall("A")));
+    assertEquals(2, scheduler.getPriorityLevel(mockCall("A")));
+  }
+
+  @Test(timeout=2000)
+  public void testPeriodic() throws InterruptedException {
+    Configuration conf = new Configuration();
+    conf.set("ns." + DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_PERIOD_KEY, "10");
+    conf.set("ns." + DecayRpcScheduler.IPC_CALLQUEUE_DECAYSCHEDULER_FACTOR_KEY, "0.5");
+    scheduler = new DecayRpcScheduler(1, "ns", conf);
+
+    assertEquals(10, scheduler.getDecayPeriodMillis());
+    assertEquals(0, scheduler.getTotalCallSnapshot());
+
+    for (int i = 0; i < 64; i++) {
+      scheduler.getPriorityLevel(mockCall("A"));
+    }
+
+    // It should eventually decay to zero
+    while (scheduler.getTotalCallSnapshot() > 0) {
+      Thread.sleep(10);
+    }
+  }
+}
\ No newline at end of file

From 5197f8c3c53f18701f041dd2301b454930a5025b Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Wed, 13 Aug 2014 01:38:59 +0000
Subject: [PATCH 199/354] YARN-1370. Fair scheduler to re-populate container
 allocation state. (Anubhav Dhoot via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617645 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                          | 3 +++
 .../resourcemanager/scheduler/fair/FairScheduler.java    | 2 ++
 .../resourcemanager/TestWorkPreservingRMRestart.java     | 9 +++++++--
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index d977127cd9d..55a61126fe2 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -125,6 +125,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2399. FairScheduler: Merge AppSchedulable and FSSchedulerApp into 
     FSAppAttempt. (kasha)
 
+    YARN-1370. Fair scheduler to re-populate container allocation state. 
+    (Anubhav Dhoot via kasha)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
index 4748d73e038..aa3f8240947 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
@@ -1150,6 +1150,8 @@ public void handle(SchedulerEvent event) {
       }
       NodeAddedSchedulerEvent nodeAddedEvent = (NodeAddedSchedulerEvent)event;
       addNode(nodeAddedEvent.getAddedRMNode());
+      recoverContainersOnNode(nodeAddedEvent.getContainerReports(),
+          nodeAddedEvent.getAddedRMNode());
       break;
     case NODE_REMOVED:
       if (!(event instanceof NodeRemovedSchedulerEvent)) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java
index 24a2f437953..9cae07c7fb6 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java
@@ -57,6 +57,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacitySchedulerConfiguration;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.LeafQueue;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.ParentQueue;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler;
 import org.apache.hadoop.yarn.util.resource.DominantResourceCalculator;
 import org.apache.hadoop.yarn.util.resource.ResourceCalculator;
@@ -107,7 +108,7 @@ public void tearDown() {
   @Parameterized.Parameters
   public static Collection<Object[]> getTestParameters() {
     return Arrays.asList(new Object[][] { { CapacityScheduler.class },
-        { FifoScheduler.class } });
+        { FifoScheduler.class }, {FairScheduler.class } });
   }
 
   public TestWorkPreservingRMRestart(Class<?> schedulerClass) {
@@ -224,7 +225,11 @@ public void testSchedulerRecovery() throws Exception {
     assertTrue(schedulerAttempt.getLiveContainers().contains(
       scheduler.getRMContainer(runningContainer.getContainerId())));
     assertEquals(schedulerAttempt.getCurrentConsumption(), usedResources);
-    assertEquals(availableResources, schedulerAttempt.getHeadroom());
+
+    // Until YARN-1959 is resolved
+    if (scheduler.getClass() != FairScheduler.class) {
+      assertEquals(availableResources, schedulerAttempt.getHeadroom());
+    }
 
     // *********** check appSchedulingInfo state ***********
     assertEquals((1 << 22) + 1, schedulerAttempt.getNewContainerId());

From a34dafe325902164c04de0bf9d34eccdf6a2cd88 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Wed, 13 Aug 2014 17:30:26 +0000
Subject: [PATCH 200/354] HADOOP-8944. Shell command fs -count should include
 human readable option (Jonathan Allen via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617775 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  3 ++
 .../org/apache/hadoop/fs/ContentSummary.java  | 48 +++++++++++++++----
 .../org/apache/hadoop/fs/shell/Count.java     | 36 ++++++++++++--
 .../src/site/apt/FileSystemShell.apt.vm       |  6 ++-
 .../src/test/resources/testConf.xml           |  6 ++-
 .../src/test/resources/testHDFSConf.xml       | 44 +++++++++++++++++
 6 files changed, 126 insertions(+), 17 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 06e9c25e35c..547f2318feb 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -202,6 +202,9 @@ Trunk (Unreleased)
     HADOOP-10224. JavaKeyStoreProvider has to protect against corrupting 
     underlying store. (asuresh via tucu)
 
+    HADOOP-8944. Shell command fs -count should include human readable option
+      (Jonathan Allen via aw)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ContentSummary.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ContentSummary.java
index 0d685b43e1f..5d01637a0fb 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ContentSummary.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ContentSummary.java
@@ -24,6 +24,7 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.io.Writable;
+import org.apache.hadoop.util.StringUtils;
 
 /** Store the summary of a content (a directory or a file). */
 @InterfaceAudience.Public
@@ -102,7 +103,7 @@ public void readFields(DataInput in) throws IOException {
    * <----12----> <----12----> <-------18------->
    *    DIR_COUNT   FILE_COUNT       CONTENT_SIZE FILE_NAME    
    */
-  private static final String STRING_FORMAT = "%12d %12d %18d ";
+  private static final String STRING_FORMAT = "%12s %12s %18s ";
   /** 
    * Output format:
    * <----12----> <----15----> <----15----> <----15----> <----12----> <----12----> <-------18------->
@@ -117,7 +118,7 @@ public void readFields(DataInput in) throws IOException {
 
   private static final String QUOTA_HEADER = String.format(
       QUOTA_STRING_FORMAT + SPACE_QUOTA_STRING_FORMAT, 
-      "quota", "remaining quota", "space quota", "reamaining quota") +
+      "name quota", "rem name quota", "space quota", "rem space quota") +
       HEADER;
   
   /** Return the header of the output.
@@ -139,11 +140,25 @@ public String toString() {
   /** Return the string representation of the object in the output format.
    * if qOption is false, output directory count, file count, and content size;
    * if qOption is true, output quota and remaining quota as well.
-   * 
+   *
    * @param qOption a flag indicating if quota needs to be printed or not
    * @return the string representation of the object
-   */
+  */
   public String toString(boolean qOption) {
+    return toString(qOption, false);
+  }
+
+  /** Return the string representation of the object in the output format.
+   * if qOption is false, output directory count, file count, and content size;
+   * if qOption is true, output quota and remaining quota as well.
+   * if hOption is false file sizes are returned in bytes
+   * if hOption is true file sizes are returned in human readable 
+   * 
+   * @param qOption a flag indicating if quota needs to be printed or not
+   * @param hOption a flag indicating if human readable output if to be used
+   * @return the string representation of the object
+   */
+  public String toString(boolean qOption, boolean hOption) {
     String prefix = "";
     if (qOption) {
       String quotaStr = "none";
@@ -152,19 +167,32 @@ public String toString(boolean qOption) {
       String spaceQuotaRem = "inf";
       
       if (quota>0) {
-        quotaStr = Long.toString(quota);
-        quotaRem = Long.toString(quota-(directoryCount+fileCount));
+        quotaStr = formatSize(quota, hOption);
+        quotaRem = formatSize(quota-(directoryCount+fileCount), hOption);
       }
       if (spaceQuota>0) {
-        spaceQuotaStr = Long.toString(spaceQuota);
-        spaceQuotaRem = Long.toString(spaceQuota - spaceConsumed);        
+        spaceQuotaStr = formatSize(spaceQuota, hOption);
+        spaceQuotaRem = formatSize(spaceQuota - spaceConsumed, hOption);
       }
       
       prefix = String.format(QUOTA_STRING_FORMAT + SPACE_QUOTA_STRING_FORMAT, 
                              quotaStr, quotaRem, spaceQuotaStr, spaceQuotaRem);
     }
     
-    return prefix + String.format(STRING_FORMAT, directoryCount, 
-                                  fileCount, length);
+    return prefix + String.format(STRING_FORMAT,
+     formatSize(directoryCount, hOption),
+     formatSize(fileCount, hOption),
+     formatSize(length, hOption));
+  }
+  /**
+   * Formats a size to be human readable or in bytes
+   * @param size value to be formatted
+   * @param humanReadable flag indicating human readable or not
+   * @return String representation of the size
+  */
+  private String formatSize(long size, boolean humanReadable) {
+    return humanReadable
+      ? StringUtils.TraditionalBinaryPrefix.long2String(size, "", 1)
+      : String.valueOf(size);
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Count.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Count.java
index b8ccc0c9ec9..ff7a10f2975 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Count.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Count.java
@@ -42,16 +42,22 @@ public static void registerCommands(CommandFactory factory) {
     factory.addClass(Count.class, "-count");
   }
 
+  private static final String OPTION_QUOTA = "q";
+  private static final String OPTION_HUMAN = "h";
+
   public static final String NAME = "count";
-  public static final String USAGE = "[-q] <path> ...";
+  public static final String USAGE =
+      "[-" + OPTION_QUOTA + "] [-" + OPTION_HUMAN + "] <path> ...";
   public static final String DESCRIPTION = 
       "Count the number of directories, files and bytes under the paths\n" +
       "that match the specified file pattern.  The output columns are:\n" +
       "DIR_COUNT FILE_COUNT CONTENT_SIZE FILE_NAME or\n" +
       "QUOTA REMAINING_QUOTA SPACE_QUOTA REMAINING_SPACE_QUOTA \n" +
-      "      DIR_COUNT FILE_COUNT CONTENT_SIZE FILE_NAME";
+      "      DIR_COUNT FILE_COUNT CONTENT_SIZE FILE_NAME\n" +
+      "The -h option shows file sizes in human readable format.";
   
   private boolean showQuotas;
+  private boolean humanReadable;
 
   /** Constructor */
   public Count() {}
@@ -70,17 +76,37 @@ public Count(String[] cmd, int pos, Configuration conf) {
 
   @Override
   protected void processOptions(LinkedList<String> args) {
-    CommandFormat cf = new CommandFormat(1, Integer.MAX_VALUE, "q");
+    CommandFormat cf = new CommandFormat(1, Integer.MAX_VALUE,
+      OPTION_QUOTA, OPTION_HUMAN);
     cf.parse(args);
     if (args.isEmpty()) { // default path is the current working directory
       args.add(".");
     }
-    showQuotas = cf.getOpt("q");
+    showQuotas = cf.getOpt(OPTION_QUOTA);
+    humanReadable = cf.getOpt(OPTION_HUMAN);
   }
 
   @Override
   protected void processPath(PathData src) throws IOException {
     ContentSummary summary = src.fs.getContentSummary(src.path);
-    out.println(summary.toString(showQuotas) + src);
+    out.println(summary.toString(showQuotas, isHumanReadable()) + src);
+  }
+  
+  /**
+   * Should quotas get shown as part of the report?
+   * @return if quotas should be shown then true otherwise false
+   */
+  @InterfaceAudience.Private
+  boolean isShowQuotas() {
+    return showQuotas;
+  }
+  
+  /**
+   * Should sizes be shown in human readable format rather than bytes?
+   * @return true if human readable format
+   */
+  @InterfaceAudience.Private
+  boolean isHumanReadable() {
+    return humanReadable;
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/site/apt/FileSystemShell.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/FileSystemShell.apt.vm
index 4a82884fb37..48e0b21220f 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/FileSystemShell.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/FileSystemShell.apt.vm
@@ -138,7 +138,7 @@ copyToLocal
 
 count
 
-   Usage: <<<hdfs dfs -count [-q] <paths> >>>
+   Usage: <<<hdfs dfs -count [-q] [-h] <paths> >>>
 
    Count the number of directories, files and bytes under the paths that match
    the specified file pattern.  The output columns with -count are: DIR_COUNT,
@@ -147,12 +147,16 @@ count
    The output columns with -count -q are: QUOTA, REMAINING_QUATA, SPACE_QUOTA,
    REMAINING_SPACE_QUOTA, DIR_COUNT, FILE_COUNT, CONTENT_SIZE, FILE_NAME
 
+   The -h option shows sizes in human readable format.
+
    Example:
 
      * <<<hdfs dfs -count hdfs://nn1.example.com/file1 hdfs://nn2.example.com/file2>>>
 
      * <<<hdfs dfs -count -q hdfs://nn1.example.com/file1>>>
 
+     * <<<hdfs dfs -count -q -h hdfs://nn1.example.com/file1>>>
+
    Exit Code:
 
    Returns 0 on success and -1 on error.
diff --git a/hadoop-common-project/hadoop-common/src/test/resources/testConf.xml b/hadoop-common-project/hadoop-common/src/test/resources/testConf.xml
index a91f0416d67..c44eddafe43 100644
--- a/hadoop-common-project/hadoop-common/src/test/resources/testConf.xml
+++ b/hadoop-common-project/hadoop-common/src/test/resources/testConf.xml
@@ -238,7 +238,7 @@
       <comparators>
         <comparator>
           <type>RegexpComparator</type>
-          <expected-output>^-count \[-q\] &lt;path&gt; \.\.\. :\s*</expected-output>
+          <expected-output>^-count \[-q\] \[-h\] &lt;path&gt; \.\.\. :( )*</expected-output>
         </comparator>
         <comparator>
           <type>RegexpComparator</type>
@@ -260,6 +260,10 @@
           <type>RegexpComparator</type>
           <expected-output>^( |\t)*DIR_COUNT FILE_COUNT CONTENT_SIZE FILE_NAME( )*</expected-output>
         </comparator>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>^( |\t)*The -h option shows file sizes in human readable format.( )*</expected-output>
+        </comparator>
       </comparators>
     </test>
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testHDFSConf.xml b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testHDFSConf.xml
index 03083c50cea..087c3ab48aa 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testHDFSConf.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testHDFSConf.xml
@@ -8655,6 +8655,50 @@
       </comparators>
     </test>
 
+    <test> <!-- TESTED -->
+      <description>count: file using -h option</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir -p dir</command> <!-- make sure user home dir exists -->
+        <command>-fs NAMENODE -put CLITEST_DATA/data15bytes file1</command>
+        <command>-fs NAMENODE -put CLITEST_DATA/data1k file2</command>
+        <command>-fs NAMENODE -count -h file1 file2</command>
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rm file1 file2</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>( |\t)*0( |\t)*1( |\t)*15 file1</expected-output>
+        </comparator>
+      </comparators>
+      <comparators>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>( |\t)*0( |\t)*1( |\t)*1\.0 K file2</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
+    <test> <!-- TESTED -->
+      <description>count: directory using -q and -h options</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /dir1</command>
+        <dfs-admin-command>-fs NAMENODE -setQuota 10 /dir1 </dfs-admin-command>
+        <dfs-admin-command>-fs NAMENODE -setSpaceQuota 1m /dir1 </dfs-admin-command>
+        <command>-fs NAMENODE -count -q -h /dir1</command>
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rm -r /dir1</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>( |\t)*10( |\t)*9( |\t)*1 M( |\t)*1 M( |\t)*1( |\t)*0( |\t)*0 /dir1</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+
     <!-- Tests for chmod -->
     <test> <!-- TESTED -->
       <description>chmod: change permission(octal mode) of file in absolute path</description>

From 03d8ff496a6fca15eca123d081361594bb47e0d8 Mon Sep 17 00:00:00 2001
From: Haohui Mai <wheat9@apache.org>
Date: Wed, 13 Aug 2014 17:45:47 +0000
Subject: [PATCH 201/354] HDFS-6567. Normalize the order of public final in
 HdfsFileStatus. Contributed by Tassapol Athiapinya.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617779 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ++
 .../hadoop/hdfs/protocol/HdfsFileStatus.java  | 38 +++++++++----------
 .../hdfs/protocol/HdfsLocatedFileStatus.java  |  2 +-
 3 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 8148052005b..685cd6211d6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -396,6 +396,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6836. HDFS INFO logging is verbose & uses file appenders. (Xiaoyu
     Yao via Arpit Agarwal)
 
+    HDFS-6567. Normalize the order of public final in HdfsFileStatus.
+    (Tassapol Athiapinya via wheat9)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java
index 66c56faa14b..0652de14aee 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsFileStatus.java
@@ -91,7 +91,7 @@ public HdfsFileStatus(long length, boolean isdir, int block_replication,
    * Get the length of this file, in bytes.
    * @return the length of this file, in bytes.
    */
-  final public long getLen() {
+  public final long getLen() {
     return length;
   }
 
@@ -99,7 +99,7 @@ final public long getLen() {
    * Is this a directory?
    * @return true if this is a directory
    */
-  final public boolean isDir() {
+  public final boolean isDir() {
     return isdir;
   }
 
@@ -115,7 +115,7 @@ public boolean isSymlink() {
    * Get the block size of the file.
    * @return the number of bytes
    */
-  final public long getBlockSize() {
+  public final long getBlockSize() {
     return blocksize;
   }
 
@@ -123,7 +123,7 @@ final public long getBlockSize() {
    * Get the replication factor of a file.
    * @return the replication factor of a file.
    */
-  final public short getReplication() {
+  public final short getReplication() {
     return block_replication;
   }
 
@@ -131,7 +131,7 @@ final public short getReplication() {
    * Get the modification time of the file.
    * @return the modification time of file in milliseconds since January 1, 1970 UTC.
    */
-  final public long getModificationTime() {
+  public final long getModificationTime() {
     return modification_time;
   }
 
@@ -139,7 +139,7 @@ final public long getModificationTime() {
    * Get the access time of the file.
    * @return the access time of file in milliseconds since January 1, 1970 UTC.
    */
-  final public long getAccessTime() {
+  public final long getAccessTime() {
     return access_time;
   }
 
@@ -147,7 +147,7 @@ final public long getAccessTime() {
    * Get FsPermission associated with the file.
    * @return permssion
    */
-  final public FsPermission getPermission() {
+  public final FsPermission getPermission() {
     return permission;
   }
   
@@ -155,7 +155,7 @@ final public FsPermission getPermission() {
    * Get the owner of the file.
    * @return owner of the file
    */
-  final public String getOwner() {
+  public final String getOwner() {
     return owner;
   }
   
@@ -163,7 +163,7 @@ final public String getOwner() {
    * Get the group associated with the file.
    * @return group for the file. 
    */
-  final public String getGroup() {
+  public final String getGroup() {
     return group;
   }
   
@@ -171,7 +171,7 @@ final public String getGroup() {
    * Check if the local name is empty
    * @return true if the name is empty
    */
-  final public boolean isEmptyLocalName() {
+  public final boolean isEmptyLocalName() {
     return path.length == 0;
   }
 
@@ -179,7 +179,7 @@ final public boolean isEmptyLocalName() {
    * Get the string representation of the local name
    * @return the local name in string
    */
-  final public String getLocalName() {
+  public final String getLocalName() {
     return DFSUtil.bytes2String(path);
   }
   
@@ -187,7 +187,7 @@ final public String getLocalName() {
    * Get the Java UTF8 representation of the local name
    * @return the local name in java UTF8
    */
-  final public byte[] getLocalNameInBytes() {
+  public final byte[] getLocalNameInBytes() {
     return path;
   }
 
@@ -196,7 +196,7 @@ final public byte[] getLocalNameInBytes() {
    * @param parent the parent path
    * @return the full path in string
    */
-  final public String getFullName(final String parent) {
+  public final String getFullName(final String parent) {
     if (isEmptyLocalName()) {
       return parent;
     }
@@ -214,7 +214,7 @@ final public String getFullName(final String parent) {
    * @param parent the parent path
    * @return the full path
    */
-  final public Path getFullPath(final Path parent) {
+  public final Path getFullPath(final Path parent) {
     if (isEmptyLocalName()) {
       return parent;
     }
@@ -226,23 +226,23 @@ final public Path getFullPath(final Path parent) {
    * Get the string representation of the symlink.
    * @return the symlink as a string.
    */
-  final public String getSymlink() {
+  public final String getSymlink() {
     return DFSUtil.bytes2String(symlink);
   }
   
-  final public byte[] getSymlinkInBytes() {
+  public final byte[] getSymlinkInBytes() {
     return symlink;
   }
   
-  final public long getFileId() {
+  public final long getFileId() {
     return fileId;
   }
   
-  final public int getChildrenNum() {
+  public final int getChildrenNum() {
     return childrenNum;
   }
 
-  final public FileStatus makeQualified(URI defaultUri, Path path) {
+  public final FileStatus makeQualified(URI defaultUri, Path path) {
     return new FileStatus(getLen(), isDir(), getReplication(),
         getBlockSize(), getModificationTime(),
         getAccessTime(),
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java
index 0f90e435a43..6199b8eb0d5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/HdfsLocatedFileStatus.java
@@ -67,7 +67,7 @@ public LocatedBlocks getBlockLocations() {
     return locations;
   }
 
-  final public LocatedFileStatus makeQualifiedLocated(URI defaultUri,
+  public final LocatedFileStatus makeQualifiedLocated(URI defaultUri,
       Path path) {
     return new LocatedFileStatus(getLen(), isDir(), getReplication(),
         getBlockSize(), getModificationTime(),

From 471b1368e2a81b4d9850f0f4d98d31df1451354c Mon Sep 17 00:00:00 2001
From: Vinayakumar B <vinayakumarb@apache.org>
Date: Wed, 13 Aug 2014 18:06:33 +0000
Subject: [PATCH 202/354] HDFS-6847. Avoid timeouts for replaceBlock() call by
 sending intermediate responses to Balancer (Contributed by Vinayakumar B.)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617784 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ++
 .../hdfs/server/balancer/Dispatcher.java      | 17 ++++------
 .../hdfs/server/datanode/BlockReceiver.java   | 32 ++++++++++++++++++-
 .../hdfs/server/datanode/DataXceiver.java     |  9 +++---
 .../src/main/proto/datatransfer.proto         |  1 +
 .../server/datanode/TestBlockReplacement.java |  6 ++--
 6 files changed, 50 insertions(+), 18 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 685cd6211d6..d1ed85182e7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -500,6 +500,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6830. BlockInfo.addStorage fails when DN changes the storage for a
     block replica (Arpit Agarwal)
 
+    HDFS-6847. Avoid timeouts for replaceBlock() call by sending intermediate
+    responses to Balancer (vinayakumarb)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
index 4a6f96be7e5..b7dceb6f48d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
@@ -87,8 +87,6 @@ public class Dispatcher {
 
   private static final int MAX_NO_PENDING_MOVE_ITERATIONS = 5;
   private static final long DELAY_AFTER_ERROR = 10 * 1000L; // 10 seconds
-  private static final int BLOCK_MOVE_READ_TIMEOUT = 20 * 60 * 1000; // 20
-                                                                     // minutes
 
   private final NameNodeConnector nnc;
   private final SaslDataTransferClient saslClient;
@@ -278,13 +276,6 @@ private void dispatch() {
         sock.connect(
             NetUtils.createSocketAddr(target.getDatanodeInfo().getXferAddr()),
             HdfsServerConstants.READ_TIMEOUT);
-        /*
-         * Unfortunately we don't have a good way to know if the Datanode is
-         * taking a really long time to move a block, OR something has gone
-         * wrong and it's never going to finish. To deal with this scenario, we
-         * set a long timeout (20 minutes) to avoid hanging indefinitely.
-         */
-        sock.setSoTimeout(BLOCK_MOVE_READ_TIMEOUT);
 
         sock.setKeepAlive(true);
 
@@ -341,8 +332,12 @@ private void sendRequest(DataOutputStream out, ExtendedBlock eb,
 
     /** Receive a block copy response from the input stream */
     private void receiveResponse(DataInputStream in) throws IOException {
-      BlockOpResponseProto response = BlockOpResponseProto
-          .parseFrom(vintPrefixed(in));
+      BlockOpResponseProto response =
+          BlockOpResponseProto.parseFrom(vintPrefixed(in));
+      while (response.getStatus() == Status.IN_PROGRESS) {
+        // read intermediate responses
+        response = BlockOpResponseProto.parseFrom(vintPrefixed(in));
+      }
       if (response.getStatus() != Status.SUCCESS) {
         if (response.getStatus() == Status.ERROR_ACCESS_TOKEN) {
           throw new IOException("block move failed due to access token error");
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
index fb7ecd69e9a..9dcd006ed51 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
@@ -45,6 +45,7 @@
 import org.apache.hadoop.hdfs.protocol.datatransfer.PacketHeader;
 import org.apache.hadoop.hdfs.protocol.datatransfer.PacketReceiver;
 import org.apache.hadoop.hdfs.protocol.datatransfer.PipelineAck;
+import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.BlockOpResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.Status;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.ReplicaInputStreams;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.ReplicaOutputStreams;
@@ -123,6 +124,14 @@ class BlockReceiver implements Closeable {
   private boolean syncOnClose;
   private long restartBudget;
 
+  /**
+   * for replaceBlock response
+   */
+  private final long responseInterval;
+  private long lastResponseTime = 0;
+  private boolean isReplaceBlock = false;
+  private DataOutputStream replyOut = null;
+
   BlockReceiver(final ExtendedBlock block, final StorageType storageType,
       final DataInputStream in,
       final String inAddr, final String myAddr,
@@ -144,6 +153,9 @@ class BlockReceiver implements Closeable {
       this.isClient = !this.isDatanode;
       this.restartBudget = datanode.getDnConf().restartReplicaExpiry;
       this.datanodeSlowLogThresholdMs = datanode.getDnConf().datanodeSlowIoWarningThresholdMs;
+      // For replaceBlock() calls response should be sent to avoid socketTimeout
+      // at clients. So sending with the interval of 0.5 * socketTimeout
+      this.responseInterval = (long) (datanode.getDnConf().socketTimeout * 0.5);
       //for datanode, we have
       //1: clientName.length() == 0, and
       //2: stage == null or PIPELINE_SETUP_CREATE
@@ -651,6 +663,20 @@ private int receivePacket() throws IOException {
           lastPacketInBlock, offsetInBlock, Status.SUCCESS);
     }
 
+    /*
+     * Send in-progress responses for the replaceBlock() calls back to caller to
+     * avoid timeouts due to balancer throttling. HDFS-6247
+     */
+    if (isReplaceBlock
+        && (Time.monotonicNow() - lastResponseTime > responseInterval)) {
+      BlockOpResponseProto.Builder response = BlockOpResponseProto.newBuilder()
+          .setStatus(Status.IN_PROGRESS);
+      response.build().writeDelimitedTo(replyOut);
+      replyOut.flush();
+
+      lastResponseTime = Time.monotonicNow();
+    }
+
     if (throttler != null) { // throttle I/O
       throttler.throttle(len);
     }
@@ -718,7 +744,8 @@ void receiveBlock(
       DataInputStream mirrIn,   // input from next datanode
       DataOutputStream replyOut,  // output to previous datanode
       String mirrAddr, DataTransferThrottler throttlerArg,
-      DatanodeInfo[] downstreams) throws IOException {
+      DatanodeInfo[] downstreams,
+      boolean isReplaceBlock) throws IOException {
 
       syncOnClose = datanode.getDnConf().syncOnClose;
       boolean responderClosed = false;
@@ -726,6 +753,9 @@ void receiveBlock(
       mirrorAddr = mirrAddr;
       throttler = throttlerArg;
 
+      this.replyOut = replyOut;
+      this.isReplaceBlock = isReplaceBlock;
+
     try {
       if (isClient && !isTransfer) {
         responder = new Daemon(datanode.threadGroup, 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
index 5ef6cc7ee22..01fe036f1d9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
@@ -708,7 +708,7 @@ public void writeBlock(final ExtendedBlock block,
       if (blockReceiver != null) {
         String mirrorAddr = (mirrorSock == null) ? null : mirrorNode;
         blockReceiver.receiveBlock(mirrorOut, mirrorIn, replyOut,
-            mirrorAddr, null, targets);
+            mirrorAddr, null, targets, false);
 
         // send close-ack for transfer-RBW/Finalized 
         if (isTransfer) {
@@ -983,7 +983,7 @@ public void replaceBlock(final ExtendedBlock block,
     String errMsg = null;
     BlockReceiver blockReceiver = null;
     DataInputStream proxyReply = null;
-    
+    DataOutputStream replyOut = new DataOutputStream(getOutputStream());
     try {
       // get the output stream to the proxy
       final String dnAddr = proxySource.getXferAddr(connectToDnViaHostname);
@@ -1040,8 +1040,8 @@ public void replaceBlock(final ExtendedBlock block,
           CachingStrategy.newDropBehind());
 
       // receive a block
-      blockReceiver.receiveBlock(null, null, null, null, 
-          dataXceiverServer.balanceThrottler, null);
+      blockReceiver.receiveBlock(null, null, replyOut, null, 
+          dataXceiverServer.balanceThrottler, null, true);
                     
       // notify name node
       datanode.notifyNamenodeReceivedBlock(
@@ -1076,6 +1076,7 @@ public void replaceBlock(final ExtendedBlock block,
       IOUtils.closeStream(proxyOut);
       IOUtils.closeStream(blockReceiver);
       IOUtils.closeStream(proxyReply);
+      IOUtils.closeStream(replyOut);
     }
 
     //update metrics
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
index 9b4ba339d23..6283b569dda 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
@@ -207,6 +207,7 @@ enum Status {
   OOB_RESERVED1 = 9;          // Reserved
   OOB_RESERVED2 = 10;         // Reserved
   OOB_RESERVED3 = 11;         // Reserved
+  IN_PROGRESS = 12;
 }
 
 message PipelineAckProto {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
index 478b6d1546b..e0d79648a88 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
@@ -272,8 +272,10 @@ private boolean replaceBlock( ExtendedBlock block, DatanodeInfo source,
     // receiveResponse
     DataInputStream reply = new DataInputStream(sock.getInputStream());
 
-    BlockOpResponseProto proto =
-      BlockOpResponseProto.parseDelimitedFrom(reply);
+    BlockOpResponseProto proto = BlockOpResponseProto.parseDelimitedFrom(reply);
+    while (proto.getStatus() == Status.IN_PROGRESS) {
+      proto = BlockOpResponseProto.parseDelimitedFrom(reply);
+    }
     return proto.getStatus() == Status.SUCCESS;
   }
 

From 6554994fab2d8a2a139fb71ed54be144f4057e08 Mon Sep 17 00:00:00 2001
From: Vinayakumar B <vinayakumarb@apache.org>
Date: Wed, 13 Aug 2014 18:36:51 +0000
Subject: [PATCH 203/354] Reverted Merged revision(s) 1617784 from
 hadoop/common/trunk: HDFS-6847. Avoid timeouts for replaceBlock() call by
 sending intermediate responses to Balancer (Contributed by Vinayakumar B.)
 ........

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617794 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 --
 .../hdfs/server/balancer/Dispatcher.java      | 17 ++++++----
 .../hdfs/server/datanode/BlockReceiver.java   | 32 +------------------
 .../hdfs/server/datanode/DataXceiver.java     |  9 +++---
 .../src/main/proto/datatransfer.proto         |  1 -
 .../server/datanode/TestBlockReplacement.java |  6 ++--
 6 files changed, 18 insertions(+), 50 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index d1ed85182e7..685cd6211d6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -500,9 +500,6 @@ Release 2.6.0 - UNRELEASED
     HDFS-6830. BlockInfo.addStorage fails when DN changes the storage for a
     block replica (Arpit Agarwal)
 
-    HDFS-6847. Avoid timeouts for replaceBlock() call by sending intermediate
-    responses to Balancer (vinayakumarb)
-
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
index b7dceb6f48d..4a6f96be7e5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
@@ -87,6 +87,8 @@ public class Dispatcher {
 
   private static final int MAX_NO_PENDING_MOVE_ITERATIONS = 5;
   private static final long DELAY_AFTER_ERROR = 10 * 1000L; // 10 seconds
+  private static final int BLOCK_MOVE_READ_TIMEOUT = 20 * 60 * 1000; // 20
+                                                                     // minutes
 
   private final NameNodeConnector nnc;
   private final SaslDataTransferClient saslClient;
@@ -276,6 +278,13 @@ private void dispatch() {
         sock.connect(
             NetUtils.createSocketAddr(target.getDatanodeInfo().getXferAddr()),
             HdfsServerConstants.READ_TIMEOUT);
+        /*
+         * Unfortunately we don't have a good way to know if the Datanode is
+         * taking a really long time to move a block, OR something has gone
+         * wrong and it's never going to finish. To deal with this scenario, we
+         * set a long timeout (20 minutes) to avoid hanging indefinitely.
+         */
+        sock.setSoTimeout(BLOCK_MOVE_READ_TIMEOUT);
 
         sock.setKeepAlive(true);
 
@@ -332,12 +341,8 @@ private void sendRequest(DataOutputStream out, ExtendedBlock eb,
 
     /** Receive a block copy response from the input stream */
     private void receiveResponse(DataInputStream in) throws IOException {
-      BlockOpResponseProto response =
-          BlockOpResponseProto.parseFrom(vintPrefixed(in));
-      while (response.getStatus() == Status.IN_PROGRESS) {
-        // read intermediate responses
-        response = BlockOpResponseProto.parseFrom(vintPrefixed(in));
-      }
+      BlockOpResponseProto response = BlockOpResponseProto
+          .parseFrom(vintPrefixed(in));
       if (response.getStatus() != Status.SUCCESS) {
         if (response.getStatus() == Status.ERROR_ACCESS_TOKEN) {
           throw new IOException("block move failed due to access token error");
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
index 9dcd006ed51..fb7ecd69e9a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
@@ -45,7 +45,6 @@
 import org.apache.hadoop.hdfs.protocol.datatransfer.PacketHeader;
 import org.apache.hadoop.hdfs.protocol.datatransfer.PacketReceiver;
 import org.apache.hadoop.hdfs.protocol.datatransfer.PipelineAck;
-import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.BlockOpResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.Status;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.ReplicaInputStreams;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.ReplicaOutputStreams;
@@ -124,14 +123,6 @@ class BlockReceiver implements Closeable {
   private boolean syncOnClose;
   private long restartBudget;
 
-  /**
-   * for replaceBlock response
-   */
-  private final long responseInterval;
-  private long lastResponseTime = 0;
-  private boolean isReplaceBlock = false;
-  private DataOutputStream replyOut = null;
-
   BlockReceiver(final ExtendedBlock block, final StorageType storageType,
       final DataInputStream in,
       final String inAddr, final String myAddr,
@@ -153,9 +144,6 @@ class BlockReceiver implements Closeable {
       this.isClient = !this.isDatanode;
       this.restartBudget = datanode.getDnConf().restartReplicaExpiry;
       this.datanodeSlowLogThresholdMs = datanode.getDnConf().datanodeSlowIoWarningThresholdMs;
-      // For replaceBlock() calls response should be sent to avoid socketTimeout
-      // at clients. So sending with the interval of 0.5 * socketTimeout
-      this.responseInterval = (long) (datanode.getDnConf().socketTimeout * 0.5);
       //for datanode, we have
       //1: clientName.length() == 0, and
       //2: stage == null or PIPELINE_SETUP_CREATE
@@ -663,20 +651,6 @@ private int receivePacket() throws IOException {
           lastPacketInBlock, offsetInBlock, Status.SUCCESS);
     }
 
-    /*
-     * Send in-progress responses for the replaceBlock() calls back to caller to
-     * avoid timeouts due to balancer throttling. HDFS-6247
-     */
-    if (isReplaceBlock
-        && (Time.monotonicNow() - lastResponseTime > responseInterval)) {
-      BlockOpResponseProto.Builder response = BlockOpResponseProto.newBuilder()
-          .setStatus(Status.IN_PROGRESS);
-      response.build().writeDelimitedTo(replyOut);
-      replyOut.flush();
-
-      lastResponseTime = Time.monotonicNow();
-    }
-
     if (throttler != null) { // throttle I/O
       throttler.throttle(len);
     }
@@ -744,8 +718,7 @@ void receiveBlock(
       DataInputStream mirrIn,   // input from next datanode
       DataOutputStream replyOut,  // output to previous datanode
       String mirrAddr, DataTransferThrottler throttlerArg,
-      DatanodeInfo[] downstreams,
-      boolean isReplaceBlock) throws IOException {
+      DatanodeInfo[] downstreams) throws IOException {
 
       syncOnClose = datanode.getDnConf().syncOnClose;
       boolean responderClosed = false;
@@ -753,9 +726,6 @@ void receiveBlock(
       mirrorAddr = mirrAddr;
       throttler = throttlerArg;
 
-      this.replyOut = replyOut;
-      this.isReplaceBlock = isReplaceBlock;
-
     try {
       if (isClient && !isTransfer) {
         responder = new Daemon(datanode.threadGroup, 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
index 01fe036f1d9..5ef6cc7ee22 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
@@ -708,7 +708,7 @@ public void writeBlock(final ExtendedBlock block,
       if (blockReceiver != null) {
         String mirrorAddr = (mirrorSock == null) ? null : mirrorNode;
         blockReceiver.receiveBlock(mirrorOut, mirrorIn, replyOut,
-            mirrorAddr, null, targets, false);
+            mirrorAddr, null, targets);
 
         // send close-ack for transfer-RBW/Finalized 
         if (isTransfer) {
@@ -983,7 +983,7 @@ public void replaceBlock(final ExtendedBlock block,
     String errMsg = null;
     BlockReceiver blockReceiver = null;
     DataInputStream proxyReply = null;
-    DataOutputStream replyOut = new DataOutputStream(getOutputStream());
+    
     try {
       // get the output stream to the proxy
       final String dnAddr = proxySource.getXferAddr(connectToDnViaHostname);
@@ -1040,8 +1040,8 @@ public void replaceBlock(final ExtendedBlock block,
           CachingStrategy.newDropBehind());
 
       // receive a block
-      blockReceiver.receiveBlock(null, null, replyOut, null, 
-          dataXceiverServer.balanceThrottler, null, true);
+      blockReceiver.receiveBlock(null, null, null, null, 
+          dataXceiverServer.balanceThrottler, null);
                     
       // notify name node
       datanode.notifyNamenodeReceivedBlock(
@@ -1076,7 +1076,6 @@ public void replaceBlock(final ExtendedBlock block,
       IOUtils.closeStream(proxyOut);
       IOUtils.closeStream(blockReceiver);
       IOUtils.closeStream(proxyReply);
-      IOUtils.closeStream(replyOut);
     }
 
     //update metrics
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
index 6283b569dda..9b4ba339d23 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
@@ -207,7 +207,6 @@ enum Status {
   OOB_RESERVED1 = 9;          // Reserved
   OOB_RESERVED2 = 10;         // Reserved
   OOB_RESERVED3 = 11;         // Reserved
-  IN_PROGRESS = 12;
 }
 
 message PipelineAckProto {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
index e0d79648a88..478b6d1546b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
@@ -272,10 +272,8 @@ private boolean replaceBlock( ExtendedBlock block, DatanodeInfo source,
     // receiveResponse
     DataInputStream reply = new DataInputStream(sock.getInputStream());
 
-    BlockOpResponseProto proto = BlockOpResponseProto.parseDelimitedFrom(reply);
-    while (proto.getStatus() == Status.IN_PROGRESS) {
-      proto = BlockOpResponseProto.parseDelimitedFrom(reply);
-    }
+    BlockOpResponseProto proto =
+      BlockOpResponseProto.parseDelimitedFrom(reply);
     return proto.getStatus() == Status.SUCCESS;
   }
 

From 195961a7c1da86421761162836766b1de07930fd Mon Sep 17 00:00:00 2001
From: Vinayakumar B <vinayakumarb@apache.org>
Date: Wed, 13 Aug 2014 18:43:05 +0000
Subject: [PATCH 204/354] HDFS-6247. Avoid timeouts for replaceBlock() call by
 sending intermediate responses to Balancer (vinayakumarb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617799 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ++
 .../hdfs/server/balancer/Dispatcher.java      | 17 ++++------
 .../hdfs/server/datanode/BlockReceiver.java   | 32 ++++++++++++++++++-
 .../hdfs/server/datanode/DataXceiver.java     |  9 +++---
 .../src/main/proto/datatransfer.proto         |  1 +
 .../server/datanode/TestBlockReplacement.java |  6 ++--
 6 files changed, 50 insertions(+), 18 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 685cd6211d6..9253b8b88a6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -500,6 +500,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6830. BlockInfo.addStorage fails when DN changes the storage for a
     block replica (Arpit Agarwal)
 
+    HDFS-6247. Avoid timeouts for replaceBlock() call by sending intermediate
+    responses to Balancer (vinayakumarb)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
index 4a6f96be7e5..b7dceb6f48d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/balancer/Dispatcher.java
@@ -87,8 +87,6 @@ public class Dispatcher {
 
   private static final int MAX_NO_PENDING_MOVE_ITERATIONS = 5;
   private static final long DELAY_AFTER_ERROR = 10 * 1000L; // 10 seconds
-  private static final int BLOCK_MOVE_READ_TIMEOUT = 20 * 60 * 1000; // 20
-                                                                     // minutes
 
   private final NameNodeConnector nnc;
   private final SaslDataTransferClient saslClient;
@@ -278,13 +276,6 @@ private void dispatch() {
         sock.connect(
             NetUtils.createSocketAddr(target.getDatanodeInfo().getXferAddr()),
             HdfsServerConstants.READ_TIMEOUT);
-        /*
-         * Unfortunately we don't have a good way to know if the Datanode is
-         * taking a really long time to move a block, OR something has gone
-         * wrong and it's never going to finish. To deal with this scenario, we
-         * set a long timeout (20 minutes) to avoid hanging indefinitely.
-         */
-        sock.setSoTimeout(BLOCK_MOVE_READ_TIMEOUT);
 
         sock.setKeepAlive(true);
 
@@ -341,8 +332,12 @@ private void sendRequest(DataOutputStream out, ExtendedBlock eb,
 
     /** Receive a block copy response from the input stream */
     private void receiveResponse(DataInputStream in) throws IOException {
-      BlockOpResponseProto response = BlockOpResponseProto
-          .parseFrom(vintPrefixed(in));
+      BlockOpResponseProto response =
+          BlockOpResponseProto.parseFrom(vintPrefixed(in));
+      while (response.getStatus() == Status.IN_PROGRESS) {
+        // read intermediate responses
+        response = BlockOpResponseProto.parseFrom(vintPrefixed(in));
+      }
       if (response.getStatus() != Status.SUCCESS) {
         if (response.getStatus() == Status.ERROR_ACCESS_TOKEN) {
           throw new IOException("block move failed due to access token error");
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
index fb7ecd69e9a..9dcd006ed51 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
@@ -45,6 +45,7 @@
 import org.apache.hadoop.hdfs.protocol.datatransfer.PacketHeader;
 import org.apache.hadoop.hdfs.protocol.datatransfer.PacketReceiver;
 import org.apache.hadoop.hdfs.protocol.datatransfer.PipelineAck;
+import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.BlockOpResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.Status;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.ReplicaInputStreams;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.ReplicaOutputStreams;
@@ -123,6 +124,14 @@ class BlockReceiver implements Closeable {
   private boolean syncOnClose;
   private long restartBudget;
 
+  /**
+   * for replaceBlock response
+   */
+  private final long responseInterval;
+  private long lastResponseTime = 0;
+  private boolean isReplaceBlock = false;
+  private DataOutputStream replyOut = null;
+
   BlockReceiver(final ExtendedBlock block, final StorageType storageType,
       final DataInputStream in,
       final String inAddr, final String myAddr,
@@ -144,6 +153,9 @@ class BlockReceiver implements Closeable {
       this.isClient = !this.isDatanode;
       this.restartBudget = datanode.getDnConf().restartReplicaExpiry;
       this.datanodeSlowLogThresholdMs = datanode.getDnConf().datanodeSlowIoWarningThresholdMs;
+      // For replaceBlock() calls response should be sent to avoid socketTimeout
+      // at clients. So sending with the interval of 0.5 * socketTimeout
+      this.responseInterval = (long) (datanode.getDnConf().socketTimeout * 0.5);
       //for datanode, we have
       //1: clientName.length() == 0, and
       //2: stage == null or PIPELINE_SETUP_CREATE
@@ -651,6 +663,20 @@ private int receivePacket() throws IOException {
           lastPacketInBlock, offsetInBlock, Status.SUCCESS);
     }
 
+    /*
+     * Send in-progress responses for the replaceBlock() calls back to caller to
+     * avoid timeouts due to balancer throttling. HDFS-6247
+     */
+    if (isReplaceBlock
+        && (Time.monotonicNow() - lastResponseTime > responseInterval)) {
+      BlockOpResponseProto.Builder response = BlockOpResponseProto.newBuilder()
+          .setStatus(Status.IN_PROGRESS);
+      response.build().writeDelimitedTo(replyOut);
+      replyOut.flush();
+
+      lastResponseTime = Time.monotonicNow();
+    }
+
     if (throttler != null) { // throttle I/O
       throttler.throttle(len);
     }
@@ -718,7 +744,8 @@ void receiveBlock(
       DataInputStream mirrIn,   // input from next datanode
       DataOutputStream replyOut,  // output to previous datanode
       String mirrAddr, DataTransferThrottler throttlerArg,
-      DatanodeInfo[] downstreams) throws IOException {
+      DatanodeInfo[] downstreams,
+      boolean isReplaceBlock) throws IOException {
 
       syncOnClose = datanode.getDnConf().syncOnClose;
       boolean responderClosed = false;
@@ -726,6 +753,9 @@ void receiveBlock(
       mirrorAddr = mirrAddr;
       throttler = throttlerArg;
 
+      this.replyOut = replyOut;
+      this.isReplaceBlock = isReplaceBlock;
+
     try {
       if (isClient && !isTransfer) {
         responder = new Daemon(datanode.threadGroup, 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
index 5ef6cc7ee22..01fe036f1d9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
@@ -708,7 +708,7 @@ public void writeBlock(final ExtendedBlock block,
       if (blockReceiver != null) {
         String mirrorAddr = (mirrorSock == null) ? null : mirrorNode;
         blockReceiver.receiveBlock(mirrorOut, mirrorIn, replyOut,
-            mirrorAddr, null, targets);
+            mirrorAddr, null, targets, false);
 
         // send close-ack for transfer-RBW/Finalized 
         if (isTransfer) {
@@ -983,7 +983,7 @@ public void replaceBlock(final ExtendedBlock block,
     String errMsg = null;
     BlockReceiver blockReceiver = null;
     DataInputStream proxyReply = null;
-    
+    DataOutputStream replyOut = new DataOutputStream(getOutputStream());
     try {
       // get the output stream to the proxy
       final String dnAddr = proxySource.getXferAddr(connectToDnViaHostname);
@@ -1040,8 +1040,8 @@ public void replaceBlock(final ExtendedBlock block,
           CachingStrategy.newDropBehind());
 
       // receive a block
-      blockReceiver.receiveBlock(null, null, null, null, 
-          dataXceiverServer.balanceThrottler, null);
+      blockReceiver.receiveBlock(null, null, replyOut, null, 
+          dataXceiverServer.balanceThrottler, null, true);
                     
       // notify name node
       datanode.notifyNamenodeReceivedBlock(
@@ -1076,6 +1076,7 @@ public void replaceBlock(final ExtendedBlock block,
       IOUtils.closeStream(proxyOut);
       IOUtils.closeStream(blockReceiver);
       IOUtils.closeStream(proxyReply);
+      IOUtils.closeStream(replyOut);
     }
 
     //update metrics
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
index 9b4ba339d23..6283b569dda 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/datatransfer.proto
@@ -207,6 +207,7 @@ enum Status {
   OOB_RESERVED1 = 9;          // Reserved
   OOB_RESERVED2 = 10;         // Reserved
   OOB_RESERVED3 = 11;         // Reserved
+  IN_PROGRESS = 12;
 }
 
 message PipelineAckProto {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
index 478b6d1546b..e0d79648a88 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockReplacement.java
@@ -272,8 +272,10 @@ private boolean replaceBlock( ExtendedBlock block, DatanodeInfo source,
     // receiveResponse
     DataInputStream reply = new DataInputStream(sock.getInputStream());
 
-    BlockOpResponseProto proto =
-      BlockOpResponseProto.parseDelimitedFrom(reply);
+    BlockOpResponseProto proto = BlockOpResponseProto.parseDelimitedFrom(reply);
+    while (proto.getStatus() == Status.IN_PROGRESS) {
+      proto = BlockOpResponseProto.parseDelimitedFrom(reply);
+    }
     return proto.getStatus() == Status.SUCCESS;
   }
 

From 6ab25dfcd9cedecd43c30039ace33d1c234a7b43 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Wed, 13 Aug 2014 19:10:24 +0000
Subject: [PATCH 205/354] HADOOP-8944. Shell command fs -count should include
 human readable option (Jonathan Allen via aw) (continued)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617802 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/hadoop/fs/TestContentSummary.java  | 248 ++++++++++++++++
 .../org/apache/hadoop/fs/shell/TestCount.java | 270 ++++++++++++++++++
 2 files changed, 518 insertions(+)
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestContentSummary.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/shell/TestCount.java

diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestContentSummary.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestContentSummary.java
new file mode 100644
index 00000000000..9c8a8a4e067
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestContentSummary.java
@@ -0,0 +1,248 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.fs;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
+
+import java.io.DataInput;
+import java.io.DataOutput;
+import java.io.IOException;
+
+import org.junit.Test;
+import org.mockito.InOrder;
+
+public class TestContentSummary {
+
+  // check the empty constructor correctly initialises the object
+  @Test
+  public void testConstructorEmpty() {
+    ContentSummary contentSummary = new ContentSummary();
+    assertEquals("getLength", 0, contentSummary.getLength());
+    assertEquals("getFileCount", 0, contentSummary.getFileCount());
+    assertEquals("getDirectoryCount", 0, contentSummary.getDirectoryCount());
+    assertEquals("getQuota", 0, contentSummary.getQuota());
+    assertEquals("getSpaceConsumed", 0, contentSummary.getSpaceConsumed());
+    assertEquals("getSpaceQuota", 0, contentSummary.getSpaceQuota());
+  }
+
+  // check the full constructor with quota information
+  @Test
+  public void testConstructorWithQuota() {
+    long length = 11111;
+    long fileCount = 22222;
+    long directoryCount = 33333;
+    long quota = 44444;
+    long spaceConsumed = 55555;
+    long spaceQuota = 66666;
+
+    ContentSummary contentSummary = new ContentSummary(length, fileCount,
+        directoryCount, quota, spaceConsumed, spaceQuota);
+    assertEquals("getLength", length, contentSummary.getLength());
+    assertEquals("getFileCount", fileCount, contentSummary.getFileCount());
+    assertEquals("getDirectoryCount", directoryCount,
+        contentSummary.getDirectoryCount());
+    assertEquals("getQuota", quota, contentSummary.getQuota());
+    assertEquals("getSpaceConsumed", spaceConsumed,
+        contentSummary.getSpaceConsumed());
+    assertEquals("getSpaceQuota", spaceQuota, contentSummary.getSpaceQuota());
+  }
+
+  // check the constructor with quota information
+  @Test
+  public void testConstructorNoQuota() {
+    long length = 11111;
+    long fileCount = 22222;
+    long directoryCount = 33333;
+
+    ContentSummary contentSummary = new ContentSummary(length, fileCount,
+        directoryCount);
+    assertEquals("getLength", length, contentSummary.getLength());
+    assertEquals("getFileCount", fileCount, contentSummary.getFileCount());
+    assertEquals("getDirectoryCount", directoryCount,
+        contentSummary.getDirectoryCount());
+    assertEquals("getQuota", -1, contentSummary.getQuota());
+    assertEquals("getSpaceConsumed", length, contentSummary.getSpaceConsumed());
+    assertEquals("getSpaceQuota", -1, contentSummary.getSpaceQuota());
+  }
+
+  // check the write method
+  @Test
+  public void testWrite() throws IOException {
+    long length = 11111;
+    long fileCount = 22222;
+    long directoryCount = 33333;
+    long quota = 44444;
+    long spaceConsumed = 55555;
+    long spaceQuota = 66666;
+
+    ContentSummary contentSummary = new ContentSummary(length, fileCount,
+        directoryCount, quota, spaceConsumed, spaceQuota);
+
+    DataOutput out = mock(DataOutput.class);
+    InOrder inOrder = inOrder(out);
+
+    contentSummary.write(out);
+    inOrder.verify(out).writeLong(length);
+    inOrder.verify(out).writeLong(fileCount);
+    inOrder.verify(out).writeLong(directoryCount);
+    inOrder.verify(out).writeLong(quota);
+    inOrder.verify(out).writeLong(spaceConsumed);
+    inOrder.verify(out).writeLong(spaceQuota);
+  }
+
+  // check the readFields method
+  @Test
+  public void testReadFields() throws IOException {
+    long length = 11111;
+    long fileCount = 22222;
+    long directoryCount = 33333;
+    long quota = 44444;
+    long spaceConsumed = 55555;
+    long spaceQuota = 66666;
+
+    ContentSummary contentSummary = new ContentSummary();
+
+    DataInput in = mock(DataInput.class);
+    when(in.readLong()).thenReturn(length).thenReturn(fileCount)
+        .thenReturn(directoryCount).thenReturn(quota).thenReturn(spaceConsumed)
+        .thenReturn(spaceQuota);
+
+    contentSummary.readFields(in);
+    assertEquals("getLength", length, contentSummary.getLength());
+    assertEquals("getFileCount", fileCount, contentSummary.getFileCount());
+    assertEquals("getDirectoryCount", directoryCount,
+        contentSummary.getDirectoryCount());
+    assertEquals("getQuota", quota, contentSummary.getQuota());
+    assertEquals("getSpaceConsumed", spaceConsumed,
+        contentSummary.getSpaceConsumed());
+    assertEquals("getSpaceQuota", spaceQuota, contentSummary.getSpaceQuota());
+  }
+
+  // check the header with quotas
+  @Test
+  public void testGetHeaderWithQuota() {
+    String header = "  name quota  rem name quota     space quota "
+        + "rem space quota  directories        files              bytes ";
+    assertEquals(header, ContentSummary.getHeader(true));
+  }
+
+  // check the header without quotas
+  @Test
+  public void testGetHeaderNoQuota() {
+    String header = " directories        files              bytes ";
+    assertEquals(header, ContentSummary.getHeader(false));
+  }
+
+  // check the toString method with quotas
+  @Test
+  public void testToStringWithQuota() {
+    long length = 11111;
+    long fileCount = 22222;
+    long directoryCount = 33333;
+    long quota = 44444;
+    long spaceConsumed = 55555;
+    long spaceQuota = 66665;
+
+    ContentSummary contentSummary = new ContentSummary(length, fileCount,
+        directoryCount, quota, spaceConsumed, spaceQuota);
+    String expected = "       44444          -11111           66665           11110"
+        + "        33333        22222              11111 ";
+    assertEquals(expected, contentSummary.toString(true));
+  }
+
+  // check the toString method with quotas
+  @Test
+  public void testToStringNoQuota() {
+    long length = 11111;
+    long fileCount = 22222;
+    long directoryCount = 33333;
+
+    ContentSummary contentSummary = new ContentSummary(length, fileCount,
+        directoryCount);
+    String expected = "        none             inf            none"
+        + "             inf        33333        22222              11111 ";
+    assertEquals(expected, contentSummary.toString(true));
+  }
+
+  // check the toString method with quotas
+  @Test
+  public void testToStringNoShowQuota() {
+    long length = 11111;
+    long fileCount = 22222;
+    long directoryCount = 33333;
+    long quota = 44444;
+    long spaceConsumed = 55555;
+    long spaceQuota = 66665;
+
+    ContentSummary contentSummary = new ContentSummary(length, fileCount,
+        directoryCount, quota, spaceConsumed, spaceQuota);
+    String expected = "       33333        22222              11111 ";
+    assertEquals(expected, contentSummary.toString(false));
+  }
+
+  // check the toString method (defaults to with quotas)
+  @Test
+  public void testToString() {
+    long length = 11111;
+    long fileCount = 22222;
+    long directoryCount = 33333;
+    long quota = 44444;
+    long spaceConsumed = 55555;
+    long spaceQuota = 66665;
+
+    ContentSummary contentSummary = new ContentSummary(length, fileCount,
+        directoryCount, quota, spaceConsumed, spaceQuota);
+    String expected = "       44444          -11111           66665"
+        + "           11110        33333        22222              11111 ";
+    assertEquals(expected, contentSummary.toString());
+  }
+
+  // check the toString method with quotas
+  @Test
+  public void testToStringHumanWithQuota() {
+    long length = Long.MAX_VALUE;
+    long fileCount = 222222222;
+    long directoryCount = 33333;
+    long quota = 222256578;
+    long spaceConsumed = 1073741825;
+    long spaceQuota = 1;
+
+    ContentSummary contentSummary = new ContentSummary(length, fileCount,
+        directoryCount, quota, spaceConsumed, spaceQuota);
+    String expected = "     212.0 M            1023               1 "
+        + "           -1 G       32.6 K      211.9 M              8.0 E ";
+    assertEquals(expected, contentSummary.toString(true, true));
+  }
+
+  // check the toString method with quotas
+  @Test
+  public void testToStringHumanNoShowQuota() {
+    long length = Long.MAX_VALUE;
+    long fileCount = 222222222;
+    long directoryCount = 33333;
+    long quota = 222256578;
+    long spaceConsumed = 55555;
+    long spaceQuota = Long.MAX_VALUE;
+
+    ContentSummary contentSummary = new ContentSummary(length, fileCount,
+        directoryCount, quota, spaceConsumed, spaceQuota);
+    String expected = "      32.6 K      211.9 M              8.0 E ";
+    assertEquals(expected, contentSummary.toString(false, true));
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/shell/TestCount.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/shell/TestCount.java
new file mode 100644
index 00000000000..6c753c6a8f4
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/shell/TestCount.java
@@ -0,0 +1,270 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.fs.shell;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
+
+import java.io.PrintStream;
+import java.io.IOException;
+import java.net.URI;
+import java.util.LinkedList;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.ContentSummary;
+import org.apache.hadoop.fs.FileStatus;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FilterFileSystem;
+import org.apache.hadoop.fs.Path;
+import org.junit.Test;
+import org.junit.Before;
+import org.junit.BeforeClass;
+
+/**
+ * JUnit test class for {@link org.apache.hadoop.fs.shell.Count}
+ * 
+ */
+public class TestCount {
+  private static final String WITH_QUOTAS = "Content summary with quotas";
+  private static final String NO_QUOTAS = "Content summary without quotas";
+  private static final String HUMAN = "human: ";
+  private static final String BYTES = "bytes: ";
+  private static Configuration conf;
+  private static FileSystem mockFs;
+  private static FileStatus fileStat;
+  private static ContentSummary mockCs;
+
+  @BeforeClass
+  public static void setup() {
+    conf = new Configuration();
+    conf.setClass("fs.mockfs.impl", MockFileSystem.class, FileSystem.class);
+    mockFs = mock(FileSystem.class);
+    fileStat = mock(FileStatus.class);
+    mockCs = mock(ContentSummary.class);
+    when(fileStat.isFile()).thenReturn(true);
+  }
+
+  @Before
+  public void resetMock() {
+    reset(mockFs);
+  }
+
+  @Test
+  public void processOptionsHumanReadable() {
+    LinkedList<String> options = new LinkedList<String>();
+    options.add("-h");
+    options.add("dummy");
+    Count count = new Count();
+    count.processOptions(options);
+    assertFalse(count.isShowQuotas());
+    assertTrue(count.isHumanReadable());
+  }
+
+  @Test
+  public void processOptionsAll() {
+    LinkedList<String> options = new LinkedList<String>();
+    options.add("-q");
+    options.add("-h");
+    options.add("dummy");
+    Count count = new Count();
+    count.processOptions(options);
+    assertTrue(count.isShowQuotas());
+    assertTrue(count.isHumanReadable());
+  }
+
+  // check quotas are reported correctly
+  @Test
+  public void processPathShowQuotas() throws Exception {
+    Path path = new Path("mockfs:/test");
+
+    when(mockFs.getFileStatus(eq(path))).thenReturn(fileStat);
+    PathData pathData = new PathData(path.toString(), conf);
+
+    PrintStream out = mock(PrintStream.class);
+
+    Count count = new Count();
+    count.out = out;
+
+    LinkedList<String> options = new LinkedList<String>();
+    options.add("-q");
+    options.add("dummy");
+    count.processOptions(options);
+
+    count.processPath(pathData);
+    verify(out).println(BYTES + WITH_QUOTAS + path.toString());
+    verifyNoMoreInteractions(out);
+  }
+
+  // check counts without quotas are reported correctly
+  @Test
+  public void processPathNoQuotas() throws Exception {
+    Path path = new Path("mockfs:/test");
+
+    when(mockFs.getFileStatus(eq(path))).thenReturn(fileStat);
+    PathData pathData = new PathData(path.toString(), conf);
+
+    PrintStream out = mock(PrintStream.class);
+
+    Count count = new Count();
+    count.out = out;
+
+    LinkedList<String> options = new LinkedList<String>();
+    options.add("dummy");
+    count.processOptions(options);
+
+    count.processPath(pathData);
+    verify(out).println(BYTES + NO_QUOTAS + path.toString());
+    verifyNoMoreInteractions(out);
+  }
+
+  @Test
+  public void processPathShowQuotasHuman() throws Exception {
+    Path path = new Path("mockfs:/test");
+
+    when(mockFs.getFileStatus(eq(path))).thenReturn(fileStat);
+    PathData pathData = new PathData(path.toString(), conf);
+
+    PrintStream out = mock(PrintStream.class);
+
+    Count count = new Count();
+    count.out = out;
+
+    LinkedList<String> options = new LinkedList<String>();
+    options.add("-q");
+    options.add("-h");
+    options.add("dummy");
+    count.processOptions(options);
+
+    count.processPath(pathData);
+    verify(out).println(HUMAN + WITH_QUOTAS + path.toString());
+  }
+
+  @Test
+  public void processPathNoQuotasHuman() throws Exception {
+    Path path = new Path("mockfs:/test");
+
+    when(mockFs.getFileStatus(eq(path))).thenReturn(fileStat);
+    PathData pathData = new PathData(path.toString(), conf);
+
+    PrintStream out = mock(PrintStream.class);
+
+    Count count = new Count();
+    count.out = out;
+
+    LinkedList<String> options = new LinkedList<String>();
+    options.add("-h");
+    options.add("dummy");
+    count.processOptions(options);
+
+    count.processPath(pathData);
+    verify(out).println(HUMAN + NO_QUOTAS + path.toString());
+  }
+
+  @Test
+  public void getCommandName() {
+    Count count = new Count();
+    String actual = count.getCommandName();
+    String expected = "count";
+    assertEquals("Count.getCommandName", expected, actual);
+  }
+
+  @Test
+  public void isDeprecated() {
+    Count count = new Count();
+    boolean actual = count.isDeprecated();
+    boolean expected = false;
+    assertEquals("Count.isDeprecated", expected, actual);
+  }
+
+  @Test
+  public void getReplacementCommand() {
+    Count count = new Count();
+    String actual = count.getReplacementCommand();
+    String expected = null;
+    assertEquals("Count.getReplacementCommand", expected, actual);
+  }
+
+  @Test
+  public void getName() {
+    Count count = new Count();
+    String actual = count.getName();
+    String expected = "count";
+    assertEquals("Count.getName", expected, actual);
+  }
+
+  @Test
+  public void getUsage() {
+    Count count = new Count();
+    String actual = count.getUsage();
+    String expected = "-count [-q] [-h] <path> ...";
+    assertEquals("Count.getUsage", expected, actual);
+  }
+
+
+  // mock content system
+  static class MockContentSummary extends ContentSummary {
+    
+    public MockContentSummary() {}
+
+    @Override
+    public String toString(boolean qOption, boolean hOption) {
+      if (qOption) {
+        if (hOption) {
+          return(HUMAN + WITH_QUOTAS);
+        } else {
+          return(BYTES + WITH_QUOTAS);
+        }
+      } else {
+        if (hOption) {
+          return(HUMAN + NO_QUOTAS);
+        } else {
+          return(BYTES + NO_QUOTAS);
+        }
+      }
+    }
+  }
+
+  // mock file system for use in testing
+  static class MockFileSystem extends FilterFileSystem {
+    Configuration conf;
+
+    MockFileSystem() {
+      super(mockFs);
+    }
+
+    @Override
+    public void initialize(URI uri, Configuration conf) {
+      this.conf = conf;
+    }
+
+    @Override
+    public Path makeQualified(Path path) {
+      return path;
+    }
+
+    @Override
+    public ContentSummary getContentSummary(Path f) throws IOException {
+      return new MockContentSummary();
+    }
+
+    @Override
+    public Configuration getConf() {
+      return conf;
+    }
+  }
+}

From cc93c1fd759cecda57cd558b670c5fbcbca9b2e0 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Wed, 13 Aug 2014 19:18:50 +0000
Subject: [PATCH 206/354] MAPREDUCE-5944. Remove MRv1 commands from
 CommandsManual.apt.vm (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617804 13f79535-47bb-0310-9956-ffa450edef68
---
 .../src/site/apt/CommandsManual.apt.vm        | 35 -------------------
 hadoop-mapreduce-project/CHANGES.txt          |  3 ++
 2 files changed, 3 insertions(+), 35 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
index 5ca5c2c5eb2..1e76bafec59 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
@@ -314,35 +314,6 @@ Administration Commands
    Deprecated, use {{{../hadoop-hdfs/HDFSCommands.html#dfsadmin}
    <<<hdfs dfsadmin>>>}} instead.
 
-* <<<mradmin>>>
-
-   Runs MR admin client
-
-   Usage: <<<hadoop mradmin [ GENERIC_OPTIONS ] [-refreshQueueAcls]>>>
-
-*-------------------+-----------------------------------------------------------+
-|| COMMAND_OPTION   || Description
-*-------------------+-----------------------------------------------------------+
-| -refreshQueueAcls | Refresh the queue acls used by hadoop, to check access
-                    | during submissions and administration of the job by the
-                    | user. The properties present in mapred-queue-acls.xml is
-                    | reloaded by the queue manager.
-*-------------------+-----------------------------------------------------------+
-
-* <<<jobtracker>>>
-
-   Runs the MapReduce job Tracker node.
-
-   Usage: <<<hadoop jobtracker [-dumpConfiguration]>>>
-
-*--------------------+-----------------------------------------------------------+
-|| COMMAND_OPTION    || Description
-*--------------------+-----------------------------------------------------------+
-| -dumpConfiguration | Dumps the configuration used by the JobTracker alongwith
-                     | queue configuration in JSON format into Standard output
-                     | used by the jobtracker and exits.
-*--------------------+-----------------------------------------------------------+
-
 * <<<namenode>>>
 
    Deprecated, use {{{../hadoop-hdfs/HDFSCommands.html#namenode}
@@ -352,9 +323,3 @@ Administration Commands
 
    Deprecated, use {{{../hadoop-hdfs/HDFSCommands.html#secondarynamenode}
    <<<hdfs secondarynamenode>>>}} instead.
-
-* <<<tasktracker>>>
-
-   Runs a MapReduce task Tracker node.
-
-   Usage: <<<hadoop tasktracker>>>
diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 5bb579745a0..a683526ae60 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -151,6 +151,9 @@ Trunk (Unreleased)
     MAPREDUCE-5867. Fix NPE in KillAMPreemptionPolicy related to 
     ProportionalCapacityPreemptionPolicy (Sunil G via devaraj)
 
+    MAPREDUCE-5944. Remove MRv1 commands from CommandsManual.apt.vm 
+      (Akira AJISAKA via aw)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES

From e51a5d691b004d49f7426d943568170126323929 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Wed, 13 Aug 2014 19:34:26 +0000
Subject: [PATCH 207/354] MAPREDUCE-5943. Separate mapred commands from
 CommandManual.apt.vm (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617806 13f79535-47bb-0310-9956-ffa450edef68
---
 .../src/site/apt/CommandsManual.apt.vm        | 131 ++--------
 hadoop-mapreduce-project/CHANGES.txt          |   3 +
 .../src/site/apt/MapredCommands.apt.vm        | 224 ++++++++++++++++++
 hadoop-project/src/site/site.xml              |   1 +
 4 files changed, 242 insertions(+), 117 deletions(-)
 create mode 100644 hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/MapredCommands.apt.vm

diff --git a/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
index 1e76bafec59..dd4eb0a3f6a 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm
@@ -81,36 +81,15 @@ User Commands
 
 * <<<archive>>>
 
-   Creates a hadoop archive. More information can be found at Hadoop
-   Archives.
-
-   Usage: <<<hadoop archive -archiveName NAME <src>* <dest> >>>
-
-*-------------------+-------------------------------------------------------+
-||COMMAND_OPTION    ||                   Description
-*-------------------+-------------------------------------------------------+
-| -archiveName NAME |  Name of the archive to be created.
-*-------------------+-------------------------------------------------------+
-| src               | Filesystem pathnames which work as usual with regular
-                    | expressions.
-*-------------------+-------------------------------------------------------+
-| dest              | Destination directory which would contain the archive.
-*-------------------+-------------------------------------------------------+
+   Creates a hadoop archive. More information can be found at
+   {{{../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/HadoopArchives.html}
+   Hadoop Archives Guide}}.
 
 * <<<distcp>>>
 
    Copy file or directories recursively. More information can be found at
-   Hadoop DistCp Guide.
-
-   Usage: <<<hadoop distcp <srcurl> <desturl> >>>
-
-*-------------------+--------------------------------------------+
-||COMMAND_OPTION    || Description
-*-------------------+--------------------------------------------+
-| srcurl            | Source Url
-*-------------------+--------------------------------------------+
-| desturl           | Destination Url
-*-------------------+--------------------------------------------+
+   {{{../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/DistCp.html}
+   Hadoop DistCp Guide}}.
 
 * <<<fs>>>
 
@@ -142,103 +121,21 @@ User Commands
 
 * <<<job>>>
 
-   Command to interact with Map Reduce Jobs.
-
-   Usage: <<<hadoop job [GENERIC_OPTIONS] [-submit <job-file>] | [-status <job-id>] | [-counter <job-id> <group-name> <counter-name>] | [-kill <job-id>] | [-events <job-id> <from-event-#> <#-of-events>] | [-history [all] <jobOutputDir>] | [-list [all]] | [-kill-task <task-id>] | [-fail-task <task-id>] | [-set-priority <job-id> <priority>]>>>
-
-*------------------------------+---------------------------------------------+
-|| COMMAND_OPTION              || Description
-*------------------------------+---------------------------------------------+
-| -submit <job-file>           | Submits the job.
-*------------------------------+---------------------------------------------+
-| -status <job-id>             | Prints the map and reduce completion
-                               | percentage and all job counters.
-*------------------------------+---------------------------------------------+
-| -counter <job-id> <group-name> <counter-name> | Prints the counter value.
-*------------------------------+---------------------------------------------+
-| -kill <job-id>               | Kills the job.
-*------------------------------+---------------------------------------------+
-| -events <job-id> <from-event-#> <#-of-events> | Prints the events' details
-                               | received by jobtracker for the given range.
-*------------------------------+---------------------------------------------+
-| -history [all]<jobOutputDir> | Prints job details, failed and killed tip
-                               | details.  More details about the job such as
-                               | successful tasks and task attempts made for
-                               | each task can be viewed by specifying the [all]
-                               | option.
-*------------------------------+---------------------------------------------+
-| -list [all]                  | Displays jobs which are yet to complete.
-                               | <<<-list all>>> displays all jobs.
-*------------------------------+---------------------------------------------+
-| -kill-task <task-id>         | Kills the task. Killed tasks are NOT counted
-                               | against failed attempts.
-*------------------------------+---------------------------------------------+
-| -fail-task <task-id>         | Fails the task. Failed tasks are counted
-                               | against failed attempts.
-*------------------------------+---------------------------------------------+
-| -set-priority <job-id> <priority> | Changes the priority of the job. Allowed
-                               | priority values are VERY_HIGH, HIGH, NORMAL,
-                               | LOW, VERY_LOW
-*------------------------------+---------------------------------------------+
+   Deprecated. Use
+   {{{../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapredCommands.html#job}
+   <<<mapred job>>>}} instead.
 
 * <<<pipes>>>
 
-   Runs a pipes job.
-
-   Usage: <<<hadoop pipes [-conf <path>] [-jobconf <key=value>, <key=value>,
-   ...] [-input <path>] [-output <path>] [-jar <jar file>] [-inputformat
-   <class>] [-map <class>] [-partitioner <class>] [-reduce <class>] [-writer
-   <class>] [-program <executable>] [-reduces <num>]>>>
- 
-*----------------------------------------+------------------------------------+
-|| COMMAND_OPTION                        || Description
-*----------------------------------------+------------------------------------+
-| -conf <path>                           | Configuration for job
-*----------------------------------------+------------------------------------+
-| -jobconf <key=value>, <key=value>, ... | Add/override configuration for job
-*----------------------------------------+------------------------------------+
-| -input <path>                          | Input directory
-*----------------------------------------+------------------------------------+
-| -output <path>                         | Output directory
-*----------------------------------------+------------------------------------+
-| -jar <jar file>                        | Jar filename
-*----------------------------------------+------------------------------------+
-| -inputformat <class>                   | InputFormat class
-*----------------------------------------+------------------------------------+
-| -map <class>                           | Java Map class
-*----------------------------------------+------------------------------------+
-| -partitioner <class>                   | Java Partitioner
-*----------------------------------------+------------------------------------+
-| -reduce <class>                        | Java Reduce class
-*----------------------------------------+------------------------------------+
-| -writer <class>                        | Java RecordWriter
-*----------------------------------------+------------------------------------+
-| -program <executable>                  | Executable URI
-*----------------------------------------+------------------------------------+
-| -reduces <num>                         | Number of reduces
-*----------------------------------------+------------------------------------+
+   Deprecated. Use
+   {{{../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapredCommands.html#pipes}
+   <<<mapred pipes>>>}} instead.
 
 * <<<queue>>>
 
-   command to interact and view Job Queue information
-
-   Usage: <<<hadoop queue [-list] | [-info <job-queue-name> [-showJobs]] | [-showacls]>>>
-
-*-----------------+-----------------------------------------------------------+
-|| COMMAND_OPTION || Description
-*-----------------+-----------------------------------------------------------+
-| -list           | Gets list of Job Queues configured in the system.
-                  | Along with scheduling information associated with the job queues.
-*-----------------+-----------------------------------------------------------+
-| -info <job-queue-name> [-showJobs] | Displays the job queue information and
-                  | associated scheduling information of particular job queue.
-                  | If <<<-showJobs>>> options is present a list of jobs
-                  | submitted to the particular job queue is displayed.
-*-----------------+-----------------------------------------------------------+
-| -showacls       | Displays the queue name and associated queue operations
-                  | allowed for the current user. The list consists of only
-                  | those queues to which the user has access.
-*-----------------+-----------------------------------------------------------+
+   Deprecated. Use
+   {{{../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapredCommands.html#queue}
+   <<<mapred queue>>>}} instead.
 
 * <<<version>>>
 
diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index a683526ae60..22ca1b54e9b 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -154,6 +154,9 @@ Trunk (Unreleased)
     MAPREDUCE-5944. Remove MRv1 commands from CommandsManual.apt.vm 
       (Akira AJISAKA via aw)
 
+    MAPREDUCE-5943. Separate mapred commands from CommandManual.apt.vm
+      (Akira AJISAKA via aw)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/MapredCommands.apt.vm b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/MapredCommands.apt.vm
new file mode 100644
index 00000000000..795eb344e64
--- /dev/null
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/MapredCommands.apt.vm
@@ -0,0 +1,224 @@
+~~ Licensed to the Apache Software Foundation (ASF) under one or more
+~~ contributor license agreements.  See the NOTICE file distributed with
+~~ this work for additional information regarding copyright ownership.
+~~ The ASF licenses this file to You under the Apache License, Version 2.0
+~~ (the "License"); you may not use this file except in compliance with
+~~ the License.  You may obtain a copy of the License at
+~~
+~~     http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing, software
+~~ distributed under the License is distributed on an "AS IS" BASIS,
+~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+~~ See the License for the specific language governing permissions and
+~~ limitations under the License.
+
+  ---
+  MapReduce Commands Guide
+  ---
+  ---
+  ${maven.build.timestamp}
+
+MapReduce Commands Guide
+
+%{toc|section=1|fromDepth=2|toDepth=4}
+
+* Overview
+
+  MapReduce commands are invoked by the <<<bin/mapred>>> script. Running the
+  script without any arguments prints the description for all commands.
+
+   Usage: <<<mapred [--config confdir] COMMAND>>>
+
+   MapReduce has an option parsing framework that employs parsing generic
+   options as well as running classes.
+
+*-------------------------+---------------------------------------------------+
+|| COMMAND_OPTIONS        || Description                                      |
+*-------------------------+---------------------------------------------------+
+| --config confdir | Overwrites the default Configuration directory. Default
+|                  | is $\{HADOOP_PREFIX\}/conf.
+*-------------------------+---------------------------------------------------+
+| COMMAND COMMAND_OPTIONS | Various commands with their options are described
+|                         | in the following sections. The commands have been
+|                         | grouped into {{User Commands}} and
+|                         | {{Administration Commands}}.
+*-------------------------+---------------------------------------------------+
+
+* User Commands
+
+   Commands useful for users of a hadoop cluster.
+
+** <<<pipes>>>
+
+   Runs a pipes job.
+
+   Usage: <<<mapred pipes [-conf <path>] [-jobconf <key=value>, <key=value>,
+   ...] [-input <path>] [-output <path>] [-jar <jar file>] [-inputformat
+   <class>] [-map <class>] [-partitioner <class>] [-reduce <class>] [-writer
+   <class>] [-program <executable>] [-reduces <num>]>>>
+
+*----------------------------------------+------------------------------------+
+|| COMMAND_OPTION                        || Description
+*----------------------------------------+------------------------------------+
+| -conf <path>                           | Configuration for job
+*----------------------------------------+------------------------------------+
+| -jobconf <key=value>, <key=value>, ... | Add/override configuration for job
+*----------------------------------------+------------------------------------+
+| -input <path>                          | Input directory
+*----------------------------------------+------------------------------------+
+| -output <path>                         | Output directory
+*----------------------------------------+------------------------------------+
+| -jar <jar file>                        | Jar filename
+*----------------------------------------+------------------------------------+
+| -inputformat <class>                   | InputFormat class
+*----------------------------------------+------------------------------------+
+| -map <class>                           | Java Map class
+*----------------------------------------+------------------------------------+
+| -partitioner <class>                   | Java Partitioner
+*----------------------------------------+------------------------------------+
+| -reduce <class>                        | Java Reduce class
+*----------------------------------------+------------------------------------+
+| -writer <class>                        | Java RecordWriter
+*----------------------------------------+------------------------------------+
+| -program <executable>                  | Executable URI
+*----------------------------------------+------------------------------------+
+| -reduces <num>                         | Number of reduces
+*----------------------------------------+------------------------------------+
+
+** <<<job>>>
+
+   Command to interact with Map Reduce Jobs.
+
+   Usage: <<<mapred job
+          | [{{{../../hadoop-project-dist/hadoop-common/CommandsManual.html#Generic_Options}GENERIC_OPTIONS}}]
+          | [-submit <job-file>]
+          | [-status <job-id>]
+          | [-counter <job-id> <group-name> <counter-name>]
+          | [-kill <job-id>]
+          | [-events <job-id> <from-event-#> <#-of-events>]
+          | [-history [all] <jobOutputDir>] | [-list [all]]
+          | [-kill-task <task-id>] | [-fail-task <task-id>]
+          | [-set-priority <job-id> <priority>]>>>
+
+*------------------------------+---------------------------------------------+
+|| COMMAND_OPTION              || Description
+*------------------------------+---------------------------------------------+
+| -submit <job-file>           | Submits the job.
+*------------------------------+---------------------------------------------+
+| -status <job-id>             | Prints the map and reduce completion
+                               | percentage and all job counters.
+*------------------------------+---------------------------------------------+
+| -counter <job-id> <group-name> <counter-name> | Prints the counter value.
+*------------------------------+---------------------------------------------+
+| -kill <job-id>               | Kills the job.
+*------------------------------+---------------------------------------------+
+| -events <job-id> <from-event-#> <#-of-events> | Prints the events' details
+                               | received by jobtracker for the given range.
+*------------------------------+---------------------------------------------+
+| -history [all]<jobOutputDir> | Prints job details, failed and killed tip
+                               | details.  More details about the job such as
+                               | successful tasks and task attempts made for
+                               | each task can be viewed by specifying the
+                               | [all] option.
+*------------------------------+---------------------------------------------+
+| -list [all]                  | Displays jobs which are yet to complete.
+                               | <<<-list all>>> displays all jobs.
+*------------------------------+---------------------------------------------+
+| -kill-task <task-id>         | Kills the task. Killed tasks are NOT counted
+                               | against failed attempts.
+*------------------------------+---------------------------------------------+
+| -fail-task <task-id>         | Fails the task. Failed tasks are counted
+                               | against failed attempts.
+*------------------------------+---------------------------------------------+
+| -set-priority <job-id> <priority> | Changes the priority of the job. Allowed
+                               | priority values are VERY_HIGH, HIGH, NORMAL,
+                               | LOW, VERY_LOW
+*------------------------------+---------------------------------------------+
+
+** <<<queue>>>
+
+   command to interact and view Job Queue information
+
+   Usage: <<<mapred queue [-list] | [-info <job-queue-name> [-showJobs]]
+          | [-showacls]>>>
+
+*-----------------+-----------------------------------------------------------+
+|| COMMAND_OPTION || Description
+*-----------------+-----------------------------------------------------------+
+| -list           | Gets list of Job Queues configured in the system.
+                  | Along with scheduling information associated with the job
+                  | queues.
+*-----------------+-----------------------------------------------------------+
+| -info <job-queue-name> [-showJobs] | Displays the job queue information and
+                  | associated scheduling information of particular job queue.
+                  | If <<<-showJobs>>> options is present a list of jobs
+                  | submitted to the particular job queue is displayed.
+*-----------------+-----------------------------------------------------------+
+| -showacls       | Displays the queue name and associated queue operations
+                  | allowed for the current user. The list consists of only
+                  | those queues to which the user has access.
+*-----------------+-----------------------------------------------------------+
+
+** <<<classpath>>>
+
+   Prints the class path needed to get the Hadoop jar and the required
+   libraries.
+
+   Usage: <<<mapred classpath>>>
+
+** <<<distcp>>>
+
+   Copy file or directories recursively. More information can be found at
+   {{{./DistCp.html}Hadoop DistCp Guide}}.
+
+** <<<archive>>>
+
+   Creates a hadoop archive. More information can be found at
+   {{{./HadoopArchives.html}Hadoop Archives Guide}}.
+
+* Administration Commands
+
+   Commands useful for administrators of a hadoop cluster.
+
+** <<<historyserver>>>
+
+   Start JobHistoryServer.
+
+   Usage: <<<mapred historyserver>>>
+
+** <<<hsadmin>>>
+
+   Runs a MapReduce hsadmin client for execute JobHistoryServer administrative
+   commands.
+
+   Usage: <<<mapred hsadmin
+          [-refreshUserToGroupsMappings] |
+          [-refreshSuperUserGroupsConfiguration] |
+          [-refreshAdminAcls] |
+          [-refreshLoadedJobCache] |
+          [-refreshLogRetentionSettings] |
+          [-refreshJobRetentionSettings] |
+          [-getGroups [username]] | [-help [cmd]]>>>
+
+*-----------------+-----------------------------------------------------------+
+|| COMMAND_OPTION || Description
+*-----------------+-----------------------------------------------------------+
+| -refreshUserToGroupsMappings | Refresh user-to-groups mappings
+*-----------------+-----------------------------------------------------------+
+| -refreshSuperUserGroupsConfiguration| Refresh superuser proxy groups mappings
+*-----------------+-----------------------------------------------------------+
+| -refreshAdminAcls | Refresh acls for administration of Job history server
+*-----------------+-----------------------------------------------------------+
+| -refreshLoadedJobCache | Refresh loaded job cache of Job history server
+*-----------------+-----------------------------------------------------------+
+| -refreshJobRetentionSettings|Refresh job history period, job cleaner settings
+*-----------------+-----------------------------------------------------------+
+| -refreshLogRetentionSettings | Refresh log retention period and log retention
+|                              | check interval
+*-----------------+-----------------------------------------------------------+
+| -getGroups [username] | Get the groups which given user belongs to
+*-----------------+-----------------------------------------------------------+
+| -help [cmd] | Displays help for the given command or all commands if none is
+|             | specified.
+*-----------------+-----------------------------------------------------------+
diff --git a/hadoop-project/src/site/site.xml b/hadoop-project/src/site/site.xml
index 89f230fbc27..37e0153ec8f 100644
--- a/hadoop-project/src/site/site.xml
+++ b/hadoop-project/src/site/site.xml
@@ -95,6 +95,7 @@
 
     <menu name="MapReduce" inherit="top">
       <item name="MapReduce Tutorial" href="hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapReduceTutorial.html"/>
+      <item name="MapReduce Commands Reference" href="hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapredCommands.html"/>
       <item name="Compatibilty between Hadoop 1.x and Hadoop 2.x" href="hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapReduce_Compatibility_Hadoop1_Hadoop2.html"/>
       <item name="Encrypted Shuffle" href="hadoop-mapreduce-client/hadoop-mapreduce-client-core/EncryptedShuffle.html"/>
       <item name="Pluggable Shuffle/Sort" href="hadoop-mapreduce-client/hadoop-mapreduce-client-core/PluggableShuffleAndPluggableSort.html"/>

From 2f3ed504c1d5721185eb8244e7368df651ac72c1 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Wed, 13 Aug 2014 20:01:21 +0000
Subject: [PATCH 208/354] HADOOP-10966. Hadoop Common native compilation broken
 in windows. (Contributed by David Villegas)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617823 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt               | 3 +++
 .../main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c  | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 547f2318feb..6a0fbc596e4 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -575,6 +575,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10962. Flags for posix_fadvise are not valid in some architectures
     (David Villegas via Colin Patrick McCabe)
 
+    HADOOP-10966. Hadoop Common native compilation broken in windows.
+    (David Villegas via Arpit Agarwal)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
index fa95047394f..d8538c8b0be 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/io/nativeio/NativeIO.c
@@ -176,6 +176,7 @@ static void nioe_deinit(JNIEnv *env) {
  * If the value is not known, return the argument unchanged.
  */
 static int map_fadvise_flag(jint flag) {
+#ifdef HAVE_POSIX_FADVISE
   switch(flag) {
     case org_apache_hadoop_io_nativeio_NativeIO_POSIX_POSIX_FADV_NORMAL:
       return POSIX_FADV_NORMAL;
@@ -198,6 +199,9 @@ static int map_fadvise_flag(jint flag) {
     default:
       return flag;
   }
+#else
+  return flag;
+#endif
 }
 
 /*

From 065d9ec5d93e37b4bbd6fd27cb411dc58b0fb686 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Wed, 13 Aug 2014 20:27:50 +0000
Subject: [PATCH 209/354] HDFS-6849. Replace HttpFS custom proxyuser handling
 with common implementation. (tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617831 13f79535-47bb-0310-9956-ffa450edef68
---
 .../server/HttpFSAuthenticationFilter.java    |  10 +
 .../http/server/HttpFSParametersProvider.java | 108 +++------
 .../hadoop/fs/http/server/HttpFSServer.java   | 144 ++++-------
 .../fs/http/server/HttpFSServerWebApp.java    |   4 -
 .../apache/hadoop/lib/service/ProxyUser.java  |  31 ---
 .../service/security/ProxyUserService.java    | 179 --------------
 .../apache/hadoop/lib/wsrs/UserProvider.java  | 109 ---------
 .../src/main/resources/httpfs-default.xml     |   6 +-
 .../security/TestProxyUserService.java        | 226 ------------------
 .../hadoop/lib/wsrs/TestUserProvider.java     | 142 -----------
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 11 files changed, 93 insertions(+), 869 deletions(-)
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/ProxyUser.java
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/security/ProxyUserService.java
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/wsrs/UserProvider.java
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/service/security/TestProxyUserService.java
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/wsrs/TestUserProvider.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java
index d65616d45c6..8b332fc6e9a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java
@@ -91,4 +91,14 @@ protected Properties getConfiguration(String configPrefix,
     return props;
   }
 
+  protected Configuration getProxyuserConfiguration(FilterConfig filterConfig) {
+    Map<String, String> proxyuserConf = HttpFSServerWebApp.get().getConfig().
+        getValByRegex("httpfs\\.proxyuser\\.");
+    Configuration conf = new Configuration(false);
+    for (Map.Entry<String, String> entry : proxyuserConf.entrySet()) {
+      conf.set(entry.getKey().substring("httpfs.".length()), entry.getValue());
+    }
+    return conf;
+  }
+
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSParametersProvider.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSParametersProvider.java
index 84910d5de78..9b0be9bfc0f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSParametersProvider.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSParametersProvider.java
@@ -30,8 +30,6 @@
 import org.apache.hadoop.lib.wsrs.ParametersProvider;
 import org.apache.hadoop.lib.wsrs.ShortParam;
 import org.apache.hadoop.lib.wsrs.StringParam;
-import org.apache.hadoop.lib.wsrs.UserProvider;
-import org.slf4j.MDC;
 
 import javax.ws.rs.ext.Provider;
 import java.util.HashMap;
@@ -53,57 +51,44 @@ public class HttpFSParametersProvider extends ParametersProvider {
 
   static {
     PARAMS_DEF.put(Operation.OPEN,
-      new Class[]{DoAsParam.class, OffsetParam.class, LenParam.class});
-    PARAMS_DEF.put(Operation.GETFILESTATUS, new Class[]{DoAsParam.class});
-    PARAMS_DEF.put(Operation.LISTSTATUS,
-      new Class[]{DoAsParam.class, FilterParam.class});
-    PARAMS_DEF.put(Operation.GETHOMEDIRECTORY, new Class[]{DoAsParam.class});
-    PARAMS_DEF.put(Operation.GETCONTENTSUMMARY, new Class[]{DoAsParam.class});
-    PARAMS_DEF.put(Operation.GETFILECHECKSUM, new Class[]{DoAsParam.class});
-    PARAMS_DEF.put(Operation.GETFILEBLOCKLOCATIONS,
-      new Class[]{DoAsParam.class});
-    PARAMS_DEF.put(Operation.GETACLSTATUS, new Class[]{DoAsParam.class});
-    PARAMS_DEF.put(Operation.INSTRUMENTATION, new Class[]{DoAsParam.class});
-    PARAMS_DEF.put(Operation.APPEND,
-      new Class[]{DoAsParam.class, DataParam.class});
+        new Class[]{OffsetParam.class, LenParam.class});
+    PARAMS_DEF.put(Operation.GETFILESTATUS, new Class[]{});
+    PARAMS_DEF.put(Operation.LISTSTATUS, new Class[]{FilterParam.class});
+    PARAMS_DEF.put(Operation.GETHOMEDIRECTORY, new Class[]{});
+    PARAMS_DEF.put(Operation.GETCONTENTSUMMARY, new Class[]{});
+    PARAMS_DEF.put(Operation.GETFILECHECKSUM, new Class[]{});
+    PARAMS_DEF.put(Operation.GETFILEBLOCKLOCATIONS, new Class[]{});
+    PARAMS_DEF.put(Operation.GETACLSTATUS, new Class[]{});
+    PARAMS_DEF.put(Operation.INSTRUMENTATION, new Class[]{});
+    PARAMS_DEF.put(Operation.APPEND, new Class[]{DataParam.class});
     PARAMS_DEF.put(Operation.CONCAT, new Class[]{SourcesParam.class});
     PARAMS_DEF.put(Operation.CREATE,
-      new Class[]{DoAsParam.class, PermissionParam.class, OverwriteParam.class,
+      new Class[]{PermissionParam.class, OverwriteParam.class,
                   ReplicationParam.class, BlockSizeParam.class, DataParam.class});
-    PARAMS_DEF.put(Operation.MKDIRS,
-      new Class[]{DoAsParam.class, PermissionParam.class});
-    PARAMS_DEF.put(Operation.RENAME,
-      new Class[]{DoAsParam.class, DestinationParam.class});
+    PARAMS_DEF.put(Operation.MKDIRS, new Class[]{PermissionParam.class});
+    PARAMS_DEF.put(Operation.RENAME, new Class[]{DestinationParam.class});
     PARAMS_DEF.put(Operation.SETOWNER,
-      new Class[]{DoAsParam.class, OwnerParam.class, GroupParam.class});
-    PARAMS_DEF.put(Operation.SETPERMISSION,
-      new Class[]{DoAsParam.class, PermissionParam.class});
+        new Class[]{OwnerParam.class, GroupParam.class});
+    PARAMS_DEF.put(Operation.SETPERMISSION, new Class[]{PermissionParam.class});
     PARAMS_DEF.put(Operation.SETREPLICATION,
-      new Class[]{DoAsParam.class, ReplicationParam.class});
+        new Class[]{ReplicationParam.class});
     PARAMS_DEF.put(Operation.SETTIMES,
-      new Class[]{DoAsParam.class, ModifiedTimeParam.class,
-                  AccessTimeParam.class});
-    PARAMS_DEF.put(Operation.DELETE,
-      new Class[]{DoAsParam.class, RecursiveParam.class});
-    PARAMS_DEF.put(Operation.SETACL,
-            new Class[]{DoAsParam.class, AclPermissionParam.class});
-    PARAMS_DEF.put(Operation.REMOVEACL,
-            new Class[]{DoAsParam.class});
+        new Class[]{ModifiedTimeParam.class, AccessTimeParam.class});
+    PARAMS_DEF.put(Operation.DELETE, new Class[]{RecursiveParam.class});
+    PARAMS_DEF.put(Operation.SETACL, new Class[]{AclPermissionParam.class});
+    PARAMS_DEF.put(Operation.REMOVEACL, new Class[]{});
     PARAMS_DEF.put(Operation.MODIFYACLENTRIES,
-            new Class[]{DoAsParam.class, AclPermissionParam.class});
+        new Class[]{AclPermissionParam.class});
     PARAMS_DEF.put(Operation.REMOVEACLENTRIES,
-            new Class[]{DoAsParam.class, AclPermissionParam.class});
-    PARAMS_DEF.put(Operation.REMOVEDEFAULTACL,
-            new Class[]{DoAsParam.class});
+        new Class[]{AclPermissionParam.class});
+    PARAMS_DEF.put(Operation.REMOVEDEFAULTACL, new Class[]{});
     PARAMS_DEF.put(Operation.SETXATTR,
-      new Class[]{DoAsParam.class, XAttrNameParam.class, XAttrValueParam.class, 
+        new Class[]{XAttrNameParam.class, XAttrValueParam.class,
                   XAttrSetFlagParam.class});
-    PARAMS_DEF.put(Operation.REMOVEXATTR, 
-      new Class[]{DoAsParam.class, XAttrNameParam.class});
+    PARAMS_DEF.put(Operation.REMOVEXATTR, new Class[]{XAttrNameParam.class});
     PARAMS_DEF.put(Operation.GETXATTRS, 
-      new Class[]{DoAsParam.class, XAttrNameParam.class, XAttrEncodingParam.class});
-    PARAMS_DEF.put(Operation.LISTXATTRS,
-      new Class[]{DoAsParam.class});
+        new Class[]{XAttrNameParam.class, XAttrEncodingParam.class});
+    PARAMS_DEF.put(Operation.LISTXATTRS, new Class[]{});
   }
 
   public HttpFSParametersProvider() {
@@ -205,41 +190,6 @@ public RecursiveParam() {
     }
   }
 
-  /**
-   * Class for do-as parameter.
-   */
-  @InterfaceAudience.Private
-  public static class DoAsParam extends StringParam {
-
-    /**
-     * Parameter name.
-     */
-    public static final String NAME = HttpFSFileSystem.DO_AS_PARAM;
-
-    /**
-     * Constructor.
-     */
-    public DoAsParam() {
-      super(NAME, null, UserProvider.getUserPattern());
-    }
-
-    /**
-     * Delegates to parent and then adds do-as user to
-     * MDC context for logging purposes.
-     *
-     *
-     * @param str parameter value.
-     *
-     * @return parsed parameter
-     */
-    @Override
-    public String parseParam(String str) {
-      String doAs = super.parseParam(str);
-      MDC.put(getName(), (doAs != null) ? doAs : "-");
-      return doAs;
-    }
-  }
-
   /**
    * Class for filter parameter.
    */
@@ -275,7 +225,7 @@ public static class GroupParam extends StringParam {
      * Constructor.
      */
     public GroupParam() {
-      super(NAME, null, UserProvider.getUserPattern());
+      super(NAME, null);
     }
 
   }
@@ -371,7 +321,7 @@ public static class OwnerParam extends StringParam {
      * Constructor.
      */
     public OwnerParam() {
-      super(NAME, null, UserProvider.getUserPattern());
+      super(NAME, null);
     }
 
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
index 000d34ec037..db113611ae3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
@@ -29,7 +29,6 @@
 import org.apache.hadoop.fs.http.server.HttpFSParametersProvider.BlockSizeParam;
 import org.apache.hadoop.fs.http.server.HttpFSParametersProvider.DataParam;
 import org.apache.hadoop.fs.http.server.HttpFSParametersProvider.DestinationParam;
-import org.apache.hadoop.fs.http.server.HttpFSParametersProvider.DoAsParam;
 import org.apache.hadoop.fs.http.server.HttpFSParametersProvider.FilterParam;
 import org.apache.hadoop.fs.http.server.HttpFSParametersProvider.GroupParam;
 import org.apache.hadoop.fs.http.server.HttpFSParametersProvider.LenParam;
@@ -50,12 +49,11 @@
 import org.apache.hadoop.lib.service.FileSystemAccessException;
 import org.apache.hadoop.lib.service.Groups;
 import org.apache.hadoop.lib.service.Instrumentation;
-import org.apache.hadoop.lib.service.ProxyUser;
 import org.apache.hadoop.lib.servlet.FileSystemReleaseFilter;
-import org.apache.hadoop.lib.servlet.HostnameFilter;
 import org.apache.hadoop.lib.wsrs.InputStreamEntity;
 import org.apache.hadoop.lib.wsrs.Parameters;
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;
 import org.json.simple.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -79,7 +77,6 @@
 import java.io.InputStream;
 import java.net.URI;
 import java.security.AccessControlException;
-import java.security.Principal;
 import java.text.MessageFormat;
 import java.util.EnumSet;
 import java.util.List;
@@ -96,49 +93,11 @@
 public class HttpFSServer {
   private static Logger AUDIT_LOG = LoggerFactory.getLogger("httpfsaudit");
 
-  /**
-   * Resolves the effective user that will be used to request a FileSystemAccess filesystem.
-   * <p/>
-   * If the doAs-user is NULL or the same as the user, it returns the user.
-   * <p/>
-   * Otherwise it uses proxyuser rules (see {@link ProxyUser} to determine if the
-   * current user can impersonate the doAs-user.
-   * <p/>
-   * If the current user cannot impersonate the doAs-user an
-   * <code>AccessControlException</code> will be thrown.
-   *
-   * @param user principal for whom the filesystem instance is.
-   * @param doAs do-as user, if any.
-   *
-   * @return the effective user.
-   *
-   * @throws IOException thrown if an IO error occurrs.
-   * @throws AccessControlException thrown if the current user cannot impersonate
-   * the doAs-user.
-   */
-  private String getEffectiveUser(Principal user, String doAs) throws IOException {
-    String effectiveUser = user.getName();
-    if (doAs != null && !doAs.equals(user.getName())) {
-      ProxyUser proxyUser = HttpFSServerWebApp.get().get(ProxyUser.class);
-      String proxyUserName;
-      if (user instanceof AuthenticationToken) {
-        proxyUserName = ((AuthenticationToken)user).getUserName();
-      } else {
-        proxyUserName = user.getName();
-      }
-      proxyUser.validate(proxyUserName, HostnameFilter.get(), doAs);
-      effectiveUser = doAs;
-      AUDIT_LOG.info("Proxy user [{}] DoAs user [{}]", proxyUserName, doAs);
-    }
-    return effectiveUser;
-  }
-
   /**
    * Executes a {@link FileSystemAccess.FileSystemExecutor} using a filesystem for the effective
    * user.
    *
-   * @param user principal making the request.
-   * @param doAs do-as user, if any.
+   * @param ugi user making the request.
    * @param executor FileSystemExecutor to execute.
    *
    * @return FileSystemExecutor response
@@ -147,12 +106,11 @@ private String getEffectiveUser(Principal user, String doAs) throws IOException
    * @throws FileSystemAccessException thrown if a FileSystemAccess releated error occurred. Thrown
    * exceptions are handled by {@link HttpFSExceptionProvider}.
    */
-  private <T> T fsExecute(Principal user, String doAs, FileSystemAccess.FileSystemExecutor<T> executor)
+  private <T> T fsExecute(UserGroupInformation ugi, FileSystemAccess.FileSystemExecutor<T> executor)
     throws IOException, FileSystemAccessException {
-    String hadoopUser = getEffectiveUser(user, doAs);
     FileSystemAccess fsAccess = HttpFSServerWebApp.get().get(FileSystemAccess.class);
     Configuration conf = HttpFSServerWebApp.get().get(FileSystemAccess.class).getFileSystemConfiguration();
-    return fsAccess.execute(hadoopUser, conf, executor);
+    return fsAccess.execute(ugi.getShortUserName(), conf, executor);
   }
 
   /**
@@ -162,8 +120,7 @@ private <T> T fsExecute(Principal user, String doAs, FileSystemAccess.FileSystem
    * If a do-as user is specified, the current user must be a valid proxyuser, otherwise an
    * <code>AccessControlException</code> will be thrown.
    *
-   * @param user principal for whom the filesystem instance is.
-   * @param doAs do-as user, if any.
+   * @param ugi principal for whom the filesystem instance is.
    *
    * @return a filesystem for the specified user or do-as user.
    *
@@ -172,8 +129,9 @@ private <T> T fsExecute(Principal user, String doAs, FileSystemAccess.FileSystem
    * @throws FileSystemAccessException thrown if a FileSystemAccess releated error occurred. Thrown
    * exceptions are handled by {@link HttpFSExceptionProvider}.
    */
-  private FileSystem createFileSystem(Principal user, String doAs) throws IOException, FileSystemAccessException {
-    String hadoopUser = getEffectiveUser(user, doAs);
+  private FileSystem createFileSystem(UserGroupInformation ugi)
+      throws IOException, FileSystemAccessException {
+    String hadoopUser = ugi.getShortUserName();
     FileSystemAccess fsAccess = HttpFSServerWebApp.get().get(FileSystemAccess.class);
     Configuration conf = HttpFSServerWebApp.get().get(FileSystemAccess.class).getFileSystemConfiguration();
     FileSystem fs = fsAccess.createFileSystem(hadoopUser, conf);
@@ -192,7 +150,6 @@ private void enforceRootPath(HttpFSFileSystem.Operation op, String path) {
   /**
    * Special binding for '/' as it is not handled by the wildcard binding.
    *
-   * @param user the principal of the user making the request.
    * @param op the HttpFS operation of the request.
    * @param params the HttpFS parameters of the request.
    *
@@ -206,11 +163,10 @@ private void enforceRootPath(HttpFSFileSystem.Operation op, String path) {
    */
   @GET
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getRoot(@Context Principal user,
-                          @QueryParam(OperationParam.NAME) OperationParam op,
+  public Response getRoot(@QueryParam(OperationParam.NAME) OperationParam op,
                           @Context Parameters params)
     throws IOException, FileSystemAccessException {
-    return get(user, "", op, params);
+    return get("", op, params);
   }
 
   private String makeAbsolute(String path) {
@@ -220,7 +176,6 @@ private String makeAbsolute(String path) {
   /**
    * Binding to handle GET requests, supported operations are
    *
-   * @param user the principal of the user making the request.
    * @param path the path for operation.
    * @param op the HttpFS operation of the request.
    * @param params the HttpFS parameters of the request.
@@ -236,21 +191,20 @@ private String makeAbsolute(String path) {
   @GET
   @Path("{path:.*}")
   @Produces({MediaType.APPLICATION_OCTET_STREAM, MediaType.APPLICATION_JSON})
-  public Response get(@Context Principal user,
-                      @PathParam("path") String path,
+  public Response get(@PathParam("path") String path,
                       @QueryParam(OperationParam.NAME) OperationParam op,
                       @Context Parameters params)
     throws IOException, FileSystemAccessException {
+    UserGroupInformation user = HttpUserGroupInformation.get();
     Response response;
     path = makeAbsolute(path);
     MDC.put(HttpFSFileSystem.OP_PARAM, op.value().name());
-    String doAs = params.get(DoAsParam.NAME, DoAsParam.class);
     switch (op.value()) {
       case OPEN: {
         //Invoking the command directly using an unmanaged FileSystem that is
         // released by the FileSystemReleaseFilter
         FSOperations.FSOpen command = new FSOperations.FSOpen(path);
-        FileSystem fs = createFileSystem(user, doAs);
+        FileSystem fs = createFileSystem(user);
         InputStream is = command.execute(fs);
         Long offset = params.get(OffsetParam.NAME, OffsetParam.class);
         Long len = params.get(LenParam.NAME, LenParam.class);
@@ -264,7 +218,7 @@ public Response get(@Context Principal user,
       case GETFILESTATUS: {
         FSOperations.FSFileStatus command =
           new FSOperations.FSFileStatus(path);
-        Map json = fsExecute(user, doAs, command);
+        Map json = fsExecute(user, command);
         AUDIT_LOG.info("[{}]", path);
         response = Response.ok(json).type(MediaType.APPLICATION_JSON).build();
         break;
@@ -273,7 +227,7 @@ public Response get(@Context Principal user,
         String filter = params.get(FilterParam.NAME, FilterParam.class);
         FSOperations.FSListStatus command = new FSOperations.FSListStatus(
           path, filter);
-        Map json = fsExecute(user, doAs, command);
+        Map json = fsExecute(user, command);
         AUDIT_LOG.info("[{}] filter [{}]", path,
                        (filter != null) ? filter : "-");
         response = Response.ok(json).type(MediaType.APPLICATION_JSON).build();
@@ -282,7 +236,7 @@ public Response get(@Context Principal user,
       case GETHOMEDIRECTORY: {
         enforceRootPath(op.value(), path);
         FSOperations.FSHomeDir command = new FSOperations.FSHomeDir();
-        JSONObject json = fsExecute(user, doAs, command);
+        JSONObject json = fsExecute(user, command);
         AUDIT_LOG.info("");
         response = Response.ok(json).type(MediaType.APPLICATION_JSON).build();
         break;
@@ -290,7 +244,7 @@ public Response get(@Context Principal user,
       case INSTRUMENTATION: {
         enforceRootPath(op.value(), path);
         Groups groups = HttpFSServerWebApp.get().get(Groups.class);
-        List<String> userGroups = groups.getGroups(user.getName());
+        List<String> userGroups = groups.getGroups(user.getShortUserName());
         if (!userGroups.contains(HttpFSServerWebApp.get().getAdminGroup())) {
           throw new AccessControlException(
             "User not in HttpFSServer admin group");
@@ -304,7 +258,7 @@ public Response get(@Context Principal user,
       case GETCONTENTSUMMARY: {
         FSOperations.FSContentSummary command =
           new FSOperations.FSContentSummary(path);
-        Map json = fsExecute(user, doAs, command);
+        Map json = fsExecute(user, command);
         AUDIT_LOG.info("[{}]", path);
         response = Response.ok(json).type(MediaType.APPLICATION_JSON).build();
         break;
@@ -312,7 +266,7 @@ public Response get(@Context Principal user,
       case GETFILECHECKSUM: {
         FSOperations.FSFileChecksum command =
           new FSOperations.FSFileChecksum(path);
-        Map json = fsExecute(user, doAs, command);
+        Map json = fsExecute(user, command);
         AUDIT_LOG.info("[{}]", path);
         response = Response.ok(json).type(MediaType.APPLICATION_JSON).build();
         break;
@@ -324,7 +278,7 @@ public Response get(@Context Principal user,
       case GETACLSTATUS: {
         FSOperations.FSAclStatus command =
                 new FSOperations.FSAclStatus(path);
-        Map json = fsExecute(user, doAs, command);
+        Map json = fsExecute(user, command);
         AUDIT_LOG.info("ACL status for [{}]", path);
         response = Response.ok(json).type(MediaType.APPLICATION_JSON).build();
         break;
@@ -337,7 +291,7 @@ public Response get(@Context Principal user,
         FSOperations.FSGetXAttrs command = new FSOperations.FSGetXAttrs(path, 
             xattrNames, encoding);
         @SuppressWarnings("rawtypes")
-        Map json = fsExecute(user, doAs, command);
+        Map json = fsExecute(user, command);
         AUDIT_LOG.info("XAttrs for [{}]", path);
         response = Response.ok(json).type(MediaType.APPLICATION_JSON).build();
         break;
@@ -345,7 +299,7 @@ public Response get(@Context Principal user,
       case LISTXATTRS: {
         FSOperations.FSListXAttrs command = new FSOperations.FSListXAttrs(path);
         @SuppressWarnings("rawtypes")
-        Map json = fsExecute(user, doAs, command);
+        Map json = fsExecute(user, command);
         AUDIT_LOG.info("XAttr names for [{}]", path);
         response = Response.ok(json).type(MediaType.APPLICATION_JSON).build();
         break;
@@ -363,7 +317,6 @@ public Response get(@Context Principal user,
   /**
    * Binding to handle DELETE requests.
    *
-   * @param user the principal of the user making the request.
    * @param path the path for operation.
    * @param op the HttpFS operation of the request.
    * @param params the HttpFS parameters of the request.
@@ -379,15 +332,14 @@ public Response get(@Context Principal user,
   @DELETE
   @Path("{path:.*}")
   @Produces(MediaType.APPLICATION_JSON)
-  public Response delete(@Context Principal user,
-                      @PathParam("path") String path,
-                      @QueryParam(OperationParam.NAME) OperationParam op,
-                      @Context Parameters params)
+  public Response delete(@PathParam("path") String path,
+                         @QueryParam(OperationParam.NAME) OperationParam op,
+                         @Context Parameters params)
     throws IOException, FileSystemAccessException {
+    UserGroupInformation user = HttpUserGroupInformation.get();
     Response response;
     path = makeAbsolute(path);
     MDC.put(HttpFSFileSystem.OP_PARAM, op.value().name());
-    String doAs = params.get(DoAsParam.NAME, DoAsParam.class);
     switch (op.value()) {
       case DELETE: {
         Boolean recursive =
@@ -395,7 +347,7 @@ public Response delete(@Context Principal user,
         AUDIT_LOG.info("[{}] recursive [{}]", path, recursive);
         FSOperations.FSDelete command =
           new FSOperations.FSDelete(path, recursive);
-        JSONObject json = fsExecute(user, doAs, command);
+        JSONObject json = fsExecute(user, command);
         response = Response.ok(json).type(MediaType.APPLICATION_JSON).build();
         break;
       }
@@ -412,7 +364,6 @@ public Response delete(@Context Principal user,
    * Binding to handle POST requests.
    *
    * @param is the inputstream for the request payload.
-   * @param user the principal of the user making the request.
    * @param uriInfo the of the request.
    * @param path the path for operation.
    * @param op the HttpFS operation of the request.
@@ -431,18 +382,17 @@ public Response delete(@Context Principal user,
   @Consumes({"*/*"})
   @Produces({MediaType.APPLICATION_JSON})
   public Response post(InputStream is,
-                       @Context Principal user,
                        @Context UriInfo uriInfo,
                        @PathParam("path") String path,
                        @QueryParam(OperationParam.NAME) OperationParam op,
                        @Context Parameters params)
     throws IOException, FileSystemAccessException {
+    UserGroupInformation user = HttpUserGroupInformation.get();
     Response response;
     path = makeAbsolute(path);
     MDC.put(HttpFSFileSystem.OP_PARAM, op.value().name());
     switch (op.value()) {
       case APPEND: {
-        String doAs = params.get(DoAsParam.NAME, DoAsParam.class);
         Boolean hasData = params.get(DataParam.NAME, DataParam.class);
         if (!hasData) {
           response = Response.temporaryRedirect(
@@ -451,7 +401,7 @@ public Response post(InputStream is,
         } else {
           FSOperations.FSAppend command =
             new FSOperations.FSAppend(is, path);
-          fsExecute(user, doAs, command);
+          fsExecute(user, command);
           AUDIT_LOG.info("[{}]", path);
           response = Response.ok().type(MediaType.APPLICATION_JSON).build();
         }
@@ -463,7 +413,7 @@ public Response post(InputStream is,
 
         FSOperations.FSConcat command =
             new FSOperations.FSConcat(path, sources.split(","));
-        fsExecute(user, null, command);
+        fsExecute(user, command);
         AUDIT_LOG.info("[{}]", path);
         System.out.println("SENT RESPONSE");
         response = Response.ok().build();
@@ -498,7 +448,6 @@ protected URI createUploadRedirectionURL(UriInfo uriInfo, Enum<?> uploadOperatio
    * Binding to handle PUT requests.
    *
    * @param is the inputstream for the request payload.
-   * @param user the principal of the user making the request.
    * @param uriInfo the of the request.
    * @param path the path for operation.
    * @param op the HttpFS operation of the request.
@@ -517,16 +466,15 @@ protected URI createUploadRedirectionURL(UriInfo uriInfo, Enum<?> uploadOperatio
   @Consumes({"*/*"})
   @Produces({MediaType.APPLICATION_JSON})
   public Response put(InputStream is,
-                       @Context Principal user,
                        @Context UriInfo uriInfo,
                        @PathParam("path") String path,
                        @QueryParam(OperationParam.NAME) OperationParam op,
                        @Context Parameters params)
     throws IOException, FileSystemAccessException {
+    UserGroupInformation user = HttpUserGroupInformation.get();
     Response response;
     path = makeAbsolute(path);
     MDC.put(HttpFSFileSystem.OP_PARAM, op.value().name());
-    String doAs = params.get(DoAsParam.NAME, DoAsParam.class);
     switch (op.value()) {
       case CREATE: {
         Boolean hasData = params.get(DataParam.NAME, DataParam.class);
@@ -546,7 +494,7 @@ public Response put(InputStream is,
           FSOperations.FSCreate command =
             new FSOperations.FSCreate(is, path, permission, override,
                                       replication, blockSize);
-          fsExecute(user, doAs, command);
+          fsExecute(user, command);
           AUDIT_LOG.info(
             "[{}] permission [{}] override [{}] replication [{}] blockSize [{}]",
             new Object[]{path, permission, override, replication, blockSize});
@@ -564,7 +512,7 @@ public Response put(InputStream is,
 
         FSOperations.FSSetXAttr command = new FSOperations.FSSetXAttr(
             path, xattrName, xattrValue, flag);
-        fsExecute(user, doAs, command);
+        fsExecute(user, command);
         AUDIT_LOG.info("[{}] to xAttr [{}]", path, xattrName);
         response = Response.ok().build();
         break;
@@ -573,7 +521,7 @@ public Response put(InputStream is,
         String xattrName = params.get(XAttrNameParam.NAME, XAttrNameParam.class);
         FSOperations.FSRemoveXAttr command = new FSOperations.FSRemoveXAttr(
             path, xattrName);
-        fsExecute(user, doAs, command);
+        fsExecute(user, command);
         AUDIT_LOG.info("[{}] removed xAttr [{}]", path, xattrName);
         response = Response.ok().build();
         break;
@@ -583,7 +531,7 @@ public Response put(InputStream is,
                                        PermissionParam.class);
         FSOperations.FSMkdirs command =
           new FSOperations.FSMkdirs(path, permission);
-        JSONObject json = fsExecute(user, doAs, command);
+        JSONObject json = fsExecute(user, command);
         AUDIT_LOG.info("[{}] permission [{}]", path, permission);
         response = Response.ok(json).type(MediaType.APPLICATION_JSON).build();
         break;
@@ -592,7 +540,7 @@ public Response put(InputStream is,
         String toPath = params.get(DestinationParam.NAME, DestinationParam.class);
         FSOperations.FSRename command =
           new FSOperations.FSRename(path, toPath);
-        JSONObject json = fsExecute(user, doAs, command);
+        JSONObject json = fsExecute(user, command);
         AUDIT_LOG.info("[{}] to [{}]", path, toPath);
         response = Response.ok(json).type(MediaType.APPLICATION_JSON).build();
         break;
@@ -602,7 +550,7 @@ public Response put(InputStream is,
         String group = params.get(GroupParam.NAME, GroupParam.class);
         FSOperations.FSSetOwner command =
           new FSOperations.FSSetOwner(path, owner, group);
-        fsExecute(user, doAs, command);
+        fsExecute(user, command);
         AUDIT_LOG.info("[{}] to (O/G)[{}]", path, owner + ":" + group);
         response = Response.ok().build();
         break;
@@ -612,7 +560,7 @@ public Response put(InputStream is,
                                       PermissionParam.class);
         FSOperations.FSSetPermission command =
           new FSOperations.FSSetPermission(path, permission);
-        fsExecute(user, doAs, command);
+        fsExecute(user, command);
         AUDIT_LOG.info("[{}] to [{}]", path, permission);
         response = Response.ok().build();
         break;
@@ -622,7 +570,7 @@ public Response put(InputStream is,
                                        ReplicationParam.class);
         FSOperations.FSSetReplication command =
           new FSOperations.FSSetReplication(path, replication);
-        JSONObject json = fsExecute(user, doAs, command);
+        JSONObject json = fsExecute(user, command);
         AUDIT_LOG.info("[{}] to [{}]", path, replication);
         response = Response.ok(json).build();
         break;
@@ -634,7 +582,7 @@ public Response put(InputStream is,
                                      AccessTimeParam.class);
         FSOperations.FSSetTimes command =
           new FSOperations.FSSetTimes(path, modifiedTime, accessTime);
-        fsExecute(user, doAs, command);
+        fsExecute(user, command);
         AUDIT_LOG.info("[{}] to (M/A)[{}]", path,
                        modifiedTime + ":" + accessTime);
         response = Response.ok().build();
@@ -645,7 +593,7 @@ public Response put(InputStream is,
                 AclPermissionParam.class);
         FSOperations.FSSetAcl command =
                 new FSOperations.FSSetAcl(path, aclSpec);
-        fsExecute(user, doAs, command);
+        fsExecute(user, command);
         AUDIT_LOG.info("[{}] to acl [{}]", path, aclSpec);
         response = Response.ok().build();
         break;
@@ -653,7 +601,7 @@ public Response put(InputStream is,
       case REMOVEACL: {
         FSOperations.FSRemoveAcl command =
                 new FSOperations.FSRemoveAcl(path);
-        fsExecute(user, doAs, command);
+        fsExecute(user, command);
         AUDIT_LOG.info("[{}] removed acl", path);
         response = Response.ok().build();
         break;
@@ -663,7 +611,7 @@ public Response put(InputStream is,
                 AclPermissionParam.class);
         FSOperations.FSModifyAclEntries command =
                 new FSOperations.FSModifyAclEntries(path, aclSpec);
-        fsExecute(user, doAs, command);
+        fsExecute(user, command);
         AUDIT_LOG.info("[{}] modify acl entry with [{}]", path, aclSpec);
         response = Response.ok().build();
         break;
@@ -673,7 +621,7 @@ public Response put(InputStream is,
                 AclPermissionParam.class);
         FSOperations.FSRemoveAclEntries command =
                 new FSOperations.FSRemoveAclEntries(path, aclSpec);
-        fsExecute(user, doAs, command);
+        fsExecute(user, command);
         AUDIT_LOG.info("[{}] remove acl entry [{}]", path, aclSpec);
         response = Response.ok().build();
         break;
@@ -681,7 +629,7 @@ public Response put(InputStream is,
       case REMOVEDEFAULTACL: {
         FSOperations.FSRemoveDefaultAcl command =
                 new FSOperations.FSRemoveDefaultAcl(path);
-        fsExecute(user, doAs, command);
+        fsExecute(user, command);
         AUDIT_LOG.info("[{}] remove default acl", path);
         response = Response.ok().build();
         break;
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServerWebApp.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServerWebApp.java
index 258a5c1e3ae..b7ae3015e3b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServerWebApp.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServerWebApp.java
@@ -24,7 +24,6 @@
 import org.apache.hadoop.lib.server.ServerException;
 import org.apache.hadoop.lib.service.FileSystemAccess;
 import org.apache.hadoop.lib.servlet.ServerWebApp;
-import org.apache.hadoop.lib.wsrs.UserProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -103,9 +102,6 @@ public void init() throws ServerException {
     LOG.info("Connects to Namenode [{}]",
              get().get(FileSystemAccess.class).getFileSystemConfiguration().
                get(CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY));
-    String userPattern = getConfig().get(UserProvider.USER_PATTERN_KEY, 
-      UserProvider.USER_PATTERN_DEFAULT);
-    UserProvider.setUserPattern(userPattern);
   }
 
   /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/ProxyUser.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/ProxyUser.java
deleted file mode 100644
index 7619dcd200c..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/ProxyUser.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.lib.service;
-
-import org.apache.hadoop.classification.InterfaceAudience;
-
-import java.io.IOException;
-import java.security.AccessControlException;
-
-@InterfaceAudience.Private
-public interface ProxyUser {
-
-  public void validate(String proxyUser, String proxyHost, String doAsUser) throws IOException, AccessControlException;
-
-}
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/security/ProxyUserService.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/security/ProxyUserService.java
deleted file mode 100644
index 095ce11b4dc..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/security/ProxyUserService.java
+++ /dev/null
@@ -1,179 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.lib.service.security;
-
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.lib.lang.XException;
-import org.apache.hadoop.lib.server.BaseService;
-import org.apache.hadoop.lib.server.ServiceException;
-import org.apache.hadoop.lib.service.Groups;
-import org.apache.hadoop.lib.service.ProxyUser;
-import org.apache.hadoop.lib.util.Check;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.IOException;
-import java.net.InetAddress;
-import java.security.AccessControlException;
-import java.text.MessageFormat;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-@InterfaceAudience.Private
-public class ProxyUserService extends BaseService implements ProxyUser {
-  private static Logger LOG = LoggerFactory.getLogger(ProxyUserService.class);
-
-  @InterfaceAudience.Private
-  public static enum ERROR implements XException.ERROR {
-    PRXU01("Could not normalize host name [{0}], {1}"),
-    PRXU02("Missing [{0}] property");
-
-    private String template;
-
-    ERROR(String template) {
-      this.template = template;
-    }
-
-    @Override
-    public String getTemplate() {
-      return template;
-    }
-  }
-
-  private static final String PREFIX = "proxyuser";
-  private static final String GROUPS = ".groups";
-  private static final String HOSTS = ".hosts";
-
-  private Map<String, Set<String>> proxyUserHosts = new HashMap<String, Set<String>>();
-  private Map<String, Set<String>> proxyUserGroups = new HashMap<String, Set<String>>();
-
-  public ProxyUserService() {
-    super(PREFIX);
-  }
-
-  @Override
-  public Class getInterface() {
-    return ProxyUser.class;
-  }
-
-  @Override
-  public Class[] getServiceDependencies() {
-    return new Class[]{Groups.class};
-  }
-
-  @Override
-  protected void init() throws ServiceException {
-    for (Map.Entry<String, String> entry : getServiceConfig()) {
-      String key = entry.getKey();
-      if (key.endsWith(GROUPS)) {
-        String proxyUser = key.substring(0, key.lastIndexOf(GROUPS));
-        if (getServiceConfig().get(proxyUser + HOSTS) == null) {
-          throw new ServiceException(ERROR.PRXU02, getPrefixedName(proxyUser + HOSTS));
-        }
-        String value = entry.getValue().trim();
-        LOG.info("Loading proxyuser settings [{}]=[{}]", key, value);
-        Set<String> values = null;
-        if (!value.equals("*")) {
-          values = new HashSet<String>(Arrays.asList(value.split(",")));
-        }
-        proxyUserGroups.put(proxyUser, values);
-      }
-      if (key.endsWith(HOSTS)) {
-        String proxyUser = key.substring(0, key.lastIndexOf(HOSTS));
-        if (getServiceConfig().get(proxyUser + GROUPS) == null) {
-          throw new ServiceException(ERROR.PRXU02, getPrefixedName(proxyUser + GROUPS));
-        }
-        String value = entry.getValue().trim();
-        LOG.info("Loading proxyuser settings [{}]=[{}]", key, value);
-        Set<String> values = null;
-        if (!value.equals("*")) {
-          String[] hosts = value.split(",");
-          for (int i = 0; i < hosts.length; i++) {
-            String originalName = hosts[i];
-            try {
-              hosts[i] = normalizeHostname(originalName);
-            } catch (Exception ex) {
-              throw new ServiceException(ERROR.PRXU01, originalName, ex.getMessage(), ex);
-            }
-            LOG.info("  Hostname, original [{}], normalized [{}]", originalName, hosts[i]);
-          }
-          values = new HashSet<String>(Arrays.asList(hosts));
-        }
-        proxyUserHosts.put(proxyUser, values);
-      }
-    }
-  }
-
-  @Override
-  public void validate(String proxyUser, String proxyHost, String doAsUser) throws IOException,
-    AccessControlException {
-    Check.notEmpty(proxyUser, "proxyUser");
-    Check.notEmpty(proxyHost, "proxyHost");
-    Check.notEmpty(doAsUser, "doAsUser");
-    LOG.debug("Authorization check proxyuser [{}] host [{}] doAs [{}]",
-              new Object[]{proxyUser, proxyHost, doAsUser});
-    if (proxyUserHosts.containsKey(proxyUser)) {
-      proxyHost = normalizeHostname(proxyHost);
-      validateRequestorHost(proxyUser, proxyHost, proxyUserHosts.get(proxyUser));
-      validateGroup(proxyUser, doAsUser, proxyUserGroups.get(proxyUser));
-    } else {
-      throw new AccessControlException(MessageFormat.format("User [{0}] not defined as proxyuser", proxyUser));
-    }
-  }
-
-  private void validateRequestorHost(String proxyUser, String hostname, Set<String> validHosts)
-    throws IOException, AccessControlException {
-    if (validHosts != null) {
-      if (!validHosts.contains(hostname) && !validHosts.contains(normalizeHostname(hostname))) {
-        throw new AccessControlException(MessageFormat.format("Unauthorized host [{0}] for proxyuser [{1}]",
-                                                              hostname, proxyUser));
-      }
-    }
-  }
-
-  private void validateGroup(String proxyUser, String user, Set<String> validGroups) throws IOException,
-    AccessControlException {
-    if (validGroups != null) {
-      List<String> userGroups = getServer().get(Groups.class).getGroups(user);
-      for (String g : validGroups) {
-        if (userGroups.contains(g)) {
-          return;
-        }
-      }
-      throw new AccessControlException(
-        MessageFormat.format("Unauthorized proxyuser [{0}] for user [{1}], not in proxyuser groups",
-                             proxyUser, user));
-    }
-  }
-
-  private String normalizeHostname(String name) {
-    try {
-      InetAddress address = InetAddress.getByName(name);
-      return address.getCanonicalHostName();
-    } catch (IOException ex) {
-      throw new AccessControlException(MessageFormat.format("Could not resolve host [{0}], {1}", name,
-                                                            ex.getMessage()));
-    }
-  }
-
-}
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/wsrs/UserProvider.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/wsrs/UserProvider.java
deleted file mode 100644
index cd1cfc7f4ef..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/wsrs/UserProvider.java
+++ /dev/null
@@ -1,109 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.lib.wsrs;
-
-import com.sun.jersey.api.core.HttpContext;
-import com.sun.jersey.core.spi.component.ComponentContext;
-import com.sun.jersey.core.spi.component.ComponentScope;
-import com.sun.jersey.server.impl.inject.AbstractHttpContextInjectable;
-import com.sun.jersey.spi.inject.Injectable;
-import com.sun.jersey.spi.inject.InjectableProvider;
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.slf4j.MDC;
-
-import javax.ws.rs.core.Context;
-import javax.ws.rs.ext.Provider;
-import java.lang.reflect.Type;
-import java.security.Principal;
-import java.text.MessageFormat;
-import java.util.regex.Pattern;
-
-@Provider
-@InterfaceAudience.Private
-public class UserProvider extends AbstractHttpContextInjectable<Principal> implements
-  InjectableProvider<Context, Type> {
-
-  public static final String USER_NAME_PARAM = "user.name";
-
-
-  public static final String USER_PATTERN_KEY 
-    = "httpfs.user.provider.user.pattern";
-
-  public static final String USER_PATTERN_DEFAULT 
-    = "^[A-Za-z_][A-Za-z0-9._-]*[$]?$";
-
-  private static Pattern userPattern = Pattern.compile(USER_PATTERN_DEFAULT);
-
-  public static void setUserPattern(String pattern) {
-    userPattern = Pattern.compile(pattern);
-  }
-
-  public static Pattern getUserPattern() {
-    return userPattern;
-  }
-
-  static class UserParam extends StringParam {
-
-    public UserParam(String user) {
-      super(USER_NAME_PARAM, user, getUserPattern());
-    }
-
-    @Override
-    public String parseParam(String str) {
-      if (str != null) {
-        int len = str.length();
-        if (len < 1) {
-          throw new IllegalArgumentException(MessageFormat.format(
-            "Parameter [{0}], it's length must be at least 1", getName()));
-        }
-      }
-      return super.parseParam(str);
-    }
-  }
-
-  @Override
-  public Principal getValue(HttpContext httpContext) {
-    Principal principal = httpContext.getRequest().getUserPrincipal();
-    if (principal == null) {
-      final String user = httpContext.getRequest().getQueryParameters().getFirst(USER_NAME_PARAM);
-      if (user != null) {
-        principal = new Principal() {
-          @Override
-          public String getName() {
-            return new UserParam(user).value();
-          }
-        };
-      }
-    }
-    if (principal != null) {
-      MDC.put("user", principal.getName());
-    }
-    return principal;
-  }
-
-  @Override
-  public ComponentScope getScope() {
-    return ComponentScope.PerRequest;
-  }
-
-  @Override
-  public Injectable getInjectable(ComponentContext componentContext, Context context, Type type) {
-    return (type.equals(Principal.class)) ? this : null;
-  }
-}
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/resources/httpfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/resources/httpfs-default.xml
index 05e1400ca93..d28ffa5638a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/resources/httpfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/resources/httpfs-default.xml
@@ -34,7 +34,6 @@
       org.apache.hadoop.lib.service.instrumentation.InstrumentationService,
       org.apache.hadoop.lib.service.scheduler.SchedulerService,
       org.apache.hadoop.lib.service.security.GroupsService,
-      org.apache.hadoop.lib.service.security.ProxyUserService,
       org.apache.hadoop.lib.service.hadoop.FileSystemAccessService
     </value>
     <description>
@@ -118,6 +117,10 @@
   </property>
 
   <!-- HttpFSServer proxy user Configuration -->
+<!--
+
+  The following 2 properties within this comment are provided as an
+  example to facilitate configuring HttpFS proxyusers.
 
   <property>
     <name>httpfs.proxyuser.#USER#.hosts</name>
@@ -152,6 +155,7 @@
       in the property name.
     </description>
   </property>
+-->
 
   <!-- HttpFS Delegation Token configuration -->
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/service/security/TestProxyUserService.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/service/security/TestProxyUserService.java
deleted file mode 100644
index 294f5e80b24..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/service/security/TestProxyUserService.java
+++ /dev/null
@@ -1,226 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.lib.service.security;
-
-import static org.junit.Assert.assertNotNull;
-
-import java.security.AccessControlException;
-import java.util.Arrays;
-import java.util.List;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.lib.server.Server;
-import org.apache.hadoop.lib.server.ServiceException;
-import org.apache.hadoop.lib.service.Groups;
-import org.apache.hadoop.lib.service.ProxyUser;
-import org.apache.hadoop.test.HTestCase;
-import org.apache.hadoop.test.TestDir;
-import org.apache.hadoop.test.TestDirHelper;
-import org.apache.hadoop.test.TestException;
-import org.apache.hadoop.util.StringUtils;
-import org.junit.Test;
-
-public class TestProxyUserService extends HTestCase {
-
-  @Test
-  @TestDir
-  public void service() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName(),
-                                                                    ProxyUserService.class.getName())));
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-    ProxyUser proxyUser = server.get(ProxyUser.class);
-    assertNotNull(proxyUser);
-    server.destroy();
-  }
-
-  @Test
-  @TestException(exception = ServiceException.class, msgRegExp = "PRXU02.*")
-  @TestDir
-  public void wrongConfigGroups() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName(),
-                                                                    ProxyUserService.class.getName())));
-    conf.set("server.proxyuser.foo.hosts", "*");
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-  }
-
-  @Test
-  @TestException(exception = ServiceException.class, msgRegExp = "PRXU01.*")
-  @TestDir
-  public void wrongHost() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName(),
-                                                                    ProxyUserService.class.getName())));
-    conf.set("server.proxyuser.foo.hosts", "otherhost");
-    conf.set("server.proxyuser.foo.groups", "*");
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-  }
-
-  @Test
-  @TestException(exception = ServiceException.class, msgRegExp = "PRXU02.*")
-  @TestDir
-  public void wrongConfigHosts() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName(),
-                                                                    ProxyUserService.class.getName())));
-    conf.set("server.proxyuser.foo.groups", "*");
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-  }
-
-  @Test
-  @TestDir
-  public void validateAnyHostAnyUser() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName(),
-                                                                    ProxyUserService.class.getName())));
-    conf.set("server.proxyuser.foo.hosts", "*");
-    conf.set("server.proxyuser.foo.groups", "*");
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-    ProxyUser proxyUser = server.get(ProxyUser.class);
-    assertNotNull(proxyUser);
-    proxyUser.validate("foo", "localhost", "bar");
-    server.destroy();
-  }
-
-  @Test(expected = AccessControlException.class)
-  @TestDir
-  public void invalidProxyUser() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName(),
-                                                                    ProxyUserService.class.getName())));
-    conf.set("server.proxyuser.foo.hosts", "*");
-    conf.set("server.proxyuser.foo.groups", "*");
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-    ProxyUser proxyUser = server.get(ProxyUser.class);
-    assertNotNull(proxyUser);
-    proxyUser.validate("bar", "localhost", "foo");
-    server.destroy();
-  }
-
-  @Test
-  @TestDir
-  public void validateHost() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName(),
-                                                                    ProxyUserService.class.getName())));
-    conf.set("server.proxyuser.foo.hosts", "localhost");
-    conf.set("server.proxyuser.foo.groups", "*");
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-    ProxyUser proxyUser = server.get(ProxyUser.class);
-    assertNotNull(proxyUser);
-    proxyUser.validate("foo", "localhost", "bar");
-    server.destroy();
-  }
-
-  private String getGroup() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName())));
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-    Groups groups = server.get(Groups.class);
-    List<String> g = groups.getGroups(System.getProperty("user.name"));
-    server.destroy();
-    return g.get(0);
-  }
-
-  @Test
-  @TestDir
-  public void validateGroup() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName(),
-                                                                    ProxyUserService.class.getName())));
-    conf.set("server.proxyuser.foo.hosts", "*");
-    conf.set("server.proxyuser.foo.groups", getGroup());
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-    ProxyUser proxyUser = server.get(ProxyUser.class);
-    assertNotNull(proxyUser);
-    proxyUser.validate("foo", "localhost", System.getProperty("user.name"));
-    server.destroy();
-  }
-
-
-  @Test(expected = AccessControlException.class)
-  @TestDir
-  public void unknownHost() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName(),
-                                                                    ProxyUserService.class.getName())));
-    conf.set("server.proxyuser.foo.hosts", "localhost");
-    conf.set("server.proxyuser.foo.groups", "*");
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-    ProxyUser proxyUser = server.get(ProxyUser.class);
-    assertNotNull(proxyUser);
-    proxyUser.validate("foo", "unknownhost.bar.foo", "bar");
-    server.destroy();
-  }
-
-  @Test(expected = AccessControlException.class)
-  @TestDir
-  public void invalidHost() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName(),
-                                                                    ProxyUserService.class.getName())));
-    conf.set("server.proxyuser.foo.hosts", "localhost");
-    conf.set("server.proxyuser.foo.groups", "*");
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-    ProxyUser proxyUser = server.get(ProxyUser.class);
-    assertNotNull(proxyUser);
-    proxyUser.validate("foo", "www.yahoo.com", "bar");
-    server.destroy();
-  }
-
-  @Test(expected = AccessControlException.class)
-  @TestDir
-  public void invalidGroup() throws Exception {
-    String dir = TestDirHelper.getTestDir().getAbsolutePath();
-    Configuration conf = new Configuration(false);
-    conf.set("server.services", StringUtils.join(",", Arrays.asList(GroupsService.class.getName(),
-                                                                    ProxyUserService.class.getName())));
-    conf.set("server.proxyuser.foo.hosts", "localhost");
-    conf.set("server.proxyuser.foo.groups", "nobody");
-    Server server = new Server("server", dir, dir, dir, dir, conf);
-    server.init();
-    ProxyUser proxyUser = server.get(ProxyUser.class);
-    assertNotNull(proxyUser);
-    proxyUser.validate("foo", "localhost", System.getProperty("user.name"));
-    server.destroy();
-  }
-}
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/wsrs/TestUserProvider.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/wsrs/TestUserProvider.java
deleted file mode 100644
index e8942fbe4ef..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/wsrs/TestUserProvider.java
+++ /dev/null
@@ -1,142 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.lib.wsrs;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-
-import java.security.Principal;
-
-import javax.ws.rs.core.MultivaluedMap;
-
-import org.apache.hadoop.test.TestException;
-import org.apache.hadoop.test.TestExceptionHelper;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.MethodRule;
-import org.mockito.Mockito;
-import org.slf4j.MDC;
-
-import com.sun.jersey.api.core.HttpContext;
-import com.sun.jersey.api.core.HttpRequestContext;
-import com.sun.jersey.core.spi.component.ComponentScope;
-
-public class TestUserProvider {
-
-  @Rule
-  public MethodRule exceptionHelper = new TestExceptionHelper();
-
-  @Test
-  @SuppressWarnings("unchecked")
-  public void noUser() {
-    MDC.remove("user");
-    HttpRequestContext request = Mockito.mock(HttpRequestContext.class);
-    Mockito.when(request.getUserPrincipal()).thenReturn(null);
-    MultivaluedMap map = Mockito.mock(MultivaluedMap.class);
-    Mockito.when(map.getFirst(UserProvider.USER_NAME_PARAM)).thenReturn(null);
-    Mockito.when(request.getQueryParameters()).thenReturn(map);
-    HttpContext context = Mockito.mock(HttpContext.class);
-    Mockito.when(context.getRequest()).thenReturn(request);
-    UserProvider up = new UserProvider();
-    assertNull(up.getValue(context));
-    assertNull(MDC.get("user"));
-  }
-
-  @Test
-  @SuppressWarnings("unchecked")
-  public void queryStringUser() {
-    MDC.remove("user");
-    HttpRequestContext request = Mockito.mock(HttpRequestContext.class);
-    Mockito.when(request.getUserPrincipal()).thenReturn(null);
-    MultivaluedMap map = Mockito.mock(MultivaluedMap.class);
-    Mockito.when(map.getFirst(UserProvider.USER_NAME_PARAM)).thenReturn("foo");
-    Mockito.when(request.getQueryParameters()).thenReturn(map);
-    HttpContext context = Mockito.mock(HttpContext.class);
-    Mockito.when(context.getRequest()).thenReturn(request);
-    UserProvider up = new UserProvider();
-    assertEquals(up.getValue(context).getName(), "foo");
-    assertEquals(MDC.get("user"), "foo");
-  }
-
-  @Test
-  @SuppressWarnings("unchecked")
-  public void principalUser() {
-    MDC.remove("user");
-    HttpRequestContext request = Mockito.mock(HttpRequestContext.class);
-    Mockito.when(request.getUserPrincipal()).thenReturn(new Principal() {
-      @Override
-      public String getName() {
-        return "bar";
-      }
-    });
-    HttpContext context = Mockito.mock(HttpContext.class);
-    Mockito.when(context.getRequest()).thenReturn(request);
-    UserProvider up = new UserProvider();
-    assertEquals(up.getValue(context).getName(), "bar");
-    assertEquals(MDC.get("user"), "bar");
-  }
-
-  @Test
-  public void getters() {
-    UserProvider up = new UserProvider();
-    assertEquals(up.getScope(), ComponentScope.PerRequest);
-    assertEquals(up.getInjectable(null, null, Principal.class), up);
-    assertNull(up.getInjectable(null, null, String.class));
-  }
-
-  @Test
-  @TestException(exception = IllegalArgumentException.class)
-  public void userNameEmpty() {
-    new UserProvider.UserParam("");
-  }
-
-  @Test
-  @TestException(exception = IllegalArgumentException.class)
-  public void userNameInvalidStart() {
-    new UserProvider.UserParam("1x");
-  }
-
-  @Test
-  @TestException(exception = IllegalArgumentException.class)
-  public void userNameInvalidDollarSign() {
-    new UserProvider.UserParam("1$x");
-  }
-
-  @Test
-  public void userNameMinLength() {
-    new UserProvider.UserParam("a");
-  }
-
-  @Test
-  public void userNameValidDollarSign() {
-    new UserProvider.UserParam("a$");
-  }
-
-  @Test
-  public void customUserPattern() {
-    try {
-      UserProvider.setUserPattern("1");
-      new UserProvider.UserParam("1");      
-    } finally {
-      UserProvider.setUserPattern(UserProvider.USER_PATTERN_DEFAULT);
-    }
-  }
-
-}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 9253b8b88a6..0a90370dc68 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -399,6 +399,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6567. Normalize the order of public final in HdfsFileStatus.
     (Tassapol Athiapinya via wheat9)
 
+    HDFS-6849. Replace HttpFS custom proxyuser handling with common 
+    implementation. (tucu)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)

From 41aa4badf8270a8e7d4321809fe8b8a34db98968 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Wed, 13 Aug 2014 20:29:23 +0000
Subject: [PATCH 210/354] YARN-2277. Added cross-origin support for the
 timeline server web services. Contributed by Jonathan Eagles.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617832 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../timeline/webapp/CrossOriginFilter.java    | 220 ++++++++++++++++++
 .../webapp/CrossOriginFilterInitializer.java  |  42 ++++
 .../webapp/TestCrossOriginFilter.java         | 214 +++++++++++++++++
 .../TestCrossOriginFilterInitializer.java     |  60 +++++
 5 files changed, 539 insertions(+)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilterInitializer.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilterInitializer.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 55a61126fe2..99b2d612229 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -41,6 +41,9 @@ Release 2.6.0 - UNRELEASED
     YARN-1337. Recover containers upon nodemanager restart. (Jason Lowe via 
     junping_du)
 
+    YARN-2277. Added cross-origin support for the timeline server web services.
+    (Jonathan Eagles via zjshen)
+
   IMPROVEMENTS
 
     YARN-2242. Improve exception information on AM launch crashes. (Li Lu 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java
new file mode 100644
index 00000000000..a9fb3e875f5
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java
@@ -0,0 +1,220 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.timeline.webapp;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import com.google.common.annotations.VisibleForTesting;
+
+public class CrossOriginFilter implements Filter {
+
+  private static final Log LOG = LogFactory.getLog(CrossOriginFilter.class);
+
+  // HTTP CORS Request Headers
+  static final String ORIGIN = "Origin";
+  static final String ACCESS_CONTROL_REQUEST_METHOD =
+      "Access-Control-Request-Method";
+  static final String ACCESS_CONTROL_REQUEST_HEADERS =
+      "Access-Control-Request-Headers";
+
+  // HTTP CORS Response Headers
+  static final String ACCESS_CONTROL_ALLOW_ORIGIN =
+      "Access-Control-Allow-Origin";
+  static final String ACCESS_CONTROL_ALLOW_CREDENTIALS =
+      "Access-Control-Allow-Credentials";
+  static final String ACCESS_CONTROL_ALLOW_METHODS =
+      "Access-Control-Allow-Methods";
+  static final String ACCESS_CONTROL_ALLOW_HEADERS =
+      "Access-Control-Allow-Headers";
+  static final String ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";
+
+  // Filter configuration
+  public static final String ALLOWED_ORIGINS = "allowed-origins";
+  public static final String ALLOWED_ORIGINS_DEFAULT = "*";
+  public static final String ALLOWED_METHODS = "allowed-methods";
+  public static final String ALLOWED_METHODS_DEFAULT = "GET,POST,HEAD";
+  public static final String ALLOWED_HEADERS = "allowed-headers";
+  public static final String ALLOWED_HEADERS_DEFAULT =
+      "X-Requested-With,Content-Type,Accept,Origin";
+  public static final String MAX_AGE = "max-age";
+  public static final String MAX_AGE_DEFAULT = "1800";
+
+  private List<String> allowedMethods = new ArrayList<String>();
+  private List<String> allowedHeaders = new ArrayList<String>();
+  private List<String> allowedOrigins = new ArrayList<String>();
+  private String maxAge;
+
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    initializeAllowedMethods(filterConfig);
+    initializeAllowedHeaders(filterConfig);
+    initializeAllowedOrigins(filterConfig);
+    initializeMaxAge(filterConfig);
+  }
+
+  @Override
+  public void doFilter(ServletRequest req, ServletResponse res,
+      FilterChain chain)
+      throws IOException, ServletException {
+    doCrossFilter((HttpServletRequest) req, (HttpServletResponse) res);
+    chain.doFilter(req, res);
+  }
+
+  @Override
+  public void destroy() {
+    allowedMethods.clear();
+    allowedHeaders.clear();
+    allowedOrigins.clear();
+  }
+
+  private void doCrossFilter(HttpServletRequest req, HttpServletResponse res) {
+
+    String origin = encodeHeader(req.getHeader(ORIGIN));
+    if (!isCrossOrigin(origin)) {
+      return;
+    }
+
+    if (!isOriginAllowed(origin)) {
+      return;
+    }
+
+    String accessControlRequestMethod =
+        req.getHeader(ACCESS_CONTROL_REQUEST_METHOD);
+    if (!isMethodAllowed(accessControlRequestMethod)) {
+      return;
+    }
+
+    String accessControlRequestHeaders =
+        req.getHeader(ACCESS_CONTROL_REQUEST_HEADERS);
+    if (!areHeadersAllowed(accessControlRequestHeaders)) {
+      return;
+    }
+
+    res.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN, origin);
+    res.setHeader(ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.TRUE.toString());
+    res.setHeader(ACCESS_CONTROL_ALLOW_METHODS, getAllowedMethodsHeader());
+    res.setHeader(ACCESS_CONTROL_ALLOW_HEADERS, getAllowedHeadersHeader());
+    res.setHeader(ACCESS_CONTROL_MAX_AGE, maxAge);
+  }
+
+  @VisibleForTesting
+  String getAllowedHeadersHeader() {
+    return StringUtils.join(allowedHeaders, ',');
+  }
+
+  @VisibleForTesting
+  String getAllowedMethodsHeader() {
+    return StringUtils.join(allowedMethods, ',');
+  }
+
+  private void initializeAllowedMethods(FilterConfig filterConfig) {
+    String allowedMethodsConfig =
+        filterConfig.getInitParameter(ALLOWED_METHODS);
+    if (allowedMethodsConfig == null) {
+      allowedMethodsConfig = ALLOWED_METHODS_DEFAULT;
+    }
+    allowedMethods =
+        Arrays.asList(allowedMethodsConfig.trim().split("\\s*,\\s*"));
+    LOG.info("Allowed Methods: " + getAllowedMethodsHeader());
+  }
+
+  private void initializeAllowedHeaders(FilterConfig filterConfig) {
+    String allowedHeadersConfig =
+        filterConfig.getInitParameter(ALLOWED_HEADERS);
+    if (allowedHeadersConfig == null) {
+      allowedHeadersConfig = ALLOWED_HEADERS_DEFAULT;
+    }
+    allowedHeaders =
+        Arrays.asList(allowedHeadersConfig.trim().split("\\s*,\\s*"));
+    LOG.info("Allowed Headers: " + getAllowedHeadersHeader());
+  }
+
+  private void initializeAllowedOrigins(FilterConfig filterConfig) {
+    String allowedOriginsConfig =
+        filterConfig.getInitParameter(ALLOWED_ORIGINS);
+    if (allowedOriginsConfig == null) {
+      allowedOriginsConfig = ALLOWED_ORIGINS_DEFAULT;
+    }
+    allowedOrigins =
+        Arrays.asList(allowedOriginsConfig.trim().split("\\s*,\\s*"));
+    LOG.info("Allowed Origins: " + StringUtils.join(allowedOrigins, ','));
+  }
+
+  private void initializeMaxAge(FilterConfig filterConfig) {
+    maxAge = filterConfig.getInitParameter(MAX_AGE);
+    if (maxAge == null) {
+      maxAge = MAX_AGE_DEFAULT;
+    }
+    LOG.info("Max Age: " + maxAge);
+  }
+
+  static String encodeHeader(final String header) {
+    if (header == null) {
+      return null;
+    }
+    try {
+      // Protect against HTTP response splitting vulnerability
+      // since value is written as part of the response header
+      return URLEncoder.encode(header, "ASCII");
+    } catch (UnsupportedEncodingException e) {
+      return null;
+    }
+  }
+
+  static boolean isCrossOrigin(String origin) {
+    return origin != null;
+  }
+
+  private boolean isOriginAllowed(String origin) {
+    return allowedOrigins.contains(origin);
+  }
+
+  private boolean areHeadersAllowed(String accessControlRequestHeaders) {
+    if (accessControlRequestHeaders == null) {
+      return true;
+    }
+    String headers[] = accessControlRequestHeaders.trim().split("\\s*,\\s*");
+    return allowedHeaders.containsAll(Arrays.asList(headers));
+  }
+
+  private boolean isMethodAllowed(String accessControlRequestMethod) {
+    if (accessControlRequestMethod == null) {
+      return false;
+    }
+    return allowedMethods.contains(accessControlRequestMethod);
+  }
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilterInitializer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilterInitializer.java
new file mode 100644
index 00000000000..69e0188137a
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilterInitializer.java
@@ -0,0 +1,42 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.timeline.webapp;
+
+import java.util.Map;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.http.FilterContainer;
+import org.apache.hadoop.http.FilterInitializer;
+
+public class CrossOriginFilterInitializer extends FilterInitializer {
+
+  public static final String PREFIX =
+      "yarn.timeline-service.http-cross-origin.";
+
+  @Override
+  public void initFilter(FilterContainer container, Configuration conf) {
+
+    container.addGlobalFilter("Cross Origin Filter",
+        CrossOriginFilter.class.getName(), getFilterParameters(conf));
+  }
+
+  static Map<String, String> getFilterParameters(Configuration conf) {
+    return conf.getValByRegex(PREFIX);
+  }
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java
new file mode 100644
index 00000000000..a29e4a0aa6d
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java
@@ -0,0 +1,214 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.timeline.webapp;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Test;
+
+import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyZeroInteractions;
+
+public class TestCrossOriginFilter {
+
+  @Test
+  public void testSameOrigin() throws ServletException, IOException {
+
+    // Setup the configuration settings of the server
+    Map<String, String> conf = new HashMap<String, String>();
+    conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "");
+    FilterConfig filterConfig = new FilterConfigTest(conf);
+
+    // Origin is not specified for same origin requests
+    HttpServletRequest mockReq = mock(HttpServletRequest.class);
+    when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn(null);
+
+    // Objects to verify interactions based on request
+    HttpServletResponse mockRes = mock(HttpServletResponse.class);
+    FilterChain mockChain = mock(FilterChain.class);
+
+    // Object under test
+    CrossOriginFilter filter = new CrossOriginFilter();
+    filter.init(filterConfig);
+    filter.doFilter(mockReq, mockRes, mockChain);
+
+    verifyZeroInteractions(mockRes);
+    verify(mockChain).doFilter(mockReq, mockRes);
+  }
+
+  @Test
+  public void testDisallowedOrigin() throws ServletException, IOException {
+
+    // Setup the configuration settings of the server
+    Map<String, String> conf = new HashMap<String, String>();
+    conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com");
+    FilterConfig filterConfig = new FilterConfigTest(conf);
+
+    // Origin is not specified for same origin requests
+    HttpServletRequest mockReq = mock(HttpServletRequest.class);
+    when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.org");
+
+    // Objects to verify interactions based on request
+    HttpServletResponse mockRes = mock(HttpServletResponse.class);
+    FilterChain mockChain = mock(FilterChain.class);
+
+    // Object under test
+    CrossOriginFilter filter = new CrossOriginFilter();
+    filter.init(filterConfig);
+    filter.doFilter(mockReq, mockRes, mockChain);
+
+    verifyZeroInteractions(mockRes);
+    verify(mockChain).doFilter(mockReq, mockRes);
+  }
+
+  @Test
+  public void testDisallowedMethod() throws ServletException, IOException {
+
+    // Setup the configuration settings of the server
+    Map<String, String> conf = new HashMap<String, String>();
+    conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com");
+    FilterConfig filterConfig = new FilterConfigTest(conf);
+
+    // Origin is not specified for same origin requests
+    HttpServletRequest mockReq = mock(HttpServletRequest.class);
+    when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.com");
+    when(mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_METHOD))
+        .thenReturn("DISALLOWED_METHOD");
+
+    // Objects to verify interactions based on request
+    HttpServletResponse mockRes = mock(HttpServletResponse.class);
+    FilterChain mockChain = mock(FilterChain.class);
+
+    // Object under test
+    CrossOriginFilter filter = new CrossOriginFilter();
+    filter.init(filterConfig);
+    filter.doFilter(mockReq, mockRes, mockChain);
+
+    verifyZeroInteractions(mockRes);
+    verify(mockChain).doFilter(mockReq, mockRes);
+  }
+
+  @Test
+  public void testDisallowedHeader() throws ServletException, IOException {
+
+    // Setup the configuration settings of the server
+    Map<String, String> conf = new HashMap<String, String>();
+    conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com");
+    FilterConfig filterConfig = new FilterConfigTest(conf);
+
+    // Origin is not specified for same origin requests
+    HttpServletRequest mockReq = mock(HttpServletRequest.class);
+    when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.com");
+    when(mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_METHOD))
+        .thenReturn("GET");
+    when(mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_HEADERS))
+        .thenReturn("Disallowed-Header");
+
+    // Objects to verify interactions based on request
+    HttpServletResponse mockRes = mock(HttpServletResponse.class);
+    FilterChain mockChain = mock(FilterChain.class);
+
+    // Object under test
+    CrossOriginFilter filter = new CrossOriginFilter();
+    filter.init(filterConfig);
+    filter.doFilter(mockReq, mockRes, mockChain);
+
+    verifyZeroInteractions(mockRes);
+    verify(mockChain).doFilter(mockReq, mockRes);
+  }
+
+  @Test
+  public void testCrossOriginFilter() throws ServletException, IOException {
+
+    // Setup the configuration settings of the server
+    Map<String, String> conf = new HashMap<String, String>();
+    conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com");
+    FilterConfig filterConfig = new FilterConfigTest(conf);
+
+    // Origin is not specified for same origin requests
+    HttpServletRequest mockReq = mock(HttpServletRequest.class);
+    when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.com");
+    when(mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_METHOD))
+        .thenReturn("GET");
+    when(mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_HEADERS))
+        .thenReturn("X-Requested-With");
+
+    // Objects to verify interactions based on request
+    HttpServletResponse mockRes = mock(HttpServletResponse.class);
+    FilterChain mockChain = mock(FilterChain.class);
+
+    // Object under test
+    CrossOriginFilter filter = new CrossOriginFilter();
+    filter.init(filterConfig);
+    filter.doFilter(mockReq, mockRes, mockChain);
+
+    verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_ORIGIN,
+        "example.com");
+    verify(mockRes).setHeader(
+        CrossOriginFilter.ACCESS_CONTROL_ALLOW_CREDENTIALS,
+        Boolean.TRUE.toString());
+    verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_METHODS,
+        filter.getAllowedMethodsHeader());
+    verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_HEADERS,
+        filter.getAllowedHeadersHeader());
+    verify(mockChain).doFilter(mockReq, mockRes);
+  }
+
+  private static class FilterConfigTest implements FilterConfig {
+
+    final Map<String, String> map;
+
+    FilterConfigTest(Map<String, String> map) {
+      this.map = map;
+    }
+
+    @Override
+    public String getFilterName() {
+      return "test-filter";
+    }
+
+    @Override
+    public String getInitParameter(String key) {
+      return map.get(key);
+    }
+
+    @Override
+    public Enumeration<String> getInitParameterNames() {
+      return Collections.enumeration(map.keySet());
+    }
+
+    @Override
+    public ServletContext getServletContext() {
+      return null;
+    }
+  }
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilterInitializer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilterInitializer.java
new file mode 100644
index 00000000000..3199aac5089
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilterInitializer.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.timeline.webapp;
+
+import java.util.Map;
+
+import org.apache.hadoop.conf.Configuration;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestCrossOriginFilterInitializer {
+
+  @Test
+  public void testGetFilterParameters() {
+
+    // Initialize configuration object
+    Configuration conf = new Configuration();
+    conf.set(CrossOriginFilterInitializer.PREFIX + "rootparam", "rootvalue");
+    conf.set(CrossOriginFilterInitializer.PREFIX + "nested.param",
+        "nestedvalue");
+    conf.set("outofscopeparam", "outofscopevalue");
+
+    // call function under test
+    Map<String, String> filterParameters =
+        CrossOriginFilterInitializer.getFilterParameters(conf);
+
+    // retrieve values
+    String rootvalue =
+        filterParameters.get(CrossOriginFilterInitializer.PREFIX + "rootparam");
+    String nestedvalue =
+        filterParameters.get(CrossOriginFilterInitializer.PREFIX
+            + "nested.param");
+    String outofscopeparam = filterParameters.get("outofscopeparam");
+
+    // verify expected values are in place
+    Assert.assertEquals("Could not find filter parameter", "rootvalue",
+        rootvalue);
+    Assert.assertEquals("Could not find filter parameter", "nestedvalue",
+        nestedvalue);
+    Assert.assertNull("Found unexpected value in filter parameters",
+        outofscopeparam);
+  }
+}

From 1a535f8dcdfc4fab8ba6125680957caf55ea8f46 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Wed, 13 Aug 2014 21:07:18 +0000
Subject: [PATCH 211/354] YARN-2070. Made DistributedShell publish the short
 user name to the timeline server. Contributed by Robert Kanter.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617837 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                      |  3 +++
 .../distributedshell/ApplicationMaster.java          | 12 ++++++------
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 99b2d612229..4b06e627fca 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -190,6 +190,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2361. RMAppAttempt state machine entries for KILLED state has duplicate
     event entries. (Zhihai Xu via kasha)
 
+    YARN-2070. Made DistributedShell publish the short user name to the timeline
+    server. (Robert Kanter via zjshen)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java
index 9051d31089f..4a842458691 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java
@@ -1054,8 +1054,8 @@ private static void publishContainerStartEvent(TimelineClient timelineClient,
     TimelineEntity entity = new TimelineEntity();
     entity.setEntityId(container.getId().toString());
     entity.setEntityType(DSEntity.DS_CONTAINER.toString());
-    entity.addPrimaryFilter("user", UserGroupInformation.getCurrentUser()
-        .toString());
+    entity.addPrimaryFilter("user",
+        UserGroupInformation.getCurrentUser().getShortUserName());
     TimelineEvent event = new TimelineEvent();
     event.setTimestamp(System.currentTimeMillis());
     event.setEventType(DSEvent.DS_CONTAINER_START.toString());
@@ -1071,8 +1071,8 @@ private static void publishContainerEndEvent(TimelineClient timelineClient,
     TimelineEntity entity = new TimelineEntity();
     entity.setEntityId(container.getContainerId().toString());
     entity.setEntityType(DSEntity.DS_CONTAINER.toString());
-    entity.addPrimaryFilter("user", UserGroupInformation.getCurrentUser()
-        .toString());
+    entity.addPrimaryFilter("user",
+        UserGroupInformation.getCurrentUser().getShortUserName());
     TimelineEvent event = new TimelineEvent();
     event.setTimestamp(System.currentTimeMillis());
     event.setEventType(DSEvent.DS_CONTAINER_END.toString());
@@ -1089,8 +1089,8 @@ private static void publishApplicationAttemptEvent(
     TimelineEntity entity = new TimelineEntity();
     entity.setEntityId(appAttemptId);
     entity.setEntityType(DSEntity.DS_APP_ATTEMPT.toString());
-    entity.addPrimaryFilter("user", UserGroupInformation.getCurrentUser()
-        .toString());
+    entity.addPrimaryFilter("user",
+        UserGroupInformation.getCurrentUser().getShortUserName());
     TimelineEvent event = new TimelineEvent();
     event.setEventType(appEvent.toString());
     event.setTimestamp(System.currentTimeMillis());

From e90d940699f288ddfef5923f38cb619f6d6259f4 Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Thu, 14 Aug 2014 01:36:12 +0000
Subject: [PATCH 212/354] HADOOP-10843. TestGridmixRecord unit tests failure on
 PowerPC (Jinghui Wang via Colin Patrick McCabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617860 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt        |  3 +++
 .../hadoop/mapred/gridmix/TestGridmixRecord.java       | 10 +++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 6a0fbc596e4..362c83e8f4b 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -578,6 +578,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10966. Hadoop Common native compilation broken in windows.
     (David Villegas via Arpit Agarwal)
 
+    HADOOP-10843. TestGridmixRecord unit tests failure on PowerPC (Jinghui Wang
+    via Colin Patrick McCabe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-tools/hadoop-gridmix/src/test/java/org/apache/hadoop/mapred/gridmix/TestGridmixRecord.java b/hadoop-tools/hadoop-gridmix/src/test/java/org/apache/hadoop/mapred/gridmix/TestGridmixRecord.java
index 2f3ce701d6b..b3b72778f77 100644
--- a/hadoop-tools/hadoop-gridmix/src/test/java/org/apache/hadoop/mapred/gridmix/TestGridmixRecord.java
+++ b/hadoop-tools/hadoop-gridmix/src/test/java/org/apache/hadoop/mapred/gridmix/TestGridmixRecord.java
@@ -140,10 +140,10 @@ static void binSortTest(GridmixRecord x, GridmixRecord y, int min,
       final int chk = WritableComparator.compareBytes(
           out1.getData(), 0, out1.getLength(),
           out2.getData(), 0, out2.getLength());
-      assertEquals(chk, x.compareTo(y));
-      assertEquals(chk, cmp.compare(
+      assertEquals(Integer.signum(chk), Integer.signum(x.compareTo(y)));
+      assertEquals(Integer.signum(chk), Integer.signum(cmp.compare(
             out1.getData(), 0, out1.getLength(),
-            out2.getData(), 0, out2.getLength()));
+            out2.getData(), 0, out2.getLength())));
       // write second copy, compare eq
       final int s1 = out1.getLength();
       x.write(out1);
@@ -153,8 +153,8 @@ static void binSortTest(GridmixRecord x, GridmixRecord y, int min,
       y.write(out2);
       assertEquals(0, cmp.compare(out2.getData(), 0, s2,
             out2.getData(), s2, out2.getLength() - s2));
-      assertEquals(chk, cmp.compare(out1.getData(), 0, s1,
-            out2.getData(), s2, out2.getLength() - s2));
+      assertEquals(Integer.signum(chk), Integer.signum(cmp.compare(out1.getData(), 0, s1,
+            out2.getData(), s2, out2.getLength() - s2)));
     }
   }
 

From 44864c68b59a72f27279212c1316adec37e5209a Mon Sep 17 00:00:00 2001
From: Uma Maheswara Rao G <umamahesh@apache.org>
Date: Thu, 14 Aug 2014 04:20:00 +0000
Subject: [PATCH 213/354] HDFS-6783. Fix HDFS CacheReplicationMonitor rescan
 logic. Contributed by Yi Liu and Colin Patrick McCabe.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617872 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  2 +
 .../CacheReplicationMonitor.java              | 55 +++++++++++--------
 2 files changed, 35 insertions(+), 22 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 0a90370dc68..cffa1679fd2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -506,6 +506,8 @@ Release 2.6.0 - UNRELEASED
     HDFS-6247. Avoid timeouts for replaceBlock() call by sending intermediate
     responses to Balancer (vinayakumarb)
 
+    HDFS-6783. Fix HDFS CacheReplicationMonitor rescan logic. (Yi Liu via umamahesh)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CacheReplicationMonitor.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CacheReplicationMonitor.java
index cf5a4a6504b..cfd6333469b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CacheReplicationMonitor.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CacheReplicationMonitor.java
@@ -103,22 +103,22 @@ public class CacheReplicationMonitor extends Thread implements Closeable {
    */
   private final Condition scanFinished;
 
-  /**
-   * Whether there are pending CacheManager operations that necessitate a
-   * CacheReplicationMonitor rescan. Protected by the CRM lock.
-   */
-  private boolean needsRescan = true;
-
-  /**
-   * Whether we are currently doing a rescan. Protected by the CRM lock.
-   */
-  private boolean isScanning = false;
-
   /**
    * The number of rescans completed. Used to wait for scans to finish.
    * Protected by the CacheReplicationMonitor lock.
    */
-  private long scanCount = 0;
+  private long completedScanCount = 0;
+
+  /**
+   * The scan we're currently performing, or -1 if no scan is in progress.
+   * Protected by the CacheReplicationMonitor lock.
+   */
+  private long curScanCount = -1;
+
+  /**
+   * The number of rescans we need to complete.  Protected by the CRM lock.
+   */
+  private long neededScanCount = 0;
 
   /**
    * True if this monitor should terminate. Protected by the CRM lock.
@@ -169,7 +169,7 @@ public void run() {
               LOG.info("Shutting down CacheReplicationMonitor");
               return;
             }
-            if (needsRescan) {
+            if (completedScanCount < neededScanCount) {
               LOG.info("Rescanning because of pending operations");
               break;
             }
@@ -182,8 +182,6 @@ public void run() {
             doRescan.await(delta, TimeUnit.MILLISECONDS);
             curTimeMs = Time.monotonicNow();
           }
-          isScanning = true;
-          needsRescan = false;
         } finally {
           lock.unlock();
         }
@@ -194,8 +192,8 @@ public void run() {
         // Update synchronization-related variables.
         lock.lock();
         try {
-          isScanning = false;
-          scanCount++;
+          completedScanCount = curScanCount;
+          curScanCount = -1;
           scanFinished.signalAll();
         } finally {
           lock.unlock();
@@ -226,16 +224,15 @@ public void waitForRescanIfNeeded() {
         "Must not hold the FSN write lock when waiting for a rescan.");
     Preconditions.checkArgument(lock.isHeldByCurrentThread(),
         "Must hold the CRM lock when waiting for a rescan.");
-    if (!needsRescan) {
+    if (neededScanCount <= completedScanCount) {
       return;
     }
     // If no scan is already ongoing, mark the CRM as dirty and kick
-    if (!isScanning) {
+    if (curScanCount < 0) {
       doRescan.signal();
     }
     // Wait until the scan finishes and the count advances
-    final long startCount = scanCount;
-    while ((!shutdown) && (startCount >= scanCount)) {
+    while ((!shutdown) && (completedScanCount < neededScanCount)) {
       try {
         scanFinished.await();
       } catch (InterruptedException e) {
@@ -253,7 +250,14 @@ public void waitForRescanIfNeeded() {
   public void setNeedsRescan() {
     Preconditions.checkArgument(lock.isHeldByCurrentThread(),
         "Must hold the CRM lock when setting the needsRescan bit.");
-    this.needsRescan = true;
+    if (curScanCount >= 0) {
+      // If there is a scan in progress, we need to wait for the scan after
+      // that.
+      neededScanCount = curScanCount + 1;
+    } else {
+      // If there is no scan in progress, we need to wait for the next scan.
+      neededScanCount = completedScanCount + 1;
+    }
   }
 
   /**
@@ -284,10 +288,17 @@ private void rescan() throws InterruptedException {
     scannedBlocks = 0;
     namesystem.writeLock();
     try {
+      lock.lock();
       if (shutdown) {
         throw new InterruptedException("CacheReplicationMonitor was " +
             "shut down.");
       }
+      curScanCount = completedScanCount + 1;
+    }
+    finally {
+      lock.unlock();
+    }
+    try {
       resetStatistics();
       rescanCacheDirectives();
       rescanCachedBlockMap();

From bd79a4b9263726f4642c94bff689dbc109592a70 Mon Sep 17 00:00:00 2001
From: Todd Lipcon <todd@apache.org>
Date: Thu, 14 Aug 2014 04:29:35 +0000
Subject: [PATCH 214/354] HADOOP-10838. Byte array native checksumming.
 Contributed by James Thomas.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617875 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  2 +
 .../org/apache/hadoop/util/DataChecksum.java  |  6 ++
 .../org/apache/hadoop/util/NativeCrc32.java   | 16 ++++
 .../src/org/apache/hadoop/util/NativeCrc32.c  | 82 +++++++++++++++++++
 4 files changed, 106 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 362c83e8f4b..9215927bb82 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -513,6 +513,8 @@ Release 2.6.0 - UNRELEASED
 
   OPTIMIZATIONS
 
+    HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
+
   BUG FIXES
 
     HADOOP-10781. Unportable getgrouplist() usage breaks FreeBSD (Dmitry
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java
index c50ecfd64ed..27984b48c7e 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java
@@ -339,6 +339,12 @@ private void verifyChunkedSums(
       byte[] data, int dataOff, int dataLen,
       byte[] checksums, int checksumsOff, String fileName,
       long basePos) throws ChecksumException {
+
+    if (NativeCrc32.isAvailable()) {
+      NativeCrc32.verifyChunkedSumsByteArray(bytesPerChecksum, type.id,
+          checksums, checksumsOff, data, dataOff, dataLen, fileName, basePos);
+      return;
+    }
     
     int remaining = dataLen;
     int dataPos = 0;
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java
index 13b2c9a5816..26a5e9b10dd 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java
@@ -59,6 +59,16 @@ public static void verifyChunkedSums(int bytesPerSum, int checksumType,
         data, data.position(), data.remaining(),
         fileName, basePos);
   }
+
+  public static void verifyChunkedSumsByteArray(int bytesPerSum,
+      int checksumType, byte[] sums, int sumsOffset, byte[] data,
+      int dataOffset, int dataLength, String fileName, long basePos)
+      throws ChecksumException {
+    nativeVerifyChunkedSumsByteArray(bytesPerSum, checksumType,
+        sums, sumsOffset,
+        data, dataOffset, dataLength,
+        fileName, basePos);
+  }
   
     private static native void nativeVerifyChunkedSums(
       int bytesPerSum, int checksumType,
@@ -66,6 +76,12 @@ private static native void nativeVerifyChunkedSums(
       ByteBuffer data, int dataOffset, int dataLength,
       String fileName, long basePos);
 
+    private static native void nativeVerifyChunkedSumsByteArray(
+      int bytesPerSum, int checksumType,
+      byte[] sums, int sumsOffset,
+      byte[] data, int dataOffset, int dataLength,
+      String fileName, long basePos);
+
   // Copy the constants over from DataChecksum so that javah will pick them up
   // and make them available in the native code header.
   public static final int CHECKSUM_CRC32 = DataChecksum.CHECKSUM_CRC32;
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCrc32.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCrc32.c
index cba25fa3047..4bd69bc41d7 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCrc32.c
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCrc32.c
@@ -34,6 +34,10 @@
 
 #include "bulk_crc32.h"
 
+#define MBYTE 1048576
+#define MIN(X,Y) ((X) < (Y) ? (X) : (Y))
+#define MAX(X,Y) ((X) > (Y) ? (X) : (Y))
+
 static void throw_checksum_exception(JNIEnv *env,
     uint32_t got_crc, uint32_t expected_crc,
     jstring j_filename, jlong pos) {
@@ -177,6 +181,84 @@ JNIEXPORT void JNICALL Java_org_apache_hadoop_util_NativeCrc32_nativeVerifyChunk
   }
 }
 
+JNIEXPORT void JNICALL Java_org_apache_hadoop_util_NativeCrc32_nativeVerifyChunkedSumsByteArray
+  (JNIEnv *env, jclass clazz,
+    jint bytes_per_checksum, jint j_crc_type,
+    jarray j_sums, jint sums_offset,
+    jarray j_data, jint data_offset, jint data_len,
+    jstring j_filename, jlong base_pos)
+{
+  uint8_t *sums_addr;
+  uint8_t *data_addr;
+  uint32_t *sums;
+  uint8_t *data;
+  int crc_type;
+  crc32_error_t error_data;
+  int ret;
+  int numChecksumsPerIter;
+  int checksumNum;
+
+  if (unlikely(!j_sums || !j_data)) {
+    THROW(env, "java/lang/NullPointerException",
+      "input byte arrays must not be null");
+    return;
+  }
+  if (unlikely(sums_offset < 0 || data_offset < 0 || data_len < 0)) {
+    THROW(env, "java/lang/IllegalArgumentException",
+      "bad offsets or lengths");
+    return;
+  }
+  if (unlikely(bytes_per_checksum) <= 0) {
+    THROW(env, "java/lang/IllegalArgumentException",
+      "invalid bytes_per_checksum");
+    return;
+  }
+
+  // Convert to correct internal C constant for CRC type
+  crc_type = convert_java_crc_type(env, j_crc_type);
+  if (crc_type == -1) return; // exception already thrown
+
+  numChecksumsPerIter = MAX(1, MBYTE / bytes_per_checksum);
+  checksumNum = 0;
+  while (checksumNum * bytes_per_checksum < data_len) {
+    // Convert byte arrays to C pointers
+    sums_addr = (*env)->GetPrimitiveArrayCritical(env, j_sums, NULL);
+    data_addr = (*env)->GetPrimitiveArrayCritical(env, j_data, NULL);
+
+    if (unlikely(!sums_addr || !data_addr)) {
+      if (data_addr) (*env)->ReleasePrimitiveArrayCritical(env, j_data, data_addr, 0);
+      if (sums_addr) (*env)->ReleasePrimitiveArrayCritical(env, j_sums, sums_addr, 0);
+      THROW(env, "java/lang/OutOfMemoryError",
+        "not enough memory for byte arrays in JNI code");
+      return;
+    }
+
+    sums = (uint32_t *)(sums_addr + sums_offset) + checksumNum;
+    data = data_addr + data_offset + checksumNum * bytes_per_checksum;
+
+    // Setup complete. Actually verify checksums.
+    ret = bulk_verify_crc(data, MIN(numChecksumsPerIter * bytes_per_checksum,
+                                    data_len - checksumNum * bytes_per_checksum),
+                          sums, crc_type, bytes_per_checksum, &error_data);
+    (*env)->ReleasePrimitiveArrayCritical(env, j_data, data_addr, 0);
+    (*env)->ReleasePrimitiveArrayCritical(env, j_sums, sums_addr, 0);
+    if (unlikely(ret == INVALID_CHECKSUM_DETECTED)) {
+      long pos = base_pos + (error_data.bad_data - data) + checksumNum *
+        bytes_per_checksum;
+      throw_checksum_exception(
+        env, error_data.got_crc, error_data.expected_crc,
+        j_filename, pos);
+      return;
+    } else if (unlikely(ret != CHECKSUMS_VALID)) {
+      THROW(env, "java/lang/AssertionError",
+        "Bad response code from native bulk_verify_crc");
+      return;
+    }
+    checksumNum += numChecksumsPerIter;
+  }
+
+}
+
 /**
  * vim: sw=2: ts=2: et:
  */

From 13ad623b9dbb479d3aed4ef3919e15da36c38fec Mon Sep 17 00:00:00 2001
From: Uma Maheswara Rao G <umamahesh@apache.org>
Date: Thu, 14 Aug 2014 04:57:47 +0000
Subject: [PATCH 215/354] Updated contributors name in CHANGES.txt for
 HDFS-6783

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617880 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index cffa1679fd2..393938ce4ef 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -506,7 +506,7 @@ Release 2.6.0 - UNRELEASED
     HDFS-6247. Avoid timeouts for replaceBlock() call by sending intermediate
     responses to Balancer (vinayakumarb)
 
-    HDFS-6783. Fix HDFS CacheReplicationMonitor rescan logic. (Yi Liu via umamahesh)
+    HDFS-6783. Fix HDFS CacheReplicationMonitor rescan logic. (Yi Liu and Colin Patrick McCabe via umamahesh)
 
 Release 2.5.0 - UNRELEASED
 

From b3df973adb6af68a881418151a903cb205392137 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 15:39:52 +0000
Subject: [PATCH 216/354] MAPREDUCE-883. harchive: Document how to unarchive
 (Akira AJISAKA and Koji Noguchi via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617977 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt              |  3 +++
 .../src/site/markdown/HadoopArchives.md.vm        | 15 +++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 22ca1b54e9b..dd3a2d02e45 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -86,6 +86,9 @@ Trunk (Unreleased)
     MAPREDUCE-6019. MapReduce changes for exposing YARN/MR endpoints on multiple
     interfaces. (Craig Welch, Milan Potocnik, Arpit Agarwal via xgong)
 
+    MAPREDUCE-883. harchive: Document how to unarchive (Akira AJISAKA and
+      Koji Noguchi via aw)
+
   BUG FIXES
 
     MAPREDUCE-5714. Removed forceful JVM exit in shutDownJob.  
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/HadoopArchives.md.vm b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/HadoopArchives.md.vm
index 431310a9f5c..0cc0f1c93aa 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/HadoopArchives.md.vm
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/HadoopArchives.md.vm
@@ -20,6 +20,7 @@ Hadoop Archives Guide
  - [Overview](#Overview)
  - [How to Create an Archive](#How_to_Create_an_Archive)
  - [How to Look Up Files in Archives](#How_to_Look_Up_Files_in_Archives)
+ - [How to Unarchive an Archive](#How_to_Unarchive_an_Archive)
  - [Archives Examples](#Archives_Examples)
      - [Creating an Archive](#Creating_an_Archive)
      - [Looking Up Files](#Looking_Up_Files)
@@ -70,6 +71,20 @@ How to Look Up Files in Archives
 
   `har:///archivepath/fileinarchive`
 
+How to Unarchive an Archive
+---------------------------
+
+  Since all the fs shell commands in the archives work transparently,
+  unarchiving is just a matter of copying.
+
+  To unarchive sequentially:
+
+  `hdfs dfs -cp har:///user/zoo/foo.har/dir1 hdfs:/user/zoo/newdir`
+
+  To unarchive in parallel, use DistCp:
+
+  `hadoop distcp har:///user/zoo/foo.har/dir1 hdfs:/user/zoo/newdir`
+
 Archives Examples
 -----------------
 

From 1e016e6451c1c8359ade42f91d8533abdedffd65 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 15:43:28 +0000
Subject: [PATCH 217/354] MAPREDUCE-4791. Javadoc for KeyValueTextInputFormat
 should include default separator and how to change it (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617979 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                           | 3 +++
 .../hadoop/mapreduce/lib/input/KeyValueTextInputFormat.java    | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index dd3a2d02e45..049c8b89dcf 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -89,6 +89,9 @@ Trunk (Unreleased)
     MAPREDUCE-883. harchive: Document how to unarchive (Akira AJISAKA and
       Koji Noguchi via aw)
 
+    MAPREDUCE-4791. Javadoc for KeyValueTextInputFormat should include default 
+      separator and how to change it (Akira AJISAKA via aw)
+
   BUG FIXES
 
     MAPREDUCE-5714. Removed forceful JVM exit in shutDownJob.  
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/input/KeyValueTextInputFormat.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/input/KeyValueTextInputFormat.java
index 336c960910d..0800a0effa6 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/input/KeyValueTextInputFormat.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/input/KeyValueTextInputFormat.java
@@ -38,6 +38,9 @@
  * Either line feed or carriage-return are used to signal end of line. 
  * Each line is divided into key and value parts by a separator byte. If no
  * such a byte exists, the key will be the entire line and value will be empty.
+ * The separator byte can be specified in config file under the attribute name
+ * mapreduce.input.keyvaluelinerecordreader.key.value.separator. The default
+ * is the tab character ('\t').
  */
 @InterfaceAudience.Public
 @InterfaceStability.Stable

From e7b540eced929a9c3a3ca6aab6c40571815a23de Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 15:49:10 +0000
Subject: [PATCH 218/354] MAPREDUCE-5363. Fix doc and spelling for
 TaskCompletionEvent#getTaskStatus and getStatus (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617982 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                          | 3 +++
 .../java/org/apache/hadoop/mapred/TaskCompletionEvent.java    | 4 ++--
 .../java/org/apache/hadoop/mapreduce/TaskCompletionEvent.java | 4 ++--
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 049c8b89dcf..bb3d67a8363 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -163,6 +163,9 @@ Trunk (Unreleased)
     MAPREDUCE-5943. Separate mapred commands from CommandManual.apt.vm
       (Akira AJISAKA via aw)
 
+    MAPREDUCE-5363. Fix doc and spelling for TaskCompletionEvent#getTaskStatus 
+      and getStatus (Akira AJISAKA via aw)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/TaskCompletionEvent.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/TaskCompletionEvent.java
index 742da3f86a4..dc4d82e116c 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/TaskCompletionEvent.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/TaskCompletionEvent.java
@@ -90,8 +90,8 @@ public TaskAttemptID getTaskAttemptId() {
   }
   
   /**
-   * Returns enum Status.SUCESS or Status.FAILURE.
-   * @return task tracker status
+   * Returns {@link Status}
+   * @return task completion status
    */
   public Status getTaskStatus() {
     return Status.valueOf(super.getStatus().name());
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/TaskCompletionEvent.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/TaskCompletionEvent.java
index 9118f62e01c..31643a94ac2 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/TaskCompletionEvent.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/TaskCompletionEvent.java
@@ -95,8 +95,8 @@ public TaskAttemptID getTaskAttemptId() {
   }
   
   /**
-   * Returns enum Status.SUCESS or Status.FAILURE.
-   * @return task tracker status
+   * Returns {@link Status}
+   * @return task completion status
    */
   public Status getStatus() {
     return status;

From 9579554988f82d506a32b81834f3a4fa9c698471 Mon Sep 17 00:00:00 2001
From: Jason Darrell Lowe <jlowe@apache.org>
Date: Thu, 14 Aug 2014 15:55:03 +0000
Subject: [PATCH 219/354] MAPREDUCE-6010. HistoryServerFileSystemStateStore
 fails to update tokens. Contributed by Jason Lowe

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617984 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt          |   3 +
 ...toryServerFileSystemStateStoreService.java | 101 ++++++++++++++----
 ...toryServerFileSystemStateStoreService.java |  85 ++++++++++++++-
 3 files changed, 166 insertions(+), 23 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index bb3d67a8363..17bf08cd49c 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -202,6 +202,9 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-6021. MR AM should have working directory in LD_LIBRARY_PATH
     (jlowe)
 
+    MAPREDUCE-6010. HistoryServerFileSystemStateStore fails to update tokens
+    (jlowe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryServerFileSystemStateStoreService.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryServerFileSystemStateStoreService.java
index d92a9af4b07..dcea333b5f8 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryServerFileSystemStateStoreService.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryServerFileSystemStateStoreService.java
@@ -24,6 +24,8 @@
 import java.io.DataOutputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -64,6 +66,7 @@ public class HistoryServerFileSystemStateStoreService
   private static final String TOKEN_MASTER_KEY_FILE_PREFIX = "key_";
   private static final String TOKEN_FILE_PREFIX = "token_";
   private static final String TMP_FILE_PREFIX = "tmp-";
+  private static final String UPDATE_TMP_FILE_PREFIX = "update-";
   private static final FsPermission DIR_PERMISSIONS =
       new FsPermission((short)0700);
   private static final FsPermission FILE_PERMISSIONS = Shell.WINDOWS
@@ -90,7 +93,7 @@ protected void initStorage(Configuration conf)
 
   @Override
   protected void startStorage() throws IOException {
-    fs = rootStatePath.getFileSystem(getConfig());
+    fs = createFileSystem();
     createDir(rootStatePath);
     tokenStatePath = new Path(rootStatePath, TOKEN_STATE_DIR_NAME);
     createDir(tokenStatePath);
@@ -101,6 +104,10 @@ protected void startStorage() throws IOException {
     }
   }
 
+  FileSystem createFileSystem() throws IOException {
+    return rootStatePath.getFileSystem(getConfig());
+  }
+
   @Override
   protected void closeStorage() throws IOException {
     // don't close the filesystem as it's part of the filesystem cache
@@ -127,7 +134,7 @@ public void storeToken(MRDelegationTokenIdentifier tokenId,
       throw new IOException(tokenPath + " already exists");
     }
 
-    createFile(tokenPath, buildTokenData(tokenId, renewDate));
+    createNewFile(tokenPath, buildTokenData(tokenId, renewDate));
   }
 
   @Override
@@ -136,7 +143,25 @@ public void updateToken(MRDelegationTokenIdentifier tokenId,
     if (LOG.isDebugEnabled()) {
       LOG.debug("Updating token " + tokenId.getSequenceNumber());
     }
-    createFile(getTokenPath(tokenId), buildTokenData(tokenId, renewDate));
+
+    // Files cannot be atomically replaced, therefore we write a temporary
+    // update file, remove the original token file, then rename the update
+    // file to the token file. During recovery either the token file will be
+    // used or if that is missing and an update file is present then the
+    // update file is used.
+    Path tokenPath = getTokenPath(tokenId);
+    Path tmp = new Path(tokenPath.getParent(),
+        UPDATE_TMP_FILE_PREFIX + tokenPath.getName());
+    writeFile(tmp, buildTokenData(tokenId, renewDate));
+    try {
+      deleteFile(tokenPath);
+    } catch (IOException e) {
+      fs.delete(tmp, false);
+      throw e;
+    }
+    if (!fs.rename(tmp, tokenPath)) {
+      throw new IOException("Could not rename " + tmp + " to " + tokenPath);
+    }
   }
 
   @Override
@@ -168,7 +193,7 @@ public void storeTokenMasterKey(DelegationKey key) throws IOException {
       IOUtils.cleanup(LOG, dataStream);
     }
 
-    createFile(keyPath, memStream.toByteArray());
+    createNewFile(keyPath, memStream.toByteArray());
   }
 
   @Override
@@ -213,23 +238,33 @@ private void createDir(Path dir) throws IOException {
     }
   }
 
-  private void createFile(Path file, byte[] data) throws IOException {
-    final int WRITE_BUFFER_SIZE = 4096;
+  private void createNewFile(Path file, byte[] data)
+      throws IOException {
     Path tmp = new Path(file.getParent(), TMP_FILE_PREFIX + file.getName());
-    FSDataOutputStream out = fs.create(tmp, FILE_PERMISSIONS, true,
-        WRITE_BUFFER_SIZE, fs.getDefaultReplication(tmp),
-        fs.getDefaultBlockSize(tmp), null);
+    writeFile(tmp, data);
+    try {
+      if (!fs.rename(tmp, file)) {
+        throw new IOException("Could not rename " + tmp + " to " + file);
+      }
+    } catch (IOException e) {
+      fs.delete(tmp, false);
+      throw e;
+    }
+  }
+
+  private void writeFile(Path file, byte[] data) throws IOException {
+    final int WRITE_BUFFER_SIZE = 4096;
+    FSDataOutputStream out = fs.create(file, FILE_PERMISSIONS, true,
+        WRITE_BUFFER_SIZE, fs.getDefaultReplication(file),
+        fs.getDefaultBlockSize(file), null);
     try {
       try {
         out.write(data);
       } finally {
         IOUtils.cleanup(LOG, out);
       }
-      if (!fs.rename(tmp, file)) {
-        throw new IOException("Could not rename " + tmp + " to " + file);
-      }
     } catch (IOException e) {
-      fs.delete(tmp, false);
+      fs.delete(file, false);
       throw e;
     }
   }
@@ -284,6 +319,19 @@ private void loadTokenMasterKey(HistoryServerState state, Path keyFile,
     state.tokenMasterKeyState.add(key);
   }
 
+  private void loadTokenFromBucket(int bucketId,
+      HistoryServerState state, Path tokenFile, long numTokenFileBytes)
+          throws IOException {
+    MRDelegationTokenIdentifier token =
+        loadToken(state, tokenFile, numTokenFileBytes);
+    int tokenBucketId = getBucketId(token);
+    if (tokenBucketId != bucketId) {
+      throw new IOException("Token " + tokenFile
+          + " should be in bucket " + tokenBucketId + ", found in bucket "
+          + bucketId);
+    }
+  }
+
   private MRDelegationTokenIdentifier loadToken(HistoryServerState state,
       Path tokenFile, long numTokenFileBytes) throws IOException {
     MRDelegationTokenIdentifier tokenId = new MRDelegationTokenIdentifier();
@@ -308,18 +356,29 @@ private int loadTokensFromBucket(HistoryServerState state, Path bucket)
     final int bucketId = Integer.parseInt(numStr);
     int numTokens = 0;
     FileStatus[] tokenStats = fs.listStatus(bucket);
+    Set<String> loadedTokens = new HashSet<String>(tokenStats.length);
     for (FileStatus stat : tokenStats) {
       String name = stat.getPath().getName();
       if (name.startsWith(TOKEN_FILE_PREFIX)) {
-        MRDelegationTokenIdentifier token =
-            loadToken(state, stat.getPath(), stat.getLen());
-        int tokenBucketId = getBucketId(token);
-        if (tokenBucketId != bucketId) {
-          throw new IOException("Token " + stat.getPath()
-              + " should be in bucket " + tokenBucketId + ", found in bucket "
-              + bucketId);
-        }
+        loadTokenFromBucket(bucketId, state, stat.getPath(), stat.getLen());
+        loadedTokens.add(name);
         ++numTokens;
+      } else if (name.startsWith(UPDATE_TMP_FILE_PREFIX)) {
+        String tokenName = name.substring(UPDATE_TMP_FILE_PREFIX.length());
+        if (loadedTokens.contains(tokenName)) {
+          // already have the token, update may be partial so ignore it
+          fs.delete(stat.getPath(), false);
+        } else {
+          // token is missing, so try to parse the update temp file
+          loadTokenFromBucket(bucketId, state, stat.getPath(), stat.getLen());
+          fs.rename(stat.getPath(),
+              new Path(stat.getPath().getParent(), tokenName));
+          loadedTokens.add(tokenName);
+          ++numTokens;
+        }
+      } else if (name.startsWith(TMP_FILE_PREFIX)) {
+        // cleanup incomplete temp files
+        fs.delete(stat.getPath(), false);
       } else {
         LOG.warn("Skipping unexpected file in history server token bucket: "
             + stat.getPath());
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestHistoryServerFileSystemStateStoreService.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestHistoryServerFileSystemStateStoreService.java
index c9159963310..0a790028a16 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestHistoryServerFileSystemStateStoreService.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestHistoryServerFileSystemStateStoreService.java
@@ -21,12 +21,19 @@
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import static org.mockito.Mockito.argThat;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.isA;
+import static org.mockito.Mockito.spy;
 
 import java.io.File;
 import java.io.IOException;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier;
 import org.apache.hadoop.mapreduce.v2.hs.HistoryServerStateStoreService.HistoryServerState;
@@ -35,6 +42,7 @@
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+import org.mockito.ArgumentMatcher;
 
 public class TestHistoryServerFileSystemStateStoreService {
 
@@ -74,8 +82,8 @@ private HistoryServerStateStoreService createAndStartStore()
     return store;
   }
 
-  @Test
-  public void testTokenStore() throws IOException {
+  private void testTokenStore(String stateStoreUri) throws IOException {
+    conf.set(JHAdminConfig.MR_HS_FS_STATE_STORE_URI, stateStoreUri);
     HistoryServerStateStoreService store = createAndStartStore();
 
     HistoryServerState state = store.loadState();
@@ -161,4 +169,77 @@ public void testTokenStore() throws IOException {
     assertTrue("missing master key 3",
         state.tokenMasterKeyState.contains(key3));
   }
+
+  @Test
+  public void testTokenStore() throws IOException {
+    testTokenStore(testDir.getAbsoluteFile().toURI().toString());
+  }
+
+  @Test
+  public void testTokenStoreHdfs() throws IOException {
+    MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).build();
+    conf = cluster.getConfiguration(0);
+    try {
+      testTokenStore("/tmp/historystore");
+    } finally {
+        cluster.shutdown();
+    }
+  }
+
+  @Test
+  public void testUpdatedTokenRecovery() throws IOException {
+    IOException intentionalErr = new IOException("intentional error");
+    FileSystem fs = FileSystem.getLocal(conf);
+    final FileSystem spyfs = spy(fs);
+    // make the update token process fail halfway through where we're left
+    // with just the temporary update file and no token file
+    ArgumentMatcher<Path> updateTmpMatcher = new ArgumentMatcher<Path>() {
+      @Override
+      public boolean matches(Object argument) {
+        if (argument instanceof Path) {
+          return ((Path) argument).getName().startsWith("update");
+        }
+        return false;
+      }
+    };
+    doThrow(intentionalErr)
+        .when(spyfs).rename(argThat(updateTmpMatcher), isA(Path.class));
+
+    conf.set(JHAdminConfig.MR_HS_FS_STATE_STORE_URI,
+        testDir.getAbsoluteFile().toURI().toString());
+    HistoryServerStateStoreService store =
+        new HistoryServerFileSystemStateStoreService() {
+          @Override
+          FileSystem createFileSystem() throws IOException {
+            return spyfs;
+          }
+    };
+    store.init(conf);
+    store.start();
+
+    final MRDelegationTokenIdentifier token1 =
+        new MRDelegationTokenIdentifier(new Text("tokenOwner1"),
+            new Text("tokenRenewer1"), new Text("tokenUser1"));
+    token1.setSequenceNumber(1);
+    final Long tokenDate1 = 1L;
+    store.storeToken(token1, tokenDate1);
+    final Long newTokenDate1 = 975318642L;
+    try {
+      store.updateToken(token1, newTokenDate1);
+      fail("intentional error not thrown");
+    } catch (IOException e) {
+      assertEquals(intentionalErr, e);
+    }
+    store.close();
+
+    // verify the update file is seen and parsed upon recovery when
+    // original token file is missing
+    store = createAndStartStore();
+    HistoryServerState state = store.loadState();
+    assertEquals("incorrect loaded token count", 1, state.tokenState.size());
+    assertTrue("missing token 1", state.tokenState.containsKey(token1));
+    assertEquals("incorrect token 1 date", newTokenDate1,
+        state.tokenState.get(token1));
+    store.close();
+  }
 }

From 92054f2a06a017d3c643d3b78e40483579739fca Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 16:00:18 +0000
Subject: [PATCH 220/354] MAPREDUCE-5597. Missing alternatives in javadocs for
 deprecated constructors in mapreduce.Job (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617986 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                  |  5 +++++
 .../main/java/org/apache/hadoop/mapreduce/Job.java    | 11 ++++++++++-
 .../mapreduce/task/reduce/MergeManagerImpl.java       |  2 +-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 17bf08cd49c..6d1594cad88 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -166,6 +166,11 @@ Trunk (Unreleased)
     MAPREDUCE-5363. Fix doc and spelling for TaskCompletionEvent#getTaskStatus 
       and getStatus (Akira AJISAKA via aw)
 
+    MAPREDUCE-5595. Typo in MergeManagerImpl.java (Akira AJISAKA via aw)
+
+    MAPREDUCE-5597. Missing alternatives in javadocs for deprecated constructors 
+      in mapreduce.Job (Akira AJISAKA via aw)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/Job.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/Job.java
index 115a2b9fee3..3f8d13928ca 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/Job.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/Job.java
@@ -54,7 +54,7 @@
  * <p>Here is an example on how to submit a job:</p>
  * <p><blockquote><pre>
  *     // Create a new Job
- *     Job job = new Job(new Configuration());
+ *     Job job = Job.getInstance();
  *     job.setJarByClass(MyJob.class);
  *     
  *     // Specify various job-specific parameters     
@@ -113,16 +113,25 @@ public static enum TaskStatusFilter { NONE, KILLED, FAILED, SUCCEEDED, ALL }
   private long statustime;
   private Cluster cluster;
 
+  /**
+   * @deprecated Use {@link #getInstance()}
+   */
   @Deprecated
   public Job() throws IOException {
     this(new Configuration());
   }
 
+  /**
+   * @deprecated Use {@link #getInstance(Configuration)}
+   */
   @Deprecated
   public Job(Configuration conf) throws IOException {
     this(new JobConf(conf));
   }
 
+  /**
+   * @deprecated Use {@link #getInstance(Configuration, String)}
+   */
   @Deprecated
   public Job(Configuration conf, String jobName) throws IOException {
     this(conf);
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java
index a821e4d1b8a..4d83995dcfd 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java
@@ -197,7 +197,7 @@ public MergeManagerImpl(TaskAttemptID reduceId, JobConf jobConf,
              "memToMemMergeOutputsThreshold=" + memToMemMergeOutputsThreshold);
 
     if (this.maxSingleShuffleLimit >= this.mergeThreshold) {
-      throw new RuntimeException("Invlaid configuration: "
+      throw new RuntimeException("Invalid configuration: "
           + "maxSingleShuffleLimit should be less than mergeThreshold"
           + "maxSingleShuffleLimit: " + this.maxSingleShuffleLimit
           + "mergeThreshold: " + this.mergeThreshold);

From 6be98091f7636bb029130ebdffc1e9a26c707798 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 17:11:39 +0000
Subject: [PATCH 221/354] MAPREDUCE-5950. incorrect description in distcp2
 document (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617994 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                      | 3 +++
 .../src/site/markdown/DistCp.md.vm                        | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 6d1594cad88..f2a99b6ef07 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -171,6 +171,9 @@ Trunk (Unreleased)
     MAPREDUCE-5597. Missing alternatives in javadocs for deprecated constructors 
       in mapreduce.Job (Akira AJISAKA via aw)
 
+    MAPREDUCE-5950. incorrect description in distcp2 document (Akira AJISAKA 
+      via aw)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/DistCp.md.vm b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/DistCp.md.vm
index 6271a927a47..41b381ab6ec 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/DistCp.md.vm
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/DistCp.md.vm
@@ -118,9 +118,9 @@ $H3 Basic Usage
 
 $H3 Update and Overwrite
 
-  `-update` is used to copy files from source that don't exist at the target,
-  or have different contents. `-overwrite` overwrites target-files even if they
-  exist at the source, or have the same contents.
+  `-update` is used to copy files from source that don't exist at the target
+  or differ than the target version. `-overwrite` overwrites target-files that
+  exist at the target.
 
   Update and Overwrite options warrant special attention, since their handling
   of source-paths varies from the defaults in a very subtle manner. Consider a
@@ -201,7 +201,7 @@ Flag              | Description                          | Notes
 `-log <logdir>` | Write logs to \<logdir\> | DistCp keeps logs of each file it attempts to copy as map output. If a map fails, the log output will not be retained if it is re-executed.
 `-m <num_maps>` | Maximum number of simultaneous copies | Specify the number of maps to copy data. Note that more maps may not necessarily improve throughput.
 `-overwrite` | Overwrite destination | If a map fails and `-i` is not specified, all the files in the split, not only those that failed, will be recopied. As discussed in the Usage documentation, it also changes the semantics for generating destination paths, so users should use this carefully.
-`-update` | Overwrite if src size different from dst size | As noted in the preceding, this is not a "sync" operation. The only criterion examined is the source and destination file sizes; if they differ, the source file replaces the destination file. As discussed in the Usage documentation, it also changes the semantics for generating destination paths, so users should use this carefully.
+`-update` | Overwrite if source and destination differ in size, blocksize, or checksum | As noted in the preceding, this is not a "sync" operation. The criteria examined are the source and destination file sizes, blocksizes, and checksums; if they differ, the source file replaces the destination file. As discussed in the Usage documentation, it also changes the semantics for generating destination paths, so users should use this carefully.
 `-f <urilist_uri>` | Use list at \<urilist_uri\> as src list | This is equivalent to listing each source on the command line. The `urilist_uri` list should be a fully qualified URI.
 `-filelimit <n>` | Limit the total number of files to be <= n | **Deprecated!** Ignored in the new DistCp.
 `-sizelimit <n>` | Limit the total size to be <= n bytes | **Deprecated!** Ignored in the new DistCp.

From 7557f7bb2d22f564e26d6cf9672d24b7ef4f347a Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 17:18:14 +0000
Subject: [PATCH 222/354] MAPREDUCE-5998. CompositeInputFormat javadoc is
 broken (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617995 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                           | 3 +++
 .../org/apache/hadoop/mapred/join/CompositeInputFormat.java    | 2 +-
 .../apache/hadoop/mapreduce/lib/join/CompositeInputFormat.java | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index f2a99b6ef07..d3a26dbceef 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -174,6 +174,9 @@ Trunk (Unreleased)
     MAPREDUCE-5950. incorrect description in distcp2 document (Akira AJISAKA 
       via aw)
 
+    MAPREDUCE-5998. CompositeInputFormat javadoc is broken (Akira AJISAKA via
+      aw)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/join/CompositeInputFormat.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/join/CompositeInputFormat.java
index b177e8b8c00..40690e7541f 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/join/CompositeInputFormat.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/join/CompositeInputFormat.java
@@ -36,7 +36,6 @@
 /**
  * An InputFormat capable of performing joins over a set of data sources sorted
  * and partitioned the same way.
- * @see #setFormat
  *
  * A user may define new join types by setting the property
  * <tt>mapred.join.define.&lt;ident&gt;</tt> to a classname. In the expression
@@ -44,6 +43,7 @@
  * ComposableRecordReader.
  * <tt>mapred.join.keycomparator</tt> can be a classname used to compare keys
  * in the join.
+ * @see #setFormat
  * @see JoinRecordReader
  * @see MultiFilterRecordReader
  */
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/join/CompositeInputFormat.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/join/CompositeInputFormat.java
index bfb4bf14045..6189a271bc3 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/join/CompositeInputFormat.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/join/CompositeInputFormat.java
@@ -39,7 +39,6 @@
 /**
  * An InputFormat capable of performing joins over a set of data sources sorted
  * and partitioned the same way.
- * @see #setFormat
  *
  * A user may define new join types by setting the property
  * <tt>mapreduce.join.define.&lt;ident&gt;</tt> to a classname. 
@@ -47,6 +46,7 @@
  * assumed to be a ComposableRecordReader.
  * <tt>mapreduce.join.keycomparator</tt> can be a classname used to compare 
  * keys in the join.
+ * @see #setFormat
  * @see JoinRecordReader
  * @see MultiFilterRecordReader
  */

From e1f15d2cdf6be26df2716fee3c325895deedfc2f Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 17:56:53 +0000
Subject: [PATCH 223/354] MAPREDUCE-5999. Fix dead link in InputFormat javadoc
 (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618003 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                            | 2 ++
 .../src/main/java/org/apache/hadoop/mapred/InputFormat.java     | 2 +-
 .../src/main/java/org/apache/hadoop/mapreduce/InputFormat.java  | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index d3a26dbceef..a44f2e41ada 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -177,6 +177,8 @@ Trunk (Unreleased)
     MAPREDUCE-5998. CompositeInputFormat javadoc is broken (Akira AJISAKA via
       aw)
 
+    MAPREDUCE-5999. Fix dead link in InputFormat javadoc (Akira AJISAKA via aw)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/InputFormat.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/InputFormat.java
index afebdcf60b5..6f7b27893a6 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/InputFormat.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/InputFormat.java
@@ -50,7 +50,7 @@
  * bytes, of the input files. However, the {@link FileSystem} blocksize of  
  * the input files is treated as an upper bound for input splits. A lower bound 
  * on the split size can be set via 
- * <a href="{@docRoot}/../mapred-default.html#mapreduce.input.fileinputformat.split.minsize">
+ * <a href="{@docRoot}/../hadoop-mapreduce-client/hadoop-mapreduce-client-core/mapred-default.xml#mapreduce.input.fileinputformat.split.minsize">
  * mapreduce.input.fileinputformat.split.minsize</a>.</p>
  * 
  * <p>Clearly, logical splits based on input-size is insufficient for many 
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/InputFormat.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/InputFormat.java
index 83559904f42..37648b748d1 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/InputFormat.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/InputFormat.java
@@ -52,7 +52,7 @@
  * bytes, of the input files. However, the {@link FileSystem} blocksize of  
  * the input files is treated as an upper bound for input splits. A lower bound 
  * on the split size can be set via 
- * <a href="{@docRoot}/../mapred-default.html#mapreduce.input.fileinputformat.split.minsize">
+ * <a href="{@docRoot}/../hadoop-mapreduce-client/hadoop-mapreduce-client-core/mapred-default.xml#mapreduce.input.fileinputformat.split.minsize">
  * mapreduce.input.fileinputformat.split.minsize</a>.</p>
  * 
  * <p>Clearly, logical splits based on input-size is insufficient for many 

From 2d904b3fa3bb406415f6e7b9807fcd5afa564f04 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 18:07:06 +0000
Subject: [PATCH 224/354] MAPREDUCE-5906. Inconsistent configuration in
 property "mapreduce.reduce.shuffle.input.buffer.percent" (Akira AJISAKA via
 aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618007 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                           | 3 +++
 .../src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java | 1 +
 .../apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java  | 3 ++-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index a44f2e41ada..7dc4436a887 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -92,6 +92,9 @@ Trunk (Unreleased)
     MAPREDUCE-4791. Javadoc for KeyValueTextInputFormat should include default 
       separator and how to change it (Akira AJISAKA via aw)
 
+    MAPREDUCE-5906. Inconsistent configuration in property 
+      "mapreduce.reduce.shuffle.input.buffer.percent" (Akira AJISAKA via aw)
+
   BUG FIXES
 
     MAPREDUCE-5714. Removed forceful JVM exit in shutDownJob.  
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java
index 4795af78d2a..0a586967d01 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java
@@ -265,6 +265,7 @@ public interface MRJobConfig {
   public static final String REDUCE_MEMORY_TOTAL_BYTES = "mapreduce.reduce.memory.totalbytes";
 
   public static final String SHUFFLE_INPUT_BUFFER_PERCENT = "mapreduce.reduce.shuffle.input.buffer.percent";
+  public static final float DEFAULT_SHUFFLE_INPUT_BUFFER_PERCENT = 0.70f;
 
   public static final String SHUFFLE_MEMORY_LIMIT_PERCENT
     = "mapreduce.reduce.shuffle.memory.limit.percent";
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java
index 4d83995dcfd..49aa8576d60 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/MergeManagerImpl.java
@@ -156,7 +156,8 @@ public MergeManagerImpl(TaskAttemptID reduceId, JobConf jobConf,
     this.rfs = ((LocalFileSystem)localFS).getRaw();
     
     final float maxInMemCopyUse =
-      jobConf.getFloat(MRJobConfig.SHUFFLE_INPUT_BUFFER_PERCENT, 0.90f);
+      jobConf.getFloat(MRJobConfig.SHUFFLE_INPUT_BUFFER_PERCENT,
+          MRJobConfig.DEFAULT_SHUFFLE_INPUT_BUFFER_PERCENT);
     if (maxInMemCopyUse > 1.0 || maxInMemCopyUse < 0.0) {
       throw new IllegalArgumentException("Invalid value for " +
           MRJobConfig.SHUFFLE_INPUT_BUFFER_PERCENT + ": " +

From 20dcb841ce55b0d414885ceba530c30b5b528b0f Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Thu, 14 Aug 2014 19:11:06 +0000
Subject: [PATCH 225/354] HDFS-6546. Add non-superuser capability to get the
 encryption zone for a specific path. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1618022 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     |   3 +
 .../org/apache/hadoop/hdfs/DFSClient.java     |  13 +++
 .../hadoop/hdfs/DistributedFileSystem.java    |   7 ++
 .../apache/hadoop/hdfs/client/HdfsAdmin.java  |  16 ++-
 .../hadoop/hdfs/protocol/ClientProtocol.java  |   7 ++
 ...amenodeProtocolServerSideTranslatorPB.java |  17 +++
 .../ClientNamenodeProtocolTranslatorPB.java   |  17 +++
 .../namenode/EncryptionZoneManager.java       |  21 +++-
 .../hdfs/server/namenode/FSDirectory.java     |   9 ++
 .../hdfs/server/namenode/FSNamesystem.java    |  35 ++++++
 .../server/namenode/NameNodeRpcServer.java    |   6 ++
 .../main/proto/ClientNamenodeProtocol.proto   |   2 +
 .../src/main/proto/encryption.proto           |   8 ++
 .../hadoop/hdfs/TestEncryptionZones.java      | 100 +++++++++++++++++-
 14 files changed, 258 insertions(+), 3 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
index e37732606de..0171b82c31a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
@@ -79,6 +79,9 @@ fs-encryption (Unreleased)
     HDFS-6834. Improve the configuration guidance in DFSClient when there 
     are no Codec classes found in configs. (umamahesh)
 
+    HDFS-6546. Add non-superuser capability to get the encryption zone
+    for a specific path. (clamb)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index 39f988ccab1..c49d210bf8d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -154,6 +154,7 @@
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
 import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.EncryptionZoneIterator;
+import org.apache.hadoop.hdfs.protocol.EncryptionZoneWithId;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsBlocksMetadata;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
@@ -2880,6 +2881,18 @@ public void createEncryptionZone(String src, String keyName)
     }
   }
 
+  public EncryptionZone getEZForPath(String src)
+          throws IOException {
+    checkOpen();
+    try {
+      final EncryptionZoneWithId ezi = namenode.getEZForPath(src);
+      return (ezi.getId() < 0) ? null : ezi;
+    } catch (RemoteException re) {
+      throw re.unwrapRemoteException(AccessControlException.class,
+                                     UnresolvedPathException.class);
+    }
+  }
+
   public RemoteIterator<EncryptionZone> listEncryptionZones()
       throws IOException {
     checkOpen();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
index ee38d7ee62c..354640b42b9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
@@ -1805,6 +1805,13 @@ public void createEncryptionZone(Path path, String keyName)
     dfs.createEncryptionZone(getPathName(path), keyName);
   }
 
+  /* HDFS only */
+  public EncryptionZone getEZForPath(Path path)
+          throws IOException {
+    Preconditions.checkNotNull(path);
+    return dfs.getEZForPath(getPathName(path));
+  }
+
   /* HDFS only */
   public RemoteIterator<EncryptionZone> listEncryptionZones()
       throws IOException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
index 1a8dce3acbf..1adfc1bfab0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
@@ -21,7 +21,6 @@
 import java.io.IOException;
 import java.net.URI;
 import java.util.EnumSet;
-import java.util.List;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
@@ -247,6 +246,21 @@ public void createEncryptionZone(Path path, String keyName)
     dfs.createEncryptionZone(path, keyName);
   }
 
+  /**
+   * Get the path of the encryption zone for a given file or directory.
+   *
+   * @param path The path to get the ez for.
+   *
+   * @return The EncryptionZone of the ez, or null if path is not in an ez.
+   * @throws IOException            if there was a general IO exception
+   * @throws AccessControlException if the caller does not have access to path
+   * @throws FileNotFoundException  if the path does not exist
+   */
+  public EncryptionZone getEncryptionZoneForPath(Path path)
+    throws IOException, AccessControlException, FileNotFoundException {
+    return dfs.getEZForPath(path);
+  }
+
   /**
    * Returns a RemoteIterator which can be used to list the encryption zones
    * in HDFS. For large numbers of encryption zones, the iterator will fetch
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index 21e1c07767b..ef0ac55dec2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -1275,6 +1275,13 @@ public void removeAclEntries(String src, List<AclEntry> aclSpec)
   public void createEncryptionZone(String src, String keyName)
     throws IOException;
 
+  /**
+   * Get the encryption zone for a path.
+   */
+  @Idempotent
+  public EncryptionZoneWithId getEZForPath(String src)
+    throws IOException;
+
   /**
    * Used to implement cursor-based batched listing of {@EncryptionZone}s.
    *
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
index 29449933973..40dd8f03381 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
@@ -179,6 +179,8 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.CheckAccessResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.CreateEncryptionZoneResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.CreateEncryptionZoneRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.GetEZForPathResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.GetEZForPathRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.DatanodeIDProto;
@@ -1318,6 +1320,21 @@ public CreateEncryptionZoneResponseProto createEncryptionZone(
     }
   }
 
+  @Override
+  public GetEZForPathResponseProto getEZForPath(
+      RpcController controller, GetEZForPathRequestProto req)
+      throws ServiceException {
+    try {
+      GetEZForPathResponseProto.Builder builder =
+          GetEZForPathResponseProto.newBuilder();
+      final EncryptionZoneWithId ret = server.getEZForPath(req.getSrc());
+      builder.setZone(PBHelper.convert(ret));
+      return builder.build();
+    } catch (IOException e) {
+      throw new ServiceException(e);
+    }
+  }
+
   @Override
   public ListEncryptionZonesResponseProto listEncryptionZones(
     RpcController controller, ListEncryptionZonesRequestProto req)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
index 662682448b7..210828db914 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
@@ -151,6 +151,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.CheckAccessRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.CreateEncryptionZoneRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.GetEZForPathRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.EncryptionZonesProtos.ListEncryptionZonesRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.GetXAttrsRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.ListXAttrsRequestProto;
@@ -1325,6 +1326,22 @@ public void createEncryptionZone(String src, String keyName)
     }
   }
 
+  @Override
+  public EncryptionZoneWithId getEZForPath(String src)
+      throws IOException {
+    final GetEZForPathRequestProto.Builder builder =
+        GetEZForPathRequestProto.newBuilder();
+    builder.setSrc(src);
+    final GetEZForPathRequestProto req = builder.build();
+    try {
+      final EncryptionZonesProtos.GetEZForPathResponseProto response =
+          rpcProxy.getEZForPath(null, req);
+      return PBHelper.convert(response.getZone());
+    } catch (ServiceException e) {
+      throw ProtobufHelper.getRemoteException(e);
+    }
+  }
+
   @Override
   public BatchedEntries<EncryptionZoneWithId> listEncryptionZones(long id)
       throws IOException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
index 31cb53c40ce..e45d540386f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@@ -36,6 +36,9 @@ public class EncryptionZoneManager {
   public static Logger LOG = LoggerFactory.getLogger(EncryptionZoneManager
       .class);
 
+  private static final EncryptionZoneWithId NULL_EZ =
+      new EncryptionZoneWithId("", "", -1);
+
   /**
    * EncryptionZoneInt is the internal representation of an encryption zone. The
    * external representation of an EZ is embodied in an EncryptionZone and
@@ -57,7 +60,6 @@ String getKeyName() {
     long getINodeId() {
       return inodeId;
     }
-
   }
 
   private final TreeMap<Long, EncryptionZoneInt> encryptionZones;
@@ -164,6 +166,23 @@ private EncryptionZoneInt getEncryptionZoneForPath(INodesInPath iip) {
     return null;
   }
 
+  /**
+   * Returns an EncryptionZoneWithId representing the ez for a given path.
+   * Returns an empty marker EncryptionZoneWithId if path is not in an ez.
+   *
+   * @param iip The INodesInPath of the path to check
+   * @return the EncryptionZoneWithId representing the ez for the path.
+   */
+  EncryptionZoneWithId getEZINodeForPath(INodesInPath iip) {
+    final EncryptionZoneInt ezi = getEncryptionZoneForPath(iip);
+    if (ezi == null) {
+      return NULL_EZ;
+    } else {
+      return new EncryptionZoneWithId(getFullPathName(ezi), ezi.getKeyName(),
+          ezi.getINodeId());
+    }
+  }
+
   /**
    * Throws an exception if the provided path cannot be renamed into the
    * destination because of differing encryption zones.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index 15210b9ed16..d2314628d15 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -2640,6 +2640,15 @@ XAttr createEncryptionZone(String src, String keyName)
     }
   }
 
+  EncryptionZoneWithId getEZForPath(INodesInPath iip) {
+    readLock();
+    try {
+      return ezManager.getEZINodeForPath(iip);
+    } finally {
+      readUnlock();
+    }
+  }
+
   BatchedListEntries<EncryptionZoneWithId> listEncryptionZones(long prevId)
       throws IOException {
     readLock();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index bb58e2e7ecf..9d09202dc25 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -8571,6 +8571,41 @@ private void createEncryptionZoneInt(final String srcArg, String keyName,
     logAuditEvent(true, "createEncryptionZone", srcArg, null, resultingStat);
   }
 
+  /**
+   * Get the encryption zone for the specified path.
+   *
+   * @param srcArg the path of a file or directory to get the EZ for.
+   * @return the EZ of the of the path or null if none.
+   * @throws AccessControlException  if the caller is not the superuser.
+   * @throws UnresolvedLinkException if the path can't be resolved.
+   */
+  EncryptionZoneWithId getEZForPath(final String srcArg)
+    throws AccessControlException, UnresolvedLinkException, IOException {
+    String src = srcArg;
+    HdfsFileStatus resultingStat = null;
+    final byte[][] pathComponents =
+        FSDirectory.getPathComponentsForReservedPath(src);
+    boolean success = false;
+    final FSPermissionChecker pc = getPermissionChecker();
+    checkOperation(OperationCategory.READ);
+    readLock();
+    try {
+      if (isPermissionEnabled) {
+        checkPathAccess(pc, src, FsAction.READ);
+      }
+      checkOperation(OperationCategory.READ);
+      src = resolvePath(src, pathComponents);
+      final INodesInPath iip = dir.getINodesInPath(src, true);
+      final EncryptionZoneWithId ret = dir.getEZForPath(iip);
+      resultingStat = getAuditFileInfo(src, false);
+      success = true;
+      return ret;
+    } finally {
+      readUnlock();
+      logAuditEvent(success, "getEZForPath", srcArg, null, resultingStat);
+    }
+  }
+
   BatchedListEntries<EncryptionZoneWithId> listEncryptionZones(long prevId)
       throws IOException {
     boolean success = false;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 9cbba2fac99..e17d403c094 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -1432,6 +1432,12 @@ public void createEncryptionZone(String src, String keyName)
     namesystem.createEncryptionZone(src, keyName);
   }
 
+  @Override
+  public EncryptionZoneWithId getEZForPath(String src)
+    throws IOException {
+    return namesystem.getEZForPath(src);
+  }
+
   @Override
   public BatchedEntries<EncryptionZoneWithId> listEncryptionZones(
       long prevId) throws IOException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
index 8eb662d21bf..edffc9a99ce 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
@@ -799,4 +799,6 @@ service ClientNamenodeProtocol {
       returns(CreateEncryptionZoneResponseProto);
   rpc listEncryptionZones(ListEncryptionZonesRequestProto)
       returns(ListEncryptionZonesResponseProto);
+  rpc getEZForPath(GetEZForPathRequestProto)
+      returns(GetEZForPathResponseProto);
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
index fadaef1b9d7..ecf09708d10 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/encryption.proto
@@ -55,3 +55,11 @@ message ListEncryptionZonesResponseProto {
   repeated EncryptionZoneWithIdProto zones = 1;
   required bool hasMore = 2;
 }
+
+message GetEZForPathRequestProto {
+    required string src = 1;
+}
+
+message GetEZForPathResponseProto {
+    required EncryptionZoneWithIdProto zone = 1;
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
index b48978c97ca..1a13332a14c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
@@ -19,7 +19,6 @@
 
 import java.io.File;
 import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
 import java.security.PrivilegedExceptionAction;
 import java.util.Arrays;
 import java.util.List;
@@ -64,6 +63,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotEquals;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
@@ -337,6 +337,104 @@ public Object run() throws Exception {
     });
   }
 
+  /**
+   * Test getEncryptionZoneForPath as a non super user.
+   */
+  @Test(timeout = 60000)
+  public void testGetEZAsNonSuperUser() throws Exception {
+
+    final UserGroupInformation user = UserGroupInformation.
+            createUserForTesting("user", new String[] { "mygroup" });
+
+    final Path testRoot = new Path(fsHelper.getTestRootDir());
+    final Path superPath = new Path(testRoot, "superuseronly");
+    final Path superPathFile = new Path(superPath, "file1");
+    final Path allPath = new Path(testRoot, "accessall");
+    final Path allPathFile = new Path(allPath, "file1");
+    final Path nonEZDir = new Path(testRoot, "nonEZDir");
+    final Path nonEZFile = new Path(nonEZDir, "file1");
+    final int len = 8192;
+
+    fsWrapper.mkdir(testRoot, new FsPermission((short) 0777), true);
+    fsWrapper.mkdir(superPath, new FsPermission((short) 0700), false);
+    fsWrapper.mkdir(allPath, new FsPermission((short) 0777), false);
+    fsWrapper.mkdir(nonEZDir, new FsPermission((short) 0777), false);
+    dfsAdmin.createEncryptionZone(superPath, TEST_KEY);
+    dfsAdmin.createEncryptionZone(allPath, TEST_KEY);
+    dfsAdmin.allowSnapshot(new Path("/"));
+    final Path newSnap = fs.createSnapshot(new Path("/"));
+    DFSTestUtil.createFile(fs, superPathFile, len, (short) 1, 0xFEED);
+    DFSTestUtil.createFile(fs, allPathFile, len, (short) 1, 0xFEED);
+    DFSTestUtil.createFile(fs, nonEZFile, len, (short) 1, 0xFEED);
+
+    user.doAs(new PrivilegedExceptionAction<Object>() {
+      @Override
+      public Object run() throws Exception {
+        final HdfsAdmin userAdmin =
+            new HdfsAdmin(FileSystem.getDefaultUri(conf), conf);
+
+        // Check null arg
+        try {
+          userAdmin.getEncryptionZoneForPath(null);
+          fail("should have thrown NPE");
+        } catch (NullPointerException e) {
+          /*
+           * IWBNI we could use assertExceptionContains, but the NPE that is
+           * thrown has no message text.
+           */
+        }
+
+        // Check operation with accessible paths
+        assertEquals("expected ez path", allPath.toString(),
+            userAdmin.getEncryptionZoneForPath(allPath).getPath().
+            toString());
+        assertEquals("expected ez path", allPath.toString(),
+            userAdmin.getEncryptionZoneForPath(allPathFile).getPath().
+            toString());
+
+        // Check operation with inaccessible (lack of permissions) path
+        try {
+          userAdmin.getEncryptionZoneForPath(superPathFile);
+          fail("expected AccessControlException");
+        } catch (AccessControlException e) {
+          assertExceptionContains("Permission denied:", e);
+        }
+
+        // Check operation with non-ez paths
+        assertNull("expected null for non-ez path",
+            userAdmin.getEncryptionZoneForPath(nonEZDir));
+        assertNull("expected null for non-ez path",
+            userAdmin.getEncryptionZoneForPath(nonEZFile));
+
+        // Check operation with snapshots
+        String snapshottedAllPath = newSnap.toString() + allPath.toString();
+        assertEquals("expected ez path", allPath.toString(),
+            userAdmin.getEncryptionZoneForPath(
+                new Path(snapshottedAllPath)).getPath().toString());
+
+        /*
+         * Delete the file from the non-snapshot and test that it is still ok
+         * in the ez.
+         */
+        fs.delete(allPathFile, false);
+        assertEquals("expected ez path", allPath.toString(),
+            userAdmin.getEncryptionZoneForPath(
+                new Path(snapshottedAllPath)).getPath().toString());
+
+        // Delete the ez and make sure ss's ez is still ok.
+        fs.delete(allPath, true);
+        assertEquals("expected ez path", allPath.toString(),
+            userAdmin.getEncryptionZoneForPath(
+                new Path(snapshottedAllPath)).getPath().toString());
+        assertNull("expected null for deleted file path",
+            userAdmin.getEncryptionZoneForPath(allPathFile));
+        assertNull("expected null for deleted directory path",
+            userAdmin.getEncryptionZoneForPath(allPath));
+        return null;
+      }
+    });
+  }
+
   /**
    * Test success of Rename EZ on a directory which is already an EZ.
    */

From 399e428deb6a4aafff20bfff6a2fd0acfd21366a Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 20:28:36 +0000
Subject: [PATCH 226/354] HADOOP-10121. Fix javadoc spelling for
 HadoopArchives#writeTopLevelDirs (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618044 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt                | 3 +++
 .../src/main/java/org/apache/hadoop/tools/HadoopArchives.java  | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 9215927bb82..446934f55d9 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -430,6 +430,9 @@ Trunk (Unreleased)
     HADOOP-10862. Miscellaneous trivial corrections to KMS classes. 
     (asuresh via tucu)
 
+    HADOOP-10121. Fix javadoc spelling for HadoopArchives#writeTopLevelDirs
+      (Akira AJISAKA via aw)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
diff --git a/hadoop-tools/hadoop-archives/src/main/java/org/apache/hadoop/tools/HadoopArchives.java b/hadoop-tools/hadoop-archives/src/main/java/org/apache/hadoop/tools/HadoopArchives.java
index 98b3c9ca1e9..93994b817a4 100644
--- a/hadoop-tools/hadoop-archives/src/main/java/org/apache/hadoop/tools/HadoopArchives.java
+++ b/hadoop-tools/hadoop-archives/src/main/java/org/apache/hadoop/tools/HadoopArchives.java
@@ -338,7 +338,7 @@ else if (fullPath.depth() > root.depth()) {
    * directories to
    * @param paths the source paths provided by the user. They
    * are glob free and have full path (not relative paths)
-   * @param parentPath the parent path that you wnat the archives
+   * @param parentPath the parent path that you want the archives
    * to be relative to. example - /home/user/dir1 can be archived with
    * parent as /home or /home/user.
    * @throws IOException

From a9023c2736fb8a95dbba90d3f61c9eca33126af4 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Thu, 14 Aug 2014 21:17:20 +0000
Subject: [PATCH 227/354] YARN-2397. Avoided loading two authentication filters
 for RM and TS web interfaces. Contributed by Varun Vasudev.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618054 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |  3 +
 .../ApplicationHistoryServer.java             | 33 ++++++--
 .../TestApplicationHistoryServer.java         | 28 +++++++
 .../RMAuthenticationFilterInitializer.java    |  2 +-
 .../resourcemanager/ResourceManager.java      | 78 +++++++++++++------
 .../resourcemanager/TestResourceManager.java  | 76 ++++++++++++++++++
 ...ServicesDelegationTokenAuthentication.java |  3 +
 7 files changed, 190 insertions(+), 33 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 4b06e627fca..84216274eb5 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -193,6 +193,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2070. Made DistributedShell publish the short user name to the timeline
     server. (Robert Kanter via zjshen)
 
+    YARN-2397. Avoided loading two authentication filters for RM and TS web
+    interfaces. (Varun Vasudev via zjshen)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
index 29bbd217338..c61b80e1993 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
@@ -20,6 +20,7 @@
 
 import java.io.IOException;
 import java.net.InetSocketAddress;
+import java.util.ArrayList;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -27,6 +28,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
 import org.apache.hadoop.metrics2.source.JvmMetrics;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.service.CompositeService;
 import org.apache.hadoop.service.Service;
@@ -195,14 +197,31 @@ private void startWebApp() {
     // the customized filter will be loaded by the timeline server to do Kerberos
     // + DT authentication.
     String initializers = conf.get("hadoop.http.filter.initializers");
+
     initializers =
-        initializers == null || initializers.length() == 0 ? "" : ","
-            + initializers;
-    if (!initializers.contains(
-        TimelineAuthenticationFilterInitializer.class.getName())) {
-      conf.set("hadoop.http.filter.initializers",
-          TimelineAuthenticationFilterInitializer.class.getName()
-              + initializers);
+        initializers == null || initializers.length() == 0 ? "" : initializers;
+
+    if (!initializers.contains(TimelineAuthenticationFilterInitializer.class
+      .getName())) {
+      initializers =
+          TimelineAuthenticationFilterInitializer.class.getName() + ","
+              + initializers;
+    }
+
+    String[] parts = initializers.split(",");
+    ArrayList<String> target = new ArrayList<String>();
+    for (String filterInitializer : parts) {
+      filterInitializer = filterInitializer.trim();
+      if (filterInitializer.equals(AuthenticationFilterInitializer.class
+        .getName())) {
+        continue;
+      }
+      target.add(filterInitializer);
+    }
+    String actualInitializers =
+        org.apache.commons.lang.StringUtils.join(target, ",");
+    if (!actualInitializers.equals(initializers)) {
+      conf.set("hadoop.http.filter.initializers", actualInitializers);
     }
     String bindAddress = WebAppUtils.getWebAppBindURL(conf,
                           YarnConfiguration.TIMELINE_SERVICE_BIND_HOST,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryServer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryServer.java
index 5c55becb6c9..bcd8e454c5e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryServer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryServer.java
@@ -23,11 +23,14 @@
 import static org.junit.Assert.fail;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
 import org.apache.hadoop.service.Service.STATE;
 import org.apache.hadoop.util.ExitUtil;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.applicationhistoryservice.webapp.AHSWebApp;
+import org.apache.hadoop.yarn.server.timeline.security.TimelineAuthenticationFilterInitializer;
 import org.junit.After;
+import org.junit.Assert;
 import org.junit.Test;
 
 public class TestApplicationHistoryServer {
@@ -69,6 +72,31 @@ public void testLaunch() throws Exception {
     }
   }
 
+  @Test(timeout = 50000)
+  public void testFilteOverrides() throws Exception {
+
+    String[] filterInitializers =
+        {
+            AuthenticationFilterInitializer.class.getName(),
+            TimelineAuthenticationFilterInitializer.class.getName(),
+            AuthenticationFilterInitializer.class.getName() + ","
+                + TimelineAuthenticationFilterInitializer.class.getName(),
+            AuthenticationFilterInitializer.class.getName() + ", "
+                + TimelineAuthenticationFilterInitializer.class.getName() };
+    for (String filterInitializer : filterInitializers) {
+      historyServer = new ApplicationHistoryServer();
+      Configuration config = new YarnConfiguration();
+      config.set("hadoop.http.filter.initializers", filterInitializer);
+      historyServer.init(config);
+      historyServer.start();
+      Configuration tmp = historyServer.getConfig();
+      assertEquals(TimelineAuthenticationFilterInitializer.class.getName(),
+        tmp.get("hadoop.http.filter.initializers"));
+      historyServer.stop();
+      AHSWebApp.resetInstance();
+    }
+  }
+
   @After
   public void stop() {
     if (historyServer != null) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java
index 2227833e7cf..128794ee6eb 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java
@@ -114,7 +114,7 @@ protected Map<String, String> createFilterConfig(Configuration conf) {
   public void initFilter(FilterContainer container, Configuration conf) {
 
     Map<String, String> filterConfig = createFilterConfig(conf);
-    container.addFilter("YARNAuthenticationFilter",
+    container.addFilter("RMAuthenticationFilter",
       RMAuthenticationFilter.class.getName(), filterConfig);
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
index 90441d6c947..6fea90043bb 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
@@ -22,6 +22,7 @@
 import java.io.InputStream;
 import java.net.InetSocketAddress;
 import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.LinkedBlockingQueue;
@@ -35,6 +36,7 @@
 import org.apache.hadoop.http.lib.StaticUserWebFilter;
 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
 import org.apache.hadoop.metrics2.source.JvmMetrics;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
 import org.apache.hadoop.security.Groups;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -799,10 +801,11 @@ protected void startWepApp() {
 
     // Use the customized yarn filter instead of the standard kerberos filter to
     // allow users to authenticate using delegation tokens
-    // 3 conditions need to be satisfied -
+    // 4 conditions need to be satisfied -
     // 1. security is enabled
     // 2. http auth type is set to kerberos
     // 3. "yarn.resourcemanager.webapp.use-yarn-filter" override is set to true
+    // 4. hadoop.http.filter.initializers container AuthenticationFilterInitializer
 
     Configuration conf = getConfig();
     boolean useYarnAuthenticationFilter =
@@ -811,41 +814,66 @@ protected void startWepApp() {
           YarnConfiguration.DEFAULT_RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER);
     String authPrefix = "hadoop.http.authentication.";
     String authTypeKey = authPrefix + "type";
-    String initializers = conf.get("hadoop.http.filter.initializers");
-    if (UserGroupInformation.isSecurityEnabled()
-        && useYarnAuthenticationFilter
-        && conf.get(authTypeKey, "").equalsIgnoreCase(
-          KerberosAuthenticationHandler.TYPE)) {
-      LOG.info("Using RM authentication filter(kerberos/delegation-token)"
-          + " for RM webapp authentication");
-      RMAuthenticationHandler
-        .setSecretManager(getClientRMService().rmDTSecretManager);
-      String yarnAuthKey =
-          authPrefix + RMAuthenticationFilter.AUTH_HANDLER_PROPERTY;
-      conf.setStrings(yarnAuthKey, RMAuthenticationHandler.class.getName());
+    String filterInitializerConfKey = "hadoop.http.filter.initializers";
+    String actualInitializers = "";
+    Class<?>[] initializersClasses =
+        conf.getClasses(filterInitializerConfKey);
 
-      initializers =
-          initializers == null || initializers.isEmpty() ? "" : ","
-              + initializers;
-      if (!initializers.contains(RMAuthenticationFilterInitializer.class
-        .getName())) {
-        conf.set("hadoop.http.filter.initializers",
-          RMAuthenticationFilterInitializer.class.getName() + initializers);
+    boolean hasHadoopAuthFilterInitializer = false;
+    boolean hasRMAuthFilterInitializer = false;
+    if (initializersClasses != null) {
+      for (Class<?> initializer : initializersClasses) {
+        if (initializer.getName().equals(
+          AuthenticationFilterInitializer.class.getName())) {
+          hasHadoopAuthFilterInitializer = true;
+        }
+        if (initializer.getName().equals(
+          RMAuthenticationFilterInitializer.class.getName())) {
+          hasRMAuthFilterInitializer = true;
+        }
+      }
+      if (UserGroupInformation.isSecurityEnabled()
+          && useYarnAuthenticationFilter
+          && hasHadoopAuthFilterInitializer
+          && conf.get(authTypeKey, "").equals(
+            KerberosAuthenticationHandler.TYPE)) {
+        ArrayList<String> target = new ArrayList<String>();
+        for (Class<?> filterInitializer : initializersClasses) {
+          if (filterInitializer.getName().equals(
+            AuthenticationFilterInitializer.class.getName())) {
+            if (hasRMAuthFilterInitializer == false) {
+              target.add(RMAuthenticationFilterInitializer.class.getName());
+            }
+            continue;
+          }
+          target.add(filterInitializer.getName());
+        }
+        actualInitializers = StringUtils.join(",", target);
+
+        LOG.info("Using RM authentication filter(kerberos/delegation-token)"
+            + " for RM webapp authentication");
+        RMAuthenticationHandler
+          .setSecretManager(getClientRMService().rmDTSecretManager);
+        String yarnAuthKey =
+            authPrefix + RMAuthenticationFilter.AUTH_HANDLER_PROPERTY;
+        conf.setStrings(yarnAuthKey, RMAuthenticationHandler.class.getName());
+        conf.set(filterInitializerConfKey, actualInitializers);
       }
     }
 
-    // if security is not enabled and the default filter initializer has been
-    // set, set the initializer to include the
+    // if security is not enabled and the default filter initializer has not 
+    // been set, set the initializer to include the
     // RMAuthenticationFilterInitializer which in turn will set up the simple
     // auth filter.
 
+    String initializers = conf.get(filterInitializerConfKey);
     if (!UserGroupInformation.isSecurityEnabled()) {
-      if (initializers == null || initializers.isEmpty()) {
-        conf.set("hadoop.http.filter.initializers",
+      if (initializersClasses == null || initializersClasses.length == 0) {
+        conf.set(filterInitializerConfKey,
           RMAuthenticationFilterInitializer.class.getName());
         conf.set(authTypeKey, "simple");
       } else if (initializers.equals(StaticUserWebFilter.class.getName())) {
-        conf.set("hadoop.http.filter.initializers",
+        conf.set(filterInitializerConfKey,
           RMAuthenticationFilterInitializer.class.getName() + ","
               + initializers);
         conf.set(authTypeKey, "simple");
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestResourceManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestResourceManager.java
index 4fdfcf61e94..1117fbe3393 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestResourceManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestResourceManager.java
@@ -27,7 +27,10 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.http.lib.StaticUserWebFilter;
 import org.apache.hadoop.net.NetworkTopology;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.yarn.api.records.Priority;
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
@@ -39,8 +42,10 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.AppAttemptRemovedSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeAddedSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeUpdateSchedulerEvent;
+import org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilterInitializer;
 import org.apache.hadoop.yarn.util.resource.Resources;
 import org.junit.After;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -235,4 +240,75 @@ public void testNMExpiryAndHeartbeatIntervalsValidation() throws Exception {
     }
   }
 
+  @Test(timeout = 50000)
+  public void testFilterOverrides() throws Exception {
+    String filterInitializerConfKey = "hadoop.http.filter.initializers";
+    String[] filterInitializers =
+        {
+            AuthenticationFilterInitializer.class.getName(),
+            RMAuthenticationFilterInitializer.class.getName(),
+            AuthenticationFilterInitializer.class.getName() + ","
+                + RMAuthenticationFilterInitializer.class.getName(),
+            AuthenticationFilterInitializer.class.getName() + ", "
+                + RMAuthenticationFilterInitializer.class.getName(),
+            AuthenticationFilterInitializer.class.getName() + ", "
+                + this.getClass().getName() };
+    for (String filterInitializer : filterInitializers) {
+      resourceManager = new ResourceManager();
+      Configuration conf = new YarnConfiguration();
+      conf.set(filterInitializerConfKey, filterInitializer);
+      conf.set("hadoop.security.authentication", "kerberos");
+      conf.set("hadoop.http.authentication.type", "kerberos");
+      try {
+        try {
+          UserGroupInformation.setConfiguration(conf);
+        } catch (Exception e) {
+          // ignore we just care about getting true for
+          // isSecurityEnabled()
+          LOG.info("Got expected exception");
+        }
+        resourceManager.init(conf);
+        resourceManager.startWepApp();
+      } catch (RuntimeException e) {
+        // Exceptions are expected because we didn't setup everything
+        // just want to test filter settings
+        String tmp = resourceManager.getConfig().get(filterInitializerConfKey);
+        if (filterInitializer.contains(this.getClass().getName())) {
+          Assert.assertEquals(RMAuthenticationFilterInitializer.class.getName()
+              + "," + this.getClass().getName(), tmp);
+        } else {
+          Assert.assertEquals(
+            RMAuthenticationFilterInitializer.class.getName(), tmp);
+        }
+        resourceManager.stop();
+      }
+    }
+
+    // simple mode overrides
+    String[] simpleFilterInitializers =
+        { "", StaticUserWebFilter.class.getName() };
+    for (String filterInitializer : simpleFilterInitializers) {
+      resourceManager = new ResourceManager();
+      Configuration conf = new YarnConfiguration();
+      conf.set(filterInitializerConfKey, filterInitializer);
+      try {
+        UserGroupInformation.setConfiguration(conf);
+        resourceManager.init(conf);
+        resourceManager.startWepApp();
+      } catch (RuntimeException e) {
+        // Exceptions are expected because we didn't setup everything
+        // just want to test filter settings
+        String tmp = resourceManager.getConfig().get(filterInitializerConfKey);
+        if (filterInitializer.equals(StaticUserWebFilter.class.getName())) {
+          Assert.assertEquals(RMAuthenticationFilterInitializer.class.getName()
+              + "," + StaticUserWebFilter.class.getName(), tmp);
+        } else {
+          Assert.assertEquals(
+            RMAuthenticationFilterInitializer.class.getName(), tmp);
+        }
+        resourceManager.stop();
+      }
+    }
+  }
+
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java
index 34a914a7541..239d5922eaf 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java
@@ -41,6 +41,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.KerberosTestUtils;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
@@ -122,6 +123,8 @@ private static void setupAndStartRM() throws Exception {
       "kerberos");
     rmconf.setBoolean(YarnConfiguration.RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER,
       true);
+    rmconf.set("hadoop.http.filter.initializers",
+      AuthenticationFilterInitializer.class.getName());
     rmconf.set(YarnConfiguration.RM_WEBAPP_SPNEGO_USER_NAME_KEY,
       httpSpnegoPrincipal);
     rmconf.set(YarnConfiguration.RM_KEYTAB,

From 597b3fdc925f9eab69be1a72eee135216251e919 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 21:39:49 +0000
Subject: [PATCH 228/354] HADOOP-10231. Add some components in Native Libraries
 document (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618059 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt    |  3 +++
 .../src/site/apt/NativeLibraries.apt.vm            | 14 +++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 446934f55d9..38a21a4a847 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -205,6 +205,9 @@ Trunk (Unreleased)
     HADOOP-8944. Shell command fs -count should include human readable option
       (Jonathan Allen via aw)
 
+    HADOOP-10231. Add some components in Native Libraries document (Akira 
+      AJISAKA via aw)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm
index 27325194100..070a7d3e568 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm
@@ -30,6 +30,8 @@ Native Libraries Guide
    compression" could refer to all *.so's you need to compile that are
    specifically related to compression. Currently, however, this document
    only addresses the native hadoop library (<<<libhadoop.so>>>).
+   The document for libhdfs library (<<<libhdfs.so>>>) is
+   {{{../hadoop-hdfs/LibHdfs.html}here}}.
 
 * Native Hadoop Library
 
@@ -64,14 +66,16 @@ Native Libraries Guide
 
 * Components
 
-   The native hadoop library includes two components, the zlib and gzip
-   compression codecs:
+   The native hadoop library includes various components:
 
-     * zlib
+   * Compression Codecs (bzip2, lz4, snappy, zlib)
 
-     * gzip
+   * Native IO utilities for {{{../hadoop-hdfs/ShortCircuitLocalReads.html}
+     HDFS Short-Circuit Local Reads}} and
+     {{{../hadoop-hdfs/CentralizedCacheManagement.html}Centralized Cache
+     Management in HDFS}}
 
-   The native hadoop library is imperative for gzip to work.
+   * CRC32 checksum implementation
 
 * Supported Platforms
 

From b8ea45c2e33e0365ee3c0308da4681dc9cb4a285 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 21:45:58 +0000
Subject: [PATCH 229/354] YARN-2197. Add a link to YARN CHANGES.txt in the left
 side of doc (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618066 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-project/src/site/site.xml | 1 +
 hadoop-yarn-project/CHANGES.txt  | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/hadoop-project/src/site/site.xml b/hadoop-project/src/site/site.xml
index 37e0153ec8f..3930ace2802 100644
--- a/hadoop-project/src/site/site.xml
+++ b/hadoop-project/src/site/site.xml
@@ -142,6 +142,7 @@
       <item name="Common CHANGES.txt" href="hadoop-project-dist/hadoop-common/CHANGES.txt"/>
       <item name="HDFS CHANGES.txt" href="hadoop-project-dist/hadoop-hdfs/CHANGES.txt"/>
       <item name="MapReduce CHANGES.txt" href="hadoop-project-dist/hadoop-mapreduce/CHANGES.txt"/>
+      <item name="YARN CHANGES.txt" href="hadoop-project-dist/hadoop-yarn/CHANGES.txt"/>
       <item name="Metrics" href="hadoop-project-dist/hadoop-common/Metrics.html"/>
     </menu>
     
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 84216274eb5..920983dd7c6 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -8,6 +8,9 @@ Trunk - Unreleased
 
   IMPROVEMENTS
 
+    YARN-2197. Add a link to YARN CHANGES.txt in the left side of doc
+      (Akira AJISAKA via aw)
+
   OPTIMIZATIONS
 
   BUG FIXES

From 0350ea3c72b8cb036f8f066c12f400dd9e45c439 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 14 Aug 2014 21:53:12 +0000
Subject: [PATCH 230/354] YARN-1918. Typo in description and error message for
 yarn.resourcemanager.cluster-id (Anandha L Ranganathan via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618070 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                                | 3 +++
 .../java/org/apache/hadoop/yarn/conf/YarnConfiguration.java    | 2 +-
 .../hadoop-yarn-common/src/main/resources/yarn-default.xml     | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 920983dd7c6..b879600537b 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -11,6 +11,9 @@ Trunk - Unreleased
     YARN-2197. Add a link to YARN CHANGES.txt in the left side of doc
       (Akira AJISAKA via aw)
 
+    YARN-1918. Typo in description and error message for 
+      'yarn.resourcemanager.cluster-id' (Anandha L Ranganathan via aw)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
index 9e08ef52008..39d1dd3b015 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -1370,7 +1370,7 @@ public static boolean useHttps(Configuration conf) {
   public static String getClusterId(Configuration conf) {
     String clusterId = conf.get(YarnConfiguration.RM_CLUSTER_ID);
     if (clusterId == null) {
-      throw new HadoopIllegalArgumentException("Configuration doesn't specify" +
+      throw new HadoopIllegalArgumentException("Configuration doesn't specify " +
           YarnConfiguration.RM_CLUSTER_ID);
     }
     return clusterId;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
index 94b4d7f20ec..9b2b6764923 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -474,7 +474,7 @@
   <property>
     <description>Name of the cluster. In a HA setting,
       this is used to ensure the RM participates in leader
-      election fo this cluster and ensures it does not affect
+      election for this cluster and ensures it does not affect
       other clusters</description>
     <name>yarn.resourcemanager.cluster-id</name>
     <!--value>yarn-cluster</value-->

From 7378af7bcad781353ca40bd9754bf958480381a1 Mon Sep 17 00:00:00 2001
From: Jason Darrell Lowe <jlowe@apache.org>
Date: Thu, 14 Aug 2014 23:17:33 +0000
Subject: [PATCH 231/354] MAPREDUCE-5878. some standard JDK APIs are not part
 of system classes defaults. Contributed by Sangjin Lee

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618080 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                        | 3 +++
 .../src/main/resources/mapred-default.xml                   | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 7dc4436a887..05cce4ebde8 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -221,6 +221,9 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-6010. HistoryServerFileSystemStateStore fails to update tokens
     (jlowe)
 
+    MAPREDUCE-5878. some standard JDK APIs are not part of system classes
+    defaults (Sangjin Lee via jlowe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
index 8e7e76c3442..110e3162833 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
@@ -1225,9 +1225,9 @@
 
 <property>
    <name>mapreduce.job.classloader.system.classes</name>
-   <value>java.,javax.,org.apache.commons.logging.,org.apache.log4j.,
-          org.apache.hadoop.,core-default.xml,hdfs-default.xml,
-          mapred-default.xml,yarn-default.xml</value>
+   <value>java.,javax.,org.w3c.dom.,org.xml.sax.,org.apache.commons.logging.,
+          org.apache.log4j.,org.apache.hadoop.,core-default.xml,
+          hdfs-default.xml,mapred-default.xml,yarn-default.xml</value>
   <description>A comma-separated list of classes that should be loaded from the
     system classpath, not the user-supplied JARs, when mapreduce.job.classloader
     is enabled. Names ending in '.' (period) are treated as package names,

From 894b4e427fdcce08ebcf6b6fc04bf8d8e573f64f Mon Sep 17 00:00:00 2001
From: Aaron Myers <atm@apache.org>
Date: Fri, 15 Aug 2014 02:33:24 +0000
Subject: [PATCH 232/354] HDFS-6850. Move NFS out of order write unit tests
 into TestWrites class. Contributed by Zhe Zhang.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618091 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop/hdfs/nfs/nfs3/TestWrites.java      | 77 +++++++++++++++++++
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 2 files changed, 80 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestWrites.java b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestWrites.java
index 32f9b2bcddf..363bc1205e4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestWrites.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestWrites.java
@@ -30,6 +30,7 @@
 import org.apache.hadoop.hdfs.DFSClient;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.hdfs.client.HdfsDataOutputStream;
+import org.apache.hadoop.hdfs.nfs.conf.NfsConfigKeys;
 import org.apache.hadoop.hdfs.nfs.conf.NfsConfiguration;
 import org.apache.hadoop.hdfs.nfs.nfs3.OpenFileCtx.COMMIT_STATUS;
 import org.apache.hadoop.hdfs.nfs.nfs3.OpenFileCtx.CommitCtx;
@@ -407,4 +408,80 @@ public void testWriteStableHow() throws IOException, InterruptedException {
       }
     }
   }
+
+  @Test
+  public void testOOOWrites() throws IOException, InterruptedException {
+    NfsConfiguration config = new NfsConfiguration();
+    MiniDFSCluster cluster = null;
+    RpcProgramNfs3 nfsd;
+    final int bufSize = 32;
+    final int numOOO = 3;
+    SecurityHandler securityHandler = Mockito.mock(SecurityHandler.class);
+    Mockito.when(securityHandler.getUser()).thenReturn(
+        System.getProperty("user.name"));
+    String currentUser = System.getProperty("user.name");
+    config.set(
+        DefaultImpersonationProvider.getTestProvider().
+            getProxySuperuserGroupConfKey(currentUser),
+        "*");
+    config.set(
+        DefaultImpersonationProvider.getTestProvider().
+            getProxySuperuserIpConfKey(currentUser),
+        "*");
+    ProxyUsers.refreshSuperUserGroupsConfiguration(config);
+    // Use emphral port in case tests are running in parallel
+    config.setInt("nfs3.mountd.port", 0);
+    config.setInt("nfs3.server.port", 0);
+
+    try {
+      cluster = new MiniDFSCluster.Builder(config).numDataNodes(1).build();
+      cluster.waitActive();
+
+      Nfs3 nfs3 = new Nfs3(config);
+      nfs3.startServiceInternal(false);
+      nfsd = (RpcProgramNfs3) nfs3.getRpcProgram();
+
+      DFSClient dfsClient = new DFSClient(NameNode.getAddress(config), config);
+      HdfsFileStatus status = dfsClient.getFileInfo("/");
+      FileHandle rootHandle = new FileHandle(status.getFileId());
+
+      CREATE3Request createReq = new CREATE3Request(rootHandle,
+          "out-of-order-write" + System.currentTimeMillis(),
+          Nfs3Constant.CREATE_UNCHECKED, new SetAttr3(), 0);
+      XDR createXdr = new XDR();
+      createReq.serialize(createXdr);
+      CREATE3Response createRsp = nfsd.create(createXdr.asReadOnlyWrap(),
+          securityHandler, new InetSocketAddress("localhost", 1234));
+      FileHandle handle = createRsp.getObjHandle();
+
+      byte[][] oooBuf = new byte[numOOO][bufSize];
+      for (int i = 0; i < numOOO; i++) {
+        Arrays.fill(oooBuf[i], (byte) i);
+      }
+
+      for (int i = 0; i < numOOO; i++) {
+        final long offset = (numOOO - 1 - i) * bufSize;
+        WRITE3Request writeReq = new WRITE3Request(handle, offset, bufSize,
+            WriteStableHow.UNSTABLE, ByteBuffer.wrap(oooBuf[i]));
+        XDR writeXdr = new XDR();
+        writeReq.serialize(writeXdr);
+        nfsd.write(writeXdr.asReadOnlyWrap(), null, 1, securityHandler,
+            new InetSocketAddress("localhost", 1234));
+      }
+
+      waitWrite(nfsd, handle, 60000);
+      READ3Request readReq = new READ3Request(handle, bufSize, bufSize);
+      XDR readXdr = new XDR();
+      readReq.serialize(readXdr);
+      READ3Response readRsp = nfsd.read(readXdr.asReadOnlyWrap(),
+          securityHandler, new InetSocketAddress("localhost", config.getInt(
+              NfsConfigKeys.DFS_NFS_SERVER_PORT_KEY,
+              NfsConfigKeys.DFS_NFS_SERVER_PORT_DEFAULT)));
+      assertTrue(Arrays.equals(oooBuf[1], readRsp.getData().array()));
+    } finally {
+      if (cluster != null) {
+        cluster.shutdown();
+      }
+    }
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 393938ce4ef..b47018a61b3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -402,6 +402,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6849. Replace HttpFS custom proxyuser handling with common 
     implementation. (tucu)
 
+    HDFS-6850. Move NFS out of order write unit tests into TestWrites class.
+    (Zhe Zhang via atm)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)

From e86c9ef6517313aaa0e4575261a462f2f55d43dc Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Fri, 15 Aug 2014 05:03:58 +0000
Subject: [PATCH 233/354] HADOOP-10770. KMS add delegation token support.
 (tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618096 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   2 +
 .../KeyProviderDelegationTokenExtension.java  |   8 +-
 .../crypto/key/kms/KMSClientProvider.java     |  54 +++-
 .../DelegationTokenAuthenticationHandler.java |   2 +-
 .../hadoop/crypto/key/kms/server/KMS.java     | 272 ++++++++++++------
 .../hadoop/crypto/key/kms/server/KMSACLs.java |   3 +-
 .../crypto/key/kms/server/KMSAudit.java       |  18 +-
 .../kms/server/KMSAuthenticationFilter.java   |  21 +-
 .../key/kms/server/KMSExceptionsProvider.java |   8 +-
 .../crypto/key/kms/server/KMSMDCFilter.java   |  17 +-
 .../hadoop-kms/src/site/apt/index.apt.vm      |  40 +++
 .../hadoop/crypto/key/kms/server/TestKMS.java |  98 ++++++-
 .../crypto/key/kms/server/TestKMSACLs.java    |  10 +-
 .../crypto/key/kms/server/TestKMSAudit.java   |  10 +-
 14 files changed, 418 insertions(+), 145 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 38a21a4a847..0a17758483c 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -208,6 +208,8 @@ Trunk (Unreleased)
     HADOOP-10231. Add some components in Native Libraries document (Akira 
       AJISAKA via aw)
 
+    HADOOP-10770. KMS add delegation token support. (tucu)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderDelegationTokenExtension.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderDelegationTokenExtension.java
index ccf382241ff..2f237c63968 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderDelegationTokenExtension.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderDelegationTokenExtension.java
@@ -20,6 +20,8 @@
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.token.Token;
 
+import java.io.IOException;
+
 /**
  * A KeyProvider extension with the ability to add a renewer's Delegation 
  * Tokens to the provided Credentials.
@@ -45,9 +47,10 @@ public interface DelegationTokenExtension extends
      * @param renewer the user allowed to renew the delegation tokens
      * @param credentials cache in which to add new delegation tokens
      * @return list of new delegation tokens
+     * @throws IOException thrown if IOException if an IO error occurs.
      */
     public Token<?>[] addDelegationTokens(final String renewer, 
-        Credentials credentials);
+        Credentials credentials) throws IOException;
   }
   
   /**
@@ -76,9 +79,10 @@ private KeyProviderDelegationTokenExtension(KeyProvider keyProvider,
    * @param renewer the user allowed to renew the delegation tokens
    * @param credentials cache in which to add new delegation tokens
    * @return list of new delegation tokens
+   * @throws IOException thrown if IOException if an IO error occurs.
    */
   public Token<?>[] addDelegationTokens(final String renewer, 
-      Credentials credentials) {
+      Credentials credentials) throws IOException {
     return getExtension().addDelegationTokens(renewer, credentials);
   }
   
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index cf5b11315fa..35439f26f6a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -22,15 +22,17 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
+import org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension;
 import org.apache.hadoop.crypto.key.KeyProviderFactory;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.ProviderUtils;
-import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
-import org.apache.hadoop.security.authentication.client.PseudoAuthenticator;
 import org.apache.hadoop.security.ssl.SSLFactory;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL;
 import org.apache.http.client.utils.URIBuilder;
 import org.codehaus.jackson.map.ObjectMapper;
 
@@ -69,7 +71,10 @@
  * KMS client <code>KeyProvider</code> implementation.
  */
 @InterfaceAudience.Private
-public class KMSClientProvider extends KeyProvider implements CryptoExtension {
+public class KMSClientProvider extends KeyProvider implements CryptoExtension,
+    KeyProviderDelegationTokenExtension.DelegationTokenExtension {
+
+  public static final String TOKEN_KIND = "kms-dt";
 
   public static final String SCHEME_NAME = "kms";
 
@@ -229,6 +234,7 @@ public static String checkNotEmpty(String s, String name)
   private String kmsUrl;
   private SSLFactory sslFactory;
   private ConnectionConfigurator configurator;
+  private DelegationTokenAuthenticatedURL.Token authToken;
 
   @Override
   public String toString() {
@@ -309,6 +315,7 @@ public KMSClientProvider(URI uri, Configuration conf) throws IOException {
                 CommonConfigurationKeysPublic.
                     KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
             new EncryptedQueueRefiller());
+    authToken = new DelegationTokenAuthenticatedURL.Token();
   }
 
   private String createServiceURL(URL url) throws IOException {
@@ -325,12 +332,14 @@ private URL createURL(String collection, String resource, String subResource,
     try {
       StringBuilder sb = new StringBuilder();
       sb.append(kmsUrl);
-      sb.append(collection);
-      if (resource != null) {
-        sb.append("/").append(URLEncoder.encode(resource, UTF8));
-      }
-      if (subResource != null) {
-        sb.append("/").append(subResource);
+      if (collection != null) {
+        sb.append(collection);
+        if (resource != null) {
+          sb.append("/").append(URLEncoder.encode(resource, UTF8));
+          if (subResource != null) {
+            sb.append("/").append(subResource);
+          }
+        }
       }
       URIBuilder uriBuilder = new URIBuilder(sb.toString());
       if (parameters != null) {
@@ -369,9 +378,9 @@ private HttpURLConnection createConnection(URL url, String method)
       throws IOException {
     HttpURLConnection conn;
     try {
-      AuthenticatedURL authUrl = new AuthenticatedURL(new PseudoAuthenticator(),
-          configurator);
-      conn = authUrl.openConnection(url, new AuthenticatedURL.Token());
+      DelegationTokenAuthenticatedURL authUrl =
+          new DelegationTokenAuthenticatedURL(configurator);
+      conn = authUrl.openConnection(url, authToken);
     } catch (AuthenticationException ex) {
       throw new IOException(ex);
     }
@@ -729,4 +738,25 @@ public void warmUpEncryptedKeys(String... keyNames)
     }
   }
 
+  @Override
+  public Token<?>[] addDelegationTokens(String renewer,
+      Credentials credentials) throws IOException {
+    Token<?>[] tokens;
+    URL url = createURL(null, null, null, null);
+    DelegationTokenAuthenticatedURL authUrl =
+        new DelegationTokenAuthenticatedURL(configurator);
+    try {
+      Token<?> token = authUrl.getDelegationToken(url, authToken, renewer);
+      if (token != null) {
+        credentials.addToken(token.getService(), token);
+        tokens = new Token<?>[] { token };
+      } else {
+        throw new IOException("Got NULL as delegation token");
+      }
+    } catch (AuthenticationException ex) {
+      throw new IOException(ex);
+    }
+    return tokens;
+  }
+
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
index 3b6c289df5f..670ec551a09 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
@@ -75,7 +75,7 @@ public abstract class DelegationTokenAuthenticationHandler
 
   public static final String PREFIX = "delegation-token.";
 
-  public static final String TOKEN_KIND = PREFIX + "token-kind.sec";
+  public static final String TOKEN_KIND = PREFIX + "token-kind";
 
   public static final String UPDATE_INTERVAL = PREFIX + "update-interval.sec";
   public static final long UPDATE_INTERVAL_DEFAULT = 24 * 60 * 60;
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
index 08cb91f6504..faec70a7554 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
@@ -25,9 +25,10 @@
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
 import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
 import org.apache.hadoop.security.AccessControlException;
-import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AuthorizationException;
 import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
+import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
@@ -38,15 +39,13 @@
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.SecurityContext;
 
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.security.Principal;
+import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
@@ -74,15 +73,6 @@ public KMS() throws Exception {
     kmsAudit= KMSWebApp.getKMSAudit();
   }
 
-  private static Principal getPrincipal(SecurityContext securityContext)
-      throws AuthenticationException{
-    Principal user = securityContext.getUserPrincipal();
-    if (user == null) {
-      throw new AuthenticationException("User must be authenticated");
-    }
-    return user;
-  }
-
 
   private static final String UNAUTHORIZED_MSG_WITH_KEY = 
       "User:%s not allowed to do '%s' on '%s'";
@@ -90,20 +80,21 @@ private static Principal getPrincipal(SecurityContext securityContext)
   private static final String UNAUTHORIZED_MSG_WITHOUT_KEY = 
       "User:%s not allowed to do '%s'";
 
-  private void assertAccess(KMSACLs.Type aclType, Principal principal,
+  private void assertAccess(KMSACLs.Type aclType, UserGroupInformation ugi,
       KMSOp operation) throws AccessControlException {
-    assertAccess(aclType, principal, operation, null);
+    assertAccess(aclType, ugi, operation, null);
   }
 
-  private void assertAccess(KMSACLs.Type aclType, Principal principal,
-      KMSOp operation, String key) throws AccessControlException {
-    if (!KMSWebApp.getACLs().hasAccess(aclType, principal.getName())) {
+  private void assertAccess(KMSACLs.Type aclType,
+      UserGroupInformation ugi, KMSOp operation, String key)
+      throws AccessControlException {
+    if (!KMSWebApp.getACLs().hasAccess(aclType, ugi)) {
       KMSWebApp.getUnauthorizedCallsMeter().mark();
-      kmsAudit.unauthorized(principal, operation, key);
+      kmsAudit.unauthorized(ugi, operation, key);
       throw new AuthorizationException(String.format(
           (key != null) ? UNAUTHORIZED_MSG_WITH_KEY 
                         : UNAUTHORIZED_MSG_WITHOUT_KEY,
-          principal.getName(), operation, key));
+          ugi.getShortUserName(), operation, key));
     }
   }
 
@@ -123,15 +114,14 @@ private static URI getKeyURI(String name) throws URISyntaxException {
   @Consumes(MediaType.APPLICATION_JSON)
   @Produces(MediaType.APPLICATION_JSON)
   @SuppressWarnings("unchecked")
-  public Response createKey(@Context SecurityContext securityContext,
-      Map jsonKey) throws Exception {
+  public Response createKey(Map jsonKey) throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
-    Principal user = getPrincipal(securityContext);
-    String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
+    UserGroupInformation user = HttpUserGroupInformation.get();
+    final String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
     KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
     assertAccess(KMSACLs.Type.CREATE, user, KMSOp.CREATE_KEY, name);
     String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD);
-    String material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
+    final String material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
     int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD))
                  ? (Integer) jsonKey.get(KMSRESTConstants.LENGTH_FIELD) : 0;
     String description = (String)
@@ -142,7 +132,7 @@ public Response createKey(@Context SecurityContext securityContext,
       assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
           KMSOp.CREATE_KEY, name);
     }
-    KeyProvider.Options options = new KeyProvider.Options(
+    final KeyProvider.Options options = new KeyProvider.Options(
         KMSWebApp.getConfiguration());
     if (cipher != null) {
       options.setCipher(cipher);
@@ -153,16 +143,23 @@ public Response createKey(@Context SecurityContext securityContext,
     options.setDescription(description);
     options.setAttributes(attributes);
 
-    KeyProvider.KeyVersion keyVersion = (material != null)
-        ? provider.createKey(name, Base64.decodeBase64(material), options)
-        : provider.createKey(name, options);
-
-    provider.flush();
+    KeyProvider.KeyVersion keyVersion = user.doAs(
+        new PrivilegedExceptionAction<KeyVersion>() {
+          @Override
+          public KeyVersion run() throws Exception {
+            KeyProvider.KeyVersion keyVersion = (material != null)
+              ? provider.createKey(name, Base64.decodeBase64(material), options)
+              : provider.createKey(name, options);
+            provider.flush();
+            return keyVersion;
+          }
+        }
+    );
 
     kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" +
         (material != null) + " Description:" + description);
 
-    if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user.getName())) {
+    if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user)) {
       keyVersion = removeKeyMaterial(keyVersion);
     }
     Map json = KMSServerJSONUtils.toJSON(keyVersion);
@@ -176,14 +173,21 @@ public Response createKey(@Context SecurityContext securityContext,
 
   @DELETE
   @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
-  public Response deleteKey(@Context SecurityContext securityContext,
-      @PathParam("name") String name) throws Exception {
+  public Response deleteKey(@PathParam("name") final String name)
+      throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
-    Principal user = getPrincipal(securityContext);
+    UserGroupInformation user = HttpUserGroupInformation.get();
     assertAccess(KMSACLs.Type.DELETE, user, KMSOp.DELETE_KEY, name);
     KMSClientProvider.checkNotEmpty(name, "name");
-    provider.deleteKey(name);
-    provider.flush();
+
+    user.doAs(new PrivilegedExceptionAction<Void>() {
+      @Override
+      public Void run() throws Exception {
+        provider.deleteKey(name);
+        provider.flush();
+        return null;
+      }
+    });
 
     kmsAudit.ok(user, KMSOp.DELETE_KEY, name, "");
 
@@ -194,29 +198,36 @@ public Response deleteKey(@Context SecurityContext securityContext,
   @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
   @Consumes(MediaType.APPLICATION_JSON)
   @Produces(MediaType.APPLICATION_JSON)
-  public Response rolloverKey(@Context SecurityContext securityContext,
-      @PathParam("name") String name, Map jsonMaterial)
-      throws Exception {
+  public Response rolloverKey(@PathParam("name") final String name,
+      Map jsonMaterial) throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
-    Principal user = getPrincipal(securityContext);
+    UserGroupInformation user = HttpUserGroupInformation.get();
     assertAccess(KMSACLs.Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name);
     KMSClientProvider.checkNotEmpty(name, "name");
-    String material = (String)
+    final String material = (String)
         jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD);
     if (material != null) {
       assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
           KMSOp.ROLL_NEW_VERSION, name);
     }
-    KeyProvider.KeyVersion keyVersion = (material != null)
-        ? provider.rollNewVersion(name, Base64.decodeBase64(material))
-        : provider.rollNewVersion(name);
 
-    provider.flush();
+    KeyProvider.KeyVersion keyVersion = user.doAs(
+        new PrivilegedExceptionAction<KeyVersion>() {
+          @Override
+          public KeyVersion run() throws Exception {
+            KeyVersion keyVersion = (material != null)
+              ? provider.rollNewVersion(name, Base64.decodeBase64(material))
+              : provider.rollNewVersion(name);
+            provider.flush();
+            return keyVersion;
+          }
+        }
+    );
 
     kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
         (material != null) + " NewVersion:" + keyVersion.getVersionName());
 
-    if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user.getName())) {
+    if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user)) {
       keyVersion = removeKeyMaterial(keyVersion);
     }
     Map json = KMSServerJSONUtils.toJSON(keyVersion);
@@ -226,14 +237,23 @@ public Response rolloverKey(@Context SecurityContext securityContext,
   @GET
   @Path(KMSRESTConstants.KEYS_METADATA_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getKeysMetadata(@Context SecurityContext securityContext,
-      @QueryParam(KMSRESTConstants.KEY) List<String> keyNamesList)
-      throws Exception {
+  public Response getKeysMetadata(@QueryParam(KMSRESTConstants.KEY)
+      List<String> keyNamesList) throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
-    Principal user = getPrincipal(securityContext);
-    String[] keyNames = keyNamesList.toArray(new String[keyNamesList.size()]);
+    UserGroupInformation user = HttpUserGroupInformation.get();
+    final String[] keyNames = keyNamesList.toArray(
+        new String[keyNamesList.size()]);
     assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA);
-    KeyProvider.Metadata[] keysMeta = provider.getKeysMetadata(keyNames);
+
+    KeyProvider.Metadata[] keysMeta = user.doAs(
+        new PrivilegedExceptionAction<KeyProvider.Metadata[]>() {
+          @Override
+          public KeyProvider.Metadata[] run() throws Exception {
+            return provider.getKeysMetadata(keyNames);
+          }
+        }
+    );
+
     Object json = KMSServerJSONUtils.toJSON(keyNames, keysMeta);
     kmsAudit.ok(user, KMSOp.GET_KEYS_METADATA, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
@@ -242,36 +262,52 @@ public Response getKeysMetadata(@Context SecurityContext securityContext,
   @GET
   @Path(KMSRESTConstants.KEYS_NAMES_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getKeyNames(@Context SecurityContext securityContext)
-      throws Exception {
+  public Response getKeyNames() throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
-    Principal user = getPrincipal(securityContext);
+    UserGroupInformation user = HttpUserGroupInformation.get();
     assertAccess(KMSACLs.Type.GET_KEYS, user, KMSOp.GET_KEYS);
-    Object json = provider.getKeys();
+
+    List<String> json = user.doAs(
+        new PrivilegedExceptionAction<List<String>>() {
+          @Override
+          public List<String> run() throws Exception {
+            return provider.getKeys();
+          }
+        }
+    );
+
     kmsAudit.ok(user, KMSOp.GET_KEYS, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
 
   @GET
   @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
-  public Response getKey(@Context SecurityContext securityContext,
-      @PathParam("name") String name)
+  public Response getKey(@PathParam("name") String name)
       throws Exception {
-    return getMetadata(securityContext, name);
+    return getMetadata(name);
   }
 
   @GET
   @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
       KMSRESTConstants.METADATA_SUB_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getMetadata(@Context SecurityContext securityContext,
-      @PathParam("name") String name)
+  public Response getMetadata(@PathParam("name") final String name)
       throws Exception {
-    Principal user = getPrincipal(securityContext);
+    UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(name, "name");
     KMSWebApp.getAdminCallsMeter().mark();
     assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_METADATA, name);
-    Object json = KMSServerJSONUtils.toJSON(name, provider.getMetadata(name));
+
+    KeyProvider.Metadata metadata = user.doAs(
+        new PrivilegedExceptionAction<KeyProvider.Metadata>() {
+          @Override
+          public KeyProvider.Metadata run() throws Exception {
+            return provider.getMetadata(name);
+          }
+        }
+    );
+
+    Object json = KMSServerJSONUtils.toJSON(name, metadata);
     kmsAudit.ok(user, KMSOp.GET_METADATA, name, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
@@ -280,14 +316,23 @@ public Response getMetadata(@Context SecurityContext securityContext,
   @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
       KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getCurrentVersion(@Context SecurityContext securityContext,
-      @PathParam("name") String name)
+  public Response getCurrentVersion(@PathParam("name") final String name)
       throws Exception {
-    Principal user = getPrincipal(securityContext);
+    UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(name, "name");
     KMSWebApp.getKeyCallsMeter().mark();
     assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_CURRENT_KEY, name);
-    Object json = KMSServerJSONUtils.toJSON(provider.getCurrentKey(name));
+
+    KeyVersion keyVersion = user.doAs(
+        new PrivilegedExceptionAction<KeyVersion>() {
+          @Override
+          public KeyVersion run() throws Exception {
+            return provider.getCurrentKey(name);
+          }
+        }
+    );
+
+    Object json = KMSServerJSONUtils.toJSON(keyVersion);
     kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
@@ -295,14 +340,22 @@ public Response getCurrentVersion(@Context SecurityContext securityContext,
   @GET
   @Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}")
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getKeyVersion(@Context SecurityContext securityContext,
-      @PathParam("versionName") String versionName)
-      throws Exception {
-    Principal user = getPrincipal(securityContext);
+  public Response getKeyVersion(
+      @PathParam("versionName") final String versionName) throws Exception {
+    UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(versionName, "versionName");
     KMSWebApp.getKeyCallsMeter().mark();
-    KeyVersion keyVersion = provider.getKeyVersion(versionName);
     assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSION);
+
+    KeyVersion keyVersion = user.doAs(
+        new PrivilegedExceptionAction<KeyVersion>() {
+          @Override
+          public KeyVersion run() throws Exception {
+            return provider.getKeyVersion(versionName);
+          }
+        }
+    );
+
     if (keyVersion != null) {
       kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
     }
@@ -316,13 +369,12 @@ public Response getKeyVersion(@Context SecurityContext securityContext,
       KMSRESTConstants.EEK_SUB_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
   public Response generateEncryptedKeys(
-          @Context SecurityContext securityContext,
-          @PathParam("name") String name,
+          @PathParam("name") final String name,
           @QueryParam(KMSRESTConstants.EEK_OP) String edekOp,
           @DefaultValue("1")
-          @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) int numKeys)
+          @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys)
           throws Exception {
-    Principal user = getPrincipal(securityContext);
+    UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(name, "name");
     KMSClientProvider.checkNotNull(edekOp, "eekOp");
 
@@ -330,12 +382,22 @@ public Response generateEncryptedKeys(
     if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) {
       assertAccess(KMSACLs.Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name);
 
-      List<EncryptedKeyVersion> retEdeks =
+      final List<EncryptedKeyVersion> retEdeks =
           new LinkedList<EncryptedKeyVersion>();
       try {
-        for (int i = 0; i < numKeys; i ++) {
-          retEdeks.add(provider.generateEncryptedKey(name));
-        }
+
+        user.doAs(
+            new PrivilegedExceptionAction<Void>() {
+              @Override
+              public Void run() throws Exception {
+                for (int i = 0; i < numKeys; i++) {
+                  retEdeks.add(provider.generateEncryptedKey(name));
+                }
+                return null;
+              }
+            }
+        );
+
       } catch (Exception e) {
         throw new IOException(e);
       }
@@ -359,16 +421,17 @@ public Response generateEncryptedKeys(
   @Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}/" +
       KMSRESTConstants.EEK_SUB_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
-  public Response decryptEncryptedKey(@Context SecurityContext securityContext,
-      @PathParam("versionName") String versionName,
+  public Response decryptEncryptedKey(
+      @PathParam("versionName") final String versionName,
       @QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
       Map jsonPayload)
       throws Exception {
-    Principal user = getPrincipal(securityContext);
+    UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(versionName, "versionName");
     KMSClientProvider.checkNotNull(eekOp, "eekOp");
 
-    String keyName = (String) jsonPayload.get(KMSRESTConstants.NAME_FIELD);
+    final String keyName = (String) jsonPayload.get(
+        KMSRESTConstants.NAME_FIELD);
     String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD);
     String encMaterialStr = 
         (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
@@ -376,14 +439,24 @@ public Response decryptEncryptedKey(@Context SecurityContext securityContext,
     if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
       assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
       KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
-      byte[] iv = Base64.decodeBase64(ivStr);
+      final byte[] iv = Base64.decodeBase64(ivStr);
       KMSClientProvider.checkNotNull(encMaterialStr,
           KMSRESTConstants.MATERIAL_FIELD);
-      byte[] encMaterial = Base64.decodeBase64(encMaterialStr);
-      KeyProvider.KeyVersion retKeyVersion =
-          provider.decryptEncryptedKey(
-              new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName,
-                  iv, KeyProviderCryptoExtension.EEK, encMaterial));
+      final byte[] encMaterial = Base64.decodeBase64(encMaterialStr);
+
+      KeyProvider.KeyVersion retKeyVersion = user.doAs(
+          new PrivilegedExceptionAction<KeyVersion>() {
+            @Override
+            public KeyVersion run() throws Exception {
+              return provider.decryptEncryptedKey(
+                  new KMSClientProvider.KMSEncryptedKeyVersion(keyName,
+                      versionName, iv, KeyProviderCryptoExtension.EEK,
+                      encMaterial)
+              );
+            }
+          }
+      );
+
       retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
       kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
     } else {
@@ -400,14 +473,23 @@ public Response decryptEncryptedKey(@Context SecurityContext securityContext,
   @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
       KMSRESTConstants.VERSIONS_SUB_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getKeyVersions(@Context SecurityContext securityContext,
-      @PathParam("name") String name)
+  public Response getKeyVersions(@PathParam("name") final String name)
       throws Exception {
-    Principal user = getPrincipal(securityContext);
+    UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(name, "name");
     KMSWebApp.getKeyCallsMeter().mark();
     assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSIONS, name);
-    Object json = KMSServerJSONUtils.toJSON(provider.getKeyVersions(name));
+
+    List<KeyVersion> ret = user.doAs(
+        new PrivilegedExceptionAction<List<KeyVersion>>() {
+          @Override
+          public List<KeyVersion> run() throws Exception {
+            return provider.getKeyVersions(name);
+          }
+        }
+    );
+
+    Object json = KMSServerJSONUtils.toJSON(ret);
     kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, "");
     return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
   }
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
index 58e91475f73..a6c5bf4c2a5 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
@@ -113,8 +113,7 @@ private Configuration loadACLs() {
     return conf;
   }
 
-  public boolean hasAccess(Type type, String user) {
-    UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user);
+  public boolean hasAccess(Type type, UserGroupInformation ugi) {
     return acls.get(type).isUserAllowed(ugi);
   }
 
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
index 30d340d785a..dc55a8459cf 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.crypto.key.kms.server;
 
+import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -29,7 +30,6 @@
 import com.google.common.collect.Sets;
 import com.google.common.util.concurrent.ThreadFactoryBuilder;
 
-import java.security.Principal;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
@@ -186,22 +186,22 @@ public AuditEvent call() throws Exception {
     }
   }
 
-  public void ok(Principal user, KMS.KMSOp op, String key,
+  public void ok(UserGroupInformation user, KMS.KMSOp op, String key,
       String extraMsg) {
-    op(OpStatus.OK, op, user.getName(), key, extraMsg);
+    op(OpStatus.OK, op, user.getShortUserName(), key, extraMsg);
   }
 
-  public void ok(Principal user, KMS.KMSOp op, String extraMsg) {
-    op(OpStatus.OK, op, user.getName(), null, extraMsg);
+  public void ok(UserGroupInformation user, KMS.KMSOp op, String extraMsg) {
+    op(OpStatus.OK, op, user.getShortUserName(), null, extraMsg);
   }
 
-  public void unauthorized(Principal user, KMS.KMSOp op, String key) {
-    op(OpStatus.UNAUTHORIZED, op, user.getName(), key, "");
+  public void unauthorized(UserGroupInformation user, KMS.KMSOp op, String key) {
+    op(OpStatus.UNAUTHORIZED, op, user.getShortUserName(), key, "");
   }
 
-  public void error(Principal user, String method, String url,
+  public void error(UserGroupInformation user, String method, String url,
       String extraMsg) {
-    op(OpStatus.ERROR, null, user.getName(), null, "Method:'" + method
+    op(OpStatus.ERROR, null, user.getShortUserName(), null, "Method:'" + method
         + "' Exception:'" + extraMsg + "'");
   }
 
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
index db60b097ee7..76c22c4646d 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
@@ -19,7 +19,13 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
+import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticationHandler;
+import org.apache.hadoop.security.token.delegation.web.PseudoDelegationTokenAuthenticationHandler;
 
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -38,7 +44,8 @@
  * file.
  */
 @InterfaceAudience.Private
-public class KMSAuthenticationFilter extends AuthenticationFilter {
+public class KMSAuthenticationFilter
+    extends DelegationTokenAuthenticationFilter {
   private static final String CONF_PREFIX = KMSConfiguration.CONFIG_PREFIX +
       "authentication.";
 
@@ -55,6 +62,16 @@ protected Properties getConfiguration(String configPrefix,
         props.setProperty(name, value);
       }
     }
+    String authType = props.getProperty(AUTH_TYPE);
+    if (authType.equals(PseudoAuthenticationHandler.TYPE)) {
+      props.setProperty(AUTH_TYPE,
+          PseudoDelegationTokenAuthenticationHandler.class.getName());
+    } else if (authType.equals(KerberosAuthenticationHandler.TYPE)) {
+      props.setProperty(AUTH_TYPE,
+          KerberosDelegationTokenAuthenticationHandler.class.getName());
+    }
+    props.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND,
+        KMSClientProvider.TOKEN_KIND);
     return props;
   }
 
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java
index bf24ed8a108..059d7f063c1 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java
@@ -23,6 +23,7 @@
 
 import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
 import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authorize.AuthorizationException;
 import org.slf4j.Logger;
@@ -34,7 +35,6 @@
 import javax.ws.rs.ext.Provider;
 
 import java.io.IOException;
-import java.security.Principal;
 import java.util.LinkedHashMap;
 import java.util.Map;
 
@@ -102,7 +102,7 @@ public Response toResponse(Exception exception) {
       status = Response.Status.INTERNAL_SERVER_ERROR;
     }
     if (doAudit) {
-      KMSWebApp.getKMSAudit().error(KMSMDCFilter.getPrincipal(),
+      KMSWebApp.getKMSAudit().error(KMSMDCFilter.getUgi(),
           KMSMDCFilter.getMethod(),
           KMSMDCFilter.getURL(), getOneLineMessage(exception));
     }
@@ -110,11 +110,11 @@ public Response toResponse(Exception exception) {
   }
 
   protected void log(Response.Status status, Throwable ex) {
-    Principal principal = KMSMDCFilter.getPrincipal();
+    UserGroupInformation ugi = KMSMDCFilter.getUgi();
     String method = KMSMDCFilter.getMethod();
     String url = KMSMDCFilter.getURL();
     String msg = getOneLineMessage(ex);
-    LOG.warn("User:{} Method:{} URL:{} Response:{}-{}", principal, method, url,
+    LOG.warn("User:'{}' Method:{} URL:{} Response:{}-{}", ugi, method, url,
         status, msg, ex);
   }
 
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java
index 8d24c7ce476..2a3c14971b2 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java
@@ -18,6 +18,8 @@
 package org.apache.hadoop.crypto.key.kms.server;
 
 import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -27,7 +29,6 @@
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
-import java.security.Principal;
 
 /**
  * Servlet filter that captures context of the HTTP request to be use in the
@@ -37,12 +38,12 @@
 public class KMSMDCFilter implements Filter {
 
   private static class Data {
-    private Principal principal;
+    private UserGroupInformation ugi;
     private String method;
     private StringBuffer url;
 
-    private Data(Principal principal, String method, StringBuffer url) {
-      this.principal = principal;
+    private Data(UserGroupInformation ugi, String method, StringBuffer url) {
+      this.ugi = ugi;
       this.method = method;
       this.url = url;
     }
@@ -50,8 +51,8 @@ private Data(Principal principal, String method, StringBuffer url) {
 
   private static ThreadLocal<Data> DATA_TL = new ThreadLocal<Data>();
 
-  public static Principal getPrincipal() {
-    return DATA_TL.get().principal;
+  public static UserGroupInformation getUgi() {
+    return DATA_TL.get().ugi;
   }
 
   public static String getMethod() {
@@ -72,14 +73,14 @@ public void doFilter(ServletRequest request, ServletResponse response,
       throws IOException, ServletException {
     try {
       DATA_TL.remove();
-      Principal principal = ((HttpServletRequest) request).getUserPrincipal();
+      UserGroupInformation ugi = HttpUserGroupInformation.get();
       String method = ((HttpServletRequest) request).getMethod();
       StringBuffer requestURL = ((HttpServletRequest) request).getRequestURL();
       String queryString = ((HttpServletRequest) request).getQueryString();
       if (queryString != null) {
         requestURL.append("?").append(queryString);
       }
-      DATA_TL.set(new Data(principal, method, requestURL));
+      DATA_TL.set(new Data(ugi, method, requestURL));
       chain.doFilter(request, response);
     } finally {
       DATA_TL.remove();
diff --git a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
index ebfe8e2c170..0a1cba52e13 100644
--- a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
@@ -319,6 +319,46 @@ $ keytool -genkey -alias tomcat -keyalg RSA
 </configuration>
 +---+
 
+** KMS Delegation Token Configuration
+
+  KMS delegation token secret manager can be configured with the following
+  properties:
+
+  +---+
+    <property>
+      <name>hadoop.kms.authentication.delegation-token.update-interval.sec</name>
+      <value>86400</value>
+      <description>
+        How often the master key is rotated, in seconds. Default value 1 day.
+      </description>
+    </property>
+
+    <property>
+      <name>hadoop.kms.authentication.delegation-token.max-lifetime.sec</name>
+      <value>604800</value>
+      <description>
+        Maximum lifetime of a delagation token, in seconds. Default value 7 days.
+      </description>
+    </property>
+
+    <property>
+      <name>hadoop.kms.authentication.delegation-token.renew-interval.sec</name>
+      <value>86400</value>
+      <description>
+        Renewal interval of a delagation token, in seconds. Default value 1 day.
+      </description>
+    </property>
+
+    <property>
+      <name>hadoop.kms.authentication.delegation-token.removal-scan-interval.sec</name>
+      <value>3600</value>
+      <description>
+        Scan interval to remove expired delegation tokens.
+      </description>
+    </property>
+  +---+
+
+
 ** KMS HTTP REST API
 
 *** Create a Key
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
index 021f3cb0533..971c6179b2c 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
@@ -22,8 +22,13 @@
 import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
+import org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension;
 import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
+import org.apache.hadoop.io.Text;
 import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.Credentials;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AuthorizationException;
 import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
 import org.junit.AfterClass;
@@ -45,6 +50,7 @@
 import java.io.IOException;
 import java.io.Writer;
 import java.net.InetAddress;
+import java.net.InetSocketAddress;
 import java.net.MalformedURLException;
 import java.net.ServerSocket;
 import java.net.SocketTimeoutException;
@@ -565,6 +571,17 @@ public Void call() throws Exception {
         Assert.assertEquals("d", meta.getDescription());
         Assert.assertEquals(attributes, meta.getAttributes());
 
+        KeyProviderDelegationTokenExtension kpdte =
+            KeyProviderDelegationTokenExtension.
+                createKeyProviderDelegationTokenExtension(kp);
+        Credentials credentials = new Credentials();
+        kpdte.addDelegationTokens("foo", credentials);
+        Assert.assertEquals(1, credentials.getAllTokens().size());
+        InetSocketAddress kmsAddr = new InetSocketAddress(getKMSUrl().getHost(),
+            getKMSUrl().getPort());
+
+        Assert.assertEquals(new Text("kms-dt"), credentials.getToken(
+            SecurityUtil.buildTokenService(kmsAddr)).getKind());
         return null;
       }
     });
@@ -596,13 +613,13 @@ public void testACLs() throws Exception {
       public Void call() throws Exception {
         final Configuration conf = new Configuration();
         conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
-        URI uri = createKMSUri(getKMSUrl());
-        final KeyProvider kp = new KMSClientProvider(uri, conf);
+        final URI uri = createKMSUri(getKMSUrl());
 
         //nothing allowed
         doAs("client", new PrivilegedExceptionAction<Void>() {
           @Override
           public Void run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
             try {
               kp.createKey("k", new KeyProvider.Options(conf));
               Assert.fail();
@@ -693,6 +710,7 @@ public Void run() throws Exception {
         doAs("CREATE", new PrivilegedExceptionAction<Void>() {
           @Override
           public Void run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
             try {
               KeyProvider.KeyVersion kv = kp.createKey("k0",
                   new KeyProvider.Options(conf));
@@ -707,6 +725,7 @@ public Void run() throws Exception {
         doAs("DELETE", new PrivilegedExceptionAction<Void>() {
           @Override
           public Void run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
             try {
               kp.deleteKey("k0");
             } catch (Exception ex) {
@@ -719,6 +738,7 @@ public Void run() throws Exception {
         doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() {
           @Override
           public Void run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
             try {
               KeyProvider.KeyVersion kv = kp.createKey("k1", new byte[16],
                   new KeyProvider.Options(conf));
@@ -733,6 +753,7 @@ public Void run() throws Exception {
         doAs("ROLLOVER", new PrivilegedExceptionAction<Void>() {
           @Override
           public Void run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
             try {
               KeyProvider.KeyVersion kv = kp.rollNewVersion("k1");
               Assert.assertNull(kv.getMaterial());
@@ -746,6 +767,7 @@ public Void run() throws Exception {
         doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() {
           @Override
           public Void run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
             try {
               KeyProvider.KeyVersion kv =
                   kp.rollNewVersion("k1", new byte[16]);
@@ -761,6 +783,7 @@ public Void run() throws Exception {
             doAs("GET", new PrivilegedExceptionAction<KeyVersion>() {
           @Override
           public KeyVersion run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
             try {
               kp.getKeyVersion("k1@0");
               KeyVersion kv = kp.getCurrentKey("k1");
@@ -777,6 +800,7 @@ public KeyVersion run() throws Exception {
                 new PrivilegedExceptionAction<EncryptedKeyVersion>() {
           @Override
           public EncryptedKeyVersion run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
             try {
               KeyProviderCryptoExtension kpCE = KeyProviderCryptoExtension.
                       createKeyProviderCryptoExtension(kp);
@@ -793,6 +817,7 @@ public EncryptedKeyVersion run() throws Exception {
         doAs("DECRYPT_EEK", new PrivilegedExceptionAction<Void>() {
           @Override
           public Void run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
             try {
               KeyProviderCryptoExtension kpCE = KeyProviderCryptoExtension.
                       createKeyProviderCryptoExtension(kp);
@@ -807,6 +832,7 @@ public Void run() throws Exception {
         doAs("GET_KEYS", new PrivilegedExceptionAction<Void>() {
           @Override
           public Void run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
             try {
               kp.getKeys();
             } catch (Exception ex) {
@@ -819,6 +845,7 @@ public Void run() throws Exception {
         doAs("GET_METADATA", new PrivilegedExceptionAction<Void>() {
           @Override
           public Void run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
             try {
               kp.getMetadata("k1");
               kp.getKeysMetadata("k1");
@@ -836,6 +863,7 @@ public Void run() throws Exception {
         Thread.sleep(10); // to ensure the ACLs file modifiedTime is newer
         conf.set(KMSACLs.Type.CREATE.getConfigKey(), "foo");
         writeConf(testDir, conf);
+        Thread.sleep(1000);
 
         KMSWebApp.getACLs().run(); // forcing a reload by hand.
 
@@ -844,6 +872,7 @@ public Void run() throws Exception {
           @Override
           public Void run() throws Exception {
             try {
+              KeyProvider kp = new KMSClientProvider(uri, conf);
               KeyProvider.KeyVersion kv = kp.createKey("k2",
                   new KeyProvider.Options(conf));
               Assert.fail();
@@ -982,4 +1011,69 @@ public void testKMSTimeout() throws Exception {
 
     sock.close();
   }
+
+  @Test
+  public void testDelegationTokenAccess() throws Exception {
+    final File testDir = getTestDir();
+    Configuration conf = createBaseKMSConf(testDir);
+    conf.set("hadoop.kms.authentication.type", "kerberos");
+    conf.set("hadoop.kms.authentication.kerberos.keytab",
+        keytab.getAbsolutePath());
+    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
+    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
+
+    writeConf(testDir, conf);
+
+    runServer(null, null, testDir, new KMSCallable() {
+      @Override
+      public Void call() throws Exception {
+        final Configuration conf = new Configuration();
+        conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
+        final URI uri = createKMSUri(getKMSUrl());
+        final Credentials credentials = new Credentials();
+        final UserGroupInformation nonKerberosUgi =
+            UserGroupInformation.getCurrentUser();
+
+        try {
+          KeyProvider kp = new KMSClientProvider(uri, conf);
+          kp.createKey("kA", new KeyProvider.Options(conf));
+        } catch (IOException ex) {
+          System.out.println(ex.getMessage());
+        }
+
+        doAs("client", new PrivilegedExceptionAction<Void>() {
+          @Override
+          public Void run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
+            KeyProviderDelegationTokenExtension kpdte =
+                KeyProviderDelegationTokenExtension.
+                    createKeyProviderDelegationTokenExtension(kp);
+            kpdte.addDelegationTokens("foo", credentials);
+            return null;
+          }
+        });
+
+        nonKerberosUgi.addCredentials(credentials);
+
+        try {
+          KeyProvider kp = new KMSClientProvider(uri, conf);
+          kp.createKey("kA", new KeyProvider.Options(conf));
+        } catch (IOException ex) {
+          System.out.println(ex.getMessage());
+        }
+
+        nonKerberosUgi.doAs(new PrivilegedExceptionAction<Void>() {
+          @Override
+          public Void run() throws Exception {
+            KeyProvider kp = new KMSClientProvider(uri, conf);
+            kp.createKey("kD", new KeyProvider.Options(conf));
+            return null;
+          }
+        });
+
+        return null;
+      }
+    });
+  }
+
 }
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
index e65a1027ea7..7c0ad3bc9d1 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
@@ -18,6 +18,7 @@
 package org.apache.hadoop.crypto.key.kms.server;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.junit.Assert;
 import org.junit.Test;
 
@@ -27,7 +28,8 @@ public class TestKMSACLs {
   public void testDefaults() {
     KMSACLs acls = new KMSACLs(new Configuration(false));
     for (KMSACLs.Type type : KMSACLs.Type.values()) {
-      Assert.assertTrue(acls.hasAccess(type, "foo"));
+      Assert.assertTrue(acls.hasAccess(type,
+          UserGroupInformation.createRemoteUser("foo")));
     }
   }
 
@@ -39,8 +41,10 @@ public void testCustom() {
     }
     KMSACLs acls = new KMSACLs(conf);
     for (KMSACLs.Type type : KMSACLs.Type.values()) {
-      Assert.assertTrue(acls.hasAccess(type, type.toString()));
-      Assert.assertFalse(acls.hasAccess(type, "foo"));
+      Assert.assertTrue(acls.hasAccess(type,
+          UserGroupInformation.createRemoteUser(type.toString())));
+      Assert.assertFalse(acls.hasAccess(type,
+          UserGroupInformation.createRemoteUser("foo")));
     }
   }
 
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
index 857884d4e14..f4962693c16 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
@@ -21,9 +21,9 @@
 import java.io.FilterOutputStream;
 import java.io.OutputStream;
 import java.io.PrintStream;
-import java.security.Principal;
 
 import org.apache.hadoop.crypto.key.kms.server.KMS.KMSOp;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.log4j.LogManager;
 import org.apache.log4j.PropertyConfigurator;
 import org.junit.After;
@@ -81,8 +81,8 @@ private String getAndResetLogOutput() {
 
   @Test
   public void testAggregation() throws Exception {
-    Principal luser = Mockito.mock(Principal.class);
-    Mockito.when(luser.getName()).thenReturn("luser");
+    UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
+    Mockito.when(luser.getShortUserName()).thenReturn("luser");
     kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
     kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
     kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
@@ -109,8 +109,8 @@ public void testAggregation() throws Exception {
 
   @Test
   public void testAggregationUnauth() throws Exception {
-    Principal luser = Mockito.mock(Principal.class);
-    Mockito.when(luser.getName()).thenReturn("luser");
+    UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
+    Mockito.when(luser.getShortUserName()).thenReturn("luser");
     kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k2");
     Thread.sleep(1000);
     kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");

From be117cbcdf9e7c72bb24aaf3556cf1212963ed4b Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Fri, 15 Aug 2014 05:45:14 +0000
Subject: [PATCH 234/354] HADOOP-10967. Improve
 DefaultCryptoExtension#generateEncryptedKey performance. (hitliuyi via tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618101 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt     |  3 +++
 .../crypto/key/KeyProviderCryptoExtension.java      | 13 ++++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 0a17758483c..46784c17128 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -438,6 +438,9 @@ Trunk (Unreleased)
     HADOOP-10121. Fix javadoc spelling for HadoopArchives#writeTopLevelDirs
       (Akira AJISAKA via aw)
 
+    HADOOP-10967. Improve DefaultCryptoExtension#generateEncryptedKey 
+    performance. (hitliuyi via tucu)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
index e2b25ae8ed6..026f285f4c4 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
@@ -219,6 +219,13 @@ public KeyVersion decryptEncryptedKey(
   private static class DefaultCryptoExtension implements CryptoExtension {
 
     private final KeyProvider keyProvider;
+    private static final ThreadLocal<SecureRandom> RANDOM = 
+        new ThreadLocal<SecureRandom>() {
+      @Override
+      protected SecureRandom initialValue() {
+        return new SecureRandom();
+      }
+    };
 
     private DefaultCryptoExtension(KeyProvider keyProvider) {
       this.keyProvider = keyProvider;
@@ -233,10 +240,10 @@ public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
           "No KeyVersion exists for key '%s' ", encryptionKeyName);
       // Generate random bytes for new key and IV
       Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
-      SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
       final byte[] newKey = new byte[encryptionKey.getMaterial().length];
-      random.nextBytes(newKey);
-      final byte[] iv = random.generateSeed(cipher.getBlockSize());
+      RANDOM.get().nextBytes(newKey);
+      final byte[] iv = new byte[cipher.getBlockSize()];
+      RANDOM.get().nextBytes(iv);
       // Encryption key IV is derived from new key's IV
       final byte[] encryptionIV = EncryptedKeyVersion.deriveIV(iv);
       // Encrypt the new key

From cfeaf4cd093a83db5c84ce04a4438a2a60663df9 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 15 Aug 2014 05:50:00 +0000
Subject: [PATCH 235/354] HADOOP-10964. Small fix for
 NetworkTopologyWithNodeGroup#sortByDistance. Contributed by Yi Liu.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618103 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt                | 3 +++
 .../org/apache/hadoop/net/NetworkTopologyWithNodeGroup.java    | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 46784c17128..8cd6a359f2f 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -594,6 +594,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10843. TestGridmixRecord unit tests failure on PowerPC (Jinghui Wang
     via Colin Patrick McCabe)
 
+    HADOOP-10964. Small fix for NetworkTopologyWithNodeGroup#sortByDistance.
+    (Yi Liu via wang)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/net/NetworkTopologyWithNodeGroup.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/net/NetworkTopologyWithNodeGroup.java
index 86d290abd60..cc598c0986f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/net/NetworkTopologyWithNodeGroup.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/net/NetworkTopologyWithNodeGroup.java
@@ -293,7 +293,7 @@ public void sortByDistance(Node reader, Node[] nodes, int activeLen,
         return;
       }
     }
-    super.sortByDistance(reader, nodes, nodes.length, seed,
+    super.sortByDistance(reader, nodes, activeLen, seed,
         randomizeBlockLocationsPerBlock);
   }
 

From 16b7bd4e6cb988762e5afe3b23fc98a8ddd807e1 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 15 Aug 2014 05:53:03 +0000
Subject: [PATCH 236/354] Move HADOOP-10121 to correct section of CHANGES.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618105 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 8cd6a359f2f..aec02b4f61d 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -435,9 +435,6 @@ Trunk (Unreleased)
     HADOOP-10862. Miscellaneous trivial corrections to KMS classes. 
     (asuresh via tucu)
 
-    HADOOP-10121. Fix javadoc spelling for HadoopArchives#writeTopLevelDirs
-      (Akira AJISAKA via aw)
-
     HADOOP-10967. Improve DefaultCryptoExtension#generateEncryptedKey 
     performance. (hitliuyi via tucu)
 
@@ -594,6 +591,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10843. TestGridmixRecord unit tests failure on PowerPC (Jinghui Wang
     via Colin Patrick McCabe)
 
+    HADOOP-10121. Fix javadoc spelling for HadoopArchives#writeTopLevelDirs
+    (Akira AJISAKA via aw)
+
     HADOOP-10964. Small fix for NetworkTopologyWithNodeGroup#sortByDistance.
     (Yi Liu via wang)
 

From 7360cec692be5dcc3377ae5082fe22870caac96b Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Fri, 15 Aug 2014 06:00:31 +0000
Subject: [PATCH 237/354] YARN-2378. Added support for moving applications
 across queues in CapacityScheduler. Contributed by Subramaniam Venkatraman
 Krishnan

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618106 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../resourcemanager/rmapp/RMAppImpl.java      |  19 +-
 .../scheduler/AbstractYarnScheduler.java      |  31 +
 .../scheduler/AppSchedulingInfo.java          |   3 +-
 .../scheduler/YarnScheduler.java              |  10 +
 .../scheduler/capacity/CSQueue.java           |  18 +
 .../scheduler/capacity/CapacityScheduler.java |  58 ++
 .../scheduler/capacity/LeafQueue.java         |  41 +-
 .../scheduler/capacity/ParentQueue.java       |  33 +
 .../capacity/TestCapacityScheduler.java       | 784 ++++++++++++++++++
 10 files changed, 989 insertions(+), 11 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index b879600537b..d0d32958f1e 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -50,6 +50,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2277. Added cross-origin support for the timeline server web services.
     (Jonathan Eagles via zjshen)
 
+    YARN-2378. Added support for moving applications across queues in
+    CapacityScheduler. (Subramaniam Venkatraman Krishnan via jianhe)
+
   IMPROVEMENTS
 
     YARN-2242. Improve exception information on AM launch crashes. (Li Lu 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java
index 45c89592af8..48cf4602991 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java
@@ -166,6 +166,8 @@ RMAppEventType.APP_NEW_SAVED, new AddApplicationToSchedulerTransition())
         RMAppEventType.APP_REJECTED,
           new FinalSavingTransition(new AppRejectedTransition(),
             RMAppState.FAILED))
+    .addTransition(RMAppState.NEW_SAVING, RMAppState.NEW_SAVING,
+        RMAppEventType.MOVE, new RMAppMoveTransition())
 
      // Transitions from SUBMITTED state
     .addTransition(RMAppState.SUBMITTED, RMAppState.SUBMITTED,
@@ -243,7 +245,7 @@ RMAppEventType.KILL, new KillAttemptTransition())
     // ignorable transitions
     .addTransition(RMAppState.FINAL_SAVING, RMAppState.FINAL_SAVING,
         EnumSet.of(RMAppEventType.NODE_UPDATE, RMAppEventType.KILL,
-          RMAppEventType.APP_NEW_SAVED))
+          RMAppEventType.APP_NEW_SAVED, RMAppEventType.MOVE))
 
      // Transitions from FINISHING state
     .addTransition(RMAppState.FINISHING, RMAppState.FINISHED,
@@ -254,9 +256,9 @@ RMAppEventType.KILL, new KillAttemptTransition())
     // ignorable transitions
     .addTransition(RMAppState.FINISHING, RMAppState.FINISHING,
       EnumSet.of(RMAppEventType.NODE_UPDATE,
-        // ignore Kill as we have already saved the final Finished state in
-        // state store.
-        RMAppEventType.KILL))
+        // ignore Kill/Move as we have already saved the final Finished state
+        // in state store.
+        RMAppEventType.KILL, RMAppEventType.MOVE))
 
      // Transitions from KILLING state
     .addTransition(RMAppState.KILLING, RMAppState.KILLING, 
@@ -274,7 +276,7 @@ RMAppEventType.KILL, new KillAttemptTransition())
             RMAppEventType.ATTEMPT_FINISHED,
             RMAppEventType.ATTEMPT_FAILED,
             RMAppEventType.APP_UPDATE_SAVED,
-            RMAppEventType.KILL))
+            RMAppEventType.KILL, RMAppEventType.MOVE))
 
      // Transitions from FINISHED state
      // ignorable transitions
@@ -286,7 +288,7 @@ RMAppEventType.KILL, new KillAttemptTransition())
             RMAppEventType.NODE_UPDATE,
             RMAppEventType.ATTEMPT_UNREGISTERED,
             RMAppEventType.ATTEMPT_FINISHED,
-            RMAppEventType.KILL))
+            RMAppEventType.KILL, RMAppEventType.MOVE))
 
      // Transitions from FAILED state
      // ignorable transitions
@@ -294,7 +296,8 @@ RMAppEventType.KILL, new KillAttemptTransition())
         RMAppEventType.APP_RUNNING_ON_NODE,
         new AppRunningOnNodeTransition())
     .addTransition(RMAppState.FAILED, RMAppState.FAILED,
-        EnumSet.of(RMAppEventType.KILL, RMAppEventType.NODE_UPDATE))
+        EnumSet.of(RMAppEventType.KILL, RMAppEventType.NODE_UPDATE,
+            RMAppEventType.MOVE))
 
      // Transitions from KILLED state
      // ignorable transitions
@@ -307,7 +310,7 @@ RMAppEventType.KILL, new KillAttemptTransition())
         EnumSet.of(RMAppEventType.APP_ACCEPTED,
             RMAppEventType.APP_REJECTED, RMAppEventType.KILL,
             RMAppEventType.ATTEMPT_FINISHED, RMAppEventType.ATTEMPT_FAILED,
-            RMAppEventType.NODE_UPDATE))
+            RMAppEventType.NODE_UPDATE, RMAppEventType.MOVE))
 
      .installTopology();
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
index 5764c8c7a65..e5f22b8fc41 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
@@ -18,6 +18,7 @@
 
 package org.apache.hadoop.yarn.server.resourcemanager.scheduler;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -40,6 +41,7 @@
 import org.apache.hadoop.yarn.server.api.protocolrecords.NMContainerStatus;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppMoveEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerImpl;
@@ -48,6 +50,8 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeCleanContainerEvent;
 import org.apache.hadoop.yarn.util.resource.Resources;
 
+import com.google.common.util.concurrent.SettableFuture;
+
 @SuppressWarnings("unchecked")
 public abstract class AbstractYarnScheduler
     <T extends SchedulerApplicationAttempt, N extends SchedulerNode>
@@ -317,4 +321,31 @@ protected void recoverResourceRequestForContainer(RMContainer rmContainer) {
   public SchedulerNode getSchedulerNode(NodeId nodeId) {
     return nodes.get(nodeId);
   }
+
+  @Override
+  public synchronized void moveAllApps(String sourceQueue, String destQueue)
+      throws YarnException {
+    // check if destination queue is a valid leaf queue
+    try {
+      getQueueInfo(destQueue, false, false);
+    } catch (IOException e) {
+      LOG.warn(e);
+      throw new YarnException(e);
+    }
+    // check if source queue is a valid
+    List<ApplicationAttemptId> apps = getAppsInQueue(sourceQueue);
+    if (apps == null) {
+      String errMsg = "The specified Queue: " + sourceQueue + " doesn't exist";
+      LOG.warn(errMsg);
+      throw new YarnException(errMsg);
+    }
+    // generate move events for each pending/running app
+    for (ApplicationAttemptId app : apps) {
+      SettableFuture<Object> future = SettableFuture.create();
+      this.rmContext
+          .getDispatcher()
+          .getEventHandler()
+          .handle(new RMAppMoveEvent(app.getApplicationId(), destQueue, future));
+    }
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AppSchedulingInfo.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AppSchedulingInfo.java
index 3c6f210b4b6..e871f429e16 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AppSchedulingInfo.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AppSchedulingInfo.java
@@ -54,7 +54,7 @@ public class AppSchedulingInfo {
   private static final Log LOG = LogFactory.getLog(AppSchedulingInfo.class);
   private final ApplicationAttemptId applicationAttemptId;
   final ApplicationId applicationId;
-  private final String queueName;
+  private String queueName;
   Queue queue;
   final String user;
   // TODO making containerIdCounter long
@@ -410,6 +410,7 @@ synchronized public void move(Queue newQueue) {
     activeUsersManager = newQueue.getActiveUsersManager();
     activeUsersManager.activateApplication(user, applicationId);
     this.queue = newQueue;
+    this.queueName = newQueue.getQueueName();
   }
 
   synchronized public void stop(RMAppAttemptState rmAppAttemptFinalState) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
index 21eba396985..79dc773b410 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
@@ -202,4 +202,14 @@ boolean checkAccess(UserGroupInformation callerUGI,
   @Evolving
   public String moveApplication(ApplicationId appId, String newQueue)
       throws YarnException;
+
+  /**
+   * Completely drain sourceQueue of applications, by moving all of them to
+   * destQueue.
+   *
+   * @param sourceQueue
+   * @param destQueue
+   * @throws YarnException
+   */
+  void moveAllApps(String sourceQueue, String destQueue) throws YarnException;
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java
index ccb71e21236..04c2fd51bf8 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java
@@ -238,4 +238,22 @@ public void reinitialize(CSQueue newlyParsedQueue, Resource clusterResource)
    * @param apps the collection to add the applications to
    */
   public void collectSchedulerApplications(Collection<ApplicationAttemptId> apps);
+
+  /**
+  * Detach a container from this queue
+  * @param clusterResource the current cluster resource
+  * @param application application to which the container was assigned
+  * @param container the container to detach
+  */
+  public void detachContainer(Resource clusterResource,
+               FiCaSchedulerApp application, RMContainer container);
+
+  /**
+   * Attach a container to this queue
+   * @param clusterResource the current cluster resource
+   * @param application application to which the container was assigned
+   * @param container the container to attach
+   */
+  public void attachContainer(Resource clusterResource,
+               FiCaSchedulerApp application, RMContainer container);
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
index 65ff81c0216..1b31a1a6bbb 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
@@ -53,6 +53,7 @@
 import org.apache.hadoop.yarn.api.records.QueueUserACLInfo;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.exceptions.YarnException;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger;
 import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
@@ -547,6 +548,8 @@ private synchronized void addApplication(ApplicationId applicationId,
           .handle(new RMAppRejectedEvent(applicationId, ace.toString()));
       return;
     }
+    // update the metrics
+    queue.getMetrics().submitApp(user);
     SchedulerApplication<FiCaSchedulerApp> application =
         new SchedulerApplication<FiCaSchedulerApp>(queue, user);
     applications.put(applicationId, application);
@@ -1131,4 +1134,59 @@ private CapacitySchedulerConfiguration loadCapacitySchedulerConfiguration(
       throw new IOException(e);
     }
   }
+
+  @Override
+  public synchronized String moveApplication(ApplicationId appId,
+      String targetQueueName) throws YarnException {
+    FiCaSchedulerApp app =
+        getApplicationAttempt(ApplicationAttemptId.newInstance(appId, 0));
+    String sourceQueueName = app.getQueue().getQueueName();
+    LeafQueue source = getAndCheckLeafQueue(sourceQueueName);
+    LeafQueue dest = getAndCheckLeafQueue(targetQueueName);
+    // Validation check - ACLs, submission limits for user & queue
+    String user = app.getUser();
+    try {
+      dest.submitApplication(appId, user, targetQueueName);
+    } catch (AccessControlException e) {
+      throw new YarnException(e);
+    }
+    // Move all live containers
+    for (RMContainer rmContainer : app.getLiveContainers()) {
+      source.detachContainer(clusterResource, app, rmContainer);
+      // attach the Container to another queue
+      dest.attachContainer(clusterResource, app, rmContainer);
+    }
+    // Detach the application..
+    source.finishApplicationAttempt(app, sourceQueueName);
+    source.getParent().finishApplication(appId, app.getUser());
+    // Finish app & update metrics
+    app.move(dest);
+    // Submit to a new queue
+    dest.submitApplicationAttempt(app, user);
+    applications.get(appId).setQueue(dest);
+    LOG.info("App: " + app.getApplicationId() + " successfully moved from "
+        + sourceQueueName + " to: " + targetQueueName);
+    return targetQueueName;
+  }
+
+  /**
+   * Check that the String provided in input is the name of an existing,
+   * LeafQueue, if successful returns the queue.
+   *
+   * @param queue
+   * @return the LeafQueue
+   * @throws YarnException
+   */
+  private LeafQueue getAndCheckLeafQueue(String queue) throws YarnException {
+    CSQueue ret = this.getQueue(queue);
+    if (ret == null) {
+      throw new YarnException("The specified Queue: " + queue
+          + " doesn't exist");
+    }
+    if (!(ret instanceof LeafQueue)) {
+      throw new YarnException("The specified Queue: " + queue
+          + " is not a Leaf Queue. Move is supported only for Leaf Queues.");
+    }
+    return (LeafQueue) ret;
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
index 4fd8b490577..5c93c5fc026 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
@@ -643,7 +643,10 @@ public void submitApplicationAttempt(FiCaSchedulerApp application,
       addApplicationAttempt(application, user);
     }
 
-    metrics.submitAppAttempt(userName);
+    // We don't want to update metrics for move app
+    if (application.isPending()) {
+      metrics.submitAppAttempt(userName);
+    }
     getParent().submitApplicationAttempt(application, userName);
   }
 
@@ -701,7 +704,6 @@ public void submitApplication(ApplicationId applicationId, String userName,
       throw ace;
     }
 
-    metrics.submitApp(userName);
   }
 
   private synchronized void activateApplications() {
@@ -1620,8 +1622,43 @@ public Resource getTotalResourcePending() {
   @Override
   public void collectSchedulerApplications(
       Collection<ApplicationAttemptId> apps) {
+    for (FiCaSchedulerApp pendingApp : pendingApplications) {
+      apps.add(pendingApp.getApplicationAttemptId());
+    }
     for (FiCaSchedulerApp app : activeApplications) {
       apps.add(app.getApplicationAttemptId());
     }
   }
+
+  @Override
+  public void attachContainer(Resource clusterResource,
+      FiCaSchedulerApp application, RMContainer rmContainer) {
+    if (application != null) {
+      allocateResource(clusterResource, application, rmContainer.getContainer()
+          .getResource());
+      LOG.info("movedContainer" + " container=" + rmContainer.getContainer()
+          + " resource=" + rmContainer.getContainer().getResource()
+          + " queueMoveIn=" + this + " usedCapacity=" + getUsedCapacity()
+          + " absoluteUsedCapacity=" + getAbsoluteUsedCapacity() + " used="
+          + usedResources + " cluster=" + clusterResource);
+      // Inform the parent queue
+      getParent().attachContainer(clusterResource, application, rmContainer);
+    }
+  }
+
+  @Override
+  public void detachContainer(Resource clusterResource,
+      FiCaSchedulerApp application, RMContainer rmContainer) {
+    if (application != null) {
+      releaseResource(clusterResource, application, rmContainer.getContainer()
+          .getResource());
+      LOG.info("movedContainer" + " container=" + rmContainer.getContainer()
+          + " resource=" + rmContainer.getContainer().getResource()
+          + " queueMoveOut=" + this + " usedCapacity=" + getUsedCapacity()
+          + " absoluteUsedCapacity=" + getAbsoluteUsedCapacity() + " used="
+          + usedResources + " cluster=" + clusterResource);
+      // Inform the parent queue
+      getParent().detachContainer(clusterResource, application, rmContainer);
+    }
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java
index d83eed34cb3..8c654b7ded1 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java
@@ -791,4 +791,37 @@ public void collectSchedulerApplications(
       queue.collectSchedulerApplications(apps);
     }
   }
+
+  @Override
+  public void attachContainer(Resource clusterResource,
+      FiCaSchedulerApp application, RMContainer rmContainer) {
+    if (application != null) {
+      allocateResource(clusterResource, rmContainer.getContainer()
+          .getResource());
+      LOG.info("movedContainer" + " queueMoveIn=" + getQueueName()
+          + " usedCapacity=" + getUsedCapacity() + " absoluteUsedCapacity="
+          + getAbsoluteUsedCapacity() + " used=" + usedResources + " cluster="
+          + clusterResource);
+      // Inform the parent
+      if (parent != null) {
+        parent.attachContainer(clusterResource, application, rmContainer);
+      }
+    }
+  }
+
+  @Override
+  public void detachContainer(Resource clusterResource,
+      FiCaSchedulerApp application, RMContainer rmContainer) {
+    if (application != null) {
+      releaseResource(clusterResource, rmContainer.getContainer().getResource());
+      LOG.info("movedContainer" + " queueMoveOut=" + getQueueName()
+          + " usedCapacity=" + getUsedCapacity() + " absoluteUsedCapacity="
+          + getAbsoluteUsedCapacity() + " used=" + usedResources + " cluster="
+          + clusterResource);
+      // Inform the parent
+      if (parent != null) {
+        parent.detachContainer(clusterResource, application, rmContainer);
+      }
+    }
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java
index 0efd48fa28d..45c4950202d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java
@@ -55,6 +55,7 @@
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.api.records.Priority;
 import org.apache.hadoop.yarn.api.records.QueueInfo;
+import org.apache.hadoop.yarn.api.records.QueueState;
 import org.apache.hadoop.yarn.api.records.QueueUserACLInfo;
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
@@ -68,6 +69,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
 import org.apache.hadoop.yarn.server.resourcemanager.MockNodes;
 import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.NodeManager;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContextImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
@@ -100,6 +102,10 @@
 import org.apache.hadoop.yarn.server.resourcemanager.security.ClientToAMTokenSecretManagerInRM;
 import org.apache.hadoop.yarn.server.resourcemanager.security.NMTokenSecretManagerInRM;
 import org.apache.hadoop.yarn.server.resourcemanager.security.RMContainerTokenSecretManager;
+import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.CapacitySchedulerInfo;
+import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.CapacitySchedulerLeafQueueInfo;
+import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.CapacitySchedulerQueueInfo;
+import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.CapacitySchedulerQueueInfoList;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
 import org.apache.hadoop.yarn.util.resource.Resources;
 import org.junit.After;
@@ -1014,4 +1020,782 @@ public void testRecoverRequestAfterPreemption() throws Exception {
     // Now with updated ResourceRequest, a container is allocated for AM.
     Assert.assertTrue(containers.size() == 1);
   }
+
+  private MockRM setUpMove() {
+    CapacitySchedulerConfiguration conf = new CapacitySchedulerConfiguration();
+    setupQueueConfiguration(conf);
+    conf.setClass(YarnConfiguration.RM_SCHEDULER, CapacityScheduler.class,
+      ResourceScheduler.class);
+    MockRM rm = new MockRM(conf);
+    rm.start();
+    return rm;
+  }
+
+  @Test
+  public void testMoveAppBasic() throws Exception {
+    MockRM rm = setUpMove();
+    AbstractYarnScheduler scheduler =
+        (AbstractYarnScheduler) rm.getResourceScheduler();
+
+    // submit an app
+    RMApp app = rm.submitApp(GB, "test-move-1", "user_0", null, "a1");
+    ApplicationAttemptId appAttemptId =
+        rm.getApplicationReport(app.getApplicationId())
+            .getCurrentApplicationAttemptId();
+
+    // check preconditions
+    List<ApplicationAttemptId> appsInA1 = scheduler.getAppsInQueue("a1");
+    assertEquals(1, appsInA1.size());
+    String queue =
+        scheduler.getApplicationAttempt(appsInA1.get(0)).getQueue()
+            .getQueueName();
+    Assert.assertTrue(queue.equals("a1"));
+
+    List<ApplicationAttemptId> appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInA.size());
+
+    List<ApplicationAttemptId> appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    List<ApplicationAttemptId> appsInB1 = scheduler.getAppsInQueue("b1");
+    assertTrue(appsInB1.isEmpty());
+
+    List<ApplicationAttemptId> appsInB = scheduler.getAppsInQueue("b");
+    assertTrue(appsInB.isEmpty());
+
+    // now move the app
+    scheduler.moveApplication(app.getApplicationId(), "b1");
+
+    // check postconditions
+    appsInB1 = scheduler.getAppsInQueue("b1");
+    assertEquals(1, appsInB1.size());
+    queue =
+        scheduler.getApplicationAttempt(appsInB1.get(0)).getQueue()
+            .getQueueName();
+    System.out.println(queue);
+    Assert.assertTrue(queue.equals("b1"));
+
+    appsInB = scheduler.getAppsInQueue("b");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInB.size());
+
+    appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    appsInA1 = scheduler.getAppsInQueue("a1");
+    assertTrue(appsInA1.isEmpty());
+
+    appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.isEmpty());
+
+    rm.stop();
+  }
+
+  @Test
+  public void testMoveAppSameParent() throws Exception {
+    MockRM rm = setUpMove();
+    AbstractYarnScheduler scheduler =
+        (AbstractYarnScheduler) rm.getResourceScheduler();
+
+    // submit an app
+    RMApp app = rm.submitApp(GB, "test-move-1", "user_0", null, "a1");
+    ApplicationAttemptId appAttemptId =
+        rm.getApplicationReport(app.getApplicationId())
+            .getCurrentApplicationAttemptId();
+
+    // check preconditions
+    List<ApplicationAttemptId> appsInA1 = scheduler.getAppsInQueue("a1");
+    assertEquals(1, appsInA1.size());
+    String queue =
+        scheduler.getApplicationAttempt(appsInA1.get(0)).getQueue()
+            .getQueueName();
+    Assert.assertTrue(queue.equals("a1"));
+
+    List<ApplicationAttemptId> appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInA.size());
+
+    List<ApplicationAttemptId> appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    List<ApplicationAttemptId> appsInA2 = scheduler.getAppsInQueue("a2");
+    assertTrue(appsInA2.isEmpty());
+
+    // now move the app
+    scheduler.moveApplication(app.getApplicationId(), "a2");
+
+    // check postconditions
+    appsInA2 = scheduler.getAppsInQueue("a2");
+    assertEquals(1, appsInA2.size());
+    queue =
+        scheduler.getApplicationAttempt(appsInA2.get(0)).getQueue()
+            .getQueueName();
+    Assert.assertTrue(queue.equals("a2"));
+
+    appsInA1 = scheduler.getAppsInQueue("a1");
+    assertTrue(appsInA1.isEmpty());
+
+    appsInA = scheduler.getAppsInQueue("a");
+    assertEquals(1, appsInA.size());
+
+    appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    rm.stop();
+  }
+
+  @Test
+  public void testMoveAppForMoveToQueueWithFreeCap() throws Exception {
+
+    ResourceScheduler scheduler = resourceManager.getResourceScheduler();
+    // Register node1
+    String host_0 = "host_0";
+    NodeManager nm_0 =
+        registerNode(host_0, 1234, 2345, NetworkTopology.DEFAULT_RACK,
+            Resources.createResource(4 * GB, 1));
+
+    // Register node2
+    String host_1 = "host_1";
+    NodeManager nm_1 =
+        registerNode(host_1, 1234, 2345, NetworkTopology.DEFAULT_RACK,
+            Resources.createResource(2 * GB, 1));
+
+    // ResourceRequest priorities
+    Priority priority_0 =
+        org.apache.hadoop.yarn.server.resourcemanager.resource.Priority
+            .create(0);
+    Priority priority_1 =
+        org.apache.hadoop.yarn.server.resourcemanager.resource.Priority
+            .create(1);
+
+    // Submit application_0
+    Application application_0 =
+        new Application("user_0", "a1", resourceManager);
+    application_0.submit(); // app + app attempt event sent to scheduler
+
+    application_0.addNodeManager(host_0, 1234, nm_0);
+    application_0.addNodeManager(host_1, 1234, nm_1);
+
+    Resource capability_0_0 = Resources.createResource(1 * GB, 1);
+    application_0.addResourceRequestSpec(priority_1, capability_0_0);
+
+    Resource capability_0_1 = Resources.createResource(2 * GB, 1);
+    application_0.addResourceRequestSpec(priority_0, capability_0_1);
+
+    Task task_0_0 =
+        new Task(application_0, priority_1, new String[] { host_0, host_1 });
+    application_0.addTask(task_0_0);
+
+    // Submit application_1
+    Application application_1 =
+        new Application("user_1", "b2", resourceManager);
+    application_1.submit(); // app + app attempt event sent to scheduler
+
+    application_1.addNodeManager(host_0, 1234, nm_0);
+    application_1.addNodeManager(host_1, 1234, nm_1);
+
+    Resource capability_1_0 = Resources.createResource(1 * GB, 1);
+    application_1.addResourceRequestSpec(priority_1, capability_1_0);
+
+    Resource capability_1_1 = Resources.createResource(2 * GB, 1);
+    application_1.addResourceRequestSpec(priority_0, capability_1_1);
+
+    Task task_1_0 =
+        new Task(application_1, priority_1, new String[] { host_0, host_1 });
+    application_1.addTask(task_1_0);
+
+    // Send resource requests to the scheduler
+    application_0.schedule(); // allocate
+    application_1.schedule(); // allocate
+
+    // task_0_0 task_1_0 allocated, used=2G
+    nodeUpdate(nm_0);
+
+    // nothing allocated
+    nodeUpdate(nm_1);
+
+    // Get allocations from the scheduler
+    application_0.schedule(); // task_0_0
+    checkApplicationResourceUsage(1 * GB, application_0);
+
+    application_1.schedule(); // task_1_0
+    checkApplicationResourceUsage(1 * GB, application_1);
+
+    checkNodeResourceUsage(2 * GB, nm_0); // task_0_0 (1G) and task_1_0 (1G) 2G
+                                          // available
+    checkNodeResourceUsage(0 * GB, nm_1); // no tasks, 2G available
+
+    // move app from a1(30% cap of total 10.5% cap) to b1(79,2% cap of 89,5%
+    // total cap)
+    scheduler.moveApplication(application_0.getApplicationId(), "b1");
+
+    // 2GB 1C
+    Task task_1_1 =
+        new Task(application_1, priority_0,
+            new String[] { ResourceRequest.ANY });
+    application_1.addTask(task_1_1);
+
+    application_1.schedule();
+
+    // 2GB 1C
+    Task task_0_1 =
+        new Task(application_0, priority_0, new String[] { host_0, host_1 });
+    application_0.addTask(task_0_1);
+
+    application_0.schedule();
+
+    // prev 2G used free 2G
+    nodeUpdate(nm_0);
+
+    // prev 0G used free 2G
+    nodeUpdate(nm_1);
+
+    // Get allocations from the scheduler
+    application_1.schedule();
+    checkApplicationResourceUsage(3 * GB, application_1);
+
+    // Get allocations from the scheduler
+    application_0.schedule();
+    checkApplicationResourceUsage(3 * GB, application_0);
+
+    checkNodeResourceUsage(4 * GB, nm_0);
+    checkNodeResourceUsage(2 * GB, nm_1);
+
+  }
+
+  @Test
+  public void testMoveAppSuccess() throws Exception {
+
+    ResourceScheduler scheduler = resourceManager.getResourceScheduler();
+
+    // Register node1
+    String host_0 = "host_0";
+    NodeManager nm_0 =
+        registerNode(host_0, 1234, 2345, NetworkTopology.DEFAULT_RACK,
+            Resources.createResource(5 * GB, 1));
+
+    // Register node2
+    String host_1 = "host_1";
+    NodeManager nm_1 =
+        registerNode(host_1, 1234, 2345, NetworkTopology.DEFAULT_RACK,
+            Resources.createResource(5 * GB, 1));
+
+    // ResourceRequest priorities
+    Priority priority_0 =
+        org.apache.hadoop.yarn.server.resourcemanager.resource.Priority
+            .create(0);
+    Priority priority_1 =
+        org.apache.hadoop.yarn.server.resourcemanager.resource.Priority
+            .create(1);
+
+    // Submit application_0
+    Application application_0 =
+        new Application("user_0", "a1", resourceManager);
+    application_0.submit(); // app + app attempt event sent to scheduler
+
+    application_0.addNodeManager(host_0, 1234, nm_0);
+    application_0.addNodeManager(host_1, 1234, nm_1);
+
+    Resource capability_0_0 = Resources.createResource(3 * GB, 1);
+    application_0.addResourceRequestSpec(priority_1, capability_0_0);
+
+    Resource capability_0_1 = Resources.createResource(2 * GB, 1);
+    application_0.addResourceRequestSpec(priority_0, capability_0_1);
+
+    Task task_0_0 =
+        new Task(application_0, priority_1, new String[] { host_0, host_1 });
+    application_0.addTask(task_0_0);
+
+    // Submit application_1
+    Application application_1 =
+        new Application("user_1", "b2", resourceManager);
+    application_1.submit(); // app + app attempt event sent to scheduler
+
+    application_1.addNodeManager(host_0, 1234, nm_0);
+    application_1.addNodeManager(host_1, 1234, nm_1);
+
+    Resource capability_1_0 = Resources.createResource(1 * GB, 1);
+    application_1.addResourceRequestSpec(priority_1, capability_1_0);
+
+    Resource capability_1_1 = Resources.createResource(2 * GB, 1);
+    application_1.addResourceRequestSpec(priority_0, capability_1_1);
+
+    Task task_1_0 =
+        new Task(application_1, priority_1, new String[] { host_0, host_1 });
+    application_1.addTask(task_1_0);
+
+    // Send resource requests to the scheduler
+    application_0.schedule(); // allocate
+    application_1.schedule(); // allocate
+
+    // b2 can only run 1 app at a time
+    scheduler.moveApplication(application_0.getApplicationId(), "b2");
+
+    nodeUpdate(nm_0);
+
+    nodeUpdate(nm_1);
+
+    // Get allocations from the scheduler
+    application_0.schedule(); // task_0_0
+    checkApplicationResourceUsage(0 * GB, application_0);
+
+    application_1.schedule(); // task_1_0
+    checkApplicationResourceUsage(1 * GB, application_1);
+
+    // task_1_0 (1G) application_0 moved to b2 with max running app 1 so it is
+    // not scheduled
+    checkNodeResourceUsage(1 * GB, nm_0);
+    checkNodeResourceUsage(0 * GB, nm_1);
+
+    // lets move application_0 to a queue where it can run
+    scheduler.moveApplication(application_0.getApplicationId(), "a2");
+    application_0.schedule();
+
+    nodeUpdate(nm_1);
+
+    // Get allocations from the scheduler
+    application_0.schedule(); // task_0_0
+    checkApplicationResourceUsage(3 * GB, application_0);
+
+    checkNodeResourceUsage(1 * GB, nm_0);
+    checkNodeResourceUsage(3 * GB, nm_1);
+
+  }
+
+  @Test(expected = YarnException.class)
+  public void testMoveAppViolateQueueState() throws Exception {
+
+    resourceManager = new ResourceManager();
+    CapacitySchedulerConfiguration csConf =
+        new CapacitySchedulerConfiguration();
+    setupQueueConfiguration(csConf);
+    StringBuilder qState = new StringBuilder();
+    qState.append(CapacitySchedulerConfiguration.PREFIX).append(B)
+        .append(CapacitySchedulerConfiguration.DOT)
+        .append(CapacitySchedulerConfiguration.STATE);
+    csConf.set(qState.toString(), QueueState.STOPPED.name());
+    YarnConfiguration conf = new YarnConfiguration(csConf);
+    conf.setClass(YarnConfiguration.RM_SCHEDULER, CapacityScheduler.class,
+        ResourceScheduler.class);
+    resourceManager.init(conf);
+    resourceManager.getRMContext().getContainerTokenSecretManager()
+        .rollMasterKey();
+    resourceManager.getRMContext().getNMTokenSecretManager().rollMasterKey();
+    ((AsyncDispatcher) resourceManager.getRMContext().getDispatcher()).start();
+    mockContext = mock(RMContext.class);
+    when(mockContext.getConfigurationProvider()).thenReturn(
+        new LocalConfigurationProvider());
+
+    ResourceScheduler scheduler = resourceManager.getResourceScheduler();
+
+    // Register node1
+    String host_0 = "host_0";
+    NodeManager nm_0 =
+        registerNode(host_0, 1234, 2345, NetworkTopology.DEFAULT_RACK,
+            Resources.createResource(6 * GB, 1));
+
+    // ResourceRequest priorities
+    Priority priority_0 =
+        org.apache.hadoop.yarn.server.resourcemanager.resource.Priority
+            .create(0);
+    Priority priority_1 =
+        org.apache.hadoop.yarn.server.resourcemanager.resource.Priority
+            .create(1);
+
+    // Submit application_0
+    Application application_0 =
+        new Application("user_0", "a1", resourceManager);
+    application_0.submit(); // app + app attempt event sent to scheduler
+
+    application_0.addNodeManager(host_0, 1234, nm_0);
+
+    Resource capability_0_0 = Resources.createResource(3 * GB, 1);
+    application_0.addResourceRequestSpec(priority_1, capability_0_0);
+
+    Resource capability_0_1 = Resources.createResource(2 * GB, 1);
+    application_0.addResourceRequestSpec(priority_0, capability_0_1);
+
+    Task task_0_0 =
+        new Task(application_0, priority_1, new String[] { host_0 });
+    application_0.addTask(task_0_0);
+
+    // Send resource requests to the scheduler
+    application_0.schedule(); // allocate
+
+    // task_0_0 allocated
+    nodeUpdate(nm_0);
+
+    // Get allocations from the scheduler
+    application_0.schedule(); // task_0_0
+    checkApplicationResourceUsage(3 * GB, application_0);
+
+    checkNodeResourceUsage(3 * GB, nm_0);
+    // b2 queue contains 3GB consumption app,
+    // add another 3GB will hit max capacity limit on queue b
+    scheduler.moveApplication(application_0.getApplicationId(), "b1");
+
+  }
+
+  @Test
+  public void testMoveAppQueueMetricsCheck() throws Exception {
+    ResourceScheduler scheduler = resourceManager.getResourceScheduler();
+
+    // Register node1
+    String host_0 = "host_0";
+    NodeManager nm_0 =
+        registerNode(host_0, 1234, 2345, NetworkTopology.DEFAULT_RACK,
+            Resources.createResource(5 * GB, 1));
+
+    // Register node2
+    String host_1 = "host_1";
+    NodeManager nm_1 =
+        registerNode(host_1, 1234, 2345, NetworkTopology.DEFAULT_RACK,
+            Resources.createResource(5 * GB, 1));
+
+    // ResourceRequest priorities
+    Priority priority_0 =
+        org.apache.hadoop.yarn.server.resourcemanager.resource.Priority
+            .create(0);
+    Priority priority_1 =
+        org.apache.hadoop.yarn.server.resourcemanager.resource.Priority
+            .create(1);
+
+    // Submit application_0
+    Application application_0 =
+        new Application("user_0", "a1", resourceManager);
+    application_0.submit(); // app + app attempt event sent to scheduler
+
+    application_0.addNodeManager(host_0, 1234, nm_0);
+    application_0.addNodeManager(host_1, 1234, nm_1);
+
+    Resource capability_0_0 = Resources.createResource(3 * GB, 1);
+    application_0.addResourceRequestSpec(priority_1, capability_0_0);
+
+    Resource capability_0_1 = Resources.createResource(2 * GB, 1);
+    application_0.addResourceRequestSpec(priority_0, capability_0_1);
+
+    Task task_0_0 =
+        new Task(application_0, priority_1, new String[] { host_0, host_1 });
+    application_0.addTask(task_0_0);
+
+    // Submit application_1
+    Application application_1 =
+        new Application("user_1", "b2", resourceManager);
+    application_1.submit(); // app + app attempt event sent to scheduler
+
+    application_1.addNodeManager(host_0, 1234, nm_0);
+    application_1.addNodeManager(host_1, 1234, nm_1);
+
+    Resource capability_1_0 = Resources.createResource(1 * GB, 1);
+    application_1.addResourceRequestSpec(priority_1, capability_1_0);
+
+    Resource capability_1_1 = Resources.createResource(2 * GB, 1);
+    application_1.addResourceRequestSpec(priority_0, capability_1_1);
+
+    Task task_1_0 =
+        new Task(application_1, priority_1, new String[] { host_0, host_1 });
+    application_1.addTask(task_1_0);
+
+    // Send resource requests to the scheduler
+    application_0.schedule(); // allocate
+    application_1.schedule(); // allocate
+
+    nodeUpdate(nm_0);
+
+    nodeUpdate(nm_1);
+
+    CapacityScheduler cs =
+        (CapacityScheduler) resourceManager.getResourceScheduler();
+    CSQueue origRootQ = cs.getRootQueue();
+    CapacitySchedulerInfo oldInfo = new CapacitySchedulerInfo(origRootQ);
+    int origNumAppsA = getNumAppsInQueue("a", origRootQ.getChildQueues());
+    int origNumAppsRoot = origRootQ.getNumApplications();
+
+    scheduler.moveApplication(application_0.getApplicationId(), "a2");
+
+    CSQueue newRootQ = cs.getRootQueue();
+    int newNumAppsA = getNumAppsInQueue("a", newRootQ.getChildQueues());
+    int newNumAppsRoot = newRootQ.getNumApplications();
+    CapacitySchedulerInfo newInfo = new CapacitySchedulerInfo(newRootQ);
+    CapacitySchedulerLeafQueueInfo origOldA1 =
+        (CapacitySchedulerLeafQueueInfo) getQueueInfo("a1", oldInfo.getQueues());
+    CapacitySchedulerLeafQueueInfo origNewA1 =
+        (CapacitySchedulerLeafQueueInfo) getQueueInfo("a1", newInfo.getQueues());
+    CapacitySchedulerLeafQueueInfo targetOldA2 =
+        (CapacitySchedulerLeafQueueInfo) getQueueInfo("a2", oldInfo.getQueues());
+    CapacitySchedulerLeafQueueInfo targetNewA2 =
+        (CapacitySchedulerLeafQueueInfo) getQueueInfo("a2", newInfo.getQueues());
+    // originally submitted here
+    assertEquals(1, origOldA1.getNumApplications());
+    assertEquals(1, origNumAppsA);
+    assertEquals(2, origNumAppsRoot);
+    // after the move
+    assertEquals(0, origNewA1.getNumApplications());
+    assertEquals(1, newNumAppsA);
+    assertEquals(2, newNumAppsRoot);
+    // original consumption on a1
+    assertEquals(3 * GB, origOldA1.getResourcesUsed().getMemory());
+    assertEquals(1, origOldA1.getResourcesUsed().getvCores());
+    assertEquals(0, origNewA1.getResourcesUsed().getMemory()); // after the move
+    assertEquals(0, origNewA1.getResourcesUsed().getvCores()); // after the move
+    // app moved here with live containers
+    assertEquals(3 * GB, targetNewA2.getResourcesUsed().getMemory());
+    assertEquals(1, targetNewA2.getResourcesUsed().getvCores());
+    // it was empty before the move
+    assertEquals(0, targetOldA2.getNumApplications());
+    assertEquals(0, targetOldA2.getResourcesUsed().getMemory());
+    assertEquals(0, targetOldA2.getResourcesUsed().getvCores());
+    // after the app moved here
+    assertEquals(1, targetNewA2.getNumApplications());
+    // 1 container on original queue before move
+    assertEquals(1, origOldA1.getNumContainers());
+    // after the move the resource released
+    assertEquals(0, origNewA1.getNumContainers());
+    // and moved to the new queue
+    assertEquals(1, targetNewA2.getNumContainers());
+    // which originally didn't have any
+    assertEquals(0, targetOldA2.getNumContainers());
+    // 1 user with 3GB
+    assertEquals(3 * GB, origOldA1.getUsers().getUsersList().get(0)
+        .getResourcesUsed().getMemory());
+    // 1 user with 1 core
+    assertEquals(1, origOldA1.getUsers().getUsersList().get(0)
+        .getResourcesUsed().getvCores());
+    // user ha no more running app in the orig queue
+    assertEquals(0, origNewA1.getUsers().getUsersList().size());
+    // 1 user with 3GB
+    assertEquals(3 * GB, targetNewA2.getUsers().getUsersList().get(0)
+        .getResourcesUsed().getMemory());
+    // 1 user with 1 core
+    assertEquals(1, targetNewA2.getUsers().getUsersList().get(0)
+        .getResourcesUsed().getvCores());
+
+    // Get allocations from the scheduler
+    application_0.schedule(); // task_0_0
+    checkApplicationResourceUsage(3 * GB, application_0);
+
+    application_1.schedule(); // task_1_0
+    checkApplicationResourceUsage(1 * GB, application_1);
+
+    // task_1_0 (1G) application_0 moved to b2 with max running app 1 so it is
+    // not scheduled
+    checkNodeResourceUsage(4 * GB, nm_0);
+    checkNodeResourceUsage(0 * GB, nm_1);
+
+  }
+
+  private int getNumAppsInQueue(String name, List<CSQueue> queues) {
+    for (CSQueue queue : queues) {
+      if (queue.getQueueName().equals(name)) {
+        return queue.getNumApplications();
+      }
+    }
+    return -1;
+  }
+
+  private CapacitySchedulerQueueInfo getQueueInfo(String name,
+      CapacitySchedulerQueueInfoList info) {
+    if (info != null) {
+      for (CapacitySchedulerQueueInfo queueInfo : info.getQueueInfoList()) {
+        if (queueInfo.getQueueName().equals(name)) {
+          return queueInfo;
+        } else {
+          CapacitySchedulerQueueInfo result =
+              getQueueInfo(name, queueInfo.getQueues());
+          if (result == null) {
+            continue;
+          }
+          return result;
+        }
+      }
+    }
+    return null;
+  }
+
+  @Test
+  public void testMoveAllApps() throws Exception {
+    MockRM rm = setUpMove();
+    AbstractYarnScheduler scheduler =
+        (AbstractYarnScheduler) rm.getResourceScheduler();
+
+    // submit an app
+    RMApp app = rm.submitApp(GB, "test-move-1", "user_0", null, "a1");
+    ApplicationAttemptId appAttemptId =
+        rm.getApplicationReport(app.getApplicationId())
+            .getCurrentApplicationAttemptId();
+
+    // check preconditions
+    List<ApplicationAttemptId> appsInA1 = scheduler.getAppsInQueue("a1");
+    assertEquals(1, appsInA1.size());
+
+    List<ApplicationAttemptId> appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInA.size());
+    String queue =
+        scheduler.getApplicationAttempt(appsInA1.get(0)).getQueue()
+            .getQueueName();
+    Assert.assertTrue(queue.equals("a1"));
+
+    List<ApplicationAttemptId> appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    List<ApplicationAttemptId> appsInB1 = scheduler.getAppsInQueue("b1");
+    assertTrue(appsInB1.isEmpty());
+
+    List<ApplicationAttemptId> appsInB = scheduler.getAppsInQueue("b");
+    assertTrue(appsInB.isEmpty());
+
+    // now move the app
+    scheduler.moveAllApps("a1", "b1");
+
+    // check postconditions
+    Thread.sleep(1000);
+    appsInB1 = scheduler.getAppsInQueue("b1");
+    assertEquals(1, appsInB1.size());
+    queue =
+        scheduler.getApplicationAttempt(appsInB1.get(0)).getQueue()
+            .getQueueName();
+    Assert.assertTrue(queue.equals("b1"));
+
+    appsInB = scheduler.getAppsInQueue("b");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInB.size());
+
+    appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    appsInA1 = scheduler.getAppsInQueue("a1");
+    assertTrue(appsInA1.isEmpty());
+
+    appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.isEmpty());
+
+    rm.stop();
+  }
+
+  @Test
+  public void testMoveAllAppsInvalidDestination() throws Exception {
+    MockRM rm = setUpMove();
+    AbstractYarnScheduler scheduler =
+        (AbstractYarnScheduler) rm.getResourceScheduler();
+
+    // submit an app
+    RMApp app = rm.submitApp(GB, "test-move-1", "user_0", null, "a1");
+    ApplicationAttemptId appAttemptId =
+        rm.getApplicationReport(app.getApplicationId())
+            .getCurrentApplicationAttemptId();
+
+    // check preconditions
+    List<ApplicationAttemptId> appsInA1 = scheduler.getAppsInQueue("a1");
+    assertEquals(1, appsInA1.size());
+
+    List<ApplicationAttemptId> appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInA.size());
+
+    List<ApplicationAttemptId> appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    List<ApplicationAttemptId> appsInB1 = scheduler.getAppsInQueue("b1");
+    assertTrue(appsInB1.isEmpty());
+
+    List<ApplicationAttemptId> appsInB = scheduler.getAppsInQueue("b");
+    assertTrue(appsInB.isEmpty());
+
+    // now move the app
+    try {
+      scheduler.moveAllApps("a1", "DOES_NOT_EXIST");
+      Assert.fail();
+    } catch (YarnException e) {
+      // expected
+    }
+
+    // check postconditions, app should still be in a1
+    appsInA1 = scheduler.getAppsInQueue("a1");
+    assertEquals(1, appsInA1.size());
+
+    appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInA.size());
+
+    appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    appsInB1 = scheduler.getAppsInQueue("b1");
+    assertTrue(appsInB1.isEmpty());
+
+    appsInB = scheduler.getAppsInQueue("b");
+    assertTrue(appsInB.isEmpty());
+
+    rm.stop();
+  }
+
+  @Test
+  public void testMoveAllAppsInvalidSource() throws Exception {
+    MockRM rm = setUpMove();
+    AbstractYarnScheduler scheduler =
+        (AbstractYarnScheduler) rm.getResourceScheduler();
+
+    // submit an app
+    RMApp app = rm.submitApp(GB, "test-move-1", "user_0", null, "a1");
+    ApplicationAttemptId appAttemptId =
+        rm.getApplicationReport(app.getApplicationId())
+            .getCurrentApplicationAttemptId();
+
+    // check preconditions
+    List<ApplicationAttemptId> appsInA1 = scheduler.getAppsInQueue("a1");
+    assertEquals(1, appsInA1.size());
+
+    List<ApplicationAttemptId> appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInA.size());
+
+    List<ApplicationAttemptId> appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    List<ApplicationAttemptId> appsInB1 = scheduler.getAppsInQueue("b1");
+    assertTrue(appsInB1.isEmpty());
+
+    List<ApplicationAttemptId> appsInB = scheduler.getAppsInQueue("b");
+    assertTrue(appsInB.isEmpty());
+
+    // now move the app
+    try {
+      scheduler.moveAllApps("DOES_NOT_EXIST", "b1");
+      Assert.fail();
+    } catch (YarnException e) {
+      // expected
+    }
+
+    // check postconditions, app should still be in a1
+    appsInA1 = scheduler.getAppsInQueue("a1");
+    assertEquals(1, appsInA1.size());
+
+    appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInA.size());
+
+    appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    appsInB1 = scheduler.getAppsInQueue("b1");
+    assertTrue(appsInB1.isEmpty());
+
+    appsInB = scheduler.getAppsInQueue("b");
+    assertTrue(appsInB.isEmpty());
+
+    rm.stop();
+  }
+
 }

From e932365d6d46b5be16d0e79b751fac0b0b661400 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Fri, 15 Aug 2014 15:53:28 +0000
Subject: [PATCH 238/354] HADOOP-10698. KMS, add proxyuser support. (tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618217 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   2 +
 .../crypto/key/kms/KMSClientProvider.java     |  62 +++++--
 .../kms/server/KMSAuthenticationFilter.java   |  11 ++
 .../hadoop-kms/src/site/apt/index.apt.vm      |  40 +++++
 .../hadoop/crypto/key/kms/server/TestKMS.java | 165 ++++++++++++++----
 5 files changed, 230 insertions(+), 50 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index aec02b4f61d..e18ad5fa28c 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -210,6 +210,8 @@ Trunk (Unreleased)
 
     HADOOP-10770. KMS add delegation token support. (tucu)
 
+    HADOOP-10698. KMS, add proxyuser support. (tucu)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index 35439f26f6a..bce1eb5dd3d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -28,6 +28,7 @@
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.ProviderUtils;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
 import org.apache.hadoop.security.ssl.SSLFactory;
@@ -52,6 +53,7 @@
 import java.net.URLEncoder;
 import java.security.GeneralSecurityException;
 import java.security.NoSuchAlgorithmException;
+import java.security.PrivilegedExceptionAction;
 import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.Date;
@@ -235,6 +237,7 @@ public static String checkNotEmpty(String s, String name)
   private SSLFactory sslFactory;
   private ConnectionConfigurator configurator;
   private DelegationTokenAuthenticatedURL.Token authToken;
+  private UserGroupInformation loginUgi;
 
   @Override
   public String toString() {
@@ -316,6 +319,7 @@ public KMSClientProvider(URI uri, Configuration conf) throws IOException {
                     KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
             new EncryptedQueueRefiller());
     authToken = new DelegationTokenAuthenticatedURL.Token();
+    loginUgi = UserGroupInformation.getCurrentUser();
   }
 
   private String createServiceURL(URL url) throws IOException {
@@ -374,14 +378,29 @@ private HttpURLConnection configureConnection(HttpURLConnection conn)
     return conn;
   }
 
-  private HttpURLConnection createConnection(URL url, String method)
+  private HttpURLConnection createConnection(final URL url, String method)
       throws IOException {
     HttpURLConnection conn;
     try {
-      DelegationTokenAuthenticatedURL authUrl =
-          new DelegationTokenAuthenticatedURL(configurator);
-      conn = authUrl.openConnection(url, authToken);
-    } catch (AuthenticationException ex) {
+      // if current UGI is different from UGI at constructor time, behave as
+      // proxyuser
+      UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser();
+      final String doAsUser =
+          (loginUgi.getShortUserName().equals(currentUgi.getShortUserName()))
+          ? null : currentUgi.getShortUserName();
+
+      // creating the HTTP connection using the current UGI at constructor time
+      conn = loginUgi.doAs(new PrivilegedExceptionAction<HttpURLConnection>() {
+        @Override
+        public HttpURLConnection run() throws Exception {
+          DelegationTokenAuthenticatedURL authUrl =
+              new DelegationTokenAuthenticatedURL(configurator);
+          return authUrl.openConnection(url, authToken, doAsUser);
+        }
+      });
+    } catch (IOException ex) {
+      throw ex;
+    } catch (Exception ex) {
       throw new IOException(ex);
     }
     conn.setUseCaches(false);
@@ -412,20 +431,27 @@ private static void validateResponse(HttpURLConnection conn, int expected)
     if (status != expected) {
       InputStream es = null;
       try {
-        es = conn.getErrorStream();
-        ObjectMapper mapper = new ObjectMapper();
-        Map json = mapper.readValue(es, Map.class);
-        String exClass = (String) json.get(
-            KMSRESTConstants.ERROR_EXCEPTION_JSON);
-        String exMsg = (String)
-            json.get(KMSRESTConstants.ERROR_MESSAGE_JSON);
         Exception toThrow;
-        try {
-          ClassLoader cl = KMSClientProvider.class.getClassLoader();
-          Class klass = cl.loadClass(exClass);
-          Constructor constr = klass.getConstructor(String.class);
-          toThrow = (Exception) constr.newInstance(exMsg);
-        } catch (Exception ex) {
+        String contentType = conn.getHeaderField(CONTENT_TYPE);
+        if (contentType != null &&
+            contentType.toLowerCase().startsWith(APPLICATION_JSON_MIME)) {
+          es = conn.getErrorStream();
+          ObjectMapper mapper = new ObjectMapper();
+          Map json = mapper.readValue(es, Map.class);
+          String exClass = (String) json.get(
+              KMSRESTConstants.ERROR_EXCEPTION_JSON);
+          String exMsg = (String)
+              json.get(KMSRESTConstants.ERROR_MESSAGE_JSON);
+          try {
+            ClassLoader cl = KMSClientProvider.class.getClassLoader();
+            Class klass = cl.loadClass(exClass);
+            Constructor constr = klass.getConstructor(String.class);
+            toThrow = (Exception) constr.newInstance(exMsg);
+          } catch (Exception ex) {
+            toThrow = new IOException(MessageFormat.format(
+                "HTTP status [{0}], {1}", status, conn.getResponseMessage()));
+          }
+        } else {
           toThrow = new IOException(MessageFormat.format(
               "HTTP status [{0}], {1}", status, conn.getResponseMessage()));
         }
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
index 76c22c4646d..4df6db54084 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
@@ -75,6 +75,17 @@ protected Properties getConfiguration(String configPrefix,
     return props;
   }
 
+  protected Configuration getProxyuserConfiguration(FilterConfig filterConfig) {
+    Map<String, String> proxyuserConf = KMSWebApp.getConfiguration().
+        getValByRegex("hadoop\\.kms\\.proxyuser\\.");
+    Configuration conf = new Configuration(false);
+    for (Map.Entry<String, String> entry : proxyuserConf.entrySet()) {
+      conf.set(entry.getKey().substring("hadoop.kms.".length()),
+          entry.getValue());
+    }
+    return conf;
+  }
+
   private static class KMSResponse extends HttpServletResponseWrapper {
     public int statusCode;
     public String msg;
diff --git a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
index 0a1cba52e13..e0cbd780fd5 100644
--- a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
@@ -195,6 +195,46 @@ hadoop-${project.version} $ sbin/kms.sh start
   NOTE: You need to restart the KMS for the configuration changes to take
   effect.
 
+*** KMS Proxyuser Configuration
+
+  Each proxyusers must be configured in <<<etc/hadoop/kms-site.xml>>> using the
+  following properties:
+
++---+
+  <property>
+    <name>hadoop.kms.proxyusers.#USER#.users</name>
+    <value>*</value>
+  </property>
+
+  <property>
+    <name>hadoop.kms.proxyusers.#USER#.groups</name>
+    <value>*</value>
+  </property>
+
+  <property>
+    <name>hadoop.kms.proxyusers.#USER#.hosts</name>
+    <value>*</value>
+  </property>
++---+
+
+  <<<#USER#>>> is the username of the proxyuser to configure.
+
+  The <<<users>>> property indicates the users that can be impersonated.
+
+  The <<<groups>>> property indicates the groups users being impersonated must
+  belong to.
+
+  At least one of the <<<users>>> or <<<groups>>> properties must be defined.
+  If both are specified, then the configured proxyuser will be able to 
+  impersonate and user in the <<<users>>> list and any user belonging to one of 
+  the groups in the <<<groups>>> list.
+
+  The <<<hosts>>> property indicates from which host the proxyuser can make
+  impersonation requests.
+
+  If <<<users>>>, <<<groups>>> or <<<hosts>>> has a <<<*>>>, it means there are
+  no restrictions for the proxyuser regarding users, groups or hosts.
+  
 *** KMS over HTTPS (SSL)
 
   To configure KMS to work over HTTPS the following 2 properties must be
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
index 971c6179b2c..be0a229b8d7 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
@@ -33,6 +33,7 @@
 import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
 import org.junit.AfterClass;
 import org.junit.Assert;
+import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.mortbay.jetty.Connector;
@@ -71,6 +72,13 @@
 
 public class TestKMS {
 
+  @Before
+  public void cleanUp() {
+    // resetting kerberos security
+    Configuration conf = new Configuration();
+    UserGroupInformation.setConfiguration(conf);
+  }
+
   public static File getTestDir() throws Exception {
     File file = new File("dummy");
     file = file.getAbsoluteFile();
@@ -261,6 +269,7 @@ public static void setUpMiniKdc() throws Exception {
     principals.add("HTTP/localhost");
     principals.add("client");
     principals.add("client/host");
+    principals.add("client1");
     for (KMSACLs.Type type : KMSACLs.Type.values()) {
       principals.add(type.toString());
     }
@@ -290,7 +299,9 @@ private <T> T doAs(String user, final PrivilegedExceptionAction<T> action)
     try {
       loginContext.login();
       subject = loginContext.getSubject();
-      return Subject.doAs(subject, action);
+      UserGroupInformation ugi =
+          UserGroupInformation.getUGIFromSubject(subject);
+      return ugi.doAs(action);
     } finally {
       loginContext.logout();
     }
@@ -298,8 +309,13 @@ private <T> T doAs(String user, final PrivilegedExceptionAction<T> action)
 
   public void testStartStop(final boolean ssl, final boolean kerberos)
       throws Exception {
+    Configuration conf = new Configuration();
+    if (kerberos) {
+      conf.set("hadoop.security.authentication", "kerberos");
+    }
+    UserGroupInformation.setConfiguration(conf);
     File testDir = getTestDir();
-    Configuration conf = createBaseKMSConf(testDir);
+    conf = createBaseKMSConf(testDir);
 
     final String keystore;
     final String password;
@@ -327,18 +343,18 @@ public void testStartStop(final boolean ssl, final boolean kerberos)
     runServer(keystore, password, testDir, new KMSCallable() {
       @Override
       public Void call() throws Exception {
-        Configuration conf = new Configuration();
+        final Configuration conf = new Configuration();
         URL url = getKMSUrl();
         Assert.assertEquals(keystore != null,
             url.getProtocol().equals("https"));
-        URI uri = createKMSUri(getKMSUrl());
-        final KeyProvider kp = new KMSClientProvider(uri, conf);
+        final URI uri = createKMSUri(getKMSUrl());
 
         if (kerberos) {
           for (String user : new String[]{"client", "client/host"}) {
             doAs(user, new PrivilegedExceptionAction<Void>() {
               @Override
               public Void run() throws Exception {
+                final KeyProvider kp = new KMSClientProvider(uri, conf);
                 // getKeys() empty
                 Assert.assertTrue(kp.getKeys().isEmpty());
                 return null;
@@ -346,6 +362,7 @@ public Void run() throws Exception {
             });
           }
         } else {
+          KeyProvider kp = new KMSClientProvider(uri, conf);
           // getKeys() empty
           Assert.assertTrue(kp.getKeys().isEmpty());
         }
@@ -376,8 +393,11 @@ public void testStartStopHttpsKerberos() throws Exception {
 
   @Test
   public void testKMSProvider() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set("hadoop.security.authentication", "kerberos");
+    UserGroupInformation.setConfiguration(conf);
     File confDir = getTestDir();
-    Configuration conf = createBaseKMSConf(confDir);
+    conf = createBaseKMSConf(confDir);
     writeConf(confDir, conf);
 
     runServer(null, null, confDir, new KMSCallable() {
@@ -589,8 +609,11 @@ public Void call() throws Exception {
 
   @Test
   public void testACLs() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set("hadoop.security.authentication", "kerberos");
+    UserGroupInformation.setConfiguration(conf);
     final File testDir = getTestDir();
-    Configuration conf = createBaseKMSConf(testDir);
+    conf = createBaseKMSConf(testDir);
     conf.set("hadoop.kms.authentication.type", "kerberos");
     conf.set("hadoop.kms.authentication.kerberos.keytab",
         keytab.getAbsolutePath());
@@ -626,7 +649,7 @@ public Void run() throws Exception {
             } catch (AuthorizationException ex) {
               //NOP
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             try {
               kp.createKey("k", new byte[16], new KeyProvider.Options(conf));
@@ -634,7 +657,7 @@ public Void run() throws Exception {
             } catch (AuthorizationException ex) {
               //NOP
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             try {
               kp.rollNewVersion("k");
@@ -642,7 +665,7 @@ public Void run() throws Exception {
             } catch (AuthorizationException ex) {
               //NOP
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             try {
               kp.rollNewVersion("k", new byte[16]);
@@ -650,7 +673,7 @@ public Void run() throws Exception {
             } catch (AuthorizationException ex) {
               //NOP
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             try {
               kp.getKeys();
@@ -658,7 +681,7 @@ public Void run() throws Exception {
             } catch (AuthorizationException ex) {
               //NOP
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             try {
               kp.getKeysMetadata("k");
@@ -666,7 +689,7 @@ public Void run() throws Exception {
             } catch (AuthorizationException ex) {
               //NOP
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             try {
               // we are using JavaKeyStoreProvider for testing, so we know how
@@ -676,7 +699,7 @@ public Void run() throws Exception {
             } catch (AuthorizationException ex) {
               //NOP
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             try {
               kp.getCurrentKey("k");
@@ -684,7 +707,7 @@ public Void run() throws Exception {
             } catch (AuthorizationException ex) {
               //NOP
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             try {
               kp.getMetadata("k");
@@ -692,7 +715,7 @@ public Void run() throws Exception {
             } catch (AuthorizationException ex) {
               //NOP
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             try {
               kp.getKeyVersions("k");
@@ -700,7 +723,7 @@ public Void run() throws Exception {
             } catch (AuthorizationException ex) {
               //NOP
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
 
             return null;
@@ -716,7 +739,7 @@ public Void run() throws Exception {
                   new KeyProvider.Options(conf));
               Assert.assertNull(kv.getMaterial());
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             return null;
           }
@@ -729,7 +752,7 @@ public Void run() throws Exception {
             try {
               kp.deleteKey("k0");
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             return null;
           }
@@ -744,7 +767,7 @@ public Void run() throws Exception {
                   new KeyProvider.Options(conf));
               Assert.assertNull(kv.getMaterial());
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             return null;
           }
@@ -758,7 +781,7 @@ public Void run() throws Exception {
               KeyProvider.KeyVersion kv = kp.rollNewVersion("k1");
               Assert.assertNull(kv.getMaterial());
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             return null;
           }
@@ -773,7 +796,7 @@ public Void run() throws Exception {
                   kp.rollNewVersion("k1", new byte[16]);
               Assert.assertNull(kv.getMaterial());
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             return null;
           }
@@ -823,7 +846,7 @@ public Void run() throws Exception {
                       createKeyProviderCryptoExtension(kp);
               kpCE.decryptEncryptedKey(encKv);
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             return null;
           }
@@ -836,7 +859,7 @@ public Void run() throws Exception {
             try {
               kp.getKeys();
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             return null;
           }
@@ -850,7 +873,7 @@ public Void run() throws Exception {
               kp.getMetadata("k1");
               kp.getKeysMetadata("k1");
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             return null;
           }
@@ -879,7 +902,7 @@ public Void run() throws Exception {
             } catch (AuthorizationException ex) {
               //NOP
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
 
             return null;
@@ -893,8 +916,11 @@ public Void run() throws Exception {
 
   @Test
   public void testServicePrincipalACLs() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set("hadoop.security.authentication", "kerberos");
+    UserGroupInformation.setConfiguration(conf);
     File testDir = getTestDir();
-    Configuration conf = createBaseKMSConf(testDir);
+    conf = createBaseKMSConf(testDir);
     conf.set("hadoop.kms.authentication.type", "kerberos");
     conf.set("hadoop.kms.authentication.kerberos.keytab",
         keytab.getAbsolutePath());
@@ -912,18 +938,19 @@ public void testServicePrincipalACLs() throws Exception {
       public Void call() throws Exception {
         final Configuration conf = new Configuration();
         conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
-        URI uri = createKMSUri(getKMSUrl());
-        final KeyProvider kp = new KMSClientProvider(uri, conf);
+        conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
+        final URI uri = createKMSUri(getKMSUrl());
 
         doAs("client", new PrivilegedExceptionAction<Void>() {
           @Override
           public Void run() throws Exception {
             try {
+              KeyProvider kp = new KMSClientProvider(uri, conf);
               KeyProvider.KeyVersion kv = kp.createKey("ck0",
                   new KeyProvider.Options(conf));
               Assert.assertNull(kv.getMaterial());
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             return null;
           }
@@ -933,11 +960,12 @@ public Void run() throws Exception {
           @Override
           public Void run() throws Exception {
             try {
+              KeyProvider kp = new KMSClientProvider(uri, conf);
               KeyProvider.KeyVersion kv = kp.createKey("ck1",
                   new KeyProvider.Options(conf));
               Assert.assertNull(kv.getMaterial());
             } catch (Exception ex) {
-              Assert.fail(ex.toString());
+              Assert.fail(ex.getMessage());
             }
             return null;
           }
@@ -1014,8 +1042,11 @@ public void testKMSTimeout() throws Exception {
 
   @Test
   public void testDelegationTokenAccess() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set("hadoop.security.authentication", "kerberos");
+    UserGroupInformation.setConfiguration(conf);
     final File testDir = getTestDir();
-    Configuration conf = createBaseKMSConf(testDir);
+    conf = createBaseKMSConf(testDir);
     conf.set("hadoop.kms.authentication.type", "kerberos");
     conf.set("hadoop.kms.authentication.kerberos.keytab",
         keytab.getAbsolutePath());
@@ -1076,4 +1107,74 @@ public Void run() throws Exception {
     });
   }
 
+  @Test
+  public void testProxyUser() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set("hadoop.security.authentication", "kerberos");
+    UserGroupInformation.setConfiguration(conf);
+    final File testDir = getTestDir();
+    conf = createBaseKMSConf(testDir);
+    conf.set("hadoop.kms.authentication.type", "kerberos");
+    conf.set("hadoop.kms.authentication.kerberos.keytab",
+        keytab.getAbsolutePath());
+    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
+    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
+    conf.set("hadoop.kms.proxyuser.client.users", "foo");
+    conf.set("hadoop.kms.proxyuser.client.hosts", "*");
+    writeConf(testDir, conf);
+
+    runServer(null, null, testDir, new KMSCallable() {
+      @Override
+      public Void call() throws Exception {
+        final Configuration conf = new Configuration();
+        conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
+        final URI uri = createKMSUri(getKMSUrl());
+
+        // proxyuser client using kerberos credentials
+        UserGroupInformation clientUgi = UserGroupInformation.
+            loginUserFromKeytabAndReturnUGI("client", keytab.getAbsolutePath());
+        clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
+          @Override
+          public Void run() throws Exception {
+            final KeyProvider kp = new KMSClientProvider(uri, conf);
+            kp.createKey("kAA", new KeyProvider.Options(conf));
+
+            // authorized proxyuser
+            UserGroupInformation fooUgi =
+                UserGroupInformation.createRemoteUser("foo");
+            fooUgi.doAs(new PrivilegedExceptionAction<Void>() {
+              @Override
+              public Void run() throws Exception {
+                Assert.assertNotNull(kp.createKey("kBB",
+                    new KeyProvider.Options(conf)));
+                return null;
+              }
+            });
+
+            // unauthorized proxyuser
+            UserGroupInformation foo1Ugi =
+                UserGroupInformation.createRemoteUser("foo1");
+            foo1Ugi.doAs(new PrivilegedExceptionAction<Void>() {
+              @Override
+              public Void run() throws Exception {
+                try {
+                  kp.createKey("kCC", new KeyProvider.Options(conf));
+                  Assert.fail();
+                } catch (AuthorizationException ex) {
+                  // OK
+                } catch (Exception ex) {
+                  Assert.fail(ex.getMessage());
+                }
+                return null;
+              }
+            });
+            return null;
+          }
+        });
+
+        return null;
+      }
+    });
+  }
+
 }

From 31e478905af8cb4659bba5b0d3777791fb2945e7 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Fri, 15 Aug 2014 16:47:34 +0000
Subject: [PATCH 239/354] Wrong categorization for a variety of commits in the
 CHANGES.txt files

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618233 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 | 12 ++--
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  6 +-
 hadoop-mapreduce-project/CHANGES.txt          | 62 +++++++++----------
 hadoop-yarn-project/CHANGES.txt               | 12 ++--
 4 files changed, 46 insertions(+), 46 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index e18ad5fa28c..c1e57c9621e 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -202,12 +202,6 @@ Trunk (Unreleased)
     HADOOP-10224. JavaKeyStoreProvider has to protect against corrupting 
     underlying store. (asuresh via tucu)
 
-    HADOOP-8944. Shell command fs -count should include human readable option
-      (Jonathan Allen via aw)
-
-    HADOOP-10231. Add some components in Native Libraries document (Akira 
-      AJISAKA via aw)
-
     HADOOP-10770. KMS add delegation token support. (tucu)
 
     HADOOP-10698. KMS, add proxyuser support. (tucu)
@@ -521,6 +515,12 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10281. Create a scheduler, which assigns schedulables a priority
     level. (Chris Li via Arpit Agarwal)
 
+    HADOOP-8944. Shell command fs -count should include human readable option 
+    (Jonathan Allen via aw)
+
+    HADOOP-10231. Add some components in Native Libraries document (Akira 
+    AJISAKA via aw)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index b47018a61b3..e7013146cd1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -137,9 +137,6 @@ Trunk (Unreleased)
 
   BUG FIXES
  
-    HDFS-6517. Remove hadoop-metrics2.properties from hdfs project (Akira 
-               AJISAKA via aw)
-
     HADOOP-9635 Fix potential Stack Overflow in DomainSocket.c (V. Karthik Kumar
                 via cmccabe)
 
@@ -414,6 +411,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6823. dfs.web.authentication.kerberos.principal shows up in logs for 
     insecure HDFS (Allen Wittenauer via raviprak)
 
+    HDFS-6517. Remove hadoop-metrics2.properties from hdfs project (Akira 
+    AJISAKA via aw)
+
     HDFS-6617. Flake TestDFSZKFailoverController.testManualFailoverWithDFSHAAdmin
     due to a long edit log sync op. (Liang Xie via cnauroth)
 
diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 05cce4ebde8..74a1fc163d6 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -86,15 +86,6 @@ Trunk (Unreleased)
     MAPREDUCE-6019. MapReduce changes for exposing YARN/MR endpoints on multiple
     interfaces. (Craig Welch, Milan Potocnik, Arpit Agarwal via xgong)
 
-    MAPREDUCE-883. harchive: Document how to unarchive (Akira AJISAKA and
-      Koji Noguchi via aw)
-
-    MAPREDUCE-4791. Javadoc for KeyValueTextInputFormat should include default 
-      separator and how to change it (Akira AJISAKA via aw)
-
-    MAPREDUCE-5906. Inconsistent configuration in property 
-      "mapreduce.reduce.shuffle.input.buffer.percent" (Akira AJISAKA via aw)
-
   BUG FIXES
 
     MAPREDUCE-5714. Removed forceful JVM exit in shutDownJob.  
@@ -160,28 +151,6 @@ Trunk (Unreleased)
     MAPREDUCE-5867. Fix NPE in KillAMPreemptionPolicy related to 
     ProportionalCapacityPreemptionPolicy (Sunil G via devaraj)
 
-    MAPREDUCE-5944. Remove MRv1 commands from CommandsManual.apt.vm 
-      (Akira AJISAKA via aw)
-
-    MAPREDUCE-5943. Separate mapred commands from CommandManual.apt.vm
-      (Akira AJISAKA via aw)
-
-    MAPREDUCE-5363. Fix doc and spelling for TaskCompletionEvent#getTaskStatus 
-      and getStatus (Akira AJISAKA via aw)
-
-    MAPREDUCE-5595. Typo in MergeManagerImpl.java (Akira AJISAKA via aw)
-
-    MAPREDUCE-5597. Missing alternatives in javadocs for deprecated constructors 
-      in mapreduce.Job (Akira AJISAKA via aw)
-
-    MAPREDUCE-5950. incorrect description in distcp2 document (Akira AJISAKA 
-      via aw)
-
-    MAPREDUCE-5998. CompositeInputFormat javadoc is broken (Akira AJISAKA via
-      aw)
-
-    MAPREDUCE-5999. Fix dead link in InputFormat javadoc (Akira AJISAKA via aw)
-
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
@@ -196,6 +165,15 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-5963. ShuffleHandler DB schema should be versioned with
     compatible/incompatible changes (Junping Du via jlowe)
 
+    MAPREDUCE-883. harchive: Document how to unarchive (Akira AJISAKA and
+      Koji Noguchi via aw)
+
+    MAPREDUCE-4791. Javadoc for KeyValueTextInputFormat should include default
+      separator and how to change it (Akira AJISAKA via aw)
+
+    MAPREDUCE-5906. Inconsistent configuration in property
+      "mapreduce.reduce.shuffle.input.buffer.percent" (Akira AJISAKA via aw)
+
   OPTIMIZATIONS
 
   BUG FIXES
@@ -224,6 +202,28 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-5878. some standard JDK APIs are not part of system classes
     defaults (Sangjin Lee via jlowe)
 
+    MAPREDUCE-5944. Remove MRv1 commands from CommandsManual.apt.vm
+      (Akira AJISAKA via aw)
+
+    MAPREDUCE-5943. Separate mapred commands from CommandManual.apt.vm
+      (Akira AJISAKA via aw)
+
+    MAPREDUCE-5363. Fix doc and spelling for TaskCompletionEvent#getTaskStatus
+      and getStatus (Akira AJISAKA via aw)
+
+    MAPREDUCE-5595. Typo in MergeManagerImpl.java (Akira AJISAKA via aw)
+
+    MAPREDUCE-5597. Missing alternatives in javadocs for deprecated constructors
+     in mapreduce.Job (Akira AJISAKA via aw)
+
+    MAPREDUCE-5950. incorrect description in distcp2 document (Akira AJISAKA
+      via aw)
+
+    MAPREDUCE-5998. CompositeInputFormat javadoc is broken (Akira AJISAKA via
+      aw)
+
+    MAPREDUCE-5999. Fix dead link in InputFormat javadoc (Akira AJISAKA via aw)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index d0d32958f1e..495aae4746b 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -8,12 +8,6 @@ Trunk - Unreleased
 
   IMPROVEMENTS
 
-    YARN-2197. Add a link to YARN CHANGES.txt in the left side of doc
-      (Akira AJISAKA via aw)
-
-    YARN-1918. Typo in description and error message for 
-      'yarn.resourcemanager.cluster-id' (Anandha L Ranganathan via aw)
-
   OPTIMIZATIONS
 
   BUG FIXES
@@ -55,6 +49,12 @@ Release 2.6.0 - UNRELEASED
 
   IMPROVEMENTS
 
+    YARN-2197. Add a link to YARN CHANGES.txt in the left side of doc
+      (Akira AJISAKA via aw)
+
+    YARN-1918. Typo in description and error message for
+      'yarn.resourcemanager.cluster-id' (Anandha L Ranganathan via aw)
+
     YARN-2242. Improve exception information on AM launch crashes. (Li Lu 
     via junping_du)
 

From 84bc2fe4021be32e0ff8ba395359337904149034 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Fri, 15 Aug 2014 20:17:45 +0000
Subject: [PATCH 240/354] =?UTF-8?q?MAPREDUCE-6032.=20Made=20MR=20jobs=20wr?=
 =?UTF-8?q?ite=20job=20history=20files=20on=20the=20default=20FS=20when=20?=
 =?UTF-8?q?the=20current=20context=E2=80=99s=20FS=20is=20different.=20Cont?=
 =?UTF-8?q?ributed=20by=20Benjamin=20Zhitomirsky.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618269 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt          |  3 +
 .../hadoop-mapreduce-client-app/pom.xml       |  6 ++
 .../jobhistory/JobHistoryEventHandler.java    | 12 ++-
 .../TestJobHistoryEventHandler.java           | 97 ++++++++++++++++++-
 .../v2/jobhistory/JobHistoryUtils.java        | 75 +++++++++++++-
 .../v2/hs/TestHistoryFileManager.java         | 70 ++++++++++++-
 6 files changed, 247 insertions(+), 16 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 74a1fc163d6..a48c6c18701 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -224,6 +224,9 @@ Release 2.6.0 - UNRELEASED
 
     MAPREDUCE-5999. Fix dead link in InputFormat javadoc (Akira AJISAKA via aw)
 
+    MAPREDUCE-6032. Made MR jobs write job history files on the default FS when
+    the current context’s FS is different. (Benjamin Zhitomirsky via zjshen)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/pom.xml b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/pom.xml
index 4d1800f15c1..2e597d11d66 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/pom.xml
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/pom.xml
@@ -73,6 +73,12 @@
       <groupId>org.apache.hadoop</groupId>
       <artifactId>hadoop-mapreduce-client-shuffle</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-hdfs</artifactId>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/jobhistory/JobHistoryEventHandler.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/jobhistory/JobHistoryEventHandler.java
index 8fd7b471600..c566740aa7a 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/jobhistory/JobHistoryEventHandler.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/jobhistory/JobHistoryEventHandler.java
@@ -28,13 +28,13 @@
 import java.util.TimerTask;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.LinkedBlockingQueue;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileAlreadyExistsException;
+import org.apache.hadoop.fs.FileContext;
 import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.FileUtil;
@@ -74,7 +74,9 @@ public class JobHistoryEventHandler extends AbstractService
 
   private int eventCounter;
 
-  //TODO Does the FS object need to be different ? 
+  // Those file systems may differ from the job configuration
+  // See org.apache.hadoop.mapreduce.v2.jobhistory.JobHistoryUtils
+  // #ensurePathInDefaultFileSystem
   private FileSystem stagingDirFS; // log Dir FileSystem
   private FileSystem doneDirFS; // done Dir FileSystem
 
@@ -141,7 +143,7 @@ protected void serviceInit(Configuration conf) throws Exception {
     //Check for the existence of the history staging dir. Maybe create it. 
     try {
       stagingDirPath =
-          FileSystem.get(conf).makeQualified(new Path(stagingDirStr));
+          FileContext.getFileContext(conf).makeQualified(new Path(stagingDirStr));
       stagingDirFS = FileSystem.get(stagingDirPath.toUri(), conf);
       mkdir(stagingDirFS, stagingDirPath, new FsPermission(
           JobHistoryUtils.HISTORY_STAGING_DIR_PERMISSIONS));
@@ -154,7 +156,7 @@ protected void serviceInit(Configuration conf) throws Exception {
     //Check for the existence of intermediate done dir.
     Path doneDirPath = null;
     try {
-      doneDirPath = FileSystem.get(conf).makeQualified(new Path(doneDirStr));
+      doneDirPath = FileContext.getFileContext(conf).makeQualified(new Path(doneDirStr));
       doneDirFS = FileSystem.get(doneDirPath.toUri(), conf);
       // This directory will be in a common location, or this may be a cluster
       // meant for a single user. Creating based on the conf. Should ideally be
@@ -194,7 +196,7 @@ protected void serviceInit(Configuration conf) throws Exception {
     //Check/create user directory under intermediate done dir.
     try {
       doneDirPrefixPath =
-          FileSystem.get(conf).makeQualified(new Path(userDoneDirStr));
+          FileContext.getFileContext(conf).makeQualified(new Path(userDoneDirStr));
       mkdir(doneDirFS, doneDirPrefixPath, new FsPermission(
           JobHistoryUtils.HISTORY_INTERMEDIATE_USER_DIR_PERMISSIONS));
     } catch (IOException e) {
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/jobhistory/TestJobHistoryEventHandler.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/jobhistory/TestJobHistoryEventHandler.java
index 167df3c8e29..d8a0cc7af52 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/jobhistory/TestJobHistoryEventHandler.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/jobhistory/TestJobHistoryEventHandler.java
@@ -28,6 +28,7 @@
 import static org.mockito.Mockito.never;
 
 import java.io.File;
+import java.io.FileOutputStream;
 import java.io.IOException;
 
 import org.junit.Assert;
@@ -35,8 +36,13 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.fs.FileContext;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.LocalFileSystem;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.HdfsConfiguration;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.mapreduce.Counters;
 import org.apache.hadoop.mapreduce.JobID;
 import org.apache.hadoop.mapreduce.MRJobConfig;
@@ -52,6 +58,10 @@
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
+import org.junit.After;
+import org.junit.AfterClass;
+import static org.junit.Assert.assertFalse;
+import org.junit.BeforeClass;
 import org.junit.Test;
 import org.mockito.Mockito;
 
@@ -60,6 +70,26 @@ public class TestJobHistoryEventHandler {
 
   private static final Log LOG = LogFactory
       .getLog(TestJobHistoryEventHandler.class);
+  private static MiniDFSCluster dfsCluster = null;
+  private static String coreSitePath;
+
+  @BeforeClass
+  public static void setUpClass() throws Exception {
+    coreSitePath = "." + File.separator + "target" + File.separator +
+            "test-classes" + File.separator + "core-site.xml";
+    Configuration conf = new HdfsConfiguration();
+    dfsCluster = new MiniDFSCluster.Builder(conf).build();
+  }
+
+  @AfterClass
+  public static void cleanUpClass() throws Exception {
+    dfsCluster.shutdown();
+  }
+
+  @After
+  public void cleanTest() throws Exception {
+    new File(coreSitePath).delete();
+  }
 
   @Test (timeout=50000)
   public void testFirstFlushOnCompletionEvent() throws Exception {
@@ -325,6 +355,50 @@ public void testProcessDoneFilesNotLastAMRetry() throws Exception {
     }
   }
 
+  @Test (timeout=50000)
+  public void testDefaultFsIsUsedForHistory() throws Exception {
+    // Create default configuration pointing to the minicluster
+    Configuration conf = new Configuration();
+    conf.set(CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY,
+            dfsCluster.getURI().toString());
+    FileOutputStream os = new FileOutputStream(coreSitePath);
+    conf.writeXml(os);
+    os.close();
+
+    // simulate execution under a non-default namenode
+    conf.set(CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY,
+            "file:///");
+
+    TestParams t = new TestParams();
+    conf.set(MRJobConfig.MR_AM_STAGING_DIR, t.dfsWorkDir);
+
+    JHEvenHandlerForTest realJheh =
+        new JHEvenHandlerForTest(t.mockAppContext, 0, false);
+    JHEvenHandlerForTest jheh = spy(realJheh);
+    jheh.init(conf);
+
+    try {
+      jheh.start();
+      handleEvent(jheh, new JobHistoryEvent(t.jobId, new AMStartedEvent(
+          t.appAttemptId, 200, t.containerId, "nmhost", 3000, 4000)));
+
+      handleEvent(jheh, new JobHistoryEvent(t.jobId, new JobFinishedEvent(
+          TypeConverter.fromYarn(t.jobId), 0, 0, 0, 0, 0, new Counters(),
+          new Counters(), new Counters())));
+
+      // If we got here then event handler worked but we don't know with which
+      // file system. Now we check that history stuff was written to minicluster
+      FileSystem dfsFileSystem = dfsCluster.getFileSystem();
+      assertTrue("Minicluster contains some history files",
+          dfsFileSystem.globStatus(new Path(t.dfsWorkDir + "/*")).length != 0);
+      FileSystem localFileSystem = LocalFileSystem.get(conf);
+      assertFalse("No history directory on non-default file system",
+          localFileSystem.exists(new Path(t.dfsWorkDir)));
+    } finally {
+      jheh.stop();
+    }
+  }
+
   private void queueEvent(JHEvenHandlerForTest jheh, JobHistoryEvent event) {
     jheh.handle(event);
   }
@@ -372,6 +446,7 @@ private AppContext mockAppContext(ApplicationId appId, boolean isLastAMRetry) {
   private class TestParams {
     boolean isLastAMRetry;
     String workDir = setupTestWorkDir();
+    String dfsWorkDir = "/" + this.getClass().getCanonicalName();
     ApplicationId appId = ApplicationId.newInstance(200, 1);
     ApplicationAttemptId appAttemptId =
         ApplicationAttemptId.newInstance(appId, 1);
@@ -451,10 +526,16 @@ public void testSigTermedFunctionality() throws IOException {
 class JHEvenHandlerForTest extends JobHistoryEventHandler {
 
   private EventWriter eventWriter;
+  private boolean mockHistoryProcessing = true;
   public JHEvenHandlerForTest(AppContext context, int startCount) {
     super(context, startCount);
   }
 
+  public JHEvenHandlerForTest(AppContext context, int startCount, boolean mockHistoryProcessing) {
+    super(context, startCount);
+    this.mockHistoryProcessing = mockHistoryProcessing;
+  }
+
   @Override
   protected void serviceStart() {
   }
@@ -462,7 +543,12 @@ protected void serviceStart() {
   @Override
   protected EventWriter createEventWriter(Path historyFilePath)
       throws IOException {
-    this.eventWriter = mock(EventWriter.class);
+    if (mockHistoryProcessing) {
+      this.eventWriter = mock(EventWriter.class);
+    }
+    else {
+      this.eventWriter = super.createEventWriter(historyFilePath);
+    }
     return this.eventWriter;
   }
 
@@ -475,8 +561,13 @@ public EventWriter getEventWriter() {
   }
 
   @Override
-  protected void processDoneFiles(JobId jobId){
-    // do nothing
+  protected void processDoneFiles(JobId jobId) throws IOException {
+    if (!mockHistoryProcessing) {
+      super.processDoneFiles(jobId);
+    }
+    else {
+      // do nothing
+    }
   }
 }
 
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JobHistoryUtils.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JobHistoryUtils.java
index d80fe40958d..167ee20a22e 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JobHistoryUtils.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JobHistoryUtils.java
@@ -22,20 +22,24 @@
 import java.io.IOException;
 import java.util.Calendar;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.fs.FileContext;
 import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.PathFilter;
 import org.apache.hadoop.fs.RemoteIterator;
+import org.apache.hadoop.fs.UnsupportedFileSystemException;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.mapreduce.JobID;
 import org.apache.hadoop.mapreduce.MRJobConfig;
@@ -117,6 +121,7 @@ public class JobHistoryUtils {
   public static final String TIMESTAMP_DIR_REGEX = "\\d{4}" + "\\" + Path.SEPARATOR +  "\\d{2}" + "\\" + Path.SEPARATOR + "\\d{2}";
   public static final Pattern TIMESTAMP_DIR_PATTERN = Pattern.compile(TIMESTAMP_DIR_REGEX);
   private static final String TIMESTAMP_DIR_FORMAT = "%04d" + File.separator + "%02d" + File.separator + "%02d";
+  private static final Log LOG = LogFactory.getLog(JobHistoryUtils.class);
 
   private static final PathFilter CONF_FILTER = new PathFilter() {
     @Override
@@ -183,7 +188,7 @@ public static PathFilter getHistoryFileFilter() {
     Path stagingPath = MRApps.getStagingAreaDir(conf, user);
     Path path = new Path(stagingPath, jobId);
     String logDir = path.toString();
-    return logDir;
+    return ensurePathInDefaultFileSystem(logDir, conf);
   }
   
   /**
@@ -200,7 +205,7 @@ public static String getConfiguredHistoryIntermediateDoneDirPrefix(
           MRJobConfig.DEFAULT_MR_AM_STAGING_DIR)
           + "/history/done_intermediate";
     }
-    return doneDirPrefix;
+    return ensurePathInDefaultFileSystem(doneDirPrefix, conf);
   }
   
   /**
@@ -216,7 +221,69 @@ public static String getConfiguredHistoryServerDoneDirPrefix(
           MRJobConfig.DEFAULT_MR_AM_STAGING_DIR)
           + "/history/done";
     }
-    return doneDirPrefix;
+    return ensurePathInDefaultFileSystem(doneDirPrefix, conf);
+  }
+
+  /**
+   * Get default file system URI for the cluster (used to ensure consistency
+   * of history done/staging locations) over different context
+   *
+   * @return Default file context
+   */
+  private static FileContext getDefaultFileContext() {
+    // If FS_DEFAULT_NAME_KEY was set solely by core-default.xml then we ignore
+    // ignore it. This prevents defaulting history paths to file system specified
+    // by core-default.xml which would not make sense in any case. For a test
+    // case to exploit this functionality it should create core-site.xml
+    FileContext fc = null;
+    Configuration defaultConf = new Configuration();
+    String[] sources;
+    sources = defaultConf.getPropertySources(
+        CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY);
+    if (sources != null &&
+        (!Arrays.asList(sources).contains("core-default.xml") ||
+        sources.length > 1)) {
+      try {
+        fc = FileContext.getFileContext(defaultConf);
+        LOG.info("Default file system [" +
+                  fc.getDefaultFileSystem().getUri() + "]");
+      } catch (UnsupportedFileSystemException e) {
+        LOG.error("Unable to create default file context [" +
+            defaultConf.get(CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY) +
+            "]",
+            e);
+      }
+    }
+    else {
+      LOG.info("Default file system is set solely " +
+          "by core-default.xml therefore -  ignoring");
+    }
+
+    return fc;
+  }
+
+  /**
+   * Ensure that path belongs to cluster's default file system unless
+   * 1. it is already fully qualified.
+   * 2. current job configuration uses default file system
+   * 3. running from a test case without core-site.xml
+   *
+   * @param sourcePath source path
+   * @param conf the job configuration
+   * @return full qualified path (if necessary) in default file system
+   */
+  private static String ensurePathInDefaultFileSystem(String sourcePath, Configuration conf) {
+    Path path = new Path(sourcePath);
+    FileContext fc = getDefaultFileContext();
+    if (fc == null ||
+        fc.getDefaultFileSystem().getUri().toString().equals(
+            conf.get(CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY, "")) ||
+        path.toUri().getAuthority() != null ||
+        path.toUri().getScheme()!= null) {
+      return sourcePath;
+    }
+
+    return fc.makeQualified(path).toString();
   }
 
   /**
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestHistoryFileManager.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestHistoryFileManager.java
index 34cb74b5a8b..1e07062d69c 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestHistoryFileManager.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestHistoryFileManager.java
@@ -19,42 +19,74 @@
 package org.apache.hadoop.mapreduce.v2.hs;
 
 
+import java.io.File;
+import java.io.FileOutputStream;
+import java.util.UUID;
 import org.junit.Assert;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
 import org.apache.hadoop.mapreduce.v2.app.ControlledClock;
 import org.apache.hadoop.mapreduce.v2.jobhistory.JHAdminConfig;
+import org.apache.hadoop.test.CoreTestDriver;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.util.Clock;
 import org.apache.hadoop.yarn.util.SystemClock;
+import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
+import org.junit.Rule;
 import org.junit.Test;
-
-import java.util.UUID;
+import org.junit.rules.TestName;
 
 public class TestHistoryFileManager {
   private static MiniDFSCluster dfsCluster = null;
+  private static MiniDFSCluster dfsCluster2 = null;
+  private static String coreSitePath;
+
+  @Rule
+  public TestName name = new TestName();
 
   @BeforeClass
   public static void setUpClass() throws Exception {
+    coreSitePath = "." + File.separator + "target" + File.separator +
+            "test-classes" + File.separator + "core-site.xml";
     Configuration conf = new HdfsConfiguration();
+    Configuration conf2 = new HdfsConfiguration();
     dfsCluster = new MiniDFSCluster.Builder(conf).build();
+    conf2.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR,
+            conf.get(MiniDFSCluster.HDFS_MINIDFS_BASEDIR) + "_2");
+    dfsCluster2 = new MiniDFSCluster.Builder(conf2).build();
   }
 
   @AfterClass
   public static void cleanUpClass() throws Exception {
     dfsCluster.shutdown();
+    dfsCluster2.shutdown();
+  }
+
+  @After
+  public void cleanTest() throws Exception {
+    new File(coreSitePath).delete();
+  }
+
+  private String getDoneDirNameForTest() {
+    return "/" + name.getMethodName();
+  }
+
+  private String getIntermediateDoneDirNameForTest() {
+    return "/intermediate_" + name.getMethodName();
   }
 
   private void testTryCreateHistoryDirs(Configuration conf, boolean expected)
       throws Exception {
-    conf.set(JHAdminConfig.MR_HISTORY_DONE_DIR, "/" + UUID.randomUUID());
-    conf.set(JHAdminConfig.MR_HISTORY_INTERMEDIATE_DONE_DIR, "/" + UUID.randomUUID());
+    conf.set(JHAdminConfig.MR_HISTORY_DONE_DIR, getDoneDirNameForTest());
+    conf.set(JHAdminConfig.MR_HISTORY_INTERMEDIATE_DONE_DIR, getIntermediateDoneDirNameForTest());
     HistoryFileManager hfm = new HistoryFileManager();
     hfm.conf = conf;
     Assert.assertEquals(expected, hfm.tryCreatingHistoryDirs(false));
@@ -75,6 +107,36 @@ public void testCreateDirsWithFileSystem() throws Exception {
     testTryCreateHistoryDirs(dfsCluster.getConfiguration(0), true);
   }
 
+  @Test
+  public void testCreateDirsWithAdditionalFileSystem() throws Exception {
+    dfsCluster.getFileSystem().setSafeMode(
+        HdfsConstants.SafeModeAction.SAFEMODE_LEAVE);
+    dfsCluster2.getFileSystem().setSafeMode(
+        HdfsConstants.SafeModeAction.SAFEMODE_LEAVE);
+    Assert.assertFalse(dfsCluster.getFileSystem().isInSafeMode());
+    Assert.assertFalse(dfsCluster2.getFileSystem().isInSafeMode());
+
+    // Set default configuration to the first cluster
+    Configuration conf = new Configuration(false);
+    conf.set(CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY,
+            dfsCluster.getURI().toString());
+    FileOutputStream os = new FileOutputStream(coreSitePath);
+    conf.writeXml(os);
+    os.close();
+
+    testTryCreateHistoryDirs(dfsCluster2.getConfiguration(0), true);
+
+    // Directories should be created only in the default file system (dfsCluster)
+    Assert.assertTrue(dfsCluster.getFileSystem()
+            .exists(new Path(getDoneDirNameForTest())));
+    Assert.assertTrue(dfsCluster.getFileSystem()
+            .exists(new Path(getIntermediateDoneDirNameForTest())));
+    Assert.assertFalse(dfsCluster2.getFileSystem()
+            .exists(new Path(getDoneDirNameForTest())));
+    Assert.assertFalse(dfsCluster2.getFileSystem()
+            .exists(new Path(getIntermediateDoneDirNameForTest())));
+  }
+
   @Test
   public void testCreateDirsWithFileSystemInSafeMode() throws Exception {
     dfsCluster.getFileSystem().setSafeMode(

From ddf108449d05e1b3c767d0dc81643b29b7d526b9 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Fri, 15 Aug 2014 20:25:51 +0000
Subject: [PATCH 241/354] MAPREDUCE-6032. Fix the non-unicode character in the
 change log in CHANGES.txt.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618270 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index a48c6c18701..62b4e525644 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -225,7 +225,7 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-5999. Fix dead link in InputFormat javadoc (Akira AJISAKA via aw)
 
     MAPREDUCE-6032. Made MR jobs write job history files on the default FS when
-    the current context’s FS is different. (Benjamin Zhitomirsky via zjshen)
+    the current context's FS is different. (Benjamin Zhitomirsky via zjshen)
 
 Release 2.5.0 - UNRELEASED
 

From c3084d6c1661332a4771882529077e778d9c5692 Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Fri, 15 Aug 2014 23:53:57 +0000
Subject: [PATCH 242/354] YARN-2389. Added functionality for schedulers to kill
 all applications in a queue. Contributed by Subramaniam Venkatraman Krishnan

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618294 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |  3 +
 .../scheduler/AbstractYarnScheduler.java      | 21 ++++
 .../scheduler/YarnScheduler.java              |  8 ++
 .../capacity/TestCapacityScheduler.java       | 98 ++++++++++++++++++-
 4 files changed, 127 insertions(+), 3 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 495aae4746b..aa217edaec0 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -140,6 +140,9 @@ Release 2.6.0 - UNRELEASED
     YARN-1370. Fair scheduler to re-populate container allocation state. 
     (Anubhav Dhoot via kasha)
 
+    YARN-2389. Added functionality for schedulers to kill all applications in a
+    queue. (Subramaniam Venkatraman Krishnan via jianhe)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
index e5f22b8fc41..6463153c147 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
@@ -41,6 +41,8 @@
 import org.apache.hadoop.yarn.server.api.protocolrecords.NMContainerStatus;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEventType;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppMoveEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
@@ -348,4 +350,23 @@ public synchronized void moveAllApps(String sourceQueue, String destQueue)
           .handle(new RMAppMoveEvent(app.getApplicationId(), destQueue, future));
     }
   }
+
+  @Override
+  public synchronized void killAllAppsInQueue(String queueName)
+      throws YarnException {
+    // check if queue is a valid
+    List<ApplicationAttemptId> apps = getAppsInQueue(queueName);
+    if (apps == null) {
+      String errMsg = "The specified Queue: " + queueName + " doesn't exist";
+      LOG.warn(errMsg);
+      throw new YarnException(errMsg);
+    }
+    // generate kill events for each pending/running app
+    for (ApplicationAttemptId app : apps) {
+      this.rmContext
+          .getDispatcher()
+          .getEventHandler()
+          .handle(new RMAppEvent(app.getApplicationId(), RMAppEventType.KILL));
+    }
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
index 79dc773b410..5ce16c2b888 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
@@ -212,4 +212,12 @@ public String moveApplication(ApplicationId appId, String newQueue)
    * @throws YarnException
    */
   void moveAllApps(String sourceQueue, String destQueue) throws YarnException;
+
+  /**
+   * Terminate all applications in the specified queue.
+   *
+   * @param queueName the name of queue to be drained
+   * @throws YarnException
+   */
+  void killAllAppsInQueue(String queueName) throws YarnException;
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java
index 45c4950202d..f64bd62e078 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java
@@ -1074,11 +1074,10 @@ public void testMoveAppBasic() throws Exception {
     queue =
         scheduler.getApplicationAttempt(appsInB1.get(0)).getQueue()
             .getQueueName();
-    System.out.println(queue);
     Assert.assertTrue(queue.equals("b1"));
 
     appsInB = scheduler.getAppsInQueue("b");
-    assertTrue(appsInA.contains(appAttemptId));
+    assertTrue(appsInB.contains(appAttemptId));
     assertEquals(1, appsInB.size());
 
     appsInRoot = scheduler.getAppsInQueue("root");
@@ -1140,6 +1139,7 @@ public void testMoveAppSameParent() throws Exception {
     assertTrue(appsInA1.isEmpty());
 
     appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.contains(appAttemptId));
     assertEquals(1, appsInA.size());
 
     appsInRoot = scheduler.getAppsInQueue("root");
@@ -1664,7 +1664,7 @@ public void testMoveAllApps() throws Exception {
     Assert.assertTrue(queue.equals("b1"));
 
     appsInB = scheduler.getAppsInQueue("b");
-    assertTrue(appsInA.contains(appAttemptId));
+    assertTrue(appsInB.contains(appAttemptId));
     assertEquals(1, appsInB.size());
 
     appsInRoot = scheduler.getAppsInQueue("root");
@@ -1798,4 +1798,96 @@ public void testMoveAllAppsInvalidSource() throws Exception {
     rm.stop();
   }
 
+  @Test
+  public void testKillAllAppsInQueue() throws Exception {
+    MockRM rm = setUpMove();
+    AbstractYarnScheduler scheduler =
+        (AbstractYarnScheduler) rm.getResourceScheduler();
+
+    // submit an app
+    RMApp app = rm.submitApp(GB, "test-move-1", "user_0", null, "a1");
+    ApplicationAttemptId appAttemptId =
+        rm.getApplicationReport(app.getApplicationId())
+            .getCurrentApplicationAttemptId();
+
+    // check preconditions
+    List<ApplicationAttemptId> appsInA1 = scheduler.getAppsInQueue("a1");
+    assertEquals(1, appsInA1.size());
+
+    List<ApplicationAttemptId> appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInA.size());
+    String queue =
+        scheduler.getApplicationAttempt(appsInA1.get(0)).getQueue()
+            .getQueueName();
+    Assert.assertTrue(queue.equals("a1"));
+
+    List<ApplicationAttemptId> appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    // now kill the app
+    scheduler.killAllAppsInQueue("a1");
+
+    // check postconditions
+    rm.waitForState(app.getApplicationId(), RMAppState.KILLED);
+    appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.isEmpty());
+
+    appsInA1 = scheduler.getAppsInQueue("a1");
+    assertTrue(appsInA1.isEmpty());
+
+    appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.isEmpty());
+
+    rm.stop();
+  }
+
+  @Test
+  public void testKillAllAppsInvalidSource() throws Exception {
+    MockRM rm = setUpMove();
+    AbstractYarnScheduler scheduler =
+        (AbstractYarnScheduler) rm.getResourceScheduler();
+
+    // submit an app
+    RMApp app = rm.submitApp(GB, "test-move-1", "user_0", null, "a1");
+    ApplicationAttemptId appAttemptId =
+        rm.getApplicationReport(app.getApplicationId())
+            .getCurrentApplicationAttemptId();
+
+    // check preconditions
+    List<ApplicationAttemptId> appsInA1 = scheduler.getAppsInQueue("a1");
+    assertEquals(1, appsInA1.size());
+
+    List<ApplicationAttemptId> appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInA.size());
+
+    List<ApplicationAttemptId> appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    // now kill the app
+    try {
+      scheduler.killAllAppsInQueue("DOES_NOT_EXIST");
+      Assert.fail();
+    } catch (YarnException e) {
+      // expected
+    }
+
+    // check postconditions, app should still be in a1
+    appsInA1 = scheduler.getAppsInQueue("a1");
+    assertEquals(1, appsInA1.size());
+
+    appsInA = scheduler.getAppsInQueue("a");
+    assertTrue(appsInA.contains(appAttemptId));
+    assertEquals(1, appsInA.size());
+
+    appsInRoot = scheduler.getAppsInQueue("root");
+    assertTrue(appsInRoot.contains(appAttemptId));
+    assertEquals(1, appsInRoot.size());
+
+    rm.stop();
+  }
+
 }

From c1cd41cc49ad99e733dc6b4e90cf29bb8020be06 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Sun, 17 Aug 2014 17:06:01 +0000
Subject: [PATCH 243/354] HADOOP-10650. Add ability to specify a reverse ACL
 (black list) of users and groups. (Contributed by Benoy Antony)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618482 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   3 +
 .../hadoop/fs/CommonConfigurationKeys.java    |   3 +
 .../ServiceAuthorizationManager.java          |  38 ++++--
 .../src/site/apt/ServiceLevelAuth.apt.vm      |  21 ++++
 .../authorize/TestServiceAuthorization.java   | 117 ++++++++++++++++++
 5 files changed, 171 insertions(+), 11 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index c1e57c9621e..d0168c2d5bc 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -521,6 +521,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10231. Add some components in Native Libraries document (Akira 
     AJISAKA via aw)
 
+    HADOOP-10650. Add ability to specify a reverse ACL (black list) of users
+    and groups. (Benoy Antony via Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java
index 3345e3c93d5..b4aedb37aef 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java
@@ -134,6 +134,9 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic {
   HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL = 
       "security.service.authorization.default.acl";
   public static final String 
+  HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL =
+      "security.service.authorization.default.acl.blocked";
+  public static final String
   HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY = 
       "security.refresh.policy.protocol.acl";
   public static final String 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
index d12ab79c798..272538a90fd 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
@@ -43,10 +43,14 @@
 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
 @InterfaceStability.Evolving
 public class ServiceAuthorizationManager {
+  static final String BLOCKED = ".blocked";
+
   private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
 
-  private volatile Map<Class<?>, AccessControlList> protocolToAcl =
-    new IdentityHashMap<Class<?>, AccessControlList>();
+  // For each class, first ACL in the array specifies the allowed entries
+  // and second ACL specifies blocked entries.
+  private volatile Map<Class<?>, AccessControlList[]> protocolToAcls =
+    new IdentityHashMap<Class<?>, AccessControlList[]>();
   
   /**
    * Configuration key for controlling service-level authorization for Hadoop.
@@ -80,8 +84,8 @@ public void authorize(UserGroupInformation user,
                                Configuration conf,
                                InetAddress addr
                                ) throws AuthorizationException {
-    AccessControlList acl = protocolToAcl.get(protocol);
-    if (acl == null) {
+    AccessControlList[] acls = protocolToAcls.get(protocol);
+    if (acls == null) {
       throw new AuthorizationException("Protocol " + protocol + 
                                        " is not known.");
     }
@@ -104,7 +108,7 @@ public void authorize(UserGroupInformation user,
       }
     }
     if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
-        !acl.isUserAllowed(user)) {
+       acls.length != 2  || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
       AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
           + ", expected client Kerberos principal is " + clientPrincipal);
       throw new AuthorizationException("User " + user + 
@@ -129,13 +133,16 @@ public void refresh(Configuration conf,
   @Private
   public void refreshWithLoadedConfiguration(Configuration conf,
       PolicyProvider provider) {
-    final Map<Class<?>, AccessControlList> newAcls =
-        new IdentityHashMap<Class<?>, AccessControlList>();
+    final Map<Class<?>, AccessControlList[]> newAcls =
+      new IdentityHashMap<Class<?>, AccessControlList[]>();
     
     String defaultAcl = conf.get(
         CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL,
         AccessControlList.WILDCARD_ACL_VALUE);
 
+    String defaultBlockedAcl = conf.get(
+      CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL, "");
+
     // Parse the config file
     Service[] services = provider.getServices();
     if (services != null) {
@@ -145,21 +152,30 @@ public void refreshWithLoadedConfiguration(Configuration conf,
                 conf.get(service.getServiceKey(),
                     defaultAcl)
             );
-        newAcls.put(service.getProtocol(), acl);
+        AccessControlList blockedAcl =
+           new AccessControlList(
+           conf.get(service.getServiceKey() + BLOCKED,
+           defaultBlockedAcl));
+        newAcls.put(service.getProtocol(), new AccessControlList[] {acl, blockedAcl});
       }
     }
 
     // Flip to the newly parsed permissions
-    protocolToAcl = newAcls;
+    protocolToAcls = newAcls;
   }
 
   @VisibleForTesting
   public Set<Class<?>> getProtocolsWithAcls() {
-    return protocolToAcl.keySet();
+    return protocolToAcls.keySet();
   }
 
   @VisibleForTesting
   public AccessControlList getProtocolsAcls(Class<?> className) {
-    return protocolToAcl.get(className);
+    return protocolToAcls.get(className)[0];
+  }
+
+  @VisibleForTesting
+  public AccessControlList getProtocolsBlockedAcls(Class<?> className) {
+    return protocolToAcls.get(className)[1];
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/site/apt/ServiceLevelAuth.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/ServiceLevelAuth.apt.vm
index 6a11f3f643d..6f714545ffe 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/ServiceLevelAuth.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/ServiceLevelAuth.apt.vm
@@ -110,6 +110,27 @@ security.ha.service.protocol.acl      | ACL for HAService protocol used by HAAdm
    <<<security.service.authorization.default.acl>>> is applied. If 
    <<<security.service.authorization.default.acl>>> is not defined, <<<*>>>  is applied.
 
+ ** Blocked Access Control Lists
+
+   In some cases, it is required to specify blocked access control list for a service. This specifies
+   the list of users and groups who are not authorized to access the service. The format of
+   the blocked access control list is same as that of access control list. The blocked access
+   control list can be specified via <<<${HADOOP_CONF_DIR}/hadoop-policy.xml>>>. The property name
+   is derived by suffixing with ".blocked".
+
+   Example: The property name of blocked access control list for <<<security.client.protocol.acl>>
+   will be <<<security.client.protocol.acl.blocked>>>
+
+   For a service, it is possible to specify both an access control list and a blocked control
+   list. A user is authorized to access the service if the user is in the access control and not in
+   the blocked access control list.
+
+   If blocked access control list is not defined for a service, the value of
+   <<<security.service.authorization.default.acl.blocked>>> is applied. If
+   <<<security.service.authorization.default.acl.blocked>>> is not defined,
+   empty blocked access control list is applied.
+
+
 ** Refreshing Service Level Authorization Configuration
 
    The service-level authorization configuration for the NameNode and
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java
index f6cf8bce2e9..9ef9d7add53 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java
@@ -18,16 +18,22 @@
 package org.apache.hadoop.security.authorize;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.ipc.TestRPC.TestProtocol;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.junit.Test;
 
 public class TestServiceAuthorization {
 
   private static final String ACL_CONFIG = "test.protocol.acl";
   private static final String ACL_CONFIG1 = "test.protocol1.acl";
+  private static final String ADDRESS =  "0.0.0.0";
 
   public interface TestProtocol1 extends TestProtocol {};
 
@@ -64,4 +70,115 @@ public void testDefaultAcl() {
     acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol1.class);
     assertEquals("user2 group2", acl.getAclString());
   }
+
+  @Test
+  public void testBlockedAcl() throws UnknownHostException {
+    UserGroupInformation drwho =
+        UserGroupInformation.createUserForTesting("drwho@EXAMPLE.COM",
+            new String[] { "group1", "group2" });
+
+    ServiceAuthorizationManager serviceAuthorizationManager =
+        new ServiceAuthorizationManager();
+    Configuration conf = new Configuration ();
+
+    //test without setting a blocked acl
+    conf.set(ACL_CONFIG, "user1 group1");
+    serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+    try {
+      serviceAuthorizationManager.authorize(drwho, TestProtocol.class, conf,
+          InetAddress.getByName(ADDRESS));
+    } catch (AuthorizationException e) {
+      fail();
+    }
+    //now set a blocked acl with another user and another group
+    conf.set(ACL_CONFIG + ServiceAuthorizationManager.BLOCKED, "drwho2 group3");
+    serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+    try {
+      serviceAuthorizationManager.authorize(drwho, TestProtocol.class, conf,
+          InetAddress.getByName(ADDRESS));
+    } catch (AuthorizationException e) {
+      fail();
+    }
+    //now set a blocked acl with the user and another group
+    conf.set(ACL_CONFIG + ServiceAuthorizationManager.BLOCKED, "drwho group3");
+    serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+    try {
+      serviceAuthorizationManager.authorize(drwho, TestProtocol.class, conf,
+          InetAddress.getByName(ADDRESS));
+      fail();
+    } catch (AuthorizationException e) {
+
+    }
+    //now set a blocked acl with another user and another group
+    conf.set(ACL_CONFIG + ServiceAuthorizationManager.BLOCKED, "drwho2 group3");
+    serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+    try {
+      serviceAuthorizationManager.authorize(drwho, TestProtocol.class, conf,
+          InetAddress.getByName(ADDRESS));
+    } catch (AuthorizationException e) {
+      fail();
+    }
+    //now set a blocked acl with another user and group that the user belongs to
+    conf.set(ACL_CONFIG + ServiceAuthorizationManager.BLOCKED, "drwho2 group2");
+    serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+    try {
+      serviceAuthorizationManager.authorize(drwho, TestProtocol.class, conf,
+          InetAddress.getByName(ADDRESS));
+      fail();
+    } catch (AuthorizationException e) {
+      //expects Exception
+    }
+    //reset blocked acl so that there is no blocked ACL
+    conf.set(ACL_CONFIG + ServiceAuthorizationManager.BLOCKED, "");
+    serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+    try {
+      serviceAuthorizationManager.authorize(drwho, TestProtocol.class, conf,
+          InetAddress.getByName(ADDRESS));
+    } catch (AuthorizationException e) {
+      fail();
+    }
+  }
+
+  @Test
+  public void testDefaultBlockedAcl() throws UnknownHostException {
+    UserGroupInformation drwho =
+        UserGroupInformation.createUserForTesting("drwho@EXAMPLE.COM",
+            new String[] { "group1", "group2" });
+
+    ServiceAuthorizationManager serviceAuthorizationManager =
+        new ServiceAuthorizationManager();
+    Configuration conf = new Configuration ();
+
+    //test without setting a default blocked acl
+    serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+    try {
+      serviceAuthorizationManager.authorize(drwho, TestProtocol1.class, conf,
+          InetAddress.getByName(ADDRESS));
+    } catch (AuthorizationException e) {
+      fail();
+    }
+
+    //set a restrictive default blocked acl and an non-restricting blocked acl for TestProtocol
+    conf.set(
+        CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL,
+        "user2 group2");
+    conf.set(ACL_CONFIG + ServiceAuthorizationManager.BLOCKED, "user2");
+    serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+    //drwho is authorized to access TestProtocol
+    try {
+      serviceAuthorizationManager.authorize(drwho, TestProtocol.class, conf,
+          InetAddress.getByName(ADDRESS));
+    } catch (AuthorizationException e) {
+      fail();
+    }
+    //drwho is not authorized to access TestProtocol1 because it uses the default blocked acl.
+    try {
+      serviceAuthorizationManager.authorize(drwho, TestProtocol1.class, conf,
+          InetAddress.getByName(ADDRESS));
+      fail();
+    } catch (AuthorizationException e) {
+      //expects Exception
+    }
+  }
+
 }

From b47ad1ccbaf6a75eecfbeddb17e539480a01aab3 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Sun, 17 Aug 2014 17:43:20 +0000
Subject: [PATCH 244/354] HADOOP-10335. An ip whilelist based implementation to
 resolve Sasl properties per connection. (Contributed by Benoy Antony)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618484 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   3 +
 .../security/WhitelistBasedResolver.java      | 149 ++++++++++++
 .../apache/hadoop/util/CacheableIPList.java   |  76 +++++++
 .../hadoop/util/CombinedIPWhiteList.java      |  60 +++++
 .../apache/hadoop/util/FileBasedIPList.java   | 102 +++++++++
 .../java/org/apache/hadoop/util/IPList.java   |  33 +++
 .../org/apache/hadoop/util/MachineList.java   |  13 +-
 .../security/TestWhitelistBasedResolver.java  | 163 +++++++++++++
 .../hadoop/util/TestCacheableIPList.java      | 188 +++++++++++++++
 .../hadoop/util/TestFileBasedIPList.java      | 215 ++++++++++++++++++
 10 files changed, 999 insertions(+), 3 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index d0168c2d5bc..fb0578f7c50 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -524,6 +524,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10650. Add ability to specify a reverse ACL (black list) of users
     and groups. (Benoy Antony via Arpit Agarwal)
 
+    HADOOP-10335. An ip whilelist based implementation to resolve Sasl
+    properties per connection. (Benoy Antony via Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java
new file mode 100644
index 00000000000..dc0815ed768
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java
@@ -0,0 +1,149 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.Map;
+import java.util.TreeMap;
+
+import javax.security.sasl.Sasl;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.SaslPropertiesResolver;
+import org.apache.hadoop.security.SaslRpcServer.QualityOfProtection;
+import org.apache.hadoop.util.CombinedIPWhiteList;
+import org.apache.hadoop.util.StringUtils;
+
+
+/**
+ * An implementation of the SaslPropertiesResolver.
+ * Uses a white list of IPs.
+ * If the connection's IP address is in the list of IP addresses, the salProperties
+ * will be unchanged.
+ * If the connection's IP is not in the list of IP addresses, then QOP for the
+ * connection will be restricted to "hadoop.rpc.protection.non-whitelist"
+ *
+ * Uses 3 IPList implementations together to form an aggregate whitelist.
+ * 1. ConstantIPList - to check against a set of hardcoded IPs
+ * 2. Fixed IP List - to check against a list of IP addresses which are specified externally, but
+ * will not change over runtime.
+ * 3. Variable IP List - to check against a list of IP addresses which are specified externally and
+ * could change during runtime.
+ * A connection IP address will checked against these 3 IP Lists in the order specified above.
+ * Once a match is found , the IP address is determined to be in whitelist.
+ *
+ * The behavior can be configured using a bunch of configuration parameters.
+ *
+ */
+public class WhitelistBasedResolver extends SaslPropertiesResolver {
+  public static final Log LOG = LogFactory.getLog(WhitelistBasedResolver.class);
+
+  private static final String FIXEDWHITELIST_DEFAULT_LOCATION = "/etc/hadoop/fixedwhitelist";
+
+  private static final String VARIABLEWHITELIST_DEFAULT_LOCATION = "/etc/hadoop/whitelist";
+
+  /**
+   * Path to the file to containing subnets and ip addresses to form fixed whitelist.
+   */
+  public static final String HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE =
+    "hadoop.security.sasl.fixedwhitelist.file";
+  /**
+   * Enables/Disables variable whitelist
+   */
+  public static final String HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE =
+    "hadoop.security.sasl.variablewhitelist.enable";
+  /**
+   * Path to the file to containing subnets and ip addresses to form variable whitelist.
+   */
+  public static final String HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE =
+    "hadoop.security.sasl.variablewhitelist.file";
+  /**
+   * time in seconds by which the variable whitelist file is checked for updates
+   */
+  public static final String HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS =
+    "hadoop.security.sasl.variablewhitelist.cache.secs";
+
+  /**
+   * comma separated list containing alternate hadoop.rpc.protection values for
+   * clients which are not in whitelist
+   */
+  public static final String HADOOP_RPC_PROTECTION_NON_WHITELIST =
+    "hadoop.rpc.protection.non-whitelist";
+
+  private CombinedIPWhiteList whiteList;
+
+  private Map<String, String> saslProps;
+
+  @Override
+  public void setConf(Configuration conf) {
+    super.setConf(conf);
+    String fixedFile = conf.get(HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE,
+        FIXEDWHITELIST_DEFAULT_LOCATION);
+    String variableFile = null;
+    long expiryTime = 0;
+
+    if (conf.getBoolean(HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE, false)) {
+      variableFile = conf.get(HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE,
+          VARIABLEWHITELIST_DEFAULT_LOCATION);
+      expiryTime =
+        conf.getLong(HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,3600) * 1000;
+    }
+
+    whiteList = new CombinedIPWhiteList(fixedFile,variableFile,expiryTime);
+
+    this.saslProps = getSaslProperties(conf);
+  }
+
+  /**
+   * Identify the Sasl Properties to be used for a connection with a client.
+   * @param clientAddress client's address
+   * @return the sasl properties to be used for the connection.
+   */
+  @Override
+  public Map<String, String> getServerProperties(InetAddress clientAddress) {
+    if (clientAddress == null) {
+      return saslProps;
+    }
+    return  whiteList.isIn(clientAddress.getHostAddress())?getDefaultProperties():saslProps;
+  }
+
+  public Map<String, String> getServerProperties(String clientAddress) throws UnknownHostException {
+    if (clientAddress == null) {
+      return saslProps;
+    }
+    return getServerProperties(InetAddress.getByName(clientAddress));
+  }
+
+  static Map<String, String> getSaslProperties(Configuration conf) {
+    Map<String, String> saslProps =new TreeMap<String, String>();
+    String[] qop = conf.getStrings(HADOOP_RPC_PROTECTION_NON_WHITELIST,
+        QualityOfProtection.PRIVACY.toString());
+
+    for (int i=0; i < qop.length; i++) {
+      qop[i] = QualityOfProtection.valueOf(qop[i].toUpperCase()).getSaslQop();
+    }
+
+    saslProps.put(Sasl.QOP, StringUtils.join(",", qop));
+    saslProps.put(Sasl.SERVER_AUTH, "true");
+
+    return saslProps;
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java
new file mode 100644
index 00000000000..1343fc6129e
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java
@@ -0,0 +1,76 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+/**
+ * CacheableIPList loads a list of subnets from a file.
+ * The list is cached and the cache can be refreshed by specifying cache timeout.
+ * A negative value of cache timeout disables any caching.
+ *
+ * Thread safe.
+ */
+
+public class CacheableIPList implements IPList {
+  private final long cacheTimeout;
+  private volatile long cacheExpiryTimeStamp;
+  private volatile FileBasedIPList ipList;
+
+  public CacheableIPList(FileBasedIPList ipList, long cacheTimeout) {
+    this.cacheTimeout =  cacheTimeout;
+    this.ipList = ipList;
+    updateCacheExpiryTime();
+  }
+
+  /**
+   * Reloads the ip list
+   */
+  private  void  reset() {
+    ipList = ipList.reload();
+    updateCacheExpiryTime();
+  }
+
+  private void updateCacheExpiryTime() {
+    if (cacheTimeout < 0) {
+      cacheExpiryTimeStamp = -1; // no automatic cache expiry.
+    }else {
+      cacheExpiryTimeStamp = System.currentTimeMillis() + cacheTimeout;
+    }
+  }
+
+  /**
+   * Refreshes the ip list
+   */
+  public  void refresh () {
+    cacheExpiryTimeStamp = 0;
+  }
+
+  @Override
+  public boolean isIn(String ipAddress) {
+    //is cache expired
+    //Uses Double Checked Locking using volatile
+    if (cacheExpiryTimeStamp >= 0 && cacheExpiryTimeStamp < System.currentTimeMillis()) {
+      synchronized(this) {
+        //check if cache expired again
+        if (cacheExpiryTimeStamp < System.currentTimeMillis()) {
+          reset();
+        }
+      }
+    }
+    return ipList.isIn(ipAddress);
+  }
+}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java
new file mode 100644
index 00000000000..d12c4c11d5d
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class CombinedIPWhiteList implements IPList {
+
+  public static final Log LOG = LogFactory.getLog(CombinedIPWhiteList.class);
+  private static final String LOCALHOST_IP = "127.0.0.1";
+
+  private final IPList[] networkLists;
+
+  public CombinedIPWhiteList(String fixedWhiteListFile,
+      String variableWhiteListFile, long cacheExpiryInSeconds) {
+
+    IPList fixedNetworkList = new FileBasedIPList(fixedWhiteListFile);
+    if (variableWhiteListFile != null){
+      IPList variableNetworkList = new CacheableIPList(
+          new FileBasedIPList(variableWhiteListFile),cacheExpiryInSeconds);
+      networkLists = new IPList[] {fixedNetworkList, variableNetworkList};
+    }
+    else {
+      networkLists = new IPList[] {fixedNetworkList};
+    }
+  }
+  @Override
+  public boolean isIn(String ipAddress) {
+    if (ipAddress == null) {
+      throw new IllegalArgumentException("ipAddress is null");
+    }
+
+    if (LOCALHOST_IP.equals(ipAddress)) {
+      return true;
+    }
+
+    for (IPList networkList:networkLists) {
+      if (networkList.isIn(ipAddress)) {
+        return true;
+      }
+    }
+    return false;
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java
new file mode 100644
index 00000000000..8bfb5d93aef
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * FileBasedIPList loads a list of subnets in CIDR format and ip addresses from a file.
+ *
+ * Given an ip address, isIn  method returns true if ip belongs to one of the subnets.
+ *
+ * Thread safe.
+ */
+
+public class FileBasedIPList implements IPList {
+
+  private static final Log LOG = LogFactory.getLog(FileBasedIPList.class);
+
+  private final String fileName;
+  private final MachineList addressList;
+
+  public FileBasedIPList(String fileName) {
+    this.fileName = fileName;
+    String[] lines = readLines(fileName);
+    if (lines != null) {
+      addressList = new MachineList(new HashSet<String>(Arrays.asList(lines)));
+    } else {
+      addressList = null;
+    }
+  }
+
+  public FileBasedIPList reload() {
+    return new FileBasedIPList(fileName);
+  }
+
+  @Override
+  public  boolean isIn(String ipAddress) {
+    if (ipAddress == null || addressList == null) {
+      return false;
+    }
+    return addressList.includes(ipAddress);
+  }
+
+  /**
+   * reads the lines in a file.
+   * @param fileName
+   * @return lines in a String array; null if the file does not exist or if the
+   * file name is null
+   * @throws IOException
+   */
+  private static String[] readLines(String fileName) {
+    try {
+      if (fileName != null) {
+        File file = new File (fileName);
+        if (file.exists()) {
+          FileReader fileReader = new FileReader(file);
+          BufferedReader bufferedReader = new BufferedReader(fileReader);
+          List<String> lines = new ArrayList<String>();
+          String line = null;
+          while ((line = bufferedReader.readLine()) != null) {
+            lines.add(line);
+          }
+          bufferedReader.close();
+          LOG.debug("Loaded IP list of size = " + lines.size() +" from file = " + fileName);
+          return(lines.toArray(new String[lines.size()]));
+        }
+        else {
+          LOG.debug("Missing ip list file : "+ fileName);
+        }
+      }
+    }
+    catch (Throwable t) {
+      LOG.error(t);
+    }
+    return null;
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java
new file mode 100644
index 00000000000..3a2616376fb
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+@InterfaceStability.Unstable
+@InterfaceAudience.Public
+public interface IPList {
+
+  /**
+   * returns true if the ipAddress is in the IPList.
+   * @param ipAddress
+   * @return boolean value indicating whether the ipAddress is in the IPList
+   */
+  public abstract boolean isIn(String ipAddress);
+}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
index 7f2e2c8de7e..d1a0870f679 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
@@ -37,7 +37,7 @@
 /**
  * Container class which holds a list of ip/host addresses and 
  * answers membership queries.
- * .
+ *
  * Accepts list of ip addresses, ip addreses in CIDR format and/or 
  * host addresses.
  */
@@ -71,8 +71,15 @@ public InetAddress getByName (String host) throws UnknownHostException {
    * @param hostEntries comma separated ip/cidr/host addresses
    */
   public MachineList(String hostEntries) {
-    this(StringUtils.getTrimmedStringCollection(hostEntries),
-        InetAddressFactory.S_INSTANCE);
+    this(StringUtils.getTrimmedStringCollection(hostEntries));
+  }
+
+  /**
+   *
+   * @param hostEntries collection of separated ip/cidr/host addresses
+   */
+  public MachineList(Collection<String> hostEntries) {
+    this(hostEntries, InetAddressFactory.S_INSTANCE);
   }
 
   /**
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java
new file mode 100644
index 00000000000..684ef3bf17a
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java
@@ -0,0 +1,163 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.util.Map;
+
+import junit.framework.TestCase;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.WhitelistBasedResolver;
+import org.apache.hadoop.util.TestFileBasedIPList;
+
+public class TestWhitelistBasedResolver extends TestCase {
+
+  public static final Map<String, String> SASL_PRIVACY_PROPS =
+    WhitelistBasedResolver.getSaslProperties(new Configuration());
+
+  public void testFixedVariableAndLocalWhiteList() throws IOException {
+
+    String[] fixedIps = {"10.119.103.112", "10.221.102.0/23"};
+
+    TestFileBasedIPList.createFileWithEntries ("fixedwhitelist.txt", fixedIps);
+
+    String[] variableIps = {"10.222.0.0/16", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("variablewhitelist.txt", variableIps);
+
+    Configuration conf = new Configuration();
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE ,
+        "fixedwhitelist.txt");
+
+    conf.setBoolean(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE,
+        true);
+
+    conf.setLong(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,
+        1);
+
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE ,
+        "variablewhitelist.txt");
+
+    WhitelistBasedResolver wqr = new WhitelistBasedResolver ();
+    wqr.setConf(conf);
+
+    assertEquals (wqr.getDefaultProperties(),
+        wqr.getServerProperties(InetAddress.getByName("10.119.103.112")));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.119.103.113"));
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.221.103.121"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.221.104.0"));
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.222.103.121"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.223.104.0"));
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.113.221.221"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.113.221.222"));
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("127.0.0.1"));
+
+    TestFileBasedIPList.removeFile("fixedwhitelist.txt");
+    TestFileBasedIPList.removeFile("variablewhitelist.txt");
+  }
+
+
+  /**
+   * Add a bunch of subnets and IPSs to the whitelist
+   * Check  for inclusion in whitelist
+   * Check for exclusion from whitelist
+   */
+  public void testFixedAndLocalWhiteList() throws IOException {
+
+    String[] fixedIps = {"10.119.103.112", "10.221.102.0/23"};
+
+    TestFileBasedIPList.createFileWithEntries ("fixedwhitelist.txt", fixedIps);
+
+    String[] variableIps = {"10.222.0.0/16", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("variablewhitelist.txt", variableIps);
+
+    Configuration conf = new Configuration();
+
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE ,
+        "fixedwhitelist.txt");
+
+    conf.setBoolean(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE,
+        false);
+
+    conf.setLong(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,
+        100);
+
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE ,
+        "variablewhitelist.txt");
+
+    WhitelistBasedResolver wqr = new WhitelistBasedResolver();
+    wqr.setConf(conf);
+
+    assertEquals (wqr.getDefaultProperties(),
+        wqr.getServerProperties(InetAddress.getByName("10.119.103.112")));
+
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.119.103.113"));
+
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.221.103.121"));
+
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.221.104.0"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.222.103.121"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.223.104.0"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.113.221.221"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.113.221.222"));
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("127.0.0.1"));;
+
+    TestFileBasedIPList.removeFile("fixedwhitelist.txt");
+    TestFileBasedIPList.removeFile("variablewhitelist.txt");
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the whitelist
+   * Check  for inclusion in whitelist with a null value
+   */
+  public void testNullIPAddress() throws IOException {
+
+    String[] fixedIps = {"10.119.103.112", "10.221.102.0/23"};
+
+    TestFileBasedIPList.createFileWithEntries ("fixedwhitelist.txt", fixedIps);
+
+    String[] variableIps = {"10.222.0.0/16", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("variablewhitelist.txt", variableIps);
+
+    Configuration conf = new Configuration();
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE ,
+        "fixedwhitelist.txt");
+
+    conf.setBoolean(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE,
+        true);
+
+    conf.setLong(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,
+        100);
+
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE ,
+        "variablewhitelist.txt");
+
+    WhitelistBasedResolver wqr = new WhitelistBasedResolver();
+    wqr.setConf(conf);
+
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties((InetAddress)null));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties((String)null));
+
+    TestFileBasedIPList.removeFile("fixedwhitelist.txt");
+    TestFileBasedIPList.removeFile("variablewhitelist.txt");
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java
new file mode 100644
index 00000000000..3289d786c13
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java
@@ -0,0 +1,188 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+import java.io.IOException;
+
+import org.apache.hadoop.util.CacheableIPList;
+import org.apache.hadoop.util.FileBasedIPList;
+
+
+import junit.framework.TestCase;
+
+public class TestCacheableIPList extends TestCase {
+
+  /**
+   * Add a bunch of subnets and IPSs to the file
+   * setup a low cache refresh
+   * test for inclusion
+   * Check for exclusion
+   * Add a bunch of subnets and Ips
+   * wait for cache timeout.
+   * test for inclusion
+   * Check for exclusion
+   */
+  public void testAddWithSleepForCacheTimeout() throws IOException, InterruptedException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
+
+    CacheableIPList cipl = new CacheableIPList(
+        new FileBasedIPList("ips.txt"),100);
+
+    assertFalse("10.113.221.222 is in the list",
+        cipl.isIn("10.113.221.222"));
+    assertFalse ("10.222.103.121 is  in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+    String[]ips2 = {"10.119.103.112", "10.221.102.0/23",
+        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
+    Thread.sleep(101);
+
+    assertTrue("10.113.221.222 is not in the list",
+        cipl.isIn("10.113.221.222"));
+    assertTrue ("10.222.103.121 is not in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the file
+   * setup a low cache refresh
+   * test for inclusion
+   * Check for exclusion
+   * Remove a bunch of subnets and Ips
+   * wait for cache timeout.
+   * test for inclusion
+   * Check for exclusion
+   */
+  public void testRemovalWithSleepForCacheTimeout() throws IOException, InterruptedException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23",
+        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
+
+    CacheableIPList cipl = new CacheableIPList(
+        new FileBasedIPList("ips.txt"),100);
+
+    assertTrue("10.113.221.222 is not in the list",
+        cipl.isIn("10.113.221.222"));
+    assertTrue ("10.222.103.121 is not in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+    String[]ips2 = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
+    Thread.sleep(1005);
+
+    assertFalse("10.113.221.222 is in the list",
+        cipl.isIn("10.113.221.222"));
+    assertFalse ("10.222.103.121 is  in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the file
+   * setup a low cache refresh
+   * test for inclusion
+   * Check for exclusion
+   * Add a bunch of subnets and Ips
+   * do a refresh
+   * test for inclusion
+   * Check for exclusion
+   */
+  public void testAddWithRefresh() throws IOException, InterruptedException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
+
+    CacheableIPList cipl = new CacheableIPList(
+        new FileBasedIPList("ips.txt"),100);
+
+    assertFalse("10.113.221.222 is in the list",
+        cipl.isIn("10.113.221.222"));
+    assertFalse ("10.222.103.121 is  in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+    String[]ips2 = {"10.119.103.112", "10.221.102.0/23",
+        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
+    cipl.refresh();
+
+    assertTrue("10.113.221.222 is not in the list",
+        cipl.isIn("10.113.221.222"));
+    assertTrue ("10.222.103.121 is not in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the file
+   * setup a low cache refresh
+   * test for inclusion
+   * Check for exclusion
+   * Remove a bunch of subnets and Ips
+   * wait for cache timeout.
+   * test for inclusion
+   * Check for exclusion
+   */
+  public void testRemovalWithRefresh() throws IOException, InterruptedException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23",
+        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
+
+    CacheableIPList cipl = new CacheableIPList(
+        new FileBasedIPList("ips.txt"),100);
+
+    assertTrue("10.113.221.222 is not in the list",
+        cipl.isIn("10.113.221.222"));
+    assertTrue ("10.222.103.121 is not in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+    String[]ips2 = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
+    cipl.refresh();
+
+    assertFalse("10.113.221.222 is in the list",
+        cipl.isIn("10.113.221.222"));
+    assertFalse ("10.222.103.121 is  in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+  }
+
+
+
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java
new file mode 100644
index 00000000000..0e79fd1bbab
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java
@@ -0,0 +1,215 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.util.FileBasedIPList;
+import org.apache.hadoop.util.IPList;
+import org.junit.After;
+import org.junit.Test;
+
+import junit.framework.TestCase;
+
+public class TestFileBasedIPList extends TestCase {
+
+  @After
+  public void tearDown() {
+    removeFile("ips.txt");
+  }
+
+  /**
+   * Add a bunch of IPS  to the file
+   * Check  for inclusion
+   * Check for exclusion
+   */
+  @Test
+  public void testSubnetsAndIPs() throws IOException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23"};
+
+    createFileWithEntries ("ips.txt", ips);
+
+    IPList ipList = new FileBasedIPList("ips.txt");
+
+    assertTrue ("10.119.103.112 is not in the list",
+        ipList.isIn("10.119.103.112"));
+    assertFalse ("10.119.103.113 is in the list",
+        ipList.isIn("10.119.103.113"));
+
+    assertTrue ("10.221.102.0 is not in the list",
+        ipList.isIn("10.221.102.0"));
+    assertTrue ("10.221.102.1 is not in the list",
+        ipList.isIn("10.221.102.1"));
+    assertTrue ("10.221.103.1 is not in the list",
+        ipList.isIn("10.221.103.1"));
+    assertTrue ("10.221.103.255 is not in the list",
+        ipList.isIn("10.221.103.255"));
+    assertFalse("10.221.104.0 is in the list",
+        ipList.isIn("10.221.104.0"));
+    assertFalse("10.221.104.1 is in the list",
+        ipList.isIn("10.221.104.1"));
+  }
+
+  /**
+   * Add a bunch of IPS  to the file
+   * Check  for inclusion
+   * Check for exclusion
+   */
+  @Test
+  public void testNullIP() throws IOException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23"};
+    createFileWithEntries ("ips.txt", ips);
+
+    IPList ipList = new FileBasedIPList("ips.txt");
+
+    assertFalse ("Null Ip is in the list",
+        ipList.isIn(null));
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the file
+   * Check  for inclusion
+   * Check for exclusion
+   */
+  @Test
+  public void testWithMultipleSubnetAndIPs() throws IOException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23", "10.222.0.0/16",
+    "10.113.221.221"};
+
+    createFileWithEntries ("ips.txt", ips);
+
+    IPList ipList = new FileBasedIPList("ips.txt");
+
+    assertTrue ("10.119.103.112 is not in the list",
+        ipList.isIn("10.119.103.112"));
+    assertFalse ("10.119.103.113 is in the list",
+        ipList.isIn("10.119.103.113"));
+
+    assertTrue ("10.221.103.121 is not in the list",
+        ipList.isIn("10.221.103.121"));
+    assertFalse("10.221.104.0 is in the list",
+        ipList.isIn("10.221.104.0"));
+
+    assertTrue ("10.222.103.121 is not in the list",
+        ipList.isIn("10.222.103.121"));
+    assertFalse("10.223.104.0 is in the list",
+        ipList.isIn("10.223.104.0"));
+
+    assertTrue ("10.113.221.221 is not in the list",
+        ipList.isIn("10.113.221.221"));
+    assertFalse("10.113.221.222 is in the list",
+        ipList.isIn("10.113.221.222"));
+  }
+
+  /**
+   * Do not specify the file
+   * test for inclusion
+   * should be true as if the feature is turned off
+   */
+  public void testFileNotSpecified() {
+
+    IPList ipl = new FileBasedIPList(null);
+
+    assertFalse("110.113.221.222 is in the list",
+        ipl.isIn("110.113.221.222"));
+  }
+
+  /**
+   * Specify a non existent file
+   * test for inclusion
+   * should be true as if the feature is turned off
+   */
+  public void testFileMissing() {
+
+    IPList ipl = new FileBasedIPList("missingips.txt");
+
+    assertFalse("110.113.221.222 is in the list",
+        ipl.isIn("110.113.221.222"));
+  }
+
+  /**
+   * Specify an existing file, but empty
+   * test for inclusion
+   * should be true as if the feature is turned off
+   */
+  public void testWithEmptyList() throws IOException {
+    String[] ips = {};
+
+    createFileWithEntries ("ips.txt", ips);
+    IPList ipl = new FileBasedIPList("ips.txt");
+
+    assertFalse("110.113.221.222 is in the list",
+        ipl.isIn("110.113.221.222"));
+  }
+
+  /**
+   * Specify an existing file, but ips in wrong format
+   * test for inclusion
+   * should be true as if the feature is turned off
+   */
+  public void testForBadFIle() throws IOException {
+    String[] ips = { "10.221.102/23"};
+
+    createFileWithEntries ("ips.txt", ips);
+
+    try {
+      new FileBasedIPList("ips.txt");
+     fail();
+     } catch (Exception e) {
+       //expects Exception
+     }
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the file. Keep one entry wrong.
+   * The good entries will still be used.
+   * Check  for inclusion with good entries
+   * Check for exclusion
+   */
+  public void testWithAWrongEntry() throws IOException {
+
+    String[] ips = {"10.119.103.112", "10.221.102/23", "10.221.204.1/23"};
+
+    createFileWithEntries ("ips.txt", ips);
+
+    try {
+     new FileBasedIPList("ips.txt");
+    fail();
+    } catch (Exception e) {
+      //expects Exception
+    }
+  }
+
+  public static void createFileWithEntries(String fileName, String[] ips)
+      throws IOException {
+    FileUtils.writeLines(new File(fileName), Arrays.asList(ips));
+  }
+
+  public static void removeFile(String fileName) {
+    File file  = new File(fileName);
+    if (file.exists()) {
+      new File(fileName).delete();
+    }
+  }
+}

From 48505679c03f953fd045cc8077e210ef191c51dd Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Sun, 17 Aug 2014 17:47:18 +0000
Subject: [PATCH 245/354] HADOOP-10335. Undo checkin to resolve test build
 issue.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618487 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   3 -
 .../security/WhitelistBasedResolver.java      | 149 ------------
 .../apache/hadoop/util/CacheableIPList.java   |  76 -------
 .../hadoop/util/CombinedIPWhiteList.java      |  60 -----
 .../apache/hadoop/util/FileBasedIPList.java   | 102 ---------
 .../java/org/apache/hadoop/util/IPList.java   |  33 ---
 .../org/apache/hadoop/util/MachineList.java   |  13 +-
 .../security/TestWhitelistBasedResolver.java  | 163 -------------
 .../hadoop/util/TestCacheableIPList.java      | 188 ---------------
 .../hadoop/util/TestFileBasedIPList.java      | 215 ------------------
 10 files changed, 3 insertions(+), 999 deletions(-)
 delete mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java
 delete mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java
 delete mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java
 delete mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java
 delete mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java
 delete mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java
 delete mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java
 delete mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index fb0578f7c50..d0168c2d5bc 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -524,9 +524,6 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10650. Add ability to specify a reverse ACL (black list) of users
     and groups. (Benoy Antony via Arpit Agarwal)
 
-    HADOOP-10335. An ip whilelist based implementation to resolve Sasl
-    properties per connection. (Benoy Antony via Arpit Agarwal)
-
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java
deleted file mode 100644
index dc0815ed768..00000000000
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java
+++ /dev/null
@@ -1,149 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.security;
-
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.util.Map;
-import java.util.TreeMap;
-
-import javax.security.sasl.Sasl;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.SaslPropertiesResolver;
-import org.apache.hadoop.security.SaslRpcServer.QualityOfProtection;
-import org.apache.hadoop.util.CombinedIPWhiteList;
-import org.apache.hadoop.util.StringUtils;
-
-
-/**
- * An implementation of the SaslPropertiesResolver.
- * Uses a white list of IPs.
- * If the connection's IP address is in the list of IP addresses, the salProperties
- * will be unchanged.
- * If the connection's IP is not in the list of IP addresses, then QOP for the
- * connection will be restricted to "hadoop.rpc.protection.non-whitelist"
- *
- * Uses 3 IPList implementations together to form an aggregate whitelist.
- * 1. ConstantIPList - to check against a set of hardcoded IPs
- * 2. Fixed IP List - to check against a list of IP addresses which are specified externally, but
- * will not change over runtime.
- * 3. Variable IP List - to check against a list of IP addresses which are specified externally and
- * could change during runtime.
- * A connection IP address will checked against these 3 IP Lists in the order specified above.
- * Once a match is found , the IP address is determined to be in whitelist.
- *
- * The behavior can be configured using a bunch of configuration parameters.
- *
- */
-public class WhitelistBasedResolver extends SaslPropertiesResolver {
-  public static final Log LOG = LogFactory.getLog(WhitelistBasedResolver.class);
-
-  private static final String FIXEDWHITELIST_DEFAULT_LOCATION = "/etc/hadoop/fixedwhitelist";
-
-  private static final String VARIABLEWHITELIST_DEFAULT_LOCATION = "/etc/hadoop/whitelist";
-
-  /**
-   * Path to the file to containing subnets and ip addresses to form fixed whitelist.
-   */
-  public static final String HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE =
-    "hadoop.security.sasl.fixedwhitelist.file";
-  /**
-   * Enables/Disables variable whitelist
-   */
-  public static final String HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE =
-    "hadoop.security.sasl.variablewhitelist.enable";
-  /**
-   * Path to the file to containing subnets and ip addresses to form variable whitelist.
-   */
-  public static final String HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE =
-    "hadoop.security.sasl.variablewhitelist.file";
-  /**
-   * time in seconds by which the variable whitelist file is checked for updates
-   */
-  public static final String HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS =
-    "hadoop.security.sasl.variablewhitelist.cache.secs";
-
-  /**
-   * comma separated list containing alternate hadoop.rpc.protection values for
-   * clients which are not in whitelist
-   */
-  public static final String HADOOP_RPC_PROTECTION_NON_WHITELIST =
-    "hadoop.rpc.protection.non-whitelist";
-
-  private CombinedIPWhiteList whiteList;
-
-  private Map<String, String> saslProps;
-
-  @Override
-  public void setConf(Configuration conf) {
-    super.setConf(conf);
-    String fixedFile = conf.get(HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE,
-        FIXEDWHITELIST_DEFAULT_LOCATION);
-    String variableFile = null;
-    long expiryTime = 0;
-
-    if (conf.getBoolean(HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE, false)) {
-      variableFile = conf.get(HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE,
-          VARIABLEWHITELIST_DEFAULT_LOCATION);
-      expiryTime =
-        conf.getLong(HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,3600) * 1000;
-    }
-
-    whiteList = new CombinedIPWhiteList(fixedFile,variableFile,expiryTime);
-
-    this.saslProps = getSaslProperties(conf);
-  }
-
-  /**
-   * Identify the Sasl Properties to be used for a connection with a client.
-   * @param clientAddress client's address
-   * @return the sasl properties to be used for the connection.
-   */
-  @Override
-  public Map<String, String> getServerProperties(InetAddress clientAddress) {
-    if (clientAddress == null) {
-      return saslProps;
-    }
-    return  whiteList.isIn(clientAddress.getHostAddress())?getDefaultProperties():saslProps;
-  }
-
-  public Map<String, String> getServerProperties(String clientAddress) throws UnknownHostException {
-    if (clientAddress == null) {
-      return saslProps;
-    }
-    return getServerProperties(InetAddress.getByName(clientAddress));
-  }
-
-  static Map<String, String> getSaslProperties(Configuration conf) {
-    Map<String, String> saslProps =new TreeMap<String, String>();
-    String[] qop = conf.getStrings(HADOOP_RPC_PROTECTION_NON_WHITELIST,
-        QualityOfProtection.PRIVACY.toString());
-
-    for (int i=0; i < qop.length; i++) {
-      qop[i] = QualityOfProtection.valueOf(qop[i].toUpperCase()).getSaslQop();
-    }
-
-    saslProps.put(Sasl.QOP, StringUtils.join(",", qop));
-    saslProps.put(Sasl.SERVER_AUTH, "true");
-
-    return saslProps;
-  }
-}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java
deleted file mode 100644
index 1343fc6129e..00000000000
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.util;
-
-/**
- * CacheableIPList loads a list of subnets from a file.
- * The list is cached and the cache can be refreshed by specifying cache timeout.
- * A negative value of cache timeout disables any caching.
- *
- * Thread safe.
- */
-
-public class CacheableIPList implements IPList {
-  private final long cacheTimeout;
-  private volatile long cacheExpiryTimeStamp;
-  private volatile FileBasedIPList ipList;
-
-  public CacheableIPList(FileBasedIPList ipList, long cacheTimeout) {
-    this.cacheTimeout =  cacheTimeout;
-    this.ipList = ipList;
-    updateCacheExpiryTime();
-  }
-
-  /**
-   * Reloads the ip list
-   */
-  private  void  reset() {
-    ipList = ipList.reload();
-    updateCacheExpiryTime();
-  }
-
-  private void updateCacheExpiryTime() {
-    if (cacheTimeout < 0) {
-      cacheExpiryTimeStamp = -1; // no automatic cache expiry.
-    }else {
-      cacheExpiryTimeStamp = System.currentTimeMillis() + cacheTimeout;
-    }
-  }
-
-  /**
-   * Refreshes the ip list
-   */
-  public  void refresh () {
-    cacheExpiryTimeStamp = 0;
-  }
-
-  @Override
-  public boolean isIn(String ipAddress) {
-    //is cache expired
-    //Uses Double Checked Locking using volatile
-    if (cacheExpiryTimeStamp >= 0 && cacheExpiryTimeStamp < System.currentTimeMillis()) {
-      synchronized(this) {
-        //check if cache expired again
-        if (cacheExpiryTimeStamp < System.currentTimeMillis()) {
-          reset();
-        }
-      }
-    }
-    return ipList.isIn(ipAddress);
-  }
-}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java
deleted file mode 100644
index d12c4c11d5d..00000000000
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.util;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-public class CombinedIPWhiteList implements IPList {
-
-  public static final Log LOG = LogFactory.getLog(CombinedIPWhiteList.class);
-  private static final String LOCALHOST_IP = "127.0.0.1";
-
-  private final IPList[] networkLists;
-
-  public CombinedIPWhiteList(String fixedWhiteListFile,
-      String variableWhiteListFile, long cacheExpiryInSeconds) {
-
-    IPList fixedNetworkList = new FileBasedIPList(fixedWhiteListFile);
-    if (variableWhiteListFile != null){
-      IPList variableNetworkList = new CacheableIPList(
-          new FileBasedIPList(variableWhiteListFile),cacheExpiryInSeconds);
-      networkLists = new IPList[] {fixedNetworkList, variableNetworkList};
-    }
-    else {
-      networkLists = new IPList[] {fixedNetworkList};
-    }
-  }
-  @Override
-  public boolean isIn(String ipAddress) {
-    if (ipAddress == null) {
-      throw new IllegalArgumentException("ipAddress is null");
-    }
-
-    if (LOCALHOST_IP.equals(ipAddress)) {
-      return true;
-    }
-
-    for (IPList networkList:networkLists) {
-      if (networkList.isIn(ipAddress)) {
-        return true;
-      }
-    }
-    return false;
-  }
-}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java
deleted file mode 100644
index 8bfb5d93aef..00000000000
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java
+++ /dev/null
@@ -1,102 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.util;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileReader;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.List;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-/**
- * FileBasedIPList loads a list of subnets in CIDR format and ip addresses from a file.
- *
- * Given an ip address, isIn  method returns true if ip belongs to one of the subnets.
- *
- * Thread safe.
- */
-
-public class FileBasedIPList implements IPList {
-
-  private static final Log LOG = LogFactory.getLog(FileBasedIPList.class);
-
-  private final String fileName;
-  private final MachineList addressList;
-
-  public FileBasedIPList(String fileName) {
-    this.fileName = fileName;
-    String[] lines = readLines(fileName);
-    if (lines != null) {
-      addressList = new MachineList(new HashSet<String>(Arrays.asList(lines)));
-    } else {
-      addressList = null;
-    }
-  }
-
-  public FileBasedIPList reload() {
-    return new FileBasedIPList(fileName);
-  }
-
-  @Override
-  public  boolean isIn(String ipAddress) {
-    if (ipAddress == null || addressList == null) {
-      return false;
-    }
-    return addressList.includes(ipAddress);
-  }
-
-  /**
-   * reads the lines in a file.
-   * @param fileName
-   * @return lines in a String array; null if the file does not exist or if the
-   * file name is null
-   * @throws IOException
-   */
-  private static String[] readLines(String fileName) {
-    try {
-      if (fileName != null) {
-        File file = new File (fileName);
-        if (file.exists()) {
-          FileReader fileReader = new FileReader(file);
-          BufferedReader bufferedReader = new BufferedReader(fileReader);
-          List<String> lines = new ArrayList<String>();
-          String line = null;
-          while ((line = bufferedReader.readLine()) != null) {
-            lines.add(line);
-          }
-          bufferedReader.close();
-          LOG.debug("Loaded IP list of size = " + lines.size() +" from file = " + fileName);
-          return(lines.toArray(new String[lines.size()]));
-        }
-        else {
-          LOG.debug("Missing ip list file : "+ fileName);
-        }
-      }
-    }
-    catch (Throwable t) {
-      LOG.error(t);
-    }
-    return null;
-  }
-}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java
deleted file mode 100644
index 3a2616376fb..00000000000
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.util;
-
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.classification.InterfaceStability;
-
-@InterfaceStability.Unstable
-@InterfaceAudience.Public
-public interface IPList {
-
-  /**
-   * returns true if the ipAddress is in the IPList.
-   * @param ipAddress
-   * @return boolean value indicating whether the ipAddress is in the IPList
-   */
-  public abstract boolean isIn(String ipAddress);
-}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
index d1a0870f679..7f2e2c8de7e 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
@@ -37,7 +37,7 @@
 /**
  * Container class which holds a list of ip/host addresses and 
  * answers membership queries.
- *
+ * .
  * Accepts list of ip addresses, ip addreses in CIDR format and/or 
  * host addresses.
  */
@@ -71,15 +71,8 @@ public InetAddress getByName (String host) throws UnknownHostException {
    * @param hostEntries comma separated ip/cidr/host addresses
    */
   public MachineList(String hostEntries) {
-    this(StringUtils.getTrimmedStringCollection(hostEntries));
-  }
-
-  /**
-   *
-   * @param hostEntries collection of separated ip/cidr/host addresses
-   */
-  public MachineList(Collection<String> hostEntries) {
-    this(hostEntries, InetAddressFactory.S_INSTANCE);
+    this(StringUtils.getTrimmedStringCollection(hostEntries),
+        InetAddressFactory.S_INSTANCE);
   }
 
   /**
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java
deleted file mode 100644
index 684ef3bf17a..00000000000
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java
+++ /dev/null
@@ -1,163 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.security;
-
-import java.io.IOException;
-import java.net.InetAddress;
-import java.util.Map;
-
-import junit.framework.TestCase;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.WhitelistBasedResolver;
-import org.apache.hadoop.util.TestFileBasedIPList;
-
-public class TestWhitelistBasedResolver extends TestCase {
-
-  public static final Map<String, String> SASL_PRIVACY_PROPS =
-    WhitelistBasedResolver.getSaslProperties(new Configuration());
-
-  public void testFixedVariableAndLocalWhiteList() throws IOException {
-
-    String[] fixedIps = {"10.119.103.112", "10.221.102.0/23"};
-
-    TestFileBasedIPList.createFileWithEntries ("fixedwhitelist.txt", fixedIps);
-
-    String[] variableIps = {"10.222.0.0/16", "10.113.221.221"};
-
-    TestFileBasedIPList.createFileWithEntries ("variablewhitelist.txt", variableIps);
-
-    Configuration conf = new Configuration();
-    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE ,
-        "fixedwhitelist.txt");
-
-    conf.setBoolean(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE,
-        true);
-
-    conf.setLong(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,
-        1);
-
-    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE ,
-        "variablewhitelist.txt");
-
-    WhitelistBasedResolver wqr = new WhitelistBasedResolver ();
-    wqr.setConf(conf);
-
-    assertEquals (wqr.getDefaultProperties(),
-        wqr.getServerProperties(InetAddress.getByName("10.119.103.112")));
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.119.103.113"));
-    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.221.103.121"));
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.221.104.0"));
-    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.222.103.121"));
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.223.104.0"));
-    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.113.221.221"));
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.113.221.222"));
-    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("127.0.0.1"));
-
-    TestFileBasedIPList.removeFile("fixedwhitelist.txt");
-    TestFileBasedIPList.removeFile("variablewhitelist.txt");
-  }
-
-
-  /**
-   * Add a bunch of subnets and IPSs to the whitelist
-   * Check  for inclusion in whitelist
-   * Check for exclusion from whitelist
-   */
-  public void testFixedAndLocalWhiteList() throws IOException {
-
-    String[] fixedIps = {"10.119.103.112", "10.221.102.0/23"};
-
-    TestFileBasedIPList.createFileWithEntries ("fixedwhitelist.txt", fixedIps);
-
-    String[] variableIps = {"10.222.0.0/16", "10.113.221.221"};
-
-    TestFileBasedIPList.createFileWithEntries ("variablewhitelist.txt", variableIps);
-
-    Configuration conf = new Configuration();
-
-    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE ,
-        "fixedwhitelist.txt");
-
-    conf.setBoolean(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE,
-        false);
-
-    conf.setLong(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,
-        100);
-
-    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE ,
-        "variablewhitelist.txt");
-
-    WhitelistBasedResolver wqr = new WhitelistBasedResolver();
-    wqr.setConf(conf);
-
-    assertEquals (wqr.getDefaultProperties(),
-        wqr.getServerProperties(InetAddress.getByName("10.119.103.112")));
-
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.119.103.113"));
-
-    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.221.103.121"));
-
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.221.104.0"));
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.222.103.121"));
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.223.104.0"));
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.113.221.221"));
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.113.221.222"));
-    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("127.0.0.1"));;
-
-    TestFileBasedIPList.removeFile("fixedwhitelist.txt");
-    TestFileBasedIPList.removeFile("variablewhitelist.txt");
-  }
-
-  /**
-   * Add a bunch of subnets and IPSs to the whitelist
-   * Check  for inclusion in whitelist with a null value
-   */
-  public void testNullIPAddress() throws IOException {
-
-    String[] fixedIps = {"10.119.103.112", "10.221.102.0/23"};
-
-    TestFileBasedIPList.createFileWithEntries ("fixedwhitelist.txt", fixedIps);
-
-    String[] variableIps = {"10.222.0.0/16", "10.113.221.221"};
-
-    TestFileBasedIPList.createFileWithEntries ("variablewhitelist.txt", variableIps);
-
-    Configuration conf = new Configuration();
-    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE ,
-        "fixedwhitelist.txt");
-
-    conf.setBoolean(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE,
-        true);
-
-    conf.setLong(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,
-        100);
-
-    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE ,
-        "variablewhitelist.txt");
-
-    WhitelistBasedResolver wqr = new WhitelistBasedResolver();
-    wqr.setConf(conf);
-
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties((InetAddress)null));
-    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties((String)null));
-
-    TestFileBasedIPList.removeFile("fixedwhitelist.txt");
-    TestFileBasedIPList.removeFile("variablewhitelist.txt");
-  }
-}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java
deleted file mode 100644
index 3289d786c13..00000000000
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java
+++ /dev/null
@@ -1,188 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.util;
-
-import java.io.IOException;
-
-import org.apache.hadoop.util.CacheableIPList;
-import org.apache.hadoop.util.FileBasedIPList;
-
-
-import junit.framework.TestCase;
-
-public class TestCacheableIPList extends TestCase {
-
-  /**
-   * Add a bunch of subnets and IPSs to the file
-   * setup a low cache refresh
-   * test for inclusion
-   * Check for exclusion
-   * Add a bunch of subnets and Ips
-   * wait for cache timeout.
-   * test for inclusion
-   * Check for exclusion
-   */
-  public void testAddWithSleepForCacheTimeout() throws IOException, InterruptedException {
-
-    String[] ips = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
-
-    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
-
-    CacheableIPList cipl = new CacheableIPList(
-        new FileBasedIPList("ips.txt"),100);
-
-    assertFalse("10.113.221.222 is in the list",
-        cipl.isIn("10.113.221.222"));
-    assertFalse ("10.222.103.121 is  in the list",
-        cipl.isIn("10.222.103.121"));
-
-    TestFileBasedIPList.removeFile("ips.txt");
-    String[]ips2 = {"10.119.103.112", "10.221.102.0/23",
-        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
-
-    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
-    Thread.sleep(101);
-
-    assertTrue("10.113.221.222 is not in the list",
-        cipl.isIn("10.113.221.222"));
-    assertTrue ("10.222.103.121 is not in the list",
-        cipl.isIn("10.222.103.121"));
-
-    TestFileBasedIPList.removeFile("ips.txt");
-  }
-
-  /**
-   * Add a bunch of subnets and IPSs to the file
-   * setup a low cache refresh
-   * test for inclusion
-   * Check for exclusion
-   * Remove a bunch of subnets and Ips
-   * wait for cache timeout.
-   * test for inclusion
-   * Check for exclusion
-   */
-  public void testRemovalWithSleepForCacheTimeout() throws IOException, InterruptedException {
-
-    String[] ips = {"10.119.103.112", "10.221.102.0/23",
-        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
-
-    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
-
-    CacheableIPList cipl = new CacheableIPList(
-        new FileBasedIPList("ips.txt"),100);
-
-    assertTrue("10.113.221.222 is not in the list",
-        cipl.isIn("10.113.221.222"));
-    assertTrue ("10.222.103.121 is not in the list",
-        cipl.isIn("10.222.103.121"));
-
-    TestFileBasedIPList.removeFile("ips.txt");
-    String[]ips2 = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
-
-    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
-    Thread.sleep(1005);
-
-    assertFalse("10.113.221.222 is in the list",
-        cipl.isIn("10.113.221.222"));
-    assertFalse ("10.222.103.121 is  in the list",
-        cipl.isIn("10.222.103.121"));
-
-    TestFileBasedIPList.removeFile("ips.txt");
-  }
-
-  /**
-   * Add a bunch of subnets and IPSs to the file
-   * setup a low cache refresh
-   * test for inclusion
-   * Check for exclusion
-   * Add a bunch of subnets and Ips
-   * do a refresh
-   * test for inclusion
-   * Check for exclusion
-   */
-  public void testAddWithRefresh() throws IOException, InterruptedException {
-
-    String[] ips = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
-
-    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
-
-    CacheableIPList cipl = new CacheableIPList(
-        new FileBasedIPList("ips.txt"),100);
-
-    assertFalse("10.113.221.222 is in the list",
-        cipl.isIn("10.113.221.222"));
-    assertFalse ("10.222.103.121 is  in the list",
-        cipl.isIn("10.222.103.121"));
-
-    TestFileBasedIPList.removeFile("ips.txt");
-    String[]ips2 = {"10.119.103.112", "10.221.102.0/23",
-        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
-
-    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
-    cipl.refresh();
-
-    assertTrue("10.113.221.222 is not in the list",
-        cipl.isIn("10.113.221.222"));
-    assertTrue ("10.222.103.121 is not in the list",
-        cipl.isIn("10.222.103.121"));
-
-    TestFileBasedIPList.removeFile("ips.txt");
-  }
-
-  /**
-   * Add a bunch of subnets and IPSs to the file
-   * setup a low cache refresh
-   * test for inclusion
-   * Check for exclusion
-   * Remove a bunch of subnets and Ips
-   * wait for cache timeout.
-   * test for inclusion
-   * Check for exclusion
-   */
-  public void testRemovalWithRefresh() throws IOException, InterruptedException {
-
-    String[] ips = {"10.119.103.112", "10.221.102.0/23",
-        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
-
-    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
-
-    CacheableIPList cipl = new CacheableIPList(
-        new FileBasedIPList("ips.txt"),100);
-
-    assertTrue("10.113.221.222 is not in the list",
-        cipl.isIn("10.113.221.222"));
-    assertTrue ("10.222.103.121 is not in the list",
-        cipl.isIn("10.222.103.121"));
-
-    TestFileBasedIPList.removeFile("ips.txt");
-    String[]ips2 = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
-
-    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
-    cipl.refresh();
-
-    assertFalse("10.113.221.222 is in the list",
-        cipl.isIn("10.113.221.222"));
-    assertFalse ("10.222.103.121 is  in the list",
-        cipl.isIn("10.222.103.121"));
-
-    TestFileBasedIPList.removeFile("ips.txt");
-  }
-
-
-
-}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java
deleted file mode 100644
index 0e79fd1bbab..00000000000
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java
+++ /dev/null
@@ -1,215 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.util;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Arrays;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.hadoop.util.FileBasedIPList;
-import org.apache.hadoop.util.IPList;
-import org.junit.After;
-import org.junit.Test;
-
-import junit.framework.TestCase;
-
-public class TestFileBasedIPList extends TestCase {
-
-  @After
-  public void tearDown() {
-    removeFile("ips.txt");
-  }
-
-  /**
-   * Add a bunch of IPS  to the file
-   * Check  for inclusion
-   * Check for exclusion
-   */
-  @Test
-  public void testSubnetsAndIPs() throws IOException {
-
-    String[] ips = {"10.119.103.112", "10.221.102.0/23"};
-
-    createFileWithEntries ("ips.txt", ips);
-
-    IPList ipList = new FileBasedIPList("ips.txt");
-
-    assertTrue ("10.119.103.112 is not in the list",
-        ipList.isIn("10.119.103.112"));
-    assertFalse ("10.119.103.113 is in the list",
-        ipList.isIn("10.119.103.113"));
-
-    assertTrue ("10.221.102.0 is not in the list",
-        ipList.isIn("10.221.102.0"));
-    assertTrue ("10.221.102.1 is not in the list",
-        ipList.isIn("10.221.102.1"));
-    assertTrue ("10.221.103.1 is not in the list",
-        ipList.isIn("10.221.103.1"));
-    assertTrue ("10.221.103.255 is not in the list",
-        ipList.isIn("10.221.103.255"));
-    assertFalse("10.221.104.0 is in the list",
-        ipList.isIn("10.221.104.0"));
-    assertFalse("10.221.104.1 is in the list",
-        ipList.isIn("10.221.104.1"));
-  }
-
-  /**
-   * Add a bunch of IPS  to the file
-   * Check  for inclusion
-   * Check for exclusion
-   */
-  @Test
-  public void testNullIP() throws IOException {
-
-    String[] ips = {"10.119.103.112", "10.221.102.0/23"};
-    createFileWithEntries ("ips.txt", ips);
-
-    IPList ipList = new FileBasedIPList("ips.txt");
-
-    assertFalse ("Null Ip is in the list",
-        ipList.isIn(null));
-  }
-
-  /**
-   * Add a bunch of subnets and IPSs to the file
-   * Check  for inclusion
-   * Check for exclusion
-   */
-  @Test
-  public void testWithMultipleSubnetAndIPs() throws IOException {
-
-    String[] ips = {"10.119.103.112", "10.221.102.0/23", "10.222.0.0/16",
-    "10.113.221.221"};
-
-    createFileWithEntries ("ips.txt", ips);
-
-    IPList ipList = new FileBasedIPList("ips.txt");
-
-    assertTrue ("10.119.103.112 is not in the list",
-        ipList.isIn("10.119.103.112"));
-    assertFalse ("10.119.103.113 is in the list",
-        ipList.isIn("10.119.103.113"));
-
-    assertTrue ("10.221.103.121 is not in the list",
-        ipList.isIn("10.221.103.121"));
-    assertFalse("10.221.104.0 is in the list",
-        ipList.isIn("10.221.104.0"));
-
-    assertTrue ("10.222.103.121 is not in the list",
-        ipList.isIn("10.222.103.121"));
-    assertFalse("10.223.104.0 is in the list",
-        ipList.isIn("10.223.104.0"));
-
-    assertTrue ("10.113.221.221 is not in the list",
-        ipList.isIn("10.113.221.221"));
-    assertFalse("10.113.221.222 is in the list",
-        ipList.isIn("10.113.221.222"));
-  }
-
-  /**
-   * Do not specify the file
-   * test for inclusion
-   * should be true as if the feature is turned off
-   */
-  public void testFileNotSpecified() {
-
-    IPList ipl = new FileBasedIPList(null);
-
-    assertFalse("110.113.221.222 is in the list",
-        ipl.isIn("110.113.221.222"));
-  }
-
-  /**
-   * Specify a non existent file
-   * test for inclusion
-   * should be true as if the feature is turned off
-   */
-  public void testFileMissing() {
-
-    IPList ipl = new FileBasedIPList("missingips.txt");
-
-    assertFalse("110.113.221.222 is in the list",
-        ipl.isIn("110.113.221.222"));
-  }
-
-  /**
-   * Specify an existing file, but empty
-   * test for inclusion
-   * should be true as if the feature is turned off
-   */
-  public void testWithEmptyList() throws IOException {
-    String[] ips = {};
-
-    createFileWithEntries ("ips.txt", ips);
-    IPList ipl = new FileBasedIPList("ips.txt");
-
-    assertFalse("110.113.221.222 is in the list",
-        ipl.isIn("110.113.221.222"));
-  }
-
-  /**
-   * Specify an existing file, but ips in wrong format
-   * test for inclusion
-   * should be true as if the feature is turned off
-   */
-  public void testForBadFIle() throws IOException {
-    String[] ips = { "10.221.102/23"};
-
-    createFileWithEntries ("ips.txt", ips);
-
-    try {
-      new FileBasedIPList("ips.txt");
-     fail();
-     } catch (Exception e) {
-       //expects Exception
-     }
-  }
-
-  /**
-   * Add a bunch of subnets and IPSs to the file. Keep one entry wrong.
-   * The good entries will still be used.
-   * Check  for inclusion with good entries
-   * Check for exclusion
-   */
-  public void testWithAWrongEntry() throws IOException {
-
-    String[] ips = {"10.119.103.112", "10.221.102/23", "10.221.204.1/23"};
-
-    createFileWithEntries ("ips.txt", ips);
-
-    try {
-     new FileBasedIPList("ips.txt");
-    fail();
-    } catch (Exception e) {
-      //expects Exception
-    }
-  }
-
-  public static void createFileWithEntries(String fileName, String[] ips)
-      throws IOException {
-    FileUtils.writeLines(new File(fileName), Arrays.asList(ips));
-  }
-
-  public static void removeFile(String fileName) {
-    File file  = new File(fileName);
-    if (file.exists()) {
-      new File(fileName).delete();
-    }
-  }
-}

From 86840834ed822527196a7eca117648be4df43292 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Sun, 17 Aug 2014 19:02:45 +0000
Subject: [PATCH 246/354] HADOOP-10335. An ip whilelist based implementation to
 resolve Sasl properties per connection. (Contributed by Benoy Antony)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618503 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   3 +
 .../security/WhitelistBasedResolver.java      | 149 ++++++++++++
 .../apache/hadoop/util/CacheableIPList.java   |  76 +++++++
 .../hadoop/util/CombinedIPWhiteList.java      |  60 +++++
 .../apache/hadoop/util/FileBasedIPList.java   | 102 +++++++++
 .../java/org/apache/hadoop/util/IPList.java   |  33 +++
 .../org/apache/hadoop/util/MachineList.java   |  13 +-
 .../security/TestWhitelistBasedResolver.java  | 163 +++++++++++++
 .../hadoop/util/TestCacheableIPList.java      | 188 +++++++++++++++
 .../hadoop/util/TestFileBasedIPList.java      | 215 ++++++++++++++++++
 10 files changed, 999 insertions(+), 3 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index d0168c2d5bc..fb0578f7c50 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -524,6 +524,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10650. Add ability to specify a reverse ACL (black list) of users
     and groups. (Benoy Antony via Arpit Agarwal)
 
+    HADOOP-10335. An ip whilelist based implementation to resolve Sasl
+    properties per connection. (Benoy Antony via Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java
new file mode 100644
index 00000000000..dc0815ed768
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/WhitelistBasedResolver.java
@@ -0,0 +1,149 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.Map;
+import java.util.TreeMap;
+
+import javax.security.sasl.Sasl;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.SaslPropertiesResolver;
+import org.apache.hadoop.security.SaslRpcServer.QualityOfProtection;
+import org.apache.hadoop.util.CombinedIPWhiteList;
+import org.apache.hadoop.util.StringUtils;
+
+
+/**
+ * An implementation of the SaslPropertiesResolver.
+ * Uses a white list of IPs.
+ * If the connection's IP address is in the list of IP addresses, the salProperties
+ * will be unchanged.
+ * If the connection's IP is not in the list of IP addresses, then QOP for the
+ * connection will be restricted to "hadoop.rpc.protection.non-whitelist"
+ *
+ * Uses 3 IPList implementations together to form an aggregate whitelist.
+ * 1. ConstantIPList - to check against a set of hardcoded IPs
+ * 2. Fixed IP List - to check against a list of IP addresses which are specified externally, but
+ * will not change over runtime.
+ * 3. Variable IP List - to check against a list of IP addresses which are specified externally and
+ * could change during runtime.
+ * A connection IP address will checked against these 3 IP Lists in the order specified above.
+ * Once a match is found , the IP address is determined to be in whitelist.
+ *
+ * The behavior can be configured using a bunch of configuration parameters.
+ *
+ */
+public class WhitelistBasedResolver extends SaslPropertiesResolver {
+  public static final Log LOG = LogFactory.getLog(WhitelistBasedResolver.class);
+
+  private static final String FIXEDWHITELIST_DEFAULT_LOCATION = "/etc/hadoop/fixedwhitelist";
+
+  private static final String VARIABLEWHITELIST_DEFAULT_LOCATION = "/etc/hadoop/whitelist";
+
+  /**
+   * Path to the file to containing subnets and ip addresses to form fixed whitelist.
+   */
+  public static final String HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE =
+    "hadoop.security.sasl.fixedwhitelist.file";
+  /**
+   * Enables/Disables variable whitelist
+   */
+  public static final String HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE =
+    "hadoop.security.sasl.variablewhitelist.enable";
+  /**
+   * Path to the file to containing subnets and ip addresses to form variable whitelist.
+   */
+  public static final String HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE =
+    "hadoop.security.sasl.variablewhitelist.file";
+  /**
+   * time in seconds by which the variable whitelist file is checked for updates
+   */
+  public static final String HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS =
+    "hadoop.security.sasl.variablewhitelist.cache.secs";
+
+  /**
+   * comma separated list containing alternate hadoop.rpc.protection values for
+   * clients which are not in whitelist
+   */
+  public static final String HADOOP_RPC_PROTECTION_NON_WHITELIST =
+    "hadoop.rpc.protection.non-whitelist";
+
+  private CombinedIPWhiteList whiteList;
+
+  private Map<String, String> saslProps;
+
+  @Override
+  public void setConf(Configuration conf) {
+    super.setConf(conf);
+    String fixedFile = conf.get(HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE,
+        FIXEDWHITELIST_DEFAULT_LOCATION);
+    String variableFile = null;
+    long expiryTime = 0;
+
+    if (conf.getBoolean(HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE, false)) {
+      variableFile = conf.get(HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE,
+          VARIABLEWHITELIST_DEFAULT_LOCATION);
+      expiryTime =
+        conf.getLong(HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,3600) * 1000;
+    }
+
+    whiteList = new CombinedIPWhiteList(fixedFile,variableFile,expiryTime);
+
+    this.saslProps = getSaslProperties(conf);
+  }
+
+  /**
+   * Identify the Sasl Properties to be used for a connection with a client.
+   * @param clientAddress client's address
+   * @return the sasl properties to be used for the connection.
+   */
+  @Override
+  public Map<String, String> getServerProperties(InetAddress clientAddress) {
+    if (clientAddress == null) {
+      return saslProps;
+    }
+    return  whiteList.isIn(clientAddress.getHostAddress())?getDefaultProperties():saslProps;
+  }
+
+  public Map<String, String> getServerProperties(String clientAddress) throws UnknownHostException {
+    if (clientAddress == null) {
+      return saslProps;
+    }
+    return getServerProperties(InetAddress.getByName(clientAddress));
+  }
+
+  static Map<String, String> getSaslProperties(Configuration conf) {
+    Map<String, String> saslProps =new TreeMap<String, String>();
+    String[] qop = conf.getStrings(HADOOP_RPC_PROTECTION_NON_WHITELIST,
+        QualityOfProtection.PRIVACY.toString());
+
+    for (int i=0; i < qop.length; i++) {
+      qop[i] = QualityOfProtection.valueOf(qop[i].toUpperCase()).getSaslQop();
+    }
+
+    saslProps.put(Sasl.QOP, StringUtils.join(",", qop));
+    saslProps.put(Sasl.SERVER_AUTH, "true");
+
+    return saslProps;
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java
new file mode 100644
index 00000000000..1343fc6129e
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CacheableIPList.java
@@ -0,0 +1,76 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+/**
+ * CacheableIPList loads a list of subnets from a file.
+ * The list is cached and the cache can be refreshed by specifying cache timeout.
+ * A negative value of cache timeout disables any caching.
+ *
+ * Thread safe.
+ */
+
+public class CacheableIPList implements IPList {
+  private final long cacheTimeout;
+  private volatile long cacheExpiryTimeStamp;
+  private volatile FileBasedIPList ipList;
+
+  public CacheableIPList(FileBasedIPList ipList, long cacheTimeout) {
+    this.cacheTimeout =  cacheTimeout;
+    this.ipList = ipList;
+    updateCacheExpiryTime();
+  }
+
+  /**
+   * Reloads the ip list
+   */
+  private  void  reset() {
+    ipList = ipList.reload();
+    updateCacheExpiryTime();
+  }
+
+  private void updateCacheExpiryTime() {
+    if (cacheTimeout < 0) {
+      cacheExpiryTimeStamp = -1; // no automatic cache expiry.
+    }else {
+      cacheExpiryTimeStamp = System.currentTimeMillis() + cacheTimeout;
+    }
+  }
+
+  /**
+   * Refreshes the ip list
+   */
+  public  void refresh () {
+    cacheExpiryTimeStamp = 0;
+  }
+
+  @Override
+  public boolean isIn(String ipAddress) {
+    //is cache expired
+    //Uses Double Checked Locking using volatile
+    if (cacheExpiryTimeStamp >= 0 && cacheExpiryTimeStamp < System.currentTimeMillis()) {
+      synchronized(this) {
+        //check if cache expired again
+        if (cacheExpiryTimeStamp < System.currentTimeMillis()) {
+          reset();
+        }
+      }
+    }
+    return ipList.isIn(ipAddress);
+  }
+}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java
new file mode 100644
index 00000000000..d12c4c11d5d
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CombinedIPWhiteList.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class CombinedIPWhiteList implements IPList {
+
+  public static final Log LOG = LogFactory.getLog(CombinedIPWhiteList.class);
+  private static final String LOCALHOST_IP = "127.0.0.1";
+
+  private final IPList[] networkLists;
+
+  public CombinedIPWhiteList(String fixedWhiteListFile,
+      String variableWhiteListFile, long cacheExpiryInSeconds) {
+
+    IPList fixedNetworkList = new FileBasedIPList(fixedWhiteListFile);
+    if (variableWhiteListFile != null){
+      IPList variableNetworkList = new CacheableIPList(
+          new FileBasedIPList(variableWhiteListFile),cacheExpiryInSeconds);
+      networkLists = new IPList[] {fixedNetworkList, variableNetworkList};
+    }
+    else {
+      networkLists = new IPList[] {fixedNetworkList};
+    }
+  }
+  @Override
+  public boolean isIn(String ipAddress) {
+    if (ipAddress == null) {
+      throw new IllegalArgumentException("ipAddress is null");
+    }
+
+    if (LOCALHOST_IP.equals(ipAddress)) {
+      return true;
+    }
+
+    for (IPList networkList:networkLists) {
+      if (networkList.isIn(ipAddress)) {
+        return true;
+      }
+    }
+    return false;
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java
new file mode 100644
index 00000000000..8bfb5d93aef
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/FileBasedIPList.java
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * FileBasedIPList loads a list of subnets in CIDR format and ip addresses from a file.
+ *
+ * Given an ip address, isIn  method returns true if ip belongs to one of the subnets.
+ *
+ * Thread safe.
+ */
+
+public class FileBasedIPList implements IPList {
+
+  private static final Log LOG = LogFactory.getLog(FileBasedIPList.class);
+
+  private final String fileName;
+  private final MachineList addressList;
+
+  public FileBasedIPList(String fileName) {
+    this.fileName = fileName;
+    String[] lines = readLines(fileName);
+    if (lines != null) {
+      addressList = new MachineList(new HashSet<String>(Arrays.asList(lines)));
+    } else {
+      addressList = null;
+    }
+  }
+
+  public FileBasedIPList reload() {
+    return new FileBasedIPList(fileName);
+  }
+
+  @Override
+  public  boolean isIn(String ipAddress) {
+    if (ipAddress == null || addressList == null) {
+      return false;
+    }
+    return addressList.includes(ipAddress);
+  }
+
+  /**
+   * reads the lines in a file.
+   * @param fileName
+   * @return lines in a String array; null if the file does not exist or if the
+   * file name is null
+   * @throws IOException
+   */
+  private static String[] readLines(String fileName) {
+    try {
+      if (fileName != null) {
+        File file = new File (fileName);
+        if (file.exists()) {
+          FileReader fileReader = new FileReader(file);
+          BufferedReader bufferedReader = new BufferedReader(fileReader);
+          List<String> lines = new ArrayList<String>();
+          String line = null;
+          while ((line = bufferedReader.readLine()) != null) {
+            lines.add(line);
+          }
+          bufferedReader.close();
+          LOG.debug("Loaded IP list of size = " + lines.size() +" from file = " + fileName);
+          return(lines.toArray(new String[lines.size()]));
+        }
+        else {
+          LOG.debug("Missing ip list file : "+ fileName);
+        }
+      }
+    }
+    catch (Throwable t) {
+      LOG.error(t);
+    }
+    return null;
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java
new file mode 100644
index 00000000000..3a2616376fb
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/IPList.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+@InterfaceStability.Unstable
+@InterfaceAudience.Public
+public interface IPList {
+
+  /**
+   * returns true if the ipAddress is in the IPList.
+   * @param ipAddress
+   * @return boolean value indicating whether the ipAddress is in the IPList
+   */
+  public abstract boolean isIn(String ipAddress);
+}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
index 7f2e2c8de7e..d1a0870f679 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
@@ -37,7 +37,7 @@
 /**
  * Container class which holds a list of ip/host addresses and 
  * answers membership queries.
- * .
+ *
  * Accepts list of ip addresses, ip addreses in CIDR format and/or 
  * host addresses.
  */
@@ -71,8 +71,15 @@ public InetAddress getByName (String host) throws UnknownHostException {
    * @param hostEntries comma separated ip/cidr/host addresses
    */
   public MachineList(String hostEntries) {
-    this(StringUtils.getTrimmedStringCollection(hostEntries),
-        InetAddressFactory.S_INSTANCE);
+    this(StringUtils.getTrimmedStringCollection(hostEntries));
+  }
+
+  /**
+   *
+   * @param hostEntries collection of separated ip/cidr/host addresses
+   */
+  public MachineList(Collection<String> hostEntries) {
+    this(hostEntries, InetAddressFactory.S_INSTANCE);
   }
 
   /**
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java
new file mode 100644
index 00000000000..684ef3bf17a
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestWhitelistBasedResolver.java
@@ -0,0 +1,163 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.util.Map;
+
+import junit.framework.TestCase;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.WhitelistBasedResolver;
+import org.apache.hadoop.util.TestFileBasedIPList;
+
+public class TestWhitelistBasedResolver extends TestCase {
+
+  public static final Map<String, String> SASL_PRIVACY_PROPS =
+    WhitelistBasedResolver.getSaslProperties(new Configuration());
+
+  public void testFixedVariableAndLocalWhiteList() throws IOException {
+
+    String[] fixedIps = {"10.119.103.112", "10.221.102.0/23"};
+
+    TestFileBasedIPList.createFileWithEntries ("fixedwhitelist.txt", fixedIps);
+
+    String[] variableIps = {"10.222.0.0/16", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("variablewhitelist.txt", variableIps);
+
+    Configuration conf = new Configuration();
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE ,
+        "fixedwhitelist.txt");
+
+    conf.setBoolean(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE,
+        true);
+
+    conf.setLong(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,
+        1);
+
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE ,
+        "variablewhitelist.txt");
+
+    WhitelistBasedResolver wqr = new WhitelistBasedResolver ();
+    wqr.setConf(conf);
+
+    assertEquals (wqr.getDefaultProperties(),
+        wqr.getServerProperties(InetAddress.getByName("10.119.103.112")));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.119.103.113"));
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.221.103.121"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.221.104.0"));
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.222.103.121"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.223.104.0"));
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.113.221.221"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.113.221.222"));
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("127.0.0.1"));
+
+    TestFileBasedIPList.removeFile("fixedwhitelist.txt");
+    TestFileBasedIPList.removeFile("variablewhitelist.txt");
+  }
+
+
+  /**
+   * Add a bunch of subnets and IPSs to the whitelist
+   * Check  for inclusion in whitelist
+   * Check for exclusion from whitelist
+   */
+  public void testFixedAndLocalWhiteList() throws IOException {
+
+    String[] fixedIps = {"10.119.103.112", "10.221.102.0/23"};
+
+    TestFileBasedIPList.createFileWithEntries ("fixedwhitelist.txt", fixedIps);
+
+    String[] variableIps = {"10.222.0.0/16", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("variablewhitelist.txt", variableIps);
+
+    Configuration conf = new Configuration();
+
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE ,
+        "fixedwhitelist.txt");
+
+    conf.setBoolean(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE,
+        false);
+
+    conf.setLong(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,
+        100);
+
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE ,
+        "variablewhitelist.txt");
+
+    WhitelistBasedResolver wqr = new WhitelistBasedResolver();
+    wqr.setConf(conf);
+
+    assertEquals (wqr.getDefaultProperties(),
+        wqr.getServerProperties(InetAddress.getByName("10.119.103.112")));
+
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.119.103.113"));
+
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("10.221.103.121"));
+
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.221.104.0"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.222.103.121"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.223.104.0"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.113.221.221"));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties("10.113.221.222"));
+    assertEquals (wqr.getDefaultProperties(), wqr.getServerProperties("127.0.0.1"));;
+
+    TestFileBasedIPList.removeFile("fixedwhitelist.txt");
+    TestFileBasedIPList.removeFile("variablewhitelist.txt");
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the whitelist
+   * Check  for inclusion in whitelist with a null value
+   */
+  public void testNullIPAddress() throws IOException {
+
+    String[] fixedIps = {"10.119.103.112", "10.221.102.0/23"};
+
+    TestFileBasedIPList.createFileWithEntries ("fixedwhitelist.txt", fixedIps);
+
+    String[] variableIps = {"10.222.0.0/16", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("variablewhitelist.txt", variableIps);
+
+    Configuration conf = new Configuration();
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_FIXEDWHITELIST_FILE ,
+        "fixedwhitelist.txt");
+
+    conf.setBoolean(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_ENABLE,
+        true);
+
+    conf.setLong(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_CACHE_SECS,
+        100);
+
+    conf.set(WhitelistBasedResolver.HADOOP_SECURITY_SASL_VARIABLEWHITELIST_FILE ,
+        "variablewhitelist.txt");
+
+    WhitelistBasedResolver wqr = new WhitelistBasedResolver();
+    wqr.setConf(conf);
+
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties((InetAddress)null));
+    assertEquals (SASL_PRIVACY_PROPS, wqr.getServerProperties((String)null));
+
+    TestFileBasedIPList.removeFile("fixedwhitelist.txt");
+    TestFileBasedIPList.removeFile("variablewhitelist.txt");
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java
new file mode 100644
index 00000000000..3289d786c13
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestCacheableIPList.java
@@ -0,0 +1,188 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+import java.io.IOException;
+
+import org.apache.hadoop.util.CacheableIPList;
+import org.apache.hadoop.util.FileBasedIPList;
+
+
+import junit.framework.TestCase;
+
+public class TestCacheableIPList extends TestCase {
+
+  /**
+   * Add a bunch of subnets and IPSs to the file
+   * setup a low cache refresh
+   * test for inclusion
+   * Check for exclusion
+   * Add a bunch of subnets and Ips
+   * wait for cache timeout.
+   * test for inclusion
+   * Check for exclusion
+   */
+  public void testAddWithSleepForCacheTimeout() throws IOException, InterruptedException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
+
+    CacheableIPList cipl = new CacheableIPList(
+        new FileBasedIPList("ips.txt"),100);
+
+    assertFalse("10.113.221.222 is in the list",
+        cipl.isIn("10.113.221.222"));
+    assertFalse ("10.222.103.121 is  in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+    String[]ips2 = {"10.119.103.112", "10.221.102.0/23",
+        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
+    Thread.sleep(101);
+
+    assertTrue("10.113.221.222 is not in the list",
+        cipl.isIn("10.113.221.222"));
+    assertTrue ("10.222.103.121 is not in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the file
+   * setup a low cache refresh
+   * test for inclusion
+   * Check for exclusion
+   * Remove a bunch of subnets and Ips
+   * wait for cache timeout.
+   * test for inclusion
+   * Check for exclusion
+   */
+  public void testRemovalWithSleepForCacheTimeout() throws IOException, InterruptedException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23",
+        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
+
+    CacheableIPList cipl = new CacheableIPList(
+        new FileBasedIPList("ips.txt"),100);
+
+    assertTrue("10.113.221.222 is not in the list",
+        cipl.isIn("10.113.221.222"));
+    assertTrue ("10.222.103.121 is not in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+    String[]ips2 = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
+    Thread.sleep(1005);
+
+    assertFalse("10.113.221.222 is in the list",
+        cipl.isIn("10.113.221.222"));
+    assertFalse ("10.222.103.121 is  in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the file
+   * setup a low cache refresh
+   * test for inclusion
+   * Check for exclusion
+   * Add a bunch of subnets and Ips
+   * do a refresh
+   * test for inclusion
+   * Check for exclusion
+   */
+  public void testAddWithRefresh() throws IOException, InterruptedException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
+
+    CacheableIPList cipl = new CacheableIPList(
+        new FileBasedIPList("ips.txt"),100);
+
+    assertFalse("10.113.221.222 is in the list",
+        cipl.isIn("10.113.221.222"));
+    assertFalse ("10.222.103.121 is  in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+    String[]ips2 = {"10.119.103.112", "10.221.102.0/23",
+        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
+    cipl.refresh();
+
+    assertTrue("10.113.221.222 is not in the list",
+        cipl.isIn("10.113.221.222"));
+    assertTrue ("10.222.103.121 is not in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the file
+   * setup a low cache refresh
+   * test for inclusion
+   * Check for exclusion
+   * Remove a bunch of subnets and Ips
+   * wait for cache timeout.
+   * test for inclusion
+   * Check for exclusion
+   */
+  public void testRemovalWithRefresh() throws IOException, InterruptedException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23",
+        "10.222.0.0/16", "10.113.221.221", "10.113.221.222"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips);
+
+    CacheableIPList cipl = new CacheableIPList(
+        new FileBasedIPList("ips.txt"),100);
+
+    assertTrue("10.113.221.222 is not in the list",
+        cipl.isIn("10.113.221.222"));
+    assertTrue ("10.222.103.121 is not in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+    String[]ips2 = {"10.119.103.112", "10.221.102.0/23", "10.113.221.221"};
+
+    TestFileBasedIPList.createFileWithEntries ("ips.txt", ips2);
+    cipl.refresh();
+
+    assertFalse("10.113.221.222 is in the list",
+        cipl.isIn("10.113.221.222"));
+    assertFalse ("10.222.103.121 is  in the list",
+        cipl.isIn("10.222.103.121"));
+
+    TestFileBasedIPList.removeFile("ips.txt");
+  }
+
+
+
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java
new file mode 100644
index 00000000000..0e79fd1bbab
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestFileBasedIPList.java
@@ -0,0 +1,215 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.util.FileBasedIPList;
+import org.apache.hadoop.util.IPList;
+import org.junit.After;
+import org.junit.Test;
+
+import junit.framework.TestCase;
+
+public class TestFileBasedIPList extends TestCase {
+
+  @After
+  public void tearDown() {
+    removeFile("ips.txt");
+  }
+
+  /**
+   * Add a bunch of IPS  to the file
+   * Check  for inclusion
+   * Check for exclusion
+   */
+  @Test
+  public void testSubnetsAndIPs() throws IOException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23"};
+
+    createFileWithEntries ("ips.txt", ips);
+
+    IPList ipList = new FileBasedIPList("ips.txt");
+
+    assertTrue ("10.119.103.112 is not in the list",
+        ipList.isIn("10.119.103.112"));
+    assertFalse ("10.119.103.113 is in the list",
+        ipList.isIn("10.119.103.113"));
+
+    assertTrue ("10.221.102.0 is not in the list",
+        ipList.isIn("10.221.102.0"));
+    assertTrue ("10.221.102.1 is not in the list",
+        ipList.isIn("10.221.102.1"));
+    assertTrue ("10.221.103.1 is not in the list",
+        ipList.isIn("10.221.103.1"));
+    assertTrue ("10.221.103.255 is not in the list",
+        ipList.isIn("10.221.103.255"));
+    assertFalse("10.221.104.0 is in the list",
+        ipList.isIn("10.221.104.0"));
+    assertFalse("10.221.104.1 is in the list",
+        ipList.isIn("10.221.104.1"));
+  }
+
+  /**
+   * Add a bunch of IPS  to the file
+   * Check  for inclusion
+   * Check for exclusion
+   */
+  @Test
+  public void testNullIP() throws IOException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23"};
+    createFileWithEntries ("ips.txt", ips);
+
+    IPList ipList = new FileBasedIPList("ips.txt");
+
+    assertFalse ("Null Ip is in the list",
+        ipList.isIn(null));
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the file
+   * Check  for inclusion
+   * Check for exclusion
+   */
+  @Test
+  public void testWithMultipleSubnetAndIPs() throws IOException {
+
+    String[] ips = {"10.119.103.112", "10.221.102.0/23", "10.222.0.0/16",
+    "10.113.221.221"};
+
+    createFileWithEntries ("ips.txt", ips);
+
+    IPList ipList = new FileBasedIPList("ips.txt");
+
+    assertTrue ("10.119.103.112 is not in the list",
+        ipList.isIn("10.119.103.112"));
+    assertFalse ("10.119.103.113 is in the list",
+        ipList.isIn("10.119.103.113"));
+
+    assertTrue ("10.221.103.121 is not in the list",
+        ipList.isIn("10.221.103.121"));
+    assertFalse("10.221.104.0 is in the list",
+        ipList.isIn("10.221.104.0"));
+
+    assertTrue ("10.222.103.121 is not in the list",
+        ipList.isIn("10.222.103.121"));
+    assertFalse("10.223.104.0 is in the list",
+        ipList.isIn("10.223.104.0"));
+
+    assertTrue ("10.113.221.221 is not in the list",
+        ipList.isIn("10.113.221.221"));
+    assertFalse("10.113.221.222 is in the list",
+        ipList.isIn("10.113.221.222"));
+  }
+
+  /**
+   * Do not specify the file
+   * test for inclusion
+   * should be true as if the feature is turned off
+   */
+  public void testFileNotSpecified() {
+
+    IPList ipl = new FileBasedIPList(null);
+
+    assertFalse("110.113.221.222 is in the list",
+        ipl.isIn("110.113.221.222"));
+  }
+
+  /**
+   * Specify a non existent file
+   * test for inclusion
+   * should be true as if the feature is turned off
+   */
+  public void testFileMissing() {
+
+    IPList ipl = new FileBasedIPList("missingips.txt");
+
+    assertFalse("110.113.221.222 is in the list",
+        ipl.isIn("110.113.221.222"));
+  }
+
+  /**
+   * Specify an existing file, but empty
+   * test for inclusion
+   * should be true as if the feature is turned off
+   */
+  public void testWithEmptyList() throws IOException {
+    String[] ips = {};
+
+    createFileWithEntries ("ips.txt", ips);
+    IPList ipl = new FileBasedIPList("ips.txt");
+
+    assertFalse("110.113.221.222 is in the list",
+        ipl.isIn("110.113.221.222"));
+  }
+
+  /**
+   * Specify an existing file, but ips in wrong format
+   * test for inclusion
+   * should be true as if the feature is turned off
+   */
+  public void testForBadFIle() throws IOException {
+    String[] ips = { "10.221.102/23"};
+
+    createFileWithEntries ("ips.txt", ips);
+
+    try {
+      new FileBasedIPList("ips.txt");
+     fail();
+     } catch (Exception e) {
+       //expects Exception
+     }
+  }
+
+  /**
+   * Add a bunch of subnets and IPSs to the file. Keep one entry wrong.
+   * The good entries will still be used.
+   * Check  for inclusion with good entries
+   * Check for exclusion
+   */
+  public void testWithAWrongEntry() throws IOException {
+
+    String[] ips = {"10.119.103.112", "10.221.102/23", "10.221.204.1/23"};
+
+    createFileWithEntries ("ips.txt", ips);
+
+    try {
+     new FileBasedIPList("ips.txt");
+    fail();
+    } catch (Exception e) {
+      //expects Exception
+    }
+  }
+
+  public static void createFileWithEntries(String fileName, String[] ips)
+      throws IOException {
+    FileUtils.writeLines(new File(fileName), Arrays.asList(ips));
+  }
+
+  public static void removeFile(String fileName) {
+    File file  = new File(fileName);
+    if (file.exists()) {
+      new File(fileName).delete();
+    }
+  }
+}

From 519c4be95a091a072302e9ae52c2d221d80037a8 Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Mon, 18 Aug 2014 06:08:45 +0000
Subject: [PATCH 247/354] YARN-2411. Support simple user and group mappings to
 queues. Contributed by Ram Venkatesh

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618542 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../conf/capacity-scheduler.xml               |  23 ++
 .../scheduler/capacity/CapacityScheduler.java | 121 ++++++++-
 .../CapacitySchedulerConfiguration.java       | 119 ++++++++-
 .../scheduler/capacity/TestQueueMappings.java | 240 ++++++++++++++++++
 5 files changed, 492 insertions(+), 14 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestQueueMappings.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index aa217edaec0..0bb4a8ccd68 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -47,6 +47,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2378. Added support for moving applications across queues in
     CapacityScheduler. (Subramaniam Venkatraman Krishnan via jianhe)
 
+    YARN-2411. Support simple user and group mappings to queues. (Ram Venkatesh
+    via jianhe)
+
   IMPROVEMENTS
 
     YARN-2197. Add a link to YARN CHANGES.txt in the left side of doc
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/conf/capacity-scheduler.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/conf/capacity-scheduler.xml
index 2bed464bcc6..30f4eb96c6c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/conf/capacity-scheduler.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/conf/capacity-scheduler.xml
@@ -108,4 +108,27 @@
     </description>
   </property>
 
+  <property>
+    <name>yarn.scheduler.capacity.queue-mappings</name>
+    <value></value>
+    <description>
+      A list of mappings that will be used to assign jobs to queues
+      The syntax for this list is [u|g]:[name]:[queue_name][,next mapping]*
+      Typically this list will be used to map users to queues,
+      for example, u:%user:%user maps all users to queues with the same name
+      as the user.
+    </description>
+  </property>
+
+  <property>
+    <name>yarn.scheduler.capacity.queue-mappings-override.enable</name>
+    <value>false</value>
+    <description>
+      If a queue mapping is present, will it override the value specified
+      by the user? This can be used by administrators to place jobs in queues
+      that are different than the one specified by the user.
+      The default is false.
+    </description>
+  </property>
+
 </configuration>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
index 1b31a1a6bbb..e979c5c2320 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
@@ -18,8 +18,6 @@
 
 package org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity;
 
-import com.google.common.base.Preconditions;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
@@ -41,6 +39,7 @@
 import org.apache.hadoop.conf.Configurable;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.Groups;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
@@ -59,10 +58,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEventType;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppRejectedEvent;
-import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.*;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEventType;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
@@ -77,6 +73,8 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.QueueMetrics;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerApplication;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerUtils;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacitySchedulerConfiguration.QueueMapping;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacitySchedulerConfiguration.QueueMapping.MappingType;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.common.fica.FiCaSchedulerApp;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.common.fica.FiCaSchedulerNode;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.AppAddedSchedulerEvent;
@@ -94,6 +92,7 @@
 import org.apache.hadoop.yarn.util.resource.Resources;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Preconditions;
 
 @LimitedPrivate("yarn")
 @Evolving
@@ -199,6 +198,16 @@ public Configuration getConf() {
           + ".scheduling-interval-ms";
   private static final long DEFAULT_ASYNC_SCHEDULER_INTERVAL = 5;
   
+  private boolean overrideWithQueueMappings = false;
+  private List<QueueMapping> mappings = new ArrayList<QueueMapping>();
+  private Groups groups;
+
+  @VisibleForTesting
+  public synchronized String getMappedQueueForTest(String user)
+      throws IOException {
+    return getMappedQueue(user);
+  }
+
   public CapacityScheduler() {
     super(CapacityScheduler.class.getName());
   }
@@ -263,7 +272,6 @@ private synchronized void initScheduler(Configuration configuration) throws
     this.applications =
         new ConcurrentHashMap<ApplicationId,
             SchedulerApplication<FiCaSchedulerApp>>();
-
     initializeQueues(this.conf);
 
     scheduleAsynchronously = this.conf.getScheduleAynschronously();
@@ -402,7 +410,32 @@ public CSQueue hook(CSQueue queue) {
     }
   }
   private static final QueueHook noop = new QueueHook();
-  
+
+  private void initializeQueueMappings() throws IOException {
+    overrideWithQueueMappings = conf.getOverrideWithQueueMappings();
+    LOG.info("Initialized queue mappings, override: "
+        + overrideWithQueueMappings);
+    // Get new user/group mappings
+    List<QueueMapping> newMappings = conf.getQueueMappings();
+    //check if mappings refer to valid queues
+    for (QueueMapping mapping : newMappings) {
+      if (!mapping.queue.equals(CURRENT_USER_MAPPING) &&
+          !mapping.queue.equals(PRIMARY_GROUP_MAPPING)) {
+        CSQueue queue = queues.get(mapping.queue);
+        if (queue == null || !(queue instanceof LeafQueue)) {
+          throw new IOException(
+              "mapping contains invalid or non-leaf queue " + mapping.queue);
+        }
+      }
+    }
+    //apply the new mappings since they are valid
+    mappings = newMappings;
+    // initialize groups if mappings are present
+    if (mappings.size() > 0) {
+      groups = new Groups(conf);
+    }
+  }
+
   @Lock(CapacityScheduler.class)
   private void initializeQueues(CapacitySchedulerConfiguration conf)
     throws IOException {
@@ -410,7 +443,9 @@ private void initializeQueues(CapacitySchedulerConfiguration conf)
     root = 
         parseQueue(this, conf, null, CapacitySchedulerConfiguration.ROOT, 
             queues, queues, noop);
+
     LOG.info("Initialized root queue " + root);
+    initializeQueueMappings();
   }
 
   @Lock(CapacityScheduler.class)
@@ -430,6 +465,7 @@ private void reinitializeQueues(CapacitySchedulerConfiguration conf)
     
     // Re-configure queues
     root.reinitialize(newRoot, clusterResource);
+    initializeQueueMappings();
   }
 
   /**
@@ -517,12 +553,73 @@ static CSQueue parseQueue(
   }
 
   synchronized CSQueue getQueue(String queueName) {
+    if (queueName == null) {
+      return null;
+    }
     return queues.get(queueName);
   }
 
+  private static final String CURRENT_USER_MAPPING = "%user";
+
+  private static final String PRIMARY_GROUP_MAPPING = "%primary_group";
+
+  private String getMappedQueue(String user) throws IOException {
+    for (QueueMapping mapping : mappings) {
+      if (mapping.type == MappingType.USER) {
+        if (mapping.source.equals(CURRENT_USER_MAPPING)) {
+          if (mapping.queue.equals(CURRENT_USER_MAPPING)) {
+            return user;
+          }
+          else if (mapping.queue.equals(PRIMARY_GROUP_MAPPING)) {
+            return groups.getGroups(user).get(0);
+          }
+          else {
+            return mapping.queue;
+          }
+        }
+        if (user.equals(mapping.source)) {
+          return mapping.queue;
+        }
+      }
+      if (mapping.type == MappingType.GROUP) {
+        for (String userGroups : groups.getGroups(user)) {
+          if (userGroups.equals(mapping.source)) {
+            return mapping.queue;
+          }
+        }
+      }
+    }
+    return null;
+  }
+
   private synchronized void addApplication(ApplicationId applicationId,
-      String queueName, String user, boolean isAppRecovering) {
-    // santiy checks.
+    String queueName, String user, boolean isAppRecovering) {
+
+    if (mappings != null && mappings.size() > 0) {
+      try {
+        String mappedQueue = getMappedQueue(user);
+        if (mappedQueue != null) {
+          // We have a mapping, should we use it?
+          if (queueName.equals(YarnConfiguration.DEFAULT_QUEUE_NAME)
+              || overrideWithQueueMappings) {
+            LOG.info("Application " + applicationId + " user " + user
+                + " mapping [" + queueName + "] to [" + mappedQueue
+                + "] override " + overrideWithQueueMappings);
+            queueName = mappedQueue;
+            RMApp rmApp = rmContext.getRMApps().get(applicationId);
+            rmApp.setQueue(queueName);
+          }
+        }
+      } catch (IOException ioex) {
+        String message = "Failed to submit application " + applicationId +
+            " submitted by user " + user + " reason: " + ioex.getMessage();
+        this.rmContext.getDispatcher().getEventHandler()
+            .handle(new RMAppRejectedEvent(applicationId, message));
+        return;
+      }
+    }
+
+    // sanity checks.
     CSQueue queue = getQueue(queueName);
     if (queue == null) {
       String message = "Application " + applicationId + 
@@ -902,8 +999,8 @@ public void handle(SchedulerEvent event) {
     {
       AppAddedSchedulerEvent appAddedEvent = (AppAddedSchedulerEvent) event;
       addApplication(appAddedEvent.getApplicationId(),
-        appAddedEvent.getQueue(), appAddedEvent.getUser(),
-        appAddedEvent.getIsAppRecovering());
+        appAddedEvent.getQueue(),
+        appAddedEvent.getUser(), appAddedEvent.getIsAppRecovering());
     }
     break;
     case APP_REMOVED:
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
index 6fe695ecda2..af6bdc301ca 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
@@ -18,8 +18,7 @@
 
 package org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity;
 
-import java.util.HashMap;
-import java.util.Map;
+import java.util.*;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -145,6 +144,44 @@ public class CapacitySchedulerConfiguration extends Configuration {
 
   @Private
   public static final boolean DEFAULT_SCHEDULE_ASYNCHRONOUSLY_ENABLE = false;
+
+  @Private
+  public static final String QUEUE_MAPPING = PREFIX + "queue-mappings";
+
+  @Private
+  public static final String ENABLE_QUEUE_MAPPING_OVERRIDE = QUEUE_MAPPING + "-override.enable";
+
+  @Private
+  public static final boolean DEFAULT_ENABLE_QUEUE_MAPPING_OVERRIDE = false;
+
+  @Private
+  public static class QueueMapping {
+
+    public enum MappingType {
+
+      USER("u"),
+      GROUP("g");
+      private final String type;
+      private MappingType(String type) {
+        this.type = type;
+      }
+
+      public String toString() {
+        return type;
+      }
+
+    };
+
+    MappingType type;
+    String source;
+    String queue;
+
+    public QueueMapping(MappingType type, String source, String queue) {
+      this.type = type;
+      this.source = source;
+      this.queue = queue;
+    }
+  }
   
   public CapacitySchedulerConfiguration() {
     this(new Configuration());
@@ -378,4 +415,82 @@ public void setScheduleAynschronously(boolean async) {
     setBoolean(SCHEDULE_ASYNCHRONOUSLY_ENABLE, async);
   }
 
+  public boolean getOverrideWithQueueMappings() {
+    return getBoolean(ENABLE_QUEUE_MAPPING_OVERRIDE,
+        DEFAULT_ENABLE_QUEUE_MAPPING_OVERRIDE);
+  }
+
+  /**
+   * Returns a collection of strings, trimming leading and trailing whitespeace
+   * on each value
+   *
+   * @param str
+   *          String to parse
+   * @param delim
+   *          delimiter to separate the values
+   * @return Collection of parsed elements.
+   */
+  private static Collection<String> getTrimmedStringCollection(String str,
+      String delim) {
+    List<String> values = new ArrayList<String>();
+    if (str == null)
+      return values;
+    StringTokenizer tokenizer = new StringTokenizer(str, delim);
+    while (tokenizer.hasMoreTokens()) {
+      String next = tokenizer.nextToken();
+      if (next == null || next.trim().isEmpty()) {
+        continue;
+      }
+      values.add(next.trim());
+    }
+    return values;
+  }
+
+  /**
+   * Get user/group mappings to queues.
+   *
+   * @return user/groups mappings or null on illegal configs
+   */
+  public List<QueueMapping> getQueueMappings() {
+    List<QueueMapping> mappings =
+        new ArrayList<CapacitySchedulerConfiguration.QueueMapping>();
+    Collection<String> mappingsString =
+        getTrimmedStringCollection(QUEUE_MAPPING);
+    for (String mappingValue : mappingsString) {
+      String[] mapping =
+          getTrimmedStringCollection(mappingValue, ":")
+              .toArray(new String[] {});
+      if (mapping.length != 3 || mapping[1].length() == 0
+          || mapping[2].length() == 0) {
+        throw new IllegalArgumentException(
+            "Illegal queue mapping " + mappingValue);
+      }
+
+      QueueMapping m;
+      try {
+        QueueMapping.MappingType mappingType;
+        if (mapping[0].equals("u")) {
+          mappingType = QueueMapping.MappingType.USER;
+        } else if (mapping[0].equals("g")) {
+          mappingType = QueueMapping.MappingType.GROUP;
+        } else {
+          throw new IllegalArgumentException(
+              "unknown mapping prefix " + mapping[0]);
+        }
+        m = new QueueMapping(
+                mappingType,
+                mapping[1],
+                mapping[2]);
+      } catch (Throwable t) {
+        throw new IllegalArgumentException(
+            "Illegal queue mapping " + mappingValue);
+      }
+
+      if (m != null) {
+        mappings.add(m);
+      }
+    }
+
+    return mappings;
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestQueueMappings.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestQueueMappings.java
new file mode 100644
index 00000000000..f573f43f067
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestQueueMappings.java
@@ -0,0 +1,240 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity;
+
+import java.io.IOException;
+import java.util.HashMap;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.security.GroupMappingServiceProvider;
+import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.RMContextImpl;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerApplication;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.SimpleGroupsMapping;
+import org.apache.hadoop.yarn.server.resourcemanager.security.ClientToAMTokenSecretManagerInRM;
+import org.apache.hadoop.yarn.server.resourcemanager.security.NMTokenSecretManagerInRM;
+import org.apache.hadoop.yarn.server.resourcemanager.security.RMContainerTokenSecretManager;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestQueueMappings {
+
+  private static final Log LOG = LogFactory.getLog(TestQueueMappings.class);
+
+  private static final String Q1 = "q1";
+  private static final String Q2 = "q2";
+
+  private final static String Q1_PATH =
+      CapacitySchedulerConfiguration.ROOT + "." + Q1;
+  private final static String Q2_PATH =
+      CapacitySchedulerConfiguration.ROOT + "." + Q2;
+
+  private MockRM resourceManager;
+
+  @After
+  public void tearDown() throws Exception {
+    if (resourceManager != null) {
+      LOG.info("Stopping the resource manager");
+      resourceManager.stop();
+    }
+  }
+
+  private void setupQueueConfiguration(CapacitySchedulerConfiguration conf) {
+    // Define top-level queues
+    conf.setQueues(CapacitySchedulerConfiguration.ROOT, new String[] { Q1, Q2 });
+
+    conf.setCapacity(Q1_PATH, 10);
+    conf.setCapacity(Q2_PATH, 90);
+
+    LOG.info("Setup top-level queues q1 and q2");
+  }
+
+  @Test (timeout = 60000)
+  public void testQueueMapping() throws Exception {
+    CapacitySchedulerConfiguration csConf =
+        new CapacitySchedulerConfiguration();
+    setupQueueConfiguration(csConf);
+    YarnConfiguration conf = new YarnConfiguration(csConf);
+    CapacityScheduler cs = new CapacityScheduler();
+
+    RMContextImpl rmContext = new RMContextImpl(null, null, null, null, null,
+        null, new RMContainerTokenSecretManager(conf),
+        new NMTokenSecretManagerInRM(conf),
+        new ClientToAMTokenSecretManagerInRM(), null);
+    cs.setConf(conf);
+    cs.setRMContext(rmContext);
+    cs.init(conf);
+    cs.start();
+
+    conf.setClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
+        SimpleGroupsMapping.class, GroupMappingServiceProvider.class);
+    conf.set(CapacitySchedulerConfiguration.ENABLE_QUEUE_MAPPING_OVERRIDE,
+        "true");
+
+    // configuration parsing tests - negative test cases
+    checkInvalidQMapping(conf, cs, "x:a:b", "invalid specifier");
+    checkInvalidQMapping(conf, cs, "u:a", "no queue specified");
+    checkInvalidQMapping(conf, cs, "g:a", "no queue specified");
+    checkInvalidQMapping(conf, cs, "u:a:b,g:a",
+        "multiple mappings with invalid mapping");
+    checkInvalidQMapping(conf, cs, "u:a:b,g:a:d:e", "too many path segments");
+    checkInvalidQMapping(conf, cs, "u::", "empty source and queue");
+    checkInvalidQMapping(conf, cs, "u:", "missing source missing queue");
+    checkInvalidQMapping(conf, cs, "u:a:", "empty source missing q");
+
+    // simple base case for mapping user to queue
+    conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING, "u:a:" + Q1);
+    cs.reinitialize(conf, null);
+    checkQMapping("a", Q1, cs);
+
+    // group mapping test
+    conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING, "g:agroup:" + Q1);
+    cs.reinitialize(conf, null);
+    checkQMapping("a", Q1, cs);
+
+    // %user tests
+    conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING, "u:%user:" + Q2);
+    cs.reinitialize(conf, null);
+    checkQMapping("a", Q2, cs);
+
+    conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING, "u:%user:%user");
+    cs.reinitialize(conf, null);
+    checkQMapping("a", "a", cs);
+
+    // %primary_group tests
+    conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING,
+        "u:%user:%primary_group");
+    cs.reinitialize(conf, null);
+    checkQMapping("a", "agroup", cs);
+
+    // non-primary group mapping
+    conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING,
+        "g:asubgroup1:" + Q1);
+    cs.reinitialize(conf, null);
+    checkQMapping("a", Q1, cs);
+
+    // space trimming
+    conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING, "    u : a : " + Q1);
+    cs.reinitialize(conf, null);
+    checkQMapping("a", Q1, cs);
+
+    csConf = new CapacitySchedulerConfiguration();
+    setupQueueConfiguration(csConf);
+    conf = new YarnConfiguration(csConf);
+
+    resourceManager = new MockRM(csConf);
+    resourceManager.start();
+
+    conf.setClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
+        SimpleGroupsMapping.class, GroupMappingServiceProvider.class);
+    conf.set(CapacitySchedulerConfiguration.ENABLE_QUEUE_MAPPING_OVERRIDE,
+        "true");
+    conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING, "u:user:" + Q1);
+    resourceManager.getResourceScheduler().reinitialize(conf, null);
+
+    // ensure that if the user specifies a Q that is still overriden
+    checkAppQueue(resourceManager, "user", Q2, Q1);
+
+    // toggle admin override and retry
+    conf.setBoolean(
+        CapacitySchedulerConfiguration.ENABLE_QUEUE_MAPPING_OVERRIDE,
+        false);
+    conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING, "u:user:" + Q1);
+    setupQueueConfiguration(csConf);
+    resourceManager.getResourceScheduler().reinitialize(conf, null);
+
+    checkAppQueue(resourceManager, "user", Q2, Q2);
+
+    // ensure that if a user does not specify a Q, the user mapping is used
+    checkAppQueue(resourceManager, "user", null, Q1);
+
+    conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING, "g:usergroup:" + Q2);
+    setupQueueConfiguration(csConf);
+    resourceManager.getResourceScheduler().reinitialize(conf, null);
+
+    // ensure that if a user does not specify a Q, the group mapping is used
+    checkAppQueue(resourceManager, "user", null, Q2);
+
+    // if the mapping specifies a queue that does not exist, the job is rejected
+    conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING,
+        "u:user:non_existent_queue");
+    setupQueueConfiguration(csConf);
+
+    boolean fail = false;
+    try {
+      resourceManager.getResourceScheduler().reinitialize(conf, null);
+    }
+    catch (IOException ioex) {
+      fail = true;
+    }
+    Assert.assertTrue("queue initialization failed for non-existent q", fail);
+    resourceManager.stop();
+  }
+
+  private void checkAppQueue(MockRM resourceManager, String user,
+      String submissionQueue, String expected)
+      throws Exception {
+    RMApp app = resourceManager.submitApp(200, "name", user,
+        new HashMap<ApplicationAccessType, String>(), false, submissionQueue, -1,
+        null, "MAPREDUCE", false);
+    RMAppState expectedState = expected.isEmpty() ? RMAppState.FAILED
+        : RMAppState.ACCEPTED;
+    resourceManager.waitForState(app.getApplicationId(), expectedState);
+    // get scheduler app
+    CapacityScheduler cs = (CapacityScheduler)
+        resourceManager.getResourceScheduler();
+    SchedulerApplication schedulerApp =
+        cs.getSchedulerApplications().get(app.getApplicationId());
+    String queue = "";
+    if (schedulerApp != null) {
+      queue = schedulerApp.getQueue().getQueueName();
+    }
+    Assert.assertTrue("expected " + expected + " actual " + queue,
+        expected.equals(queue));
+    Assert.assertEquals(expected, app.getQueue());
+  }
+
+  private void checkInvalidQMapping(YarnConfiguration conf,
+      CapacityScheduler cs,
+      String mapping, String reason)
+      throws IOException {
+    boolean fail = false;
+    try {
+      conf.set(CapacitySchedulerConfiguration.QUEUE_MAPPING, mapping);
+      cs.reinitialize(conf, null);
+    } catch (IOException ex) {
+      fail = true;
+    }
+    Assert.assertTrue("invalid mapping did not throw exception for " + reason,
+        fail);
+  }
+
+  private void checkQMapping(String user, String expected, CapacityScheduler cs)
+          throws IOException {
+    String actual = cs.getMappedQueueForTest(user);
+    Assert.assertTrue("expected " + expected + " actual " + actual,
+        expected.equals(actual));
+  }
+}

From 1c77c8041009196b03b2e27106bc6497e865e2a8 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Mon, 18 Aug 2014 15:34:58 +0000
Subject: [PATCH 248/354] HDFS-6783. Addendum patch to fix test failures.
 (Contributed by Yi Liu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618635 13f79535-47bb-0310-9956-ffa450edef68
---
 .../CacheReplicationMonitor.java              | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CacheReplicationMonitor.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CacheReplicationMonitor.java
index cfd6333469b..fa5083ca6e0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CacheReplicationMonitor.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/CacheReplicationMonitor.java
@@ -286,19 +286,19 @@ public void close() throws IOException {
   private void rescan() throws InterruptedException {
     scannedDirectives = 0;
     scannedBlocks = 0;
-    namesystem.writeLock();
     try {
-      lock.lock();
-      if (shutdown) {
-        throw new InterruptedException("CacheReplicationMonitor was " +
-            "shut down.");
+      namesystem.writeLock();
+      try {
+        lock.lock();
+        if (shutdown) {
+          throw new InterruptedException("CacheReplicationMonitor was " +
+              "shut down.");
+        }
+        curScanCount = completedScanCount + 1;
+      } finally {
+        lock.unlock();
       }
-      curScanCount = completedScanCount + 1;
-    }
-    finally {
-      lock.unlock();
-    }
-    try {
+
       resetStatistics();
       rescanCacheDirectives();
       rescanCachedBlockMap();

From 08d6201b344cf7a7b4353774f06fb6e6b94541f0 Mon Sep 17 00:00:00 2001
From: Eric Yang <eyang@apache.org>
Date: Mon, 18 Aug 2014 16:13:56 +0000
Subject: [PATCH 249/354] MAPREDUCE-6033. Updated access check for displaying
 job information (Yu Gao via Eric Yang)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618648 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                   |  3 +++
 .../hadoop/mapreduce/v2/app/job/impl/JobImpl.java      |  2 +-
 .../hadoop/mapreduce/v2/app/job/impl/TestJobImpl.java  | 10 +++++-----
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 62b4e525644..142056c8260 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -308,6 +308,9 @@ Release 2.5.0 - UNRELEASED
 
   BUG FIXES 
 
+    MAPREDUCE-6033. Updated access check for displaying job information 
+    (Yu Gao via Eric Yang)
+
     MAPREDUCE-5759. Remove unnecessary conf load in Limits (Sandy Ryza)
 
     MAPREDUCE-5014. Extend Distcp to accept a custom CopyListing.
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/job/impl/JobImpl.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/job/impl/JobImpl.java
index 19dbb05c714..10c93f83e76 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/job/impl/JobImpl.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/job/impl/JobImpl.java
@@ -730,7 +730,7 @@ public boolean checkAccess(UserGroupInformation callerUGI,
     if (jobACL == null) {
       return true;
     }
-    return aclsManager.checkAccess(callerUGI, jobOperation, username, jobACL);
+    return aclsManager.checkAccess(callerUGI, jobOperation, userName, jobACL);
   }
 
   @Override
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/job/impl/TestJobImpl.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/job/impl/TestJobImpl.java
index 65352b75ad0..cae9663e8cc 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/job/impl/TestJobImpl.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/job/impl/TestJobImpl.java
@@ -536,7 +536,7 @@ public void testCheckAccess() {
 
     // Verify access
     JobImpl job1 = new JobImpl(jobId, null, conf1, null, null, null, null, null,
-        null, null, null, true, null, 0, null, null, null, null);
+        null, null, null, true, user1, 0, null, null, null, null);
     Assert.assertTrue(job1.checkAccess(ugi1, JobACL.VIEW_JOB));
     Assert.assertFalse(job1.checkAccess(ugi2, JobACL.VIEW_JOB));
 
@@ -547,7 +547,7 @@ public void testCheckAccess() {
 
     // Verify access
     JobImpl job2 = new JobImpl(jobId, null, conf2, null, null, null, null, null,
-        null, null, null, true, null, 0, null, null, null, null);
+        null, null, null, true, user1, 0, null, null, null, null);
     Assert.assertTrue(job2.checkAccess(ugi1, JobACL.VIEW_JOB));
     Assert.assertTrue(job2.checkAccess(ugi2, JobACL.VIEW_JOB));
 
@@ -558,7 +558,7 @@ public void testCheckAccess() {
 
     // Verify access
     JobImpl job3 = new JobImpl(jobId, null, conf3, null, null, null, null, null,
-        null, null, null, true, null, 0, null, null, null, null);
+        null, null, null, true, user1, 0, null, null, null, null);
     Assert.assertTrue(job3.checkAccess(ugi1, JobACL.VIEW_JOB));
     Assert.assertTrue(job3.checkAccess(ugi2, JobACL.VIEW_JOB));
 
@@ -569,7 +569,7 @@ public void testCheckAccess() {
 
     // Verify access
     JobImpl job4 = new JobImpl(jobId, null, conf4, null, null, null, null, null,
-        null, null, null, true, null, 0, null, null, null, null);
+        null, null, null, true, user1, 0, null, null, null, null);
     Assert.assertTrue(job4.checkAccess(ugi1, JobACL.VIEW_JOB));
     Assert.assertTrue(job4.checkAccess(ugi2, JobACL.VIEW_JOB));
 
@@ -580,7 +580,7 @@ public void testCheckAccess() {
 
     // Verify access
     JobImpl job5 = new JobImpl(jobId, null, conf5, null, null, null, null, null,
-        null, null, null, true, null, 0, null, null, null, null);
+        null, null, null, true, user1, 0, null, null, null, null);
     Assert.assertTrue(job5.checkAccess(ugi1, null));
     Assert.assertTrue(job5.checkAccess(ugi2, null));
   }

From 4a978bff3e8abc86850f89b5c3acffd522c56f80 Mon Sep 17 00:00:00 2001
From: Jason Darrell Lowe <jlowe@apache.org>
Date: Mon, 18 Aug 2014 16:31:38 +0000
Subject: [PATCH 250/354] HADOOP-10059. RPC authentication and authorization
 metrics overflow to negative values on busy clusters. Contributed by Tsuyoshi
 OZAWA and Akira AJISAKA

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618659 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt           | 4 ++++
 .../java/org/apache/hadoop/ipc/metrics/RpcMetrics.java    | 8 ++++----
 .../src/test/java/org/apache/hadoop/ipc/TestRPC.java      | 8 ++++----
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index fb0578f7c50..fff78128619 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -605,6 +605,10 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10964. Small fix for NetworkTopologyWithNodeGroup#sortByDistance.
     (Yi Liu via wang)
 
+    HADOOP-10059. RPC authentication and authorization metrics overflow to
+    negative values on busy clusters (Tsuyoshi OZAWA and Akira AJISAKA
+    via jlowe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/metrics/RpcMetrics.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/metrics/RpcMetrics.java
index 4b2269d6b6a..5eba44a58f6 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/metrics/RpcMetrics.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/metrics/RpcMetrics.java
@@ -88,13 +88,13 @@ public static RpcMetrics create(Server server, Configuration conf) {
   @Metric("Processsing time") MutableRate rpcProcessingTime;
   MutableQuantiles[] rpcProcessingTimeMillisQuantiles;
   @Metric("Number of authentication failures")
-  MutableCounterInt rpcAuthenticationFailures;
+  MutableCounterLong rpcAuthenticationFailures;
   @Metric("Number of authentication successes")
-  MutableCounterInt rpcAuthenticationSuccesses;
+  MutableCounterLong rpcAuthenticationSuccesses;
   @Metric("Number of authorization failures")
-  MutableCounterInt rpcAuthorizationFailures;
+  MutableCounterLong rpcAuthorizationFailures;
   @Metric("Number of authorization sucesses")
-  MutableCounterInt rpcAuthorizationSuccesses;
+  MutableCounterLong rpcAuthorizationSuccesses;
 
   @Metric("Number of open connections") public int numOpenConnections() {
     return server.getNumOpenConnections();
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestRPC.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestRPC.java
index dfbc91c43a6..f0e389ff5de 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestRPC.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestRPC.java
@@ -583,14 +583,14 @@ private void doRPCs(Configuration conf, boolean expectFailure) throws IOExceptio
       }
       MetricsRecordBuilder rb = getMetrics(server.rpcMetrics.name());
       if (expectFailure) {
-        assertCounter("RpcAuthorizationFailures", 1, rb);
+        assertCounter("RpcAuthorizationFailures", 1L, rb);
       } else {
-        assertCounter("RpcAuthorizationSuccesses", 1, rb);
+        assertCounter("RpcAuthorizationSuccesses", 1L, rb);
       }
       //since we don't have authentication turned ON, we should see 
       // 0 for the authentication successes and 0 for failure
-      assertCounter("RpcAuthenticationFailures", 0, rb);
-      assertCounter("RpcAuthenticationSuccesses", 0, rb);
+      assertCounter("RpcAuthenticationFailures", 0L, rb);
+      assertCounter("RpcAuthenticationSuccesses", 0L, rb);
     }
   }
   

From f8e871d01b851cd5d8c57dd7e364b3e787521765 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Mon, 18 Aug 2014 17:57:48 +0000
Subject: [PATCH 251/354] MAPREDUCE-6024. Shortened the time when Fetcher is
 stuck in retrying before concluding the failure by configuration. Contributed
 by Yunjiong Zhao.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618677 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt          |  3 ++
 .../mapreduce/v2/app/job/impl/JobImpl.java    | 28 +++++++++++----
 .../apache/hadoop/mapreduce/MRJobConfig.java  |  8 +++++
 .../hadoop/mapreduce/task/reduce/Fetcher.java |  2 ++
 .../task/reduce/ShuffleSchedulerImpl.java     | 34 +++++++++++++------
 5 files changed, 57 insertions(+), 18 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 142056c8260..ddec273dcb1 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -227,6 +227,9 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-6032. Made MR jobs write job history files on the default FS when
     the current context's FS is different. (Benjamin Zhitomirsky via zjshen)
 
+    MAPREDUCE-6024. Shortened the time when Fetcher is stuck in retrying before
+    concluding the failure by configuration. (Yunjiong Zhao via zjshen)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/job/impl/JobImpl.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/job/impl/JobImpl.java
index 10c93f83e76..c1bc17df97c 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/job/impl/JobImpl.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/job/impl/JobImpl.java
@@ -148,10 +148,10 @@ public class JobImpl implements org.apache.hadoop.mapreduce.v2.app.job.Job,
   private static final Log LOG = LogFactory.getLog(JobImpl.class);
 
   //The maximum fraction of fetch failures allowed for a map
-  private static final double MAX_ALLOWED_FETCH_FAILURES_FRACTION = 0.5;
-
-  // Maximum no. of fetch-failure notifications after which map task is failed
-  private static final int MAX_FETCH_FAILURES_NOTIFICATIONS = 3;
+  private float maxAllowedFetchFailuresFraction;
+  
+  //Maximum no. of fetch-failure notifications after which map task is failed
+  private int maxFetchFailuresNotifications;
 
   public static final String JOB_KILLED_DIAG =
       "Job received Kill while in RUNNING state.";
@@ -704,6 +704,13 @@ public JobImpl(JobId jobId, ApplicationAttemptId applicationAttemptId,
     if(forcedDiagnostic != null) {
       this.diagnostics.add(forcedDiagnostic);
     }
+    
+    this.maxAllowedFetchFailuresFraction = conf.getFloat(
+        MRJobConfig.MAX_ALLOWED_FETCH_FAILURES_FRACTION,
+        MRJobConfig.DEFAULT_MAX_ALLOWED_FETCH_FAILURES_FRACTION);
+    this.maxFetchFailuresNotifications = conf.getInt(
+        MRJobConfig.MAX_FETCH_FAILURES_NOTIFICATIONS,
+        MRJobConfig.DEFAULT_MAX_FETCH_FAILURES_NOTIFICATIONS);
   }
 
   protected StateMachine<JobStateInternal, JobEventType, JobEvent> getStateMachine() {
@@ -1900,9 +1907,8 @@ public void transition(JobImpl job, JobEvent event) {
         float failureRate = shufflingReduceTasks == 0 ? 1.0f : 
           (float) fetchFailures / shufflingReduceTasks;
         // declare faulty if fetch-failures >= max-allowed-failures
-        boolean isMapFaulty =
-            (failureRate >= MAX_ALLOWED_FETCH_FAILURES_FRACTION);
-        if (fetchFailures >= MAX_FETCH_FAILURES_NOTIFICATIONS && isMapFaulty) {
+        if (fetchFailures >= job.getMaxFetchFailuresNotifications()
+            && failureRate >= job.getMaxAllowedFetchFailuresFraction()) {
           LOG.info("Too many fetch-failures for output of task attempt: " + 
               mapId + " ... raising fetch failure to map");
           job.eventHandler.handle(new TaskAttemptEvent(mapId, 
@@ -2185,4 +2191,12 @@ public Configuration loadConfFile() throws IOException {
     jobConf.addResource(fc.open(confPath), confPath.toString());
     return jobConf;
   }
+
+  public float getMaxAllowedFetchFailuresFraction() {
+    return maxAllowedFetchFailuresFraction;
+  }
+
+  public int getMaxFetchFailuresNotifications() {
+    return maxFetchFailuresNotifications;
+  }
 }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java
index 0a586967d01..aef84c0ccad 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRJobConfig.java
@@ -293,11 +293,19 @@ public interface MRJobConfig {
   public static final String SHUFFLE_READ_TIMEOUT = "mapreduce.reduce.shuffle.read.timeout";
 
   public static final String SHUFFLE_FETCH_FAILURES = "mapreduce.reduce.shuffle.maxfetchfailures";
+  public static final String MAX_ALLOWED_FETCH_FAILURES_FRACTION = "mapreduce.reduce.shuffle.max-fetch-failures-fraction";
+  public static final float DEFAULT_MAX_ALLOWED_FETCH_FAILURES_FRACTION = 0.5f;
+  
+  public static final String MAX_FETCH_FAILURES_NOTIFICATIONS = "mapreduce.reduce.shuffle.max-fetch-failures-notifications";
+  public static final int DEFAULT_MAX_FETCH_FAILURES_NOTIFICATIONS = 3;
 
   public static final String SHUFFLE_NOTIFY_READERROR = "mapreduce.reduce.shuffle.notify.readerror";
   
   public static final String MAX_SHUFFLE_FETCH_RETRY_DELAY = "mapreduce.reduce.shuffle.retry-delay.max.ms";
   public static final long DEFAULT_MAX_SHUFFLE_FETCH_RETRY_DELAY = 60000;
+  
+  public static final String MAX_SHUFFLE_FETCH_HOST_FAILURES = "mapreduce.reduce.shuffle.max-host-failures";
+  public static final int DEFAULT_MAX_SHUFFLE_FETCH_HOST_FAILURES = 5;
 
   public static final String REDUCE_SKIP_INCR_PROC_COUNT = "mapreduce.reduce.skip.proc-count.auto-incr";
 
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/Fetcher.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/Fetcher.java
index 00d4764e665..94966b91560 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/Fetcher.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/Fetcher.java
@@ -319,6 +319,7 @@ protected void copyFromHost(MapHost host) throws IOException {
 
       // If connect did not succeed, just mark all the maps as failed,
       // indirectly penalizing the host
+      scheduler.hostFailed(host.getHostName());
       for(TaskAttemptID left: remaining) {
         scheduler.copyFailed(left, host, false, connectExcpt);
       }
@@ -343,6 +344,7 @@ protected void copyFromHost(MapHost host) throws IOException {
       
       if(failedTasks != null && failedTasks.length > 0) {
         LOG.warn("copyMapOutput failed for tasks "+Arrays.toString(failedTasks));
+        scheduler.hostFailed(host.getHostName());
         for(TaskAttemptID left: failedTasks) {
           scheduler.copyFailed(left, host, true, false);
         }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/ShuffleSchedulerImpl.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/ShuffleSchedulerImpl.java
index 6f9b222bdcf..63f326632ef 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/ShuffleSchedulerImpl.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/task/reduce/ShuffleSchedulerImpl.java
@@ -18,7 +18,6 @@
 package org.apache.hadoop.mapreduce.task.reduce;
 
 import java.io.IOException;
-
 import java.net.InetAddress;
 import java.net.URI;
 import java.net.UnknownHostException;
@@ -101,6 +100,7 @@ protected Long initialValue() {
 
   private final boolean reportReadErrorImmediately;
   private long maxDelay = MRJobConfig.DEFAULT_MAX_SHUFFLE_FETCH_RETRY_DELAY;
+  private int maxHostFailures;
 
   public ShuffleSchedulerImpl(JobConf job, TaskStatus status,
                           TaskAttemptID reduceId,
@@ -132,6 +132,9 @@ public ShuffleSchedulerImpl(JobConf job, TaskStatus status,
 
     this.maxDelay = job.getLong(MRJobConfig.MAX_SHUFFLE_FETCH_RETRY_DELAY,
         MRJobConfig.DEFAULT_MAX_SHUFFLE_FETCH_RETRY_DELAY);
+    this.maxHostFailures = job.getInt(
+        MRJobConfig.MAX_SHUFFLE_FETCH_HOST_FAILURES,
+        MRJobConfig.DEFAULT_MAX_SHUFFLE_FETCH_HOST_FAILURES);
   }
 
   @Override
@@ -213,9 +216,18 @@ private void updateStatus() {
     progress.setStatus("copy(" + mapsDone + " of " + totalMaps + " at "
         + mbpsFormat.format(transferRate) + " MB/s)");
   }
+  
+  public synchronized void hostFailed(String hostname) {
+    if (hostFailures.containsKey(hostname)) {
+      IntWritable x = hostFailures.get(hostname);
+      x.set(x.get() + 1);
+    } else {
+      hostFailures.put(hostname, new IntWritable(1));
+    }
+  }
 
   public synchronized void copyFailed(TaskAttemptID mapId, MapHost host,
-                                      boolean readError, boolean connectExcpt) {
+      boolean readError, boolean connectExcpt) {
     host.penalize();
     int failures = 1;
     if (failureCounts.containsKey(mapId)) {
@@ -226,12 +238,9 @@ public synchronized void copyFailed(TaskAttemptID mapId, MapHost host,
       failureCounts.put(mapId, new IntWritable(1));
     }
     String hostname = host.getHostName();
-    if (hostFailures.containsKey(hostname)) {
-      IntWritable x = hostFailures.get(hostname);
-      x.set(x.get() + 1);
-    } else {
-      hostFailures.put(hostname, new IntWritable(1));
-    }
+    //report failure if already retried maxHostFailures times
+    boolean hostFail = hostFailures.get(hostname).get() > getMaxHostFailures() ? true : false;
+    
     if (failures >= abortFailureLimit) {
       try {
         throw new IOException(failures + " failures downloading " + mapId);
@@ -240,7 +249,7 @@ public synchronized void copyFailed(TaskAttemptID mapId, MapHost host,
       }
     }
 
-    checkAndInformJobTracker(failures, mapId, readError, connectExcpt);
+    checkAndInformJobTracker(failures, mapId, readError, connectExcpt, hostFail);
 
     checkReducerHealth();
 
@@ -270,9 +279,9 @@ public void reportLocalError(IOException ioe) {
   // after every 'maxFetchFailuresBeforeReporting' failures
   private void checkAndInformJobTracker(
       int failures, TaskAttemptID mapId, boolean readError,
-      boolean connectExcpt) {
+      boolean connectExcpt, boolean hostFailed) {
     if (connectExcpt || (reportReadErrorImmediately && readError)
-        || ((failures % maxFetchFailuresBeforeReporting) == 0)) {
+        || ((failures % maxFetchFailuresBeforeReporting) == 0) || hostFailed) {
       LOG.info("Reporting fetch failure for " + mapId + " to jobtracker.");
       status.addFetchFailedMap((org.apache.hadoop.mapred.TaskAttemptID) mapId);
     }
@@ -507,4 +516,7 @@ public void close() throws InterruptedException {
     referee.join();
   }
 
+  public int getMaxHostFailures() {
+    return maxHostFailures;
+  }
 }

From e446497cd1e9b892659e9cfb79d37f33a4e39de0 Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Mon, 18 Aug 2014 18:02:37 +0000
Subject: [PATCH 252/354] HDFS-6561. org.apache.hadoop.util.DataChecksum should
 support native checksumming (James Thomas via Colin Patrick McCabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618680 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   3 +
 .../org/apache/hadoop/util/DataChecksum.java  |  14 +-
 .../org/apache/hadoop/util/NativeCrc32.java   |  33 +++-
 .../src/org/apache/hadoop/util/NativeCrc32.c  |  30 ++--
 .../src/org/apache/hadoop/util/bulk_crc32.c   |  60 +++----
 .../src/org/apache/hadoop/util/bulk_crc32.h   |  49 ++----
 .../org/apache/hadoop/util/test_bulk_crc32.c  |   6 +-
 .../apache/hadoop/util/TestDataChecksum.java  | 154 ++++++++++++------
 8 files changed, 197 insertions(+), 152 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index fff78128619..69aec036ed8 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -527,6 +527,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10335. An ip whilelist based implementation to resolve Sasl
     properties per connection. (Benoy Antony via Arpit Agarwal)
 
+    HDFS-6561. org.apache.hadoop.util.DataChecksum should support native
+    checksumming (James Thomas via Colin Patrick McCabe)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java
index 27984b48c7e..1636af68a36 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java
@@ -390,6 +390,12 @@ public void calculateChunkedSums(ByteBuffer data, ByteBuffer checksums) {
           checksums.array(), checksums.arrayOffset() + checksums.position());
       return;
     }
+
+    if (NativeCrc32.isAvailable()) {
+      NativeCrc32.calculateChunkedSums(bytesPerChecksum, type.id,
+          checksums, data);
+      return;
+    }
     
     data.mark();
     checksums.mark();
@@ -412,10 +418,16 @@ public void calculateChunkedSums(ByteBuffer data, ByteBuffer checksums) {
    * Implementation of chunked calculation specifically on byte arrays. This
    * is to avoid the copy when dealing with ByteBuffers that have array backing.
    */
-  private void calculateChunkedSums(
+  public void calculateChunkedSums(
       byte[] data, int dataOffset, int dataLength,
       byte[] sums, int sumsOffset) {
 
+    if (NativeCrc32.isAvailable()) {
+      NativeCrc32.calculateChunkedSumsByteArray(bytesPerChecksum, type.id,
+          sums, sumsOffset, data, dataOffset, dataLength);
+      return;
+    }
+
     int remaining = dataLength;
     while (remaining > 0) {
       int n = Math.min(remaining, bytesPerChecksum);
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java
index 26a5e9b10dd..2f21ae1a03d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java
@@ -54,33 +54,50 @@ public static boolean isAvailable() {
   public static void verifyChunkedSums(int bytesPerSum, int checksumType,
       ByteBuffer sums, ByteBuffer data, String fileName, long basePos)
       throws ChecksumException {
-    nativeVerifyChunkedSums(bytesPerSum, checksumType,
+    nativeComputeChunkedSums(bytesPerSum, checksumType,
         sums, sums.position(),
         data, data.position(), data.remaining(),
-        fileName, basePos);
+        fileName, basePos, true);
   }
 
   public static void verifyChunkedSumsByteArray(int bytesPerSum,
       int checksumType, byte[] sums, int sumsOffset, byte[] data,
       int dataOffset, int dataLength, String fileName, long basePos)
       throws ChecksumException {
-    nativeVerifyChunkedSumsByteArray(bytesPerSum, checksumType,
+    nativeComputeChunkedSumsByteArray(bytesPerSum, checksumType,
         sums, sumsOffset,
         data, dataOffset, dataLength,
-        fileName, basePos);
+        fileName, basePos, true);
+  }
+
+  public static void calculateChunkedSums(int bytesPerSum, int checksumType,
+      ByteBuffer sums, ByteBuffer data) {
+    nativeComputeChunkedSums(bytesPerSum, checksumType,
+        sums, sums.position(),
+        data, data.position(), data.remaining(),
+        "", 0, false);
+  }
+
+  public static void calculateChunkedSumsByteArray(int bytesPerSum,
+      int checksumType, byte[] sums, int sumsOffset, byte[] data,
+      int dataOffset, int dataLength) {
+    nativeComputeChunkedSumsByteArray(bytesPerSum, checksumType,
+        sums, sumsOffset,
+        data, dataOffset, dataLength,
+        "", 0, false);
   }
   
-    private static native void nativeVerifyChunkedSums(
+    private static native void nativeComputeChunkedSums(
       int bytesPerSum, int checksumType,
       ByteBuffer sums, int sumsOffset,
       ByteBuffer data, int dataOffset, int dataLength,
-      String fileName, long basePos);
+      String fileName, long basePos, boolean verify);
 
-    private static native void nativeVerifyChunkedSumsByteArray(
+    private static native void nativeComputeChunkedSumsByteArray(
       int bytesPerSum, int checksumType,
       byte[] sums, int sumsOffset,
       byte[] data, int dataOffset, int dataLength,
-      String fileName, long basePos);
+      String fileName, long basePos, boolean verify);
 
   // Copy the constants over from DataChecksum so that javah will pick them up
   // and make them available in the native code header.
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCrc32.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCrc32.c
index 4bd69bc41d7..899c59f9809 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCrc32.c
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/NativeCrc32.c
@@ -117,12 +117,12 @@ static int convert_java_crc_type(JNIEnv *env, jint crc_type) {
   }
 }
 
-JNIEXPORT void JNICALL Java_org_apache_hadoop_util_NativeCrc32_nativeVerifyChunkedSums
+JNIEXPORT void JNICALL Java_org_apache_hadoop_util_NativeCrc32_nativeComputeChunkedSums
   (JNIEnv *env, jclass clazz,
     jint bytes_per_checksum, jint j_crc_type,
     jobject j_sums, jint sums_offset,
     jobject j_data, jint data_offset, jint data_len,
-    jstring j_filename, jlong base_pos)
+    jstring j_filename, jlong base_pos, jboolean verify)
 {
   uint8_t *sums_addr;
   uint8_t *data_addr;
@@ -166,27 +166,27 @@ JNIEXPORT void JNICALL Java_org_apache_hadoop_util_NativeCrc32_nativeVerifyChunk
   if (crc_type == -1) return; // exception already thrown
 
   // Setup complete. Actually verify checksums.
-  ret = bulk_verify_crc(data, data_len, sums, crc_type,
-                            bytes_per_checksum, &error_data);
-  if (likely(ret == CHECKSUMS_VALID)) {
+  ret = bulk_crc(data, data_len, sums, crc_type,
+                            bytes_per_checksum, verify ? &error_data : NULL);
+  if (likely(verify && ret == CHECKSUMS_VALID || !verify && ret == 0)) {
     return;
-  } else if (unlikely(ret == INVALID_CHECKSUM_DETECTED)) {
+  } else if (unlikely(verify && ret == INVALID_CHECKSUM_DETECTED)) {
     long pos = base_pos + (error_data.bad_data - data);
     throw_checksum_exception(
       env, error_data.got_crc, error_data.expected_crc,
       j_filename, pos);
   } else {
     THROW(env, "java/lang/AssertionError",
-      "Bad response code from native bulk_verify_crc");
+      "Bad response code from native bulk_crc");
   }
 }
 
-JNIEXPORT void JNICALL Java_org_apache_hadoop_util_NativeCrc32_nativeVerifyChunkedSumsByteArray
+JNIEXPORT void JNICALL Java_org_apache_hadoop_util_NativeCrc32_nativeComputeChunkedSumsByteArray
   (JNIEnv *env, jclass clazz,
     jint bytes_per_checksum, jint j_crc_type,
     jarray j_sums, jint sums_offset,
     jarray j_data, jint data_offset, jint data_len,
-    jstring j_filename, jlong base_pos)
+    jstring j_filename, jlong base_pos, jboolean verify)
 {
   uint8_t *sums_addr;
   uint8_t *data_addr;
@@ -237,21 +237,21 @@ JNIEXPORT void JNICALL Java_org_apache_hadoop_util_NativeCrc32_nativeVerifyChunk
     data = data_addr + data_offset + checksumNum * bytes_per_checksum;
 
     // Setup complete. Actually verify checksums.
-    ret = bulk_verify_crc(data, MIN(numChecksumsPerIter * bytes_per_checksum,
-                                    data_len - checksumNum * bytes_per_checksum),
-                          sums, crc_type, bytes_per_checksum, &error_data);
+    ret = bulk_crc(data, MIN(numChecksumsPerIter * bytes_per_checksum,
+                             data_len - checksumNum * bytes_per_checksum),
+                   sums, crc_type, bytes_per_checksum, verify ? &error_data : NULL);
     (*env)->ReleasePrimitiveArrayCritical(env, j_data, data_addr, 0);
     (*env)->ReleasePrimitiveArrayCritical(env, j_sums, sums_addr, 0);
-    if (unlikely(ret == INVALID_CHECKSUM_DETECTED)) {
+    if (unlikely(verify && ret == INVALID_CHECKSUM_DETECTED)) {
       long pos = base_pos + (error_data.bad_data - data) + checksumNum *
         bytes_per_checksum;
       throw_checksum_exception(
         env, error_data.got_crc, error_data.expected_crc,
         j_filename, pos);
       return;
-    } else if (unlikely(ret != CHECKSUMS_VALID)) {
+    } else if (unlikely(verify && ret != CHECKSUMS_VALID || !verify && ret != 0)) {
       THROW(env, "java/lang/AssertionError",
-        "Bad response code from native bulk_verify_crc");
+        "Bad response code from native bulk_crc");
       return;
     }
     checksumNum += numChecksumsPerIter;
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/bulk_crc32.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/bulk_crc32.c
index 4f02eedd6a7..c7efb8db95c 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/bulk_crc32.c
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/bulk_crc32.c
@@ -55,40 +55,23 @@ static void pipelined_crc32c(uint32_t *crc1, uint32_t *crc2, uint32_t *crc3, con
 static int cached_cpu_supports_crc32; // initialized by constructor below
 static uint32_t crc32c_hardware(uint32_t crc, const uint8_t* data, size_t length);
 
-int bulk_calculate_crc(const uint8_t *data, size_t data_len,
-                    uint32_t *sums, int checksum_type,
-                    int bytes_per_checksum) {
-  uint32_t crc;
-  crc_update_func_t crc_update_func;
-
-  switch (checksum_type) {
-    case CRC32_ZLIB_POLYNOMIAL:
-      crc_update_func = crc32_zlib_sb8;
-      break;
-    case CRC32C_POLYNOMIAL:
-      crc_update_func = crc32c_sb8;
-      break;
-    default:
-      return -EINVAL;
-      break;
+static inline int store_or_verify(uint32_t *sums, uint32_t crc,
+                                   int is_verify) {
+  if (!is_verify) {
+    *sums = crc;
+    return 1;
+  } else {
+    return crc == *sums;
   }
-  while (likely(data_len > 0)) {
-    int len = likely(data_len >= bytes_per_checksum) ? bytes_per_checksum : data_len;
-    crc = CRC_INITIAL_VAL;
-    crc = crc_update_func(crc, data, len);
-    *sums = ntohl(crc_val(crc));
-    data += len;
-    data_len -= len;
-    sums++;
-  }
-  return 0;
 }
 
-int bulk_verify_crc(const uint8_t *data, size_t data_len,
-                    const uint32_t *sums, int checksum_type,
+int bulk_crc(const uint8_t *data, size_t data_len,
+                    uint32_t *sums, int checksum_type,
                     int bytes_per_checksum,
                     crc32_error_t *error_info) {
 
+  int is_verify = error_info != NULL;
+
 #ifdef USE_PIPELINED
   uint32_t crc1, crc2, crc3;
   int n_blocks = data_len / bytes_per_checksum;
@@ -112,7 +95,7 @@ int bulk_verify_crc(const uint8_t *data, size_t data_len,
       }
       break;
     default:
-      return INVALID_CHECKSUM_TYPE;
+      return is_verify ? INVALID_CHECKSUM_TYPE : -EINVAL;
   }
 
 #ifdef USE_PIPELINED
@@ -122,16 +105,15 @@ int bulk_verify_crc(const uint8_t *data, size_t data_len,
       crc1 = crc2 = crc3 = CRC_INITIAL_VAL;
       pipelined_crc32c(&crc1, &crc2, &crc3, data, bytes_per_checksum, 3);
 
-      crc = ntohl(crc_val(crc1));
-      if ((crc = ntohl(crc_val(crc1))) != *sums)
+      if (unlikely(!store_or_verify(sums, (crc = ntohl(crc_val(crc1))), is_verify)))
         goto return_crc_error;
       sums++;
       data += bytes_per_checksum;
-      if ((crc = ntohl(crc_val(crc2))) != *sums)
+      if (unlikely(!store_or_verify(sums, (crc = ntohl(crc_val(crc2))), is_verify)))
         goto return_crc_error;
       sums++;
       data += bytes_per_checksum;
-      if ((crc = ntohl(crc_val(crc3))) != *sums)
+      if (unlikely(!store_or_verify(sums, (crc = ntohl(crc_val(crc3))), is_verify)))
         goto return_crc_error;
       sums++;
       data += bytes_per_checksum;
@@ -143,12 +125,12 @@ int bulk_verify_crc(const uint8_t *data, size_t data_len,
       crc1 = crc2 = crc3 = CRC_INITIAL_VAL;
       pipelined_crc32c(&crc1, &crc2, &crc3, data, bytes_per_checksum, n_blocks);
 
-      if ((crc = ntohl(crc_val(crc1))) != *sums)
+      if (unlikely(!store_or_verify(sums, (crc = ntohl(crc_val(crc1))), is_verify)))
         goto return_crc_error;
       data += bytes_per_checksum;
       sums++;
       if (n_blocks == 2) {
-        if ((crc = ntohl(crc_val(crc2))) != *sums)
+        if (unlikely(!store_or_verify(sums, (crc = ntohl(crc_val(crc2))), is_verify)))
           goto return_crc_error;
         sums++;
         data += bytes_per_checksum;
@@ -160,10 +142,10 @@ int bulk_verify_crc(const uint8_t *data, size_t data_len,
       crc1 = crc2 = crc3 = CRC_INITIAL_VAL;
       pipelined_crc32c(&crc1, &crc2, &crc3, data, remainder, 1);
 
-      if ((crc = ntohl(crc_val(crc1))) != *sums)
+      if (unlikely(!store_or_verify(sums, (crc = ntohl(crc_val(crc1))), is_verify)))
         goto return_crc_error;
     }
-    return CHECKSUMS_VALID;
+    return is_verify ? CHECKSUMS_VALID : 0;
   }
 #endif
 
@@ -172,14 +154,14 @@ int bulk_verify_crc(const uint8_t *data, size_t data_len,
     crc = CRC_INITIAL_VAL;
     crc = crc_update_func(crc, data, len);
     crc = ntohl(crc_val(crc));
-    if (unlikely(crc != *sums)) {
+    if (unlikely(!store_or_verify(sums, crc, is_verify))) {
       goto return_crc_error;
     }
     data += len;
     data_len -= len;
     sums++;
   }
-  return CHECKSUMS_VALID;
+  return is_verify ? CHECKSUMS_VALID : 0;
 
 return_crc_error:
   if (error_info != NULL) {
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/bulk_crc32.h b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/bulk_crc32.h
index fce5358d646..b38a65acc6b 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/bulk_crc32.h
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/util/bulk_crc32.h
@@ -42,49 +42,32 @@ typedef struct crc32_error {
 
 
 /**
- * Verify a buffer of data which is checksummed in chunks
- * of bytes_per_checksum bytes. The checksums are each 32 bits
- * and are stored in sequential indexes of the 'sums' array.
+ * Either calculates checksums for or verifies a buffer of data.
+ * Checksums performed in chunks of bytes_per_checksum bytes. The checksums
+ * are each 32 bits and are stored in sequential indexes of the 'sums' array.
+ * Verification is done (sums is assumed to already contain the checksums)
+ * if error_info is non-null; otherwise calculation is done and checksums
+ * are stored into sums.
  *
  * @param data                  The data to checksum
  * @param dataLen               Length of the data buffer
- * @param sums                  (out param) buffer to write checksums into.
- *                              It must contain at least dataLen * 4 bytes.
+ * @param sums                  (out param) buffer to write checksums into or
+ *                              where checksums are already stored.
+ *                              It must contain at least
+ *                              ((dataLen - 1) / bytes_per_checksum + 1) * 4 bytes.
  * @param checksum_type         One of the CRC32 algorithm constants defined 
  *                              above
  * @param bytes_per_checksum    How many bytes of data to process per checksum.
- * @param error_info            If non-NULL, will be filled in if an error
- *                              is detected
+ * @param error_info            If non-NULL, verification will be performed and
+ *                              it will be filled in if an error
+ *                              is detected. Otherwise calculation is performed.
  *
  * @return                      0 for success, non-zero for an error, result codes
- *                              for which are defined above
+ *                              for verification are defined above
  */
-extern int bulk_verify_crc(const uint8_t *data, size_t data_len,
-    const uint32_t *sums, int checksum_type,
+extern int bulk_crc(const uint8_t *data, size_t data_len,
+    uint32_t *sums, int checksum_type,
     int bytes_per_checksum,
     crc32_error_t *error_info);
 
-/**
- * Calculate checksums for some data.
- *
- * The checksums are each 32 bits and are stored in sequential indexes of the
- * 'sums' array.
- *
- * This function is not (yet) optimized.  It is provided for testing purposes
- * only.
- *
- * @param data                  The data to checksum
- * @param dataLen               Length of the data buffer
- * @param sums                  (out param) buffer to write checksums into.
- *                              It must contain at least dataLen * 4 bytes.
- * @param checksum_type         One of the CRC32 algorithm constants defined 
- *                              above
- * @param bytesPerChecksum      How many bytes of data to process per checksum.
- *
- * @return                      0 for success, non-zero for an error
- */
-int bulk_calculate_crc(const uint8_t *data, size_t data_len,
-                    uint32_t *sums, int checksum_type,
-                    int bytes_per_checksum);
-
 #endif
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/test/org/apache/hadoop/util/test_bulk_crc32.c b/hadoop-common-project/hadoop-common/src/main/native/src/test/org/apache/hadoop/util/test_bulk_crc32.c
index c962337830e..5a8c9f2d855 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/test/org/apache/hadoop/util/test_bulk_crc32.c
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/test/org/apache/hadoop/util/test_bulk_crc32.c
@@ -48,9 +48,9 @@ static int testBulkVerifyCrc(int dataLen, int crcType, int bytesPerChecksum)
   sums = calloc(sizeof(uint32_t),
                 (dataLen + bytesPerChecksum - 1) / bytesPerChecksum);
 
-  EXPECT_ZERO(bulk_calculate_crc(data, dataLen, sums, crcType,
-                                 bytesPerChecksum));
-  EXPECT_ZERO(bulk_verify_crc(data, dataLen, sums, crcType,
+  EXPECT_ZERO(bulk_crc(data, dataLen, sums, crcType,
+                                 bytesPerChecksum, NULL));
+  EXPECT_ZERO(bulk_crc(data, dataLen, sums, crcType,
                             bytesPerChecksum, &errorData));
   free(data);
   free(sums);
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestDataChecksum.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestDataChecksum.java
index 1e523da6948..34fc32aa08f 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestDataChecksum.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestDataChecksum.java
@@ -19,6 +19,9 @@
 
 import java.nio.ByteBuffer;
 import java.util.Random;
+import java.util.concurrent.TimeUnit;
+
+import com.google.common.base.Stopwatch;
 
 import org.apache.hadoop.fs.ChecksumException;
 import org.junit.Test;
@@ -53,68 +56,113 @@ public void testBulkOps() throws Exception {
       }
     }
   }
-  
-  private void doBulkTest(DataChecksum checksum, int dataLength,
-      boolean useDirect) throws Exception {
-    System.err.println("Testing bulk checksums of length " + 
-        dataLength + " with " +
-        (useDirect ? "direct" : "array-backed") + " buffers");
-    int numSums = (dataLength - 1)/checksum.getBytesPerChecksum() + 1;
-    int sumsLength = numSums * checksum.getChecksumSize();
-    
-    byte data[] = new byte[dataLength +
-                           DATA_OFFSET_IN_BUFFER +
-                           DATA_TRAILER_IN_BUFFER];
-    new Random().nextBytes(data);
-    ByteBuffer dataBuf = ByteBuffer.wrap(
+
+  private static class Harness {
+    final DataChecksum checksum;
+    final int dataLength, sumsLength, numSums;
+    ByteBuffer dataBuf, checksumBuf;
+
+    Harness(DataChecksum checksum, int dataLength, boolean useDirect) {
+      this.checksum = checksum;
+      this.dataLength = dataLength;
+
+      numSums = (dataLength - 1)/checksum.getBytesPerChecksum() + 1;
+      sumsLength = numSums * checksum.getChecksumSize();
+
+      byte data[] = new byte[dataLength +
+                             DATA_OFFSET_IN_BUFFER +
+                             DATA_TRAILER_IN_BUFFER];
+      new Random().nextBytes(data);
+      dataBuf = ByteBuffer.wrap(
         data, DATA_OFFSET_IN_BUFFER, dataLength);
 
-    byte checksums[] = new byte[SUMS_OFFSET_IN_BUFFER + sumsLength];
-    ByteBuffer checksumBuf = ByteBuffer.wrap(
+      byte checksums[] = new byte[SUMS_OFFSET_IN_BUFFER + sumsLength];
+      checksumBuf = ByteBuffer.wrap(
         checksums, SUMS_OFFSET_IN_BUFFER, sumsLength);
-    
-    // Swap out for direct buffers if requested.
-    if (useDirect) {
-      dataBuf = directify(dataBuf);
-      checksumBuf = directify(checksumBuf);
-    }
-    
-    // calculate real checksum, make sure it passes
-    checksum.calculateChunkedSums(dataBuf, checksumBuf);
-    checksum.verifyChunkedSums(dataBuf, checksumBuf, "fake file", 0);
 
-    // Change a byte in the header and in the trailer, make sure
-    // it doesn't affect checksum result
-    corruptBufferOffset(checksumBuf, 0);
-    checksum.verifyChunkedSums(dataBuf, checksumBuf, "fake file", 0);
-    corruptBufferOffset(dataBuf, 0);
-    dataBuf.limit(dataBuf.limit() + 1);
-    corruptBufferOffset(dataBuf, dataLength + DATA_OFFSET_IN_BUFFER);
-    dataBuf.limit(dataBuf.limit() - 1);
-    checksum.verifyChunkedSums(dataBuf, checksumBuf, "fake file", 0);    
-    
-    // Make sure bad checksums fail - error at beginning of array
-    corruptBufferOffset(checksumBuf, SUMS_OFFSET_IN_BUFFER);
-    try {
-      checksum.verifyChunkedSums(dataBuf, checksumBuf, "fake file", 0);
-      fail("Did not throw on bad checksums");
-    } catch (ChecksumException ce) {
-      assertEquals(0, ce.getPos());
+      // Swap out for direct buffers if requested.
+      if (useDirect) {
+        dataBuf = directify(dataBuf);
+        checksumBuf = directify(checksumBuf);
+      }
     }
 
-    // Make sure bad checksums fail - error at end of array
-    uncorruptBufferOffset(checksumBuf, SUMS_OFFSET_IN_BUFFER);
-    corruptBufferOffset(checksumBuf, SUMS_OFFSET_IN_BUFFER + sumsLength - 1);
-    try {
+    void testCorrectness() throws ChecksumException {
+      // calculate real checksum, make sure it passes
+      checksum.calculateChunkedSums(dataBuf, checksumBuf);
       checksum.verifyChunkedSums(dataBuf, checksumBuf, "fake file", 0);
-      fail("Did not throw on bad checksums");
-    } catch (ChecksumException ce) {
-      int expectedPos = checksum.getBytesPerChecksum() * (numSums - 1);
-      assertEquals(expectedPos, ce.getPos());
-      assertTrue(ce.getMessage().contains("fake file"));
+
+      // Change a byte in the header and in the trailer, make sure
+      // it doesn't affect checksum result
+      corruptBufferOffset(checksumBuf, 0);
+      checksum.verifyChunkedSums(dataBuf, checksumBuf, "fake file", 0);
+      corruptBufferOffset(dataBuf, 0);
+      dataBuf.limit(dataBuf.limit() + 1);
+      corruptBufferOffset(dataBuf, dataLength + DATA_OFFSET_IN_BUFFER);
+      dataBuf.limit(dataBuf.limit() - 1);
+      checksum.verifyChunkedSums(dataBuf, checksumBuf, "fake file", 0);
+
+      // Make sure bad checksums fail - error at beginning of array
+      corruptBufferOffset(checksumBuf, SUMS_OFFSET_IN_BUFFER);
+      try {
+        checksum.verifyChunkedSums(dataBuf, checksumBuf, "fake file", 0);
+        fail("Did not throw on bad checksums");
+      } catch (ChecksumException ce) {
+        assertEquals(0, ce.getPos());
+      }
+
+      // Make sure bad checksums fail - error at end of array
+      uncorruptBufferOffset(checksumBuf, SUMS_OFFSET_IN_BUFFER);
+      corruptBufferOffset(checksumBuf, SUMS_OFFSET_IN_BUFFER + sumsLength - 1);
+      try {
+        checksum.verifyChunkedSums(dataBuf, checksumBuf, "fake file", 0);
+        fail("Did not throw on bad checksums");
+      } catch (ChecksumException ce) {
+        int expectedPos = checksum.getBytesPerChecksum() * (numSums - 1);
+        assertEquals(expectedPos, ce.getPos());
+        assertTrue(ce.getMessage().contains("fake file"));
+      }
     }
   }
-  
+
+  private void doBulkTest(DataChecksum checksum, int dataLength,
+      boolean useDirect) throws Exception {
+    System.err.println("Testing bulk checksums of length " +
+        dataLength + " with " +
+        (useDirect ? "direct" : "array-backed") + " buffers");
+
+    new Harness(checksum, dataLength, useDirect).testCorrectness();
+  }
+
+  /**
+   * Simple performance test for the "common case" checksum usage in HDFS:
+   * computing and verifying CRC32C with 512 byte chunking on native
+   * buffers.
+   */
+  @Test
+  public void commonUsagePerfTest() throws Exception {
+    final int NUM_RUNS = 5;
+    final DataChecksum checksum = DataChecksum.newDataChecksum(DataChecksum.Type.CRC32C, 512);
+    final int dataLength = 512 * 1024 * 1024;
+    Harness h = new Harness(checksum, dataLength, true);
+
+    for (int i = 0; i < NUM_RUNS; i++) {
+      Stopwatch s = new Stopwatch().start();
+      // calculate real checksum, make sure it passes
+      checksum.calculateChunkedSums(h.dataBuf, h.checksumBuf);
+      s.stop();
+      System.err.println("Calculate run #" + i + ": " +
+                         s.elapsedTime(TimeUnit.MICROSECONDS) + "us");
+
+      s = new Stopwatch().start();
+      // calculate real checksum, make sure it passes
+      checksum.verifyChunkedSums(h.dataBuf, h.checksumBuf, "fake file", 0);
+      s.stop();
+      System.err.println("Verify run #" + i + ": " +
+                         s.elapsedTime(TimeUnit.MICROSECONDS) + "us");
+    }
+  }
+
   @Test
   public void testEquality() {
     assertEquals(

From 110cf46a0725798bd5ed1d225f7c01fbb685a718 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Mon, 18 Aug 2014 18:05:36 +0000
Subject: [PATCH 253/354] HADOOP-10973. Native Libraries Guide contains format
 error. (Contributed by Peter Klavins)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618682 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt             | 3 +++
 .../hadoop-common/src/site/apt/NativeLibraries.apt.vm       | 6 ++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 69aec036ed8..32507184956 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -612,6 +612,9 @@ Release 2.6.0 - UNRELEASED
     negative values on busy clusters (Tsuyoshi OZAWA and Akira AJISAKA
     via jlowe)
 
+    HADOOP-10973. Native Libraries Guide contains format error. (Peter Klavins
+    via Arpit Agarwal)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm
index 070a7d3e568..ab06a7c61d4 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm
@@ -56,10 +56,12 @@ Native Libraries Guide
 
     [[4]] Install the compression codec development packages (>zlib-1.2,
        >gzip-1.2):
-          + If you download the library, install one or more development
+
+          * If you download the library, install one or more development
             packages - whichever compression codecs you want to use with
             your deployment.
-          + If you build the library, it is mandatory to install both
+
+          * If you build the library, it is mandatory to install both
             development packages.
 
     [[5]] Check the runtime log files.

From bd616552cce7e46d1cc27ad9aba38f96a1f4c29c Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Mon, 18 Aug 2014 18:08:42 +0000
Subject: [PATCH 254/354] HDFS-6825. Edit log corruption due to delayed block
 removal. Contributed by Yongjun Zhang.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618684 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../BlockInfoUnderConstruction.java           |  12 +-
 .../hdfs/server/namenode/FSNamesystem.java    |  50 ++++++-
 .../hdfs/server/namenode/INodeDirectory.java  |   2 +-
 .../org/apache/hadoop/hdfs/DFSTestUtil.java   |  32 +++++
 .../TestCommitBlockSynchronization.java       |  11 ++
 .../hdfs/server/namenode/TestDeleteRace.java  | 133 ++++++++++++++++++
 .../namenode/ha/TestPipelinesFailover.java    |  34 +----
 8 files changed, 235 insertions(+), 42 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index e7013146cd1..cb80e33d303 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -511,6 +511,9 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-6783. Fix HDFS CacheReplicationMonitor rescan logic. (Yi Liu and Colin Patrick McCabe via umamahesh)
 
+    HDFS-6825. Edit log corruption due to delayed block removal.
+    (Yongjun Zhang via wang)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfoUnderConstruction.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfoUnderConstruction.java
index 1161077f49d..dd3593f33bb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfoUnderConstruction.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/blockmanagement/BlockInfoUnderConstruction.java
@@ -373,12 +373,14 @@ private void appendUCParts(StringBuilder sb) {
     sb.append("{blockUCState=").append(blockUCState)
       .append(", primaryNodeIndex=").append(primaryNodeIndex)
       .append(", replicas=[");
-    Iterator<ReplicaUnderConstruction> iter = replicas.iterator();
-    if (iter.hasNext()) {
-      iter.next().appendStringTo(sb);
-      while (iter.hasNext()) {
-        sb.append(", ");
+    if (replicas != null) {
+      Iterator<ReplicaUnderConstruction> iter = replicas.iterator();
+      if (iter.hasNext()) {
         iter.next().appendStringTo(sb);
+        while (iter.hasNext()) {
+          sb.append(", ");
+          iter.next().appendStringTo(sb);
+        }
       }
     }
     sb.append("]}");
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index b9cda6cefc9..0cb90bd2039 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -4300,7 +4300,30 @@ void commitBlockSynchronization(ExtendedBlock lastblock,
           throw new IOException("Block (=" + lastblock + ") not found");
         }
       }
-      INodeFile iFile = ((INode)storedBlock.getBlockCollection()).asFile();
+      //
+      // The implementation of delete operation (see @deleteInternal method)
+      // first removes the file paths from namespace, and delays the removal
+      // of blocks to later time for better performance. When
+      // commitBlockSynchronization (this method) is called in between, the
+      // blockCollection of storedBlock could have been assigned to null by
+      // the delete operation, throw IOException here instead of NPE; if the
+      // file path is already removed from namespace by the delete operation,
+      // throw FileNotFoundException here, so not to proceed to the end of
+      // this method to add a CloseOp to the edit log for an already deleted
+      // file (See HDFS-6825).
+      //
+      BlockCollection blockCollection = storedBlock.getBlockCollection();
+      if (blockCollection == null) {
+        throw new IOException("The blockCollection of " + storedBlock
+            + " is null, likely because the file owning this block was"
+            + " deleted and the block removal is delayed");
+      }
+      INodeFile iFile = ((INode)blockCollection).asFile();
+      if (isFileDeleted(iFile)) {
+        throw new FileNotFoundException("File not found: "
+            + iFile.getFullPathName() + ", likely due to delayed block"
+            + " removal");
+      }
       if (!iFile.isUnderConstruction() || storedBlock.isComplete()) {
         if (LOG.isDebugEnabled()) {
           LOG.debug("Unexpected block (=" + lastblock
@@ -6297,9 +6320,28 @@ private long nextBlockId() throws IOException {
 
   private boolean isFileDeleted(INodeFile file) {
     // Not in the inodeMap or in the snapshot but marked deleted.
-    if (dir.getInode(file.getId()) == null || 
-        file.getParent() == null || (file.isWithSnapshot() &&
-        file.getFileWithSnapshotFeature().isCurrentFileDeleted())) {
+    if (dir.getInode(file.getId()) == null) {
+      return true;
+    }
+
+    // look at the path hierarchy to see if one parent is deleted by recursive
+    // deletion
+    INode tmpChild = file;
+    INodeDirectory tmpParent = file.getParent();
+    while (true) {
+      if (tmpParent == null ||
+          tmpParent.searchChildren(tmpChild.getLocalNameBytes()) < 0) {
+        return true;
+      }
+      if (tmpParent.isRoot()) {
+        break;
+      }
+      tmpChild = tmpParent;
+      tmpParent = tmpParent.getParent();
+    }
+
+    if (file.isWithSnapshot() &&
+        file.getFileWithSnapshotFeature().isCurrentFileDeleted()) {
       return true;
     }
     return false;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeDirectory.java
index 5e6a4b4f78f..18b41098bd2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeDirectory.java
@@ -157,7 +157,7 @@ DirectoryWithQuotaFeature addDirectoryWithQuotaFeature(
     return quota;
   }
 
-  private int searchChildren(byte[] name) {
+  int searchChildren(byte[] name) {
     return children == null? -1: Collections.binarySearch(children, name);
   }
   
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
index 949713e6f44..68aa85713fc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/DFSTestUtil.java
@@ -44,6 +44,9 @@
 import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.BlockOpResponseProto;
 import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
 import org.apache.hadoop.hdfs.security.token.block.ExportedBlockKeys;
+import org.apache.hadoop.hdfs.server.blockmanagement.BlockInfo;
+import org.apache.hadoop.hdfs.server.blockmanagement.BlockInfoUnderConstruction;
+import org.apache.hadoop.hdfs.server.blockmanagement.BlockManager;
 import org.apache.hadoop.hdfs.server.blockmanagement.BlockManagerTestUtil;
 import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeDescriptor;
 import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeManager;
@@ -1300,4 +1303,33 @@ public void close() throws IOException {
       sockDir.close();
     }
   }
+
+  /**
+   * @return the node which is expected to run the recovery of the
+   * given block, which is known to be under construction inside the
+   * given NameNOde.
+   */
+  public static DatanodeDescriptor getExpectedPrimaryNode(NameNode nn,
+      ExtendedBlock blk) {
+    BlockManager bm0 = nn.getNamesystem().getBlockManager();
+    BlockInfo storedBlock = bm0.getStoredBlock(blk.getLocalBlock());
+    assertTrue("Block " + blk + " should be under construction, " +
+        "got: " + storedBlock,
+        storedBlock instanceof BlockInfoUnderConstruction);
+    BlockInfoUnderConstruction ucBlock =
+      (BlockInfoUnderConstruction)storedBlock;
+    // We expect that the replica with the most recent heart beat will be
+    // the one to be in charge of the synchronization / recovery protocol.
+    final DatanodeStorageInfo[] storages = ucBlock.getExpectedStorageLocations();
+    DatanodeStorageInfo expectedPrimary = storages[0];
+    long mostRecentLastUpdate = expectedPrimary.getDatanodeDescriptor().getLastUpdate();
+    for (int i = 1; i < storages.length; i++) {
+      final long lastUpdate = storages[i].getDatanodeDescriptor().getLastUpdate();
+      if (lastUpdate > mostRecentLastUpdate) {
+        expectedPrimary = storages[i];
+        mostRecentLastUpdate = lastUpdate;
+      }
+    }
+    return expectedPrimary.getDatanodeDescriptor();
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCommitBlockSynchronization.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCommitBlockSynchronization.java
index 45be905f89d..bd71870a5cc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCommitBlockSynchronization.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCommitBlockSynchronization.java
@@ -50,6 +50,17 @@ private FSNamesystem makeNameSystemSpy(Block block, INodeFile file)
 
     FSNamesystem namesystem = new FSNamesystem(conf, image);
     namesystem.setImageLoaded(true);
+
+    // set file's parent as root and put the file to inodeMap, so
+    // FSNamesystem's isFileDeleted() method will return false on this file
+    if (file.getParent() == null) {
+      INodeDirectory parent = mock(INodeDirectory.class);
+      parent.setLocalName(new byte[0]);
+      parent.addChild(file);
+      file.setParent(parent);
+    }
+    namesystem.dir.getINodeMap().put(file);
+
     FSNamesystem namesystemSpy = spy(namesystem);
     BlockInfoUnderConstruction blockInfo = new BlockInfoUnderConstruction(
         block, 1, HdfsServerConstants.BlockUCState.UNDER_CONSTRUCTION, targets);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDeleteRace.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDeleteRace.java
index d78e3a3f0a8..4cdd8092d18 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDeleteRace.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDeleteRace.java
@@ -18,7 +18,9 @@
 package org.apache.hadoop.hdfs.server.namenode;
 
 import java.io.FileNotFoundException;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 import org.apache.commons.logging.Log;
@@ -27,19 +29,30 @@
 import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.AppendTestUtil;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.DFSTestUtil;
 import org.apache.hadoop.hdfs.DistributedFileSystem;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.hdfs.StorageType;
+import org.apache.hadoop.hdfs.protocol.DatanodeID;
+import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
+import org.apache.hadoop.hdfs.protocolPB.DatanodeProtocolClientSideTranslatorPB;
 import org.apache.hadoop.hdfs.server.blockmanagement.BlockPlacementPolicy;
 import org.apache.hadoop.hdfs.server.blockmanagement.BlockPlacementPolicyDefault;
+import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeDescriptor;
 import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeStorageInfo;
+import org.apache.hadoop.hdfs.server.datanode.DataNode;
+import org.apache.hadoop.hdfs.server.datanode.DataNodeTestUtils;
 import org.apache.hadoop.hdfs.server.namenode.snapshot.SnapshotTestHelper;
+import org.apache.hadoop.io.IOUtils;
 import org.apache.hadoop.net.Node;
 import org.apache.hadoop.test.GenericTestUtils;
+import org.apache.hadoop.test.GenericTestUtils.DelayAnswer;
 import org.junit.Assert;
 import org.junit.Test;
+import org.mockito.Mockito;
 import org.mockito.internal.util.reflection.Whitebox;
 
 
@@ -49,6 +62,7 @@
  * whole duration.
  */
 public class TestDeleteRace {
+  private static final int BLOCK_SIZE = 4096;
   private static final Log LOG = LogFactory.getLog(TestDeleteRace.class);
   private static final Configuration conf = new HdfsConfiguration();
   private MiniDFSCluster cluster;
@@ -201,7 +215,126 @@ public void testRenameRace() throws Exception {
         cluster.shutdown();
       }
     }
+  }
 
+  /**
+   * Test race between delete operation and commitBlockSynchronization method.
+   * See HDFS-6825.
+   * @param hasSnapshot
+   * @throws Exception
+   */
+  private void testDeleteAndCommitBlockSynchronizationRace(boolean hasSnapshot)
+      throws Exception {
+    LOG.info("Start testing, hasSnapshot: " + hasSnapshot);
+    final String testPaths[] = {
+        "/test-file",
+        "/testdir/testdir1/test-file"
+    };
+    final Path rootPath = new Path("/");
+    final Configuration conf = new Configuration();
+    // Disable permissions so that another user can recover the lease.
+    conf.setBoolean(DFSConfigKeys.DFS_PERMISSIONS_ENABLED_KEY, false);
+    conf.setInt(DFSConfigKeys.DFS_BLOCK_SIZE_KEY, BLOCK_SIZE);
+    FSDataOutputStream stm = null;
+    Map<DataNode, DatanodeProtocolClientSideTranslatorPB> dnMap =
+        new HashMap<DataNode, DatanodeProtocolClientSideTranslatorPB>();
 
+    try {
+      cluster = new MiniDFSCluster.Builder(conf)
+          .numDataNodes(3)
+          .build();
+      cluster.waitActive();
+
+      DistributedFileSystem fs = cluster.getFileSystem();
+      int stId = 0;
+      for (String testPath : testPaths) {
+        LOG.info("test on " + testPath + " snapshot: " + hasSnapshot);
+        Path fPath = new Path(testPath);
+        //find grandest non-root parent
+        Path grandestNonRootParent = fPath;
+        while (!grandestNonRootParent.getParent().equals(rootPath)) {
+          grandestNonRootParent = grandestNonRootParent.getParent();
+        }
+        stm = fs.create(fPath);
+        LOG.info("test on " + testPath + " created " + fPath);
+
+        // write a half block
+        AppendTestUtil.write(stm, 0, BLOCK_SIZE / 2);
+        stm.hflush();
+
+        if (hasSnapshot) {
+          SnapshotTestHelper.createSnapshot(fs, rootPath,
+              "st" + String.valueOf(stId));
+          ++stId;
+        }
+
+        // Look into the block manager on the active node for the block
+        // under construction.
+        NameNode nn = cluster.getNameNode();
+        ExtendedBlock blk = DFSTestUtil.getFirstBlock(fs, fPath);
+        DatanodeDescriptor expectedPrimary =
+            DFSTestUtil.getExpectedPrimaryNode(nn, blk);
+        LOG.info("Expecting block recovery to be triggered on DN " +
+            expectedPrimary);
+
+        // Find the corresponding DN daemon, and spy on its connection to the
+        // active.
+        DataNode primaryDN = cluster.getDataNode(expectedPrimary.getIpcPort());
+        DatanodeProtocolClientSideTranslatorPB nnSpy = dnMap.get(primaryDN);
+        if (nnSpy == null) {
+          nnSpy = DataNodeTestUtils.spyOnBposToNN(primaryDN, nn);
+          dnMap.put(primaryDN, nnSpy);
+        }
+
+        // Delay the commitBlockSynchronization call
+        DelayAnswer delayer = new DelayAnswer(LOG);
+        Mockito.doAnswer(delayer).when(nnSpy).commitBlockSynchronization(
+            Mockito.eq(blk),
+            Mockito.anyInt(),  // new genstamp
+            Mockito.anyLong(), // new length
+            Mockito.eq(true),  // close file
+            Mockito.eq(false), // delete block
+            (DatanodeID[]) Mockito.anyObject(), // new targets
+            (String[]) Mockito.anyObject());    // new target storages
+
+        fs.recoverLease(fPath);
+
+        LOG.info("Waiting for commitBlockSynchronization call from primary");
+        delayer.waitForCall();
+
+        LOG.info("Deleting recursively " + grandestNonRootParent);
+        fs.delete(grandestNonRootParent, true);
+
+        delayer.proceed();
+        LOG.info("Now wait for result");
+        delayer.waitForResult();
+        Throwable t = delayer.getThrown();
+        if (t != null) {
+          LOG.info("Result exception (snapshot: " + hasSnapshot + "): " + t);
+        }
+      } // end of loop each fPath
+      LOG.info("Now check we can restart");
+      cluster.restartNameNodes();
+      LOG.info("Restart finished");
+    } finally {
+      if (stm != null) {
+        IOUtils.closeStream(stm);
+      }
+      if (cluster != null) {
+        cluster.shutdown();
+      }
+    }
+  }
+
+  @Test(timeout=600000)
+  public void testDeleteAndCommitBlockSynchonizationRaceNoSnapshot()
+      throws Exception {
+    testDeleteAndCommitBlockSynchronizationRace(false);
+  }
+
+  @Test(timeout=600000)
+  public void testDeleteAndCommitBlockSynchronizationRaceHasSnapshot()
+      throws Exception {
+    testDeleteAndCommitBlockSynchronizationRace(true);
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestPipelinesFailover.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestPipelinesFailover.java
index 7c87ab0d664..bba3dbb1196 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestPipelinesFailover.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestPipelinesFailover.java
@@ -356,7 +356,8 @@ public void testFailoverRightBeforeCommitSynchronization() throws Exception {
       
       NameNode nn0 = cluster.getNameNode(0);
       ExtendedBlock blk = DFSTestUtil.getFirstBlock(fs, TEST_PATH);
-      DatanodeDescriptor expectedPrimary = getExpectedPrimaryNode(nn0, blk);
+      DatanodeDescriptor expectedPrimary =
+          DFSTestUtil.getExpectedPrimaryNode(nn0, blk);
       LOG.info("Expecting block recovery to be triggered on DN " +
           expectedPrimary);
       
@@ -506,37 +507,6 @@ public String toString() {
     }
   }
 
-
-
-  /**
-   * @return the node which is expected to run the recovery of the
-   * given block, which is known to be under construction inside the
-   * given NameNOde.
-   */
-  private DatanodeDescriptor getExpectedPrimaryNode(NameNode nn,
-      ExtendedBlock blk) {
-    BlockManager bm0 = nn.getNamesystem().getBlockManager();
-    BlockInfo storedBlock = bm0.getStoredBlock(blk.getLocalBlock());
-    assertTrue("Block " + blk + " should be under construction, " +
-        "got: " + storedBlock,
-        storedBlock instanceof BlockInfoUnderConstruction);
-    BlockInfoUnderConstruction ucBlock =
-      (BlockInfoUnderConstruction)storedBlock;
-    // We expect that the replica with the most recent heart beat will be
-    // the one to be in charge of the synchronization / recovery protocol.
-    final DatanodeStorageInfo[] storages = ucBlock.getExpectedStorageLocations();
-    DatanodeStorageInfo expectedPrimary = storages[0];
-    long mostRecentLastUpdate = expectedPrimary.getDatanodeDescriptor().getLastUpdate();
-    for (int i = 1; i < storages.length; i++) {
-      final long lastUpdate = storages[i].getDatanodeDescriptor().getLastUpdate();
-      if (lastUpdate > mostRecentLastUpdate) {
-        expectedPrimary = storages[i];
-        mostRecentLastUpdate = lastUpdate;
-      }
-    }
-    return expectedPrimary.getDatanodeDescriptor();
-  }
-
   private DistributedFileSystem createFsAsOtherUser(
       final MiniDFSCluster cluster, final Configuration conf)
       throws IOException, InterruptedException {

From 55d7fecd09a515892b2a4e8514ffdc57dfdb07f9 Mon Sep 17 00:00:00 2001
From: Todd Lipcon <todd@apache.org>
Date: Mon, 18 Aug 2014 18:09:38 +0000
Subject: [PATCH 255/354] Update CHANGES.txt for HDFS-6561 which was renamed to
 HADOOP-10975.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618686 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 32507184956..2a0b371e5fa 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -527,8 +527,8 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10335. An ip whilelist based implementation to resolve Sasl
     properties per connection. (Benoy Antony via Arpit Agarwal)
 
-    HDFS-6561. org.apache.hadoop.util.DataChecksum should support native
-    checksumming (James Thomas via Colin Patrick McCabe)
+    HADOOP-10975. org.apache.hadoop.util.DataChecksum should support calculating
+    checksums in native code (James Thomas via Colin Patrick McCabe)
 
   OPTIMIZATIONS
 

From d51f81c3b6e55feece55df5e2c052b18ca2dc768 Mon Sep 17 00:00:00 2001
From: Jason Darrell Lowe <jlowe@apache.org>
Date: Mon, 18 Aug 2014 18:18:22 +0000
Subject: [PATCH 256/354] MAPREDUCE-6036. TestJobEndNotifier fails
 intermittently in branch-2. Contributed by chang li

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618691 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                           | 3 +++
 .../org/apache/hadoop/mapreduce/v2/app/TestJobEndNotifier.java | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index ddec273dcb1..0ff390db839 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -230,6 +230,9 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-6024. Shortened the time when Fetcher is stuck in retrying before
     concluding the failure by configuration. (Yunjiong Zhao via zjshen)
 
+    MAPREDUCE-6036. TestJobEndNotifier fails intermittently in branch-2 (chang
+    li via jlowe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestJobEndNotifier.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestJobEndNotifier.java
index e143b25695d..ecfa43c447f 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestJobEndNotifier.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestJobEndNotifier.java
@@ -270,7 +270,8 @@ public void testNotificationOnLastRetryUnregistrationFailure()
     app.waitForInternalState(job, JobStateInternal.REBOOT);
     // Now shutdown. User should see FAILED state.
     // Unregistration fails: isLastAMRetry is recalculated, this is
-    app.shutDownJob();
+    ///reboot will stop service internally, we don't need to shutdown twice
+    app.waitForServiceToStop(10000);
     Assert.assertFalse(app.isLastAMRetry());
     // Since it's not last retry, JobEndServlet didn't called
     Assert.assertEquals(0, JobEndServlet.calledTimes);

From 73325f23f691e93cf88a445ce8bb0f94b7b2cfbf Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Mon, 18 Aug 2014 18:25:50 +0000
Subject: [PATCH 257/354] MAPREDUCE-6012. DBInputSplit creates invalid ranges
 on Oracle. (Wei Yan via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618694 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                       | 3 +++
 .../hadoop/mapreduce/lib/db/OracleDBRecordReader.java      | 7 +++----
 .../org/apache/hadoop/mapreduce/lib/db/TestDbClasses.java  | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 0ff390db839..c1701297d6c 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -233,6 +233,9 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-6036. TestJobEndNotifier fails intermittently in branch-2 (chang
     li via jlowe)
 
+    MAPREDUCE-6012. DBInputSplit creates invalid ranges on Oracle. 
+    (Wei Yan via kasha)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/db/OracleDBRecordReader.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/db/OracleDBRecordReader.java
index 12b62cd8418..61ff15656f8 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/db/OracleDBRecordReader.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/lib/db/OracleDBRecordReader.java
@@ -81,15 +81,14 @@ protected String getSelectQuery() {
         
     try {
       DBInputFormat.DBInputSplit split = getSplit();
-      if (split.getLength() > 0 && split.getStart() > 0){
+      if (split.getLength() > 0){
         String querystring = query.toString();
 
         query = new StringBuilder();
         query.append("SELECT * FROM (SELECT a.*,ROWNUM dbif_rno FROM ( ");
         query.append(querystring);
-        query.append(" ) a WHERE rownum <= ").append(split.getStart());
-        query.append(" + ").append(split.getLength());
-        query.append(" ) WHERE dbif_rno >= ").append(split.getStart());
+        query.append(" ) a WHERE rownum <= ").append(split.getEnd());
+        query.append(" ) WHERE dbif_rno > ").append(split.getStart());
       }
     } catch (IOException ex) {
       // ignore, will not throw.
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/lib/db/TestDbClasses.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/lib/db/TestDbClasses.java
index 8c8fcfac220..772552c54ea 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/lib/db/TestDbClasses.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/lib/db/TestDbClasses.java
@@ -110,7 +110,7 @@ public void testOracleDBRecordReader() throws Exception {
         splitter, NullDBWritable.class, configuration, connect,
         dbConfiguration, "condition", fields, "table");
     assertEquals(
-        "SELECT * FROM (SELECT a.*,ROWNUM dbif_rno FROM ( SELECT f1, f2 FROM table WHERE condition ORDER BY Order ) a WHERE rownum <= 1 + 9 ) WHERE dbif_rno >= 1",
+        "SELECT * FROM (SELECT a.*,ROWNUM dbif_rno FROM ( SELECT f1, f2 FROM table WHERE condition ORDER BY Order ) a WHERE rownum <= 10 ) WHERE dbif_rno > 1",
         recorder.getSelectQuery());
   }
 

From 4129a6e093239326b574a731fc0d73ed4c390a25 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Mon, 18 Aug 2014 20:00:56 +0000
Subject: [PATCH 258/354] HADOOP-10972. Native Libraries Guide contains
 mis-spelt build line (Peter Klavins via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618719 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt                | 3 +++
 .../hadoop-common/src/site/apt/NativeLibraries.apt.vm          | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 2a0b371e5fa..1669e3aa497 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -615,6 +615,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10973. Native Libraries Guide contains format error. (Peter Klavins
     via Arpit Agarwal)
 
+    HADOOP-10972. Native Libraries Guide contains mis-spelt build line (Peter
+    Klavins via aw)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm
index ab06a7c61d4..49818af806e 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/NativeLibraries.apt.vm
@@ -129,7 +129,7 @@ Native Libraries Guide
    library:
 
 ----
-   $ mvn package -Pdist,native -Dskiptests -Dtar
+   $ mvn package -Pdist,native -DskipTests -Dtar
 ----
 
    You should see the newly-built library in:

From 379292aa97795d89a04796a41e18dce0a535329b Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Mon, 18 Aug 2014 20:05:08 +0000
Subject: [PATCH 259/354] HADOOP-10873. Fix dead link in Configuration javadoc
 (Akira AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618721 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt              | 3 +++
 .../src/main/java/org/apache/hadoop/conf/Configuration.java  | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 1669e3aa497..8a94615808c 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -618,6 +618,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10972. Native Libraries Guide contains mis-spelt build line (Peter
     Klavins via aw)
 
+    HADOOP-10873. Fix dead link in Configuration javadoc (Akira AJISAKA 
+    via aw)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
index cf5ec1a53ee..16c74ce807a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
@@ -110,8 +110,9 @@
  *
  * <p>Unless explicitly turned off, Hadoop by default specifies two 
  * resources, loaded in-order from the classpath: <ol>
- * <li><tt><a href="{@docRoot}/../core-default.html">core-default.xml</a>
- * </tt>: Read-only defaults for hadoop.</li>
+ * <li><tt>
+ * <a href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
+ * core-default.xml</a></tt>: Read-only defaults for hadoop.</li>
  * <li><tt>core-site.xml</tt>: Site-specific configuration for a given hadoop
  * installation.</li>
  * </ol>

From 1b5139b29a808f9cdb8edfd956eac9a5bfb83b99 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Mon, 18 Aug 2014 20:50:06 +0000
Subject: [PATCH 260/354] HDFS-6188. An ip whitelist based implementation of
 TrustedChannelResolver. (Contributed by Benoy Antony)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618727 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../WhitelistBasedTrustedChannelResolver.java | 119 ++++++++++++++++++
 2 files changed, 122 insertions(+)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/WhitelistBasedTrustedChannelResolver.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index cb80e33d303..6e2df651733 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -402,6 +402,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6850. Move NFS out of order write unit tests into TestWrites class.
     (Zhe Zhang via atm)
 
+    HDFS-6188. An ip whitelist based implementation of TrustedChannelResolver.
+    (Benoy Antony via Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/WhitelistBasedTrustedChannelResolver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/WhitelistBasedTrustedChannelResolver.java
new file mode 100644
index 00000000000..53df44ef870
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/WhitelistBasedTrustedChannelResolver.java
@@ -0,0 +1,119 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.protocol.datatransfer;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hdfs.protocol.datatransfer.TrustedChannelResolver;
+import org.apache.hadoop.util.CombinedIPWhiteList;
+
+
+public class WhitelistBasedTrustedChannelResolver  extends TrustedChannelResolver {
+
+  private CombinedIPWhiteList whiteListForServer;
+  private CombinedIPWhiteList whitelistForClient;
+
+  private static final String FIXEDWHITELIST_DEFAULT_LOCATION = "/etc/hadoop/fixedwhitelist";
+
+  private static final String VARIABLEWHITELIST_DEFAULT_LOCATION = "/etc/hadoop/whitelist";
+
+  /**
+   * Path to the file to containing subnets and ip addresses to form fixed whitelist.
+   */
+  public static final String DFS_DATATRANSFER_SERVER_FIXEDWHITELIST_FILE =
+    "dfs.datatransfer.server.fixedwhitelist.file";
+  /**
+   * Enables/Disables variable whitelist
+   */
+  public static final String DFS_DATATRANSFER_SERVER_VARIABLEWHITELIST_ENABLE =
+    "dfs.datatransfer.server.variablewhitelist.enable";
+  /**
+   * Path to the file to containing subnets and ip addresses to form variable whitelist.
+   */
+  public static final String DFS_DATATRANSFER_SERVER_VARIABLEWHITELIST_FILE =
+    "dfs.datatransfer.server.variablewhitelist.file";
+  /**
+   * time in seconds by which the variable whitelist file is checked for updates
+   */
+  public static final String DFS_DATATRANSFER_SERVER_VARIABLEWHITELIST_CACHE_SECS =
+    "dfs.datatransfer.server.variablewhitelist.cache.secs";
+
+  /**
+   * Path to the file to containing subnets and ip addresses to form fixed whitelist.
+   */
+  public static final String DFS_DATATRANSFER_CLIENT_FIXEDWHITELIST_FILE =
+    "dfs.datatransfer.client.fixedwhitelist.file";
+  /**
+   * Enables/Disables variable whitelist
+   */
+  public static final String DFS_DATATRANSFER_CLIENT_VARIABLEWHITELIST_ENABLE =
+    "dfs.datatransfer.client.variablewhitelist.enable";
+  /**
+   * Path to the file to containing subnets and ip addresses to form variable whitelist.
+   */
+  public static final String DFS_DATATRANSFER_CLIENT_VARIABLEWHITELIST_FILE =
+    "dfs.datatransfer.client.variablewhitelist.file";
+  /**
+   * time in seconds by which the variable whitelist file is checked for updates
+   */
+  public static final String DFS_DATATRANSFER_CLIENT_VARIABLEWHITELIST_CACHE_SECS =
+    "dfs.datatransfer.client.variablewhitelist.cache.secs";
+
+  @Override
+  public void setConf(Configuration conf) {
+    super.setConf(conf);
+    String fixedFile = conf.get(DFS_DATATRANSFER_SERVER_FIXEDWHITELIST_FILE,
+        FIXEDWHITELIST_DEFAULT_LOCATION);
+    String variableFile = null;
+    long expiryTime = 0;
+
+    if (conf.getBoolean(DFS_DATATRANSFER_SERVER_VARIABLEWHITELIST_ENABLE, false)) {
+      variableFile = conf.get(DFS_DATATRANSFER_SERVER_VARIABLEWHITELIST_FILE,
+          VARIABLEWHITELIST_DEFAULT_LOCATION);
+      expiryTime =
+        conf.getLong(DFS_DATATRANSFER_SERVER_VARIABLEWHITELIST_CACHE_SECS,3600) * 1000;
+    }
+
+    whiteListForServer = new CombinedIPWhiteList(fixedFile,variableFile,expiryTime);
+
+    fixedFile = conf.get(DFS_DATATRANSFER_CLIENT_FIXEDWHITELIST_FILE, fixedFile);
+    expiryTime = 0;
+
+    if (conf.getBoolean(DFS_DATATRANSFER_CLIENT_VARIABLEWHITELIST_ENABLE, false)) {
+      variableFile = conf.get(DFS_DATATRANSFER_CLIENT_VARIABLEWHITELIST_FILE,variableFile);
+      expiryTime =
+        conf.getLong(DFS_DATATRANSFER_CLIENT_VARIABLEWHITELIST_CACHE_SECS,3600) * 1000;
+    }
+
+    whitelistForClient = new CombinedIPWhiteList(fixedFile,variableFile,expiryTime);
+  }
+
+  public boolean isTrusted() {
+    try {
+      return whitelistForClient.isIn(InetAddress.getLocalHost().getHostAddress());
+    } catch (UnknownHostException e) {
+      return false;
+    }
+  }
+
+  public boolean isTrusted(InetAddress clientAddress) {
+    return whiteListForServer.isIn(clientAddress.getHostAddress());
+  }
+}

From 2fb04d2a30919bde350f566a39faa7085f1a1d7b Mon Sep 17 00:00:00 2001
From: Brandon Li <brandonli@apache.org>
Date: Mon, 18 Aug 2014 21:23:08 +0000
Subject: [PATCH 261/354] HDFS-6569. OOB message can't be sent to the client
 when DataNode shuts down for upgrade. Contributed by Brandon Li

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618742 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ++
 .../hdfs/server/datanode/BlockReceiver.java   | 13 ++---
 .../hadoop/hdfs/server/datanode/DataNode.java | 11 ++++-
 .../hdfs/server/datanode/DataXceiver.java     | 13 +++--
 .../server/datanode/DataXceiverServer.java    | 33 ++++++++++++-
 .../datanode/TestDataNodeRollingUpgrade.java  | 48 +++++++++++++++++++
 6 files changed, 108 insertions(+), 13 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 6e2df651733..a2f1c72775c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -517,6 +517,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6825. Edit log corruption due to delayed block removal.
     (Yongjun Zhang via wang)
 
+    HDFS-6569. OOB message can't be sent to the client when DataNode shuts down for upgrade
+    (brandonli)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
index 9dcd006ed51..afa8bbba481 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
@@ -738,7 +738,12 @@ private void manageWriterOsCache(long offsetInBlock) {
       LOG.warn("Error managing cache for writer of block " + block, t);
     }
   }
-
+  
+  public void sendOOB() throws IOException, InterruptedException {
+    ((PacketResponder) responder.getRunnable()).sendOOBResponse(PipelineAck
+        .getRestartOOBStatus());
+  }
+  
   void receiveBlock(
       DataOutputStream mirrOut, // output to next datanode
       DataInputStream mirrIn,   // input from next datanode
@@ -830,9 +835,7 @@ void receiveBlock(
               // The worst case is not recovering this RBW replica. 
               // Client will fall back to regular pipeline recovery.
             }
-            try {
-              ((PacketResponder) responder.getRunnable()).
-                  sendOOBResponse(PipelineAck.getRestartOOBStatus());
+            try {              
               // Even if the connection is closed after the ack packet is
               // flushed, the client can react to the connection closure 
               // first. Insert a delay to lower the chance of client 
@@ -840,8 +843,6 @@ void receiveBlock(
               Thread.sleep(1000);
             } catch (InterruptedException ie) {
               // It is already going down. Ignore this.
-            } catch (IOException ioe) {
-              LOG.info("Error sending OOB Ack.", ioe);
             }
           }
           responder.interrupt();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
index a3ace9b5125..df50eabacb7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
@@ -270,6 +270,7 @@ public static InetSocketAddress createSocketAddr(String target) {
   public final static String EMPTY_DEL_HINT = "";
   final AtomicInteger xmitsInProgress = new AtomicInteger();
   Daemon dataXceiverServer = null;
+  DataXceiverServer xserver = null;
   Daemon localDataXceiverServer = null;
   ShortCircuitRegistry shortCircuitRegistry = null;
   ThreadGroup threadGroup = null;
@@ -649,8 +650,8 @@ private void initDataXceiver(Configuration conf) throws IOException {
     streamingAddr = tcpPeerServer.getStreamingAddr();
     LOG.info("Opened streaming server at " + streamingAddr);
     this.threadGroup = new ThreadGroup("dataXceiverServer");
-    this.dataXceiverServer = new Daemon(threadGroup, 
-        new DataXceiverServer(tcpPeerServer, conf, this));
+    xserver = new DataXceiverServer(tcpPeerServer, conf, this);
+    this.dataXceiverServer = new Daemon(threadGroup, xserver);
     this.threadGroup.setDaemon(true); // auto destroy when empty
 
     if (conf.getBoolean(DFSConfigKeys.DFS_CLIENT_READ_SHORTCIRCUIT_KEY,
@@ -1137,6 +1138,11 @@ private void registerMXBean() {
     dataNodeInfoBeanName = MBeans.register("DataNode", "DataNodeInfo", this);
   }
   
+  @VisibleForTesting
+  public DataXceiverServer getXferServer() {
+    return xserver;  
+  }
+  
   @VisibleForTesting
   public int getXferPort() {
     return streamingAddr.getPort();
@@ -1395,6 +1401,7 @@ public void shutdown() {
     // in order to avoid any further acceptance of requests, but the peers
     // for block writes are not closed until the clients are notified.
     if (dataXceiverServer != null) {
+      xserver.sendOOBToPeers();
       ((DataXceiverServer) this.dataXceiverServer.getRunnable()).kill();
       this.dataXceiverServer.interrupt();
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
index 01fe036f1d9..2d72f0110ad 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
@@ -103,7 +103,8 @@ class DataXceiver extends Receiver implements Runnable {
   private long opStartTime; //the start time of receiving an Op
   private final InputStream socketIn;
   private OutputStream socketOut;
-
+  private BlockReceiver blockReceiver = null;
+  
   /**
    * Client Name used in previous operation. Not available on first request
    * on the socket.
@@ -159,6 +160,12 @@ private OutputStream getOutputStream() {
     return socketOut;
   }
 
+  public void sendOOB() throws IOException, InterruptedException {
+    LOG.info("Sending OOB to peer: " + peer);
+    if(blockReceiver!=null)
+      blockReceiver.sendOOB();
+  }
+  
   /**
    * Read/write data from/to the DataXceiverServer.
    */
@@ -168,7 +175,7 @@ public void run() {
     Op op = null;
 
     try {
-      dataXceiverServer.addPeer(peer, Thread.currentThread());
+      dataXceiverServer.addPeer(peer, Thread.currentThread(), this);
       peer.setWriteTimeout(datanode.getDnConf().socketWriteTimeout);
       InputStream input = socketIn;
       IOStreamPair saslStreams = datanode.saslServer.receive(peer, socketOut,
@@ -584,7 +591,6 @@ public void writeBlock(final ExtendedBlock block,
     DataOutputStream mirrorOut = null;  // stream to next target
     DataInputStream mirrorIn = null;    // reply from next target
     Socket mirrorSock = null;           // socket to next target
-    BlockReceiver blockReceiver = null; // responsible for data handling
     String mirrorNode = null;           // the name:port of next target
     String firstBadLink = "";           // first datanode that failed in connection setup
     Status mirrorInStatus = SUCCESS;
@@ -747,6 +753,7 @@ public void writeBlock(final ExtendedBlock block,
       IOUtils.closeStream(replyOut);
       IOUtils.closeSocket(mirrorSock);
       IOUtils.closeStream(blockReceiver);
+      blockReceiver = null;
     }
 
     //update metrics
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiverServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiverServer.java
index 27dc1bf7457..2c03a5123b8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiverServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiverServer.java
@@ -27,11 +27,11 @@
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.net.Peer;
 import org.apache.hadoop.hdfs.net.PeerServer;
-import org.apache.hadoop.hdfs.server.balancer.Balancer;
 import org.apache.hadoop.hdfs.util.DataTransferThrottler;
 import org.apache.hadoop.io.IOUtils;
 import org.apache.hadoop.util.Daemon;
 
+import com.google.common.annotations.VisibleForTesting;
 
 /**
  * Server used for receiving/sending a block of data.
@@ -45,6 +45,7 @@ class DataXceiverServer implements Runnable {
   private final PeerServer peerServer;
   private final DataNode datanode;
   private final HashMap<Peer, Thread> peers = new HashMap<Peer, Thread>();
+  private final HashMap<Peer, DataXceiver> peersXceiver = new HashMap<Peer, DataXceiver>();
   private boolean closed = false;
   
   /**
@@ -217,18 +218,38 @@ void kill() {
     }
   }
   
-  synchronized void addPeer(Peer peer, Thread t) throws IOException {
+  synchronized void addPeer(Peer peer, Thread t, DataXceiver xceiver)
+      throws IOException {
     if (closed) {
       throw new IOException("Server closed.");
     }
     peers.put(peer, t);
+    peersXceiver.put(peer, xceiver);
   }
 
   synchronized void closePeer(Peer peer) {
     peers.remove(peer);
+    peersXceiver.remove(peer);
     IOUtils.cleanup(null, peer);
   }
 
+  // Sending OOB to all peers
+  public synchronized void sendOOBToPeers() {
+    if (!datanode.shutdownForUpgrade) {
+      return;
+    }
+
+    for (Peer p : peers.keySet()) {
+      try {
+        peersXceiver.get(p).sendOOB();
+      } catch (IOException e) {
+        LOG.warn("Got error when sending OOB message.", e);
+      } catch (InterruptedException e) {
+        LOG.warn("Interrupted when sending OOB message.");
+      }
+    }
+  }
+  
   // Notify all peers of the shutdown and restart.
   // datanode.shouldRun should still be true and datanode.restarting should
   // be set true before calling this method.
@@ -247,6 +268,7 @@ synchronized void closeAllPeers() {
       IOUtils.cleanup(LOG, p);
     }
     peers.clear();
+    peersXceiver.clear();
   }
 
   // Return the number of peers.
@@ -254,7 +276,14 @@ synchronized int getNumPeers() {
     return peers.size();
   }
 
+  // Return the number of peers and DataXceivers.
+  @VisibleForTesting
+  synchronized int getNumPeersXceiver() {
+    return peersXceiver.size();
+  }
+  
   synchronized void releasePeer(Peer peer) {
     peers.remove(peer);
+    peersXceiver.remove(peer);
   }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataNodeRollingUpgrade.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataNodeRollingUpgrade.java
index 5299c7c2ece..f58f4710825 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataNodeRollingUpgrade.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDataNodeRollingUpgrade.java
@@ -27,11 +27,14 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.util.Random;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.DFSClient;
+import org.apache.hadoop.hdfs.DFSOutputStream;
 import org.apache.hadoop.hdfs.DFSTestUtil;
 import org.apache.hadoop.hdfs.DistributedFileSystem;
 import org.apache.hadoop.hdfs.HdfsConfiguration;
@@ -67,6 +70,7 @@ public class TestDataNodeRollingUpgrade {
 
   private void startCluster() throws IOException {
     conf = new HdfsConfiguration();
+    conf.setInt("dfs.blocksize", 1024*1024);
     cluster = new Builder(conf).numDataNodes(REPL_FACTOR).build();
     cluster.waitActive();
     fs = cluster.getFileSystem();
@@ -243,4 +247,48 @@ public void testDatanodeRollingUpgradeWithRollback() throws Exception {
       shutdownCluster();
     }
   }
+  
+  @Test (timeout=600000)
+  // Test DatanodeXceiver has correct peer-dataxceiver pairs for sending OOB message
+  public void testDatanodePeersXceiver() throws Exception {
+    try {
+      startCluster();
+
+      // Create files in DFS.
+      String testFile1 = "/TestDataNodeXceiver1.dat";
+      String testFile2 = "/TestDataNodeXceiver2.dat";
+      String testFile3 = "/TestDataNodeXceiver3.dat";
+
+      DFSClient client1 = new DFSClient(NameNode.getAddress(conf), conf);
+      DFSClient client2 = new DFSClient(NameNode.getAddress(conf), conf);
+      DFSClient client3 = new DFSClient(NameNode.getAddress(conf), conf);
+
+      DFSOutputStream s1 = (DFSOutputStream) client1.create(testFile1, true);
+      DFSOutputStream s2 = (DFSOutputStream) client2.create(testFile2, true);
+      DFSOutputStream s3 = (DFSOutputStream) client3.create(testFile3, true);
+
+      byte[] toWrite = new byte[1024*1024*8];
+      Random rb = new Random(1111);
+      rb.nextBytes(toWrite);
+      s1.write(toWrite, 0, 1024*1024*8);
+      s1.flush();
+      s2.write(toWrite, 0, 1024*1024*8);
+      s2.flush();
+      s3.write(toWrite, 0, 1024*1024*8);
+      s3.flush();       
+
+      assertTrue(dn.getXferServer().getNumPeersXceiver() == dn.getXferServer()
+          .getNumPeersXceiver());
+      s1.close();
+      s2.close();
+      s3.close();
+      assertTrue(dn.getXferServer().getNumPeersXceiver() == dn.getXferServer()
+          .getNumPeersXceiver());
+      client1.close();
+      client2.close();
+      client3.close();      
+    } finally {
+      shutdownCluster();
+    }
+  }
 }

From 31467453ec453f5df0ae29b5296c96d2514f2751 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Tue, 19 Aug 2014 12:11:17 +0000
Subject: [PATCH 262/354] HADOOP-9902. Shell script rewrite (aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618847 13f79535-47bb-0310-9956-ffa450edef68
---
 .../main/resources/assemblies/hadoop-dist.xml |    7 +
 .../hadoop-common/CHANGES.txt                 |    2 +
 .../hadoop-common/src/main/bin/hadoop         |  234 ++--
 .../src/main/bin/hadoop-config.sh             |  422 +++----
 .../src/main/bin/hadoop-daemon.sh             |  214 +---
 .../src/main/bin/hadoop-daemons.sh            |   37 +-
 .../src/main/bin/hadoop-functions.sh          | 1036 +++++++++++++++++
 .../src/main/bin/hadoop-layout.sh.example     |   93 ++
 .../hadoop-common/src/main/bin/rcc            |   53 +-
 .../hadoop-common/src/main/bin/slaves.sh      |   51 +-
 .../hadoop-common/src/main/bin/start-all.sh   |   38 +-
 .../hadoop-common/src/main/bin/stop-all.sh    |   34 +-
 .../hadoop-common/src/main/conf/hadoop-env.sh |  421 ++++++-
 .../src/main/bin/distribute-exclude.sh        |    6 +-
 .../hadoop-hdfs/src/main/bin/hdfs             |  417 ++++---
 .../hadoop-hdfs/src/main/bin/hdfs-config.sh   |   76 +-
 .../src/main/bin/refresh-namenodes.sh         |   44 +-
 .../src/main/bin/start-balancer.sh            |   30 +-
 .../hadoop-hdfs/src/main/bin/start-dfs.sh     |  140 ++-
 .../src/main/bin/start-secure-dns.sh          |   34 +-
 .../hadoop-hdfs/src/main/bin/stop-balancer.sh |   30 +-
 .../hadoop-hdfs/src/main/bin/stop-dfs.sh      |  103 +-
 .../src/main/bin/stop-secure-dns.sh           |   34 +-
 hadoop-mapreduce-project/bin/mapred           |  221 ++--
 hadoop-mapreduce-project/bin/mapred-config.sh |   72 +-
 .../bin/mr-jobhistory-daemon.sh               |  145 +--
 hadoop-mapreduce-project/conf/mapred-env.sh   |   60 +-
 hadoop-yarn-project/hadoop-yarn/bin/slaves.sh |   70 --
 .../hadoop-yarn/bin/start-yarn.sh             |   34 +-
 .../hadoop-yarn/bin/stop-yarn.sh              |   40 +-
 hadoop-yarn-project/hadoop-yarn/bin/yarn      |  386 +++---
 .../hadoop-yarn/bin/yarn-config.sh            |  116 +-
 .../hadoop-yarn/bin/yarn-daemon.sh            |  159 +--
 .../hadoop-yarn/bin/yarn-daemons.sh           |   36 +-
 .../hadoop-yarn/conf/yarn-env.sh              |  155 ++-
 35 files changed, 3113 insertions(+), 1937 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
 create mode 100644 hadoop-common-project/hadoop-common/src/main/bin/hadoop-layout.sh.example
 delete mode 100644 hadoop-yarn-project/hadoop-yarn/bin/slaves.sh

diff --git a/hadoop-assemblies/src/main/resources/assemblies/hadoop-dist.xml b/hadoop-assemblies/src/main/resources/assemblies/hadoop-dist.xml
index 7128c752685..f0195353207 100644
--- a/hadoop-assemblies/src/main/resources/assemblies/hadoop-dist.xml
+++ b/hadoop-assemblies/src/main/resources/assemblies/hadoop-dist.xml
@@ -29,6 +29,7 @@
         <exclude>*-config.cmd</exclude>
         <exclude>start-*.cmd</exclude>
         <exclude>stop-*.cmd</exclude>
+        <exclude>hadoop-layout.sh.example</exclude>
       </excludes>
       <fileMode>0755</fileMode>
     </fileSet>
@@ -42,6 +43,8 @@
       <includes>
         <include>*-config.sh</include>
         <include>*-config.cmd</include>
+        <include>*-functions.sh</include>
+        <include>hadoop-layout.sh.example</include>
       </includes>
       <fileMode>0755</fileMode>
     </fileSet>
@@ -57,6 +60,10 @@
         <exclude>hadoop.cmd</exclude>
         <exclude>hdfs.cmd</exclude>
         <exclude>hadoop-config.cmd</exclude>
+        <exclude>hadoop-functions.sh</exclude>
+        <exclude>hadoop-layout.sh.example</exclude>
+        <exclude>hdfs-config.cmd</exclude>
+        <exclude>hdfs-config.sh</exclude>
       </excludes>
       <fileMode>0755</fileMode>
     </fileSet>
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 8a94615808c..fad1c77db71 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -9,6 +9,8 @@ Trunk (Unreleased)
 
     HADOOP-10474 Move o.a.h.record to hadoop-streaming. (wheat9)
 
+    HADOOP-9902. Shell script rewrite (aw)
+
   NEW FEATURES
 
     HADOOP-10433. Key Management Server based on KeyProvider API. (tucu)
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop b/hadoop-common-project/hadoop-common/src/main/bin/hadoop
index b1e2018f611..24c4d18e829 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop
@@ -15,130 +15,164 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# This script runs the hadoop core commands. 
-
-bin=`which $0`
-bin=`dirname ${bin}`
-bin=`cd "$bin" > /dev/null; pwd`
- 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hadoop-config.sh
-
-function print_usage(){
+function hadoop_usage()
+{
   echo "Usage: hadoop [--config confdir] COMMAND"
   echo "       where COMMAND is one of:"
-  echo "  fs                   run a generic filesystem user client"
-  echo "  version              print the version"
-  echo "  jar <jar>            run a jar file"
-  echo "  checknative [-a|-h]  check native hadoop and compression libraries availability"
-  echo "  distcp <srcurl> <desturl> copy file or directories recursively"
-  echo "  archive -archiveName NAME -p <parent path> <src>* <dest> create a hadoop archive"
+  echo "  archive -archiveName NAME -p <parent path> <src>* <dest>"
+  echo "                       create a Hadoop archive"
+  echo "  checknative [-a|-h]  check native Hadoop and compression "
+  echo "                         libraries availability"
   echo "  classpath            prints the class path needed to get the"
+  echo "                         Hadoop jar and the required libraries"
   echo "  credential           interact with credential providers"
-  echo "                       Hadoop jar and the required libraries"
   echo "  daemonlog            get/set the log level for each daemon"
+  echo "  distch path:owner:group:permisson"
+  echo "                       distributed metadata changer"
+  echo "  distcp <srcurl> <desturl> "
+  echo "                       copy file or directories recursively"
+  echo "  fs                   run a generic filesystem user client"
+  echo "  jar <jar>            run a jar file"
+  echo "  jnipath              prints the java.library.path"
+  echo "  key                  manage keys via the KeyProvider"
+  echo "  version              print the version"
   echo " or"
   echo "  CLASSNAME            run the class named CLASSNAME"
   echo ""
   echo "Most commands print help when invoked w/o parameters."
 }
 
+
+# This script runs the hadoop core commands.
+
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  this="${BASH_SOURCE-$0}"
+  bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hadoop-config.sh." 2>&1
+  exit 1
+fi
+
 if [ $# = 0 ]; then
-  print_usage
-  exit
+  hadoop_exit_with_usage 1
 fi
 
 COMMAND=$1
-case $COMMAND in
-  # usage flags
-  --help|-help|-h)
-    print_usage
-    exit
-    ;;
+shift
 
-  #hdfs commands
-  namenode|secondarynamenode|datanode|dfs|dfsadmin|fsck|balancer|fetchdt|oiv|dfsgroups|portmap|nfs3)
-    echo "DEPRECATED: Use of this script to execute hdfs command is deprecated." 1>&2
-    echo "Instead use the hdfs command for it." 1>&2
-    echo "" 1>&2
-    #try to locate hdfs and if present, delegate to it.  
-    shift
-    if [ -f "${HADOOP_HDFS_HOME}"/bin/hdfs ]; then
-      exec "${HADOOP_HDFS_HOME}"/bin/hdfs ${COMMAND/dfsgroups/groups}  "$@"
-    elif [ -f "${HADOOP_PREFIX}"/bin/hdfs ]; then
-      exec "${HADOOP_PREFIX}"/bin/hdfs ${COMMAND/dfsgroups/groups} "$@"
+case ${COMMAND} in
+  balancer|datanode|dfs|dfsadmin|dfsgroups|  \
+  namenode|secondarynamenode|fsck|fetchdt|oiv| \
+  portmap|nfs3)
+    hadoop_error "WARNING: Use of this script to execute ${COMMAND} is deprecated."
+    COMMAND=${COMMAND/dfsgroups/groups}
+    hadoop_error "WARNING: Attempting to execute replacement \"hdfs ${COMMAND}\" instead."
+    hadoop_error ""
+    #try to locate hdfs and if present, delegate to it.
+    if [[ -f "${HADOOP_HDFS_HOME}/bin/hdfs" ]]; then
+      # shellcheck disable=SC2086
+      exec "${HADOOP_HDFS_HOME}/bin/hdfs" \
+      --config "${HADOOP_CONF_DIR}" "${COMMAND}"  "$@"
+    elif [[ -f "${HADOOP_PREFIX}/bin/hdfs" ]]; then
+      # shellcheck disable=SC2086
+      exec "${HADOOP_PREFIX}/bin/hdfs" \
+      --config "${HADOOP_CONF_DIR}" "${COMMAND}" "$@"
     else
-      echo "HADOOP_HDFS_HOME not found!"
+      hadoop_error "HADOOP_HDFS_HOME not found!"
       exit 1
     fi
-    ;;
-
+  ;;
+  
   #mapred commands for backwards compatibility
   pipes|job|queue|mrgroups|mradmin|jobtracker|tasktracker)
-    echo "DEPRECATED: Use of this script to execute mapred command is deprecated." 1>&2
-    echo "Instead use the mapred command for it." 1>&2
-    echo "" 1>&2
+    hadoop_error "WARNING: Use of this script to execute ${COMMAND} is deprecated."
+    COMMAND=${COMMAND/mrgroups/groups}
+    hadoop_error "WARNING: Attempting to execute replacement \"mapred ${COMMAND}\" instead."
+    hadoop_error ""
     #try to locate mapred and if present, delegate to it.
-    shift
-    if [ -f "${HADOOP_MAPRED_HOME}"/bin/mapred ]; then
-      exec "${HADOOP_MAPRED_HOME}"/bin/mapred ${COMMAND/mrgroups/groups} "$@"
-    elif [ -f "${HADOOP_PREFIX}"/bin/mapred ]; then
-      exec "${HADOOP_PREFIX}"/bin/mapred ${COMMAND/mrgroups/groups} "$@"
+    if [[ -f "${HADOOP_MAPRED_HOME}/bin/mapred" ]]; then
+      exec "${HADOOP_MAPRED_HOME}/bin/mapred" \
+      --config "${HADOOP_CONF_DIR}" "${COMMAND}" "$@"
+    elif [[ -f "${HADOOP_PREFIX}/bin/mapred" ]]; then
+      exec "${HADOOP_PREFIX}/bin/mapred" \
+      --config "${HADOOP_CONF_DIR}" "${COMMAND}" "$@"
     else
-      echo "HADOOP_MAPRED_HOME not found!"
+      hadoop_error "HADOOP_MAPRED_HOME not found!"
       exit 1
     fi
-    ;;
-
-  #core commands  
-  *)
-    # the core commands
-    if [ "$COMMAND" = "fs" ] ; then
-      CLASS=org.apache.hadoop.fs.FsShell
-    elif [ "$COMMAND" = "version" ] ; then
-      CLASS=org.apache.hadoop.util.VersionInfo
-    elif [ "$COMMAND" = "jar" ] ; then
-      CLASS=org.apache.hadoop.util.RunJar
-    elif [ "$COMMAND" = "key" ] ; then
-      CLASS=org.apache.hadoop.crypto.key.KeyShell
-    elif [ "$COMMAND" = "checknative" ] ; then
-      CLASS=org.apache.hadoop.util.NativeLibraryChecker
-    elif [ "$COMMAND" = "distcp" ] ; then
-      CLASS=org.apache.hadoop.tools.DistCp
-      CLASSPATH=${CLASSPATH}:${TOOL_PATH}
-    elif [ "$COMMAND" = "daemonlog" ] ; then
-      CLASS=org.apache.hadoop.log.LogLevel
-    elif [ "$COMMAND" = "archive" ] ; then
-      CLASS=org.apache.hadoop.tools.HadoopArchives
-      CLASSPATH=${CLASSPATH}:${TOOL_PATH}
-    elif [ "$COMMAND" = "credential" ] ; then
-      CLASS=org.apache.hadoop.security.alias.CredentialShell
-    elif [ "$COMMAND" = "classpath" ] ; then
-      if [ "$#" -eq 1 ]; then
-        # No need to bother starting up a JVM for this simple case.
-        echo $CLASSPATH
-        exit
-      else
-        CLASS=org.apache.hadoop.util.Classpath
-      fi
-    elif [[ "$COMMAND" = -*  ]] ; then
-        # class and package names cannot begin with a -
-        echo "Error: No command named \`$COMMAND' was found. Perhaps you meant \`hadoop ${COMMAND#-}'"
-        exit 1
-    else
-      CLASS=$COMMAND
+  ;;
+  archive)
+    CLASS=org.apache.hadoop.tools.HadoopArchives
+    hadoop_add_classpath "${TOOL_PATH}"
+  ;;
+  checknative)
+    CLASS=org.apache.hadoop.util.NativeLibraryChecker
+  ;;
+  classpath)
+    if [[ "$#" -eq 1 ]]; then
+      CLASS=org.apache.hadoop.util.Classpath
+    else   
+      hadoop_finalize
+      echo "${CLASSPATH}"
+      exit 0
     fi
-    shift
-    
-    # Always respect HADOOP_OPTS and HADOOP_CLIENT_OPTS
-    HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-
-    #make sure security appender is turned off
-    HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.security.logger=${HADOOP_SECURITY_LOGGER:-INFO,NullAppender}"
-
-    export CLASSPATH=$CLASSPATH
-    exec "$JAVA" $JAVA_HEAP_MAX $HADOOP_OPTS $CLASS "$@"
-    ;;
-
+  ;;
+  credential)
+    CLASS=org.apache.hadoop.security.alias.CredentialShell
+  ;;
+  daemonlog)
+    CLASS=org.apache.hadoop.log.LogLevel
+  ;;
+  distch)
+    CLASS=org.apache.hadoop.tools.DistCh
+    hadoop_add_classpath "${TOOL_PATH}"
+  ;;
+  distcp)
+    CLASS=org.apache.hadoop.tools.DistCp
+    hadoop_add_classpath "${TOOL_PATH}"
+  ;;
+  fs)
+    CLASS=org.apache.hadoop.fs.FsShell
+  ;;
+  jar)
+    CLASS=org.apache.hadoop.util.RunJar
+  ;;
+  jnipath)
+    hadoop_finalize
+    echo "${JAVA_LIBRARY_PATH}"
+    exit 0
+  ;;
+  key)
+    CLASS=org.apache.hadoop.crypto.key.KeyShell
+  ;;
+  version)
+    CLASS=org.apache.hadoop.util.VersionInfo
+  ;;
+  -*|hdfs)
+    hadoop_exit_with_usage 1
+  ;;
+  *)
+    CLASS="${COMMAND}"
+  ;;
 esac
+
+# Always respect HADOOP_OPTS and HADOOP_CLIENT_OPTS
+HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
+
+hadoop_add_param HADOOP_OPTS Xmx "${JAVA_HEAP_MAX}"
+
+hadoop_finalize
+export CLASSPATH
+hadoop_java_exec "${COMMAND}" "${CLASS}" "$@"
+
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
index a0fb9d0c99d..b2fc4d341df 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
@@ -1,3 +1,5 @@
+#
+#
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
@@ -13,280 +15,176 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+####
+# IMPORTANT
+####
+
+## The hadoop-config.sh tends to get executed by non-Hadoop scripts.
+## Those parts expect this script to parse/manipulate $@. In order
+## to maintain backward compatibility, this means a surprising
+## lack of functions for bits that would be much better off in
+## a function.
+##
+## In other words, yes, there is some bad things happen here and
+## unless we break the rest of the ecosystem, we can't change it. :(
+
+
 # included in all the hadoop scripts with source command
 # should not be executable directly
 # also should not be passed any arguments, since we need original $*
-
-# Resolve links ($0 may be a softlink) and convert a relative path
-# to an absolute path.  NB: The -P option requires bash built-ins
-# or POSIX:2001 compliant cd and pwd.
-
-#   HADOOP_CLASSPATH Extra Java CLASSPATH entries.
-#
-#   HADOOP_USER_CLASSPATH_FIRST      When defined, the HADOOP_CLASSPATH is 
-#                                    added in the beginning of the global
-#                                    classpath. Can be defined, for example,
-#                                    by doing 
-#                                    export HADOOP_USER_CLASSPATH_FIRST=true
 #
+# after doing more config, caller should also exec finalize
+# function to finish last minute/default configs for
+# settings that might be different between daemons & interactive
 
-this="${BASH_SOURCE-$0}"
-common_bin=$(cd -P -- "$(dirname -- "$this")" && pwd -P)
-script="$(basename -- "$this")"
-this="$common_bin/$script"
-
-[ -f "$common_bin/hadoop-layout.sh" ] && . "$common_bin/hadoop-layout.sh"
-
-HADOOP_COMMON_DIR=${HADOOP_COMMON_DIR:-"share/hadoop/common"}
-HADOOP_COMMON_LIB_JARS_DIR=${HADOOP_COMMON_LIB_JARS_DIR:-"share/hadoop/common/lib"}
-HADOOP_COMMON_LIB_NATIVE_DIR=${HADOOP_COMMON_LIB_NATIVE_DIR:-"lib/native"}
-HDFS_DIR=${HDFS_DIR:-"share/hadoop/hdfs"}
-HDFS_LIB_JARS_DIR=${HDFS_LIB_JARS_DIR:-"share/hadoop/hdfs/lib"}
-YARN_DIR=${YARN_DIR:-"share/hadoop/yarn"}
-YARN_LIB_JARS_DIR=${YARN_LIB_JARS_DIR:-"share/hadoop/yarn/lib"}
-MAPRED_DIR=${MAPRED_DIR:-"share/hadoop/mapreduce"}
-MAPRED_LIB_JARS_DIR=${MAPRED_LIB_JARS_DIR:-"share/hadoop/mapreduce/lib"}
-
-# the root of the Hadoop installation
-# See HADOOP-6255 for directory structure layout
-HADOOP_DEFAULT_PREFIX=$(cd -P -- "$common_bin"/.. && pwd -P)
-HADOOP_PREFIX=${HADOOP_PREFIX:-$HADOOP_DEFAULT_PREFIX}
-export HADOOP_PREFIX
-
-#check to see if the conf dir is given as an optional argument
-if [ $# -gt 1 ]
-then
-    if [ "--config" = "$1" ]
-	  then
-	      shift
-	      confdir=$1
-	      if [ ! -d "$confdir" ]; then
-                echo "Error: Cannot find configuration directory: $confdir"
-                exit 1
-             fi
-	      shift
-	      HADOOP_CONF_DIR=$confdir
-    fi
+# you must be this high to ride the ride
+if [[ -z "${BASH_VERSINFO}" ]] || [[ "${BASH_VERSINFO}" -lt 3 ]]; then
+  echo "Hadoop requires bash v3 or better. Sorry."
+  exit 1
 fi
- 
-# Allow alternate conf dir location.
-if [ -e "${HADOOP_PREFIX}/conf/hadoop-env.sh" ]; then
-  DEFAULT_CONF_DIR="conf"
+
+# In order to get partially bootstrapped, we need to figure out where
+# we are located. Chances are good that our caller has already done
+# this work for us, but just in case...
+
+if [[ -z "${HADOOP_LIBEXEC_DIR}" ]]; then
+  _hadoop_common_this="${BASH_SOURCE-$0}"
+  HADOOP_LIBEXEC_DIR=$(cd -P -- "$(dirname -- "${_hadoop_common_this}")" >/dev/null && pwd -P)
+fi
+
+# get our functions defined for usage later
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hadoop-functions.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-functions.sh"
 else
-  DEFAULT_CONF_DIR="etc/hadoop"
-fi
-
-export HADOOP_CONF_DIR="${HADOOP_CONF_DIR:-$HADOOP_PREFIX/$DEFAULT_CONF_DIR}"
-
-if [ -f "${HADOOP_CONF_DIR}/hadoop-env.sh" ]; then
-  . "${HADOOP_CONF_DIR}/hadoop-env.sh"
-fi
-
-# User can specify hostnames or a file where the hostnames are (not both)
-if [[ ( "$HADOOP_SLAVES" != '' ) && ( "$HADOOP_SLAVE_NAMES" != '' ) ]] ; then
-  echo \
-    "Error: Please specify one variable HADOOP_SLAVES or " \
-    "HADOOP_SLAVE_NAME and not both."
+  echo "ERROR: Unable to exec ${HADOOP_LIBEXEC_DIR}/hadoop-functions.sh." 1>&2
   exit 1
 fi
 
-# Process command line options that specify hosts or file with host
-# list
-if [ $# -gt 1 ]
-then
-    if [ "--hosts" = "$1" ]
-    then
-        shift
-        export HADOOP_SLAVES="${HADOOP_CONF_DIR}/$1"
-        shift
-    elif [ "--hostnames" = "$1" ]
-    then
-        shift
-        export HADOOP_SLAVE_NAMES=$1
-        shift
-    fi
+# allow overrides of the above and pre-defines of the below
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hadoop-layout.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-layout.sh"
 fi
 
-# User can specify hostnames or a file where the hostnames are (not both)
-# (same check as above but now we know it's command line options that cause
-# the problem)
-if [[ ( "$HADOOP_SLAVES" != '' ) && ( "$HADOOP_SLAVE_NAMES" != '' ) ]] ; then
-  echo \
-    "Error: Please specify one of --hosts or --hostnames options and not both."
-  exit 1
+#
+# IMPORTANT! We are not executing user provided code yet!
+#
+
+# Let's go!  Base definitions so we can move forward
+hadoop_bootstrap_init
+
+# let's find our conf.
+#
+# first, check and process params passed to us
+# we process this in-line so that we can directly modify $@
+# if something downstream is processing that directly,
+# we need to make sure our params have been ripped out
+# note that we do many of them here for various utilities.
+# this provides consistency and forces a more consistent
+# user experience
+
+
+# save these off in case our caller needs them
+# shellcheck disable=SC2034
+HADOOP_USER_PARAMS="$@"
+
+HADOOP_DAEMON_MODE="default"
+
+while [[ -z "${_hadoop_common_done}" ]]; do
+  case $1 in
+    --buildpaths)
+      # shellcheck disable=SC2034
+      HADOOP_ENABLE_BUILD_PATHS=true
+      shift
+    ;;
+    --config)
+      shift
+      confdir=$1
+      shift
+      if [[ -d "${confdir}" ]]; then
+        # shellcheck disable=SC2034
+        YARN_CONF_DIR="${confdir}"
+        # shellcheck disable=SC2034
+        HADOOP_CONF_DIR="${confdir}"
+      elif [[ -z "${confdir}" ]]; then
+        hadoop_error "ERROR: No parameter provided for --config "
+        hadoop_exit_with_usage 1
+      else
+        hadoop_error "ERROR: Cannot find configuration directory \"${confdir}\""
+        hadoop_exit_with_usage 1
+      fi
+    ;;
+    --daemon)
+      shift
+      HADOOP_DAEMON_MODE=$1
+      shift
+      if [[ -z "${HADOOP_DAEMON_MODE}" || \
+        ! "${HADOOP_DAEMON_MODE}" =~ ^st(art|op|atus)$ ]]; then
+        hadoop_error "ERROR: --daemon must be followed by either \"start\", \"stop\", or \"status\"."
+        hadoop_exit_with_usage 1
+      fi
+    ;;
+    --help|-help|-h|help|--h|--\?|-\?|\?)
+      hadoop_exit_with_usage 0
+    ;;
+    --hostnames)
+      shift
+      # shellcheck disable=SC2034
+      HADOOP_SLAVE_NAMES="$1"
+      shift
+    ;;
+    --hosts)
+      shift
+      hadoop_populate_slaves_file "$1"
+      shift
+    ;;
+    *)
+      _hadoop_common_done=true
+    ;;
+  esac
+done
+
+hadoop_find_confdir
+hadoop_exec_hadoopenv
+
+#
+# IMPORTANT! User provided code is now available!
+#
+
+# do all the OS-specific startup bits here
+# this allows us to get a decent JAVA_HOME,
+# call crle for LD_LIBRARY_PATH, etc.
+hadoop_os_tricks
+
+hadoop_java_setup
+
+hadoop_basic_init
+
+# inject any sub-project overrides, defaults, etc.
+if declare -F hadoop_subproject_init >/dev/null ; then
+  hadoop_subproject_init
 fi
 
-# check if net.ipv6.bindv6only is set to 1
-bindv6only=$(/sbin/sysctl -n net.ipv6.bindv6only 2> /dev/null)
-if [ -n "$bindv6only" ] && [ "$bindv6only" -eq "1" ] && [ "$HADOOP_ALLOW_IPV6" != "yes" ]
-then
-  echo "Error: \"net.ipv6.bindv6only\" is set to 1 - Java networking could be broken"
-  echo "For more info: http://wiki.apache.org/hadoop/HadoopIPv6"
-  exit 1
-fi
-
-# Newer versions of glibc use an arena memory allocator that causes virtual
-# memory usage to explode. This interacts badly with the many threads that
-# we use in Hadoop. Tune the variable down to prevent vmem explosion.
-export MALLOC_ARENA_MAX=${MALLOC_ARENA_MAX:-4}
-
-# Attempt to set JAVA_HOME if it is not set
-if [[ -z $JAVA_HOME ]]; then
-  # On OSX use java_home (or /Library for older versions)
-  if [ "Darwin" == "$(uname -s)" ]; then
-    if [ -x /usr/libexec/java_home ]; then
-      export JAVA_HOME=($(/usr/libexec/java_home))
-    else
-      export JAVA_HOME=(/Library/Java/Home)
-    fi
-  fi
-
-  # Bail if we did not detect it
-  if [[ -z $JAVA_HOME ]]; then
-    echo "Error: JAVA_HOME is not set and could not be found." 1>&2
-    exit 1
-  fi
-fi
-
-JAVA=$JAVA_HOME/bin/java
-
-# check envvars which might override default args
-if [ "$HADOOP_HEAPSIZE" != "" ]; then
-  #echo "run with heapsize $HADOOP_HEAPSIZE"
-  JAVA_HEAP_MAX="-Xmx""$HADOOP_HEAPSIZE""m"
-  #echo $JAVA_HEAP_MAX
-fi
-
-# CLASSPATH initially contains $HADOOP_CONF_DIR
-CLASSPATH="${HADOOP_CONF_DIR}"
-
-# so that filenames w/ spaces are handled correctly in loops below
-IFS=
-
-if [ "$HADOOP_COMMON_HOME" = "" ]; then
-  if [ -d "${HADOOP_PREFIX}/$HADOOP_COMMON_DIR" ]; then
-    export HADOOP_COMMON_HOME=$HADOOP_PREFIX
-  fi
-fi
-
-# for releases, add core hadoop jar & webapps to CLASSPATH
-if [ -d "$HADOOP_COMMON_HOME/$HADOOP_COMMON_DIR/webapps" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_COMMON_HOME/$HADOOP_COMMON_DIR
-fi
-
-if [ -d "$HADOOP_COMMON_HOME/$HADOOP_COMMON_LIB_JARS_DIR" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_COMMON_HOME/$HADOOP_COMMON_LIB_JARS_DIR'/*'
-fi
-
-CLASSPATH=${CLASSPATH}:$HADOOP_COMMON_HOME/$HADOOP_COMMON_DIR'/*'
-
-# default log directory & file
-if [ "$HADOOP_LOG_DIR" = "" ]; then
-  HADOOP_LOG_DIR="$HADOOP_PREFIX/logs"
-fi
-if [ "$HADOOP_LOGFILE" = "" ]; then
-  HADOOP_LOGFILE='hadoop.log'
-fi
-
-# default policy file for service-level authorization
-if [ "$HADOOP_POLICYFILE" = "" ]; then
-  HADOOP_POLICYFILE="hadoop-policy.xml"
-fi
-
-# restore ordinary behaviour
-unset IFS
-
-# setup 'java.library.path' for native-hadoop code if necessary
-
-if [ -d "${HADOOP_PREFIX}/build/native" -o -d "${HADOOP_PREFIX}/$HADOOP_COMMON_LIB_NATIVE_DIR" ]; then
-    
-  if [ -d "${HADOOP_PREFIX}/$HADOOP_COMMON_LIB_NATIVE_DIR" ]; then
-    if [ "x$JAVA_LIBRARY_PATH" != "x" ]; then
-      JAVA_LIBRARY_PATH=${JAVA_LIBRARY_PATH}:${HADOOP_PREFIX}/$HADOOP_COMMON_LIB_NATIVE_DIR
-    else
-      JAVA_LIBRARY_PATH=${HADOOP_PREFIX}/$HADOOP_COMMON_LIB_NATIVE_DIR
-    fi
-  fi
-fi
-
-# setup a default TOOL_PATH
-TOOL_PATH="${TOOL_PATH:-$HADOOP_PREFIX/share/hadoop/tools/lib/*}"
-
-HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.log.dir=$HADOOP_LOG_DIR"
-HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.log.file=$HADOOP_LOGFILE"
-HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.home.dir=$HADOOP_PREFIX"
-HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.id.str=$HADOOP_IDENT_STRING"
-HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.root.logger=${HADOOP_ROOT_LOGGER:-INFO,console}"
-if [ "x$JAVA_LIBRARY_PATH" != "x" ]; then
-  HADOOP_OPTS="$HADOOP_OPTS -Djava.library.path=$JAVA_LIBRARY_PATH"
-  export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$JAVA_LIBRARY_PATH
-fi  
-HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.policy.file=$HADOOP_POLICYFILE"
-
-# Disable ipv6 as it can cause issues
-HADOOP_OPTS="$HADOOP_OPTS -Djava.net.preferIPv4Stack=true"
-
-# put hdfs in classpath if present
-if [ "$HADOOP_HDFS_HOME" = "" ]; then
-  if [ -d "${HADOOP_PREFIX}/$HDFS_DIR" ]; then
-    export HADOOP_HDFS_HOME=$HADOOP_PREFIX
-  fi
-fi
-
-if [ -d "$HADOOP_HDFS_HOME/$HDFS_DIR/webapps" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_HDFS_HOME/$HDFS_DIR
-fi
-
-if [ -d "$HADOOP_HDFS_HOME/$HDFS_LIB_JARS_DIR" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_HDFS_HOME/$HDFS_LIB_JARS_DIR'/*'
-fi
-
-CLASSPATH=${CLASSPATH}:$HADOOP_HDFS_HOME/$HDFS_DIR'/*'
-
-# put yarn in classpath if present
-if [ "$HADOOP_YARN_HOME" = "" ]; then
-  if [ -d "${HADOOP_PREFIX}/$YARN_DIR" ]; then
-    export HADOOP_YARN_HOME=$HADOOP_PREFIX
-  fi
-fi
-
-if [ -d "$HADOOP_YARN_HOME/$YARN_DIR/webapps" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/$YARN_DIR
-fi
-
-if [ -d "$HADOOP_YARN_HOME/$YARN_LIB_JARS_DIR" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/$YARN_LIB_JARS_DIR'/*'
-fi
-
-CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/$YARN_DIR'/*'
-
-# put mapred in classpath if present AND different from YARN
-if [ "$HADOOP_MAPRED_HOME" = "" ]; then
-  if [ -d "${HADOOP_PREFIX}/$MAPRED_DIR" ]; then
-    export HADOOP_MAPRED_HOME=$HADOOP_PREFIX
-  fi
-fi
-
-if [ "$HADOOP_MAPRED_HOME/$MAPRED_DIR" != "$HADOOP_YARN_HOME/$YARN_DIR" ] ; then
-  if [ -d "$HADOOP_MAPRED_HOME/$MAPRED_DIR/webapps" ]; then
-    CLASSPATH=${CLASSPATH}:$HADOOP_MAPRED_HOME/$MAPRED_DIR
-  fi
-
-  if [ -d "$HADOOP_MAPRED_HOME/$MAPRED_LIB_JARS_DIR" ]; then
-    CLASSPATH=${CLASSPATH}:$HADOOP_MAPRED_HOME/$MAPRED_LIB_JARS_DIR'/*'
-  fi
-
-  CLASSPATH=${CLASSPATH}:$HADOOP_MAPRED_HOME/$MAPRED_DIR'/*'
-fi
-
-# Add the user-specified CLASSPATH via HADOOP_CLASSPATH
-# Add it first or last depending on if user has
-# set env-var HADOOP_USER_CLASSPATH_FIRST
-if [ "$HADOOP_CLASSPATH" != "" ]; then
-  # Prefix it if its to be preceded
-  if [ "$HADOOP_USER_CLASSPATH_FIRST" != "" ]; then
-    CLASSPATH=${HADOOP_CLASSPATH}:${CLASSPATH}
-  else
-    CLASSPATH=${CLASSPATH}:${HADOOP_CLASSPATH}
-  fi
+# get the native libs in there pretty quick
+hadoop_add_javalibpath "${HADOOP_PREFIX}/build/native"
+hadoop_add_javalibpath "${HADOOP_PREFIX}/${HADOOP_COMMON_LIB_NATIVE_DIR}"
+
+# get the basic java class path for these subprojects
+# in as quickly as possible since other stuff
+# will definitely depend upon it.
+#
+# at some point, this will get replaced with something pluggable
+# so that these functions can sit in their projects rather than
+# common
+#
+for i in common hdfs yarn mapred
+do
+  hadoop_add_to_classpath_$i
+done
+
+#
+# backwards compatibility. new stuff should
+# call this when they are ready
+#
+if [[ -z "${HADOOP_NEW_CONFIG}" ]]; then
+  hadoop_finalize
 fi
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-daemon.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-daemon.sh
index 6a4cd69152e..b60915c1cda 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-daemon.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-daemon.sh
@@ -15,200 +15,42 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+function hadoop_usage
+{
+  echo "Usage: hadoop-daemon.sh [--config confdir] (start|stop|status) <hadoop-command> <args...>"
+}
 
-# Runs a Hadoop command as a daemon.
-#
-# Environment Variables
-#
-#   HADOOP_CONF_DIR  Alternate conf dir. Default is ${HADOOP_PREFIX}/conf.
-#   HADOOP_LOG_DIR   Where log files are stored.  PWD by default.
-#   HADOOP_MASTER    host:path where hadoop code should be rsync'd from
-#   HADOOP_PID_DIR   The pid files are stored. /tmp by default.
-#   HADOOP_IDENT_STRING   A string representing this instance of hadoop. $USER by default
-#   HADOOP_NICENESS The scheduling priority for daemons. Defaults to 0.
-##
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  this="${BASH_SOURCE-$0}"
+  bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
 
-usage="Usage: hadoop-daemon.sh [--config <conf-dir>] [--hosts hostlistfile] [--script script] (start|stop) <hadoop-command> <args...>"
-
-# if no args specified, show usage
-if [ $# -le 1 ]; then
-  echo $usage
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hdfs-config.sh." 2>&1
   exit 1
 fi
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
-
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hadoop-config.sh
-
-# get arguments
-
-#default value
-hadoopScript="$HADOOP_PREFIX"/bin/hadoop
-if [ "--script" = "$1" ]
-  then
-    shift
-    hadoopScript=$1
-    shift
+if [[ $# = 0 ]]; then
+  hadoop_exit_with_usage 1
 fi
-startStop=$1
-shift
-command=$1
+
+daemonmode=$1
 shift
 
-hadoop_rotate_log ()
-{
-    log=$1;
-    num=5;
-    if [ -n "$2" ]; then
-	num=$2
-    fi
-    if [ -f "$log" ]; then # rotate logs
-	while [ $num -gt 1 ]; do
-	    prev=`expr $num - 1`
-	    [ -f "$log.$prev" ] && mv "$log.$prev" "$log.$num"
-	    num=$prev
-	done
-	mv "$log" "$log.$num";
-    fi
-}
-
-if [ -f "${HADOOP_CONF_DIR}/hadoop-env.sh" ]; then
-  . "${HADOOP_CONF_DIR}/hadoop-env.sh"
+if [[ -z "${HADOOP_HDFS_HOME}" ]]; then
+  hdfsscript="${HADOOP_PREFIX}/bin/hdfs"
+else
+  hdfsscript="${HADOOP_HDFS_HOME}/bin/hdfs"
 fi
 
-# Determine if we're starting a secure datanode, and if so, redefine appropriate variables
-if [ "$command" == "datanode" ] && [ "$EUID" -eq 0 ] && [ -n "$HADOOP_SECURE_DN_USER" ]; then
-  export HADOOP_PID_DIR=$HADOOP_SECURE_DN_PID_DIR
-  export HADOOP_LOG_DIR=$HADOOP_SECURE_DN_LOG_DIR
-  export HADOOP_IDENT_STRING=$HADOOP_SECURE_DN_USER
-  starting_secure_dn="true"
-fi
-
-#Determine if we're starting a privileged NFS, if so, redefine the appropriate variables
-if [ "$command" == "nfs3" ] && [ "$EUID" -eq 0 ] && [ -n "$HADOOP_PRIVILEGED_NFS_USER" ]; then
-    export HADOOP_PID_DIR=$HADOOP_PRIVILEGED_NFS_PID_DIR
-    export HADOOP_LOG_DIR=$HADOOP_PRIVILEGED_NFS_LOG_DIR
-    export HADOOP_IDENT_STRING=$HADOOP_PRIVILEGED_NFS_USER
-    starting_privileged_nfs="true"
-fi
-
-if [ "$HADOOP_IDENT_STRING" = "" ]; then
-  export HADOOP_IDENT_STRING="$USER"
-fi
-
-
-# get log directory
-if [ "$HADOOP_LOG_DIR" = "" ]; then
-  export HADOOP_LOG_DIR="$HADOOP_PREFIX/logs"
-fi
-
-if [ ! -w "$HADOOP_LOG_DIR" ] ; then
-  mkdir -p "$HADOOP_LOG_DIR"
-  chown $HADOOP_IDENT_STRING $HADOOP_LOG_DIR
-fi
-
-if [ "$HADOOP_PID_DIR" = "" ]; then
-  HADOOP_PID_DIR=/tmp
-fi
-
-# some variables
-export HADOOP_LOGFILE=hadoop-$HADOOP_IDENT_STRING-$command-$HOSTNAME.log
-export HADOOP_ROOT_LOGGER=${HADOOP_ROOT_LOGGER:-"INFO,RFA"}
-export HADOOP_SECURITY_LOGGER=${HADOOP_SECURITY_LOGGER:-"INFO,RFAS"}
-export HDFS_AUDIT_LOGGER=${HDFS_AUDIT_LOGGER:-"INFO,NullAppender"}
-log=$HADOOP_LOG_DIR/hadoop-$HADOOP_IDENT_STRING-$command-$HOSTNAME.out
-pid=$HADOOP_PID_DIR/hadoop-$HADOOP_IDENT_STRING-$command.pid
-HADOOP_STOP_TIMEOUT=${HADOOP_STOP_TIMEOUT:-5}
-
-# Set default scheduling priority
-if [ "$HADOOP_NICENESS" = "" ]; then
-    export HADOOP_NICENESS=0
-fi
-
-case $startStop in
-
-  (start)
-
-    [ -w "$HADOOP_PID_DIR" ] ||  mkdir -p "$HADOOP_PID_DIR"
-
-    if [ -f $pid ]; then
-      if kill -0 `cat $pid` > /dev/null 2>&1; then
-        echo $command running as process `cat $pid`.  Stop it first.
-        exit 1
-      fi
-    fi
-
-    if [ "$HADOOP_MASTER" != "" ]; then
-      echo rsync from $HADOOP_MASTER
-      rsync -a -e ssh --delete --exclude=.svn --exclude='logs/*' --exclude='contrib/hod/logs/*' $HADOOP_MASTER/ "$HADOOP_PREFIX"
-    fi
-
-    hadoop_rotate_log $log
-    echo starting $command, logging to $log
-    cd "$HADOOP_PREFIX"
-    case $command in
-      namenode|secondarynamenode|datanode|journalnode|dfs|dfsadmin|fsck|balancer|zkfc)
-        if [ -z "$HADOOP_HDFS_HOME" ]; then
-          hdfsScript="$HADOOP_PREFIX"/bin/hdfs
-        else
-          hdfsScript="$HADOOP_HDFS_HOME"/bin/hdfs
-        fi
-        nohup nice -n $HADOOP_NICENESS $hdfsScript --config $HADOOP_CONF_DIR $command "$@" > "$log" 2>&1 < /dev/null &
-      ;;
-      (*)
-        nohup nice -n $HADOOP_NICENESS $hadoopScript --config $HADOOP_CONF_DIR $command "$@" > "$log" 2>&1 < /dev/null &
-      ;;
-    esac
-    echo $! > $pid
-    sleep 1
-    head "$log"
-    # capture the ulimit output
-    if [ "true" = "$starting_secure_dn" ]; then
-      echo "ulimit -a for secure datanode user $HADOOP_SECURE_DN_USER" >> $log
-      # capture the ulimit info for the appropriate user
-      su --shell=/bin/bash $HADOOP_SECURE_DN_USER -c 'ulimit -a' >> $log 2>&1
-    elif [ "true" = "$starting_privileged_nfs" ]; then
-        echo "ulimit -a for privileged nfs user $HADOOP_PRIVILEGED_NFS_USER" >> $log
-        su --shell=/bin/bash $HADOOP_PRIVILEGED_NFS_USER -c 'ulimit -a' >> $log 2>&1
-    else
-      echo "ulimit -a for user $USER" >> $log
-      ulimit -a >> $log 2>&1
-    fi
-    sleep 3;
-    if ! ps -p $! > /dev/null ; then
-      exit 1
-    fi
-    ;;
-          
-  (stop)
-
-    if [ -f $pid ]; then
-      TARGET_PID=`cat $pid`
-      if kill -0 $TARGET_PID > /dev/null 2>&1; then
-        echo stopping $command
-        kill $TARGET_PID
-        sleep $HADOOP_STOP_TIMEOUT
-        if kill -0 $TARGET_PID > /dev/null 2>&1; then
-          echo "$command did not stop gracefully after $HADOOP_STOP_TIMEOUT seconds: killing with kill -9"
-          kill -9 $TARGET_PID
-        fi
-      else
-        echo no $command to stop
-      fi
-      rm -f $pid
-    else
-      echo no $command to stop
-    fi
-    ;;
-
-  (*)
-    echo $usage
-    exit 1
-    ;;
-
-esac
-
+exec "$hdfsscript" --config "${HADOOP_CONF_DIR}" --daemon "${daemonmode}" "$@"
 
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-daemons.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-daemons.sh
index 181d7ac101f..db06612691d 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-daemons.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-daemons.sh
@@ -18,19 +18,34 @@
 
 # Run a Hadoop command on all slave hosts.
 
-usage="Usage: hadoop-daemons.sh [--config confdir] [--hosts hostlistfile] [start|stop] command args..."
+function hadoop_usage
+{
+  echo "Usage: hadoop-daemons.sh [--config confdir] [--hosts hostlistfile] (start|stop|status) <hadoop-command> <args...>"
+}
 
-# if no args specified, show usage
-if [ $# -le 1 ]; then
-  echo $usage
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hadoop-config.sh." 2>&1
   exit 1
 fi
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
+if [[ $# = 0 ]]; then
+  hadoop_exit_with_usage 1
+fi
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hadoop-config.sh
-
-exec "$bin/slaves.sh" --config $HADOOP_CONF_DIR cd "$HADOOP_PREFIX" \; "$bin/hadoop-daemon.sh" --config $HADOOP_CONF_DIR "$@"
+hadoop_connect_to_hosts "${bin}/hadoop-daemon.sh" \
+--config "${HADOOP_CONF_DIR}" "$@"
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
new file mode 100644
index 00000000000..646c11ee3f7
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
@@ -0,0 +1,1036 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+function hadoop_error
+{
+  # NOTE: This function is not user replaceable.
+
+  echo "$*" 1>&2
+}
+
+function hadoop_bootstrap_init
+{
+  # NOTE: This function is not user replaceable.
+
+  # the root of the Hadoop installation
+  # See HADOOP-6255 for the expected directory structure layout
+  
+  # By now, HADOOP_LIBEXEC_DIR should have been defined upstream
+  # We can piggyback off of that to figure out where the default
+  # HADOOP_FREFIX should be.  This allows us to run without
+  # HADOOP_PREFIX ever being defined by a human! As a consequence
+  # HADOOP_LIBEXEC_DIR now becomes perhaps the single most powerful
+  # env var within Hadoop.
+  if [[ -z "${HADOOP_LIBEXEC_DIR}" ]]; then
+    hadoop_error "HADOOP_LIBEXEC_DIR is not defined.  Exiting."
+    exit 1
+  fi
+  HADOOP_DEFAULT_PREFIX=$(cd -P -- "${HADOOP_LIBEXEC_DIR}/.." >/dev/null && pwd -P)
+  HADOOP_PREFIX=${HADOOP_PREFIX:-$HADOOP_DEFAULT_PREFIX}
+  export HADOOP_PREFIX
+  
+  #
+  # short-cuts. vendors may redefine these as well, preferably
+  # in hadoop-layouts.sh
+  #
+  HADOOP_COMMON_DIR=${HADOOP_COMMON_DIR:-"share/hadoop/common"}
+  HADOOP_COMMON_LIB_JARS_DIR=${HADOOP_COMMON_LIB_JARS_DIR:-"share/hadoop/common/lib"}
+  HADOOP_COMMON_LIB_NATIVE_DIR=${HADOOP_COMMON_LIB_NATIVE_DIR:-"lib/native"}
+  HDFS_DIR=${HDFS_DIR:-"share/hadoop/hdfs"}
+  HDFS_LIB_JARS_DIR=${HDFS_LIB_JARS_DIR:-"share/hadoop/hdfs/lib"}
+  YARN_DIR=${YARN_DIR:-"share/hadoop/yarn"}
+  YARN_LIB_JARS_DIR=${YARN_LIB_JARS_DIR:-"share/hadoop/yarn/lib"}
+  MAPRED_DIR=${MAPRED_DIR:-"share/hadoop/mapreduce"}
+  MAPRED_LIB_JARS_DIR=${MAPRED_LIB_JARS_DIR:-"share/hadoop/mapreduce/lib"}
+  # setup a default TOOL_PATH
+  TOOL_PATH=${TOOL_PATH:-${HADOOP_PREFIX}/share/hadoop/tools/lib/*}
+
+  export HADOOP_OS_TYPE=${HADOOP_OS_TYPE:-$(uname -s)}
+
+  
+  # defaults
+  export HADOOP_OPTS=${HADOOP_OPTS:-"-Djava.net.preferIPv4Stack=true"}
+}
+
+function hadoop_find_confdir
+{
+  # NOTE: This function is not user replaceable.
+
+  # Look for the basic hadoop configuration area.
+  #
+  #
+  # An attempt at compatibility with some Hadoop 1.x
+  # installs.
+  if [[ -e "${HADOOP_PREFIX}/conf/hadoop-env.sh" ]]; then
+    DEFAULT_CONF_DIR="conf"
+  else
+    DEFAULT_CONF_DIR="etc/hadoop"
+  fi
+  export HADOOP_CONF_DIR="${HADOOP_CONF_DIR:-${HADOOP_PREFIX}/${DEFAULT_CONF_DIR}}"
+}
+
+function hadoop_exec_hadoopenv
+{
+  # NOTE: This function is not user replaceable.
+
+  if [[ -z "${HADOOP_ENV_PROCESSED}" ]]; then
+    if [[ -f "${HADOOP_CONF_DIR}/hadoop-env.sh" ]]; then
+      export HADOOP_ENV_PROCESSED=true
+      . "${HADOOP_CONF_DIR}/hadoop-env.sh"
+    fi
+  fi
+}
+
+
+function hadoop_basic_init
+{
+  # Some of these are also set in hadoop-env.sh.
+  # we still set them here just in case hadoop-env.sh is
+  # broken in some way, set up defaults, etc.
+  #
+  # but it is important to note that if you update these
+  # you also need to update hadoop-env.sh as well!!!
+  
+  # CLASSPATH initially contains $HADOOP_CONF_DIR
+  CLASSPATH="${HADOOP_CONF_DIR}"
+  
+  if [[ -z "${HADOOP_COMMON_HOME}" ]] &&
+  [[ -d "${HADOOP_PREFIX}/${HADOOP_COMMON_DIR}" ]]; then
+    export HADOOP_COMMON_HOME="${HADOOP_PREFIX}"
+  fi
+  
+  # default policy file for service-level authorization
+  HADOOP_POLICYFILE=${HADOOP_POLICYFILE:-"hadoop-policy.xml"}
+  
+  # define HADOOP_HDFS_HOME
+  if [[ -z "${HADOOP_HDFS_HOME}" ]] &&
+  [[ -d "${HADOOP_PREFIX}/${HDFS_DIR}" ]]; then
+    export HADOOP_HDFS_HOME="${HADOOP_PREFIX}"
+  fi
+  
+  # define HADOOP_YARN_HOME
+  if [[ -z "${HADOOP_YARN_HOME}" ]] &&
+  [[ -d "${HADOOP_PREFIX}/${YARN_DIR}" ]]; then
+    export HADOOP_YARN_HOME="${HADOOP_PREFIX}"
+  fi
+  
+  # define HADOOP_MAPRED_HOME
+  if [[ -z "${HADOOP_MAPRED_HOME}" ]] &&
+  [[ -d "${HADOOP_PREFIX}/${MAPRED_DIR}" ]]; then
+    export HADOOP_MAPRED_HOME="${HADOOP_PREFIX}"
+  fi
+  
+  HADOOP_IDENT_STRING=${HADOP_IDENT_STRING:-$USER}
+  HADOOP_LOG_DIR=${HADOOP_LOG_DIR:-"${HADOOP_PREFIX}/logs"}
+  HADOOP_LOGFILE=${HADOOP_LOGFILE:-hadoop.log}
+  HADOOP_NICENESS=${HADOOP_NICENESS:-0}
+  HADOOP_STOP_TIMEOUT=${HADOOP_STOP_TIMEOUT:-5}
+  HADOOP_PID_DIR=${HADOOP_PID_DIR:-/tmp}
+  HADOOP_ROOT_LOGGER=${HADOOP_ROOT_LOGGER:-INFO,console}
+  HADOOP_DAEMON_ROOT_LOGGER=${HADOOP_DAEMON_ROOT_LOGGER:-INFO,RFA}
+  HADOOP_SECURITY_LOGGER=${HADOOP_SECURITY_LOGGER:-INFO,NullAppender}
+  HADOOP_HEAPSIZE=${HADOOP_HEAPSIZE:-1024}
+  HADOOP_SSH_OPTS=${HADOOP_SSH_OPTS:-"-o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=10s"}
+  HADOOP_SECURE_LOG_DIR=${HADOOP_SECURE_LOG_DIR:-${HADOOP_LOG_DIR}}
+  HADOOP_SECURE_PID_DIR=${HADOOP_SECURE_PID_DIR:-${HADOOP_PID_DIR}}
+  HADOOP_SSH_PARALLEL=${HADOOP_SSH_PARALLEL:-10}
+}
+
+function hadoop_populate_slaves_file()
+{
+  # NOTE: This function is not user replaceable.
+
+  local slavesfile=$1
+  shift
+  if [[ -f "${slavesfile}" ]]; then
+    # shellcheck disable=2034
+    HADOOP_SLAVES="${slavesfile}"
+  elif [[ -f "${HADOOP_CONF_DIR}/${slavesfile}" ]]; then
+    # shellcheck disable=2034
+    HADOOP_SLAVES="${HADOOP_CONF_DIR}/${slavesfile}"
+    # shellcheck disable=2034
+    YARN_SLAVES="${HADOOP_CONF_DIR}/${slavesfile}"
+  else
+    hadoop_error "ERROR: Cannot find hosts file \"${slavesfile}\""
+    hadoop_exit_with_usage 1
+  fi
+}
+
+function hadoop_rotate_log
+{
+  #
+  # log rotation (mainly used for .out files)
+  # Users are likely to replace this one for something
+  # that gzips or uses dates or who knows what.
+  #
+  # be aware that &1 and &2 might go through here
+  # so don't do anything too crazy...
+  #
+  local log=$1;
+  local num=${2:-5};
+  
+  if [[ -f "${log}" ]]; then # rotate logs
+    while [[ ${num} -gt 1 ]]; do
+      #shellcheck disable=SC2086
+      let prev=${num}-1
+      if [[ -f "${log}.${prev}" ]]; then
+        mv "${log}.${prev}" "${log}.${num}"
+      fi
+      num=${prev}
+    done
+    mv "${log}" "${log}.${num}"
+  fi
+}
+
+function hadoop_actual_ssh
+{
+  # we are passing this function to xargs
+  # should get hostname followed by rest of command line
+  local slave=$1
+  shift
+  
+  # shellcheck disable=SC2086
+  ssh ${HADOOP_SSH_OPTS} ${slave} $"${@// /\\ }" 2>&1 | sed "s/^/$slave: /"
+}
+
+function hadoop_connect_to_hosts
+{
+  # shellcheck disable=SC2124
+  local params="$@"
+  
+  #
+  # ssh (or whatever) to a host
+  #
+  # User can specify hostnames or a file where the hostnames are (not both)
+  if [[ -n "${HADOOP_SLAVES}" && -n "${HADOOP_SLAVE_NAMES}" ]] ; then
+    hadoop_error "ERROR: Both HADOOP_SLAVES and HADOOP_SLAVE_NAME were defined. Aborting."
+    exit 1
+  fi
+  
+  if [[ -n "${HADOOP_SLAVE_NAMES}" ]] ; then
+    SLAVE_NAMES=${HADOOP_SLAVE_NAMES}
+  else
+    SLAVE_FILE=${HADOOP_SLAVES:-${HADOOP_CONF_DIR}/slaves}
+  fi
+  
+  # if pdsh is available, let's use it.  otherwise default
+  # to a loop around ssh.  (ugh)
+  if [[ -e '/usr/bin/pdsh' ]]; then
+    if [[ -z "${HADOOP_SLAVE_NAMES}" ]] ; then
+      # if we were given a file, just let pdsh deal with it.
+      # shellcheck disable=SC2086
+      PDSH_SSH_ARGS_APPEND="${HADOOP_SSH_OPTS}" pdsh \
+      -f "${HADOOP_SSH_PARALLEL}" -w ^"${SLAVE_FILE}" $"${@// /\\ }" 2>&1
+    else
+      # no spaces allowed in the pdsh arg host list
+      # shellcheck disable=SC2086
+      SLAVE_NAMES=$(echo ${SLAVE_NAMES} | tr -s ' ' ,)
+      PDSH_SSH_ARGS_APPEND="${HADOOP_SSH_OPTS}" pdsh \
+      -f "${HADOOP_SSH_PARALLEL}" -w "${SLAVE_NAMES}" $"${@// /\\ }" 2>&1
+    fi
+  else
+    if [[ -z "${SLAVE_NAMES}" ]]; then
+      SLAVE_NAMES=$(sed 's/#.*$//;/^$/d' "${SLAVE_FILE}")
+    fi
+    
+    # quoting here gets tricky. it's easier to push it into a function
+    # so that we don't have to deal with it. However...
+    # xargs can't use a function so instead we'll export it out
+    # and force it into a subshell
+    # moral of the story: just use pdsh.
+    export -f hadoop_actual_ssh
+    export HADOOP_SSH_OPTS
+    echo "${SLAVE_NAMES}" | \
+    xargs -n 1 -P"${HADOOP_SSH_PARALLEL}" \
+    -I {} bash -c --  "hadoop_actual_ssh {} ${params}"
+    wait
+  fi
+}
+
+function hadoop_add_param
+{
+  #
+  # general param dedupe..
+  # $1 is what we are adding to
+  # $2 is the name of what we want to add (key)
+  # $3 is the key+value of what we're adding
+  #
+  # doing it this way allows us to support all sorts of
+  # different syntaxes, just so long as they are space
+  # delimited
+  #
+  if [[ ! ${!1} =~ $2 ]] ; then
+    # shellcheck disable=SC2086
+    eval $1="'${!1} $3'"
+  fi
+}
+
+function hadoop_add_classpath
+{
+  # two params:
+  # $1 = directory, file, wildcard, whatever to add
+  # $2 = before or after, which determines where in the
+  #      classpath this object should go. default is after
+  # return 0 = success
+  # return 1 = failure (duplicate, doesn't exist, whatever)
+  
+  # However, with classpath (& JLP), we can do dedupe
+  # along with some sanity checking (e.g., missing directories)
+  # since we have a better idea of what is legal
+  #
+  # for wildcard at end, we can
+  # at least check the dir exists
+  if [[ $1 =~ ^.*\*$ ]]; then
+    local mp=$(dirname "$1")
+    if [[ ! -d "${mp}" ]]; then
+      return 1
+    fi
+    
+    # no wildcard in the middle, so check existence
+    # (doesn't matter *what* it is)
+  elif [[ ! $1 =~ ^.*\*.*$ ]] && [[ ! -e "$1" ]]; then
+    return 1
+  fi
+  
+  if [[ -z "${CLASSPATH}" ]]; then
+    CLASSPATH=$1
+  elif [[ ":${CLASSPATH}:" != *":$1:"* ]]; then
+    if [[ "$2" = "before" ]]; then
+      CLASSPATH="$1:${CLASSPATH}"
+    else
+      CLASSPATH+=:$1
+    fi
+  fi
+  return 0
+}
+
+function hadoop_add_colonpath
+{
+  # two params:
+  # $1 = directory, file, wildcard, whatever to add
+  # $2 = before or after, which determines where in the
+  #      classpath this object should go
+  # return 0 = success
+  # return 1 = failure (duplicate)
+  
+  # this is CLASSPATH, JLP, etc but with dedupe but no
+  # other checking
+  if [[ -d "${2}" ]] && [[ ":${!1}:" != *":$2:"* ]]; then
+    if [[ -z "${!1}" ]]; then
+      # shellcheck disable=SC2086
+      eval $1="'$2'"
+    elif [[ "$3" = "before" ]]; then
+      # shellcheck disable=SC2086
+      eval $1="'$2:${!1}'"
+    else
+      # shellcheck disable=SC2086
+      eval $1+="'$2'"
+    fi
+  fi
+}
+
+function hadoop_add_javalibpath
+{
+  # specialized function for a common use case
+  hadoop_add_colonpath JAVA_LIBRARY_PATH "$1" "$2"
+}
+
+function hadoop_add_ldlibpath
+{
+  # specialized function for a common use case
+  hadoop_add_colonpath LD_LIBRARY_PATH "$1" "$2"
+  
+  # note that we export this
+  export LD_LIBRARY_PATH
+}
+
+function hadoop_add_to_classpath_common
+{
+  
+  #
+  # get all of the common jars+config in the path
+  #
+  
+  # developers
+  if [[ -n "${HADOOP_ENABLE_BUILD_PATHS}" ]]; then
+    hadoop_add_classpath "${HADOOP_COMMON_HOME}/hadoop-common/target/classes"
+  fi
+  
+  if [[ -d "${HADOOP_COMMON_HOME}/${HADOOP_COMMON_DIR}/webapps" ]]; then
+    hadoop_add_classpath "${HADOOP_COMMON_HOME}/${HADOOP_COMMON_DIR}"
+  fi
+  
+  hadoop_add_classpath "${HADOOP_COMMON_HOME}/${HADOOP_COMMON_LIB_JARS_DIR}"'/*'
+  hadoop_add_classpath "${HADOOP_COMMON_HOME}/${HADOOP_COMMON_DIR}"'/*'
+}
+
+function hadoop_add_to_classpath_hdfs
+{
+  #
+  # get all of the hdfs jars+config in the path
+  #
+  # developers
+  if [[ -n "${HADOOP_ENABLE_BUILD_PATHS}" ]]; then
+    hadoop_add_classpath "${HADOOP_HDFS_HOME}/hadoop-hdfs/target/classes"
+  fi
+  
+  # put hdfs in classpath if present
+  if [[ -d "${HADOOP_HDFS_HOME}/${HDFS_DIR}/webapps" ]]; then
+    hadoop_add_classpath "${HADOOP_HDFS_HOME}/${HDFS_DIR}"
+  fi
+  
+  hadoop_add_classpath "${HADOOP_HDFS_HOME}/${HDFS_LIB_JARS_DIR}"'/*'
+  hadoop_add_classpath "${HADOOP_HDFS_HOME}/${HDFS_DIR}"'/*'
+}
+
+function hadoop_add_to_classpath_yarn
+{
+  #
+  # get all of the yarn jars+config in the path
+  #
+  # developers
+  if [[ -n "${HADOOP_ENABLE_BUILD_PATHS}" ]]; then
+    for i in yarn-api yarn-common yarn-mapreduce yarn-master-worker \
+    yarn-server/yarn-server-nodemanager \
+    yarn-server/yarn-server-common \
+    yarn-server/yarn-server-resourcemanager; do
+      hadoop_add_classpath "${HADOOP_YARN_HOME}/$i/target/classes"
+    done
+    
+    hadoop_add_classpath "${HADOOP_YARN_HOME}/build/test/classes"
+    hadoop_add_classpath "${HADOOP_YARN_HOME}/build/tools"
+  fi
+  
+  if [[ -d "${HADOOP_YARN_HOME}/${YARN_DIR}/webapps" ]]; then
+    hadoop_add_classpath "${HADOOP_YARN_HOME}/${YARN_DIR}"
+  fi
+  
+  hadoop_add_classpath "${HADOOP_YARN_HOME}/${YARN_LIB_JARS_DIR}"'/*'
+  hadoop_add_classpath  "${HADOOP_YARN_HOME}/${YARN_DIR}"'/*'
+}
+
+function hadoop_add_to_classpath_mapred
+{
+  #
+  # get all of the mapreduce jars+config in the path
+  #
+  # developers
+  if [[ -n "${HADOOP_ENABLE_BUILD_PATHS}" ]]; then
+    hadoop_add_classpath "${HADOOP_MAPRED_HOME}/hadoop-mapreduce-client-shuffle/target/classes"
+    hadoop_add_classpath "${HADOOP_MAPRED_HOME}/hadoop-mapreduce-client-common/target/classes"
+    hadoop_add_classpath "${HADOOP_MAPRED_HOME}/hadoop-mapreduce-client-hs/target/classes"
+    hadoop_add_classpath "${HADOOP_MAPRED_HOME}/hadoop-mapreduce-client-hs-plugins/target/classes"
+    hadoop_add_classpath "${HADOOP_MAPRED_HOME}/hadoop-mapreduce-client-app/target/classes"
+    hadoop_add_classpath "${HADOOP_MAPRED_HOME}/hadoop-mapreduce-client-jobclient/target/classes"
+    hadoop_add_classpath "${HADOOP_MAPRED_HOME}/hadoop-mapreduce-client-core/target/classes"
+  fi
+  
+  if [[ -d "${HADOOP_MAPRED_HOME}/${MAPRED_DIR}/webapps" ]]; then
+    hadoop_add_classpath "${HADOOP_MAPRED_HOME}/${MAPRED_DIR}"
+  fi
+  
+  hadoop_add_classpath "${HADOOP_MAPRED_HOME}/${MAPRED_LIB_JARS_DIR}"'/*'
+  hadoop_add_classpath "${HADOOP_MAPRED_HOME}/${MAPRED_DIR}"'/*'
+}
+
+
+function hadoop_add_to_classpath_userpath
+{
+  # Add the user-specified HADOOP_CLASSPATH to the
+  # official CLASSPATH env var.
+  # Add it first or last depending on if user has
+  # set env-var HADOOP_USER_CLASSPATH_FIRST
+  # we'll also dedupe it, because we're cool like that.
+  #
+  local c
+  local array
+  local i
+  local j
+  let c=0
+  
+  if [[ -n "${HADOOP_CLASSPATH}" ]]; then
+    # I wonder if Java runs on VMS.
+    for i in $(echo "${HADOOP_CLASSPATH}" | tr : '\n'); do
+      array[$c]=$i
+      let c+=1
+    done
+    let j=c-1
+    
+    if [[ -z "${HADOOP_USER_CLASSPATH_FIRST}" ]]; then
+      for ((i=j; i>=0; i--)); do
+        hadoop_add_classpath "${array[$i]}" before
+      done
+    else
+      for ((i=0; i<=j; i++)); do
+        hadoop_add_classpath "${array[$i]}" after
+      done
+    fi
+  fi
+}
+
+function hadoop_os_tricks
+{
+  local bindv6only
+
+  # some OSes have special needs. here's some out of the box
+  # examples for OS X and Linux. Vendors, replace this with your special sauce.
+  case ${HADOOP_OS_TYPE} in
+    Darwin)
+      if [[ -x /usr/libexec/java_home ]]; then
+        export JAVA_HOME="$(/usr/libexec/java_home)"
+      else
+        export JAVA_HOME=/Library/Java/Home
+      fi
+    ;;
+    Linux)
+      bindv6only=$(/sbin/sysctl -n net.ipv6.bindv6only 2> /dev/null)
+
+      # NOTE! HADOOP_ALLOW_IPV6 is a developer hook.  We leave it
+      # undocumented in hadoop-env.sh because we don't want users to
+      # shoot themselves in the foot while devs make IPv6 work.
+      if [[ -n "${bindv6only}" ]] && 
+         [[ "${bindv6only}" -eq "1" ]] && 
+         [[ "${HADOOP_ALLOW_IPV6}" != "yes" ]]; then
+        hadoop_error "ERROR: \"net.ipv6.bindv6only\" is set to 1 "
+        hadoop_error "ERROR: Hadoop networking could be broken. Aborting."
+        hadoop_error "ERROR: For more info: http://wiki.apache.org/hadoop/HadoopIPv6"
+        exit 1
+      fi
+      # Newer versions of glibc use an arena memory allocator that
+      # causes virtual # memory usage to explode. This interacts badly
+      # with the many threads that we use in Hadoop. Tune the variable
+      # down to prevent vmem explosion.
+      export MALLOC_ARENA_MAX=${MALLOC_ARENA_MAX:-4}
+    ;;
+  esac
+}
+
+function hadoop_java_setup
+{
+  # Bail if we did not detect it
+  if [[ -z "${JAVA_HOME}" ]]; then
+    hadoop_error "ERROR: JAVA_HOME is not set and could not be found."
+    exit 1
+  fi
+  
+  if [[ ! -d "${JAVA_HOME}" ]]; then
+    hadoop_error "ERROR: JAVA_HOME ${JAVA_HOME} does not exist."
+    exit 1
+  fi
+  
+  JAVA="${JAVA_HOME}/bin/java"
+  
+  if [[ ! -x "$JAVA" ]]; then
+    hadoop_error "ERROR: $JAVA is not executable."
+    exit 1
+  fi
+  # shellcheck disable=SC2034
+  JAVA_HEAP_MAX=-Xmx1g
+  HADOOP_HEAPSIZE=${HADOOP_HEAPSIZE:-1024}
+  
+  # check envvars which might override default args
+  if [[ -n "$HADOOP_HEAPSIZE" ]]; then
+    # shellcheck disable=SC2034
+    JAVA_HEAP_MAX="-Xmx${HADOOP_HEAPSIZE}m"
+  fi
+}
+
+
+function hadoop_finalize_libpaths
+{
+  if [[ -n "${JAVA_LIBRARY_PATH}" ]]; then
+    hadoop_add_param HADOOP_OPTS java.library.path \
+    "-Djava.library.path=${JAVA_LIBRARY_PATH}"
+    export LD_LIBRARY_PATH
+  fi
+}
+
+#
+# fill in any last minute options that might not have been defined yet
+#
+# Note that we are replacing ' ' with '\ ' so that directories with
+# spaces work correctly when run exec blah
+#
+function hadoop_finalize_hadoop_opts
+{
+  hadoop_add_param HADOOP_OPTS hadoop.log.dir "-Dhadoop.log.dir=${HADOOP_LOG_DIR/ /\ }"
+  hadoop_add_param HADOOP_OPTS hadoop.log.file "-Dhadoop.log.file=${HADOOP_LOGFILE/ /\ }"
+  hadoop_add_param HADOOP_OPTS hadoop.home.dir "-Dhadoop.home.dir=${HADOOP_PREFIX/ /\ }"
+  hadoop_add_param HADOOP_OPTS hadoop.id.str "-Dhadoop.id.str=${HADOOP_IDENT_STRING/ /\ }"
+  hadoop_add_param HADOOP_OPTS hadoop.root.logger "-Dhadoop.root.logger=${HADOOP_ROOT_LOGGER}"
+  hadoop_add_param HADOOP_OPTS hadoop.policy.file "-Dhadoop.policy.file=${HADOOP_POLICYFILE/ /\ }"
+  hadoop_add_param HADOOP_OPTS hadoop.security.logger "-Dhadoop.security.logger=${HADOOP_SECURITY_LOGGER}"
+}
+
+function hadoop_finalize_classpath
+{
+  
+  # we want the HADOOP_CONF_DIR at the end
+  # according to oom, it gives a 2% perf boost
+  hadoop_add_classpath "${HADOOP_CONF_DIR}" after
+  
+  # user classpath gets added at the last minute. this allows
+  # override of CONF dirs and more
+  hadoop_add_to_classpath_userpath
+}
+
+function hadoop_finalize
+{
+  # user classpath gets added at the last minute. this allows
+  # override of CONF dirs and more
+  hadoop_finalize_classpath
+  hadoop_finalize_libpaths
+  hadoop_finalize_hadoop_opts
+}
+
+function hadoop_exit_with_usage
+{
+  # NOTE: This function is not user replaceable.
+
+  local exitcode=$1
+  if [[ -z $exitcode ]]; then
+    exitcode=1
+  fi
+  if declare -F hadoop_usage >/dev/null ; then
+    hadoop_usage
+  elif [[ -x /usr/bin/cowsay ]]; then
+    /usr/bin/cowsay -f elephant "Sorry, no help available."
+  else
+    hadoop_error "Sorry, no help available."
+  fi
+  exit $exitcode
+}
+
+function hadoop_verify_secure_prereq
+{
+  # if you are on an OS like Illumos that has functional roles
+  # and you are using pfexec, you'll probably want to change
+  # this.
+  
+  # ${EUID} comes from the shell itself!
+  if [[ "${EUID}" -ne 0 ]] || [[ -n "${HADOOP_SECURE_COMMAND}" ]]; then
+    hadoop_error "ERROR: You must be a privileged in order to run a secure serice."
+    return 1
+  else
+    return 0
+  fi
+}
+
+function hadoop_setup_secure_service
+{
+  # need a more complicated setup? replace me!
+  
+  HADOOP_PID_DIR=${HADOOP_SECURE_PID_DIR}
+  HADOOP_LOG_DIR=${HADOOP_SECURE_LOG_DIR}
+}
+
+function hadoop_verify_piddir
+{
+  if [[ -z "${HADOOP_PID_DIR}" ]]; then
+    hadoop_error "No pid directory defined."
+    exit 1
+  fi
+  if [[ ! -w "${HADOOP_PID_DIR}" ]] && [[ ! -d "${HADOOP_PID_DIR}" ]]; then
+    hadoop_error "WARNING: ${HADOOP_PID_DIR} does not exist. Creating."
+    mkdir -p "${HADOOP_PID_DIR}" > /dev/null 2>&1
+    if [[ $? -gt 0 ]]; then
+      hadoop_error "ERROR: Unable to create ${HADOOP_PID_DIR}. Aborting."
+      exit 1
+    fi
+  fi
+  touch "${HADOOP_PID_DIR}/$$" >/dev/null 2>&1
+  if [[ $? -gt 0 ]]; then
+    hadoop_error "ERROR: Unable to write in ${HADOOP_PID_DIR}. Aborting."
+    exit 1
+  fi
+  rm "${HADOOP_PID_DIR}/$$" >/dev/null 2>&1
+}
+
+function hadoop_verify_logdir
+{
+  if [[ -z "${HADOOP_LOG_DIR}" ]]; then
+    hadoop_error "No log directory defined."
+    exit 1
+  fi
+  if [[ ! -w "${HADOOP_LOG_DIR}" ]] && [[ ! -d "${HADOOP_LOG_DIR}" ]]; then
+    hadoop_error "WARNING: ${HADOOP_LOG_DIR} does not exist. Creating."
+    mkdir -p "${HADOOP_LOG_DIR}" > /dev/null 2>&1
+    if [[ $? -gt 0 ]]; then
+      hadoop_error "ERROR: Unable to create ${HADOOP_LOG_DIR}. Aborting."
+      exit 1
+    fi
+  fi
+  touch "${HADOOP_LOG_DIR}/$$" >/dev/null 2>&1
+  if [[ $? -gt 0 ]]; then
+    hadoop_error "ERROR: Unable to write in ${HADOOP_LOG_DIR}. Aborting."
+    exit 1
+  fi
+  rm "${HADOOP_LOG_DIR}/$$" >/dev/null 2>&1
+}
+
+function hadoop_status_daemon() {
+  #
+  # LSB 4.1.0 compatible status command (1)
+  #
+  # 0 = program is running
+  # 1 = dead, but still a pid (2)
+  # 2 = (not used by us)
+  # 3 = not running
+  #
+  # 1 - this is not an endorsement of the LSB
+  #
+  # 2 - technically, the specification says /var/run/pid, so
+  #     we should never return this value, but we're giving
+  #     them the benefit of a doubt and returning 1 even if
+  #     our pid is not in in /var/run .
+  #
+  
+  local pidfile=$1
+  shift
+  
+  local pid
+  
+  if [[ -f "${pidfile}" ]]; then
+    pid=$(cat "${pidfile}")
+    if ps -p "${pid}" > /dev/null 2>&1; then
+      return 0
+    fi
+    return 1
+  fi
+  return 3
+}
+
+function hadoop_java_exec
+{
+  # run a java command.  this is used for
+  # non-daemons
+
+  local command=$1
+  local class=$2
+  shift 2
+  # we eval this so that paths with spaces work
+  #shellcheck disable=SC2086
+  eval exec "$JAVA" "-Dproc_${command}" ${HADOOP_OPTS} "${class}" "$@"
+
+}
+
+function hadoop_start_daemon
+{
+  # this is our non-privileged daemon starter
+  # that fires up a daemon in the *foreground*
+  # so complex! so wow! much java!
+  local command=$1
+  local class=$2
+  shift 2
+  #shellcheck disable=SC2086
+  eval exec "$JAVA" "-Dproc_${command}" ${HADOOP_OPTS} "${class}" "$@"
+}
+
+function hadoop_start_daemon_wrapper
+{
+  # this is our non-privileged daemon start
+  # that fires up a daemon in the *background*
+  local daemonname=$1
+  local class=$2
+  local pidfile=$3
+  local outfile=$4
+  shift 4
+  
+  hadoop_rotate_log "${outfile}"
+  
+  hadoop_start_daemon "${daemonname}" \
+  "$class" "$@" >> "${outfile}" 2>&1 < /dev/null &
+  #shellcheck disable=SC2086
+  echo $! > "${pidfile}" 2>/dev/null
+  if [[ $? -gt 0 ]]; then
+    hadoop_error "ERROR:  Cannot write pid ${pidfile}."
+  fi
+  
+  # shellcheck disable=SC2086
+  renice "${HADOOP_NICENESS}" $! >/dev/null 2>&1
+  if [[ $? -gt 0 ]]; then
+    hadoop_error "ERROR: Cannot set priority of process $!"
+  fi
+  
+  # shellcheck disable=SC2086
+  disown $! 2>&1
+  if [[ $? -gt 0 ]]; then
+    hadoop_error "ERROR: Cannot disconnect process $!"
+  fi
+  sleep 1
+  
+  # capture the ulimit output
+  ulimit -a >> "${outfile}" 2>&1
+  
+  # shellcheck disable=SC2086
+  if ! ps -p $! >/dev/null 2>&1; then
+    return 1
+  fi
+  return 0
+}
+
+function hadoop_start_secure_daemon
+{
+  # this is used to launch a secure daemon in the *foreground*
+  #
+  local daemonname=$1
+  local class=$2
+  
+  # pid file to create for our deamon
+  local daemonpidfile=$3
+  
+  # where to send stdout. jsvc has bad habits so this *may* be &1
+  # which means you send it to stdout!
+  local daemonoutfile=$4
+  
+  # where to send stderr.  same thing, except &2 = stderr
+  local daemonerrfile=$5
+  shift 5
+  
+  
+  
+  hadoop_rotate_log "${daemonoutfile}"
+  hadoop_rotate_log "${daemonerrfile}"
+  
+  jsvc="${JSVC_HOME}/jsvc"
+  if [[ ! -f "${jsvc}" ]]; then
+    hadoop_error "JSVC_HOME is not set or set incorrectly. jsvc is required to run secure"
+    hadoop_error "or privileged daemons. Please download and install jsvc from "
+    hadoop_error "http://archive.apache.org/dist/commons/daemon/binaries/ "
+    hadoop_error "and set JSVC_HOME to the directory containing the jsvc binary."
+    exit 1
+  fi
+  
+  # note that shellcheck will throw a
+  # bogus for-our-use-case 2086 here.
+  # it doesn't properly support multi-line situations
+  
+  exec "${jsvc}" \
+  "-Dproc_${daemonname}" \
+  -outfile "${daemonoutfile}" \
+  -errfile "${daemonerrfile}" \
+  -pidfile "${daemonpidfile}" \
+  -nodetach \
+  -user "${HADOOP_SECURE_USER}" \
+  -cp "${CLASSPATH}" \
+  ${HADOOP_OPTS} \
+  "${class}" "$@"
+}
+
+function hadoop_start_secure_daemon_wrapper
+{
+  # this wraps hadoop_start_secure_daemon to take care
+  # of the dirty work to launch a daemon in the background!
+  local daemonname=$1
+  local class=$2
+  
+  # same rules as hadoop_start_secure_daemon except we
+  # have some additional parameters
+  
+  local daemonpidfile=$3
+  
+  local daemonoutfile=$4
+  
+  # the pid file of the subprocess that spawned our
+  # secure launcher
+  local jsvcpidfile=$5
+  
+  # the output of the subprocess that spawned our secure
+  # launcher
+  local jsvcoutfile=$6
+  
+  local daemonerrfile=$7
+  shift 7
+  
+  hadoop_rotate_log "${jsvcoutfile}"
+  
+  hadoop_start_secure_daemon \
+  "${daemonname}" \
+  "${class}" \
+  "${daemonpidfile}" \
+  "${daemonoutfile}" \
+  "${daemonerrfile}" "$@" >> "${jsvcoutfile}" 2>&1 < /dev/null &
+  
+  # This wrapper should only have one child.  Unlike Shawty Lo.
+  #shellcheck disable=SC2086
+  echo $! > "${jsvcpidfile}" 2>/dev/null
+  if [[ $? -gt 0 ]]; then
+    hadoop_error "ERROR:  Cannot write pid ${pidfile}."
+  fi
+  sleep 1
+  #shellcheck disable=SC2086
+  renice "${HADOOP_NICENESS}" $! >/dev/null 2>&1
+  if [[ $? -gt 0 ]]; then
+    hadoop_error "ERROR: Cannot set priority of process $!"
+  fi
+  if [[ -f "${daemonpidfile}" ]]; then
+    #shellcheck disable=SC2046
+    renice "${HADOOP_NICENESS}" $(cat "${daemonpidfile}") >/dev/null 2>&1
+    if [[ $? -gt 0 ]]; then
+      hadoop_error "ERROR: Cannot set priority of process $(cat "${daemonpidfile}")"
+    fi
+  fi
+  #shellcheck disable=SC2086
+  disown $! 2>&1
+  if [[ $? -gt 0 ]]; then
+    hadoop_error "ERROR: Cannot disconnect process $!"
+  fi
+  # capture the ulimit output
+  su "${HADOOP_SECURE_USER}" -c 'bash -c "ulimit -a"' >> "${jsvcoutfile}" 2>&1
+  #shellcheck disable=SC2086
+  if ! ps -p $! >/dev/null 2>&1; then
+    return 1
+  fi
+  return 0
+}
+
+function hadoop_stop_daemon
+{
+  local cmd=$1
+  local pidfile=$2
+  shift 2
+  
+  local pid
+  
+  if [[ -f "${pidfile}" ]]; then
+    pid=$(cat "$pidfile")
+    
+    kill "${pid}" >/dev/null 2>&1
+    sleep "${HADOOP_STOP_TIMEOUT}"
+    if kill -0 "${pid}" > /dev/null 2>&1; then
+      hadoop_error "WARNING: ${cmd} did not stop gracefully after ${HADOOP_STOP_TIMEOUT} seconds: Trying to kill with kill -9"
+      kill -9 "${pid}" >/dev/null 2>&1
+    fi
+    if ps -p "${pid}" > /dev/null 2>&1; then
+      hadoop_error "ERROR: Unable to kill ${pid}"
+    else
+      rm -f "${pidfile}" >/dev/null 2>&1
+    fi
+  fi
+}
+
+
+function hadoop_stop_secure_daemon
+{
+  local command=$1
+  local daemonpidfile=$2
+  local privpidfile=$3
+  shift 3
+  local ret
+  
+  hadoop_stop_daemon "${command}" "${daemonpidfile}"
+  ret=$?
+  rm -f "${daemonpidfile}" "${privpidfile}" 2>/dev/null
+  return ${ret}
+}
+
+function hadoop_daemon_handler
+{
+  local daemonmode=$1
+  local daemonname=$2
+  local class=$3
+  local pidfile=$4
+  local outfile=$5
+  shift 5
+  
+  case ${daemonmode} in
+    status)
+      hadoop_status_daemon "${daemon_pidfile}"
+      exit $?
+    ;;
+    
+    stop)
+      hadoop_stop_daemon "${daemonname}" "${daemon_pidfile}"
+      exit $?
+    ;;
+    
+    ##COMPAT  -- older hadoops would also start daemons by default
+    start|default)
+      hadoop_verify_piddir
+      hadoop_verify_logdir
+      hadoop_status_daemon "${daemon_pidfile}"
+      if [[ $? == 0  ]]; then
+        hadoop_error "${daemonname} running as process $(cat "${daemon_pidfile}").  Stop it first."
+        exit 1
+      else
+        # stale pid file, so just remove it and continue on
+        rm -f "${daemon_pidfile}" >/dev/null 2>&1
+      fi
+      ##COMPAT  - differenticate between --daemon start and nothing
+      # "nothing" shouldn't detach
+      if [[ "$daemonmode" = "default" ]]; then
+        hadoop_start_daemon "${daemonname}" "${class}" "$@"
+      else
+        hadoop_start_daemon_wrapper "${daemonname}" \
+        "${class}" "${daemon_pidfile}" "${daemon_outfile}" "$@"
+      fi
+    ;;
+  esac
+}
+
+
+function hadoop_secure_daemon_handler
+{
+  local daemonmode=$1
+  local daemonname=$2
+  local classname=$3
+  local daemon_pidfile=$4
+  local daemon_outfile=$5
+  local priv_pidfile=$6
+  local priv_outfile=$7
+  local priv_errfile=$8
+  shift 8
+  
+  case ${daemonmode} in
+    status)
+      hadoop_status_daemon "${daemon_pidfile}"
+      exit $?
+    ;;
+    
+    stop)
+      hadoop_stop_secure_daemon "${daemonname}" \
+      "${daemon_pidfile}" "${priv_pidfile}"
+      exit $?
+    ;;
+    
+    ##COMPAT  -- older hadoops would also start daemons by default
+    start|default)
+      hadoop_verify_piddir
+      hadoop_verify_logdir
+      hadoop_status_daemon "${daemon_pidfile}"
+      if [[ $? == 0  ]]; then
+        hadoop_error "${daemonname} running as process $(cat "${daemon_pidfile}").  Stop it first."
+        exit 1
+      else
+        # stale pid file, so just remove it and continue on
+        rm -f "${daemon_pidfile}" >/dev/null 2>&1
+      fi
+      
+      ##COMPAT  - differenticate between --daemon start and nothing
+      # "nothing" shouldn't detach
+      if [[ "${daemonmode}" = "default" ]]; then
+        hadoop_start_secure_daemon "${daemonname}" "${classname}" \
+        "${daemon_pidfile}" "${daemon_outfile}" \
+        "${priv_errfile}"  "$@"
+      else
+        hadoop_start_secure_daemon_wrapper "${daemonname}" "${classname}" \
+        "${daemon_pidfile}" "${daemon_outfile}" \
+        "${priv_pidfile}" "${priv_outfile}" "${priv_errfile}"  "$@"
+      fi
+    ;;
+  esac
+}
+
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-layout.sh.example b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-layout.sh.example
new file mode 100644
index 00000000000..a44d3cb9ac3
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-layout.sh.example
@@ -0,0 +1,93 @@
+# Copyright 2014 The Apache Software Foundation
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+## VENDORS!
+##
+## This is where you can redefine the layout of Hadoop directories
+## and expect to be reasonably compatible.  Needless to say, this
+## is expert level stuff and one needs to tread carefully.
+##
+## If you move HADOOP_LIBEXEC_DIR from some location that
+## isn't bin/../libexec, you MUST define either HADOOP_LIBEXEC_DIR
+## or have HADOOP_PREFIX/libexec/hadoop-config.sh and
+## HADOOP_PREFIX/libexec/hadoop-layout.sh (this file) exist.
+
+## NOTE:
+##
+## hadoop-functions.sh gets executed BEFORE this file.  So you can
+##   redefine all of those functions here.
+##
+## *-env.sh get executed AFTER this file but generally too late to
+## override the settings (but not the functions!) here.  However, this
+## also means you cannot use things like HADOOP_CONF_DIR for these
+## definitions.
+
+####
+# Common disk layout
+####
+
+# Default location for the common/core Hadoop project
+# export HADOOP_COMMON_HOME=$HADOOP_PREFIX
+
+# Relative locations where components under HADOOP_COMMON_HOME are located
+# export HADOOP_COMMON_DIR="share/hadoop/common"
+# export HADOOP_COMMON_LIB_JARS_DIR="share/hadoop/common/lib"
+# export HADOOP_COMMON_LIB_NATIVE_DIR="lib/native"
+
+####
+# HDFS disk layout
+####
+
+# Default location for the HDFS subproject
+# export HADOOP_HDFS_HOME=$HADOOP_PREFIX
+
+# Relative locations where components under HADOOP_HDFS_HOME are located
+# export HDFS_DIR="share/hadoop/hdfs"
+# export HDFS_LIB_JARS_DIR="share/hadoop/hdfs/lib"
+
+####
+# YARN disk layout
+####
+
+# Default location for the YARN subproject
+# export HADOOP_YARN_HOME=$HADOOP_PREFIX
+
+# Relative locations where components under HADOOP_YARN_HOME are located
+# export YARN_DIR="share/hadoop/yarn"
+# export YARN_LIB_JARS_DIR="share/hadoop/yarn/lib"
+
+# Default location for the MapReduce subproject
+# export HADOOP_MAPRED_HOME=$HADOOP_PREFIX
+
+####
+# MapReduce disk layout
+####
+
+# Relative locations where components under HADOOP_MAPRED_HOME are located
+# export MAPRED_DIR="share/hadoop/mapreduce"
+# export MAPRED_LIB_JARS_DIR="share/hadoop/mapreduce/lib"
+
+####
+# Misc paths
+####
+
+# setup a default TOOL_PATH, where things like distcp lives
+# note that this path only gets added for certain commands and not
+# part of the general classpath
+# export TOOL_PATH="$HADOOP_PREFIX/share/hadoop/tools/lib/*"
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/rcc b/hadoop-common-project/hadoop-common/src/main/bin/rcc
index 22bffffbf22..dc6158a8ea4 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/rcc
+++ b/hadoop-common-project/hadoop-common/src/main/bin/rcc
@@ -15,47 +15,28 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
-# The Hadoop record compiler
-#
-# Environment Variables
-#
-#   JAVA_HOME        The java implementation to use.  Overrides JAVA_HOME.
-#
-#   HADOOP_OPTS      Extra Java runtime options.
-#
-#   HADOOP_CONF_DIR  Alternate conf dir. Default is ${HADOOP_PREFIX}/conf.
-#
-
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
+# This script runs the hadoop core commands.
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "$this")" >/dev/null && pwd -P)
+script="$(basename -- "$this")"
+this="$bin/$script"
 
 DEFAULT_LIBEXEC_DIR="$bin"/../libexec
 HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hadoop-config.sh
+HADOOP_NEW_CONFIG=true
+. "$HADOOP_LIBEXEC_DIR/hadoop-config.sh"
 
-if [ -f "${HADOOP_CONF_DIR}/hadoop-env.sh" ]; then
-  . "${HADOOP_CONF_DIR}/hadoop-env.sh"
+if [ $# = 0 ]; then
+  hadoop_exit_with_usage 1
 fi
 
-# some Java parameters
-if [ "$JAVA_HOME" != "" ]; then
-  #echo "run java in $JAVA_HOME"
-  JAVA_HOME=$JAVA_HOME
-fi
-  
-if [ "$JAVA_HOME" = "" ]; then
-  echo "Error: JAVA_HOME is not set."
-  exit 1
-fi
-
-JAVA=$JAVA_HOME/bin/java
-JAVA_HEAP_MAX=-Xmx1000m 
-
-# restore ordinary behaviour
-unset IFS
-
 CLASS='org.apache.hadoop.record.compiler.generated.Rcc'
 
-# run it
-exec "$JAVA" $HADOOP_OPTS -classpath "$CLASSPATH" $CLASS "$@"
+# Always respect HADOOP_OPTS and HADOOP_CLIENT_OPTS
+HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
+
+hadoop_add_param HADOOP_OPTS Xmx "$JAVA_HEAP_MAX"
+
+hadoop_finalize
+export CLASSPATH
+hadoop_java_exec rcc "${CLASS}" "$@"
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/slaves.sh b/hadoop-common-project/hadoop-common/src/main/bin/slaves.sh
index fe164a89242..0ffb4849cfb 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/slaves.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/slaves.sh
@@ -27,38 +27,33 @@
 #   HADOOP_SSH_OPTS Options passed to ssh when running remote commands.
 ##
 
-usage="Usage: slaves.sh [--config confdir] command..."
+function hadoop_usage {
+  echo "Usage: slaves.sh [--config confdir] command..."
+}
 
-# if no args specified, show usage
-if [ $# -le 0 ]; then
-  echo $usage
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  this="${BASH_SOURCE-$0}"
+  bin=$(cd -P -- "$(dirname -- "${this}")" >dev/null && pwd -P)
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hadoop-config.sh." 2>&1
   exit 1
 fi
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
-
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hadoop-config.sh
-
-
-# Where to start the script, see hadoop-config.sh
-# (it set up the variables based on command line options)
-if [ "$HADOOP_SLAVE_NAMES" != '' ] ; then
-  SLAVE_NAMES=$HADOOP_SLAVE_NAMES
-else
-  SLAVE_FILE=${HADOOP_SLAVES:-${HADOOP_CONF_DIR}/slaves}
-  SLAVE_NAMES=$(cat "$SLAVE_FILE" | sed  's/#.*$//;/^$/d')
+# if no args specified, show usage
+if [[ $# -le 0 ]]; then
+  hadoop_exit_with_usage 1
 fi
 
-# start the daemons
-for slave in $SLAVE_NAMES ; do
- ssh $HADOOP_SSH_OPTS $slave $"${@// /\\ }" \
-   2>&1 | sed "s/^/$slave: /" &
- if [ "$HADOOP_SLAVE_SLEEP" != "" ]; then
-   sleep $HADOOP_SLAVE_SLEEP
- fi
-done
+hadoop_connect_to_hosts "$@"
 
-wait
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/start-all.sh b/hadoop-common-project/hadoop-common/src/main/bin/start-all.sh
index 312432801f0..edd1b934dd0 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/start-all.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/start-all.sh
@@ -15,24 +15,38 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+echo "This script is deprecated. Use start-dfs.sh and start-yarn.sh instead."
+exit 1
 
-# Start all hadoop daemons.  Run this on master node.
 
-echo "This script is Deprecated. Instead use start-dfs.sh and start-yarn.sh"
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
-
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hadoop-config.sh
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  this="${BASH_SOURCE-$0}"
+  bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
 
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hadoop-config.sh." 2>&1
+  exit 1
+fi
 # start hdfs daemons if hdfs is present
-if [ -f "${HADOOP_HDFS_HOME}"/sbin/start-dfs.sh ]; then
-  "${HADOOP_HDFS_HOME}"/sbin/start-dfs.sh --config $HADOOP_CONF_DIR
+if [[ -f "${HADOOP_HDFS_HOME}/sbin/start-dfs.sh" ]]; then
+  "${HADOOP_HDFS_HOME}/sbin/start-dfs.sh" --config "${HADOOP_CONF_DIR}"
 fi
 
 # start yarn daemons if yarn is present
-if [ -f "${HADOOP_YARN_HOME}"/sbin/start-yarn.sh ]; then
-  "${HADOOP_YARN_HOME}"/sbin/start-yarn.sh --config $HADOOP_CONF_DIR
+if [[ -f "${HADOOP_YARN_HOME}/sbin/start-yarn.sh" ]]; then
+  "${HADOOP_YARN_HOME}/sbin/start-yarn.sh" --config "${HADOOP_CONF_DIR}"
 fi
+
+
+
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/stop-all.sh b/hadoop-common-project/hadoop-common/src/main/bin/stop-all.sh
index 9a2fe98fc0e..a0311e482ef 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/stop-all.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/stop-all.sh
@@ -18,21 +18,35 @@
 
 # Stop all hadoop daemons.  Run this on master node.
 
-echo "This script is Deprecated. Instead use stop-dfs.sh and stop-yarn.sh"
+echo "This script is deprecated. Use stop-dfs.sh and stop-yarn.sh instead."
+exit 1
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  this="${BASH_SOURCE-$0}"
+  bin=$(cd -P -- "$(dirname -- "${this}")" >dev/null && pwd -P)
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hadoop-config.sh
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hadoop-config.sh." 2>&1
+  exit 1
+fi
 
 # stop hdfs daemons if hdfs is present
-if [ -f "${HADOOP_HDFS_HOME}"/sbin/stop-dfs.sh ]; then
-  "${HADOOP_HDFS_HOME}"/sbin/stop-dfs.sh --config $HADOOP_CONF_DIR
+if [[ -f "${HADOOP_HDFS_HOME}/sbin/stop-dfs.sh" ]]; then
+  "${HADOOP_HDFS_HOME}/sbin/stop-dfs.sh" --config "${HADOOP_CONF_DIR}"
 fi
 
 # stop yarn daemons if yarn is present
-if [ -f "${HADOOP_HDFS_HOME}"/sbin/stop-yarn.sh ]; then
-  "${HADOOP_HDFS_HOME}"/sbin/stop-yarn.sh --config $HADOOP_CONF_DIR
+if [[ -f "${HADOOP_HDFS_HOME}/sbin/stop-yarn.sh" ]]; then
+  "${HADOOP_HDFS_HOME}/sbin/stop-yarn.sh" --config "${HADOOP_CONF_DIR}"
 fi
+
diff --git a/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh b/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh
index f2643894082..f50e4126636 100644
--- a/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh
+++ b/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh
@@ -1,3 +1,4 @@
+#
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
@@ -16,71 +17,393 @@
 
 # Set Hadoop-specific environment variables here.
 
-# The only required environment variable is JAVA_HOME.  All others are
-# optional.  When running a distributed configuration it is best to
-# set JAVA_HOME in this file, so that it is correctly defined on
-# remote nodes.
+##
+## THIS FILE ACTS AS THE MASTER FILE FOR ALL HADOOP PROJECTS.
+## SETTINGS HERE WILL BE READ BY ALL HADOOP COMMANDS.  THEREFORE,
+## ONE CAN USE THIS FILE TO SET YARN, HDFS, AND MAPREDUCE
+## CONFIGURATION OPTIONS INSTEAD OF xxx-env.sh.
+##
+## Precedence rules:
+##
+## {yarn-env.sh|hdfs-env.sh} > hadoop-env.sh > hard-coded defaults
+##
+## {YARN_xyz|HDFS_xyz} > HADOOP_xyz > hard-coded defaults
+##
+
+# Many of the options here are built from the perspective that users
+# may want to provide OVERWRITING values on the command line.
+# For example:
+#
+#  JAVA_HOME=/usr/java/testing hdfs dfs -ls
+#
+# Therefore, the vast majority (BUT NOT ALL!) of these defaults
+# are configured for substitution and not append.  If you would
+# like append, you'll # need to modify this file accordingly.
+
+###
+# Generic settings for HADOOP
+###
+
+# Technically, the only required environment variable is JAVA_HOME.
+# All others are optional.  However, our defaults are probably not
+# your defaults.  Many sites configure these options outside of Hadoop,
+# such as in /etc/profile.d
 
 # The java implementation to use.
-export JAVA_HOME=${JAVA_HOME}
+export JAVA_HOME=${JAVA_HOME:-"hadoop-env.sh is not configured"}
 
-# The jsvc implementation to use. Jsvc is required to run secure datanodes.
-#export JSVC_HOME=${JSVC_HOME}
+# Location of Hadoop's configuration information.  i.e., where this
+# file is probably living.  You will almost certainly want to set
+# this in /etc/profile.d or equivalent.
+# export HADOOP_CONF_DIR=$HADOOP_PREFIX/etc/hadoop
 
-export HADOOP_CONF_DIR=${HADOOP_CONF_DIR:-"/etc/hadoop"}
+# The maximum amount of heap to use, in MB. Default is 1024.
+# export HADOOP_HEAPSIZE=1024
 
-# Extra Java CLASSPATH elements.  Automatically insert capacity-scheduler.
-for f in $HADOOP_HOME/contrib/capacity-scheduler/*.jar; do
-  if [ "$HADOOP_CLASSPATH" ]; then
-    export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:$f
-  else
-    export HADOOP_CLASSPATH=$f
-  fi
-done
+# Extra Java runtime options for all Hadoop commands. We don't support
+# IPv6 yet/still, so by default we set preference to IPv4.
+# export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true"
 
-# The maximum amount of heap to use, in MB. Default is 1000.
-#export HADOOP_HEAPSIZE=
-#export HADOOP_NAMENODE_INIT_HEAPSIZE=""
+# Some parts of the shell code may do special things dependent upon
+# the operating system.  We have to set this here. See the next
+# section as to why....
+export HADOOP_OS_TYPE=${HADOOP_OS_TYPE:-$(uname -s)}
 
-# Extra Java runtime options.  Empty by default.
-export HADOOP_OPTS="$HADOOP_OPTS -Djava.net.preferIPv4Stack=true"
 
-MAC_OSX=false
-case "`uname`" in
-Darwin*) MAC_OSX=true;;
+# Under certain conditions, Java on OS X will throw SCDynamicStore errors
+# in the system logs.
+# See HADOOP-8719 for more information.  If you need Kerberos
+# support on OS X, you'll want to change/remove this extra bit.
+case ${HADOOP_OS_TYPE} in
+  Darwin*)
+    export HADOOP_OPTS="${HADOOP_OPTS} -Djava.security.krb5.realm= "
+    export HADOOP_OPTS="${HADOOP_OPTS} -Djava.security.krb5.kdc= "
+    export HADOOP_OPTS="${HADOOP_OPTS} -Djava.security.krb5.conf= "
+  ;;
 esac
-if $MAC_OSX; then
-    export HADOOP_OPTS="$HADOOP_OPTS -Djava.security.krb5.realm= -Djava.security.krb5.kdc="
-fi
 
-# Command specific options appended to HADOOP_OPTS when specified
-export HADOOP_NAMENODE_OPTS="-Dhadoop.security.logger=${HADOOP_SECURITY_LOGGER:-INFO,RFAS} -Dhdfs.audit.logger=${HDFS_AUDIT_LOGGER:-INFO,NullAppender} $HADOOP_NAMENODE_OPTS"
-export HADOOP_DATANODE_OPTS="-Dhadoop.security.logger=ERROR,RFAS $HADOOP_DATANODE_OPTS"
+# Extra Java runtime options for Hadoop clients (i.e., hdfs dfs -blah)
+# These get added to HADOOP_OPTS for such commands.  In most cases,
+# this should be left empty and let users supply it on the
+# command line.
+# extra HADOOP_CLIENT_OPTS=""
 
-export HADOOP_SECONDARYNAMENODE_OPTS="-Dhadoop.security.logger=${HADOOP_SECURITY_LOGGER:-INFO,RFAS} -Dhdfs.audit.logger=${HDFS_AUDIT_LOGGER:-INFO,NullAppender} $HADOOP_SECONDARYNAMENODE_OPTS"
+#
+# A note about classpaths.
+#
+# The classpath is configured such that entries are stripped prior
+# to handing to Java based either upon duplication or non-existence.
+# Wildcards and/or directories are *NOT* expanded as the
+# de-duplication is fairly simple.  So if two directories are in
+# the classpath that both contain awesome-methods-1.0.jar,
+# awesome-methods-1.0.jar will still be seen by java.  But if
+# the classpath specifically has awesome-methods-1.0.jar from the
+# same directory listed twice, the last one will be removed.
+#
 
-export HADOOP_NFS3_OPTS="$HADOOP_NFS3_OPTS"
-export HADOOP_PORTMAP_OPTS="-Xmx512m $HADOOP_PORTMAP_OPTS"
+# An additional, custom CLASSPATH.  This is really meant for
+# end users, but as an administrator, one might want to push
+# something extra in here too, such as the jar to the topology
+# method.  Just be sure to append to the existing HADOOP_USER_CLASSPATH
+# so end users have a way to add stuff.
+# export HADOOP_USER_CLASSPATH="/some/cool/path/on/your/machine"
 
-# The following applies to multiple commands (fs, dfs, fsck, distcp etc)
-export HADOOP_CLIENT_OPTS="-Xmx512m $HADOOP_CLIENT_OPTS"
-#HADOOP_JAVA_PLATFORM_OPTS="-XX:-UsePerfData $HADOOP_JAVA_PLATFORM_OPTS"
+# Should HADOOP_USER_CLASSPATH be first in the official CLASSPATH?
+# export HADOOP_USER_CLASSPATH_FIRST="yes"
 
-# On secure datanodes, user to run the datanode as after dropping privileges
-export HADOOP_SECURE_DN_USER=${HADOOP_SECURE_DN_USER}
+###
+# Options for remote shell connectivity
+###
 
-# Where log files are stored.  $HADOOP_HOME/logs by default.
-#export HADOOP_LOG_DIR=${HADOOP_LOG_DIR}/$USER
+# There are some optional components of hadoop that allow for
+# command and control of remote hosts.  For example,
+# start-dfs.sh will attempt to bring up all NNs, DNS, etc.
 
-# Where log files are stored in the secure data environment.
-export HADOOP_SECURE_DN_LOG_DIR=${HADOOP_LOG_DIR}/${HADOOP_HDFS_USER}
+# Options to pass to SSH when one of the "log into a host and
+# start/stop daemons" scripts is executed
+# export HADOOP_SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=10s"
 
-# The directory where pid files are stored. /tmp by default.
-# NOTE: this should be set to a directory that can only be written to by 
-#       the user that will run the hadoop daemons.  Otherwise there is the
-#       potential for a symlink attack.
-export HADOOP_PID_DIR=${HADOOP_PID_DIR}
-export HADOOP_SECURE_DN_PID_DIR=${HADOOP_PID_DIR}
+# The built-in ssh handler will limit itself to 10 simultaneous connections.
+# For pdsh users, this sets the fanout size ( -f )
+# Change this to increase/decrease as necessary.
+# export HADOOP_SSH_PARALLEL=10
+
+# Filename which contains all of the hosts for any remote execution
+# helper scripts # such as slaves.sh, start-dfs.sh, etc.
+# export HADOOP_SLAVES="${HADOOP_CONF_DIR}/slaves"
+
+###
+# Options for all daemons
+###
+#
+
+#
+# You can define variables right here and then re-use them later on.
+# For example, it is common to use the same garbage collection settings
+# for all the daemons.  So we could define:
+#
+# export HADOOP_GC_SETTINGS="-verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps"
+#
+# .. and then use it as per the b option under the namenode.
+
+# Where (primarily) daemon log files are stored.
+# $HADOOP_PREFIX/logs by default.
+# export HADOOP_LOG_DIR=${HADOOP_PREFIX}/logs
 
 # A string representing this instance of hadoop. $USER by default.
-export HADOOP_IDENT_STRING=$USER
+# This is used in writing log and pid files, so keep that in mind!
+# export HADOOP_IDENT_STRING=$USER
+
+# How many seconds to pause after stopping a daemon
+# export HADOOP_STOP_TIMEOUT=5
+
+# Where pid files are stored.  /tmp by default.
+# export HADOOP_PID_DIR=/tmp
+
+# Default log level and output location
+# This sets the hadoop.root.logger property
+# export HADOOP_ROOT_LOGGER=INFO,console
+
+# Default log level for daemons spawned explicitly by hadoop-daemon.sh
+# This sets the hadoop.root.logger property
+# export HADOOP_DAEMON_ROOT_LOGGER=INFO,RFA
+
+# Default log level and output location for security-related messages.
+# It sets -Dhadoop.security.logger on the command line.
+# You will almost certainly want to change this on a per-daemon basis!
+# export HADOOP_SECURITY_LOGGER=INFO,NullAppender
+
+# Default log level for file system audit messages.
+# It sets -Dhdfs.audit.logger on the command line.
+# You will almost certainly want to change this on a per-daemon basis!
+# export HADOOP_AUDIT_LOGGER=INFO,NullAppender
+
+# Default process priority level
+# Note that sub-processes will also run at this level!
+# export HADOOP_NICENESS=0
+
+# Default name for the service level authorization file
+# export HADOOP_POLICYFILE="hadoop-policy.xml"
+
+###
+# Secure/privileged execution
+###
+
+#
+# Out of the box, Hadoop uses jsvc from Apache Commons to launch daemons
+# on privileged ports.  This functionality can be replaced by providing
+# custom functions.  See hadoop-functions.sh for more information.
+#
+
+# The jsvc implementation to use. Jsvc is required to run secure datanodes.
+# export JSVC_HOME=/usr/bin
+
+#
+# This directory contains pids for secure and privileged processes.
+#export HADOOP_SECURE_PID_DIR=${HADOOP_PID_DIR}
+
+#
+# This directory contains the logs for secure and privileged processes.
+# export HADOOP_SECURE_LOG=${HADOOP_LOG_DIR}
+
+#
+# When running a secure daemon, the default value of HADOOP_IDENT_STRING
+# ends up being a bit bogus.  Therefore, by default, the code will
+# replace HADOOP_IDENT_STRING with HADOOP_SECURE_xx_USER.  If you want
+# to keep HADOOP_IDENT_STRING untouched, then uncomment this line.
+# export HADOOP_SECURE_IDENT_PRESERVE="true"
+
+###
+# NameNode specific parameters
+###
+# Specify the JVM options to be used when starting the NameNode.
+# These options will be appended to the options specified as HADOOP_OPTS
+# and therefore may override any similar flags set in HADOOP_OPTS
+#
+# a) Set JMX options
+# export HADOOP_NAMENODE_OPTS="-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=1026"
+#
+# b) Set garbage collection logs
+# export HADOOP_NAMENODE_OPTS="${HADOOP_GC_SETTINGS} -Xloggc:${HADOOP_LOG_DIR}/gc-rm.log-$(date +'%Y%m%d%H%M')"
+#
+# c) ... or set them directly
+# export HADOOP_NAMENODE_OPTS="-verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps -Xloggc:${HADOOP_LOG_DIR}/gc-rm.log-$(date +'%Y%m%d%H%M')"
+
+# this is the default:
+# export HADOOP_NAMENODE_OPTS="-Dhadoop.security.logger=INFO,RFAS -Dhdfs.audit.logger=INFO,NullAppender"
+
+###
+# SecondaryNameNode specific parameters
+###
+# Specify the JVM options to be used when starting the SecondaryNameNode.
+# These options will be appended to the options specified as HADOOP_OPTS
+# and therefore may override any similar flags set in HADOOP_OPTS
+#
+# This is the default:
+# export HADOOP_SECONDARYNAMENODE_OPTS="-Dhadoop.security.logger=INFO,RFAS -Dhdfs.audit.logger=INFO,NullAppender"
+
+###
+# DataNode specific parameters
+###
+# Specify the JVM options to be used when starting the DataNode.
+# These options will be appended to the options specified as HADOOP_OPTS
+# and therefore may override any similar flags set in HADOOP_OPTS
+#
+# This is the default:
+# export HADOOP_DATANODE_OPTS="-Dhadoop.security.logger=ERROR,RFAS"
+
+# On secure datanodes, user to run the datanode as after dropping privileges
+# This **MUST** be uncommented to enable secure HDFS!
+# export HADOOP_SECURE_DN_USER=hdfs
+
+# Supplemental options for secure datanodes
+# By default, we use jsvc which needs to know to launch a
+# server jvm.
+# export HADOOP_DN_SECURE_EXTRA_OPTS="-jvm server"
+
+# Where datanode log files are stored in the secure data environment.
+# export HADOOP_SECURE_DN_LOG_DIR=${HADOOP_SECURE_LOG_DIR}
+
+# Where datanode pid files are stored in the secure data environment.
+# export HADOOP_SECURE_DN_PID_DIR=${HADOOP_SECURE_PID_DIR}
+
+###
+# NFS3 Gateway specific parameters
+###
+# Specify the JVM options to be used when starting the NFS3 Gateway.
+# These options will be appended to the options specified as HADOOP_OPTS
+# and therefore may override any similar flags set in HADOOP_OPTS
+#
+# export HADOOP_NFS3_OPTS=""
+
+# Specify the JVM options to be used when starting the Hadoop portmapper.
+# These options will be appended to the options specified as HADOOP_OPTS
+# and therefore may override any similar flags set in HADOOP_OPTS
+#
+# export HADOOP_PORTMAP_OPTS="-Xmx512m"
+
+# Supplemental options for priviliged gateways
+# By default, we use jsvc which needs to know to launch a
+# server jvm.
+# export HADOOP_NFS3_SECURE_EXTRA_OPTS="-jvm server"
+
+# On privileged gateways, user to run the gateway as after dropping privileges
+# export HADOOP_PRIVILEGED_NFS_USER=nfsserver
+
+###
+# ZKFailoverController specific parameters
+###
+# Specify the JVM options to be used when starting the ZKFailoverController.
+# These options will be appended to the options specified as HADOOP_OPTS
+# and therefore may override any similar flags set in HADOOP_OPTS
+#
+# export HADOOP_ZKFC_OPTS=""
+
+###
+# QuorumJournalNode specific parameters
+###
+# Specify the JVM options to be used when starting the QuorumJournalNode.
+# These options will be appended to the options specified as HADOOP_OPTS
+# and therefore may override any similar flags set in HADOOP_OPTS
+#
+# export HADOOP_JOURNALNODE_OPTS=""
+
+###
+# HDFS Balancer specific parameters
+###
+# Specify the JVM options to be used when starting the HDFS Balancer.
+# These options will be appended to the options specified as HADOOP_OPTS
+# and therefore may override any similar flags set in HADOOP_OPTS
+#
+# export HADOOP_BALANCER_OPTS=""
+
+###
+# Advanced Users Only!
+###
+
+#
+# When building Hadoop, you can add the class paths to your commands
+# via this special env var:
+# HADOOP_ENABLE_BUILD_PATHS="true"
+
+# You can do things like replace parts of the shell underbelly.
+# Most of this code is in hadoop-functions.sh.
+#
+#
+# For example, if you want to add compression to the rotation
+# menthod for the .out files that daemons generate, you can do
+# that by redefining the hadoop_rotate_log function by
+# uncommenting this code block:
+
+#function hadoop_rotate_log
+#{
+#  #
+#  # log rotation (mainly used for .out files)
+#  # Users are likely to replace this one for something
+#  # that gzips or uses dates or who knows what.
+#  #
+#  # be aware that &1 and &2 might go through here
+#  # so don't do anything too crazy...
+#  #
+#  local log=$1;
+#  local num=${2:-5};
+#
+#  if [[ -f "${log}" ]]; then # rotate logs
+#    while [[ ${num} -gt 1 ]]; do
+#      #shellcheck disable=SC2086
+#      let prev=${num}-1
+#      if [[ -f "${log}.${prev}" ]]; then
+#        mv "${log}.${prev}" "${log}.${num}"
+#      fi
+#      num=${prev}
+#    done
+#    mv "${log}" "${log}.${num}"
+#    gzip -9 "${log}.${num}"
+#  fi
+#}
+#
+#
+# Another example:  finding java
+#
+# By default, Hadoop assumes that $JAVA_HOME is always defined
+# outside of its configuration. Eons ago, Apple standardized
+# on a helper program called java_home to find it for you.
+#
+#function hadoop_java_setup
+#{
+#
+#  if [[ -z "${JAVA_HOME}" ]]; then
+#     case $HADOOP_OS_TYPE in
+#       Darwin*)
+#          JAVA_HOME=$(/usr/libexec/java_home)
+#          ;;
+#     esac
+#  fi
+#
+#  # Bail if we did not detect it
+#  if [[ -z "${JAVA_HOME}" ]]; then
+#    echo "ERROR: JAVA_HOME is not set and could not be found." 1>&2
+#    exit 1
+#  fi
+#
+#  if [[ ! -d "${JAVA_HOME}" ]]; then
+#     echo "ERROR: JAVA_HOME (${JAVA_HOME}) does not exist." 1>&2
+#     exit 1
+#  fi
+#
+#  JAVA="${JAVA_HOME}/bin/java"
+#
+#  if [[ ! -x ${JAVA} ]]; then
+#    echo "ERROR: ${JAVA} is not executable." 1>&2
+#    exit 1
+#  fi
+#  JAVA_HEAP_MAX=-Xmx1g
+#  HADOOP_HEAPSIZE=${HADOOP_HEAPSIZE:-128}
+#
+#  # check envvars which might override default args
+#  if [[ -n "$HADOOP_HEAPSIZE" ]]; then
+#    JAVA_HEAP_MAX="-Xmx${HADOOP_HEAPSIZE}m"
+#  fi
+#}
+
+
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/distribute-exclude.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/distribute-exclude.sh
index 66fc14a2468..3c0b9af3ff3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/distribute-exclude.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/distribute-exclude.sh
@@ -57,9 +57,9 @@ excludeFilenameRemote=$("$HADOOP_PREFIX/bin/hdfs" getconf -excludeFile)
 
 if [ "$excludeFilenameRemote" = '' ] ; then
   echo \
-    "Error: hdfs getconf -excludeFile returned empty string, " \
-    "please setup dfs.hosts.exclude in hdfs-site.xml in local cluster " \
-    "configuration and on all namenodes"
+  "Error: hdfs getconf -excludeFile returned empty string, " \
+  "please setup dfs.hosts.exclude in hdfs-site.xml in local cluster " \
+  "configuration and on all namenodes"
   exit 1
 fi
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
index fa2d863a75c..bb5636217a0 100755
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
@@ -15,250 +15,237 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Environment Variables
-#
-#   JSVC_HOME  home directory of jsvc binary.  Required for starting secure
-#              datanode.
-#
-#   JSVC_OUTFILE  path to jsvc output file.  Defaults to
-#                 $HADOOP_LOG_DIR/jsvc.out.
-#
-#   JSVC_ERRFILE  path to jsvc error file.  Defaults to $HADOOP_LOG_DIR/jsvc.err.
-
-bin=`which $0`
-bin=`dirname ${bin}`
-bin=`cd "$bin" > /dev/null; pwd`
-
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hdfs-config.sh
-
-function print_usage(){
-  echo "Usage: hdfs [--config confdir] COMMAND"
+function hadoop_usage
+{
+  echo "Usage: hdfs [--config confdir] [--daemon (start|stop|status)] COMMAND"
   echo "       where COMMAND is one of:"
-  echo "  dfs                  run a filesystem command on the file systems supported in Hadoop."
-  echo "  namenode -format     format the DFS filesystem"
-  echo "  secondarynamenode    run the DFS secondary namenode"
-  echo "  namenode             run the DFS namenode"
-  echo "  journalnode          run the DFS journalnode"
-  echo "  zkfc                 run the ZK Failover Controller daemon"
-  echo "  datanode             run a DFS datanode"
-  echo "  dfsadmin             run a DFS admin client"
-  echo "  haadmin              run a DFS HA admin client"
-  echo "  fsck                 run a DFS filesystem checking utility"
   echo "  balancer             run a cluster balancing utility"
-  echo "  jmxget               get JMX exported values from NameNode or DataNode."
-  echo "  oiv                  apply the offline fsimage viewer to an fsimage"
-  echo "  oiv_legacy           apply the offline fsimage viewer to an legacy fsimage"
-  echo "  oev                  apply the offline edits viewer to an edits file"
+  echo "  cacheadmin           configure the HDFS cache"
+  echo "  classpath            prints the class path needed to get the"
+  echo "                       Hadoop jar and the required libraries"
+  echo "  datanode             run a DFS datanode"
+  echo "  dfs                  run a filesystem command on the file system"
+  echo "  dfsadmin             run a DFS admin client"
   echo "  fetchdt              fetch a delegation token from the NameNode"
+  echo "  fsck                 run a DFS filesystem checking utility"
   echo "  getconf              get config values from configuration"
   echo "  groups               get the groups which users belong to"
+  echo "  haadmin              run a DFS HA admin client"
+  echo "  jmxget               get JMX exported values from NameNode or DataNode."
+  echo "  journalnode          run the DFS journalnode"
+  echo "  lsSnapshottableDir   list all snapshottable dirs owned by the current user"
+  echo "                               Use -help to see options"
+  echo "  namenode             run the DFS namenode"
+  echo "                               Use -format to initialize the DFS filesystem"
+  echo "  nfs3                 run an NFS version 3 gateway"
+  echo "  oev                  apply the offline edits viewer to an edits file"
+  echo "  oiv                  apply the offline fsimage viewer to an fsimage"
+  echo "  oiv_legacy           apply the offline fsimage viewer to a legacy fsimage"
+  echo "  portmap              run a portmap service"
+  echo "  secondarynamenode    run the DFS secondary namenode"
   echo "  snapshotDiff         diff two snapshots of a directory or diff the"
   echo "                       current directory contents with a snapshot"
-  echo "  lsSnapshottableDir   list all snapshottable dirs owned by the current user"
-  echo "						Use -help to see options"
-  echo "  portmap              run a portmap service"
-  echo "  nfs3                 run an NFS version 3 gateway"
-  echo "  cacheadmin           configure the HDFS cache"
+  echo "  zkfc                 run the ZK Failover Controller daemon"
   echo ""
   echo "Most commands print help when invoked w/o parameters."
 }
 
-if [ $# = 0 ]; then
-  print_usage
-  exit
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  this="${BASH_SOURCE-$0}"
+  bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hdfs-config.sh." 2>&1
+  exit 1
+fi
+
+if [[ $# = 0 ]]; then
+  hadoop_exit_with_usage 1
 fi
 
 COMMAND=$1
 shift
 
-case $COMMAND in
-  # usage flags
-  --help|-help|-h)
-    print_usage
+case ${COMMAND} in
+  balancer)
+    CLASS=org.apache.hadoop.hdfs.server.balancer.Balancer
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_BALANCER_OPTS}"
+  ;;
+  cacheadmin)
+    CLASS=org.apache.hadoop.hdfs.tools.CacheAdmin
+  ;;
+  classpath)
+    hadoop_finalize
+    echo "${CLASSPATH}"
     exit
-    ;;
+  ;;
+  datanode)
+    daemon="true"
+    # Determine if we're starting a secure datanode, and
+    # if so, redefine appropriate variables
+    if [[ -n "${HADOOP_SECURE_DN_USER}" ]]; then
+      secure_service="true"
+      secure_user="${HADOOP_SECURE_DN_USER}"
+      
+      # backward compatiblity
+      HADOOP_SECURE_PID_DIR="${HADOOP_SECURE_PID_DIR:-$HADOOP_SECURE_DN_PID_DIR}"
+      HADOOP_SECURE_LOG_DIR="${HADOOP_SECURE_LOG_DIR:-$HADOOP_SECURE_DN_LOG_DIR}"
+      
+      HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_DN_SECURE_EXTRA_OPTS} ${HADOOP_DATANODE_OPTS}"
+      CLASS="org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter"
+    else
+      HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_DATANODE_OPTS}"
+      CLASS='org.apache.hadoop.hdfs.server.datanode.DataNode'
+    fi
+  ;;
+  dfs)
+    CLASS=org.apache.hadoop.fs.FsShell
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
+  ;;
+  dfsadmin)
+    CLASS=org.apache.hadoop.hdfs.tools.DFSAdmin
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
+  ;;
+  fetchdt)
+    CLASS=org.apache.hadoop.hdfs.tools.DelegationTokenFetcher
+  ;;
+  fsck)
+    CLASS=org.apache.hadoop.hdfs.tools.DFSck
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
+  ;;
+  getconf)
+    CLASS=org.apache.hadoop.hdfs.tools.GetConf
+  ;;
+  groups)
+    CLASS=org.apache.hadoop.hdfs.tools.GetGroups
+  ;;
+  haadmin)
+    CLASS=org.apache.hadoop.hdfs.tools.DFSHAAdmin
+    CLASSPATH="${CLASSPATH}:${TOOL_PATH}"
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
+  ;;
+  journalnode)
+    daemon="true"
+    CLASS='org.apache.hadoop.hdfs.qjournal.server.JournalNode'
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_JOURNALNODE_OPTS}"
+  ;;
+  jmxget)
+    CLASS=org.apache.hadoop.hdfs.tools.JMXGet
+  ;;
+  lsSnapshottableDir)
+    CLASS=org.apache.hadoop.hdfs.tools.snapshot.LsSnapshottableDir
+  ;;
+  namenode)
+    daemon="true"
+    CLASS='org.apache.hadoop.hdfs.server.namenode.NameNode'
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_NAMENODE_OPTS}"
+  ;;
+  nfs3)
+    daemon="true"
+    if [[ -n "${HADOOP_PRIVILEGED_NFS_USER}" ]]; then
+      secure_service="true"
+      secure_user="${HADOOP_PRIVILEGED_NFS_USER}"
+      
+      # backward compatiblity
+      HADOOP_SECURE_PID_DIR="${HADOOP_SECURE_PID_DIR:-$HADOOP_SECURE_NFS3_PID_DIR}"
+      HADOOP_SECURE_LOG_DIR="${HADOOP_SECURE_LOG_DIR:-$HADOOP_SECURE_NFS3_LOG_DIR}"
+      
+      HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_NFS3_SECURE_EXTRA_OPTS} ${HADOOP_NFS3_OPTS}"
+      CLASS=org.apache.hadoop.hdfs.nfs.nfs3.PrivilegedNfsGatewayStarter
+    else
+      HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_NFS3_OPTS}"
+      CLASS=org.apache.hadoop.hdfs.nfs.nfs3.Nfs3
+    fi
+  ;;
+  oev)
+    CLASS=org.apache.hadoop.hdfs.tools.offlineEditsViewer.OfflineEditsViewer
+  ;;
+  oiv)
+    CLASS=org.apache.hadoop.hdfs.tools.offlineImageViewer.OfflineImageViewerPB
+  ;;
+  oiv_legacy)
+    CLASS=org.apache.hadoop.hdfs.tools.offlineImageViewer.OfflineImageViewer
+  ;;
+  portmap)
+    daemon="true"
+    CLASS=org.apache.hadoop.portmap.Portmap
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_PORTMAP_OPTS}"
+  ;;
+  secondarynamenode)
+    daemon="true"
+    CLASS='org.apache.hadoop.hdfs.server.namenode.SecondaryNameNode'
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_SECONDARYNAMENODE_OPTS}"
+  ;;
+  snapshotDiff)
+    CLASS=org.apache.hadoop.hdfs.tools.snapshot.SnapshotDiff
+  ;;
+  zkfc)
+    daemon="true"
+    CLASS='org.apache.hadoop.hdfs.tools.DFSZKFailoverController'
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_ZKFC_OPTS}"
+  ;;
+  -*)
+    hadoop_exit_with_usage 1
+  ;;
+  *)
+    CLASS="${COMMAND}"
+  ;;
 esac
 
-# Determine if we're starting a secure datanode, and if so, redefine appropriate variables
-if [ "$COMMAND" == "datanode" ] && [ "$EUID" -eq 0 ] && [ -n "$HADOOP_SECURE_DN_USER" ]; then
-  if [ -n "$JSVC_HOME" ]; then
-    if [ -n "$HADOOP_SECURE_DN_PID_DIR" ]; then
-      HADOOP_PID_DIR=$HADOOP_SECURE_DN_PID_DIR
-    fi
-  
-    if [ -n "$HADOOP_SECURE_DN_LOG_DIR" ]; then
-      HADOOP_LOG_DIR=$HADOOP_SECURE_DN_LOG_DIR
-      HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.log.dir=$HADOOP_LOG_DIR"
-    fi
-   
-    HADOOP_IDENT_STRING=$HADOOP_SECURE_DN_USER
-    HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.id.str=$HADOOP_IDENT_STRING"
-    starting_secure_dn="true"
-  else
-    echo "It looks like you're trying to start a secure DN, but \$JSVC_HOME"\
-      "isn't set. Falling back to starting insecure DN."
+if [[ -n "${secure_service}" ]]; then
+  HADOOP_SECURE_USER="${secure_user}"
+  if hadoop_verify_secure_prereq; then
+    hadoop_setup_secure_service
+    priv_outfile="${HADOOP_LOG_DIR}/privileged-${HADOOP_IDENT_STRING}-${COMMAND-$HOSTNAME}.out"
+    priv_errfile="${HADOOP_LOG_DIR}/privileged-${HADOOP_IDENT_STRING}-${COMMAND-$HOSTNAME}.err"
+    priv_pidfile="${HADOOP_PID_DIR}/privileged-${HADOOP_IDENT_STRING}-${COMMAND-$HOSTNAME}.pid"
+    daemon_outfile="${HADOOP_LOG_DIR}/hadoop-${HADOOP_SECURE_USER}-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.out"
+    daemon_pidfile="${HADOOP_PID_DIR}/hadoop-${HADOOP_SECURE_USER}-${HADOOP_IDENT_STRING}-${COMMAND}.pid"
   fi
-fi
-
-# Determine if we're starting a privileged NFS daemon, and if so, redefine appropriate variables
-if [ "$COMMAND" == "nfs3" ] && [ "$EUID" -eq 0 ] && [ -n "$HADOOP_PRIVILEGED_NFS_USER" ]; then
-  if [ -n "$JSVC_HOME" ]; then
-    if [ -n "$HADOOP_PRIVILEGED_NFS_PID_DIR" ]; then
-      HADOOP_PID_DIR=$HADOOP_PRIVILEGED_NFS_PID_DIR
-    fi
-  
-    if [ -n "$HADOOP_PRIVILEGED_NFS_LOG_DIR" ]; then
-      HADOOP_LOG_DIR=$HADOOP_PRIVILEGED_NFS_LOG_DIR
-      HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.log.dir=$HADOOP_LOG_DIR"
-    fi
-   
-    HADOOP_IDENT_STRING=$HADOOP_PRIVILEGED_NFS_USER
-    HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.id.str=$HADOOP_IDENT_STRING"
-    starting_privileged_nfs="true"
-  else
-    echo "It looks like you're trying to start a privileged NFS server, but"\
-      "\$JSVC_HOME isn't set. Falling back to starting unprivileged NFS server."
-  fi
-fi
-
-if [ "$COMMAND" = "namenode" ] ; then
-  CLASS='org.apache.hadoop.hdfs.server.namenode.NameNode'
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_NAMENODE_OPTS"
-elif [ "$COMMAND" = "zkfc" ] ; then
-  CLASS='org.apache.hadoop.hdfs.tools.DFSZKFailoverController'
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_ZKFC_OPTS"
-elif [ "$COMMAND" = "secondarynamenode" ] ; then
-  CLASS='org.apache.hadoop.hdfs.server.namenode.SecondaryNameNode'
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_SECONDARYNAMENODE_OPTS"
-elif [ "$COMMAND" = "datanode" ] ; then
-  CLASS='org.apache.hadoop.hdfs.server.datanode.DataNode'
-  if [ "$starting_secure_dn" = "true" ]; then
-    HADOOP_OPTS="$HADOOP_OPTS -jvm server $HADOOP_DATANODE_OPTS"
-  else
-    HADOOP_OPTS="$HADOOP_OPTS -server $HADOOP_DATANODE_OPTS"
-  fi
-elif [ "$COMMAND" = "journalnode" ] ; then
-  CLASS='org.apache.hadoop.hdfs.qjournal.server.JournalNode'
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_JOURNALNODE_OPTS"
-elif [ "$COMMAND" = "dfs" ] ; then
-  CLASS=org.apache.hadoop.fs.FsShell
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-elif [ "$COMMAND" = "dfsadmin" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.DFSAdmin
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-elif [ "$COMMAND" = "haadmin" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.DFSHAAdmin
-  CLASSPATH=${CLASSPATH}:${TOOL_PATH}
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-elif [ "$COMMAND" = "fsck" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.DFSck
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-elif [ "$COMMAND" = "balancer" ] ; then
-  CLASS=org.apache.hadoop.hdfs.server.balancer.Balancer
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_BALANCER_OPTS"
-elif [ "$COMMAND" = "jmxget" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.JMXGet
-elif [ "$COMMAND" = "oiv" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.offlineImageViewer.OfflineImageViewerPB
-elif [ "$COMMAND" = "oiv_legacy" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.offlineImageViewer.OfflineImageViewer
-elif [ "$COMMAND" = "oev" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.offlineEditsViewer.OfflineEditsViewer
-elif [ "$COMMAND" = "fetchdt" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.DelegationTokenFetcher
-elif [ "$COMMAND" = "getconf" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.GetConf
-elif [ "$COMMAND" = "groups" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.GetGroups
-elif [ "$COMMAND" = "snapshotDiff" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.snapshot.SnapshotDiff
-elif [ "$COMMAND" = "lsSnapshottableDir" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.snapshot.LsSnapshottableDir
-elif [ "$COMMAND" = "portmap" ] ; then
-  CLASS=org.apache.hadoop.portmap.Portmap
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_PORTMAP_OPTS"
-elif [ "$COMMAND" = "nfs3" ] ; then
-  CLASS=org.apache.hadoop.hdfs.nfs.nfs3.Nfs3
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_NFS3_OPTS"
-elif [ "$COMMAND" = "cacheadmin" ] ; then
-  CLASS=org.apache.hadoop.hdfs.tools.CacheAdmin
 else
-  CLASS="$COMMAND"
+  daemon_outfile="${HADOOP_LOG_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.out"
+  daemon_pidfile="${HADOOP_PID_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}.pid"
 fi
 
-export CLASSPATH=$CLASSPATH
-
-HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.security.logger=${HADOOP_SECURITY_LOGGER:-INFO,NullAppender}"
-
-# Check to see if we should start a secure datanode
-if [ "$starting_secure_dn" = "true" ]; then
-  if [ "$HADOOP_PID_DIR" = "" ]; then
-    HADOOP_SECURE_DN_PID="/tmp/hadoop_secure_dn.pid"
+if [[ "${HADOOP_DAEMON_MODE}" != "default" ]]; then
+  # shellcheck disable=SC2034
+  HADOOP_ROOT_LOGGER="${HADOOP_DAEMON_ROOT_LOGGER}"
+  if [[ -n "${secure_service}" ]]; then
+    # shellcheck disable=SC2034
+    HADOOP_LOGFILE="hadoop-${HADOOP_SECURE_USER}-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.log"
   else
-    HADOOP_SECURE_DN_PID="$HADOOP_PID_DIR/hadoop_secure_dn.pid"
+    # shellcheck disable=SC2034
+    HADOOP_LOGFILE="hadoop-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.log"
   fi
+fi
 
-  JSVC=$JSVC_HOME/jsvc
-  if [ ! -f $JSVC ]; then
-    echo "JSVC_HOME is not set correctly so jsvc cannot be found. jsvc is required to run secure datanodes. "
-    echo "Please download and install jsvc from http://archive.apache.org/dist/commons/daemon/binaries/ "\
-      "and set JSVC_HOME to the directory containing the jsvc binary."
-    exit
-  fi
+hadoop_add_param HADOOP_OPTS Xmx "${JAVA_HEAP_MAX}"
+hadoop_finalize
 
-  if [[ ! $JSVC_OUTFILE ]]; then
-    JSVC_OUTFILE="$HADOOP_LOG_DIR/jsvc.out"
-  fi
+export CLASSPATH
 
-  if [[ ! $JSVC_ERRFILE ]]; then
-    JSVC_ERRFILE="$HADOOP_LOG_DIR/jsvc.err"
-  fi
-
-  exec "$JSVC" \
-           -Dproc_$COMMAND -outfile "$JSVC_OUTFILE" \
-           -errfile "$JSVC_ERRFILE" \
-           -pidfile "$HADOOP_SECURE_DN_PID" \
-           -nodetach \
-           -user "$HADOOP_SECURE_DN_USER" \
-            -cp "$CLASSPATH" \
-           $JAVA_HEAP_MAX $HADOOP_OPTS \
-           org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter "$@"
-elif [ "$starting_privileged_nfs" = "true" ] ; then
-  if [ "$HADOOP_PID_DIR" = "" ]; then
-    HADOOP_PRIVILEGED_NFS_PID="/tmp/hadoop_privileged_nfs3.pid"
+if [[ -n "${daemon}" ]]; then
+  if [[ -n "${secure_service}" ]]; then
+    hadoop_secure_daemon_handler \
+    "${HADOOP_DAEMON_MODE}" "${COMMAND}" "${CLASS}"\
+    "${daemon_pidfile}" "${daemon_outfile}" \
+    "${priv_pidfile}" "${priv_outfile}" "${priv_errfile}" "$@"
   else
-    HADOOP_PRIVILEGED_NFS_PID="$HADOOP_PID_DIR/hadoop_privileged_nfs3.pid"
+    hadoop_daemon_handler "${HADOOP_DAEMON_MODE}" "${COMMAND}" "${CLASS}"\
+    "${daemon_pidfile}" "${daemon_outfile}" "$@"
   fi
-
-  JSVC=$JSVC_HOME/jsvc
-  if [ ! -f $JSVC ]; then
-    echo "JSVC_HOME is not set correctly so jsvc cannot be found. jsvc is required to run privileged NFS gateways. "
-    echo "Please download and install jsvc from http://archive.apache.org/dist/commons/daemon/binaries/ "\
-      "and set JSVC_HOME to the directory containing the jsvc binary."
-    exit
-  fi
-
-  if [[ ! $JSVC_OUTFILE ]]; then
-    JSVC_OUTFILE="$HADOOP_LOG_DIR/nfs3_jsvc.out"
-  fi
-
-  if [[ ! $JSVC_ERRFILE ]]; then
-    JSVC_ERRFILE="$HADOOP_LOG_DIR/nfs3_jsvc.err"
-  fi
-
-  exec "$JSVC" \
-           -Dproc_$COMMAND -outfile "$JSVC_OUTFILE" \
-           -errfile "$JSVC_ERRFILE" \
-           -pidfile "$HADOOP_PRIVILEGED_NFS_PID" \
-           -nodetach \
-           -user "$HADOOP_PRIVILEGED_NFS_USER" \
-           -cp "$CLASSPATH" \
-           $JAVA_HEAP_MAX $HADOOP_OPTS \
-           org.apache.hadoop.hdfs.nfs.nfs3.PrivilegedNfsGatewayStarter "$@"
+  exit $?
 else
-  # run it
-  exec "$JAVA" -Dproc_$COMMAND $JAVA_HEAP_MAX $HADOOP_OPTS $CLASS "$@"
+  # shellcheck disable=SC2086
+  hadoop_java_exec "${COMMAND}" "${CLASS}" "$@"
 fi
-
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs-config.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs-config.sh
index 2aabf5300bf..fb460d96d6a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs-config.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs-config.sh
@@ -18,19 +18,67 @@
 # included in all the hdfs scripts with source command
 # should not be executed directly
 
-bin=`which "$0"`
-bin=`dirname "${bin}"`
-bin=`cd "$bin"; pwd`
+function hadoop_subproject_init
+{
+  if [ -e "${HADOOP_CONF_DIR}/hdfs-env.sh" ]; then
+    . "${HADOOP_CONF_DIR}/hdfs-env.sh"
+  fi
+  
+  # at some point in time, someone thought it would be a good idea to
+  # create separate vars for every subproject.  *sigh*
+  # let's perform some overrides and setup some defaults for bw compat
+  # this way the common hadoop var's == subproject vars and can be
+  # used interchangeable from here on out
+  # ...
+  # this should get deprecated at some point.
+  HADOOP_LOG_DIR="${HADOOP_HDFS_LOG_DIR:-$HADOOP_LOG_DIR}"
+  HADOOP_HDFS_LOG_DIR="${HADOOP_LOG_DIR}"
+  
+  HADOOP_LOGFILE="${HADOOP_HDFS_LOGFILE:-$HADOOP_LOGFILE}"
+  HADOOP_HDFS_LOGFILE="${HADOOP_LOGFILE}"
+  
+  HADOOP_NICENESS=${HADOOP_HDFS_NICENESS:-$HADOOP_NICENESS}
+  HADOOP_HDFS_NICENESS="${HADOOP_NICENESS}"
+  
+  HADOOP_STOP_TIMEOUT=${HADOOP_HDFS_STOP_TIMEOUT:-$HADOOP_STOP_TIMEOUT}
+  HADOOP_HDFS_STOP_TIMEOUT="${HADOOP_STOP_TIMEOUT}"
+  
+  HADOOP_PID_DIR="${HADOOP_HDFS_PID_DIR:-$HADOOP_PID_DIR}"
+  HADOOP_HDFS_PID_DIR="${HADOOP_PID_DIR}"
+  
+  HADOOP_ROOT_LOGGER=${HADOOP_HDFS_ROOT_LOGGER:-$HADOOP_ROOT_LOGGER}
+  HADOOP_HDFS_ROOT_LOGGER="${HADOOP_ROOT_LOGGER}"
+  
+  HADOOP_HDFS_HOME="${HADOOP_HDFS_HOME:-$HADOOP_HOME_DIR}"
+  
+  HADOOP_IDENT_STRING="${HADOOP_HDFS_IDENT_STRING:-$HADOOP_IDENT_STRING}"
+  HADOOP_HDFS_IDENT_STRING="${HADOOP_IDENT_STRING}"
+  
+  # turn on the defaults
+  
+  export HADOOP_NAMENODE_OPTS=${HADOOP_NAMENODE_OPTS:-"-Dhadoop.security.logger=INFO,RFAS -Dhdfs.audit.logger=INFO,NullAppender"}
+  export HADOOP_SECONDARYNAMENODE_OPTS=${HADOOP_SECONDARYNAMENODE_OPTS:-"-Dhadoop.security.logger=INFO,RFAS -Dhdfs.audit.logger=INFO,NullAppender"}
+  export HADOOP_DATANODE_OPTS=${HADOOP_DATANODE_OPTS:-"-Dhadoop.security.logger=ERROR,RFAS"}
+  export HADOOP_DN_SECURE_EXTRA_OPTS=${HADOOP_DN_SECURE_EXTRA_OPTS:-"-jvm server"}
+  export HADOOP_NFS3_SECURE_EXTRA_OPTS=${HADOOP_NFS3_SECURE_EXTRA_OPTS:-"-jvm server"}
+  export HADOOP_PORTMAP_OPTS=${HADOOP_PORTMAP_OPTS:-"-Xmx512m"}
+  
+  
+}
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-if [ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]; then
-  . ${HADOOP_LIBEXEC_DIR}/hadoop-config.sh
-elif [ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]; then
-  . "$HADOOP_COMMON_HOME"/libexec/hadoop-config.sh
-elif [ -e "${HADOOP_HOME}/libexec/hadoop-config.sh" ]; then
-  . "$HADOOP_HOME"/libexec/hadoop-config.sh
-else
-  echo "Hadoop common not found."
-  exit
+if [[ -z "${HADOOP_LIBEXEC_DIR}" ]]; then
+  _hd_this="${BASH_SOURCE-$0}"
+  HADOOP_LIBEXEC_DIR=$(cd -P -- "$(dirname -- "${_hd_this}")" >/dev/null && pwd -P)
 fi
+
+if [ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
+elif [ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]; then
+  . "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh"
+elif [ -e "${HADOOP_HOME}/libexec/hadoop-config.sh" ]; then
+  . "${HADOOP_HOME}/libexec/hadoop-config.sh"
+else
+  echo "ERROR: Hadoop common not found." 2>&1
+  exit 1
+fi
+
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/refresh-namenodes.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/refresh-namenodes.sh
index d3f67598b6e..3bac3b47775 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/refresh-namenodes.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/refresh-namenodes.sh
@@ -20,24 +20,40 @@
 # This script refreshes all namenodes, it's a simple wrapper
 # for dfsadmin to support multiple namenodes.
 
-bin=`dirname "$0"`
-bin=`cd "$bin"; pwd`
-
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hdfs-config.sh
-
-namenodes=$("$HADOOP_PREFIX/bin/hdfs" getconf -nnRpcAddresses)
-if [ "$?" != '0' ] ; then errorFlag='1' ; 
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
 else
-  for namenode in $namenodes ; do
-    echo "Refreshing namenode [$namenode]"
-    "$HADOOP_PREFIX/bin/hdfs" dfsadmin -fs hdfs://$namenode -refreshNodes
-    if [ "$?" != '0' ] ; then errorFlag='1' ; fi
+  this="${BASH_SOURCE-$0}"
+  bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hdfs-config.sh." 2>&1
+  exit 1
+fi
+
+namenodes=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -nnRpcAddresses)
+if [[ "$?" != '0' ]] ; then
+  errorFlag='1' ;
+else
+  for namenode in ${namenodes} ; do
+    echo "Refreshing namenode [${namenode}]"
+    "${HADOOP_HDFS_HOME}/bin/hdfs" dfsadmin \
+    -fs hdfs://${namenode} -refreshNodes
+    if [[ "$?" != '0' ]]; then
+      errorFlag='1'
+    fi
   done
 fi
 
-if [ "$errorFlag" = '1' ] ; then
+if [[ "${errorFlag}" = '1' ]] ; then
   echo "Error: refresh of namenodes failed, see error messages above."
   exit 1
 else
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-balancer.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-balancer.sh
index 2c14a59f8a0..a116502fc75 100755
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-balancer.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-balancer.sh
@@ -15,13 +15,31 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
+function usage
+{
+  echo "Usage: start-balancer.sh [--config confdir]  [-policy <policy>] [-threshold <threshold>]"
+}
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hdfs-config.sh
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hdfs-config.sh." 2>&1
+  exit 1
+fi
 
 # Start balancer daemon.
 
-"$HADOOP_PREFIX"/sbin/hadoop-daemon.sh --config $HADOOP_CONF_DIR --script "$bin"/hdfs start balancer $@
+exec "${bin}/hadoop-daemon.sh" --config "${HADOOP_CONF_DIR}" start balancer "$@"
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-dfs.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-dfs.sh
index 8cbea16aa61..5799dec8761 100755
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-dfs.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-dfs.sh
@@ -20,98 +20,128 @@
 # Optinally upgrade or rollback dfs state.
 # Run this on master node.
 
-usage="Usage: start-dfs.sh [-upgrade|-rollback] [other options such as -clusterId]"
+function hadoop_usage
+{
+  echo "Usage: start-dfs.sh [-upgrade|-rollback] [-clusterId]"
+}
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hdfs-config.sh." 2>&1
+  exit 1
+fi
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hdfs-config.sh
 
 # get arguments
-if [ $# -ge 1 ]; then
-	nameStartOpt="$1"
-	shift
-	case "$nameStartOpt" in
-	  (-upgrade)
-	  	;;
-	  (-rollback) 
-	  	dataStartOpt="$nameStartOpt"
-	  	;;
-	  (*)
-		  echo $usage
-		  exit 1
-	    ;;
-	esac
+if [[ $# -ge 1 ]]; then
+  nameStartOpt="$1"
+  shift
+  case "$nameStartOpt" in
+    -upgrade)
+    ;;
+    -rollback)
+      dataStartOpt="$nameStartOpt"
+    ;;
+    *)
+      hadoop_exit_with_usage 1
+    ;;
+  esac
 fi
 
+
 #Add other possible options
 nameStartOpt="$nameStartOpt $@"
 
 #---------------------------------------------------------
 # namenodes
 
-NAMENODES=$($HADOOP_PREFIX/bin/hdfs getconf -namenodes)
+NAMENODES=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -namenodes 2>/dev/null)
+
+if [[ -z "${NAMENODES}" ]]; then
+  NAMENODES=$(hostname)
+fi
 
 echo "Starting namenodes on [$NAMENODES]"
 
-"$HADOOP_PREFIX/sbin/hadoop-daemons.sh" \
-  --config "$HADOOP_CONF_DIR" \
-  --hostnames "$NAMENODES" \
-  --script "$bin/hdfs" start namenode $nameStartOpt
+"${bin}/hadoop-daemons.sh" \
+--config "${HADOOP_CONF_DIR}" \
+--hostnames "${NAMENODES}" \
+start namenode ${nameStartOpt}
 
 #---------------------------------------------------------
 # datanodes (using default slaves file)
 
-if [ -n "$HADOOP_SECURE_DN_USER" ]; then
-  echo \
-    "Attempting to start secure cluster, skipping datanodes. " \
-    "Run start-secure-dns.sh as root to complete startup."
+if [[ -n "${HADOOP_SECURE_DN_USER}" ]] &&
+[[ -z "${HADOOP_SECURE_COMMAND}" ]]; then
+  echo "ERROR: Attempting to start secure cluster, skipping datanodes. "
+  echo "Run start-secure-dns.sh as root or configure "
+  echo "\${HADOOP_SECURE_COMMAND} to complete startup."
 else
-  "$HADOOP_PREFIX/sbin/hadoop-daemons.sh" \
-    --config "$HADOOP_CONF_DIR" \
-    --script "$bin/hdfs" start datanode $dataStartOpt
+  
+  echo "Starting datanodes"
+  
+  "${bin}/hadoop-daemons.sh" \
+  --config "${HADOOP_CONF_DIR}" \
+  start datanode ${dataStartOpt}
 fi
 
 #---------------------------------------------------------
 # secondary namenodes (if any)
 
-SECONDARY_NAMENODES=$($HADOOP_PREFIX/bin/hdfs getconf -secondarynamenodes 2>/dev/null)
+SECONDARY_NAMENODES=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -secondarynamenodes 2>/dev/null)
 
-if [ -n "$SECONDARY_NAMENODES" ]; then
-  echo "Starting secondary namenodes [$SECONDARY_NAMENODES]"
+if [[ "${SECONDARY_NAMENODES}" == "0.0.0.0" ]]; then
+  SECONDARY_NAMENODES=$(hostname)
+fi
 
-  "$HADOOP_PREFIX/sbin/hadoop-daemons.sh" \
-      --config "$HADOOP_CONF_DIR" \
-      --hostnames "$SECONDARY_NAMENODES" \
-      --script "$bin/hdfs" start secondarynamenode
+if [[ -n "${SECONDARY_NAMENODES}" ]]; then
+  echo "Starting secondary namenodes [${SECONDARY_NAMENODES}]"
+  
+  "${bin}/hadoop-daemons.sh" \
+  --config "${HADOOP_CONF_DIR}" \
+  --hostnames "${SECONDARY_NAMENODES}" \
+  start secondarynamenode
 fi
 
 #---------------------------------------------------------
 # quorumjournal nodes (if any)
 
-SHARED_EDITS_DIR=$($HADOOP_PREFIX/bin/hdfs getconf -confKey dfs.namenode.shared.edits.dir 2>&-)
+SHARED_EDITS_DIR=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -confKey dfs.namenode.shared.edits.dir 2>&-)
 
-case "$SHARED_EDITS_DIR" in
-qjournal://*)
-  JOURNAL_NODES=$(echo "$SHARED_EDITS_DIR" | sed 's,qjournal://\([^/]*\)/.*,\1,g; s/;/ /g; s/:[0-9]*//g')
-  echo "Starting journal nodes [$JOURNAL_NODES]"
-  "$HADOOP_PREFIX/sbin/hadoop-daemons.sh" \
-      --config "$HADOOP_CONF_DIR" \
-      --hostnames "$JOURNAL_NODES" \
-      --script "$bin/hdfs" start journalnode ;;
+case "${SHARED_EDITS_DIR}" in
+  qjournal://*)
+    JOURNAL_NODES=$(echo "${SHARED_EDITS_DIR}" | sed 's,qjournal://\([^/]*\)/.*,\1,g; s/;/ /g; s/:[0-9]*//g')
+    echo "Starting journal nodes [${JOURNAL_NODES}]"
+    "${bin}/hadoop-daemons.sh" \
+    --config "${HADOOP_CONF_DIR}" \
+    --hostnames "${JOURNAL_NODES}" \
+    start journalnode
+  ;;
 esac
 
 #---------------------------------------------------------
 # ZK Failover controllers, if auto-HA is enabled
-AUTOHA_ENABLED=$($HADOOP_PREFIX/bin/hdfs getconf -confKey dfs.ha.automatic-failover.enabled)
-if [ "$(echo "$AUTOHA_ENABLED" | tr A-Z a-z)" = "true" ]; then
-  echo "Starting ZK Failover Controllers on NN hosts [$NAMENODES]"
-  "$HADOOP_PREFIX/sbin/hadoop-daemons.sh" \
-    --config "$HADOOP_CONF_DIR" \
-    --hostnames "$NAMENODES" \
-    --script "$bin/hdfs" start zkfc
+AUTOHA_ENABLED=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -confKey dfs.ha.automatic-failover.enabled | tr '[:upper:]' '[:lower:]')
+if [[ "${AUTOHA_ENABLED}" = "true" ]]; then
+  echo "Starting ZK Failover Controllers on NN hosts [${NAMENODES}]"
+  "${bin}/hadoop-daemons.sh" \
+  --config "${HADOOP_CONF_DIR}" \
+  --hostnames "${NAMENODES}" \
+  start zkfc
 fi
 
 # eof
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-secure-dns.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-secure-dns.sh
index 7ddf6879229..ab69cc237ee 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-secure-dns.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-secure-dns.sh
@@ -17,17 +17,33 @@
 
 # Run as root to start secure datanodes in a security-enabled cluster.
 
-usage="Usage (run as root in order to start secure datanodes): start-secure-dns.sh"
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
+function hadoop_usage {
+  echo "Usage: start-secure-dns.sh"
+}
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hdfs-config.sh
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
 
-if [ "$EUID" -eq 0 ] && [ -n "$HADOOP_SECURE_DN_USER" ]; then
-  "$HADOOP_PREFIX"/sbin/hadoop-daemons.sh --config $HADOOP_CONF_DIR --script "$bin"/hdfs start datanode $dataStartOpt
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
 else
-  echo $usage
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hdfs-config.sh." 2>&1
+  exit 1
+fi
+
+if [[ "${EUID}" -eq 0 ]] && [[ -n "${HADOOP_SECURE_DN_USER}" ]]; then
+  exec "${bin}/hadoop-daemons.sh" --config "${HADOOP_CONF_DIR}" start datanode "${dataStartOpt}"
+else
+  echo hadoop_usage_and_exit 1
 fi
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-balancer.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-balancer.sh
index df824560cc3..718f8674369 100755
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-balancer.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-balancer.sh
@@ -15,14 +15,32 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
+function hadoop_usage
+{
+  echo "Usage: stop-balancer.sh [--config confdir]"
+}
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hdfs-config.sh
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hdfs-config.sh." 2>&1
+  exit 1
+fi
 
 # Stop balancer daemon.
 # Run this on the machine where the balancer is running
 
-"$HADOOP_PREFIX"/sbin/hadoop-daemon.sh --config $HADOOP_CONF_DIR --script "$bin"/hdfs stop balancer
+"${bin}/hadoop-daemon.sh" --config "${HADOOP_CONF_DIR}" stop balancer
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-dfs.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-dfs.sh
index 6a622fae473..4f4d4f40178 100755
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-dfs.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-dfs.sh
@@ -15,75 +15,100 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
+function hadoop_usage
+{
+  echo "Usage: start-balancer.sh [--config confdir]  [-policy <policy>] [-threshold <threshold>]"
+}
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hdfs-config.sh
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hdfs-config.sh." 2>&1
+  exit 1
+fi
 
 #---------------------------------------------------------
 # namenodes
 
-NAMENODES=$($HADOOP_PREFIX/bin/hdfs getconf -namenodes)
+NAMENODES=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -namenodes)
 
 echo "Stopping namenodes on [$NAMENODES]"
 
-"$HADOOP_PREFIX/sbin/hadoop-daemons.sh" \
-  --config "$HADOOP_CONF_DIR" \
-  --hostnames "$NAMENODES" \
-  --script "$bin/hdfs" stop namenode
+"${bin}/hadoop-daemons.sh" \
+--config "${HADOOP_CONF_DIR}" \
+--hostnames "${NAMENODES}" \
+stop namenode
 
 #---------------------------------------------------------
 # datanodes (using default slaves file)
 
-if [ -n "$HADOOP_SECURE_DN_USER" ]; then
+if [[ -n "${HADOOP_SECURE_DN_USER}" ]] &&
+[[ -z "${HADOOP_SECURE_COMMAND}" ]]; then
   echo \
-    "Attempting to stop secure cluster, skipping datanodes. " \
-    "Run stop-secure-dns.sh as root to complete shutdown."
+  "ERROR: Attempting to stop secure cluster, skipping datanodes. " \
+  "Run stop-secure-dns.sh as root to complete shutdown."
 else
-  "$HADOOP_PREFIX/sbin/hadoop-daemons.sh" \
-    --config "$HADOOP_CONF_DIR" \
-    --script "$bin/hdfs" stop datanode
+  
+  echo "Stopping datanodes"
+  
+  "${bin}/hadoop-daemons.sh" --config "${HADOOP_CONF_DIR}" stop datanode
 fi
 
 #---------------------------------------------------------
 # secondary namenodes (if any)
 
-SECONDARY_NAMENODES=$($HADOOP_PREFIX/bin/hdfs getconf -secondarynamenodes 2>/dev/null)
+SECONDARY_NAMENODES=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -secondarynamenodes 2>/dev/null)
 
-if [ -n "$SECONDARY_NAMENODES" ]; then
-  echo "Stopping secondary namenodes [$SECONDARY_NAMENODES]"
+if [[ "${SECONDARY_NAMENODES}" == "0.0.0.0" ]]; then
+  SECONDARY_NAMENODES=$(hostname)
+fi
 
-  "$HADOOP_PREFIX/sbin/hadoop-daemons.sh" \
-      --config "$HADOOP_CONF_DIR" \
-      --hostnames "$SECONDARY_NAMENODES" \
-      --script "$bin/hdfs" stop secondarynamenode
+if [[ -n "${SECONDARY_NAMENODES}" ]]; then
+  echo "Stopping secondary namenodes [${SECONDARY_NAMENODES}]"
+  
+  "${bin}/hadoop-daemons.sh" \
+  --config "${HADOOP_CONF_DIR}" \
+  --hostnames "${SECONDARY_NAMENODES}" \
+  stop secondarynamenode
 fi
 
 #---------------------------------------------------------
 # quorumjournal nodes (if any)
 
-SHARED_EDITS_DIR=$($HADOOP_PREFIX/bin/hdfs getconf -confKey dfs.namenode.shared.edits.dir 2>&-)
+SHARED_EDITS_DIR=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -confKey dfs.namenode.shared.edits.dir 2>&-)
 
-case "$SHARED_EDITS_DIR" in
-qjournal://*)
-  JOURNAL_NODES=$(echo "$SHARED_EDITS_DIR" | sed 's,qjournal://\([^/]*\)/.*,\1,g; s/;/ /g; s/:[0-9]*//g')
-  echo "Stopping journal nodes [$JOURNAL_NODES]"
-  "$HADOOP_PREFIX/sbin/hadoop-daemons.sh" \
-      --config "$HADOOP_CONF_DIR" \
-      --hostnames "$JOURNAL_NODES" \
-      --script "$bin/hdfs" stop journalnode ;;
+case "${SHARED_EDITS_DIR}" in
+  qjournal://*)
+    JOURNAL_NODES=$(echo "${SHARED_EDITS_DIR}" | sed 's,qjournal://\([^/]*\)/.*,\1,g; s/;/ /g; s/:[0-9]*//g')
+    echo "Stopping journal nodes [${JOURNAL_NODES}]"
+    "${bin}/hadoop-daemons.sh" \
+    --config "${HADOOP_CONF_DIR}" \
+    --hostnames "${JOURNAL_NODES}" \
+    stop journalnode
+  ;;
 esac
 
 #---------------------------------------------------------
 # ZK Failover controllers, if auto-HA is enabled
-AUTOHA_ENABLED=$($HADOOP_PREFIX/bin/hdfs getconf -confKey dfs.ha.automatic-failover.enabled)
-if [ "$(echo "$AUTOHA_ENABLED" | tr A-Z a-z)" = "true" ]; then
-  echo "Stopping ZK Failover Controllers on NN hosts [$NAMENODES]"
-  "$HADOOP_PREFIX/sbin/hadoop-daemons.sh" \
-    --config "$HADOOP_CONF_DIR" \
-    --hostnames "$NAMENODES" \
-    --script "$bin/hdfs" stop zkfc
+AUTOHA_ENABLED=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -confKey dfs.ha.automatic-failover.enabled | tr '[:upper:]' '[:lower:]')
+if [[ "${AUTOHA_ENABLED}" = "true" ]]; then
+  echo "Stopping ZK Failover Controllers on NN hosts [${NAMENODES}]"
+  "${bin}/hadoop-daemons.sh" \
+  --config "${HADOOP_CONF_DIR}" \
+  --hostnames "${NAMENODES}" \
+  stop zkfc
 fi
 # eof
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-secure-dns.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-secure-dns.sh
index fdd47c3891a..efce92edee8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-secure-dns.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-secure-dns.sh
@@ -17,17 +17,33 @@
 
 # Run as root to start secure datanodes in a security-enabled cluster.
 
-usage="Usage (run as root in order to stop secure datanodes): stop-secure-dns.sh"
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
+function hadoop_usage {
+  echo "Usage (run as root in order to stop secure datanodes): stop-secure-dns.sh"
+}
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/hdfs-config.sh
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
 
-if [ "$EUID" -eq 0 ] && [ -n "$HADOOP_SECURE_DN_USER" ]; then
-  "$HADOOP_PREFIX"/sbin/hadoop-daemons.sh --config $HADOOP_CONF_DIR --script "$bin"/hdfs stop datanode
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
 else
-  echo $usage
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hdfs-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/hdfs-config.sh." 2>&1
+  exit 1
+fi
+
+if [[ "${EUID}" -eq 0 ]] && [[ -n "${HADOOP_SECURE_DN_USER}" ]]; then
+  "${bin}/hadoop-daemons.sh" --config "${HADOOP_CONF_DIR}" stop datanode
+else
+  hadoop_exit_with_usage 1
 fi
diff --git a/hadoop-mapreduce-project/bin/mapred b/hadoop-mapreduce-project/bin/mapred
index b95c7cd4f94..340a95b8a32 100755
--- a/hadoop-mapreduce-project/bin/mapred
+++ b/hadoop-mapreduce-project/bin/mapred
@@ -15,138 +15,129 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-bin=`which $0`
-bin=`dirname ${bin}`
-bin=`cd "$bin" > /dev/null; pwd`
-
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-if [ -e ${HADOOP_LIBEXEC_DIR}/mapred-config.sh ]; then
-  . ${HADOOP_LIBEXEC_DIR}/mapred-config.sh
-else
-  . "$bin/mapred-config.sh"
-fi
-
-function print_usage(){
-  echo "Usage: mapred [--config confdir] COMMAND"
+function hadoop_usage
+{
+  echo "Usage: mapred [--config confdir] [--daemon (start|stop|status)] COMMAND"
   echo "       where COMMAND is one of:"
-  echo "  pipes                run a Pipes job"
-  echo "  job                  manipulate MapReduce jobs"
-  echo "  queue                get information regarding JobQueues"
+  
+  echo "  archive -archiveName NAME -p <parent path> <src>* <dest> create a hadoop archive"
   echo "  classpath            prints the class path needed for running"
   echo "                       mapreduce subcommands"
-  echo "  historyserver        run job history servers as a standalone daemon"
   echo "  distcp <srcurl> <desturl> copy file or directories recursively"
-  echo "  archive -archiveName NAME -p <parent path> <src>* <dest> create a hadoop archive"
-  echo "  hsadmin              job history server admin interface"
+  echo "  job                  manipulate MapReduce jobs"
+  echo "  historyserver        run job history servers as a standalone daemon"
+  echo "  pipes                run a Pipes job"
+  echo "  queue                get information regarding JobQueues"
+  echo "  sampler              sampler"
   echo ""
   echo "Most commands print help when invoked w/o parameters."
 }
 
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/mapred-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/mapred-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/mapred-config.sh." 2>&1
+  exit 1
+fi
+
+
 if [ $# = 0 ]; then
-  print_usage
-  exit
+  hadoop_exit_with_usage 1
 fi
 
 COMMAND=$1
 shift
 
-case $COMMAND in
-  # usage flags
-  --help|-help|-h)
-    print_usage
-    exit
-    ;;
+case ${COMMAND} in
+  mradmin|jobtracker|tasktracker|groups)
+    echo "Sorry, the ${COMMAND} command is no longer supported."
+    echo "You may find similar functionality with the \"yarn\" shell command."
+    hadoop_exit_with_usage 1
+  ;;
+  archive)
+    CLASS=org.apache.hadoop.tools.HadoopArchives
+    hadoop_add_classpath "${TOOL_PATH}"
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
+  ;;
+  classpath)
+    hadoop_finalize
+    echo "${CLASSPATH}"
+    exit 0
+  ;;
+  distcp)
+    CLASS=org.apache.hadoop.tools.DistCp
+    hadoop_add_classpath "${TOOL_PATH}"
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
+  ;;
+  historyserver)
+    daemon="true"
+    CLASS=org.apache.hadoop.mapreduce.v2.hs.JobHistoryServer
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_JOB_HISTORYSERVER_OPTS}"
+    if [ -n "${HADOOP_JOB_HISTORYSERVER_HEAPSIZE}" ]; then
+      JAVA_HEAP_MAX="-Xmx${HADOOP_JOB_HISTORYSERVER_HEAPSIZE}m"
+    fi
+    HADOOP_DAEMON_ROOT_LOGGER=${HADOOP_JHS_LOGGER:-$HADOOP_DAEMON_ROOT_LOGGER}
+  ;;
+  job)
+    CLASS=org.apache.hadoop.mapred.JobClient
+  ;;
+  pipes)
+    CLASS=org.apache.hadoop.mapred.pipes.Submitter
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
+  ;;
+  queue)
+    CLASS=org.apache.hadoop.mapred.JobQueueClient
+  ;;
+  sampler)
+    CLASS=org.apache.hadoop.mapred.lib.InputSampler
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
+  ;;
+  -*|*)
+    hadoop_exit_with_usage 1
+  ;;
 esac
 
-if [ "$COMMAND" = "job" ] ; then
-  CLASS=org.apache.hadoop.mapred.JobClient
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-elif [ "$COMMAND" = "queue" ] ; then
-  CLASS=org.apache.hadoop.mapred.JobQueueClient
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-elif [ "$COMMAND" = "pipes" ] ; then
-  CLASS=org.apache.hadoop.mapred.pipes.Submitter
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-elif [ "$COMMAND" = "sampler" ] ; then
-  CLASS=org.apache.hadoop.mapred.lib.InputSampler
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-elif [ "$COMMAND" = "classpath" ] ; then
-  echo -n 
-elif [ "$COMMAND" = "historyserver" ] ; then
-  CLASS=org.apache.hadoop.mapreduce.v2.hs.JobHistoryServer
-  HADOOP_OPTS="$HADOOP_OPTS -Dmapred.jobsummary.logger=${HADOOP_JHS_LOGGER:-INFO,console} $HADOOP_JOB_HISTORYSERVER_OPTS"
-  if [ "$HADOOP_JOB_HISTORYSERVER_HEAPSIZE" != "" ]; then
-    JAVA_HEAP_MAX="-Xmx""$HADOOP_JOB_HISTORYSERVER_HEAPSIZE""m"
-  fi
-elif [ "$COMMAND" = "mradmin" ] \
-    || [ "$COMMAND" = "jobtracker" ] \
-    || [ "$COMMAND" = "tasktracker" ] \
-    || [ "$COMMAND" = "groups" ] ; then
-  echo "Sorry, the $COMMAND command is no longer supported."
-  echo "You may find similar functionality with the \"yarn\" shell command."
-  print_usage
-  exit 1
-elif [ "$COMMAND" = "distcp" ] ; then
-  CLASS=org.apache.hadoop.tools.DistCp
-  CLASSPATH=${CLASSPATH}:${TOOL_PATH}
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-elif [ "$COMMAND" = "archive" ] ; then
-  CLASS=org.apache.hadoop.tools.HadoopArchives
-  CLASSPATH=${CLASSPATH}:${TOOL_PATH}
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-elif [ "$COMMAND" = "hsadmin" ] ; then
-  CLASS=org.apache.hadoop.mapreduce.v2.hs.client.HSAdmin
-  HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
-else
-  echo $COMMAND - invalid command
-  print_usage
-  exit 1
+daemon_outfile="${HADOOP_LOG_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.out"
+daemon_pidfile="${HADOOP_PID_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}.pid"
+
+
+if [[  "${HADOOP_DAEMON_MODE}" != "default" ]]; then
+  # shellcheck disable=SC2034
+  HADOOP_ROOT_LOGGER="${HADOOP_DAEMON_ROOT_LOGGER}"
+  hadoop_add_param HADOOP_OPTS mapred.jobsummary.logger "-Dmapred.jobsummary.logger=${HADOOP_ROOT_LOGGER}"
+  # shellcheck disable=SC2034
+  HADOOP_LOGFILE="hadoop-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.log"
 fi
 
-# for developers, add mapred classes to CLASSPATH
-if [ -d "$HADOOP_MAPRED_HOME/build/classes" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_MAPRED_HOME/build/classes
-fi
-if [ -d "$HADOOP_MAPRED_HOME/build/webapps" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_MAPRED_HOME/build
-fi
-if [ -d "$HADOOP_MAPRED_HOME/build/test/classes" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_MAPRED_HOME/build/test/classes
-fi
-if [ -d "$HADOOP_MAPRED_HOME/build/tools" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_MAPRED_HOME/build/tools
-fi
-
-# for releases, add core mapred jar & webapps to CLASSPATH
-if [ -d "$HADOOP_PREFIX/${MAPRED_DIR}/webapps" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_PREFIX/${MAPRED_DIR}
-fi
-for f in $HADOOP_MAPRED_HOME/${MAPRED_DIR}/*.jar; do
-  CLASSPATH=${CLASSPATH}:$f;
-done
-
-# Need YARN jars also
-for f in $HADOOP_YARN_HOME/${YARN_DIR}/*.jar; do
-  CLASSPATH=${CLASSPATH}:$f;
-done
-
-# add libs to CLASSPATH
-for f in $HADOOP_MAPRED_HOME/${MAPRED_LIB_JARS_DIR}/*.jar; do
-  CLASSPATH=${CLASSPATH}:$f;
-done
-
-# add modules to CLASSPATH
-for f in $HADOOP_MAPRED_HOME/modules/*.jar; do
-  CLASSPATH=${CLASSPATH}:$f;
-done
-
-if [ "$COMMAND" = "classpath" ] ; then
-  echo $CLASSPATH
-  exit
-fi
-
-HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.security.logger=${HADOOP_SECURITY_LOGGER:-INFO,NullAppender}"
+hadoop_add_param HADOOP_OPTS Xmx "${JAVA_HEAP_MAX}"
+hadoop_finalize
 
 export CLASSPATH
-exec "$JAVA" -Dproc_$COMMAND $JAVA_HEAP_MAX $HADOOP_OPTS $CLASS "$@"
+
+if [[ -n "${daemon}" ]]; then
+  if [[ -n "${secure_service}" ]]; then
+    hadoop_secure_daemon_handler "${HADOOP_DAEMON_MODE}" "${COMMAND}"\
+    "${CLASS}" "${daemon_pidfile}" "${daemon_outfile}" \
+    "${priv_pidfile}" "${priv_outfile}" "${priv_errfile}" "$@"
+  else
+    hadoop_daemon_handler "${HADOOP_DAEMON_MODE}" "${COMMAND}" "${CLASS}" \
+    "${daemon_pidfile}" "${daemon_outfile}" "$@"
+  fi
+  exit $?
+else
+  hadoop_java_exec "${COMMAND}" "${CLASS}" "$@"
+fi
+
diff --git a/hadoop-mapreduce-project/bin/mapred-config.sh b/hadoop-mapreduce-project/bin/mapred-config.sh
index 254e0a0f430..c24d3509c48 100644
--- a/hadoop-mapreduce-project/bin/mapred-config.sh
+++ b/hadoop-mapreduce-project/bin/mapred-config.sh
@@ -18,35 +18,55 @@
 # included in all the mapred scripts with source command
 # should not be executed directly
 
-bin=`which "$0"`
-bin=`dirname "${bin}"`
-bin=`cd "$bin"; pwd`
+function hadoop_subproject_init
+{
+  if [ -e "${HADOOP_CONF_DIR}/mapred-env.sh" ]; then
+    . "${HADOOP_CONF_DIR}/mapred-env.sh"
+  fi
+  
+  # at some point in time, someone thought it would be a good idea to
+  # create separate vars for every subproject.  *sigh*
+  # let's perform some overrides and setup some defaults for bw compat
+  # this way the common hadoop var's == subproject vars and can be
+  # used interchangeable from here on out
+  # ...
+  # this should get deprecated at some point.
+  HADOOP_LOG_DIR="${HADOOP_MAPRED_LOG_DIR:-$HADOOP_LOG_DIR}"
+  HADOOP_MAPRED_LOG_DIR="${HADOOP_LOG_DIR}"
+  
+  HADOOP_LOGFILE="${HADOOP_MAPRED_LOGFILE:-$HADOOP_LOGFILE}"
+  HADOOP_MAPRED_LOGFILE="${HADOOP_LOGFILE}"
+  
+  HADOOP_NICENESS="${HADOOP_MAPRED_NICENESS:-$HADOOP_NICENESS}"
+  HADOOP_MAPRED_NICENESS="${HADOOP_NICENESS}"
+  
+  HADOOP_STOP_TIMEOUT="${HADOOP_MAPRED_STOP_TIMEOUT:-$HADOOP_STOP_TIMEOUT}"
+  HADOOP_MAPRED_STOP_TIMEOUT="${HADOOP_STOP_TIMEOUT}"
+  
+  HADOOP_PID_DIR="${HADOOP_MAPRED_PID_DIR:-$HADOOP_PID_DIR}"
+  HADOOP_MAPRED_PID_DIR="${HADOOP_PID_DIR}"
+  
+  HADOOP_ROOT_LOGGER="${HADOOP_MAPRED_ROOT_LOGGER:-INFO,console}"
+  HADOOP_MAPRED_ROOT_LOGGER="${HADOOP_ROOT_LOGGER}"
+  
+  HADOOP_MAPRED_HOME="${HADOOP_MAPRED_HOME:-$HADOOP_HOME_DIR}"
+  
+  HADOOP_IDENT_STRING="${HADOOP_MAPRED_IDENT_STRING:-$HADOOP_IDENT_STRING}"
+  HADOOP_MAPRED_IDENT_STRING="${HADOOP_IDENT_STRING}"
+}
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-if [ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]; then
+if [[ -z "${HADOOP_LIBEXEC_DIR}" ]]; then
+  _mc_this="${BASH_SOURCE-$0}"
+  HADOOP_LIBEXEC_DIR=$(cd -P -- "$(dirname -- "${_mc_this}")" >/dev/null && pwd -P)
+fi
+
+if [[ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
   . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
-elif [ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]; then
-  . "$HADOOP_COMMON_HOME"/libexec/hadoop-config.sh
-elif [ -e "${HADOOP_COMMON_HOME}/bin/hadoop-config.sh" ]; then
-  . "$HADOOP_COMMON_HOME"/bin/hadoop-config.sh
-elif [ -e "${HADOOP_HOME}/bin/hadoop-config.sh" ]; then
-  . "$HADOOP_HOME"/bin/hadoop-config.sh
-elif [ -e "${HADOOP_MAPRED_HOME}/bin/hadoop-config.sh" ]; then
-  . "$HADOOP_MAPRED_HOME"/bin/hadoop-config.sh
+elif [[ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]]; then
+  . "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh"
+elif [[ -e "${HADOOP_HOME}/libexec/hadoop-config.sh" ]]; then
+  . "${HADOOP_HOME}/libexec/hadoop-config.sh"
 else
   echo "Hadoop common not found."
   exit
 fi
-
-# Only set locally to use in HADOOP_OPTS. No need to export.
-# The following defaults are useful when somebody directly invokes bin/mapred.
-HADOOP_MAPRED_LOG_DIR=${HADOOP_MAPRED_LOG_DIR:-${HADOOP_MAPRED_HOME}/logs}
-HADOOP_MAPRED_LOGFILE=${HADOOP_MAPRED_LOGFILE:-hadoop.log}
-HADOOP_MAPRED_ROOT_LOGGER=${HADOOP_MAPRED_ROOT_LOGGER:-INFO,console}
-
-HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.log.dir=$HADOOP_MAPRED_LOG_DIR"
-HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.log.file=$HADOOP_MAPRED_LOGFILE"
-export HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.root.logger=${HADOOP_MAPRED_ROOT_LOGGER}"
-
-
diff --git a/hadoop-mapreduce-project/bin/mr-jobhistory-daemon.sh b/hadoop-mapreduce-project/bin/mr-jobhistory-daemon.sh
index 7585c9a81e8..7f6e6f1db68 100644
--- a/hadoop-mapreduce-project/bin/mr-jobhistory-daemon.sh
+++ b/hadoop-mapreduce-project/bin/mr-jobhistory-daemon.sh
@@ -15,133 +15,32 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+function hadoop_usage
+{
+  echo "Usage: mr-jobhistory-daemon.sh [--config confdir] (start|stop|status) <hadoop-command> <args...>"
+}
 
-#
-# Environment Variables
-#
-#   HADOOP_JHS_LOGGER  Hadoop JobSummary logger.
-#   HADOOP_CONF_DIR  Alternate conf dir. Default is ${HADOOP_MAPRED_HOME}/conf.
-#   HADOOP_MAPRED_PID_DIR   The pid files are stored. /tmp by default.
-#   HADOOP_MAPRED_NICENESS The scheduling priority for daemons. Defaults to 0.
-##
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  this="${BASH_SOURCE-$0}"
+  bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
 
-usage="Usage: mr-jobhistory-daemon.sh [--config <conf-dir>] (start|stop) <mapred-command> "
-
-# if no args specified, show usage
-if [ $# -le 1 ]; then
-  echo $usage
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/yarn-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/yarn-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/yarn-config.sh." 2>&1
   exit 1
 fi
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
-
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-if [ -e ${HADOOP_LIBEXEC_DIR}/mapred-config.sh ]; then
-  . $HADOOP_LIBEXEC_DIR/mapred-config.sh
-fi
-
-# get arguments
-startStop=$1
-shift
-command=$1
+daemonmode=$1
 shift
 
-hadoop_rotate_log ()
-{
-  log=$1;
-  num=5;
-  if [ -n "$2" ]; then
-    num=$2
-  fi
-  if [ -f "$log" ]; then # rotate logs
-    while [ $num -gt 1 ]; do
-      prev=`expr $num - 1`
-      [ -f "$log.$prev" ] && mv "$log.$prev" "$log.$num"
-      num=$prev
-    done
-    mv "$log" "$log.$num";
-  fi
-}
-
-if [ "$HADOOP_MAPRED_IDENT_STRING" = "" ]; then
-  export HADOOP_MAPRED_IDENT_STRING="$USER"
-fi
-
-export HADOOP_MAPRED_HOME=${HADOOP_MAPRED_HOME:-${HADOOP_PREFIX}}
-export HADOOP_MAPRED_LOGFILE=mapred-$HADOOP_MAPRED_IDENT_STRING-$command-$HOSTNAME.log
-export HADOOP_MAPRED_ROOT_LOGGER=${HADOOP_MAPRED_ROOT_LOGGER:-INFO,RFA}
-export HADOOP_JHS_LOGGER=${HADOOP_JHS_LOGGER:-INFO,JSA}
-
-if [ -f "${HADOOP_CONF_DIR}/mapred-env.sh" ]; then
-  . "${HADOOP_CONF_DIR}/mapred-env.sh"
-fi
-
-mkdir -p "$HADOOP_MAPRED_LOG_DIR"
-chown $HADOOP_MAPRED_IDENT_STRING $HADOOP_MAPRED_LOG_DIR
-
-if [ "$HADOOP_MAPRED_PID_DIR" = "" ]; then
-  HADOOP_MAPRED_PID_DIR=/tmp
-fi
-
-HADOOP_OPTS="$HADOOP_OPTS -Dhadoop.id.str=$HADOOP_MAPRED_IDENT_STRING"
-
-log=$HADOOP_MAPRED_LOG_DIR/mapred-$HADOOP_MAPRED_IDENT_STRING-$command-$HOSTNAME.out
-pid=$HADOOP_MAPRED_PID_DIR/mapred-$HADOOP_MAPRED_IDENT_STRING-$command.pid
-
-HADOOP_MAPRED_STOP_TIMEOUT=${HADOOP_MAPRED_STOP_TIMEOUT:-5}
-
-# Set default scheduling priority
-if [ "$HADOOP_MAPRED_NICENESS" = "" ]; then
-  export HADOOP_MAPRED_NICENESS=0
-fi
-
-case $startStop in
-
-  (start)
-
-    mkdir -p "$HADOOP_MAPRED_PID_DIR"
-
-    if [ -f $pid ]; then
-      if kill -0 `cat $pid` > /dev/null 2>&1; then
-        echo $command running as process `cat $pid`.  Stop it first.
-        exit 1
-      fi
-    fi
-
-    hadoop_rotate_log $log
-    echo starting $command, logging to $log
-    cd "$HADOOP_MAPRED_HOME"
-    nohup nice -n $HADOOP_MAPRED_NICENESS "$HADOOP_MAPRED_HOME"/bin/mapred --config $HADOOP_CONF_DIR $command "$@" > "$log" 2>&1 < /dev/null &
-    echo $! > $pid
-    sleep 1; head "$log"
-    ;;
-
-  (stop)
-
-    if [ -f $pid ]; then
-      TARGET_PID=`cat $pid`
-      if kill -0 $TARGET_PID > /dev/null 2>&1; then
-        echo stopping $command
-        kill $TARGET_PID
-        sleep $HADOOP_MAPRED_STOP_TIMEOUT
-        if kill -0 $TARGET_PID > /dev/null 2>&1; then
-          echo "$command did not stop gracefully after $HADOOP_MAPRED_STOP_TIMEOUT seconds: killing with kill -9"
-          kill -9 $TARGET_PID
-        fi
-      else
-        echo no $command to stop
-      fi
-      rm -f $pid
-    else
-      echo no $command to stop
-    fi
-    ;;
-
-  (*)
-    echo $usage
-    exit 1
-    ;;
-
-esac
+exec "${HADOOP_MAPRED_HOME}/bin/mapred" \
+--config "${HADOOP_CONF_DIR}" --daemon "${daemonmode}" "$@"
diff --git a/hadoop-mapreduce-project/conf/mapred-env.sh b/hadoop-mapreduce-project/conf/mapred-env.sh
index 6be1e279667..6c417a3a0fd 100644
--- a/hadoop-mapreduce-project/conf/mapred-env.sh
+++ b/hadoop-mapreduce-project/conf/mapred-env.sh
@@ -13,15 +13,59 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# export JAVA_HOME=/home/y/libexec/jdk1.6.0/
+##
+## THIS FILE ACTS AS AN OVERRIDE FOR hadoop-env.sh FOR ALL
+## WORK DONE BY THE mapred AND RELATED COMMANDS.
+##
+## Precedence rules:
+##
+## mapred-env.sh > hadoop-env.sh > hard-coded defaults
+##
+## MAPRED_xyz > HADOOP_xyz > hard-coded defaults
+##
 
-export HADOOP_JOB_HISTORYSERVER_HEAPSIZE=1000
+###
+# Generic settings for MapReduce
+###
 
-export HADOOP_MAPRED_ROOT_LOGGER=INFO,RFA
+#Override the log4j settings for all MR apps
+# export MAPRED_ROOT_LOGGER="INFO,console"
 
+# Override Hadoop's log directory & file
+# export HADOOP_MAPRED_LOG_DIR=""
+
+# Override Hadoop's pid directory
+# export HADOOP_MAPRED_PID_DIR=
+
+# Override Hadoop's identity string. $USER by default.
+# This is used in writing log and pid files, so keep that in mind!
+# export HADOOP_MAPRED_IDENT_STRING=$USER
+
+# Override Hadoop's process priority
+# Note that sub-processes will also run at this level!
+# export HADOOP_MAPRED_NICENESS=0
+
+###
+# Job History Server specific parameters
+###
+
+# Specify the max heapsize for the Job History Server using a numerical value
+# in the scale of MB. For example, to specify an jvm option of -Xmx1000m, set
+# the value to 1000.
+# This value will be overridden by an Xmx setting specified in either
+# MAPRED_OPTS, HADOOP_OPTS, and/or HADOOP_JOB_HISTORYSERVER_OPTS.
+# If not specified, the default value will be picked from either YARN_HEAPMAX
+# or JAVA_HEAP_MAX with YARN_HEAPMAX as the preferred option of the two.
+#
+#export HADOOP_JOB_HISTORYSERVER_HEAPSIZE=1000
+
+# Specify the JVM options to be used when starting the ResourceManager.
+# These options will be appended to the options specified as YARN_OPTS
+# and therefore may override any similar flags set in YARN_OPTS
 #export HADOOP_JOB_HISTORYSERVER_OPTS=
-#export HADOOP_MAPRED_LOG_DIR="" # Where log files are stored.  $HADOOP_MAPRED_HOME/logs by default.
-#export HADOOP_JHS_LOGGER=INFO,RFA # Hadoop JobSummary logger.
-#export HADOOP_MAPRED_PID_DIR= # The pid files are stored. /tmp by default.
-#export HADOOP_MAPRED_IDENT_STRING= #A string representing this instance of hadoop. $USER by default
-#export HADOOP_MAPRED_NICENESS= #The scheduling priority for daemons. Defaults to 0.
+
+# Specify the log4j settings for the JobHistoryServer
+#export HADOOP_JHS_LOGGER=INFO,RFA
+
+
+
diff --git a/hadoop-yarn-project/hadoop-yarn/bin/slaves.sh b/hadoop-yarn-project/hadoop-yarn/bin/slaves.sh
deleted file mode 100644
index 9b783b4f32e..00000000000
--- a/hadoop-yarn-project/hadoop-yarn/bin/slaves.sh
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/usr/bin/env bash
-
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-# Run a shell command on all slave hosts.
-#
-# Environment Variables
-#
-#   YARN_SLAVES    File naming remote hosts.
-#     Default is ${YARN_CONF_DIR}/slaves.
-#   YARN_CONF_DIR  Alternate conf dir. Default is ${HADOOP_YARN_HOME}/conf.
-#   YARN_SLAVE_SLEEP Seconds to sleep between spawning remote commands.
-#   YARN_SSH_OPTS Options passed to ssh when running remote commands.
-##
-
-usage="Usage: slaves.sh [--config confdir] command..."
-
-# if no args specified, show usage
-if [ $# -le 0 ]; then
-  echo $usage
-  exit 1
-fi
-
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
-
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/yarn-config.sh
-
-# If the slaves file is specified in the command line,
-# then it takes precedence over the definition in 
-# yarn-env.sh. Save it here.
-HOSTLIST=$YARN_SLAVES
-
-if [ -f "${YARN_CONF_DIR}/yarn-env.sh" ]; then
-  . "${YARN_CONF_DIR}/yarn-env.sh"
-fi
-
-if [ "$HOSTLIST" = "" ]; then
-  if [ "$YARN_SLAVES" = "" ]; then
-    export HOSTLIST="${YARN_CONF_DIR}/slaves"
-  else
-    export HOSTLIST="${YARN_SLAVES}"
-  fi
-fi
-
-for slave in `cat "$HOSTLIST"|sed  "s/#.*$//;/^$/d"`; do
- ssh $YARN_SSH_OPTS $slave $"${@// /\\ }" \
-   2>&1 | sed "s/^/$slave: /" &
- if [ "$YARN_SLAVE_SLEEP" != "" ]; then
-   sleep $YARN_SLAVE_SLEEP
- fi
-done
-
-wait
diff --git a/hadoop-yarn-project/hadoop-yarn/bin/start-yarn.sh b/hadoop-yarn-project/hadoop-yarn/bin/start-yarn.sh
index 40b77fb35ab..6803601b513 100644
--- a/hadoop-yarn-project/hadoop-yarn/bin/start-yarn.sh
+++ b/hadoop-yarn-project/hadoop-yarn/bin/start-yarn.sh
@@ -16,20 +16,34 @@
 # limitations under the License.
 
 
-# Start all yarn daemons.  Run this on master node.
+function hadoop_usage
+{
+  echo "Usage: start-yarn.sh [--config confdir]"
+}
 
-echo "starting yarn daemons"
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/yarn-config.sh
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/yarn-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/yarn-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/yarn-config.sh." 2>&1
+  exit 1
+fi
 
 # start resourceManager
-"$bin"/yarn-daemon.sh --config $YARN_CONF_DIR  start resourcemanager
+"${bin}/yarn-daemon.sh" --config "${YARN_CONF_DIR}"  start resourcemanager
 # start nodeManager
-"$bin"/yarn-daemons.sh --config $YARN_CONF_DIR  start nodemanager
+"${bin}/yarn-daemons.sh" --config "${YARN_CONF_DIR}"  start nodemanager
 # start proxyserver
-#"$bin"/yarn-daemon.sh --config $YARN_CONF_DIR  start proxyserver
+#"${bin}/yarn-daemon.sh" --config "${YARN_CONF_DIR}"  start proxyserver
diff --git a/hadoop-yarn-project/hadoop-yarn/bin/stop-yarn.sh b/hadoop-yarn-project/hadoop-yarn/bin/stop-yarn.sh
index a8498ef3ffd..605971b765b 100644
--- a/hadoop-yarn-project/hadoop-yarn/bin/stop-yarn.sh
+++ b/hadoop-yarn-project/hadoop-yarn/bin/stop-yarn.sh
@@ -18,18 +18,34 @@
 
 # Stop all yarn daemons.  Run this on master node.
 
-echo "stopping yarn daemons"
+function hadoop_usage
+{
+  echo "Usage: stop-yarn.sh [--config confdir]"
+}
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/yarn-config.sh
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
 
-# stop resourceManager
-"$bin"/yarn-daemon.sh --config $YARN_CONF_DIR  stop resourcemanager
-# stop nodeManager
-"$bin"/yarn-daemons.sh --config $YARN_CONF_DIR  stop nodemanager
-# stop proxy server
-"$bin"/yarn-daemon.sh --config $YARN_CONF_DIR  stop proxyserver
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/yarn-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/yarn-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/yarn-config.sh." 2>&1
+  exit 1
+fi
+
+# start resourceManager
+"${bin}/yarn-daemon.sh" --config "${YARN_CONF_DIR}"  stop resourcemanager
+# start nodeManager
+"${bin}/yarn-daemons.sh" --config "${YARN_CONF_DIR}"  stop nodemanager
+# start proxyserver
+#"${bin}/yarn-daemon.sh" --config "${YARN_CONF_DIR}"  stop proxyserver
diff --git a/hadoop-yarn-project/hadoop-yarn/bin/yarn b/hadoop-yarn-project/hadoop-yarn/bin/yarn
index 200ab27d381..2017d57feac 100644
--- a/hadoop-yarn-project/hadoop-yarn/bin/yarn
+++ b/hadoop-yarn-project/hadoop-yarn/bin/yarn
@@ -15,266 +15,182 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
-# The Hadoop command script
-#
-# Environment Variables
-#
-#   JAVA_HOME        The java implementation to use.  Overrides JAVA_HOME.
-#
-#   YARN_USER_CLASSPATH Additional user CLASSPATH entries.
-#
-#   YARN_USER_CLASSPATH_FIRST  If set to non empty value then the user classpath
-#                              specified in YARN_USER_CLASSPATH will be
-#                              appended at the beginning of YARN's final
-#                              classpath instead of at the end.
-#
-#   YARN_HEAPSIZE  The maximum amount of heap to use, in MB. 
-#                    Default is 1000.
-#
-#   YARN_{COMMAND}_HEAPSIZE overrides YARN_HEAPSIZE for a given command
-#                           eg YARN_NODEMANAGER_HEAPSIZE sets the heap
-#                           size for the NodeManager.  If you set the
-#                           heap size in YARN_{COMMAND}_OPTS or YARN_OPTS
-#                           they take precedence.
-#
-#   YARN_OPTS      Extra Java runtime options.
-#   
-#   YARN_CLIENT_OPTS         when the respective command is run.
-#   YARN_{COMMAND}_OPTS etc  YARN_NODEMANAGER_OPTS applies to NodeManager 
-#                              for e.g.  YARN_CLIENT_OPTS applies to 
-#                              more than one command (fs, dfs, fsck, 
-#                              dfsadmin etc)  
-#
-#   YARN_CONF_DIR  Alternate conf dir. Default is ${HADOOP_YARN_HOME}/conf.
-#
-#   YARN_ROOT_LOGGER The root appender. Default is INFO,console
-#
-
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin" > /dev/null; pwd`
-
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/yarn-config.sh
-
-function print_usage(){
-  echo "Usage: yarn [--config confdir] COMMAND"
+function hadoop_usage
+{
+  echo "Usage: yarn [--config confdir] [--daemon (start|stop|status)] COMMAND"
   echo "where COMMAND is one of:"
-  echo "  resourcemanager -format-state-store   deletes the RMStateStore"
-  echo "  resourcemanager                       run the ResourceManager"
-  echo "  nodemanager                           run a nodemanager on each slave"
-  echo "  timelineserver                        run the timeline server"
-  echo "  rmadmin                               admin tools"
-  echo "  version                               print the version"
-  echo "  jar <jar>                             run a jar file"
-  echo "  application                           prints application(s)"
-  echo "                                        report/kill application"
-  echo "  applicationattempt                    prints applicationattempt(s)"
-  echo "                                        report"
+  echo "  application                           prints application(s) report/kill application"
+  echo "  applicationattempt                    prints applicationattempt(s) report"
+  echo "  classpath                             prints the class path needed to get the"
+  echo "                                        Hadoop jar and the required libraries"
   echo "  container                             prints container(s) report"
-  echo "  node                                  prints node report(s)"
+  echo "  daemonlog                             get/set the log level for each daemon"
+  echo "  jar <jar>                             run a jar file"
   echo "  logs                                  dump container logs"
-  echo "  classpath                             prints the class path needed to"
-  echo "                                        get the Hadoop jar and the"
-  echo "                                        required libraries"
-  echo "  daemonlog                             get/set the log level for each"
-  echo "                                        daemon"
+  echo "  node                                  prints node report(s)"
+  echo "  nodemanager                           run a nodemanager on each slave"
+  echo "  proxyserver                           run the web app proxy server"
+  echo "  resourcemanager                       run the ResourceManager"
+  echo "  resourcemanager -format-state-store   deletes the RMStateStore"
+  echo "  rmadmin                               admin tools"
+  echo "  timelineserver                        run the timeline server"
+  echo "  version                               print the version"
   echo " or"
   echo "  CLASSNAME                             run the class named CLASSNAME"
   echo "Most commands print help when invoked w/o parameters."
 }
 
-# if no args specified, show usage
-if [ $# = 0 ]; then
-  print_usage
+
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  this="${BASH_SOURCE-$0}"
+  bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/yarn-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/yarn-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/yarn-config.sh." 2>&1
   exit 1
 fi
 
+# if no args specified, show usage
+if [[ $# = 0 ]]; then
+  hadoop_exit_with_usage 1
+fi
+
 # get arguments
 COMMAND=$1
 shift
 
-case $COMMAND in
-  # usage flags
-  --help|-help|-h)
-    print_usage
+case "${COMMAND}" in
+  application|applicationattempt|container)
+    CLASS=org.apache.hadoop.yarn.client.cli.ApplicationCLI
+    YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
+  ;;
+  classpath)
+    hadoop_finalize
+    echo "${CLASSPATH}"
     exit
-    ;;
+  ;;
+  daemonlog)
+    CLASS=org.apache.hadoop.log.LogLevel
+    YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
+  ;;
+  jar)
+    CLASS=org.apache.hadoop.util.RunJar
+    YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
+  ;;
+  historyserver)
+    daemon="true"
+    echo "DEPRECATED: Use of this command to start the timeline server is deprecated." 1>&2
+    echo "Instead use the timelineserver command for it." 1>&2
+    echo "Starting the History Server anyway..." 1>&2
+    CLASS='org.apache.hadoop.yarn.server.applicationhistoryservice.ApplicationHistoryServer'
+  ;;
+  logs)
+    CLASS=org.apache.hadoop.yarn.logaggregation.LogDumper
+    YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
+  ;;
+  node)
+    CLASS=org.apache.hadoop.yarn.client.cli.NodeCLI
+    YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
+  ;;
+  nodemanager)
+    daemon="true"
+    CLASS='org.apache.hadoop.yarn.server.nodemanager.NodeManager'
+    YARN_OPTS="${YARN_OPTS} ${YARN_NODEMANAGER_OPTS}"
+    if [[ -n "${YARN_NODEMANAGER_HEAPSIZE}" ]]; then
+      JAVA_HEAP_MAX="-Xmx${YARN_NODEMANAGER_HEAPSIZE}m"
+    fi
+  ;;
+  proxyserver)
+    daemon="true"
+    CLASS='org.apache.hadoop.yarn.server.webproxy.WebAppProxyServer'
+    YARN_OPTS="${YARN_OPTS} ${YARN_PROXYSERVER_OPTS}"
+    if [[ -n "${YARN_PROXYSERVER_HEAPSIZE}" ]]; then
+      JAVA_HEAP_MAX="-Xmx${YARN_PROXYSERVER_HEAPSIZE}m"
+    fi
+  ;;
+  resourcemanager)
+    daemon="true"
+    CLASS='org.apache.hadoop.yarn.server.resourcemanager.ResourceManager'
+    YARN_OPTS="${YARN_OPTS} ${YARN_RESOURCEMANAGER_OPTS}"
+    if [[ -n "${YARN_RESOURCEMANAGER_HEAPSIZE}" ]]; then
+      JAVA_HEAP_MAX="-Xmx${YARN_RESOURCEMANAGER_HEAPSIZE}m"
+    fi
+  ;;
+  rmadmin)
+    CLASS='org.apache.hadoop.yarn.client.cli.RMAdminCLI'
+    YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
+  ;;
+  timelineserver)
+    daemon="true"
+    CLASS='org.apache.hadoop.yarn.server.applicationhistoryservice.ApplicationHistoryServer'
+    YARN_OPTS="${YARN_OPTS} ${YARN_TIMELINESERVER_OPTS}"
+    if [[ -n "${YARN_TIMELINESERVER_HEAPSIZE}" ]]; then
+      JAVA_HEAP_MAX="-Xmx${YARN_TIMELINESERVER_HEAPSIZE}m"
+    fi
+  ;;
+  version)
+    CLASS=org.apache.hadoop.util.VersionInfo
+    YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
+  ;;
+  -*)
+    hadoop_exit_with_usage 1
+  ;;
+  *)
+    CLASS="${COMMAND}"
+  ;;
 esac
 
-if [ -f "${YARN_CONF_DIR}/yarn-env.sh" ]; then
-  . "${YARN_CONF_DIR}/yarn-env.sh"
+# set HADOOP_OPTS to YARN_OPTS so that we can use
+# finalize, etc, without doing anything funky
+HADOOP_OPTS="${YARN_OPTS}"
+
+daemon_outfile="${HADOOP_LOG_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.out"
+daemon_pidfile="${HADOOP_PID_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}.pid"
+
+if [[  "${HADOOP_DAEMON_MODE}" != "default" ]]; then
+  # shellcheck disable=SC2034
+  HADOOP_ROOT_LOGGER="${HADOOP_DAEMON_ROOT_LOGGER}"
+  YARN_ROOT_LOGGER="${HADOOP_DAEMON_ROOT_LOGGER}"
+  HADOOP_LOGFILE="hadoop-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.log"
 fi
 
-# some Java parameters
-if [ "$JAVA_HOME" != "" ]; then
-  #echo "run java in $JAVA_HOME"
-  JAVA_HOME=$JAVA_HOME
-fi
-  
-if [ "$JAVA_HOME" = "" ]; then
-  echo "Error: JAVA_HOME is not set."
-  exit 1
-fi
+hadoop_add_param HADOOP_OPTS Xmx "${JAVA_HEAP_MAX}"
 
-JAVA=$JAVA_HOME/bin/java
-JAVA_HEAP_MAX=-Xmx1000m 
+# Add YARN custom options to comamnd line in case someone actaully 
+# used these.
+#
+# Note that we are replacing ' ' with '\ ' so that when we exec
+# stuff it works
+#
+hadoop_add_param HADOOP_OPTS yarn.log.dir "-Dyarn.log.dir=${HADOOP_LOG_DIR/ /\ }"
+hadoop_add_param HADOOP_OPTS yarn.log.file "-Dyarn.log.file=${HADOOP_LOGFILE/ /\ }"
+hadoop_add_param HADOOP_OPTS yarn.home.dir "-Dyarn.home.dir=${HADOOP_YARN_HOME/ /\ }"
+hadoop_add_param HADOOP_OPTS yarn.root.logger "-Dyarn.root.logger=${YARN_ROOT_LOGGER:-INFO,console}"
 
-# check envvars which might override default args
-if [ "$YARN_HEAPSIZE" != "" ]; then
-  #echo "run with heapsize $YARN_HEAPSIZE"
-  JAVA_HEAP_MAX="-Xmx""$YARN_HEAPSIZE""m"
-  #echo $JAVA_HEAP_MAX
-fi
+hadoop_finalize
 
-# CLASSPATH initially contains $HADOOP_CONF_DIR & $YARN_CONF_DIR
-if [ ! -d "$HADOOP_CONF_DIR" ]; then
-  echo No HADOOP_CONF_DIR set. 
-  echo Please specify it either in yarn-env.sh or in the environment.
-  exit 1
-fi
+export CLASSPATH
 
-CLASSPATH="${HADOOP_CONF_DIR}:${YARN_CONF_DIR}:${CLASSPATH}"
-
-# for developers, add Hadoop classes to CLASSPATH
-if [ -d "$HADOOP_YARN_HOME/yarn-api/target/classes" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/yarn-api/target/classes
-fi
-if [ -d "$HADOOP_YARN_HOME/yarn-common/target/classes" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/yarn-common/target/classes
-fi
-if [ -d "$HADOOP_YARN_HOME/yarn-mapreduce/target/classes" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/yarn-mapreduce/target/classes
-fi
-if [ -d "$HADOOP_YARN_HOME/yarn-master-worker/target/classes" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/yarn-master-worker/target/classes
-fi
-if [ -d "$HADOOP_YARN_HOME/yarn-server/yarn-server-nodemanager/target/classes" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/yarn-server/yarn-server-nodemanager/target/classes
-fi
-if [ -d "$HADOOP_YARN_HOME/yarn-server/yarn-server-common/target/classes" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/yarn-server/yarn-server-common/target/classes
-fi
-if [ -d "$HADOOP_YARN_HOME/yarn-server/yarn-server-resourcemanager/target/classes" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/yarn-server/yarn-server-resourcemanager/target/classes
-fi
-if [ -d "$HADOOP_YARN_HOME/yarn-server/yarn-server-applicationhistoryservice/target/classes" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/yarn-server/yarn-server-applicationhistoryservice/target/classes
-fi
-if [ -d "$HADOOP_YARN_HOME/build/test/classes" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/target/test/classes
-fi
-if [ -d "$HADOOP_YARN_HOME/build/tools" ]; then
-  CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/build/tools
-fi
-
-CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/${YARN_DIR}/*
-CLASSPATH=${CLASSPATH}:$HADOOP_YARN_HOME/${YARN_LIB_JARS_DIR}/*
-
-# Add user defined YARN_USER_CLASSPATH to the class path (if defined)
-if [ -n "$YARN_USER_CLASSPATH" ]; then
-  if [ -n "$YARN_USER_CLASSPATH_FIRST" ]; then
-    # User requested to add the custom entries at the beginning
-    CLASSPATH=${YARN_USER_CLASSPATH}:${CLASSPATH}
+if [[ -n "${daemon}" ]]; then
+  if [[ -n "${secure_service}" ]]; then
+    hadoop_secure_daemon_handler "${HADOOP_DAEMON_MODE}" "${COMMAND}" \
+    "${CLASS}" "${daemon_pidfile}" "${daemon_outfile}" \
+    "${priv_pidfile}" "${priv_outfile}" "${priv_errfile}" "$@"
   else
-    # By default we will just append the extra entries at the end
-    CLASSPATH=${CLASSPATH}:${YARN_USER_CLASSPATH}
+    hadoop_daemon_handler "${HADOOP_DAEMON_MODE}" "${COMMAND}" "${CLASS}" \
+    "${daemon_pidfile}" "${daemon_outfile}" "$@"
   fi
-fi
-
-# so that filenames w/ spaces are handled correctly in loops below
-IFS=
-
-# default log directory & file
-if [ "$YARN_LOG_DIR" = "" ]; then
-  YARN_LOG_DIR="$HADOOP_YARN_HOME/logs"
-fi
-if [ "$YARN_LOGFILE" = "" ]; then
-  YARN_LOGFILE='yarn.log'
-fi
-
-# restore ordinary behaviour
-unset IFS
-
-# figure out which class to run
-if [ "$COMMAND" = "classpath" ] ; then
-  echo $CLASSPATH
-  exit
-elif [ "$COMMAND" = "rmadmin" ] ; then
-  CLASS='org.apache.hadoop.yarn.client.cli.RMAdminCLI'
-  YARN_OPTS="$YARN_OPTS $YARN_CLIENT_OPTS"
-elif [ "$COMMAND" = "application" ] || 
-     [ "$COMMAND" = "applicationattempt" ] || 
-     [ "$COMMAND" = "container" ]; then
-  CLASS=org.apache.hadoop.yarn.client.cli.ApplicationCLI
-  YARN_OPTS="$YARN_OPTS $YARN_CLIENT_OPTS"
-  set -- $COMMAND $@
-elif [ "$COMMAND" = "node" ] ; then
-  CLASS=org.apache.hadoop.yarn.client.cli.NodeCLI
-  YARN_OPTS="$YARN_OPTS $YARN_CLIENT_OPTS"
-elif [ "$COMMAND" = "resourcemanager" ] ; then
-  CLASSPATH=${CLASSPATH}:$YARN_CONF_DIR/rm-config/log4j.properties
-  CLASS='org.apache.hadoop.yarn.server.resourcemanager.ResourceManager'
-  YARN_OPTS="$YARN_OPTS $YARN_RESOURCEMANAGER_OPTS"
-  if [ "$YARN_RESOURCEMANAGER_HEAPSIZE" != "" ]; then
-    JAVA_HEAP_MAX="-Xmx""$YARN_RESOURCEMANAGER_HEAPSIZE""m"
-  fi
-elif [ "$COMMAND" = "historyserver" ] ; then
-  echo "DEPRECATED: Use of this command to start the timeline server is deprecated." 1>&2
-  echo "Instead use the timelineserver command for it." 1>&2
-  CLASSPATH=${CLASSPATH}:$YARN_CONF_DIR/ahs-config/log4j.properties
-  CLASS='org.apache.hadoop.yarn.server.applicationhistoryservice.ApplicationHistoryServer'
-  YARN_OPTS="$YARN_OPTS $YARN_HISTORYSERVER_OPTS"
-  if [ "$YARN_HISTORYSERVER_HEAPSIZE" != "" ]; then
-    JAVA_HEAP_MAX="-Xmx""$YARN_HISTORYSERVER_HEAPSIZE""m"
-  fi
-elif [ "$COMMAND" = "timelineserver" ] ; then
-  CLASSPATH=${CLASSPATH}:$YARN_CONF_DIR/timelineserver-config/log4j.properties
-  CLASS='org.apache.hadoop.yarn.server.applicationhistoryservice.ApplicationHistoryServer'
-  YARN_OPTS="$YARN_OPTS $YARN_TIMELINESERVER_OPTS"
-  if [ "$YARN_TIMELINESERVER_HEAPSIZE" != "" ]; then
-    JAVA_HEAP_MAX="-Xmx""$YARN_TIMELINESERVER_HEAPSIZE""m"
-  fi
-elif [ "$COMMAND" = "nodemanager" ] ; then
-  CLASSPATH=${CLASSPATH}:$YARN_CONF_DIR/nm-config/log4j.properties
-  CLASS='org.apache.hadoop.yarn.server.nodemanager.NodeManager'
-  YARN_OPTS="$YARN_OPTS -server $YARN_NODEMANAGER_OPTS"
-  if [ "$YARN_NODEMANAGER_HEAPSIZE" != "" ]; then
-    JAVA_HEAP_MAX="-Xmx""$YARN_NODEMANAGER_HEAPSIZE""m"
-  fi
-elif [ "$COMMAND" = "proxyserver" ] ; then
-  CLASS='org.apache.hadoop.yarn.server.webproxy.WebAppProxyServer'
-  YARN_OPTS="$YARN_OPTS $YARN_PROXYSERVER_OPTS"
-  if [ "$YARN_PROXYSERVER_HEAPSIZE" != "" ]; then
-    JAVA_HEAP_MAX="-Xmx""$YARN_PROXYSERVER_HEAPSIZE""m"
-  fi
-elif [ "$COMMAND" = "version" ] ; then
-  CLASS=org.apache.hadoop.util.VersionInfo
-  YARN_OPTS="$YARN_OPTS $YARN_CLIENT_OPTS"
-elif [ "$COMMAND" = "jar" ] ; then
-  CLASS=org.apache.hadoop.util.RunJar
-  YARN_OPTS="$YARN_OPTS $YARN_CLIENT_OPTS"
-elif [ "$COMMAND" = "logs" ] ; then
-  CLASS=org.apache.hadoop.yarn.client.cli.LogsCLI
-  YARN_OPTS="$YARN_OPTS $YARN_CLIENT_OPTS"
-elif [ "$COMMAND" = "daemonlog" ] ; then
-  CLASS=org.apache.hadoop.log.LogLevel
-  YARN_OPTS="$YARN_OPTS $YARN_CLIENT_OPTS"
+  exit $?
 else
-  CLASS=$COMMAND
+  hadoop_java_exec "${COMMAND}" "${CLASS}" "$@"
 fi
-
-YARN_OPTS="$YARN_OPTS -Dhadoop.log.dir=$YARN_LOG_DIR"
-YARN_OPTS="$YARN_OPTS -Dyarn.log.dir=$YARN_LOG_DIR"
-YARN_OPTS="$YARN_OPTS -Dhadoop.log.file=$YARN_LOGFILE"
-YARN_OPTS="$YARN_OPTS -Dyarn.log.file=$YARN_LOGFILE"
-YARN_OPTS="$YARN_OPTS -Dyarn.home.dir=$HADOOP_YARN_HOME"
-YARN_OPTS="$YARN_OPTS -Dhadoop.home.dir=$HADOOP_YARN_HOME"
-YARN_OPTS="$YARN_OPTS -Dhadoop.root.logger=${YARN_ROOT_LOGGER:-INFO,console}"
-YARN_OPTS="$YARN_OPTS -Dyarn.root.logger=${YARN_ROOT_LOGGER:-INFO,console}"
-if [ "x$JAVA_LIBRARY_PATH" != "x" ]; then
-  YARN_OPTS="$YARN_OPTS -Djava.library.path=$JAVA_LIBRARY_PATH"
-fi  
-
-exec "$JAVA" -Dproc_$COMMAND $JAVA_HEAP_MAX $YARN_OPTS -classpath "$CLASSPATH" $CLASS "$@"
diff --git a/hadoop-yarn-project/hadoop-yarn/bin/yarn-config.sh b/hadoop-yarn-project/hadoop-yarn/bin/yarn-config.sh
index 3d67801efec..34d2d2d0a80 100644
--- a/hadoop-yarn-project/hadoop-yarn/bin/yarn-config.sh
+++ b/hadoop-yarn-project/hadoop-yarn/bin/yarn-config.sh
@@ -13,53 +13,81 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# included in all the hadoop scripts with source command
-# should not be executable directly
-bin=`which "$0"`
-bin=`dirname "${bin}"`
-bin=`cd "$bin"; pwd`
+function hadoop_subproject_init
+{
+  
+  # at some point in time, someone thought it would be a good idea to
+  # create separate vars for every subproject.  *sigh*
+  # let's perform some overrides and setup some defaults for bw compat
+  # this way the common hadoop var's == subproject vars and can be
+  # used interchangeable from here on out
+  # ...
+  # this should get deprecated at some point.
+  
+  if [[ -e "${YARN_CONF_DIR}/yarn-env.sh" ]]; then
+    . "${YARN_CONF_DIR}/yarn-env.sh"
+  elif [[ -e "${HADOOP_CONF_DIR}/yarn-env.sh" ]]; then
+    . "${HADOOP_CONF_DIR}/yarn-env.sh"
+  fi
+  
+  if [[ -n "${YARN_CONF_DIR}" ]]; then
+    HADOOP_CONF_DIR="${YARN_CONF_DIR}"
+  fi
+  
+  YARN_CONF_DIR="${HADOOP_CONF_DIR}"
+  
+  # YARN_CONF_DIR needs precedence over HADOOP_CONF_DIR
+  # and the various jar dirs
+  hadoop_add_classpath "${YARN_CONF_DIR}" before
+  
+  HADOOP_LOG_DIR="${YARN_LOG_DIR:-$HADOOP_LOG_DIR}"
+  YARN_LOG_DIR="${HADOOP_LOG_DIR}"
+  
+  HADOOP_LOGFILE="${YARN_LOGFILE:-$HADOOP_LOGFILE}"
+  YARN_LOGFILE="${HADOOP_LOGFILE}"
+  
+  HADOOP_NICENESS="${YARN_NICENESS:-$HADOOP_NICENESS}"
+  YARN_NICENESS="${HADOOP_NICENESS}"
+  
+  HADOOP_STOP_TIMEOUT="${YARN_STOP_TIMEOUT:-$HADOOP_STOP_TIMEOUT}"
+  YARN_STOP_TIMEOUT="${HADOOP_STOP_TIMEOUT}"
+  
+  HADOOP_PID_DIR="${YARN_PID_DIR:-$HADOOP_PID_DIR}"
+  YARN_PID_DIR="${HADOOP_PID_DIR}"
+  
+  HADOOP_ROOT_LOGGER="${YARN_ROOT_LOGGER:-INFO,console}"
+  YARN_ROOT_LOGGER="${HADOOP_ROOT_LOGGER}"
+  
+  HADOOP_YARN_HOME="${HADOOP_YARN_HOME:-$HADOOP_PREFIX}"
+  
+  HADOOP_IDENT_STRING="${YARN_IDENT_STRING:-$HADOOP_IDENT_STRING}"
+  YARN_IDENT_STRING="${HADOOP_IDENT_STRING}"
+  
+  YARN_OPTS="${YARN_OPTS:-$HADOOP_OPTS}"
+  
+  # YARN-1429 added the completely superfluous YARN_USER_CLASSPATH
+  # env var.  We're going to override HADOOP_USER_CLASSPATH to keep
+  # consistency with the rest of the duplicate/useless env vars
+  HADOOP_USER_CLASSPATH="${YARN_USER_CLASSPATH:-$HADOOP_USER_CLASSPATH}"
+  YARN_USER_CLASSPATH="${HADOOP_USER_CLASSPATH}"
+  
+  HADOOP_USER_CLASSPATH_FIRST="${YARN_USER_CLASSPATH_FIRST:-$HADOOP_USER_CLASSPATH_FIRST}"
+  YARN_USER_CLASSPATH_FIRST="${HADOOP_USER_CLASSPATH_FIRST}"
+}
 
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-if [ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]; then
-  . ${HADOOP_LIBEXEC_DIR}/hadoop-config.sh
-elif [ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]; then
-  . "$HADOOP_COMMON_HOME"/libexec/hadoop-config.sh
-elif [ -e "${HADOOP_HOME}/libexec/hadoop-config.sh" ]; then
-  . "$HADOOP_HOME"/libexec/hadoop-config.sh
+if [[ -z "${HADOOP_LIBEXEC_DIR}" ]]; then
+  _yc_this="${BASH_SOURCE-$0}"
+  HADOOP_LIBEXEC_DIR=$(cd -P -- "$(dirname -- "${_yc_this}")" >/dev/null && pwd -P)
+fi
+
+if [[ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
+elif [[ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]]; then
+  . "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh"
+elif [[ -e "${HADOOP_HOME}/libexec/hadoop-config.sh" ]]; then
+  . "${HADOOP_HOME}/libexec/hadoop-config.sh"
 else
   echo "Hadoop common not found."
   exit
 fi
 
-# Same glibc bug that discovered in Hadoop.
-# Without this you can see very large vmem settings on containers.
-export MALLOC_ARENA_MAX=${MALLOC_ARENA_MAX:-4}
-
-#check to see if the conf dir is given as an optional argument
-if [ $# -gt 1 ]
-then
-    if [ "--config" = "$1" ]
-	  then
-	      shift
-	      confdir=$1
-	      shift
-	      YARN_CONF_DIR=$confdir
-    fi
-fi
- 
-# Allow alternate conf dir location.
-export YARN_CONF_DIR="${HADOOP_CONF_DIR:-$HADOOP_YARN_HOME/conf}"
-
-#check to see it is specified whether to use the slaves or the
-# masters file
-if [ $# -gt 1 ]
-then
-    if [ "--hosts" = "$1" ]
-    then
-        shift
-        slavesfile=$1
-        shift
-        export YARN_SLAVES="${YARN_CONF_DIR}/$slavesfile"
-    fi
-fi
diff --git a/hadoop-yarn-project/hadoop-yarn/bin/yarn-daemon.sh b/hadoop-yarn-project/hadoop-yarn/bin/yarn-daemon.sh
index fbfa71d80df..b15448bdbcd 100644
--- a/hadoop-yarn-project/hadoop-yarn/bin/yarn-daemon.sh
+++ b/hadoop-yarn-project/hadoop-yarn/bin/yarn-daemon.sh
@@ -15,147 +15,32 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+function hadoop_usage
+{
+  echo "Usage: yarn-daemon.sh [--config confdir] (start|stop|status) <hadoop-command> <args...>"
+}
 
-# Runs a yarn command as a daemon.
-#
-# Environment Variables
-#
-#   YARN_CONF_DIR  Alternate conf dir. Default is ${HADOOP_YARN_HOME}/conf.
-#   YARN_LOG_DIR   Where log files are stored.  PWD by default.
-#   YARN_MASTER    host:path where hadoop code should be rsync'd from
-#   YARN_PID_DIR   The pid files are stored. /tmp by default.
-#   YARN_IDENT_STRING   A string representing this instance of hadoop. $USER by default
-#   YARN_NICENESS The scheduling priority for daemons. Defaults to 0.
-##
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  this="${BASH_SOURCE-$0}"
+  bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
 
-usage="Usage: yarn-daemon.sh [--config <conf-dir>] [--hosts hostlistfile] (start|stop) <yarn-command> "
-
-# if no args specified, show usage
-if [ $# -le 1 ]; then
-  echo $usage
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/yarn-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/yarn-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/yarn-config.sh." 2>&1
   exit 1
 fi
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
-
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/yarn-config.sh
-
-# get arguments
-startStop=$1
-shift
-command=$1
+daemonmode=$1
 shift
 
-hadoop_rotate_log ()
-{
-    log=$1;
-    num=5;
-    if [ -n "$2" ]; then
-	num=$2
-    fi
-    if [ -f "$log" ]; then # rotate logs
-	while [ $num -gt 1 ]; do
-	    prev=`expr $num - 1`
-	    [ -f "$log.$prev" ] && mv "$log.$prev" "$log.$num"
-	    num=$prev
-	done
-	mv "$log" "$log.$num";
-    fi
-}
-
-if [ -f "${YARN_CONF_DIR}/yarn-env.sh" ]; then
-  . "${YARN_CONF_DIR}/yarn-env.sh"
-fi
-
-if [ "$YARN_IDENT_STRING" = "" ]; then
-  export YARN_IDENT_STRING="$USER"
-fi
-
-# get log directory
-if [ "$YARN_LOG_DIR" = "" ]; then
-  export YARN_LOG_DIR="$HADOOP_YARN_HOME/logs"
-fi
-
-if [ ! -w "$YARN_LOG_DIR" ] ; then
-  mkdir -p "$YARN_LOG_DIR"
-  chown $YARN_IDENT_STRING $YARN_LOG_DIR 
-fi
-
-if [ "$YARN_PID_DIR" = "" ]; then
-  YARN_PID_DIR=/tmp
-fi
-
-# some variables
-export YARN_LOGFILE=yarn-$YARN_IDENT_STRING-$command-$HOSTNAME.log
-export YARN_ROOT_LOGGER=${YARN_ROOT_LOGGER:-INFO,RFA}
-log=$YARN_LOG_DIR/yarn-$YARN_IDENT_STRING-$command-$HOSTNAME.out
-pid=$YARN_PID_DIR/yarn-$YARN_IDENT_STRING-$command.pid
-YARN_STOP_TIMEOUT=${YARN_STOP_TIMEOUT:-5}
-
-# Set default scheduling priority
-if [ "$YARN_NICENESS" = "" ]; then
-    export YARN_NICENESS=0
-fi
-
-case $startStop in
-
-  (start)
-
-    [ -w "$YARN_PID_DIR" ] || mkdir -p "$YARN_PID_DIR"
-
-    if [ -f $pid ]; then
-      if kill -0 `cat $pid` > /dev/null 2>&1; then
-        echo $command running as process `cat $pid`.  Stop it first.
-        exit 1
-      fi
-    fi
-
-    if [ "$YARN_MASTER" != "" ]; then
-      echo rsync from $YARN_MASTER
-      rsync -a -e ssh --delete --exclude=.svn --exclude='logs/*' --exclude='contrib/hod/logs/*' $YARN_MASTER/ "$HADOOP_YARN_HOME"
-    fi
-
-    hadoop_rotate_log $log
-    echo starting $command, logging to $log
-    cd "$HADOOP_YARN_HOME"
-    nohup nice -n $YARN_NICENESS "$HADOOP_YARN_HOME"/bin/yarn --config $YARN_CONF_DIR $command "$@" > "$log" 2>&1 < /dev/null &
-    echo $! > $pid
-    sleep 1
-    head "$log"
-    # capture the ulimit output
-    echo "ulimit -a" >> $log
-    ulimit -a >> $log 2>&1
-    ;;
-          
-  (stop)
-
-    if [ -f $pid ]; then
-      TARGET_PID=`cat $pid`
-      if kill -0 $TARGET_PID > /dev/null 2>&1; then
-        echo stopping $command
-        kill $TARGET_PID
-        sleep $YARN_STOP_TIMEOUT
-        if kill -0 $TARGET_PID > /dev/null 2>&1; then
-          echo "$command did not stop gracefully after $YARN_STOP_TIMEOUT seconds: killing with kill -9"
-          kill -9 $TARGET_PID
-        fi
-      else
-        echo no $command to stop
-      fi
-      rm -f $pid
-    else
-      echo no $command to stop
-    fi
-    ;;
-
-  (*)
-    echo $usage
-    exit 1
-    ;;
-
-esac
-
-
+exec "${HADOOP_YARN_HOME}/bin/yarn" \
+--config "${HADOOP_CONF_DIR}" --daemon "${daemonmode}" "$@"
diff --git a/hadoop-yarn-project/hadoop-yarn/bin/yarn-daemons.sh b/hadoop-yarn-project/hadoop-yarn/bin/yarn-daemons.sh
index a7858e49690..1413a3dfacf 100644
--- a/hadoop-yarn-project/hadoop-yarn/bin/yarn-daemons.sh
+++ b/hadoop-yarn-project/hadoop-yarn/bin/yarn-daemons.sh
@@ -16,23 +16,31 @@
 # limitations under the License.
 
 
-# Run a Yarn command on all slave hosts.
+function hadoop_usage
+{
+  echo "Usage: yarn-daemons.sh [--config confdir] [--hosts hostlistfile] (start|stop|status) <yarn-command> <args...>"
+}
 
-usage="Usage: yarn-daemons.sh [--config confdir] [--hosts hostlistfile] [start
-|stop] command args..."
+this="${BASH_SOURCE-$0}"
+bin=$(cd -P -- "$(dirname -- "${this}")" >/dev/null && pwd -P)
 
-# if no args specified, show usage
-if [ $# -le 1 ]; then
-  echo $usage
+# let's locate libexec...
+if [[ -n "${HADOOP_PREFIX}" ]]; then
+  DEFAULT_LIBEXEC_DIR="${HADOOP_PREFIX}/libexec"
+else
+  DEFAULT_LIBEXEC_DIR="${bin}/../libexec"
+fi
+
+HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}"
+# shellcheck disable=SC2034
+HADOOP_NEW_CONFIG=true
+if [[ -f "${HADOOP_LIBEXEC_DIR}/yarn-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/yarn-config.sh"
+else
+  echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/yarn-config.sh." 2>&1
   exit 1
 fi
 
-bin=`dirname "${BASH_SOURCE-$0}"`
-bin=`cd "$bin"; pwd`
-
-DEFAULT_LIBEXEC_DIR="$bin"/../libexec
-HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
-. $HADOOP_LIBEXEC_DIR/yarn-config.sh
-
-exec "$bin/slaves.sh" --config $YARN_CONF_DIR cd "$HADOOP_YARN_HOME" \; "$bin/yarn-daemon.sh" --config $YARN_CONF_DIR "$@"
+hadoop_connect_to_hosts "${bin}/yarn-daemon.sh" \
+--config "${HADOOP_CONF_DIR}" "$@"
 
diff --git a/hadoop-yarn-project/hadoop-yarn/conf/yarn-env.sh b/hadoop-yarn-project/hadoop-yarn/conf/yarn-env.sh
index bced9b155db..755cfd88d8c 100644
--- a/hadoop-yarn-project/hadoop-yarn/conf/yarn-env.sh
+++ b/hadoop-yarn-project/hadoop-yarn/conf/yarn-env.sh
@@ -13,118 +13,115 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+##
+## THIS FILE ACTS AS AN OVERRIDE FOR hadoop-env.sh FOR ALL
+## WORK DONE BY THE yarn AND RELATED COMMANDS.
+##
+## Precedence rules:
+##
+## yarn-env.sh > hadoop-env.sh > hard-coded defaults
+##
+## YARN_xyz > HADOOP_xyz > hard-coded defaults
+##
+
+###
+# Generic settings for YARN
+###
+
 # User for YARN daemons
 export HADOOP_YARN_USER=${HADOOP_YARN_USER:-yarn}
 
-# resolve links - $0 may be a softlink
-export YARN_CONF_DIR="${YARN_CONF_DIR:-$HADOOP_YARN_HOME/conf}"
+#
+# By default, YARN will use HADOOP_CONF_DIR. Specify a custom
+# YARN_CONF_DIR here
+# export YARN_CONF_DIR="${YARN_CONF_DIR:-$HADOOP_YARN_HOME/conf}"
+#
 
-# some Java parameters
-# export JAVA_HOME=/home/y/libexec/jdk1.6.0/
-if [ "$JAVA_HOME" != "" ]; then
-  #echo "run java in $JAVA_HOME"
-  JAVA_HOME=$JAVA_HOME
-fi
-  
-if [ "$JAVA_HOME" = "" ]; then
-  echo "Error: JAVA_HOME is not set."
-  exit 1
-fi
+# Override Hadoop's log directory & file
+# export YARN_LOG_DIR="$HADOOP_YARN_HOME/logs"
+# export YARN_LOGFILE='yarn.log'
 
-JAVA=$JAVA_HOME/bin/java
-JAVA_HEAP_MAX=-Xmx1000m 
+# Need a custom-to-YARN service-level authorization policy file?
+# export YARN_POLICYFILE="yarn-policy.xml"
 
-# For setting YARN specific HEAP sizes please use this
-# Parameter and set appropriately
-# YARN_HEAPSIZE=1000
-
-# check envvars which might override default args
-if [ "$YARN_HEAPSIZE" != "" ]; then
-  JAVA_HEAP_MAX="-Xmx""$YARN_HEAPSIZE""m"
-fi
+#Override the log4j settings for all YARN apps
+# export YARN_ROOT_LOGGER="INFO,console"
 
+###
 # Resource Manager specific parameters
+###
 
-# Specify the max Heapsize for the ResourceManager using a numerical value
+# Specify the max heapsize for the ResourceManager using a numerical value
 # in the scale of MB. For example, to specify an jvm option of -Xmx1000m, set
 # the value to 1000.
-# This value will be overridden by an Xmx setting specified in either YARN_OPTS
-# and/or YARN_RESOURCEMANAGER_OPTS.
+# This value will be overridden by an Xmx setting specified in either YARN_OPTS,
+# HADOOP_OPTS, and/or YARN_RESOURCEMANAGER_OPTS.
 # If not specified, the default value will be picked from either YARN_HEAPMAX
 # or JAVA_HEAP_MAX with YARN_HEAPMAX as the preferred option of the two.
+#
 #export YARN_RESOURCEMANAGER_HEAPSIZE=1000
 
-# Specify the max Heapsize for the timeline server using a numerical value
-# in the scale of MB. For example, to specify an jvm option of -Xmx1000m, set
-# the value to 1000.
-# This value will be overridden by an Xmx setting specified in either YARN_OPTS
-# and/or YARN_TIMELINESERVER_OPTS.
-# If not specified, the default value will be picked from either YARN_HEAPMAX
-# or JAVA_HEAP_MAX with YARN_HEAPMAX as the preferred option of the two.
-#export YARN_TIMELINESERVER_HEAPSIZE=1000
-
 # Specify the JVM options to be used when starting the ResourceManager.
 # These options will be appended to the options specified as YARN_OPTS
 # and therefore may override any similar flags set in YARN_OPTS
-#export YARN_RESOURCEMANAGER_OPTS=
+#
+# Examples for a Sun/Oracle JDK:
+# a) override the appsummary log file:
+# export YARN_RESOURCEMANAGER_OPTS="-Dyarn.server.resourcemanager.appsummary.log.file=rm-appsummary.log -Dyarn.server.resourcemanager.appsummary.logger=INFO,RMSUMMARY"
+#
+# b) Set JMX options
+# export YARN_RESOURCEMANAGER_OPTS="-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=1026"
+#
+# c) Set garbage collection logs from hadoop-env.sh
+# export YARN_RESOURCE_MANAGER_OPTS="${HADOOP_GC_SETTINGS} -Xloggc:${HADOOP_LOG_DIR}/gc-rm.log-$(date +'%Y%m%d%H%M')"
+#
+# d) ... or set them directly
+# export YARN_RESOURCEMANAGER_OPTS="-verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps -Xloggc:${HADOOP_LOG_DIR}/gc-rm.log-$(date +'%Y%m%d%H%M')"
+#
+#
+# export YARN_RESOURCEMANAGER_OPTS=
 
+###
 # Node Manager specific parameters
+###
 
 # Specify the max Heapsize for the NodeManager using a numerical value
 # in the scale of MB. For example, to specify an jvm option of -Xmx1000m, set
 # the value to 1000.
-# This value will be overridden by an Xmx setting specified in either YARN_OPTS
-# and/or YARN_NODEMANAGER_OPTS.
+# This value will be overridden by an Xmx setting specified in either YARN_OPTS,
+# HADOOP_OPTS, and/or YARN_NODEMANAGER_OPTS.
 # If not specified, the default value will be picked from either YARN_HEAPMAX
 # or JAVA_HEAP_MAX with YARN_HEAPMAX as the preferred option of the two.
+#
 #export YARN_NODEMANAGER_HEAPSIZE=1000
 
 # Specify the JVM options to be used when starting the NodeManager.
 # These options will be appended to the options specified as YARN_OPTS
 # and therefore may override any similar flags set in YARN_OPTS
+#
+# See ResourceManager for some examples
+#
 #export YARN_NODEMANAGER_OPTS=
 
-# so that filenames w/ spaces are handled correctly in loops below
-IFS=
+###
+# TimeLineServer specifc parameters
+###
 
+# Specify the max Heapsize for the timeline server using a numerical value
+# in the scale of MB. For example, to specify an jvm option of -Xmx1000m, set
+# the value to 1000.
+# This value will be overridden by an Xmx setting specified in either YARN_OPTS,
+# HADOOP_OPTS, and/or YARN_TIMELINESERVER_OPTS.
+# If not specified, the default value will be picked from either YARN_HEAPMAX
+# or JAVA_HEAP_MAX with YARN_HEAPMAX as the preferred option of the two.
+#
+#export YARN_TIMELINESERVER_HEAPSIZE=1000
 
-# default log directory & file
-if [ "$YARN_LOG_DIR" = "" ]; then
-  YARN_LOG_DIR="$HADOOP_YARN_HOME/logs"
-fi
-if [ "$YARN_LOGFILE" = "" ]; then
-  YARN_LOGFILE='yarn.log'
-fi
-
-# default policy file for service-level authorization
-if [ "$YARN_POLICYFILE" = "" ]; then
-  YARN_POLICYFILE="hadoop-policy.xml"
-fi
-
-# restore ordinary behaviour
-unset IFS
-
-MAC_OSX=false
-case "`uname`" in
-Darwin*) MAC_OSX=true;;
-esac
-
-if $MAC_OSX; then
-  YARN_OPTS="$YARN_OPTS -Djava.security.krb5.realm= -Djava.security.krb5.kdc="
-fi
-
-
-YARN_OPTS="$YARN_OPTS -Dhadoop.log.dir=$YARN_LOG_DIR"
-YARN_OPTS="$YARN_OPTS -Dyarn.log.dir=$YARN_LOG_DIR"
-YARN_OPTS="$YARN_OPTS -Dhadoop.log.file=$YARN_LOGFILE"
-YARN_OPTS="$YARN_OPTS -Dyarn.log.file=$YARN_LOGFILE"
-YARN_OPTS="$YARN_OPTS -Dyarn.home.dir=$YARN_COMMON_HOME"
-YARN_OPTS="$YARN_OPTS -Dyarn.id.str=$YARN_IDENT_STRING"
-YARN_OPTS="$YARN_OPTS -Dhadoop.root.logger=${YARN_ROOT_LOGGER:-INFO,console}"
-YARN_OPTS="$YARN_OPTS -Dyarn.root.logger=${YARN_ROOT_LOGGER:-INFO,console}"
-if [ "x$JAVA_LIBRARY_PATH" != "x" ]; then
-  YARN_OPTS="$YARN_OPTS -Djava.library.path=$JAVA_LIBRARY_PATH"
-fi  
-YARN_OPTS="$YARN_OPTS -Dyarn.policy.file=$YARN_POLICYFILE"
-
+# Specify the JVM options to be used when starting the TimeLineServer.
+# These options will be appended to the options specified as YARN_OPTS
+# and therefore may override any similar flags set in YARN_OPTS
+#
+# See ResourceManager for some examples
+#
+#export YARN_TIMELINESERVER_OPTS=
 

From 375c221960abfd6a928677a25ab43503976c3e90 Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Tue, 19 Aug 2014 17:49:39 +0000
Subject: [PATCH 263/354] YARN-2409. RM ActiveToStandBy transition missing
 stoping previous rmDispatcher. Contributed by Rohith

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618915 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |  3 +++
 .../resourcemanager/ResourceManager.java      |  3 +++
 .../yarn/server/resourcemanager/TestRMHA.java | 23 +++++++++++++++++++
 3 files changed, 29 insertions(+)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 0bb4a8ccd68..31f53bdc1d6 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -211,6 +211,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2397. Avoided loading two authentication filters for RM and TS web
     interfaces. (Varun Vasudev via zjshen)
 
+    YARN-2409. RM ActiveToStandBy transition missing stoping previous rmDispatcher.
+    (Rohith via jianhe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
index 6fea90043bb..f315702df44 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
@@ -1161,6 +1161,9 @@ private void resetDispatcher() {
     ((Service)dispatcher).init(this.conf);
     ((Service)dispatcher).start();
     removeService((Service)rmDispatcher);
+    // Need to stop previous rmDispatcher before assigning new dispatcher
+    // otherwise causes "AsyncDispatcher event handler" thread leak
+    ((Service) rmDispatcher).stop();
     rmDispatcher = dispatcher;
     addIfService(rmDispatcher);
     rmContext.setDispatcher(rmDispatcher);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMHA.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMHA.java
index b8290de5127..1066b3a511a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMHA.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMHA.java
@@ -331,6 +331,10 @@ protected Dispatcher createDispatcher() {
     rm.adminService.transitionToStandby(requestInfo);
     rm.adminService.transitionToActive(requestInfo);
     rm.adminService.transitionToStandby(requestInfo);
+    
+    MyCountingDispatcher dispatcher =
+        (MyCountingDispatcher) rm.getRMContext().getDispatcher();
+    assertTrue(!dispatcher.isStopped());
 
     rm.adminService.transitionToActive(requestInfo);
     assertEquals(errorMessageForEventHandler, expectedEventHandlerCount,
@@ -339,6 +343,11 @@ protected Dispatcher createDispatcher() {
     assertEquals(errorMessageForService, expectedServiceCount,
         rm.getServices().size());
 
+    
+    // Keep the dispatcher reference before transitioning to standby
+    dispatcher = (MyCountingDispatcher) rm.getRMContext().getDispatcher();
+    
+    
     rm.adminService.transitionToStandby(requestInfo);
     assertEquals(errorMessageForEventHandler, expectedEventHandlerCount,
         ((MyCountingDispatcher) rm.getRMContext().getDispatcher())
@@ -346,6 +355,8 @@ protected Dispatcher createDispatcher() {
     assertEquals(errorMessageForService, expectedServiceCount,
         rm.getServices().size());
 
+    assertTrue(dispatcher.isStopped());
+    
     rm.stop();
   }
 
@@ -492,6 +503,8 @@ class MyCountingDispatcher extends AbstractService implements Dispatcher {
 
     private int eventHandlerCount;
 
+    private volatile boolean stopped = false;
+
     public MyCountingDispatcher() {
       super("MyCountingDispatcher");
       this.eventHandlerCount = 0;
@@ -510,5 +523,15 @@ public void register(Class<? extends Enum> eventType, EventHandler handler) {
     public int getEventHandlerCount() {
       return this.eventHandlerCount;
     }
+
+    @Override
+    protected void serviceStop() throws Exception {
+      this.stopped = true;
+      super.serviceStop();
+    }
+
+    public boolean isStopped() {
+      return this.stopped;
+    }
   }
 }

From bf9aa34dea8ccba3ad8fbead9c7cf51d3a54fd60 Mon Sep 17 00:00:00 2001
From: Colin McCabe <cmccabe@apache.org>
Date: Tue, 19 Aug 2014 18:10:00 +0000
Subject: [PATCH 264/354] HADOOP-10968. hadoop native build fails to detect
 java_libarch on ppc64le (Dinar Valeev via Colin Patrick McCabe)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618919 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt        | 3 +++
 hadoop-common-project/hadoop-common/src/JNIFlags.cmake | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index fad1c77db71..6e5b4adc1c7 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -623,6 +623,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10873. Fix dead link in Configuration javadoc (Akira AJISAKA 
     via aw)
 
+    HADOOP-10968. hadoop native build fails to detect java_libarch on
+    ppc64le (Dinar Valeev via Colin Patrick McCabe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/JNIFlags.cmake b/hadoop-common-project/hadoop-common/src/JNIFlags.cmake
index 8333285f2fe..c558fe8c55c 100644
--- a/hadoop-common-project/hadoop-common/src/JNIFlags.cmake
+++ b/hadoop-common-project/hadoop-common/src/JNIFlags.cmake
@@ -78,6 +78,12 @@ IF("${CMAKE_SYSTEM}" MATCHES "Linux")
         SET(_java_libarch "amd64")
     ELSEIF (CMAKE_SYSTEM_PROCESSOR MATCHES "^arm")
         SET(_java_libarch "arm")
+    ELSEIF (CMAKE_SYSTEM_PROCESSOR MATCHES "^(powerpc|ppc)64le")
+        IF(EXISTS "${_JAVA_HOME}/jre/lib/ppc64le")
+                SET(_java_libarch "ppc64le")
+        ELSE()
+                SET(_java_libarch "ppc64")
+        ENDIF()
     ELSE()
         SET(_java_libarch ${CMAKE_SYSTEM_PROCESSOR})
     ENDIF()

From f6a778c3725bcdaba1e1de43786af17dd44deb78 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Tue, 19 Aug 2014 20:33:49 +0000
Subject: [PATCH 265/354] YARN-2249. Avoided AM release requests being lost on
 work preserving RM restart. Contributed by Jian He.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1618972 13f79535-47bb-0310-9956-ffa450edef68
---
 .../scheduler/ResourceSchedulerWrapper.java   |  9 +-
 hadoop-yarn-project/CHANGES.txt               |  3 +
 .../scheduler/AbstractYarnScheduler.java      | 91 +++++++++++++++++++
 .../SchedulerApplicationAttempt.java          | 18 +++-
 .../scheduler/capacity/CapacityScheduler.java | 23 +----
 .../scheduler/fair/FairScheduler.java         | 21 +----
 .../scheduler/fifo/FifoScheduler.java         | 30 ++----
 .../yarn/server/resourcemanager/MockAM.java   |  8 +-
 .../TestApplicationMasterService.java         |  1 -
 .../server/resourcemanager/TestRMRestart.java |  4 +-
 .../TestWorkPreservingRMRestart.java          | 79 +++++++++++++++-
 11 files changed, 213 insertions(+), 74 deletions(-)

diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java
index 6ccae98bd86..a65f7760d13 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/ResourceSchedulerWrapper.java
@@ -36,8 +36,8 @@
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 
-import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.conf.Configurable;
 import org.apache.hadoop.conf.Configuration;
@@ -61,6 +61,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
+import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerEventType;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.UpdatedContainerInfo;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.AbstractYarnScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.Allocation;
@@ -933,4 +934,10 @@ public synchronized List<Container> getTransferredContainers(
     return new HashMap<ApplicationId,
         SchedulerApplication<SchedulerApplicationAttempt>>();
   }
+
+  @Override
+  protected void completedContainer(RMContainer rmContainer,
+      ContainerStatus containerStatus, RMContainerEventType event) {
+    // do nothing
+  }
 }
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 31f53bdc1d6..6fbf493e130 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -214,6 +214,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2409. RM ActiveToStandBy transition missing stoping previous rmDispatcher.
     (Rohith via jianhe)
 
+    YARN-2249. Avoided AM release requests being lost on work preserving RM
+    restart. (Jian He via zjshen)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
index 6463153c147..72ee7dbbe0a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
@@ -23,10 +23,14 @@
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import java.util.Timer;
+import java.util.TimerTask;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.service.AbstractService;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
@@ -34,18 +38,25 @@
 import org.apache.hadoop.yarn.api.records.Container;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.api.records.ContainerState;
+import org.apache.hadoop.yarn.api.records.ContainerStatus;
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnException;
 import org.apache.hadoop.yarn.server.api.protocolrecords.NMContainerStatus;
+import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger;
+import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
+import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEventType;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppMoveEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
+import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerEventType;
+import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerFinishedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerRecoverEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNode;
@@ -54,6 +65,7 @@
 
 import com.google.common.util.concurrent.SettableFuture;
 
+
 @SuppressWarnings("unchecked")
 public abstract class AbstractYarnScheduler
     <T extends SchedulerApplicationAttempt, N extends SchedulerNode>
@@ -72,6 +84,7 @@ public abstract class AbstractYarnScheduler
 
   protected RMContext rmContext;
   protected Map<ApplicationId, SchedulerApplication<T>> applications;
+  protected int nmExpireInterval;
 
   protected final static List<Container> EMPTY_CONTAINER_LIST =
       new ArrayList<Container>();
@@ -87,6 +100,15 @@ public AbstractYarnScheduler(String name) {
     super(name);
   }
 
+  @Override
+  public void serviceInit(Configuration conf) throws Exception {
+    nmExpireInterval =
+        conf.getInt(YarnConfiguration.RM_NM_EXPIRY_INTERVAL_MS,
+          YarnConfiguration.DEFAULT_RM_NM_EXPIRY_INTERVAL_MS);
+    createReleaseCache();
+    super.serviceInit(conf);
+  }
+
   public synchronized List<Container> getTransferredContainers(
       ApplicationAttemptId currentAttempt) {
     ApplicationId appId = currentAttempt.getApplicationId();
@@ -281,6 +303,19 @@ public synchronized void recoverContainersOnNode(
           ((RMContainerImpl)rmContainer).setAMContainer(true);
         }
       }
+
+      synchronized (schedulerAttempt) {
+        Set<ContainerId> releases = schedulerAttempt.getPendingRelease();
+        if (releases.contains(container.getContainerId())) {
+          // release the container
+          rmContainer.handle(new RMContainerFinishedEvent(container
+            .getContainerId(), SchedulerUtils.createAbnormalContainerStatus(
+            container.getContainerId(), SchedulerUtils.RELEASED_CONTAINER),
+            RMContainerEventType.RELEASED));
+          releases.remove(container.getContainerId());
+          LOG.info(container.getContainerId() + " is released by application.");
+        }
+      }
     }
   }
 
@@ -320,6 +355,62 @@ protected void recoverResourceRequestForContainer(RMContainer rmContainer) {
     }
   }
 
+  protected void createReleaseCache() {
+    // Cleanup the cache after nm expire interval.
+    new Timer().schedule(new TimerTask() {
+      @Override
+      public void run() {
+        for (SchedulerApplication<T> app : applications.values()) {
+
+          T attempt = app.getCurrentAppAttempt();
+          synchronized (attempt) {
+            for (ContainerId containerId : attempt.getPendingRelease()) {
+              RMAuditLogger.logFailure(
+                app.getUser(),
+                AuditConstants.RELEASE_CONTAINER,
+                "Unauthorized access or invalid container",
+                "Scheduler",
+                "Trying to release container not owned by app or with invalid id.",
+                attempt.getApplicationId(), containerId);
+            }
+            attempt.getPendingRelease().clear();
+          }
+        }
+        LOG.info("Release request cache is cleaned up");
+      }
+    }, nmExpireInterval);
+  }
+
+  // clean up a completed container
+  protected abstract void completedContainer(RMContainer rmContainer,
+      ContainerStatus containerStatus, RMContainerEventType event);
+
+  protected void releaseContainers(List<ContainerId> containers,
+      SchedulerApplicationAttempt attempt) {
+    for (ContainerId containerId : containers) {
+      RMContainer rmContainer = getRMContainer(containerId);
+      if (rmContainer == null) {
+        if (System.currentTimeMillis() - ResourceManager.getClusterTimeStamp()
+            < nmExpireInterval) {
+          LOG.info(containerId + " doesn't exist. Add the container"
+              + " to the release request cache as it maybe on recovery.");
+          synchronized (attempt) {
+            attempt.getPendingRelease().add(containerId);
+          }
+        } else {
+          RMAuditLogger.logFailure(attempt.getUser(),
+            AuditConstants.RELEASE_CONTAINER,
+            "Unauthorized access or invalid container", "Scheduler",
+            "Trying to release container not owned by app or with invalid id.",
+            attempt.getApplicationId(), containerId);
+        }
+      }
+      completedContainer(rmContainer,
+        SchedulerUtils.createAbnormalContainerStatus(containerId,
+          SchedulerUtils.RELEASED_CONTAINER), RMContainerEventType.RELEASED);
+    }
+  }
+
   public SchedulerNode getSchedulerNode(NodeId nodeId) {
     return nodes.get(nodeId);
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerApplicationAttempt.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerApplicationAttempt.java
index 32dd23b08c1..933f456c60a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerApplicationAttempt.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerApplicationAttempt.java
@@ -17,13 +17,14 @@
 */
 package org.apache.hadoop.yarn.server.resourcemanager.scheduler;
 
-import com.google.common.base.Preconditions;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -41,7 +42,6 @@
 import org.apache.hadoop.yarn.api.records.Priority;
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
-import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
@@ -53,6 +53,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeCleanContainerEvent;
 import org.apache.hadoop.yarn.util.resource.Resources;
 
+import com.google.common.base.Preconditions;
 import com.google.common.collect.HashMultiset;
 import com.google.common.collect.Multiset;
 
@@ -87,6 +88,13 @@ public class SchedulerApplicationAttempt {
   protected List<RMContainer> newlyAllocatedContainers = 
       new ArrayList<RMContainer>();
 
+  // This pendingRelease is used in work-preserving recovery scenario to keep
+  // track of the AM's outstanding release requests. RM on recovery could
+  // receive the release request form AM before it receives the container status
+  // from NM for recovery. In this case, the to-be-recovered containers reported
+  // by NM should not be recovered.
+  private Set<ContainerId> pendingRelease = null;
+
   /**
    * Count how many times the application has been given an opportunity
    * to schedule a task at each priority. Each time the scheduler
@@ -114,7 +122,7 @@ public SchedulerApplicationAttempt(ApplicationAttemptId applicationAttemptId,
         new AppSchedulingInfo(applicationAttemptId, user, queue,  
             activeUsersManager, rmContext.getEpoch());
     this.queue = queue;
-    
+    this.pendingRelease = new HashSet<ContainerId>();
     if (rmContext.getRMApps() != null &&
         rmContext.getRMApps()
             .containsKey(applicationAttemptId.getApplicationId())) {
@@ -163,6 +171,10 @@ public Map<String, ResourceRequest> getResourceRequests(Priority priority) {
     return appSchedulingInfo.getResourceRequests(priority);
   }
 
+  public Set<ContainerId> getPendingRelease() {
+    return this.pendingRelease;
+  }
+
   public int getNewContainerId() {
     return appSchedulingInfo.getNewContainerId();
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
index e979c5c2320..c8a73bfb530 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
@@ -54,8 +54,6 @@
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnException;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
-import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger;
-import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.*;
@@ -199,7 +197,7 @@ public Configuration getConf() {
   private static final long DEFAULT_ASYNC_SCHEDULER_INTERVAL = 5;
   
   private boolean overrideWithQueueMappings = false;
-  private List<QueueMapping> mappings = new ArrayList<QueueMapping>();
+  private List<QueueMapping> mappings = null;
   private Groups groups;
 
   @VisibleForTesting
@@ -789,21 +787,7 @@ ask, getResourceCalculator(), getClusterResource(),
         getMinimumResourceCapability(), maximumAllocation);
 
     // Release containers
-    for (ContainerId releasedContainerId : release) {
-      RMContainer rmContainer = getRMContainer(releasedContainerId);
-      if (rmContainer == null) {
-         RMAuditLogger.logFailure(application.getUser(),
-             AuditConstants.RELEASE_CONTAINER, 
-             "Unauthorized access or invalid container", "CapacityScheduler",
-             "Trying to release container not owned by app or with invalid id",
-             application.getApplicationId(), releasedContainerId);
-      }
-      completedContainer(rmContainer,
-          SchedulerUtils.createAbnormalContainerStatus(
-              releasedContainerId, 
-              SchedulerUtils.RELEASED_CONTAINER),
-          RMContainerEventType.RELEASED);
-    }
+    releaseContainers(release, application);
 
     synchronized (application) {
 
@@ -1098,7 +1082,8 @@ private synchronized void removeNode(RMNode nodeInfo) {
   }
   
   @Lock(CapacityScheduler.class)
-  private synchronized void completedContainer(RMContainer rmContainer,
+  @Override
+  protected synchronized void completedContainer(RMContainer rmContainer,
       ContainerStatus containerStatus, RMContainerEventType event) {
     if (rmContainer == null) {
       LOG.info("Null container completed...");
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
index aa3f8240947..0fcbad670e5 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
@@ -49,8 +49,6 @@
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnException;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
-import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger;
-import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState;
 import org.apache.hadoop.yarn.server.resourcemanager.resource.ResourceWeights;
@@ -810,7 +808,8 @@ private synchronized void removeApplicationAttempt(
   /**
    * Clean up a completed container.
    */
-  private synchronized void completedContainer(RMContainer rmContainer,
+  @Override
+  protected synchronized void completedContainer(RMContainer rmContainer,
       ContainerStatus containerStatus, RMContainerEventType event) {
     if (rmContainer == null) {
       LOG.info("Null container completed...");
@@ -913,21 +912,7 @@ public Allocation allocate(ApplicationAttemptId appAttemptId,
     }
 
     // Release containers
-    for (ContainerId releasedContainerId : release) {
-      RMContainer rmContainer = getRMContainer(releasedContainerId);
-      if (rmContainer == null) {
-        RMAuditLogger.logFailure(application.getUser(),
-            AuditConstants.RELEASE_CONTAINER,
-            "Unauthorized access or invalid container", "FairScheduler",
-            "Trying to release container not owned by app or with invalid id",
-            application.getApplicationId(), releasedContainerId);
-      }
-      completedContainer(rmContainer,
-          SchedulerUtils.createAbnormalContainerStatus(
-              releasedContainerId,
-              SchedulerUtils.RELEASED_CONTAINER),
-          RMContainerEventType.RELEASED);
-    }
+    releaseContainers(release, application);
 
     synchronized (application) {
       if (!ask.isEmpty()) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java
index 518a8d9d3b6..dd2ea433ebb 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java
@@ -52,8 +52,6 @@
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.factories.RecordFactory;
 import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
-import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger;
-import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent;
@@ -89,7 +87,6 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeRemovedSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeUpdateSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEvent;
-
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
 import org.apache.hadoop.yarn.server.utils.Lock;
 import org.apache.hadoop.yarn.util.resource.DefaultResourceCalculator;
@@ -295,21 +292,7 @@ public Allocation allocate(
         clusterResource, minimumAllocation, maximumAllocation);
 
     // Release containers
-    for (ContainerId releasedContainer : release) {
-      RMContainer rmContainer = getRMContainer(releasedContainer);
-      if (rmContainer == null) {
-         RMAuditLogger.logFailure(application.getUser(),
-             AuditConstants.RELEASE_CONTAINER, 
-             "Unauthorized access or invalid container", "FifoScheduler", 
-             "Trying to release container not owned by app or with invalid id",
-             application.getApplicationId(), releasedContainer);
-      }
-      containerCompleted(rmContainer,
-          SchedulerUtils.createAbnormalContainerStatus(
-              releasedContainer, 
-              SchedulerUtils.RELEASED_CONTAINER),
-          RMContainerEventType.RELEASED);
-    }
+    releaseContainers(release, application);
 
     synchronized (application) {
 
@@ -443,7 +426,7 @@ private synchronized void doneApplicationAttempt(
         LOG.info("Skip killing " + container.getContainerId());
         continue;
       }
-      containerCompleted(container,
+      completedContainer(container,
         SchedulerUtils.createAbnormalContainerStatus(
           container.getContainerId(), SchedulerUtils.COMPLETED_APPLICATION),
         RMContainerEventType.KILL);
@@ -717,7 +700,7 @@ private synchronized void nodeUpdate(RMNode rmNode) {
     for (ContainerStatus completedContainer : completedContainers) {
       ContainerId containerId = completedContainer.getContainerId();
       LOG.debug("Container FINISHED: " + containerId);
-      containerCompleted(getRMContainer(containerId), 
+      completedContainer(getRMContainer(containerId), 
           completedContainer, RMContainerEventType.FINISHED);
     }
 
@@ -818,7 +801,7 @@ public void handle(SchedulerEvent event) {
       ContainerExpiredSchedulerEvent containerExpiredEvent = 
           (ContainerExpiredSchedulerEvent) event;
       ContainerId containerid = containerExpiredEvent.getContainerId();
-      containerCompleted(getRMContainer(containerid), 
+      completedContainer(getRMContainer(containerid), 
           SchedulerUtils.createAbnormalContainerStatus(
               containerid, 
               SchedulerUtils.EXPIRED_CONTAINER),
@@ -831,7 +814,8 @@ public void handle(SchedulerEvent event) {
   }
 
   @Lock(FifoScheduler.class)
-  private synchronized void containerCompleted(RMContainer rmContainer,
+  @Override
+  protected synchronized void completedContainer(RMContainer rmContainer,
       ContainerStatus containerStatus, RMContainerEventType event) {
     if (rmContainer == null) {
       LOG.info("Null container completed...");
@@ -881,7 +865,7 @@ private synchronized void removeNode(RMNode nodeInfo) {
     }
     // Kill running containers
     for(RMContainer container : node.getRunningContainers()) {
-      containerCompleted(container, 
+      completedContainer(container, 
           SchedulerUtils.createAbnormalContainerStatus(
               container.getContainerId(), 
               SchedulerUtils.LOST_CONTAINER),
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockAM.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockAM.java
index f1a3bbcae83..91e19058557 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockAM.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockAM.java
@@ -49,7 +49,7 @@ public class MockAM {
 
   private volatile int responseId = 0;
   private final ApplicationAttemptId attemptId;
-  private final RMContext context;
+  private RMContext context;
   private ApplicationMasterProtocol amRMProtocol;
 
   private final List<ResourceRequest> requests = new ArrayList<ResourceRequest>();
@@ -61,8 +61,10 @@ public MockAM(RMContext context, ApplicationMasterProtocol amRMProtocol,
     this.amRMProtocol = amRMProtocol;
     this.attemptId = attemptId;
   }
-  
-  void setAMRMProtocol(ApplicationMasterProtocol amRMProtocol) {
+
+  public void setAMRMProtocol(ApplicationMasterProtocol amRMProtocol,
+      RMContext context) {
+    this.context = context;
     this.amRMProtocol = amRMProtocol;
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestApplicationMasterService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestApplicationMasterService.java
index 671851c9529..b0ffc859b64 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestApplicationMasterService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestApplicationMasterService.java
@@ -171,7 +171,6 @@ public void testProgressFilter() throws Exception{
     RMAppAttempt attempt1 = app1.getCurrentAppAttempt();
     MockAM am1 = rm.sendAMLaunched(attempt1.getAppAttemptId());
     am1.registerAppAttempt();
-    am1.setAMRMProtocol(rm.getApplicationMasterService());
 
     AllocateRequestPBImpl allocateRequest = new AllocateRequestPBImpl();
     List<ContainerId> release = new ArrayList<ContainerId>();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java
index e60ac6adf21..5f63caf9a71 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMRestart.java
@@ -289,7 +289,7 @@ public void testRMRestart() throws Exception {
     
     // verify old AM is not accepted
     // change running AM to talk to new RM
-    am1.setAMRMProtocol(rm2.getApplicationMasterService());
+    am1.setAMRMProtocol(rm2.getApplicationMasterService(), rm2.getRMContext());
     AllocateResponse allocResponse = am1.allocate(
         new ArrayList<ResourceRequest>(),
         new ArrayList<ContainerId>());
@@ -1663,7 +1663,7 @@ public void testQueueMetricsOnRMRestart() throws Exception {
     nm1.setResourceTrackerService(rm2.getResourceTrackerService());
     // recover app
     RMApp loadedApp1 = rm2.getRMContext().getRMApps().get(app1.getApplicationId());
-    am1.setAMRMProtocol(rm2.getApplicationMasterService());
+    am1.setAMRMProtocol(rm2.getApplicationMasterService(), rm2.getRMContext());
     am1.allocate(new ArrayList<ResourceRequest>(), new ArrayList<ContainerId>());
     nm1.nodeHeartbeat(true);
     nm1 = new MockNM("127.0.0.1:1234", 15120, rm2.getResourceTrackerService());
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java
index 9cae07c7fb6..df64d4c32d2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java
@@ -33,10 +33,13 @@
 
 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.test.GenericTestUtils;
+import org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.api.records.ContainerState;
+import org.apache.hadoop.yarn.api.records.ContainerStatus;
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.api.protocolrecords.NMContainerStatus;
@@ -72,6 +75,9 @@
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
 
+import com.google.common.base.Supplier;
+
+
 @SuppressWarnings({"rawtypes", "unchecked"})
 @RunWith(value = Parameterized.class)
 public class TestWorkPreservingRMRestart {
@@ -572,8 +578,8 @@ public void testAppReregisterOnRMWorkPreservingRestart() throws Exception {
     rm2.waitForState(app0.getApplicationId(), RMAppState.ACCEPTED);
     rm2.waitForState(am0.getApplicationAttemptId(), RMAppAttemptState.LAUNCHED);
 
-    am0.setAMRMProtocol(rm2.getApplicationMasterService());
-    am0.registerAppAttempt(false);
+    am0.setAMRMProtocol(rm2.getApplicationMasterService(), rm2.getRMContext());
+    am0.registerAppAttempt(true);
 
     rm2.waitForState(app0.getApplicationId(), RMAppState.RUNNING);
     rm2.waitForState(am0.getApplicationAttemptId(), RMAppAttemptState.RUNNING);
@@ -646,6 +652,69 @@ public void testRecoverSchedulerAppAndAttemptSynchronously() throws Exception {
     waitForNumContainersToRecover(2, rm2, am0.getApplicationAttemptId());
   }
 
+  // Test if RM on recovery receives the container release request from AM
+  // before it receives the container status reported by NM for recovery. this
+  // container should not be recovered.
+  @Test (timeout = 30000)
+  public void testReleasedContainerNotRecovered() throws Exception {
+    MemoryRMStateStore memStore = new MemoryRMStateStore();
+    memStore.init(conf);
+    rm1 = new MockRM(conf, memStore);
+    MockNM nm1 = new MockNM("h1:1234", 15120, rm1.getResourceTrackerService());
+    nm1.registerNode();
+    rm1.start();
+
+    RMApp app1 = rm1.submitApp(1024);
+    final MockAM am1 = MockRM.launchAndRegisterAM(app1, rm1, nm1);
+
+    // Re-start RM
+    conf.setInt(YarnConfiguration.RM_NM_EXPIRY_INTERVAL_MS, 8000);
+    rm2 = new MockRM(conf, memStore);
+    rm2.start();
+    nm1.setResourceTrackerService(rm2.getResourceTrackerService());
+    rm2.waitForState(app1.getApplicationId(), RMAppState.ACCEPTED);
+    am1.setAMRMProtocol(rm2.getApplicationMasterService(), rm2.getRMContext());
+    am1.registerAppAttempt(true);
+
+    // try to release a container before the container is actually recovered.
+    final ContainerId runningContainer =
+        ContainerId.newInstance(am1.getApplicationAttemptId(), 2);
+    am1.allocate(null, Arrays.asList(runningContainer));
+
+    // send container statuses to recover the containers
+    List<NMContainerStatus> containerStatuses =
+        createNMContainerStatusForApp(am1);
+    nm1.registerNode(containerStatuses, null);
+
+    // only the am container should be recovered.
+    waitForNumContainersToRecover(1, rm2, am1.getApplicationAttemptId());
+
+    final AbstractYarnScheduler scheduler =
+        (AbstractYarnScheduler) rm2.getResourceScheduler();
+    // cached release request is cleaned.
+    // assertFalse(scheduler.getPendingRelease().contains(runningContainer));
+
+    AllocateResponse response = am1.allocate(null, null);
+    // AM gets notified of the completed container.
+    boolean receivedCompletedContainer = false;
+    for (ContainerStatus status : response.getCompletedContainersStatuses()) {
+      if (status.getContainerId().equals(runningContainer)) {
+        receivedCompletedContainer = true;
+      }
+    }
+    assertTrue(receivedCompletedContainer);
+
+    GenericTestUtils.waitFor(new Supplier<Boolean>() {
+      public Boolean get() {
+        // release cache is cleaned up and previous running container is not
+        // recovered
+        return scheduler.getApplicationAttempt(am1.getApplicationAttemptId())
+          .getPendingRelease().isEmpty()
+            && scheduler.getRMContainer(runningContainer) == null;
+      }
+    }, 1000, 20000);
+  }
+
   private void asserteMetrics(QueueMetrics qm, int appsSubmitted,
       int appsPending, int appsRunning, int appsCompleted,
       int allocatedContainers, int availableMB, int availableVirtualCores,
@@ -661,7 +730,7 @@ private void asserteMetrics(QueueMetrics qm, int appsSubmitted,
     assertEquals(allocatedVirtualCores, qm.getAllocatedVirtualCores());
   }
 
-  private void waitForNumContainersToRecover(int num, MockRM rm,
+  public static void waitForNumContainersToRecover(int num, MockRM rm,
       ApplicationAttemptId attemptId) throws Exception {
     AbstractYarnScheduler scheduler =
         (AbstractYarnScheduler) rm.getResourceScheduler();
@@ -674,7 +743,9 @@ private void waitForNumContainersToRecover(int num, MockRM rm,
       attempt = scheduler.getApplicationAttempt(attemptId);
     }
     while (attempt.getLiveContainers().size() < num) {
-      System.out.println("Wait for " + num + " containers to recover.");
+      System.out.println("Wait for " + num
+          + " containers to recover. currently: "
+          + attempt.getLiveContainers().size());
       Thread.sleep(200);
     }
   }

From 14b01dd04608669582e8ef934253b05c2f841ac0 Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Tue, 19 Aug 2014 20:41:15 +0000
Subject: [PATCH 266/354] HDFS-6872. Fix TestOptionsParser. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1618974 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES-fs-encryption.txt             | 2 ++
 .../test/java/org/apache/hadoop/tools/TestOptionsParser.java   | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-mapreduce-project/CHANGES-fs-encryption.txt b/hadoop-mapreduce-project/CHANGES-fs-encryption.txt
index 9127a24ee32..3e1718e624b 100644
--- a/hadoop-mapreduce-project/CHANGES-fs-encryption.txt
+++ b/hadoop-mapreduce-project/CHANGES-fs-encryption.txt
@@ -14,5 +14,7 @@ fs-encryption (Unreleased)
     MAPREDUCE-6007. Add support to distcp to preserve raw.* namespace
     extended attributes. (clamb)
 
+    HDFS-6872. Fix TestOptionsParser. (clamb)
+
   BUG FIXES
 
diff --git a/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestOptionsParser.java b/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestOptionsParser.java
index d3da68ed386..2c42269c37e 100644
--- a/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestOptionsParser.java
+++ b/hadoop-tools/hadoop-distcp/src/test/java/org/apache/hadoop/tools/TestOptionsParser.java
@@ -357,7 +357,8 @@ public void testToString() {
     DistCpOptions option = new DistCpOptions(new Path("abc"), new Path("xyz"));
     String val = "DistCpOptions{atomicCommit=false, syncFolder=false, deleteMissing=false, " +
         "ignoreFailures=false, maxMaps=20, sslConfigurationFile='null', copyStrategy='uniformsize', " +
-        "sourceFileListing=abc, sourcePaths=null, targetPath=xyz, targetPathExists=true}";
+        "sourceFileListing=abc, sourcePaths=null, targetPath=xyz, targetPathExists=true, " +
+        "preserveRawXattrs=false}";
     Assert.assertEquals(val, option.toString());
     Assert.assertNotSame(DistCpOptionSwitch.ATOMIC_COMMIT.toString(),
         DistCpOptionSwitch.ATOMIC_COMMIT.name());

From a4ee77b65f31351b4eae76ba5df0681a0d2b856f Mon Sep 17 00:00:00 2001
From: Charles Lamb <clamb@apache.org>
Date: Tue, 19 Aug 2014 20:43:54 +0000
Subject: [PATCH 267/354] HDFS-6873. Constants in CommandWithDestination should
 be static. (clamb)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1618975 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt | 2 ++
 .../org/apache/hadoop/fs/shell/CommandWithDestination.java    | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
index 1a4965b5495..d036e711d94 100644
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
@@ -49,6 +49,8 @@ fs-encryption (Unreleased)
     HADOOP-10919. Copy command should preserve raw.* namespace
     extended attributes. (clamb)
 
+    HDFS-6873. Constants in CommandWithDestination should be static. (clamb)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CommandWithDestination.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CommandWithDestination.java
index 1097994f7df..da67f1ccac5 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CommandWithDestination.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/CommandWithDestination.java
@@ -61,12 +61,12 @@ abstract class CommandWithDestination extends FsCommand {
    * The name of the raw xattr namespace. It would be nice to use
    * XAttr.RAW.name() but we can't reference the hadoop-hdfs project.
    */
-  private final String RAW = "raw.";
+  private static final String RAW = "raw.";
 
   /**
    * The name of the reserved raw directory.
    */
-  private final String RESERVED_RAW = "/.reserved/raw";
+  private static final String RESERVED_RAW = "/.reserved/raw";
 
   /**
    * 

From fbc1ee4d6fe51a9a0cce9e8d4eac2a41f3575143 Mon Sep 17 00:00:00 2001
From: Brandon Li <brandonli@apache.org>
Date: Tue, 19 Aug 2014 22:31:57 +0000
Subject: [PATCH 268/354] HDFS-6868. portmap and nfs3 are documented as hadoop
 commands instead of hdfs. Contributed by Brandon Li

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619001 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                   | 3 +++
 .../hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm            | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index a2f1c72775c..48b127bdc30 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -520,6 +520,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6569. OOB message can't be sent to the client when DataNode shuts down for upgrade
     (brandonli)
 
+    HDFS-6868. portmap and nfs3 are documented as hadoop commands instead of hdfs
+    (brandonli)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
index 4375895649b..4044ae8d508 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
@@ -209,7 +209,7 @@ HDFS NFS Gateway
    [[2]] Start package included portmap (needs root privileges):
 
 -------------------------
-     hadoop portmap
+     hdfs portmap
   
      OR
 
@@ -224,7 +224,7 @@ HDFS NFS Gateway
      as long as the user has read access to the Kerberos keytab defined in "nfs.keytab.file".
 
 -------------------------
-     hadoop nfs3
+     hdfs nfs3
 
      OR
 

From e4539e88e388b7ff01a6acd0b1596a5a276d4478 Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Wed, 20 Aug 2014 17:05:07 +0000
Subject: [PATCH 269/354] YARN-2174. Enable HTTPs for the writer REST API of
 TimelineServer. Contributed by Zhijie Shen

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619160 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../api/impl/TimelineAuthenticator.java       |  15 +-
 .../client/api/impl/TimelineClientImpl.java   |  98 +++++++++++--
 .../TestTimelineWebServicesWithSSL.java       | 134 ++++++++++++++++++
 4 files changed, 235 insertions(+), 15 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServicesWithSSL.java

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 6fbf493e130..b584ec54afd 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -50,6 +50,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2411. Support simple user and group mappings to queues. (Ram Venkatesh
     via jianhe)
 
+    YARN-2174. Enable HTTPs for the writer REST API of TimelineServer.
+    (Zhijie Shen via jianhe)
+
   IMPROVEMENTS
 
     YARN-2197. Add a link to YARN CHANGES.txt in the left side of doc
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineAuthenticator.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineAuthenticator.java
index 25333c7551b..bd05f4ab995 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineAuthenticator.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineAuthenticator.java
@@ -32,6 +32,7 @@
 import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.client.Authenticator;
+import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
 import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.yarn.api.records.timeline.TimelineDelegationTokenResponse;
@@ -53,10 +54,13 @@
 public class TimelineAuthenticator extends KerberosAuthenticator {
 
   private static ObjectMapper mapper;
+  private static TimelineAuthenticator authenticator;
+  private static ConnectionConfigurator connConfigurator;
 
   static {
     mapper = new ObjectMapper();
     YarnJacksonJaxbJsonProvider.configObjectMapper(mapper);
+    authenticator = new TimelineAuthenticator();
   }
 
   /**
@@ -98,6 +102,11 @@ public void authenticate(URL url, AuthenticatedURL.Token token)
     }
   }
 
+  public static void setStaticConnectionConfigurator(
+      ConnectionConfigurator connConfigurator) {
+    TimelineAuthenticator.connConfigurator = connConfigurator;
+  }
+
   public static Token<TimelineDelegationTokenIdentifier> getDelegationToken(
       URL url, AuthenticatedURL.Token token, String renewer) throws IOException {
     TimelineDelegationTokenOperation op =
@@ -107,7 +116,7 @@ public static Token<TimelineDelegationTokenIdentifier> getDelegationToken(
     params.put(TimelineAuthenticationConsts.RENEWER_PARAM, renewer);
     url = appendParams(url, params);
     AuthenticatedURL aUrl =
-        new AuthenticatedURL(new TimelineAuthenticator());
+        new AuthenticatedURL(authenticator, connConfigurator);
     try {
       HttpURLConnection conn = aUrl.openConnection(url, token);
       conn.setRequestMethod(op.getHttpMethod());
@@ -137,7 +146,7 @@ public static long renewDelegationToken(URL url,
         dToken.encodeToUrlString());
     url = appendParams(url, params);
     AuthenticatedURL aUrl =
-        new AuthenticatedURL(new TimelineAuthenticator());
+        new AuthenticatedURL(authenticator, connConfigurator);
     try {
       HttpURLConnection conn = aUrl.openConnection(url, token);
       conn.setRequestMethod(
@@ -164,7 +173,7 @@ public static void cancelDelegationToken(URL url,
         dToken.encodeToUrlString());
     url = appendParams(url, params);
     AuthenticatedURL aUrl =
-        new AuthenticatedURL(new TimelineAuthenticator());
+        new AuthenticatedURL(authenticator, connConfigurator);
     try {
       HttpURLConnection conn = aUrl.openConnection(url, token);
       conn.setRequestMethod(TimelineDelegationTokenOperation.CANCELDELEGATIONTOKEN
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
index daf25eafeb7..f383a8aed33 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
@@ -23,10 +23,15 @@
 import java.net.HttpURLConnection;
 import java.net.URI;
 import java.net.URL;
+import java.net.URLConnection;
+import java.security.GeneralSecurityException;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLSocketFactory;
 import javax.ws.rs.core.MediaType;
 
 import org.apache.commons.cli.CommandLine;
@@ -42,6 +47,8 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
+import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.yarn.api.records.timeline.TimelineEntities;
 import org.apache.hadoop.yarn.api.records.timeline.TimelineEntity;
@@ -74,7 +81,10 @@ public class TimelineClientImpl extends TimelineClient {
   private static final String RESOURCE_URI_STR = "/ws/v1/timeline/";
   private static final String URL_PARAM_USER_NAME = "user.name";
   private static final Joiner JOINER = Joiner.on("");
+  public final static int DEFAULT_SOCKET_TIMEOUT = 1 * 60 * 1000; // 1 minute
+
   private static Options opts;
+
   static {
     opts = new Options();
     opts.addOption("put", true, "Put the TimelineEntities in a JSON file");
@@ -89,15 +99,6 @@ public class TimelineClientImpl extends TimelineClient {
 
   public TimelineClientImpl() {
     super(TimelineClientImpl.class.getName());
-    ClientConfig cc = new DefaultClientConfig();
-    cc.getClasses().add(YarnJacksonJaxbJsonProvider.class);
-    if (UserGroupInformation.isSecurityEnabled()) {
-      urlFactory = new KerberosAuthenticatedURLConnectionFactory();
-      client = new Client(new URLConnectionClientHandler(urlFactory), cc);
-    } else {
-      client = new Client(new URLConnectionClientHandler(
-          new PseudoAuthenticatedURLConnectionFactory()), cc);
-    }
   }
 
   protected void serviceInit(Configuration conf) throws Exception {
@@ -107,6 +108,17 @@ protected void serviceInit(Configuration conf) throws Exception {
     if (!isEnabled) {
       LOG.info("Timeline service is not enabled");
     } else {
+      ClientConfig cc = new DefaultClientConfig();
+      cc.getClasses().add(YarnJacksonJaxbJsonProvider.class);
+      ConnectionConfigurator connConfigurator = newConnConfigurator(conf);
+      if (UserGroupInformation.isSecurityEnabled()) {
+        TimelineAuthenticator.setStaticConnectionConfigurator(connConfigurator);
+        urlFactory = new KerberosAuthenticatedURLConnectionFactory(connConfigurator);
+        client = new Client(new URLConnectionClientHandler(urlFactory), cc);
+      } else {
+        client = new Client(new URLConnectionClientHandler(
+            new PseudoAuthenticatedURLConnectionFactory(connConfigurator)), cc);
+      }
       if (YarnConfiguration.useHttps(conf)) {
         resURI = URI
             .create(JOINER.join("https://", conf.get(
@@ -182,6 +194,13 @@ public ClientResponse doPostingEntities(TimelineEntities entities) {
   private static class PseudoAuthenticatedURLConnectionFactory
     implements HttpURLConnectionFactory {
 
+    private ConnectionConfigurator connConfigurator;
+
+    public PseudoAuthenticatedURLConnectionFactory(
+        ConnectionConfigurator connConfigurator) {
+      this.connConfigurator = connConfigurator;
+    }
+
     @Override
     public HttpURLConnection getHttpURLConnection(URL url) throws IOException {
       Map<String, String> params = new HashMap<String, String>();
@@ -191,7 +210,7 @@ public HttpURLConnection getHttpURLConnection(URL url) throws IOException {
       if (LOG.isDebugEnabled()) {
         LOG.debug("URL with delegation token: " + url);
       }
-      return (HttpURLConnection) url.openConnection();
+      return connConfigurator.configure((HttpURLConnection) url.openConnection());
     }
 
   }
@@ -202,10 +221,13 @@ private static class KerberosAuthenticatedURLConnectionFactory
     private TimelineAuthenticator authenticator;
     private Token<TimelineDelegationTokenIdentifier> dToken;
     private Text service;
+    private ConnectionConfigurator connConfigurator;
 
-    public KerberosAuthenticatedURLConnectionFactory() {
+    public KerberosAuthenticatedURLConnectionFactory(
+        ConnectionConfigurator connConfigurator) {
       token = new AuthenticatedURL.Token();
       authenticator = new TimelineAuthenticator();
+      this.connConfigurator = connConfigurator;
     }
 
     @Override
@@ -226,7 +248,8 @@ public HttpURLConnection getHttpURLConnection(URL url) throws IOException {
             LOG.debug("URL with delegation token: " + url);
           }
         }
-        return new AuthenticatedURL(authenticator).openConnection(url, token);
+        return new AuthenticatedURL(
+            authenticator, connConfigurator).openConnection(url, token);
       } catch (AuthenticationException e) {
         LOG.error("Authentication failed when openning connection [" + url
             + "] with token [" + token + "].", e);
@@ -255,6 +278,57 @@ public void setService(Text service) {
 
   }
 
+  private static ConnectionConfigurator newConnConfigurator(Configuration conf) {
+    try {
+      return newSslConnConfigurator(DEFAULT_SOCKET_TIMEOUT, conf);
+    } catch (Exception e) {
+      LOG.debug("Cannot load customized ssl related configuration. " +
+          "Fallback to system-generic settings.", e);
+      return DEFAULT_TIMEOUT_CONN_CONFIGURATOR;
+    }
+  }
+
+  private static final ConnectionConfigurator DEFAULT_TIMEOUT_CONN_CONFIGURATOR =
+      new ConnectionConfigurator() {
+    @Override
+    public HttpURLConnection configure(HttpURLConnection conn)
+        throws IOException {
+      setTimeouts(conn, DEFAULT_SOCKET_TIMEOUT);
+      return conn;
+    }
+  };
+
+  private static ConnectionConfigurator newSslConnConfigurator(final int timeout,
+      Configuration conf) throws IOException, GeneralSecurityException {
+    final SSLFactory factory;
+    final SSLSocketFactory sf;
+    final HostnameVerifier hv;
+
+    factory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
+    factory.init();
+    sf = factory.createSSLSocketFactory();
+    hv = factory.getHostnameVerifier();
+
+    return new ConnectionConfigurator() {
+      @Override
+      public HttpURLConnection configure(HttpURLConnection conn)
+          throws IOException {
+        if (conn instanceof HttpsURLConnection) {
+          HttpsURLConnection c = (HttpsURLConnection) conn;
+          c.setSSLSocketFactory(sf);
+          c.setHostnameVerifier(hv);
+        }
+        setTimeouts(conn, timeout);
+        return conn;
+      }
+    };
+  }
+
+  private static void setTimeouts(URLConnection connection, int socketTimeout) {
+    connection.setConnectTimeout(socketTimeout);
+    connection.setReadTimeout(socketTimeout);
+  }
+
   public static void main(String[] argv) throws Exception {
     CommandLine cliParser = new GnuParser().parse(opts, argv);
     if (cliParser.hasOption("put")) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServicesWithSSL.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServicesWithSSL.java
new file mode 100644
index 00000000000..81f87fbd65c
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServicesWithSSL.java
@@ -0,0 +1,134 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.timeline.webapp;
+
+import java.io.File;
+import java.util.EnumSet;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
+import org.apache.hadoop.yarn.api.records.timeline.TimelineEntities;
+import org.apache.hadoop.yarn.api.records.timeline.TimelineEntity;
+import org.apache.hadoop.yarn.api.records.timeline.TimelineEvent;
+import org.apache.hadoop.yarn.api.records.timeline.TimelinePutResponse;
+import org.apache.hadoop.yarn.client.api.impl.TimelineClientImpl;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.applicationhistoryservice.ApplicationHistoryServer;
+import org.apache.hadoop.yarn.server.applicationhistoryservice.webapp.AHSWebApp;
+import org.apache.hadoop.yarn.server.timeline.MemoryTimelineStore;
+import org.apache.hadoop.yarn.server.timeline.TimelineReader.Field;
+import org.apache.hadoop.yarn.server.timeline.TimelineStore;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.sun.jersey.api.client.ClientResponse;
+
+public class TestTimelineWebServicesWithSSL {
+
+  private static final String BASEDIR =
+      System.getProperty("test.build.dir", "target/test-dir") + "/"
+          + TestTimelineWebServicesWithSSL.class.getSimpleName();
+
+  private static String keystoresDir;
+  private static String sslConfDir;
+  private static ApplicationHistoryServer timelineServer;
+  private static TimelineStore store;
+  private static Configuration conf;
+
+  @BeforeClass
+  public static void setupServer() throws Exception {
+    conf = new YarnConfiguration();
+    conf.setBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED, true);
+    conf.setClass(YarnConfiguration.TIMELINE_SERVICE_STORE,
+        MemoryTimelineStore.class, TimelineStore.class);
+    conf.set(YarnConfiguration.YARN_HTTP_POLICY_KEY, "HTTPS_ONLY");
+
+    File base = new File(BASEDIR);
+    FileUtil.fullyDelete(base);
+    base.mkdirs();
+    keystoresDir = new File(BASEDIR).getAbsolutePath();
+    sslConfDir =
+        KeyStoreTestUtil.getClasspathDir(TestTimelineWebServicesWithSSL.class);
+
+    KeyStoreTestUtil.setupSSLConfig(keystoresDir, sslConfDir, conf, false);
+    conf.addResource("ssl-server.xml");
+    conf.addResource("ssl-client.xml");
+
+    timelineServer = new ApplicationHistoryServer();
+    timelineServer.init(conf);
+    timelineServer.start();
+    store = timelineServer.getTimelineStore();
+  }
+
+  @AfterClass
+  public static void tearDownServer() throws Exception {
+    if (timelineServer != null) {
+      timelineServer.stop();
+    }
+    AHSWebApp.resetInstance();
+  }
+
+  @Test
+  public void testPutEntities() throws Exception {
+    TestTimelineClient client = new TestTimelineClient();
+    try {
+      client.init(conf);
+      client.start();
+      TimelineEntity expectedEntity = new TimelineEntity();
+      expectedEntity.setEntityType("test entity type");
+      expectedEntity.setEntityId("test entity id");
+      TimelineEvent event = new TimelineEvent();
+      event.setEventType("test event type");
+      event.setTimestamp(0L);
+      expectedEntity.addEvent(event);
+
+      TimelinePutResponse response = client.putEntities(expectedEntity);
+      Assert.assertEquals(0, response.getErrors().size());
+      Assert.assertTrue(client.resp.toString().contains("https"));
+
+      TimelineEntity actualEntity = store.getEntity(
+          expectedEntity.getEntityId(), expectedEntity.getEntityType(),
+          EnumSet.allOf(Field.class));
+      Assert.assertNotNull(actualEntity);
+      Assert.assertEquals(
+          expectedEntity.getEntityId(), actualEntity.getEntityId());
+      Assert.assertEquals(
+          expectedEntity.getEntityType(), actualEntity.getEntityType());
+    } finally {
+      client.stop();
+      client.close();
+    }
+  }
+
+  private static class TestTimelineClient extends TimelineClientImpl {
+
+    private ClientResponse resp;
+
+    @Override
+    public ClientResponse doPostingEntities(TimelineEntities entities) {
+      resp = super.doPostingEntities(entities);
+      return resp;
+    }
+
+  }
+
+}

From 55a2b550b5a114b2801839d6b20c2d27cfbdaefb Mon Sep 17 00:00:00 2001
From: Jason Darrell Lowe <jlowe@apache.org>
Date: Wed, 20 Aug 2014 17:38:51 +0000
Subject: [PATCH 270/354] YARN-2034. Description for
 yarn.nodemanager.localizer.cache.target-size-mb is incorrect. Contributed by
 Chen He

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619176 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                             | 3 +++
 .../java/org/apache/hadoop/yarn/conf/YarnConfiguration.java | 6 +++++-
 .../hadoop-yarn-common/src/main/resources/yarn-default.xml  | 5 ++++-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index b584ec54afd..a57171ad7ec 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -220,6 +220,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2249. Avoided AM release requests being lost on work preserving RM
     restart. (Jian He via zjshen)
 
+    YARN-2034. Description for yarn.nodemanager.localizer.cache.target-size-mb
+    is incorrect (Chen He via jlowe)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
index 39d1dd3b015..d227e4f415d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -606,7 +606,11 @@ public class YarnConfiguration extends Configuration {
   public static final long DEFAULT_NM_LOCALIZER_CACHE_CLEANUP_INTERVAL_MS = 
     10 * 60 * 1000;
   
-  /** Target size of localizer cache in MB, per local directory.*/
+  /**
+   * Target size of localizer cache in MB, per nodemanager. It is a target
+   * retention size that only includes resources with PUBLIC and PRIVATE
+   * visibility and excludes resources with APPLICATION visibility
+   */
   public static final String NM_LOCALIZER_CACHE_TARGET_SIZE_MB =
     NM_PREFIX + "localizer.cache.target-size-mb";
   public static final long DEFAULT_NM_LOCALIZER_CACHE_TARGET_SIZE_MB = 10 * 1024;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
index 9b2b6764923..55b3490a4e8 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -757,7 +757,10 @@
   </property>
 
   <property>
-    <description>Target size of localizer cache in MB, per local directory.</description>
+    <description>Target size of localizer cache in MB, per nodemanager. It is
+      a target retention size that only includes resources with PUBLIC and 
+      PRIVATE visibility and excludes resources with APPLICATION visibility
+    </description>
     <name>yarn.nodemanager.localizer.cache.target-size-mb</name>
     <value>10240</value>
   </property>

From f20d36312681658f12c3fad49a8c0deddfa5f333 Mon Sep 17 00:00:00 2001
From: Jing Zhao <jing9@apache.org>
Date: Wed, 20 Aug 2014 18:13:03 +0000
Subject: [PATCH 271/354] HDFS-6870. Blocks and INodes could leak for Rename
 with overwrite flag. Contributed by Yi Liu.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619192 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 ++
 .../hdfs/server/namenode/FSDirectory.java     | 15 ++++---
 .../org/apache/hadoop/hdfs/TestDFSRename.java | 44 +++++++++++++++++++
 3 files changed, 57 insertions(+), 5 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 48b127bdc30..f5a3892165c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -523,6 +523,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6868. portmap and nfs3 are documented as hadoop commands instead of hdfs
     (brandonli)
 
+    HDFS-6870. Blocks and INodes could leak for Rename with overwrite flag. (Yi
+    Liu via jing9)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
index 77805258a1a..ef667f77164 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java
@@ -644,15 +644,20 @@ boolean unprotectedRenameTo(String src, String dst, long timestamp,
         tx.updateMtimeAndLease(timestamp);
 
         // Collect the blocks and remove the lease for previous dst
-        long filesDeleted = -1;
+        boolean filesDeleted = false;
         if (removedDst != null) {
           undoRemoveDst = false;
           if (removedNum > 0) {
             BlocksMapUpdateInfo collectedBlocks = new BlocksMapUpdateInfo();
             List<INode> removedINodes = new ChunkedArrayList<INode>();
-            filesDeleted = removedDst.cleanSubtree(Snapshot.CURRENT_STATE_ID,
-                dstIIP.getLatestSnapshotId(), collectedBlocks, removedINodes,
-                true).get(Quota.NAMESPACE);
+            if (!removedDst.isInLatestSnapshot(dstIIP.getLatestSnapshotId())) {
+              removedDst.destroyAndCollectBlocks(collectedBlocks, removedINodes);
+              filesDeleted = true;
+            } else {
+              filesDeleted = removedDst.cleanSubtree(Snapshot.CURRENT_STATE_ID,
+                  dstIIP.getLatestSnapshotId(), collectedBlocks, removedINodes,
+                  true).get(Quota.NAMESPACE) >= 0;
+            }
             getFSNamesystem().removePathAndBlocks(src, collectedBlocks,
                 removedINodes, false);
           }
@@ -665,7 +670,7 @@ boolean unprotectedRenameTo(String src, String dst, long timestamp,
         }
 
         tx.updateQuotasInSourceTree();
-        return filesDeleted >= 0;
+        return filesDeleted;
       }
     } finally {
       if (undoRemoveSrc) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSRename.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSRename.java
index 1c00e509939..2e748b5b1c2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSRename.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSRename.java
@@ -27,6 +27,9 @@
 import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.Options.Rename;
+import org.apache.hadoop.hdfs.protocol.LocatedBlocks;
+import org.apache.hadoop.hdfs.server.blockmanagement.BlockManager;
 import org.apache.hadoop.hdfs.server.namenode.NameNodeAdapter;
 import org.junit.Test;
 
@@ -125,4 +128,45 @@ public void testRename() throws Exception {
       if (cluster != null) {cluster.shutdown();}
     }
   }
+  
+  /**
+   * Check the blocks of dst file are cleaned after rename with overwrite
+   */
+  @Test(timeout = 120000)
+  public void testRenameWithOverwrite() throws Exception {
+    final short replFactor = 2;
+    final long blockSize = 512;
+    Configuration conf = new Configuration();
+    MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).
+        numDataNodes(replFactor).build();
+    DistributedFileSystem dfs = cluster.getFileSystem();
+    try {
+      
+      long fileLen = blockSize*3;
+      String src = "/foo/src";
+      String dst = "/foo/dst";
+      Path srcPath = new Path(src);
+      Path dstPath = new Path(dst);
+      
+      DFSTestUtil.createFile(dfs, srcPath, fileLen, replFactor, 1);
+      DFSTestUtil.createFile(dfs, dstPath, fileLen, replFactor, 1);
+      
+      LocatedBlocks lbs = NameNodeAdapter.getBlockLocations(
+          cluster.getNameNode(), dst, 0, fileLen);
+      BlockManager bm = NameNodeAdapter.getNamesystem(cluster.getNameNode()).
+          getBlockManager();
+      assertTrue(bm.getStoredBlock(lbs.getLocatedBlocks().get(0).getBlock().
+          getLocalBlock()) != null);
+      dfs.rename(srcPath, dstPath, Rename.OVERWRITE);
+      assertTrue(bm.getStoredBlock(lbs.getLocatedBlocks().get(0).getBlock().
+          getLocalBlock()) == null);
+    } finally {
+      if (dfs != null) {
+        dfs.close();
+      }
+      if (cluster != null) {
+        cluster.shutdown();
+      }
+    }
+  }
 }

From ef32d09030b4cc2674a134e123f784c0364c3f02 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Wed, 20 Aug 2014 18:47:10 +0000
Subject: [PATCH 272/354] [post-HADOOP-9902] mapred version is missing (Akira
 AJISAKA via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619201 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt                        | 3 +++
 hadoop-mapreduce-project/bin/mapred                         | 5 +++++
 .../src/site/apt/MapredCommands.apt.vm                      | 6 ++++++
 3 files changed, 14 insertions(+)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index c1701297d6c..0044287f7f5 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -86,6 +86,9 @@ Trunk (Unreleased)
     MAPREDUCE-6019. MapReduce changes for exposing YARN/MR endpoints on multiple
     interfaces. (Craig Welch, Milan Potocnik, Arpit Agarwal via xgong)
 
+    MAPREDUCE-6013. [post-HADOOP-9902] mapred version is missing (Akira AJISAKA
+    via aw)
+
   BUG FIXES
 
     MAPREDUCE-5714. Removed forceful JVM exit in shutDownJob.  
diff --git a/hadoop-mapreduce-project/bin/mapred b/hadoop-mapreduce-project/bin/mapred
index 340a95b8a32..cbfdc7e7d09 100755
--- a/hadoop-mapreduce-project/bin/mapred
+++ b/hadoop-mapreduce-project/bin/mapred
@@ -29,6 +29,7 @@ function hadoop_usage
   echo "  pipes                run a Pipes job"
   echo "  queue                get information regarding JobQueues"
   echo "  sampler              sampler"
+  echo "  version              print the version"
   echo ""
   echo "Most commands print help when invoked w/o parameters."
 }
@@ -105,6 +106,10 @@ case ${COMMAND} in
     CLASS=org.apache.hadoop.mapred.lib.InputSampler
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
   ;;
+  version)
+    CLASS=org.apache.hadoop.util.VersionInfo
+    HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
+  ;;
   -*|*)
     hadoop_exit_with_usage 1
   ;;
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/MapredCommands.apt.vm b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/MapredCommands.apt.vm
index 795eb344e64..9edc41d13d4 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/MapredCommands.apt.vm
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/MapredCommands.apt.vm
@@ -177,6 +177,12 @@ MapReduce Commands Guide
    Creates a hadoop archive. More information can be found at
    {{{./HadoopArchives.html}Hadoop Archives Guide}}.
 
+** <<<version>>>
+
+   Prints the version.
+
+   Usage: <<<mapred version>>>
+
 * Administration Commands
 
    Commands useful for administrators of a hadoop cluster.

From b0f0ef17f07c0140858bcb680f86fbbab3beccb8 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Wed, 20 Aug 2014 18:56:56 +0000
Subject: [PATCH 273/354] Fix up CHANGES.txt for HDFS-6134, HADOOP-10150 and
 related JIRAs.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619203 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES-fs-encryption.txt   |  61 -----------
 .../hadoop-common/CHANGES.txt                 |  50 +++++++++
 .../hadoop-hdfs/CHANGES-fs-encryption.txt     | 102 ------------------
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  91 ++++++++++++++++
 .../CHANGES-fs-encryption.txt                 |  20 ----
 hadoop-mapreduce-project/CHANGES.txt          |  10 ++
 6 files changed, 151 insertions(+), 183 deletions(-)
 delete mode 100644 hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
 delete mode 100644 hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
 delete mode 100644 hadoop-mapreduce-project/CHANGES-fs-encryption.txt

diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
deleted file mode 100644
index d036e711d94..00000000000
--- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt
+++ /dev/null
@@ -1,61 +0,0 @@
-Hadoop Common Change Log for HDFS-6134 and HADOOP-10150
-
-fs-encryption (Unreleased)
-
-  INCOMPATIBLE CHANGES
-
-  NEW FEATURES
-
-    HADOOP-10734. Implement high-performance secure random number sources.
-    (Yi Liu via Colin Patrick McCabe)
-
-  IMPROVEMENTS
-
-    HADOOP-10603. Crypto input and output streams implementing Hadoop stream
-    interfaces. (Yi Liu and Charles Lamb)
-
-    HADOOP-10628. Javadoc and few code style improvement for Crypto
-    input and output streams. (Yi Liu via clamb)
-
-    HADOOP-10632. Minor improvements to Crypto input and output streams. 
-    (Yi Liu)
-
-    HADOOP-10635. Add a method to CryptoCodec to generate SRNs for IV. (Yi Liu)
-
-    HADOOP-10653. Add a new constructor for CryptoInputStream that 
-    receives current position of wrapped stream. (Yi Liu)
-
-    HADOOP-10662. NullPointerException in CryptoInputStream while wrapped
-    stream is not ByteBufferReadable. Add tests using normal stream. (Yi Liu)
-
-    HADOOP-10713. Refactor CryptoCodec#generateSecureRandom to take a byte[]. 
-    (wang via yliu)
-
-    HADOOP-10693. Implementation of AES-CTR CryptoCodec using JNI to OpenSSL. 
-    (Yi Liu via cmccabe)
-
-    HADOOP-10803. Update OpensslCipher#getInstance to accept CipherSuite#name
-    format. (Yi Liu)
-
-    HADOOP-10735. Fall back AesCtrCryptoCodec implementation from OpenSSL to
-    JCE if non native support. (Yi Liu)
-
-    HADOOP-10870. Failed to load OpenSSL cipher error logs on systems with old
-    openssl versions (cmccabe)
-
-    HADOOP-10853. Refactor get instance of CryptoCodec and support create via
-    algorithm/mode/padding. (Yi Liu)
-
-    HADOOP-10919. Copy command should preserve raw.* namespace
-    extended attributes. (clamb)
-
-    HDFS-6873. Constants in CommandWithDestination should be static. (clamb)
-
-  OPTIMIZATIONS
-
-  BUG FIXES
-
-    HADOOP-10871. incorrect prototype in OpensslSecureRandom.c (cmccabe)
-
-    HADOOP-10886. CryptoCodec#getCodecclasses throws NPE when configurations not 
-    loaded. (umamahesh)
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 6e5b4adc1c7..fb2daeb711a 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -442,6 +442,56 @@ Trunk (Unreleased)
 
     HADOOP-8589. ViewFs tests fail when tests and home dirs are nested (sanjay Radia)
 
+  BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
+
+    HADOOP-10734. Implement high-performance secure random number sources.
+    (Yi Liu via Colin Patrick McCabe)
+
+    HADOOP-10603. Crypto input and output streams implementing Hadoop stream
+    interfaces. (Yi Liu and Charles Lamb)
+
+    HADOOP-10628. Javadoc and few code style improvement for Crypto
+    input and output streams. (Yi Liu via clamb)
+
+    HADOOP-10632. Minor improvements to Crypto input and output streams. 
+    (Yi Liu)
+
+    HADOOP-10635. Add a method to CryptoCodec to generate SRNs for IV. (Yi Liu)
+
+    HADOOP-10653. Add a new constructor for CryptoInputStream that 
+    receives current position of wrapped stream. (Yi Liu)
+
+    HADOOP-10662. NullPointerException in CryptoInputStream while wrapped
+    stream is not ByteBufferReadable. Add tests using normal stream. (Yi Liu)
+
+    HADOOP-10713. Refactor CryptoCodec#generateSecureRandom to take a byte[]. 
+    (wang via yliu)
+
+    HADOOP-10693. Implementation of AES-CTR CryptoCodec using JNI to OpenSSL. 
+    (Yi Liu via cmccabe)
+
+    HADOOP-10803. Update OpensslCipher#getInstance to accept CipherSuite#name
+    format. (Yi Liu)
+
+    HADOOP-10735. Fall back AesCtrCryptoCodec implementation from OpenSSL to
+    JCE if non native support. (Yi Liu)
+
+    HADOOP-10870. Failed to load OpenSSL cipher error logs on systems with old
+    openssl versions (cmccabe)
+
+    HADOOP-10853. Refactor get instance of CryptoCodec and support create via
+    algorithm/mode/padding. (Yi Liu)
+
+    HADOOP-10919. Copy command should preserve raw.* namespace
+    extended attributes. (clamb)
+
+    HDFS-6873. Constants in CommandWithDestination should be static. (clamb)
+
+    HADOOP-10871. incorrect prototype in OpensslSecureRandom.c (cmccabe)
+
+    HADOOP-10886. CryptoCodec#getCodecclasses throws NPE when configurations not 
+    loaded. (umamahesh)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
deleted file mode 100644
index 0171b82c31a..00000000000
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt
+++ /dev/null
@@ -1,102 +0,0 @@
-Hadoop HDFS Change Log for HDFS-6134 and HADOOP-10150
-
-fs-encryption (Unreleased)
-
-  INCOMPATIBLE CHANGES
-
-  NEW FEATURES
-
-  IMPROVEMENTS
-
-    HDFS-6387. HDFS CLI admin tool for creating & deleting an
-    encryption zone. (clamb)
-
-    HDFS-6386. HDFS Encryption Zones (clamb)
-
-    HDFS-6388. HDFS integration with KeyProvider. (clamb)
-
-    HDFS-6473. Protocol and API for Encryption Zones (clamb)
-
-    HDFS-6392. Wire crypto streams for encrypted files in
-    DFSClient. (clamb and yliu)
-
-    HDFS-6476. Print out the KeyProvider after finding KP successfully on
-    startup. (Juan Yu via wang)
-
-    HDFS-6391. Get the Key/IV from the NameNode for encrypted files in
-    DFSClient. (Charles Lamb and wang)
-
-    HDFS-6389. Rename restrictions for encryption zones. (clamb)
-
-    HDFS-6605. Client server negotiation of cipher suite. (wang)
-
-    HDFS-6625. Remove the Delete Encryption Zone function (clamb)
-
-    HDFS-6516. List of Encryption Zones should be based on inodes (clamb)
-
-    HDFS-6629. Not able to create symlinks after HDFS-6516 (umamaheswararao)
-
-    HDFS-6635. Refactor encryption zone functionality into new
-    EncryptionZoneManager class. (wang)
-
-    HDFS-6474. Namenode needs to get the actual keys and iv from the
-    KeyProvider. (wang)
-
-    HDFS-6619. Clean up encryption-related tests. (wang)
-
-    HDFS-6405. Test Crypto streams in HDFS. (yliu via wang)
-
-    HDFS-6490. Fix the keyid format for generated keys in
-    FSNamesystem.createEncryptionZone (clamb)
-
-    HDFS-6716. Update usage of KeyProviderCryptoExtension APIs on NameNode.
-    (wang)
-
-    HDFS-6718. Remove EncryptionZoneManager lock. (wang)
-
-    HDFS-6720. Remove KeyProvider in EncryptionZoneManager. (wang)
-
-    HDFS-6738. Remove unnecessary getEncryptionZoneForPath call in
-    EZManager#createEncryptionZone. (clamb)
-
-    HDFS-6724. Decrypt EDEK before creating
-    CryptoInputStream/CryptoOutputStream. (wang)
-
-    HDFS-6509. Create a special /.reserved/raw directory for raw access to
-    encrypted data. (clamb via wang)
-
-    HDFS-6771. Require specification of an encryption key when creating
-    an encryption zone. (wang)
-
-    HDFS-6730. Create a .RAW extended attribute namespace. (clamb)
-
-    HDFS-6692. Add more HDFS encryption tests. (wang)
-
-    HDFS-6780. Batch the encryption zones listing API. (wang)
-
-    HDFS-6394. HDFS encryption documentation. (wang)
-
-    HDFS-6834. Improve the configuration guidance in DFSClient when there 
-    are no Codec classes found in configs. (umamahesh)
-
-    HDFS-6546. Add non-superuser capability to get the encryption zone
-    for a specific path. (clamb)
-
-  OPTIMIZATIONS
-
-  BUG FIXES
-
-    HDFS-6733. Creating encryption zone results in NPE when
-    KeyProvider is null. (clamb)
-
-    HDFS-6785. Should not be able to create encryption zone using path
-    to a non-directory file. (clamb)
-
-    HDFS-6807. Fix TestReservedRawPaths. (clamb)
-
-    HDFS-6814. Mistakenly dfs.namenode.list.encryption.zones.num.responses configured
-    as boolean. (umamahesh)
-
-    HDFS-6817. Fix findbugs and other warnings. (yliu)
-
-    HDFS-6839. Fix TestCLI to expect new output. (clamb)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index f5a3892165c..f20b1246cab 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -255,6 +255,97 @@ Trunk (Unreleased)
     HDFS-6657. Remove link to 'Legacy UI' in trunk's Namenode UI.
     (Vinayakumar B via wheat 9)
 
+  BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
+
+    HDFS-6387. HDFS CLI admin tool for creating & deleting an
+    encryption zone. (clamb)
+
+    HDFS-6386. HDFS Encryption Zones (clamb)
+
+    HDFS-6388. HDFS integration with KeyProvider. (clamb)
+
+    HDFS-6473. Protocol and API for Encryption Zones (clamb)
+
+    HDFS-6392. Wire crypto streams for encrypted files in
+    DFSClient. (clamb and yliu)
+
+    HDFS-6476. Print out the KeyProvider after finding KP successfully on
+    startup. (Juan Yu via wang)
+
+    HDFS-6391. Get the Key/IV from the NameNode for encrypted files in
+    DFSClient. (Charles Lamb and wang)
+
+    HDFS-6389. Rename restrictions for encryption zones. (clamb)
+
+    HDFS-6605. Client server negotiation of cipher suite. (wang)
+
+    HDFS-6625. Remove the Delete Encryption Zone function (clamb)
+
+    HDFS-6516. List of Encryption Zones should be based on inodes (clamb)
+
+    HDFS-6629. Not able to create symlinks after HDFS-6516 (umamaheswararao)
+
+    HDFS-6635. Refactor encryption zone functionality into new
+    EncryptionZoneManager class. (wang)
+
+    HDFS-6474. Namenode needs to get the actual keys and iv from the
+    KeyProvider. (wang)
+
+    HDFS-6619. Clean up encryption-related tests. (wang)
+
+    HDFS-6405. Test Crypto streams in HDFS. (yliu via wang)
+
+    HDFS-6490. Fix the keyid format for generated keys in
+    FSNamesystem.createEncryptionZone (clamb)
+
+    HDFS-6716. Update usage of KeyProviderCryptoExtension APIs on NameNode.
+    (wang)
+
+    HDFS-6718. Remove EncryptionZoneManager lock. (wang)
+
+    HDFS-6720. Remove KeyProvider in EncryptionZoneManager. (wang)
+
+    HDFS-6738. Remove unnecessary getEncryptionZoneForPath call in
+    EZManager#createEncryptionZone. (clamb)
+
+    HDFS-6724. Decrypt EDEK before creating
+    CryptoInputStream/CryptoOutputStream. (wang)
+
+    HDFS-6509. Create a special /.reserved/raw directory for raw access to
+    encrypted data. (clamb via wang)
+
+    HDFS-6771. Require specification of an encryption key when creating
+    an encryption zone. (wang)
+
+    HDFS-6730. Create a .RAW extended attribute namespace. (clamb)
+
+    HDFS-6692. Add more HDFS encryption tests. (wang)
+
+    HDFS-6780. Batch the encryption zones listing API. (wang)
+
+    HDFS-6394. HDFS encryption documentation. (wang)
+
+    HDFS-6834. Improve the configuration guidance in DFSClient when there 
+    are no Codec classes found in configs. (umamahesh)
+
+    HDFS-6546. Add non-superuser capability to get the encryption zone
+    for a specific path. (clamb)
+
+    HDFS-6733. Creating encryption zone results in NPE when
+    KeyProvider is null. (clamb)
+
+    HDFS-6785. Should not be able to create encryption zone using path
+    to a non-directory file. (clamb)
+
+    HDFS-6807. Fix TestReservedRawPaths. (clamb)
+
+    HDFS-6814. Mistakenly dfs.namenode.list.encryption.zones.num.responses configured
+    as boolean. (umamahesh)
+
+    HDFS-6817. Fix findbugs and other warnings. (yliu)
+
+    HDFS-6839. Fix TestCLI to expect new output. (clamb)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/CHANGES-fs-encryption.txt b/hadoop-mapreduce-project/CHANGES-fs-encryption.txt
deleted file mode 100644
index 3e1718e624b..00000000000
--- a/hadoop-mapreduce-project/CHANGES-fs-encryption.txt
+++ /dev/null
@@ -1,20 +0,0 @@
-Hadoop MapReduce Change Log
-
-fs-encryption (Unreleased)
-
-  INCOMPATIBLE CHANGES
-
-  NEW FEATURES
-
-    MAPREDUCE-5890. Support for encrypting Intermediate 
-    data and spills in local filesystem. (asuresh via tucu)
-
-  IMPROVEMENTS
-
-    MAPREDUCE-6007. Add support to distcp to preserve raw.* namespace
-    extended attributes. (clamb)
-
-    HDFS-6872. Fix TestOptionsParser. (clamb)
-
-  BUG FIXES
-
diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 0044287f7f5..4cef9555897 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -154,6 +154,16 @@ Trunk (Unreleased)
     MAPREDUCE-5867. Fix NPE in KillAMPreemptionPolicy related to 
     ProportionalCapacityPreemptionPolicy (Sunil G via devaraj)
 
+  BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
+
+    MAPREDUCE-5890. Support for encrypting Intermediate 
+    data and spills in local filesystem. (asuresh via tucu)
+
+    MAPREDUCE-6007. Add support to distcp to preserve raw.* namespace
+    extended attributes. (clamb)
+
+    MAPREDUCE-6041. Fix TestOptionsParser. (clamb)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES

From 9b8250c7423ecde7573a6710e551849864e2620c Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Wed, 20 Aug 2014 21:33:19 +0000
Subject: [PATCH 274/354] Set the release date for 2.5.0 in CHANGES.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619237 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt | 2 +-
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt     | 2 +-
 hadoop-mapreduce-project/CHANGES.txt            | 2 +-
 hadoop-yarn-project/CHANGES.txt                 | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index fb2daeb711a..c697be1c512 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -676,7 +676,7 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10968. hadoop native build fails to detect java_libarch on
     ppc64le (Dinar Valeev via Colin Patrick McCabe)
 
-Release 2.5.0 - UNRELEASED
+Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index f20b1246cab..8bdfb0e8bc6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -617,7 +617,7 @@ Release 2.6.0 - UNRELEASED
     HDFS-6870. Blocks and INodes could leak for Rename with overwrite flag. (Yi
     Liu via jing9)
 
-Release 2.5.0 - UNRELEASED
+Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
 
diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 4cef9555897..5cc965a0b3f 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -249,7 +249,7 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-6012. DBInputSplit creates invalid ranges on Oracle. 
     (Wei Yan via kasha)
 
-Release 2.5.0 - UNRELEASED
+Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
 
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index a57171ad7ec..6b5c0410efc 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -223,7 +223,7 @@ Release 2.6.0 - UNRELEASED
     YARN-2034. Description for yarn.nodemanager.localizer.cache.target-size-mb
     is incorrect (Chen He via jlowe)
 
-Release 2.5.0 - UNRELEASED
+Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
 

From e1dd210fa55dcf043e7522d0d12e58158a17913f Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Wed, 20 Aug 2014 22:10:52 +0000
Subject: [PATCH 275/354] YARN-1919. Potential NPE in
 EmbeddedElectorService#stop. (Tsuyoshi Ozawa via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619251 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                        |  3 +++
 .../server/resourcemanager/EmbeddedElectorService.java | 10 ++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 6b5c0410efc..a4a432d75dd 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -223,6 +223,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2034. Description for yarn.nodemanager.localizer.cache.target-size-mb
     is incorrect (Chen He via jlowe)
 
+    YARN-1919. Potential NPE in EmbeddedElectorService#stop. 
+    (Tsuyoshi Ozawa via kasha)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/EmbeddedElectorService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/EmbeddedElectorService.java
index 0aa292ffbf5..c7b7768d10d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/EmbeddedElectorService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/EmbeddedElectorService.java
@@ -109,8 +109,14 @@ protected void serviceStart() throws Exception {
 
   @Override
   protected void serviceStop() throws Exception {
-    elector.quitElection(false);
-    elector.terminateConnection();
+    /**
+     * When error occurs in serviceInit(), serviceStop() can be called.
+     * We need null check for the case.
+     */
+    if (elector != null) {
+      elector.quitElection(false);
+      elector.terminateConnection();
+    }
     super.serviceStop();
   }
 

From 8304001861073a3f570afc32e25b0280018f427a Mon Sep 17 00:00:00 2001
From: Chris Nauroth <cnauroth@apache.org>
Date: Wed, 20 Aug 2014 22:46:35 +0000
Subject: [PATCH 276/354] HDFS-6858. Allow
 dfs.data.transfer.saslproperties.resolver.class default to
 hadoop.security.saslproperties.resolver.class. Contributed by Benoy Antony.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619256 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                | 3 +++
 .../protocol/datatransfer/sasl/DataTransferSaslUtil.java   | 4 +++-
 .../hadoop-hdfs/src/main/resources/hdfs-default.xml        | 7 ++-----
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 8bdfb0e8bc6..6bc8e74a858 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -496,6 +496,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6188. An ip whitelist based implementation of TrustedChannelResolver.
     (Benoy Antony via Arpit Agarwal)
 
+    HDFS-6858. Allow dfs.data.transfer.saslproperties.resolver.class default to
+    hadoop.security.saslproperties.resolver.class. (Benoy Antony via cnauroth)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
index cd18b9fa0fa..81d740f2353 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
@@ -162,8 +162,10 @@ public static SaslPropertiesResolver getSaslPropertiesResolver(
     Configuration saslPropsResolverConf = new Configuration(conf);
     saslPropsResolverConf.set(HADOOP_RPC_PROTECTION, qops);
     Class<? extends SaslPropertiesResolver> resolverClass = conf.getClass(
-      DFS_DATA_TRANSFER_SASL_PROPS_RESOLVER_CLASS_KEY,
+      HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS,
       SaslPropertiesResolver.class, SaslPropertiesResolver.class);
+    resolverClass = conf.getClass(DFS_DATA_TRANSFER_SASL_PROPS_RESOLVER_CLASS_KEY,
+      resolverClass, SaslPropertiesResolver.class);
     saslPropsResolverConf.setClass(HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS,
       resolverClass, SaslPropertiesResolver.class);
     SaslPropertiesResolver resolver = SaslPropertiesResolver.getInstance(
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
index 0b0657b2666..201560d0ccd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
@@ -1474,11 +1474,8 @@
   <value></value>
   <description>
     SaslPropertiesResolver used to resolve the QOP used for a connection to the
-    DataNode when reading or writing block data.  If not specified, the full set
-    of values specified in dfs.data.transfer.protection is used while
-    determining the QOP used for the connection. If a class is specified, then
-    the QOP values returned by the class will be used while determining the QOP
-    used for the connection.
+    DataNode when reading or writing block data. If not specified, the value of
+    hadoop.security.saslproperties.resolver.class is used as the default value.
   </description>
 </property>
 

From 8f00897a4be5af42fff36336e40d2178c06ecccc Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Thu, 21 Aug 2014 00:42:27 +0000
Subject: [PATCH 277/354] HDFS-6878. Change MiniDFSCluster to support
 StorageType configuration for individual directories. (Arpit Agarwal)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619271 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../apache/hadoop/hdfs/MiniDFSCluster.java    | 82 +++++++++++--------
 .../hdfs/MiniDFSClusterWithNodeGroup.java     | 12 +--
 .../server/datanode/TestStorageReport.java    |  2 +-
 4 files changed, 61 insertions(+), 38 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 6bc8e74a858..0221018c46e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -499,6 +499,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6858. Allow dfs.data.transfer.saslproperties.resolver.class default to
     hadoop.security.saslproperties.resolver.class. (Benoy Antony via cnauroth)
 
+    HDFS-6878. Change MiniDFSCluster to support StorageType configuration
+    for individual directories (Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
index fe298d33118..fef5ff85227 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
@@ -144,7 +144,7 @@ public static class Builder {
     private int nameNodeHttpPort = 0;
     private final Configuration conf;
     private int numDataNodes = 1;
-    private StorageType storageType = StorageType.DEFAULT;
+    private StorageType[][] storageTypes = null;
     private boolean format = true;
     private boolean manageNameDfsDirs = true;
     private boolean manageNameDfsSharedDirs = true;
@@ -193,10 +193,26 @@ public Builder numDataNodes(int val) {
     }
 
     /**
-     * Default: StorageType.DEFAULT
+     * Set the same storage type configuration for each datanode.
+     * If storageTypes is uninitialized or passed null then
+     * StorageType.DEFAULT is used.
      */
-    public Builder storageType(StorageType type) {
-      this.storageType = type;
+    public Builder storageTypes(StorageType[] types) {
+      assert types.length == DIRS_PER_DATANODE;
+      this.storageTypes = new StorageType[numDataNodes][types.length];
+      for (int i = 0; i < numDataNodes; ++i) {
+        this.storageTypes[i] = types;
+      }
+      return this;
+    }
+
+    /**
+     * Set custom storage type configuration for each datanode.
+     * If storageTypes is uninitialized or passed null then
+     * StorageType.DEFAULT is used.
+     */
+    public Builder storageTypes(StorageType[][] types) {
+      this.storageTypes = types;
       return this;
     }
 
@@ -369,7 +385,8 @@ protected MiniDFSCluster(Builder builder) throws IOException {
       builder.nnTopology = MiniDFSNNTopology.simpleSingleNN(
           builder.nameNodePort, builder.nameNodeHttpPort);
     }
-    
+    assert builder.storageTypes == null ||
+           builder.storageTypes.length == builder.numDataNodes;
     final int numNameNodes = builder.nnTopology.countNameNodes();
     LOG.info("starting cluster: numNameNodes=" + numNameNodes
         + ", numDataNodes=" + builder.numDataNodes);
@@ -377,7 +394,7 @@ protected MiniDFSCluster(Builder builder) throws IOException {
       
     initMiniDFSCluster(builder.conf,
                        builder.numDataNodes,
-                       builder.storageType,
+                       builder.storageTypes,
                        builder.format,
                        builder.manageNameDfsDirs,
                        builder.manageNameDfsSharedDirs,
@@ -477,8 +494,8 @@ public MiniDFSCluster() {
    * Servers will be started on free ports.
    * <p>
    * The caller must manage the creation of NameNode and DataNode directories
-   * and have already set {@link #DFS_NAMENODE_NAME_DIR_KEY} and 
-   * {@link #DFS_DATANODE_DATA_DIR_KEY} in the given conf.
+   * and have already set {@link DFSConfigKeys#DFS_NAMENODE_NAME_DIR_KEY} and
+   * {@link DFSConfigKeys#DFS_DATANODE_DATA_DIR_KEY} in the given conf.
    * 
    * @param conf the base configuration to use in starting the servers.  This
    *          will be modified as necessary.
@@ -554,8 +571,8 @@ public MiniDFSCluster(Configuration conf,
    * @param format if true, format the NameNode and DataNodes before starting 
    *          up
    * @param manageDfsDirs if true, the data directories for servers will be
-   *          created and {@link #DFS_NAMENODE_NAME_DIR_KEY} and 
-   *          {@link #DFS_DATANODE_DATA_DIR_KEY} will be set in 
+   *          created and {@link DFSConfigKeys#DFS_NAMENODE_NAME_DIR_KEY} and
+   *          {@link DFSConfigKeys#DFS_DATANODE_DATA_DIR_KEY} will be set in
    *          the conf
    * @param operation the operation with which to start the servers.  If null
    *          or StartupOption.FORMAT, then StartupOption.REGULAR will be used.
@@ -586,8 +603,8 @@ public MiniDFSCluster(int nameNodePort,
    * @param numDataNodes Number of DataNodes to start; may be zero
    * @param format if true, format the NameNode and DataNodes before starting up
    * @param manageDfsDirs if true, the data directories for servers will be
-   *          created and {@link #DFS_NAMENODE_NAME_DIR_KEY} and 
-   *          {@link #DFS_DATANODE_DATA_DIR_KEY} will be set in 
+   *          created and {@link DFSConfigKeys#DFS_NAMENODE_NAME_DIR_KEY} and
+   *          {@link DFSConfigKeys#DFS_DATANODE_DATA_DIR_KEY} will be set in
    *          the conf
    * @param operation the operation with which to start the servers.  If null
    *          or StartupOption.FORMAT, then StartupOption.REGULAR will be used.
@@ -620,11 +637,11 @@ public MiniDFSCluster(int nameNodePort,
    * @param numDataNodes Number of DataNodes to start; may be zero
    * @param format if true, format the NameNode and DataNodes before starting up
    * @param manageNameDfsDirs if true, the data directories for servers will be
-   *          created and {@link #DFS_NAMENODE_NAME_DIR_KEY} and 
-   *          {@link #DFS_DATANODE_DATA_DIR_KEY} will be set in 
+   *          created and {@link DFSConfigKeys#DFS_NAMENODE_NAME_DIR_KEY} and
+   *          {@link DFSConfigKeys#DFS_DATANODE_DATA_DIR_KEY} will be set in
    *          the conf
    * @param manageDataDfsDirs if true, the data directories for datanodes will
-   *          be created and {@link #DFS_DATANODE_DATA_DIR_KEY} 
+   *          be created and {@link DFSConfigKeys#DFS_DATANODE_DATA_DIR_KEY}
    *          set to same in the conf
    * @param operation the operation with which to start the servers.  If null
    *          or StartupOption.FORMAT, then StartupOption.REGULAR will be used.
@@ -643,7 +660,7 @@ public MiniDFSCluster(int nameNodePort,
                         String[] racks, String hosts[],
                         long[] simulatedCapacities) throws IOException {
     this.nameNodes = new NameNodeInfo[1]; // Single namenode in the cluster
-    initMiniDFSCluster(conf, numDataNodes, StorageType.DEFAULT, format,
+    initMiniDFSCluster(conf, numDataNodes, null, format,
         manageNameDfsDirs, true, manageDataDfsDirs, manageDataDfsDirs, 
         operation, null, racks, hosts,
         simulatedCapacities, null, true, false,
@@ -652,7 +669,7 @@ public MiniDFSCluster(int nameNodePort,
 
   private void initMiniDFSCluster(
       Configuration conf,
-      int numDataNodes, StorageType storageType, boolean format, boolean manageNameDfsDirs,
+      int numDataNodes, StorageType[][] storageTypes, boolean format, boolean manageNameDfsDirs,
       boolean manageNameDfsSharedDirs, boolean enableManagedDfsDirsRedundancy,
       boolean manageDataDfsDirs, StartupOption startOpt,
       StartupOption dnStartOpt, String[] racks,
@@ -725,7 +742,7 @@ private void initMiniDFSCluster(
       }
 
       // Start the DataNodes
-      startDataNodes(conf, numDataNodes, storageType, manageDataDfsDirs,
+      startDataNodes(conf, numDataNodes, storageTypes, manageDataDfsDirs,
           dnStartOpt != null ? dnStartOpt : startOpt,
           racks, hosts, simulatedCapacities, setupHostsFile,
           checkDataNodeAddrConfig, checkDataNodeHostConfig, dnConfOverlays);
@@ -1100,15 +1117,18 @@ public void waitClusterUp() throws IOException {
     }
   }
 
-  String makeDataNodeDirs(int dnIndex, StorageType storageType) throws IOException {
+  String makeDataNodeDirs(int dnIndex, StorageType[] storageTypes) throws IOException {
     StringBuilder sb = new StringBuilder();
+    assert storageTypes == null || storageTypes.length == DIRS_PER_DATANODE;
     for (int j = 0; j < DIRS_PER_DATANODE; ++j) {
       File dir = getInstanceStorageDir(dnIndex, j);
       dir.mkdirs();
       if (!dir.isDirectory()) {
         throw new IOException("Mkdirs failed to create directory for DataNode " + dir);
       }
-      sb.append((j > 0 ? "," : "") + "[" + storageType + "]" + fileAsURI(dir));
+      sb.append((j > 0 ? "," : "") + "[" +
+          (storageTypes == null ? StorageType.DEFAULT : storageTypes[j]) +
+          "]" + fileAsURI(dir));
     }
     return sb.toString();
   }
@@ -1127,7 +1147,7 @@ String makeDataNodeDirs(int dnIndex, StorageType storageType) throws IOException
    *          will be modified as necessary.
    * @param numDataNodes Number of DataNodes to start; may be zero
    * @param manageDfsDirs if true, the data directories for DataNodes will be
-   *          created and {@link #DFS_DATANODE_DATA_DIR_KEY} will be set 
+   *          created and {@link DFSConfigKeys#DFS_DATANODE_DATA_DIR_KEY} will be set
    *          in the conf
    * @param operation the operation with which to start the DataNodes.  If null
    *          or StartupOption.FORMAT, then StartupOption.REGULAR will be used.
@@ -1159,7 +1179,7 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
    *          will be modified as necessary.
    * @param numDataNodes Number of DataNodes to start; may be zero
    * @param manageDfsDirs if true, the data directories for DataNodes will be
-   *          created and {@link #DFS_DATANODE_DATA_DIR_KEY} will be 
+   *          created and {@link DFSConfigKeys#DFS_DATANODE_DATA_DIR_KEY} will be
    *          set in the conf
    * @param operation the operation with which to start the DataNodes.  If null
    *          or StartupOption.FORMAT, then StartupOption.REGULAR will be used.
@@ -1175,21 +1195,17 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
                              String[] racks, String[] hosts,
                              long[] simulatedCapacities,
                              boolean setupHostsFile) throws IOException {
-    startDataNodes(conf, numDataNodes, StorageType.DEFAULT, manageDfsDirs, operation, racks, hosts,
+    startDataNodes(conf, numDataNodes, null, manageDfsDirs, operation, racks, hosts,
         simulatedCapacities, setupHostsFile, false, false, null);
   }
 
-  /**
-   * @see MiniDFSCluster#startDataNodes(Configuration, int, boolean, StartupOption,
-   * String[], String[], long[], boolean, boolean, boolean)
-   */
   public synchronized void startDataNodes(Configuration conf, int numDataNodes,
       boolean manageDfsDirs, StartupOption operation, 
       String[] racks, String[] hosts,
       long[] simulatedCapacities,
       boolean setupHostsFile,
       boolean checkDataNodeAddrConfig) throws IOException {
-    startDataNodes(conf, numDataNodes, StorageType.DEFAULT, manageDfsDirs, operation, racks, hosts,
+    startDataNodes(conf, numDataNodes, null, manageDfsDirs, operation, racks, hosts,
         simulatedCapacities, setupHostsFile, checkDataNodeAddrConfig, false, null);
   }
 
@@ -1207,7 +1223,7 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
    *          will be modified as necessary.
    * @param numDataNodes Number of DataNodes to start; may be zero
    * @param manageDfsDirs if true, the data directories for DataNodes will be
-   *          created and {@link #DFS_DATANODE_DATA_DIR_KEY} will be 
+   *          created and {@link DFSConfigKeys#DFS_DATANODE_DATA_DIR_KEY} will be
    *          set in the conf
    * @param operation the operation with which to start the DataNodes.  If null
    *          or StartupOption.FORMAT, then StartupOption.REGULAR will be used.
@@ -1222,13 +1238,15 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
    * @throws IllegalStateException if NameNode has been shutdown
    */
   public synchronized void startDataNodes(Configuration conf, int numDataNodes,
-      StorageType storageType, boolean manageDfsDirs, StartupOption operation,
+      StorageType[][] storageTypes, boolean manageDfsDirs, StartupOption operation,
       String[] racks, String[] hosts,
       long[] simulatedCapacities,
       boolean setupHostsFile,
       boolean checkDataNodeAddrConfig,
       boolean checkDataNodeHostConfig,
       Configuration[] dnConfOverlays) throws IOException {
+    assert storageTypes == null || storageTypes.length == numDataNodes;
+
     if (operation == StartupOption.RECOVER) {
       return;
     }
@@ -1289,7 +1307,7 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
       // Set up datanode address
       setupDatanodeAddress(dnConf, setupHostsFile, checkDataNodeAddrConfig);
       if (manageDfsDirs) {
-        String dirs = makeDataNodeDirs(i, storageType);
+        String dirs = makeDataNodeDirs(i, storageTypes == null ? null : storageTypes[i]);
         dnConf.set(DFS_DATANODE_DATA_DIR_KEY, dirs);
         conf.set(DFS_DATANODE_DATA_DIR_KEY, dirs);
       }
@@ -2173,7 +2191,7 @@ public void injectBlocks(int dataNodeIndex,
   }
 
   /**
-   * Multiple-NameNode version of {@link #injectBlocks(Iterable[])}.
+   * Multiple-NameNode version of injectBlocks.
    */
   public void injectBlocks(int nameNodeIndex, int dataNodeIndex,
       Iterable<Block> blocksToInject) throws IOException {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSClusterWithNodeGroup.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSClusterWithNodeGroup.java
index d06a6a04519..382bf368213 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSClusterWithNodeGroup.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSClusterWithNodeGroup.java
@@ -50,12 +50,14 @@ public static void setNodeGroups (String[] nodeGroups) {
   }
 
   public synchronized void startDataNodes(Configuration conf, int numDataNodes,
-      StorageType storageType, boolean manageDfsDirs, StartupOption operation,
+      StorageType[][] storageTypes, boolean manageDfsDirs, StartupOption operation,
       String[] racks, String[] nodeGroups, String[] hosts,
       long[] simulatedCapacities,
       boolean setupHostsFile,
       boolean checkDataNodeAddrConfig,
       boolean checkDataNodeHostConfig) throws IOException {
+    assert storageTypes == null || storageTypes.length == numDataNodes;
+
     if (operation == StartupOption.RECOVER) {
       return;
     }
@@ -112,7 +114,7 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
       // Set up datanode address
       setupDatanodeAddress(dnConf, setupHostsFile, checkDataNodeAddrConfig);
       if (manageDfsDirs) {
-        String dirs = makeDataNodeDirs(i, storageType);
+        String dirs = makeDataNodeDirs(i, storageTypes == null ? null : storageTypes[i]);
         dnConf.set(DFSConfigKeys.DFS_DATANODE_DATA_DIR_KEY, dirs);
         conf.set(DFSConfigKeys.DFS_DATANODE_DATA_DIR_KEY, dirs);
       }
@@ -190,7 +192,7 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
       String[] racks, String[] nodeGroups, String[] hosts,
       long[] simulatedCapacities,
       boolean setupHostsFile) throws IOException {
-    startDataNodes(conf, numDataNodes, StorageType.DEFAULT, manageDfsDirs, operation, racks, nodeGroups,
+    startDataNodes(conf, numDataNodes, null, manageDfsDirs, operation, racks, nodeGroups,
         hosts, simulatedCapacities, setupHostsFile, false, false);
   }
 
@@ -205,14 +207,14 @@ public void startDataNodes(Configuration conf, int numDataNodes,
   // This is for initialize from parent class.
   @Override
   public synchronized void startDataNodes(Configuration conf, int numDataNodes, 
-      StorageType storageType, boolean manageDfsDirs, StartupOption operation,
+      StorageType[][] storageTypes, boolean manageDfsDirs, StartupOption operation,
       String[] racks, String[] hosts,
       long[] simulatedCapacities,
       boolean setupHostsFile,
       boolean checkDataNodeAddrConfig,
       boolean checkDataNodeHostConfig,
       Configuration[] dnConfOverlays) throws IOException {
-    startDataNodes(conf, numDataNodes, storageType, manageDfsDirs, operation, racks,
+    startDataNodes(conf, numDataNodes, storageTypes, manageDfsDirs, operation, racks,
         NODE_GROUPS, hosts, simulatedCapacities, setupHostsFile, 
         checkDataNodeAddrConfig, checkDataNodeHostConfig);
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestStorageReport.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestStorageReport.java
index 85afa274a88..b6b3fe69b09 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestStorageReport.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestStorageReport.java
@@ -58,7 +58,7 @@ public void startUpCluster() throws IOException {
     conf = new HdfsConfiguration();
     cluster = new MiniDFSCluster.Builder(conf)
         .numDataNodes(REPL_FACTOR)
-        .storageType(storageType)
+        .storageTypes(new StorageType[] { storageType, storageType } )
         .build();
     fs = cluster.getFileSystem();
     bpid = cluster.getNamesystem().getBlockPoolId();

From 6824abc19e12ed142d9f32b8706ef73d97edd1cc Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Thu, 21 Aug 2014 01:13:49 +0000
Subject: [PATCH 278/354] HDFS-6758. Block writer should pass the expected
 block size to DataXceiverServer (Arpit Agarwal)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619275 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   5 +-
 .../apache/hadoop/hdfs/DFSOutputStream.java   |   8 +-
 .../hdfs/server/datanode/DataXceiver.java     |   4 +-
 .../server/datanode/DataXceiverServer.java    |   7 +-
 .../TestWriteBlockGetsBlockLengthHint.java    | 106 ++++++++++++++++++
 5 files changed, 122 insertions(+), 8 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestWriteBlockGetsBlockLengthHint.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 0221018c46e..14ef2f1989b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -500,7 +500,10 @@ Release 2.6.0 - UNRELEASED
     hadoop.security.saslproperties.resolver.class. (Benoy Antony via cnauroth)
 
     HDFS-6878. Change MiniDFSCluster to support StorageType configuration
-    for individual directories (Arpit Agarwal)
+    for individual directories. (Arpit Agarwal)
+
+    HDFS-6758. block writer should pass the expected block size to
+    DataXceiverServer. (Arpit Agarwal)
 
   OPTIMIZATIONS
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
index 4ba2a3ba8da..14977a25077 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
@@ -1342,8 +1342,14 @@ private boolean createBlockOutputStream(DatanodeInfo[] nodes,
           //
   
           BlockConstructionStage bcs = recoveryFlag? stage.getRecoveryStage(): stage;
+
+          // We cannot change the block length in 'block' as it counts the number
+          // of bytes ack'ed.
+          ExtendedBlock blockCopy = new ExtendedBlock(block);
+          blockCopy.setNumBytes(blockSize);
+
           // send the request
-          new Sender(out).writeBlock(block, nodeStorageTypes[0], accessToken,
+          new Sender(out).writeBlock(blockCopy, nodeStorageTypes[0], accessToken,
               dfsClient.clientName, nodes, nodeStorageTypes, null, bcs, 
               nodes.length, block.getNumBytes(), bytesSent, newGS, checksum,
               cachingStrategy.get());
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
index 2d72f0110ad..4575c9353ce 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiver.java
@@ -576,7 +576,9 @@ public void writeBlock(final ExtendedBlock block,
     // forward the original version of the block to downstream mirrors, so
     // make a copy here.
     final ExtendedBlock originalBlock = new ExtendedBlock(block);
-    block.setNumBytes(dataXceiverServer.estimateBlockSize);
+    if (block.getNumBytes() == 0) {
+      block.setNumBytes(dataXceiverServer.estimateBlockSize);
+    }
     LOG.info("Receiving " + block + " src: " + remoteAddress + " dest: "
         + localAddress);
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiverServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiverServer.java
index 2c03a5123b8..a1f766d6249 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiverServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataXceiverServer.java
@@ -100,11 +100,8 @@ synchronized void release() {
   
   /**
    * We need an estimate for block size to check if the disk partition has
-   * enough space. For now we set it to be the default block size set
-   * in the server side configuration, which is not ideal because the
-   * default block size should be a client-size configuration. 
-   * A better solution is to include in the header the estimated block size,
-   * i.e. either the actual block size or the default block size.
+   * enough space. Newer clients pass the expected block size to the DataNode.
+   * For older clients we just use the server-side default block size.
    */
   final long estimateBlockSize;
   
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestWriteBlockGetsBlockLengthHint.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestWriteBlockGetsBlockLengthHint.java
new file mode 100644
index 00000000000..29ac3f2c473
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestWriteBlockGetsBlockLengthHint.java
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs;
+
+import java.io.IOException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
+import org.apache.hadoop.hdfs.server.datanode.*;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.FsDatasetSpi;
+import org.apache.hadoop.test.GenericTestUtils;
+import org.junit.Test;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.*;
+
+
+/**
+ * Test to verify that the DFSClient passes the expected block length to
+ * the DataNode via DataTransferProtocol.
+ */
+public class TestWriteBlockGetsBlockLengthHint {
+  static final long DEFAULT_BLOCK_LENGTH = 1024;
+  static final long EXPECTED_BLOCK_LENGTH = DEFAULT_BLOCK_LENGTH * 2;
+
+  @Test
+  public void blockLengthHintIsPropagated() throws IOException {
+    final String METHOD_NAME = GenericTestUtils.getMethodName();
+    final Path path = new Path("/" + METHOD_NAME + ".dat");
+
+    Configuration conf = new HdfsConfiguration();
+    FsDatasetChecker.setFactory(conf);
+    conf.setLong(DFSConfigKeys.DFS_BLOCK_SIZE_KEY, DEFAULT_BLOCK_LENGTH);
+    conf.setInt(DFSConfigKeys.DFS_DATANODE_SCAN_PERIOD_HOURS_KEY, -1);
+    MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
+
+    try {
+      cluster.waitActive();
+
+      // FsDatasetChecker#createRbw asserts during block creation if the test
+      // fails.
+      DFSTestUtil.createFile(
+          cluster.getFileSystem(),
+          path,
+          4096,  // Buffer size.
+          EXPECTED_BLOCK_LENGTH,
+          EXPECTED_BLOCK_LENGTH,
+          (short) 1,
+          0x1BAD5EED);
+    } finally {
+      cluster.shutdown();
+    }
+  }
+
+  static class FsDatasetChecker extends SimulatedFSDataset {
+    static class Factory extends FsDatasetSpi.Factory<SimulatedFSDataset> {
+      @Override
+      public SimulatedFSDataset newInstance(DataNode datanode,
+          DataStorage storage, Configuration conf) throws IOException {
+        return new FsDatasetChecker(storage, conf);
+      }
+
+      @Override
+      public boolean isSimulated() {
+        return true;
+      }
+    }
+
+    public static void setFactory(Configuration conf) {
+      conf.set(DFSConfigKeys.DFS_DATANODE_FSDATASET_FACTORY_KEY,
+               Factory.class.getName());
+    }
+
+    public FsDatasetChecker(DataStorage storage, Configuration conf) {
+      super(storage, conf);
+    }
+
+    /**
+     * Override createRbw to verify that the block length that is passed
+     * is correct. This requires both DFSOutputStream and BlockReceiver to
+     * correctly propagate the hint to FsDatasetSpi.
+     */
+    @Override
+    public synchronized ReplicaInPipelineInterface createRbw(
+        StorageType storageType, ExtendedBlock b) throws IOException {
+      assertThat(b.getLocalBlock().getNumBytes(), is(EXPECTED_BLOCK_LENGTH));
+      return super.createRbw(storageType, b);
+    }
+  }
+}

From 7e75226e68715c3eca9d346c8eaf2f265aa70d23 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 21 Aug 2014 14:57:11 +0000
Subject: [PATCH 279/354] YARN-2424. LCE should support non-cgroups, non-secure
 mode (Chris Douglas via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619421 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                |  3 +++
 .../hadoop/yarn/conf/YarnConfiguration.java    |  9 +++++++++
 .../src/main/resources/yarn-default.xml        | 18 ++++++++++++++++--
 .../nodemanager/LinuxContainerExecutor.java    | 18 +++++++++++++++---
 .../TestLinuxContainerExecutor.java            |  7 +++++++
 5 files changed, 50 insertions(+), 5 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index a4a432d75dd..5eb5e400d30 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -226,6 +226,9 @@ Release 2.6.0 - UNRELEASED
     YARN-1919. Potential NPE in EmbeddedElectorService#stop. 
     (Tsuyoshi Ozawa via kasha)
 
+    YARN-2424. LCE should support non-cgroups, non-secure mode (Chris Douglas 
+    via aw)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
index d227e4f415d..034ec4f90e5 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -836,6 +836,15 @@ public class YarnConfiguration extends Configuration {
   public static final String NM_LINUX_CONTAINER_GROUP =
     NM_PREFIX + "linux-container-executor.group";
 
+  /**
+   * True if linux-container-executor should limit itself to one user
+   * when running in non-secure mode.
+   */
+  public static final String NM_NONSECURE_MODE_LIMIT_USERS = NM_PREFIX +
+     "linux-container-executor.nonsecure-mode.limit-users";
+
+  public static final boolean DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS = true;
+
   /**
    * The UNIX user that containers will run as when Linux-container-executor
    * is used in nonsecure mode (a use case for this is using cgroups).
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
index 55b3490a4e8..9b4a90f4790 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -991,8 +991,22 @@
   </property>
 
   <property>
-    <description>The UNIX user that containers will run as when Linux-container-executor
-    is used in nonsecure mode (a use case for this is using cgroups).</description>
+    <description>This determines which of the two modes that LCE should use on
+      a non-secure cluster.  If this value is set to true, then all containers
+      will be launched as the user specified in
+      yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user.  If
+      this value is set to false, then containers will run as the user who
+      submitted the application.</description>
+    <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name>
+    <value>true</value>
+  </property>
+
+  <property>
+    <description>The UNIX user that containers will run as when
+      Linux-container-executor is used in nonsecure mode (a use case for this
+      is using cgroups) if the
+      yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users is
+      set to true.</description>
     <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user</name>
     <value>nobody</value>
   </property>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
index 7962da28c8c..804864e4cba 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
@@ -57,8 +57,8 @@ public class LinuxContainerExecutor extends ContainerExecutor {
   private LCEResourcesHandler resourcesHandler;
   private boolean containerSchedPriorityIsSet = false;
   private int containerSchedPriorityAdjustment = 0;
-  
-  
+  private boolean containerLimitUsers;
+
   @Override
   public void setConf(Configuration conf) {
     super.setConf(conf);
@@ -81,6 +81,13 @@ public void setConf(Configuration conf) {
     nonsecureLocalUserPattern = Pattern.compile(
         conf.get(YarnConfiguration.NM_NONSECURE_MODE_USER_PATTERN_KEY,
             YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_USER_PATTERN));        
+    containerLimitUsers = conf.getBoolean(
+      YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS,
+      YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS);
+    if (!containerLimitUsers) {
+      LOG.warn(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS +
+          ": impersonation without authentication enabled");
+    }
   }
 
   void verifyUsernamePattern(String user) {
@@ -92,7 +99,12 @@ void verifyUsernamePattern(String user) {
   }
 
   String getRunAsUser(String user) {
-    return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser;
+    if (UserGroupInformation.isSecurityEnabled() ||
+       !containerLimitUsers) {
+      return user;
+    } else {
+      return nonsecureLocalUser;
+    }
   }
 
   /**
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java
index f840730a385..a5ec43b67a1 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java
@@ -279,6 +279,13 @@ public void testLocalUser() throws Exception {
       lce.setConf(conf);
       Assert.assertEquals("bar", lce.getRunAsUser("foo"));
 
+      //nonsecure without limits
+      conf.set(YarnConfiguration.NM_NONSECURE_MODE_LOCAL_USER_KEY, "bar");
+      conf.setBoolean(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, false);
+      lce = new LinuxContainerExecutor();
+      lce.setConf(conf);
+      Assert.assertEquals("foo", lce.getRunAsUser("foo"));
+
       //secure
       conf = new YarnConfiguration();
       conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,

From e5e9d792c7903c58b62f2baabafd031d5d965c57 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Thu, 21 Aug 2014 17:37:34 +0000
Subject: [PATCH 280/354] MAPREDUCE-5974. Allow specifying multiple
 MapOutputCollectors with fallback. (Todd Lipcon via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619492 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt          |  3 ++
 .../org/apache/hadoop/mapred/MapTask.java     | 37 ++++++++++++++-----
 .../src/main/resources/mapred-default.xml     |  4 +-
 .../PluggableShuffleAndPluggableSort.apt.vm   |  8 +++-
 4 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 5cc965a0b3f..cd4d6a5e643 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -187,6 +187,9 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-5906. Inconsistent configuration in property
       "mapreduce.reduce.shuffle.input.buffer.percent" (Akira AJISAKA via aw)
 
+    MAPREDUCE-5974. Allow specifying multiple MapOutputCollectors with 
+    fallback. (Todd Lipcon via kasha)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/MapTask.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/MapTask.java
index b533ebe8e47..dfcbe093832 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/MapTask.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/MapTask.java
@@ -381,16 +381,35 @@ private <T> T getSplitDetails(Path file, long offset)
   private <KEY, VALUE> MapOutputCollector<KEY, VALUE>
           createSortingCollector(JobConf job, TaskReporter reporter)
     throws IOException, ClassNotFoundException {
-    MapOutputCollector<KEY, VALUE> collector
-      = (MapOutputCollector<KEY, VALUE>)
-       ReflectionUtils.newInstance(
-                        job.getClass(JobContext.MAP_OUTPUT_COLLECTOR_CLASS_ATTR,
-                        MapOutputBuffer.class, MapOutputCollector.class), job);
-    LOG.info("Map output collector class = " + collector.getClass().getName());
     MapOutputCollector.Context context =
-                           new MapOutputCollector.Context(this, job, reporter);
-    collector.init(context);
-    return collector;
+      new MapOutputCollector.Context(this, job, reporter);
+
+    Class<?>[] collectorClasses = job.getClasses(
+      JobContext.MAP_OUTPUT_COLLECTOR_CLASS_ATTR, MapOutputBuffer.class);
+    int remainingCollectors = collectorClasses.length;
+    for (Class clazz : collectorClasses) {
+      try {
+        if (!MapOutputCollector.class.isAssignableFrom(clazz)) {
+          throw new IOException("Invalid output collector class: " + clazz.getName() +
+            " (does not implement MapOutputCollector)");
+        }
+        Class<? extends MapOutputCollector> subclazz =
+          clazz.asSubclass(MapOutputCollector.class);
+        LOG.debug("Trying map output collector class: " + subclazz.getName());
+        MapOutputCollector<KEY, VALUE> collector =
+          ReflectionUtils.newInstance(subclazz, job);
+        collector.init(context);
+        LOG.info("Map output collector class = " + collector.getClass().getName());
+        return collector;
+      } catch (Exception e) {
+        String msg = "Unable to initialize MapOutputCollector " + clazz.getName();
+        if (--remainingCollectors > 0) {
+          msg += " (" + remainingCollectors + " more collector(s) to try)";
+        }
+        LOG.warn(msg, e);
+      }
+    }
+    throw new IOException("Unable to initialize any output collector");
   }
 
   @SuppressWarnings("unchecked")
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
index 110e3162833..b2503c74e20 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
@@ -408,7 +408,9 @@
   <name>mapreduce.job.map.output.collector.class</name>
   <value>org.apache.hadoop.mapred.MapTask$MapOutputBuffer</value>
   <description>
-    It defines the MapOutputCollector implementation to use.
+    The MapOutputCollector implementation(s) to use. This may be a comma-separated
+    list of class names, in which case the map task will try to initialize each
+    of the collectors in turn. The first to successfully initialize will be used.
   </description>
 </property>
  
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/PluggableShuffleAndPluggableSort.apt.vm b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/PluggableShuffleAndPluggableSort.apt.vm
index 1b06ca9bfbe..06d802213d9 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/PluggableShuffleAndPluggableSort.apt.vm
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/PluggableShuffleAndPluggableSort.apt.vm
@@ -71,11 +71,16 @@ Hadoop MapReduce Next Generation - Pluggable Shuffle and Pluggable Sort
 *--------------------------------------+---------------------+-----------------+
 | <<<mapreduce.job.reduce.shuffle.consumer.plugin.class>>> | <<<org.apache.hadoop.mapreduce.task.reduce.Shuffle>>>         | The <<<ShuffleConsumerPlugin>>> implementation to use |
 *--------------------------------------+---------------------+-----------------+
-| <<<mapreduce.job.map.output.collector.class>>>   | <<<org.apache.hadoop.mapred.MapTask$MapOutputBuffer>>> | The <<<MapOutputCollector>>> implementation to use |
+| <<<mapreduce.job.map.output.collector.class>>>   | <<<org.apache.hadoop.mapred.MapTask$MapOutputBuffer>>> | The <<<MapOutputCollector>>> implementation(s) to use |
 *--------------------------------------+---------------------+-----------------+
 
   These properties can also be set in the <<<mapred-site.xml>>> to change the default values for all jobs.
 
+  The collector class configuration may specify a comma-separated list of collector implementations.
+  In this case, the map task will attempt to instantiate each in turn until one of the
+  implementations successfully initializes. This can be useful if a given collector
+  implementation is only compatible with certain types of keys or values, for example.
+
 ** NodeManager Configuration properties, <<<yarn-site.xml>>> in all nodes:
 
 *--------------------------------------+---------------------+-----------------+
@@ -91,4 +96,3 @@ Hadoop MapReduce Next Generation - Pluggable Shuffle and Pluggable Sort
   <<<yarn.nodemanager.aux-services>>> property, for example <<<mapred.shufflex>>>.
   Then the property defining the corresponding class must be
   <<<yarn.nodemanager.aux-services.mapreduce_shufflex.class>>>.
-  
\ No newline at end of file

From 7b28f363b1b3f12cecc92d0bba8eb3021b67b48e Mon Sep 17 00:00:00 2001
From: Brandon Li <brandonli@apache.org>
Date: Thu, 21 Aug 2014 17:53:54 +0000
Subject: [PATCH 281/354] HDFS-6890. NFS readdirplus doesn't return dotdot
 attributes. Contributed by Brandon Li

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619500 13f79535-47bb-0310-9956-ffa450edef68
---
 .../org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java     | 6 ++++--
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                 | 2 ++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
index 3ef9240263f..0c7aebeebf9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
@@ -1643,6 +1643,7 @@ READDIRPLUS3Response readdirplus(XDR xdr, SecurityHandler securityHandler,
     DirectoryListing dlisting = null;
     Nfs3FileAttributes postOpDirAttr = null;
     long dotdotFileId = 0;
+    HdfsFileStatus dotdotStatus = null;
     try {
       String dirFileIdPath = Nfs3Utils.getFileIdPath(handle);
       dirStatus = dfsClient.getFileInfo(dirFileIdPath);
@@ -1678,7 +1679,7 @@ READDIRPLUS3Response readdirplus(XDR xdr, SecurityHandler securityHandler,
       if (cookie == 0) {
         // Get dotdot fileId
         String dotdotFileIdPath = dirFileIdPath + "/..";
-        HdfsFileStatus dotdotStatus = dfsClient.getFileInfo(dotdotFileIdPath);
+        dotdotStatus = dfsClient.getFileInfo(dotdotFileIdPath);
 
         if (dotdotStatus == null) {
           // This should not happen
@@ -1723,7 +1724,8 @@ READDIRPLUS3Response readdirplus(XDR xdr, SecurityHandler securityHandler,
           postOpDirAttr.getFileId(), ".", 0, postOpDirAttr, new FileHandle(
               postOpDirAttr.getFileId()));
       entries[1] = new READDIRPLUS3Response.EntryPlus3(dotdotFileId, "..",
-          dotdotFileId, postOpDirAttr, new FileHandle(dotdotFileId));
+          dotdotFileId, Nfs3Utils.getNfs3FileAttrFromFileStatus(dotdotStatus,
+              iug), new FileHandle(dotdotFileId));
 
       for (int i = 2; i < n + 2; i++) {
         long fileId = fstatus[i - 2].getFileId();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 14ef2f1989b..5776f892b5c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -626,6 +626,8 @@ Release 2.6.0 - UNRELEASED
     HDFS-6870. Blocks and INodes could leak for Rename with overwrite flag. (Yi
     Liu via jing9)
 
+    HDFS-6890. NFS readdirplus doesn't return dotdot attributes (brandonli)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES

From ddb7f12ef91d995f85fc4c5b67f9f4a1599ecc25 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Thu, 21 Aug 2014 19:03:28 +0000
Subject: [PATCH 282/354] HADOOP-10992. Merge KMS to branch-2, updating
 hadoop-common CHANGES.txt. (tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619556 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 | 248 +++++++++---------
 1 file changed, 126 insertions(+), 122 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index c697be1c512..6c202715045 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -13,8 +13,6 @@ Trunk (Unreleased)
 
   NEW FEATURES
 
-    HADOOP-10433. Key Management Server based on KeyProvider API. (tucu)
-
     HADOOP-9629. Support Windows Azure Storage - Blob as a file system in Hadoop.
     (Dexter Bradshaw, Mostafa Elhemali, Xi Fang, Johannes Klein, David Lao,
     Mike Liddell, Chuan Liu, Lengning Liu, Ivan Mitic, Michael Rys,
@@ -25,9 +23,6 @@ Trunk (Unreleased)
     Mike Liddell, Chuan Liu, Lengning Liu, Ivan Mitic, Michael Rys,
     Alexander Stojanovich, Brian Swan, and Min Wei via cnauroth)
     
-    HADOOP-10719. Add generateEncryptedKey and decryptEncryptedKey 
-    methods to KeyProvider. (asuresh via tucu)
-
   IMPROVEMENTS
 
     HADOOP-8017. Configure hadoop-main pom to get rid of M2E plugin execution
@@ -121,93 +116,15 @@ Trunk (Unreleased)
 
     HADOOP-9833 move slf4j to version 1.7.5 (Kousuke Saruta via stevel)
 
-    HADOOP-10141. Create KeyProvider API to separate encryption key storage
-    from the applications. (omalley)
-
-    HADOOP-10201. Add listing to KeyProvider API. (Larry McCay via omalley)
-
-    HADOOP-10177. Create CLI tools for managing keys. (Larry McCay via omalley)
-
-    HADOOP-10244. TestKeyShell improperly tests the results of delete (Larry
-    McCay via omalley)
-
     HADOOP-10325. Improve jenkins javadoc warnings from test-patch.sh (cmccabe)
 
     HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to
     build a new UGI. (Larry McCay via omalley)
 
-    HADOOP-10237. JavaKeyStoreProvider needs to set keystore permissions 
-    correctly. (Larry McCay via omalley)
-
-    HADOOP-10432. Refactor SSLFactory to expose static method to determine
-    HostnameVerifier. (tucu)
-
-    HADOOP-10427. KeyProvider implementations should be thread safe. (tucu)
-
-    HADOOP-10429. KeyStores should have methods to generate the materials 
-    themselves, KeyShell should use them. (tucu)
-
-    HADOOP-10428. JavaKeyStoreProvider should accept keystore password via 
-    configuration falling back to ENV VAR. (tucu)
-
-    HADOOP-10430. KeyProvider Metadata should have an optional description, 
-    there should be a method to retrieve the metadata from all keys. (tucu)
-
-    HADOOP-10534. KeyProvider getKeysMetadata should take a list of names 
-    rather than returning all keys. (omalley)
-
     HADOOP-10563. Remove the dependency of jsp in trunk. (wheat9)
 
     HADOOP-10485. Remove dead classes in hadoop-streaming. (wheat9)
 
-    HADOOP-10696. Add optional attributes to KeyProvider Options and Metadata. 
-    (tucu)
-
-    HADOOP-10695. KMSClientProvider should respect a configurable timeout. 
-    (yoderme via tucu)
-
-    HADOOP-10757. KeyProvider KeyVersion should provide the key name. 
-    (asuresh via tucu)
-
-    HADOOP-10769. Create KeyProvider extension to handle delegation tokens.
-    (Arun Suresh via atm)
-
-    HADOOP-10812. Delegate KeyProviderExtension#toString to underlying
-    KeyProvider. (wang)
-
-    HADOOP-10736. Add key attributes to the key shell. (Mike Yoder via wang)
-
-    HADOOP-10824. Refactor KMSACLs to avoid locking. (Benoy Antony via umamahesh)
-
-    HADOOP-10841. EncryptedKeyVersion should have a key name property. 
-    (asuresh via tucu)
-
-    HADOOP-10842. CryptoExtension generateEncryptedKey method should 
-    receive the key name. (asuresh via tucu)
-
-    HADOOP-10750. KMSKeyProviderCache should be in hadoop-common. 
-    (asuresh via tucu)
-
-    HADOOP-10720. KMS: Implement generateEncryptedKey and decryptEncryptedKey
-    in the REST API. (asuresh via tucu)
-
-    HADOOP-10891. Add EncryptedKeyVersion factory method to
-    KeyProviderCryptoExtension. (wang)
-
-    HADOOP-10756. KMS audit log should consolidate successful similar requests. 
-    (asuresh via tucu)
-
-    HADOOP-10793. KeyShell args should use single-dash style. (wang)
-
-    HADOOP-10936. Change default KeyProvider bitlength to 128. (wang)
-
-    HADOOP-10224. JavaKeyStoreProvider has to protect against corrupting 
-    underlying store. (asuresh via tucu)
-
-    HADOOP-10770. KMS add delegation token support. (tucu)
-
-    HADOOP-10698. KMS, add proxyuser support. (tucu)
-
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
@@ -379,22 +296,9 @@ Trunk (Unreleased)
 
     HADOOP-10044 Improve the javadoc of rpc code (sanjay Radia)
 
-    HADOOP-10488. TestKeyProviderFactory fails randomly. (tucu)
-
-    HADOOP-10431. Change visibility of KeyStore.Options getter methods to public. (tucu)
-
-    HADOOP-10583. bin/hadoop key throws NPE with no args and assorted other fixups. (clamb via tucu)
-
-    HADOOP-10586. KeyShell doesn't allow setting Options via CLI. (clamb via tucu)
-
     HADOOP-10625. Trim configuration names when putting/getting them
     to properties. (Wangda Tan via xgong)
 
-    HADOOP-10645. TestKMS fails because race condition writing acl files. (tucu)
-
-    HADOOP-10611. KMS, keyVersion name should not be assumed to be 
-    keyName@versionNumber. (tucu)
-
     HADOOP-10717. HttpServer2 should load jsp DTD from local jars instead of
     going remote. (Dapeng Sun via wheat9)
 
@@ -409,33 +313,12 @@ Trunk (Unreleased)
 
     HADOOP-10834. Typo in CredentialShell usage. (Benoy Antony via umamahesh)
 
-    HADOOP-10816. KeyShell returns -1 on error to the shell, should be 1.
-    (Mike Yoder via wang)
-
     HADOOP-10840. Fix OutOfMemoryError caused by metrics system in Azure File
     System. (Shanyu Zhao via cnauroth)
 
-    HADOOP-10826. Iteration on KeyProviderFactory.serviceLoader is 
-    thread-unsafe. (benoyantony viat tucu)
-
-    HADOOP-10881. Clarify usage of encryption and encrypted encryption
-    key in KeyProviderCryptoExtension. (wang)
-
-    HADOOP-10920. site plugin couldn't parse hadoop-kms index.apt.vm.
-    (Akira Ajisaka via wang)
-
     HADOOP-10925. Compilation fails in native link0 function on Windows.
     (cnauroth)
 
-    HADOOP-10939. Fix TestKeyProviderFactory testcases to use default 128 bit
-    length keys. (Arun Suresh via wang)
-
-    HADOOP-10862. Miscellaneous trivial corrections to KMS classes. 
-    (asuresh via tucu)
-
-    HADOOP-10967. Improve DefaultCryptoExtension#generateEncryptedKey 
-    performance. (hitliuyi via tucu)
-
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
@@ -498,6 +381,8 @@ Release 2.6.0 - UNRELEASED
 
   NEW FEATURES
 
+    HADOOP-10433. Key Management Server based on KeyProvider API. (tucu)
+
   IMPROVEMENTS
 
     HADOOP-10808. Remove unused native code for munlock. (cnauroth)
@@ -582,10 +467,91 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10975. org.apache.hadoop.util.DataChecksum should support calculating
     checksums in native code (James Thomas via Colin Patrick McCabe)
 
+    HADOOP-10201. Add listing to KeyProvider API. (Larry McCay via omalley)
+
+    HADOOP-10177. Create CLI tools for managing keys. (Larry McCay via omalley)
+
+    HADOOP-10432. Refactor SSLFactory to expose static method to determine
+    HostnameVerifier. (tucu)
+
+    HADOOP-10429. KeyStores should have methods to generate the materials
+    themselves, KeyShell should use them. (tucu)
+
+    HADOOP-10427. KeyProvider implementations should be thread safe. (tucu)
+
+    HADOOP-10428. JavaKeyStoreProvider should accept keystore password via
+    configuration falling back to ENV VAR. (tucu)
+
+    HADOOP-10430. KeyProvider Metadata should have an optional description,
+    there should be a method to retrieve the metadata from all keys. (tucu)
+
+    HADOOP-10431. Change visibility of KeyStore.Options getter methods to
+    public. (tucu)
+
+    HADOOP-10534. KeyProvider getKeysMetadata should take a list of names
+    rather than returning all keys. (omalley)
+
+    HADOOP-10719. Add generateEncryptedKey and decryptEncryptedKey
+    methods to KeyProvider. (asuresh via tucu)
+
+    HADOOP-10817. ProxyUsers configuration should support configurable
+    prefixes. (tucu)
+
+    HADOOP-10881. Clarify usage of encryption and encrypted encryption
+    key in KeyProviderCryptoExtension. (wang)
+
+    HADOOP-10770. KMS add delegation token support. (tucu)
+
+    HADOOP-10698. KMS, add proxyuser support. (tucu)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
 
+    HADOOP-10696. Add optional attributes to KeyProvider Options and Metadata.
+    (tucu)
+
+    HADOOP-10695. KMSClientProvider should respect a configurable timeout.
+    (yoderme via tucu)
+
+    HADOOP-10757. KeyProvider KeyVersion should provide the key name.
+    (asuresh via tucu)
+
+    HADOOP-10769. Create KeyProvider extension to handle delegation tokens.
+    (Arun Suresh via atm)
+
+    HADOOP-10812. Delegate KeyProviderExtension#toString to underlying
+    KeyProvider. (wang)
+
+    HADOOP-10736. Add key attributes to the key shell. (Mike Yoder via wang)
+
+    HADOOP-10824. Refactor KMSACLs to avoid locking. (Benoy Antony via umamahesh)
+
+    HADOOP-10841. EncryptedKeyVersion should have a key name property.
+    (asuresh via tucu)
+
+    HADOOP-10842. CryptoExtension generateEncryptedKey method should
+    receive the key name. (asuresh via tucu)
+
+    HADOOP-10750. KMSKeyProviderCache should be in hadoop-common.
+    (asuresh via tucu)
+
+    HADOOP-10720. KMS: Implement generateEncryptedKey and decryptEncryptedKey
+    in the REST API. (asuresh via tucu)
+
+    HADOOP-10891. Add EncryptedKeyVersion factory method to
+    KeyProviderCryptoExtension. (wang)
+
+    HADOOP-10756. KMS audit log should consolidate successful similar requests.
+    (asuresh via tucu)
+
+    HADOOP-10793. KeyShell args should use single-dash style. (wang)
+
+    HADOOP-10936. Change default KeyProvider bitlength to 128. (wang)
+
+    HADOOP-10224. JavaKeyStoreProvider has to protect against corrupting
+    underlying store. (asuresh via tucu)
+
   BUG FIXES
 
     HADOOP-10781. Unportable getgrouplist() usage breaks FreeBSD (Dmitry
@@ -621,11 +587,6 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10927. Fix CredentialShell help behavior and error codes.
     (Josh Elser via wang)
 
-    HADOOP-10937. Need to set version name correctly before decrypting EEK.
-    (Arun Suresh via wang)
-
-    HADOOP-10918. JMXJsonServlet fails when used within Tomcat. (tucu)
-
     HADOOP-10933. FileBasedKeyStoresFactory Should use Configuration.getPassword 
     for SSL Passwords. (lmccay via tucu)
 
@@ -676,6 +637,49 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10968. hadoop native build fails to detect java_libarch on
     ppc64le (Dinar Valeev via Colin Patrick McCabe)
 
+    HADOOP-10141. Create KeyProvider API to separate encryption key storage
+    from the applications. (omalley)
+
+    HADOOP-10237. JavaKeyStoreProvider needs to set keystore permissions
+    correctly. (Larry McCay via omalley)
+
+    HADOOP-10244. TestKeyShell improperly tests the results of delete (Larry
+    McCay via omalley)
+
+    HADOOP-10583. bin/hadoop key throws NPE with no args and assorted other fixups. (clamb via tucu)
+
+    HADOOP-10586. KeyShell doesn't allow setting Options via CLI. (clamb via tucu)
+
+    HADOOP-10645. TestKMS fails because race condition writing acl files. (tucu)
+
+    HADOOP-10611. KMS, keyVersion name should not be assumed to be
+    keyName@versionNumber. (tucu)
+
+    HADOOP-10816. KeyShell returns -1 on error to the shell, should be 1.
+    (Mike Yoder via wang)
+
+    HADOOP-10826. Iteration on KeyProviderFactory.serviceLoader is
+    thread-unsafe. (benoyantony viat tucu)
+
+    HADOOP-10920. site plugin couldn't parse hadoop-kms index.apt.vm.
+    (Akira Ajisaka via wang)
+
+    HADOOP-10937. Need to set version name correctly before decrypting EEK.
+    (Arun Suresh via wang)
+
+    HADOOP-10918. JMXJsonServlet fails when used within Tomcat. (tucu)
+
+    HADOOP-10939. Fix TestKeyProviderFactory testcases to use default 128 bit
+    length keys. (Arun Suresh via wang)
+
+    HADOOP-10862. Miscellaneous trivial corrections to KMS classes.
+    (asuresh via tucu)
+
+    HADOOP-10967. Improve DefaultCryptoExtension#generateEncryptedKey
+    performance. (hitliuyi via tucu)
+
+    HADOOP-10488. TestKeyProviderFactory fails randomly. (tucu)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES

From cbbb899aedacd59040f55ac5ed911c1e62bf3879 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 21 Aug 2014 21:33:35 +0000
Subject: [PATCH 283/354] YARN-2436. [post-HADOOP-9902] yarn application help
 doesn't work

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619603 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt          | 2 ++
 hadoop-yarn-project/hadoop-yarn/bin/yarn | 1 +
 2 files changed, 3 insertions(+)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 5eb5e400d30..ed162ba06d4 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -18,6 +18,8 @@ Trunk - Unreleased
     YARN-2216 TestRMApplicationHistoryWriter sometimes fails in trunk.
     (Zhijie Shen via xgong)
 
+    YARN-2436. [post-HADOOP-9902] yarn application help doesn't work (aw)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/bin/yarn b/hadoop-yarn-project/hadoop-yarn/bin/yarn
index 2017d57feac..dfef8112f05 100644
--- a/hadoop-yarn-project/hadoop-yarn/bin/yarn
+++ b/hadoop-yarn-project/hadoop-yarn/bin/yarn
@@ -73,6 +73,7 @@ case "${COMMAND}" in
   application|applicationattempt|container)
     CLASS=org.apache.hadoop.yarn.client.cli.ApplicationCLI
     YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
+    set -- "${COMMAND}" "$@"
   ;;
   classpath)
     hadoop_finalize

From da4ba50269254456650c08c739f2b394d1182ee4 Mon Sep 17 00:00:00 2001
From: Jason Darrell Lowe <jlowe@apache.org>
Date: Thu, 21 Aug 2014 21:38:16 +0000
Subject: [PATCH 284/354] HADOOP-10893. isolated classloader on the client
 side. Contributed by Sangjin Lee

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619604 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   3 +
 .../dev-support/findbugsExcludeFile.xml       |   5 +
 .../src/main/bin/hadoop-config.cmd            |  10 +-
 .../src/main/bin/hadoop-functions.sh          |  21 +-
 .../hadoop-common/src/main/bin/hadoop.cmd     |  20 ++
 .../hadoop-common/src/main/conf/hadoop-env.sh |  11 +
 .../hadoop/util/ApplicationClassLoader.java   | 219 ++++++++++++++++++
 .../java/org/apache/hadoop/util/RunJar.java   | 115 +++++++--
 .../apache/hadoop/util/ClassLoaderCheck.java  |  33 +++
 .../hadoop/util/ClassLoaderCheckMain.java     |  34 +++
 .../hadoop/util/ClassLoaderCheckSecond.java   |  24 ++
 .../hadoop/util/ClassLoaderCheckThird.java    |  24 ++
 .../util/TestApplicationClassLoader.java      |  12 +-
 .../org/apache/hadoop/util/TestRunJar.java    |  66 +++++-
 .../hadoop/mapreduce/v2/util/MRApps.java      |   3 +-
 .../hadoop/mapreduce/v2/util/TestMRApps.java  |   5 +-
 .../src/main/resources/mapred-default.xml     |  14 +-
 .../hadoop/mapreduce/v2/TestMRJobs.java       |   5 +-
 .../dev-support/findbugs-exclude.xml          |   7 +
 .../yarn/util/ApplicationClassLoader.java     | 170 +-------------
 20 files changed, 584 insertions(+), 217 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ApplicationClassLoader.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheck.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckMain.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckSecond.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckThird.java
 rename {hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn => hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop}/util/TestApplicationClassLoader.java (95%)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 6c202715045..c880e1167dd 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -383,6 +383,9 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-10433. Key Management Server based on KeyProvider API. (tucu)
 
+    HADOOP-10893. isolated classloader on the client side (Sangjin Lee via
+    jlowe)
+
   IMPROVEMENTS
 
     HADOOP-10808. Remove unused native code for munlock. (cnauroth)
diff --git a/hadoop-common-project/hadoop-common/dev-support/findbugsExcludeFile.xml b/hadoop-common-project/hadoop-common/dev-support/findbugsExcludeFile.xml
index e0b217118db..14690341c84 100644
--- a/hadoop-common-project/hadoop-common/dev-support/findbugsExcludeFile.xml
+++ b/hadoop-common-project/hadoop-common/dev-support/findbugsExcludeFile.xml
@@ -108,6 +108,11 @@
        <Method name="driver" />
        <Bug pattern="DM_EXIT" />
      </Match>
+     <Match>
+       <Class name="org.apache.hadoop.util.RunJar" />
+       <Method name="run" />
+       <Bug pattern="DM_EXIT" />
+     </Match>
      <!--
        We need to cast objects between old and new api objects
      -->
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.cmd b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.cmd
index 3ea576cef20..d8da5b16aab 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.cmd
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.cmd
@@ -282,10 +282,12 @@ if not "%HADOOP_MAPRED_HOME%\%MAPRED_DIR%" == "%HADOOP_YARN_HOME%\%YARN_DIR%" (
 @rem
 
 if defined HADOOP_CLASSPATH (
-  if defined HADOOP_USER_CLASSPATH_FIRST (
-    set CLASSPATH=%HADOOP_CLASSPATH%;%CLASSPATH%;
-  ) else (
-    set CLASSPATH=%CLASSPATH%;%HADOOP_CLASSPATH%;
+  if not defined HADOOP_USE_CLIENT_CLASSLOADER (
+    if defined HADOOP_USER_CLASSPATH_FIRST (
+      set CLASSPATH=%HADOOP_CLASSPATH%;%CLASSPATH%;
+    ) else (
+      set CLASSPATH=%CLASSPATH%;%HADOOP_CLASSPATH%;
+    )
   )
 )
 
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
index 646c11ee3f7..f2437fa2ff2 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
@@ -450,7 +450,8 @@ function hadoop_add_to_classpath_mapred
 function hadoop_add_to_classpath_userpath
 {
   # Add the user-specified HADOOP_CLASSPATH to the
-  # official CLASSPATH env var.
+  # official CLASSPATH env var if HADOOP_USE_CLIENT_CLASSLOADER
+  # is not set.
   # Add it first or last depending on if user has
   # set env-var HADOOP_USER_CLASSPATH_FIRST
   # we'll also dedupe it, because we're cool like that.
@@ -469,14 +470,16 @@ function hadoop_add_to_classpath_userpath
     done
     let j=c-1
     
-    if [[ -z "${HADOOP_USER_CLASSPATH_FIRST}" ]]; then
-      for ((i=j; i>=0; i--)); do
-        hadoop_add_classpath "${array[$i]}" before
-      done
-    else
-      for ((i=0; i<=j; i++)); do
-        hadoop_add_classpath "${array[$i]}" after
-      done
+    if [[ -z "${HADOOP_USE_CLIENT_CLASSLOADER}" ]]; then
+      if [[ -z "${HADOOP_USER_CLASSPATH_FIRST}" ]]; then
+        for ((i=j; i>=0; i--)); do
+          hadoop_add_classpath "${array[$i]}" before
+        done
+      else
+        for ((i=0; i<=j; i++)); do
+          hadoop_add_classpath "${array[$i]}" after
+        done
+      fi
     fi
   fi
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd b/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd
index 04a302c0f38..f9cfe14b3f0 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd
@@ -28,6 +28,26 @@
 @rem                                    classpath. Can be defined, for example,
 @rem                                    by doing
 @rem                                    export HADOOP_USER_CLASSPATH_FIRST=true
+@rem
+@rem   HADOOP_USE_CLIENT_CLASSLOADER    When defined, HADOOP_CLASSPATH and the
+@rem                                    jar as the hadoop jar argument are
+@rem                                    handled by a separate isolated client
+@rem                                    classloader. If it is set,
+@rem                                    HADOOP_USER_CLASSPATH_FIRST is
+@rem                                    ignored. Can be defined by doing
+@rem                                    export HADOOP_USE_CLIENT_CLASSLOADER=true
+@rem
+@rem   HADOOP_CLIENT_CLASSLOADER_SYSTEM_CLASSES
+@rem                                    When defined, it overrides the default
+@rem                                    definition of system classes for the
+@rem                                    client classloader when
+@rem                                    HADOOP_USE_CLIENT_CLASSLOADER is
+@rem                                    enabled. Names ending in '.' (period)
+@rem                                    are treated as package names, and names
+@rem                                    starting with a '-' are treated as
+@rem                                    negative matches. For example,
+@rem                                    export HADOOP_CLIENT_CLASSLOADER_SYSTEM_CLASSES="-org.apache.hadoop.UserClass,java.,javax.,org.apache.hadoop."
+
 @rem
 @rem   HADOOP_HEAPSIZE  The maximum amount of heap to use, in MB.
 @rem                    Default is 1000.
diff --git a/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh b/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh
index f50e4126636..eda47c93492 100644
--- a/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh
+++ b/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh
@@ -111,6 +111,17 @@ esac
 # Should HADOOP_USER_CLASSPATH be first in the official CLASSPATH?
 # export HADOOP_USER_CLASSPATH_FIRST="yes"
 
+# If HADOOP_USE_CLIENT_CLASSLOADER is set, HADOOP_CLASSPATH along with the main
+# jar are handled by a separate isolated client classloader. If it is set,
+# HADOOP_USER_CLASSPATH_FIRST is ignored. Can be defined by doing
+# export HADOOP_USE_CLIENT_CLASSLOADER=true
+
+# HADOOP_CLIENT_CLASSLOADER_SYSTEM_CLASSES overrides the default definition of
+# system classes for the client classloader when HADOOP_USE_CLIENT_CLASSLOADER
+# is enabled. Names ending in '.' (period) are treated as package names, and
+# names starting with a '-' are treated as negative matches. For example,
+# export HADOOP_CLIENT_CLASSLOADER_SYSTEM_CLASSES="-org.apache.hadoop.UserClass,java.,javax.,org.apache.hadoop."
+
 ###
 # Options for remote shell connectivity
 ###
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ApplicationClassLoader.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ApplicationClassLoader.java
new file mode 100644
index 00000000000..5dda10fc887
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ApplicationClassLoader.java
@@ -0,0 +1,219 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util;
+
+import java.io.File;
+import java.io.FilenameFilter;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.classification.InterfaceAudience.Public;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
+
+/**
+ * A {@link URLClassLoader} for application isolation. Classes from the
+ * application JARs are loaded in preference to the parent loader.
+ */
+@Public
+@Unstable
+public class ApplicationClassLoader extends URLClassLoader {
+  /**
+   * Default value of the system classes if the user did not override them.
+   * JDK classes, hadoop classes and resources, and some select third-party
+   * classes are considered system classes, and are not loaded by the
+   * application classloader.
+   */
+  public static final String DEFAULT_SYSTEM_CLASSES =
+        "java.," +
+        "javax.," +
+        "org.w3c.dom.," +
+        "org.xml.sax.," +
+        "org.apache.commons.logging.," +
+        "org.apache.log4j.," +
+        "org.apache.hadoop.," +
+        "core-default.xml," +
+        "hdfs-default.xml," +
+        "mapred-default.xml," +
+        "yarn-default.xml";
+
+  private static final Log LOG =
+    LogFactory.getLog(ApplicationClassLoader.class.getName());
+
+  private static final FilenameFilter JAR_FILENAME_FILTER =
+    new FilenameFilter() {
+      @Override
+      public boolean accept(File dir, String name) {
+        return name.endsWith(".jar") || name.endsWith(".JAR");
+      }
+  };
+
+  private final ClassLoader parent;
+  private final List<String> systemClasses;
+
+  public ApplicationClassLoader(URL[] urls, ClassLoader parent,
+      List<String> systemClasses) {
+    super(urls, parent);
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("urls: " + Arrays.toString(urls));
+      LOG.debug("system classes: " + systemClasses);
+    }
+    this.parent = parent;
+    if (parent == null) {
+      throw new IllegalArgumentException("No parent classloader!");
+    }
+    // if the caller-specified system classes are null or empty, use the default
+    this.systemClasses = (systemClasses == null || systemClasses.isEmpty()) ?
+        Arrays.asList(StringUtils.getTrimmedStrings(DEFAULT_SYSTEM_CLASSES)) :
+        systemClasses;
+    LOG.info("system classes: " + this.systemClasses);
+  }
+
+  public ApplicationClassLoader(String classpath, ClassLoader parent,
+      List<String> systemClasses) throws MalformedURLException {
+    this(constructUrlsFromClasspath(classpath), parent, systemClasses);
+  }
+
+  static URL[] constructUrlsFromClasspath(String classpath)
+      throws MalformedURLException {
+    List<URL> urls = new ArrayList<URL>();
+    for (String element : classpath.split(File.pathSeparator)) {
+      if (element.endsWith("/*")) {
+        String dir = element.substring(0, element.length() - 1);
+        File[] files = new File(dir).listFiles(JAR_FILENAME_FILTER);
+        if (files != null) {
+          for (File file : files) {
+            urls.add(file.toURI().toURL());
+          }
+        }
+      } else {
+        File file = new File(element);
+        if (file.exists()) {
+          urls.add(new File(element).toURI().toURL());
+        }
+      }
+    }
+    return urls.toArray(new URL[urls.size()]);
+  }
+
+  @Override
+  public URL getResource(String name) {
+    URL url = null;
+    
+    if (!isSystemClass(name, systemClasses)) {
+      url= findResource(name);
+      if (url == null && name.startsWith("/")) {
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("Remove leading / off " + name);
+        }
+        url= findResource(name.substring(1));
+      }
+    }
+
+    if (url == null) {
+      url= parent.getResource(name);
+    }
+
+    if (url != null) {
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("getResource("+name+")=" + url);
+      }
+    }
+    
+    return url;
+  }
+
+  @Override
+  public Class<?> loadClass(String name) throws ClassNotFoundException {
+    return this.loadClass(name, false);
+  }
+
+  @Override
+  protected synchronized Class<?> loadClass(String name, boolean resolve)
+      throws ClassNotFoundException {
+    
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("Loading class: " + name);
+    }
+
+    Class<?> c = findLoadedClass(name);
+    ClassNotFoundException ex = null;
+
+    if (c == null && !isSystemClass(name, systemClasses)) {
+      // Try to load class from this classloader's URLs. Note that this is like
+      // the servlet spec, not the usual Java 2 behaviour where we ask the
+      // parent to attempt to load first.
+      try {
+        c = findClass(name);
+        if (LOG.isDebugEnabled() && c != null) {
+          LOG.debug("Loaded class: " + name + " ");
+        }
+      } catch (ClassNotFoundException e) {
+        if (LOG.isDebugEnabled()) {
+          LOG.debug(e);
+        }
+        ex = e;
+      }
+    }
+
+    if (c == null) { // try parent
+      c = parent.loadClass(name);
+      if (LOG.isDebugEnabled() && c != null) {
+        LOG.debug("Loaded class from parent: " + name + " ");
+      }
+    }
+
+    if (c == null) {
+      throw ex != null ? ex : new ClassNotFoundException(name);
+    }
+
+    if (resolve) {
+      resolveClass(c);
+    }
+
+    return c;
+  }
+
+  public static boolean isSystemClass(String name, List<String> systemClasses) {
+    if (systemClasses != null) {
+      String canonicalName = name.replace('/', '.');
+      while (canonicalName.startsWith(".")) {
+        canonicalName=canonicalName.substring(1);
+      }
+      for (String c : systemClasses) {
+        boolean result = true;
+        if (c.startsWith("-")) {
+          c = c.substring(1);
+          result = false;
+        }
+        if (c.endsWith(".") && canonicalName.startsWith(c)) {
+          return result;
+        } else if (canonicalName.equals(c)) {
+          return result;
+        }
+      }
+    }
+    return false;
+  }
+}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
index 08b4fd15d84..75b43b63fbd 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
@@ -18,23 +18,25 @@
 
 package org.apache.hadoop.util;
 
-import java.lang.reflect.Array;
-import java.lang.reflect.Method;
-import java.lang.reflect.InvocationTargetException;
-import java.net.URL;
-import java.net.URLClassLoader;
+import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
-import java.io.File;
-import java.util.regex.Pattern;
-import java.util.Arrays;
+import java.lang.reflect.Array;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLClassLoader;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Enumeration;
-import java.util.jar.JarFile;
+import java.util.List;
 import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
 import java.util.jar.Manifest;
+import java.util.regex.Pattern;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
@@ -55,6 +57,21 @@ public class RunJar {
    */
   public static final int SHUTDOWN_HOOK_PRIORITY = 10;
 
+  /**
+   * Environment key for using the client classloader.
+   */
+  public static final String HADOOP_USE_CLIENT_CLASSLOADER =
+      "HADOOP_USE_CLIENT_CLASSLOADER";
+  /**
+   * Environment key for the (user-provided) hadoop classpath.
+   */
+  public static final String HADOOP_CLASSPATH = "HADOOP_CLASSPATH";
+  /**
+   * Environment key for the system classes.
+   */
+  public static final String HADOOP_CLIENT_CLASSLOADER_SYSTEM_CLASSES =
+      "HADOOP_CLIENT_CLASSLOADER_SYSTEM_CLASSES";
+
   /**
    * Unpack a jar file into a directory.
    *
@@ -116,6 +133,10 @@ private static void ensureDirectory(File dir) throws IOException {
   /** Run a Hadoop job jar.  If the main class is not in the jar's manifest,
    * then it must be provided on the command line. */
   public static void main(String[] args) throws Throwable {
+    new RunJar().run(args);
+  }
+
+  public void run(String[] args) throws Throwable {
     String usage = "RunJar jarFile [mainClass] args...";
 
     if (args.length < 1) {
@@ -187,19 +208,7 @@ public void run() {
 
     unJar(file, workDir);
 
-    ArrayList<URL> classPath = new ArrayList<URL>();
-    classPath.add(new File(workDir+"/").toURI().toURL());
-    classPath.add(file.toURI().toURL());
-    classPath.add(new File(workDir, "classes/").toURI().toURL());
-    File[] libs = new File(workDir, "lib").listFiles();
-    if (libs != null) {
-      for (int i = 0; i < libs.length; i++) {
-        classPath.add(libs[i].toURI().toURL());
-      }
-    }
-    
-    ClassLoader loader =
-      new URLClassLoader(classPath.toArray(new URL[0]));
+    ClassLoader loader = createClassLoader(file, workDir);
 
     Thread.currentThread().setContextClassLoader(loader);
     Class<?> mainClass = Class.forName(mainClassName, true, loader);
@@ -214,5 +223,65 @@ public void run() {
       throw e.getTargetException();
     }
   }
-  
+
+  /**
+   * Creates a classloader based on the environment that was specified by the
+   * user. If HADOOP_USE_CLIENT_CLASSLOADER is specified, it creates an
+   * application classloader that provides the isolation of the user class space
+   * from the hadoop classes and their dependencies. It forms a class space for
+   * the user jar as well as the HADOOP_CLASSPATH. Otherwise, it creates a
+   * classloader that simply adds the user jar to the classpath.
+   */
+  private ClassLoader createClassLoader(File file, final File workDir)
+      throws MalformedURLException {
+    ClassLoader loader;
+    // see if the client classloader is enabled
+    if (useClientClassLoader()) {
+      StringBuilder sb = new StringBuilder();
+      sb.append(workDir+"/").
+          append(File.pathSeparator).append(file).
+          append(File.pathSeparator).append(workDir+"/classes/").
+          append(File.pathSeparator).append(workDir+"/lib/*");
+      // HADOOP_CLASSPATH is added to the client classpath
+      String hadoopClasspath = getHadoopClasspath();
+      if (hadoopClasspath != null && !hadoopClasspath.isEmpty()) {
+        sb.append(File.pathSeparator).append(hadoopClasspath);
+      }
+      String clientClasspath = sb.toString();
+      // get the system classes
+      String systemClasses = getSystemClasses();
+      List<String> systemClassesList = systemClasses == null ?
+          null :
+          Arrays.asList(StringUtils.getTrimmedStrings(systemClasses));
+      // create an application classloader that isolates the user classes
+      loader = new ApplicationClassLoader(clientClasspath,
+          getClass().getClassLoader(), systemClassesList);
+    } else {
+      List<URL> classPath = new ArrayList<URL>();
+      classPath.add(new File(workDir+"/").toURI().toURL());
+      classPath.add(file.toURI().toURL());
+      classPath.add(new File(workDir, "classes/").toURI().toURL());
+      File[] libs = new File(workDir, "lib").listFiles();
+      if (libs != null) {
+        for (int i = 0; i < libs.length; i++) {
+          classPath.add(libs[i].toURI().toURL());
+        }
+      }
+      // create a normal parent-delegating classloader
+      loader = new URLClassLoader(classPath.toArray(new URL[0]));
+    }
+    return loader;
+  }
+
+  boolean useClientClassLoader() {
+    return Boolean.parseBoolean(System.getenv(HADOOP_USE_CLIENT_CLASSLOADER));
+  }
+
+  String getHadoopClasspath() {
+    return System.getenv(HADOOP_CLASSPATH);
+  }
+
+  String getSystemClasses() {
+    return System.getenv(HADOOP_CLIENT_CLASSLOADER_SYSTEM_CLASSES);
+  }
 }
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheck.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheck.java
new file mode 100644
index 00000000000..aa2cc0eee41
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheck.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+public class ClassLoaderCheck {
+  /**
+   * Verifies the class is loaded by the right classloader.
+   */
+  public static void checkClassLoader(Class cls,
+      boolean shouldBeLoadedByAppClassLoader) {
+    boolean loadedByAppClassLoader =
+        cls.getClassLoader() instanceof ApplicationClassLoader;
+    if ((shouldBeLoadedByAppClassLoader && !loadedByAppClassLoader) ||
+        (!shouldBeLoadedByAppClassLoader && loadedByAppClassLoader)) {
+      throw new RuntimeException("incorrect classloader used");
+    }
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckMain.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckMain.java
new file mode 100644
index 00000000000..bb14ac9594f
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckMain.java
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+/**
+ * Test class used by {@link TestRunJar} to verify that it is loaded by the
+ * {@link ApplicationClassLoader}.
+ */
+public class ClassLoaderCheckMain {
+  public static void main(String[] args) {
+    // ClassLoaderCheckMain should be loaded by the application classloader
+    ClassLoaderCheck.checkClassLoader(ClassLoaderCheckMain.class, true);
+    // ClassLoaderCheckSecond should NOT be loaded by the application
+    // classloader
+    ClassLoaderCheck.checkClassLoader(ClassLoaderCheckSecond.class, false);
+    // ClassLoaderCheckThird should be loaded by the application classloader
+    ClassLoaderCheck.checkClassLoader(ClassLoaderCheckThird.class, true);
+  }
+}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckSecond.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckSecond.java
new file mode 100644
index 00000000000..45601bd07dc
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckSecond.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+/**
+ * A class {@link ClassLoaderCheckMain} depends on that should be loaded by the
+ * system classloader.
+ */
+public class ClassLoaderCheckSecond {}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckThird.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckThird.java
new file mode 100644
index 00000000000..dd4c0c4a1fa
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/ClassLoaderCheckThird.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.util;
+
+/**
+ * A class {@link ClassLoaderCheckMain} depends on that should be loaded by the
+ * application classloader.
+ */
+public class ClassLoaderCheckThird {}
\ No newline at end of file
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/util/TestApplicationClassLoader.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestApplicationClassLoader.java
similarity index 95%
rename from hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/util/TestApplicationClassLoader.java
rename to hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestApplicationClassLoader.java
index bb4b28c616d..5d0e131bd6c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/util/TestApplicationClassLoader.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestApplicationClassLoader.java
@@ -16,18 +16,15 @@
  * limitations under the License.
  */
 
-package org.apache.hadoop.yarn.util;
+package org.apache.hadoop.util;
 
+import static org.apache.hadoop.util.ApplicationClassLoader.constructUrlsFromClasspath;
+import static org.apache.hadoop.util.ApplicationClassLoader.isSystemClass;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
-import static org.apache.hadoop.yarn.util.ApplicationClassLoader.constructUrlsFromClasspath;
-import static org.apache.hadoop.yarn.util.ApplicationClassLoader.isSystemClass;
-
-import com.google.common.base.Splitter;
-import com.google.common.collect.Lists;
 
 import java.io.File;
 import java.io.FileOutputStream;
@@ -43,6 +40,9 @@
 import org.junit.Before;
 import org.junit.Test;
 
+import com.google.common.base.Splitter;
+import com.google.common.collect.Lists;
+
 public class TestApplicationClassLoader {
   
   private static File testDir = new File(System.getProperty("test.build.data",
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestRunJar.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestRunJar.java
index 8903fca52f8..9e279689a49 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestRunJar.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestRunJar.java
@@ -17,23 +17,30 @@
  */
 package org.apache.hadoop.util;
 
-import junit.framework.TestCase;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.when;
+
+import java.io.BufferedInputStream;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.util.jar.JarOutputStream;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
 
+import junit.framework.TestCase;
+
+import org.apache.hadoop.fs.FileUtil;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
-import org.apache.hadoop.fs.FileUtil;
 
 public class TestRunJar extends TestCase {
   private File TEST_ROOT_DIR;
 
   private static final String TEST_JAR_NAME="test-runjar.jar";
+  private static final String TEST_JAR_2_NAME = "test-runjar2.jar";
 
   @Override
   @Before
@@ -107,4 +114,59 @@ public void testUnJarWithPattern() throws Exception {
                new File(unjarDir, "foobaz.txt").exists());
 
   }
+
+  /**
+   * Tests the client classloader to verify the main class and its dependent
+   * class are loaded correctly by the application classloader, and others are
+   * loaded by the system classloader.
+   */
+  @Test
+  public void testClientClassLoader() throws Throwable {
+    RunJar runJar = spy(new RunJar());
+    // enable the client classloader
+    when(runJar.useClientClassLoader()).thenReturn(true);
+    // set the system classes and blacklist the test main class and the test
+    // third class so they can be loaded by the application classloader
+    String mainCls = ClassLoaderCheckMain.class.getName();
+    String thirdCls = ClassLoaderCheckThird.class.getName();
+    String systemClasses = "-" + mainCls + "," +
+        "-" + thirdCls + "," +
+        ApplicationClassLoader.DEFAULT_SYSTEM_CLASSES;
+    when(runJar.getSystemClasses()).thenReturn(systemClasses);
+
+    // create the test jar
+    File testJar = makeClassLoaderTestJar(mainCls, thirdCls);
+    // form the args
+    String[] args = new String[3];
+    args[0] = testJar.getAbsolutePath();
+    args[1] = mainCls;
+
+    // run RunJar
+    runJar.run(args);
+    // it should not throw an exception
+  }
+
+  private File makeClassLoaderTestJar(String... clsNames) throws IOException {
+    File jarFile = new File(TEST_ROOT_DIR, TEST_JAR_2_NAME);
+    JarOutputStream jstream =
+        new JarOutputStream(new FileOutputStream(jarFile));
+    for (String clsName: clsNames) {
+      String name = clsName.replace('.', '/') + ".class";
+      InputStream entryInputStream = this.getClass().getResourceAsStream(
+          "/" + name);
+      ZipEntry entry = new ZipEntry(name);
+      jstream.putNextEntry(entry);
+      BufferedInputStream bufInputStream = new BufferedInputStream(
+          entryInputStream, 2048);
+      int count;
+      byte[] data = new byte[2048];
+      while ((count = bufInputStream.read(data, 0, 2048)) != -1) {
+        jstream.write(data, 0, count);
+      }
+      jstream.closeEntry();
+    }
+    jstream.close();
+
+    return jarFile;
+  }
 }
\ No newline at end of file
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/util/MRApps.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/util/MRApps.java
index 423b842962f..3bd8414099c 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/util/MRApps.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/util/MRApps.java
@@ -34,6 +34,7 @@
 import java.util.regex.Pattern;
 
 import com.google.common.annotations.VisibleForTesting;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
@@ -56,6 +57,7 @@
 import org.apache.hadoop.mapreduce.v2.api.records.TaskId;
 import org.apache.hadoop.mapreduce.v2.api.records.TaskState;
 import org.apache.hadoop.mapreduce.v2.api.records.TaskType;
+import org.apache.hadoop.util.ApplicationClassLoader;
 import org.apache.hadoop.util.Shell;
 import org.apache.hadoop.util.StringInterner;
 import org.apache.hadoop.util.StringUtils;
@@ -67,7 +69,6 @@
 import org.apache.hadoop.yarn.api.records.LocalResourceVisibility;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
-import org.apache.hadoop.yarn.util.ApplicationClassLoader;
 import org.apache.hadoop.yarn.util.Apps;
 import org.apache.hadoop.yarn.util.ConverterUtils;
 import org.apache.log4j.RollingFileAppender;
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/test/java/org/apache/hadoop/mapreduce/v2/util/TestMRApps.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/test/java/org/apache/hadoop/mapreduce/v2/util/TestMRApps.java
index 2e0423ff22e..02a59e73e2d 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/test/java/org/apache/hadoop/mapreduce/v2/util/TestMRApps.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/test/java/org/apache/hadoop/mapreduce/v2/util/TestMRApps.java
@@ -51,6 +51,7 @@
 import org.apache.hadoop.mapreduce.v2.api.records.TaskId;
 import org.apache.hadoop.mapreduce.v2.api.records.TaskState;
 import org.apache.hadoop.mapreduce.v2.api.records.TaskType;
+import org.apache.hadoop.util.ApplicationClassLoader;
 import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.yarn.api.ApplicationConstants;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
@@ -58,7 +59,6 @@
 import org.apache.hadoop.yarn.api.records.LocalResourceType;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
-import org.apache.hadoop.yarn.util.ApplicationClassLoader;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -514,7 +514,8 @@ public void testTaskStateUI() {
   @Test
   public void testSystemClasses() {
     final List<String> systemClasses =
-        Arrays.asList(MRApps.getSystemClasses(new Configuration()));
+        Arrays.asList(StringUtils.getTrimmedStrings(
+        ApplicationClassLoader.DEFAULT_SYSTEM_CLASSES));
     for (String defaultXml : DEFAULT_XMLS) {
       assertTrue(defaultXml + " must be system resource",
           ApplicationClassLoader.isSystemClass(defaultXml, systemClasses));
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
index b2503c74e20..802ffa1759f 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
@@ -1227,13 +1227,13 @@
 
 <property>
    <name>mapreduce.job.classloader.system.classes</name>
-   <value>java.,javax.,org.w3c.dom.,org.xml.sax.,org.apache.commons.logging.,
-          org.apache.log4j.,org.apache.hadoop.,core-default.xml,
-          hdfs-default.xml,mapred-default.xml,yarn-default.xml</value>
-  <description>A comma-separated list of classes that should be loaded from the
-    system classpath, not the user-supplied JARs, when mapreduce.job.classloader
-    is enabled. Names ending in '.' (period) are treated as package names,
-    and names starting with a '-' are treated as negative matches.
+   <value></value>
+  <description>Used to override the default definition of the system classes for
+    the job classloader. The system classes are a comma-separated list of
+    classes that should be loaded from the system classpath, not the
+    user-supplied JARs, when mapreduce.job.classloader is enabled. Names ending
+    in '.' (period) are treated as package names, and names starting with a '-'
+    are treated as negative matches.
   </description>
 </property>
 
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobs.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobs.java
index 6b47554e8eb..32153996c8d 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobs.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobs.java
@@ -84,13 +84,13 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.hadoop.util.ApplicationClassLoader;
 import org.apache.hadoop.util.JarFinder;
 import org.apache.hadoop.util.Shell;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
-import org.apache.hadoop.yarn.util.ApplicationClassLoader;
 import org.apache.hadoop.yarn.util.ConverterUtils;
 import org.apache.log4j.Level;
 import org.junit.AfterClass;
@@ -242,8 +242,7 @@ private void testJobClassloader(boolean useCustomClasses) throws IOException,
       // to test AM loading user classes such as output format class, we want
       // to blacklist them from the system classes (they need to be prepended
       // as the first match wins)
-      String systemClasses =
-          sleepConf.get(MRJobConfig.MAPREDUCE_JOB_CLASSLOADER_SYSTEM_CLASSES);
+      String systemClasses = ApplicationClassLoader.DEFAULT_SYSTEM_CLASSES;
       // exclude the custom classes from system classes
       systemClasses = "-" + CustomOutputFormat.class.getName() + ",-" +
           CustomSpeculator.class.getName() + "," +
diff --git a/hadoop-yarn-project/hadoop-yarn/dev-support/findbugs-exclude.xml b/hadoop-yarn-project/hadoop-yarn/dev-support/findbugs-exclude.xml
index 6609a260130..b1dfb1ec5ed 100644
--- a/hadoop-yarn-project/hadoop-yarn/dev-support/findbugs-exclude.xml
+++ b/hadoop-yarn-project/hadoop-yarn/dev-support/findbugs-exclude.xml
@@ -344,4 +344,11 @@
       <Class name="org.apache.hadoop.yarn.server.resourcemanager.security.authorize.RMPolicyProvider"/>
       <Bug pattern="DC_DOUBLECHECK" />
   </Match>
+
+  <!-- ApplicationClassLoader is deprecated and moved to hadoop-common; ignore
+       warning on the identical name as it should be removed later -->
+  <Match>
+    <Class name="org.apache.hadoop.yarn.util.ApplicationClassLoader"/>
+    <Bug pattern="NM_SAME_SIMPLE_NAME_AS_SUPERCLASS"/>
+  </Match>
 </FindBugsFilter>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/ApplicationClassLoader.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/ApplicationClassLoader.java
index 63dc5b798c1..ee9ad4c8ddd 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/ApplicationClassLoader.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/util/ApplicationClassLoader.java
@@ -18,180 +18,30 @@
 
 package org.apache.hadoop.yarn.util;
 
-import java.io.File;
-import java.io.FilenameFilter;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.net.URLClassLoader;
-import java.util.ArrayList;
 import java.util.List;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience.Public;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Splitter;
-
 /**
- * A {@link URLClassLoader} for YARN application isolation. Classes from
- * the application JARs are loaded in preference to the parent loader.
+ * This type has been deprecated in favor of
+ * {@link org.apache.hadoop.util.ApplicationClassLoader}. All new uses of
+ * ApplicationClassLoader should use that type instead.
  */
 @Public
 @Unstable
-public class ApplicationClassLoader extends URLClassLoader {
-
-  private static final Log LOG =
-    LogFactory.getLog(ApplicationClassLoader.class.getName());
-  
-  private static final FilenameFilter JAR_FILENAME_FILTER =
-    new FilenameFilter() {
-      @Override
-      public boolean accept(File dir, String name) {
-        return name.endsWith(".jar") || name.endsWith(".JAR");
-      }
-  };
-  
-  private ClassLoader parent;
-  private List<String> systemClasses;
-
+@Deprecated
+public class ApplicationClassLoader extends
+    org.apache.hadoop.util.ApplicationClassLoader {
   public ApplicationClassLoader(URL[] urls, ClassLoader parent,
       List<String> systemClasses) {
-    super(urls, parent);
-    this.parent = parent;
-    if (parent == null) {
-      throw new IllegalArgumentException("No parent classloader!");
-    }
-    this.systemClasses = systemClasses;
+    super(urls, parent, systemClasses);
   }
-  
+
   public ApplicationClassLoader(String classpath, ClassLoader parent,
       List<String> systemClasses) throws MalformedURLException {
-    this(constructUrlsFromClasspath(classpath), parent, systemClasses);
+    super(classpath, parent, systemClasses);
   }
-  
-  @VisibleForTesting
-  static URL[] constructUrlsFromClasspath(String classpath)
-      throws MalformedURLException {
-    List<URL> urls = new ArrayList<URL>();
-    for (String element : Splitter.on(File.pathSeparator).split(classpath)) {
-      if (element.endsWith("/*")) {
-        String dir = element.substring(0, element.length() - 1);
-        File[] files = new File(dir).listFiles(JAR_FILENAME_FILTER);
-        if (files != null) {
-          for (File file : files) {
-            urls.add(file.toURI().toURL());
-          }
-        }
-      } else {
-        File file = new File(element);
-        if (file.exists()) {
-          urls.add(new File(element).toURI().toURL());
-        }
-      }
-    }
-    return urls.toArray(new URL[urls.size()]);
-  }
-
-  @Override
-  public URL getResource(String name) {
-    URL url = null;
-    
-    if (!isSystemClass(name, systemClasses)) {
-      url= findResource(name);
-      if (url == null && name.startsWith("/")) {
-        if (LOG.isDebugEnabled()) {
-          LOG.debug("Remove leading / off " + name);
-        }
-        url= findResource(name.substring(1));
-      }
-    }
-
-    if (url == null) {
-      url= parent.getResource(name);
-    }
-
-    if (url != null) {
-      if (LOG.isDebugEnabled()) {
-        LOG.debug("getResource("+name+")=" + url);
-      }
-    }
-    
-    return url;
-  }
-
-  @Override
-  public Class<?> loadClass(String name) throws ClassNotFoundException {
-    return this.loadClass(name, false);
-  }
-
-  @Override
-  protected synchronized Class<?> loadClass(String name, boolean resolve)
-      throws ClassNotFoundException {
-    
-    if (LOG.isDebugEnabled()) {
-      LOG.debug("Loading class: " + name);
-    }
-
-    Class<?> c = findLoadedClass(name);
-    ClassNotFoundException ex = null;
-
-    if (c == null && !isSystemClass(name, systemClasses)) {
-      // Try to load class from this classloader's URLs. Note that this is like
-      // the servlet spec, not the usual Java 2 behaviour where we ask the
-      // parent to attempt to load first.
-      try {
-        c = findClass(name);
-        if (LOG.isDebugEnabled() && c != null) {
-          LOG.debug("Loaded class: " + name + " ");
-        }
-      } catch (ClassNotFoundException e) {
-        if (LOG.isDebugEnabled()) {
-          LOG.debug(e);
-        }
-        ex = e;
-      }
-    }
-
-    if (c == null) { // try parent
-      c = parent.loadClass(name);
-      if (LOG.isDebugEnabled() && c != null) {
-        LOG.debug("Loaded class from parent: " + name + " ");
-      }
-    }
-
-    if (c == null) {
-      throw ex != null ? ex : new ClassNotFoundException(name);
-    }
-
-    if (resolve) {
-      resolveClass(c);
-    }
-
-    return c;
-  }
-
-  @VisibleForTesting
-  public static boolean isSystemClass(String name, List<String> systemClasses) {
-    if (systemClasses != null) {
-      String canonicalName = name.replace('/', '.');
-      while (canonicalName.startsWith(".")) {
-        canonicalName=canonicalName.substring(1);
-      }
-      for (String c : systemClasses) {
-        boolean result = true;
-        if (c.startsWith("-")) {
-          c = c.substring(1);
-          result = false;
-        }
-        if (c.endsWith(".") && canonicalName.startsWith(c)) {
-          return result;
-        } else if (canonicalName.equals(c)) {
-          return result;
-        }
-      }
-    }
-    return false;
-  }
-}
\ No newline at end of file
+}

From 4236c6600eda9cdda708d02f3a5a3fe31228f70c Mon Sep 17 00:00:00 2001
From: Jason Darrell Lowe <jlowe@apache.org>
Date: Thu, 21 Aug 2014 22:41:34 +0000
Subject: [PATCH 285/354] YARN-2434. RM should not recover containers from
 previously failed attempt when AM restart is not enabled. Contributed by Jian
 He

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619614 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt                     |  3 +++
 .../scheduler/AbstractYarnScheduler.java            | 13 +++++++++++++
 .../TestWorkPreservingRMRestart.java                | 13 +++++++++++++
 3 files changed, 29 insertions(+)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index ed162ba06d4..df0a29dadbd 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -231,6 +231,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2424. LCE should support non-cgroups, non-secure mode (Chris Douglas 
     via aw)
 
+    YARN-2434. RM should not recover containers from previously failed attempt
+    when AM restart is not enabled (Jian He via jlowe)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
index 72ee7dbbe0a..ab56bb97212 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
@@ -273,6 +273,19 @@ public synchronized void recoverContainersOnNode(
       SchedulerApplicationAttempt schedulerAttempt =
           schedulerApp.getCurrentAppAttempt();
 
+      if (!rmApp.getApplicationSubmissionContext()
+        .getKeepContainersAcrossApplicationAttempts()) {
+        // Do not recover containers for stopped attempt or previous attempt.
+        if (schedulerAttempt.isStopped()
+            || !schedulerAttempt.getApplicationAttemptId().equals(
+              container.getContainerId().getApplicationAttemptId())) {
+          LOG.info("Skip recovering container " + container
+              + " for already stopped attempt.");
+          killOrphanContainerOnNode(nm, container);
+          continue;
+        }
+      }
+
       // create container
       RMContainer rmContainer = recoverAndCreateContainer(container, nm);
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java
index df64d4c32d2..d6af0d7307e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java
@@ -513,6 +513,19 @@ public void testAMfailedBetweenRMRestart() throws Exception {
     // just-recovered containers.
     assertNull(scheduler.getRMContainer(runningContainer.getContainerId()));
     assertNull(scheduler.getRMContainer(completedContainer.getContainerId()));
+
+    rm2.waitForNewAMToLaunchAndRegister(app1.getApplicationId(), 2, nm1);
+
+    MockNM nm2 =
+        new MockNM("127.1.1.1:4321", 8192, rm2.getResourceTrackerService());
+    NMContainerStatus previousAttemptContainer =
+        TestRMRestart.createNMContainerStatus(am1.getApplicationAttemptId(), 4,
+          ContainerState.RUNNING);
+    nm2.registerNode(Arrays.asList(previousAttemptContainer), null);
+    // Wait for RM to settle down on recovering containers;
+    Thread.sleep(3000);
+    // check containers from previous failed attempt should not be recovered.
+    assertNull(scheduler.getRMContainer(previousAttemptContainer.getContainerId()));
   }
 
   // Apps already completed before RM restart. Restarted RM scheduler should not

From 5109157ed1fbcfcc117f823995cf1a378627e2fd Mon Sep 17 00:00:00 2001
From: Sanford Ryza <sandy@apache.org>
Date: Thu, 21 Aug 2014 23:28:44 +0000
Subject: [PATCH 286/354] MAPREDUCE-5130. Add missing job config options to
 mapred-default.xml (Ray Chiang via Sandy Ryza)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619626 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt          |  3 +
 .../org/apache/hadoop/mapred/JobConf.java     | 94 ++++---------------
 .../hadoop/mapreduce/util/ConfigUtil.java     |  2 +
 .../src/main/resources/mapred-default.xml     | 89 +++++++++++++++++-
 .../org/apache/hadoop/mapred/TestJobConf.java | 15 +--
 .../org/apache/hadoop/conf/TestJobConf.java   | 20 ++--
 .../hadoop/mapred/gridmix/TestHighRamJob.java | 12 +--
 7 files changed, 133 insertions(+), 102 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index cd4d6a5e643..dfef8e5b99e 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -190,6 +190,9 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-5974. Allow specifying multiple MapOutputCollectors with 
     fallback. (Todd Lipcon via kasha)
 
+    MAPREDUCE-5130. Add missing job config options to mapred-default.xml
+    (Ray Chiang via Sandy Ryza)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobConf.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobConf.java
index 861c47bbb4c..de78e208e70 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobConf.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobConf.java
@@ -151,7 +151,9 @@ public class JobConf extends Configuration {
   /**
    * A value which if set for memory related configuration options,
    * indicates that the options are turned off.
+   * Deprecated because it makes no sense in the context of MR2.
    */
+  @Deprecated
   public static final long DISABLED_MEMORY_LIMIT = -1L;
 
   /**
@@ -1809,27 +1811,19 @@ public String getJobLocalDir() {
    * Get memory required to run a map task of the job, in MB.
    * 
    * If a value is specified in the configuration, it is returned.
-   * Else, it returns {@link #DISABLED_MEMORY_LIMIT}.
+   * Else, it returns {@link JobContext#DEFAULT_MAP_MEMORY_MB}.
    * <p/>
    * For backward compatibility, if the job configuration sets the
    * key {@link #MAPRED_TASK_MAXVMEM_PROPERTY} to a value different
    * from {@link #DISABLED_MEMORY_LIMIT}, that value will be used
    * after converting it from bytes to MB.
    * @return memory required to run a map task of the job, in MB,
-   *          or {@link #DISABLED_MEMORY_LIMIT} if unset.
    */
   public long getMemoryForMapTask() {
     long value = getDeprecatedMemoryValue();
-    if (value == DISABLED_MEMORY_LIMIT) {
-      value = normalizeMemoryConfigValue(
-                getLong(JobConf.MAPREDUCE_JOB_MAP_MEMORY_MB_PROPERTY,
-                          DISABLED_MEMORY_LIMIT));
-    }
-    // In case that M/R 1.x applications use the old property name
-    if (value == DISABLED_MEMORY_LIMIT) {
-      value = normalizeMemoryConfigValue(
-                getLong(JobConf.MAPRED_JOB_MAP_MEMORY_MB_PROPERTY,
-                          DISABLED_MEMORY_LIMIT));
+    if (value < 0) {
+      return getLong(JobConf.MAPRED_JOB_MAP_MEMORY_MB_PROPERTY,
+          JobContext.DEFAULT_MAP_MEMORY_MB);
     }
     return value;
   }
@@ -1844,27 +1838,19 @@ public void setMemoryForMapTask(long mem) {
    * Get memory required to run a reduce task of the job, in MB.
    * 
    * If a value is specified in the configuration, it is returned.
-   * Else, it returns {@link #DISABLED_MEMORY_LIMIT}.
+   * Else, it returns {@link JobContext#DEFAULT_REDUCE_MEMORY_MB}.
    * <p/>
    * For backward compatibility, if the job configuration sets the
    * key {@link #MAPRED_TASK_MAXVMEM_PROPERTY} to a value different
    * from {@link #DISABLED_MEMORY_LIMIT}, that value will be used
    * after converting it from bytes to MB.
-   * @return memory required to run a reduce task of the job, in MB,
-   *          or {@link #DISABLED_MEMORY_LIMIT} if unset.
+   * @return memory required to run a reduce task of the job, in MB.
    */
   public long getMemoryForReduceTask() {
     long value = getDeprecatedMemoryValue();
-    if (value == DISABLED_MEMORY_LIMIT) {
-      value = normalizeMemoryConfigValue(
-                getLong(JobConf.MAPREDUCE_JOB_REDUCE_MEMORY_MB_PROPERTY,
-                        DISABLED_MEMORY_LIMIT));
-    }
-    // In case that M/R 1.x applications use the old property name
-    if (value == DISABLED_MEMORY_LIMIT) {
-      value = normalizeMemoryConfigValue(
-                getLong(JobConf.MAPRED_JOB_REDUCE_MEMORY_MB_PROPERTY,
-                        DISABLED_MEMORY_LIMIT));
+    if (value < 0) {
+      return getLong(JobConf.MAPRED_JOB_REDUCE_MEMORY_MB_PROPERTY,
+          JobContext.DEFAULT_REDUCE_MEMORY_MB);
     }
     return value;
   }
@@ -1876,8 +1862,7 @@ public long getMemoryForReduceTask() {
   private long getDeprecatedMemoryValue() {
     long oldValue = getLong(MAPRED_TASK_MAXVMEM_PROPERTY, 
         DISABLED_MEMORY_LIMIT);
-    oldValue = normalizeMemoryConfigValue(oldValue);
-    if (oldValue != DISABLED_MEMORY_LIMIT) {
+    if (oldValue > 0) {
       oldValue /= (1024*1024);
     }
     return oldValue;
@@ -1921,39 +1906,6 @@ public static long normalizeMemoryConfigValue(long val) {
     return val;
   }
 
-  /**
-   * Compute the number of slots required to run a single map task-attempt
-   * of this job.
-   * @param slotSizePerMap cluster-wide value of the amount of memory required
-   *                       to run a map-task
-   * @return the number of slots required to run a single map task-attempt
-   *          1 if memory parameters are disabled.
-   */
-  int computeNumSlotsPerMap(long slotSizePerMap) {
-    if ((slotSizePerMap==DISABLED_MEMORY_LIMIT) ||
-        (getMemoryForMapTask()==DISABLED_MEMORY_LIMIT)) {
-      return 1;
-    }
-    return (int)(Math.ceil((float)getMemoryForMapTask() / (float)slotSizePerMap));
-  }
-  
-  /**
-   * Compute the number of slots required to run a single reduce task-attempt
-   * of this job.
-   * @param slotSizePerReduce cluster-wide value of the amount of memory 
-   *                          required to run a reduce-task
-   * @return the number of slots required to run a single reduce task-attempt
-   *          1 if memory parameters are disabled
-   */
-  int computeNumSlotsPerReduce(long slotSizePerReduce) {
-    if ((slotSizePerReduce==DISABLED_MEMORY_LIMIT) ||
-        (getMemoryForReduceTask()==DISABLED_MEMORY_LIMIT)) {
-      return 1;
-    }
-    return 
-    (int)(Math.ceil((float)getMemoryForReduceTask() / (float)slotSizePerReduce));
-  }
-
   /** 
    * Find a jar that contains a class of the same name, if any.
    * It will return a jar file, even if that is not the first thing
@@ -1975,14 +1927,12 @@ public static String findContainingJar(Class my_class) {
    * set for map and reduce tasks of a job, in MB. 
    * <p/>
    * For backward compatibility, if the job configuration sets the
-   * key {@link #MAPRED_TASK_MAXVMEM_PROPERTY} to a value different
-   * from {@link #DISABLED_MEMORY_LIMIT}, that value is returned. 
+   * key {@link #MAPRED_TASK_MAXVMEM_PROPERTY}, that value is returned. 
    * Otherwise, this method will return the larger of the values returned by 
    * {@link #getMemoryForMapTask()} and {@link #getMemoryForReduceTask()}
    * after converting them into bytes.
    *
-   * @return Memory required to run a task of this job, in bytes,
-   *          or {@link #DISABLED_MEMORY_LIMIT}, if unset.
+   * @return Memory required to run a task of this job, in bytes.
    * @see #setMaxVirtualMemoryForTask(long)
    * @deprecated Use {@link #getMemoryForMapTask()} and
    *             {@link #getMemoryForReduceTask()}
@@ -1993,15 +1943,8 @@ public long getMaxVirtualMemoryForTask() {
       "getMaxVirtualMemoryForTask() is deprecated. " +
       "Instead use getMemoryForMapTask() and getMemoryForReduceTask()");
 
-    long value = getLong(MAPRED_TASK_MAXVMEM_PROPERTY, DISABLED_MEMORY_LIMIT);
-    value = normalizeMemoryConfigValue(value);
-    if (value == DISABLED_MEMORY_LIMIT) {
-      value = Math.max(getMemoryForMapTask(), getMemoryForReduceTask());
-      value = normalizeMemoryConfigValue(value);
-      if (value != DISABLED_MEMORY_LIMIT) {
-        value *= 1024*1024;
-      }
-    }
+    long value = getLong(MAPRED_TASK_MAXVMEM_PROPERTY,
+        Math.max(getMemoryForMapTask(), getMemoryForReduceTask()) * 1024 * 1024);
     return value;
   }
 
@@ -2027,9 +1970,8 @@ public long getMaxVirtualMemoryForTask() {
   public void setMaxVirtualMemoryForTask(long vmem) {
     LOG.warn("setMaxVirtualMemoryForTask() is deprecated."+
       "Instead use setMemoryForMapTask() and setMemoryForReduceTask()");
-    if(vmem != DISABLED_MEMORY_LIMIT && vmem < 0) {
-      setMemoryForMapTask(DISABLED_MEMORY_LIMIT);
-      setMemoryForReduceTask(DISABLED_MEMORY_LIMIT);
+    if (vmem < 0) {
+      throw new IllegalArgumentException("Task memory allocation may not be < 0");
     }
 
     if(get(JobConf.MAPRED_TASK_MAXVMEM_PROPERTY) == null) {
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/util/ConfigUtil.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/util/ConfigUtil.java
index 5a38da8749f..450f3664355 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/util/ConfigUtil.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/util/ConfigUtil.java
@@ -278,6 +278,8 @@ private static void addDeprecatedKeys()  {
         MRJobConfig.TASK_DEBUGOUT_LINES),
       new DeprecationDelta("mapred.merge.recordsBeforeProgress",
         MRJobConfig.RECORDS_BEFORE_PROGRESS),
+      new DeprecationDelta("mapred.merge.recordsBeforeProgress",
+        MRJobConfig.COMBINE_RECORDS_BEFORE_PROGRESS),
       new DeprecationDelta("mapred.skip.attempts.to.start.skipping",
         MRJobConfig.SKIP_START_ATTEMPTS),
       new DeprecationDelta("mapred.task.id",
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
index 802ffa1759f..703a1039569 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml
@@ -185,11 +185,42 @@
   </description>
 </property>
 
+<property>
+  <name>mapreduce.map.memory.mb</name>
+  <value>1024</value>
+  <description>The amount of memory to request from the scheduler for each
+  map task.
+  </description>
+</property>
+
+<property>
+  <name>mapreduce.map.cpu.vcores</name>
+  <value>1</value>
+  <description>The number of virtual cores to request from the scheduler for
+  each map task.
+  </description>
+</property>
+
+<property>
+  <name>mapreduce.reduce.memory.mb</name>
+  <value>1024</value>
+  <description>The amount of memory to request from the scheduler for each
+  reduce task.
+  </description>
+</property>
+
+<property>
+  <name>mapreduce.reduce.cpu.vcores</name>
+  <value>1</value>
+  <description>The number of virtual cores to request from the scheduler for
+  each reduce task.
+  </description>
+</property>
 
 <property>
   <name>mapred.child.java.opts</name>
   <value>-Xmx200m</value>
-  <description>Java opts for the task tracker child processes.  
+  <description>Java opts for the task processes.
   The following symbol, if present, will be interpolated: @taskid@ is replaced 
   by current TaskID. Any other occurrences of '@' will go unchanged.
   For example, to enable verbose gc logging to a file named for the taskid in
@@ -203,17 +234,55 @@
   </description>
 </property>
 
+<!-- This is commented out so that it won't override mapred.child.java.opts.
+<property>
+  <name>mapreduce.map.java.opts</name>
+  <value></value>
+  <description>Java opts only for the child processes that are maps. If set,
+  this will be used instead of mapred.child.java.opts.
+  </description>
+</property>
+-->
+
+<!-- This is commented out so that it won't override mapred.child.java.opts.
+<property>
+  <name>mapreduce.reduce.java.opts</name>
+  <value></value>
+  <description>Java opts only for the child processes that are reduces. If set,
+  this will be used instead of mapred.child.java.opts.
+  </description>
+</property>
+-->
+
 <property>
   <name>mapred.child.env</name>
   <value></value>
-  <description>User added environment variables for the task tracker child 
-  processes. Example :
+  <description>User added environment variables for the task processes.
+  Example :
   1) A=foo  This will set the env variable A to foo
   2) B=$B:c This is inherit nodemanager's B env variable on Unix.
   3) B=%B%;c This is inherit nodemanager's B env variable on Windows.
   </description>
 </property>
 
+<!-- This is commented out so that it won't override mapred.child.env.
+<property>
+  <name>mapreduce.map.env</name>
+  <value></value>
+  <description>User added environment variables for the map task processes.
+  </description>
+</property>
+-->
+
+<!-- This is commented out so that it won't override mapred.child.env.
+<property>
+  <name>mapreduce.reduce.env</name>
+  <value></value>
+  <description>User added environment variables for the reduce task processes.
+  </description>
+</property>
+-->
+
 <property>
   <name>mapreduce.admin.user.env</name>
   <value></value>
@@ -490,6 +559,12 @@
   </description>
 </property>
 
+<property>
+  <name>mapreduce.input.lineinputformat.linespermap</name>
+  <value>1</value>
+  <description>When using NLineInputFormat, the number of lines of input data
+  to include in each split.</description>
+</property>
 
 
 <property>
@@ -923,6 +998,14 @@
   </description>
 </property>
 
+<property>
+  <name>mapreduce.task.combine.progress.records</name>
+  <value>10000</value>
+  <description> The number of records to process during combine output collection
+   before sending a progress notification.
+  </description>
+</property>
+
 <property>
   <name>mapreduce.job.reduce.slowstart.completedmaps</name>
   <value>0.05</value>
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapred/TestJobConf.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapred/TestJobConf.java
index f4327459e66..3d924e1f72d 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapred/TestJobConf.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapred/TestJobConf.java
@@ -140,18 +140,21 @@ public void testJobConf() {
     conf.setQueueName("qname");
     assertEquals("qname", conf.getQueueName());
 
-    assertEquals(1, conf.computeNumSlotsPerMap(100L));
-    assertEquals(1, conf.computeNumSlotsPerReduce(100L));
-
     conf.setMemoryForMapTask(100 * 1000);
-    assertEquals(1000, conf.computeNumSlotsPerMap(100L));
+    assertEquals(100 * 1000, conf.getMemoryForMapTask());
     conf.setMemoryForReduceTask(1000 * 1000);
-    assertEquals(1000, conf.computeNumSlotsPerReduce(1000L));
+    assertEquals(1000 * 1000, conf.getMemoryForReduceTask());
 
     assertEquals(-1, conf.getMaxPhysicalMemoryForTask());
     assertEquals("The variable key is no longer used.",
         JobConf.deprecatedString("key"));
-
+    
+    // make sure mapreduce.map|reduce.java.opts are not set by default
+    // so that they won't override mapred.child.java.opts
+    assertEquals("mapreduce.map.java.opts should not be set by default",
+        null, conf.get(JobConf.MAPRED_MAP_TASK_JAVA_OPTS));
+    assertEquals("mapreduce.reduce.java.opts should not be set by default",
+        null, conf.get(JobConf.MAPRED_REDUCE_TASK_JAVA_OPTS));
   }
 
   /**
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/conf/TestJobConf.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/conf/TestJobConf.java
index b69f450ed35..e380d9200cf 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/conf/TestJobConf.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/conf/TestJobConf.java
@@ -108,6 +108,11 @@ public void testNegativeValueForTaskVmem() {
     JobConf configuration = new JobConf();
     
     configuration.set(JobConf.MAPRED_TASK_MAXVMEM_PROPERTY, "-3");
+    Assert.assertEquals(MRJobConfig.DEFAULT_MAP_MEMORY_MB,
+        configuration.getMemoryForMapTask());
+    Assert.assertEquals(MRJobConfig.DEFAULT_REDUCE_MEMORY_MB,
+        configuration.getMemoryForReduceTask());
+    
     configuration.set(MRJobConfig.MAP_MEMORY_MB, "4");
     configuration.set(MRJobConfig.REDUCE_MEMORY_MB, "5");
     Assert.assertEquals(4, configuration.getMemoryForMapTask());
@@ -116,23 +121,16 @@ public void testNegativeValueForTaskVmem() {
   }
   
   /**
-   * Test that negative values for all memory configuration properties causes
-   * APIs to disable memory limits
+   * Test that negative values for new configuration keys get passed through.
    */
   @Test
   public void testNegativeValuesForMemoryParams() {
     JobConf configuration = new JobConf();
-    
-    configuration.set(JobConf.MAPRED_TASK_MAXVMEM_PROPERTY, "-4");
+        
     configuration.set(MRJobConfig.MAP_MEMORY_MB, "-5");
     configuration.set(MRJobConfig.REDUCE_MEMORY_MB, "-6");
-    
-    Assert.assertEquals(JobConf.DISABLED_MEMORY_LIMIT,
-                        configuration.getMemoryForMapTask());
-    Assert.assertEquals(JobConf.DISABLED_MEMORY_LIMIT,
-                        configuration.getMemoryForReduceTask());
-    Assert.assertEquals(JobConf.DISABLED_MEMORY_LIMIT,
-                        configuration.getMaxVirtualMemoryForTask());
+    Assert.assertEquals(-5, configuration.getMemoryForMapTask());
+    Assert.assertEquals(-6, configuration.getMemoryForReduceTask());
   }
   
   /**
diff --git a/hadoop-tools/hadoop-gridmix/src/test/java/org/apache/hadoop/mapred/gridmix/TestHighRamJob.java b/hadoop-tools/hadoop-gridmix/src/test/java/org/apache/hadoop/mapred/gridmix/TestHighRamJob.java
index 5523d731b50..9cc84ea6d73 100644
--- a/hadoop-tools/hadoop-gridmix/src/test/java/org/apache/hadoop/mapred/gridmix/TestHighRamJob.java
+++ b/hadoop-tools/hadoop-gridmix/src/test/java/org/apache/hadoop/mapred/gridmix/TestHighRamJob.java
@@ -97,10 +97,10 @@ private static void testHighRamConfig(long jobMapMB, long jobReduceMB,
     // check if the high ram properties are not set
     assertEquals(expectedMapMB, 
                  simulatedConf.getLong(MRJobConfig.MAP_MEMORY_MB,
-                                       JobConf.DISABLED_MEMORY_LIMIT));
+                                       MRJobConfig.DEFAULT_MAP_MEMORY_MB));
     assertEquals(expectedReduceMB, 
                  simulatedConf.getLong(MRJobConfig.REDUCE_MEMORY_MB, 
-                                       JobConf.DISABLED_MEMORY_LIMIT));
+                                       MRJobConfig.DEFAULT_MAP_MEMORY_MB));
   }
   
   /**
@@ -114,10 +114,10 @@ public void testHighRamFeatureEmulation() throws IOException {
     
     // test : check high ram emulation disabled
     gridmixConf.setBoolean(GridmixJob.GRIDMIX_HIGHRAM_EMULATION_ENABLE, false);
-    testHighRamConfig(10, 20, 5, 10, JobConf.DISABLED_MEMORY_LIMIT, 
-                      JobConf.DISABLED_MEMORY_LIMIT, 
-                      JobConf.DISABLED_MEMORY_LIMIT, 
-                      JobConf.DISABLED_MEMORY_LIMIT, gridmixConf);
+    testHighRamConfig(10, 20, 5, 10, MRJobConfig.DEFAULT_MAP_MEMORY_MB, 
+                      MRJobConfig.DEFAULT_REDUCE_MEMORY_MB, 
+                      MRJobConfig.DEFAULT_MAP_MEMORY_MB, 
+                      MRJobConfig.DEFAULT_REDUCE_MEMORY_MB, gridmixConf);
     
     // test : check with high ram enabled (default) and no scaling
     gridmixConf = new Configuration();

From 7be28083472ee83d396a075c99ce5c59d29ec3f6 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 21 Aug 2014 23:58:25 +0000
Subject: [PATCH 287/354] HADOOP-8896. Javadoc points to Wrong Reader and
 Writer classes in SequenceFile (Ray Chiang via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619632 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt          | 3 +++
 .../src/main/java/org/apache/hadoop/io/SequenceFile.java | 9 +++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index c880e1167dd..655df79264c 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -507,6 +507,9 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-10698. KMS, add proxyuser support. (tucu)
 
+    HADOOP-8896. Javadoc points to Wrong Reader and Writer classes 
+    in SequenceFile (Ray Chiang via aw)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/SequenceFile.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/SequenceFile.java
index 0c5f31534ad..4cda1077482 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/SequenceFile.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/SequenceFile.java
@@ -53,8 +53,9 @@
  * <code>SequenceFile</code>s are flat files consisting of binary key/value 
  * pairs.
  * 
- * <p><code>SequenceFile</code> provides {@link Writer}, {@link Reader} and
- * {@link Sorter} classes for writing, reading and sorting respectively.</p>
+ * <p><code>SequenceFile</code> provides {@link SequenceFile.Writer},
+ * {@link SequenceFile.Reader} and {@link Sorter} classes for writing,
+ * reading and sorting respectively.</p>
  * 
  * There are three <code>SequenceFile</code> <code>Writer</code>s based on the 
  * {@link CompressionType} used to compress key/value pairs:
@@ -79,8 +80,8 @@
  * <p>The recommended way is to use the static <tt>createWriter</tt> methods
  * provided by the <code>SequenceFile</code> to chose the preferred format.</p>
  *
- * <p>The {@link Reader} acts as the bridge and can read any of the above 
- * <code>SequenceFile</code> formats.</p>
+ * <p>The {@link SequenceFile.Reader} acts as the bridge and can read any of the
+ * above <code>SequenceFile</code> formats.</p>
  *
  * <h4 id="Formats">SequenceFile Formats</h4>
  * 

From b6c24472f31c1509699b5b4d0c0f9fb5db69a49a Mon Sep 17 00:00:00 2001
From: Chris Nauroth <cnauroth@apache.org>
Date: Fri, 22 Aug 2014 04:05:18 +0000
Subject: [PATCH 288/354] HADOOP-10989. Work around buggy getgrouplist()
 implementations on Linux that return 0 on failure. Contributed by Chris
 Nauroth.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619659 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt        |  3 +++
 .../src/org/apache/hadoop/security/hadoop_user_info.c  | 10 ++++++++++
 2 files changed, 13 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 655df79264c..52fc3e0eec7 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -686,6 +686,9 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-10488. TestKeyProviderFactory fails randomly. (tucu)
 
+    HADOOP-10989. Work around buggy getgrouplist() implementations on Linux that
+    return 0 on failure. (cnauroth)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/security/hadoop_user_info.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/security/hadoop_user_info.c
index ca288ec7da2..e2438b1b06c 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/security/hadoop_user_info.c
+++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/security/hadoop_user_info.c
@@ -193,7 +193,17 @@ int hadoop_user_info_getgroups(struct hadoop_user_info *uinfo)
   ngroups = uinfo->gids_size;
   ret = getgrouplist(uinfo->pwd.pw_name, uinfo->pwd.pw_gid, 
                          uinfo->gids, &ngroups);
+  // Return value is different on Linux vs. FreeBSD.  Linux: the number of groups
+  // or -1 on error.  FreeBSD: 0 on success or -1 on error.  Unfortunately, we
+  // can't accept a 0 return on Linux, because buggy implementations have been
+  // observed to return 0 but leave the other out parameters in an indeterminate
+  // state.  This deviates from the man page, but it has been observed in
+  // practice.  See issue HADOOP-10989 for details.
+#ifdef __linux__
+  if (ret > 0) {
+#else
   if (ret >= 0) {
+#endif
     uinfo->num_gids = ngroups;
     ret = put_primary_gid_first(uinfo);
     if (ret) {

From 3aa3b0abc2a6994cde428ae73183561e40bfc96c Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Fri, 22 Aug 2014 05:17:22 +0000
Subject: [PATCH 289/354]  HDF-6905. fs-encryption merge triggered release
 audit failures. (clamb via tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619667 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt     |  2 ++
 .../hdfs/protocol/EncryptionZoneWithId.java     | 17 +++++++++++++++++
 .../namenode/EncryptionFaultInjector.java       | 17 +++++++++++++++++
 .../server/namenode/EncryptionZoneManager.java  | 17 +++++++++++++++++
 4 files changed, 53 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 5776f892b5c..8ff94827dad 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -346,6 +346,8 @@ Trunk (Unreleased)
 
     HDFS-6839. Fix TestCLI to expect new output. (clamb)
 
+    HDFS-6905. fs-encryption merge triggered release audit failures. (clamb via tucu)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithId.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithId.java
index 7ed4884bbd5..e7fd2aefd95 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithId.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/EncryptionZoneWithId.java
@@ -1,3 +1,20 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.hadoop.hdfs.protocol;
 
 import org.apache.commons.lang.builder.HashCodeBuilder;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionFaultInjector.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionFaultInjector.java
index 2e65a892046..27d8f501d1a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionFaultInjector.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionFaultInjector.java
@@ -1,3 +1,20 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.hadoop.hdfs.server.namenode;
 
 import java.io.IOException;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
index e45d540386f..a0e1f0ccac2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@@ -1,3 +1,20 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.hadoop.hdfs.server.namenode;
 
 import java.io.IOException;

From 0097b15e2150f95745f64179a0ef4644e96128f5 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Fri, 22 Aug 2014 15:44:47 +0000
Subject: [PATCH 290/354] YARN-2393. FairScheduler: Add the notion of steady
 fair share. (Wei Yan via kasha)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619845 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../scheduler/fair/FSAppAttempt.java          |   6 -
 .../scheduler/fair/FSParentQueue.java         |  11 +-
 .../scheduler/fair/FSQueue.java               |  19 ++-
 .../scheduler/fair/FSQueueMetrics.java        |  17 ++-
 .../scheduler/fair/FairScheduler.java         |   4 +
 .../scheduler/fair/QueueManager.java          |  10 +-
 .../scheduler/fair/Schedulable.java           |   7 -
 .../scheduler/fair/SchedulingPolicy.java      |  27 +++-
 .../fair/policies/ComputeFairShares.java      |  34 ++++-
 .../DominantResourceFairnessPolicy.java       |   9 ++
 .../fair/policies/FairSharePolicy.java        |   8 +
 .../scheduler/fair/policies/FifoPolicy.java   |   8 +
 .../scheduler/fair/FakeSchedulable.java       |   5 -
 .../scheduler/fair/TestFairScheduler.java     | 139 +++++++++++++++++-
 .../fair/TestFairSchedulerFairShare.java      |  68 ++++++++-
 16 files changed, 328 insertions(+), 47 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index df0a29dadbd..5b61b4146c1 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -55,6 +55,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2174. Enable HTTPs for the writer REST API of TimelineServer.
     (Zhijie Shen via jianhe)
 
+    YARN-2393. FairScheduler: Add the notion of steady fair share. 
+    (Wei Yan via kasha)
+
   IMPROVEMENTS
 
     YARN-2197. Add a link to YARN CHANGES.txt in the left side of doc
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSAppAttempt.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSAppAttempt.java
index eb6f6413893..bf543768f8c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSAppAttempt.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSAppAttempt.java
@@ -717,12 +717,6 @@ public void setFairShare(Resource fairShare) {
     this.fairShare = fairShare;
   }
 
-  @Override
-  public boolean isActive() {
-    return true;
-  }
-
-
   @Override
   public void updateDemand() {
     demand = Resources.createResource(0);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java
index 9af72a511e0..26a706c7f03 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java
@@ -35,7 +35,6 @@
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
 import org.apache.hadoop.yarn.util.resource.Resources;
-import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ActiveUsersManager;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerApplicationAttempt;
 
@@ -68,6 +67,16 @@ public void recomputeShares() {
     }
   }
 
+  public void recomputeSteadyShares() {
+    policy.computeSteadyShares(childQueues, getSteadyFairShare());
+    for (FSQueue childQueue : childQueues) {
+      childQueue.getMetrics().setSteadyFairShare(childQueue.getSteadyFairShare());
+      if (childQueue instanceof FSParentQueue) {
+        ((FSParentQueue) childQueue).recomputeSteadyShares();
+      }
+    }
+  }
+
   @Override
   public Resource getDemand() {
     return demand;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
index c071c73321d..00f0795e1da 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
@@ -41,6 +41,7 @@
 @Unstable
 public abstract class FSQueue implements Queue, Schedulable {
   private Resource fairShare = Resources.createResource(0, 0);
+  private Resource steadyFairShare = Resources.createResource(0, 0);
   private final String name;
   protected final FairScheduler scheduler;
   private final FSQueueMetrics metrics;
@@ -151,7 +152,17 @@ public void setFairShare(Resource fairShare) {
     this.fairShare = fairShare;
     metrics.setFairShare(fairShare);
   }
-  
+
+  /** Get the steady fair share assigned to this Schedulable. */
+  public Resource getSteadyFairShare() {
+    return steadyFairShare;
+  }
+
+  public void setSteadyFairShare(Resource steadyFairShare) {
+    this.steadyFairShare = steadyFairShare;
+    metrics.setSteadyFairShare(steadyFairShare);
+  }
+
   public boolean hasAccess(QueueACL acl, UserGroupInformation user) {
     return scheduler.getAllocationConfiguration().hasAccess(name, acl, user);
   }
@@ -161,7 +172,7 @@ public boolean hasAccess(QueueACL acl, UserGroupInformation user) {
    * queue's current share
    */
   public abstract void recomputeShares();
-  
+
   /**
    * Gets the children of this queue, if any.
    */
@@ -194,7 +205,9 @@ protected boolean assignContainerPreCheck(FSSchedulerNode node) {
     return true;
   }
 
-  @Override
+  /**
+   * Returns true if queue has at least one app running.
+   */
   public boolean isActive() {
     return getNumRunnableApps() > 0;
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueueMetrics.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueueMetrics.java
index ff0956e5f74..82c422b8207 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueueMetrics.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueueMetrics.java
@@ -33,6 +33,8 @@ public class FSQueueMetrics extends QueueMetrics {
 
   @Metric("Fair share of memory in MB") MutableGaugeInt fairShareMB;
   @Metric("Fair share of CPU in vcores") MutableGaugeInt fairShareVCores;
+  @Metric("Steady fair share of memory in MB") MutableGaugeInt steadyFairShareMB;
+  @Metric("Steady fair share of CPU in vcores") MutableGaugeInt steadyFairShareVCores;
   @Metric("Minimum share of memory in MB") MutableGaugeInt minShareMB;
   @Metric("Minimum share of CPU in vcores") MutableGaugeInt minShareVCores;
   @Metric("Maximum share of memory in MB") MutableGaugeInt maxShareMB;
@@ -55,7 +57,20 @@ public int getFairShareMB() {
   public int getFairShareVirtualCores() {
     return fairShareVCores.value();
   }
-  
+
+  public void setSteadyFairShare(Resource resource) {
+    steadyFairShareMB.set(resource.getMemory());
+    steadyFairShareVCores.set(resource.getVirtualCores());
+  }
+
+  public int getSteadyFairShareMB() {
+    return steadyFairShareMB.value();
+  }
+
+  public int getSteadyFairShareVCores() {
+    return steadyFairShareVCores.value();
+  }
+
   public void setMinShare(Resource resource) {
     minShareMB.set(resource.getMemory());
     minShareVCores.set(resource.getVirtualCores());
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
index 0fcbad670e5..40c72a621e7 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
@@ -851,6 +851,8 @@ private synchronized void addNode(RMNode node) {
     Resources.addTo(clusterResource, node.getTotalCapability());
     updateRootQueueMetrics();
 
+    queueMgr.getRootQueue().setSteadyFairShare(clusterResource);
+    queueMgr.getRootQueue().recomputeSteadyShares();
     LOG.info("Added node " + node.getNodeAddress() +
         " cluster capacity: " + clusterResource);
   }
@@ -885,6 +887,8 @@ private synchronized void removeNode(RMNode rmNode) {
     }
 
     nodes.remove(rmNode.getNodeID());
+    queueMgr.getRootQueue().setSteadyFairShare(clusterResource);
+    queueMgr.getRootQueue().recomputeSteadyShares();
     LOG.info("Removed node " + rmNode.getNodeAddress() +
         " cluster capacity: " + clusterResource);
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/QueueManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/QueueManager.java
index 4f8735bbf03..490ba686598 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/QueueManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/QueueManager.java
@@ -118,6 +118,11 @@ private FSQueue getQueue(String name, boolean create, FSQueueType queueType) {
       if (queue == null && create) {
         // if the queue doesn't exist,create it and return
         queue = createQueue(name, queueType);
+
+        // Update steady fair share for all queues
+        if (queue != null) {
+          rootQueue.recomputeSteadyShares();
+        }
       }
       return queue;
     }
@@ -190,7 +195,7 @@ private FSQueue createQueue(String name, FSQueueType queueType) {
         parent = newParent;
       }
     }
-    
+
     return parent;
   }
 
@@ -376,5 +381,8 @@ public void updateAllocationConfiguration(AllocationConfiguration queueConf) {
             + queue.getName(), ex);
       }
     }
+
+    // Update steady fair shares for all queues
+    rootQueue.recomputeSteadyShares();
   }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java
index 122b986defc..289887f63c5 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/Schedulable.java
@@ -24,7 +24,6 @@
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.server.resourcemanager.resource.ResourceWeights;
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
-import org.apache.hadoop.yarn.util.resource.Resources;
 
 /**
  * A Schedulable represents an entity that can be scheduled such as an
@@ -102,10 +101,4 @@ public interface Schedulable {
 
   /** Assign a fair share to this Schedulable. */
   public void setFairShare(Resource fairShare);
-
-  /**
-   * Returns true if queue has atleast one app running. Always returns true for
-   * AppSchedulables.
-   */
-  public boolean isActive();
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/SchedulingPolicy.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/SchedulingPolicy.java
index 1087c73aa19..ca006c580ed 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/SchedulingPolicy.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/SchedulingPolicy.java
@@ -17,10 +17,6 @@
  */
 package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair;
 
-import java.util.Collection;
-import java.util.Comparator;
-import java.util.concurrent.ConcurrentHashMap;
-
 import org.apache.hadoop.classification.InterfaceAudience.Public;
 import org.apache.hadoop.classification.InterfaceStability.Evolving;
 import org.apache.hadoop.util.ReflectionUtils;
@@ -29,6 +25,10 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.policies.FairSharePolicy;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.policies.FifoPolicy;
 
+import java.util.Collection;
+import java.util.Comparator;
+import java.util.concurrent.ConcurrentHashMap;
+
 @Public
 @Evolving
 public abstract class SchedulingPolicy {
@@ -131,8 +131,10 @@ public static boolean isApplicableTo(SchedulingPolicy policy, byte depth) {
   public abstract Comparator<Schedulable> getComparator();
 
   /**
-   * Computes and updates the shares of {@link Schedulable}s as per the
-   * {@link SchedulingPolicy}, to be used later at schedule time.
+   * Computes and updates the shares of {@link Schedulable}s as per
+   * the {@link SchedulingPolicy}, to be used later for scheduling decisions.
+   * The shares computed are instantaneous and only consider queues with
+   * running applications.
    * 
    * @param schedulables {@link Schedulable}s whose shares are to be updated
    * @param totalResources Total {@link Resource}s in the cluster
@@ -140,6 +142,19 @@ public static boolean isApplicableTo(SchedulingPolicy policy, byte depth) {
   public abstract void computeShares(
       Collection<? extends Schedulable> schedulables, Resource totalResources);
 
+  /**
+   * Computes and updates the steady shares of {@link FSQueue}s as per the
+   * {@link SchedulingPolicy}. The steady share does not differentiate
+   * between queues with and without running applications under them. The
+   * steady share is not used for scheduling, it is displayed on the Web UI
+   * for better visibility.
+   *
+   * @param queues {@link FSQueue}s whose shares are to be updated
+   * @param totalResources Total {@link Resource}s in the cluster
+   */
+  public abstract void computeSteadyShares(
+      Collection<? extends FSQueue> queues, Resource totalResources);
+
   /**
    * Check if the resource usage is over the fair share under this policy
    *
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/ComputeFairShares.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/ComputeFairShares.java
index 6363ec0218c..6836758019b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/ComputeFairShares.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/ComputeFairShares.java
@@ -22,6 +22,7 @@
 
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.server.resourcemanager.resource.ResourceType;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSQueue;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.Schedulable;
 
 /**
@@ -49,14 +50,29 @@ public static void computeShares(
       ResourceType type) {
     Collection<Schedulable> activeSchedulables = new ArrayList<Schedulable>();
     for (Schedulable sched : schedulables) {
-      if (sched.isActive()) {
-        activeSchedulables.add(sched);
-      } else {
+      if ((sched instanceof FSQueue) && !((FSQueue) sched).isActive()) {
         setResourceValue(0, sched.getFairShare(), type);
+      } else {
+        activeSchedulables.add(sched);
       }
     }
 
-    computeSharesInternal(activeSchedulables, totalResources, type);
+    computeSharesInternal(activeSchedulables, totalResources, type, false);
+  }
+
+  /**
+   * Compute the steady fair share of the given queues. The steady fair
+   * share is an allocation of shares considering all queues, i.e.,
+   * active and inactive.
+   *
+   * @param queues
+   * @param totalResources
+   * @param type
+   */
+  public static void computeSteadyShares(
+      Collection<? extends FSQueue> queues, Resource totalResources,
+      ResourceType type) {
+    computeSharesInternal(queues, totalResources, type, true);
   }
 
   /**
@@ -102,7 +118,7 @@ public static void computeShares(
    */
   private static void computeSharesInternal(
       Collection<? extends Schedulable> schedulables, Resource totalResources,
-      ResourceType type) {
+      ResourceType type, boolean isSteadyShare) {
     if (schedulables.isEmpty()) {
       return;
     }
@@ -145,7 +161,13 @@ private static void computeSharesInternal(
     }
     // Set the fair shares based on the value of R we've converged to
     for (Schedulable sched : schedulables) {
-      setResourceValue(computeShare(sched, right, type), sched.getFairShare(), type);
+      if (isSteadyShare) {
+        setResourceValue(computeShare(sched, right, type),
+            ((FSQueue) sched).getSteadyFairShare(), type);
+      } else {
+        setResourceValue(
+            computeShare(sched, right, type), sched.getFairShare(), type);
+      }
     }
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/DominantResourceFairnessPolicy.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/DominantResourceFairnessPolicy.java
index af674b96056..42044bcaac1 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/DominantResourceFairnessPolicy.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/DominantResourceFairnessPolicy.java
@@ -26,6 +26,7 @@
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.server.resourcemanager.resource.ResourceType;
 import org.apache.hadoop.yarn.server.resourcemanager.resource.ResourceWeights;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSQueue;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.Schedulable;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.SchedulingPolicy;
 import org.apache.hadoop.yarn.util.resource.Resources;
@@ -68,6 +69,14 @@ public void computeShares(Collection<? extends Schedulable> schedulables,
       ComputeFairShares.computeShares(schedulables, totalResources, type);
     }
   }
+
+  @Override
+  public void computeSteadyShares(Collection<? extends FSQueue> queues,
+      Resource totalResources) {
+    for (ResourceType type : ResourceType.values()) {
+      ComputeFairShares.computeSteadyShares(queues, totalResources, type);
+    }
+  }
   
   @Override
   public boolean checkIfUsageOverFairShare(Resource usage, Resource fairShare) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/FairSharePolicy.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/FairSharePolicy.java
index c51852fa9d6..66bb88bf16c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/FairSharePolicy.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/FairSharePolicy.java
@@ -25,6 +25,7 @@
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.server.resourcemanager.resource.ResourceType;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSQueue;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.Schedulable;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.SchedulingPolicy;
 import org.apache.hadoop.yarn.util.resource.DefaultResourceCalculator;
@@ -119,6 +120,13 @@ public void computeShares(Collection<? extends Schedulable> schedulables,
     ComputeFairShares.computeShares(schedulables, totalResources, ResourceType.MEMORY);
   }
 
+  @Override
+  public void computeSteadyShares(Collection<? extends FSQueue> queues,
+      Resource totalResources) {
+    ComputeFairShares.computeSteadyShares(queues, totalResources,
+        ResourceType.MEMORY);
+  }
+
   @Override
   public boolean checkIfUsageOverFairShare(Resource usage, Resource fairShare) {
     return Resources.greaterThan(RESOURCE_CALCULATOR, null, usage, fairShare);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/FifoPolicy.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/FifoPolicy.java
index 0f4309759d4..591ee4936b9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/FifoPolicy.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/policies/FifoPolicy.java
@@ -24,6 +24,7 @@
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSQueue;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.Schedulable;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.SchedulingPolicy;
 import org.apache.hadoop.yarn.util.resource.Resources;
@@ -87,6 +88,13 @@ public void computeShares(Collection<? extends Schedulable> schedulables,
     earliest.setFairShare(Resources.clone(totalResources));
   }
 
+  @Override
+  public void computeSteadyShares(Collection<? extends FSQueue> queues,
+      Resource totalResources) {
+    // Nothing needs to do, as leaf queue doesn't have to calculate steady
+    // fair shares for applications.
+  }
+
   @Override
   public boolean checkIfUsageOverFairShare(Resource usage, Resource fairShare) {
     throw new UnsupportedOperationException(
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FakeSchedulable.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FakeSchedulable.java
index 5bd52ab7a07..5a170cf2c5a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FakeSchedulable.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FakeSchedulable.java
@@ -100,11 +100,6 @@ public void setFairShare(Resource fairShare) {
     this.fairShare = fairShare;
   }
 
-  @Override
-  public boolean isActive() {
-    return true;
-  }
-
   @Override
   public Resource getDemand() {
     return null;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
index a7b1738cda7..79e3184e79c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
@@ -292,14 +292,19 @@ public void testSimpleFairShareCalculation() throws IOException {
     createSchedulingRequest(10 * 1024, "root.default", "user1");
 
     scheduler.update();
+    scheduler.getQueueManager().getRootQueue()
+        .setSteadyFairShare(scheduler.getClusterResource());
+    scheduler.getQueueManager().getRootQueue().recomputeSteadyShares();
 
     Collection<FSLeafQueue> queues = scheduler.getQueueManager().getLeafQueues();
     assertEquals(3, queues.size());
     
-    // Divided three ways - betwen the two queues and the default queue
+    // Divided three ways - between the two queues and the default queue
     for (FSLeafQueue p : queues) {
       assertEquals(3414, p.getFairShare().getMemory());
       assertEquals(3414, p.getMetrics().getFairShareMB());
+      assertEquals(3414, p.getSteadyFairShare().getMemory());
+      assertEquals(3414, p.getMetrics().getSteadyFairShareMB());
     }
   }
   
@@ -323,6 +328,9 @@ public void testSimpleHierarchicalFairShareCalculation() throws IOException {
     createSchedulingRequest(10 * 1024, "root.default", "user1");
 
     scheduler.update();
+    scheduler.getQueueManager().getRootQueue()
+        .setSteadyFairShare(scheduler.getClusterResource());
+    scheduler.getQueueManager().getRootQueue().recomputeSteadyShares();
 
     QueueManager queueManager = scheduler.getQueueManager();
     Collection<FSLeafQueue> queues = queueManager.getLeafQueues();
@@ -333,10 +341,16 @@ public void testSimpleHierarchicalFairShareCalculation() throws IOException {
     FSLeafQueue queue3 = queueManager.getLeafQueue("parent.queue3", true);
     assertEquals(capacity / 2, queue1.getFairShare().getMemory());
     assertEquals(capacity / 2, queue1.getMetrics().getFairShareMB());
+    assertEquals(capacity / 2, queue1.getSteadyFairShare().getMemory());
+    assertEquals(capacity / 2, queue1.getMetrics().getSteadyFairShareMB());
     assertEquals(capacity / 4, queue2.getFairShare().getMemory());
     assertEquals(capacity / 4, queue2.getMetrics().getFairShareMB());
+    assertEquals(capacity / 4, queue2.getSteadyFairShare().getMemory());
+    assertEquals(capacity / 4, queue2.getMetrics().getSteadyFairShareMB());
     assertEquals(capacity / 4, queue3.getFairShare().getMemory());
     assertEquals(capacity / 4, queue3.getMetrics().getFairShareMB());
+    assertEquals(capacity / 4, queue3.getSteadyFairShare().getMemory());
+    assertEquals(capacity / 4, queue3.getMetrics().getSteadyFairShareMB());
   }
 
   @Test
@@ -771,6 +785,9 @@ public void testFairShareAndWeightsInNestedUserQueueRule() throws Exception {
     createSchedulingRequest(10 * 1024, "root.default", "user3");
 
     scheduler.update();
+    scheduler.getQueueManager().getRootQueue()
+        .setSteadyFairShare(scheduler.getClusterResource());
+    scheduler.getQueueManager().getRootQueue().recomputeSteadyShares();
 
     Collection<FSLeafQueue> leafQueues = scheduler.getQueueManager()
         .getLeafQueues();
@@ -780,12 +797,128 @@ public void testFairShareAndWeightsInNestedUserQueueRule() throws Exception {
           || leaf.getName().equals("root.parentq.user2")) {
         // assert that the fair share is 1/4th node1's capacity
         assertEquals(capacity / 4, leaf.getFairShare().getMemory());
+        // assert that the steady fair share is 1/4th node1's capacity
+        assertEquals(capacity / 4, leaf.getSteadyFairShare().getMemory());
         // assert weights are equal for both the user queues
         assertEquals(1.0, leaf.getWeights().getWeight(ResourceType.MEMORY), 0);
       }
     }
   }
-  
+
+  @Test
+  public void testSteadyFairShareWithReloadAndNodeAddRemove() throws Exception {
+    conf.set(FairSchedulerConfiguration.ALLOCATION_FILE, ALLOC_FILE);
+
+    PrintWriter out = new PrintWriter(new FileWriter(ALLOC_FILE));
+    out.println("<?xml version=\"1.0\"?>");
+    out.println("<allocations>");
+    out.println("<defaultQueueSchedulingPolicy>fair</defaultQueueSchedulingPolicy>");
+    out.println("<queue name=\"root\">");
+    out.println("  <schedulingPolicy>drf</schedulingPolicy>");
+    out.println("  <queue name=\"child1\">");
+    out.println("    <weight>1</weight>");
+    out.println("  </queue>");
+    out.println("  <queue name=\"child2\">");
+    out.println("    <weight>1</weight>");
+    out.println("  </queue>");
+    out.println("</queue>");
+    out.println("</allocations>");
+    out.close();
+
+    scheduler.init(conf);
+    scheduler.start();
+    scheduler.reinitialize(conf, resourceManager.getRMContext());
+
+    // The steady fair share for all queues should be 0
+    QueueManager queueManager = scheduler.getQueueManager();
+    assertEquals(0, queueManager.getLeafQueue("child1", false)
+        .getSteadyFairShare().getMemory());
+    assertEquals(0, queueManager.getLeafQueue("child2", false)
+        .getSteadyFairShare().getMemory());
+
+    // Add one node
+    RMNode node1 =
+        MockNodes
+            .newNodeInfo(1, Resources.createResource(6144), 1, "127.0.0.1");
+    NodeAddedSchedulerEvent nodeEvent1 = new NodeAddedSchedulerEvent(node1);
+    scheduler.handle(nodeEvent1);
+    assertEquals(6144, scheduler.getClusterResource().getMemory());
+
+    // The steady fair shares for all queues should be updated
+    assertEquals(2048, queueManager.getLeafQueue("child1", false)
+        .getSteadyFairShare().getMemory());
+    assertEquals(2048, queueManager.getLeafQueue("child2", false)
+        .getSteadyFairShare().getMemory());
+
+    // Reload the allocation configuration file
+    out = new PrintWriter(new FileWriter(ALLOC_FILE));
+    out.println("<?xml version=\"1.0\"?>");
+    out.println("<allocations>");
+    out.println("<defaultQueueSchedulingPolicy>fair</defaultQueueSchedulingPolicy>");
+    out.println("<queue name=\"root\">");
+    out.println("  <schedulingPolicy>drf</schedulingPolicy>");
+    out.println("  <queue name=\"child1\">");
+    out.println("    <weight>1</weight>");
+    out.println("  </queue>");
+    out.println("  <queue name=\"child2\">");
+    out.println("    <weight>2</weight>");
+    out.println("  </queue>");
+    out.println("  <queue name=\"child3\">");
+    out.println("    <weight>2</weight>");
+    out.println("  </queue>");
+    out.println("</queue>");
+    out.println("</allocations>");
+    out.close();
+    scheduler.reinitialize(conf, resourceManager.getRMContext());
+
+    // The steady fair shares for all queues should be updated
+    assertEquals(1024, queueManager.getLeafQueue("child1", false)
+        .getSteadyFairShare().getMemory());
+    assertEquals(2048, queueManager.getLeafQueue("child2", false)
+        .getSteadyFairShare().getMemory());
+    assertEquals(2048, queueManager.getLeafQueue("child3", false)
+        .getSteadyFairShare().getMemory());
+
+    // Remove the node, steady fair shares should back to 0
+    NodeRemovedSchedulerEvent nodeEvent2 = new NodeRemovedSchedulerEvent(node1);
+    scheduler.handle(nodeEvent2);
+    assertEquals(0, scheduler.getClusterResource().getMemory());
+    assertEquals(0, queueManager.getLeafQueue("child1", false)
+        .getSteadyFairShare().getMemory());
+    assertEquals(0, queueManager.getLeafQueue("child2", false)
+        .getSteadyFairShare().getMemory());
+  }
+
+  @Test
+  public void testSteadyFairShareWithQueueCreatedRuntime() throws Exception {
+    conf.setClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
+        SimpleGroupsMapping.class, GroupMappingServiceProvider.class);
+    conf.set(FairSchedulerConfiguration.USER_AS_DEFAULT_QUEUE, "true");
+    scheduler.init(conf);
+    scheduler.start();
+    scheduler.reinitialize(conf, resourceManager.getRMContext());
+
+    // Add one node
+    RMNode node1 =
+        MockNodes
+            .newNodeInfo(1, Resources.createResource(6144), 1, "127.0.0.1");
+    NodeAddedSchedulerEvent nodeEvent1 = new NodeAddedSchedulerEvent(node1);
+    scheduler.handle(nodeEvent1);
+    assertEquals(6144, scheduler.getClusterResource().getMemory());
+    assertEquals(6144, scheduler.getQueueManager().getRootQueue()
+        .getSteadyFairShare().getMemory());
+    assertEquals(6144, scheduler.getQueueManager()
+        .getLeafQueue("default", false).getSteadyFairShare().getMemory());
+
+    // Submit one application
+    ApplicationAttemptId appAttemptId1 = createAppAttemptId(1, 1);
+    createApplicationWithAMResource(appAttemptId1, "default", "user1", null);
+    assertEquals(3072, scheduler.getQueueManager()
+        .getLeafQueue("default", false).getSteadyFairShare().getMemory());
+    assertEquals(3072, scheduler.getQueueManager()
+        .getLeafQueue("user1", false).getSteadyFairShare().getMemory());
+  }
+
   /**
    * Make allocation requests and ensure they are reflected in queue demand.
    */
@@ -873,7 +1006,7 @@ public void testAppAdditionAndRemoval() throws Exception {
   }
 
   @Test
-  public void testHierarchicalQueueAllocationFileParsing() throws IOException, SAXException, 
+  public void testHierarchicalQueueAllocationFileParsing() throws IOException, SAXException,
       AllocationConfigurationException, ParserConfigurationException {
     conf.set(FairSchedulerConfiguration.ALLOCATION_FILE, ALLOC_FILE);
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerFairShare.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerFairShare.java
index 8b8ce93b506..ab8fcbc2b56 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerFairShare.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerFairShare.java
@@ -109,13 +109,15 @@ public void testFairShareNoAppsRunning() throws IOException {
 
     for (FSLeafQueue leaf : leafQueues) {
       if (leaf.getName().startsWith("root.parentA")) {
-        assertEquals(0, (double) leaf.getFairShare().getMemory() / nodeCapacity
-            * 100, 0);
+        assertEquals(0, (double) leaf.getFairShare().getMemory() / nodeCapacity,
+            0);
       } else if (leaf.getName().startsWith("root.parentB")) {
-        assertEquals(0, (double) leaf.getFairShare().getMemory() / nodeCapacity
-            * 100, 0.1);
+        assertEquals(0, (double) leaf.getFairShare().getMemory() / nodeCapacity,
+            0);
       }
     }
+
+    verifySteadyFairShareMemory(leafQueues, nodeCapacity);
   }
 
   @Test
@@ -135,14 +137,15 @@ public void testFairShareOneAppRunning() throws IOException {
         100,
         (double) scheduler.getQueueManager()
             .getLeafQueue("root.parentA.childA1", false).getFairShare()
-            .getMemory()
-            / nodeCapacity * 100, 0.1);
+            .getMemory() / nodeCapacity * 100, 0.1);
     assertEquals(
         0,
         (double) scheduler.getQueueManager()
             .getLeafQueue("root.parentA.childA2", false).getFairShare()
-            .getMemory()
-            / nodeCapacity * 100, 0.1);
+            .getMemory() / nodeCapacity, 0.1);
+
+    verifySteadyFairShareMemory(scheduler.getQueueManager().getLeafQueues(),
+        nodeCapacity);
   }
 
   @Test
@@ -167,6 +170,9 @@ public void testFairShareMultipleActiveQueuesUnderSameParent()
               .getMemory()
               / nodeCapacity * 100, .9);
     }
+
+    verifySteadyFairShareMemory(scheduler.getQueueManager().getLeafQueues(),
+        nodeCapacity);
   }
 
   @Test
@@ -206,6 +212,9 @@ public void testFairShareMultipleActiveQueuesUnderDifferentParent()
             .getLeafQueue("root.parentB.childB1", false).getFairShare()
             .getMemory()
             / nodeCapacity * 100, .9);
+
+    verifySteadyFairShareMemory(scheduler.getQueueManager().getLeafQueues(),
+        nodeCapacity);
   }
 
   @Test
@@ -253,6 +262,9 @@ public void testFairShareResetsToZeroWhenAppsComplete() throws IOException {
             .getLeafQueue("root.parentA.childA2", false).getFairShare()
             .getMemory()
             / nodeCapacity * 100, 0.1);
+
+    verifySteadyFairShareMemory(scheduler.getQueueManager().getLeafQueues(),
+        nodeCapacity);
   }
 
   @Test
@@ -304,5 +316,45 @@ public void testFairShareWithDRFMultipleActiveQueuesUnderDifferentParent()
             .getLeafQueue("root.parentB.childB1", false).getFairShare()
             .getVirtualCores()
             / nodeVCores * 100, .9);
+    Collection<FSLeafQueue> leafQueues = scheduler.getQueueManager()
+        .getLeafQueues();
+
+    for (FSLeafQueue leaf : leafQueues) {
+      if (leaf.getName().startsWith("root.parentA")) {
+        assertEquals(0.2,
+            (double) leaf.getSteadyFairShare().getMemory() / nodeMem, 0.001);
+        assertEquals(0.2,
+            (double) leaf.getSteadyFairShare().getVirtualCores() / nodeVCores,
+            0.001);
+      } else if (leaf.getName().startsWith("root.parentB")) {
+        assertEquals(0.05,
+            (double) leaf.getSteadyFairShare().getMemory() / nodeMem, 0.001);
+        assertEquals(0.1,
+            (double) leaf.getSteadyFairShare().getVirtualCores() / nodeVCores,
+            0.001);
+      }
+    }
+  }
+
+  /**
+   * Verify whether steady fair shares for all leaf queues still follow
+   * their weight, not related to active/inactive status.
+   *
+   * @param leafQueues
+   * @param nodeCapacity
+   */
+  private void verifySteadyFairShareMemory(Collection<FSLeafQueue> leafQueues,
+      int nodeCapacity) {
+    for (FSLeafQueue leaf : leafQueues) {
+      if (leaf.getName().startsWith("root.parentA")) {
+        assertEquals(0.2,
+            (double) leaf.getSteadyFairShare().getMemory() / nodeCapacity,
+            0.001);
+      } else if (leaf.getName().startsWith("root.parentB")) {
+        assertEquals(0.05,
+            (double) leaf.getSteadyFairShare().getMemory() / nodeCapacity,
+            0.001);
+      }
+    }
   }
 }

From 524a63e59ecfda99c66842462e1bac5d610e7997 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Fri, 22 Aug 2014 17:06:23 +0000
Subject: [PATCH 291/354] MAPREDUCE-6044. Fully qualified intermediate done dir
 path breaks per-user dir creation on Windows. Contributed by Zhijie Shen.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619863 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt          |  3 ++
 .../TestJobHistoryEventHandler.java           | 30 ++++++++++++++++++-
 .../v2/jobhistory/JobHistoryUtils.java        |  4 +--
 3 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index dfef8e5b99e..ddf21ed838b 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -255,6 +255,9 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-6012. DBInputSplit creates invalid ranges on Oracle. 
     (Wei Yan via kasha)
 
+    MAPREDUCE-6044. Fully qualified intermediate done dir path breaks per-user dir
+    creation on Windows. (zjshen)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/jobhistory/TestJobHistoryEventHandler.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/jobhistory/TestJobHistoryEventHandler.java
index d8a0cc7af52..7539e73ee63 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/jobhistory/TestJobHistoryEventHandler.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/jobhistory/TestJobHistoryEventHandler.java
@@ -25,7 +25,6 @@
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
-import static org.mockito.Mockito.never;
 
 import java.io.File;
 import java.io.FileOutputStream;
@@ -53,6 +52,8 @@
 import org.apache.hadoop.mapreduce.v2.app.AppContext;
 import org.apache.hadoop.mapreduce.v2.app.job.Job;
 import org.apache.hadoop.mapreduce.v2.app.job.JobStateInternal;
+import org.apache.hadoop.mapreduce.v2.jobhistory.JHAdminConfig;
+import org.apache.hadoop.mapreduce.v2.jobhistory.JobHistoryUtils;
 import org.apache.hadoop.mapreduce.v2.util.MRBuilderUtils;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
@@ -399,6 +400,33 @@ public void testDefaultFsIsUsedForHistory() throws Exception {
     }
   }
 
+  @Test
+  public void testGetHistoryIntermediateDoneDirForUser() throws IOException {
+    // Test relative path
+    Configuration conf = new Configuration();
+    conf.set(JHAdminConfig.MR_HISTORY_INTERMEDIATE_DONE_DIR,
+        "/mapred/history/done_intermediate");
+    conf.set(MRJobConfig.USER_NAME, System.getProperty("user.name"));
+    String pathStr = JobHistoryUtils.getHistoryIntermediateDoneDirForUser(conf);
+    Assert.assertEquals("/mapred/history/done_intermediate/" +
+        System.getProperty("user.name"), pathStr);
+
+    // Test fully qualified path
+    // Create default configuration pointing to the minicluster
+    conf.set(CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY,
+        dfsCluster.getURI().toString());
+    FileOutputStream os = new FileOutputStream(coreSitePath);
+    conf.writeXml(os);
+    os.close();
+    // Simulate execution under a non-default namenode
+    conf.set(CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY,
+            "file:///");
+    pathStr = JobHistoryUtils.getHistoryIntermediateDoneDirForUser(conf);
+    Assert.assertEquals(dfsCluster.getURI().toString() +
+        "/mapred/history/done_intermediate/" + System.getProperty("user.name"),
+        pathStr);
+  }
+
   private void queueEvent(JHEvenHandlerForTest jheh, JobHistoryEvent event) {
     jheh.handle(event);
   }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JobHistoryUtils.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JobHistoryUtils.java
index 167ee20a22e..e279c03ac1a 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JobHistoryUtils.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/jobhistory/JobHistoryUtils.java
@@ -292,8 +292,8 @@ private static String ensurePathInDefaultFileSystem(String sourcePath, Configura
    * @return the intermediate done directory for jobhistory files.
    */
   public static String getHistoryIntermediateDoneDirForUser(Configuration conf) throws IOException {
-    return getConfiguredHistoryIntermediateDoneDirPrefix(conf) + File.separator
-        + UserGroupInformation.getCurrentUser().getShortUserName();
+    return new Path(getConfiguredHistoryIntermediateDoneDirPrefix(conf),
+        UserGroupInformation.getCurrentUser().getShortUserName()).toString();
   }
 
   public static boolean shouldCreateNonUserDirectory(Configuration conf) {

From e6c36500705d3d756de82ee0ce9ff226f34b938f Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Fri, 22 Aug 2014 18:14:55 +0000
Subject: [PATCH 292/354] HDFS-6829. DFSAdmin
 refreshSuperUserGroupsConfiguration failed in security cluster. (Contributed
 by zhaoyunjiong)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619882 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                    | 3 +++
 .../src/main/java/org/apache/hadoop/hdfs/tools/DFSAdmin.java   | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 8ff94827dad..bd70656732b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -630,6 +630,9 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-6890. NFS readdirplus doesn't return dotdot attributes (brandonli)
 
+    HDFS-6829. DFSAdmin refreshSuperUserGroupsConfiguration failed in
+    security cluster (zhaoyunjiong via Arpit Agarwal)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/DFSAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/DFSAdmin.java
index f4d39a830de..ad7be18a67c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/DFSAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/DFSAdmin.java
@@ -356,7 +356,7 @@ static int run(DistributedFileSystem dfs, String[] argv, int idx) throws IOExcep
    * Construct a DFSAdmin object.
    */
   public DFSAdmin() {
-    this(null);
+    this(new HdfsConfiguration());
   }
 
   /**

From 10d267975ce1d7266e232f3615c6045d85142404 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Fri, 22 Aug 2014 18:25:09 +0000
Subject: [PATCH 293/354] HADOOP-10998. Fix bash tab completion code to work
 (Jim Hester via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619887 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |  2 ++
 .../src/contrib/bash-tab-completion/hadoop.sh | 28 +++++++++----------
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 52fc3e0eec7..50a6b82afd0 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -510,6 +510,8 @@ Release 2.6.0 - UNRELEASED
     HADOOP-8896. Javadoc points to Wrong Reader and Writer classes 
     in SequenceFile (Ray Chiang via aw)
 
+    HADOOP-10998. Fix bash tab completion code to work (Jim Hester via aw)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-common/src/contrib/bash-tab-completion/hadoop.sh b/hadoop-common-project/hadoop-common/src/contrib/bash-tab-completion/hadoop.sh
index 725aee781bc..2a229d4bd86 100644
--- a/hadoop-common-project/hadoop-common/src/contrib/bash-tab-completion/hadoop.sh
+++ b/hadoop-common-project/hadoop-common/src/contrib/bash-tab-completion/hadoop.sh
@@ -26,7 +26,7 @@ _hadoop() {
   COMPREPLY=()
   cur=${COMP_WORDS[COMP_CWORD]}
   prev=${COMP_WORDS[COMP_CWORD-1]}  
-  script=`which ${COMP_WORDS[0]}`
+  script=$(which ${COMP_WORDS[0]})
   
   # Bash lets you tab complete things even if the script doesn't
   # exist (or isn't executable). Check to make sure it is, as we
@@ -36,9 +36,9 @@ _hadoop() {
     1)
       # Completing the first argument (the command).
 
-      temp=`$script | grep -n "^\s*or"`;
-      temp=`$script | head -n $((${temp%%:*} - 1)) | awk '/^ / {print $1}' | sort | uniq`;
-      COMPREPLY=(`compgen -W "${temp}" -- ${cur}`);
+      temp=$($script | grep -n "^\s*or");
+      temp=$($script | head -n $((${temp%%:*} - 1)) | awk '/^ / {print $1}' | sort | uniq);
+      COMPREPLY=($(compgen -W "${temp}" -- ${cur}));
       return 0;;
 
     2)
@@ -51,21 +51,21 @@ _hadoop() {
       dfs | dfsadmin | fs | job | pipes)
         # One option per line, enclosed in square brackets
 
-        temp=`$script ${COMP_WORDS[1]} 2>&1 | awk '/^[ \t]*\[/ {gsub("[[\\]]", ""); print $1}'`;
-        COMPREPLY=(`compgen -W "${temp}" -- ${cur}`);
+        temp=$($script ${COMP_WORDS[1]} 2>&1 | awk '/^[ \t]*\[/ {gsub("[[\\]]", ""); print $1}');
+        COMPREPLY=($(compgen -W "${temp}" -- ${cur}));
         return 0;;
 
       jar)
         # Any (jar) file
 
-        COMPREPLY=(`compgen -A file -- ${cur}`);
+        COMPREPLY=($(compgen -A file -- ${cur}));
         return 0;;
 
       namenode)
         # All options specified in one line,
         # enclosed in [] and separated with |
-        temp=`$script ${COMP_WORDS[1]} -help 2>&1 | grep Usage: | cut -d '[' -f 2- | awk '{gsub("] \\| \\[|]", " "); print $0}'`;
-        COMPREPLY=(`compgen -W "${temp}" -- ${cur}`);
+        temp=$($script ${COMP_WORDS[1]} -help 2>&1 | grep Usage: | cut -d '[' -f 2- | awk '{gsub("] \\| \\[|]", " "); print $0}');
+        COMPREPLY=($(compgen -W "${temp}" -- ${cur}));
         return 0;;
 
       *)
@@ -83,26 +83,24 @@ _hadoop() {
         # Pull the list of options, grep for the one the user is trying to use,
         # and then select the description of the relevant argument
         temp=$((${COMP_CWORD} - 1));
-        temp=`$script ${COMP_WORDS[1]} 2>&1 | grep -- "${COMP_WORDS[2]} " | awk '{gsub("[[ \\]]", ""); print $0}' | cut -d '<' -f ${temp}`;
+        temp=$($script ${COMP_WORDS[1]} 2>&1 | grep -- "${COMP_WORDS[2]} " | awk '{gsub("[[ \\]]", ""); print $0}' | cut -d '<' -f ${temp} | cut -d '>' -f 1);
 
         if [ ${#temp} -lt 1 ]; then
           # No match
           return 1;
         fi;
 
-        temp=${temp:0:$((${#temp} - 1))};
-
         # Now do completion based on the argument
         case $temp in
         path | src | dst)
           # DFS path completion
-          temp=`$script ${COMP_WORDS[1]} -ls "${cur}*" 2>&1 | grep -vE '^Found ' | cut -f 1 | awk '{gsub("^.* ", ""); print $0;}'`
-          COMPREPLY=(`compgen -W "${temp}" -- ${cur}`);
+          temp=$($script ${COMP_WORDS[1]} -ls -d "${cur}*" 2>/dev/null | grep -vE '^Found ' | cut -f 1 | awk '{gsub("^.* ", ""); print $0;}');
+          COMPREPLY=($(compgen -W "${temp}" -- ${cur}));
           return 0;;
 
         localsrc | localdst)
           # Local path completion
-          COMPREPLY=(`compgen -A file -- ${cur}`);
+          COMPREPLY=($(compgen -A file -- ${cur}));
           return 0;;
 
         *)

From 4b3a6b87221076a6b5df2bf4243575018e5f1793 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Fri, 22 Aug 2014 22:16:15 +0000
Subject: [PATCH 294/354] HADOOP-10282. Create a FairCallQueue: a multi-level
 call queue which schedules incoming calls and multiplexes outgoing calls.
 (Contributed by Chris Li)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619938 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt                 |   4 +
 .../org/apache/hadoop/ipc/FairCallQueue.java  | 449 ++++++++++++++++++
 .../hadoop/ipc/FairCallQueueMXBean.java       |  27 ++
 .../org/apache/hadoop/ipc/RpcMultiplexer.java |  32 ++
 .../ipc/WeightedRoundRobinMultiplexer.java    |   2 +-
 .../apache/hadoop/ipc/TestFairCallQueue.java  | 392 +++++++++++++++
 6 files changed, 905 insertions(+), 1 deletion(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/FairCallQueue.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/FairCallQueueMXBean.java
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/RpcMultiplexer.java
 create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestFairCallQueue.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 50a6b82afd0..0291c758e03 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -560,6 +560,10 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10224. JavaKeyStoreProvider has to protect against corrupting
     underlying store. (asuresh via tucu)
 
+    HADOOP-10282. Create a FairCallQueue: a multi-level call queue which
+    schedules incoming calls and multiplexes outgoing calls. (Chris Li via
+    Arpit Agarwal)
+
   BUG FIXES
 
     HADOOP-10781. Unportable getgrouplist() usage breaks FreeBSD (Dmitry
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/FairCallQueue.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/FairCallQueue.java
new file mode 100644
index 00000000000..0b56243db58
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/FairCallQueue.java
@@ -0,0 +1,449 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ipc;
+
+import java.lang.ref.WeakReference;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.AbstractQueue;
+import java.util.HashMap;
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.LinkedBlockingQueue;
+import java.util.concurrent.locks.ReentrantLock;
+import java.util.concurrent.locks.Condition;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicLong;
+
+import com.google.common.annotations.VisibleForTesting;
+import org.apache.commons.lang.NotImplementedException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.metrics2.util.MBeans;
+
+/**
+ * A queue with multiple levels for each priority.
+ */
+public class FairCallQueue<E extends Schedulable> extends AbstractQueue<E>
+  implements BlockingQueue<E> {
+  // Configuration Keys
+  public static final int    IPC_CALLQUEUE_PRIORITY_LEVELS_DEFAULT = 4;
+  public static final String IPC_CALLQUEUE_PRIORITY_LEVELS_KEY =
+    "faircallqueue.priority-levels";
+
+  public static final Log LOG = LogFactory.getLog(FairCallQueue.class);
+
+  /* The queues */
+  private final ArrayList<BlockingQueue<E>> queues;
+
+  /* Read locks */
+  private final ReentrantLock takeLock = new ReentrantLock();
+  private final Condition notEmpty = takeLock.newCondition();
+  private void signalNotEmpty() {
+    takeLock.lock();
+    try {
+      notEmpty.signal();
+    } finally {
+      takeLock.unlock();
+    }
+  }
+
+  /* Scheduler picks which queue to place in */
+  private RpcScheduler scheduler;
+
+  /* Multiplexer picks which queue to draw from */
+  private RpcMultiplexer multiplexer;
+
+  /* Statistic tracking */
+  private final ArrayList<AtomicLong> overflowedCalls;
+
+  /**
+   * Create a FairCallQueue.
+   * @param capacity the maximum size of each sub-queue
+   * @param ns the prefix to use for configuration
+   * @param conf the configuration to read from
+   * Notes: the FairCallQueue has no fixed capacity. Rather, it has a minimum
+   * capacity of `capacity` and a maximum capacity of `capacity * number_queues`
+   */
+  public FairCallQueue(int capacity, String ns, Configuration conf) {
+    int numQueues = parseNumQueues(ns, conf);
+    LOG.info("FairCallQueue is in use with " + numQueues + " queues.");
+
+    this.queues = new ArrayList<BlockingQueue<E>>(numQueues);
+    this.overflowedCalls = new ArrayList<AtomicLong>(numQueues);
+
+    for(int i=0; i < numQueues; i++) {
+      this.queues.add(new LinkedBlockingQueue<E>(capacity));
+      this.overflowedCalls.add(new AtomicLong(0));
+    }
+
+    this.scheduler = new DecayRpcScheduler(numQueues, ns, conf);
+    this.multiplexer = new WeightedRoundRobinMultiplexer(numQueues, ns, conf);
+
+    // Make this the active source of metrics
+    MetricsProxy mp = MetricsProxy.getInstance(ns);
+    mp.setDelegate(this);
+  }
+
+  /**
+   * Read the number of queues from the configuration.
+   * This will affect the FairCallQueue's overall capacity.
+   * @throws IllegalArgumentException on invalid queue count
+   */
+  private static int parseNumQueues(String ns, Configuration conf) {
+    int retval = conf.getInt(ns + "." + IPC_CALLQUEUE_PRIORITY_LEVELS_KEY,
+      IPC_CALLQUEUE_PRIORITY_LEVELS_DEFAULT);
+    if(retval < 1) {
+      throw new IllegalArgumentException("numQueues must be at least 1");
+    }
+    return retval;
+  }
+
+  /**
+   * Returns the first non-empty queue with equal or lesser priority
+   * than <i>startIdx</i>. Wraps around, searching a maximum of N
+   * queues, where N is this.queues.size().
+   *
+   * @param startIdx the queue number to start searching at
+   * @return the first non-empty queue with less priority, or null if
+   * everything was empty
+   */
+  private BlockingQueue<E> getFirstNonEmptyQueue(int startIdx) {
+    final int numQueues = this.queues.size();
+    for(int i=0; i < numQueues; i++) {
+      int idx = (i + startIdx) % numQueues; // offset and wrap around
+      BlockingQueue<E> queue = this.queues.get(idx);
+      if (queue.size() != 0) {
+        return queue;
+      }
+    }
+
+    // All queues were empty
+    return null;
+  }
+
+  /* AbstractQueue and BlockingQueue methods */
+
+  /**
+   * Put and offer follow the same pattern:
+   * 1. Get a priorityLevel from the scheduler
+   * 2. Get the nth sub-queue matching this priorityLevel
+   * 3. delegate the call to this sub-queue.
+   *
+   * But differ in how they handle overflow:
+   * - Put will move on to the next queue until it lands on the last queue
+   * - Offer does not attempt other queues on overflow
+   */
+  @Override
+  public void put(E e) throws InterruptedException {
+    int priorityLevel = scheduler.getPriorityLevel(e);
+
+    final int numLevels = this.queues.size();
+    while (true) {
+      BlockingQueue<E> q = this.queues.get(priorityLevel);
+      boolean res = q.offer(e);
+      if (!res) {
+        // Update stats
+        this.overflowedCalls.get(priorityLevel).getAndIncrement();
+
+        // If we failed to insert, try again on the next level
+        priorityLevel++;
+
+        if (priorityLevel == numLevels) {
+          // That was the last one, we will block on put in the last queue
+          // Delete this line to drop the call
+          this.queues.get(priorityLevel-1).put(e);
+          break;
+        }
+      } else {
+        break;
+      }
+    }
+
+
+    signalNotEmpty();
+  }
+
+  @Override
+  public boolean offer(E e, long timeout, TimeUnit unit)
+      throws InterruptedException {
+    int priorityLevel = scheduler.getPriorityLevel(e);
+    BlockingQueue<E> q = this.queues.get(priorityLevel);
+    boolean ret = q.offer(e, timeout, unit);
+
+    signalNotEmpty();
+
+    return ret;
+  }
+
+  @Override
+  public boolean offer(E e) {
+    int priorityLevel = scheduler.getPriorityLevel(e);
+    BlockingQueue<E> q = this.queues.get(priorityLevel);
+    boolean ret = q.offer(e);
+
+    signalNotEmpty();
+
+    return ret;
+  }
+
+  @Override
+  public E take() throws InterruptedException {
+    int startIdx = this.multiplexer.getAndAdvanceCurrentIndex();
+
+    takeLock.lockInterruptibly();
+    try {
+      // Wait while queue is empty
+      for (;;) {
+        BlockingQueue<E> q = this.getFirstNonEmptyQueue(startIdx);
+        if (q != null) {
+          // Got queue, so return if we can poll out an object
+          E e = q.poll();
+          if (e != null) {
+            return e;
+          }
+        }
+
+        notEmpty.await();
+      }
+    } finally {
+      takeLock.unlock();
+    }
+  }
+
+  @Override
+  public E poll(long timeout, TimeUnit unit)
+      throws InterruptedException {
+
+    int startIdx = this.multiplexer.getAndAdvanceCurrentIndex();
+
+    long nanos = unit.toNanos(timeout);
+    takeLock.lockInterruptibly();
+    try {
+      for (;;) {
+        BlockingQueue<E> q = this.getFirstNonEmptyQueue(startIdx);
+        if (q != null) {
+          E e = q.poll();
+          if (e != null) {
+            // Escape condition: there might be something available
+            return e;
+          }
+        }
+
+        if (nanos <= 0) {
+          // Wait has elapsed
+          return null;
+        }
+
+        try {
+          // Now wait on the condition for a bit. If we get
+          // spuriously awoken we'll re-loop
+          nanos = notEmpty.awaitNanos(nanos);
+        } catch (InterruptedException ie) {
+          notEmpty.signal(); // propagate to a non-interrupted thread
+          throw ie;
+        }
+      }
+    } finally {
+      takeLock.unlock();
+    }
+  }
+
+  /**
+   * poll() provides no strict consistency: it is possible for poll to return
+   * null even though an element is in the queue.
+   */
+  @Override
+  public E poll() {
+    int startIdx = this.multiplexer.getAndAdvanceCurrentIndex();
+
+    BlockingQueue<E> q = this.getFirstNonEmptyQueue(startIdx);
+    if (q == null) {
+      return null; // everything is empty
+    }
+
+    // Delegate to the sub-queue's poll, which could still return null
+    return q.poll();
+  }
+
+  /**
+   * Peek, like poll, provides no strict consistency.
+   */
+  @Override
+  public E peek() {
+    BlockingQueue<E> q = this.getFirstNonEmptyQueue(0);
+    if (q == null) {
+      return null;
+    } else {
+      return q.peek();
+    }
+  }
+
+  /**
+   * Size returns the sum of all sub-queue sizes, so it may be greater than
+   * capacity.
+   * Note: size provides no strict consistency, and should not be used to
+   * control queue IO.
+   */
+  @Override
+  public int size() {
+    int size = 0;
+    for (BlockingQueue q : this.queues) {
+      size += q.size();
+    }
+    return size;
+  }
+
+  /**
+   * Iterator is not implemented, as it is not needed.
+   */
+  @Override
+  public Iterator<E> iterator() {
+    throw new NotImplementedException();
+  }
+
+  /**
+   * drainTo defers to each sub-queue. Note that draining from a FairCallQueue
+   * to another FairCallQueue will likely fail, since the incoming calls
+   * may be scheduled differently in the new FairCallQueue. Nonetheless this
+   * method is provided for completeness.
+   */
+  @Override
+  public int drainTo(Collection<? super E> c, int maxElements) {
+    int sum = 0;
+    for (BlockingQueue<E> q : this.queues) {
+      sum += q.drainTo(c, maxElements);
+    }
+    return sum;
+  }
+
+  @Override
+  public int drainTo(Collection<? super E> c) {
+    int sum = 0;
+    for (BlockingQueue<E> q : this.queues) {
+      sum += q.drainTo(c);
+    }
+    return sum;
+  }
+
+  /**
+   * Returns maximum remaining capacity. This does not reflect how much you can
+   * ideally fit in this FairCallQueue, as that would depend on the scheduler's
+   * decisions.
+   */
+  @Override
+  public int remainingCapacity() {
+    int sum = 0;
+    for (BlockingQueue q : this.queues) {
+      sum += q.remainingCapacity();
+    }
+    return sum;
+  }
+
+  /**
+   * MetricsProxy is a singleton because we may init multiple
+   * FairCallQueues, but the metrics system cannot unregister beans cleanly.
+   */
+  private static final class MetricsProxy implements FairCallQueueMXBean {
+    // One singleton per namespace
+    private static final HashMap<String, MetricsProxy> INSTANCES =
+      new HashMap<String, MetricsProxy>();
+
+    // Weakref for delegate, so we don't retain it forever if it can be GC'd
+    private WeakReference<FairCallQueue> delegate;
+
+    // Keep track of how many objects we registered
+    private int revisionNumber = 0;
+
+    private MetricsProxy(String namespace) {
+      MBeans.register(namespace, "FairCallQueue", this);
+    }
+
+    public static synchronized MetricsProxy getInstance(String namespace) {
+      MetricsProxy mp = INSTANCES.get(namespace);
+      if (mp == null) {
+        // We must create one
+        mp = new MetricsProxy(namespace);
+        INSTANCES.put(namespace, mp);
+      }
+      return mp;
+    }
+
+    public void setDelegate(FairCallQueue obj) {
+      this.delegate = new WeakReference<FairCallQueue>(obj);
+      this.revisionNumber++;
+    }
+
+    @Override
+    public int[] getQueueSizes() {
+      FairCallQueue obj = this.delegate.get();
+      if (obj == null) {
+        return new int[]{};
+      }
+
+      return obj.getQueueSizes();
+    }
+
+    @Override
+    public long[] getOverflowedCalls() {
+      FairCallQueue obj = this.delegate.get();
+      if (obj == null) {
+        return new long[]{};
+      }
+
+      return obj.getOverflowedCalls();
+    }
+
+    @Override public int getRevision() {
+      return revisionNumber;
+    }
+  }
+
+  // FairCallQueueMXBean
+  public int[] getQueueSizes() {
+    int numQueues = queues.size();
+    int[] sizes = new int[numQueues];
+    for (int i=0; i < numQueues; i++) {
+      sizes[i] = queues.get(i).size();
+    }
+    return sizes;
+  }
+
+  public long[] getOverflowedCalls() {
+    int numQueues = queues.size();
+    long[] calls = new long[numQueues];
+    for (int i=0; i < numQueues; i++) {
+      calls[i] = overflowedCalls.get(i).get();
+    }
+    return calls;
+  }
+
+  // For testing
+  @VisibleForTesting
+  public void setScheduler(RpcScheduler newScheduler) {
+    this.scheduler = newScheduler;
+  }
+
+  @VisibleForTesting
+  public void setMultiplexer(RpcMultiplexer newMux) {
+    this.multiplexer = newMux;
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/FairCallQueueMXBean.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/FairCallQueueMXBean.java
new file mode 100644
index 00000000000..bd68ecb1ad3
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/FairCallQueueMXBean.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ipc;
+
+public interface FairCallQueueMXBean {
+  // Get the size of each subqueue, the index corrosponding to the priority
+  // level.
+  int[] getQueueSizes();
+  long[] getOverflowedCalls();
+  int getRevision();
+}
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/RpcMultiplexer.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/RpcMultiplexer.java
new file mode 100644
index 00000000000..01eecc55cfa
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/RpcMultiplexer.java
@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ipc;
+
+/**
+ * Implement this interface to make a pluggable multiplexer in the
+ * FairCallQueue.
+ */
+public interface RpcMultiplexer {
+  /**
+   * Should get current index and optionally perform whatever is needed
+   * to prepare the next index.
+   * @return current index
+   */
+  int getAndAdvanceCurrentIndex();
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/WeightedRoundRobinMultiplexer.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/WeightedRoundRobinMultiplexer.java
index 497ca757461..cfda94734cf 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/WeightedRoundRobinMultiplexer.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/WeightedRoundRobinMultiplexer.java
@@ -38,7 +38,7 @@
  * There may be more reads than the minimum due to race conditions. This is
  * allowed by design for performance reasons.
  */
-public class WeightedRoundRobinMultiplexer {
+public class WeightedRoundRobinMultiplexer implements RpcMultiplexer {
   // Config keys
   public static final String IPC_CALLQUEUE_WRRMUX_WEIGHTS_KEY =
     "faircallqueue.multiplexer.weights";
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestFairCallQueue.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestFairCallQueue.java
new file mode 100644
index 00000000000..acbedc50f9f
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestFairCallQueue.java
@@ -0,0 +1,392 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ipc;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import junit.framework.TestCase;
+
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.BlockingQueue;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.conf.Configuration;
+import org.mockito.Matchers;
+
+import static org.apache.hadoop.ipc.FairCallQueue.IPC_CALLQUEUE_PRIORITY_LEVELS_KEY;
+
+public class TestFairCallQueue extends TestCase {
+  private FairCallQueue<Schedulable> fcq;
+
+  private Schedulable mockCall(String id) {
+    Schedulable mockCall = mock(Schedulable.class);
+    UserGroupInformation ugi = mock(UserGroupInformation.class);
+
+    when(ugi.getUserName()).thenReturn(id);
+    when(mockCall.getUserGroupInformation()).thenReturn(ugi);
+
+    return mockCall;
+  }
+
+  // A scheduler which always schedules into priority zero
+  private RpcScheduler alwaysZeroScheduler;
+  {
+    RpcScheduler sched = mock(RpcScheduler.class);
+    when(sched.getPriorityLevel(Matchers.<Schedulable>any())).thenReturn(0); // always queue 0
+    alwaysZeroScheduler = sched;
+  }
+
+  public void setUp() {
+    Configuration conf = new Configuration();
+    conf.setInt("ns." + IPC_CALLQUEUE_PRIORITY_LEVELS_KEY, 2);
+
+    fcq = new FairCallQueue<Schedulable>(5, "ns", conf);
+  }
+
+  //
+  // Ensure that FairCallQueue properly implements BlockingQueue
+  //
+  public void testPollReturnsNullWhenEmpty() {
+    assertNull(fcq.poll());
+  }
+
+  public void testPollReturnsTopCallWhenNotEmpty() {
+    Schedulable call = mockCall("c");
+    assertTrue(fcq.offer(call));
+
+    assertEquals(call, fcq.poll());
+
+    // Poll took it out so the fcq is empty
+    assertEquals(0, fcq.size());
+  }
+
+  public void testOfferSucceeds() {
+    fcq.setScheduler(alwaysZeroScheduler);
+
+    for (int i = 0; i < 5; i++) {
+      // We can fit 10 calls
+      assertTrue(fcq.offer(mockCall("c")));
+    }
+
+    assertEquals(5, fcq.size());
+  }
+
+  public void testOfferFailsWhenFull() {
+    fcq.setScheduler(alwaysZeroScheduler);
+    for (int i = 0; i < 5; i++) { assertTrue(fcq.offer(mockCall("c"))); }
+
+    assertFalse(fcq.offer(mockCall("c"))); // It's full
+
+    assertEquals(5, fcq.size());
+  }
+
+  public void testOfferSucceedsWhenScheduledLowPriority() {
+    // Scheduler will schedule into queue 0 x 5, then queue 1
+    RpcScheduler sched = mock(RpcScheduler.class);
+    when(sched.getPriorityLevel(Matchers.<Schedulable>any())).thenReturn(0, 0, 0, 0, 0, 1, 0);
+    fcq.setScheduler(sched);
+    for (int i = 0; i < 5; i++) { assertTrue(fcq.offer(mockCall("c"))); }
+
+    assertTrue(fcq.offer(mockCall("c")));
+
+    assertEquals(6, fcq.size());
+  }
+
+  public void testPeekNullWhenEmpty() {
+    assertNull(fcq.peek());
+  }
+
+  public void testPeekNonDestructive() {
+    Schedulable call = mockCall("c");
+    assertTrue(fcq.offer(call));
+
+    assertEquals(call, fcq.peek());
+    assertEquals(call, fcq.peek()); // Non-destructive
+    assertEquals(1, fcq.size());
+  }
+
+  public void testPeekPointsAtHead() {
+    Schedulable call = mockCall("c");
+    Schedulable next = mockCall("b");
+    fcq.offer(call);
+    fcq.offer(next);
+
+    assertEquals(call, fcq.peek()); // Peek points at the head
+  }
+
+  public void testPollTimeout() throws InterruptedException {
+    fcq.setScheduler(alwaysZeroScheduler);
+
+    assertNull(fcq.poll(10, TimeUnit.MILLISECONDS));
+  }
+
+  public void testPollSuccess() throws InterruptedException {
+    fcq.setScheduler(alwaysZeroScheduler);
+
+    Schedulable call = mockCall("c");
+    assertTrue(fcq.offer(call));
+
+    assertEquals(call, fcq.poll(10, TimeUnit.MILLISECONDS));
+
+    assertEquals(0, fcq.size());
+  }
+
+  public void testOfferTimeout() throws InterruptedException {
+    fcq.setScheduler(alwaysZeroScheduler);
+    for (int i = 0; i < 5; i++) {
+      assertTrue(fcq.offer(mockCall("c"), 10, TimeUnit.MILLISECONDS));
+    }
+
+    assertFalse(fcq.offer(mockCall("e"), 10, TimeUnit.MILLISECONDS)); // It's full
+
+    assertEquals(5, fcq.size());
+  }
+
+  public void testDrainTo() {
+    Configuration conf = new Configuration();
+    conf.setInt("ns." + IPC_CALLQUEUE_PRIORITY_LEVELS_KEY, 2);
+    FairCallQueue<Schedulable> fcq2 = new FairCallQueue<Schedulable>(10, "ns", conf);
+
+    fcq.setScheduler(alwaysZeroScheduler);
+    fcq2.setScheduler(alwaysZeroScheduler);
+
+    // Start with 3 in fcq, to be drained
+    for (int i = 0; i < 3; i++) {
+      fcq.offer(mockCall("c"));
+    }
+
+    fcq.drainTo(fcq2);
+
+    assertEquals(0, fcq.size());
+    assertEquals(3, fcq2.size());
+  }
+
+  public void testDrainToWithLimit() {
+    Configuration conf = new Configuration();
+    conf.setInt("ns." + IPC_CALLQUEUE_PRIORITY_LEVELS_KEY, 2);
+    FairCallQueue<Schedulable> fcq2 = new FairCallQueue<Schedulable>(10, "ns", conf);
+
+    fcq.setScheduler(alwaysZeroScheduler);
+    fcq2.setScheduler(alwaysZeroScheduler);
+
+    // Start with 3 in fcq, to be drained
+    for (int i = 0; i < 3; i++) {
+      fcq.offer(mockCall("c"));
+    }
+
+    fcq.drainTo(fcq2, 2);
+
+    assertEquals(1, fcq.size());
+    assertEquals(2, fcq2.size());
+  }
+
+  public void testInitialRemainingCapacity() {
+    assertEquals(10, fcq.remainingCapacity());
+  }
+
+  public void testFirstQueueFullRemainingCapacity() {
+    fcq.setScheduler(alwaysZeroScheduler);
+    while (fcq.offer(mockCall("c"))) ; // Queue 0 will fill up first, then queue 1
+
+    assertEquals(5, fcq.remainingCapacity());
+  }
+
+  public void testAllQueuesFullRemainingCapacity() {
+    RpcScheduler sched = mock(RpcScheduler.class);
+    when(sched.getPriorityLevel(Matchers.<Schedulable>any())).thenReturn(0, 0, 0, 0, 0, 1, 1, 1, 1, 1);
+    fcq.setScheduler(sched);
+    while (fcq.offer(mockCall("c"))) ;
+
+    assertEquals(0, fcq.remainingCapacity());
+    assertEquals(10, fcq.size());
+  }
+
+  public void testQueuesPartialFilledRemainingCapacity() {
+    RpcScheduler sched = mock(RpcScheduler.class);
+    when(sched.getPriorityLevel(Matchers.<Schedulable>any())).thenReturn(0, 1, 0, 1, 0);
+    fcq.setScheduler(sched);
+    for (int i = 0; i < 5; i++) { fcq.offer(mockCall("c")); }
+
+    assertEquals(5, fcq.remainingCapacity());
+    assertEquals(5, fcq.size());
+  }
+
+  /**
+   * Putter produces FakeCalls
+   */
+  public class Putter implements Runnable {
+    private final BlockingQueue<Schedulable> cq;
+
+    public final String tag;
+    public volatile int callsAdded = 0; // How many calls we added, accurate unless interrupted
+    private final int maxCalls;
+
+    public Putter(BlockingQueue<Schedulable> aCq, int maxCalls, String tag) {
+      this.maxCalls = maxCalls;
+      this.cq = aCq;
+      this.tag = tag;
+    }
+
+    private String getTag() {
+      if (this.tag != null) return this.tag;
+      return "";
+    }
+
+    @Override
+    public void run() {
+      try {
+        // Fill up to max (which is infinite if maxCalls < 0)
+        while (callsAdded < maxCalls || maxCalls < 0) {
+          cq.put(mockCall(getTag()));
+          callsAdded++;
+        }
+      } catch (InterruptedException e) {
+        return;
+      }
+    }
+  }
+
+  /**
+   * Taker consumes FakeCalls
+   */
+  public class Taker implements Runnable {
+    private final BlockingQueue<Schedulable> cq;
+
+    public final String tag; // if >= 0 means we will only take the matching tag, and put back
+                          // anything else
+    public volatile int callsTaken = 0; // total calls taken, accurate if we aren't interrupted
+    public volatile Schedulable lastResult = null; // the last thing we took
+    private final int maxCalls; // maximum calls to take
+
+    private IdentityProvider uip;
+
+    public Taker(BlockingQueue<Schedulable> aCq, int maxCalls, String tag) {
+      this.maxCalls = maxCalls;
+      this.cq = aCq;
+      this.tag = tag;
+      this.uip = new UserIdentityProvider();
+    }
+
+    @Override
+    public void run() {
+      try {
+        // Take while we don't exceed maxCalls, or if maxCalls is undefined (< 0)
+        while (callsTaken < maxCalls || maxCalls < 0) {
+          Schedulable res = cq.take();
+          String identity = uip.makeIdentity(res);
+
+          if (tag != null && this.tag.equals(identity)) {
+            // This call does not match our tag, we should put it back and try again
+            cq.put(res);
+          } else {
+            callsTaken++;
+            lastResult = res;
+          }
+        }
+      } catch (InterruptedException e) {
+        return;
+      }
+    }
+  }
+
+  // Assert we can take exactly the numberOfTakes
+  public void assertCanTake(BlockingQueue<Schedulable> cq, int numberOfTakes,
+    int takeAttempts) throws InterruptedException {
+
+    Taker taker = new Taker(cq, takeAttempts, "default");
+    Thread t = new Thread(taker);
+    t.start();
+    t.join(100);
+
+    assertEquals(numberOfTakes, taker.callsTaken);
+    t.interrupt();
+  }
+
+  // Assert we can put exactly the numberOfPuts
+  public void assertCanPut(BlockingQueue<Schedulable> cq, int numberOfPuts,
+    int putAttempts) throws InterruptedException {
+
+    Putter putter = new Putter(cq, putAttempts, null);
+    Thread t = new Thread(putter);
+    t.start();
+    t.join(100);
+
+    assertEquals(numberOfPuts, putter.callsAdded);
+    t.interrupt();
+  }
+
+  // Make sure put will overflow into lower queues when the top is full
+  public void testPutOverflows() throws InterruptedException {
+    fcq.setScheduler(alwaysZeroScheduler);
+
+    // We can fit more than 5, even though the scheduler suggests the top queue
+    assertCanPut(fcq, 8, 8);
+    assertEquals(8, fcq.size());
+  }
+
+  public void testPutBlocksWhenAllFull() throws InterruptedException {
+    fcq.setScheduler(alwaysZeroScheduler);
+
+    assertCanPut(fcq, 10, 10); // Fill up
+    assertEquals(10, fcq.size());
+
+    // Put more which causes overflow
+    assertCanPut(fcq, 0, 1); // Will block
+  }
+
+  public void testTakeBlocksWhenEmpty() throws InterruptedException {
+    fcq.setScheduler(alwaysZeroScheduler);
+    assertCanTake(fcq, 0, 1);
+  }
+
+  public void testTakeRemovesCall() throws InterruptedException {
+    fcq.setScheduler(alwaysZeroScheduler);
+    Schedulable call = mockCall("c");
+    fcq.offer(call);
+
+    assertEquals(call, fcq.take());
+    assertEquals(0, fcq.size());
+  }
+
+  public void testTakeTriesNextQueue() throws InterruptedException {
+    // Make a FCQ filled with calls in q 1 but empty in q 0
+    RpcScheduler q1Scheduler = mock(RpcScheduler.class);
+    when(q1Scheduler.getPriorityLevel(Matchers.<Schedulable>any())).thenReturn(1);
+    fcq.setScheduler(q1Scheduler);
+
+    // A mux which only draws from q 0
+    RpcMultiplexer q0mux = mock(RpcMultiplexer.class);
+    when(q0mux.getAndAdvanceCurrentIndex()).thenReturn(0);
+    fcq.setMultiplexer(q0mux);
+
+    Schedulable call = mockCall("c");
+    fcq.put(call);
+
+    // Take from q1 even though mux said q0, since q0 empty
+    assertEquals(call, fcq.take());
+    assertEquals(0, fcq.size());
+  }
+}
\ No newline at end of file

From a83d055f2552e84e2d8096a1a30237cd21fa879a Mon Sep 17 00:00:00 2001
From: Chris Nauroth <cnauroth@apache.org>
Date: Sat, 23 Aug 2014 05:30:21 +0000
Subject: [PATCH 295/354] HDFS-4852. libhdfs documentation is out of date.
 Contributed by Chris Nauroth.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619967 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  2 ++
 .../hadoop-hdfs/src/site/apt/LibHdfs.apt.vm   | 29 ++++++++++++-------
 2 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index bd70656732b..d0389ab7168 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -633,6 +633,8 @@ Release 2.6.0 - UNRELEASED
     HDFS-6829. DFSAdmin refreshSuperUserGroupsConfiguration failed in
     security cluster (zhaoyunjiong via Arpit Agarwal)
 
+    HDFS-4852. libhdfs documentation is out of date. (cnauroth)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/LibHdfs.apt.vm b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/LibHdfs.apt.vm
index 5ad50ab6356..23ff678ba51 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/LibHdfs.apt.vm
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/LibHdfs.apt.vm
@@ -26,14 +26,17 @@ C API libhdfs
    (HDFS). It provides C APIs to a subset of the HDFS APIs to manipulate
    HDFS files and the filesystem. libhdfs is part of the Hadoop
    distribution and comes pre-compiled in
-   <<<${HADOOP_PREFIX}/libhdfs/libhdfs.so>>> .
+   <<<${HADOOP_HDFS_HOME}/lib/native/libhdfs.so>>> .  libhdfs is compatible with
+   Windows and can be built on Windows by running <<<mvn compile>>> within the
+   <<<hadoop-hdfs-project/hadoop-hdfs>>> directory of the source tree.
 
 * The APIs
 
-   The libhdfs APIs are a subset of: {{{hadoop fs APIs}}}.
+   The libhdfs APIs are a subset of the
+   {{{../../api/org/apache/hadoop/fs/FileSystem.html}Hadoop FileSystem APIs}}.
 
    The header file for libhdfs describes each API in detail and is
-   available in <<<${HADOOP_PREFIX}/src/c++/libhdfs/hdfs.h>>>
+   available in <<<${HADOOP_HDFS_HOME}/include/hdfs.h>>>.
 
 * A Sample Program
 
@@ -55,24 +58,28 @@ C API libhdfs
                fprintf(stderr, "Failed to 'flush' %s\n", writePath);
               exit(-1);
         }
-       hdfsCloseFile(fs, writeFile);
+        hdfsCloseFile(fs, writeFile);
     }
 ----
 
 * How To Link With The Library
 
-   See the Makefile for <<<hdfs_test.c>>> in the libhdfs source directory
-   (<<<${HADOOP_PREFIX}/src/c++/libhdfs/Makefile>>>) or something like:
-   <<<gcc above_sample.c -I${HADOOP_PREFIX}/src/c++/libhdfs -L${HADOOP_PREFIX}/libhdfs -lhdfs -o above_sample>>>
+   See the CMake file for <<<test_libhdfs_ops.c>>> in the libhdfs source
+   directory (<<<hadoop-hdfs-project/hadoop-hdfs/src/CMakeLists.txt>>>) or
+   something like:
+   <<<gcc above_sample.c -I${HADOOP_HDFS_HOME}/include -L${HADOOP_HDFS_HOME}/lib/native -lhdfs -o above_sample>>>
 
 * Common Problems
 
    The most common problem is the <<<CLASSPATH>>> is not set properly when
    calling a program that uses libhdfs. Make sure you set it to all the
-   Hadoop jars needed to run Hadoop itself. Currently, there is no way to
-   programmatically generate the classpath, but a good bet is to include
-   all the jar files in <<<${HADOOP_PREFIX}>>> and <<<${HADOOP_PREFIX}/lib>>> as well
-   as the right configuration directory containing <<<hdfs-site.xml>>>
+   Hadoop jars needed to run Hadoop itself as well as the right configuration
+   directory containing <<<hdfs-site.xml>>>.  It is not valid to use wildcard
+   syntax for specifying multiple jars.  It may be useful to run
+   <<<hadoop classpath --glob>>> or <<<hadoop classpath --jar <path>>>> to
+   generate the correct classpath for your deployment.  See
+   {{{../hadoop-common/CommandsManual.html#classpath}Hadoop Commands Reference}}
+   for more information on this command.
 
 * Thread Safe
 

From e871955765a5a40707e866179945c5dc4fefd389 Mon Sep 17 00:00:00 2001
From: Arpit Agarwal <arp@apache.org>
Date: Sat, 23 Aug 2014 06:01:17 +0000
Subject: [PATCH 296/354] HDFS-6899. Allow changing MiniDFSCluster volumes per
 DN and capacity per volume. (Arpit Agarwal)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619970 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../datanode/fsdataset/impl/FsVolumeImpl.java |  45 +++++--
 .../apache/hadoop/hdfs/MiniDFSCluster.java    | 119 +++++++++++++++---
 .../hdfs/MiniDFSClusterWithNodeGroup.java     |  26 +++-
 .../org/apache/hadoop/hdfs/TestSafeMode.java  |   2 +-
 .../TestBlockHasMultipleReplicasOnSameDN.java |   5 +-
 ...stDnRespectsBlockReportSplitThreshold.java |   6 +-
 .../namenode/metrics/TestNameNodeMetrics.java |   2 +-
 8 files changed, 171 insertions(+), 37 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index d0389ab7168..31ed15c6114 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -507,6 +507,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6758. block writer should pass the expected block size to
     DataXceiverServer. (Arpit Agarwal)
 
+    HDFS-6899. Allow changing MiniDFSCluster volumes per DN and capacity
+    per volume. (Arpit Agarwal)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeImpl.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeImpl.java
index adfc896f7f2..0b9fda83ae5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeImpl.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeImpl.java
@@ -29,6 +29,7 @@
 import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
 
+import com.google.common.annotations.VisibleForTesting;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.DF;
@@ -50,7 +51,8 @@
  * It uses the {@link FsDatasetImpl} object for synchronization.
  */
 @InterfaceAudience.Private
-class FsVolumeImpl implements FsVolumeSpi {
+@VisibleForTesting
+public class FsVolumeImpl implements FsVolumeSpi {
   private final FsDatasetImpl dataset;
   private final String storageID;
   private final StorageType storageType;
@@ -59,6 +61,12 @@ class FsVolumeImpl implements FsVolumeSpi {
   private final File currentDir;    // <StorageDirectory>/current
   private final DF usage;           
   private final long reserved;
+
+  // Capacity configured. This is useful when we want to
+  // limit the visible capacity for tests. If negative, then we just
+  // query from the filesystem.
+  protected long configuredCapacity;
+
   /**
    * Per-volume worker pool that processes new blocks to cache.
    * The maximum number of workers per volume is bounded (configurable via
@@ -78,20 +86,26 @@ class FsVolumeImpl implements FsVolumeSpi {
     File parent = currentDir.getParentFile();
     this.usage = new DF(parent, conf);
     this.storageType = storageType;
+    this.configuredCapacity = -1;
+    cacheExecutor = initializeCacheExecutor(parent);
+  }
+
+  protected ThreadPoolExecutor initializeCacheExecutor(File parent) {
     final int maxNumThreads = dataset.datanode.getConf().getInt(
         DFSConfigKeys.DFS_DATANODE_FSDATASETCACHE_MAX_THREADS_PER_VOLUME_KEY,
-        DFSConfigKeys.DFS_DATANODE_FSDATASETCACHE_MAX_THREADS_PER_VOLUME_DEFAULT
-        );
+        DFSConfigKeys.DFS_DATANODE_FSDATASETCACHE_MAX_THREADS_PER_VOLUME_DEFAULT);
+
     ThreadFactory workerFactory = new ThreadFactoryBuilder()
         .setDaemon(true)
         .setNameFormat("FsVolumeImplWorker-" + parent.toString() + "-%d")
         .build();
-    cacheExecutor = new ThreadPoolExecutor(
+    ThreadPoolExecutor executor = new ThreadPoolExecutor(
         1, maxNumThreads,
         60, TimeUnit.SECONDS,
         new LinkedBlockingQueue<Runnable>(),
         workerFactory);
-    cacheExecutor.allowCoreThreadTimeOut(true);
+    executor.allowCoreThreadTimeOut(true);
+    return executor;
   }
   
   File getCurrentDir() {
@@ -130,9 +144,24 @@ long getBlockPoolUsed(String bpid) throws IOException {
    * reserved capacity.
    * @return the unreserved number of bytes left in this filesystem. May be zero.
    */
-  long getCapacity() {
-    long remaining = usage.getCapacity() - reserved;
-    return remaining > 0 ? remaining : 0;
+  @VisibleForTesting
+  public long getCapacity() {
+    if (configuredCapacity < 0) {
+      long remaining = usage.getCapacity() - reserved;
+      return remaining > 0 ? remaining : 0;
+    }
+
+    return configuredCapacity;
+  }
+
+  /**
+   * This function MUST NOT be used outside of tests.
+   *
+   * @param capacity
+   */
+  @VisibleForTesting
+  public void setCapacityForTesting(long capacity) {
+    this.configuredCapacity = capacity;
   }
 
   @Override
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
index fef5ff85227..98ca3160047 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
@@ -55,7 +55,6 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.channels.FileChannel;
-import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -91,7 +90,9 @@
 import org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter.SecureResources;
 import org.apache.hadoop.hdfs.server.datanode.SimulatedFSDataset;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.FsDatasetSpi;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.FsVolumeSpi;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.impl.FsDatasetUtil;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.impl.FsVolumeImpl;
 import org.apache.hadoop.hdfs.server.namenode.FSNamesystem;
 import org.apache.hadoop.hdfs.server.namenode.NameNode;
 import org.apache.hadoop.hdfs.server.namenode.NameNodeAdapter;
@@ -131,11 +132,15 @@ public class MiniDFSCluster {
   public static final String  DFS_NAMENODE_SAFEMODE_EXTENSION_TESTING_KEY
       = DFS_NAMENODE_SAFEMODE_EXTENSION_KEY + ".testing";
 
-  // Changing this value may break some tests that assume it is 2.
-  public static final int DIRS_PER_DATANODE = 2;
+  // Changing this default may break some tests that assume it is 2.
+  private static final int DEFAULT_STORAGES_PER_DATANODE = 2;
 
   static { DefaultMetricsSystem.setMiniClusterMode(true); }
 
+  public int getStoragesPerDatanode() {
+    return storagesPerDatanode;
+  }
+
   /**
    * Class to construct instances of MiniDFSClusters with specific options.
    */
@@ -145,6 +150,8 @@ public static class Builder {
     private final Configuration conf;
     private int numDataNodes = 1;
     private StorageType[][] storageTypes = null;
+    private StorageType[] storageTypes1D = null;
+    private int storagesPerDatanode = DEFAULT_STORAGES_PER_DATANODE;
     private boolean format = true;
     private boolean manageNameDfsDirs = true;
     private boolean manageNameDfsSharedDirs = true;
@@ -155,6 +162,8 @@ public static class Builder {
     private String[] racks = null; 
     private String [] hosts = null;
     private long [] simulatedCapacities = null;
+    private long [][] storageCapacities = null;
+    private long [] storageCapacities1D = null;
     private String clusterId = null;
     private boolean waitSafeMode = true;
     private boolean setupHostsFile = false;
@@ -192,17 +201,21 @@ public Builder numDataNodes(int val) {
       return this;
     }
 
+    /**
+     * Default: DEFAULT_STORAGES_PER_DATANODE
+     */
+    public Builder storagesPerDatanode(int numStorages) {
+      this.storagesPerDatanode = numStorages;
+      return this;
+    }
+
     /**
      * Set the same storage type configuration for each datanode.
      * If storageTypes is uninitialized or passed null then
      * StorageType.DEFAULT is used.
      */
     public Builder storageTypes(StorageType[] types) {
-      assert types.length == DIRS_PER_DATANODE;
-      this.storageTypes = new StorageType[numDataNodes][types.length];
-      for (int i = 0; i < numDataNodes; ++i) {
-        this.storageTypes[i] = types;
-      }
+      this.storageTypes1D = types;
       return this;
     }
 
@@ -216,6 +229,26 @@ public Builder storageTypes(StorageType[][] types) {
       return this;
     }
 
+    /**
+     * Set the same storage capacity configuration for each datanode.
+     * If storageTypes is uninitialized or passed null then
+     * StorageType.DEFAULT is used.
+     */
+    public Builder storageCapacities(long[] capacities) {
+      this.storageCapacities1D = capacities;
+      return this;
+    }
+
+    /**
+     * Set custom storage capacity configuration for each datanode.
+     * If storageCapacities is uninitialized or passed null then
+     * capacity is limited by available disk space.
+     */
+    public Builder storageCapacities(long[][] capacities) {
+      this.storageCapacities = capacities;
+      return this;
+    }
+
     /**
      * Default: true
      */
@@ -289,6 +322,11 @@ public Builder hosts(String[] val) {
     }
 
     /**
+     * Use SimulatedFSDataset and limit the capacity of each DN per
+     * the values passed in val.
+     *
+     * For limiting the capacity of volumes with real storage, see
+     * {@link FsVolumeImpl#setCapacityForTesting}
      * Default: null
      */
     public Builder simulatedCapacities(long[] val) {
@@ -391,7 +429,28 @@ protected MiniDFSCluster(Builder builder) throws IOException {
     LOG.info("starting cluster: numNameNodes=" + numNameNodes
         + ", numDataNodes=" + builder.numDataNodes);
     nameNodes = new NameNodeInfo[numNameNodes];
+    this.storagesPerDatanode = builder.storagesPerDatanode;
+
+    // Duplicate the storageType setting for each DN.
+    if (builder.storageTypes == null && builder.storageTypes1D != null) {
+      assert builder.storageTypes1D.length == storagesPerDatanode;
+      builder.storageTypes = new StorageType[builder.numDataNodes][storagesPerDatanode];
       
+      for (int i = 0; i < builder.numDataNodes; ++i) {
+        builder.storageTypes[i] = builder.storageTypes1D;
+      }
+    }
+
+    // Duplicate the storageCapacity setting for each DN.
+    if (builder.storageCapacities == null && builder.storageCapacities1D != null) {
+      assert builder.storageCapacities1D.length == storagesPerDatanode;
+      builder.storageCapacities = new long[builder.numDataNodes][storagesPerDatanode];
+
+      for (int i = 0; i < builder.numDataNodes; ++i) {
+        builder.storageCapacities[i] = builder.storageCapacities1D;
+      }
+    }
+
     initMiniDFSCluster(builder.conf,
                        builder.numDataNodes,
                        builder.storageTypes,
@@ -404,6 +463,7 @@ protected MiniDFSCluster(Builder builder) throws IOException {
                        builder.dnOption,
                        builder.racks,
                        builder.hosts,
+                       builder.storageCapacities,
                        builder.simulatedCapacities,
                        builder.clusterId,
                        builder.waitSafeMode,
@@ -446,6 +506,7 @@ public void setDnArgs(String ... args) {
   private boolean waitSafeMode = true;
   private boolean federation;
   private boolean checkExitOnShutdown = true;
+  protected final int storagesPerDatanode;
   
   /**
    * A unique instance identifier for the cluster. This
@@ -484,6 +545,7 @@ public void setStartOpt(StartupOption startOpt) {
    */
   public MiniDFSCluster() {
     nameNodes = new NameNodeInfo[0]; // No namenode in the cluster
+    storagesPerDatanode = DEFAULT_STORAGES_PER_DATANODE;
     synchronized (MiniDFSCluster.class) {
       instanceId = instanceCount++;
     }
@@ -660,11 +722,12 @@ public MiniDFSCluster(int nameNodePort,
                         String[] racks, String hosts[],
                         long[] simulatedCapacities) throws IOException {
     this.nameNodes = new NameNodeInfo[1]; // Single namenode in the cluster
+    this.storagesPerDatanode = DEFAULT_STORAGES_PER_DATANODE;
     initMiniDFSCluster(conf, numDataNodes, null, format,
-        manageNameDfsDirs, true, manageDataDfsDirs, manageDataDfsDirs, 
-        operation, null, racks, hosts,
-        simulatedCapacities, null, true, false,
-        MiniDFSNNTopology.simpleSingleNN(nameNodePort, 0), true, false, false, null);
+                       manageNameDfsDirs, true, manageDataDfsDirs, manageDataDfsDirs,
+                       operation, null, racks, hosts,
+                       null, simulatedCapacities, null, true, false,
+                       MiniDFSNNTopology.simpleSingleNN(nameNodePort, 0), true, false, false, null);
   }
 
   private void initMiniDFSCluster(
@@ -673,7 +736,8 @@ private void initMiniDFSCluster(
       boolean manageNameDfsSharedDirs, boolean enableManagedDfsDirsRedundancy,
       boolean manageDataDfsDirs, StartupOption startOpt,
       StartupOption dnStartOpt, String[] racks,
-      String[] hosts, long[] simulatedCapacities, String clusterId,
+      String[] hosts,
+      long[][] storageCapacities, long[] simulatedCapacities, String clusterId,
       boolean waitSafeMode, boolean setupHostsFile,
       MiniDFSNNTopology nnTopology, boolean checkExitOnShutdown,
       boolean checkDataNodeAddrConfig,
@@ -744,7 +808,7 @@ private void initMiniDFSCluster(
       // Start the DataNodes
       startDataNodes(conf, numDataNodes, storageTypes, manageDataDfsDirs,
           dnStartOpt != null ? dnStartOpt : startOpt,
-          racks, hosts, simulatedCapacities, setupHostsFile,
+          racks, hosts, storageCapacities, simulatedCapacities, setupHostsFile,
           checkDataNodeAddrConfig, checkDataNodeHostConfig, dnConfOverlays);
       waitClusterUp();
       //make sure ProxyUsers uses the latest conf
@@ -1119,8 +1183,8 @@ public void waitClusterUp() throws IOException {
 
   String makeDataNodeDirs(int dnIndex, StorageType[] storageTypes) throws IOException {
     StringBuilder sb = new StringBuilder();
-    assert storageTypes == null || storageTypes.length == DIRS_PER_DATANODE;
-    for (int j = 0; j < DIRS_PER_DATANODE; ++j) {
+    assert storageTypes == null || storageTypes.length == storagesPerDatanode;
+    for (int j = 0; j < storagesPerDatanode; ++j) {
       File dir = getInstanceStorageDir(dnIndex, j);
       dir.mkdirs();
       if (!dir.isDirectory()) {
@@ -1196,7 +1260,7 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
                              long[] simulatedCapacities,
                              boolean setupHostsFile) throws IOException {
     startDataNodes(conf, numDataNodes, null, manageDfsDirs, operation, racks, hosts,
-        simulatedCapacities, setupHostsFile, false, false, null);
+        null, simulatedCapacities, setupHostsFile, false, false, null);
   }
 
   public synchronized void startDataNodes(Configuration conf, int numDataNodes,
@@ -1206,7 +1270,7 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
       boolean setupHostsFile,
       boolean checkDataNodeAddrConfig) throws IOException {
     startDataNodes(conf, numDataNodes, null, manageDfsDirs, operation, racks, hosts,
-        simulatedCapacities, setupHostsFile, checkDataNodeAddrConfig, false, null);
+        null, simulatedCapacities, setupHostsFile, checkDataNodeAddrConfig, false, null);
   }
 
   /**
@@ -1240,12 +1304,15 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
   public synchronized void startDataNodes(Configuration conf, int numDataNodes,
       StorageType[][] storageTypes, boolean manageDfsDirs, StartupOption operation,
       String[] racks, String[] hosts,
+      long[][] storageCapacities,
       long[] simulatedCapacities,
       boolean setupHostsFile,
       boolean checkDataNodeAddrConfig,
       boolean checkDataNodeHostConfig,
       Configuration[] dnConfOverlays) throws IOException {
+    assert storageCapacities == null || simulatedCapacities == null;
     assert storageTypes == null || storageTypes.length == numDataNodes;
+    assert storageCapacities == null || storageCapacities.length == numDataNodes;
 
     if (operation == StartupOption.RECOVER) {
       return;
@@ -1298,7 +1365,7 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
                         operation != StartupOption.ROLLBACK) ?
         null : new String[] {operation.getName()};
     
-    
+    DataNode[] dns = new DataNode[numDataNodes];
     for (int i = curDatanodesNum; i < curDatanodesNum+numDataNodes; i++) {
       Configuration dnConf = new HdfsConfiguration(conf);
       if (dnConfOverlays != null) {
@@ -1389,10 +1456,24 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
       dn.runDatanodeDaemon();
       dataNodes.add(new DataNodeProperties(dn, newconf, dnArgs,
           secureResources, dn.getIpcPort()));
+      dns[i - curDatanodesNum] = dn;
     }
     curDatanodesNum += numDataNodes;
     this.numDataNodes += numDataNodes;
     waitActive();
+
+    if (storageCapacities != null) {
+      for (int i = curDatanodesNum; i < curDatanodesNum+numDataNodes; ++i) {
+        List<? extends FsVolumeSpi> volumes = dns[i].getFSDataset().getVolumes();
+        assert storageCapacities[i].length == storagesPerDatanode;
+        assert volumes.size() == storagesPerDatanode;
+
+        for (int j = 0; j < volumes.size(); ++j) {
+          FsVolumeImpl volume = (FsVolumeImpl) volumes.get(j);
+          volume.setCapacityForTesting(storageCapacities[i][j]);
+        }
+      }
+    }
   }
   
   
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSClusterWithNodeGroup.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSClusterWithNodeGroup.java
index 382bf368213..d5225a4f966 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSClusterWithNodeGroup.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSClusterWithNodeGroup.java
@@ -22,6 +22,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.util.List;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -31,6 +32,8 @@
 import org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter;
 import org.apache.hadoop.hdfs.server.datanode.SimulatedFSDataset;
 import org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter.SecureResources;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.FsVolumeSpi;
+import org.apache.hadoop.hdfs.server.datanode.fsdataset.impl.FsVolumeImpl;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.net.StaticMapping;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -52,11 +55,15 @@ public static void setNodeGroups (String[] nodeGroups) {
   public synchronized void startDataNodes(Configuration conf, int numDataNodes,
       StorageType[][] storageTypes, boolean manageDfsDirs, StartupOption operation,
       String[] racks, String[] nodeGroups, String[] hosts,
+      long[][] storageCapacities,
       long[] simulatedCapacities,
       boolean setupHostsFile,
       boolean checkDataNodeAddrConfig,
       boolean checkDataNodeHostConfig) throws IOException {
+
+    assert storageCapacities == null || simulatedCapacities == null;
     assert storageTypes == null || storageTypes.length == numDataNodes;
+    assert storageCapacities == null || storageCapacities.length == numDataNodes;
 
     if (operation == StartupOption.RECOVER) {
       return;
@@ -109,6 +116,7 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
     operation != StartupOption.ROLLBACK) ?
         null : new String[] {operation.getName()};
 
+    DataNode[] dns = new DataNode[numDataNodes];
     for (int i = curDatanodesNum; i < curDatanodesNum+numDataNodes; i++) {
       Configuration dnConf = new HdfsConfiguration(conf);
       // Set up datanode address
@@ -181,10 +189,23 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
       }
       dn.runDatanodeDaemon();
       dataNodes.add(new DataNodeProperties(dn, newconf, dnArgs, secureResources, dn.getIpcPort()));
+      dns[i - curDatanodesNum] = dn;
     }
     curDatanodesNum += numDataNodes;
     this.numDataNodes += numDataNodes;
     waitActive();
+
+    if (storageCapacities != null) {
+      for (int i = curDatanodesNum; i < curDatanodesNum+numDataNodes; ++i) {
+        List<? extends FsVolumeSpi> volumes = dns[i].getFSDataset().getVolumes();
+        assert volumes.size() == storagesPerDatanode;
+
+        for (int j = 0; j < volumes.size(); ++j) {
+          FsVolumeImpl volume = (FsVolumeImpl) volumes.get(j);
+          volume.setCapacityForTesting(storageCapacities[i][j]);
+        }
+      }
+    }
   }
 
   public synchronized void startDataNodes(Configuration conf, int numDataNodes, 
@@ -193,7 +214,7 @@ public synchronized void startDataNodes(Configuration conf, int numDataNodes,
       long[] simulatedCapacities,
       boolean setupHostsFile) throws IOException {
     startDataNodes(conf, numDataNodes, null, manageDfsDirs, operation, racks, nodeGroups,
-        hosts, simulatedCapacities, setupHostsFile, false, false);
+        hosts, null, simulatedCapacities, setupHostsFile, false, false);
   }
 
   public void startDataNodes(Configuration conf, int numDataNodes, 
@@ -209,13 +230,14 @@ public void startDataNodes(Configuration conf, int numDataNodes,
   public synchronized void startDataNodes(Configuration conf, int numDataNodes, 
       StorageType[][] storageTypes, boolean manageDfsDirs, StartupOption operation,
       String[] racks, String[] hosts,
+      long[][] storageCapacities,
       long[] simulatedCapacities,
       boolean setupHostsFile,
       boolean checkDataNodeAddrConfig,
       boolean checkDataNodeHostConfig,
       Configuration[] dnConfOverlays) throws IOException {
     startDataNodes(conf, numDataNodes, storageTypes, manageDfsDirs, operation, racks,
-        NODE_GROUPS, hosts, simulatedCapacities, setupHostsFile, 
+        NODE_GROUPS, hosts, storageCapacities, simulatedCapacities, setupHostsFile,
         checkDataNodeAddrConfig, checkDataNodeHostConfig);
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java
index bda95c07525..3db66f52c94 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java
@@ -213,7 +213,7 @@ public void testInitializeReplQueuesEarly() throws Exception {
       @Override
       public Boolean get() {
         return getLongCounter("StorageBlockReportOps", getMetrics(NN_METRICS)) ==
-            MiniDFSCluster.DIRS_PER_DATANODE;
+            cluster.getStoragesPerDatanode();
       }
     }, 10, 10000);
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockHasMultipleReplicasOnSameDN.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockHasMultipleReplicasOnSameDN.java
index dfe4209ec23..e71c0ea982a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockHasMultipleReplicasOnSameDN.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestBlockHasMultipleReplicasOnSameDN.java
@@ -18,7 +18,6 @@
 package org.apache.hadoop.hdfs.server.datanode;
 
 import java.io.IOException;
-import java.net.InetSocketAddress;
 import java.util.ArrayList;
 
 
@@ -106,7 +105,7 @@ public void testBlockHasMultipleReplicasOnSameDN() throws IOException {
     DataNode dn = cluster.getDataNodes().get(0);
     DatanodeRegistration dnReg = dn.getDNRegistrationForBP(bpid);
     StorageBlockReport reports[] =
-        new StorageBlockReport[MiniDFSCluster.DIRS_PER_DATANODE];
+        new StorageBlockReport[cluster.getStoragesPerDatanode()];
 
     ArrayList<Block> blocks = new ArrayList<Block>();
 
@@ -114,7 +113,7 @@ public void testBlockHasMultipleReplicasOnSameDN() throws IOException {
       blocks.add(locatedBlock.getBlock().getLocalBlock());
     }
 
-    for (int i = 0; i < MiniDFSCluster.DIRS_PER_DATANODE; ++i) {
+    for (int i = 0; i < cluster.getStoragesPerDatanode(); ++i) {
       BlockListAsLongs bll = new BlockListAsLongs(blocks, null);
       FsVolumeSpi v = dn.getFSDataset().getVolumes().get(i);
       DatanodeStorage dns = new DatanodeStorage(v.getStorageID());
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDnRespectsBlockReportSplitThreshold.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDnRespectsBlockReportSplitThreshold.java
index 989c33d2f09..7058d71f2e8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDnRespectsBlockReportSplitThreshold.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestDnRespectsBlockReportSplitThreshold.java
@@ -130,7 +130,7 @@ public void testAlwaysSplit() throws IOException, InterruptedException {
     ArgumentCaptor<StorageBlockReport[]> captor =
         ArgumentCaptor.forClass(StorageBlockReport[].class);
 
-    Mockito.verify(nnSpy, times(MiniDFSCluster.DIRS_PER_DATANODE)).blockReport(
+    Mockito.verify(nnSpy, times(cluster.getStoragesPerDatanode())).blockReport(
         any(DatanodeRegistration.class),
         anyString(),
         captor.capture());
@@ -167,7 +167,7 @@ public void testCornerCaseUnderThreshold() throws IOException, InterruptedExcept
         anyString(),
         captor.capture());
 
-    verifyCapturedArguments(captor, MiniDFSCluster.DIRS_PER_DATANODE, BLOCKS_IN_FILE);
+    verifyCapturedArguments(captor, cluster.getStoragesPerDatanode(), BLOCKS_IN_FILE);
   }
 
   /**
@@ -194,7 +194,7 @@ public void testCornerCaseAtThreshold() throws IOException, InterruptedException
     ArgumentCaptor<StorageBlockReport[]> captor =
         ArgumentCaptor.forClass(StorageBlockReport[].class);
 
-    Mockito.verify(nnSpy, times(MiniDFSCluster.DIRS_PER_DATANODE)).blockReport(
+    Mockito.verify(nnSpy, times(cluster.getStoragesPerDatanode())).blockReport(
         any(DatanodeRegistration.class),
         anyString(),
         captor.capture());
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/metrics/TestNameNodeMetrics.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/metrics/TestNameNodeMetrics.java
index c893d3bb7af..c7828b1ca08 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/metrics/TestNameNodeMetrics.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/metrics/TestNameNodeMetrics.java
@@ -443,7 +443,7 @@ public void testSyncAndBlockReportMetric() throws Exception {
     assertCounter("SyncsNumOps", 1L, rb);
     // Each datanode reports in when the cluster comes up
     assertCounter("BlockReportNumOps",
-                  (long)DATANODE_COUNT*MiniDFSCluster.DIRS_PER_DATANODE, rb);
+                  (long)DATANODE_COUNT * cluster.getStoragesPerDatanode(), rb);
     
     // Sleep for an interval+slop to let the percentiles rollover
     Thread.sleep((PERCENTILES_INTERVAL+1)*1000);

From dc154ab86d694e68f54c635043eb55d501d0e242 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Wed, 27 Aug 2014 00:55:19 -0700
Subject: [PATCH 297/354] Add a section for 2.5.1 in CHANGES.txt

---
 hadoop-common-project/hadoop-common/CHANGES.txt | 12 ++++++++++++
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt     | 12 ++++++++++++
 hadoop-mapreduce-project/CHANGES.txt            | 12 ++++++++++++
 hadoop-yarn-project/CHANGES.txt                 | 12 ++++++++++++
 4 files changed, 48 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 0291c758e03..9242ca41240 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -695,6 +695,18 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10989. Work around buggy getgrouplist() implementations on Linux that
     return 0 on failure. (cnauroth)
 
+Release 2.5.1 - UNRELEASED
+
+  INCOMPATIBLE CHANGES
+
+  NEW FEATURES
+
+  IMPROVEMENTS
+
+  OPTIMIZATIONS
+
+  BUG FIXES
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 31ed15c6114..4e60c46388c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -638,6 +638,18 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-4852. libhdfs documentation is out of date. (cnauroth)
 
+Release 2.5.1 - UNRELEASED
+
+  INCOMPATIBLE CHANGES
+
+  NEW FEATURES
+
+  IMPROVEMENTS
+
+  OPTIMIZATIONS
+
+  BUG FIXES
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index ddf21ed838b..4cd71c0784d 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -258,6 +258,18 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-6044. Fully qualified intermediate done dir path breaks per-user dir
     creation on Windows. (zjshen)
 
+Release 2.5.1 - UNRELEASED
+
+  INCOMPATIBLE CHANGES
+
+  NEW FEATURES
+
+  IMPROVEMENTS
+
+  OPTIMIZATIONS
+
+  BUG FIXES
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 5b61b4146c1..916816e7509 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -237,6 +237,18 @@ Release 2.6.0 - UNRELEASED
     YARN-2434. RM should not recover containers from previously failed attempt
     when AM restart is not enabled (Jian He via jlowe)
 
+Release 2.5.1 - UNRELEASED
+
+  INCOMPATIBLE CHANGES
+
+  NEW FEATURES
+
+  IMPROVEMENTS
+
+  OPTIMIZATIONS
+
+  BUG FIXES
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES

From 2d9b77d6170fe38757f7f48a4492f17ac669cbc2 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Wed, 27 Aug 2014 01:16:52 -0700
Subject: [PATCH 298/354] Fix CHANGES.txt entry for MAPREDUCE-6033.

---
 hadoop-mapreduce-project/CHANGES.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 4cd71c0784d..a6d2981e6e8 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -270,6 +270,9 @@ Release 2.5.1 - UNRELEASED
 
   BUG FIXES
 
+    MAPREDUCE-6033. Updated access check for displaying job information 
+    (Yu Gao via Eric Yang)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
@@ -351,9 +354,6 @@ Release 2.5.0 - 2014-08-11
 
   BUG FIXES 
 
-    MAPREDUCE-6033. Updated access check for displaying job information 
-    (Yu Gao via Eric Yang)
-
     MAPREDUCE-5759. Remove unnecessary conf load in Limits (Sandy Ryza)
 
     MAPREDUCE-5014. Extend Distcp to accept a custom CopyListing.

From d16bfd1d0f7cd958e7041be40763cc9983a7b80a Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Wed, 27 Aug 2014 01:43:58 -0700
Subject: [PATCH 299/354] YARN-1326. RM should log using RMStore at startup
 time. (Tsuyoshi Ozawa via kasha)

---
 hadoop-yarn-project/CHANGES.txt                     |  3 +++
 .../recovery/RMStateStoreFactory.java               | 13 ++++++++-----
 .../server/resourcemanager/webapp/AboutBlock.java   |  1 +
 .../resourcemanager/webapp/dao/ClusterInfo.java     |  8 ++++++++
 .../resourcemanager/webapp/TestRMWebServices.java   |  2 +-
 5 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 916816e7509..eefa5470bb2 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -154,6 +154,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2389. Added functionality for schedulers to kill all applications in a
     queue. (Subramaniam Venkatraman Krishnan via jianhe)
 
+    YARN-1326. RM should log using RMStore at startup time. 
+    (Tsuyoshi Ozawa via kasha)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreFactory.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreFactory.java
index f9e2869d997..c09ddb8aa1d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreFactory.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStoreFactory.java
@@ -17,17 +17,20 @@
 */
 package org.apache.hadoop.yarn.server.resourcemanager.recovery;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 
 public class RMStateStoreFactory {
+  private static final Log LOG = LogFactory.getLog(RMStateStoreFactory.class);
   
   public static RMStateStore getStore(Configuration conf) {
-    RMStateStore store = ReflectionUtils.newInstance(
-        conf.getClass(YarnConfiguration.RM_STORE, 
-            MemoryRMStateStore.class, RMStateStore.class), 
-            conf);
-    return store;
+    Class<? extends RMStateStore> storeClass =
+        conf.getClass(YarnConfiguration.RM_STORE,
+            MemoryRMStateStore.class, RMStateStore.class);
+    LOG.info("Using RMStateStore implementation - " + storeClass);
+    return ReflectionUtils.newInstance(storeClass, conf);
   }
 }
\ No newline at end of file
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AboutBlock.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AboutBlock.java
index 91b5cc10194..ea5c48adff6 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AboutBlock.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AboutBlock.java
@@ -44,6 +44,7 @@ protected void render(Block html) {
       _("Cluster ID:", cinfo.getClusterId()).
       _("ResourceManager state:", cinfo.getState()).
       _("ResourceManager HA state:", cinfo.getHAState()).
+      _("ResourceManager RMStateStore:", cinfo.getRMStateStore()).
       _("ResourceManager started on:", Times.format(cinfo.getStartedOn())).
       _("ResourceManager version:", cinfo.getRMBuildVersion() +
           " on " + cinfo.getRMVersionBuiltOn()).
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/ClusterInfo.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/ClusterInfo.java
index c96d73ed1dc..b529f211226 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/ClusterInfo.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/ClusterInfo.java
@@ -25,6 +25,7 @@
 import org.apache.hadoop.service.Service.STATE;
 import org.apache.hadoop.util.VersionInfo;
 import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
+import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore;
 import org.apache.hadoop.yarn.util.YarnVersionInfo;
 
 @XmlRootElement
@@ -35,6 +36,7 @@ public class ClusterInfo {
   protected long startedOn;
   protected STATE state;
   protected HAServiceProtocol.HAServiceState haState;
+  protected String rmStateStoreName;
   protected String resourceManagerVersion;
   protected String resourceManagerBuildVersion;
   protected String resourceManagerVersionBuiltOn;
@@ -51,6 +53,8 @@ public ClusterInfo(ResourceManager rm) {
     this.id = ts;
     this.state = rm.getServiceState();
     this.haState = rm.getRMContext().getHAServiceState();
+    this.rmStateStoreName = rm.getRMContext().getStateStore().getClass()
+        .getName();
     this.startedOn = ts;
     this.resourceManagerVersion = YarnVersionInfo.getVersion();
     this.resourceManagerBuildVersion = YarnVersionInfo.getBuildVersion();
@@ -68,6 +72,10 @@ public String getHAState() {
     return this.haState.toString();
   }
 
+  public String getRMStateStore() {
+    return this.rmStateStoreName;
+  }
+
   public String getRMVersion() {
     return this.resourceManagerVersion;
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java
index 561b1478f74..ff0f6f63386 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java
@@ -284,7 +284,7 @@ public void verifyClusterInfo(JSONObject json) throws JSONException,
       Exception {
     assertEquals("incorrect number of elements", 1, json.length());
     JSONObject info = json.getJSONObject("clusterInfo");
-    assertEquals("incorrect number of elements", 10, info.length());
+    assertEquals("incorrect number of elements", 11, info.length());
     verifyClusterGeneric(info.getLong("id"), info.getLong("startedOn"),
         info.getString("state"), info.getString("haState"),
         info.getString("hadoopVersionBuiltOn"),

From d778abf022b415c64223153814d4188c2b3dd797 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Wed, 27 Aug 2014 02:01:00 -0700
Subject: [PATCH 300/354] YARN-2035. FileSystemApplicationHistoryStore should
 not make working dir when it already exists. Contributed by Jonathan Eagles.

---
 hadoop-yarn-project/CHANGES.txt               |  3 +
 .../FileSystemApplicationHistoryStore.java    | 14 ++++-
 ...TestFileSystemApplicationHistoryStore.java | 62 ++++++++++++++++++-
 3 files changed, 75 insertions(+), 4 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index eefa5470bb2..36d304c7876 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -240,6 +240,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2434. RM should not recover containers from previously failed attempt
     when AM restart is not enabled (Jian He via jlowe)
 
+    YARN-2035. FileSystemApplicationHistoryStore should not make working dir
+    when it already exists. (Jonathan Eagles via zjshen)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/FileSystemApplicationHistoryStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/FileSystemApplicationHistoryStore.java
index a5725ebfffe..a2d91406871 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/FileSystemApplicationHistoryStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/FileSystemApplicationHistoryStore.java
@@ -110,15 +110,23 @@ public FileSystemApplicationHistoryStore() {
     super(FileSystemApplicationHistoryStore.class.getName());
   }
 
+  protected FileSystem getFileSystem(Path path, Configuration conf) throws Exception {
+    return path.getFileSystem(conf);
+  }
+
   @Override
   public void serviceInit(Configuration conf) throws Exception {
     Path fsWorkingPath =
         new Path(conf.get(YarnConfiguration.FS_APPLICATION_HISTORY_STORE_URI));
     rootDirPath = new Path(fsWorkingPath, ROOT_DIR_NAME);
     try {
-      fs = fsWorkingPath.getFileSystem(conf);
-      fs.mkdirs(rootDirPath);
-      fs.setPermission(rootDirPath, ROOT_DIR_UMASK);
+      fs = getFileSystem(fsWorkingPath, conf);
+
+      if (!fs.isDirectory(rootDirPath)) {
+        fs.mkdirs(rootDirPath);
+        fs.setPermission(rootDirPath, ROOT_DIR_UMASK);
+      }
+
     } catch (IOException e) {
       LOG.error("Error when initializing FileSystemHistoryStorage", e);
       throw e;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestFileSystemApplicationHistoryStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestFileSystemApplicationHistoryStore.java
index d31018c1181..552a5e50b0e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestFileSystemApplicationHistoryStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestFileSystemApplicationHistoryStore.java
@@ -20,9 +20,17 @@
 
 import java.io.IOException;
 import java.net.URI;
+import java.net.URISyntaxException;
 
 import org.junit.Assert;
 
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
@@ -53,6 +61,11 @@ public class TestFileSystemApplicationHistoryStore extends
   @Before
   public void setup() throws Exception {
     fs = new RawLocalFileSystem();
+    initStore(fs);
+  }
+
+  private void initStore(final FileSystem fs) throws IOException,
+      URISyntaxException {
     Configuration conf = new Configuration();
     fs.initialize(new URI("/"), conf);
     fsWorkingPath =
@@ -61,7 +74,12 @@ public void setup() throws Exception {
     fs.delete(fsWorkingPath, true);
     conf.set(YarnConfiguration.FS_APPLICATION_HISTORY_STORE_URI,
       fsWorkingPath.toString());
-    store = new FileSystemApplicationHistoryStore();
+    store = new FileSystemApplicationHistoryStore() {
+      @Override
+      protected FileSystem getFileSystem(Path path, Configuration conf) {
+        return fs;
+      }
+    };
     store.init(conf);
     store.start();
   }
@@ -243,4 +261,46 @@ public void testMissingApplicationAttemptHistoryData() throws IOException {
     testWriteHistoryData(3, false, true);
     testReadHistoryData(3, false, true);
   }
+
+  @Test
+  public void testInitExistingWorkingDirectoryInSafeMode() throws Exception {
+    LOG.info("Starting testInitExistingWorkingDirectoryInSafeMode");
+    tearDown();
+
+    // Setup file system to inject startup conditions
+    FileSystem fs = spy(new RawLocalFileSystem());
+    doReturn(true).when(fs).isDirectory(any(Path.class));
+
+    try {
+      initStore(fs);
+    } catch (Exception e) {
+      Assert.fail("Exception should not be thrown: " + e);
+    }
+
+    // Make sure that directory creation was not attempted
+    verify(fs, times(1)).isDirectory(any(Path.class));
+    verify(fs, times(0)).mkdirs(any(Path.class));
+  }
+
+  @Test
+  public void testInitNonExistingWorkingDirectoryInSafeMode() throws Exception {
+    LOG.info("Starting testInitNonExistingWorkingDirectoryInSafeMode");
+    tearDown();
+
+    // Setup file system to inject startup conditions
+    FileSystem fs = spy(new RawLocalFileSystem());
+    doReturn(false).when(fs).isDirectory(any(Path.class));
+    doThrow(new IOException()).when(fs).mkdirs(any(Path.class));
+
+    try {
+      initStore(fs);
+      Assert.fail("Exception should have been thrown");
+    } catch (Exception e) {
+      // Expected failure
+    }
+
+    // Make sure that directory creation was attempted
+    verify(fs, times(1)).isDirectory(any(Path.class));
+    verify(fs, times(1)).mkdirs(any(Path.class));
+  }
 }

From a1618a2a77ef241b23058809037f93ea00da9329 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Tue, 26 Aug 2014 14:40:46 -0700
Subject: [PATCH 301/354] HADOOP-11002. shell escapes are incompatible with
 previous releases (aw)

---
 .../hadoop-common/CHANGES.txt                 |  2 ++
 .../src/main/bin/hadoop-functions.sh          | 31 ++++++-------------
 2 files changed, 11 insertions(+), 22 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 9242ca41240..2270df3424d 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -319,6 +319,8 @@ Trunk (Unreleased)
     HADOOP-10925. Compilation fails in native link0 function on Windows.
     (cnauroth)
 
+    HADOOP-11002. shell escapes are incompatible with previous releases (aw)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
index f2437fa2ff2..ab61b8483f6 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
@@ -59,8 +59,7 @@ function hadoop_bootstrap_init
   TOOL_PATH=${TOOL_PATH:-${HADOOP_PREFIX}/share/hadoop/tools/lib/*}
 
   export HADOOP_OS_TYPE=${HADOOP_OS_TYPE:-$(uname -s)}
-
-  
+ 
   # defaults
   export HADOOP_OPTS=${HADOOP_OPTS:-"-Djava.net.preferIPv4Stack=true"}
 }
@@ -94,7 +93,6 @@ function hadoop_exec_hadoopenv
   fi
 }
 
-
 function hadoop_basic_init
 {
   # Some of these are also set in hadoop-env.sh.
@@ -446,7 +444,6 @@ function hadoop_add_to_classpath_mapred
   hadoop_add_classpath "${HADOOP_MAPRED_HOME}/${MAPRED_DIR}"'/*'
 }
 
-
 function hadoop_add_to_classpath_userpath
 {
   # Add the user-specified HADOOP_CLASSPATH to the
@@ -551,7 +548,6 @@ function hadoop_java_setup
   fi
 }
 
-
 function hadoop_finalize_libpaths
 {
   if [[ -n "${JAVA_LIBRARY_PATH}" ]]; then
@@ -564,17 +560,14 @@ function hadoop_finalize_libpaths
 #
 # fill in any last minute options that might not have been defined yet
 #
-# Note that we are replacing ' ' with '\ ' so that directories with
-# spaces work correctly when run exec blah
-#
 function hadoop_finalize_hadoop_opts
 {
-  hadoop_add_param HADOOP_OPTS hadoop.log.dir "-Dhadoop.log.dir=${HADOOP_LOG_DIR/ /\ }"
-  hadoop_add_param HADOOP_OPTS hadoop.log.file "-Dhadoop.log.file=${HADOOP_LOGFILE/ /\ }"
-  hadoop_add_param HADOOP_OPTS hadoop.home.dir "-Dhadoop.home.dir=${HADOOP_PREFIX/ /\ }"
-  hadoop_add_param HADOOP_OPTS hadoop.id.str "-Dhadoop.id.str=${HADOOP_IDENT_STRING/ /\ }"
+  hadoop_add_param HADOOP_OPTS hadoop.log.dir "-Dhadoop.log.dir=${HADOOP_LOG_DIR}"
+  hadoop_add_param HADOOP_OPTS hadoop.log.file "-Dhadoop.log.file=${HADOOP_LOGFILE}"
+  hadoop_add_param HADOOP_OPTS hadoop.home.dir "-Dhadoop.home.dir=${HADOOP_PREFIX}"
+  hadoop_add_param HADOOP_OPTS hadoop.id.str "-Dhadoop.id.str=${HADOOP_IDENT_STRING}"
   hadoop_add_param HADOOP_OPTS hadoop.root.logger "-Dhadoop.root.logger=${HADOOP_ROOT_LOGGER}"
-  hadoop_add_param HADOOP_OPTS hadoop.policy.file "-Dhadoop.policy.file=${HADOOP_POLICYFILE/ /\ }"
+  hadoop_add_param HADOOP_OPTS hadoop.policy.file "-Dhadoop.policy.file=${HADOOP_POLICYFILE}"
   hadoop_add_param HADOOP_OPTS hadoop.security.logger "-Dhadoop.security.logger=${HADOOP_SECURITY_LOGGER}"
 }
 
@@ -724,10 +717,8 @@ function hadoop_java_exec
   local command=$1
   local class=$2
   shift 2
-  # we eval this so that paths with spaces work
   #shellcheck disable=SC2086
-  eval exec "$JAVA" "-Dproc_${command}" ${HADOOP_OPTS} "${class}" "$@"
-
+  exec "${JAVA}" "-Dproc_${command}" ${HADOOP_OPTS} "${class}" "$@"
 }
 
 function hadoop_start_daemon
@@ -739,7 +730,7 @@ function hadoop_start_daemon
   local class=$2
   shift 2
   #shellcheck disable=SC2086
-  eval exec "$JAVA" "-Dproc_${command}" ${HADOOP_OPTS} "${class}" "$@"
+  exec "${JAVA}" "-Dproc_${command}" ${HADOOP_OPTS} "${class}" "$@"
 }
 
 function hadoop_start_daemon_wrapper
@@ -802,9 +793,7 @@ function hadoop_start_secure_daemon
   # where to send stderr.  same thing, except &2 = stderr
   local daemonerrfile=$5
   shift 5
-  
-  
-  
+ 
   hadoop_rotate_log "${daemonoutfile}"
   hadoop_rotate_log "${daemonerrfile}"
   
@@ -925,7 +914,6 @@ function hadoop_stop_daemon
   fi
 }
 
-
 function hadoop_stop_secure_daemon
 {
   local command=$1
@@ -984,7 +972,6 @@ function hadoop_daemon_handler
   esac
 }
 
-
 function hadoop_secure_daemon_handler
 {
   local daemonmode=$1

From 9ec4a930f57ab17b969ab656a7d5b0c7364b1354 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Wed, 27 Aug 2014 07:00:31 -0700
Subject: [PATCH 302/354] HADOOP-10996. Stop violence in the *_HOME (aw)

---
 .../hadoop-common/CHANGES.txt                 |  2 ++
 .../src/main/bin/hadoop-config.sh             | 10 ++++++++--
 .../src/main/bin/hadoop-functions.sh          | 12 +++++------
 .../hadoop-hdfs/src/main/bin/hdfs-config.sh   | 15 +++++++-------
 hadoop-mapreduce-project/bin/mapred-config.sh | 20 ++++++++++---------
 .../hadoop-yarn/bin/yarn-config.sh            | 16 +++++++--------
 6 files changed, 42 insertions(+), 33 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 2270df3424d..45e38d392f9 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -321,6 +321,8 @@ Trunk (Unreleased)
 
     HADOOP-11002. shell escapes are incompatible with previous releases (aw)
 
+    HADOOP-10996. Stop violence in the *_HOME (aw)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
index b2fc4d341df..0cf8bcfc78e 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
@@ -53,7 +53,10 @@ if [[ -z "${HADOOP_LIBEXEC_DIR}" ]]; then
 fi
 
 # get our functions defined for usage later
-if [[ -f "${HADOOP_LIBEXEC_DIR}/hadoop-functions.sh" ]]; then
+if [[ -n "${HADOOP_COMMON_HOME}" ]] && 
+   [[ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-functions.sh" ]]; then
+  . "${HADOOP_COMMON_HOME}/libexec/hadoop-functions.sh"
+elif [[ -e "${HADOOP_LIBEXEC_DIR}/hadoop-functions.sh" ]]; then
   . "${HADOOP_LIBEXEC_DIR}/hadoop-functions.sh"
 else
   echo "ERROR: Unable to exec ${HADOOP_LIBEXEC_DIR}/hadoop-functions.sh." 1>&2
@@ -61,7 +64,10 @@ else
 fi
 
 # allow overrides of the above and pre-defines of the below
-if [[ -f "${HADOOP_LIBEXEC_DIR}/hadoop-layout.sh" ]]; then
+if [[ -n "${HADOOP_COMMON_HOME}" ]] &&
+   [[ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-layout.sh" ]]; then
+  . "${HADOOP_COMMON_HOME}/libexec/hadoop-layout.sh"
+elif [[ -e "${HADOOP_LIBEXEC_DIR}/hadoop-layout.sh" ]]; then
   . "${HADOOP_LIBEXEC_DIR}/hadoop-layout.sh"
 fi
 
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
index ab61b8483f6..800e024485e 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
@@ -68,17 +68,18 @@ function hadoop_find_confdir
 {
   # NOTE: This function is not user replaceable.
 
+  local conf_dir
   # Look for the basic hadoop configuration area.
   #
   #
   # An attempt at compatibility with some Hadoop 1.x
   # installs.
   if [[ -e "${HADOOP_PREFIX}/conf/hadoop-env.sh" ]]; then
-    DEFAULT_CONF_DIR="conf"
+    conf_dir="conf"
   else
-    DEFAULT_CONF_DIR="etc/hadoop"
+    conf_dir="etc/hadoop"
   fi
-  export HADOOP_CONF_DIR="${HADOOP_CONF_DIR:-${HADOOP_PREFIX}/${DEFAULT_CONF_DIR}}"
+  export HADOOP_CONF_DIR="${HADOOP_CONF_DIR:-${HADOOP_PREFIX}/${conf_dir}}"
 }
 
 function hadoop_exec_hadoopenv
@@ -573,10 +574,7 @@ function hadoop_finalize_hadoop_opts
 
 function hadoop_finalize_classpath
 {
-  
-  # we want the HADOOP_CONF_DIR at the end
-  # according to oom, it gives a 2% perf boost
-  hadoop_add_classpath "${HADOOP_CONF_DIR}" after
+  hadoop_add_classpath "${HADOOP_CONF_DIR}" before
   
   # user classpath gets added at the last minute. this allows
   # override of CONF dirs and more
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs-config.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs-config.sh
index fb460d96d6a..68240287d97 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs-config.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs-config.sh
@@ -20,7 +20,7 @@
 
 function hadoop_subproject_init
 {
-  if [ -e "${HADOOP_CONF_DIR}/hdfs-env.sh" ]; then
+  if [[ -e "${HADOOP_CONF_DIR}/hdfs-env.sh" ]]; then
     . "${HADOOP_CONF_DIR}/hdfs-env.sh"
   fi
   
@@ -49,7 +49,7 @@ function hadoop_subproject_init
   HADOOP_ROOT_LOGGER=${HADOOP_HDFS_ROOT_LOGGER:-$HADOOP_ROOT_LOGGER}
   HADOOP_HDFS_ROOT_LOGGER="${HADOOP_ROOT_LOGGER}"
   
-  HADOOP_HDFS_HOME="${HADOOP_HDFS_HOME:-$HADOOP_HOME_DIR}"
+  HADOOP_HDFS_HOME="${HADOOP_HDFS_HOME:-$HADOOP_PREFIX}"
   
   HADOOP_IDENT_STRING="${HADOOP_HDFS_IDENT_STRING:-$HADOOP_IDENT_STRING}"
   HADOOP_HDFS_IDENT_STRING="${HADOOP_IDENT_STRING}"
@@ -71,12 +71,13 @@ if [[ -z "${HADOOP_LIBEXEC_DIR}" ]]; then
   HADOOP_LIBEXEC_DIR=$(cd -P -- "$(dirname -- "${_hd_this}")" >/dev/null && pwd -P)
 fi
 
-if [ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]; then
-  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
-elif [ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]; then
+if [[ -n "${HADOOP_COMMON_HOME}" ]] &&
+   [[ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]]; then
   . "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh"
-elif [ -e "${HADOOP_HOME}/libexec/hadoop-config.sh" ]; then
-  . "${HADOOP_HOME}/libexec/hadoop-config.sh"
+elif [[ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
+elif [ -e "${HADOOP_PREFIX}/libexec/hadoop-config.sh" ]; then
+  . "${HADOOP_PREFIX}/libexec/hadoop-config.sh"
 else
   echo "ERROR: Hadoop common not found." 2>&1
   exit 1
diff --git a/hadoop-mapreduce-project/bin/mapred-config.sh b/hadoop-mapreduce-project/bin/mapred-config.sh
index c24d3509c48..c2681ac66b1 100644
--- a/hadoop-mapreduce-project/bin/mapred-config.sh
+++ b/hadoop-mapreduce-project/bin/mapred-config.sh
@@ -20,7 +20,7 @@
 
 function hadoop_subproject_init
 {
-  if [ -e "${HADOOP_CONF_DIR}/mapred-env.sh" ]; then
+  if [[ -e "${HADOOP_CONF_DIR}/mapred-env.sh" ]]; then
     . "${HADOOP_CONF_DIR}/mapred-env.sh"
   fi
   
@@ -49,7 +49,7 @@ function hadoop_subproject_init
   HADOOP_ROOT_LOGGER="${HADOOP_MAPRED_ROOT_LOGGER:-INFO,console}"
   HADOOP_MAPRED_ROOT_LOGGER="${HADOOP_ROOT_LOGGER}"
   
-  HADOOP_MAPRED_HOME="${HADOOP_MAPRED_HOME:-$HADOOP_HOME_DIR}"
+  HADOOP_MAPRED_HOME="${HADOOP_MAPRED_HOME:-$HADOOP_PREFIX}"
   
   HADOOP_IDENT_STRING="${HADOOP_MAPRED_IDENT_STRING:-$HADOOP_IDENT_STRING}"
   HADOOP_MAPRED_IDENT_STRING="${HADOOP_IDENT_STRING}"
@@ -60,13 +60,15 @@ if [[ -z "${HADOOP_LIBEXEC_DIR}" ]]; then
   HADOOP_LIBEXEC_DIR=$(cd -P -- "$(dirname -- "${_mc_this}")" >/dev/null && pwd -P)
 fi
 
-if [[ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
-  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
-elif [[ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]]; then
+if [[ -n "${HADOOP_COMMON_HOME}" ]] &&
+   [[ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]]; then
   . "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh"
-elif [[ -e "${HADOOP_HOME}/libexec/hadoop-config.sh" ]]; then
-  . "${HADOOP_HOME}/libexec/hadoop-config.sh"
+elif [[ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
+elif [ -e "${HADOOP_PREFIX}/libexec/hadoop-config.sh" ]; then
+  . "${HADOOP_PREFIX}/libexec/hadoop-config.sh"
 else
-  echo "Hadoop common not found."
-  exit
+  echo "ERROR: Hadoop common not found." 2>&1
+  exit 1
 fi
+
diff --git a/hadoop-yarn-project/hadoop-yarn/bin/yarn-config.sh b/hadoop-yarn-project/hadoop-yarn/bin/yarn-config.sh
index 34d2d2d0a80..d83e9983d41 100644
--- a/hadoop-yarn-project/hadoop-yarn/bin/yarn-config.sh
+++ b/hadoop-yarn-project/hadoop-yarn/bin/yarn-config.sh
@@ -80,14 +80,14 @@ if [[ -z "${HADOOP_LIBEXEC_DIR}" ]]; then
   HADOOP_LIBEXEC_DIR=$(cd -P -- "$(dirname -- "${_yc_this}")" >/dev/null && pwd -P)
 fi
 
-if [[ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
-  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
-elif [[ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]]; then
+if [[ -n "${HADOOP_COMMON_HOME}" ]] &&
+   [[ -e "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh" ]]; then
   . "${HADOOP_COMMON_HOME}/libexec/hadoop-config.sh"
-elif [[ -e "${HADOOP_HOME}/libexec/hadoop-config.sh" ]]; then
-  . "${HADOOP_HOME}/libexec/hadoop-config.sh"
+elif [[ -e "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh" ]]; then
+  . "${HADOOP_LIBEXEC_DIR}/hadoop-config.sh"
+elif [ -e "${HADOOP_PREFIX}/libexec/hadoop-config.sh" ]; then
+  . "${HADOOP_PREFIX}/libexec/hadoop-config.sh"
 else
-  echo "Hadoop common not found."
-  exit
+  echo "ERROR: Hadoop common not found." 2>&1
+  exit 1
 fi
-

From 812bd0c0e583fce925e3151510860ca9781b3e40 Mon Sep 17 00:00:00 2001
From: Jason Lowe <jlowe@apache.org>
Date: Wed, 27 Aug 2014 15:14:54 +0000
Subject: [PATCH 303/354] MAPREDUCE-5885. build/test/test.mapred.spill causes
 release audit warnings. Contributed by Chen He

---
 hadoop-mapreduce-project/CHANGES.txt          |  3 +
 .../apache/hadoop/mapred/TestComparators.java | 61 ++++++++++++------
 .../hadoop/mapred/TestMapOutputType.java      | 62 ++++++++++++-------
 .../org/apache/hadoop/mapred/TestMapRed.java  | 28 ++++++---
 .../lib/TestKeyFieldBasedComparator.java      | 25 +++++++-
 .../hadoop/mapreduce/TestMapReduce.java       | 30 ++++++---
 6 files changed, 150 insertions(+), 59 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index a6d2981e6e8..de0767d2a45 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -258,6 +258,9 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-6044. Fully qualified intermediate done dir path breaks per-user dir
     creation on Windows. (zjshen)
 
+    MAPREDUCE-5885. build/test/test.mapred.spill causes release audit warnings
+    (Chen He via jlowe)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestComparators.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestComparators.java
index 1cef5cb42f2..f83dbe28578 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestComparators.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestComparators.java
@@ -17,13 +17,30 @@
  */
 package org.apache.hadoop.mapred;
 
-import org.apache.hadoop.fs.*;
-import org.apache.hadoop.io.*;
+import java.io.DataInput;
+import java.io.DataOutput;
+import java.io.File;
+import java.io.IOException;
+import java.util.Iterator;
+import java.util.Random;
+
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.io.IntWritable;
+import org.apache.hadoop.io.SequenceFile;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.io.Writable;
+import org.apache.hadoop.io.WritableComparable;
+import org.apache.hadoop.io.WritableComparator;
 import org.apache.hadoop.mapreduce.MRConfig;
 
-import junit.framework.TestCase;
-import java.io.*;
-import java.util.*;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 
 /**
  * Two different types of comparators can be used in MapReduce. One is used
@@ -37,8 +54,11 @@
  * 2. Test the common use case where values are grouped by keys but values 
  * within each key are grouped by a secondary key (a timestamp, for example). 
  */
-public class TestComparators extends TestCase 
-{
+public class TestComparators {
+  private static final File TEST_DIR = new File(
+      System.getProperty("test.build.data",
+          System.getProperty("java.io.tmpdir")), "TestComparators-mapred");
+
   JobConf conf = new JobConf(TestMapOutputType.class);
   JobClient jc;
   static Random rng = new Random();
@@ -292,9 +312,9 @@ public boolean equals (IntWritable v1, IntWritable v2) {
     }
   }
 
-
+  @Before
   public void configure() throws Exception {
-    Path testdir = new Path("build/test/test.mapred.spill");
+    Path testdir = new Path(TEST_DIR.getAbsolutePath());
     Path inDir = new Path(testdir, "in");
     Path outDir = new Path(testdir, "out");
     FileSystem fs = FileSystem.get(conf);
@@ -334,14 +354,18 @@ public void configure() throws Exception {
     
     jc = new JobClient(conf);
   }
-  
+
+  @After
+  public void cleanup() {
+    FileUtil.fullyDelete(TEST_DIR);
+  }
   /**
    * Test the default comparator for Map/Reduce. 
    * Use the identity mapper and see if the keys are sorted at the end
    * @throws Exception
    */
-  public void testDefaultMRComparator() throws Exception { 
-    configure();
+  @Test
+  public void testDefaultMRComparator() throws Exception {
     conf.setMapperClass(IdentityMapper.class);
     conf.setReducerClass(AscendingKeysReducer.class);
     
@@ -361,8 +385,8 @@ public void testDefaultMRComparator() throws Exception {
    * comparator. Keys should be sorted in reverse order in the reducer. 
    * @throws Exception
    */
-  public void testUserMRComparator() throws Exception { 
-    configure();
+  @Test
+  public void testUserMRComparator() throws Exception {
     conf.setMapperClass(IdentityMapper.class);
     conf.setReducerClass(DescendingKeysReducer.class);
     conf.setOutputKeyComparatorClass(DecreasingIntComparator.class);
@@ -384,8 +408,8 @@ public void testUserMRComparator() throws Exception {
    * values for a key should be sorted by the 'timestamp'. 
    * @throws Exception
    */
-  public void testUserValueGroupingComparator() throws Exception { 
-    configure();
+  @Test
+  public void testUserValueGroupingComparator() throws Exception {
     conf.setMapperClass(RandomGenMapper.class);
     conf.setReducerClass(AscendingGroupReducer.class);
     conf.setOutputValueGroupingComparator(CompositeIntGroupFn.class);
@@ -409,8 +433,8 @@ public void testUserValueGroupingComparator() throws Exception {
    * order. This lets us make sure that the right comparators are used. 
    * @throws Exception
    */
-  public void testAllUserComparators() throws Exception { 
-    configure();
+  @Test
+  public void testAllUserComparators() throws Exception {
     conf.setMapperClass(RandomGenMapper.class);
     // use a decreasing comparator so keys are sorted in reverse order
     conf.setOutputKeyComparatorClass(DecreasingIntComparator.class);
@@ -430,6 +454,7 @@ public void testAllUserComparators() throws Exception {
    * Test a user comparator that relies on deserializing both arguments
    * for each compare.
    */
+  @Test
   public void testBakedUserComparator() throws Exception {
     MyWritable a = new MyWritable(8, 8);
     MyWritable b = new MyWritable(7, 9);
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMapOutputType.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMapOutputType.java
index d11d7bc30b4..e3860fd2e25 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMapOutputType.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMapOutputType.java
@@ -17,21 +17,36 @@
  */
 package org.apache.hadoop.mapred;
 
-import org.apache.hadoop.fs.*;
-import org.apache.hadoop.io.*;
-import org.apache.hadoop.mapred.lib.*;
+import java.io.File;
+import java.io.IOException;
+import java.util.Iterator;
+
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FileUtil;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.io.IntWritable;
+import org.apache.hadoop.io.SequenceFile;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.io.Writable;
+import org.apache.hadoop.io.WritableComparable;
 import org.apache.hadoop.mapreduce.MRConfig;
-import junit.framework.TestCase;
-import java.io.*;
-import java.util.*;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.fail;
+
 
 /** 
  * TestMapOutputType checks whether the Map task handles type mismatch
  * between mapper output and the type specified in
  * JobConf.MapOutputKeyType and JobConf.MapOutputValueType.
  */
-public class TestMapOutputType extends TestCase 
-{
+public class TestMapOutputType {
+  private static final File TEST_DIR = new File(
+      System.getProperty("test.build.data",
+          System.getProperty("java.io.tmpdir")), "TestMapOutputType-mapred");
   JobConf conf = new JobConf(TestMapOutputType.class);
   JobClient jc;
   /** 
@@ -75,9 +90,9 @@ public void close() {
     }
   }
 
-
+  @Before
   public void configure() throws Exception {
-    Path testdir = new Path("build/test/test.mapred.spill");
+    Path testdir = new Path(TEST_DIR.getAbsolutePath());
     Path inDir = new Path(testdir, "in");
     Path outDir = new Path(testdir, "out");
     FileSystem fs = FileSystem.get(conf);
@@ -101,17 +116,21 @@ public void configure() throws Exception {
       throw new IOException("Mkdirs failed to create " + inDir.toString());
     }
     Path inFile = new Path(inDir, "part0");
-    SequenceFile.Writer writer = SequenceFile.createWriter(fs, conf, inFile, 
+    SequenceFile.Writer writer = SequenceFile.createWriter(fs, conf, inFile,
                                                            Text.class, Text.class);
     writer.append(new Text("rec: 1"), new Text("Hello"));
     writer.close();
     
     jc = new JobClient(conf);
   }
-  
+
+  @After
+  public void cleanup() {
+    FileUtil.fullyDelete(TEST_DIR);
+  }
+
+  @Test
   public void testKeyMismatch() throws Exception {
-    configure();
-    
     //  Set bad MapOutputKeyClass and MapOutputValueClass
     conf.setMapOutputKeyClass(IntWritable.class);
     conf.setMapOutputValueClass(IntWritable.class);
@@ -125,11 +144,9 @@ public void testKeyMismatch() throws Exception {
       fail("Oops! The job was supposed to break due to an exception");
     }
   }
-  
+
+  @Test
   public void testValueMismatch() throws Exception {
-    configure();
-  
-    // Set good MapOutputKeyClass, bad MapOutputValueClass    
     conf.setMapOutputKeyClass(Text.class);
     conf.setMapOutputValueClass(IntWritable.class);
     
@@ -142,11 +159,10 @@ public void testValueMismatch() throws Exception {
       fail("Oops! The job was supposed to break due to an exception");
     }
   }
-  
-  public void testNoMismatch() throws Exception{ 
-    configure();
-    
-    //  Set good MapOutputKeyClass and MapOutputValueClass    
+
+  @Test
+  public void testNoMismatch() throws Exception{
+    //  Set good MapOutputKeyClass and MapOutputValueClass
     conf.setMapOutputKeyClass(Text.class);
     conf.setMapOutputValueClass(Text.class);
      
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMapRed.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMapRed.java
index 3f7a6f7e3b4..02a083b4f0a 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMapRed.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestMapRed.java
@@ -24,7 +24,7 @@
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.OutputStreamWriter;
-import java.util.Collections;
+import java.io.File;
 import java.util.EnumSet;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -34,6 +34,7 @@
 import org.apache.hadoop.conf.Configured;
 import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FileUtil;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.io.IntWritable;
 import org.apache.hadoop.io.NullWritable;
@@ -46,11 +47,11 @@
 import org.apache.hadoop.mapreduce.MRConfig;
 import org.apache.hadoop.util.Tool;
 import org.apache.hadoop.util.ToolRunner;
+import org.junit.After;
 import org.junit.Test;
 
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
 
 /**********************************************************
  * MapredLoadTest generates a bunch of work that exercises
@@ -110,6 +111,10 @@ public class TestMapRed extends Configured implements Tool {
    * of numbers in random order, but where each number appears
    * as many times as we were instructed.
    */
+  private static final File TEST_DIR = new File(
+      System.getProperty("test.build.data",
+          System.getProperty("java.io.tmpdir")), "TestMapRed-mapred");
+
   static class RandomGenMapper
     implements Mapper<IntWritable, IntWritable, IntWritable, IntWritable> {
     
@@ -248,6 +253,11 @@ public void close() {
   private static int counts = 100;
   private static Random r = new Random();
 
+  @After
+  public void cleanup() {
+    FileUtil.fullyDelete(TEST_DIR);
+  }
+
   /**
      public TestMapRed(int range, int counts, Configuration conf) throws IOException {
      this.range = range;
@@ -372,7 +382,7 @@ private void checkCompression(boolean compressMapOutputs,
                                 boolean includeCombine
                                 ) throws Exception {
     JobConf conf = new JobConf(TestMapRed.class);
-    Path testdir = new Path("build/test/test.mapred.compress");
+    Path testdir = new Path(TEST_DIR.getAbsolutePath());
     Path inDir = new Path(testdir, "in");
     Path outDir = new Path(testdir, "out");
     FileSystem fs = FileSystem.get(conf);
@@ -440,7 +450,7 @@ public void launch() throws Exception {
     //
     // Generate distribution of ints.  This is the answer key.
     //
-    JobConf conf = null;
+    JobConf conf;
     //Check to get configuration and check if it is configured thro' Configured
     //interface. This would happen when running testcase thro' command line.
     if(getConf() == null) {
@@ -465,7 +475,7 @@ public void launch() throws Exception {
     // Write the answer key to a file.  
     //
     FileSystem fs = FileSystem.get(conf);
-    Path testdir = new Path("mapred.loadtest");
+    Path testdir = new Path(TEST_DIR.getAbsolutePath(), "mapred.loadtest");
     if (!fs.mkdirs(testdir)) {
       throw new IOException("Mkdirs failed to create " + testdir.toString());
     }
@@ -635,8 +645,8 @@ public void launch() throws Exception {
       in.close();
     }
     int originalTotal = 0;
-    for (int i = 0; i < dist.length; i++) {
-      originalTotal += dist[i];
+    for (int aDist : dist) {
+      originalTotal += aDist;
     }
     System.out.println("Original sum: " + originalTotal);
     System.out.println("Recomputed sum: " + totalseen);
@@ -727,7 +737,7 @@ public void testBiggerInput(){
   public void runJob(int items) {
     try {
       JobConf conf = new JobConf(TestMapRed.class);
-      Path testdir = new Path("build/test/test.mapred.spill");
+      Path testdir = new Path(TEST_DIR.getAbsolutePath());
       Path inDir = new Path(testdir, "in");
       Path outDir = new Path(testdir, "out");
       FileSystem fs = FileSystem.get(conf);
@@ -777,7 +787,7 @@ public int run(String[] argv) throws Exception {
       System.err.println("Usage: TestMapRed <range> <counts>");
       System.err.println();
       System.err.println("Note: a good test will have a " +
-      		"<counts> value that is substantially larger than the <range>");
+          "<counts> value that is substantially larger than the <range>");
       return -1;
     }
 
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/lib/TestKeyFieldBasedComparator.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/lib/TestKeyFieldBasedComparator.java
index 0bee2b564b9..34a4d2c6c92 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/lib/TestKeyFieldBasedComparator.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/lib/TestKeyFieldBasedComparator.java
@@ -18,7 +18,6 @@
 
 package org.apache.hadoop.mapred.lib;
 
-import java.io.*;
 
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.FileUtil;
@@ -35,9 +34,23 @@
 import org.apache.hadoop.mapred.TextInputFormat;
 import org.apache.hadoop.mapred.TextOutputFormat;
 import org.apache.hadoop.mapred.Utils;
+import org.junit.After;
+import org.junit.Test;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 
 
 public class TestKeyFieldBasedComparator extends HadoopTestCase {
+
+  private static final File TEST_DIR = new File(
+      System.getProperty("test.build.data",
+          System.getProperty("java.io.tmpdir")),
+          "TestKeyFieldBasedComparator-lib");
   JobConf conf;
   JobConf localConf;
   
@@ -50,8 +63,9 @@ public TestKeyFieldBasedComparator() throws IOException {
     localConf = createJobConf();
     localConf.set(JobContext.MAP_OUTPUT_KEY_FIELD_SEPERATOR, " ");
   }
+
   public void configure(String keySpec, int expect) throws Exception {
-    Path testdir = new Path("build/test/test.mapred.spill");
+    Path testdir = new Path(TEST_DIR.getAbsolutePath());
     Path inDir = new Path(testdir, "in");
     Path outDir = new Path(testdir, "out");
     FileSystem fs = getFileSystem();
@@ -116,6 +130,13 @@ public void configure(String keySpec, int expect) throws Exception {
       reader.close();
     }
   }
+
+  @After
+  public void cleanup() {
+    FileUtil.fullyDelete(TEST_DIR);
+  }
+
+  @Test
   public void testBasicUnixComparator() throws Exception {
     configure("-k1,1n", 1);
     configure("-k2,2n", 1);
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/TestMapReduce.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/TestMapReduce.java
index 01e1283dd23..48ad47af220 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/TestMapReduce.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/TestMapReduce.java
@@ -23,14 +23,14 @@
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.OutputStreamWriter;
+import java.io.File;
 import java.util.Iterator;
 import java.util.Random;
 
-import junit.framework.TestCase;
-
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FileUtil;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.io.IntWritable;
 import org.apache.hadoop.io.SequenceFile;
@@ -41,6 +41,10 @@
 import org.apache.hadoop.mapreduce.lib.output.FileOutputFormat;
 import org.apache.hadoop.mapreduce.lib.output.MapFileOutputFormat;
 import org.apache.hadoop.mapreduce.lib.output.SequenceFileOutputFormat;
+import org.junit.After;
+import org.junit.Test;
+
+import static org.junit.Assert.assertTrue;
 
 /**********************************************************
  * MapredLoadTest generates a bunch of work that exercises
@@ -75,8 +79,10 @@
  * 7) A mapred job integrates all the count files into a single one.
  *
  **********************************************************/
-public class TestMapReduce extends TestCase {
-  
+public class TestMapReduce {
+  private static final File TEST_DIR = new File(
+      System.getProperty("test.build.data",
+          System.getProperty("java.io.tmpdir")), "TestMapReduce-mapreduce");
   private static FileSystem fs;
   
   static {
@@ -215,6 +221,12 @@ public void reduce(IntWritable key, Iterator<IntWritable> it,
   private static int counts = 100;
   private static Random r = new Random();
 
+  @After
+  public void cleanup() {
+    FileUtil.fullyDelete(TEST_DIR);
+  }
+
+  @Test
   public void testMapred() throws Exception {
     launch();
   }
@@ -239,7 +251,7 @@ private static void launch() throws Exception {
     //
     // Write the answer key to a file.  
     //
-    Path testdir = new Path("mapred.loadtest");
+    Path testdir = new Path(TEST_DIR.getAbsolutePath());
     if (!fs.mkdirs(testdir)) {
       throw new IOException("Mkdirs failed to create " + testdir.toString());
     }
@@ -488,13 +500,17 @@ public static void main(String[] argv) throws Exception {
       System.err.println("Usage: TestMapReduce <range> <counts>");
       System.err.println();
       System.err.println("Note: a good test will have a <counts> value" +
-        " that is substantially larger than the <range>");
+          " that is substantially larger than the <range>");
       return;
     }
 
     int i = 0;
     range = Integer.parseInt(argv[i++]);
     counts = Integer.parseInt(argv[i++]);
-    launch();
+    try {
+      launch();
+    } finally {
+      FileUtil.fullyDelete(TEST_DIR);
+    }
   }
 }

From c5d9a4a91e4e0faae3a8530408da35b591396060 Mon Sep 17 00:00:00 2001
From: arp <arp@apache.org>
Date: Wed, 27 Aug 2014 09:52:33 -0700
Subject: [PATCH 304/354] HDFS-6694.
 TestPipelinesFailover.testPipelineRecoveryStress tests fail intermittently
 with various symptoms - debugging patch (Contributed by Yongjun Zhang)

---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  4 +++
 .../namenode/ha/TestPipelinesFailover.java    | 28 +++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 4e60c46388c..fb3906afb5c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -348,6 +348,10 @@ Trunk (Unreleased)
 
     HDFS-6905. fs-encryption merge triggered release audit failures. (clamb via tucu)
 
+    HDFS-6694. TestPipelinesFailover.testPipelineRecoveryStress tests fail
+    intermittently with various symptoms - debugging patch. (Yongjun Zhang via
+    Arpit Agarwal)
+
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestPipelinesFailover.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestPipelinesFailover.java
index bba3dbb1196..08c652553e9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestPipelinesFailover.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestPipelinesFailover.java
@@ -58,6 +58,7 @@
 import org.apache.hadoop.test.GenericTestUtils.DelayAnswer;
 import org.apache.hadoop.test.MultithreadedTestUtil.RepeatingTestThread;
 import org.apache.hadoop.test.MultithreadedTestUtil.TestContext;
+import org.apache.hadoop.util.Shell.ShellCommandExecutor;
 import org.apache.log4j.Level;
 import org.junit.Test;
 import org.mockito.Mockito;
@@ -420,6 +421,33 @@ public void testFailoverRightBeforeCommitSynchronization() throws Exception {
    */
   @Test(timeout=STRESS_RUNTIME*3)
   public void testPipelineRecoveryStress() throws Exception {
+
+    // The following section of code is to help debug HDFS-6694 about
+    // this test that fails from time to time due to "too many open files".
+    //
+    String[] scmd = new String[] {"/bin/sh", "-c", "ulimit -a"};
+    ShellCommandExecutor sce = new ShellCommandExecutor(scmd);
+    sce.execute();
+
+    System.out.println("HDFS-6694 Debug Data BEGIN===");
+    System.out.println("'ulimit -a' output:\n" + sce.getOutput());
+
+    scmd = new String[] {"hostname"};
+    sce = new ShellCommandExecutor(scmd);
+    sce.execute();
+    System.out.println("'hostname' output:\n" + sce.getOutput());
+
+    scmd = new String[] {"ifconfig"};
+    sce = new ShellCommandExecutor(scmd);
+    sce.execute();
+    System.out.println("'ifconfig' output:\n" + sce.getOutput());
+
+    scmd = new String[] {"whoami"};
+    sce = new ShellCommandExecutor(scmd);
+    sce.execute();
+    System.out.println("'whoami' output:\n" + sce.getOutput());
+    System.out.println("===HDFS-6694 Debug Data END");
+
     HAStressTestHarness harness = new HAStressTestHarness();
     // Disable permissions so that another user can recover the lease.
     harness.conf.setBoolean(

From e2d0ff364a84a4de10e7b11fe83cd3dab155a571 Mon Sep 17 00:00:00 2001
From: Jian He <jhe@hortonworks.com>
Date: Wed, 27 Aug 2014 10:02:45 -0700
Subject: [PATCH 305/354] YARN-2182. Updated ContainerId#toString() to append
 RM Epoch number. Contributed by Tsuyoshi OZAWA

---
 hadoop-yarn-project/CHANGES.txt                        |  3 +++
 .../apache/hadoop/yarn/api/records/ContainerId.java    | 10 +++++++---
 .../org/apache/hadoop/yarn/api/TestContainerId.java    |  4 +++-
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 36d304c7876..871829ac369 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -157,6 +157,9 @@ Release 2.6.0 - UNRELEASED
     YARN-1326. RM should log using RMStore at startup time. 
     (Tsuyoshi Ozawa via kasha)
 
+    YARN-2182. Updated ContainerId#toString() to append RM Epoch number.
+    (Tsuyoshi OZAWA via jianhe)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ContainerId.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ContainerId.java
index 73e80859049..fc7f40488ec 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ContainerId.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ContainerId.java
@@ -83,7 +83,7 @@ public static ContainerId newInstance(ApplicationAttemptId appAttemptId,
  
   
   // TODO: fail the app submission if attempts are more than 10 or something
-  private static final ThreadLocal<NumberFormat> appAttemptIdFormat =
+  private static final ThreadLocal<NumberFormat> appAttemptIdAndEpochFormat =
       new ThreadLocal<NumberFormat>() {
         @Override
         public NumberFormat initialValue() {
@@ -153,9 +153,13 @@ public String toString() {
     sb.append(ApplicationId.appIdFormat.get().format(appId.getId()))
         .append("_");
     sb.append(
-        appAttemptIdFormat.get().format(
+        appAttemptIdAndEpochFormat.get().format(
             getApplicationAttemptId().getAttemptId())).append("_");
-    sb.append(containerIdFormat.get().format(getId()));
+    sb.append(containerIdFormat.get().format(0x3fffff & getId()));
+    int epoch = getId() >> 22;
+    if (epoch > 0) {
+      sb.append("_").append(appAttemptIdAndEpochFormat.get().format(epoch));
+    }
     return sb.toString();
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/api/TestContainerId.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/api/TestContainerId.java
index f92df8a8d0c..b23d0ed3fbc 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/api/TestContainerId.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/api/TestContainerId.java
@@ -54,7 +54,9 @@ public void testContainerId() {
     long ts = System.currentTimeMillis();
     ContainerId c6 = newContainerId(36473, 4365472, ts, 25645811);
     Assert.assertEquals("container_10_0001_01_000001", c1.toString());
-    Assert.assertEquals("container_" + ts + "_36473_4365472_25645811",
+    Assert.assertEquals(479987, 0x003fffff & c6.getId());
+    Assert.assertEquals(6, c6.getId() >> 22);
+    Assert.assertEquals("container_" + ts + "_36473_4365472_479987_06",
         c6.toString());
   }
 

From 6b441d227a8806e87224106a81361bd61f0b3d0b Mon Sep 17 00:00:00 2001
From: Jing Zhao <jing9@apache.org>
Date: Wed, 27 Aug 2014 10:26:22 -0700
Subject: [PATCH 306/354] HDFS-6908. Incorrect snapshot directory diff
 generated by snapshot deletion. Contributed by Juan Yu and Jing Zhao.

---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../DirectoryWithSnapshotFeature.java         | 10 ++-
 .../snapshot/TestSnapshotDeletion.java        | 77 ++++++++++++++++++-
 3 files changed, 85 insertions(+), 5 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index fb3906afb5c..63c434d7085 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -642,6 +642,9 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-4852. libhdfs documentation is out of date. (cnauroth)
 
+    HDFS-6908. Incorrect snapshot directory diff generated by snapshot deletion.
+    (Juan Yu and jing9 via jing9)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/snapshot/DirectoryWithSnapshotFeature.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/snapshot/DirectoryWithSnapshotFeature.java
index 9893bbaf2e2..9c9d435a34e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/snapshot/DirectoryWithSnapshotFeature.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/snapshot/DirectoryWithSnapshotFeature.java
@@ -722,6 +722,8 @@ public Quota.Counts cleanDirectory(final INodeDirectory currentINode,
         counts.add(lastDiff.diff.destroyCreatedList(currentINode,
             collectedBlocks, removedINodes));
       }
+      counts.add(currentINode.cleanSubtreeRecursively(snapshot, prior,
+          collectedBlocks, removedINodes, priorDeleted, countDiffChange));
     } else {
       // update prior
       prior = getDiffs().updatePrior(snapshot, prior);
@@ -739,7 +741,9 @@ public Quota.Counts cleanDirectory(final INodeDirectory currentINode,
       
       counts.add(getDiffs().deleteSnapshotDiff(snapshot, prior,
           currentINode, collectedBlocks, removedINodes, countDiffChange));
-      
+      counts.add(currentINode.cleanSubtreeRecursively(snapshot, prior,
+          collectedBlocks, removedINodes, priorDeleted, countDiffChange));
+
       // check priorDiff again since it may be created during the diff deletion
       if (prior != Snapshot.NO_SNAPSHOT_ID) {
         DirectoryDiff priorDiff = this.getDiffs().getDiffById(prior);
@@ -778,9 +782,7 @@ public Quota.Counts cleanDirectory(final INodeDirectory currentINode,
         }
       }
     }
-    counts.add(currentINode.cleanSubtreeRecursively(snapshot, prior,
-        collectedBlocks, removedINodes, priorDeleted, countDiffChange));
-    
+
     if (currentINode.isQuotaSet()) {
       currentINode.getDirectoryWithQuotaFeature().addSpaceConsumed2Cache(
           -counts.get(Quota.NAMESPACE), -counts.get(Quota.DISKSPACE));
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestSnapshotDeletion.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestSnapshotDeletion.java
index 77fa2a20cf2..1450a7d2321 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestSnapshotDeletion.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestSnapshotDeletion.java
@@ -19,6 +19,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -558,7 +559,81 @@ public void testDeleteEarliestSnapshot2() throws Exception {
           + toDeleteFileInSnapshot.toString(), e);
     }
   }
-  
+
+  /**
+   * Delete a snapshot that is taken before a directory deletion,
+   * directory diff list should be combined correctly.
+   */
+  @Test (timeout=60000)
+  public void testDeleteSnapshot1() throws Exception {
+    final Path root = new Path("/");
+
+    Path dir = new Path("/dir1");
+    Path file1 = new Path(dir, "file1");
+    DFSTestUtil.createFile(hdfs, file1, BLOCKSIZE, REPLICATION, seed);
+
+    hdfs.allowSnapshot(root);
+    hdfs.createSnapshot(root, "s1");
+
+    Path file2 = new Path(dir, "file2");
+    DFSTestUtil.createFile(hdfs, file2, BLOCKSIZE, REPLICATION, seed);
+
+    hdfs.createSnapshot(root, "s2");
+
+    // delete file
+    hdfs.delete(file1, true);
+    hdfs.delete(file2, true);
+
+    // delete directory
+    assertTrue(hdfs.delete(dir, false));
+
+    // delete second snapshot
+    hdfs.deleteSnapshot(root, "s2");
+
+    NameNodeAdapter.enterSafeMode(cluster.getNameNode(), false);
+    NameNodeAdapter.saveNamespace(cluster.getNameNode());
+
+    // restart NN
+    cluster.restartNameNodes();
+  }
+
+  /**
+   * Delete a snapshot that is taken before a directory deletion (recursively),
+   * directory diff list should be combined correctly.
+   */
+  @Test (timeout=60000)
+  public void testDeleteSnapshot2() throws Exception {
+    final Path root = new Path("/");
+
+    Path dir = new Path("/dir1");
+    Path file1 = new Path(dir, "file1");
+    DFSTestUtil.createFile(hdfs, file1, BLOCKSIZE, REPLICATION, seed);
+
+    hdfs.allowSnapshot(root);
+    hdfs.createSnapshot(root, "s1");
+
+    Path file2 = new Path(dir, "file2");
+    DFSTestUtil.createFile(hdfs, file2, BLOCKSIZE, REPLICATION, seed);
+    INodeFile file2Node = fsdir.getINode(file2.toString()).asFile();
+    long file2NodeId = file2Node.getId();
+
+    hdfs.createSnapshot(root, "s2");
+
+    // delete directory recursively
+    assertTrue(hdfs.delete(dir, true));
+    assertNotNull(fsdir.getInode(file2NodeId));
+
+    // delete second snapshot
+    hdfs.deleteSnapshot(root, "s2");
+    assertTrue(fsdir.getInode(file2NodeId) == null);
+
+    NameNodeAdapter.enterSafeMode(cluster.getNameNode(), false);
+    NameNodeAdapter.saveNamespace(cluster.getNameNode());
+
+    // restart NN
+    cluster.restartNameNodes();
+  }
+
   /**
    * Test deleting snapshots in a more complicated scenario: need to combine
    * snapshot diffs, but no need to handle diffs distributed in a dir tree

From cd9182d8b5f60428f6c91b0eb0b2e61d52a07020 Mon Sep 17 00:00:00 2001
From: brandonli <Brandon@Brandons-MacBook-Pro-2.local>
Date: Wed, 27 Aug 2014 11:06:01 -0700
Subject: [PATCH 307/354] HDFS-6892. Add XDR packaging method for each NFS
 request. Contributed by Brandon Li

---
 .../nfs/nfs3/request/ACCESS3Request.java      |  15 +-
 .../nfs/nfs3/request/COMMIT3Request.java      |  23 +-
 .../nfs/nfs3/request/CREATE3Request.java      |  18 +-
 .../nfs/nfs3/request/FSINFO3Request.java      |  15 +-
 .../nfs/nfs3/request/FSSTAT3Request.java      |  15 +-
 .../nfs/nfs3/request/GETATTR3Request.java     |  15 +-
 .../nfs/nfs3/request/LOOKUP3Request.java      |   9 +-
 .../nfs/nfs3/request/MKDIR3Request.java       |  26 +-
 .../hadoop/nfs/nfs3/request/NFS3Request.java  |  45 ++++
 .../nfs/nfs3/request/PATHCONF3Request.java    |  15 +-
 .../hadoop/nfs/nfs3/request/READ3Request.java |   9 +-
 .../nfs/nfs3/request/READDIR3Request.java     |  30 ++-
 .../nfs/nfs3/request/READDIRPLUS3Request.java |  33 ++-
 .../nfs/nfs3/request/READLINK3Request.java    |  15 +-
 .../nfs/nfs3/request/REMOVE3Request.java      |  20 +-
 .../nfs/nfs3/request/RENAME3Request.java      |  37 ++-
 .../nfs/nfs3/request/RMDIR3Request.java       |  20 +-
 .../nfs/nfs3/request/RequestWithHandle.java   |  16 +-
 .../nfs/nfs3/request/SETATTR3Request.java     |  29 ++-
 .../nfs/nfs3/request/SYMLINK3Request.java     |  30 ++-
 .../hadoop/nfs/nfs3/request/SetAttr3.java     |   9 +
 .../nfs/nfs3/request/WRITE3Request.java       |  13 +-
 .../hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java  |  38 +--
 .../hdfs/nfs/nfs3/TestRpcProgramNfs3.java     | 241 +++++++++---------
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   2 +
 25 files changed, 507 insertions(+), 231 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/NFS3Request.java

diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/ACCESS3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/ACCESS3Request.java
index 2470108d97a..ea1ba86b9cf 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/ACCESS3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/ACCESS3Request.java
@@ -19,13 +19,24 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
  * ACCESS3 Request
  */
 public class ACCESS3Request extends RequestWithHandle {
-  public ACCESS3Request(XDR xdr) throws IOException {
-    super(xdr);
+  public static ACCESS3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    return new ACCESS3Request(handle);
+  }
+
+  public ACCESS3Request(FileHandle handle) {
+    super(handle);
+  }
+  
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);    
   }
 }
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/COMMIT3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/COMMIT3Request.java
index 810c41bdd84..ba84d4298f1 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/COMMIT3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/COMMIT3Request.java
@@ -19,6 +19,7 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
@@ -28,10 +29,17 @@ public class COMMIT3Request extends RequestWithHandle {
   private final long offset;
   private final int count;
 
-  public COMMIT3Request(XDR xdr) throws IOException {
-    super(xdr);
-    offset = xdr.readHyper();
-    count = xdr.readInt();
+  public static COMMIT3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    long offset = xdr.readHyper();
+    int count = xdr.readInt();
+    return new COMMIT3Request(handle, offset, count);
+  }
+  
+  public COMMIT3Request(FileHandle handle, long offset, int count) {
+    super(handle);
+    this.offset = offset;
+    this.count = count;
   }
 
   public long getOffset() {
@@ -41,4 +49,11 @@ public long getOffset() {
   public int getCount() {
     return this.count;
   }
+
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr); 
+    xdr.writeLongAsHyper(offset);
+    xdr.writeInt(count);
+  }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/CREATE3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/CREATE3Request.java
index b444c99ca79..473d5276463 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/CREATE3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/CREATE3Request.java
@@ -29,8 +29,8 @@
 public class CREATE3Request extends RequestWithHandle {
   private final String name;
   private final int mode;
-  private SetAttr3 objAttr = null;
-  private long verf;
+  private final SetAttr3 objAttr;
+  private long verf = 0;
 
   public CREATE3Request(FileHandle handle, String name, int mode,
       SetAttr3 objAttr, long verf) {
@@ -41,12 +41,12 @@ public CREATE3Request(FileHandle handle, String name, int mode,
     this.verf = verf;
   }
   
-  public CREATE3Request(XDR xdr) throws IOException {
-    super(xdr);
-    name = xdr.readString();
-    mode = xdr.readInt();
-
-    objAttr = new SetAttr3();
+  public static CREATE3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    String name = xdr.readString();
+    int mode = xdr.readInt();
+    SetAttr3 objAttr = new SetAttr3();
+    long verf = 0;
     if ((mode == Nfs3Constant.CREATE_UNCHECKED)
         || (mode == Nfs3Constant.CREATE_GUARDED)) {
       objAttr.deserialize(xdr);
@@ -55,6 +55,7 @@ public CREATE3Request(XDR xdr) throws IOException {
     } else {
       throw new IOException("Wrong create mode:" + mode);
     }
+    return new CREATE3Request(handle, name, mode, objAttr, verf);
   }
 
   public String getName() {
@@ -81,4 +82,5 @@ public void serialize(XDR xdr) {
     xdr.writeInt(mode);
     objAttr.serialize(xdr);
   }
+
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/FSINFO3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/FSINFO3Request.java
index 26b65be6173..92c8ed87860 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/FSINFO3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/FSINFO3Request.java
@@ -19,13 +19,24 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
  * FSINFO3 Request
  */
 public class FSINFO3Request extends RequestWithHandle {
-  public FSINFO3Request(XDR xdr) throws IOException {
-    super(xdr);
+  public static FSINFO3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    return new FSINFO3Request(handle);
+  }
+
+  public FSINFO3Request(FileHandle handle) {
+    super(handle);
+  }
+  
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);    
   }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/FSSTAT3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/FSSTAT3Request.java
index 90bec155432..c6c620df4d2 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/FSSTAT3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/FSSTAT3Request.java
@@ -19,13 +19,24 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
  * FSSTAT3 Request
  */
 public class FSSTAT3Request extends RequestWithHandle {
-  public FSSTAT3Request(XDR xdr) throws IOException {
-    super(xdr);
+  public static FSSTAT3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    return new FSSTAT3Request(handle);
+  }
+
+  public FSSTAT3Request(FileHandle handle) {
+    super(handle);
+  }
+  
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);    
   }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/GETATTR3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/GETATTR3Request.java
index e1d69d1f570..b06b4b1b2b3 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/GETATTR3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/GETATTR3Request.java
@@ -19,13 +19,24 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
  * GETATTR3 Request
  */
 public class GETATTR3Request extends RequestWithHandle {
-  public GETATTR3Request(XDR xdr) throws IOException {
-    super(xdr);
+  public static GETATTR3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    return new GETATTR3Request(handle);
+  }
+
+  public GETATTR3Request(FileHandle handle) {
+    super(handle);
+  }
+  
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);    
   }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/LOOKUP3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/LOOKUP3Request.java
index e461ec32648..4661821a68b 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/LOOKUP3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/LOOKUP3Request.java
@@ -35,9 +35,10 @@ public LOOKUP3Request(FileHandle handle, String name) {
     this.name = name;
   }
   
-  public LOOKUP3Request(XDR xdr) throws IOException {
-    super(xdr);
-    name = xdr.readString();
+  public static LOOKUP3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    String name = xdr.readString();
+    return new LOOKUP3Request(handle, name);
   }
 
   public String getName() {
@@ -51,7 +52,7 @@ public void setName(String name) {
   @Override
   @VisibleForTesting
   public void serialize(XDR xdr) {
-    super.serialize(xdr);
+    handle.serialize(xdr);
     xdr.writeInt(name.getBytes().length);
     xdr.writeFixedOpaque(name.getBytes());
   }
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/MKDIR3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/MKDIR3Request.java
index 170de8cf56d..b3ef828a7ec 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/MKDIR3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/MKDIR3Request.java
@@ -19,6 +19,7 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
@@ -28,13 +29,20 @@ public class MKDIR3Request extends RequestWithHandle {
   private final String name;
   private final SetAttr3 objAttr;
 
-  public MKDIR3Request(XDR xdr) throws IOException {
-    super(xdr);
-    name = xdr.readString();
-    objAttr = new SetAttr3();
+  public static MKDIR3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    String name = xdr.readString();
+    SetAttr3 objAttr = new SetAttr3();
     objAttr.deserialize(xdr);
+    return new MKDIR3Request(handle, name, objAttr);
   }
-  
+
+  public MKDIR3Request(FileHandle handle, String name, SetAttr3 objAttr) {
+    super(handle);
+    this.name = name;
+    this.objAttr = objAttr;
+  }
+
   public String getName() {
     return name;
   }
@@ -42,4 +50,12 @@ public String getName() {
   public SetAttr3 getObjAttr() {
     return objAttr;
   }
+
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);
+    xdr.writeInt(name.getBytes().length);
+    xdr.writeFixedOpaque(name.getBytes());
+    objAttr.serialize(xdr);
+  }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/NFS3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/NFS3Request.java
new file mode 100644
index 00000000000..cffa215f313
--- /dev/null
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/NFS3Request.java
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.nfs.nfs3.request;
+
+import java.io.IOException;
+
+import org.apache.hadoop.nfs.nfs3.FileHandle;
+import org.apache.hadoop.oncrpc.XDR;
+
+/**
+ * An NFS request that uses {@link FileHandle} to identify a file.
+ */
+public abstract class NFS3Request {
+  
+  /**
+   * Deserialize a handle from an XDR object
+   */
+  static FileHandle readHandle(XDR xdr) throws IOException {
+    FileHandle handle = new FileHandle();
+    if (!handle.deserialize(xdr)) {
+      throw new IOException("can't deserialize file handle");
+    }
+    return handle;
+  }
+  
+  /**
+   * Subclass should implement. Usually handle is the first to be serialized
+   */
+  public abstract void serialize(XDR xdr);
+}
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/PATHCONF3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/PATHCONF3Request.java
index d5142646878..bff80384ca7 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/PATHCONF3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/PATHCONF3Request.java
@@ -19,13 +19,24 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
  * PATHCONF3 Request
  */
 public class PATHCONF3Request extends RequestWithHandle {
-  public PATHCONF3Request(XDR xdr) throws IOException {
-    super(xdr);
+  public static PATHCONF3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    return new PATHCONF3Request(handle);
+  }
+  
+  public PATHCONF3Request(FileHandle handle) {
+    super(handle);
+  }
+  
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);
   }
 }
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READ3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READ3Request.java
index 6d95f5e9f84..5898ec588ff 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READ3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READ3Request.java
@@ -31,10 +31,11 @@ public class READ3Request extends RequestWithHandle {
   private final long offset;
   private final int count;
 
-  public READ3Request(XDR xdr) throws IOException {
-    super(xdr);
-    offset = xdr.readHyper();
-    count = xdr.readInt();
+  public static READ3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    long offset = xdr.readHyper();
+    int count = xdr.readInt();
+    return new READ3Request(handle, offset, count);
   }
 
   @VisibleForTesting
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READDIR3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READDIR3Request.java
index c9835b9a321..79245c1ced6 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READDIR3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READDIR3Request.java
@@ -19,6 +19,7 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
@@ -29,13 +30,22 @@ public class READDIR3Request extends RequestWithHandle {
   private final long cookieVerf;
   private final int count;
 
-  public READDIR3Request(XDR xdr) throws IOException {
-    super(xdr);
-    cookie = xdr.readHyper();
-    cookieVerf = xdr.readHyper();
-    count = xdr.readInt();
+  public static READDIR3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    long cookie = xdr.readHyper();
+    long cookieVerf = xdr.readHyper();
+    int count = xdr.readInt();
+    return new READDIR3Request(handle, cookie, cookieVerf, count);
   }
-
+  
+  public READDIR3Request(FileHandle handle, long cookie, long cookieVerf,
+      int count) {
+    super(handle);
+    this.cookie = cookie;
+    this.cookieVerf = cookieVerf;
+    this.count = count;
+  }
+  
   public long getCookie() {
     return this.cookie;
   }
@@ -47,4 +57,12 @@ public long getCookieVerf() {
   public long getCount() {
     return this.count;
   }
+
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);
+    xdr.writeLongAsHyper(cookie);
+    xdr.writeLongAsHyper(cookieVerf);
+    xdr.writeInt(count);
+  }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READDIRPLUS3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READDIRPLUS3Request.java
index 2994fe996ba..c1e43652e85 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READDIRPLUS3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READDIRPLUS3Request.java
@@ -19,6 +19,7 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
@@ -30,14 +31,25 @@ public class READDIRPLUS3Request extends RequestWithHandle {
   private final int dirCount;
   private final int maxCount;
 
-  public READDIRPLUS3Request(XDR xdr) throws IOException {
-    super(xdr);
-    cookie = xdr.readHyper();
-    cookieVerf = xdr.readHyper();
-    dirCount = xdr.readInt();
-    maxCount = xdr.readInt();
+  public static READDIRPLUS3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    long cookie = xdr.readHyper();
+    long cookieVerf = xdr.readHyper();
+    int dirCount = xdr.readInt();
+    int maxCount = xdr.readInt();
+    return new READDIRPLUS3Request(handle, cookie, cookieVerf, dirCount,
+        maxCount);
   }
 
+  public READDIRPLUS3Request(FileHandle handle, long cookie, long cookieVerf,
+      int dirCount, int maxCount) {
+    super(handle);
+    this.cookie = cookie;
+    this.cookieVerf = cookieVerf;
+    this.dirCount = dirCount;
+    this.maxCount = maxCount;
+  }
+  
   public long getCookie() {
     return this.cookie;
   }
@@ -53,4 +65,13 @@ public int getDirCount() {
   public int getMaxCount() {
     return maxCount;
   }
+
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);
+    xdr.writeLongAsHyper(cookie);
+    xdr.writeLongAsHyper(cookieVerf);
+    xdr.writeInt(dirCount);
+    xdr.writeInt(maxCount);
+  }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READLINK3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READLINK3Request.java
index 3b0e8a4dbe2..15fe8f0feed 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READLINK3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/READLINK3Request.java
@@ -19,6 +19,7 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
@@ -26,7 +27,17 @@
  */
 public class READLINK3Request extends RequestWithHandle {
 
-  public READLINK3Request(XDR xdr) throws IOException {
-    super(xdr);
+  public static READLINK3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    return new READLINK3Request(handle);
+  }
+  
+  public READLINK3Request(FileHandle handle) {
+    super(handle);
+  }
+  
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);   
   }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/REMOVE3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/REMOVE3Request.java
index 901d80332e0..ffd47b0e5dc 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/REMOVE3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/REMOVE3Request.java
@@ -19,6 +19,7 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
@@ -27,12 +28,25 @@
 public class REMOVE3Request extends RequestWithHandle {
   private final String name;
 
-  public REMOVE3Request(XDR xdr) throws IOException {
-    super(xdr);
-    name = xdr.readString();
+  public static REMOVE3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    String name = xdr.readString();
+    return new REMOVE3Request(handle, name);
   }
 
+  public REMOVE3Request(FileHandle handle, String name) {
+    super(handle);
+    this.name = name;
+  }
+  
   public String getName() {
     return this.name;
   }
+
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);
+    xdr.writeInt(name.getBytes().length);
+    xdr.writeFixedOpaque(name.getBytes());
+  }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RENAME3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RENAME3Request.java
index 6fdccffdea3..5144e8a4910 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RENAME3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RENAME3Request.java
@@ -25,23 +25,26 @@
 /**
  * RENAME3 Request
  */
-public class RENAME3Request {
+public class RENAME3Request extends NFS3Request {
   private final FileHandle fromDirHandle;
   private final String fromName;
   private final FileHandle toDirHandle;
   private final String toName;
   
-  public RENAME3Request(XDR xdr) throws IOException {
-    fromDirHandle = new FileHandle();
-    if (!fromDirHandle.deserialize(xdr)) {
-      throw new IOException("can't deserialize file handle");
-    }
-    fromName = xdr.readString();
-    toDirHandle = new FileHandle();
-    if (!toDirHandle.deserialize(xdr)) {
-      throw new IOException("can't deserialize file handle");
-    }
-    toName = xdr.readString();
+  public static RENAME3Request deserialize(XDR xdr) throws IOException {
+    FileHandle fromDirHandle = readHandle(xdr);
+    String fromName = xdr.readString();
+    FileHandle toDirHandle = readHandle(xdr);
+    String toName = xdr.readString();
+    return new RENAME3Request(fromDirHandle, fromName, toDirHandle, toName);
+  }
+  
+  public RENAME3Request(FileHandle fromDirHandle, String fromName,
+      FileHandle toDirHandle, String toName) {
+    this.fromDirHandle = fromDirHandle;
+    this.fromName = fromName;
+    this.toDirHandle = toDirHandle;
+    this.toName = toName;
   }
   
   public FileHandle getFromDirHandle() {
@@ -59,4 +62,14 @@ public FileHandle getToDirHandle() {
   public String getToName() {
     return toName;
   }
+
+  @Override
+  public void serialize(XDR xdr) {
+    fromDirHandle.serialize(xdr);
+    xdr.writeInt(fromName.getBytes().length);
+    xdr.writeFixedOpaque(fromName.getBytes());
+    toDirHandle.serialize(xdr);
+    xdr.writeInt(toName.getBytes().length);
+    xdr.writeFixedOpaque(toName.getBytes());
+  }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RMDIR3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RMDIR3Request.java
index 8fd5b7026b3..e9977fa5488 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RMDIR3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RMDIR3Request.java
@@ -19,6 +19,7 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
@@ -27,12 +28,25 @@
 public class RMDIR3Request extends RequestWithHandle {
   private final String name;
 
-  public RMDIR3Request(XDR xdr) throws IOException {
-    super(xdr);
-    name = xdr.readString();
+  public static RMDIR3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    String name = xdr.readString();
+    return new RMDIR3Request(handle, name);
   }
 
+  public RMDIR3Request(FileHandle handle, String name) {
+    super(handle);
+    this.name = name;
+  }
+  
   public String getName() {
     return this.name;
   }
+
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);
+    xdr.writeInt(name.getBytes().length);
+    xdr.writeFixedOpaque(name.getBytes());
+  }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RequestWithHandle.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RequestWithHandle.java
index a3b19a12be3..9f9539c1d4e 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RequestWithHandle.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/RequestWithHandle.java
@@ -17,33 +17,19 @@
  */
 package org.apache.hadoop.nfs.nfs3.request;
 
-import java.io.IOException;
-
 import org.apache.hadoop.nfs.nfs3.FileHandle;
-import org.apache.hadoop.oncrpc.XDR;
 
 /**
  * An NFS request that uses {@link FileHandle} to identify a file.
  */
-public class RequestWithHandle {
+public abstract class RequestWithHandle extends NFS3Request {
   protected final FileHandle handle;
   
   RequestWithHandle(FileHandle handle) {
     this.handle = handle;
   }
-  
-  RequestWithHandle(XDR xdr) throws IOException {
-    handle = new FileHandle();
-    if (!handle.deserialize(xdr)) {
-      throw new IOException("can't deserialize file handle");
-    }
-  }
 
   public FileHandle getHandle() {
     return this.handle;
   }
-  
-  public void serialize(XDR xdr) {
-    handle.serialize(xdr);
-  }
 }
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SETATTR3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SETATTR3Request.java
index 05e8c0380b2..c5f668cf9a0 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SETATTR3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SETATTR3Request.java
@@ -20,6 +20,7 @@
 import java.io.IOException;
 
 import org.apache.hadoop.nfs.NfsTime;
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
@@ -38,16 +39,26 @@ public class SETATTR3Request extends RequestWithHandle {
   private final boolean check;
   private final NfsTime ctime;
   
-  public SETATTR3Request(XDR xdr) throws IOException {
-    super(xdr);
-    attr = new SetAttr3();
+  public static SETATTR3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    SetAttr3 attr = new SetAttr3();
     attr.deserialize(xdr);
-    check = xdr.readBoolean();
+    boolean check = xdr.readBoolean();
+    NfsTime ctime;
     if (check) {
       ctime = NfsTime.deserialize(xdr);
     } else {
       ctime = null;
     }
+    return new SETATTR3Request(handle, attr, check, ctime);
+  }
+  
+  public SETATTR3Request(FileHandle handle, SetAttr3 attr, boolean check,
+      NfsTime ctime) {
+    super(handle);
+    this.attr = attr;
+    this.check = check;
+    this.ctime = ctime;
   }
   
   public SetAttr3 getAttr() {
@@ -61,4 +72,14 @@ public boolean isCheck() {
   public NfsTime getCtime() {
     return ctime;
   }
+
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);
+    attr.serialize(xdr);
+    xdr.writeBoolean(check);
+    if (check) {
+      ctime.serialize(xdr);
+    }
+  }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SYMLINK3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SYMLINK3Request.java
index 6e74d1aa61b..288079449dc 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SYMLINK3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SYMLINK3Request.java
@@ -19,6 +19,7 @@
 
 import java.io.IOException;
 
+import org.apache.hadoop.nfs.nfs3.FileHandle;
 import org.apache.hadoop.oncrpc.XDR;
 
 /**
@@ -29,14 +30,23 @@ public class SYMLINK3Request extends RequestWithHandle {
   private final SetAttr3 symAttr;
   private final String symData;  // It contains the target
   
-  public SYMLINK3Request(XDR xdr) throws IOException {
-    super(xdr);
-    name = xdr.readString();
-    symAttr = new SetAttr3();
+  public static SYMLINK3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    String name = xdr.readString();
+    SetAttr3 symAttr = new SetAttr3();
     symAttr.deserialize(xdr);
-    symData = xdr.readString();
+    String symData = xdr.readString();
+    return new SYMLINK3Request(handle, name, symAttr, symData);
   }
 
+  public SYMLINK3Request(FileHandle handle, String name, SetAttr3 symAttr,
+      String symData) {
+    super(handle);
+    this.name = name;
+    this.symAttr = symAttr;
+    this.symData = symData;
+  }
+  
   public String getName() {
     return name;
   }
@@ -48,4 +58,14 @@ public SetAttr3 getSymAttr() {
   public String getSymData() {
     return symData;
   }
+
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);
+    xdr.writeInt(name.getBytes().length);
+    xdr.writeFixedOpaque(name.getBytes());
+    symAttr.serialize(xdr);
+    xdr.writeInt(symData.getBytes().length);
+    xdr.writeFixedOpaque(symData.getBytes());
+  }
 }
\ No newline at end of file
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SetAttr3.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SetAttr3.java
index 373425f5aa9..e8e637c44cd 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SetAttr3.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/SetAttr3.java
@@ -52,6 +52,15 @@ public SetAttr3() {
     size = 0;
     updateFields = EnumSet.noneOf(SetAttrField.class);
   }
+  
+  public SetAttr3(int mode, int uid, int gid, long size, NfsTime atime,
+      NfsTime mtime, EnumSet<SetAttrField> updateFields) {
+    this.mode = mode;
+    this.uid = uid;
+    this.gid = gid;
+    this.size = size;
+    this.updateFields = updateFields;
+  }
 
   public int getMode() {
     return mode;
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/WRITE3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/WRITE3Request.java
index 8a1ff8a1d5a..d85dcbbd78c 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/WRITE3Request.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/WRITE3Request.java
@@ -33,12 +33,13 @@ public class WRITE3Request extends RequestWithHandle {
   private final WriteStableHow stableHow;
   private final ByteBuffer data;
 
-  public WRITE3Request(XDR xdr) throws IOException {
-    super(xdr);
-    offset = xdr.readHyper();
-    count = xdr.readInt();
-    stableHow = WriteStableHow.fromValue(xdr.readInt());
-    data = ByteBuffer.wrap(xdr.readFixedOpaque(xdr.readInt()));
+  public static WRITE3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    long offset = xdr.readHyper();
+    int count = xdr.readInt();
+    WriteStableHow stableHow = WriteStableHow.fromValue(xdr.readInt());
+    ByteBuffer data = ByteBuffer.wrap(xdr.readFixedOpaque(xdr.readInt()));
+    return new WRITE3Request(handle, offset, count, stableHow, data);
   }
 
   public WRITE3Request(FileHandle handle, final long offset, final int count,
diff --git a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
index 0c7aebeebf9..33dc3a3d5a1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
@@ -268,7 +268,7 @@ GETATTR3Response getattr(XDR xdr, SecurityHandler securityHandler,
 
     GETATTR3Request request = null;
     try {
-      request = new GETATTR3Request(xdr);
+      request = GETATTR3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid GETATTR request");
       response.setStatus(Nfs3Status.NFS3ERR_INVAL);
@@ -360,7 +360,7 @@ SETATTR3Response setattr(XDR xdr, SecurityHandler securityHandler,
 
     SETATTR3Request request = null;
     try {
-      request = new SETATTR3Request(xdr);
+      request = SETATTR3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid SETATTR request");
       response.setStatus(Nfs3Status.NFS3ERR_INVAL);
@@ -445,7 +445,7 @@ LOOKUP3Response lookup(XDR xdr, SecurityHandler securityHandler,
 
     LOOKUP3Request request = null;
     try {
-      request = new LOOKUP3Request(xdr);
+      request = LOOKUP3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid LOOKUP request");
       return new LOOKUP3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -513,7 +513,7 @@ ACCESS3Response access(XDR xdr, SecurityHandler securityHandler,
 
     ACCESS3Request request = null;
     try {
-      request = new ACCESS3Request(xdr);
+      request = ACCESS3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid ACCESS request");
       return new ACCESS3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -581,7 +581,7 @@ READLINK3Response readlink(XDR xdr, SecurityHandler securityHandler,
     READLINK3Request request = null;
 
     try {
-      request = new READLINK3Request(xdr);
+      request = READLINK3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid READLINK request");
       return new READLINK3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -655,7 +655,7 @@ READ3Response read(XDR xdr, SecurityHandler securityHandler,
     READ3Request request = null;
 
     try {
-      request = new READ3Request(xdr);
+      request = READ3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid READ request");
       return new READ3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -788,7 +788,7 @@ WRITE3Response write(XDR xdr, Channel channel, int xid,
     WRITE3Request request = null;
 
     try {
-      request = new WRITE3Request(xdr);
+      request = WRITE3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid WRITE request");
       return new WRITE3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -870,7 +870,7 @@ CREATE3Response create(XDR xdr, SecurityHandler securityHandler,
     CREATE3Request request = null;
 
     try {
-      request = new CREATE3Request(xdr);
+      request = CREATE3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid CREATE request");
       return new CREATE3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -1003,7 +1003,7 @@ MKDIR3Response mkdir(XDR xdr, SecurityHandler securityHandler,
     MKDIR3Request request = null;
 
     try {
-      request = new MKDIR3Request(xdr);
+      request = MKDIR3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid MKDIR request");
       return new MKDIR3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -1099,7 +1099,7 @@ REMOVE3Response remove(XDR xdr, SecurityHandler securityHandler,
 
     REMOVE3Request request = null;
     try {
-      request = new REMOVE3Request(xdr);
+      request = REMOVE3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid REMOVE request");
       return new REMOVE3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -1179,7 +1179,7 @@ RMDIR3Response rmdir(XDR xdr, SecurityHandler securityHandler,
 
     RMDIR3Request request = null;
     try {
-      request = new RMDIR3Request(xdr);
+      request = RMDIR3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid RMDIR request");
       return new RMDIR3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -1264,7 +1264,7 @@ RENAME3Response rename(XDR xdr, SecurityHandler securityHandler,
 
     RENAME3Request request = null;
     try {
-      request = new RENAME3Request(xdr);
+      request = RENAME3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid RENAME request");
       return new RENAME3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -1360,7 +1360,7 @@ SYMLINK3Response symlink(XDR xdr, SecurityHandler securityHandler,
 
     SYMLINK3Request request = null;
     try {
-      request = new SYMLINK3Request(xdr);
+      request = SYMLINK3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid SYMLINK request");
       response.setStatus(Nfs3Status.NFS3ERR_INVAL);
@@ -1453,7 +1453,7 @@ public READDIR3Response readdir(XDR xdr, SecurityHandler securityHandler,
 
     READDIR3Request request = null;
     try {
-      request = new READDIR3Request(xdr);
+      request = READDIR3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid READDIR request");
       return new READDIR3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -1611,7 +1611,7 @@ READDIRPLUS3Response readdirplus(XDR xdr, SecurityHandler securityHandler,
 
     READDIRPLUS3Request request = null;
     try {
-      request = new READDIRPLUS3Request(xdr);
+      request = READDIRPLUS3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid READDIRPLUS request");
       return new READDIRPLUS3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -1788,7 +1788,7 @@ FSSTAT3Response fsstat(XDR xdr, SecurityHandler securityHandler,
 
     FSSTAT3Request request = null;
     try {
-      request = new FSSTAT3Request(xdr);
+      request = FSSTAT3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid FSSTAT request");
       return new FSSTAT3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -1862,7 +1862,7 @@ FSINFO3Response fsinfo(XDR xdr, SecurityHandler securityHandler,
 
     FSINFO3Request request = null;
     try {
-      request = new FSINFO3Request(xdr);
+      request = FSINFO3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid FSINFO request");
       return new FSINFO3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -1926,7 +1926,7 @@ PATHCONF3Response pathconf(XDR xdr, SecurityHandler securityHandler,
 
     PATHCONF3Request request = null;
     try {
-      request = new PATHCONF3Request(xdr);
+      request = PATHCONF3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid PATHCONF request");
       return new PATHCONF3Response(Nfs3Status.NFS3ERR_INVAL);
@@ -1977,7 +1977,7 @@ COMMIT3Response commit(XDR xdr, Channel channel, int xid,
 
     COMMIT3Request request = null;
     try {
-      request = new COMMIT3Request(xdr);
+      request = COMMIT3Request.deserialize(xdr);
     } catch (IOException e) {
       LOG.error("Invalid COMMIT request");
       response.setStatus(Nfs3Status.NFS3ERR_INVAL);
diff --git a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java
index 3fc0d991883..05b976da8be 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestRpcProgramNfs3.java
@@ -17,12 +17,71 @@
  */
 package org.apache.hadoop.hdfs.nfs.nfs3;
 
-import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.nio.ByteBuffer;
+import java.util.EnumSet;
+
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.DFSTestUtil;
+import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.nfs.conf.NfsConfigKeys;
+import org.apache.hadoop.hdfs.nfs.conf.NfsConfiguration;
+import org.apache.hadoop.hdfs.protocol.HdfsFileStatus;
+import org.apache.hadoop.hdfs.server.namenode.NameNode;
+import org.apache.hadoop.nfs.nfs3.FileHandle;
+import org.apache.hadoop.nfs.nfs3.Nfs3Constant;
+import org.apache.hadoop.nfs.nfs3.Nfs3Constant.WriteStableHow;
+import org.apache.hadoop.nfs.nfs3.Nfs3Status;
+import org.apache.hadoop.nfs.nfs3.request.ACCESS3Request;
+import org.apache.hadoop.nfs.nfs3.request.COMMIT3Request;
+import org.apache.hadoop.nfs.nfs3.request.CREATE3Request;
+import org.apache.hadoop.nfs.nfs3.request.FSINFO3Request;
+import org.apache.hadoop.nfs.nfs3.request.FSSTAT3Request;
+import org.apache.hadoop.nfs.nfs3.request.GETATTR3Request;
+import org.apache.hadoop.nfs.nfs3.request.LOOKUP3Request;
+import org.apache.hadoop.nfs.nfs3.request.MKDIR3Request;
+import org.apache.hadoop.nfs.nfs3.request.PATHCONF3Request;
+import org.apache.hadoop.nfs.nfs3.request.READ3Request;
+import org.apache.hadoop.nfs.nfs3.request.READDIR3Request;
+import org.apache.hadoop.nfs.nfs3.request.READDIRPLUS3Request;
+import org.apache.hadoop.nfs.nfs3.request.READLINK3Request;
+import org.apache.hadoop.nfs.nfs3.request.REMOVE3Request;
+import org.apache.hadoop.nfs.nfs3.request.RENAME3Request;
+import org.apache.hadoop.nfs.nfs3.request.RMDIR3Request;
+import org.apache.hadoop.nfs.nfs3.request.SETATTR3Request;
+import org.apache.hadoop.nfs.nfs3.request.SYMLINK3Request;
+import org.apache.hadoop.nfs.nfs3.request.SetAttr3;
+import org.apache.hadoop.nfs.nfs3.request.SetAttr3.SetAttrField;
+import org.apache.hadoop.nfs.nfs3.request.WRITE3Request;
+import org.apache.hadoop.nfs.nfs3.response.ACCESS3Response;
+import org.apache.hadoop.nfs.nfs3.response.COMMIT3Response;
+import org.apache.hadoop.nfs.nfs3.response.CREATE3Response;
+import org.apache.hadoop.nfs.nfs3.response.FSINFO3Response;
+import org.apache.hadoop.nfs.nfs3.response.FSSTAT3Response;
+import org.apache.hadoop.nfs.nfs3.response.GETATTR3Response;
+import org.apache.hadoop.nfs.nfs3.response.LOOKUP3Response;
+import org.apache.hadoop.nfs.nfs3.response.MKDIR3Response;
+import org.apache.hadoop.nfs.nfs3.response.PATHCONF3Response;
+import org.apache.hadoop.nfs.nfs3.response.READ3Response;
+import org.apache.hadoop.nfs.nfs3.response.READDIR3Response;
+import org.apache.hadoop.nfs.nfs3.response.READDIRPLUS3Response;
+import org.apache.hadoop.nfs.nfs3.response.READLINK3Response;
+import org.apache.hadoop.nfs.nfs3.response.REMOVE3Response;
+import org.apache.hadoop.nfs.nfs3.response.RENAME3Response;
+import org.apache.hadoop.nfs.nfs3.response.RMDIR3Response;
+import org.apache.hadoop.nfs.nfs3.response.SETATTR3Response;
+import org.apache.hadoop.nfs.nfs3.response.SYMLINK3Response;
+import org.apache.hadoop.nfs.nfs3.response.WRITE3Response;
+import org.apache.hadoop.oncrpc.XDR;
+import org.apache.hadoop.oncrpc.security.SecurityHandler;
+import org.apache.hadoop.security.authorize.DefaultImpersonationProvider;
+import org.apache.hadoop.security.authorize.ProxyUsers;
 import org.jboss.netty.channel.Channel;
 import org.junit.AfterClass;
 import org.junit.Assert;
@@ -31,46 +90,6 @@
 import org.junit.Test;
 import org.mockito.Mockito;
 
-import org.apache.hadoop.fs.CommonConfigurationKeys;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hdfs.DFSTestUtil;
-import org.apache.hadoop.hdfs.DistributedFileSystem;
-import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.hadoop.hdfs.nfs.conf.NfsConfiguration;
-import org.apache.hadoop.hdfs.nfs.conf.NfsConfigKeys;
-import org.apache.hadoop.hdfs.protocol.HdfsFileStatus;
-import org.apache.hadoop.hdfs.server.namenode.NameNode;
-import org.apache.hadoop.nfs.nfs3.FileHandle;
-import org.apache.hadoop.nfs.nfs3.Nfs3Constant;
-import org.apache.hadoop.nfs.nfs3.Nfs3Constant.WriteStableHow;
-import org.apache.hadoop.nfs.nfs3.Nfs3Status;
-import org.apache.hadoop.nfs.nfs3.request.LOOKUP3Request;
-import org.apache.hadoop.nfs.nfs3.request.READ3Request;
-import org.apache.hadoop.nfs.nfs3.request.WRITE3Request;
-import org.apache.hadoop.nfs.nfs3.response.ACCESS3Response;
-import org.apache.hadoop.nfs.nfs3.response.COMMIT3Response;
-import org.apache.hadoop.nfs.nfs3.response.CREATE3Response;
-import org.apache.hadoop.nfs.nfs3.response.FSSTAT3Response;
-import org.apache.hadoop.nfs.nfs3.response.FSINFO3Response;
-import org.apache.hadoop.nfs.nfs3.response.GETATTR3Response;
-import org.apache.hadoop.nfs.nfs3.response.LOOKUP3Response;
-import org.apache.hadoop.nfs.nfs3.response.PATHCONF3Response;
-import org.apache.hadoop.nfs.nfs3.response.READ3Response;
-import org.apache.hadoop.nfs.nfs3.response.REMOVE3Response;
-import org.apache.hadoop.nfs.nfs3.response.RMDIR3Response;
-import org.apache.hadoop.nfs.nfs3.response.RENAME3Response;
-import org.apache.hadoop.nfs.nfs3.response.READDIR3Response;
-import org.apache.hadoop.nfs.nfs3.response.READDIRPLUS3Response;
-import org.apache.hadoop.nfs.nfs3.response.READLINK3Response;
-import org.apache.hadoop.nfs.nfs3.response.SETATTR3Response;
-import org.apache.hadoop.nfs.nfs3.response.SYMLINK3Response;
-import org.apache.hadoop.nfs.nfs3.response.WRITE3Response;
-import org.apache.hadoop.nfs.nfs3.request.SetAttr3;
-import org.apache.hadoop.oncrpc.XDR;
-import org.apache.hadoop.oncrpc.security.SecurityHandler;
-import org.apache.hadoop.security.authorize.DefaultImpersonationProvider;
-import org.apache.hadoop.security.authorize.ProxyUsers;
-
 
 /**
  * Tests for {@link RpcProgramNfs3}
@@ -143,8 +162,9 @@ public void testGetattr() throws Exception {
     long dirId = status.getFileId();
     FileHandle handle = new FileHandle(dirId);
     XDR xdr_req = new XDR();
-    handle.serialize(xdr_req);
-
+    GETATTR3Request req = new GETATTR3Request(handle);
+    req.serialize(xdr_req);
+    
     // Attempt by an unpriviledged user should fail.
     GETATTR3Response response1 = nfsd.getattr(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
@@ -165,13 +185,12 @@ public void testSetattr() throws Exception {
     long dirId = status.getFileId();
     XDR xdr_req = new XDR();
     FileHandle handle = new FileHandle(dirId);
-    handle.serialize(xdr_req);
-    xdr_req.writeString("bar");
-    SetAttr3 symAttr = new SetAttr3();
-    symAttr.serialize(xdr_req);
-    xdr_req.writeBoolean(false);
+    SetAttr3 symAttr = new SetAttr3(0, 1, 0, 0, null, null,
+        EnumSet.of(SetAttrField.UID));
+    SETATTR3Request req = new SETATTR3Request(handle, symAttr, false, null);
+    req.serialize(xdr_req);
 
-    // Attempt by an unpriviledged user should fail.
+    // Attempt by an unprivileged user should fail.
     SETATTR3Response response1 = nfsd.setattr(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
         new InetSocketAddress("localhost", 1234));
@@ -214,7 +233,8 @@ public void testAccess() throws Exception {
     long dirId = status.getFileId();
     FileHandle handle = new FileHandle(dirId);
     XDR xdr_req = new XDR();
-    handle.serialize(xdr_req);
+    ACCESS3Request req = new ACCESS3Request(handle);
+    req.serialize(xdr_req);
 
     // Attempt by an unpriviledged user should fail.
     ACCESS3Response response1 = nfsd.access(xdr_req.asReadOnlyWrap(),
@@ -237,12 +257,10 @@ public void testReadlink() throws Exception {
     long dirId = status.getFileId();
     XDR xdr_req = new XDR();
     FileHandle handle = new FileHandle(dirId);
-    handle.serialize(xdr_req);
-    xdr_req.writeString("fubar");
-    SetAttr3 symAttr = new SetAttr3();
-    symAttr.serialize(xdr_req);
-    xdr_req.writeString("bar");
-
+    SYMLINK3Request req = new SYMLINK3Request(handle, "fubar", new SetAttr3(),
+        "bar");
+    req.serialize(xdr_req);
+    
     SYMLINK3Response response = nfsd.symlink(xdr_req.asReadOnlyWrap(),
         securityHandler, new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
@@ -251,7 +269,8 @@ public void testReadlink() throws Exception {
     // Now perform readlink operations.
     FileHandle handle2 = response.getObjFileHandle();
     XDR xdr_req2 = new XDR();
-    handle2.serialize(xdr_req2);
+    READLINK3Request req2 = new READLINK3Request(handle2);
+    req2.serialize(xdr_req2);
 
     // Attempt by an unpriviledged user should fail.
     READLINK3Response response1 = nfsd.readlink(xdr_req2.asReadOnlyWrap(),
@@ -327,12 +346,10 @@ public void testCreate() throws Exception {
     long dirId = status.getFileId();
     XDR xdr_req = new XDR();
     FileHandle handle = new FileHandle(dirId);
-    handle.serialize(xdr_req);
-    xdr_req.writeString("fubar");
-    xdr_req.writeInt(Nfs3Constant.CREATE_UNCHECKED);
-    SetAttr3 symAttr = new SetAttr3();
-    symAttr.serialize(xdr_req);
-
+    CREATE3Request req = new CREATE3Request(handle, "fubar",
+        Nfs3Constant.CREATE_UNCHECKED, new SetAttr3(), 0);
+    req.serialize(xdr_req);
+    
     // Attempt by an unpriviledged user should fail.
     CREATE3Response response1 = nfsd.create(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
@@ -348,26 +365,27 @@ public void testCreate() throws Exception {
   }
 
   @Test(timeout = 60000)
-  public void testMkdir() throws Exception {
+  public void testMkdir() throws Exception {//FixME
     HdfsFileStatus status = nn.getRpcServer().getFileInfo(testdir);
     long dirId = status.getFileId();
     XDR xdr_req = new XDR();
     FileHandle handle = new FileHandle(dirId);
-    handle.serialize(xdr_req);
-    xdr_req.writeString("fubar");
-    SetAttr3 symAttr = new SetAttr3();
-    symAttr.serialize(xdr_req);
-    xdr_req.writeString("bar");
-
-    // Attempt to remove by an unpriviledged user should fail.
-    SYMLINK3Response response1 = nfsd.symlink(xdr_req.asReadOnlyWrap(),
+    MKDIR3Request req = new MKDIR3Request(handle, "fubar1", new SetAttr3());
+    req.serialize(xdr_req);
+    
+    // Attempt to mkdir by an unprivileged user should fail.
+    MKDIR3Response response1 = nfsd.mkdir(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
         new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
         response1.getStatus());
 
-    // Attempt to remove by a priviledged user should pass.
-    SYMLINK3Response response2 = nfsd.symlink(xdr_req.asReadOnlyWrap(),
+    XDR xdr_req2 = new XDR();
+    MKDIR3Request req2 = new MKDIR3Request(handle, "fubar2", new SetAttr3());
+    req2.serialize(xdr_req2);
+    
+    // Attempt to mkdir by a privileged user should pass.
+    MKDIR3Response response2 = nfsd.mkdir(xdr_req2.asReadOnlyWrap(),
         securityHandler, new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
         response2.getStatus());
@@ -379,20 +397,18 @@ public void testSymlink() throws Exception {
     long dirId = status.getFileId();
     XDR xdr_req = new XDR();
     FileHandle handle = new FileHandle(dirId);
-    handle.serialize(xdr_req);
-    xdr_req.writeString("fubar");
-    SetAttr3 symAttr = new SetAttr3();
-    symAttr.serialize(xdr_req);
-    xdr_req.writeString("bar");
+    SYMLINK3Request req = new SYMLINK3Request(handle, "fubar", new SetAttr3(),
+        "bar");
+    req.serialize(xdr_req);
 
-    // Attempt by an unpriviledged user should fail.
+    // Attempt by an unprivileged user should fail.
     SYMLINK3Response response1 = nfsd.symlink(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
         new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
         response1.getStatus());
 
-    // Attempt by a priviledged user should pass.
+    // Attempt by a privileged user should pass.
     SYMLINK3Response response2 = nfsd.symlink(xdr_req.asReadOnlyWrap(),
         securityHandler, new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
@@ -405,8 +421,8 @@ public void testRemove() throws Exception {
     long dirId = status.getFileId();
     XDR xdr_req = new XDR();
     FileHandle handle = new FileHandle(dirId);
-    handle.serialize(xdr_req);
-    xdr_req.writeString("bar");
+    REMOVE3Request req = new REMOVE3Request(handle, "bar");
+    req.serialize(xdr_req);
 
     // Attempt by an unpriviledged user should fail.
     REMOVE3Response response1 = nfsd.remove(xdr_req.asReadOnlyWrap(),
@@ -428,17 +444,17 @@ public void testRmdir() throws Exception {
     long dirId = status.getFileId();
     XDR xdr_req = new XDR();
     FileHandle handle = new FileHandle(dirId);
-    handle.serialize(xdr_req);
-    xdr_req.writeString("foo");
+    RMDIR3Request req = new RMDIR3Request(handle, "foo");
+    req.serialize(xdr_req);
 
-    // Attempt by an unpriviledged user should fail.
+    // Attempt by an unprivileged user should fail.
     RMDIR3Response response1 = nfsd.rmdir(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
         new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
         response1.getStatus());
 
-    // Attempt by a priviledged user should pass.
+    // Attempt by a privileged user should pass.
     RMDIR3Response response2 = nfsd.rmdir(xdr_req.asReadOnlyWrap(),
         securityHandler, new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
@@ -451,19 +467,17 @@ public void testRename() throws Exception {
     long dirId = status.getFileId();
     XDR xdr_req = new XDR();
     FileHandle handle = new FileHandle(dirId);
-    handle.serialize(xdr_req);
-    xdr_req.writeString("bar");
-    handle.serialize(xdr_req);
-    xdr_req.writeString("fubar");
-
-    // Attempt by an unpriviledged user should fail.
+    RENAME3Request req = new RENAME3Request(handle, "bar", handle, "fubar");
+    req.serialize(xdr_req);
+    
+    // Attempt by an unprivileged user should fail.
     RENAME3Response response1 = nfsd.rename(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
         new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
         response1.getStatus());
 
-    // Attempt by a priviledged user should pass.
+    // Attempt by a privileged user should pass.
     RENAME3Response response2 = nfsd.rename(xdr_req.asReadOnlyWrap(),
         securityHandler, new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
@@ -476,10 +490,8 @@ public void testReaddir() throws Exception {
     long dirId = status.getFileId();
     FileHandle handle = new FileHandle(dirId);
     XDR xdr_req = new XDR();
-    handle.serialize(xdr_req);
-    xdr_req.writeLongAsHyper(0);
-    xdr_req.writeLongAsHyper(0);
-    xdr_req.writeInt(100);
+    READDIR3Request req = new READDIR3Request(handle, 0, 0, 100);
+    req.serialize(xdr_req);
 
     // Attempt by an unpriviledged user should fail.
     READDIR3Response response1 = nfsd.readdir(xdr_req.asReadOnlyWrap(),
@@ -501,20 +513,17 @@ public void testReaddirplus() throws Exception {
     long dirId = status.getFileId();
     FileHandle handle = new FileHandle(dirId);
     XDR xdr_req = new XDR();
-    handle.serialize(xdr_req);
-    xdr_req.writeLongAsHyper(0);
-    xdr_req.writeLongAsHyper(0);
-    xdr_req.writeInt(3);
-    xdr_req.writeInt(2);
-
-    // Attempt by an unpriviledged user should fail.
+    READDIRPLUS3Request req = new READDIRPLUS3Request(handle, 0, 0, 3, 2);
+    req.serialize(xdr_req);
+    
+    // Attempt by an unprivileged user should fail.
     READDIRPLUS3Response response1 = nfsd.readdirplus(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
         new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3ERR_ACCES,
         response1.getStatus());
 
-    // Attempt by a priviledged user should pass.
+    // Attempt by a privileged user should pass.
     READDIRPLUS3Response response2 = nfsd.readdirplus(xdr_req.asReadOnlyWrap(),
         securityHandler, new InetSocketAddress("localhost", 1234));
     assertEquals("Incorrect return code:", Nfs3Status.NFS3_OK,
@@ -527,8 +536,9 @@ public void testFsstat() throws Exception {
     long dirId = status.getFileId();
     FileHandle handle = new FileHandle(dirId);
     XDR xdr_req = new XDR();
-    handle.serialize(xdr_req);
-
+    FSSTAT3Request req = new FSSTAT3Request(handle);
+    req.serialize(xdr_req);
+    
     // Attempt by an unpriviledged user should fail.
     FSSTAT3Response response1 = nfsd.fsstat(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
@@ -549,8 +559,9 @@ public void testFsinfo() throws Exception {
     long dirId = status.getFileId();
     FileHandle handle = new FileHandle(dirId);
     XDR xdr_req = new XDR();
-    handle.serialize(xdr_req);
-
+    FSINFO3Request req = new FSINFO3Request(handle);
+    req.serialize(xdr_req);
+    
     // Attempt by an unpriviledged user should fail.
     FSINFO3Response response1 = nfsd.fsinfo(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
@@ -571,8 +582,9 @@ public void testPathconf() throws Exception {
     long dirId = status.getFileId();
     FileHandle handle = new FileHandle(dirId);
     XDR xdr_req = new XDR();
-    handle.serialize(xdr_req);
-
+    PATHCONF3Request req = new PATHCONF3Request(handle);
+    req.serialize(xdr_req);
+    
     // Attempt by an unpriviledged user should fail.
     PATHCONF3Response response1 = nfsd.pathconf(xdr_req.asReadOnlyWrap(),
         securityHandlerUnpriviledged,
@@ -593,9 +605,8 @@ public void testCommit() throws Exception {
     long dirId = status.getFileId();
     FileHandle handle = new FileHandle(dirId);
     XDR xdr_req = new XDR();
-    handle.serialize(xdr_req);
-    xdr_req.writeLongAsHyper(0);
-    xdr_req.writeInt(5);
+    COMMIT3Request req = new COMMIT3Request(handle, 0, 5);
+    req.serialize(xdr_req);
 
     Channel ch = Mockito.mock(Channel.class);
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 63c434d7085..8dd3ebea87e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -645,6 +645,8 @@ Release 2.6.0 - UNRELEASED
     HDFS-6908. Incorrect snapshot directory diff generated by snapshot deletion.
     (Juan Yu and jing9 via jing9)
 
+    HDFS-6892. Add XDR packaging method for each NFS request (brandonli)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES

From 26ebdd849b23243b31e58c44d0d363e11b42fc52 Mon Sep 17 00:00:00 2001
From: Haohui Mai <wheat9@apache.org>
Date: Wed, 27 Aug 2014 11:10:30 -0700
Subject: [PATCH 308/354] HDFS-6938. Cleanup javac warnings in FSNamesystem.
 Contributed by Charles Lamb.

---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt            |  2 ++
 .../hadoop/hdfs/server/namenode/FSNamesystem.java      | 10 ----------
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 8dd3ebea87e..99d5c01cb45 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -647,6 +647,8 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-6892. Add XDR packaging method for each NFS request (brandonli)
 
+    HDFS-6938. Cleanup javac warnings in FSNamesystem (Charles Lamb via wheat9)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 81d5a22af16..6d750bcc5d8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -106,7 +106,6 @@
 import java.net.InetAddress;
 import java.net.URI;
 import java.security.GeneralSecurityException;
-import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -120,7 +119,6 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.UUID;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.locks.Condition;
 import java.util.concurrent.locks.ReentrantLock;
@@ -137,8 +135,6 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.crypto.CipherSuite;
-import org.apache.hadoop.crypto.CryptoCodec;
-import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
 import org.apache.hadoop.fs.BatchedRemoteIterator.BatchedListEntries;
 import org.apache.hadoop.fs.CacheFlag;
@@ -182,7 +178,6 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeID;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.DirectoryListing;
-import org.apache.hadoop.hdfs.protocol.EncryptionZone;
 import org.apache.hadoop.hdfs.protocol.EncryptionZoneWithId;
 import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants;
@@ -543,9 +538,6 @@ private void logAuditEvent(boolean succeeded,
   private final NNConf nnConf;
 
   private KeyProviderCryptoExtension provider = null;
-  private KeyProvider.Options providerOptions = null;
-
-  private final CryptoCodec codec;
 
   private volatile boolean imageLoaded = false;
   private final Condition cond;
@@ -772,8 +764,6 @@ static FSNamesystem loadFromDisk(Configuration conf) throws IOException {
     } else {
       LOG.info("Found KeyProvider: " + provider.toString());
     }
-    providerOptions = KeyProvider.options(conf);
-    this.codec = CryptoCodec.getInstance(conf);
     if (conf.getBoolean(DFS_NAMENODE_AUDIT_LOG_ASYNC_KEY,
                         DFS_NAMENODE_AUDIT_LOG_ASYNC_DEFAULT)) {
       LOG.info("Enabling async auditlog");

From fdd3bc5f45da615db4fd51cc07cb7d44c211150d Mon Sep 17 00:00:00 2001
From: Haohui Mai <wheat9@apache.org>
Date: Wed, 27 Aug 2014 13:26:25 -0700
Subject: [PATCH 309/354] HADOOP-10746. HttpServer2 should not load JspServlet.
 Contributed by Haohui Mai.

---
 hadoop-common-project/hadoop-common/CHANGES.txt      |  2 ++
 .../java/org/apache/hadoop/http/HttpServer2.java     | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 45e38d392f9..b13cd79bc69 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -323,6 +323,8 @@ Trunk (Unreleased)
 
     HADOOP-10996. Stop violence in the *_HOME (aw)
 
+    HADOOP-10748. HttpServer2 should not load JspServlet. (wheat9)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
index f84ade00374..8aa777b993e 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
@@ -44,6 +44,7 @@
 import javax.servlet.http.HttpServletRequestWrapper;
 import javax.servlet.http.HttpServletResponse;
 
+import com.google.common.collect.ImmutableMap;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.HadoopIllegalArgumentException;
@@ -415,6 +416,17 @@ private void addManagedListener(Connector connector) {
   private static WebAppContext createWebAppContext(String name,
       Configuration conf, AccessControlList adminsAcl, final String appDir) {
     WebAppContext ctx = new WebAppContext();
+    ctx.setDefaultsDescriptor(null);
+    ServletHolder holder = new ServletHolder(new DefaultServlet());
+    Map<String, String> params = ImmutableMap. <String, String> builder()
+            .put("acceptRanges", "true")
+            .put("dirAllowed", "false")
+            .put("gzip", "true")
+            .put("useFileMappedBuffer", "true")
+            .build();
+    holder.setInitParameters(params);
+    ctx.setWelcomeFiles(new String[] {"index.html"});
+    ctx.addServlet(holder, "/");
     ctx.setDisplayName(name);
     ctx.setContextPath("/");
     ctx.setWar(appDir + "/" + name);

From d805cc27a98abbdf14a20ef3127a2c7cb212c765 Mon Sep 17 00:00:00 2001
From: Colin Patrick Mccabe <cmccabe@cloudera.com>
Date: Wed, 27 Aug 2014 13:33:02 -0700
Subject: [PATCH 310/354] HDFS-6773. MiniDFSCluster should skip edit log fsync
 by default.  Contributed by Stephen Chu.

---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +++
 .../apache/hadoop/hdfs/MiniDFSCluster.java    | 22 ++++++++++++++++---
 .../server/datanode/TestFsDatasetCache.java   |  1 -
 .../server/namenode/TestCacheDirectives.java  |  1 -
 4 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 99d5c01cb45..77832433c1b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -518,6 +518,9 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
 
+    HDFS-6773. MiniDFSCluster should skip edit log fsync by default (Stephen
+    Chu via Colin Patrick McCabe)
+
   BUG FIXES
 
     HDFS-6823. dfs.web.authentication.kerberos.principal shows up in logs for 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
index 98ca3160047..0e49cfec053 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/MiniDFSCluster.java
@@ -93,6 +93,7 @@
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.FsVolumeSpi;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.impl.FsDatasetUtil;
 import org.apache.hadoop.hdfs.server.datanode.fsdataset.impl.FsVolumeImpl;
+import org.apache.hadoop.hdfs.server.namenode.EditLogFileOutputStream;
 import org.apache.hadoop.hdfs.server.namenode.FSNamesystem;
 import org.apache.hadoop.hdfs.server.namenode.NameNode;
 import org.apache.hadoop.hdfs.server.namenode.NameNodeAdapter;
@@ -172,6 +173,7 @@ public static class Builder {
     private boolean checkDataNodeAddrConfig = false;
     private boolean checkDataNodeHostConfig = false;
     private Configuration[] dnConfOverlays;
+    private boolean skipFsyncForTesting = true;
     
     public Builder(Configuration conf) {
       this.conf = conf;
@@ -405,6 +407,15 @@ public Builder dataNodeConfOverlays(Configuration[] dnConfOverlays) {
       this.dnConfOverlays = dnConfOverlays;
       return this;
     }
+
+    /**
+     * Default: true
+     * When true, we skip fsync() calls for speed improvements.
+     */
+    public Builder skipFsyncForTesting(boolean val) {
+      this.skipFsyncForTesting = val;
+      return this;
+    }
     
     /**
      * Construct the actual MiniDFSCluster
@@ -472,7 +483,8 @@ protected MiniDFSCluster(Builder builder) throws IOException {
                        builder.checkExitOnShutdown,
                        builder.checkDataNodeAddrConfig,
                        builder.checkDataNodeHostConfig,
-                       builder.dnConfOverlays);
+                       builder.dnConfOverlays,
+                       builder.skipFsyncForTesting);
   }
   
   public class DataNodeProperties {
@@ -727,7 +739,8 @@ public MiniDFSCluster(int nameNodePort,
                        manageNameDfsDirs, true, manageDataDfsDirs, manageDataDfsDirs,
                        operation, null, racks, hosts,
                        null, simulatedCapacities, null, true, false,
-                       MiniDFSNNTopology.simpleSingleNN(nameNodePort, 0), true, false, false, null);
+                       MiniDFSNNTopology.simpleSingleNN(nameNodePort, 0),
+                       true, false, false, null, true);
   }
 
   private void initMiniDFSCluster(
@@ -742,7 +755,8 @@ private void initMiniDFSCluster(
       MiniDFSNNTopology nnTopology, boolean checkExitOnShutdown,
       boolean checkDataNodeAddrConfig,
       boolean checkDataNodeHostConfig,
-      Configuration[] dnConfOverlays)
+      Configuration[] dnConfOverlays,
+      boolean skipFsyncForTesting)
   throws IOException {
     boolean success = false;
     try {
@@ -782,6 +796,8 @@ private void initMiniDFSCluster(
             + "Standby node since no IPC ports have been specified.");
         conf.setInt(DFS_HA_LOGROLL_PERIOD_KEY, -1);
       }
+
+      EditLogFileOutputStream.setShouldSkipFsyncForTesting(skipFsyncForTesting);
     
       federation = nnTopology.isFederated();
       try {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestFsDatasetCache.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestFsDatasetCache.java
index 5ac13eec270..d6e70d80037 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestFsDatasetCache.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/TestFsDatasetCache.java
@@ -108,7 +108,6 @@ public class TestFsDatasetCache {
   private static CacheManipulator prevCacheManipulator;
 
   static {
-    EditLogFileOutputStream.setShouldSkipFsyncForTesting(false);
     LogManager.getLogger(FsDatasetCache.class).setLevel(Level.DEBUG);
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCacheDirectives.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCacheDirectives.java
index d54b90e6631..93076928f3e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCacheDirectives.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCacheDirectives.java
@@ -110,7 +110,6 @@ public class TestCacheDirectives {
 
   static {
     NativeIO.POSIX.setCacheManipulator(new NoMlockCacheManipulator());
-    EditLogFileOutputStream.setShouldSkipFsyncForTesting(false);
   }
 
   private static final long BLOCK_SIZE = 4096;

From 225569ece229cec32f852f831fd337a139c44b1e Mon Sep 17 00:00:00 2001
From: Colin Patrick Mccabe <cmccabe@cloudera.com>
Date: Wed, 27 Aug 2014 13:39:40 -0700
Subject: [PATCH 311/354] HDFS-4486. Add log category for long-running
 DFSClient notices.  Contributed by Zhe Zhang.

---
 .../apache/hadoop/crypto/OpensslCipher.java   |  2 ++
 .../crypto/random/OpensslSecureRandom.java    |  3 +++
 .../apache/hadoop/io/nativeio/NativeIO.java   |  7 ++---
 ...JniBasedUnixGroupsMappingWithFallback.java |  3 ++-
 .../hadoop/util/PerformanceAdvisory.java      | 24 +++++++++++++++++
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +++
 .../hadoop/hdfs/BlockReaderFactory.java       | 27 +++++++++----------
 .../shortcircuit/DomainSocketFactory.java     |  4 ++-
 8 files changed, 53 insertions(+), 20 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/PerformanceAdvisory.java

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
index 264652b202a..2eb16ee4747 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java
@@ -32,6 +32,7 @@
 import org.apache.hadoop.util.NativeCodeLoader;
 
 import com.google.common.base.Preconditions;
+import org.apache.hadoop.util.PerformanceAdvisory;
 
 /**
  * OpenSSL cipher using JNI.
@@ -82,6 +83,7 @@ static int get(String padding) throws NoSuchPaddingException {
     String loadingFailure = null;
     try {
       if (!NativeCodeLoader.buildSupportsOpenssl()) {
+        PerformanceAdvisory.LOG.debug("Build does not support openssl");
         loadingFailure = "build does not support openssl.";
       } else {
         initIDs();
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OpensslSecureRandom.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OpensslSecureRandom.java
index b1fa9883373..6c53a0a2179 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OpensslSecureRandom.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/random/OpensslSecureRandom.java
@@ -25,6 +25,7 @@
 import org.apache.hadoop.util.NativeCodeLoader;
 
 import com.google.common.base.Preconditions;
+import org.apache.hadoop.util.PerformanceAdvisory;
 
 /**
  * OpenSSL secure random using JNI.
@@ -67,6 +68,8 @@ public static boolean isNativeCodeLoaded() {
   
   public OpensslSecureRandom() {
     if (!nativeEnabled) {
+      PerformanceAdvisory.LOG.debug("Build does not support openssl, " +
+          "falling back to Java SecureRandom.");
       fallback = new java.security.SecureRandom();
     }
   }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/nativeio/NativeIO.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/nativeio/NativeIO.java
index fafa29543e0..53d31d6fb96 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/nativeio/NativeIO.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/nativeio/NativeIO.java
@@ -37,6 +37,7 @@
 import org.apache.hadoop.io.SecureIOUtils.AlreadyExistsException;
 import org.apache.hadoop.util.NativeCodeLoader;
 import org.apache.hadoop.util.Shell;
+import org.apache.hadoop.util.PerformanceAdvisory;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -196,7 +197,7 @@ public boolean verifyCanMlock() {
           // This can happen if the user has an older version of libhadoop.so
           // installed - in this case we can continue without native IO
           // after warning
-          LOG.error("Unable to initialize NativeIO libraries", t);
+          PerformanceAdvisory.LOG.debug("Unable to initialize NativeIO libraries", t);
         }
       }
     }
@@ -574,7 +575,7 @@ public static boolean access(String path, AccessRight desiredAccess)
           // This can happen if the user has an older version of libhadoop.so
           // installed - in this case we can continue without native IO
           // after warning
-          LOG.error("Unable to initialize NativeIO libraries", t);
+          PerformanceAdvisory.LOG.debug("Unable to initialize NativeIO libraries", t);
         }
       }
     }
@@ -593,7 +594,7 @@ public static boolean access(String path, AccessRight desiredAccess)
         // This can happen if the user has an older version of libhadoop.so
         // installed - in this case we can continue without native IO
         // after warning
-        LOG.error("Unable to initialize NativeIO libraries", t);
+        PerformanceAdvisory.LOG.debug("Unable to initialize NativeIO libraries", t);
       }
     }
   }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/JniBasedUnixGroupsMappingWithFallback.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/JniBasedUnixGroupsMappingWithFallback.java
index 908ca1468d1..40333fcc5df 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/JniBasedUnixGroupsMappingWithFallback.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/JniBasedUnixGroupsMappingWithFallback.java
@@ -24,6 +24,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.util.NativeCodeLoader;
+import org.apache.hadoop.util.PerformanceAdvisory;
 
 public class JniBasedUnixGroupsMappingWithFallback implements
     GroupMappingServiceProvider {
@@ -37,7 +38,7 @@ public JniBasedUnixGroupsMappingWithFallback() {
     if (NativeCodeLoader.isNativeCodeLoaded()) {
       this.impl = new JniBasedUnixGroupsMapping();
     } else {
-      LOG.debug("Falling back to shell based");
+      PerformanceAdvisory.LOG.debug("Falling back to shell based");
       this.impl = new ShellBasedUnixGroupsMapping();
     }
     if (LOG.isDebugEnabled()){
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/PerformanceAdvisory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/PerformanceAdvisory.java
new file mode 100644
index 00000000000..306d47c805e
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/PerformanceAdvisory.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.util;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class PerformanceAdvisory {
+  public static final Log LOG = LogFactory.getLog(PerformanceAdvisory.class);
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 77832433c1b..f3ecf075219 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -514,6 +514,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6899. Allow changing MiniDFSCluster volumes per DN and capacity
     per volume. (Arpit Agarwal)
 
+    HDFS-4486. Add log category for long-running DFSClient notices (Zhe Zhang
+    via Colin Patrick McCabe)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/BlockReaderFactory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/BlockReaderFactory.java
index d27bd6ef0d2..3fb442b94a5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/BlockReaderFactory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/BlockReaderFactory.java
@@ -54,6 +54,7 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.util.PerformanceAdvisory;
 import org.apache.hadoop.util.Time;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -343,10 +344,9 @@ private BlockReader getLegacyBlockReaderLocal() throws IOException {
       return null;
     }
     if (clientContext.getDisableLegacyBlockReaderLocal()) {
-      if (LOG.isTraceEnabled()) {
-        LOG.trace(this + ": can't construct BlockReaderLocalLegacy because " +
-            "disableLegacyBlockReaderLocal is set.");
-      }
+      PerformanceAdvisory.LOG.debug(this + ": can't construct " +
+          "BlockReaderLocalLegacy because " +
+          "disableLegacyBlockReaderLocal is set.");
       return null;
     }
     IOException ioe = null;
@@ -385,10 +385,8 @@ private BlockReader getBlockReaderLocal() throws InvalidToken {
                       getPathInfo(inetSocketAddress, conf);
     }
     if (!pathInfo.getPathState().getUsableForShortCircuit()) {
-      if (LOG.isTraceEnabled()) {
-        LOG.trace(this + ": " + pathInfo + " is not " +
-            "usable for short circuit; giving up on BlockReaderLocal.");
-      }
+      PerformanceAdvisory.LOG.debug(this + ": " + pathInfo + " is not " +
+          "usable for short circuit; giving up on BlockReaderLocal.");
       return null;
     }
     ShortCircuitCache cache = clientContext.getShortCircuitCache();
@@ -404,8 +402,9 @@ private BlockReader getBlockReaderLocal() throws InvalidToken {
     }
     if (info.getReplica() == null) {
       if (LOG.isTraceEnabled()) {
-        LOG.trace(this + ": failed to get ShortCircuitReplica.  " +
-            "Cannot construct BlockReaderLocal via " + pathInfo.getPath());
+        PerformanceAdvisory.LOG.debug(this + ": failed to get " +
+            "ShortCircuitReplica. Cannot construct " +
+            "BlockReaderLocal via " + pathInfo.getPath());
       }
       return null;
     }
@@ -580,11 +579,9 @@ private BlockReader getRemoteBlockReaderFromDomain() throws IOException {
                       getPathInfo(inetSocketAddress, conf);
     }
     if (!pathInfo.getPathState().getUsableForDataTransfer()) {
-      if (LOG.isTraceEnabled()) {
-        LOG.trace(this + ": not trying to create a remote block reader " +
-            "because the UNIX domain socket at " + pathInfo +
-            " is not usable.");
-      }
+      PerformanceAdvisory.LOG.debug(this + ": not trying to create a " +
+          "remote block reader because the UNIX domain socket at " +
+          pathInfo + " is not usable.");
       return null;
     }
     if (LOG.isTraceEnabled()) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DomainSocketFactory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DomainSocketFactory.java
index e067de7b4ad..5fd31a920cc 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DomainSocketFactory.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/shortcircuit/DomainSocketFactory.java
@@ -33,6 +33,7 @@
 import com.google.common.base.Preconditions;
 import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
+import org.apache.hadoop.util.PerformanceAdvisory;
 
 public class DomainSocketFactory {
   private static final Log LOG = LogFactory.getLog(DomainSocketFactory.class);
@@ -105,7 +106,8 @@ public DomainSocketFactory(Conf conf) {
     }
 
     if (feature == null) {
-      LOG.debug("Both short-circuit local reads and UNIX domain socket are disabled.");
+      PerformanceAdvisory.LOG.debug(
+          "Both short-circuit local reads and UNIX domain socket are disabled.");
     } else {
       if (conf.getDomainSocketPath().isEmpty()) {
         throw new HadoopIllegalArgumentException(feature + " is enabled but "

From b6b95ff66700e4db1d8d59a31c3048cb10504262 Mon Sep 17 00:00:00 2001
From: Colin Patrick Mccabe <cmccabe@cloudera.com>
Date: Wed, 27 Aug 2014 13:49:31 -0700
Subject: [PATCH 312/354] HDFS-6902. FileWriter should be closed in finally
 block in BlockReceiver#receiveBlock() (Tsuyoshi OZAWA via Colin Patrick
 McCabe)

---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt                 | 3 +++
 .../apache/hadoop/hdfs/server/datanode/BlockReceiver.java   | 6 ++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index f3ecf075219..d5797e842fd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -655,6 +655,9 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-6938. Cleanup javac warnings in FSNamesystem (Charles Lamb via wheat9)
 
+    HDFS-6902. FileWriter should be closed in finally block in
+    BlockReceiver#receiveBlock() (Tsuyoshi OZAWA via Colin Patrick McCabe)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
index afa8bbba481..bfb22331250 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
@@ -825,15 +825,17 @@ void receiveBlock(
               LOG.warn("Failed to delete restart meta file: " +
                   restartMeta.getPath());
             }
+            FileWriter out = null;
             try {
-              FileWriter out = new FileWriter(restartMeta);
+              out = new FileWriter(restartMeta);
               // write out the current time.
               out.write(Long.toString(Time.now() + restartBudget));
               out.flush();
-              out.close();
             } catch (IOException ioe) {
               // The worst case is not recovering this RBW replica. 
               // Client will fall back to regular pipeline recovery.
+            } finally {
+              IOUtils.cleanup(LOG, out);
             }
             try {              
               // Even if the connection is closed after the ack packet is

From 6962510f729717f776929708813f99a28e582f34 Mon Sep 17 00:00:00 2001
From: Colin Patrick Mccabe <cmccabe@cloudera.com>
Date: Wed, 27 Aug 2014 14:12:05 -0700
Subject: [PATCH 313/354] HDFS-6879. Adding tracing to Hadoop RPC.  Contributed
 by Masatake Iwasaki.

---
 hadoop-common-project/hadoop-common/pom.xml   |   4 +
 .../java/org/apache/hadoop/ipc/Client.java    |   8 +
 .../apache/hadoop/ipc/ProtobufRpcEngine.java  |  20 +-
 .../java/org/apache/hadoop/ipc/Server.java    |  43 ++-
 .../apache/hadoop/ipc/WritableRpcEngine.java  |  18 +-
 .../hadoop/tracing/SpanReceiverHost.java      | 153 ++++++++++
 .../org/apache/hadoop/util/ProtoUtil.java     |  11 +
 .../src/main/proto/RpcHeader.proto            |  13 +
 .../hadoop-common/src/site/apt/Tracing.apt.vm | 169 +++++++++++
 hadoop-hdfs-project/hadoop-hdfs/pom.xml       |   4 +
 .../hadoop/hdfs/server/datanode/DataNode.java |   7 +
 .../hadoop/hdfs/server/namenode/NameNode.java |   8 +
 .../apache/hadoop/tracing/TestTracing.java    | 280 ++++++++++++++++++
 hadoop-project/pom.xml                        |   5 +
 hadoop-project/src/site/site.xml              |   1 +
 15 files changed, 738 insertions(+), 6 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/tracing/SpanReceiverHost.java
 create mode 100644 hadoop-common-project/hadoop-common/src/site/apt/Tracing.apt.vm
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/tracing/TestTracing.java

diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml
index 09f1c5a2d32..ae495be0e65 100644
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@@ -224,6 +224,10 @@
       <scope>compile</scope>
     </dependency>
 
+    <dependency>
+      <groupId>org.htrace</groupId>
+      <artifactId>htrace-core</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.zookeeper</groupId>
       <artifactId>zookeeper</artifactId>
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
index 158445f8367..2f482c290ed 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
@@ -88,6 +88,7 @@
 import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.util.Time;
+import org.htrace.Trace;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
@@ -694,6 +695,9 @@ private synchronized void setupIOstreams() {
         if (LOG.isDebugEnabled()) {
           LOG.debug("Connecting to "+server);
         }
+        if (Trace.isTracing()) {
+          Trace.addTimelineAnnotation("IPC client connecting to " + server);
+        }
         short numRetries = 0;
         Random rand = null;
         while (true) {
@@ -758,6 +762,10 @@ public AuthMethod run()
           // update last activity time
           touch();
 
+          if (Trace.isTracing()) {
+            Trace.addTimelineAnnotation("IPC client connected to " + server);
+          }
+
           // start the receiver thread after the socket connection has been set
           // up
           start();
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/ProtobufRpcEngine.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/ProtobufRpcEngine.java
index 64615d22f85..0ccdb71d0ee 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/ProtobufRpcEngine.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/ProtobufRpcEngine.java
@@ -48,6 +48,9 @@
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.util.ProtoUtil;
 import org.apache.hadoop.util.Time;
+import org.htrace.Sampler;
+import org.htrace.Trace;
+import org.htrace.TraceScope;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.protobuf.BlockingService;
@@ -191,6 +194,16 @@ public Object invoke(Object proxy, Method method, Object[] args)
             + method.getName() + "]");
       }
 
+      TraceScope traceScope = null;
+      // if Tracing is on then start a new span for this rpc.
+      // guard it in the if statement to make sure there isn't
+      // any extra string manipulation.
+      if (Trace.isTracing()) {
+        traceScope = Trace.startSpan(
+            method.getDeclaringClass().getCanonicalName() +
+            "." + method.getName());
+      }
+
       RequestHeaderProto rpcRequestHeader = constructRpcRequestHeader(method);
       
       if (LOG.isTraceEnabled()) {
@@ -212,8 +225,13 @@ public Object invoke(Object proxy, Method method, Object[] args)
               remoteId + ": " + method.getName() +
                 " {" + e + "}");
         }
-
+        if (Trace.isTracing()) {
+          traceScope.getSpan().addTimelineAnnotation(
+              "Call got exception: " + e.getMessage());
+        }
         throw new ServiceException(e);
+      } finally {
+        if (traceScope != null) traceScope.close();
       }
 
       if (LOG.isDebugEnabled()) {
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
index 24dd0c21b82..021e03537b4 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
@@ -79,6 +79,7 @@
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.io.DataOutputBuffer;
+import org.apache.hadoop.io.IOUtils;
 import org.apache.hadoop.io.Writable;
 import org.apache.hadoop.io.WritableUtils;
 import org.apache.hadoop.ipc.ProtobufRpcEngine.RpcResponseMessageWrapper;
@@ -115,6 +116,10 @@
 import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.util.Time;
+import org.htrace.Span;
+import org.htrace.Trace;
+import org.htrace.TraceInfo;
+import org.htrace.TraceScope;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.protobuf.ByteString;
@@ -506,6 +511,7 @@ public static class Call implements Schedulable {
     private ByteBuffer rpcResponse;       // the response for this call
     private final RPC.RpcKind rpcKind;
     private final byte[] clientId;
+    private final Span traceSpan; // the tracing span on the server side
 
     public Call(int id, int retryCount, Writable param, 
         Connection connection) {
@@ -515,6 +521,11 @@ public Call(int id, int retryCount, Writable param,
 
     public Call(int id, int retryCount, Writable param, Connection connection,
         RPC.RpcKind kind, byte[] clientId) {
+      this(id, retryCount, param, connection, kind, clientId, null);
+    }
+
+    public Call(int id, int retryCount, Writable param, Connection connection,
+        RPC.RpcKind kind, byte[] clientId, Span span) {
       this.callId = id;
       this.retryCount = retryCount;
       this.rpcRequest = param;
@@ -523,6 +534,7 @@ public Call(int id, int retryCount, Writable param, Connection connection,
       this.rpcResponse = null;
       this.rpcKind = kind;
       this.clientId = clientId;
+      this.traceSpan = span;
     }
     
     @Override
@@ -1921,9 +1933,18 @@ private void processRpcRequest(RpcRequestHeaderProto header,
             RpcErrorCodeProto.FATAL_DESERIALIZING_REQUEST, err);
       }
         
+      Span traceSpan = null;
+      if (header.hasTraceInfo()) {
+        // If the incoming RPC included tracing info, always continue the trace
+        TraceInfo parentSpan = new TraceInfo(header.getTraceInfo().getTraceId(),
+                                             header.getTraceInfo().getParentId());
+        traceSpan = Trace.startSpan(rpcRequest.toString(), parentSpan).detach();
+      }
+
       Call call = new Call(header.getCallId(), header.getRetryCount(),
-          rpcRequest, this, ProtoUtil.convert(header.getRpcKind()), header
-              .getClientId().toByteArray());
+          rpcRequest, this, ProtoUtil.convert(header.getRpcKind()),
+          header.getClientId().toByteArray(), traceSpan);
+
       callQueue.put(call);              // queue the call; maybe blocked here
       incRpcCount();  // Increment the rpc count
     }
@@ -2067,6 +2088,7 @@ public void run() {
       ByteArrayOutputStream buf = 
         new ByteArrayOutputStream(INITIAL_RESP_BUF_SIZE);
       while (running) {
+        TraceScope traceScope = null;
         try {
           final Call call = callQueue.take(); // pop the queue; maybe blocked here
           if (LOG.isDebugEnabled()) {
@@ -2083,6 +2105,10 @@ public void run() {
           Writable value = null;
 
           CurCall.set(call);
+          if (call.traceSpan != null) {
+            traceScope = Trace.continueSpan(call.traceSpan);
+          }
+
           try {
             // Make the call as the user via Subject.doAs, thus associating
             // the call with the Subject
@@ -2156,9 +2182,22 @@ public Writable run() throws Exception {
         } catch (InterruptedException e) {
           if (running) {                          // unexpected -- log it
             LOG.info(Thread.currentThread().getName() + " unexpectedly interrupted", e);
+            if (Trace.isTracing()) {
+              traceScope.getSpan().addTimelineAnnotation("unexpectedly interrupted: " +
+                  StringUtils.stringifyException(e));
+            }
           }
         } catch (Exception e) {
           LOG.info(Thread.currentThread().getName() + " caught an exception", e);
+          if (Trace.isTracing()) {
+            traceScope.getSpan().addTimelineAnnotation("Exception: " +
+                StringUtils.stringifyException(e));
+          }
+        } finally {
+          if (traceScope != null) {
+            traceScope.close();
+          }
+          IOUtils.cleanup(LOG, traceScope);
         }
       }
       LOG.debug(Thread.currentThread().getName() + ": exiting");
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/WritableRpcEngine.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/WritableRpcEngine.java
index 04ab4dc2699..4b2dfe0de10 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/WritableRpcEngine.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/WritableRpcEngine.java
@@ -41,6 +41,8 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.*;
+import org.htrace.Trace;
+import org.htrace.TraceScope;
 
 /** An RpcEngine implementation for Writable data. */
 @InterfaceStability.Evolving
@@ -227,9 +229,19 @@ public Object invoke(Object proxy, Method method, Object[] args)
       if (LOG.isDebugEnabled()) {
         startTime = Time.now();
       }
-
-      ObjectWritable value = (ObjectWritable)
-        client.call(RPC.RpcKind.RPC_WRITABLE, new Invocation(method, args), remoteId);
+      TraceScope traceScope = null;
+      if (Trace.isTracing()) {
+        traceScope = Trace.startSpan(
+            method.getDeclaringClass().getCanonicalName() +
+            "." + method.getName());
+      }
+      ObjectWritable value;
+      try {
+        value = (ObjectWritable)
+          client.call(RPC.RpcKind.RPC_WRITABLE, new Invocation(method, args), remoteId);
+      } finally {
+        if (traceScope != null) traceScope.close();
+      }
       if (LOG.isDebugEnabled()) {
         long callTime = Time.now() - startTime;
         LOG.debug("Call: " + method.getName() + " " + callTime);
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/tracing/SpanReceiverHost.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/tracing/SpanReceiverHost.java
new file mode 100644
index 00000000000..b8c7b311ffa
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/tracing/SpanReceiverHost.java
@@ -0,0 +1,153 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.tracing;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.HashSet;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.util.ReflectionUtils;
+import org.apache.hadoop.util.ShutdownHookManager;
+import org.htrace.HTraceConfiguration;
+import org.htrace.SpanReceiver;
+import org.htrace.Trace;
+
+/**
+ * This class provides functions for reading the names of SpanReceivers from
+ * the Hadoop configuration, adding those SpanReceivers to the Tracer,
+ * and closing those SpanReceivers when appropriate.
+ * This class does nothing If no SpanReceiver is configured.
+ */
+@InterfaceAudience.Private
+public class SpanReceiverHost {
+  public static final String SPAN_RECEIVERS_CONF_KEY = "hadoop.trace.spanreceiver.classes";
+  private static final Log LOG = LogFactory.getLog(SpanReceiverHost.class);
+  private Collection<SpanReceiver> receivers = new HashSet<SpanReceiver>();
+  private boolean closed = false;
+
+  private static enum SingletonHolder {
+    INSTANCE;
+    Object lock = new Object();
+    SpanReceiverHost host = null;
+  }
+
+  public static SpanReceiverHost getInstance(Configuration conf) {
+    if (SingletonHolder.INSTANCE.host != null) {
+      return SingletonHolder.INSTANCE.host;
+    }
+    synchronized (SingletonHolder.INSTANCE.lock) {
+      if (SingletonHolder.INSTANCE.host != null) {
+        return SingletonHolder.INSTANCE.host;
+      }
+      SpanReceiverHost host = new SpanReceiverHost();
+      host.loadSpanReceivers(conf);
+      SingletonHolder.INSTANCE.host = host;
+      ShutdownHookManager.get().addShutdownHook(new Runnable() {
+          public void run() {
+            SingletonHolder.INSTANCE.host.closeReceivers();
+          }
+        }, 0);
+      return SingletonHolder.INSTANCE.host;
+    }
+  }
+
+  /**
+   * Reads the names of classes specified in the
+   * "hadoop.trace.spanreceiver.classes" property and instantiates and registers
+   * them with the Tracer as SpanReceiver's.
+   *
+   * The nullary constructor is called during construction, but if the classes
+   * specified implement the Configurable interface, setConfiguration() will be
+   * called on them. This allows SpanReceivers to use values from the Hadoop
+   * configuration.
+   */
+  public void loadSpanReceivers(Configuration conf) {
+    Class<?> implClass = null;
+    String[] receiverNames = conf.getTrimmedStrings(SPAN_RECEIVERS_CONF_KEY);
+    if (receiverNames == null || receiverNames.length == 0) {
+      return;
+    }
+    for (String className : receiverNames) {
+      className = className.trim();
+      try {
+        implClass = Class.forName(className);
+        receivers.add(loadInstance(implClass, conf));
+        LOG.info("SpanReceiver " + className + " was loaded successfully.");
+      } catch (ClassNotFoundException e) {
+        LOG.warn("Class " + className + " cannot be found.", e);
+      } catch (IOException e) {
+        LOG.warn("Load SpanReceiver " + className + " failed.", e);
+      }
+    }
+    for (SpanReceiver rcvr : receivers) {
+      Trace.addReceiver(rcvr);
+    }
+  }
+
+  private SpanReceiver loadInstance(Class<?> implClass, Configuration conf)
+      throws IOException {
+    SpanReceiver impl;
+    try {
+      Object o = ReflectionUtils.newInstance(implClass, conf);
+      impl = (SpanReceiver)o;
+      impl.configure(wrapHadoopConf(conf));
+    } catch (SecurityException e) {
+      throw new IOException(e);
+    } catch (IllegalArgumentException e) {
+      throw new IOException(e);
+    } catch (RuntimeException e) {
+      throw new IOException(e);
+    }
+
+    return impl;
+  }
+
+  private static HTraceConfiguration wrapHadoopConf(final Configuration conf) {
+    return new HTraceConfiguration() {
+      public static final String HTRACE_CONF_PREFIX = "hadoop.";
+
+      @Override
+      public String get(String key) {
+        return conf.get(HTRACE_CONF_PREFIX + key);
+      }
+
+      @Override
+      public String get(String key, String defaultValue) {
+        return conf.get(HTRACE_CONF_PREFIX + key, defaultValue);
+      }
+    };
+  }
+
+  /**
+   * Calls close() on all SpanReceivers created by this SpanReceiverHost.
+   */
+  public synchronized void closeReceivers() {
+    if (closed) return;
+    closed = true;
+    for (SpanReceiver rcvr : receivers) {
+      try {
+        rcvr.close();
+      } catch (IOException e) {
+        LOG.warn("Unable to close SpanReceiver correctly: " + e.getMessage(), e);
+      }
+    }
+  }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ProtoUtil.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ProtoUtil.java
index 79f8692842d..36b5ff11bc8 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ProtoUtil.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/ProtoUtil.java
@@ -27,6 +27,8 @@
 import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.*;
 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.htrace.Span;
+import org.htrace.Trace;
 
 import com.google.protobuf.ByteString;
 
@@ -165,6 +167,15 @@ public static RpcRequestHeaderProto makeRpcRequestHeader(RPC.RpcKind rpcKind,
     RpcRequestHeaderProto.Builder result = RpcRequestHeaderProto.newBuilder();
     result.setRpcKind(convert(rpcKind)).setRpcOp(operation).setCallId(callId)
         .setRetryCount(retryCount).setClientId(ByteString.copyFrom(uuid));
+
+    // Add tracing info if we are currently tracing.
+    if (Trace.isTracing()) {
+      Span s = Trace.currentSpan();
+      result.setTraceInfo(RPCTraceInfoProto.newBuilder()
+          .setParentId(s.getSpanId())
+          .setTraceId(s.getTraceId()).build());
+    }
+
     return result.build();
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/proto/RpcHeader.proto b/hadoop-common-project/hadoop-common/src/main/proto/RpcHeader.proto
index e8c4adac367..c8791508b5a 100644
--- a/hadoop-common-project/hadoop-common/src/main/proto/RpcHeader.proto
+++ b/hadoop-common-project/hadoop-common/src/main/proto/RpcHeader.proto
@@ -53,6 +53,18 @@ enum RpcKindProto {
 
 
    
+/**
+ * Used to pass through the information necessary to continue
+ * a trace after an RPC is made. All we need is the traceid
+ * (so we know the overarching trace this message is a part of), and
+ * the id of the current span when this message was sent, so we know
+ * what span caused the new span we will create when this message is received.
+ */
+message RPCTraceInfoProto {
+  optional int64 traceId = 1;
+  optional int64 parentId = 2;
+}
+
 message RpcRequestHeaderProto { // the header for the RpcRequest
   enum OperationProto {
     RPC_FINAL_PACKET        = 0; // The final RPC Packet
@@ -67,6 +79,7 @@ message RpcRequestHeaderProto { // the header for the RpcRequest
   // clientId + callId uniquely identifies a request
   // retry count, 1 means this is the first retry
   optional sint32 retryCount = 5 [default = -1];
+  optional RPCTraceInfoProto traceInfo = 6; // tracing info
 }
 
 
diff --git a/hadoop-common-project/hadoop-common/src/site/apt/Tracing.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/Tracing.apt.vm
new file mode 100644
index 00000000000..f777dd23c16
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/site/apt/Tracing.apt.vm
@@ -0,0 +1,169 @@
+~~ Licensed under the Apache License, Version 2.0 (the "License");
+~~ you may not use this file except in compliance with the License.
+~~ You may obtain a copy of the License at
+~~
+~~   http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing, software
+~~ distributed under the License is distributed on an "AS IS" BASIS,
+~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+~~ See the License for the specific language governing permissions and
+~~ limitations under the License. See accompanying LICENSE file.
+
+  ---
+  Hadoop Distributed File System-${project.version} - Enabling Dapper-like Tracing
+  ---
+  ---
+  ${maven.build.timestamp}
+
+Enabling Dapper-like Tracing in HDFS
+
+%{toc|section=1|fromDepth=0}
+
+* {Dapper-like Tracing in HDFS}
+
+** HTrace
+
+  {{{https://issues.apache.org/jira/browse/HDFS-5274}HDFS-5274}}
+  added support for tracing requests through HDFS,
+  using the open source tracing library, {{{https://github.com/cloudera/htrace}HTrace}}.
+  Setting up tracing is quite simple, however it requires some very minor changes to your client code.
+
+** SpanReceivers
+
+  The tracing system works by collecting information in structs called 'Spans'.
+  It is up to you to choose how you want to receive this information
+  by implementing the SpanReceiver interface, which defines one method:
+
++----
+public void receiveSpan(Span span);
++----
+
+  Configure what SpanReceivers you'd like to use
+  by putting a comma separated list of the fully-qualified class name of
+  classes implementing SpanReceiver
+  in <<<hdfs-site.xml>>> property: <<<hadoop.trace.spanreceiver.classes>>>.
+
++----
+  <property>
+    <name>hadoop.trace.spanreceiver.classes</name>
+    <value>org.htrace.impl.LocalFileSpanReceiver</value>
+  </property>
+  <property>
+    <name>hadoop.local-file-span-receiver.path</name>
+    <value>/var/log/hadoop/htrace.out</value>
+  </property>
++----
+
+** Setting up ZipkinSpanReceiver
+
+  Instead of implementing SpanReceiver by yourself,
+  you can use <<<ZipkinSpanReceiver>>> which uses
+  {{{https://github.com/twitter/zipkin}Zipkin}}
+  for collecting and dispalying tracing data.
+
+  In order to use <<<ZipkinSpanReceiver>>>,
+  you need to download and setup {{{https://github.com/twitter/zipkin}Zipkin}} first.
+
+  you also need to add the jar of <<<htrace-zipkin>>> to the classpath of Hadoop on each node.
+  Here is example setup procedure.
+
++----
+  $ git clone https://github.com/cloudera/htrace
+  $ cd htrace/htrace-zipkin
+  $ mvn compile assembly:single
+  $ cp target/htrace-zipkin-*-jar-with-dependencies.jar $HADOOP_HOME/share/hadoop/hdfs/lib/
++----
+
+  The sample configuration for <<<ZipkinSpanReceiver>>> is shown below.
+  By adding these to <<<hdfs-site.xml>>> of NameNode and DataNodes,
+  <<<ZipkinSpanReceiver>>> is initialized on the startup.
+  You also need this configuration on the client node in addition to the servers.
+
++----
+  <property>
+    <name>hadoop.trace.spanreceiver.classes</name>
+    <value>org.htrace.impl.ZipkinSpanReceiver</value>
+  </property>
+  <property>
+    <name>hadoop.zipkin.collector-hostname</name>
+    <value>192.168.1.2</value>
+  </property>
+  <property>
+    <name>hadoop.zipkin.collector-port</name>
+    <value>9410</value>
+  </property>
++----
+
+** Turning on tracing by HTrace API
+
+  In order to turn on Dapper-like tracing,
+  you will need to wrap the traced logic with <<tracing span>> as shown below.
+  When there is running tracing spans,
+  the tracing information is propagated to servers along with RPC requests.
+
+  In addition, you need to initialize <<<SpanReceiver>>> once per process.
+
++----
+import org.apache.hadoop.hdfs.HdfsConfiguration;
+import org.apache.hadoop.tracing.SpanReceiverHost;
+import org.htrace.Sampler;
+import org.htrace.Trace;
+import org.htrace.TraceScope;
+
+...
+
+    SpanReceiverHost.getInstance(new HdfsConfiguration());
+
+...
+
+    TraceScope ts = Trace.startSpan("Gets", Sampler.ALWAYS);
+    try {
+      ... // traced logic
+    } finally {
+      if (ts != null) ts.close();
+    }
++----
+
+** Sample code for tracing
+
+  The <<<TracingFsShell.java>>> shown below is the wrapper of FsShell
+  which start tracing span before invoking HDFS shell command.
+
++----
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FsShell;
+import org.apache.hadoop.hdfs.HdfsConfiguration;
+import org.apache.hadoop.tracing.SpanReceiverHost;
+import org.apache.hadoop.util.ToolRunner;
+import org.htrace.Sampler;
+import org.htrace.Trace;
+import org.htrace.TraceScope;
+
+public class TracingFsShell {
+  public static void main(String argv[]) throws Exception {
+    Configuration conf = new Configuration();
+    FsShell shell = new FsShell();
+    conf.setQuietMode(false);
+    shell.setConf(conf);
+    int res = 0;
+    SpanReceiverHost.init(new HdfsConfiguration());
+    TraceScope ts = null;
+    try {
+      ts = Trace.startSpan("FsShell", Sampler.ALWAYS);
+      res = ToolRunner.run(shell, argv);
+    } finally {
+      shell.close();
+      if (ts != null) ts.close();
+    }
+    System.exit(res);
+  }
+}
++----
+
+  You can compile and execute this code as shown below.
+
++----
+$ javac -cp `hadoop classpath` TracingFsShell.java
+$ HADOOP_CLASSPATH=. hdfs TracingFsShell -put sample.txt /tmp/
++----
diff --git a/hadoop-hdfs-project/hadoop-hdfs/pom.xml b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
index 9b026f2bdb5..81eae0ab510 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/pom.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
@@ -181,6 +181,10 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
       <artifactId>xercesImpl</artifactId>
       <scope>compile</scope>
     </dependency>
+    <dependency>
+      <groupId>org.htrace</groupId>
+      <artifactId>htrace-core</artifactId>
+    </dependency>
   </dependencies>
 
   <build>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
index df50eabacb7..1ec91d005b7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
@@ -180,6 +180,7 @@
 import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.util.Time;
 import org.apache.hadoop.util.VersionInfo;
+import org.apache.hadoop.tracing.SpanReceiverHost;
 import org.mortbay.util.ajax.JSON;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -326,6 +327,8 @@ public static InetSocketAddress createSocketAddr(String target) {
   private boolean isPermissionEnabled;
   private String dnUserName = null;
 
+  private SpanReceiverHost spanReceiverHost;
+
   /**
    * Create the DataNode given a configuration, an array of dataDirs,
    * and a namenode proxy
@@ -823,6 +826,7 @@ void startDataNode(Configuration conf,
     this.dataDirs = dataDirs;
     this.conf = conf;
     this.dnConf = new DNConf(conf);
+    this.spanReceiverHost = SpanReceiverHost.getInstance(conf);
 
     if (dnConf.maxLockedMemory > 0) {
       if (!NativeIO.POSIX.getCacheManipulator().verifyCanMlock()) {
@@ -1510,6 +1514,9 @@ public void shutdown() {
       MBeans.unregister(dataNodeInfoBeanName);
       dataNodeInfoBeanName = null;
     }
+    if (this.spanReceiverHost != null) {
+      this.spanReceiverHost.closeReceivers();
+    }
     if (shortCircuitRegistry != null) shortCircuitRegistry.shutdown();
     LOG.info("Shutdown complete.");
     synchronized(this) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
index 4072b1720d7..bcb5a8697d1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
@@ -60,6 +60,7 @@
 import org.apache.hadoop.security.authorize.RefreshAuthorizationPolicyProtocol;
 import org.apache.hadoop.ipc.RefreshCallQueueProtocol;
 import org.apache.hadoop.tools.GetUserMappingsProtocol;
+import org.apache.hadoop.tracing.SpanReceiverHost;
 import org.apache.hadoop.util.ExitUtil.ExitException;
 import org.apache.hadoop.util.GenericOptionsParser;
 import org.apache.hadoop.util.JvmPauseMonitor;
@@ -278,6 +279,7 @@ public long getProtocolVersion(String protocol,
 
   private JvmPauseMonitor pauseMonitor;
   private ObjectName nameNodeStatusBeanName;
+  private SpanReceiverHost spanReceiverHost;
   /**
    * The namenode address that clients will use to access this namenode
    * or the name service. For HA configurations using logical URI, it
@@ -586,6 +588,9 @@ protected void initialize(Configuration conf) throws IOException {
     if (NamenodeRole.NAMENODE == role) {
       startHttpServer(conf);
     }
+
+    this.spanReceiverHost = SpanReceiverHost.getInstance(conf);
+
     loadNamesystem(conf);
 
     rpcServer = createRpcServer(conf);
@@ -822,6 +827,9 @@ public void stop() {
         MBeans.unregister(nameNodeStatusBeanName);
         nameNodeStatusBeanName = null;
       }
+      if (this.spanReceiverHost != null) {
+        this.spanReceiverHost.closeReceivers();
+      }
     }
   }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/tracing/TestTracing.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/tracing/TestTracing.java
new file mode 100644
index 00000000000..bb923a2c6be
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/tracing/TestTracing.java
@@ -0,0 +1,280 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.tracing;
+
+import org.apache.commons.lang.RandomStringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FSDataInputStream;
+import org.apache.hadoop.fs.FSDataOutputStream;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.htrace.HTraceConfiguration;
+import org.htrace.Sampler;
+import org.htrace.Span;
+import org.htrace.SpanReceiver;
+import org.htrace.Trace;
+import org.htrace.TraceScope;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+public class TestTracing {
+
+  private static Configuration conf;
+  private static MiniDFSCluster cluster;
+  private static DistributedFileSystem dfs;
+
+  @Test
+  public void testSpanReceiverHost() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set(SpanReceiverHost.SPAN_RECEIVERS_CONF_KEY,
+        SetSpanReceiver.class.getName());
+    SpanReceiverHost spanReceiverHost = SpanReceiverHost.getInstance(conf);
+  }
+
+  @Test
+  public void testWriteTraceHooks() throws Exception {
+    long startTime = System.currentTimeMillis();
+    TraceScope ts = Trace.startSpan("testWriteTraceHooks", Sampler.ALWAYS);
+    Path file = new Path("traceWriteTest.dat");
+    FSDataOutputStream stream = dfs.create(file);
+
+    for (int i = 0; i < 10; i++) {
+      byte[] data = RandomStringUtils.randomAlphabetic(102400).getBytes();
+      stream.write(data);
+    }
+    stream.hflush();
+    stream.close();
+    long endTime = System.currentTimeMillis();
+    ts.close();
+
+    String[] expectedSpanNames = {
+      "testWriteTraceHooks",
+      "org.apache.hadoop.hdfs.protocol.ClientProtocol.create",
+      "org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.ClientNamenodeProtocol.BlockingInterface.create",
+      "org.apache.hadoop.hdfs.protocol.ClientProtocol.fsync",
+      "org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.ClientNamenodeProtocol.BlockingInterface.fsync",
+      "org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.ClientNamenodeProtocol.BlockingInterface.complete"
+    };
+    assertSpanNamesFound(expectedSpanNames);
+
+    // The trace should last about the same amount of time as the test
+    Map<String, List<Span>> map = SetSpanReceiver.SetHolder.getMap();
+    Span s = map.get("testWriteTraceHooks").get(0);
+    Assert.assertNotNull(s);
+    long spanStart = s.getStartTimeMillis();
+    long spanEnd = s.getStopTimeMillis();
+    Assert.assertTrue(spanStart - startTime < 100);
+    Assert.assertTrue(spanEnd - endTime < 100);
+
+    // There should only be one trace id as it should all be homed in the
+    // top trace.
+    for (Span span : SetSpanReceiver.SetHolder.spans) {
+      Assert.assertEquals(ts.getSpan().getTraceId(), span.getTraceId());
+    }
+  }
+
+  @Test
+  public void testWriteWithoutTraceHooks() throws Exception {
+    Path file = new Path("withoutTraceWriteTest.dat");
+    FSDataOutputStream stream = dfs.create(file);
+    for (int i = 0; i < 10; i++) {
+      byte[] data = RandomStringUtils.randomAlphabetic(102400).getBytes();
+      stream.write(data);
+    }
+    stream.hflush();
+    stream.close();
+    Assert.assertTrue(SetSpanReceiver.SetHolder.size() == 0);
+  }
+
+  @Test
+  public void testReadTraceHooks() throws Exception {
+    String fileName = "traceReadTest.dat";
+    Path filePath = new Path(fileName);
+
+    // Create the file.
+    FSDataOutputStream ostream = dfs.create(filePath);
+    for (int i = 0; i < 50; i++) {
+      byte[] data = RandomStringUtils.randomAlphabetic(10240).getBytes();
+      ostream.write(data);
+    }
+    ostream.close();
+
+
+    long startTime = System.currentTimeMillis();
+    TraceScope ts = Trace.startSpan("testReadTraceHooks", Sampler.ALWAYS);
+    FSDataInputStream istream = dfs.open(filePath, 10240);
+    ByteBuffer buf = ByteBuffer.allocate(10240);
+
+    int count = 0;
+    try {
+      while (istream.read(buf) > 0) {
+        count += 1;
+        buf.clear();
+        istream.seek(istream.getPos() + 5);
+      }
+    } catch (IOException ioe) {
+      // Ignore this it's probably a seek after eof.
+    } finally {
+      istream.close();
+    }
+    ts.getSpan().addTimelineAnnotation("count: " + count);
+    long endTime = System.currentTimeMillis();
+    ts.close();
+
+    String[] expectedSpanNames = {
+      "testReadTraceHooks",
+      "org.apache.hadoop.hdfs.protocol.ClientProtocol.getBlockLocations",
+      "org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.ClientNamenodeProtocol.BlockingInterface.getBlockLocations"
+    };
+    assertSpanNamesFound(expectedSpanNames);
+
+    // The trace should last about the same amount of time as the test
+    Map<String, List<Span>> map = SetSpanReceiver.SetHolder.getMap();
+    Span s = map.get("testReadTraceHooks").get(0);
+    Assert.assertNotNull(s);
+
+    long spanStart = s.getStartTimeMillis();
+    long spanEnd = s.getStopTimeMillis();
+    Assert.assertTrue(spanStart - startTime < 100);
+    Assert.assertTrue(spanEnd - endTime < 100);
+
+    // There should only be one trace id as it should all be homed in the
+    // top trace.
+    for (Span span : SetSpanReceiver.SetHolder.spans) {
+      Assert.assertEquals(ts.getSpan().getTraceId(), span.getTraceId());
+    }
+  }
+
+  @Test
+  public void testReadWithoutTraceHooks() throws Exception {
+    String fileName = "withoutTraceReadTest.dat";
+    Path filePath = new Path(fileName);
+
+    // Create the file.
+    FSDataOutputStream ostream = dfs.create(filePath);
+    for (int i = 0; i < 50; i++) {
+      byte[] data = RandomStringUtils.randomAlphabetic(10240).getBytes();
+      ostream.write(data);
+    }
+    ostream.close();
+
+    FSDataInputStream istream = dfs.open(filePath, 10240);
+    ByteBuffer buf = ByteBuffer.allocate(10240);
+
+    int count = 0;
+    try {
+      while (istream.read(buf) > 0) {
+        count += 1;
+        buf.clear();
+        istream.seek(istream.getPos() + 5);
+      }
+    } catch (IOException ioe) {
+      // Ignore this it's probably a seek after eof.
+    } finally {
+      istream.close();
+    }
+    Assert.assertTrue(SetSpanReceiver.SetHolder.size() == 0);
+  }
+
+  @Before
+  public void cleanSet() {
+    SetSpanReceiver.SetHolder.spans.clear();
+  }
+
+  @BeforeClass
+  public static void setupCluster() throws IOException {
+    conf = new Configuration();
+    conf.setLong("dfs.blocksize", 100 * 1024);
+    conf.set(SpanReceiverHost.SPAN_RECEIVERS_CONF_KEY,
+        SetSpanReceiver.class.getName());
+
+    cluster = new MiniDFSCluster.Builder(conf)
+        .numDataNodes(3)
+        .build();
+
+    dfs = cluster.getFileSystem();
+  }
+
+  @AfterClass
+  public static void shutDown() throws IOException {
+    cluster.shutdown();
+  }
+
+  private void assertSpanNamesFound(String[] expectedSpanNames) {
+    Map<String, List<Span>> map = SetSpanReceiver.SetHolder.getMap();
+    for (String spanName : expectedSpanNames) {
+      Assert.assertTrue("Should find a span with name " + spanName, map.get(spanName) != null);
+    }
+  }
+
+  /**
+   * Span receiver that puts all spans into a single set.
+   * This is useful for testing.
+   * <p/>
+   * We're not using HTrace's POJOReceiver here so as that doesn't
+   * push all the metrics to a static place, and would make testing
+   * SpanReceiverHost harder.
+   */
+  public static class SetSpanReceiver implements SpanReceiver {
+
+    public void configure(HTraceConfiguration conf) {
+    }
+
+    public void receiveSpan(Span span) {
+      SetHolder.spans.add(span);
+    }
+
+    public void close() {
+    }
+
+    public static class SetHolder {
+      public static Set<Span> spans = new HashSet<Span>();
+
+      public static int size() {
+        return spans.size();
+      }
+
+      public static Map<String, List<Span>> getMap() {
+        Map<String, List<Span>> map = new HashMap<String, List<Span>>();
+
+        for (Span s : spans) {
+          List<Span> l = map.get(s.getDescription());
+          if (l == null) {
+            l = new LinkedList<Span>();
+            map.put(s.getDescription(), l);
+          }
+          l.add(s);
+        }
+        return map;
+      }
+    }
+  }
+}
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index be5b3d51b59..beaeec63a77 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -677,6 +677,11 @@
         <artifactId>jsch</artifactId>
         <version>0.1.42</version>
       </dependency>
+      <dependency>
+        <groupId>org.htrace</groupId>
+        <artifactId>htrace-core</artifactId>
+        <version>3.0.4</version>
+      </dependency>
       <dependency>
         <groupId>org.jdom</groupId>
         <artifactId>jdom</artifactId>
diff --git a/hadoop-project/src/site/site.xml b/hadoop-project/src/site/site.xml
index 56288ee60ca..a42aff0a382 100644
--- a/hadoop-project/src/site/site.xml
+++ b/hadoop-project/src/site/site.xml
@@ -65,6 +65,7 @@
       <item name="Service Level Authorization" href="hadoop-project-dist/hadoop-common/ServiceLevelAuth.html"/>
       <item name="HTTP Authentication" href="hadoop-project-dist/hadoop-common/HttpAuthentication.html"/>
       <item name="Hadoop KMS" href="hadoop-kms/index.html"/>
+      <item name="Tracing" href="hadoop-project-dist/hadoop-common/Tracing.html"/>
     </menu>
     
     <menu name="HDFS" inherit="top">

From 37549576e7aca2fe3d0fe03ea2e82aeb953bca44 Mon Sep 17 00:00:00 2001
From: Colin Patrick Mccabe <cmccabe@cloudera.com>
Date: Wed, 27 Aug 2014 14:18:18 -0700
Subject: [PATCH 314/354] Add HDFS-6879 to CHANGES.txt

---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index d5797e842fd..30664c17a05 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -517,6 +517,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-4486. Add log category for long-running DFSClient notices (Zhe Zhang
     via Colin Patrick McCabe)
 
+    HDFS-6879. Adding tracing to Hadoop RPC (Masatake Iwasaki via Colin Patrick
+    McCabe)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)

From 7a167311918300b1f00868a83d2f71a1ca88e918 Mon Sep 17 00:00:00 2001
From: Colin Patrick Mccabe <cmccabe@cloudera.com>
Date: Wed, 27 Aug 2014 19:47:02 -0700
Subject: [PATCH 315/354] HADOOP-10957. The globber will sometimes erroneously
 return a permission denied exception when there is a non-terminal wildcard.

---
 .../java/org/apache/hadoop/fs/Globber.java    |   8 +-
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../org/apache/hadoop/fs/TestGlobPaths.java   | 260 ++++++++++++------
 3 files changed, 179 insertions(+), 92 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Globber.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Globber.java
index 5eee5e4fb3d..8a8137a3f01 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Globber.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Globber.java
@@ -232,6 +232,10 @@ public FileStatus[] glob() throws IOException {
               }
             }
             for (FileStatus child : children) {
+              if (componentIdx < components.size() - 1) {
+                // Don't try to recurse into non-directories.  See HADOOP-10957.
+                if (!child.isDirectory()) continue; 
+              }
               // Set the child path based on the parent path.
               child.setPath(new Path(candidate.getPath(),
                       child.getPath().getName()));
@@ -249,8 +253,8 @@ public FileStatus[] glob() throws IOException {
                 new Path(candidate.getPath(), component));
             if (childStatus != null) {
               newCandidates.add(childStatus);
-             }
-           }
+            }
+          }
         }
         candidates = newCandidates;
       }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 30664c17a05..1bb60254f56 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -673,6 +673,9 @@ Release 2.5.1 - UNRELEASED
 
   BUG FIXES
 
+    HADOOP-10957. The globber will sometimes erroneously return a permission
+    denied exception when there is a non-terminal wildcard (cmccabe)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestGlobPaths.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestGlobPaths.java
index dccc581d689..50e2e5b0a34 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestGlobPaths.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/fs/TestGlobPaths.java
@@ -37,7 +37,8 @@
 public class TestGlobPaths {
 
   private static final UserGroupInformation unprivilegedUser =
-      UserGroupInformation.createRemoteUser("myuser");
+    UserGroupInformation.createUserForTesting("myuser",
+        new String[] { "mygroup" });
 
   static class RegexPathFilter implements PathFilter {
 
@@ -55,9 +56,9 @@ public boolean accept(Path path) {
 
   static private MiniDFSCluster dfsCluster;
   static private FileSystem fs;
-  static private FileSystem unprivilegedFs;
+  static private FileSystem privilegedFs;
   static private FileContext fc;
-  static private FileContext unprivilegedFc;
+  static private FileContext privilegedFc;
   static final private int NUM_OF_PATHS = 4;
   static private String USER_DIR;
   private final Path[] path = new Path[NUM_OF_PATHS];
@@ -66,22 +67,15 @@ public boolean accept(Path path) {
   public static void setUp() throws Exception {
     final Configuration conf = new HdfsConfiguration();
     dfsCluster = new MiniDFSCluster.Builder(conf).build();
+
+    privilegedFs = FileSystem.get(conf);
+    privilegedFc = FileContext.getFileContext(conf);
+    // allow unpriviledged user ability to create paths
+    privilegedFs.setPermission(new Path("/"),
+                               FsPermission.createImmutable((short)0777));
+    UserGroupInformation.setLoginUser(unprivilegedUser);
     fs = FileSystem.get(conf);
-    unprivilegedFs =
-      unprivilegedUser.doAs(new PrivilegedExceptionAction<FileSystem>() {
-        @Override
-        public FileSystem run() throws IOException {
-          return FileSystem.get(conf);
-        }
-      });
     fc = FileContext.getFileContext(conf);
-    unprivilegedFc =
-      unprivilegedUser.doAs(new PrivilegedExceptionAction<FileContext>() {
-        @Override
-        public FileContext run() throws IOException {
-          return FileContext.getFileContext(conf);
-        }
-      });
     USER_DIR = fs.getHomeDirectory().toUri().getPath().toString();
   }
   
@@ -443,8 +437,8 @@ public void testPathFilter() throws IOException {
       String[] files = new String[] { USER_DIR + "/a", USER_DIR + "/a/b" };
       Path[] matchedPath = prepareTesting(USER_DIR + "/*/*", files,
           new RegexPathFilter("^.*" + Pattern.quote(USER_DIR) + "/a/b"));
-      assertEquals(matchedPath.length, 1);
-      assertEquals(matchedPath[0], path[1]);
+      assertEquals(1, matchedPath.length);
+      assertEquals(path[1], matchedPath[0]);
     } finally {
       cleanupDFS();
     }
@@ -793,9 +787,21 @@ private void cleanupDFS() throws IOException {
   /**
    * A glob test that can be run on either FileContext or FileSystem.
    */
-  private static interface FSTestWrapperGlobTest {
-    void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrapper,
-        FileSystem fs, FileContext fc) throws Exception;
+  private abstract class FSTestWrapperGlobTest {
+    FSTestWrapperGlobTest(boolean useFc) {
+      if (useFc) {
+        this.privWrap = new FileContextTestWrapper(privilegedFc);
+        this.wrap = new FileContextTestWrapper(fc);
+      } else {
+        this.privWrap = new FileSystemTestWrapper(privilegedFs);
+        this.wrap = new FileSystemTestWrapper(fs);
+      }
+    }
+
+    abstract void run() throws Exception;
+
+    final FSTestWrapper privWrap;
+    final FSTestWrapper wrap;
   }
 
   /**
@@ -804,8 +810,7 @@ void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrapper,
   private void testOnFileSystem(FSTestWrapperGlobTest test) throws Exception {
     try {
       fc.mkdir(new Path(USER_DIR), FsPermission.getDefault(), true);
-      test.run(new FileSystemTestWrapper(fs),
-          new FileSystemTestWrapper(unprivilegedFs), fs, null);
+      test.run();
     } finally {
       fc.delete(new Path(USER_DIR), true);
     }
@@ -817,8 +822,7 @@ private void testOnFileSystem(FSTestWrapperGlobTest test) throws Exception {
   private void testOnFileContext(FSTestWrapperGlobTest test) throws Exception {
     try {
       fs.mkdirs(new Path(USER_DIR));
-      test.run(new FileContextTestWrapper(fc),
-          new FileContextTestWrapper(unprivilegedFc), null, fc);
+      test.run();
     } finally {
       cleanupDFS();
     }
@@ -850,9 +854,12 @@ public boolean accept(Path path) {
   /**
    * Test globbing through symlinks.
    */
-  private static class TestGlobWithSymlinks implements FSTestWrapperGlobTest {
-    public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
-        FileSystem fs, FileContext fc) throws Exception {
+  private class TestGlobWithSymlinks extends FSTestWrapperGlobTest {
+    TestGlobWithSymlinks(boolean useFc) {
+      super(useFc);
+    }
+
+    void run() throws Exception {
       // Test that globbing through a symlink to a directory yields a path
       // containing that symlink.
       wrap.mkdir(new Path(USER_DIR + "/alpha"), FsPermission.getDirDefault(),
@@ -889,13 +896,13 @@ public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
   @Ignore
   @Test
   public void testGlobWithSymlinksOnFS() throws Exception {
-    testOnFileSystem(new TestGlobWithSymlinks());
+    testOnFileSystem(new TestGlobWithSymlinks(false));
   }
 
   @Ignore
   @Test
   public void testGlobWithSymlinksOnFC() throws Exception {
-    testOnFileContext(new TestGlobWithSymlinks());
+    testOnFileContext(new TestGlobWithSymlinks(true));
   }
 
   /**
@@ -903,10 +910,13 @@ public void testGlobWithSymlinksOnFC() throws Exception {
    *
    * Also test globbing dangling symlinks.  It should NOT throw any exceptions!
    */
-  private static class TestGlobWithSymlinksToSymlinks implements
+  private class TestGlobWithSymlinksToSymlinks extends
       FSTestWrapperGlobTest {
-    public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
-        FileSystem fs, FileContext fc) throws Exception {
+    TestGlobWithSymlinksToSymlinks(boolean useFc) {
+      super(useFc);
+    }
+
+    void run() throws Exception {
       // Test that globbing through a symlink to a symlink to a directory
       // fully resolves
       wrap.mkdir(new Path(USER_DIR + "/alpha"), FsPermission.getDirDefault(),
@@ -968,22 +978,25 @@ public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
   @Ignore
   @Test
   public void testGlobWithSymlinksToSymlinksOnFS() throws Exception {
-    testOnFileSystem(new TestGlobWithSymlinksToSymlinks());
+    testOnFileSystem(new TestGlobWithSymlinksToSymlinks(false));
   }
 
   @Ignore
   @Test
   public void testGlobWithSymlinksToSymlinksOnFC() throws Exception {
-    testOnFileContext(new TestGlobWithSymlinksToSymlinks());
+    testOnFileContext(new TestGlobWithSymlinksToSymlinks(true));
   }
 
   /**
    * Test globbing symlinks with a custom PathFilter
    */
-  private static class TestGlobSymlinksWithCustomPathFilter implements
+  private class TestGlobSymlinksWithCustomPathFilter extends
       FSTestWrapperGlobTest {
-    public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
-        FileSystem fs, FileContext fc) throws Exception {
+    TestGlobSymlinksWithCustomPathFilter(boolean useFc) {
+      super(useFc);
+    }
+
+    void run() throws Exception {
       // Test that globbing through a symlink to a symlink to a directory
       // fully resolves
       wrap.mkdir(new Path(USER_DIR + "/alpha"), FsPermission.getDirDefault(),
@@ -1019,21 +1032,24 @@ public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
   @Ignore
   @Test
   public void testGlobSymlinksWithCustomPathFilterOnFS() throws Exception {
-    testOnFileSystem(new TestGlobSymlinksWithCustomPathFilter());
+    testOnFileSystem(new TestGlobSymlinksWithCustomPathFilter(false));
   }
 
   @Ignore
   @Test
   public void testGlobSymlinksWithCustomPathFilterOnFC() throws Exception {
-    testOnFileContext(new TestGlobSymlinksWithCustomPathFilter());
+    testOnFileContext(new TestGlobSymlinksWithCustomPathFilter(true));
   }
 
   /**
    * Test that globStatus fills in the scheme even when it is not provided.
    */
-  private static class TestGlobFillsInScheme implements FSTestWrapperGlobTest {
-    public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
-        FileSystem fs, FileContext fc) throws Exception {
+  private class TestGlobFillsInScheme extends FSTestWrapperGlobTest {
+    TestGlobFillsInScheme(boolean useFc) {
+      super(useFc);
+    }
+
+    void run() throws Exception {
       // Verify that the default scheme is hdfs, when we don't supply one.
       wrap.mkdir(new Path(USER_DIR + "/alpha"), FsPermission.getDirDefault(),
           false);
@@ -1045,38 +1061,40 @@ public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
       Path path = statuses[0].getPath();
       Assert.assertEquals(USER_DIR + "/alpha", path.toUri().getPath());
       Assert.assertEquals("hdfs", path.toUri().getScheme());
-      if (fc != null) {
-        // If we're using FileContext, then we can list a file:/// URI.
-        // Since everyone should have the root directory, we list that.
-        statuses = wrap.globStatus(new Path("file:///"),
-            new AcceptAllPathFilter());
-        Assert.assertEquals(1, statuses.length);
-        Path filePath = statuses[0].getPath();
-        Assert.assertEquals("file", filePath.toUri().getScheme());
-        Assert.assertEquals("/", filePath.toUri().getPath());
-      } else {
-        // The FileSystem we passed in should have scheme 'hdfs'
-        Assert.assertEquals("hdfs", fs.getScheme());
-      }
+
+      // FileContext can list a file:/// URI.
+      // Since everyone should have the root directory, we list that.
+      statuses = fc.util().globStatus(new Path("file:///"),
+          new AcceptAllPathFilter());
+      Assert.assertEquals(1, statuses.length);
+      Path filePath = statuses[0].getPath();
+      Assert.assertEquals("file", filePath.toUri().getScheme());
+      Assert.assertEquals("/", filePath.toUri().getPath());
+
+      // The FileSystem should have scheme 'hdfs'
+      Assert.assertEquals("hdfs", fs.getScheme());
     }
   }
 
   @Test
   public void testGlobFillsInSchemeOnFS() throws Exception {
-    testOnFileSystem(new TestGlobFillsInScheme());
+    testOnFileSystem(new TestGlobFillsInScheme(false));
   }
 
   @Test
   public void testGlobFillsInSchemeOnFC() throws Exception {
-    testOnFileContext(new TestGlobFillsInScheme());
+    testOnFileContext(new TestGlobFillsInScheme(true));
   }
 
   /**
    * Test that globStatus works with relative paths.
    **/
-  private static class TestRelativePath implements FSTestWrapperGlobTest {
-    public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
-        FileSystem fs, FileContext fc) throws Exception {
+  private class TestRelativePath extends FSTestWrapperGlobTest {
+    TestRelativePath(boolean useFc) {
+      super(useFc);
+    }
+
+    void run() throws Exception {
       String[] files = new String[] { "a", "abc", "abc.p", "bacd" };
 
       Path[] path = new Path[files.length];
@@ -1095,19 +1113,26 @@ public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
       }
 
       assertEquals(globResults.length, 3);
-      assertEquals(USER_DIR + "/a;" + USER_DIR + "/abc;" + USER_DIR + "/abc.p",
-                    TestPath.mergeStatuses(globResults));
+
+      // The default working directory for FileSystem is the user's home
+      // directory.  For FileContext, the default is based on the UNIX user that
+      // started the jvm.  This is arguably a bug (see HADOOP-10944 for
+      // details).  We work around it here by explicitly calling
+      // getWorkingDirectory and going from there.
+      String pwd = wrap.getWorkingDirectory().toUri().getPath();
+      assertEquals(pwd + "/a;" + pwd + "/abc;" + pwd + "/abc.p",
+                               TestPath.mergeStatuses(globResults));
     }
   }
 
   @Test
   public void testRelativePathOnFS() throws Exception {
-    testOnFileSystem(new TestRelativePath());
+    testOnFileSystem(new TestRelativePath(false));
   }
 
   @Test
   public void testRelativePathOnFC() throws Exception {
-    testOnFileContext(new TestRelativePath());
+    testOnFileContext(new TestRelativePath(true));
   }
   
   /**
@@ -1115,17 +1140,20 @@ public void testRelativePathOnFC() throws Exception {
    * to list fails with AccessControlException rather than succeeding or
    * throwing any other exception.
    **/
-  private static class TestGlobAccessDenied implements FSTestWrapperGlobTest {
-    public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
-        FileSystem fs, FileContext fc) throws Exception {
-      wrap.mkdir(new Path("/nopermission/val"),
+  private class TestGlobAccessDenied extends FSTestWrapperGlobTest {
+    TestGlobAccessDenied(boolean useFc) {
+      super(useFc);
+    }
+
+    void run() throws Exception {
+      privWrap.mkdir(new Path("/nopermission/val"),
           new FsPermission((short)0777), true);
-      wrap.mkdir(new Path("/norestrictions/val"),
+      privWrap.mkdir(new Path("/norestrictions/val"),
           new FsPermission((short)0777), true);
-      wrap.setPermission(new Path("/nopermission"),
+      privWrap.setPermission(new Path("/nopermission"),
           new FsPermission((short)0));
       try {
-        unprivilegedWrap.globStatus(new Path("/no*/*"),
+        wrap.globStatus(new Path("/no*/*"),
             new AcceptAllPathFilter());
         Assert.fail("expected to get an AccessControlException when " +
             "globbing through a directory we don't have permissions " +
@@ -1134,7 +1162,7 @@ public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
       }
 
       Assert.assertEquals("/norestrictions/val",
-        TestPath.mergeStatuses(unprivilegedWrap.globStatus(
+        TestPath.mergeStatuses(wrap.globStatus(
             new Path("/norestrictions/*"),
                 new AcceptAllPathFilter())));
     }
@@ -1142,66 +1170,118 @@ public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
 
   @Test
   public void testGlobAccessDeniedOnFS() throws Exception {
-    testOnFileSystem(new TestGlobAccessDenied());
+    testOnFileSystem(new TestGlobAccessDenied(false));
   }
 
   @Test
   public void testGlobAccessDeniedOnFC() throws Exception {
-    testOnFileContext(new TestGlobAccessDenied());
+    testOnFileContext(new TestGlobAccessDenied(true));
   }
 
   /**
    * Test that trying to list a reserved path on HDFS via the globber works.
    **/
-  private static class TestReservedHdfsPaths implements FSTestWrapperGlobTest {
-    public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
-        FileSystem fs, FileContext fc) throws Exception {
+  private class TestReservedHdfsPaths extends FSTestWrapperGlobTest {
+    TestReservedHdfsPaths(boolean useFc) {
+      super(useFc);
+    }
+
+    void run() throws Exception {
       String reservedRoot = "/.reserved/.inodes/" + INodeId.ROOT_INODE_ID;
       Assert.assertEquals(reservedRoot,
-        TestPath.mergeStatuses(unprivilegedWrap.
+        TestPath.mergeStatuses(wrap.
             globStatus(new Path(reservedRoot), new AcceptAllPathFilter())));
       // These inodes don't show up via listStatus.
       Assert.assertEquals("",
-        TestPath.mergeStatuses(unprivilegedWrap.
+        TestPath.mergeStatuses(wrap.
             globStatus(new Path("/.reserved/*"), new AcceptAllPathFilter())));
     }
   }
 
   @Test
   public void testReservedHdfsPathsOnFS() throws Exception {
-    testOnFileSystem(new TestReservedHdfsPaths());
+    testOnFileSystem(new TestReservedHdfsPaths(false));
   }
 
   @Test
   public void testReservedHdfsPathsOnFC() throws Exception {
-    testOnFileContext(new TestReservedHdfsPaths());
+    testOnFileContext(new TestReservedHdfsPaths(true));
   }
   
   /**
    * Test trying to glob the root.  Regression test for HDFS-5888.
    **/
-  private static class TestGlobRoot implements FSTestWrapperGlobTest {
-    public void run(FSTestWrapper wrap, FSTestWrapper unprivilegedWrap,
-        FileSystem fs, FileContext fc) throws Exception {
+  private class TestGlobRoot extends FSTestWrapperGlobTest {
+    TestGlobRoot (boolean useFc) {
+      super(useFc);
+    }
+
+    void run() throws Exception {
       final Path rootPath = new Path("/");
       FileStatus oldRootStatus = wrap.getFileStatus(rootPath);
       String newOwner = UUID.randomUUID().toString();
-      wrap.setOwner(new Path("/"), newOwner, null);
+      privWrap.setOwner(new Path("/"), newOwner, null);
       FileStatus[] status = 
           wrap.globStatus(rootPath, new AcceptAllPathFilter());
       Assert.assertEquals(1, status.length);
       Assert.assertEquals(newOwner, status[0].getOwner());
-      wrap.setOwner(new Path("/"), oldRootStatus.getOwner(), null);
+      privWrap.setOwner(new Path("/"), oldRootStatus.getOwner(), null);
     }
   }
 
   @Test
   public void testGlobRootOnFS() throws Exception {
-    testOnFileSystem(new TestGlobRoot());
+    testOnFileSystem(new TestGlobRoot(false));
   }
 
   @Test
   public void testGlobRootOnFC() throws Exception {
-    testOnFileContext(new TestGlobRoot());
+    testOnFileContext(new TestGlobRoot(true));
+  }
+
+  /**
+   * Test glob expressions that don't appear at the end of the path.  Regression
+   * test for HADOOP-10957.
+   **/
+  private class TestNonTerminalGlobs extends FSTestWrapperGlobTest {
+    TestNonTerminalGlobs(boolean useFc) {
+      super(useFc);
+    }
+
+    void run() throws Exception {
+      try {
+        privWrap.mkdir(new Path("/filed_away/alpha"),
+            new FsPermission((short)0777), true);
+        privWrap.createFile(new Path("/filed"), 0);
+        FileStatus[] statuses =
+            wrap.globStatus(new Path("/filed*/alpha"),
+                  new AcceptAllPathFilter());
+        Assert.assertEquals(1, statuses.length);
+        Assert.assertEquals("/filed_away/alpha", statuses[0].getPath()
+            .toUri().getPath());
+        privWrap.mkdir(new Path("/filed_away/alphabet"),
+            new FsPermission((short)0777), true);
+        privWrap.mkdir(new Path("/filed_away/alphabet/abc"),
+            new FsPermission((short)0777), true);
+        statuses = wrap.globStatus(new Path("/filed*/alph*/*b*"),
+                  new AcceptAllPathFilter());
+        Assert.assertEquals(1, statuses.length);
+        Assert.assertEquals("/filed_away/alphabet/abc", statuses[0].getPath()
+            .toUri().getPath());
+      } finally {
+        privWrap.delete(new Path("/filed"), true);
+        privWrap.delete(new Path("/filed_away"), true);
+      }
+    }
+  }
+
+  @Test
+  public void testNonTerminalGlobsOnFS() throws Exception {
+    testOnFileSystem(new TestNonTerminalGlobs(false));
+  }
+
+  @Test
+  public void testNonTerminalGlobsOnFC() throws Exception {
+    testOnFileContext(new TestNonTerminalGlobs(true));
   }
 }

From c4c9a784114dba503fa49fd5b6f146479a1f3f18 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Wed, 27 Aug 2014 23:12:57 -0700
Subject: [PATCH 316/354] HADOOP-11001. Fix test-patch to work with the git
 repo. (kasha)

---
 dev-support/test-patch.sh                     | 26 ++++++++++---------
 .../hadoop-common/CHANGES.txt                 |  2 ++
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/dev-support/test-patch.sh b/dev-support/test-patch.sh
index ed671a64ebb..cbeb81987e7 100755
--- a/dev-support/test-patch.sh
+++ b/dev-support/test-patch.sh
@@ -16,7 +16,7 @@
 ulimit -n 1024
 
 ### Setup some variables.  
-### SVN_REVISION and BUILD_URL are set by Hudson if it is run by patch process
+### BUILD_URL is set by Hudson if it is run by patch process
 ### Read variables from properties file
 bindir=$(dirname $0)
 
@@ -36,7 +36,7 @@ BUILD_NATIVE=true
 PS=${PS:-ps}
 AWK=${AWK:-awk}
 WGET=${WGET:-wget}
-SVN=${SVN:-svn}
+GIT=${GIT:-git}
 GREP=${GREP:-grep}
 PATCH=${PATCH:-patch}
 DIFF=${DIFF:-diff}
@@ -59,13 +59,13 @@ printUsage() {
   echo "--mvn-cmd=<cmd>        The 'mvn' command to use (default \$MAVEN_HOME/bin/mvn, or 'mvn')"
   echo "--ps-cmd=<cmd>         The 'ps' command to use (default 'ps')"
   echo "--awk-cmd=<cmd>        The 'awk' command to use (default 'awk')"
-  echo "--svn-cmd=<cmd>        The 'svn' command to use (default 'svn')"
+  echo "--git-cmd=<cmd>        The 'git' command to use (default 'git')"
   echo "--grep-cmd=<cmd>       The 'grep' command to use (default 'grep')"
   echo "--patch-cmd=<cmd>      The 'patch' command to use (default 'patch')"
   echo "--diff-cmd=<cmd>       The 'diff' command to use (default 'diff')"
   echo "--findbugs-home=<path> Findbugs home directory (default FINDBUGS_HOME environment variable)"
   echo "--forrest-home=<path>  Forrest home directory (default FORREST_HOME environment variable)"
-  echo "--dirty-workspace      Allow the local SVN workspace to have uncommitted changes"
+  echo "--dirty-workspace      Allow the local git workspace to have uncommitted changes"
   echo "--run-tests            Run all tests below the base directory"
   echo "--build-native=<bool>  If true, then build native components (default 'true')"
   echo
@@ -107,8 +107,8 @@ parseArgs() {
     --wget-cmd=*)
       WGET=${i#*=}
       ;;
-    --svn-cmd=*)
-      SVN=${i#*=}
+    --git-cmd=*)
+      GIT=${i#*=}
       ;;
     --grep-cmd=*)
       GREP=${i#*=}
@@ -197,7 +197,7 @@ checkout () {
   echo ""
   ### When run by a developer, if the workspace contains modifications, do not continue
   ### unless the --dirty-workspace option was set
-  status=`$SVN stat --ignore-externals | sed -e '/^X[ ]*/D'`
+  status=`$GIT status --porcelain`
   if [[ $JENKINS == "false" ]] ; then
     if [[ "$status" != "" && -z $DIRTY_WORKSPACE ]] ; then
       echo "ERROR: can't run in a workspace that contains the following modifications"
@@ -207,10 +207,12 @@ checkout () {
     echo
   else   
     cd $BASEDIR
-    $SVN revert -R .
-    rm -rf `$SVN status --no-ignore`
-    $SVN update
+    $GIT reset --hard
+    $GIT clean -xdf
+    $GIT checkout trunk
+    $GIT pull --rebase
   fi
+  GIT_REVISION=`git rev-parse --verify --short HEAD`
   return $?
 }
 
@@ -229,10 +231,10 @@ downloadPatch () {
     echo "$defect patch is being downloaded at `date` from"
     echo "$patchURL"
     $WGET -q -O $PATCH_DIR/patch $patchURL
-    VERSION=${SVN_REVISION}_${defect}_PATCH-${patchNum}
+    VERSION=${GIT_REVISION}_${defect}_PATCH-${patchNum}
     JIRA_COMMENT="Here are the results of testing the latest attachment 
   $patchURL
-  against trunk revision ${SVN_REVISION}."
+  against trunk revision ${GIT_REVISION}."
 
     ### Copy in any supporting files needed by this process
     cp -r $SUPPORT_DIR/lib/* ./lib
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index b13cd79bc69..ecbaaab06bd 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -713,6 +713,8 @@ Release 2.5.1 - UNRELEASED
 
   BUG FIXES
 
+    HADOOP-11001. Fix test-patch to work with the git repo. (kasha)
+
 Release 2.5.0 - 2014-08-11
 
   INCOMPATIBLE CHANGES

From d1ae479aa5ae4d3e7ec80e35892e1699c378f813 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Thu, 28 Aug 2014 14:45:40 -0700
Subject: [PATCH 317/354] HADOOP-10880. Move HTTP delegation tokens out of URL
 querystring to a header. (tucu)

---
 .../hadoop-common/CHANGES.txt                 |  3 +
 .../web/DelegationTokenAuthenticatedURL.java  | 81 ++++++++++++++++---
 .../DelegationTokenAuthenticationHandler.java | 14 +++-
 .../web/DelegationTokenAuthenticator.java     | 19 ++++-
 ...onTokenAuthenticationHandlerWithMocks.java | 46 ++++++++++-
 .../web/TestWebDelegationToken.java           | 50 +++++++++++-
 6 files changed, 187 insertions(+), 26 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index ecbaaab06bd..641635ba48d 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -518,6 +518,9 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-10998. Fix bash tab completion code to work (Jim Hester via aw)
 
+    HADOOP-10880. Move HTTP delegation tokens out of URL querystring to 
+    a header. (tucu)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java
index d955ada8571..5aeb1772c81 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java
@@ -125,6 +125,8 @@ public static void setDefaultDelegationTokenAuthenticator(
     }
   }
 
+  private boolean useQueryStringforDelegationToken = false;
+
   /**
    * Creates an <code>DelegationTokenAuthenticatedURL</code>.
    * <p/>
@@ -170,6 +172,34 @@ public DelegationTokenAuthenticatedURL(
     super(obtainDelegationTokenAuthenticator(authenticator), connConfigurator);
   }
 
+  /**
+   * Sets if delegation token should be transmitted in the URL query string.
+   * By default it is transmitted using the
+   * {@link DelegationTokenAuthenticator#DELEGATION_TOKEN_HEADER} HTTP header.
+   * <p/>
+   * This method is provided to enable WebHDFS backwards compatibility.
+   *
+   * @param useQueryString  <code>TRUE</code> if the token is transmitted in the
+   * URL query string, <code>FALSE</code> if the delegation token is transmitted
+   * using the {@link DelegationTokenAuthenticator#DELEGATION_TOKEN_HEADER} HTTP
+   * header.
+   */
+  @Deprecated
+  protected void setUseQueryStringForDelegationToken(boolean useQueryString) {
+    useQueryStringforDelegationToken = useQueryString;
+  }
+
+  /**
+   * Returns if delegation token is transmitted as a HTTP header.
+   *
+   * @return <code>TRUE</code> if the token is transmitted in the URL query
+   * string, <code>FALSE</code> if the delegation token is transmitted using the
+   * {@link DelegationTokenAuthenticator#DELEGATION_TOKEN_HEADER} HTTP header.
+   */
+  public boolean useQueryStringForDelegationToken() {
+    return useQueryStringforDelegationToken;
+  }
+
   /**
    * Returns an authenticated {@link HttpURLConnection}, it uses a Delegation
    * Token only if the given auth token is an instance of {@link Token} and
@@ -235,23 +265,41 @@ private URL augmentURL(URL url, Map<String, String> params)
    * @throws IOException if an IO error occurred.
    * @throws AuthenticationException if an authentication exception occurred.
    */
+  @SuppressWarnings("unchecked")
   public HttpURLConnection openConnection(URL url, Token token, String doAs)
       throws IOException, AuthenticationException {
     Preconditions.checkNotNull(url, "url");
     Preconditions.checkNotNull(token, "token");
     Map<String, String> extraParams = new HashMap<String, String>();
-
-    // delegation token
-    Credentials creds = UserGroupInformation.getCurrentUser().getCredentials();
-    if (!creds.getAllTokens().isEmpty()) {
-      InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
-          url.getPort());
-      Text service = SecurityUtil.buildTokenService(serviceAddr);
-      org.apache.hadoop.security.token.Token<? extends TokenIdentifier> dt =
-          creds.getToken(service);
-      if (dt != null) {
-        extraParams.put(KerberosDelegationTokenAuthenticator.DELEGATION_PARAM,
-            dt.encodeToUrlString());
+    org.apache.hadoop.security.token.Token<? extends TokenIdentifier> dToken
+        = null;
+    // if we have valid auth token, it takes precedence over a delegation token
+    // and we don't even look for one.
+    if (!token.isSet()) {
+      // delegation token
+      Credentials creds = UserGroupInformation.getCurrentUser().
+          getCredentials();
+      if (!creds.getAllTokens().isEmpty()) {
+        InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
+            url.getPort());
+        Text service = SecurityUtil.buildTokenService(serviceAddr);
+        dToken = creds.getToken(service);
+        if (dToken != null) {
+          if (useQueryStringForDelegationToken()) {
+            // delegation token will go in the query string, injecting it
+            extraParams.put(
+                KerberosDelegationTokenAuthenticator.DELEGATION_PARAM,
+                dToken.encodeToUrlString());
+          } else {
+            // delegation token will go as request header, setting it in the
+            // auth-token to ensure no authentication handshake is triggered
+            // (if we have a delegation token, we are authenticated)
+            // the delegation token header is injected in the connection request
+            // at the end of this method.
+            token.delegationToken = (org.apache.hadoop.security.token.Token
+                <AbstractDelegationTokenIdentifier>) dToken;
+          }
+        }
       }
     }
 
@@ -261,7 +309,14 @@ public HttpURLConnection openConnection(URL url, Token token, String doAs)
     }
 
     url = augmentURL(url, extraParams);
-    return super.openConnection(url, token);
+    HttpURLConnection conn = super.openConnection(url, token);
+    if (!token.isSet() && !useQueryStringForDelegationToken() && dToken != null) {
+      // injecting the delegation token header in the connection request
+      conn.setRequestProperty(
+          DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER,
+          dToken.encodeToUrlString());
+    }
+    return conn;
   }
 
   /**
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
index 670ec551a09..e4d942491fe 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
@@ -331,8 +331,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
       HttpServletResponse response)
       throws IOException, AuthenticationException {
     AuthenticationToken token;
-    String delegationParam = ServletUtils.getParameter(request,
-        KerberosDelegationTokenAuthenticator.DELEGATION_PARAM);
+    String delegationParam = getDelegationToken(request);
     if (delegationParam != null) {
       try {
         Token<DelegationTokenIdentifier> dt =
@@ -356,4 +355,15 @@ public AuthenticationToken authenticate(HttpServletRequest request,
     return token;
   }
 
+  private String getDelegationToken(HttpServletRequest request)
+      throws IOException {
+    String dToken = request.getHeader(
+        DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER);
+    if (dToken == null) {
+      dToken = ServletUtils.getParameter(request,
+          KerberosDelegationTokenAuthenticator.DELEGATION_PARAM);
+    }
+    return dToken;
+  }
+
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
index ec192dab8ca..18df56ccf3f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
@@ -56,6 +56,9 @@ public abstract class DelegationTokenAuthenticator implements Authenticator {
 
   public static final String OP_PARAM = "op";
 
+  public static final String DELEGATION_TOKEN_HEADER =
+      "X-Hadoop-Delegation-Token";
+
   public static final String DELEGATION_PARAM = "delegation";
   public static final String TOKEN_PARAM = "token";
   public static final String RENEWER_PARAM = "renewer";
@@ -101,15 +104,23 @@ public void setConnectionConfigurator(ConnectionConfigurator configurator) {
     authenticator.setConnectionConfigurator(configurator);
   }
 
-  private boolean hasDelegationToken(URL url) {
-    String queryStr = url.getQuery();
-    return (queryStr != null) && queryStr.contains(DELEGATION_PARAM + "=");
+  private boolean hasDelegationToken(URL url, AuthenticatedURL.Token token) {
+    boolean hasDt = false;
+    if (token instanceof DelegationTokenAuthenticatedURL.Token) {
+      hasDt = ((DelegationTokenAuthenticatedURL.Token) token).
+          getDelegationToken() != null;
+    }
+    if (!hasDt) {
+      String queryStr = url.getQuery();
+      hasDt = (queryStr != null) && queryStr.contains(DELEGATION_PARAM + "=");
+    }
+    return hasDt;
   }
 
   @Override
   public void authenticate(URL url, AuthenticatedURL.Token token)
       throws IOException, AuthenticationException {
-    if (!hasDelegationToken(url)) {
+    if (!hasDelegationToken(url, token)) {
       authenticator.authenticate(url, token);
     }
   }
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java
index c9d255dc5aa..7880fa1368b 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java
@@ -284,11 +284,13 @@ private void testRenewToken() throws Exception {
 
   @Test
   public void testAuthenticate() throws Exception {
-    testValidDelegationToken();
-    testInvalidDelegationToken();
+    testValidDelegationTokenQueryString();
+    testValidDelegationTokenHeader();
+    testInvalidDelegationTokenQueryString();
+    testInvalidDelegationTokenHeader();
   }
 
-  private void testValidDelegationToken() throws Exception {
+  private void testValidDelegationTokenQueryString() throws Exception {
     HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
     HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
     Token<DelegationTokenIdentifier> dToken =
@@ -307,7 +309,26 @@ private void testValidDelegationToken() throws Exception {
     Assert.assertTrue(token.isExpired());
   }
 
-  private void testInvalidDelegationToken() throws Exception {
+  private void testValidDelegationTokenHeader() throws Exception {
+    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+    Token<DelegationTokenIdentifier> dToken =
+        handler.getTokenManager().createToken(
+            UserGroupInformation.getCurrentUser(), "user");
+    Mockito.when(request.getHeader(Mockito.eq(
+        DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER))).thenReturn(
+        dToken.encodeToUrlString());
+
+    AuthenticationToken token = handler.authenticate(request, response);
+    Assert.assertEquals(UserGroupInformation.getCurrentUser().
+        getShortUserName(), token.getUserName());
+    Assert.assertEquals(0, token.getExpires());
+    Assert.assertEquals(handler.getType(),
+        token.getType());
+    Assert.assertTrue(token.isExpired());
+  }
+
+  private void testInvalidDelegationTokenQueryString() throws Exception {
     HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
     HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
     Mockito.when(request.getQueryString()).thenReturn(
@@ -323,4 +344,21 @@ private void testInvalidDelegationToken() throws Exception {
     }
   }
 
+  private void testInvalidDelegationTokenHeader() throws Exception {
+    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+    Mockito.when(request.getHeader(Mockito.eq(
+        DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER))).thenReturn(
+        "invalid");
+
+    try {
+      handler.authenticate(request, response);
+      Assert.fail();
+    } catch (AuthenticationException ex) {
+      //NOP
+    } catch (Exception ex) {
+      Assert.fail();
+    }
+  }
+
 }
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
index 1b452f18241..118abff2a56 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
@@ -149,6 +149,15 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
         throws ServletException, IOException {
       resp.setStatus(HttpServletResponse.SC_OK);
       resp.getWriter().write("ping");
+      if (req.getHeader(DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER)
+          != null) {
+        resp.setHeader("UsingHeader", "true");
+      }
+      if (req.getQueryString() != null &&
+          req.getQueryString().contains(
+              DelegationTokenAuthenticator.DELEGATION_PARAM + "=")) {
+        resp.setHeader("UsingQueryString", "true");
+      }
     }
 
     @Override
@@ -314,7 +323,20 @@ public void testRawHttpCalls() throws Exception {
   }
 
   @Test
-  public void testDelegationTokenAuthenticatorCalls() throws Exception {
+  public void testDelegationTokenAuthenticatorCallsWithHeader()
+      throws Exception {
+    testDelegationTokenAuthenticatorCalls(false);
+  }
+
+  @Test
+  public void testDelegationTokenAuthenticatorCallsWithQueryString()
+      throws Exception {
+    testDelegationTokenAuthenticatorCalls(true);
+  }
+
+
+  private void testDelegationTokenAuthenticatorCalls(final boolean useQS)
+      throws Exception {
     final Server jetty = createJettyServer();
     Context context = new Context();
     context.setContextPath("/foo");
@@ -324,14 +346,15 @@ public void testDelegationTokenAuthenticatorCalls() throws Exception {
 
     try {
       jetty.start();
-      URL nonAuthURL = new URL(getJettyURL() + "/foo/bar");
+      final URL nonAuthURL = new URL(getJettyURL() + "/foo/bar");
       URL authURL = new URL(getJettyURL() + "/foo/bar?authenticated=foo");
       URL authURL2 = new URL(getJettyURL() + "/foo/bar?authenticated=bar");
 
       DelegationTokenAuthenticatedURL.Token token =
           new DelegationTokenAuthenticatedURL.Token();
-      DelegationTokenAuthenticatedURL aUrl =
+      final DelegationTokenAuthenticatedURL aUrl =
           new DelegationTokenAuthenticatedURL();
+      aUrl.setUseQueryStringForDelegationToken(useQS);
 
       try {
         aUrl.getDelegationToken(nonAuthURL, token, FOO_USER);
@@ -379,6 +402,27 @@ public void testDelegationTokenAuthenticatorCalls() throws Exception {
         Assert.assertTrue(ex.getMessage().contains("401"));
       }
 
+      aUrl.getDelegationToken(authURL, token, "foo");
+
+      UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+      ugi.addToken(token.getDelegationToken());
+      ugi.doAs(new PrivilegedExceptionAction<Void>() {
+                 @Override
+                 public Void run() throws Exception {
+                   HttpURLConnection conn = aUrl.openConnection(nonAuthURL, new DelegationTokenAuthenticatedURL.Token());
+                   Assert.assertEquals(HttpServletResponse.SC_OK, conn.getResponseCode());
+                   if (useQS) {
+                     Assert.assertNull(conn.getHeaderField("UsingHeader"));
+                     Assert.assertNotNull(conn.getHeaderField("UsingQueryString"));
+                   } else {
+                     Assert.assertNotNull(conn.getHeaderField("UsingHeader"));
+                     Assert.assertNull(conn.getHeaderField("UsingQueryString"));
+                   }
+                   return null;
+                 }
+               });
+
+
     } finally {
       jetty.stop();
     }

From 88c5e2141c4e85c2cac9463aaf68091a0e93302e Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@cloudera.com>
Date: Wed, 27 Aug 2014 09:03:11 -0700
Subject: [PATCH 318/354] Fixing CHANGES.txt, moving HADOOP-8815 to 2.6.0
 release

---
 hadoop-common-project/hadoop-common/CHANGES.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 641635ba48d..2d794cf0029 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -232,9 +232,6 @@ Trunk (Unreleased)
     HADOOP-8813. Add InterfaceAudience and InterfaceStability annotations
     to RPC Server and Client classes. (Brandon Li via suresh)
 
-    HADOOP-8815. RandomDatum needs to override hashCode().
-    (Brandon Li via suresh)
-
     HADOOP-8436. NPE In getLocalPathForWrite ( path, conf ) when the
     required context item is not configured
     (Brahma Reddy Battula via harsh)
@@ -704,6 +701,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10989. Work around buggy getgrouplist() implementations on Linux that
     return 0 on failure. (cnauroth)
 
+    HADOOP-8815. RandomDatum needs to override hashCode().
+    (Brandon Li via suresh)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES

From d9a7404c389ea1adffe9c13f7178b54678577b56 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@cloudera.com>
Date: Tue, 26 Aug 2014 12:00:37 -0700
Subject: [PATCH 319/354] Fix up CHANGES.txt for HDFS-6134, HADOOP-10150 and
 related JIRAs following merge to branch-2

Conflicts:
	hadoop-common-project/hadoop-common/CHANGES.txt
	hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
	hadoop-mapreduce-project/CHANGES.txt

Conflicts:
	hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
---
 .../hadoop-common/CHANGES.txt                 | 101 +++++-----
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   | 185 +++++++++---------
 hadoop-mapreduce-project/CHANGES.txt          |  23 +--
 3 files changed, 155 insertions(+), 154 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 2d794cf0029..9fb0cd3b4f5 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -328,56 +328,6 @@ Trunk (Unreleased)
 
     HADOOP-8589. ViewFs tests fail when tests and home dirs are nested (sanjay Radia)
 
-  BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
-
-    HADOOP-10734. Implement high-performance secure random number sources.
-    (Yi Liu via Colin Patrick McCabe)
-
-    HADOOP-10603. Crypto input and output streams implementing Hadoop stream
-    interfaces. (Yi Liu and Charles Lamb)
-
-    HADOOP-10628. Javadoc and few code style improvement for Crypto
-    input and output streams. (Yi Liu via clamb)
-
-    HADOOP-10632. Minor improvements to Crypto input and output streams. 
-    (Yi Liu)
-
-    HADOOP-10635. Add a method to CryptoCodec to generate SRNs for IV. (Yi Liu)
-
-    HADOOP-10653. Add a new constructor for CryptoInputStream that 
-    receives current position of wrapped stream. (Yi Liu)
-
-    HADOOP-10662. NullPointerException in CryptoInputStream while wrapped
-    stream is not ByteBufferReadable. Add tests using normal stream. (Yi Liu)
-
-    HADOOP-10713. Refactor CryptoCodec#generateSecureRandom to take a byte[]. 
-    (wang via yliu)
-
-    HADOOP-10693. Implementation of AES-CTR CryptoCodec using JNI to OpenSSL. 
-    (Yi Liu via cmccabe)
-
-    HADOOP-10803. Update OpensslCipher#getInstance to accept CipherSuite#name
-    format. (Yi Liu)
-
-    HADOOP-10735. Fall back AesCtrCryptoCodec implementation from OpenSSL to
-    JCE if non native support. (Yi Liu)
-
-    HADOOP-10870. Failed to load OpenSSL cipher error logs on systems with old
-    openssl versions (cmccabe)
-
-    HADOOP-10853. Refactor get instance of CryptoCodec and support create via
-    algorithm/mode/padding. (Yi Liu)
-
-    HADOOP-10919. Copy command should preserve raw.* namespace
-    extended attributes. (clamb)
-
-    HDFS-6873. Constants in CommandWithDestination should be static. (clamb)
-
-    HADOOP-10871. incorrect prototype in OpensslSecureRandom.c (cmccabe)
-
-    HADOOP-10886. CryptoCodec#getCodecclasses throws NPE when configurations not 
-    loaded. (umamahesh)
-
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
@@ -704,6 +654,57 @@ Release 2.6.0 - UNRELEASED
     HADOOP-8815. RandomDatum needs to override hashCode().
     (Brandon Li via suresh)
 
+    BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
+  
+      HADOOP-10734. Implement high-performance secure random number sources.
+      (Yi Liu via Colin Patrick McCabe)
+  
+      HADOOP-10603. Crypto input and output streams implementing Hadoop stream
+      interfaces. (Yi Liu and Charles Lamb)
+  
+      HADOOP-10628. Javadoc and few code style improvement for Crypto
+      input and output streams. (Yi Liu via clamb)
+  
+      HADOOP-10632. Minor improvements to Crypto input and output streams. 
+      (Yi Liu)
+  
+      HADOOP-10635. Add a method to CryptoCodec to generate SRNs for IV. (Yi Liu)
+  
+      HADOOP-10653. Add a new constructor for CryptoInputStream that 
+      receives current position of wrapped stream. (Yi Liu)
+  
+      HADOOP-10662. NullPointerException in CryptoInputStream while wrapped
+      stream is not ByteBufferReadable. Add tests using normal stream. (Yi Liu)
+  
+      HADOOP-10713. Refactor CryptoCodec#generateSecureRandom to take a byte[]. 
+      (wang via yliu)
+  
+      HADOOP-10693. Implementation of AES-CTR CryptoCodec using JNI to OpenSSL. 
+      (Yi Liu via cmccabe)
+  
+      HADOOP-10803. Update OpensslCipher#getInstance to accept CipherSuite#name
+      format. (Yi Liu)
+  
+      HADOOP-10735. Fall back AesCtrCryptoCodec implementation from OpenSSL to
+      JCE if non native support. (Yi Liu)
+  
+      HADOOP-10870. Failed to load OpenSSL cipher error logs on systems with old
+      openssl versions (cmccabe)
+  
+      HADOOP-10853. Refactor get instance of CryptoCodec and support create via
+      algorithm/mode/padding. (Yi Liu)
+  
+      HADOOP-10919. Copy command should preserve raw.* namespace
+      extended attributes. (clamb)
+  
+      HDFS-6873. Constants in CommandWithDestination should be static. (clamb)
+  
+      HADOOP-10871. incorrect prototype in OpensslSecureRandom.c (cmccabe)
+  
+      HADOOP-10886. CryptoCodec#getCodecclasses throws NPE when configurations not 
+      loaded. (umamahesh)      
+    --
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 1bb60254f56..2c56407c90c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -255,99 +255,6 @@ Trunk (Unreleased)
     HDFS-6657. Remove link to 'Legacy UI' in trunk's Namenode UI.
     (Vinayakumar B via wheat 9)
 
-  BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
-
-    HDFS-6387. HDFS CLI admin tool for creating & deleting an
-    encryption zone. (clamb)
-
-    HDFS-6386. HDFS Encryption Zones (clamb)
-
-    HDFS-6388. HDFS integration with KeyProvider. (clamb)
-
-    HDFS-6473. Protocol and API for Encryption Zones (clamb)
-
-    HDFS-6392. Wire crypto streams for encrypted files in
-    DFSClient. (clamb and yliu)
-
-    HDFS-6476. Print out the KeyProvider after finding KP successfully on
-    startup. (Juan Yu via wang)
-
-    HDFS-6391. Get the Key/IV from the NameNode for encrypted files in
-    DFSClient. (Charles Lamb and wang)
-
-    HDFS-6389. Rename restrictions for encryption zones. (clamb)
-
-    HDFS-6605. Client server negotiation of cipher suite. (wang)
-
-    HDFS-6625. Remove the Delete Encryption Zone function (clamb)
-
-    HDFS-6516. List of Encryption Zones should be based on inodes (clamb)
-
-    HDFS-6629. Not able to create symlinks after HDFS-6516 (umamaheswararao)
-
-    HDFS-6635. Refactor encryption zone functionality into new
-    EncryptionZoneManager class. (wang)
-
-    HDFS-6474. Namenode needs to get the actual keys and iv from the
-    KeyProvider. (wang)
-
-    HDFS-6619. Clean up encryption-related tests. (wang)
-
-    HDFS-6405. Test Crypto streams in HDFS. (yliu via wang)
-
-    HDFS-6490. Fix the keyid format for generated keys in
-    FSNamesystem.createEncryptionZone (clamb)
-
-    HDFS-6716. Update usage of KeyProviderCryptoExtension APIs on NameNode.
-    (wang)
-
-    HDFS-6718. Remove EncryptionZoneManager lock. (wang)
-
-    HDFS-6720. Remove KeyProvider in EncryptionZoneManager. (wang)
-
-    HDFS-6738. Remove unnecessary getEncryptionZoneForPath call in
-    EZManager#createEncryptionZone. (clamb)
-
-    HDFS-6724. Decrypt EDEK before creating
-    CryptoInputStream/CryptoOutputStream. (wang)
-
-    HDFS-6509. Create a special /.reserved/raw directory for raw access to
-    encrypted data. (clamb via wang)
-
-    HDFS-6771. Require specification of an encryption key when creating
-    an encryption zone. (wang)
-
-    HDFS-6730. Create a .RAW extended attribute namespace. (clamb)
-
-    HDFS-6692. Add more HDFS encryption tests. (wang)
-
-    HDFS-6780. Batch the encryption zones listing API. (wang)
-
-    HDFS-6394. HDFS encryption documentation. (wang)
-
-    HDFS-6834. Improve the configuration guidance in DFSClient when there 
-    are no Codec classes found in configs. (umamahesh)
-
-    HDFS-6546. Add non-superuser capability to get the encryption zone
-    for a specific path. (clamb)
-
-    HDFS-6733. Creating encryption zone results in NPE when
-    KeyProvider is null. (clamb)
-
-    HDFS-6785. Should not be able to create encryption zone using path
-    to a non-directory file. (clamb)
-
-    HDFS-6807. Fix TestReservedRawPaths. (clamb)
-
-    HDFS-6814. Mistakenly dfs.namenode.list.encryption.zones.num.responses configured
-    as boolean. (umamahesh)
-
-    HDFS-6817. Fix findbugs and other warnings. (yliu)
-
-    HDFS-6839. Fix TestCLI to expect new output. (clamb)
-
-    HDFS-6905. fs-encryption merge triggered release audit failures. (clamb via tucu)
-
     HDFS-6694. TestPipelinesFailover.testPipelineRecoveryStress tests fail
     intermittently with various symptoms - debugging patch. (Yongjun Zhang via
     Arpit Agarwal)
@@ -661,6 +568,98 @@ Release 2.6.0 - UNRELEASED
     HDFS-6902. FileWriter should be closed in finally block in
     BlockReceiver#receiveBlock() (Tsuyoshi OZAWA via Colin Patrick McCabe)
 
+    BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
+  
+      HDFS-6387. HDFS CLI admin tool for creating & deleting an
+      encryption zone. (clamb)
+  
+      HDFS-6386. HDFS Encryption Zones (clamb)
+  
+      HDFS-6388. HDFS integration with KeyProvider. (clamb)
+  
+      HDFS-6473. Protocol and API for Encryption Zones (clamb)
+  
+      HDFS-6392. Wire crypto streams for encrypted files in
+      DFSClient. (clamb and yliu)
+  
+      HDFS-6476. Print out the KeyProvider after finding KP successfully on
+      startup. (Juan Yu via wang)
+  
+      HDFS-6391. Get the Key/IV from the NameNode for encrypted files in
+      DFSClient. (Charles Lamb and wang)
+  
+      HDFS-6389. Rename restrictions for encryption zones. (clamb)
+  
+      HDFS-6605. Client server negotiation of cipher suite. (wang)
+  
+      HDFS-6625. Remove the Delete Encryption Zone function (clamb)
+  
+      HDFS-6516. List of Encryption Zones should be based on inodes (clamb)
+  
+      HDFS-6629. Not able to create symlinks after HDFS-6516 (umamaheswararao)
+  
+      HDFS-6635. Refactor encryption zone functionality into new
+      EncryptionZoneManager class. (wang)
+  
+      HDFS-6474. Namenode needs to get the actual keys and iv from the
+      KeyProvider. (wang)
+  
+      HDFS-6619. Clean up encryption-related tests. (wang)
+  
+      HDFS-6405. Test Crypto streams in HDFS. (yliu via wang)
+  
+      HDFS-6490. Fix the keyid format for generated keys in
+      FSNamesystem.createEncryptionZone (clamb)
+  
+      HDFS-6716. Update usage of KeyProviderCryptoExtension APIs on NameNode.
+      (wang)
+  
+      HDFS-6718. Remove EncryptionZoneManager lock. (wang)
+  
+      HDFS-6720. Remove KeyProvider in EncryptionZoneManager. (wang)
+  
+      HDFS-6738. Remove unnecessary getEncryptionZoneForPath call in
+      EZManager#createEncryptionZone. (clamb)
+  
+      HDFS-6724. Decrypt EDEK before creating
+      CryptoInputStream/CryptoOutputStream. (wang)
+  
+      HDFS-6509. Create a special /.reserved/raw directory for raw access to
+      encrypted data. (clamb via wang)
+  
+      HDFS-6771. Require specification of an encryption key when creating
+      an encryption zone. (wang)
+  
+      HDFS-6730. Create a .RAW extended attribute namespace. (clamb)
+  
+      HDFS-6692. Add more HDFS encryption tests. (wang)
+  
+      HDFS-6780. Batch the encryption zones listing API. (wang)
+  
+      HDFS-6394. HDFS encryption documentation. (wang)
+  
+      HDFS-6834. Improve the configuration guidance in DFSClient when there 
+      are no Codec classes found in configs. (umamahesh)
+  
+      HDFS-6546. Add non-superuser capability to get the encryption zone
+      for a specific path. (clamb)
+  
+      HDFS-6733. Creating encryption zone results in NPE when
+      KeyProvider is null. (clamb)
+  
+      HDFS-6785. Should not be able to create encryption zone using path
+      to a non-directory file. (clamb)
+  
+      HDFS-6807. Fix TestReservedRawPaths. (clamb)
+  
+      HDFS-6814. Mistakenly dfs.namenode.list.encryption.zones.num.responses configured
+      as boolean. (umamahesh)
+  
+      HDFS-6817. Fix findbugs and other warnings. (yliu)
+  
+      HDFS-6839. Fix TestCLI to expect new output. (clamb)
+    --
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index de0767d2a45..c0038f60294 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -154,16 +154,6 @@ Trunk (Unreleased)
     MAPREDUCE-5867. Fix NPE in KillAMPreemptionPolicy related to 
     ProportionalCapacityPreemptionPolicy (Sunil G via devaraj)
 
-  BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
-
-    MAPREDUCE-5890. Support for encrypting Intermediate 
-    data and spills in local filesystem. (asuresh via tucu)
-
-    MAPREDUCE-6007. Add support to distcp to preserve raw.* namespace
-    extended attributes. (clamb)
-
-    MAPREDUCE-6041. Fix TestOptionsParser. (clamb)
-
 Release 2.6.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
@@ -261,6 +251,17 @@ Release 2.6.0 - UNRELEASED
     MAPREDUCE-5885. build/test/test.mapred.spill causes release audit warnings
     (Chen He via jlowe)
 
+    BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
+  
+      MAPREDUCE-5890. Support for encrypting Intermediate 
+      data and spills in local filesystem. (asuresh via tucu)
+  
+      MAPREDUCE-6007. Add support to distcp to preserve raw.* namespace
+      extended attributes. (clamb)
+  
+      MAPREDUCE-6041. Fix TestOptionsParser. (clamb)
+    --
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
@@ -273,7 +274,7 @@ Release 2.5.1 - UNRELEASED
 
   BUG FIXES
 
-    MAPREDUCE-6033. Updated access check for displaying job information 
+    MAPREDUCE-6033. Updated access check for displaying job information
     (Yu Gao via Eric Yang)
 
 Release 2.5.0 - 2014-08-11

From 48aa3b7274b73e022835268123d3711e28e7d48e Mon Sep 17 00:00:00 2001
From: Chris Douglas <cdouglas@apache.org>
Date: Thu, 28 Aug 2014 16:29:35 -0700
Subject: [PATCH 320/354] Fix typos in log messages. Contributed by Ray Chiang

---
 hadoop-mapreduce-project/CHANGES.txt                      | 8 +++++---
 .../mapreduce/v2/app/commit/CommitterEventHandler.java    | 2 +-
 .../apache/hadoop/mapreduce/v2/app/rm/RMCommunicator.java | 2 +-
 .../mapreduce/v2/app/speculate/DefaultSpeculator.java     | 8 ++++----
 .../main/java/org/apache/hadoop/mapred/BackupStore.java   | 2 +-
 .../src/test/java/org/apache/hadoop/fs/JHLogAnalyzer.java | 4 ++--
 6 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index c0038f60294..67f885127fe 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -252,16 +252,18 @@ Release 2.6.0 - UNRELEASED
     (Chen He via jlowe)
 
     BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
-  
+
       MAPREDUCE-5890. Support for encrypting Intermediate 
       data and spills in local filesystem. (asuresh via tucu)
-  
+
       MAPREDUCE-6007. Add support to distcp to preserve raw.* namespace
       extended attributes. (clamb)
-  
+
       MAPREDUCE-6041. Fix TestOptionsParser. (clamb)
     --
 
+    MAPREDUCE-6051. Fix typos in log messages. (Ray Chiang via cdouglas)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/commit/CommitterEventHandler.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/commit/CommitterEventHandler.java
index 8c3be86cb11..d56c1e5aeb2 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/commit/CommitterEventHandler.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/commit/CommitterEventHandler.java
@@ -202,7 +202,7 @@ private synchronized void jobCommitEnded() {
   private synchronized void cancelJobCommit() {
     Thread threadCommitting = jobCommitThread;
     if (threadCommitting != null && threadCommitting.isAlive()) {
-      LOG.info("Canceling commit");
+      LOG.info("Cancelling commit");
       threadCommitting.interrupt();
 
       // wait up to configured timeout for commit thread to finish
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMCommunicator.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMCommunicator.java
index 4b32c045238..6e9f3138b4a 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMCommunicator.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMCommunicator.java
@@ -335,7 +335,7 @@ public void setShouldUnregister(boolean shouldUnregister) {
   
   public void setSignalled(boolean isSignalled) {
     this.isSignalled = isSignalled;
-    LOG.info("RMCommunicator notified that iSignalled is: " 
+    LOG.info("RMCommunicator notified that isSignalled is: " 
         + isSignalled);
   }
 
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/speculate/DefaultSpeculator.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/speculate/DefaultSpeculator.java
index 34dcb1294d3..392a51aebd6 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/speculate/DefaultSpeculator.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/speculate/DefaultSpeculator.java
@@ -134,16 +134,16 @@ public DefaultSpeculator(Configuration conf, AppContext context, Clock clock) {
 
       estimator.contextualize(conf, context);
     } catch (InstantiationException ex) {
-      LOG.error("Can't make a speculation runtime extimator", ex);
+      LOG.error("Can't make a speculation runtime estimator", ex);
       throw new YarnRuntimeException(ex);
     } catch (IllegalAccessException ex) {
-      LOG.error("Can't make a speculation runtime extimator", ex);
+      LOG.error("Can't make a speculation runtime estimator", ex);
       throw new YarnRuntimeException(ex);
     } catch (InvocationTargetException ex) {
-      LOG.error("Can't make a speculation runtime extimator", ex);
+      LOG.error("Can't make a speculation runtime estimator", ex);
       throw new YarnRuntimeException(ex);
     } catch (NoSuchMethodException ex) {
-      LOG.error("Can't make a speculation runtime extimator", ex);
+      LOG.error("Can't make a speculation runtime estimator", ex);
       throw new YarnRuntimeException(ex);
     }
     
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/BackupStore.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/BackupStore.java
index be7fe181f90..e79ec664a56 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/BackupStore.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/BackupStore.java
@@ -607,7 +607,7 @@ int reserve(int requestedSize) {
 
     int reserve(int requestedSize, int minSize) {
       if (availableSize < minSize) {
-        LOG.debug("No Space available. Available: " + availableSize + 
+        LOG.debug("No space available. Available: " + availableSize + 
             " MinSize: " + minSize);
         return 0;
       } else {
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/fs/JHLogAnalyzer.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/fs/JHLogAnalyzer.java
index 347dd066a98..8b3f4c895e1 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/fs/JHLogAnalyzer.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/fs/JHLogAnalyzer.java
@@ -1076,7 +1076,7 @@ private static void analyzeResult( FileSystem fs,
                                      long execTime,
                                      Path resFileName
                                      ) throws IOException {
-    LOG.info("Analizing results ...");
+    LOG.info("Analyzing results ...");
     DataOutputStream out = null;
     BufferedWriter writer = null;
     try {
@@ -1118,7 +1118,7 @@ private static void analyzeResult( FileSystem fs,
       if(writer != null) writer.close();
       if(out != null) out.close();
     }
-    LOG.info("Analizing results ... done.");
+    LOG.info("Analyzing results ... done.");
   }
 
   private static void cleanup(Configuration conf) throws IOException {

From ab638e77b811d9592470f7d342cd11a66efbbf0d Mon Sep 17 00:00:00 2001
From: Todd Lipcon <todd@apache.org>
Date: Thu, 28 Aug 2014 16:44:09 -0700
Subject: [PATCH 321/354] HDFS-6865. Byte array native checksumming on client
 side. Contributed by James Thomas.

---
 .../apache/hadoop/fs/ChecksumFileSystem.java  |   8 +-
 .../java/org/apache/hadoop/fs/ChecksumFs.java |   8 +-
 .../org/apache/hadoop/fs/FSOutputSummer.java  | 107 ++++++++++++------
 .../org/apache/hadoop/util/DataChecksum.java  |   2 +
 .../org/apache/hadoop/util/NativeCrc32.java   |   2 +-
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   3 +
 .../apache/hadoop/hdfs/DFSOutputStream.java   |  38 ++-----
 .../apache/hadoop/hdfs/TestFileAppend.java    |   4 +-
 .../security/token/block/TestBlockToken.java  |   2 +
 .../namenode/TestBlockUnderConstruction.java  |   3 +
 .../namenode/TestDecommissioningStatus.java   |   3 +
 11 files changed, 108 insertions(+), 72 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ChecksumFileSystem.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ChecksumFileSystem.java
index 511ca7f7549..c8d1b69ddaf 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ChecksumFileSystem.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ChecksumFileSystem.java
@@ -381,7 +381,8 @@ public ChecksumFSOutputSummer(ChecksumFileSystem fs,
                           long blockSize,
                           Progressable progress)
       throws IOException {
-      super(DataChecksum.newCrc32(), fs.getBytesPerSum(), 4);
+      super(DataChecksum.newDataChecksum(DataChecksum.Type.CRC32,
+          fs.getBytesPerSum()));
       int bytesPerSum = fs.getBytesPerSum();
       this.datas = fs.getRawFileSystem().create(file, overwrite, bufferSize, 
                                          replication, blockSize, progress);
@@ -405,10 +406,11 @@ public void close() throws IOException {
     }
     
     @Override
-    protected void writeChunk(byte[] b, int offset, int len, byte[] checksum)
+    protected void writeChunk(byte[] b, int offset, int len, byte[] checksum,
+        int ckoff, int cklen)
     throws IOException {
       datas.write(b, offset, len);
-      sums.write(checksum);
+      sums.write(checksum, ckoff, cklen);
     }
 
     @Override
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ChecksumFs.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ChecksumFs.java
index 4be3b291190..ab5cd13e0c3 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ChecksumFs.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/ChecksumFs.java
@@ -337,7 +337,8 @@ public ChecksumFSOutputSummer(final ChecksumFs fs, final Path file,
       final short replication, final long blockSize, 
       final Progressable progress, final ChecksumOpt checksumOpt,
       final boolean createParent) throws IOException {
-      super(DataChecksum.newCrc32(), fs.getBytesPerSum(), 4);
+      super(DataChecksum.newDataChecksum(DataChecksum.Type.CRC32,
+          fs.getBytesPerSum()));
 
       // checksumOpt is passed down to the raw fs. Unless it implements
       // checksum impelemts internally, checksumOpt will be ignored.
@@ -370,10 +371,11 @@ public void close() throws IOException {
     }
     
     @Override
-    protected void writeChunk(byte[] b, int offset, int len, byte[] checksum)
+    protected void writeChunk(byte[] b, int offset, int len, byte[] checksum,
+        int ckoff, int cklen)
       throws IOException {
       datas.write(b, offset, len);
-      sums.write(checksum);
+      sums.write(checksum, ckoff, cklen);
     }
 
     @Override
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FSOutputSummer.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FSOutputSummer.java
index 49c919af196..19cbb6f9354 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FSOutputSummer.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FSOutputSummer.java
@@ -18,13 +18,14 @@
 
 package org.apache.hadoop.fs;
 
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.util.DataChecksum;
+
 import java.io.IOException;
 import java.io.OutputStream;
 import java.util.zip.Checksum;
 
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.classification.InterfaceStability;
-
 /**
  * This is a generic output stream for generating checksums for
  * data before it is written to the underlying stream
@@ -33,7 +34,7 @@
 @InterfaceStability.Unstable
 abstract public class FSOutputSummer extends OutputStream {
   // data checksum
-  private Checksum sum;
+  private final DataChecksum sum;
   // internal buffer for storing data before it is checksumed
   private byte buf[];
   // internal buffer for storing checksum
@@ -41,18 +42,24 @@ abstract public class FSOutputSummer extends OutputStream {
   // The number of valid bytes in the buffer.
   private int count;
   
-  protected FSOutputSummer(Checksum sum, int maxChunkSize, int checksumSize) {
+  // We want this value to be a multiple of 3 because the native code checksums
+  // 3 chunks simultaneously. The chosen value of 9 strikes a balance between
+  // limiting the number of JNI calls and flushing to the underlying stream
+  // relatively frequently.
+  private static final int BUFFER_NUM_CHUNKS = 9;
+  
+  protected FSOutputSummer(DataChecksum sum) {
     this.sum = sum;
-    this.buf = new byte[maxChunkSize];
-    this.checksum = new byte[checksumSize];
+    this.buf = new byte[sum.getBytesPerChecksum() * BUFFER_NUM_CHUNKS];
+    this.checksum = new byte[sum.getChecksumSize() * BUFFER_NUM_CHUNKS];
     this.count = 0;
   }
   
   /* write the data chunk in <code>b</code> staring at <code>offset</code> with
-   * a length of <code>len</code>, and its checksum
+   * a length of <code>len > 0</code>, and its checksum
    */
-  protected abstract void writeChunk(byte[] b, int offset, int len, byte[] checksum)
-  throws IOException;
+  protected abstract void writeChunk(byte[] b, int bOffset, int bLen,
+      byte[] checksum, int checksumOffset, int checksumLen) throws IOException;
   
   /**
    * Check if the implementing OutputStream is closed and should no longer
@@ -66,7 +73,6 @@ protected abstract void writeChunk(byte[] b, int offset, int len, byte[] checksu
   /** Write one byte */
   @Override
   public synchronized void write(int b) throws IOException {
-    sum.update(b);
     buf[count++] = (byte)b;
     if(count == buf.length) {
       flushBuffer();
@@ -111,18 +117,17 @@ public synchronized void write(byte b[], int off, int len)
    */
   private int write1(byte b[], int off, int len) throws IOException {
     if(count==0 && len>=buf.length) {
-      // local buffer is empty and user data has one chunk
-      // checksum and output data
+      // local buffer is empty and user buffer size >= local buffer size, so
+      // simply checksum the user buffer and send it directly to the underlying
+      // stream
       final int length = buf.length;
-      sum.update(b, off, length);
-      writeChecksumChunk(b, off, length, false);
+      writeChecksumChunks(b, off, length);
       return length;
     }
     
     // copy user data to local buffer
     int bytesToCopy = buf.length-count;
     bytesToCopy = (len<bytesToCopy) ? len : bytesToCopy;
-    sum.update(b, off, bytesToCopy);
     System.arraycopy(b, off, buf, count, bytesToCopy);
     count += bytesToCopy;
     if (count == buf.length) {
@@ -136,22 +141,45 @@ private int write1(byte b[], int off, int len) throws IOException {
    * the underlying output stream. 
    */
   protected synchronized void flushBuffer() throws IOException {
-    flushBuffer(false);
+    flushBuffer(false, true);
   }
 
-  /* Forces any buffered output bytes to be checksumed and written out to
-   * the underlying output stream.  If keep is true, then the state of 
-   * this object remains intact.
+  /* Forces buffered output bytes to be checksummed and written out to
+   * the underlying output stream. If there is a trailing partial chunk in the
+   * buffer,
+   * 1) flushPartial tells us whether to flush that chunk
+   * 2) if flushPartial is true, keep tells us whether to keep that chunk in the
+   * buffer (if flushPartial is false, it is always kept in the buffer)
+   *
+   * Returns the number of bytes that were flushed but are still left in the
+   * buffer (can only be non-zero if keep is true).
    */
-  protected synchronized void flushBuffer(boolean keep) throws IOException {
-    if (count != 0) {
-      int chunkLen = count;
+  protected synchronized int flushBuffer(boolean keep,
+      boolean flushPartial) throws IOException {
+    int bufLen = count;
+    int partialLen = bufLen % sum.getBytesPerChecksum();
+    int lenToFlush = flushPartial ? bufLen : bufLen - partialLen;
+    if (lenToFlush != 0) {
+      writeChecksumChunks(buf, 0, lenToFlush);
+      if (!flushPartial || keep) {
+        count = partialLen;
+        System.arraycopy(buf, bufLen - count, buf, 0, count);
+      } else {
       count = 0;
-      writeChecksumChunk(buf, 0, chunkLen, keep);
-      if (keep) {
-        count = chunkLen;
       }
     }
+
+    // total bytes left minus unflushed bytes left
+    return count - (bufLen - lenToFlush);
+  }
+
+  /**
+   * Checksums all complete data chunks and flushes them to the underlying
+   * stream. If there is a trailing partial chunk, it is not flushed and is
+   * maintained in the buffer.
+   */
+  public void flush() throws IOException {
+    flushBuffer(false, false);
   }
 
   /**
@@ -161,18 +189,18 @@ protected synchronized int getBufferedDataSize() {
     return count;
   }
   
-  /** Generate checksum for the data chunk and output data chunk & checksum
-   * to the underlying output stream. If keep is true then keep the
-   * current checksum intact, do not reset it.
+  /** Generate checksums for the given data chunks and output chunks & checksums
+   * to the underlying output stream.
    */
-  private void writeChecksumChunk(byte b[], int off, int len, boolean keep)
+  private void writeChecksumChunks(byte b[], int off, int len)
   throws IOException {
-    int tempChecksum = (int)sum.getValue();
-    if (!keep) {
-      sum.reset();
+    sum.calculateChunkedSums(b, off, len, checksum, 0);
+    for (int i = 0; i < len; i += sum.getBytesPerChecksum()) {
+      int chunkLen = Math.min(sum.getBytesPerChecksum(), len - i);
+      int ckOffset = i / sum.getBytesPerChecksum() * sum.getChecksumSize();
+      writeChunk(b, off + i, chunkLen, checksum, ckOffset,
+          sum.getChecksumSize());
     }
-    int2byte(tempChecksum, checksum);
-    writeChunk(b, off, len, checksum);
   }
 
   /**
@@ -196,9 +224,14 @@ static byte[] int2byte(int integer, byte[] bytes) {
   /**
    * Resets existing buffer with a new one of the specified size.
    */
-  protected synchronized void resetChecksumChunk(int size) {
-    sum.reset();
+  protected synchronized void setChecksumBufSize(int size) {
     this.buf = new byte[size];
+    this.checksum = new byte[((size - 1) / sum.getBytesPerChecksum() + 1) *
+        sum.getChecksumSize()];
     this.count = 0;
   }
+
+  protected synchronized void resetChecksumBufSize() {
+    setChecksumBufSize(sum.getBytesPerChecksum() * BUFFER_NUM_CHUNKS);
+  }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java
index 1636af68a36..9f0ee35711c 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/DataChecksum.java
@@ -339,6 +339,7 @@ private void verifyChunkedSums(
       byte[] data, int dataOff, int dataLen,
       byte[] checksums, int checksumsOff, String fileName,
       long basePos) throws ChecksumException {
+    if (type.size == 0) return;
 
     if (NativeCrc32.isAvailable()) {
       NativeCrc32.verifyChunkedSumsByteArray(bytesPerChecksum, type.id,
@@ -421,6 +422,7 @@ public void calculateChunkedSums(ByteBuffer data, ByteBuffer checksums) {
   public void calculateChunkedSums(
       byte[] data, int dataOffset, int dataLength,
       byte[] sums, int sumsOffset) {
+    if (type.size == 0) return;
 
     if (NativeCrc32.isAvailable()) {
       NativeCrc32.calculateChunkedSumsByteArray(bytesPerChecksum, type.id,
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java
index 2f21ae1a03d..0807d2cbde2 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/NativeCrc32.java
@@ -42,7 +42,7 @@ public static boolean isAvailable() {
    * modified.
    * 
    * @param bytesPerSum the chunk size (eg 512 bytes)
-   * @param checksumType the DataChecksum type constant
+   * @param checksumType the DataChecksum type constant (NULL is not supported)
    * @param sums the DirectByteBuffer pointing at the beginning of the
    *             stored checksums
    * @param data the DirectByteBuffer pointing at the beginning of the
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 2c56407c90c..8268b6b30e7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -434,6 +434,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6773. MiniDFSCluster should skip edit log fsync by default (Stephen
     Chu via Colin Patrick McCabe)
 
+    HDFS-6865. Byte array native checksumming on client side
+    (James Thomas via todd)
+
   BUG FIXES
 
     HDFS-6823. dfs.web.authentication.kerberos.principal shows up in logs for 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
index 14977a25077..0b5ecda95fd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
@@ -398,7 +398,7 @@ private DataStreamer(LocatedBlock lastBlock, HdfsFileStatus stat,
         // one chunk that fills up the partial chunk.
         //
         computePacketChunkSize(0, freeInCksum);
-        resetChecksumChunk(freeInCksum);
+        setChecksumBufSize(freeInCksum);
         appendChunk = true;
       } else {
         // if the remaining space in the block is smaller than 
@@ -1563,7 +1563,7 @@ public synchronized DatanodeInfo[] getPipeline() {
 
   private DFSOutputStream(DFSClient dfsClient, String src, Progressable progress,
       HdfsFileStatus stat, DataChecksum checksum) throws IOException {
-    super(checksum, checksum.getBytesPerChecksum(), checksum.getChecksumSize());
+    super(checksum);
     this.dfsClient = dfsClient;
     this.src = src;
     this.fileId = stat.getFileId();
@@ -1717,22 +1717,21 @@ private void waitAndQueueCurrentPacket() throws IOException {
 
   // @see FSOutputSummer#writeChunk()
   @Override
-  protected synchronized void writeChunk(byte[] b, int offset, int len, byte[] checksum) 
-                                                        throws IOException {
+  protected synchronized void writeChunk(byte[] b, int offset, int len,
+      byte[] checksum, int ckoff, int cklen) throws IOException {
     dfsClient.checkOpen();
     checkClosed();
 
-    int cklen = checksum.length;
     int bytesPerChecksum = this.checksum.getBytesPerChecksum(); 
     if (len > bytesPerChecksum) {
       throw new IOException("writeChunk() buffer size is " + len +
                             " is larger than supported  bytesPerChecksum " +
                             bytesPerChecksum);
     }
-    if (checksum.length != this.checksum.getChecksumSize()) {
+    if (cklen != this.checksum.getChecksumSize()) {
       throw new IOException("writeChunk() checksum size is supposed to be " +
                             this.checksum.getChecksumSize() + 
-                            " but found to be " + checksum.length);
+                            " but found to be " + cklen);
     }
 
     if (currentPacket == null) {
@@ -1748,7 +1747,7 @@ protected synchronized void writeChunk(byte[] b, int offset, int len, byte[] che
       }
     }
 
-    currentPacket.writeChecksum(checksum, 0, cklen);
+    currentPacket.writeChecksum(checksum, ckoff, cklen);
     currentPacket.writeData(b, offset, len);
     currentPacket.numChunks++;
     bytesCurBlock += len;
@@ -1772,7 +1771,7 @@ protected synchronized void writeChunk(byte[] b, int offset, int len, byte[] che
       // crc chunks from now on.
       if (appendChunk && bytesCurBlock%bytesPerChecksum == 0) {
         appendChunk = false;
-        resetChecksumChunk(bytesPerChecksum);
+        resetChecksumBufSize();
       }
 
       if (!appendChunk) {
@@ -1853,20 +1852,13 @@ private void flushOrSync(boolean isSync, EnumSet<SyncFlag> syncFlags)
       long lastBlockLength = -1L;
       boolean updateLength = syncFlags.contains(SyncFlag.UPDATE_LENGTH);
       synchronized (this) {
-        /* Record current blockOffset. This might be changed inside
-         * flushBuffer() where a partial checksum chunk might be flushed.
-         * After the flush, reset the bytesCurBlock back to its previous value,
-         * any partial checksum chunk will be sent now and in next packet.
-         */
-        long saveOffset = bytesCurBlock;
-        Packet oldCurrentPacket = currentPacket;
         // flush checksum buffer, but keep checksum buffer intact
-        flushBuffer(true);
+        int numKept = flushBuffer(true, true);
         // bytesCurBlock potentially incremented if there was buffered data
 
         if (DFSClient.LOG.isDebugEnabled()) {
           DFSClient.LOG.debug(
-            "DFSClient flush() : saveOffset " + saveOffset +  
+            "DFSClient flush() :" +
             " bytesCurBlock " + bytesCurBlock +
             " lastFlushOffset " + lastFlushOffset);
         }
@@ -1883,14 +1875,6 @@ private void flushOrSync(boolean isSync, EnumSet<SyncFlag> syncFlags)
                 bytesCurBlock, currentSeqno++, this.checksum.getChecksumSize());
           }
         } else {
-          // We already flushed up to this offset.
-          // This means that we haven't written anything since the last flush
-          // (or the beginning of the file). Hence, we should not have any
-          // packet queued prior to this call, since the last flush set
-          // currentPacket = null.
-          assert oldCurrentPacket == null :
-            "Empty flush should not occur with a currentPacket";
-
           if (isSync && bytesCurBlock > 0) {
             // Nothing to send right now,
             // and the block was partially written,
@@ -1910,7 +1894,7 @@ private void flushOrSync(boolean isSync, EnumSet<SyncFlag> syncFlags)
         // Restore state of stream. Record the last flush offset 
         // of the last full chunk that was flushed.
         //
-        bytesCurBlock = saveOffset;
+        bytesCurBlock -= numKept;
         toWaitFor = lastQueuedSeqno;
       } // end synchronized
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileAppend.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileAppend.java
index d8400778ec9..34c701d0bbd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileAppend.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestFileAppend.java
@@ -261,7 +261,9 @@ public void testComplexFlush() throws IOException {
         start += 29;
       }
       stm.write(fileContents, start, AppendTestUtil.FILE_SIZE -start);
-
+      // need to make sure we completely write out all full blocks before
+      // the checkFile() call (see FSOutputSummer#flush)
+      stm.flush();
       // verify that full blocks are sane
       checkFile(fs, file1, 1);
       stm.close();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
index 242934547d0..1fe7ba89851 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
@@ -394,6 +394,8 @@ public void testBlockTokenInLastLocatedBlock() throws IOException,
       Path filePath = new Path(fileName);
       FSDataOutputStream out = fs.create(filePath, (short) 1);
       out.write(new byte[1000]);
+      // ensure that the first block is written out (see FSOutputSummer#flush)
+      out.flush();
       LocatedBlocks locatedBlocks = cluster.getNameNodeRpc().getBlockLocations(
           fileName, 0, 1000);
       while (locatedBlocks.getLastLocatedBlock() == null) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestBlockUnderConstruction.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestBlockUnderConstruction.java
index 5448e7a885e..872ff9c490f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestBlockUnderConstruction.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestBlockUnderConstruction.java
@@ -70,6 +70,9 @@ void writeFile(Path file, FSDataOutputStream stm, int size)
     long blocksBefore = stm.getPos() / BLOCK_SIZE;
     
     TestFileCreation.writeFile(stm, BLOCK_SIZE);
+    // need to make sure the full block is completely flushed to the DataNodes
+    // (see FSOutputSummer#flush)
+    stm.flush();
     int blocksAfter = 0;
     // wait until the block is allocated by DataStreamer
     BlockLocation[] locatedBlocks;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDecommissioningStatus.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDecommissioningStatus.java
index d01df75f794..2ee251bdc7c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDecommissioningStatus.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestDecommissioningStatus.java
@@ -141,6 +141,9 @@ private FSDataOutputStream writeIncompleteFile(FileSystem fileSys, Path name,
     Random rand = new Random(seed);
     rand.nextBytes(buffer);
     stm.write(buffer);
+    // need to make sure that we actually write out both file blocks
+    // (see FSOutputSummer#flush)
+    stm.flush();
     // Do not close stream, return it
     // so that it is not garbage collected
     return stm;

From 7119bd49c870cf1e6b8c091d87025b439b9468df Mon Sep 17 00:00:00 2001
From: Andrew Wang <andrew.wang@cloudera.com>
Date: Thu, 28 Aug 2014 17:39:50 -0700
Subject: [PATCH 322/354] HADOOP-11005. Fix HTTP content type for
 ReconfigurationServlet. Contributed by Lei Xu.

---
 hadoop-common-project/hadoop-common/CHANGES.txt                | 3 +++
 .../java/org/apache/hadoop/conf/ReconfigurationServlet.java    | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 9fb0cd3b4f5..05eb3837388 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -468,6 +468,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10880. Move HTTP delegation tokens out of URL querystring to 
     a header. (tucu)
 
+    HADOOP-11005. Fix HTTP content type for ReconfigurationServlet.
+    (Lei Xu via wang)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ReconfigurationServlet.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ReconfigurationServlet.java
index 3fa162b87af..eb1fb6b7d58 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ReconfigurationServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ReconfigurationServlet.java
@@ -200,6 +200,7 @@ private void applyChanges(PrintWriter out, Reconfigurable reconf,
   protected void doGet(HttpServletRequest req, HttpServletResponse resp)
     throws ServletException, IOException {
     LOG.info("GET");
+    resp.setContentType("text/html");
     PrintWriter out = resp.getWriter();
     
     Reconfigurable reconf = getReconfigurable(req);
@@ -214,6 +215,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
   protected void doPost(HttpServletRequest req, HttpServletResponse resp)
     throws ServletException, IOException {
     LOG.info("POST");
+    resp.setContentType("text/html");
     PrintWriter out = resp.getWriter();
 
     Reconfigurable reconf = getReconfigurable(req);

From d8774cc577198fdc3bc36c26526c95ea9a989800 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Thu, 28 Aug 2014 10:37:23 -0700
Subject: [PATCH 323/354] HADOOP-11013. CLASSPATH handling should be
 consolidated, debuggable (aw)

---
 .../hadoop-common/CHANGES.txt                 |  2 +
 .../hadoop-common/src/main/bin/hadoop         |  5 +-
 .../src/main/bin/hadoop-config.sh             |  5 ++
 .../src/main/bin/hadoop-functions.sh          | 54 ++++++++++++++++---
 .../hadoop-common/src/main/bin/rcc            |  7 +--
 .../hadoop-hdfs/src/main/bin/hdfs             | 25 +++++++--
 hadoop-mapreduce-project/bin/mapred           | 14 +++--
 hadoop-yarn-project/hadoop-yarn/bin/yarn      | 15 +++++-
 8 files changed, 105 insertions(+), 22 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 05eb3837388..717bd249784 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -125,6 +125,8 @@ Trunk (Unreleased)
 
     HADOOP-10485. Remove dead classes in hadoop-streaming. (wheat9)
 
+    HADOOP-11013. CLASSPATH handling should be consolidated, debuggable (aw)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop b/hadoop-common-project/hadoop-common/src/main/bin/hadoop
index 24c4d18e829..64c67587dc6 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop
@@ -114,6 +114,7 @@ case ${COMMAND} in
   ;;
   archive)
     CLASS=org.apache.hadoop.tools.HadoopArchives
+    hadoop_debug "Injecting TOOL_PATH into CLASSPATH"
     hadoop_add_classpath "${TOOL_PATH}"
   ;;
   checknative)
@@ -136,10 +137,12 @@ case ${COMMAND} in
   ;;
   distch)
     CLASS=org.apache.hadoop.tools.DistCh
+    hadoop_debug "Injecting TOOL_PATH into CLASSPATH"
     hadoop_add_classpath "${TOOL_PATH}"
   ;;
   distcp)
     CLASS=org.apache.hadoop.tools.DistCp
+    hadoop_debug "Injecting TOOL_PATH into CLASSPATH"
     hadoop_add_classpath "${TOOL_PATH}"
   ;;
   fs)
@@ -168,11 +171,11 @@ case ${COMMAND} in
 esac
 
 # Always respect HADOOP_OPTS and HADOOP_CLIENT_OPTS
+hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
 HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
 
 hadoop_add_param HADOOP_OPTS Xmx "${JAVA_HEAP_MAX}"
 
 hadoop_finalize
-export CLASSPATH
 hadoop_java_exec "${COMMAND}" "${CLASS}" "$@"
 
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
index 0cf8bcfc78e..40494b3ba4e 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-config.sh
@@ -129,6 +129,11 @@ while [[ -z "${_hadoop_common_done}" ]]; do
         hadoop_exit_with_usage 1
       fi
     ;;
+    --debug)
+      shift
+      # shellcheck disable=SC2034
+      HADOOP_SHELL_SCRIPT_DEBUG=true
+    ;; 
     --help|-help|-h|help|--h|--\?|-\?|\?)
       hadoop_exit_with_usage 0
     ;;
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
index 800e024485e..dd5520cab11 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
@@ -21,6 +21,13 @@ function hadoop_error
   echo "$*" 1>&2
 }
 
+function hadoop_debug
+{
+  if [[ -n "${HADOOP_SHELL_SCRIPT_DEBUG}" ]]; then
+    echo "DEBUG: $*" 1>&2
+  fi
+}
+
 function hadoop_bootstrap_init
 {
   # NOTE: This function is not user replaceable.
@@ -62,6 +69,7 @@ function hadoop_bootstrap_init
  
   # defaults
   export HADOOP_OPTS=${HADOOP_OPTS:-"-Djava.net.preferIPv4Stack=true"}
+  hadoop_debug "Initial HADOOP_OPTS=${HADOOP_OPTS}"
 }
 
 function hadoop_find_confdir
@@ -80,6 +88,8 @@ function hadoop_find_confdir
     conf_dir="etc/hadoop"
   fi
   export HADOOP_CONF_DIR="${HADOOP_CONF_DIR:-${HADOOP_PREFIX}/${conf_dir}}"
+
+  hadoop_debug "HADOOP_CONF_DIR=${HADOOP_CONF_DIR}"
 }
 
 function hadoop_exec_hadoopenv
@@ -105,6 +115,7 @@ function hadoop_basic_init
   
   # CLASSPATH initially contains $HADOOP_CONF_DIR
   CLASSPATH="${HADOOP_CONF_DIR}"
+  hadoop_debug "Initial CLASSPATH=${HADOOP_CONF_DIR}"
   
   if [[ -z "${HADOOP_COMMON_HOME}" ]] &&
   [[ -d "${HADOOP_PREFIX}/${HADOOP_COMMON_DIR}" ]]; then
@@ -116,19 +127,19 @@ function hadoop_basic_init
   
   # define HADOOP_HDFS_HOME
   if [[ -z "${HADOOP_HDFS_HOME}" ]] &&
-  [[ -d "${HADOOP_PREFIX}/${HDFS_DIR}" ]]; then
+     [[ -d "${HADOOP_PREFIX}/${HDFS_DIR}" ]]; then
     export HADOOP_HDFS_HOME="${HADOOP_PREFIX}"
   fi
   
   # define HADOOP_YARN_HOME
   if [[ -z "${HADOOP_YARN_HOME}" ]] &&
-  [[ -d "${HADOOP_PREFIX}/${YARN_DIR}" ]]; then
+     [[ -d "${HADOOP_PREFIX}/${YARN_DIR}" ]]; then
     export HADOOP_YARN_HOME="${HADOOP_PREFIX}"
   fi
   
   # define HADOOP_MAPRED_HOME
   if [[ -z "${HADOOP_MAPRED_HOME}" ]] &&
-  [[ -d "${HADOOP_PREFIX}/${MAPRED_DIR}" ]]; then
+     [[ -d "${HADOOP_PREFIX}/${MAPRED_DIR}" ]]; then
     export HADOOP_MAPRED_HOME="${HADOOP_PREFIX}"
   fi
   
@@ -274,6 +285,9 @@ function hadoop_add_param
   if [[ ! ${!1} =~ $2 ]] ; then
     # shellcheck disable=SC2086
     eval $1="'${!1} $3'"
+    hadoop_debug "$1 accepted $3"
+  else
+    hadoop_debug "$1 declined $3"
   fi
 }
 
@@ -283,8 +297,8 @@ function hadoop_add_classpath
   # $1 = directory, file, wildcard, whatever to add
   # $2 = before or after, which determines where in the
   #      classpath this object should go. default is after
-  # return 0 = success
-  # return 1 = failure (duplicate, doesn't exist, whatever)
+  # return 0 = success (added or duplicate)
+  # return 1 = failure (doesn't exist, whatever)
   
   # However, with classpath (& JLP), we can do dedupe
   # along with some sanity checking (e.g., missing directories)
@@ -295,23 +309,29 @@ function hadoop_add_classpath
   if [[ $1 =~ ^.*\*$ ]]; then
     local mp=$(dirname "$1")
     if [[ ! -d "${mp}" ]]; then
+      hadoop_debug "Rejected CLASSPATH: $1 (not a dir)"
       return 1
     fi
     
     # no wildcard in the middle, so check existence
     # (doesn't matter *what* it is)
   elif [[ ! $1 =~ ^.*\*.*$ ]] && [[ ! -e "$1" ]]; then
+    hadoop_debug "Rejected CLASSPATH: $1 (does not exist)"
     return 1
   fi
-  
   if [[ -z "${CLASSPATH}" ]]; then
     CLASSPATH=$1
+    hadoop_debug "Initial CLASSPATH=$1"
   elif [[ ":${CLASSPATH}:" != *":$1:"* ]]; then
     if [[ "$2" = "before" ]]; then
       CLASSPATH="$1:${CLASSPATH}"
+      hadoop_debug "Prepend CLASSPATH: $1"
     else
       CLASSPATH+=:$1
+      hadoop_debug "Append CLASSPATH: $1"
     fi
+  else
+    hadoop_debug "Dupe CLASSPATH: $1"
   fi
   return 0
 }
@@ -331,14 +351,20 @@ function hadoop_add_colonpath
     if [[ -z "${!1}" ]]; then
       # shellcheck disable=SC2086
       eval $1="'$2'"
+      hadoop_debug "Initial colonpath($1): $2"
     elif [[ "$3" = "before" ]]; then
       # shellcheck disable=SC2086
       eval $1="'$2:${!1}'"
+      hadoop_debug "Prepend colonpath($1): $2"
     else
       # shellcheck disable=SC2086
       eval $1+="'$2'"
+      hadoop_debug "Append colonpath($1): $2"
     fi
+    return 0
   fi
+  hadoop_debug "Rejected colonpath($1): $2"
+  return 1
 }
 
 function hadoop_add_javalibpath
@@ -397,6 +423,7 @@ function hadoop_add_to_classpath_hdfs
 
 function hadoop_add_to_classpath_yarn
 {
+  local i
   #
   # get all of the yarn jars+config in the path
   #
@@ -459,7 +486,7 @@ function hadoop_add_to_classpath_userpath
   local i
   local j
   let c=0
-  
+
   if [[ -n "${HADOOP_CLASSPATH}" ]]; then
     # I wonder if Java runs on VMS.
     for i in $(echo "${HADOOP_CLASSPATH}" | tr : '\n'); do
@@ -715,6 +742,11 @@ function hadoop_java_exec
   local command=$1
   local class=$2
   shift 2
+  
+  hadoop_debug "Final CLASSPATH: ${CLASSPATH}"
+  hadoop_debug "Final HADOOP_OPTS: ${HADOOP_OPTS}"
+
+  export CLASSPATH
   #shellcheck disable=SC2086
   exec "${JAVA}" "-Dproc_${command}" ${HADOOP_OPTS} "${class}" "$@"
 }
@@ -727,6 +759,11 @@ function hadoop_start_daemon
   local command=$1
   local class=$2
   shift 2
+
+  hadoop_debug "Final CLASSPATH: ${CLASSPATH}"
+  hadoop_debug "Final HADOOP_OPTS: ${HADOOP_OPTS}"
+
+  export CLASSPATH
   #shellcheck disable=SC2086
   exec "${JAVA}" "-Dproc_${command}" ${HADOOP_OPTS} "${class}" "$@"
 }
@@ -807,6 +844,9 @@ function hadoop_start_secure_daemon
   # note that shellcheck will throw a
   # bogus for-our-use-case 2086 here.
   # it doesn't properly support multi-line situations
+
+  hadoop_debug "Final CLASSPATH: ${CLASSPATH}"
+  hadoop_debug "Final HADOOP_OPTS: ${HADOOP_OPTS}"
   
   exec "${jsvc}" \
   "-Dproc_${daemonname}" \
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/rcc b/hadoop-common-project/hadoop-common/src/main/bin/rcc
index dc6158a8ea4..74253539fbe 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/rcc
+++ b/hadoop-common-project/hadoop-common/src/main/bin/rcc
@@ -23,6 +23,7 @@ this="$bin/$script"
 
 DEFAULT_LIBEXEC_DIR="$bin"/../libexec
 HADOOP_LIBEXEC_DIR=${HADOOP_LIBEXEC_DIR:-$DEFAULT_LIBEXEC_DIR}
+# shellcheck disable=SC2034
 HADOOP_NEW_CONFIG=true
 . "$HADOOP_LIBEXEC_DIR/hadoop-config.sh"
 
@@ -33,10 +34,10 @@ fi
 CLASS='org.apache.hadoop.record.compiler.generated.Rcc'
 
 # Always respect HADOOP_OPTS and HADOOP_CLIENT_OPTS
-HADOOP_OPTS="$HADOOP_OPTS $HADOOP_CLIENT_OPTS"
+hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
+HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
 
-hadoop_add_param HADOOP_OPTS Xmx "$JAVA_HEAP_MAX"
+hadoop_add_param HADOOP_OPTS Xmx "${JAVA_HEAP_MAX}"
 
 hadoop_finalize
-export CLASSPATH
 hadoop_java_exec rcc "${CLASS}" "$@"
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
index 77f1582db27..6872a0eb1a4 100755
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
@@ -80,6 +80,7 @@ shift
 case ${COMMAND} in
   balancer)
     CLASS=org.apache.hadoop.hdfs.server.balancer.Balancer
+    hadoop_debug "Appending HADOOP_BALANCER_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_BALANCER_OPTS}"
   ;;
   cacheadmin)
@@ -105,19 +106,24 @@ case ${COMMAND} in
       HADOOP_SECURE_PID_DIR="${HADOOP_SECURE_PID_DIR:-$HADOOP_SECURE_DN_PID_DIR}"
       HADOOP_SECURE_LOG_DIR="${HADOOP_SECURE_LOG_DIR:-$HADOOP_SECURE_DN_LOG_DIR}"
       
-      HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_DN_SECURE_EXTRA_OPTS} ${HADOOP_DATANODE_OPTS}"
+      hadoop_debug "Appending HADOOP_DATANODE_OPTS onto HADOOP_OPTS"
+      hadoop_debug "Appending HADOOP_DN_SECURE_EXTRA_OPTS onto HADOOP_OPTS"
+      HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_DATANODE_OPTS} ${HADOOP_DN_SECURE_EXTRA_OPTS}"
       CLASS="org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter"
     else
+      hadoop_debug "Appending HADOOP_DATANODE_OPTS onto HADOOP_OPTS"
       HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_DATANODE_OPTS}"
       CLASS='org.apache.hadoop.hdfs.server.datanode.DataNode'
     fi
   ;;
   dfs)
     CLASS=org.apache.hadoop.fs.FsShell
+    hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
   ;;
   dfsadmin)
     CLASS=org.apache.hadoop.hdfs.tools.DFSAdmin
+    hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
   ;;
   fetchdt)
@@ -125,6 +131,7 @@ case ${COMMAND} in
   ;;
   fsck)
     CLASS=org.apache.hadoop.hdfs.tools.DFSck
+    hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
   ;;
   getconf)
@@ -135,12 +142,15 @@ case ${COMMAND} in
   ;;
   haadmin)
     CLASS=org.apache.hadoop.hdfs.tools.DFSHAAdmin
-    CLASSPATH="${CLASSPATH}:${TOOL_PATH}"
+    hadoop_debug "Injecting TOOL_PATH into CLASSPATH"
+    hadoop_add_classpath "${TOOL_PATH}"
+    hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
   ;;
   journalnode)
     daemon="true"
     CLASS='org.apache.hadoop.hdfs.qjournal.server.JournalNode'
+    hadoop_debug "Appending HADOOP_JOURNALNODE_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_JOURNALNODE_OPTS}"
   ;;
   jmxget)
@@ -152,6 +162,7 @@ case ${COMMAND} in
   namenode)
     daemon="true"
     CLASS='org.apache.hadoop.hdfs.server.namenode.NameNode'
+    hadoop_debug "Appending HADOOP_NAMENODE_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_NAMENODE_OPTS}"
   ;;
   nfs3)
@@ -164,9 +175,12 @@ case ${COMMAND} in
       HADOOP_SECURE_PID_DIR="${HADOOP_SECURE_PID_DIR:-$HADOOP_SECURE_NFS3_PID_DIR}"
       HADOOP_SECURE_LOG_DIR="${HADOOP_SECURE_LOG_DIR:-$HADOOP_SECURE_NFS3_LOG_DIR}"
       
-      HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_NFS3_SECURE_EXTRA_OPTS} ${HADOOP_NFS3_OPTS}"
+      hadoop_debug "Appending HADOOP_NFS3_OPTS onto HADOOP_OPTS"
+      hadoop_debug "Appending HADOOP_NFS3_SECURE_EXTRA_OPTS onto HADOOP_OPTS"
+      HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_NFS3_OPTS} ${HADOOP_NFS3_SECURE_EXTRA_OPTS}"
       CLASS=org.apache.hadoop.hdfs.nfs.nfs3.PrivilegedNfsGatewayStarter
     else
+      hadoop_debug "Appending HADOOP_NFS3_OPTS onto HADOOP_OPTS"
       HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_NFS3_OPTS}"
       CLASS=org.apache.hadoop.hdfs.nfs.nfs3.Nfs3
     fi
@@ -183,11 +197,13 @@ case ${COMMAND} in
   portmap)
     daemon="true"
     CLASS=org.apache.hadoop.portmap.Portmap
+    hadoop_debug "Appending HADOOP_PORTMAP_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_PORTMAP_OPTS}"
   ;;
   secondarynamenode)
     daemon="true"
     CLASS='org.apache.hadoop.hdfs.server.namenode.SecondaryNameNode'
+    hadoop_debug "Appending HADOOP_SECONDARYNAMENODE_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_SECONDARYNAMENODE_OPTS}"
   ;;
   snapshotDiff)
@@ -196,6 +212,7 @@ case ${COMMAND} in
   zkfc)
     daemon="true"
     CLASS='org.apache.hadoop.hdfs.tools.DFSZKFailoverController'
+    hadoop_debug "Appending HADOOP_ZKFC_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_ZKFC_OPTS}"
   ;;
   -*)
@@ -236,8 +253,6 @@ fi
 hadoop_add_param HADOOP_OPTS Xmx "${JAVA_HEAP_MAX}"
 hadoop_finalize
 
-export CLASSPATH
-
 if [[ -n "${daemon}" ]]; then
   if [[ -n "${secure_service}" ]]; then
     hadoop_secure_daemon_handler \
diff --git a/hadoop-mapreduce-project/bin/mapred b/hadoop-mapreduce-project/bin/mapred
index cbfdc7e7d09..8f3063774f8 100755
--- a/hadoop-mapreduce-project/bin/mapred
+++ b/hadoop-mapreduce-project/bin/mapred
@@ -64,13 +64,15 @@ shift
 
 case ${COMMAND} in
   mradmin|jobtracker|tasktracker|groups)
-    echo "Sorry, the ${COMMAND} command is no longer supported."
-    echo "You may find similar functionality with the \"yarn\" shell command."
+    hadoop_error "Sorry, the ${COMMAND} command is no longer supported."
+    hadoop_error "You may find similar functionality with the \"yarn\" shell command."
     hadoop_exit_with_usage 1
   ;;
   archive)
     CLASS=org.apache.hadoop.tools.HadoopArchives
+    hadoop_debug "Injecting TOOL_PATH into CLASSPATH"
     hadoop_add_classpath "${TOOL_PATH}"
+    hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
   ;;
   classpath)
@@ -80,12 +82,15 @@ case ${COMMAND} in
   ;;
   distcp)
     CLASS=org.apache.hadoop.tools.DistCp
+    hadoop_debug "Injecting TOOL_PATH into CLASSPATH"
     hadoop_add_classpath "${TOOL_PATH}"
+    hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
   ;;
   historyserver)
     daemon="true"
     CLASS=org.apache.hadoop.mapreduce.v2.hs.JobHistoryServer
+    hadoop_debug "Appending HADOOP_JOB_HISTORYSERVER_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_JOB_HISTORYSERVER_OPTS}"
     if [ -n "${HADOOP_JOB_HISTORYSERVER_HEAPSIZE}" ]; then
       JAVA_HEAP_MAX="-Xmx${HADOOP_JOB_HISTORYSERVER_HEAPSIZE}m"
@@ -97,6 +102,7 @@ case ${COMMAND} in
   ;;
   pipes)
     CLASS=org.apache.hadoop.mapred.pipes.Submitter
+    hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
   ;;
   queue)
@@ -104,10 +110,12 @@ case ${COMMAND} in
   ;;
   sampler)
     CLASS=org.apache.hadoop.mapred.lib.InputSampler
+    hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
   ;;
   version)
     CLASS=org.apache.hadoop.util.VersionInfo
+    hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
     HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
   ;;
   -*|*)
@@ -130,8 +138,6 @@ fi
 hadoop_add_param HADOOP_OPTS Xmx "${JAVA_HEAP_MAX}"
 hadoop_finalize
 
-export CLASSPATH
-
 if [[ -n "${daemon}" ]]; then
   if [[ -n "${secure_service}" ]]; then
     hadoop_secure_daemon_handler "${HADOOP_DAEMON_MODE}" "${COMMAND}"\
diff --git a/hadoop-yarn-project/hadoop-yarn/bin/yarn b/hadoop-yarn-project/hadoop-yarn/bin/yarn
index dfef8112f05..371d23d712d 100644
--- a/hadoop-yarn-project/hadoop-yarn/bin/yarn
+++ b/hadoop-yarn-project/hadoop-yarn/bin/yarn
@@ -72,6 +72,7 @@ shift
 case "${COMMAND}" in
   application|applicationattempt|container)
     CLASS=org.apache.hadoop.yarn.client.cli.ApplicationCLI
+    hadoop_debug "Append YARN_CLIENT_OPTS onto YARN_OPTS"
     YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
     set -- "${COMMAND}" "$@"
   ;;
@@ -82,10 +83,12 @@ case "${COMMAND}" in
   ;;
   daemonlog)
     CLASS=org.apache.hadoop.log.LogLevel
+    hadoop_debug "Append YARN_CLIENT_OPTS onto YARN_OPTS"
     YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
   ;;
   jar)
     CLASS=org.apache.hadoop.util.RunJar
+    hadoop_debug "Append YARN_CLIENT_OPTS onto YARN_OPTS"
     YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
   ;;
   historyserver)
@@ -97,15 +100,18 @@ case "${COMMAND}" in
   ;;
   logs)
     CLASS=org.apache.hadoop.yarn.logaggregation.LogDumper
+    hadoop_debug "Append YARN_CLIENT_OPTS onto YARN_OPTS"
     YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
   ;;
   node)
     CLASS=org.apache.hadoop.yarn.client.cli.NodeCLI
+    hadoop_debug "Append YARN_CLIENT_OPTS onto YARN_OPTS"
     YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
   ;;
   nodemanager)
     daemon="true"
     CLASS='org.apache.hadoop.yarn.server.nodemanager.NodeManager'
+    hadoop_debug "Append YARN_NODEMANAGER_OPTS onto YARN_OPTS"
     YARN_OPTS="${YARN_OPTS} ${YARN_NODEMANAGER_OPTS}"
     if [[ -n "${YARN_NODEMANAGER_HEAPSIZE}" ]]; then
       JAVA_HEAP_MAX="-Xmx${YARN_NODEMANAGER_HEAPSIZE}m"
@@ -114,6 +120,7 @@ case "${COMMAND}" in
   proxyserver)
     daemon="true"
     CLASS='org.apache.hadoop.yarn.server.webproxy.WebAppProxyServer'
+    hadoop_debug "Append YARN_PROXYSERVER_OPTS onto YARN_OPTS"
     YARN_OPTS="${YARN_OPTS} ${YARN_PROXYSERVER_OPTS}"
     if [[ -n "${YARN_PROXYSERVER_HEAPSIZE}" ]]; then
       JAVA_HEAP_MAX="-Xmx${YARN_PROXYSERVER_HEAPSIZE}m"
@@ -123,17 +130,20 @@ case "${COMMAND}" in
     daemon="true"
     CLASS='org.apache.hadoop.yarn.server.resourcemanager.ResourceManager'
     YARN_OPTS="${YARN_OPTS} ${YARN_RESOURCEMANAGER_OPTS}"
+    hadoop_debug "Append YARN_RESOURCEMANAGER_OPTS onto YARN_OPTS"
     if [[ -n "${YARN_RESOURCEMANAGER_HEAPSIZE}" ]]; then
       JAVA_HEAP_MAX="-Xmx${YARN_RESOURCEMANAGER_HEAPSIZE}m"
     fi
   ;;
   rmadmin)
     CLASS='org.apache.hadoop.yarn.client.cli.RMAdminCLI'
+    hadoop_debug "Append YARN_CLIENT_OPTS onto YARN_OPTS"
     YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
   ;;
   timelineserver)
     daemon="true"
     CLASS='org.apache.hadoop.yarn.server.applicationhistoryservice.ApplicationHistoryServer'
+    hadoop_debug "Append YARN_TIMELINESERVER_OPTS onto YARN_OPTS"
     YARN_OPTS="${YARN_OPTS} ${YARN_TIMELINESERVER_OPTS}"
     if [[ -n "${YARN_TIMELINESERVER_HEAPSIZE}" ]]; then
       JAVA_HEAP_MAX="-Xmx${YARN_TIMELINESERVER_HEAPSIZE}m"
@@ -141,6 +151,7 @@ case "${COMMAND}" in
   ;;
   version)
     CLASS=org.apache.hadoop.util.VersionInfo
+    hadoop_debug "Append YARN_CLIENT_OPTS onto YARN_OPTS"
     YARN_OPTS="${YARN_OPTS} ${YARN_CLIENT_OPTS}"
   ;;
   -*)
@@ -153,6 +164,8 @@ esac
 
 # set HADOOP_OPTS to YARN_OPTS so that we can use
 # finalize, etc, without doing anything funky
+hadoop_debug "Resetting HADOOP_OPTS=YARN_OPTS"
+# shellcheck disable=SC2034
 HADOOP_OPTS="${YARN_OPTS}"
 
 daemon_outfile="${HADOOP_LOG_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.out"
@@ -180,8 +193,6 @@ hadoop_add_param HADOOP_OPTS yarn.root.logger "-Dyarn.root.logger=${YARN_ROOT_LO
 
 hadoop_finalize
 
-export CLASSPATH
-
 if [[ -n "${daemon}" ]]; then
   if [[ -n "${secure_service}" ]]; then
     hadoop_secure_daemon_handler "${HADOOP_DAEMON_MODE}" "${COMMAND}" \

From 7b3e27ab7393214e35a575bc9093100e94dd8c89 Mon Sep 17 00:00:00 2001
From: Jian <jianhe@apache.org>
Date: Thu, 28 Aug 2014 21:47:26 -0700
Subject: [PATCH 324/354] YARN-2406. Move RM recovery related proto to
 yarn_server_resourcemanager_recovery.proto. Contributed by Tsuyoshi OZAWA

---
 ...erver_resourcemanager_service_protos.proto | 58 ------------------
 .../recovery/FileSystemRMStateStore.java      |  6 +-
 .../recovery/ZKRMStateStore.java              |  6 +-
 .../records/ApplicationAttemptStateData.java  |  2 +-
 .../records/ApplicationStateData.java         |  2 +-
 .../recovery/records/Epoch.java               |  2 +-
 .../pb/ApplicationAttemptStateDataPBImpl.java |  6 +-
 .../impl/pb/ApplicationStateDataPBImpl.java   |  6 +-
 .../recovery/records/impl/pb/EpochPBImpl.java |  4 +-
 ...yarn_server_resourcemanager_recovery.proto | 60 +++++++++++++++++++
 10 files changed, 77 insertions(+), 75 deletions(-)

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/server/yarn_server_resourcemanager_service_protos.proto b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/server/yarn_server_resourcemanager_service_protos.proto
index 08c937f68d0..4637f0348b6 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/server/yarn_server_resourcemanager_service_protos.proto
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/server/yarn_server_resourcemanager_service_protos.proto
@@ -75,64 +75,6 @@ message UpdateNodeResourceRequestProto {
 message UpdateNodeResourceResponseProto {
 }
 
-////////////////////////////////////////////////////////////////////////
-////// RM recovery related records /////////////////////////////////////
-////////////////////////////////////////////////////////////////////////
-enum RMAppAttemptStateProto {
-  RMATTEMPT_NEW = 1;
-  RMATTEMPT_SUBMITTED = 2;
-  RMATTEMPT_SCHEDULED = 3;
-  RMATTEMPT_ALLOCATED = 4;
-  RMATTEMPT_LAUNCHED = 5;
-  RMATTEMPT_FAILED = 6;
-  RMATTEMPT_RUNNING = 7;
-  RMATTEMPT_FINISHING = 8;
-  RMATTEMPT_FINISHED = 9;
-  RMATTEMPT_KILLED = 10;
-  RMATTEMPT_ALLOCATED_SAVING = 11;
-  RMATTEMPT_LAUNCHED_UNMANAGED_SAVING = 12;
-  RMATTEMPT_RECOVERED = 13;
-  RMATTEMPT_FINAL_SAVING = 14;
-}
-
-enum RMAppStateProto {
-  RMAPP_NEW = 1;
-  RMAPP_NEW_SAVING = 2;
-  RMAPP_SUBMITTED = 3;
-  RMAPP_ACCEPTED = 4;
-  RMAPP_RUNNING = 5;
-  RMAPP_FINAL_SAVING = 6;
-  RMAPP_FINISHING = 7;
-  RMAPP_FINISHED = 8;
-  RMAPP_FAILED = 9;
-  RMAPP_KILLED = 10;
-}
-
-message ApplicationStateDataProto {
-  optional int64 submit_time = 1;
-  optional ApplicationSubmissionContextProto application_submission_context = 2;
-  optional string user = 3;
-  optional int64 start_time = 4;
-  optional RMAppStateProto application_state = 5;
-  optional string diagnostics = 6 [default = "N/A"];
-  optional int64 finish_time = 7;
-}
-
-message ApplicationAttemptStateDataProto {
-  optional ApplicationAttemptIdProto attemptId = 1;
-  optional ContainerProto master_container = 2;
-  optional bytes app_attempt_tokens = 3;
-  optional RMAppAttemptStateProto app_attempt_state = 4;
-  optional string final_tracking_url = 5;
-  optional string diagnostics = 6 [default = "N/A"];
-  optional int64 start_time = 7;
-  optional FinalApplicationStatusProto final_application_status = 8;
-  optional int32 am_container_exit_status = 9 [default = -1000];
-}
-
-message EpochProto {
-  optional int64 epoch = 1;
-}
 
 //////////////////////////////////////////////////////////////////
 ///////////// RM Failover related records ////////////////////////
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
index d57669cce6e..162b484e0f1 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
@@ -46,9 +46,9 @@
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.VersionProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.AMRMTokenSecretManagerStateProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.EpochProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationAttemptStateDataProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationStateDataProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.EpochProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.ApplicationAttemptStateDataProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.ApplicationStateDataProto;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
 import org.apache.hadoop.yarn.server.records.Version;
 import org.apache.hadoop.yarn.server.records.impl.pb.VersionPBImpl;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
index 1544dcc3458..b3100d1ac32 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
@@ -46,9 +46,9 @@
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.proto.YarnServerCommonProtos.VersionProto;
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.AMRMTokenSecretManagerStateProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationAttemptStateDataProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationStateDataProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.EpochProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.ApplicationAttemptStateDataProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.ApplicationStateDataProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.EpochProto;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
 import org.apache.hadoop.yarn.server.records.impl.pb.VersionPBImpl;
 import org.apache.hadoop.yarn.server.records.Version;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationAttemptStateData.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationAttemptStateData.java
index 90fb3ec0d2c..5cb9787fac0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationAttemptStateData.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationAttemptStateData.java
@@ -28,7 +28,7 @@
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.Container;
 import org.apache.hadoop.yarn.api.records.FinalApplicationStatus;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationAttemptStateDataProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.ApplicationAttemptStateDataProto;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.ApplicationAttemptState;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
 import org.apache.hadoop.yarn.util.Records;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationStateData.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationStateData.java
index 55b726ffd0d..eff0445155d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationStateData.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationStateData.java
@@ -24,7 +24,7 @@
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationStateDataProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.ApplicationStateDataProto;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.ApplicationState;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
 import org.apache.hadoop.yarn.util.Records;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/Epoch.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/Epoch.java
index 066878918d0..80ec48ce634 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/Epoch.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/Epoch.java
@@ -20,7 +20,7 @@
 
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.EpochProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.EpochProto;
 import org.apache.hadoop.yarn.util.Records;
 
 /**
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationAttemptStateDataPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationAttemptStateDataPBImpl.java
index a90bda49030..5c62d634c32 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationAttemptStateDataPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationAttemptStateDataPBImpl.java
@@ -27,9 +27,9 @@
 import org.apache.hadoop.yarn.api.records.impl.pb.ContainerPBImpl;
 import org.apache.hadoop.yarn.api.records.impl.pb.ProtoUtils;
 import org.apache.hadoop.yarn.proto.YarnProtos.FinalApplicationStatusProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationAttemptStateDataProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationAttemptStateDataProtoOrBuilder;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.RMAppAttemptStateProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.ApplicationAttemptStateDataProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.ApplicationAttemptStateDataProtoOrBuilder;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.RMAppAttemptStateProto;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationStateDataPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationStateDataPBImpl.java
index 8aaf1a4a7ca..d8cbd2384e3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationStateDataPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationStateDataPBImpl.java
@@ -20,9 +20,9 @@
 
 import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext;
 import org.apache.hadoop.yarn.api.records.impl.pb.ApplicationSubmissionContextPBImpl;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationStateDataProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationStateDataProtoOrBuilder;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.RMAppStateProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.ApplicationStateDataProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.ApplicationStateDataProtoOrBuilder;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.RMAppStateProto;
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/EpochPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/EpochPBImpl.java
index 4430672d079..a6ddeadb49c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/EpochPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/EpochPBImpl.java
@@ -18,8 +18,8 @@
 
 package org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb;
 
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.EpochProto;
-import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.EpochProtoOrBuilder;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.EpochProto;
+import org.apache.hadoop.yarn.proto.YarnServerResourceManagerRecoveryProtos.EpochProtoOrBuilder;
 
 
 import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.Epoch;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto
index ae56b9fd346..eab6af15787 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto
@@ -23,6 +23,66 @@ option java_generate_equals_and_hash = true;
 package hadoop.yarn;
 
 import "yarn_server_common_protos.proto";
+import "yarn_protos.proto";
+
+////////////////////////////////////////////////////////////////////////
+////// RM recovery related records /////////////////////////////////////
+////////////////////////////////////////////////////////////////////////
+enum RMAppAttemptStateProto {
+    RMATTEMPT_NEW = 1;
+    RMATTEMPT_SUBMITTED = 2;
+    RMATTEMPT_SCHEDULED = 3;
+    RMATTEMPT_ALLOCATED = 4;
+    RMATTEMPT_LAUNCHED = 5;
+    RMATTEMPT_FAILED = 6;
+    RMATTEMPT_RUNNING = 7;
+    RMATTEMPT_FINISHING = 8;
+    RMATTEMPT_FINISHED = 9;
+    RMATTEMPT_KILLED = 10;
+    RMATTEMPT_ALLOCATED_SAVING = 11;
+    RMATTEMPT_LAUNCHED_UNMANAGED_SAVING = 12;
+    RMATTEMPT_RECOVERED = 13;
+    RMATTEMPT_FINAL_SAVING = 14;
+}
+
+enum RMAppStateProto {
+    RMAPP_NEW = 1;
+    RMAPP_NEW_SAVING = 2;
+    RMAPP_SUBMITTED = 3;
+    RMAPP_ACCEPTED = 4;
+    RMAPP_RUNNING = 5;
+    RMAPP_FINAL_SAVING = 6;
+    RMAPP_FINISHING = 7;
+    RMAPP_FINISHED = 8;
+    RMAPP_FAILED = 9;
+    RMAPP_KILLED = 10;
+}
+
+message ApplicationStateDataProto {
+    optional int64 submit_time = 1;
+    optional ApplicationSubmissionContextProto application_submission_context = 2;
+    optional string user = 3;
+    optional int64 start_time = 4;
+    optional RMAppStateProto application_state = 5;
+    optional string diagnostics = 6 [default = "N/A"];
+    optional int64 finish_time = 7;
+}
+
+message ApplicationAttemptStateDataProto {
+    optional ApplicationAttemptIdProto attemptId = 1;
+    optional ContainerProto master_container = 2;
+    optional bytes app_attempt_tokens = 3;
+    optional RMAppAttemptStateProto app_attempt_state = 4;
+    optional string final_tracking_url = 5;
+    optional string diagnostics = 6 [default = "N/A"];
+    optional int64 start_time = 7;
+    optional FinalApplicationStatusProto final_application_status = 8;
+    optional int32 am_container_exit_status = 9 [default = -1000];
+}
+
+message EpochProto {
+    optional int64 epoch = 1;
+}
 
 message AMRMTokenSecretManagerStateProto {
   optional MasterKeyProto current_master_key = 1;

From 9d68445710feff9fda9ee69847beeaf3e99b85ef Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Thu, 28 Aug 2014 21:58:37 -0700
Subject: [PATCH 325/354] Add CHANGES.txt for YARN-2406.

---
 hadoop-yarn-project/CHANGES.txt | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 871829ac369..fa4c8c53c9f 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -160,6 +160,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2182. Updated ContainerId#toString() to append RM Epoch number.
     (Tsuyoshi OZAWA via jianhe)
 
+    YARN-2406. Move RM recovery related proto to
+    yarn_server_resourcemanager_recovery.proto. (Tsuyoshi Ozawa via jianhe)
+
   OPTIMIZATIONS
 
   BUG FIXES

From fa80ca49bdd741823ff012ddbd7a0f1aecf26195 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Thu, 28 Aug 2014 23:21:37 -0700
Subject: [PATCH 326/354] YARN-2405. NPE in FairSchedulerAppsBlock. (Tsuyoshi
 Ozawa via kasha)

---
 hadoop-yarn-project/CHANGES.txt               |  2 +
 .../webapp/FairSchedulerAppsBlock.java        |  4 +
 .../webapp/dao/FairSchedulerInfo.java         | 15 ++-
 .../webapp/TestRMWebAppFairScheduler.java     | 96 ++++++++++++++++++-
 4 files changed, 114 insertions(+), 3 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index fa4c8c53c9f..fa47c8ee2d8 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -249,6 +249,8 @@ Release 2.6.0 - UNRELEASED
     YARN-2035. FileSystemApplicationHistoryStore should not make working dir
     when it already exists. (Jonathan Eagles via zjshen)
 
+    YARN-2405. NPE in FairSchedulerAppsBlock. (Tsuyoshi Ozawa via kasha)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/FairSchedulerAppsBlock.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/FairSchedulerAppsBlock.java
index b1aff9078ca..2a1442ea09d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/FairSchedulerAppsBlock.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/FairSchedulerAppsBlock.java
@@ -110,6 +110,10 @@ public class FairSchedulerAppsBlock extends HtmlBlock {
       String percent = String.format("%.1f", appInfo.getProgress());
       ApplicationAttemptId attemptId = app.getCurrentAppAttempt().getAppAttemptId();
       int fairShare = fsinfo.getAppFairShare(attemptId);
+      if (fairShare == FairSchedulerInfo.INVALID_FAIR_SHARE) {
+        // FairScheduler#applications don't have the entry. Skip it.
+        continue;
+      }
       //AppID numerical value parsed by parseHadoopID in yarn.dt.plugins.js
       appsTableData.append("[\"<a href='")
       .append(url("app", appInfo.getAppId())).append("'>")
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerInfo.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerInfo.java
index 23f8c01c38a..f97ff8ae64b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerInfo.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerInfo.java
@@ -25,12 +25,14 @@
 import javax.xml.bind.annotation.XmlType;
 
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler;
 
 @XmlRootElement(name = "fairScheduler")
 @XmlType(name = "fairScheduler")
 @XmlAccessorType(XmlAccessType.FIELD)
 public class FairSchedulerInfo extends SchedulerInfo {
+  public static final int INVALID_FAIR_SHARE = -1;
   private FairSchedulerQueueInfo rootQueue;
   
   @XmlTransient
@@ -44,9 +46,18 @@ public FairSchedulerInfo(FairScheduler fs) {
     rootQueue = new FairSchedulerQueueInfo(scheduler.getQueueManager().
         getRootQueue(), scheduler);
   }
-  
+
+  /**
+   * Get the fair share assigned to the appAttemptId.
+   * @param appAttemptId
+   * @return The fair share assigned to the appAttemptId,
+   * <code>FairSchedulerInfo#INVALID_FAIR_SHARE</code> if the scheduler does
+   * not know about this application attempt.
+   */
   public int getAppFairShare(ApplicationAttemptId appAttemptId) {
-    return scheduler.getSchedulerApp(appAttemptId).getFairShare().getMemory();
+    FSAppAttempt fsAppAttempt = scheduler.getSchedulerApp(appAttemptId);
+    return fsAppAttempt == null ?
+        INVALID_FAIR_SHARE :  fsAppAttempt.getFairShare().getMemory();
   }
   
   public FairSchedulerQueueInfo getRootQueueInfo() {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebAppFairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebAppFairScheduler.java
index 1de64896c55..111bf47d2b1 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebAppFairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebAppFairScheduler.java
@@ -22,20 +22,29 @@
 import com.google.inject.Binder;
 import com.google.inject.Injector;
 import com.google.inject.Module;
+import org.apache.hadoop.util.StringUtils;
+import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
+import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.api.records.YarnApplicationState;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContextImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.MockRMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppMetrics;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
+import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
+
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairSchedulerConfiguration;
 import org.apache.hadoop.yarn.server.resourcemanager.security.ClientToAMTokenSecretManagerInRM;
 import org.apache.hadoop.yarn.server.resourcemanager.security.NMTokenSecretManagerInRM;
 import org.apache.hadoop.yarn.server.resourcemanager.security.RMContainerTokenSecretManager;
 import org.apache.hadoop.yarn.webapp.test.WebAppTests;
+import org.junit.Assert;
 import org.junit.Test;
 
 import java.io.IOException;
@@ -75,12 +84,67 @@ public void configure(Binder binder) {
     WebAppTests.flushOutput(injector);
   }
 
+
+  /**
+   *  Testing inconsistent state between AbstractYarnScheduler#applications and
+   *  RMContext#applications
+   */
+  @Test
+  public void testFairSchedulerWebAppPageInInconsistentState() {
+    List<RMAppState> appStates = Arrays.asList(
+        RMAppState.NEW,
+        RMAppState.NEW_SAVING,
+        RMAppState.SUBMITTED,
+        RMAppState.RUNNING,
+        RMAppState.FINAL_SAVING,
+        RMAppState.ACCEPTED,
+        RMAppState.FINISHED
+    );
+    final RMContext rmContext = mockRMContext(appStates);
+    Injector injector = WebAppTests.createMockInjector(RMContext.class,
+        rmContext,
+        new Module() {
+          @Override
+          public void configure(Binder binder) {
+            try {
+              ResourceManager mockRmWithFairScheduler =
+                  mockRmWithApps(rmContext);
+              binder.bind(ResourceManager.class).toInstance
+                  (mockRmWithFairScheduler);
+
+            } catch (IOException e) {
+              throw new IllegalStateException(e);
+            }
+          }
+        });
+    FairSchedulerPage fsViewInstance =
+        injector.getInstance(FairSchedulerPage.class);
+    try {
+      fsViewInstance.render();
+    } catch (Exception e) {
+      Assert.fail("Failed to render FairSchedulerPage: " +
+          StringUtils.stringifyException(e));
+    }
+    WebAppTests.flushOutput(injector);
+  }
+
   private static RMContext mockRMContext(List<RMAppState> states) {
     final ConcurrentMap<ApplicationId, RMApp> applicationsMaps = Maps
         .newConcurrentMap();
     int i = 0;
     for (RMAppState state : states) {
-      MockRMApp app = new MockRMApp(i, i, state);
+      MockRMApp app = new MockRMApp(i, i, state) {
+        @Override
+        public RMAppMetrics getRMAppMetrics() {
+          return new RMAppMetrics(Resource.newInstance(0, 0), 0, 0);
+        }
+        @Override
+        public YarnApplicationState createApplicationState() {
+          return YarnApplicationState.ACCEPTED;
+        }
+      };
+      RMAppAttempt attempt = mock(RMAppAttempt.class);
+      app.setCurrentAppAttempt(attempt);
       applicationsMaps.put(app.getApplicationId(), app);
       i++;
     }
@@ -113,4 +177,34 @@ null, new RMContainerTokenSecretManager(conf),
     fs.init(conf);
     return fs;
   }
+
+  private static ResourceManager mockRmWithApps(RMContext rmContext) throws
+      IOException {
+    ResourceManager rm = mock(ResourceManager.class);
+    ResourceScheduler rs =  mockFairSchedulerWithoutApps(rmContext);
+    when(rm.getResourceScheduler()).thenReturn(rs);
+    when(rm.getRMContext()).thenReturn(rmContext);
+    return rm;
+  }
+
+  private static FairScheduler mockFairSchedulerWithoutApps(RMContext rmContext)
+      throws IOException {
+    FairScheduler fs = new FairScheduler() {
+      @Override
+      public FSAppAttempt getSchedulerApp(ApplicationAttemptId
+          applicationAttemptId) {
+        return null ;
+      }
+      @Override
+      public FSAppAttempt getApplicationAttempt(ApplicationAttemptId
+          applicationAttemptId) {
+        return null;
+      }
+    };
+    FairSchedulerConfiguration conf = new FairSchedulerConfiguration();
+    fs.setRMContext(rmContext);
+    fs.init(conf);
+    return fs;
+  }
+
 }

From 4ae8178c5626d188b137e3f806e56fd8661c4970 Mon Sep 17 00:00:00 2001
From: arp <arp@apache.org>
Date: Fri, 29 Aug 2014 00:26:13 -0700
Subject: [PATCH 327/354] HDFS-6800. Support Datanode layout changes with
 rolling upgrade. (Contributed by James Thomas)

---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt              | 3 +++
 .../hdfs/server/datanode/BlockPoolSliceStorage.java      | 9 ++++++++-
 .../org/apache/hadoop/hdfs/server/datanode/DataNode.java | 5 ++---
 .../hadoop/hdfs/server/namenode/NameNodeRpcServer.java   | 1 +
 .../hadoop-hdfs/src/site/xdoc/HdfsRollingUpgrade.xml     | 2 +-
 5 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 8268b6b30e7..957034bda22 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -571,6 +571,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6902. FileWriter should be closed in finally block in
     BlockReceiver#receiveBlock() (Tsuyoshi OZAWA via Colin Patrick McCabe)
 
+    HDFS-6800. Support Datanode layout changes with rolling upgrade.
+    (James Thomas via Arpit Agarwal)
+
     BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
   
       HDFS-6387. HDFS CLI admin tool for creating & deleting an
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
index 8e65dd0b548..88f858b94ce 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
@@ -255,7 +255,14 @@ protected void setFieldsFromProperties(Properties props, StorageDirectory sd)
    */
   private void doTransition(DataNode datanode, StorageDirectory sd,
       NamespaceInfo nsInfo, StartupOption startOpt) throws IOException {
-    if (startOpt == StartupOption.ROLLBACK) {
+    if (startOpt == StartupOption.ROLLBACK && sd.getPreviousDir().exists()) {
+      // we will already restore everything in the trash by rolling back to
+      // the previous directory, so we must delete the trash to ensure
+      // that it's not restored by BPOfferService.signalRollingUpgrade()
+      if (!FileUtil.fullyDelete(getTrashRootDir(sd))) {
+        throw new IOException("Unable to delete trash directory prior to " +
+            "restoration of previous directory: " + getTrashRootDir(sd));
+      }
       doRollback(sd, nsInfo); // rollback if applicable
     } else {
       // Restore all the files in the trash. The restored files are retained
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
index 1ec91d005b7..7edffa4cbb3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
@@ -244,10 +244,9 @@ public class DataNode extends Configured
     LogFactory.getLog(DataNode.class.getName() + ".clienttrace");
   
   private static final String USAGE =
-      "Usage: java DataNode [-regular | -rollback | -rollingupgrade rollback]\n" +
+      "Usage: java DataNode [-regular | -rollback]\n" +
       "    -regular                 : Normal DataNode startup (default).\n" +
-      "    -rollback                : Rollback a standard upgrade.\n" +
-      "    -rollingupgrade rollback : Rollback a rolling upgrade operation.\n" +
+      "    -rollback                : Rollback a standard or rolling upgrade.\n" +
       "  Refer to HDFS documentation for the difference between standard\n" +
       "  and rolling upgrades.";
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index e17d403c094..a0b636f2ef8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -1073,6 +1073,7 @@ public DatanodeCommand blockReport(DatanodeRegistration nodeReg,
     }
 
     if (nn.getFSImage().isUpgradeFinalized() &&
+        !namesystem.isRollingUpgrade() &&
         !nn.isStandbyState() &&
         noStaleStorages) {
       return new FinalizeCommand(poolId);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/xdoc/HdfsRollingUpgrade.xml b/hadoop-hdfs-project/hadoop-hdfs/src/site/xdoc/HdfsRollingUpgrade.xml
index c369f3bd735..61d7d067f91 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/site/xdoc/HdfsRollingUpgrade.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/xdoc/HdfsRollingUpgrade.xml
@@ -206,7 +206,7 @@
       <li>Restore the pre-upgrade release in all machines.</li>
       <li>Start <em>NNs</em> with the
         "<a href="#namenode_-rollingUpgrade"><code>-rollingUpgrade rollback</code></a>" option.</li>
-      <li>Start <em>DNs</em> normally.</li>
+      <li>Start <em>DNs</em> with the "<code>-rollback</code>" option.</li>
     </ol></li>
   </ul>
 

From 4bd0194e6be68421eb1dc87f9f031626112e4c50 Mon Sep 17 00:00:00 2001
From: Zhijie Shen <zjshen@apache.org>
Date: Fri, 29 Aug 2014 09:40:39 -0700
Subject: [PATCH 328/354] YARN-2449. Fixed the bug that
 TimelineAuthenticationFilterInitializer is not automatically added when
 hadoop.http.filter.initializers is not configured. Contributed by Varun
 Vasudev.

---
 hadoop-yarn-project/CHANGES.txt               |  4 +++
 .../ApplicationHistoryServer.java             |  5 ++-
 .../TestApplicationHistoryServer.java         | 35 +++++++++++++------
 3 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index fa47c8ee2d8..1528cba6239 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -251,6 +251,10 @@ Release 2.6.0 - UNRELEASED
 
     YARN-2405. NPE in FairSchedulerAppsBlock. (Tsuyoshi Ozawa via kasha)
 
+    YARN-2449. Fixed the bug that TimelineAuthenticationFilterInitializer
+    is not automatically added when hadoop.http.filter.initializers is not
+    configured. (Varun Vasudev via zjshen)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
index c61b80e1993..6ec0d4221f0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
@@ -197,6 +197,7 @@ private void startWebApp() {
     // the customized filter will be loaded by the timeline server to do Kerberos
     // + DT authentication.
     String initializers = conf.get("hadoop.http.filter.initializers");
+    boolean modifiedInitialiers = false;
 
     initializers =
         initializers == null || initializers.length() == 0 ? "" : initializers;
@@ -206,6 +207,7 @@ private void startWebApp() {
       initializers =
           TimelineAuthenticationFilterInitializer.class.getName() + ","
               + initializers;
+      modifiedInitialiers = true;
     }
 
     String[] parts = initializers.split(",");
@@ -214,13 +216,14 @@ private void startWebApp() {
       filterInitializer = filterInitializer.trim();
       if (filterInitializer.equals(AuthenticationFilterInitializer.class
         .getName())) {
+        modifiedInitialiers = true;
         continue;
       }
       target.add(filterInitializer);
     }
     String actualInitializers =
         org.apache.commons.lang.StringUtils.join(target, ",");
-    if (!actualInitializers.equals(initializers)) {
+    if (modifiedInitialiers) {
       conf.set("hadoop.http.filter.initializers", actualInitializers);
     }
     String bindAddress = WebAppUtils.getWebAppBindURL(conf,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryServer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryServer.java
index bcd8e454c5e..807d2df3c8f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryServer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/applicationhistoryservice/TestApplicationHistoryServer.java
@@ -23,6 +23,7 @@
 import static org.junit.Assert.fail;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.http.lib.StaticUserWebFilter;
 import org.apache.hadoop.security.AuthenticationFilterInitializer;
 import org.apache.hadoop.service.Service.STATE;
 import org.apache.hadoop.util.ExitUtil;
@@ -33,6 +34,9 @@
 import org.junit.Assert;
 import org.junit.Test;
 
+import java.util.HashMap;
+import java.util.Map;
+
 public class TestApplicationHistoryServer {
 
   ApplicationHistoryServer historyServer = null;
@@ -75,23 +79,32 @@ public void testLaunch() throws Exception {
   @Test(timeout = 50000)
   public void testFilteOverrides() throws Exception {
 
-    String[] filterInitializers =
-        {
-            AuthenticationFilterInitializer.class.getName(),
-            TimelineAuthenticationFilterInitializer.class.getName(),
-            AuthenticationFilterInitializer.class.getName() + ","
-                + TimelineAuthenticationFilterInitializer.class.getName(),
-            AuthenticationFilterInitializer.class.getName() + ", "
-                + TimelineAuthenticationFilterInitializer.class.getName() };
-    for (String filterInitializer : filterInitializers) {
+    HashMap<String, String> driver = new HashMap<String, String>();
+    driver.put("", TimelineAuthenticationFilterInitializer.class.getName());
+    driver.put(StaticUserWebFilter.class.getName(),
+      TimelineAuthenticationFilterInitializer.class.getName() + ","
+          + StaticUserWebFilter.class.getName());
+    driver.put(AuthenticationFilterInitializer.class.getName(),
+      TimelineAuthenticationFilterInitializer.class.getName());
+    driver.put(TimelineAuthenticationFilterInitializer.class.getName(),
+      TimelineAuthenticationFilterInitializer.class.getName());
+    driver.put(AuthenticationFilterInitializer.class.getName() + ","
+        + TimelineAuthenticationFilterInitializer.class.getName(),
+      TimelineAuthenticationFilterInitializer.class.getName());
+    driver.put(AuthenticationFilterInitializer.class.getName() + ", "
+        + TimelineAuthenticationFilterInitializer.class.getName(),
+      TimelineAuthenticationFilterInitializer.class.getName());
+
+    for (Map.Entry<String, String> entry : driver.entrySet()) {
+      String filterInitializer = entry.getKey();
+      String expectedValue = entry.getValue();
       historyServer = new ApplicationHistoryServer();
       Configuration config = new YarnConfiguration();
       config.set("hadoop.http.filter.initializers", filterInitializer);
       historyServer.init(config);
       historyServer.start();
       Configuration tmp = historyServer.getConfig();
-      assertEquals(TimelineAuthenticationFilterInitializer.class.getName(),
-        tmp.get("hadoop.http.filter.initializers"));
+      assertEquals(expectedValue, tmp.get("hadoop.http.filter.initializers"));
       historyServer.stop();
       AHSWebApp.resetInstance();
     }

From 3de66011c2e80d7c458a67f80042af986fcc677d Mon Sep 17 00:00:00 2001
From: Hitesh Shah <hitesh@apache.org>
Date: Fri, 29 Aug 2014 11:16:36 -0700
Subject: [PATCH 329/354] YARN-2450. Fix typos in log messages. Contributed by
 Ray Chiang.

---
 hadoop-yarn-project/CHANGES.txt                           | 2 ++
 .../applications/distributedshell/ApplicationMaster.java  | 8 ++++----
 .../hadoop/yarn/applications/distributedshell/Client.java | 2 +-
 .../localizer/ResourceLocalizationService.java            | 4 ++--
 .../resourcemanager/recovery/FileSystemRMStateStore.java  | 2 +-
 .../server/resourcemanager/recovery/ZKRMStateStore.java   | 2 +-
 .../resourcemanager/security/DelegationTokenRenewer.java  | 2 +-
 7 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 1528cba6239..72e8a1e2447 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -255,6 +255,8 @@ Release 2.6.0 - UNRELEASED
     is not automatically added when hadoop.http.filter.initializers is not
     configured. (Varun Vasudev via zjshen)
 
+    YARN-2450. Fix typos in log messages. (Ray Chiang via hitesh)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java
index 4a842458691..2451030af2c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/ApplicationMaster.java
@@ -519,7 +519,7 @@ public void run() throws YarnException, IOException {
       publishApplicationAttemptEvent(timelineClient, appAttemptID.toString(),
           DSEvent.DS_APP_ATTEMPT_START);
     } catch (Exception e) {
-      LOG.error("App Attempt start event coud not be pulished for "
+      LOG.error("App Attempt start event could not be published for "
           + appAttemptID.toString(), e);
     }
 
@@ -616,7 +616,7 @@ public void run() throws YarnException, IOException {
       publishApplicationAttemptEvent(timelineClient, appAttemptID.toString(),
           DSEvent.DS_APP_ATTEMPT_END);
     } catch (Exception e) {
-      LOG.error("App Attempt start event coud not be pulished for "
+      LOG.error("App Attempt start event could not be published for "
           + appAttemptID.toString(), e);
     }
   }
@@ -726,7 +726,7 @@ public void onContainersCompleted(List<ContainerStatus> completedContainers) {
         try {
           publishContainerEndEvent(timelineClient, containerStatus);
         } catch (Exception e) {
-          LOG.error("Container start event could not be pulished for "
+          LOG.error("Container start event could not be published for "
               + containerStatus.getContainerId().toString(), e);
         }
       }
@@ -847,7 +847,7 @@ public void onContainerStarted(ContainerId containerId,
         ApplicationMaster.publishContainerStartEvent(
             applicationMaster.timelineClient, container);
       } catch (Exception e) {
-        LOG.error("Container start event coud not be pulished for "
+        LOG.error("Container start event could not be published for "
             + container.getId().toString(), e);
       }
     }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/Client.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/Client.java
index 05fd883be93..a86b52132eb 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/Client.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell/src/main/java/org/apache/hadoop/yarn/applications/distributedshell/Client.java
@@ -197,7 +197,7 @@ public static void main(String[] args) {
       }
       result = client.run();
     } catch (Throwable t) {
-      LOG.fatal("Error running CLient", t);
+      LOG.fatal("Error running Client", t);
       System.exit(1);
     }
     if (result) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java
index 64a0b37cc31..a092b59650b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java
@@ -801,7 +801,7 @@ public void run() {
             try {
               Path local = completed.get();
               if (null == assoc) {
-                LOG.error("Localized unkonwn resource to " + completed);
+                LOG.error("Localized unknown resource to " + completed);
                 // TODO delete
                 return;
               }
@@ -810,7 +810,7 @@ public void run() {
                 .getDU(new File(local.toUri()))));
               assoc.getResource().unlock();
             } catch (ExecutionException e) {
-              LOG.info("Failed to download rsrc " + assoc.getResource(),
+              LOG.info("Failed to download resource " + assoc.getResource(),
                   e.getCause());
               LocalResourceRequest req = assoc.getResource().getRequest();
               publicRsrc.handle(new ResourceFailedLocalizationEvent(req,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
index 162b484e0f1..0a3b269c97a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/FileSystemRMStateStore.java
@@ -300,7 +300,7 @@ private void loadRMAppState(RMState rmState) throws Exception {
         assert appState != null;
         appState.attempts.put(attemptState.getAttemptId(), attemptState);
       }
-      LOG.info("Done Loading applications from FS state store");
+      LOG.info("Done loading applications from FS state store");
     } catch (Exception e) {
       LOG.error("Failed to load state.", e);
       throw e;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
index b3100d1ac32..1b1ec7629b1 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/ZKRMStateStore.java
@@ -608,7 +608,7 @@ private void loadApplicationAttemptState(ApplicationState appState,
         appState.attempts.put(attemptState.getAttemptId(), attemptState);
       }
     }
-    LOG.debug("Done Loading applications from ZK state store");
+    LOG.debug("Done loading applications from ZK state store");
   }
 
   @Override
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java
index bdcfd0460ef..e0c32247dfa 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java
@@ -289,7 +289,7 @@ public void run() {
           tokenWithConf = queue.take();
           final TokenWithConf current = tokenWithConf;
           if (LOG.isDebugEnabled()) {
-            LOG.debug("Canceling token " + tokenWithConf.token.getService());
+            LOG.debug("Cancelling token " + tokenWithConf.token.getService());
           }
           // need to use doAs so that http can find the kerberos tgt
           UserGroupInformation.getLoginUser()

From 156e6a4f8aed69febec408af423b2a8ac313c643 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Fri, 29 Aug 2014 11:06:51 -0700
Subject: [PATCH 330/354] HADOOP-10911. hadoop.auth cookie after HADOOP-10710
 still not proper according to RFC2109. (gchanan via tucu)

---
 hadoop-common-project/hadoop-auth/pom.xml     |  10 ++
 .../server/AuthenticationFilter.java          |   4 +-
 .../client/AuthenticatorTestCase.java         | 137 +++++++++++++++++-
 .../client/TestKerberosAuthenticator.java     |  58 +++++++-
 .../hadoop-common/CHANGES.txt                 |   3 +
 hadoop-project/pom.xml                        |  10 ++
 6 files changed, 210 insertions(+), 12 deletions(-)

diff --git a/hadoop-common-project/hadoop-auth/pom.xml b/hadoop-common-project/hadoop-auth/pom.xml
index 2ff51d6ffee..564518c540b 100644
--- a/hadoop-common-project/hadoop-auth/pom.xml
+++ b/hadoop-common-project/hadoop-auth/pom.xml
@@ -61,6 +61,16 @@
       <groupId>org.mortbay.jetty</groupId>
       <artifactId>jetty</artifactId>
       <scope>test</scope>
+    </dependency>
+     <dependency>
+      <groupId>org.apache.tomcat.embed</groupId>
+      <artifactId>tomcat-embed-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.tomcat.embed</groupId>
+      <artifactId>tomcat-embed-logging-juli</artifactId>
+      <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>javax.servlet</groupId>
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
index 316cd60a256..9330444c46e 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
@@ -519,9 +519,7 @@ public static void createAuthCookie(HttpServletResponse resp, String token,
     StringBuilder sb = new StringBuilder(AuthenticatedURL.AUTH_COOKIE)
                            .append("=");
     if (token != null && token.length() > 0) {
-      sb.append("\"")
-          .append(token)
-          .append("\"");
+      sb.append(token);
     }
     sb.append("; Version=1");
 
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java
index 4e4ecc483eb..8f35e13e66a 100644
--- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java
@@ -13,7 +13,22 @@
  */
 package org.apache.hadoop.security.authentication.client;
 
+import org.apache.catalina.deploy.FilterDef;
+import org.apache.catalina.deploy.FilterMap;
+import org.apache.catalina.startup.Tomcat;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.http.HttpResponse;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.Credentials;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.client.params.AuthPolicy;
+import org.apache.http.entity.InputStreamEntity;
+import org.apache.http.impl.auth.SPNegoSchemeFactory;
+import org.apache.http.impl.client.SystemDefaultHttpClient;
+import org.apache.http.util.EntityUtils;
 import org.mortbay.jetty.Server;
 import org.mortbay.jetty.servlet.Context;
 import org.mortbay.jetty.servlet.FilterHolder;
@@ -24,16 +39,19 @@
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
-import java.io.BufferedReader;
 import java.io.InputStreamReader;
 import java.io.Writer;
 import java.net.HttpURLConnection;
 import java.net.ServerSocket;
 import java.net.URL;
+import java.security.Principal;
 import java.util.Properties;
 import org.junit.Assert;
 
@@ -41,10 +59,18 @@ public class AuthenticatorTestCase {
   private Server server;
   private String host = null;
   private int port = -1;
+  private boolean useTomcat = false;
+  private Tomcat tomcat = null;
   Context context;
 
   private static Properties authenticatorConfig;
 
+  public AuthenticatorTestCase() {}
+
+  public AuthenticatorTestCase(boolean useTomcat) {
+    this.useTomcat = useTomcat;
+  }
+
   protected static void setAuthenticationHandlerConfig(Properties config) {
     authenticatorConfig = config;
   }
@@ -80,7 +106,19 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws S
     }
   }
 
+  protected int getLocalPort() throws Exception {
+    ServerSocket ss = new ServerSocket(0);
+    int ret = ss.getLocalPort();
+    ss.close();
+    return ret;
+  }
+
   protected void start() throws Exception {
+    if (useTomcat) startTomcat();
+    else startJetty();
+  }
+
+  protected void startJetty() throws Exception {
     server = new Server(0);
     context = new Context();
     context.setContextPath("/foo");
@@ -88,16 +126,42 @@ protected void start() throws Exception {
     context.addFilter(new FilterHolder(TestFilter.class), "/*", 0);
     context.addServlet(new ServletHolder(TestServlet.class), "/bar");
     host = "localhost";
-    ServerSocket ss = new ServerSocket(0);
-    port = ss.getLocalPort();
-    ss.close();
+    port = getLocalPort();
     server.getConnectors()[0].setHost(host);
     server.getConnectors()[0].setPort(port);
     server.start();
     System.out.println("Running embedded servlet container at: http://" + host + ":" + port);
   }
 
+  protected void startTomcat() throws Exception {
+    tomcat = new Tomcat();
+    File base = new File(System.getProperty("java.io.tmpdir"));
+    org.apache.catalina.Context ctx =
+      tomcat.addContext("/foo",base.getAbsolutePath());
+    FilterDef fd = new FilterDef();
+    fd.setFilterClass(TestFilter.class.getName());
+    fd.setFilterName("TestFilter");
+    FilterMap fm = new FilterMap();
+    fm.setFilterName("TestFilter");
+    fm.addURLPattern("/*");
+    fm.addServletName("/bar");
+    ctx.addFilterDef(fd);
+    ctx.addFilterMap(fm);
+    tomcat.addServlet(ctx, "/bar", TestServlet.class.getName());
+    ctx.addServletMapping("/bar", "/bar");
+    host = "localhost";
+    port = getLocalPort();
+    tomcat.setHostname(host);
+    tomcat.setPort(port);
+    tomcat.start();
+  }
+
   protected void stop() throws Exception {
+    if (useTomcat) stopTomcat();
+    else stopJetty();
+  }
+
+  protected void stopJetty() throws Exception {
     try {
       server.stop();
     } catch (Exception e) {
@@ -109,6 +173,18 @@ protected void stop() throws Exception {
     }
   }
 
+  protected void stopTomcat() throws Exception {
+    try {
+      tomcat.stop();
+    } catch (Exception e) {
+    }
+
+    try {
+      tomcat.destroy();
+    } catch (Exception e) {
+    }
+  }
+
   protected String getBaseURL() {
     return "http://" + host + ":" + port + "/foo/bar";
   }
@@ -165,4 +241,57 @@ protected void _testAuthentication(Authenticator authenticator, boolean doPost)
     }
   }
 
+  private SystemDefaultHttpClient getHttpClient() {
+    final SystemDefaultHttpClient httpClient = new SystemDefaultHttpClient();
+    httpClient.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
+     Credentials use_jaas_creds = new Credentials() {
+       public String getPassword() {
+         return null;
+       }
+
+       public Principal getUserPrincipal() {
+         return null;
+       }
+     };
+
+     httpClient.getCredentialsProvider().setCredentials(
+       AuthScope.ANY, use_jaas_creds);
+     return httpClient;
+  }
+
+  private void doHttpClientRequest(HttpClient httpClient, HttpUriRequest request) throws Exception {
+    HttpResponse response = null;
+    try {
+      response = httpClient.execute(request);
+      final int httpStatus = response.getStatusLine().getStatusCode();
+      Assert.assertEquals(HttpURLConnection.HTTP_OK, httpStatus);
+    } finally {
+      if (response != null) EntityUtils.consumeQuietly(response.getEntity());
+    }
+  }
+
+  protected void _testAuthenticationHttpClient(Authenticator authenticator, boolean doPost) throws Exception {
+    start();
+    try {
+      SystemDefaultHttpClient httpClient = getHttpClient();
+      doHttpClientRequest(httpClient, new HttpGet(getBaseURL()));
+
+      // Always do a GET before POST to trigger the SPNego negotiation
+      if (doPost) {
+        HttpPost post = new HttpPost(getBaseURL());
+        byte [] postBytes = POST.getBytes();
+        ByteArrayInputStream bis = new ByteArrayInputStream(postBytes);
+        InputStreamEntity entity = new InputStreamEntity(bis, postBytes.length);
+
+        // Important that the entity is not repeatable -- this means if
+        // we have to renegotiate (e.g. b/c the cookie wasn't handled properly)
+        // the test will fail.
+        Assert.assertFalse(entity.isRepeatable());
+        post.setEntity(entity);
+        doHttpClientRequest(httpClient, post);
+      }
+    } finally {
+      stop();
+    }
+  }
 }
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestKerberosAuthenticator.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestKerberosAuthenticator.java
index 53d23c467a4..6c49d15f09a 100644
--- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestKerberosAuthenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestKerberosAuthenticator.java
@@ -20,16 +20,36 @@
 import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
 import org.junit.Assert;
 import org.junit.Before;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameters;
+import org.junit.runner.RunWith;
 import org.junit.Test;
 
 import java.io.File;
 import java.net.HttpURLConnection;
 import java.net.URL;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.Properties;
 import java.util.concurrent.Callable;
 
+@RunWith(Parameterized.class)
 public class TestKerberosAuthenticator extends KerberosSecurityTestcase {
 
+  private boolean useTomcat = false;
+
+  public TestKerberosAuthenticator(boolean useTomcat) {
+    this.useTomcat = useTomcat;
+  }
+
+  @Parameterized.Parameters
+  public static Collection booleans() {
+    return Arrays.asList(new Object[][] {
+      { false },
+      { true }
+    });
+  }
+
   @Before
   public void setup() throws Exception {
     // create keytab
@@ -53,7 +73,7 @@ private Properties getAuthenticationHandlerConfiguration() {
 
   @Test(timeout=60000)
   public void testFallbacktoPseudoAuthenticator() throws Exception {
-    AuthenticatorTestCase auth = new AuthenticatorTestCase();
+    AuthenticatorTestCase auth = new AuthenticatorTestCase(useTomcat);
     Properties props = new Properties();
     props.setProperty(AuthenticationFilter.AUTH_TYPE, "simple");
     props.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "false");
@@ -63,7 +83,7 @@ public void testFallbacktoPseudoAuthenticator() throws Exception {
 
   @Test(timeout=60000)
   public void testFallbacktoPseudoAuthenticatorAnonymous() throws Exception {
-    AuthenticatorTestCase auth = new AuthenticatorTestCase();
+    AuthenticatorTestCase auth = new AuthenticatorTestCase(useTomcat);
     Properties props = new Properties();
     props.setProperty(AuthenticationFilter.AUTH_TYPE, "simple");
     props.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true");
@@ -73,7 +93,7 @@ public void testFallbacktoPseudoAuthenticatorAnonymous() throws Exception {
 
   @Test(timeout=60000)
   public void testNotAuthenticated() throws Exception {
-    AuthenticatorTestCase auth = new AuthenticatorTestCase();
+    AuthenticatorTestCase auth = new AuthenticatorTestCase(useTomcat);
     AuthenticatorTestCase.setAuthenticationHandlerConfig(getAuthenticationHandlerConfiguration());
     auth.start();
     try {
@@ -89,7 +109,7 @@ public void testNotAuthenticated() throws Exception {
 
   @Test(timeout=60000)
   public void testAuthentication() throws Exception {
-    final AuthenticatorTestCase auth = new AuthenticatorTestCase();
+    final AuthenticatorTestCase auth = new AuthenticatorTestCase(useTomcat);
     AuthenticatorTestCase.setAuthenticationHandlerConfig(
             getAuthenticationHandlerConfiguration());
     KerberosTestUtils.doAsClient(new Callable<Void>() {
@@ -103,7 +123,7 @@ public Void call() throws Exception {
 
   @Test(timeout=60000)
   public void testAuthenticationPost() throws Exception {
-    final AuthenticatorTestCase auth = new AuthenticatorTestCase();
+    final AuthenticatorTestCase auth = new AuthenticatorTestCase(useTomcat);
     AuthenticatorTestCase.setAuthenticationHandlerConfig(
             getAuthenticationHandlerConfiguration());
     KerberosTestUtils.doAsClient(new Callable<Void>() {
@@ -114,4 +134,32 @@ public Void call() throws Exception {
       }
     });
   }
+
+  @Test(timeout=60000)
+  public void testAuthenticationHttpClient() throws Exception {
+    final AuthenticatorTestCase auth = new AuthenticatorTestCase(useTomcat);
+    AuthenticatorTestCase.setAuthenticationHandlerConfig(
+            getAuthenticationHandlerConfiguration());
+    KerberosTestUtils.doAsClient(new Callable<Void>() {
+      @Override
+      public Void call() throws Exception {
+        auth._testAuthenticationHttpClient(new KerberosAuthenticator(), false);
+        return null;
+      }
+    });
+  }
+
+  @Test(timeout=60000)
+  public void testAuthenticationHttpClientPost() throws Exception {
+    final AuthenticatorTestCase auth = new AuthenticatorTestCase(useTomcat);
+    AuthenticatorTestCase.setAuthenticationHandlerConfig(
+            getAuthenticationHandlerConfiguration());
+    KerberosTestUtils.doAsClient(new Callable<Void>() {
+      @Override
+      public Void call() throws Exception {
+        auth._testAuthenticationHttpClient(new KerberosAuthenticator(), true);
+        return null;
+      }
+    });
+  }
 }
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 717bd249784..637636479f2 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -710,6 +710,9 @@ Release 2.6.0 - UNRELEASED
       loaded. (umamahesh)      
     --
 
+    HADOOP-10911. hadoop.auth cookie after HADOOP-10710 still not proper
+    according to RFC2109. (gchanan via tucu)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index beaeec63a77..e9adc315922 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -398,6 +398,16 @@
         <artifactId>jetty-util</artifactId>
         <version>6.1.26</version>
       </dependency>
+      <dependency>
+        <groupId>org.apache.tomcat.embed</groupId>
+        <artifactId>tomcat-embed-core</artifactId>
+        <version>7.0.55</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.tomcat.embed</groupId>
+        <artifactId>tomcat-embed-logging-juli</artifactId>
+        <version>7.0.55</version>
+      </dependency>
       <dependency>
         <groupId>javax.servlet.jsp</groupId>
         <artifactId>jsp-api</artifactId>

From c686aa3533b42e1baf62a78bc1bfb0ac05be53bb Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Fri, 29 Aug 2014 11:40:47 -0700
Subject: [PATCH 331/354] YARN-2447. RM web service app submission doesn't pass
 secrets correctly. Contributed by Varun Vasudev

---
 hadoop-yarn-project/CHANGES.txt               |  3 +++
 .../resourcemanager/webapp/RMWebServices.java |  2 +-
 .../TestRMWebServicesAppsModification.java    | 21 +++++++++++++++----
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 72e8a1e2447..5503c4edf96 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -257,6 +257,9 @@ Release 2.6.0 - UNRELEASED
 
     YARN-2450. Fix typos in log messages. (Ray Chiang via hitesh)
 
+    YARN-2447. RM web service app submission doesn't pass secrets correctly.
+    (Varun Vasudev via jianhe)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java
index a8ec19260ed..24a90bd69aa 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java
@@ -1061,7 +1061,7 @@ private Credentials createCredentials(CredentialsInfo credentials) {
         token.decodeFromUrlString(entry.getValue());
         ret.addToken(alias, token);
       }
-      for (Map.Entry<String, String> entry : credentials.getTokens().entrySet()) {
+      for (Map.Entry<String, String> entry : credentials.getSecrets().entrySet()) {
         Text alias = new Text(entry.getKey());
         Base64 decoder = new Base64(0, null, true);
         byte[] secret = decoder.decode(entry.getValue());
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesAppsModification.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesAppsModification.java
index 12c5686e3ee..e02e410c5a7 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesAppsModification.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesAppsModification.java
@@ -22,9 +22,7 @@
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assume.assumeTrue;
 
-import java.io.IOException;
-import java.io.StringReader;
-import java.io.StringWriter;
+import java.io.*;
 import java.net.URI;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -47,6 +45,9 @@
 
 import org.apache.commons.codec.binary.Base64;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.io.DataInputBuffer;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
 import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
@@ -77,6 +78,7 @@
 import org.codehaus.jettison.json.JSONException;
 import org.codehaus.jettison.json.JSONObject;
 import org.junit.After;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -684,7 +686,8 @@ public void testAppSubmit(String acceptMedia, String contentMedia)
     CredentialsInfo credentials = new CredentialsInfo();
     HashMap<String, String> tokens = new HashMap<String, String>();
     HashMap<String, String> secrets = new HashMap<String, String>();
-    secrets.put("secret1", Base64.encodeBase64URLSafeString("secret1".getBytes("UTF8")));
+    secrets.put("secret1", Base64.encodeBase64String(
+        "mysecret".getBytes("UTF8")));
     credentials.setSecrets(secrets);
     credentials.setTokens(tokens);
     ApplicationSubmissionContextInfo appInfo = new ApplicationSubmissionContextInfo();
@@ -757,6 +760,16 @@ public void testAppSubmit(String acceptMedia, String contentMedia)
     assertEquals(y.getType(), exampleLR.getType());
     assertEquals(y.getPattern(), exampleLR.getPattern());
     assertEquals(y.getVisibility(), exampleLR.getVisibility());
+    Credentials cs = new Credentials();
+    ByteArrayInputStream str =
+        new ByteArrayInputStream(app.getApplicationSubmissionContext()
+          .getAMContainerSpec().getTokens().array());
+    DataInputStream di = new DataInputStream(str);
+    cs.readTokenStorageStream(di);
+    Text key = new Text("secret1");
+    assertTrue("Secrets missing from credentials object", cs
+        .getAllSecretKeys().contains(key));
+    assertEquals("mysecret", new String(cs.getSecretKey(key), "UTF-8"));
 
     response =
         this.constructWebResource("apps", appId).accept(acceptMedia)

From b1dce2aa21d9692accdec710ef044d2a2e04ba33 Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Fri, 29 Aug 2014 11:51:23 -0700
Subject: [PATCH 332/354] HADOOP-10814. Update Tomcat version used by HttpFS
 and KMS to latest 6.x version. (rkanter via tucu)

---
 hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++
 hadoop-common-project/hadoop-kms/pom.xml        | 1 -
 hadoop-hdfs-project/hadoop-hdfs-httpfs/pom.xml  | 1 -
 hadoop-project/pom.xml                          | 2 ++
 4 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 637636479f2..1930e5d7ea3 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -473,6 +473,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-11005. Fix HTTP content type for ReconfigurationServlet.
     (Lei Xu via wang)
 
+    HADOOP-10814. Update Tomcat version used by HttpFS and KMS to latest
+    6.x version. (rkanter via tucu)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-kms/pom.xml b/hadoop-common-project/hadoop-kms/pom.xml
index b65e67a5bbc..b1ca3077b30 100644
--- a/hadoop-common-project/hadoop-kms/pom.xml
+++ b/hadoop-common-project/hadoop-kms/pom.xml
@@ -34,7 +34,6 @@
   <description>Apache Hadoop KMS</description>
 
   <properties>
-    <tomcat.version>6.0.36</tomcat.version>
     <kms.tomcat.dist.dir>
       ${project.build.directory}/${project.artifactId}-${project.version}/share/hadoop/kms/tomcat
     </kms.tomcat.dist.dir>
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/pom.xml b/hadoop-hdfs-project/hadoop-hdfs-httpfs/pom.xml
index 8701bb0ad6f..24fa87b8b57 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/pom.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/pom.xml
@@ -34,7 +34,6 @@
   <description>Apache Hadoop HttpFS</description>
 
   <properties>
-    <tomcat.version>6.0.36</tomcat.version>
     <httpfs.source.repository>REPO NOT AVAIL</httpfs.source.repository>
     <httpfs.source.repository>REPO NOT AVAIL</httpfs.source.repository>
     <httpfs.source.revision>REVISION NOT AVAIL</httpfs.source.revision>
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index e9adc315922..5aa54a73e64 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -67,6 +67,8 @@
     <protoc.path>${env.HADOOP_PROTOC_PATH}</protoc.path>
 
     <zookeeper.version>3.4.6</zookeeper.version>
+
+    <tomcat.version>6.0.41</tomcat.version>
   </properties>
 
   <dependencyManagement>

From 15366d922772afaa9457ed946533cdf4b5d01e2f Mon Sep 17 00:00:00 2001
From: Jason Lowe <jlowe@apache.org>
Date: Fri, 29 Aug 2014 19:50:15 +0000
Subject: [PATCH 333/354] MAPREDUCE-5931. Validate SleepJob command line
 parameters. Contributed by Gera Shegalov

---
 hadoop-mapreduce-project/CHANGES.txt          |   3 +
 .../test/java/org/apache/hadoop/SleepJob.java | 275 ------------------
 .../org/apache/hadoop/mapreduce/SleepJob.java |  32 +-
 ...TestMRAMWithNonNormalizedCapabilities.java |   2 +-
 .../hadoop/mapreduce/v2/TestMRJobs.java       |   4 +-
 .../v2/TestMRJobsWithHistoryService.java      |   2 +-
 .../mapreduce/v2/TestMRJobsWithProfiler.java  |   2 +-
 7 files changed, 35 insertions(+), 285 deletions(-)
 delete mode 100644 hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/SleepJob.java

diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 67f885127fe..63bc08be967 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -264,6 +264,9 @@ Release 2.6.0 - UNRELEASED
 
     MAPREDUCE-6051. Fix typos in log messages. (Ray Chiang via cdouglas)
 
+    MAPREDUCE-5931. Validate SleepJob command line parameters (Gera Shegalov
+    via jlowe)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/SleepJob.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/SleepJob.java
deleted file mode 100644
index 40fab8ce0b7..00000000000
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/SleepJob.java
+++ /dev/null
@@ -1,275 +0,0 @@
-/**
-* Licensed to the Apache Software Foundation (ASF) under one
-* or more contributor license agreements.  See the NOTICE file
-* distributed with this work for additional information
-* regarding copyright ownership.  The ASF licenses this file
-* to you under the Apache License, Version 2.0 (the
-* "License"); you may not use this file except in compliance
-* with the License.  You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-
-package org.apache.hadoop;
-
-import java.io.IOException;
-import java.io.DataInput;
-import java.io.DataOutput;
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.conf.Configured;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.io.IntWritable;
-import org.apache.hadoop.io.NullWritable;
-import org.apache.hadoop.io.Writable;
-import org.apache.hadoop.mapreduce.InputFormat;
-import org.apache.hadoop.mapreduce.InputSplit;
-import org.apache.hadoop.mapreduce.Job;
-import org.apache.hadoop.mapreduce.JobContext;
-import org.apache.hadoop.mapreduce.MRJobConfig;
-import org.apache.hadoop.mapreduce.Mapper;
-import org.apache.hadoop.mapreduce.Partitioner;
-import org.apache.hadoop.mapreduce.RecordReader;
-import org.apache.hadoop.mapreduce.Reducer;
-import org.apache.hadoop.mapreduce.TaskAttemptContext;
-import org.apache.hadoop.mapreduce.lib.output.NullOutputFormat;
-import org.apache.hadoop.mapreduce.lib.input.FileInputFormat;
-import org.apache.hadoop.util.Tool;
-import org.apache.hadoop.util.ToolRunner;
-
-/**
- * Dummy class for testing MR framefork. Sleeps for a defined period 
- * of time in mapper and reducer. Generates fake input for map / reduce 
- * jobs. Note that generated number of input pairs is in the order 
- * of <code>numMappers * mapSleepTime / 100</code>, so the job uses
- * some disk space.
- */
-public class SleepJob extends Configured implements Tool {
-  public static String MAP_SLEEP_COUNT = "mapreduce.sleepjob.map.sleep.count";
-  public static String REDUCE_SLEEP_COUNT = 
-    "mapreduce.sleepjob.reduce.sleep.count";
-  public static String MAP_SLEEP_TIME = "mapreduce.sleepjob.map.sleep.time";
-  public static String REDUCE_SLEEP_TIME = 
-    "mapreduce.sleepjob.reduce.sleep.time";
-
-  public static class SleepJobPartitioner extends 
-      Partitioner<IntWritable, NullWritable> {
-    public int getPartition(IntWritable k, NullWritable v, int numPartitions) {
-      return k.get() % numPartitions;
-    }
-  }
-  
-  public static class EmptySplit extends InputSplit implements Writable {
-    public void write(DataOutput out) throws IOException { }
-    public void readFields(DataInput in) throws IOException { }
-    public long getLength() { return 0L; }
-    public String[] getLocations() { return new String[0]; }
-  }
-
-  public static class SleepInputFormat 
-      extends InputFormat<IntWritable,IntWritable> {
-    
-    public List<InputSplit> getSplits(JobContext jobContext) {
-      List<InputSplit> ret = new ArrayList<InputSplit>();
-      int numSplits = jobContext.getConfiguration().
-                        getInt(MRJobConfig.NUM_MAPS, 1);
-      for (int i = 0; i < numSplits; ++i) {
-        ret.add(new EmptySplit());
-      }
-      return ret;
-    }
-    
-    public RecordReader<IntWritable,IntWritable> createRecordReader(
-        InputSplit ignored, TaskAttemptContext taskContext)
-        throws IOException {
-      Configuration conf = taskContext.getConfiguration();
-      final int count = conf.getInt(MAP_SLEEP_COUNT, 1);
-      if (count < 0) throw new IOException("Invalid map count: " + count);
-      final int redcount = conf.getInt(REDUCE_SLEEP_COUNT, 1);
-      if (redcount < 0)
-        throw new IOException("Invalid reduce count: " + redcount);
-      final int emitPerMapTask = (redcount * taskContext.getNumReduceTasks());
-      
-      return new RecordReader<IntWritable,IntWritable>() {
-        private int records = 0;
-        private int emitCount = 0;
-        private IntWritable key = null;
-        private IntWritable value = null;
-        public void initialize(InputSplit split, TaskAttemptContext context) {
-        }
-
-        public boolean nextKeyValue()
-            throws IOException {
-          if (count == 0) {
-            return false;
-          }
-          key = new IntWritable();
-          key.set(emitCount);
-          int emit = emitPerMapTask / count;
-          if ((emitPerMapTask) % count > records) {
-            ++emit;
-          }
-          emitCount += emit;
-          value = new IntWritable();
-          value.set(emit);
-          return records++ < count;
-        }
-        public IntWritable getCurrentKey() { return key; }
-        public IntWritable getCurrentValue() { return value; }
-        public void close() throws IOException { }
-        public float getProgress() throws IOException {
-          return count == 0 ? 100 : records / ((float)count);
-        }
-      };
-    }
-  }
-
-  public static class SleepMapper 
-      extends Mapper<IntWritable, IntWritable, IntWritable, NullWritable> {
-    private long mapSleepDuration = 100;
-    private int mapSleepCount = 1;
-    private int count = 0;
-
-    protected void setup(Context context) 
-      throws IOException, InterruptedException {
-      Configuration conf = context.getConfiguration();
-      this.mapSleepCount =
-        conf.getInt(MAP_SLEEP_COUNT, mapSleepCount);
-      this.mapSleepDuration = mapSleepCount == 0 ? 0 :
-        conf.getLong(MAP_SLEEP_TIME , 100) / mapSleepCount;
-    }
-
-    public void map(IntWritable key, IntWritable value, Context context
-               ) throws IOException, InterruptedException {
-      //it is expected that every map processes mapSleepCount number of records. 
-      try {
-        context.setStatus("Sleeping... (" +
-          (mapSleepDuration * (mapSleepCount - count)) + ") ms left");
-        Thread.sleep(mapSleepDuration);
-      }
-      catch (InterruptedException ex) {
-        throw (IOException)new IOException(
-            "Interrupted while sleeping").initCause(ex);
-      }
-      ++count;
-      // output reduceSleepCount * numReduce number of random values, so that
-      // each reducer will get reduceSleepCount number of keys.
-      int k = key.get();
-      for (int i = 0; i < value.get(); ++i) {
-        context.write(new IntWritable(k + i), NullWritable.get());
-      }
-    }
-  }
-  
-  public static class SleepReducer  
-      extends Reducer<IntWritable, NullWritable, NullWritable, NullWritable> {
-    private long reduceSleepDuration = 100;
-    private int reduceSleepCount = 1;
-    private int count = 0;
-
-    protected void setup(Context context) 
-      throws IOException, InterruptedException {
-      Configuration conf = context.getConfiguration();
-      this.reduceSleepCount =
-        conf.getInt(REDUCE_SLEEP_COUNT, reduceSleepCount);
-      this.reduceSleepDuration = reduceSleepCount == 0 ? 0 : 
-        conf.getLong(REDUCE_SLEEP_TIME , 100) / reduceSleepCount;
-    }
-
-    public void reduce(IntWritable key, Iterable<NullWritable> values,
-                       Context context)
-      throws IOException {
-      try {
-        context.setStatus("Sleeping... (" +
-            (reduceSleepDuration * (reduceSleepCount - count)) + ") ms left");
-        Thread.sleep(reduceSleepDuration);
-      
-      }
-      catch (InterruptedException ex) {
-        throw (IOException)new IOException(
-          "Interrupted while sleeping").initCause(ex);
-      }
-      count++;
-    }
-  }
-
-  public static void main(String[] args) throws Exception {
-    int res = ToolRunner.run(new Configuration(), new SleepJob(), args);
-    System.exit(res);
-  }
-
-  public Job createJob(int numMapper, int numReducer, 
-                       long mapSleepTime, int mapSleepCount, 
-                       long reduceSleepTime, int reduceSleepCount) 
-      throws IOException {
-    Configuration conf = getConf();
-    conf.setLong(MAP_SLEEP_TIME, mapSleepTime);
-    conf.setLong(REDUCE_SLEEP_TIME, reduceSleepTime);
-    conf.setInt(MAP_SLEEP_COUNT, mapSleepCount);
-    conf.setInt(REDUCE_SLEEP_COUNT, reduceSleepCount);
-    conf.setInt(MRJobConfig.NUM_MAPS, numMapper);
-    Job job = Job.getInstance(conf, "sleep");
-    job.setNumReduceTasks(numReducer);
-    job.setJarByClass(SleepJob.class);
-    job.setMapperClass(SleepMapper.class);
-    job.setMapOutputKeyClass(IntWritable.class);
-    job.setMapOutputValueClass(NullWritable.class);
-    job.setReducerClass(SleepReducer.class);
-    job.setOutputFormatClass(NullOutputFormat.class);
-    job.setInputFormatClass(SleepInputFormat.class);
-    job.setPartitionerClass(SleepJobPartitioner.class);
-    job.setSpeculativeExecution(false);
-    job.setJobName("Sleep job");
-    FileInputFormat.addInputPath(job, new Path("ignored"));
-    return job;
-  }
-
-  public int run(String[] args) throws Exception {
-
-    if(args.length < 1) {
-      System.err.println("SleepJob [-m numMapper] [-r numReducer]" +
-          " [-mt mapSleepTime (msec)] [-rt reduceSleepTime (msec)]" +
-          " [-recordt recordSleepTime (msec)]");
-      ToolRunner.printGenericCommandUsage(System.err);
-      return 2;
-    }
-
-    int numMapper = 1, numReducer = 1;
-    long mapSleepTime = 100, reduceSleepTime = 100, recSleepTime = 100;
-    int mapSleepCount = 1, reduceSleepCount = 1;
-
-    for(int i=0; i < args.length; i++ ) {
-      if(args[i].equals("-m")) {
-        numMapper = Integer.parseInt(args[++i]);
-      }
-      else if(args[i].equals("-r")) {
-        numReducer = Integer.parseInt(args[++i]);
-      }
-      else if(args[i].equals("-mt")) {
-        mapSleepTime = Long.parseLong(args[++i]);
-      }
-      else if(args[i].equals("-rt")) {
-        reduceSleepTime = Long.parseLong(args[++i]);
-      }
-      else if (args[i].equals("-recordt")) {
-        recSleepTime = Long.parseLong(args[++i]);
-      }
-    }
-    
-    // sleep for *SleepTime duration in Task by recSleepTime per record
-    mapSleepCount = (int)Math.ceil(mapSleepTime / ((double)recSleepTime));
-    reduceSleepCount = (int)Math.ceil(reduceSleepTime / ((double)recSleepTime));
-    Job job = createJob(numMapper, numReducer, mapSleepTime,
-                mapSleepCount, reduceSleepTime, reduceSleepCount);
-    return job.waitForCompletion(true) ? 0 : 1;
-  }
-
-}
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/SleepJob.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/SleepJob.java
index 97b76369c74..2b321833566 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/SleepJob.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/SleepJob.java
@@ -224,11 +224,7 @@ public Job createJob(int numMapper, int numReducer,
   public int run(String[] args) throws Exception {
 
     if(args.length < 1) {
-      System.err.println("SleepJob [-m numMapper] [-r numReducer]" +
-          " [-mt mapSleepTime (msec)] [-rt reduceSleepTime (msec)]" +
-          " [-recordt recordSleepTime (msec)]");
-      ToolRunner.printGenericCommandUsage(System.err);
-      return 2;
+      return printUsage("number of arguments must be > 0");
     }
 
     int numMapper = 1, numReducer = 1;
@@ -238,18 +234,34 @@ public int run(String[] args) throws Exception {
     for(int i=0; i < args.length; i++ ) {
       if(args[i].equals("-m")) {
         numMapper = Integer.parseInt(args[++i]);
+        if (numMapper < 0) {
+          return printUsage(numMapper + ": numMapper must be >= 0");
+        }
       }
       else if(args[i].equals("-r")) {
         numReducer = Integer.parseInt(args[++i]);
+        if (numReducer < 0) {
+          return printUsage(numReducer + ": numReducer must be >= 0");
+        }
       }
       else if(args[i].equals("-mt")) {
         mapSleepTime = Long.parseLong(args[++i]);
+        if (mapSleepTime < 0) {
+          return printUsage(mapSleepTime + ": mapSleepTime must be >= 0");
+        }
       }
       else if(args[i].equals("-rt")) {
         reduceSleepTime = Long.parseLong(args[++i]);
+        if (reduceSleepTime < 0) {
+          return printUsage(
+              reduceSleepTime + ": reduceSleepTime must be >= 0");
+        }
       }
       else if (args[i].equals("-recordt")) {
         recSleepTime = Long.parseLong(args[++i]);
+        if (recSleepTime < 0) {
+          return printUsage(recSleepTime + ": recordSleepTime must be >= 0");
+        }
       }
     }
     
@@ -261,4 +273,14 @@ else if (args[i].equals("-recordt")) {
     return job.waitForCompletion(true) ? 0 : 1;
   }
 
+  private int printUsage(String error) {
+    if (error != null) {
+      System.err.println("ERROR: " + error);
+    }
+    System.err.println("SleepJob [-m numMapper] [-r numReducer]" +
+        " [-mt mapSleepTime (msec)] [-rt reduceSleepTime (msec)]" +
+        " [-recordt recordSleepTime (msec)]");
+    ToolRunner.printGenericCommandUsage(System.err);
+    return 2;
+  }
 }
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRAMWithNonNormalizedCapabilities.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRAMWithNonNormalizedCapabilities.java
index dcd59acb5a0..7aaaa1b8d93 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRAMWithNonNormalizedCapabilities.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRAMWithNonNormalizedCapabilities.java
@@ -25,7 +25,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.SleepJob;
+import org.apache.hadoop.mapreduce.SleepJob;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobs.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobs.java
index 32153996c8d..5699600acc0 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobs.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobs.java
@@ -40,8 +40,8 @@
 import org.apache.hadoop.FailingMapper;
 import org.apache.hadoop.RandomTextWriterJob;
 import org.apache.hadoop.RandomTextWriterJob.RandomInputFormat;
-import org.apache.hadoop.SleepJob;
-import org.apache.hadoop.SleepJob.SleepMapper;
+import org.apache.hadoop.mapreduce.SleepJob;
+import org.apache.hadoop.mapreduce.SleepJob.SleepMapper;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.fs.FSDataOutputStream;
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobsWithHistoryService.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobsWithHistoryService.java
index b4581e65cb1..9fba91dbb1a 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobsWithHistoryService.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobsWithHistoryService.java
@@ -28,7 +28,7 @@
 import org.apache.avro.AvroRemoteException;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.SleepJob;
+import org.apache.hadoop.mapreduce.SleepJob;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobsWithProfiler.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobsWithProfiler.java
index e91f5c98071..df55f509d9e 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobsWithProfiler.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/v2/TestMRJobsWithProfiler.java
@@ -29,7 +29,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.SleepJob;
+import org.apache.hadoop.mapreduce.SleepJob;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.*;
 import org.apache.hadoop.fs.permission.FsPermission;

From 7eab2a29a5706ce10912c12fa225ef6b27a82cbe Mon Sep 17 00:00:00 2001
From: "Aaron T. Myers" <atm@apache.org>
Date: Fri, 29 Aug 2014 12:59:23 -0700
Subject: [PATCH 334/354] HDFS-6774. Make FsDataset and DataStore support
 removing volumes. Contributed by Lei Xu.

---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  3 +
 .../datanode/BlockPoolSliceStorage.java       | 14 +++
 .../hdfs/server/datanode/DataStorage.java     | 27 ++++++
 .../datanode/fsdataset/FsDatasetSpi.java      |  3 +
 .../fsdataset/impl/BlockPoolSlice.java        |  2 +-
 .../impl/FsDatasetAsyncDiskService.java       | 18 ++++
 .../fsdataset/impl/FsDatasetImpl.java         | 69 ++++++++++++++
 .../datanode/fsdataset/impl/FsVolumeList.java | 19 ++++
 .../server/datanode/SimulatedFSDataset.java   |  5 +
 .../fsdataset/impl/TestFsDatasetImpl.java     | 92 +++++++++++++++++--
 10 files changed, 245 insertions(+), 7 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 957034bda22..88b19d81a52 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -427,6 +427,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6879. Adding tracing to Hadoop RPC (Masatake Iwasaki via Colin Patrick
     McCabe)
 
+    HDFS-6774. Make FsDataset and DataStore support removing volumes. (Lei Xu
+    via atm)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
index 88f858b94ce..b7f688dca4d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/BlockPoolSliceStorage.java
@@ -201,6 +201,20 @@ private void format(StorageDirectory bpSdir, NamespaceInfo nsInfo) throws IOExce
     writeProperties(bpSdir);
   }
 
+  /**
+   * Remove storage directories.
+   * @param storageDirs a set of storage directories to be removed.
+   */
+  void removeVolumes(Set<File> storageDirs) {
+    for (Iterator<StorageDirectory> it = this.storageDirs.iterator();
+         it.hasNext(); ) {
+      StorageDirectory sd = it.next();
+      if (storageDirs.contains(sd.getRoot())) {
+        it.remove();
+      }
+    }
+  }
+
   /**
    * Set layoutVersion, namespaceID and blockpoolID into block pool storage
    * VERSION file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java
index 4b9656eb8e9..ceb2aa07953 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataStorage.java
@@ -336,6 +336,33 @@ private synchronized void addStorageLocations(DataNode datanode,
     }
   }
 
+  /**
+   * Remove volumes from DataStorage.
+   * @param locations a collection of volumes.
+   */
+  synchronized void removeVolumes(Collection<StorageLocation> locations) {
+    if (locations.isEmpty()) {
+      return;
+    }
+
+    Set<File> dataDirs = new HashSet<File>();
+    for (StorageLocation sl : locations) {
+      dataDirs.add(sl.getFile());
+    }
+
+    for (BlockPoolSliceStorage bpsStorage : this.bpStorageMap.values()) {
+      bpsStorage.removeVolumes(dataDirs);
+    }
+
+    for (Iterator<StorageDirectory> it = this.storageDirs.iterator();
+         it.hasNext(); ) {
+      StorageDirectory sd = it.next();
+      if (dataDirs.contains(sd.getRoot())) {
+        it.remove();
+      }
+    }
+  }
+
   /**
    * Analyze storage directories.
    * Recover from previous transitions if required.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java
index a64f9c0d589..0fbfe190869 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/FsDatasetSpi.java
@@ -97,6 +97,9 @@ public RollingLogs createRollingLogs(String bpid, String prefix
   public void addVolumes(Collection<StorageLocation> volumes)
       throws IOException;
 
+  /** Removes a collection of volumes from FsDataset. */
+  public void removeVolumes(Collection<StorageLocation> volumes);
+
   /** @return a storage with the given storage ID */
   public DatanodeStorage getStorage(final String storageUuid);
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/BlockPoolSlice.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/BlockPoolSlice.java
index af467b93f09..57744073c2a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/BlockPoolSlice.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/BlockPoolSlice.java
@@ -340,7 +340,7 @@ void addToReplicasMap(ReplicaMap volumeMap, File dir, boolean isFinalized
             loadRwr = false;
           }
           sc.close();
-          if (restartMeta.delete()) {
+          if (!restartMeta.delete()) {
             FsDatasetImpl.LOG.warn("Failed to delete restart meta file: " +
               restartMeta.getPath());
           }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetAsyncDiskService.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetAsyncDiskService.java
index 539e97be4a7..bee7bf70c3e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetAsyncDiskService.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetAsyncDiskService.java
@@ -118,6 +118,24 @@ synchronized void addVolume(File volume) {
     }
     addExecutorForVolume(volume);
   }
+
+  /**
+   * Stops AsyncDiskService for a volume.
+   * @param volume the root of the volume.
+   */
+  synchronized void removeVolume(File volume) {
+    if (executors == null) {
+      throw new RuntimeException("AsyncDiskService is already shutdown");
+    }
+    ThreadPoolExecutor executor = executors.get(volume);
+    if (executor == null) {
+      throw new RuntimeException("Can not find volume " + volume
+          + " to remove.");
+    } else {
+      executor.shutdown();
+      executors.remove(volume);
+    }
+  }
   
   synchronized long countPendingDeletions() {
     long count = 0;
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
index 148055c6f9e..5306be77140 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsDatasetImpl.java
@@ -30,9 +30,11 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.Executor;
 
 import javax.management.NotCompliantMBeanException;
@@ -314,6 +316,51 @@ public synchronized void addVolumes(Collection<StorageLocation> volumes)
     }
   }
 
+  /**
+   * Removes a collection of volumes from FsDataset.
+   * @param volumes the root directories of the volumes.
+   *
+   * DataNode should call this function before calling
+   * {@link DataStorage#removeVolumes(java.util.Collection)}.
+   */
+  @Override
+  public synchronized void removeVolumes(Collection<StorageLocation> volumes) {
+    Set<File> volumeSet = new HashSet<File>();
+    for (StorageLocation sl : volumes) {
+      volumeSet.add(sl.getFile());
+    }
+    for (int idx = 0; idx < dataStorage.getNumStorageDirs(); idx++) {
+      Storage.StorageDirectory sd = dataStorage.getStorageDir(idx);
+      if (volumeSet.contains(sd.getRoot())) {
+        String volume = sd.getRoot().toString();
+        LOG.info("Removing " + volume + " from FsDataset.");
+
+        this.volumes.removeVolume(volume);
+        storageMap.remove(sd.getStorageUuid());
+        asyncDiskService.removeVolume(sd.getCurrentDir());
+
+        // Removed all replica information for the blocks on the volume. Unlike
+        // updating the volumeMap in addVolume(), this operation does not scan
+        // disks.
+        for (String bpid : volumeMap.getBlockPoolList()) {
+          List<Block> blocks = new ArrayList<Block>();
+          for (Iterator<ReplicaInfo> it = volumeMap.replicas(bpid).iterator();
+              it.hasNext(); ) {
+            ReplicaInfo block = it.next();
+            if (block.getVolume().getBasePath().equals(volume)) {
+              invalidate(bpid, block.getBlockId());
+              blocks.add(block);
+              it.remove();
+            }
+          }
+          // Delete blocks from the block scanner in batch.
+          datanode.getBlockScanner().deleteBlocks(bpid,
+              blocks.toArray(new Block[blocks.size()]));
+        }
+      }
+    }
+  }
+
   private StorageType getStorageTypeFromLocations(
       Collection<StorageLocation> dataLocations, File dir) {
     for (StorageLocation dataLocation : dataLocations) {
@@ -1294,6 +1341,28 @@ public void invalidate(String bpid, Block invalidBlks[]) throws IOException {
     }
   }
 
+  /**
+   * Invalidate a block but does not delete the actual on-disk block file.
+   *
+   * It should only be used for decommissioning disks.
+   *
+   * @param bpid the block pool ID.
+   * @param blockId the ID of the block.
+   */
+  public void invalidate(String bpid, long blockId) {
+    // If a DFSClient has the replica in its cache of short-circuit file
+    // descriptors (and the client is using ShortCircuitShm), invalidate it.
+    // The short-circuit registry is null in the unit tests, because the
+    // datanode is mock object.
+    if (datanode.getShortCircuitRegistry() != null) {
+      datanode.getShortCircuitRegistry().processBlockInvalidation(
+          new ExtendedBlockId(blockId, bpid));
+
+      // If the block is cached, start uncaching it.
+      cacheManager.uncacheBlock(bpid, blockId);
+    }
+  }
+
   /**
    * Asynchronously attempts to cache a single block via {@link FsDatasetCache}.
    */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java
index d4f8adc0113..90739c3f413 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/FsVolumeList.java
@@ -212,6 +212,25 @@ synchronized void addVolume(FsVolumeImpl newVolume) {
     FsDatasetImpl.LOG.info("Added new volume: " + newVolume.toString());
   }
 
+  /**
+   * Dynamically remove volume to the list.
+   * @param volume the volume to be removed.
+   */
+  synchronized void removeVolume(String volume) {
+    // Make a copy of volumes to remove one volume.
+    final List<FsVolumeImpl> volumeList = new ArrayList<FsVolumeImpl>(volumes);
+    for (Iterator<FsVolumeImpl> it = volumeList.iterator(); it.hasNext(); ) {
+      FsVolumeImpl fsVolume = it.next();
+      if (fsVolume.getBasePath().equals(volume)) {
+        fsVolume.shutdown();
+        it.remove();
+        volumes = Collections.unmodifiableList(volumeList);
+        FsDatasetImpl.LOG.info("Removed volume: " + volume);
+        break;
+      }
+    }
+  }
+
   void addBlockPool(final String bpid, final Configuration conf) throws IOException {
     long totalStartTime = Time.monotonicNow();
     
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java
index 109a0394fc6..a51342ea751 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/SimulatedFSDataset.java
@@ -1120,6 +1120,11 @@ public FsVolumeSpi getVolume(ExtendedBlock b) {
     throw new UnsupportedOperationException();
   }
 
+  @Override
+  public synchronized void removeVolumes(Collection<StorageLocation> volumes) {
+    throw new UnsupportedOperationException();
+  }
+
   @Override
   public void submitBackgroundSyncFileRangeRequest(ExtendedBlock block,
       FileDescriptor fd, long offset, long nbytes, int flags) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestFsDatasetImpl.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestFsDatasetImpl.java
index d9e99078be1..2c4c401205e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestFsDatasetImpl.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/datanode/fsdataset/impl/TestFsDatasetImpl.java
@@ -18,12 +18,20 @@
 package org.apache.hadoop.hdfs.server.datanode.fsdataset.impl;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystemTestHelper;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.StorageType;
+import org.apache.hadoop.hdfs.protocol.Block;
+import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
+import org.apache.hadoop.hdfs.server.common.HdfsServerConstants;
 import org.apache.hadoop.hdfs.server.common.Storage;
+import org.apache.hadoop.hdfs.server.common.StorageInfo;
 import org.apache.hadoop.hdfs.server.datanode.DNConf;
+import org.apache.hadoop.hdfs.server.datanode.DataBlockScanner;
 import org.apache.hadoop.hdfs.server.datanode.DataNode;
 import org.apache.hadoop.hdfs.server.datanode.DataStorage;
 import org.apache.hadoop.hdfs.server.datanode.StorageLocation;
+import org.apache.hadoop.test.GenericTestUtils;
 import org.apache.hadoop.util.StringUtils;
 import org.junit.Before;
 import org.junit.Test;
@@ -35,25 +43,44 @@
 import java.util.List;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+import static org.mockito.Matchers.any;
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 public class TestFsDatasetImpl {
   private static final String BASE_DIR =
-      System.getProperty("test.build.dir") + "/fsdatasetimpl";
+      new FileSystemTestHelper().getTestRootDir();
   private static final int NUM_INIT_VOLUMES = 2;
+  private static final String[] BLOCK_POOL_IDS = {"bpid-0", "bpid-1"};
 
+  // Use to generate storageUuid
+  private static final DataStorage dsForStorageUuid = new DataStorage(
+      new StorageInfo(HdfsServerConstants.NodeType.DATA_NODE));
+
+  private Configuration conf;
   private DataStorage storage;
+  private DataBlockScanner scanner;
   private FsDatasetImpl dataset;
 
+  private static Storage.StorageDirectory createStorageDirectory(File root) {
+    Storage.StorageDirectory sd = new Storage.StorageDirectory(root);
+    dsForStorageUuid.createStorageID(sd);
+    return sd;
+  }
+
   private static void createStorageDirs(DataStorage storage, Configuration conf,
       int numDirs) throws IOException {
     List<Storage.StorageDirectory> dirs =
         new ArrayList<Storage.StorageDirectory>();
     List<String> dirStrings = new ArrayList<String>();
     for (int i = 0; i < numDirs; i++) {
-      String loc = BASE_DIR + "/data" + i;
-      dirStrings.add(loc);
-      dirs.add(new Storage.StorageDirectory(new File(loc)));
+      File loc = new File(BASE_DIR + "/data" + i);
+      dirStrings.add(loc.toString());
+      loc.mkdirs();
+      dirs.add(createStorageDirectory(loc));
       when(storage.getStorageDir(i)).thenReturn(dirs.get(i));
     }
 
@@ -66,14 +93,19 @@ private static void createStorageDirs(DataStorage storage, Configuration conf,
   public void setUp() throws IOException {
     final DataNode datanode = Mockito.mock(DataNode.class);
     storage = Mockito.mock(DataStorage.class);
-    Configuration conf = new Configuration();
+    scanner = Mockito.mock(DataBlockScanner.class);
+    this.conf = new Configuration();
     final DNConf dnConf = new DNConf(conf);
 
     when(datanode.getConf()).thenReturn(conf);
     when(datanode.getDnConf()).thenReturn(dnConf);
+    when(datanode.getBlockScanner()).thenReturn(scanner);
 
     createStorageDirs(storage, conf, NUM_INIT_VOLUMES);
     dataset = new FsDatasetImpl(datanode, storage, conf);
+    for (String bpid : BLOCK_POOL_IDS) {
+      dataset.addBlockPool(bpid, conf);
+    }
 
     assertEquals(NUM_INIT_VOLUMES, dataset.getVolumes().size());
     assertEquals(0, dataset.getNumFailedVolumes());
@@ -89,15 +121,63 @@ public void testAddVolumes() throws IOException {
       String path = BASE_DIR + "/newData" + i;
       newLocations.add(StorageLocation.parse(path));
       when(storage.getStorageDir(numExistingVolumes + i))
-          .thenReturn(new Storage.StorageDirectory(new File(path)));
+          .thenReturn(createStorageDirectory(new File(path)));
     }
     when(storage.getNumStorageDirs()).thenReturn(totalVolumes);
 
     dataset.addVolumes(newLocations);
     assertEquals(totalVolumes, dataset.getVolumes().size());
+    assertEquals(totalVolumes, dataset.storageMap.size());
     for (int i = 0; i < numNewVolumes; i++) {
       assertEquals(newLocations.get(i).getFile().getPath(),
           dataset.getVolumes().get(numExistingVolumes + i).getBasePath());
     }
   }
+
+  @Test
+  public void testRemoveVolumes() throws IOException {
+    // Feed FsDataset with block metadata.
+    final int NUM_BLOCKS = 100;
+    for (int i = 0; i < NUM_BLOCKS; i++) {
+      String bpid = BLOCK_POOL_IDS[NUM_BLOCKS % BLOCK_POOL_IDS.length];
+      ExtendedBlock eb = new ExtendedBlock(bpid, i);
+      dataset.createRbw(StorageType.DEFAULT, eb);
+    }
+    final String[] dataDirs =
+        conf.get(DFSConfigKeys.DFS_DATANODE_DATA_DIR_KEY).split(",");
+    final String volumePathToRemove = dataDirs[0];
+    List<StorageLocation> volumesToRemove = new ArrayList<StorageLocation>();
+    volumesToRemove.add(StorageLocation.parse(volumePathToRemove));
+
+    dataset.removeVolumes(volumesToRemove);
+    int expectedNumVolumes = dataDirs.length - 1;
+    assertEquals("The volume has been removed from the volumeList.",
+        expectedNumVolumes, dataset.getVolumes().size());
+    assertEquals("The volume has been removed from the storageMap.",
+        expectedNumVolumes, dataset.storageMap.size());
+
+    try {
+      dataset.asyncDiskService.execute(volumesToRemove.get(0).getFile(),
+          new Runnable() {
+            @Override
+            public void run() {}
+          });
+      fail("Expect RuntimeException: the volume has been removed from the "
+           + "AsyncDiskService.");
+    } catch (RuntimeException e) {
+      GenericTestUtils.assertExceptionContains("Cannot find root", e);
+    }
+
+    int totalNumReplicas = 0;
+    for (String bpid : dataset.volumeMap.getBlockPoolList()) {
+      totalNumReplicas += dataset.volumeMap.size(bpid);
+    }
+    assertEquals("The replica infos on this volume has been removed from the "
+                 + "volumeMap.", NUM_BLOCKS / NUM_INIT_VOLUMES,
+                 totalNumReplicas);
+
+    // Verify that every BlockPool deletes the removed blocks from the volume.
+    verify(scanner, times(BLOCK_POOL_IDS.length))
+        .deleteBlocks(anyString(), any(Block[].class));
+  }
 }

From b03653f9a5d53cb49531cb76fd1e1786a95d1428 Mon Sep 17 00:00:00 2001
From: Jason Lowe <jlowe@apache.org>
Date: Fri, 29 Aug 2014 20:07:06 +0000
Subject: [PATCH 335/354] YARN-2462.
 TestNodeManagerResync#testBlockNewContainerRequestsOnStartAndResync should
 have a test timeout. Contributed by Eric Payne

---
 hadoop-yarn-project/CHANGES.txt                                | 3 +++
 .../hadoop/yarn/server/nodemanager/TestNodeManagerResync.java  | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 5503c4edf96..4cd45297d0c 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -260,6 +260,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2447. RM web service app submission doesn't pass secrets correctly.
     (Varun Vasudev via jianhe)
 
+    YARN-2462. TestNodeManagerResync#testBlockNewContainerRequestsOnStartAndResync
+    should have a test timeout (Eric Payne via jlowe)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeManagerResync.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeManagerResync.java
index bd531865815..acda2a9970c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeManagerResync.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestNodeManagerResync.java
@@ -159,7 +159,7 @@ protected void testContainerPreservationOnResyncImpl(TestNodeManager1 nm,
   // This test tests new container requests are blocked when NM starts from
   // scratch until it register with RM AND while NM is resyncing with RM
   @SuppressWarnings("unchecked")
-  @Test
+  @Test(timeout=60000)
   public void testBlockNewContainerRequestsOnStartAndResync()
       throws IOException, InterruptedException, YarnException {
     NodeManager nm = new TestNodeManager2();

From c60da4d3b31e5fa0c4b27cf75ab7ed4add56396a Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur <tucu@apache.org>
Date: Fri, 29 Aug 2014 14:21:58 -0700
Subject: [PATCH 336/354] HADOOP-10994. KeyProviderCryptoExtension should use
 CryptoCodec for generation/decryption of keys. (tucu)

---
 .../hadoop-common/CHANGES.txt                 |  3 ++
 .../crypto/key/JavaKeyStoreProvider.java      |  1 +
 .../apache/hadoop/crypto/key/KeyProvider.java | 20 ++++++++
 .../key/KeyProviderCryptoExtension.java       | 51 ++++++++++++-------
 .../crypto/key/KeyProviderExtension.java      |  1 +
 .../hadoop/crypto/key/UserProvider.java       |  5 +-
 .../crypto/key/kms/KMSClientProvider.java     |  1 +
 .../crypto/key/TestCachingKeyProvider.java    |  6 +++
 .../hadoop/crypto/key/TestKeyProvider.java    | 17 ++++++-
 ...stKeyProviderDelegationTokenExtension.java | 13 +++--
 10 files changed, 94 insertions(+), 24 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 1930e5d7ea3..2bc3e4b0a01 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -476,6 +476,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10814. Update Tomcat version used by HttpFS and KMS to latest
     6.x version. (rkanter via tucu)
 
+    HADOOP-10994. KeyProviderCryptoExtension should use CryptoCodec for 
+    generation/decryption of keys. (tucu)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java
index 250315177a2..30583eb576c 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java
@@ -108,6 +108,7 @@ public class JavaKeyStoreProvider extends KeyProvider {
   private final Map<String, Metadata> cache = new HashMap<String, Metadata>();
 
   private JavaKeyStoreProvider(URI uri, Configuration conf) throws IOException {
+    super(conf);
     this.uri = uri;
     path = ProviderUtils.unnestUri(uri);
     fs = path.getFileSystem(conf);
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java
index a34ae10a71a..36ccbada0bc 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java
@@ -56,6 +56,8 @@ public abstract class KeyProvider {
       "hadoop.security.key.default.bitlength";
   public static final int DEFAULT_BITLENGTH = 128;
 
+  private final Configuration conf;
+
   /**
    * The combination of both the key version name and the key material.
    */
@@ -353,6 +355,24 @@ public String toString() {
     }
   }
 
+  /**
+   * Constructor.
+   * 
+   * @param conf configuration for the provider
+   */
+  public KeyProvider(Configuration conf) {
+    this.conf = new Configuration(conf);
+  }
+
+  /**
+   * Return the provider configuration.
+   * 
+   * @return the provider configuration
+   */
+  public Configuration getConf() {
+    return conf;
+  }
+  
   /**
    * A helper function to create an options object.
    * @param conf the configuration to use
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
index 026f285f4c4..e2fb5cb3b8e 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
@@ -19,6 +19,7 @@
 package org.apache.hadoop.crypto.key;
 
 import java.io.IOException;
+import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
 
@@ -29,6 +30,9 @@
 import com.google.common.base.Preconditions;
 
 import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.crypto.CryptoCodec;
+import org.apache.hadoop.crypto.Decryptor;
+import org.apache.hadoop.crypto.Encryptor;
 
 /**
  * A KeyProvider with Cryptographic Extensions specifically for generating
@@ -239,18 +243,25 @@ public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
       Preconditions.checkNotNull(encryptionKey,
           "No KeyVersion exists for key '%s' ", encryptionKeyName);
       // Generate random bytes for new key and IV
-      Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
+
+      CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
       final byte[] newKey = new byte[encryptionKey.getMaterial().length];
-      RANDOM.get().nextBytes(newKey);
-      final byte[] iv = new byte[cipher.getBlockSize()];
-      RANDOM.get().nextBytes(iv);
+      cc.generateSecureRandom(newKey);
+      final byte[] iv = new byte[cc.getCipherSuite().getAlgorithmBlockSize()];
+      cc.generateSecureRandom(iv);
       // Encryption key IV is derived from new key's IV
       final byte[] encryptionIV = EncryptedKeyVersion.deriveIV(iv);
-      // Encrypt the new key
-      cipher.init(Cipher.ENCRYPT_MODE,
-          new SecretKeySpec(encryptionKey.getMaterial(), "AES"),
-          new IvParameterSpec(encryptionIV));
-      final byte[] encryptedKey = cipher.doFinal(newKey);
+      Encryptor encryptor = cc.createEncryptor();
+      encryptor.init(encryptionKey.getMaterial(), encryptionIV);
+      int keyLen = newKey.length;
+      ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
+      ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
+      bbIn.put(newKey);
+      bbIn.flip();
+      encryptor.encrypt(bbIn, bbOut);
+      bbOut.flip();
+      byte[] encryptedKey = new byte[keyLen];
+      bbOut.get(encryptedKey);    
       return new EncryptedKeyVersion(encryptionKeyName,
           encryptionKey.getVersionName(), iv,
           new KeyVersion(encryptionKey.getName(), EEK, encryptedKey));
@@ -274,19 +285,25 @@ public KeyVersion decryptEncryptedKey(
                 KeyProviderCryptoExtension.EEK,
                 encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
             );
-      final byte[] encryptionKeyMaterial = encryptionKey.getMaterial();
+
       // Encryption key IV is determined from encrypted key's IV
       final byte[] encryptionIV =
           EncryptedKeyVersion.deriveIV(encryptedKeyVersion.getEncryptedKeyIv());
-      // Init the cipher with encryption key parameters
-      Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
-      cipher.init(Cipher.DECRYPT_MODE,
-          new SecretKeySpec(encryptionKeyMaterial, "AES"),
-          new IvParameterSpec(encryptionIV));
-      // Decrypt the encrypted key
+
+      CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
+      Decryptor decryptor = cc.createDecryptor();
+      decryptor.init(encryptionKey.getMaterial(), encryptionIV);
       final KeyVersion encryptedKV =
           encryptedKeyVersion.getEncryptedKeyVersion();
-      final byte[] decryptedKey = cipher.doFinal(encryptedKV.getMaterial());
+      int keyLen = encryptedKV.getMaterial().length;
+      ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
+      ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
+      bbIn.put(encryptedKV.getMaterial());
+      bbIn.flip();
+      decryptor.decrypt(bbIn, bbOut);
+      bbOut.flip();
+      byte[] decryptedKey = new byte[keyLen];
+      bbOut.get(decryptedKey);
       return new KeyVersion(encryptionKey.getName(), EK, decryptedKey);
     }
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderExtension.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderExtension.java
index ba048b5a3e9..ec4c3b745ea 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderExtension.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderExtension.java
@@ -40,6 +40,7 @@ public static interface Extension {
   private E extension;
 
   public KeyProviderExtension(KeyProvider keyProvider, E extensions) {
+    super(keyProvider.getConf());
     this.keyProvider = keyProvider;
     this.extension = extensions;
   }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/UserProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/UserProvider.java
index e09b3f8d432..bf8f2fed063 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/UserProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/UserProvider.java
@@ -44,7 +44,8 @@ public class UserProvider extends KeyProvider {
   private final Credentials credentials;
   private final Map<String, Metadata> cache = new HashMap<String, Metadata>();
 
-  private UserProvider() throws IOException {
+  private UserProvider(Configuration conf) throws IOException {
+    super(conf);
     user = UserGroupInformation.getCurrentUser();
     credentials = user.getCredentials();
   }
@@ -145,7 +146,7 @@ public static class Factory extends KeyProviderFactory {
     public KeyProvider createProvider(URI providerName,
                                       Configuration conf) throws IOException {
       if (SCHEME_NAME.equals(providerName.getScheme())) {
-        return new UserProvider();
+        return new UserProvider(conf);
       }
       return null;
     }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index bce1eb5dd3d..dc9e6cb96f5 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -283,6 +283,7 @@ public HttpURLConnection configure(HttpURLConnection conn)
   }
 
   public KMSClientProvider(URI uri, Configuration conf) throws IOException {
+    super(conf);
     Path path = ProviderUtils.unnestUri(uri);
     URL url = path.toUri().toURL();
     kmsUrl = createServiceURL(url);
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestCachingKeyProvider.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestCachingKeyProvider.java
index 2eff6991c3d..b8d29a6d029 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestCachingKeyProvider.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestCachingKeyProvider.java
@@ -19,6 +19,7 @@
 
 import java.util.Date;
 
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
 import org.junit.Assert;
 import org.junit.Test;
@@ -32,6 +33,7 @@ public void testCurrentKey() throws Exception {
     KeyProvider mockProv = Mockito.mock(KeyProvider.class);
     Mockito.when(mockProv.getCurrentKey(Mockito.eq("k1"))).thenReturn(mockKey);
     Mockito.when(mockProv.getCurrentKey(Mockito.eq("k2"))).thenReturn(null);
+    Mockito.when(mockProv.getConf()).thenReturn(new Configuration());
     KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100);
 
     // asserting caching
@@ -58,6 +60,7 @@ public void testKeyVersion() throws Exception {
     Mockito.when(mockProv.getKeyVersion(Mockito.eq("k1@0")))
         .thenReturn(mockKey);
     Mockito.when(mockProv.getKeyVersion(Mockito.eq("k2@0"))).thenReturn(null);
+    Mockito.when(mockProv.getConf()).thenReturn(new Configuration());
     KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100);
 
     // asserting caching
@@ -88,6 +91,7 @@ public void testMetadata() throws Exception {
     KeyProvider mockProv = Mockito.mock(KeyProvider.class);
     Mockito.when(mockProv.getMetadata(Mockito.eq("k1"))).thenReturn(mockMeta);
     Mockito.when(mockProv.getMetadata(Mockito.eq("k2"))).thenReturn(null);
+    Mockito.when(mockProv.getConf()).thenReturn(new Configuration());
     KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100);
 
     // asserting caching
@@ -112,6 +116,7 @@ public void testRollNewVersion() throws Exception {
     KeyProvider.KeyVersion mockKey = Mockito.mock(KeyProvider.KeyVersion.class);
     KeyProvider mockProv = Mockito.mock(KeyProvider.class);
     Mockito.when(mockProv.getCurrentKey(Mockito.eq("k1"))).thenReturn(mockKey);
+    Mockito.when(mockProv.getConf()).thenReturn(new Configuration());
     KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100);
     Assert.assertEquals(mockKey, cache.getCurrentKey("k1"));
     Mockito.verify(mockProv, Mockito.times(1)).getCurrentKey(Mockito.eq("k1"));
@@ -134,6 +139,7 @@ public void testDeleteKey() throws Exception {
         .thenReturn(mockKey);
     Mockito.when(mockProv.getMetadata(Mockito.eq("k1"))).thenReturn(
         new KMSClientProvider.KMSMetadata("c", 0, "l", null, new Date(), 1));
+    Mockito.when(mockProv.getConf()).thenReturn(new Configuration());
     KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100);
     Assert.assertEquals(mockKey, cache.getCurrentKey("k1"));
     Mockito.verify(mockProv, Mockito.times(1)).getCurrentKey(Mockito.eq("k1"));
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProvider.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProvider.java
index 892cec82ff6..c3335a37aa0 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProvider.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProvider.java
@@ -159,6 +159,10 @@ private static class MyKeyProvider extends KeyProvider {
     private int size;
     private byte[] material;
 
+    public MyKeyProvider(Configuration conf) {
+      super(conf);
+    }
+
     @Override
     public KeyVersion getKeyVersion(String versionName)
         throws IOException {
@@ -216,7 +220,7 @@ protected byte[] generateKey(int size, String algorithm)
 
   @Test
   public void testMaterialGeneration() throws Exception {
-    MyKeyProvider kp = new MyKeyProvider();
+    MyKeyProvider kp = new MyKeyProvider(new Configuration());
     KeyProvider.Options options = new KeyProvider.Options(new Configuration());
     options.setCipher(CIPHER);
     options.setBitLength(128);
@@ -225,10 +229,19 @@ public void testMaterialGeneration() throws Exception {
     Assert.assertEquals(CIPHER, kp.algorithm);
     Assert.assertNotNull(kp.material);
 
-    kp = new MyKeyProvider();
+    kp = new MyKeyProvider(new Configuration());
     kp.rollNewVersion("hello");
     Assert.assertEquals(128, kp.size);
     Assert.assertEquals(CIPHER, kp.algorithm);
     Assert.assertNotNull(kp.material);
   }
+
+  @Test
+  public void testConfiguration() throws Exception {
+    Configuration conf = new Configuration(false);
+    conf.set("a", "A");
+    MyKeyProvider kp = new MyKeyProvider(conf);
+    Assert.assertEquals("A", kp.getConf().get("a"));
+  }
+
 }
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderDelegationTokenExtension.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderDelegationTokenExtension.java
index 52dedf00512..df5d3e88846 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderDelegationTokenExtension.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderDelegationTokenExtension.java
@@ -29,13 +29,18 @@
 import org.apache.hadoop.security.token.Token;
 import org.junit.Assert;
 import org.junit.Test;
+import org.mockito.Mockito;
 
 public class TestKeyProviderDelegationTokenExtension {
   
   public static abstract class MockKeyProvider extends
       KeyProvider implements DelegationTokenExtension {
+
+    public MockKeyProvider() {
+      super(new Configuration(false));
+    }
   }
-  
+
   @Test
   public void testCreateExtension() throws Exception {
     Configuration conf = new Configuration();
@@ -50,9 +55,11 @@ public void testCreateExtension() throws Exception {
     Assert.assertNull(kpDTE1.addDelegationTokens("user", credentials));
     
     MockKeyProvider mock = mock(MockKeyProvider.class);
+    Mockito.when(mock.getConf()).thenReturn(new Configuration());
     when(mock.addDelegationTokens("renewer", credentials)).thenReturn(
-        new Token<?>[] { new Token(null, null, new Text("kind"), new Text(
-            "service")) });
+        new Token<?>[]{new Token(null, null, new Text("kind"), new Text(
+            "service"))}
+    );
     KeyProviderDelegationTokenExtension kpDTE2 =
         KeyProviderDelegationTokenExtension
         .createKeyProviderDelegationTokenExtension(mock);

From ea1c6f31c2d2ea5b38ed57e2aa241d122103a721 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 29 Aug 2014 14:44:37 -0700
Subject: [PATCH 337/354] HADOOP-11021. Configurable replication factor in the
 hadoop archive command. Contributed by Zhe Zhang.

---
 .../src/site/markdown/HadoopArchives.md.vm    | 12 ++++--
 .../apache/hadoop/tools/HadoopArchives.java   | 12 +++++-
 .../hadoop/tools/TestHadoopArchives.java      | 41 +++++++++++++++++++
 3 files changed, 59 insertions(+), 6 deletions(-)

diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/HadoopArchives.md.vm b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/HadoopArchives.md.vm
index 0cc0f1c93aa..db0a25f7e4f 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/HadoopArchives.md.vm
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/HadoopArchives.md.vm
@@ -38,7 +38,7 @@ Overview
 How to Create an Archive
 ------------------------
 
-  `Usage: hadoop archive -archiveName name -p <parent> <src>* <dest>`
+  `Usage: hadoop archive -archiveName name -p <parent> [-r <replication factor>] <src>* <dest>`
 
   -archiveName is the name of the archive you would like to create. An example
   would be foo.har. The name should have a \*.har extension. The parent argument
@@ -52,9 +52,12 @@ How to Create an Archive
   would need a map reduce cluster to run this. For a detailed example the later
   sections.
 
+  -r indicates the desired replication factor; if this optional argument is
+  not specified, a replication factor of 10 will be used.
+
   If you just want to archive a single directory /foo/bar then you can just use
 
-  `hadoop archive -archiveName zoo.har -p /foo/bar /outputdir`
+  `hadoop archive -archiveName zoo.har -p /foo/bar -r 3 /outputdir`
 
 How to Look Up Files in Archives
 --------------------------------
@@ -90,14 +93,15 @@ Archives Examples
 
 $H3 Creating an Archive
 
-  `hadoop archive -archiveName foo.har -p /user/hadoop dir1 dir2 /user/zoo`
+  `hadoop archive -archiveName foo.har -p /user/hadoop -r 3 dir1 dir2 /user/zoo`
 
   The above example is creating an archive using /user/hadoop as the relative
   archive directory. The directories /user/hadoop/dir1 and /user/hadoop/dir2
   will be archived in the following file system directory -- /user/zoo/foo.har.
   Archiving does not delete the input files. If you want to delete the input
   files after creating the archives (to reduce namespace), you will have to do
-  it on your own. 
+  it on your own. In this example, because `-r 3` is specified, a replication
+  factor of 3 will be used.
 
 $H3 Looking Up Files
 
diff --git a/hadoop-tools/hadoop-archives/src/main/java/org/apache/hadoop/tools/HadoopArchives.java b/hadoop-tools/hadoop-archives/src/main/java/org/apache/hadoop/tools/HadoopArchives.java
index 93994b817a4..e53576d7d8f 100644
--- a/hadoop-tools/hadoop-archives/src/main/java/org/apache/hadoop/tools/HadoopArchives.java
+++ b/hadoop-tools/hadoop-archives/src/main/java/org/apache/hadoop/tools/HadoopArchives.java
@@ -97,9 +97,12 @@ public class HadoopArchives implements Tool {
   long partSize = 2 * 1024 * 1024 * 1024l;
   /** size of blocks in hadoop archives **/
   long blockSize = 512 * 1024 * 1024l;
+  /** the desired replication degree; default is 10 **/
+  short repl = 10;
 
   private static final String usage = "archive"
-  + " -archiveName NAME -p <parent path> <src>* <dest>" +
+  + " -archiveName NAME -p <parent path> [-r <replication factor>]" +
+      "<src>* <dest>" +
   "\n";
   
  
@@ -542,7 +545,7 @@ void archive(Path parentPath, List<Path> srcPaths,
       srcWriter.close();
     }
     //increase the replication of src files
-    jobfs.setReplication(srcFiles, (short) 10);
+    jobfs.setReplication(srcFiles, repl);
     conf.setInt(SRC_COUNT_LABEL, numFiles);
     conf.setLong(TOTAL_SIZE_LABEL, totalSize);
     int numMaps = (int)(totalSize/partSize);
@@ -835,6 +838,11 @@ public int run(String[] args) throws Exception {
       }
 
       i+=2;
+
+      if ("-r".equals(args[i])) {
+        repl = Short.parseShort(args[i+1]);
+        i+=2;
+      }
       //read the rest of the paths
       for (; i < args.length; i++) {
         if (i == (args.length - 1)) {
diff --git a/hadoop-tools/hadoop-archives/src/test/java/org/apache/hadoop/tools/TestHadoopArchives.java b/hadoop-tools/hadoop-archives/src/test/java/org/apache/hadoop/tools/TestHadoopArchives.java
index 65bbbe451bf..e7eef3f9666 100644
--- a/hadoop-tools/hadoop-archives/src/test/java/org/apache/hadoop/tools/TestHadoopArchives.java
+++ b/hadoop-tools/hadoop-archives/src/test/java/org/apache/hadoop/tools/TestHadoopArchives.java
@@ -157,6 +157,24 @@ public void testRelativePath() throws Exception {
     final List<String> harPaths = lsr(shell, fullHarPathStr);
     Assert.assertEquals(originalPaths, harPaths);
   }
+
+  @Test
+  public void testRelativePathWitRepl() throws Exception {
+    final Path sub1 = new Path(inputPath, "dir1");
+    fs.mkdirs(sub1);
+    createFile(inputPath, fs, sub1.getName(), "a");
+    final FsShell shell = new FsShell(conf);
+
+    final List<String> originalPaths = lsr(shell, "input");
+    System.out.println("originalPaths: " + originalPaths);
+
+    // make the archive:
+    final String fullHarPathStr = makeArchiveWithRepl();
+
+    // compare results:
+    final List<String> harPaths = lsr(shell, fullHarPathStr);
+    Assert.assertEquals(originalPaths, harPaths);
+  }
   
 @Test
   public void testPathWithSpaces() throws Exception {
@@ -625,6 +643,29 @@ private String makeArchive() throws Exception {
     assertEquals(0, ToolRunner.run(har, args));
     return fullHarPathStr;
   }
+
+  /*
+ * Run the HadoopArchives tool to create an archive on the
+ * given file system with a specified replication degree.
+ */
+  private String makeArchiveWithRepl() throws Exception {
+    final String inputPathStr = inputPath.toUri().getPath();
+    System.out.println("inputPathStr = " + inputPathStr);
+
+    final URI uri = fs.getUri();
+    final String prefix = "har://hdfs-" + uri.getHost() + ":" + uri.getPort()
+        + archivePath.toUri().getPath() + Path.SEPARATOR;
+
+    final String harName = "foo.har";
+    final String fullHarPathStr = prefix + harName;
+    final String[] args = { "-archiveName", harName, "-p", inputPathStr,
+        "-r 3", "*", archivePath.toString() };
+    System.setProperty(HadoopArchives.TEST_HADOOP_ARCHIVES_JAR_PATH,
+        HADOOP_ARCHIVES_JAR);
+    final HadoopArchives har = new HadoopArchives(conf);
+    assertEquals(0, ToolRunner.run(har, args));
+    return fullHarPathStr;
+  }
   
   @Test
   /*

From 93010faf10fd6894704c033cbd730f05f8c5ffe7 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 29 Aug 2014 14:56:01 -0700
Subject: [PATCH 338/354] Add CHANGES.txt for HADOOP-11021.

---
 hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 2bc3e4b0a01..47ef3aab699 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -479,6 +479,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10994. KeyProviderCryptoExtension should use CryptoCodec for 
     generation/decryption of keys. (tucu)
 
+    HADOOP-11021. Configurable replication factor in the hadoop archive
+    command. (Zhe Zhang via wang)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)

From 6066b1a4551bb70bba2789ac05bf9ddbe72c10e8 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Fri, 29 Aug 2014 15:47:01 -0700
Subject: [PATCH 339/354] HDFS-6972.
 TestRefreshUserMappings.testRefreshSuperUserGroupsConfiguration doesn't
 decode url correctly. Contributed by Yongjun Zhang.

---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt          |  3 +++
 .../hadoop/security/TestRefreshUserMappings.java     | 12 ++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 88b19d81a52..3184e68efe2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -577,6 +577,9 @@ Release 2.6.0 - UNRELEASED
     HDFS-6800. Support Datanode layout changes with rolling upgrade.
     (James Thomas via Arpit Agarwal)
 
+    HDFS-6972. TestRefreshUserMappings.testRefreshSuperUserGroupsConfiguration
+    doesn't decode url correctly. (Yongjun Zhang via wang)
+
     BREAKDOWN OF HDFS-6134 AND HADOOP-10150 SUBTASKS AND RELATED JIRAS
   
       HDFS-6387. HDFS CLI admin tool for creating & deleting an
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestRefreshUserMappings.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestRefreshUserMappings.java
index 72776e03ceb..ca67245371b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestRefreshUserMappings.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestRefreshUserMappings.java
@@ -30,7 +30,9 @@
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.io.UnsupportedEncodingException;
 import java.net.URL;
+import java.net.URLDecoder;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -225,15 +227,17 @@ public void testRefreshSuperUserGroupsConfiguration() throws Exception {
   }
 
   private void addNewConfigResource(String rsrcName, String keyGroup,
-      String groups, String keyHosts, String hosts)  throws FileNotFoundException {
+      String groups, String keyHosts, String hosts)
+          throws FileNotFoundException, UnsupportedEncodingException {
     // location for temp resource should be in CLASSPATH
     Configuration conf = new Configuration();
     URL url = conf.getResource("hdfs-site.xml");
-    Path p = new Path(url.getPath());
+
+    String urlPath = URLDecoder.decode(url.getPath().toString(), "UTF-8");
+    Path p = new Path(urlPath);
     Path dir = p.getParent();
     tempResource = dir.toString() + "/" + rsrcName;
-    
-    
+
     String newResource =
     "<configuration>"+
     "<property><name>" + keyGroup + "</name><value>"+groups+"</value></property>" +

From 9ad413b19d98352e4ae848a945ab1f72ababa576 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Fri, 29 Aug 2014 15:55:25 -0700
Subject: [PATCH 340/354] HADOOP-11030. Define a variable jackson.version
 instead of using constant at multiple places. (Juan Yu via kasha)

---
 hadoop-common-project/hadoop-common/CHANGES.txt |  3 +++
 hadoop-project/pom.xml                          | 11 +++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 47ef3aab699..3b44b8bebe2 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -482,6 +482,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-11021. Configurable replication factor in the hadoop archive
     command. (Zhe Zhang via wang)
 
+    HADOOP-11030. Define a variable jackson.version instead of using constant 
+    at multiple places. (Juan Yu via kasha)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index 5aa54a73e64..f48b092bdfb 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -61,6 +61,9 @@
     <!-- jersey version -->
     <jersey.version>1.9</jersey.version>
 
+    <!-- jackson version -->
+    <jackson.version>1.9.13</jackson.version>
+
     <!-- ProtocolBuffer version, used to verify the protoc version and -->
     <!-- define the protobuf JAR version                               -->
     <protobuf.version>2.5.0</protobuf.version>
@@ -637,22 +640,22 @@
       <dependency>
         <groupId>org.codehaus.jackson</groupId>
         <artifactId>jackson-mapper-asl</artifactId>
-        <version>1.9.13</version>
+        <version>${jackson.version}</version>
       </dependency>
       <dependency>
         <groupId>org.codehaus.jackson</groupId>
         <artifactId>jackson-core-asl</artifactId>
-        <version>1.9.13</version>
+        <version>${jackson.version}</version>
       </dependency>
       <dependency>
         <groupId>org.codehaus.jackson</groupId>
         <artifactId>jackson-jaxrs</artifactId>
-        <version>1.9.13</version>
+        <version>${jackson.version}</version>
       </dependency>
       <dependency>
         <groupId>org.codehaus.jackson</groupId>
         <artifactId>jackson-xc</artifactId>
-        <version>1.9.13</version>
+        <version>${jackson.version}</version>
       </dependency>
       <dependency>
         <groupId>org.mockito</groupId>

From 270a271f53f52a1f33e63a0520ae6032536dd4c6 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Fri, 29 Aug 2014 17:15:38 -0700
Subject: [PATCH 341/354] YARN-2360. Fair Scheduler: Display dynamic fair share
 for queues on the scheduler page. (Ashwin Shankar and Wei Yan via kasha)

---
 hadoop-yarn-project/CHANGES.txt               |  3 ++
 .../webapp/FairSchedulerPage.java             | 31 ++++++++++++-----
 .../webapp/dao/FairSchedulerQueueInfo.java    | 34 +++++++++++++++----
 .../src/site/apt/FairScheduler.apt.vm         | 18 ++++++----
 4 files changed, 64 insertions(+), 22 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 4cd45297d0c..f3909672455 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -163,6 +163,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2406. Move RM recovery related proto to
     yarn_server_resourcemanager_recovery.proto. (Tsuyoshi Ozawa via jianhe)
 
+    YARN-2360. Fair Scheduler: Display dynamic fair share for queues on the 
+    scheduler page. (Ashwin Shankar and Wei Yan via kasha)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/FairSchedulerPage.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/FairSchedulerPage.java
index aca3e448485..bcf7781fc47 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/FairSchedulerPage.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/FairSchedulerPage.java
@@ -44,10 +44,12 @@ public class FairSchedulerPage extends RmView {
   static final float Q_MAX_WIDTH = 0.8f;
   static final float Q_STATS_POS = Q_MAX_WIDTH + 0.05f;
   static final String Q_END = "left:101%";
-  static final String Q_GIVEN = "left:0%;background:none;border:1px dashed rgba(0,0,0,0.25)";
+  static final String Q_GIVEN = "left:0%;background:none;border:1px solid rgba(0,0,0,1)";
+  static final String Q_INSTANTANEOUS_FS = "left:0%;background:none;border:1px dashed rgba(0,0,0,1)";
   static final String Q_OVER = "background:rgba(255, 140, 0, 0.8)";
   static final String Q_UNDER = "background:rgba(50, 205, 50, 0.8)";
-  
+  static final String STEADY_FAIR_SHARE = "Steady Fair Share";
+  static final String INSTANTANEOUS_FAIR_SHARE = "Instantaneous Fair Share";
   @RequestScoped
   static class FSQInfo {
     FairSchedulerQueueInfo qinfo;
@@ -73,8 +75,8 @@ protected void render(Block html) {
       if (maxApps < Integer.MAX_VALUE) {
           ri._("Max Running Applications:", qinfo.getMaxApplications());
       }
-      ri._("Fair Share:", qinfo.getFairShare().toString());
-
+      ri._(STEADY_FAIR_SHARE + ":", qinfo.getSteadyFairShare().toString());
+      ri._(INSTANTANEOUS_FAIR_SHARE + ":", qinfo.getFairShare().toString());
       html._(InfoBlock.class);
 
       // clear the info contents so this queue's info doesn't accumulate into another queue's info
@@ -95,16 +97,21 @@ public void render(Block html) {
       UL<Hamlet> ul = html.ul("#pq");
       for (FairSchedulerQueueInfo info : subQueues) {
         float capacity = info.getMaxResourcesFraction();
-        float fairShare = info.getFairShareMemoryFraction();
+        float steadyFairShare = info.getSteadyFairShareMemoryFraction();
+        float instantaneousFairShare = info.getFairShareMemoryFraction();
         float used = info.getUsedMemoryFraction();
         LI<UL<Hamlet>> li = ul.
           li().
             a(_Q).$style(width(capacity * Q_MAX_WIDTH)).
-              $title(join("Fair Share:", percent(fairShare))).
-              span().$style(join(Q_GIVEN, ";font-size:1px;", width(fairShare/capacity))).
+              $title(join(join(STEADY_FAIR_SHARE + ":", percent(steadyFairShare)),
+                  join(" " + INSTANTANEOUS_FAIR_SHARE + ":", percent(instantaneousFairShare)))).
+              span().$style(join(Q_GIVEN, ";font-size:1px;", width(steadyFairShare / capacity))).
+                _('.')._().
+              span().$style(join(Q_INSTANTANEOUS_FS, ";font-size:1px;",
+                  width(instantaneousFairShare/capacity))).
                 _('.')._().
               span().$style(join(width(used/capacity),
-                ";font-size:1px;left:0%;", used > fairShare ? Q_OVER : Q_UNDER)).
+                ";font-size:1px;left:0%;", used > instantaneousFairShare ? Q_OVER : Q_UNDER)).
                 _('.')._().
               span(".q", info.getQueueName())._().
             span().$class("qstats").$style(left(Q_STATS_POS)).
@@ -156,7 +163,13 @@ public void render(Block html) {
           li().$style("margin-bottom: 1em").
             span().$style("font-weight: bold")._("Legend:")._().
             span().$class("qlegend ui-corner-all").$style(Q_GIVEN).
-              _("Fair Share")._().
+              $title("The steady fair shares consider all queues, " +
+                  "both active (with running applications) and inactive.").
+              _(STEADY_FAIR_SHARE)._().
+            span().$class("qlegend ui-corner-all").$style(Q_INSTANTANEOUS_FS).
+              $title("The instantaneous fair shares consider only active " +
+                  "queues (with running applications).").
+              _(INSTANTANEOUS_FAIR_SHARE)._().
             span().$class("qlegend ui-corner-all").$style(Q_UNDER).
               _("Used")._().
             span().$class("qlegend ui-corner-all").$style(Q_OVER).
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerQueueInfo.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerQueueInfo.java
index 2c1bc4796d4..c62aaf08c64 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerQueueInfo.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/dao/FairSchedulerQueueInfo.java
@@ -28,7 +28,6 @@
 import javax.xml.bind.annotation.XmlSeeAlso;
 import javax.xml.bind.annotation.XmlTransient;
 
-import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.AllocationConfiguration;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSLeafQueue;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSQueue;
@@ -44,6 +43,8 @@ public class FairSchedulerQueueInfo {
   @XmlTransient
   private float fractionMemUsed;
   @XmlTransient
+  private float fractionMemSteadyFairShare;
+  @XmlTransient
   private float fractionMemFairShare;
   @XmlTransient
   private float fractionMemMinShare;
@@ -53,6 +54,7 @@ public class FairSchedulerQueueInfo {
   private ResourceInfo minResources;
   private ResourceInfo maxResources;
   private ResourceInfo usedResources;
+  private ResourceInfo steadyFairResources;
   private ResourceInfo fairResources;
   private ResourceInfo clusterResources;
   
@@ -75,15 +77,19 @@ public FairSchedulerQueueInfo(FSQueue queue, FairScheduler scheduler) {
     usedResources = new ResourceInfo(queue.getResourceUsage());
     fractionMemUsed = (float)usedResources.getMemory() /
         clusterResources.getMemory();
-    
+
+    steadyFairResources = new ResourceInfo(queue.getSteadyFairShare());
     fairResources = new ResourceInfo(queue.getFairShare());
     minResources = new ResourceInfo(queue.getMinShare());
     maxResources = new ResourceInfo(queue.getMaxShare());
     maxResources = new ResourceInfo(
         Resources.componentwiseMin(queue.getMaxShare(),
             scheduler.getClusterResource()));
-    
-    fractionMemFairShare = (float)fairResources.getMemory() / clusterResources.getMemory();
+
+    fractionMemSteadyFairShare =
+        (float)steadyFairResources.getMemory() / clusterResources.getMemory();
+    fractionMemFairShare = (float) fairResources.getMemory()
+        / clusterResources.getMemory();
     fractionMemMinShare = (float)minResources.getMemory() / clusterResources.getMemory();
     fractionMemMaxShare = (float)maxResources.getMemory() / clusterResources.getMemory();
     
@@ -100,20 +106,34 @@ public FairSchedulerQueueInfo(FSQueue queue, FairScheduler scheduler) {
     }
   }
   
+  /**
+   * Returns the steady fair share as a fraction of the entire cluster capacity.
+   */
+  public float getSteadyFairShareMemoryFraction() {
+    return fractionMemSteadyFairShare;
+  }
+
   /**
    * Returns the fair share as a fraction of the entire cluster capacity.
    */
   public float getFairShareMemoryFraction() {
     return fractionMemFairShare;
   }
-  
+
   /**
-   * Returns the fair share of this queue in megabytes.
+   * Returns the steady fair share of this queue in megabytes.
+   */
+  public ResourceInfo getSteadyFairShare() {
+    return steadyFairResources;
+  }
+
+  /**
+   * Returns the fair share of this queue in megabytes
    */
   public ResourceInfo getFairShare() {
     return fairResources;
   }
-    
+
   public ResourceInfo getMinResources() {
     return minResources;
   }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/FairScheduler.apt.vm b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/FairScheduler.apt.vm
index 9bb85631584..a3edadeccc2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/FairScheduler.apt.vm
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/FairScheduler.apt.vm
@@ -429,13 +429,19 @@ Monitoring through web UI
   	
  * Max Resources - The configured maximum resources that are allowed to the queue.
  
- * Fair Share - The queue's fair share of resources.  Queues may be allocated
-   resources beyond their fair share when other queues aren't using them.  A
-   queue whose resource consumption lies at or below its fair share will never
-   have its containers preempted.  
+ * Instantaneous Fair Share - The queue's instantaneous fair share of resources.
+   These shares consider only actives queues (those with running applications),
+   and are used for scheduling decisions. Queues may be allocated resources
+   beyond their shares when other queues aren't using them. A queue whose
+   resource consumption lies at or below its instantaneous fair share will never
+   have its containers preempted.
 
-  In addition to the information that the ResourceManager normally displays
-  about each application, the web interface includes the application's fair share.
+ * Steady Fair Share - The queue's steady fair share of resources. These shares
+   consider all the queues irrespective of whether they are active (have
+   running applications) or not. These are computed less frequently and
+   change only when the configuration or capacity changes.They are meant to
+   provide visibility into resources the user can expect, and hence displayed
+   in the Web UI.
 
 Moving applications between queues
 

From 5c14bc426b4be381383018ebc2236be83eef15cd Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Fri, 29 Aug 2014 23:05:51 -0700
Subject: [PATCH 342/354] YARN-1506. Changed RMNode/SchedulerNode to update
 resource with event notification. Contributed by Junping Du

---
 .../hadoop/yarn/sls/nodemanager/NodeInfo.java |  27 ++---
 .../yarn/sls/scheduler/RMNodeWrapper.java     |  11 --
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../yarn/api/records/ResourceOption.java      |   2 +
 .../UpdateNodeResourceResponse.java           |  12 +-
 .../records/impl/pb/ResourceOptionPBImpl.java |  33 ++++--
 .../pb/UpdateNodeResourceResponsePBImpl.java  |   2 +-
 .../server/resourcemanager/AdminService.java  |  34 +++++-
 .../ResourceTrackerService.java               |   4 +-
 .../server/resourcemanager/rmnode/RMNode.java |  12 --
 .../rmnode/RMNodeEventType.java               |   3 +
 .../resourcemanager/rmnode/RMNodeImpl.java    |  86 +++++++++++---
 .../rmnode/RMNodeResourceUpdateEvent.java     |  37 ++++++
 .../scheduler/AbstractYarnScheduler.java      |  29 +++++
 .../scheduler/SchedulerNode.java              |  25 ++--
 .../scheduler/SchedulerUtils.java             |  37 ------
 .../scheduler/capacity/CapacityScheduler.java |  26 ++++-
 .../NodeResourceUpdateSchedulerEvent.java     |  43 +++++++
 .../scheduler/event/SchedulerEventType.java   |   1 +
 .../scheduler/fair/FairScheduler.java         |  28 ++++-
 .../scheduler/fifo/FifoScheduler.java         |  12 +-
 .../server/resourcemanager/MockNodes.java     |  22 +---
 .../yarn/server/resourcemanager/MockRM.java   |   5 +-
 .../resourcemanager/TestFifoScheduler.java    |  85 ++++++++++++++
 .../TestRMNodeTransitions.java                |  75 +++++++++++-
 .../resourcetracker/TestNMReconnect.java      |  19 ++--
 .../capacity/TestCapacityScheduler.java       | 107 +++++++++++++++++-
 .../scheduler/fifo/TestFifoScheduler.java     |  24 ++--
 28 files changed, 617 insertions(+), 187 deletions(-)
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeResourceUpdateEvent.java
 create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/event/NodeResourceUpdateSchedulerEvent.java

diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NodeInfo.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NodeInfo.java
index 1d573822d9b..029fa877f0b 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NodeInfo.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/nodemanager/NodeInfo.java
@@ -32,7 +32,6 @@
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.api.records.NodeState;
 import org.apache.hadoop.yarn.api.records.Resource;
-import org.apache.hadoop.yarn.api.records.ResourceOption;
 import org.apache.hadoop.yarn.server.api.protocolrecords.NodeHeartbeatResponse;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNode;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode
@@ -55,7 +54,7 @@ private static class FakeRMNodeImpl implements RMNode {
     private String nodeAddr;
     private String httpAddress;
     private int cmdPort;
-    private volatile ResourceOption perNode;
+    private volatile Resource perNode;
     private String rackName;
     private String healthReport;
     private NodeState state;
@@ -63,7 +62,7 @@ private static class FakeRMNodeImpl implements RMNode {
     private List<ApplicationId> toCleanUpApplications;
     
     public FakeRMNodeImpl(NodeId nodeId, String nodeAddr, String httpAddress,
-        ResourceOption perNode, String rackName, String healthReport,
+        Resource perNode, String rackName, String healthReport,
         int cmdPort, String hostName, NodeState state) {
       this.nodeId = nodeId;
       this.nodeAddr = nodeAddr;
@@ -111,10 +110,6 @@ public long getLastHealthReportTime() {
     }
 
     public Resource getTotalCapability() {
-      return perNode.getResource();
-    }
-    
-    public ResourceOption getResourceOption() {
       return perNode;
     }
 
@@ -159,32 +154,26 @@ public List<UpdatedContainerInfo> pullContainerUpdates() {
       return list;
     }
 
-	@Override
-	public String getNodeManagerVersion() {
-		// TODO Auto-generated method stub
-		return null;
-	}
-
     @Override
-    public void setResourceOption(ResourceOption resourceOption) {
-      perNode = resourceOption;
+    public String getNodeManagerVersion() {
+      return null;
     }
+
   }
 
   public static RMNode newNodeInfo(String rackName, String hostName,
-                              final ResourceOption resourceOption, int port) {
+                              final Resource resource, int port) {
     final NodeId nodeId = newNodeID(hostName, port);
     final String nodeAddr = hostName + ":" + port;
     final String httpAddress = hostName;
     
     return new FakeRMNodeImpl(nodeId, nodeAddr, httpAddress,
-        resourceOption, rackName, "Me good",
+        resource, rackName, "Me good",
         port, hostName, null);
   }
   
   public static RMNode newNodeInfo(String rackName, String hostName,
                               final Resource resource) {
-    return newNodeInfo(rackName, hostName, ResourceOption.newInstance(resource,
-        RMNode.OVER_COMMIT_TIMEOUT_MILLIS_DEFAULT), NODE_ID++);
+    return newNodeInfo(rackName, hostName, resource, NODE_ID++);
   }
 }
diff --git a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/RMNodeWrapper.java b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/RMNodeWrapper.java
index da9b56fd546..7eca66fb779 100644
--- a/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/RMNodeWrapper.java
+++ b/hadoop-tools/hadoop-sls/src/main/java/org/apache/hadoop/yarn/sls/scheduler/RMNodeWrapper.java
@@ -26,7 +26,6 @@
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.api.records.NodeState;
 import org.apache.hadoop.yarn.api.records.Resource;
-import org.apache.hadoop.yarn.api.records.ResourceOption;
 import org.apache.hadoop.yarn.server.api.protocolrecords.NodeHeartbeatResponse;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNode;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode
@@ -148,14 +147,4 @@ public String getNodeManagerVersion() {
     return node.getNodeManagerVersion();
   }
 
-  @Override
-  public void setResourceOption(ResourceOption resourceOption) {
-    node.setResourceOption(resourceOption);
-  }
-  
-  @Override
-  public ResourceOption getResourceOption() {
-    return node.getResourceOption();
-  }
-
 }
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index f3909672455..cb09c19568b 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -166,6 +166,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2360. Fair Scheduler: Display dynamic fair share for queues on the 
     scheduler page. (Ashwin Shankar and Wei Yan via kasha)
 
+    YARN-1506. Changed RMNode/SchedulerNode to update resource with event
+    notification. (Junping Du via jianhe)
+
   OPTIMIZATIONS
 
   BUG FIXES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ResourceOption.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ResourceOption.java
index 380f38d74a1..1ca90ccedf9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ResourceOption.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ResourceOption.java
@@ -62,6 +62,8 @@ public static ResourceOption newInstance(Resource resource,
   @Evolving
   protected abstract void setOverCommitTimeout(int overCommitTimeout);
   
+  @Private
+  @Evolving
   protected abstract void build();
   
   @Override
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/UpdateNodeResourceResponse.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/UpdateNodeResourceResponse.java
index 5155101d244..8603ea31c9e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/UpdateNodeResourceResponse.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/UpdateNodeResourceResponse.java
@@ -17,9 +17,10 @@
  */
 package org.apache.hadoop.yarn.server.api.protocolrecords;
 
-import org.apache.hadoop.classification.InterfaceAudience.Public;
+import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceStability.Evolving;
 import org.apache.hadoop.yarn.server.api.ResourceManagerAdministrationProtocol;
+import org.apache.hadoop.yarn.util.Records;
 
 /**
  * <p>The response sent by the <code>ResourceManager</code> to Admin client on
@@ -30,8 +31,13 @@
  * @see ResourceManagerAdministrationProtocol#updateNodeResource(
  *      UpdateNodeResourceRequest)
  */
-@Public
+@Private
 @Evolving
-public interface UpdateNodeResourceResponse {
+public abstract class UpdateNodeResourceResponse {
+  public static UpdateNodeResourceResponse newInstance(){
+    UpdateNodeResourceResponse response = 
+        Records.newRecord(UpdateNodeResourceResponse.class);
+    return response;
+  }
 
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceOptionPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceOptionPBImpl.java
index 79f479ee99d..5a4a44e648a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceOptionPBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ResourceOptionPBImpl.java
@@ -22,14 +22,15 @@
 import org.apache.hadoop.yarn.api.records.ResourceOption;
 import org.apache.hadoop.yarn.proto.YarnProtos.ResourceProto;
 import org.apache.hadoop.yarn.proto.YarnProtos.ResourceOptionProto;
+import org.apache.hadoop.yarn.proto.YarnProtos.ResourceOptionProtoOrBuilder;
 
 import com.google.common.base.Preconditions;
 
 public class ResourceOptionPBImpl extends ResourceOption {
 
-  ResourceOptionProto proto = null;
+  ResourceOptionProto proto = ResourceOptionProto.getDefaultInstance();
   ResourceOptionProto.Builder builder = null;
-  private Resource resource = null;
+  boolean viaProto = false;
 
   public ResourceOptionPBImpl() {
     builder = ResourceOptionProto.newBuilder();
@@ -37,39 +38,46 @@ public ResourceOptionPBImpl() {
 
   public ResourceOptionPBImpl(ResourceOptionProto proto) {
     this.proto = proto;
-    this.resource = convertFromProtoFormat(proto.getResource());
+    viaProto = true;
   }
   
   public ResourceOptionProto getProto() {
+    proto = viaProto ? proto : builder.build();
+    viaProto = true;
     return proto;
   }
   
   @Override
   public Resource getResource() {
-    return this.resource;
+    ResourceOptionProtoOrBuilder p = viaProto ? proto : builder;
+    return convertFromProtoFormat(p.getResource());
   }
 
   @Override
   protected void setResource(Resource resource) {
-    if (resource != null) {
-      Preconditions.checkNotNull(builder);
-      builder.setResource(convertToProtoFormat(resource));
-    }
-    this.resource = resource;
+    maybeInitBuilder();
+    builder.setResource(convertToProtoFormat(resource));
   }
 
   @Override
   public int getOverCommitTimeout() {
-    Preconditions.checkNotNull(proto);
-    return proto.getOverCommitTimeout();
+    ResourceOptionProtoOrBuilder p = viaProto ? proto : builder;
+    return p.getOverCommitTimeout();
   }
 
   @Override
   protected void setOverCommitTimeout(int overCommitTimeout) {
-    Preconditions.checkNotNull(builder);
+    maybeInitBuilder();
     builder.setOverCommitTimeout(overCommitTimeout);
   }
   
+  private void maybeInitBuilder() {
+    if (viaProto || builder == null) {
+      builder = ResourceOptionProto.newBuilder(proto);
+    }
+    viaProto = false;
+  }
+  
   private ResourceProto convertToProtoFormat(
       Resource resource) {
     return ((ResourcePBImpl)resource).getProto();
@@ -83,6 +91,7 @@ private ResourcePBImpl convertFromProtoFormat(
   @Override
   protected void build() {
     proto = builder.build();
+    viaProto = true;
     builder = null;
   }
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/impl/pb/UpdateNodeResourceResponsePBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/impl/pb/UpdateNodeResourceResponsePBImpl.java
index f314f861b65..3e2aca559ea 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/impl/pb/UpdateNodeResourceResponsePBImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/server/api/protocolrecords/impl/pb/UpdateNodeResourceResponsePBImpl.java
@@ -20,7 +20,7 @@
 import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.UpdateNodeResourceResponseProto;
 import org.apache.hadoop.yarn.server.api.protocolrecords.UpdateNodeResourceResponse;
 
-public class UpdateNodeResourceResponsePBImpl implements UpdateNodeResourceResponse {
+public class UpdateNodeResourceResponsePBImpl extends UpdateNodeResourceResponse {
 
   UpdateNodeResourceResponseProto proto = UpdateNodeResourceResponseProto.getDefaultInstance();
   UpdateNodeResourceResponseProto.Builder builder = null;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
index c47f49e207e..ff0a249bce9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
@@ -72,6 +72,7 @@
 import org.apache.hadoop.yarn.server.api.protocolrecords.UpdateNodeResourceRequest;
 import org.apache.hadoop.yarn.server.api.protocolrecords.UpdateNodeResourceResponse;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNode;
+import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeResourceUpdateEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.security.authorize.RMPolicyProvider;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -513,9 +514,20 @@ public String[] getGroupsForUser(String user) throws IOException {
     return UserGroupInformation.createRemoteUser(user).getGroupNames();
   }
 
+  @SuppressWarnings("unchecked")
   @Override
   public UpdateNodeResourceResponse updateNodeResource(
       UpdateNodeResourceRequest request) throws YarnException, IOException {
+    String argName = "updateNodeResource";
+    UserGroupInformation user = checkAcls(argName);
+    
+    if (!isRMActive()) {
+      RMAuditLogger.logFailure(user.getShortUserName(), argName,
+          adminAcl.toString(), "AdminService",
+          "ResourceManager is not active. Can not update node resource.");
+      throwStandbyException();
+    }
+    
     Map<NodeId, ResourceOption> nodeResourceMap = request.getNodeResourceMap();
     Set<NodeId> nodeIds = nodeResourceMap.keySet();
     // verify nodes are all valid first. 
@@ -536,21 +548,31 @@ public UpdateNodeResourceResponse updateNodeResource(
     // Notice: it is still possible to have invalid NodeIDs as nodes decommission
     // may happen just at the same time. This time, only log and skip absent
     // nodes without throwing any exceptions.
+    boolean allSuccess = true;
     for (Map.Entry<NodeId, ResourceOption> entry : nodeResourceMap.entrySet()) {
       ResourceOption newResourceOption = entry.getValue();
       NodeId nodeId = entry.getKey();
       RMNode node = this.rmContext.getRMNodes().get(nodeId);
+      
       if (node == null) {
         LOG.warn("Resource update get failed on an unrecognized node: " + nodeId);
+        allSuccess = false;
       } else {
-        node.setResourceOption(newResourceOption);
-        LOG.info("Update resource successfully on node(" + node.getNodeID()
-            +") with resource(" + newResourceOption.toString() + ")");
+        // update resource to RMNode
+        this.rmContext.getDispatcher().getEventHandler()
+          .handle(new RMNodeResourceUpdateEvent(nodeId, newResourceOption));
+        LOG.info("Update resource on node(" + node.getNodeID()
+            + ") with resource(" + newResourceOption.toString() + ")");
+
       }
     }
-    UpdateNodeResourceResponse response = recordFactory.newRecordInstance(
-          UpdateNodeResourceResponse.class);
-      return response;
+    if (allSuccess) {
+      RMAuditLogger.logSuccess(user.getShortUserName(), argName,
+          "AdminService");
+    }
+    UpdateNodeResourceResponse response = 
+        UpdateNodeResourceResponse.newInstance();
+    return response;
   }
 
   private synchronized Configuration getConfiguration(Configuration conf,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java
index b532dd56309..4798120c0da 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceTrackerService.java
@@ -36,7 +36,6 @@
 import org.apache.hadoop.yarn.api.records.ContainerStatus;
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.api.records.Resource;
-import org.apache.hadoop.yarn.api.records.ResourceOption;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnException;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
@@ -299,8 +298,7 @@ public RegisterNodeManagerResponse registerNodeManager(
         .getCurrentKey());    
 
     RMNode rmNode = new RMNodeImpl(nodeId, rmContext, host, cmPort, httpPort,
-        resolve(host), ResourceOption.newInstance(capability, RMNode.OVER_COMMIT_TIMEOUT_MILLIS_DEFAULT),
-        nodeManagerVersion);
+        resolve(host), capability, nodeManagerVersion);
 
     RMNode oldNode = this.rmContext.getRMNodes().putIfAbsent(nodeId, rmNode);
     if (oldNode == null) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNode.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNode.java
index 24793e86f17..a423ea50675 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNode.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNode.java
@@ -101,18 +101,6 @@ public interface RMNode {
    */
   public Resource getTotalCapability();
   
-  /**
-   * Set resource option with total available resource and overCommitTimoutMillis
-   * @param resourceOption
-   */
-  public void setResourceOption(ResourceOption resourceOption);
-  
-  /**
-   * resource option with total available resource and overCommitTimoutMillis
-   * @return ResourceOption
-   */
-  public ResourceOption getResourceOption();
-  
   /**
    * The rack name for this node manager.
    * @return the rack name.
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeEventType.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeEventType.java
index ef644be7000..c0096b9b90d 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeEventType.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeEventType.java
@@ -24,6 +24,9 @@ public enum RMNodeEventType {
   
   // Source: AdminService
   DECOMMISSION,
+  
+  // Source: AdminService, ResourceTrackerService
+  RESOURCE_UPDATE,
 
   // ResourceTrackerService
   STATUS_UPDATE,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java
index 9ead898db40..3ce641662cc 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeImpl.java
@@ -58,6 +58,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppRunningOnNodeEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeAddedSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeRemovedSchedulerEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeResourceUpdateSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeUpdateSchedulerEvent;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils.ContainerIdComparator;
 import org.apache.hadoop.yarn.state.InvalidStateTransitonException;
@@ -96,7 +97,7 @@ public class RMNodeImpl implements RMNode, EventHandler<RMNodeEvent> {
   private int httpPort;
   private final String nodeAddress; // The containerManager address
   private String httpAddress;
-  private volatile ResourceOption resourceOption;
+  private volatile Resource totalCapability;
   private final Node node;
 
   private String healthReport;
@@ -129,6 +130,9 @@ public class RMNodeImpl implements RMNode, EventHandler<RMNodeEvent> {
      //Transitions from NEW state
      .addTransition(NodeState.NEW, NodeState.RUNNING, 
          RMNodeEventType.STARTED, new AddNodeTransition())
+     .addTransition(NodeState.NEW, NodeState.NEW,
+         RMNodeEventType.RESOURCE_UPDATE, 
+         new UpdateNodeResourceWhenUnusableTransition())
 
      //Transitions from RUNNING state
      .addTransition(NodeState.RUNNING, 
@@ -149,6 +153,23 @@ RMNodeEventType.CLEANUP_APP, new CleanUpAppTransition())
          RMNodeEventType.CLEANUP_CONTAINER, new CleanUpContainerTransition())
      .addTransition(NodeState.RUNNING, NodeState.RUNNING,
          RMNodeEventType.RECONNECTED, new ReconnectNodeTransition())
+     .addTransition(NodeState.RUNNING, NodeState.RUNNING,
+         RMNodeEventType.RESOURCE_UPDATE, new UpdateNodeResourceWhenRunningTransition())
+
+     //Transitions from REBOOTED state
+     .addTransition(NodeState.REBOOTED, NodeState.REBOOTED,
+         RMNodeEventType.RESOURCE_UPDATE, 
+         new UpdateNodeResourceWhenUnusableTransition())
+         
+     //Transitions from DECOMMISSIONED state
+     .addTransition(NodeState.DECOMMISSIONED, NodeState.DECOMMISSIONED,
+         RMNodeEventType.RESOURCE_UPDATE, 
+         new UpdateNodeResourceWhenUnusableTransition())
+         
+     //Transitions from LOST state
+     .addTransition(NodeState.LOST, NodeState.LOST,
+         RMNodeEventType.RESOURCE_UPDATE, 
+         new UpdateNodeResourceWhenUnusableTransition())
 
      //Transitions from UNHEALTHY state
      .addTransition(NodeState.UNHEALTHY, 
@@ -169,6 +190,8 @@ RMNodeEventType.RECONNECTED, new ReconnectNodeTransition())
          RMNodeEventType.CLEANUP_APP, new CleanUpAppTransition())
      .addTransition(NodeState.UNHEALTHY, NodeState.UNHEALTHY,
          RMNodeEventType.CLEANUP_CONTAINER, new CleanUpContainerTransition())
+     .addTransition(NodeState.UNHEALTHY, NodeState.UNHEALTHY,
+         RMNodeEventType.RESOURCE_UPDATE, new UpdateNodeResourceWhenUnusableTransition())
          
      // create the topology tables
      .installTopology(); 
@@ -177,13 +200,13 @@ RMNodeEventType.CLEANUP_CONTAINER, new CleanUpContainerTransition())
                              RMNodeEvent> stateMachine;
 
   public RMNodeImpl(NodeId nodeId, RMContext context, String hostName,
-      int cmPort, int httpPort, Node node, ResourceOption resourceOption, String nodeManagerVersion) {
+      int cmPort, int httpPort, Node node, Resource capability, String nodeManagerVersion) {
     this.nodeId = nodeId;
     this.context = context;
     this.hostName = hostName;
     this.commandPort = cmPort;
     this.httpPort = httpPort;
-    this.resourceOption = resourceOption; 
+    this.totalCapability = capability; 
     this.nodeAddress = hostName + ":" + cmPort;
     this.httpAddress = hostName + ":" + httpPort;
     this.node = node;
@@ -239,17 +262,7 @@ public String getHttpAddress() {
 
   @Override
   public Resource getTotalCapability() {
-    return this.resourceOption.getResource();
-  }
-  
-  @Override
-  public void setResourceOption(ResourceOption resourceOption) {
-    this.resourceOption = resourceOption;
-  }
-  
-  @Override
-  public ResourceOption getResourceOption(){
-    return this.resourceOption;
+    return this.totalCapability;
   }
 
   @Override
@@ -473,6 +486,13 @@ private static void handleRunningAppOnNode(RMNodeImpl rmNode,
     context.getDispatcher().getEventHandler()
         .handle(new RMAppRunningOnNodeEvent(appId, nodeId));
   }
+  
+  private static void updateNodeResourceFromEvent(RMNodeImpl rmNode, 
+     RMNodeResourceUpdateEvent event){
+      ResourceOption resourceOption = event.getResourceOption();
+      // Set resource on RMNode
+      rmNode.totalCapability = resourceOption.getResource();
+  }
 
   public static class AddNodeTransition implements
       SingleArcTransition<RMNodeImpl, RMNodeEvent> {
@@ -526,8 +546,8 @@ public void transition(RMNodeImpl rmNode, RMNodeEvent event) {
       rmNode.nodeManagerVersion = newNode.getNodeManagerVersion();
       rmNode.httpPort = newNode.getHttpPort();
       rmNode.httpAddress = newNode.getHttpAddress();
-      rmNode.resourceOption = newNode.getResourceOption();
-
+      rmNode.totalCapability = newNode.getTotalCapability();
+      
       // Reset heartbeat ID since node just restarted.
       rmNode.getLastNodeHeartBeatResponse().setResponseId(0);
 
@@ -540,9 +560,43 @@ public void transition(RMNodeImpl rmNode, RMNodeEvent event) {
       rmNode.context.getDispatcher().getEventHandler().handle(
           new NodesListManagerEvent(
               NodesListManagerEventType.NODE_USABLE, rmNode));
+      if (rmNode.getState().equals(NodeState.RUNNING)) {
+        // Update scheduler node's capacity for reconnect node.
+        rmNode.context.getDispatcher().getEventHandler().handle(
+            new NodeResourceUpdateSchedulerEvent(rmNode, 
+                ResourceOption.newInstance(rmNode.totalCapability, -1)));
+      }
+      
     }
   }
+  
+  public static class UpdateNodeResourceWhenRunningTransition
+      implements SingleArcTransition<RMNodeImpl, RMNodeEvent> {
 
+    @Override
+    public void transition(RMNodeImpl rmNode, RMNodeEvent event) {
+      RMNodeResourceUpdateEvent updateEvent = (RMNodeResourceUpdateEvent)event;
+      updateNodeResourceFromEvent(rmNode, updateEvent);
+      // Notify new resourceOption to scheduler
+      rmNode.context.getDispatcher().getEventHandler().handle(
+          new NodeResourceUpdateSchedulerEvent(rmNode, updateEvent.getResourceOption()));
+    }
+  }
+  
+  public static class UpdateNodeResourceWhenUnusableTransition
+      implements SingleArcTransition<RMNodeImpl, RMNodeEvent> {
+
+    @Override
+    public void transition(RMNodeImpl rmNode, RMNodeEvent event) {
+      // The node is not usable, only log a warn message
+      LOG.warn("Try to update resource on a "+ rmNode.getState().toString() +
+          " node: "+rmNode.toString());
+      updateNodeResourceFromEvent(rmNode, (RMNodeResourceUpdateEvent)event);
+      // No need to notify scheduler as schedulerNode is not function now
+      // and can sync later from RMnode.
+    }
+  }
+  
   public static class CleanUpAppTransition
     implements SingleArcTransition<RMNodeImpl, RMNodeEvent> {
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeResourceUpdateEvent.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeResourceUpdateEvent.java
new file mode 100644
index 00000000000..bf1f148b125
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmnode/RMNodeResourceUpdateEvent.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.resourcemanager.rmnode;
+
+import org.apache.hadoop.yarn.api.records.NodeId;
+import org.apache.hadoop.yarn.api.records.ResourceOption;
+
+public class RMNodeResourceUpdateEvent extends RMNodeEvent {
+
+  private final ResourceOption resourceOption;
+  
+  public RMNodeResourceUpdateEvent(NodeId nodeId, ResourceOption resourceOption) {
+    super(nodeId, RMNodeEventType.RESOURCE_UPDATE);
+    this.resourceOption = resourceOption;
+  }
+
+  public ResourceOption getResourceOption() {
+    return resourceOption;
+  }
+
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
index ab56bb97212..ee5dcbe7ece 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/AbstractYarnScheduler.java
@@ -41,6 +41,7 @@
 import org.apache.hadoop.yarn.api.records.ContainerStatus;
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.api.records.ResourceOption;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnException;
@@ -473,4 +474,32 @@ public synchronized void killAllAppsInQueue(String queueName)
           .handle(new RMAppEvent(app.getApplicationId(), RMAppEventType.KILL));
     }
   }
+  
+  /**
+   * Process resource update on a node.
+   */
+  public synchronized void updateNodeResource(RMNode nm, 
+      ResourceOption resourceOption) {
+  
+    SchedulerNode node = getSchedulerNode(nm.getNodeID());
+    Resource newResource = resourceOption.getResource();
+    Resource oldResource = node.getTotalResource();
+    if(!oldResource.equals(newResource)) {
+      // Log resource change
+      LOG.info("Update resource on node: " + node.getNodeName() 
+          + " from: " + oldResource + ", to: "
+          + newResource);
+
+      // update resource to node
+      node.setTotalResource(newResource);
+    
+      // update resource to clusterResource
+      Resources.subtractFrom(clusterResource, oldResource);
+      Resources.addTo(clusterResource, newResource);
+    } else {
+      // Log resource change
+      LOG.warn("Update resource on node: " + node.getNodeName() 
+          + " with the same resource: " + newResource);
+    }
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerNode.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerNode.java
index 7074059ecf4..f4d8731a012 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerNode.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerNode.java
@@ -77,6 +77,16 @@ public RMNode getRMNode() {
     return this.rmNode;
   }
 
+  /**
+   * Set total resources on the node.
+   * @param resource total resources on the node.
+   */
+  public synchronized void setTotalResource(Resource resource){
+    this.totalResourceCapability = resource;
+    this.availableResource = Resources.subtract(totalResourceCapability,
+      this.usedResource);
+  }
+  
   /**
    * Get the ID of the node which contains both its hostname and port.
    * 
@@ -158,7 +168,7 @@ public synchronized Resource getUsedResource() {
    * 
    * @return total resources on the node.
    */
-  public Resource getTotalResource() {
+  public synchronized Resource getTotalResource() {
     return this.totalResourceCapability;
   }
 
@@ -259,19 +269,6 @@ public synchronized RMContainer getReservedContainer() {
     this.reservedContainer = reservedContainer;
   }
 
-  /**
-   * Apply delta resource on node's available resource.
-   * 
-   * @param deltaResource
-   *          the delta of resource need to apply to node
-   */
-  public synchronized void
-      applyDeltaOnAvailableResource(Resource deltaResource) {
-    // we can only adjust available resource if total resource is changed.
-    Resources.addTo(this.availableResource, deltaResource);
-  }
-
-
   public synchronized void recoverContainer(RMContainer rmContainer) {
     if (rmContainer.getState().equals(RMContainerState.COMPLETED)) {
       return;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
index d3df93fcc6e..ac37c2f0bc9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
@@ -19,7 +19,6 @@
 
 import java.util.List;
 
-import org.apache.commons.logging.Log;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.yarn.api.records.ContainerExitStatus;
@@ -147,42 +146,6 @@ public static void normalizeRequest(
     ask.setCapability(normalized);
   }
   
-  /**
-   * Update resource in SchedulerNode if any resource change in RMNode.
-   * @param node SchedulerNode with old resource view
-   * @param rmNode RMNode with new resource view
-   * @param clusterResource the cluster's resource that need to update
-   * @param log Scheduler's log for resource change
-   * @return true if the resources have changed
-   */
-  public static boolean updateResourceIfChanged(SchedulerNode node,
-      RMNode rmNode, Resource clusterResource, Log log) {
-    boolean result = false;
-    Resource oldAvailableResource = node.getAvailableResource();
-    Resource newAvailableResource = Resources.subtract(
-        rmNode.getTotalCapability(), node.getUsedResource());
-    
-    if (!newAvailableResource.equals(oldAvailableResource)) {
-      result = true;
-      Resource deltaResource = Resources.subtract(newAvailableResource,
-          oldAvailableResource);
-      // Reflect resource change to scheduler node.
-      node.applyDeltaOnAvailableResource(deltaResource);
-      // Reflect resource change to clusterResource.
-      Resources.addTo(clusterResource, deltaResource);
-      // TODO process resource over-commitment case (allocated containers
-      // > total capacity) in different option by getting value of
-      // overCommitTimeoutMillis.
-      
-      // Log resource change
-      log.info("Resource change on node: " + rmNode.getNodeAddress() 
-          + " with delta: CPU: " + deltaResource.getMemory() + "core, Memory: "
-          + deltaResource.getMemory() +"MB");
-    }
-
-    return result;
-  }
-
   /**
    * Utility method to normalize a list of resource requests, by insuring that
    * the memory for each request is a multiple of minMemory and is not zero.
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
index c8a73bfb530..a8ef94224b9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
@@ -50,6 +50,8 @@
 import org.apache.hadoop.yarn.api.records.QueueACL;
 import org.apache.hadoop.yarn.api.records.QueueInfo;
 import org.apache.hadoop.yarn.api.records.QueueUserACLInfo;
+import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.api.records.ResourceOption;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnException;
@@ -82,6 +84,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.ContainerExpiredSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeAddedSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeRemovedSchedulerEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeResourceUpdateSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeUpdateSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.security.RMContainerTokenSecretManager;
@@ -866,12 +869,6 @@ private synchronized void nodeUpdate(RMNode nm) {
 
     FiCaSchedulerNode node = getNode(nm.getNodeID());
     
-    // Update resource if any change
-    if (SchedulerUtils.updateResourceIfChanged(node, nm, clusterResource,
-        LOG)) {
-      root.updateClusterResource(clusterResource);
-    }
-    
     List<UpdatedContainerInfo> containerInfoList = nm.pullContainerUpdates();
     List<ContainerStatus> newlyLaunchedContainers = new ArrayList<ContainerStatus>();
     List<ContainerStatus> completedContainers = new ArrayList<ContainerStatus>();
@@ -899,6 +896,15 @@ private synchronized void nodeUpdate(RMNode nm) {
         + " availableResource: " + node.getAvailableResource());
     }
   }
+  
+  /**
+   * Process resource update on a node.
+   */
+  private synchronized void updateNodeAndQueueResource(RMNode nm, 
+      ResourceOption resourceOption) {
+    updateNodeResource(nm, resourceOption);
+    root.updateClusterResource(clusterResource);
+  }
 
   private synchronized void allocateContainersToNode(FiCaSchedulerNode node) {
 
@@ -969,6 +975,14 @@ public void handle(SchedulerEvent event) {
       removeNode(nodeRemovedEvent.getRemovedRMNode());
     }
     break;
+    case NODE_RESOURCE_UPDATE:
+    {
+      NodeResourceUpdateSchedulerEvent nodeResourceUpdatedEvent = 
+          (NodeResourceUpdateSchedulerEvent)event;
+      updateNodeAndQueueResource(nodeResourceUpdatedEvent.getRMNode(),
+        nodeResourceUpdatedEvent.getResourceOption());
+    }
+    break;
     case NODE_UPDATE:
     {
       NodeUpdateSchedulerEvent nodeUpdatedEvent = (NodeUpdateSchedulerEvent)event;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/event/NodeResourceUpdateSchedulerEvent.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/event/NodeResourceUpdateSchedulerEvent.java
new file mode 100644
index 00000000000..df32b283f6a
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/event/NodeResourceUpdateSchedulerEvent.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.resourcemanager.scheduler.event;
+
+import org.apache.hadoop.yarn.api.records.ResourceOption;
+import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNode;
+
+public class NodeResourceUpdateSchedulerEvent extends SchedulerEvent {
+
+  private final RMNode rmNode;
+  private final ResourceOption resourceOption;
+  
+  public NodeResourceUpdateSchedulerEvent(RMNode rmNode,
+      ResourceOption resourceOption) {
+    super(SchedulerEventType.NODE_RESOURCE_UPDATE);
+    this.rmNode = rmNode;
+    this.resourceOption = resourceOption;
+  }
+
+  public RMNode getRMNode() {
+    return rmNode;
+  }
+
+  public ResourceOption getResourceOption() {
+    return resourceOption;
+  }
+
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/event/SchedulerEventType.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/event/SchedulerEventType.java
index 243c72ba676..062f831c4ca 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/event/SchedulerEventType.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/event/SchedulerEventType.java
@@ -24,6 +24,7 @@ public enum SchedulerEventType {
   NODE_ADDED,
   NODE_REMOVED,
   NODE_UPDATE,
+  NODE_RESOURCE_UPDATE,
 
   // Source: RMApp
   APP_ADDED,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
index 40c72a621e7..6932a315959 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
@@ -45,6 +45,7 @@
 import org.apache.hadoop.yarn.api.records.QueueInfo;
 import org.apache.hadoop.yarn.api.records.QueueUserACLInfo;
 import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.api.records.ResourceOption;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnException;
@@ -79,6 +80,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.ContainerExpiredSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeAddedSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeRemovedSchedulerEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeResourceUpdateSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeUpdateSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.security.RMContainerTokenSecretManager;
@@ -956,7 +958,7 @@ public Allocation allocate(ApplicationAttemptId appAttemptId,
         allocation.getNMTokenList());
     }
   }
-
+  
   /**
    * Process a heartbeat update from a node.
    */
@@ -967,9 +969,6 @@ private synchronized void nodeUpdate(RMNode nm) {
     }
     eventLog.log("HEARTBEAT", nm.getHostName());
     FSSchedulerNode node = getFSSchedulerNode(nm.getNodeID());
-
-    // Update resource if any change
-    SchedulerUtils.updateResourceIfChanged(node, nm, clusterResource, LOG);
     
     List<UpdatedContainerInfo> containerInfoList = nm.pullContainerUpdates();
     List<ContainerStatus> newlyLaunchedContainers = new ArrayList<ContainerStatus>();
@@ -1173,6 +1172,15 @@ public void handle(SchedulerEvent event) {
       removeApplication(appRemovedEvent.getApplicationID(),
         appRemovedEvent.getFinalState());
       break;
+    case NODE_RESOURCE_UPDATE:
+      if (!(event instanceof NodeResourceUpdateSchedulerEvent)) {
+        throw new RuntimeException("Unexpected event type: " + event);
+      }
+      NodeResourceUpdateSchedulerEvent nodeResourceUpdatedEvent = 
+          (NodeResourceUpdateSchedulerEvent)event;
+      updateNodeResource(nodeResourceUpdatedEvent.getRMNode(),
+            nodeResourceUpdatedEvent.getResourceOption());
+      break;
     case APP_ATTEMPT_ADDED:
       if (!(event instanceof AppAttemptAddedSchedulerEvent)) {
         throw new RuntimeException("Unexpected event type: " + event);
@@ -1534,4 +1542,16 @@ FSQueue findLowestCommonAncestorQueue(FSQueue queue1, FSQueue queue2) {
     }
     return queue1; // names are identical
   }
+  
+  /**
+   * Process resource update on a node and update Queue.
+   */
+  @Override
+  public synchronized void updateNodeResource(RMNode nm, 
+      ResourceOption resourceOption) {
+    super.updateNodeResource(nm, resourceOption);
+    updateRootQueueMetrics();
+    queueMgr.getRootQueue().setSteadyFairShare(clusterResource);
+    queueMgr.getRootQueue().recomputeSteadyShares();
+  }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java
index dd2ea433ebb..d72e7966064 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java
@@ -85,6 +85,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.ContainerExpiredSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeAddedSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeRemovedSchedulerEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeResourceUpdateSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeUpdateSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEvent;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
@@ -681,9 +682,6 @@ private int assignContainer(FiCaSchedulerNode node, FiCaSchedulerApp application
   private synchronized void nodeUpdate(RMNode rmNode) {
     FiCaSchedulerNode node = getNode(rmNode.getNodeID());
     
-    // Update resource if any change
-    SchedulerUtils.updateResourceIfChanged(node, rmNode, clusterResource, LOG);
-    
     List<UpdatedContainerInfo> containerInfoList = rmNode.pullContainerUpdates();
     List<ContainerStatus> newlyLaunchedContainers = new ArrayList<ContainerStatus>();
     List<ContainerStatus> completedContainers = new ArrayList<ContainerStatus>();
@@ -750,6 +748,14 @@ public void handle(SchedulerEvent event) {
       removeNode(nodeRemovedEvent.getRemovedRMNode());
     }
     break;
+    case NODE_RESOURCE_UPDATE:
+    {
+      NodeResourceUpdateSchedulerEvent nodeResourceUpdatedEvent = 
+          (NodeResourceUpdateSchedulerEvent)event;
+      updateNodeResource(nodeResourceUpdatedEvent.getRMNode(),
+        nodeResourceUpdatedEvent.getResourceOption());
+    }
+    break;
     case NODE_UPDATE:
     {
       NodeUpdateSchedulerEvent nodeUpdatedEvent = 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockNodes.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockNodes.java
index 8ef01d998d7..79f909806ea 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockNodes.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockNodes.java
@@ -27,7 +27,6 @@
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.api.records.NodeState;
 import org.apache.hadoop.yarn.api.records.Resource;
-import org.apache.hadoop.yarn.api.records.ResourceOption;
 import org.apache.hadoop.yarn.factories.RecordFactory;
 import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
 import org.apache.hadoop.yarn.server.api.protocolrecords.NodeHeartbeatResponse;
@@ -94,14 +93,14 @@ private static class MockRMNodeImpl implements RMNode {
     private String nodeAddr;
     private String httpAddress;
     private int cmdPort;
-    private ResourceOption perNode;
+    private Resource perNode;
     private String rackName;
     private String healthReport;
     private long lastHealthReportTime;
     private NodeState state;
 
     public MockRMNodeImpl(NodeId nodeId, String nodeAddr, String httpAddress,
-        ResourceOption perNode, String rackName, String healthReport,
+        Resource perNode, String rackName, String healthReport,
         long lastHealthReportTime, int cmdPort, String hostName, NodeState state) {
       this.nodeId = nodeId;
       this.nodeAddr = nodeAddr;
@@ -147,7 +146,7 @@ public String getHttpAddress() {
 
     @Override
     public Resource getTotalCapability() {
-      return this.perNode.getResource();
+      return this.perNode;
     }
 
     @Override
@@ -203,16 +202,6 @@ public String getHealthReport() {
     public long getLastHealthReportTime() {
       return lastHealthReportTime;
     }
-
-    @Override
-    public void setResourceOption(ResourceOption resourceOption) {
-      this.perNode = resourceOption;
-    }
-    
-    @Override
-    public ResourceOption getResourceOption(){
-      return this.perNode;
-    }
     
   };
 
@@ -232,9 +221,8 @@ private static RMNode buildRMNode(int rack, final Resource perNode,
 
     final String httpAddress = httpAddr;
     String healthReport = (state == NodeState.UNHEALTHY) ? null : "HealthyMe";
-    return new MockRMNodeImpl(nodeID, nodeAddr, httpAddress,
-        ResourceOption.newInstance(perNode, RMNode.OVER_COMMIT_TIMEOUT_MILLIS_DEFAULT),
-        rackName, healthReport, 0, nid, hostName, state); 
+    return new MockRMNodeImpl(nodeID, nodeAddr, httpAddress, perNode,
+        rackName, healthReport, 0, nid, hostName, state);
   }
 
   public static RMNode nodeInfo(int rack, final Resource perNode,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java
index a7f624029b2..3817637676b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java
@@ -457,7 +457,6 @@ protected void serviceStop() {
 
   @Override
   protected ResourceTrackerService createResourceTrackerService() {
-    Configuration conf = new Configuration();
 
     RMContainerTokenSecretManager containerTokenSecretManager =
         getRMContext().getContainerTokenSecretManager();
@@ -547,6 +546,10 @@ public ClientToAMTokenSecretManagerInRM getClientToAMTokenSecretManager() {
   public RMAppManager getRMAppManager() {
     return this.rmAppManager;
   }
+  
+  public AdminService getAdminService() {
+    return this.adminService;
+  }
 
   @Override
   protected void startWepApp() {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestFifoScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestFifoScheduler.java
index 420fc942ae2..12f7498b7b0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestFifoScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestFifoScheduler.java
@@ -23,7 +23,9 @@
 
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -35,9 +37,13 @@
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.api.records.ContainerState;
 import org.apache.hadoop.yarn.api.records.ContainerStatus;
+import org.apache.hadoop.yarn.api.records.NodeId;
+import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.api.records.ResourceOption;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
+import org.apache.hadoop.yarn.server.api.protocolrecords.UpdateNodeResourceRequest;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNode;
@@ -509,6 +515,85 @@ public void testHeadroom() throws Exception {
     rm.stop();
   }
   
+  @Test
+  public void testResourceOverCommit() throws Exception {
+    MockRM rm = new MockRM(conf);
+    rm.start();
+    
+    MockNM nm1 = rm.registerNode("127.0.0.1:1234", 4 * GB);
+    
+    RMApp app1 = rm.submitApp(2048);
+    // kick the scheduling, 2 GB given to AM1, remaining 2GB on nm1
+    nm1.nodeHeartbeat(true);
+    RMAppAttempt attempt1 = app1.getCurrentAppAttempt();
+    MockAM am1 = rm.sendAMLaunched(attempt1.getAppAttemptId());
+    am1.registerAppAttempt();
+    SchedulerNodeReport report_nm1 = rm.getResourceScheduler().getNodeReport(
+        nm1.getNodeId());
+    // check node report, 2 GB used and 2 GB available
+    Assert.assertEquals(2 * GB, report_nm1.getUsedResource().getMemory());
+    Assert.assertEquals(2 * GB, report_nm1.getAvailableResource().getMemory());
+
+    // add request for containers
+    am1.addRequests(new String[] { "127.0.0.1", "127.0.0.2" }, 2 * GB, 1, 1);
+    AllocateResponse alloc1Response = am1.schedule(); // send the request
+
+    // kick the scheduler, 2 GB given to AM1, resource remaining 0
+    nm1.nodeHeartbeat(true);
+    while (alloc1Response.getAllocatedContainers().size() < 1) {
+      LOG.info("Waiting for containers to be created for app 1...");
+      Thread.sleep(1000);
+      alloc1Response = am1.schedule();
+    }
+
+    List<Container> allocated1 = alloc1Response.getAllocatedContainers();
+    Assert.assertEquals(1, allocated1.size());
+    Assert.assertEquals(2 * GB, allocated1.get(0).getResource().getMemory());
+    Assert.assertEquals(nm1.getNodeId(), allocated1.get(0).getNodeId());
+    
+    report_nm1 = rm.getResourceScheduler().getNodeReport(nm1.getNodeId());
+    // check node report, 4 GB used and 0 GB available
+    Assert.assertEquals(0, report_nm1.getAvailableResource().getMemory());
+    Assert.assertEquals(4 * GB, report_nm1.getUsedResource().getMemory());
+
+    // check container is assigned with 2 GB.
+    Container c1 = allocated1.get(0);
+    Assert.assertEquals(2 * GB, c1.getResource().getMemory());
+    
+    // update node resource to 2 GB, so resource is over-consumed.
+    Map<NodeId, ResourceOption> nodeResourceMap = 
+        new HashMap<NodeId, ResourceOption>();
+    nodeResourceMap.put(nm1.getNodeId(), 
+        ResourceOption.newInstance(Resource.newInstance(2 * GB, 1), -1));
+    UpdateNodeResourceRequest request = 
+        UpdateNodeResourceRequest.newInstance(nodeResourceMap);
+    AdminService as = rm.adminService;
+    as.updateNodeResource(request);
+    
+    // Now, the used resource is still 4 GB, and available resource is minus value.
+    report_nm1 = rm.getResourceScheduler().getNodeReport(nm1.getNodeId());
+    Assert.assertEquals(4 * GB, report_nm1.getUsedResource().getMemory());
+    Assert.assertEquals(-2 * GB, report_nm1.getAvailableResource().getMemory());
+    
+    // Check container can complete successfully in case of resource over-commitment.
+    ContainerStatus containerStatus = BuilderUtils.newContainerStatus(
+        c1.getId(), ContainerState.COMPLETE, "", 0);
+    nm1.containerStatus(containerStatus);
+    int waitCount = 0;
+    while (attempt1.getJustFinishedContainers().size() < 1
+        && waitCount++ != 20) {
+      LOG.info("Waiting for containers to be finished for app 1... Tried "
+          + waitCount + " times already..");
+      Thread.sleep(100);
+    }
+    Assert.assertEquals(1, attempt1.getJustFinishedContainers().size());
+    Assert.assertEquals(1, am1.schedule().getCompletedContainersStatuses().size());
+    report_nm1 = rm.getResourceScheduler().getNodeReport(nm1.getNodeId());
+    Assert.assertEquals(2 * GB, report_nm1.getUsedResource().getMemory());
+    // As container return 2 GB back, the available resource becomes 0 again.
+    Assert.assertEquals(0 * GB, report_nm1.getAvailableResource().getMemory());
+    rm.stop();
+  }
 
   public static void main(String[] args) throws Exception {
     TestFifoScheduler t = new TestFifoScheduler();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMNodeTransitions.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMNodeTransitions.java
index aa2cfc2eba1..d877e25c2d6 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMNodeTransitions.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMNodeTransitions.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.yarn.server.resourcemanager;
 
+import static org.junit.Assert.assertEquals;
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.doAnswer;
 import static org.mockito.Mockito.doReturn;
@@ -48,6 +49,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeEventType;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeImpl;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeReconnectEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeResourceUpdateEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeStartedEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeStatusEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.rmnode.UpdatedContainerInfo;
@@ -463,8 +465,7 @@ private RMNodeImpl getRunningNode(String nmVersion) {
     NodeId nodeId = BuilderUtils.newNodeId("localhost", 0);
     Resource capability = Resource.newInstance(4096, 4);
     RMNodeImpl node = new RMNodeImpl(nodeId, rmContext,null, 0, 0,
-        null, ResourceOption.newInstance(capability,
-            RMNode.OVER_COMMIT_TIMEOUT_MILLIS_DEFAULT), nmVersion);
+        null, capability, nmVersion);
     node.handle(new RMNodeStartedEvent(node.getNodeID(), null, null));
     Assert.assertEquals(NodeState.RUNNING, node.getState());
     return node;
@@ -486,6 +487,25 @@ private RMNodeImpl getNewNode() {
     RMNodeImpl node = new RMNodeImpl(nodeId, rmContext, null, 0, 0, null, null, null);
     return node;
   }
+  
+  private RMNodeImpl getNewNode(Resource capability) {
+    NodeId nodeId = BuilderUtils.newNodeId("localhost", 0);
+    RMNodeImpl node = new RMNodeImpl(nodeId, rmContext, null, 0, 0, null, 
+        capability, null);
+    return node;
+  }
+  
+  private RMNodeImpl getRebootedNode() {
+    NodeId nodeId = BuilderUtils.newNodeId("localhost", 0);
+    Resource capability = Resource.newInstance(4096, 4);
+    RMNodeImpl node = new RMNodeImpl(nodeId, rmContext,null, 0, 0,
+        null, capability, null);
+    node.handle(new RMNodeStartedEvent(node.getNodeID(), null, null));
+    Assert.assertEquals(NodeState.RUNNING, node.getState());
+    node.handle(new RMNodeEvent(node.getNodeID(), RMNodeEventType.REBOOTING));
+    Assert.assertEquals(NodeState.REBOOTED, node.getState());
+    return node;
+  }
 
   @Test
   public void testAdd() {
@@ -534,6 +554,57 @@ public void testReconnect() {
     Assert.assertEquals(NodesListManagerEventType.NODE_USABLE,
         nodesListManagerEvent.getType());
   }
+  
+  @Test
+  public void testResourceUpdateOnRunningNode() {
+    RMNodeImpl node = getRunningNode();
+    Resource oldCapacity = node.getTotalCapability();
+    assertEquals("Memory resource is not match.", oldCapacity.getMemory(), 4096);
+    assertEquals("CPU resource is not match.", oldCapacity.getVirtualCores(), 4);
+    node.handle(new RMNodeResourceUpdateEvent(node.getNodeID(),
+        ResourceOption.newInstance(Resource.newInstance(2048, 2), 
+            RMNode.OVER_COMMIT_TIMEOUT_MILLIS_DEFAULT)));
+    Resource newCapacity = node.getTotalCapability();
+    assertEquals("Memory resource is not match.", newCapacity.getMemory(), 2048);
+    assertEquals("CPU resource is not match.", newCapacity.getVirtualCores(), 2);
+    
+    Assert.assertEquals(NodeState.RUNNING, node.getState());
+    Assert.assertNotNull(nodesListManagerEvent);
+    Assert.assertEquals(NodesListManagerEventType.NODE_USABLE,
+        nodesListManagerEvent.getType());
+  }
+  
+  @Test
+  public void testResourceUpdateOnNewNode() {
+    RMNodeImpl node = getNewNode(Resource.newInstance(4096, 4));
+    Resource oldCapacity = node.getTotalCapability();
+    assertEquals("Memory resource is not match.", oldCapacity.getMemory(), 4096);
+    assertEquals("CPU resource is not match.", oldCapacity.getVirtualCores(), 4);
+    node.handle(new RMNodeResourceUpdateEvent(node.getNodeID(),
+        ResourceOption.newInstance(Resource.newInstance(2048, 2), 
+            RMNode.OVER_COMMIT_TIMEOUT_MILLIS_DEFAULT)));
+    Resource newCapacity = node.getTotalCapability();
+    assertEquals("Memory resource is not match.", newCapacity.getMemory(), 2048);
+    assertEquals("CPU resource is not match.", newCapacity.getVirtualCores(), 2);
+    
+    Assert.assertEquals(NodeState.NEW, node.getState());
+  }
+  
+  @Test
+  public void testResourceUpdateOnRebootedNode() {
+    RMNodeImpl node = getRebootedNode();
+    Resource oldCapacity = node.getTotalCapability();
+    assertEquals("Memory resource is not match.", oldCapacity.getMemory(), 4096);
+    assertEquals("CPU resource is not match.", oldCapacity.getVirtualCores(), 4);
+    node.handle(new RMNodeResourceUpdateEvent(node.getNodeID(),
+        ResourceOption.newInstance(Resource.newInstance(2048, 2), 
+            RMNode.OVER_COMMIT_TIMEOUT_MILLIS_DEFAULT)));
+    Resource newCapacity = node.getTotalCapability();
+    assertEquals("Memory resource is not match.", newCapacity.getMemory(), 2048);
+    assertEquals("CPU resource is not match.", newCapacity.getVirtualCores(), 2);
+    
+    Assert.assertEquals(NodeState.REBOOTED, node.getState());
+  }
 
   @Test
   public void testReconnnectUpdate() {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/resourcetracker/TestNMReconnect.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/resourcetracker/TestNMReconnect.java
index cced69aea36..d16d5510365 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/resourcetracker/TestNMReconnect.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/resourcetracker/TestNMReconnect.java
@@ -18,6 +18,9 @@
 
 package org.apache.hadoop.yarn.server.resourcemanager.resourcetracker;
 
+import java.util.ArrayList;
+import java.util.List;
+
 import org.junit.Assert;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.yarn.api.records.NodeId;
@@ -47,14 +50,14 @@ public class TestNMReconnect {
   private static final RecordFactory recordFactory = 
       RecordFactoryProvider.getRecordFactory(null);
 
-  private RMNodeEvent rmNodeEvent = null;
+  private List<RMNodeEvent> rmNodeEvents = new ArrayList<RMNodeEvent>();
 
   private class TestRMNodeEventDispatcher implements
       EventHandler<RMNodeEvent> {
 
     @Override
     public void handle(RMNodeEvent event) {
-      rmNodeEvent = event;
+      rmNodeEvents.add(event);
     }
 
   }
@@ -109,16 +112,18 @@ public void testReconnect() throws Exception {
     request1.setResource(capability);
     resourceTrackerService.registerNodeManager(request1);
 
-    Assert.assertEquals(RMNodeEventType.STARTED, rmNodeEvent.getType());
+    Assert.assertEquals(RMNodeEventType.STARTED, rmNodeEvents.get(0).getType());
 
-    rmNodeEvent = null;
+    rmNodeEvents.clear();
     resourceTrackerService.registerNodeManager(request1);
-    Assert.assertEquals(RMNodeEventType.RECONNECTED, rmNodeEvent.getType());
+    Assert.assertEquals(RMNodeEventType.RECONNECTED,
+        rmNodeEvents.get(0).getType());
 
-    rmNodeEvent = null;
+    rmNodeEvents.clear();
     resourceTrackerService.registerNodeManager(request1);
     capability = BuilderUtils.newResource(1024, 2);
     request1.setResource(capability);
-    Assert.assertEquals(RMNodeEventType.RECONNECTED, rmNodeEvent.getType());
+    Assert.assertEquals(RMNodeEventType.RECONNECTED,
+        rmNodeEvents.get(0).getType());
   }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java
index f64bd62e078..e029749f1db 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacityScheduler.java
@@ -47,23 +47,30 @@
 import org.apache.hadoop.yarn.LocalConfigurationProvider;
 import org.apache.hadoop.yarn.api.ApplicationMasterProtocol;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateRequest;
+import org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse;
 import org.apache.hadoop.yarn.api.protocolrecords.RegisterApplicationMasterRequest;
 import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.Container;
 import org.apache.hadoop.yarn.api.records.ContainerId;
+import org.apache.hadoop.yarn.api.records.ContainerState;
+import org.apache.hadoop.yarn.api.records.ContainerStatus;
+import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.api.records.Priority;
 import org.apache.hadoop.yarn.api.records.QueueInfo;
 import org.apache.hadoop.yarn.api.records.QueueState;
 import org.apache.hadoop.yarn.api.records.QueueUserACLInfo;
 import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.api.records.ResourceOption;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.event.AsyncDispatcher;
 import org.apache.hadoop.yarn.exceptions.YarnException;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.ipc.YarnRPC;
+import org.apache.hadoop.yarn.server.api.protocolrecords.UpdateNodeResourceRequest;
+import org.apache.hadoop.yarn.server.resourcemanager.AdminService;
 import org.apache.hadoop.yarn.server.resourcemanager.Application;
 import org.apache.hadoop.yarn.server.resourcemanager.MockAM;
 import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
@@ -90,6 +97,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerApplication;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerApplicationAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerNode;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerNodeReport;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.TestSchedulerUtils;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.common.fica.FiCaSchedulerApp;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.common.fica.FiCaSchedulerNode;
@@ -591,7 +599,6 @@ private int getQueueCount(List<QueueUserACLInfo> queueInformation, String queueN
     return result;
   }
 
-  @SuppressWarnings("resource")
   @Test
   public void testBlackListNodes() throws Exception {
     Configuration conf = new Configuration();
@@ -627,6 +634,104 @@ public void testBlackListNodes() throws Exception {
     Assert.assertFalse(cs.getApplicationAttempt(appAttemptId).isBlacklisted(host));
     rm.stop();
   }
+  
+  @Test
+  public void testResourceOverCommit() throws Exception {
+    Configuration conf = new Configuration();
+    conf.setClass(YarnConfiguration.RM_SCHEDULER, CapacityScheduler.class,
+        ResourceScheduler.class);
+    MockRM rm = new MockRM(conf);
+    rm.start();
+    
+    MockNM nm1 = rm.registerNode("127.0.0.1:1234", 4 * GB);
+    RMApp app1 = rm.submitApp(2048);
+    // kick the scheduling, 2 GB given to AM1, remaining 2GB on nm1
+    nm1.nodeHeartbeat(true);
+    RMAppAttempt attempt1 = app1.getCurrentAppAttempt();
+    MockAM am1 = rm.sendAMLaunched(attempt1.getAppAttemptId());
+    am1.registerAppAttempt();
+    SchedulerNodeReport report_nm1 = rm.getResourceScheduler().getNodeReport(
+        nm1.getNodeId());
+    // check node report, 2 GB used and 2 GB available
+    Assert.assertEquals(2 * GB, report_nm1.getUsedResource().getMemory());
+    Assert.assertEquals(2 * GB, report_nm1.getAvailableResource().getMemory());
+
+    // add request for containers
+    am1.addRequests(new String[] { "127.0.0.1", "127.0.0.2" }, 2 * GB, 1, 1);
+    AllocateResponse alloc1Response = am1.schedule(); // send the request
+
+    // kick the scheduler, 2 GB given to AM1, resource remaining 0
+    nm1.nodeHeartbeat(true);
+    while (alloc1Response.getAllocatedContainers().size() < 1) {
+      LOG.info("Waiting for containers to be created for app 1...");
+      Thread.sleep(100);
+      alloc1Response = am1.schedule();
+    }
+
+    List<Container> allocated1 = alloc1Response.getAllocatedContainers();
+    Assert.assertEquals(1, allocated1.size());
+    Assert.assertEquals(2 * GB, allocated1.get(0).getResource().getMemory());
+    Assert.assertEquals(nm1.getNodeId(), allocated1.get(0).getNodeId());
+    
+    report_nm1 = rm.getResourceScheduler().getNodeReport(nm1.getNodeId());
+    // check node report, 4 GB used and 0 GB available
+    Assert.assertEquals(0, report_nm1.getAvailableResource().getMemory());
+    Assert.assertEquals(4 * GB, report_nm1.getUsedResource().getMemory());
+
+    // check container is assigned with 2 GB.
+    Container c1 = allocated1.get(0);
+    Assert.assertEquals(2 * GB, c1.getResource().getMemory());
+    
+    // update node resource to 2 GB, so resource is over-consumed.
+    Map<NodeId, ResourceOption> nodeResourceMap = 
+        new HashMap<NodeId, ResourceOption>();
+    nodeResourceMap.put(nm1.getNodeId(), 
+        ResourceOption.newInstance(Resource.newInstance(2 * GB, 1), -1));
+    UpdateNodeResourceRequest request = 
+        UpdateNodeResourceRequest.newInstance(nodeResourceMap);
+    AdminService as = ((MockRM)rm).getAdminService();
+    as.updateNodeResource(request);
+    
+    // Now, the used resource is still 4 GB, and available resource is minus value.
+    report_nm1 = rm.getResourceScheduler().getNodeReport(nm1.getNodeId());
+    Assert.assertEquals(4 * GB, report_nm1.getUsedResource().getMemory());
+    Assert.assertEquals(-2 * GB, report_nm1.getAvailableResource().getMemory());
+    
+    // Check container can complete successfully in case of resource over-commitment.
+    ContainerStatus containerStatus = BuilderUtils.newContainerStatus(
+        c1.getId(), ContainerState.COMPLETE, "", 0);
+    nm1.containerStatus(containerStatus);
+    int waitCount = 0;
+    while (attempt1.getJustFinishedContainers().size() < 1
+        && waitCount++ != 20) {
+      LOG.info("Waiting for containers to be finished for app 1... Tried "
+          + waitCount + " times already..");
+      Thread.sleep(100);
+    }
+    Assert.assertEquals(1, attempt1.getJustFinishedContainers().size());
+    Assert.assertEquals(1, am1.schedule().getCompletedContainersStatuses().size());
+    report_nm1 = rm.getResourceScheduler().getNodeReport(nm1.getNodeId());
+    Assert.assertEquals(2 * GB, report_nm1.getUsedResource().getMemory());
+    // As container return 2 GB back, the available resource becomes 0 again.
+    Assert.assertEquals(0 * GB, report_nm1.getAvailableResource().getMemory());
+    
+    // Verify no NPE is trigger in schedule after resource is updated.
+    am1.addRequests(new String[] { "127.0.0.1", "127.0.0.2" }, 3 * GB, 1, 1);
+    alloc1Response = am1.schedule();
+    Assert.assertEquals("Shouldn't have enough resource to allocate containers",
+        0, alloc1Response.getAllocatedContainers().size());
+    int times = 0;
+    // try 10 times as scheduling is async process.
+    while (alloc1Response.getAllocatedContainers().size() < 1
+        && times++ < 10) {
+      LOG.info("Waiting for containers to be allocated for app 1... Tried "
+          + times + " times already..");
+      Thread.sleep(100);
+    }
+    Assert.assertEquals("Shouldn't have enough resource to allocate containers",
+        0, alloc1Response.getAllocatedContainers().size());
+    rm.stop();
+  }
 
     @Test (timeout = 5000)
     public void testApplicationComparator()
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/TestFifoScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/TestFifoScheduler.java
index a0e22799290..3d383647ba4 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/TestFifoScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/TestFifoScheduler.java
@@ -68,6 +68,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.AppAddedSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.AppAttemptAddedSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeAddedSchedulerEvent;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeResourceUpdateSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.NodeUpdateSchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEvent;
 import org.apache.hadoop.yarn.server.resourcemanager.security.NMTokenSecretManagerInRM;
@@ -278,17 +279,16 @@ public Map<NodeId, FiCaSchedulerNode> getNodes(){
         (Map<NodeId, FiCaSchedulerNode>) method.invoke(scheduler);
     assertEquals(schedulerNodes.values().size(), 1);
     
-    // set resource of RMNode to 1024 and verify it works.
-    node0.setResourceOption(ResourceOption.newInstance(
-        Resources.createResource(1024, 4), RMNode.OVER_COMMIT_TIMEOUT_MILLIS_DEFAULT));
-    assertEquals(node0.getTotalCapability().getMemory(), 1024);
-    // verify that SchedulerNode's resource hasn't been changed.
-    assertEquals(schedulerNodes.get(node0.getNodeID()).
-        getAvailableResource().getMemory(), 2048);
-    // now, NM heartbeat comes.
-    NodeUpdateSchedulerEvent node0Update = new NodeUpdateSchedulerEvent(node0);
-    scheduler.handle(node0Update);
-    // SchedulerNode's available resource is changed.
+    Resource newResource = Resources.createResource(1024, 4);
+    
+    NodeResourceUpdateSchedulerEvent node0ResourceUpdate = new 
+        NodeResourceUpdateSchedulerEvent(node0, ResourceOption.newInstance(
+            newResource, RMNode.OVER_COMMIT_TIMEOUT_MILLIS_DEFAULT));
+    scheduler.handle(node0ResourceUpdate);
+    
+    // SchedulerNode's total resource and available resource are changed.
+    assertEquals(schedulerNodes.get(node0.getNodeID()).getTotalResource()
+        .getMemory(), 1024);
     assertEquals(schedulerNodes.get(node0.getNodeID()).
         getAvailableResource().getMemory(), 1024);
     QueueInfo queueInfo = scheduler.getQueueInfo(null, false, false);
@@ -324,6 +324,7 @@ public Map<NodeId, FiCaSchedulerNode> getNodes(){
     // Before the node update event, there are one local request
     Assert.assertEquals(1, nodeLocal.getNumContainers());
 
+    NodeUpdateSchedulerEvent node0Update = new NodeUpdateSchedulerEvent(node0);
     // Now schedule.
     scheduler.handle(node0Update);
 
@@ -544,7 +545,6 @@ public void testFifoScheduler() throws Exception {
     LOG.info("--- END: testFifoScheduler ---");
   }
 
-  @SuppressWarnings("resource")
   @Test
   public void testBlackListNodes() throws Exception {
     Configuration conf = new Configuration();

From 0f34e6f3873aee0f4932740ca790c6dd2a13b5d9 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@apache.org>
Date: Sat, 30 Aug 2014 01:17:13 -0700
Subject: [PATCH 343/354] YARN-2395. FairScheduler: Preemption timeout should
 be configurable per queue. (Wei Yan via kasha)

---
 hadoop-yarn-project/CHANGES.txt               |   3 +
 .../fair/AllocationConfiguration.java         |  40 ++-
 .../fair/AllocationFileLoaderService.java     |  57 ++--
 .../scheduler/fair/FSParentQueue.java         |   9 +
 .../scheduler/fair/FSQueue.java               |  39 ++-
 .../scheduler/fair/FairScheduler.java         |   5 +-
 .../scheduler/fair/QueueManager.java          |  27 ++
 .../fair/TestAllocationFileLoaderService.java |  64 ++--
 .../scheduler/fair/TestFairScheduler.java     | 285 +++++++++++++++++-
 .../src/site/apt/FairScheduler.apt.vm         |  18 +-
 10 files changed, 474 insertions(+), 73 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index cb09c19568b..a6a1b9b30ba 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -58,6 +58,9 @@ Release 2.6.0 - UNRELEASED
     YARN-2393. FairScheduler: Add the notion of steady fair share. 
     (Wei Yan via kasha)
 
+    YARN-2395. FairScheduler: Preemption timeout should be configurable per 
+    queue. (Wei Yan via kasha)
+
   IMPROVEMENTS
 
     YARN-2197. Add a link to YARN CHANGES.txt in the left side of doc
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationConfiguration.java
index d4ba88faf14..228a761852a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationConfiguration.java
@@ -65,13 +65,10 @@ public class AllocationConfiguration {
   // preempt other jobs' tasks.
   private final Map<String, Long> minSharePreemptionTimeouts;
 
-  // Default min share preemption timeout for queues where it is not set
-  // explicitly.
-  private final long defaultMinSharePreemptionTimeout;
-
-  // Preemption timeout for jobs below fair share in seconds. If a job remains
-  // below half its fair share for this long, it is allowed to preempt tasks.
-  private final long fairSharePreemptionTimeout;
+  // Fair share preemption timeout for each queue in seconds. If a job in the
+  // queue waits this long without receiving its fair share threshold, it is
+  // allowed to preempt other jobs' tasks.
+  private final Map<String, Long> fairSharePreemptionTimeouts;
 
   private final Map<String, SchedulingPolicy> schedulingPolicies;
   
@@ -94,8 +91,8 @@ public AllocationConfiguration(Map<String, Resource> minQueueResources,
       Map<String, SchedulingPolicy> schedulingPolicies,
       SchedulingPolicy defaultSchedulingPolicy,
       Map<String, Long> minSharePreemptionTimeouts,
+      Map<String, Long> fairSharePreemptionTimeouts,
       Map<String, Map<QueueACL, AccessControlList>> queueAcls,
-      long fairSharePreemptionTimeout, long defaultMinSharePreemptionTimeout,
       QueuePlacementPolicy placementPolicy,
       Map<FSQueueType, Set<String>> configuredQueues) {
     this.minQueueResources = minQueueResources;
@@ -110,9 +107,8 @@ public AllocationConfiguration(Map<String, Resource> minQueueResources,
     this.defaultSchedulingPolicy = defaultSchedulingPolicy;
     this.schedulingPolicies = schedulingPolicies;
     this.minSharePreemptionTimeouts = minSharePreemptionTimeouts;
+    this.fairSharePreemptionTimeouts = fairSharePreemptionTimeouts;
     this.queueAcls = queueAcls;
-    this.fairSharePreemptionTimeout = fairSharePreemptionTimeout;
-    this.defaultMinSharePreemptionTimeout = defaultMinSharePreemptionTimeout;
     this.placementPolicy = placementPolicy;
     this.configuredQueues = configuredQueues;
   }
@@ -129,8 +125,7 @@ public AllocationConfiguration(Configuration conf) {
     queueMaxAMShareDefault = -1.0f;
     queueAcls = new HashMap<String, Map<QueueACL, AccessControlList>>();
     minSharePreemptionTimeouts = new HashMap<String, Long>();
-    defaultMinSharePreemptionTimeout = Long.MAX_VALUE;
-    fairSharePreemptionTimeout = Long.MAX_VALUE;
+    fairSharePreemptionTimeouts = new HashMap<String, Long>();
     schedulingPolicies = new HashMap<String, SchedulingPolicy>();
     defaultSchedulingPolicy = SchedulingPolicy.DEFAULT_POLICY;
     configuredQueues = new HashMap<FSQueueType, Set<String>>();
@@ -159,23 +154,22 @@ public AccessControlList getQueueAcl(String queue, QueueACL operation) {
   }
   
   /**
-   * Get a queue's min share preemption timeout, in milliseconds. This is the
-   * time after which jobs in the queue may kill other queues' tasks if they
-   * are below their min share.
+   * Get a queue's min share preemption timeout configured in the allocation
+   * file, in milliseconds. Return -1 if not set.
    */
   public long getMinSharePreemptionTimeout(String queueName) {
     Long minSharePreemptionTimeout = minSharePreemptionTimeouts.get(queueName);
-    return (minSharePreemptionTimeout == null) ? defaultMinSharePreemptionTimeout
-        : minSharePreemptionTimeout;
+    return (minSharePreemptionTimeout == null) ? -1 : minSharePreemptionTimeout;
   }
-  
+
   /**
-   * Get the fair share preemption, in milliseconds. This is the time
-   * after which any job may kill other jobs' tasks if it is below half
-   * its fair share.
+   * Get a queue's fair share preemption timeout configured in the allocation
+   * file, in milliseconds. Return -1 if not set.
    */
-  public long getFairSharePreemptionTimeout() {
-    return fairSharePreemptionTimeout;
+  public long getFairSharePreemptionTimeout(String queueName) {
+    Long fairSharePreemptionTimeout = fairSharePreemptionTimeouts.get(queueName);
+    return (fairSharePreemptionTimeout == null) ?
+        -1 : fairSharePreemptionTimeout;
   }
   
   public ResourceWeights getQueueWeight(String queue) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java
index 4cc88c140d4..970ee9956de 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java
@@ -217,27 +217,28 @@ public synchronized void reloadAllocations() throws IOException,
     Map<String, ResourceWeights> queueWeights = new HashMap<String, ResourceWeights>();
     Map<String, SchedulingPolicy> queuePolicies = new HashMap<String, SchedulingPolicy>();
     Map<String, Long> minSharePreemptionTimeouts = new HashMap<String, Long>();
+    Map<String, Long> fairSharePreemptionTimeouts = new HashMap<String, Long>();
     Map<String, Map<QueueACL, AccessControlList>> queueAcls =
         new HashMap<String, Map<QueueACL, AccessControlList>>();
     int userMaxAppsDefault = Integer.MAX_VALUE;
     int queueMaxAppsDefault = Integer.MAX_VALUE;
     float queueMaxAMShareDefault = -1.0f;
-    long fairSharePreemptionTimeout = Long.MAX_VALUE;
+    long defaultFairSharePreemptionTimeout = Long.MAX_VALUE;
     long defaultMinSharePreemptionTimeout = Long.MAX_VALUE;
     SchedulingPolicy defaultSchedPolicy = SchedulingPolicy.DEFAULT_POLICY;
-    
+
     QueuePlacementPolicy newPlacementPolicy = null;
 
     // Remember all queue names so we can display them on web UI, etc.
     // configuredQueues is segregated based on whether it is a leaf queue
     // or a parent queue. This information is used for creating queues
     // and also for making queue placement decisions(QueuePlacementRule.java).
-    Map<FSQueueType, Set<String>> configuredQueues = 
+    Map<FSQueueType, Set<String>> configuredQueues =
         new HashMap<FSQueueType, Set<String>>();
     for (FSQueueType queueType : FSQueueType.values()) {
       configuredQueues.put(queueType, new HashSet<String>());
     }
-   
+
     // Read and parse the allocations file.
     DocumentBuilderFactory docBuilderFactory =
       DocumentBuilderFactory.newInstance();
@@ -276,10 +277,16 @@ public synchronized void reloadAllocations() throws IOException,
           String text = ((Text)element.getFirstChild()).getData().trim();
           int val = Integer.parseInt(text);
           userMaxAppsDefault = val;
-        } else if ("fairSharePreemptionTimeout".equals(element.getTagName())) {
+        } else if ("defaultFairSharePreemptionTimeout".equals(element.getTagName())) {
           String text = ((Text)element.getFirstChild()).getData().trim();
           long val = Long.parseLong(text) * 1000L;
-          fairSharePreemptionTimeout = val;
+          defaultFairSharePreemptionTimeout = val;
+        } else if ("fairSharePreemptionTimeout".equals(element.getTagName())) {
+          if (defaultFairSharePreemptionTimeout == Long.MAX_VALUE) {
+            String text = ((Text)element.getFirstChild()).getData().trim();
+            long val = Long.parseLong(text) * 1000L;
+            defaultFairSharePreemptionTimeout = val;
+          }
         } else if ("defaultMinSharePreemptionTimeout".equals(element.getTagName())) {
           String text = ((Text)element.getFirstChild()).getData().trim();
           long val = Long.parseLong(text) * 1000L;
@@ -304,7 +311,7 @@ public synchronized void reloadAllocations() throws IOException,
         }
       }
     }
-    
+
     // Load queue elements.  A root queue can either be included or omitted.  If
     // it's included, all other queues must be inside it.
     for (Element element : queueElements) {
@@ -318,10 +325,10 @@ public synchronized void reloadAllocations() throws IOException,
       }
       loadQueue(parent, element, minQueueResources, maxQueueResources,
           queueMaxApps, userMaxApps, queueMaxAMShares, queueWeights,
-          queuePolicies, minSharePreemptionTimeouts, queueAcls,
-          configuredQueues);
+          queuePolicies, minSharePreemptionTimeouts, fairSharePreemptionTimeouts,
+          queueAcls, configuredQueues);
     }
-    
+
     // Load placement policy and pass it configured queues
     Configuration conf = getConfig();
     if (placementPolicyElement != null) {
@@ -331,11 +338,22 @@ public synchronized void reloadAllocations() throws IOException,
       newPlacementPolicy = QueuePlacementPolicy.fromConfiguration(conf,
           configuredQueues);
     }
-    
-    AllocationConfiguration info = new AllocationConfiguration(minQueueResources, maxQueueResources,
-        queueMaxApps, userMaxApps, queueWeights, queueMaxAMShares, userMaxAppsDefault,
-        queueMaxAppsDefault, queueMaxAMShareDefault, queuePolicies, defaultSchedPolicy, minSharePreemptionTimeouts,
-        queueAcls, fairSharePreemptionTimeout, defaultMinSharePreemptionTimeout,
+
+    // Set the min/fair share preemption timeout for the root queue
+    if (!minSharePreemptionTimeouts.containsKey(QueueManager.ROOT_QUEUE)){
+      minSharePreemptionTimeouts.put(QueueManager.ROOT_QUEUE,
+          defaultMinSharePreemptionTimeout);
+    }
+    if (!fairSharePreemptionTimeouts.containsKey(QueueManager.ROOT_QUEUE)) {
+      fairSharePreemptionTimeouts.put(QueueManager.ROOT_QUEUE,
+          defaultFairSharePreemptionTimeout);
+    }
+
+    AllocationConfiguration info = new AllocationConfiguration(minQueueResources,
+        maxQueueResources, queueMaxApps, userMaxApps, queueWeights,
+        queueMaxAMShares, userMaxAppsDefault, queueMaxAppsDefault,
+        queueMaxAMShareDefault, queuePolicies, defaultSchedPolicy,
+        minSharePreemptionTimeouts, fairSharePreemptionTimeouts, queueAcls,
         newPlacementPolicy, configuredQueues);
     
     lastSuccessfulReload = clock.getTime();
@@ -353,6 +371,7 @@ private void loadQueue(String parentName, Element element, Map<String, Resource>
       Map<String, ResourceWeights> queueWeights,
       Map<String, SchedulingPolicy> queuePolicies,
       Map<String, Long> minSharePreemptionTimeouts,
+      Map<String, Long> fairSharePreemptionTimeouts,
       Map<String, Map<QueueACL, AccessControlList>> queueAcls, 
       Map<FSQueueType, Set<String>> configuredQueues) 
       throws AllocationConfigurationException {
@@ -395,6 +414,10 @@ private void loadQueue(String parentName, Element element, Map<String, Resource>
         String text = ((Text)field.getFirstChild()).getData().trim();
         long val = Long.parseLong(text) * 1000L;
         minSharePreemptionTimeouts.put(queueName, val);
+      } else if ("fairSharePreemptionTimeout".equals(field.getTagName())) {
+        String text = ((Text)field.getFirstChild()).getData().trim();
+        long val = Long.parseLong(text) * 1000L;
+        fairSharePreemptionTimeouts.put(queueName, val);
       } else if ("schedulingPolicy".equals(field.getTagName())
           || "schedulingMode".equals(field.getTagName())) {
         String text = ((Text)field.getFirstChild()).getData().trim();
@@ -410,8 +433,8 @@ private void loadQueue(String parentName, Element element, Map<String, Resource>
           "pool".equals(field.getTagName())) {
         loadQueue(queueName, field, minQueueResources, maxQueueResources,
             queueMaxApps, userMaxApps, queueMaxAMShares, queueWeights,
-            queuePolicies, minSharePreemptionTimeouts, queueAcls,
-            configuredQueues);
+            queuePolicies, minSharePreemptionTimeouts,
+            fairSharePreemptionTimeouts, queueAcls, configuredQueues);
         configuredQueues.get(FSQueueType.PARENT).add(queueName);
         isLeaf = false;
       }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java
index 26a706c7f03..1209970eccf 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java
@@ -77,6 +77,15 @@ public void recomputeSteadyShares() {
     }
   }
 
+  @Override
+  public void updatePreemptionTimeouts() {
+    super.updatePreemptionTimeouts();
+    // For child queues
+    for (FSQueue childQueue : childQueues) {
+      childQueue.updatePreemptionTimeouts();
+    }
+  }
+
   @Override
   public Resource getDemand() {
     return demand;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
index 00f0795e1da..b9fcc4bbd97 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java
@@ -52,6 +52,9 @@ public abstract class FSQueue implements Queue, Schedulable {
   
   protected SchedulingPolicy policy = SchedulingPolicy.DEFAULT_POLICY;
 
+  private long fairSharePreemptionTimeout = Long.MAX_VALUE;
+  private long minSharePreemptionTimeout = Long.MAX_VALUE;
+
   public FSQueue(String name, FairScheduler scheduler, FSParentQueue parent) {
     this.name = name;
     this.scheduler = scheduler;
@@ -166,13 +169,47 @@ public void setSteadyFairShare(Resource steadyFairShare) {
   public boolean hasAccess(QueueACL acl, UserGroupInformation user) {
     return scheduler.getAllocationConfiguration().hasAccess(name, acl, user);
   }
-  
+
+  public long getFairSharePreemptionTimeout() {
+    return fairSharePreemptionTimeout;
+  }
+
+  public void setFairSharePreemptionTimeout(long fairSharePreemptionTimeout) {
+    this.fairSharePreemptionTimeout = fairSharePreemptionTimeout;
+  }
+
+  public long getMinSharePreemptionTimeout() {
+    return minSharePreemptionTimeout;
+  }
+
+  public void setMinSharePreemptionTimeout(long minSharePreemptionTimeout) {
+    this.minSharePreemptionTimeout = minSharePreemptionTimeout;
+  }
+
   /**
    * Recomputes the shares for all child queues and applications based on this
    * queue's current share
    */
   public abstract void recomputeShares();
 
+  /**
+   * Update the min/fair share preemption timeouts for this queue.
+   */
+  public void updatePreemptionTimeouts() {
+    // For min share
+    minSharePreemptionTimeout = scheduler.getAllocationConfiguration()
+        .getMinSharePreemptionTimeout(getName());
+    if (minSharePreemptionTimeout == -1 && parent != null) {
+      minSharePreemptionTimeout = parent.getMinSharePreemptionTimeout();
+    }
+    // For fair share
+    fairSharePreemptionTimeout = scheduler.getAllocationConfiguration()
+        .getFairSharePreemptionTimeout(getName());
+    if (fairSharePreemptionTimeout == -1 && parent != null) {
+      fairSharePreemptionTimeout = parent.getFairSharePreemptionTimeout();
+    }
+  }
+
   /**
    * Gets the children of this queue, if any.
    */
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
index 6932a315959..2798b8d5f3e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java
@@ -506,9 +506,8 @@ protected void warnOrKillContainer(RMContainer container) {
    * identical for some reason).
    */
   protected Resource resToPreempt(FSLeafQueue sched, long curTime) {
-    String queue = sched.getName();
-    long minShareTimeout = allocConf.getMinSharePreemptionTimeout(queue);
-    long fairShareTimeout = allocConf.getFairSharePreemptionTimeout();
+    long minShareTimeout = sched.getMinSharePreemptionTimeout();
+    long fairShareTimeout = sched.getFairSharePreemptionTimeout();
     Resource resDueToMinShare = Resources.none();
     Resource resDueToFairShare = Resources.none();
     if (curTime - sched.getLastTimeAtMinShare() > minShareTimeout) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/QueueManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/QueueManager.java
index 490ba686598..2444ba422d1 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/QueueManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/QueueManager.java
@@ -181,6 +181,7 @@ private FSQueue createQueue(String name, FSQueueType queueType) {
         parent.addChildQueue(leafQueue);
         queues.put(leafQueue.getName(), leafQueue);
         leafQueues.add(leafQueue);
+        setPreemptionTimeout(leafQueue, parent, queueConf);
         return leafQueue;
       } else {
         FSParentQueue newParent = new FSParentQueue(queueName, scheduler, parent);
@@ -192,6 +193,7 @@ private FSQueue createQueue(String name, FSQueueType queueType) {
         }
         parent.addChildQueue(newParent);
         queues.put(newParent.getName(), newParent);
+        setPreemptionTimeout(newParent, parent, queueConf);
         parent = newParent;
       }
     }
@@ -199,6 +201,29 @@ private FSQueue createQueue(String name, FSQueueType queueType) {
     return parent;
   }
 
+  /**
+   * Set the min/fair share preemption timeouts for the given queue.
+   * If the timeout is configured in the allocation file, the queue will use
+   * that value; otherwise, the queue inherits the value from its parent queue.
+   */
+  private void setPreemptionTimeout(FSQueue queue,
+      FSParentQueue parentQueue, AllocationConfiguration queueConf) {
+    // For min share
+    long minSharePreemptionTimeout =
+        queueConf.getMinSharePreemptionTimeout(queue.getQueueName());
+    if (minSharePreemptionTimeout == -1) {
+      minSharePreemptionTimeout = parentQueue.getMinSharePreemptionTimeout();
+    }
+    queue.setMinSharePreemptionTimeout(minSharePreemptionTimeout);
+    // For fair share
+    long fairSharePreemptionTimeout =
+        queueConf.getFairSharePreemptionTimeout(queue.getQueueName());
+    if (fairSharePreemptionTimeout == -1) {
+      fairSharePreemptionTimeout = parentQueue.getFairSharePreemptionTimeout();
+    }
+    queue.setFairSharePreemptionTimeout(fairSharePreemptionTimeout);
+  }
+
   /**
    * Make way for the given queue if possible, by removing incompatible
    * queues with no apps in them. Incompatibility could be due to
@@ -384,5 +409,7 @@ public void updateAllocationConfiguration(AllocationConfiguration queueConf) {
 
     // Update steady fair shares for all queues
     rootQueue.recomputeSteadyShares();
+    // Update the fair share preemption timeouts for all queues recursively
+    rootQueue.updatePreemptionTimeouts();
   }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java
index 2a4992c32ab..14b3111c07f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java
@@ -186,9 +186,14 @@ public void testAllocationFileParsing() throws Exception {
     //Make queue F a parent queue without configured leaf queues using the 'type' attribute
     out.println("<queue name=\"queueF\" type=\"parent\" >");
     out.println("</queue>");
-    //Create hierarchical queues G,H
+    // Create hierarchical queues G,H, with different min/fair share preemption
+    // timeouts
     out.println("<queue name=\"queueG\">");
+    out.println("<fairSharePreemptionTimeout>120</fairSharePreemptionTimeout>");
+    out.println("<minSharePreemptionTimeout>50</minSharePreemptionTimeout>");
     out.println("   <queue name=\"queueH\">");
+    out.println("   <fairSharePreemptionTimeout>180</fairSharePreemptionTimeout>");
+    out.println("   <minSharePreemptionTimeout>40</minSharePreemptionTimeout>");
     out.println("   </queue>");
     out.println("</queue>");
     // Set default limit of apps per queue to 15
@@ -204,8 +209,8 @@ public void testAllocationFileParsing() throws Exception {
     // Set default min share preemption timeout to 2 minutes
     out.println("<defaultMinSharePreemptionTimeout>120"
         + "</defaultMinSharePreemptionTimeout>");
-    // Set fair share preemption timeout to 5 minutes
-    out.println("<fairSharePreemptionTimeout>300</fairSharePreemptionTimeout>");
+    // Set default fair share preemption timeout to 5 minutes
+    out.println("<defaultFairSharePreemptionTimeout>300</defaultFairSharePreemptionTimeout>");
     // Set default scheduling policy to DRF
     out.println("<defaultQueueSchedulingPolicy>drf</defaultQueueSchedulingPolicy>");
     out.println("</allocations>");
@@ -270,16 +275,30 @@ public void testAllocationFileParsing() throws Exception {
     assertEquals("alice,bob admins", queueConf.getQueueAcl("root.queueC",
         QueueACL.SUBMIT_APPLICATIONS).getAclString());
 
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root." + 
+    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root"));
+    assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root." +
         YarnConfiguration.DEFAULT_QUEUE_NAME));
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root.queueA"));
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root.queueB"));
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root.queueC"));
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root.queueD"));
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root.queueA"));
+    assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root.queueA"));
+    assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root.queueB"));
+    assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root.queueC"));
+    assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root.queueD"));
     assertEquals(60000, queueConf.getMinSharePreemptionTimeout("root.queueE"));
-    assertEquals(300000, queueConf.getFairSharePreemptionTimeout());
-    
+    assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root.queueF"));
+    assertEquals(50000, queueConf.getMinSharePreemptionTimeout("root.queueG"));
+    assertEquals(40000, queueConf.getMinSharePreemptionTimeout("root.queueG.queueH"));
+
+    assertEquals(300000, queueConf.getFairSharePreemptionTimeout("root"));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root." +
+        YarnConfiguration.DEFAULT_QUEUE_NAME));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root.queueA"));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root.queueB"));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root.queueC"));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root.queueD"));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root.queueE"));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root.queueF"));
+    assertEquals(120000, queueConf.getFairSharePreemptionTimeout("root.queueG"));
+    assertEquals(180000, queueConf.getFairSharePreemptionTimeout("root.queueG.queueH"));
+
     assertTrue(queueConf.getConfiguredQueues()
         .get(FSQueueType.PARENT)
         .contains("root.queueF"));
@@ -393,16 +412,23 @@ public void testBackwardsCompatibleAllocationFileParsing() throws Exception {
     assertEquals("alice,bob admins", queueConf.getQueueAcl("root.queueC",
         QueueACL.SUBMIT_APPLICATIONS).getAclString());
 
-
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root." +
+    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root"));
+    assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root." +
         YarnConfiguration.DEFAULT_QUEUE_NAME));
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root.queueA"));
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root.queueB"));
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root.queueC"));
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root.queueD"));
-    assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root.queueA"));
+    assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root.queueA"));
+    assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root.queueB"));
+    assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root.queueC"));
+    assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root.queueD"));
     assertEquals(60000, queueConf.getMinSharePreemptionTimeout("root.queueE"));
-    assertEquals(300000, queueConf.getFairSharePreemptionTimeout());
+
+    assertEquals(300000, queueConf.getFairSharePreemptionTimeout("root"));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root." +
+        YarnConfiguration.DEFAULT_QUEUE_NAME));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root.queueA"));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root.queueB"));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root.queueC"));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root.queueD"));
+    assertEquals(-1, queueConf.getFairSharePreemptionTimeout("root.queueE"));
   }
   
   @Test
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
index 79e3184e79c..6e0127dad48 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairScheduler.java
@@ -1059,7 +1059,11 @@ public void testConfigureRootQueue() throws Exception {
     out.println("  <queue name=\"child2\">");
     out.println("    <minResources>1024mb,4vcores</minResources>");
     out.println("  </queue>");
+    out.println("  <fairSharePreemptionTimeout>100</fairSharePreemptionTimeout>");
+    out.println("  <minSharePreemptionTimeout>120</minSharePreemptionTimeout>");
     out.println("</queue>");
+    out.println("<defaultFairSharePreemptionTimeout>300</defaultFairSharePreemptionTimeout>");
+    out.println("<defaultMinSharePreemptionTimeout>200</defaultMinSharePreemptionTimeout>");
     out.println("</allocations>");
     out.close();
 
@@ -1073,6 +1077,9 @@ public void testConfigureRootQueue() throws Exception {
     
     assertNotNull(queueManager.getLeafQueue("child1", false));
     assertNotNull(queueManager.getLeafQueue("child2", false));
+
+    assertEquals(100000, root.getFairSharePreemptionTimeout());
+    assertEquals(120000, root.getMinSharePreemptionTimeout());
   }
   
   @Test (timeout = 5000)
@@ -1378,7 +1385,7 @@ public void testPreemptionIsNotDelayedToNextRound() throws Exception {
     out.println("<queue name=\"queueB\">");
     out.println("<weight>2</weight>");
     out.println("</queue>");
-    out.print("<fairSharePreemptionTimeout>10</fairSharePreemptionTimeout>");
+    out.print("<defaultFairSharePreemptionTimeout>10</defaultFairSharePreemptionTimeout>");
     out.println("</allocations>");
     out.close();
 
@@ -1462,7 +1469,7 @@ public void testPreemptionDecision() throws Exception {
     out.println("<minResources>1024mb,0vcores</minResources>");
     out.println("</queue>");
     out.print("<defaultMinSharePreemptionTimeout>5</defaultMinSharePreemptionTimeout>");
-    out.print("<fairSharePreemptionTimeout>10</fairSharePreemptionTimeout>");
+    out.print("<defaultFairSharePreemptionTimeout>10</defaultFairSharePreemptionTimeout>");
     out.println("</allocations>");
     out.close();
 
@@ -1489,7 +1496,6 @@ public void testPreemptionDecision() throws Exception {
     NodeAddedSchedulerEvent nodeEvent3 = new NodeAddedSchedulerEvent(node3);
     scheduler.handle(nodeEvent3);
 
-
     // Queue A and B each request three containers
     ApplicationAttemptId app1 =
         createSchedulingRequest(1 * 1024, "queueA", "user1", 1, 1);
@@ -1563,6 +1569,279 @@ public void testPreemptionDecision() throws Exception {
         1536, scheduler.resToPreempt(schedD, clock.getTime()).getMemory());
   }
 
+  @Test
+  /**
+   * Tests the various timing of decision to preempt tasks.
+   */
+  public void testPreemptionDecisionWithVariousTimeout() throws Exception {
+    conf.set(FairSchedulerConfiguration.ALLOCATION_FILE, ALLOC_FILE);
+    MockClock clock = new MockClock();
+    scheduler.setClock(clock);
+
+    PrintWriter out = new PrintWriter(new FileWriter(ALLOC_FILE));
+    out.println("<?xml version=\"1.0\"?>");
+    out.println("<allocations>");
+    out.println("<queue name=\"default\">");
+    out.println("<maxResources>0mb,0vcores</maxResources>");
+    out.println("</queue>");
+    out.println("<queue name=\"queueA\">");
+    out.println("<weight>1</weight>");
+    out.println("<minResources>1024mb,0vcores</minResources>");
+    out.println("</queue>");
+    out.println("<queue name=\"queueB\">");
+    out.println("<weight>2</weight>");
+    out.println("<minSharePreemptionTimeout>10</minSharePreemptionTimeout>");
+    out.println("<fairSharePreemptionTimeout>25</fairSharePreemptionTimeout>");
+    out.println("<queue name=\"queueB1\">");
+    out.println("<minResources>1024mb,0vcores</minResources>");
+    out.println("<minSharePreemptionTimeout>5</minSharePreemptionTimeout>");
+    out.println("</queue>");
+    out.println("<queue name=\"queueB2\">");
+    out.println("<minResources>1024mb,0vcores</minResources>");
+    out.println("<fairSharePreemptionTimeout>20</fairSharePreemptionTimeout>");
+    out.println("</queue>");
+    out.println("</queue>");
+    out.println("<queue name=\"queueC\">");
+    out.println("<weight>1</weight>");
+    out.println("<minResources>1024mb,0vcores</minResources>");
+    out.println("</queue>");
+    out.print("<defaultMinSharePreemptionTimeout>15</defaultMinSharePreemptionTimeout>");
+    out.print("<defaultFairSharePreemptionTimeout>30</defaultFairSharePreemptionTimeout>");
+    out.println("</allocations>");
+    out.close();
+
+    scheduler.init(conf);
+    scheduler.start();
+    scheduler.reinitialize(conf, resourceManager.getRMContext());
+
+    // Check the min/fair share preemption timeout for each queue
+    QueueManager queueMgr = scheduler.getQueueManager();
+    assertEquals(30000, queueMgr.getQueue("root")
+        .getFairSharePreemptionTimeout());
+    assertEquals(30000, queueMgr.getQueue("default")
+        .getFairSharePreemptionTimeout());
+    assertEquals(30000, queueMgr.getQueue("queueA")
+        .getFairSharePreemptionTimeout());
+    assertEquals(25000, queueMgr.getQueue("queueB")
+        .getFairSharePreemptionTimeout());
+    assertEquals(25000, queueMgr.getQueue("queueB.queueB1")
+        .getFairSharePreemptionTimeout());
+    assertEquals(20000, queueMgr.getQueue("queueB.queueB2")
+        .getFairSharePreemptionTimeout());
+    assertEquals(30000, queueMgr.getQueue("queueC")
+        .getFairSharePreemptionTimeout());
+    assertEquals(15000, queueMgr.getQueue("root")
+        .getMinSharePreemptionTimeout());
+    assertEquals(15000, queueMgr.getQueue("default")
+        .getMinSharePreemptionTimeout());
+    assertEquals(15000, queueMgr.getQueue("queueA")
+        .getMinSharePreemptionTimeout());
+    assertEquals(10000, queueMgr.getQueue("queueB")
+        .getMinSharePreemptionTimeout());
+    assertEquals(5000, queueMgr.getQueue("queueB.queueB1")
+        .getMinSharePreemptionTimeout());
+    assertEquals(10000, queueMgr.getQueue("queueB.queueB2")
+        .getMinSharePreemptionTimeout());
+    assertEquals(15000, queueMgr.getQueue("queueC")
+        .getMinSharePreemptionTimeout());
+
+    // Create one big node
+    RMNode node1 =
+        MockNodes.newNodeInfo(1, Resources.createResource(6 * 1024, 6), 1,
+            "127.0.0.1");
+    NodeAddedSchedulerEvent nodeEvent1 = new NodeAddedSchedulerEvent(node1);
+    scheduler.handle(nodeEvent1);
+
+    // Queue A takes all resources
+    for (int i = 0; i < 6; i ++) {
+      createSchedulingRequest(1 * 1024, "queueA", "user1", 1, 1);
+    }
+
+    scheduler.update();
+
+    // Sufficient node check-ins to fully schedule containers
+    NodeUpdateSchedulerEvent nodeUpdate1 = new NodeUpdateSchedulerEvent(node1);
+    for (int i = 0; i < 6; i++) {
+      scheduler.handle(nodeUpdate1);
+    }
+
+    // Now new requests arrive from queues B1, B2 and C
+    createSchedulingRequest(1 * 1024, "queueB.queueB1", "user1", 1, 1);
+    createSchedulingRequest(1 * 1024, "queueB.queueB1", "user1", 1, 2);
+    createSchedulingRequest(1 * 1024, "queueB.queueB1", "user1", 1, 3);
+    createSchedulingRequest(1 * 1024, "queueB.queueB2", "user1", 1, 1);
+    createSchedulingRequest(1 * 1024, "queueB.queueB2", "user1", 1, 2);
+    createSchedulingRequest(1 * 1024, "queueB.queueB2", "user1", 1, 3);
+    createSchedulingRequest(1 * 1024, "queueC", "user1", 1, 1);
+    createSchedulingRequest(1 * 1024, "queueC", "user1", 1, 2);
+    createSchedulingRequest(1 * 1024, "queueC", "user1", 1, 3);
+
+    scheduler.update();
+
+    FSLeafQueue queueB1 = queueMgr.getLeafQueue("queueB.queueB1", true);
+    FSLeafQueue queueB2 = queueMgr.getLeafQueue("queueB.queueB2", true);
+    FSLeafQueue queueC = queueMgr.getLeafQueue("queueC", true);
+
+    assertTrue(Resources.equals(
+        Resources.none(), scheduler.resToPreempt(queueB1, clock.getTime())));
+    assertTrue(Resources.equals(
+        Resources.none(), scheduler.resToPreempt(queueB2, clock.getTime())));
+    assertTrue(Resources.equals(
+        Resources.none(), scheduler.resToPreempt(queueC, clock.getTime())));
+
+    // After 5 seconds, queueB1 wants to preempt min share
+    scheduler.update();
+    clock.tick(6);
+    assertEquals(
+       1024, scheduler.resToPreempt(queueB1, clock.getTime()).getMemory());
+    assertEquals(
+        0, scheduler.resToPreempt(queueB2, clock.getTime()).getMemory());
+    assertEquals(
+        0, scheduler.resToPreempt(queueC, clock.getTime()).getMemory());
+
+    // After 10 seconds, queueB2 wants to preempt min share
+    scheduler.update();
+    clock.tick(5);
+    assertEquals(
+        1024, scheduler.resToPreempt(queueB1, clock.getTime()).getMemory());
+    assertEquals(
+        1024, scheduler.resToPreempt(queueB2, clock.getTime()).getMemory());
+    assertEquals(
+        0, scheduler.resToPreempt(queueC, clock.getTime()).getMemory());
+
+    // After 15 seconds, queueC wants to preempt min share
+    scheduler.update();
+    clock.tick(5);
+    assertEquals(
+        1024, scheduler.resToPreempt(queueB1, clock.getTime()).getMemory());
+    assertEquals(
+        1024, scheduler.resToPreempt(queueB2, clock.getTime()).getMemory());
+    assertEquals(
+        1024, scheduler.resToPreempt(queueC, clock.getTime()).getMemory());
+
+    // After 20 seconds, queueB2 should want to preempt fair share
+    scheduler.update();
+    clock.tick(5);
+    assertEquals(
+        1024, scheduler.resToPreempt(queueB1, clock.getTime()).getMemory());
+    assertEquals(
+        1536, scheduler.resToPreempt(queueB2, clock.getTime()).getMemory());
+    assertEquals(
+        1024, scheduler.resToPreempt(queueC, clock.getTime()).getMemory());
+
+    // After 25 seconds, queueB1 should want to preempt fair share
+    scheduler.update();
+    clock.tick(5);
+    assertEquals(
+        1536, scheduler.resToPreempt(queueB1, clock.getTime()).getMemory());
+    assertEquals(
+        1536, scheduler.resToPreempt(queueB2, clock.getTime()).getMemory());
+    assertEquals(
+        1024, scheduler.resToPreempt(queueC, clock.getTime()).getMemory());
+
+    // After 30 seconds, queueC should want to preempt fair share
+    scheduler.update();
+    clock.tick(5);
+    assertEquals(
+        1536, scheduler.resToPreempt(queueB1, clock.getTime()).getMemory());
+    assertEquals(
+        1536, scheduler.resToPreempt(queueB2, clock.getTime()).getMemory());
+    assertEquals(
+        1536, scheduler.resToPreempt(queueC, clock.getTime()).getMemory());
+  }
+
+  @Test
+  public void testBackwardsCompatiblePreemptionConfiguration() throws Exception {
+    conf.set(FairSchedulerConfiguration.ALLOCATION_FILE, ALLOC_FILE);
+    MockClock clock = new MockClock();
+    scheduler.setClock(clock);
+
+    PrintWriter out = new PrintWriter(new FileWriter(ALLOC_FILE));
+    out.println("<?xml version=\"1.0\"?>");
+    out.println("<allocations>");
+    out.println("<queue name=\"default\">");
+    out.println("</queue>");
+    out.println("<queue name=\"queueA\">");
+    out.println("</queue>");
+    out.println("<queue name=\"queueB\">");
+    out.println("<queue name=\"queueB1\">");
+    out.println("<minSharePreemptionTimeout>5</minSharePreemptionTimeout>");
+    out.println("</queue>");
+    out.println("<queue name=\"queueB2\">");
+    out.println("</queue>");
+    out.println("</queue>");
+    out.println("<queue name=\"queueC\">");
+    out.println("</queue>");
+    out.print("<defaultMinSharePreemptionTimeout>15</defaultMinSharePreemptionTimeout>");
+    out.print("<defaultFairSharePreemptionTimeout>30</defaultFairSharePreemptionTimeout>");
+    out.print("<fairSharePreemptionTimeout>40</fairSharePreemptionTimeout>");
+    out.println("</allocations>");
+    out.close();
+
+    scheduler.init(conf);
+    scheduler.start();
+    scheduler.reinitialize(conf, resourceManager.getRMContext());
+
+    // Check the min/fair share preemption timeout for each queue
+    QueueManager queueMgr = scheduler.getQueueManager();
+    assertEquals(30000, queueMgr.getQueue("root")
+        .getFairSharePreemptionTimeout());
+    assertEquals(30000, queueMgr.getQueue("default")
+        .getFairSharePreemptionTimeout());
+    assertEquals(30000, queueMgr.getQueue("queueA")
+        .getFairSharePreemptionTimeout());
+    assertEquals(30000, queueMgr.getQueue("queueB")
+        .getFairSharePreemptionTimeout());
+    assertEquals(30000, queueMgr.getQueue("queueB.queueB1")
+        .getFairSharePreemptionTimeout());
+    assertEquals(30000, queueMgr.getQueue("queueB.queueB2")
+        .getFairSharePreemptionTimeout());
+    assertEquals(30000, queueMgr.getQueue("queueC")
+        .getFairSharePreemptionTimeout());
+    assertEquals(15000, queueMgr.getQueue("root")
+        .getMinSharePreemptionTimeout());
+    assertEquals(15000, queueMgr.getQueue("default")
+        .getMinSharePreemptionTimeout());
+    assertEquals(15000, queueMgr.getQueue("queueA")
+        .getMinSharePreemptionTimeout());
+    assertEquals(15000, queueMgr.getQueue("queueB")
+        .getMinSharePreemptionTimeout());
+    assertEquals(5000, queueMgr.getQueue("queueB.queueB1")
+        .getMinSharePreemptionTimeout());
+    assertEquals(15000, queueMgr.getQueue("queueB.queueB2")
+        .getMinSharePreemptionTimeout());
+    assertEquals(15000, queueMgr.getQueue("queueC")
+        .getMinSharePreemptionTimeout());
+
+    // If both exist, we take the default one
+    out = new PrintWriter(new FileWriter(ALLOC_FILE));
+    out.println("<?xml version=\"1.0\"?>");
+    out.println("<allocations>");
+    out.println("<queue name=\"default\">");
+    out.println("</queue>");
+    out.println("<queue name=\"queueA\">");
+    out.println("</queue>");
+    out.println("<queue name=\"queueB\">");
+    out.println("<queue name=\"queueB1\">");
+    out.println("<minSharePreemptionTimeout>5</minSharePreemptionTimeout>");
+    out.println("</queue>");
+    out.println("<queue name=\"queueB2\">");
+    out.println("</queue>");
+    out.println("</queue>");
+    out.println("<queue name=\"queueC\">");
+    out.println("</queue>");
+    out.print("<defaultMinSharePreemptionTimeout>15</defaultMinSharePreemptionTimeout>");
+    out.print("<defaultFairSharePreemptionTimeout>25</defaultFairSharePreemptionTimeout>");
+    out.print("<fairSharePreemptionTimeout>30</fairSharePreemptionTimeout>");
+    out.println("</allocations>");
+    out.close();
+
+    scheduler.reinitialize(conf, resourceManager.getRMContext());
+
+    assertEquals(25000, queueMgr.getQueue("root")
+        .getFairSharePreemptionTimeout());
+  }
+
   @Test (timeout = 5000)
   public void testMultipleContainersWaitingForReservation() throws IOException {
     scheduler.init(conf);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/FairScheduler.apt.vm b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/FairScheduler.apt.vm
index a3edadeccc2..bd28bfff3f2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/FairScheduler.apt.vm
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/FairScheduler.apt.vm
@@ -271,6 +271,11 @@ Allocation file format
 
    * minSharePreemptionTimeout: number of seconds the queue is under its minimum share
      before it will try to preempt containers to take resources from other queues.
+     If not set, the queue will inherit the value from its parent queue.
+
+   * fairSharePreemptionTimeout: number of seconds the queue is under its fair share
+     threshold before it will try to preempt containers to take resources from other
+     queues. If not set, the queue will inherit the value from its parent queue.
 
  * <<User elements>>, which represent settings governing the behavior of individual 
      users. They can contain a single property: maxRunningApps, a limit on the 
@@ -279,14 +284,13 @@ Allocation file format
  * <<A userMaxAppsDefault element>>, which sets the default running app limit 
    for any users whose limit is not otherwise specified.
 
- * <<A fairSharePreemptionTimeout element>>, number of seconds a queue is under
-   its fair share before it will try to preempt containers to take resources from
-   other queues.
+ * <<A defaultFairSharePreemptionTimeout element>>, which sets the fair share
+   preemption timeout for the root queue; overridden by fairSharePreemptionTimeout
+   element in root queue.
 
- * <<A defaultMinSharePreemptionTimeout element>>, which sets the default number
-   of seconds the queue is under its minimum share before it will try to preempt
-   containers to take resources from other queues; overriden by
-   minSharePreemptionTimeout element in each queue if specified.
+ * <<A defaultMinSharePreemptionTimeout element>>, which sets the min share
+   preemption timeout for the root queue; overridden by minSharePreemptionTimeout
+   element in root queue.
 
  * <<A queueMaxAppsDefault element>>, which sets the default running app limit
    for queues; overriden by maxRunningApps element in each queue.

From 258c7d0f53fbdf4b0b9cae901701176e3e70c4fe Mon Sep 17 00:00:00 2001
From: Benoy Antony <benoy@apache.org>
Date: Sat, 30 Aug 2014 12:49:19 -0700
Subject: [PATCH 344/354] HADOOP-10833. Remove unused cache in UserProvider.
 (Benoy Antony)

---
 hadoop-common-project/hadoop-common/CHANGES.txt              | 2 ++
 .../java/org/apache/hadoop/security/alias/UserProvider.java  | 5 -----
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 3b44b8bebe2..f3ef49d242e 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -537,6 +537,8 @@ Release 2.6.0 - UNRELEASED
     schedules incoming calls and multiplexes outgoing calls. (Chris Li via
     Arpit Agarwal)
 
+    HADOOP-10833. Remove unused cache in UserProvider. (Benoy Antony)
+
   BUG FIXES
 
     HADOOP-10781. Unportable getgrouplist() usage breaks FreeBSD (Dmitry
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/UserProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/UserProvider.java
index 99d6d0060d8..262cbadd71a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/UserProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/UserProvider.java
@@ -21,9 +21,7 @@
 import java.io.IOException;
 import java.net.URI;
 import java.util.ArrayList;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
@@ -41,8 +39,6 @@ public class UserProvider extends CredentialProvider {
   public static final String SCHEME_NAME = "user";
   private final UserGroupInformation user;
   private final Credentials credentials;
-  private final Map<String, CredentialEntry> cache = new HashMap<String, 
-      CredentialEntry>();
 
   private UserProvider() throws IOException {
     user = UserGroupInformation.getCurrentUser();
@@ -86,7 +82,6 @@ public synchronized void deleteCredentialEntry(String name) throws IOException {
       throw new IOException("Credential " + name + 
           " does not exist in " + this);
     }
-    cache.remove(name);
   }
 
   @Override

From e1109fb65608a668cd53dc324dadc6f63a74eeb9 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Tue, 2 Sep 2014 10:10:06 -0700
Subject: [PATCH 345/354] HADOOP-11036. Add build directory to .gitignore
 (Tsuyoshi OZAWA via aw)

---
 .gitignore                                      | 1 +
 hadoop-common-project/hadoop-common/CHANGES.txt | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index 13b29ff20a3..db58f6af6a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@
 .project
 .settings
 target
+build
 hadoop-common-project/hadoop-kms/downloads/
 hadoop-hdfs-project/hadoop-hdfs/downloads
 hadoop-hdfs-project/hadoop-hdfs-httpfs/downloads
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index f3ef49d242e..3f735f8d493 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -727,6 +727,8 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10911. hadoop.auth cookie after HADOOP-10710 still not proper
     according to RFC2109. (gchanan via tucu)
 
+    HADOOP-11036. Add build directory to .gitignore (Tsuyoshi OZAWA via aw)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES

From 01e8f056d9b7245193e6050f9830ca058db02a6e Mon Sep 17 00:00:00 2001
From: Jason Lowe <jlowe@apache.org>
Date: Tue, 2 Sep 2014 18:15:38 +0000
Subject: [PATCH 346/354] HADOOP-11012. hadoop fs -text of zero-length file
 causes EOFException. Contributed by Eric Payne

---
 .../hadoop-common/CHANGES.txt                 |  3 +
 .../org/apache/hadoop/fs/shell/Display.java   | 12 ++-
 .../hadoop/fs/shell/TestTextCommand.java      | 77 ++++++++++++++-----
 3 files changed, 72 insertions(+), 20 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 3f735f8d493..e4883d5633e 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -729,6 +729,9 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-11036. Add build directory to .gitignore (Tsuyoshi OZAWA via aw)
 
+    HADOOP-11012. hadoop fs -text of zero-length file causes EOFException
+    (Eric Payne via jlowe)
+
 Release 2.5.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Display.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Display.java
index a72af7a01f9..d437a663f55 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Display.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Display.java
@@ -18,6 +18,7 @@
 package org.apache.hadoop.fs.shell;
 
 import java.io.ByteArrayOutputStream;
+import java.io.EOFException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.LinkedList;
@@ -126,8 +127,17 @@ public static class Text extends Cat {
     protected InputStream getInputStream(PathData item) throws IOException {
       FSDataInputStream i = (FSDataInputStream)super.getInputStream(item);
 
+      // Handle 0 and 1-byte files
+      short leadBytes;
+      try {
+        leadBytes = i.readShort();
+      } catch (EOFException e) {
+        i.seek(0);
+        return i;
+      }
+
       // Check type of stream first
-      switch(i.readShort()) {
+      switch(leadBytes) {
         case 0x1f8b: { // RFC 1952
           // Must be gzip
           i.seek(0);
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/shell/TestTextCommand.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/shell/TestTextCommand.java
index 0c8a6acf4a9..70a2f037b39 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/shell/TestTextCommand.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/shell/TestTextCommand.java
@@ -42,29 +42,14 @@ public class TestTextCommand {
     System.getProperty("test.build.data", "build/test/data/") + "/testText";
   private static final String AVRO_FILENAME =
     new Path(TEST_ROOT_DIR, "weather.avro").toUri().getPath();
+  private static final String TEXT_FILENAME =
+    new Path(TEST_ROOT_DIR, "testtextfile.txt").toUri().getPath();
 
   /**
    * Tests whether binary Avro data files are displayed correctly.
    */
   @Test (timeout = 30000)
   public void testDisplayForAvroFiles() throws Exception {
-    // Create a small Avro data file on the local file system.
-    createAvroFile(generateWeatherAvroBinaryData());
-
-    // Prepare and call the Text command's protected getInputStream method
-    // using reflection.
-    Configuration conf = new Configuration();
-    URI localPath = new URI(AVRO_FILENAME);
-    PathData pathData = new PathData(localPath, conf);
-    Display.Text text = new Display.Text();
-    text.setConf(conf);
-    Method method = text.getClass().getDeclaredMethod(
-      "getInputStream", PathData.class);
-    method.setAccessible(true);
-    InputStream stream = (InputStream) method.invoke(text, pathData);
-    String output = inputStreamToString(stream);
-
-    // Check the output.
     String expectedOutput =
       "{\"station\":\"011990-99999\",\"time\":-619524000000,\"temp\":0}" +
       System.getProperty("line.separator") +
@@ -77,18 +62,72 @@ public void testDisplayForAvroFiles() throws Exception {
       "{\"station\":\"012650-99999\",\"time\":-655509600000,\"temp\":78}" +
       System.getProperty("line.separator");
 
+    String output = readUsingTextCommand(AVRO_FILENAME,
+                                         generateWeatherAvroBinaryData());
     assertEquals(expectedOutput, output);
   }
 
+  /**
+   * Tests that a zero-length file is displayed correctly.
+   */
+  @Test (timeout = 30000)
+  public void testEmptyTextFil() throws Exception {
+    byte[] emptyContents = { };
+    String output = readUsingTextCommand(TEXT_FILENAME, emptyContents);
+    assertTrue("".equals(output));
+  }
+
+  /**
+   * Tests that a one-byte file is displayed correctly.
+   */
+  @Test (timeout = 30000)
+  public void testOneByteTextFil() throws Exception {
+    byte[] oneByteContents = { 'x' };
+    String output = readUsingTextCommand(TEXT_FILENAME, oneByteContents);
+    assertTrue(new String(oneByteContents).equals(output));
+  }
+
+  /**
+   * Tests that a one-byte file is displayed correctly.
+   */
+  @Test (timeout = 30000)
+  public void testTwoByteTextFil() throws Exception {
+    byte[] twoByteContents = { 'x', 'y' };
+    String output = readUsingTextCommand(TEXT_FILENAME, twoByteContents);
+    assertTrue(new String(twoByteContents).equals(output));
+  }
+
+  // Create a file on the local file system and read it using
+  // the Display.Text class.
+  private String readUsingTextCommand(String fileName, byte[] fileContents)
+          throws Exception {
+    createFile(fileName, fileContents);
+
+    // Prepare and call the Text command's protected getInputStream method
+    // using reflection.
+    Configuration conf = new Configuration();
+    URI localPath = new URI(fileName);
+    PathData pathData = new PathData(localPath, conf);
+    Display.Text text = new Display.Text() {
+      @Override
+      public InputStream getInputStream(PathData item) throws IOException {
+        return super.getInputStream(item);
+      }
+    };
+    text.setConf(conf);
+    InputStream stream = (InputStream) text.getInputStream(pathData);
+    return inputStreamToString(stream);
+  }
+
   private String inputStreamToString(InputStream stream) throws IOException {
     StringWriter writer = new StringWriter();
     IOUtils.copy(stream, writer);
     return writer.toString();
   }
 
-  private void createAvroFile(byte[] contents) throws IOException {
+  private void createFile(String fileName, byte[] contents) throws IOException {
     (new File(TEST_ROOT_DIR)).mkdir();
-    File file = new File(AVRO_FILENAME);
+    File file = new File(fileName);
     file.createNewFile();
     FileOutputStream stream = new FileOutputStream(file);
     stream.write(contents);

From bad5f38d47f5e93c21641931ac92595c71b05bd7 Mon Sep 17 00:00:00 2001
From: Brandon Li <brandonli@apache.org>
Date: Tue, 2 Sep 2014 11:27:28 -0700
Subject: [PATCH 347/354] HADOOP-10990. Add missed NFSv3 request and response
 classes. Contributed by Brandon Li

---
 .../hadoop-common/CHANGES.txt                 |  2 +
 .../hadoop/nfs/nfs3/Nfs3FileAttributes.java   | 14 ++-
 .../hadoop/nfs/nfs3/request/LINK3Request.java | 61 +++++++++++++
 .../nfs/nfs3/request/MKNOD3Request.java       | 89 +++++++++++++++++++
 .../nfs/nfs3/response/LINK3Response.java      | 54 +++++++++++
 .../nfs/nfs3/response/MKNOD3Response.java     | 68 ++++++++++++++
 6 files changed, 286 insertions(+), 2 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/LINK3Request.java
 create mode 100644 hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/MKNOD3Request.java
 create mode 100644 hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/LINK3Response.java
 create mode 100644 hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/MKNOD3Response.java

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 3f735f8d493..32de0880d73 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -485,6 +485,8 @@ Release 2.6.0 - UNRELEASED
     HADOOP-11030. Define a variable jackson.version instead of using constant 
     at multiple places. (Juan Yu via kasha)
 
+    HADOOP-10990. Add missed NFSv3 request and response classes (brandonli)
+
   OPTIMIZATIONS
 
     HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/Nfs3FileAttributes.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/Nfs3FileAttributes.java
index 9936b8d0ee7..47126d6a372 100644
--- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/Nfs3FileAttributes.java
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/Nfs3FileAttributes.java
@@ -53,9 +53,19 @@ public class Nfs3FileAttributes {
    * For Hadoop, currently this field is always zero.
    */
   public static class Specdata3 {
-    final static int specdata1 = 0;
-    final static int specdata2 = 0;
+    final int specdata1;
+    final int specdata2;
 
+    public Specdata3() {
+      specdata1 = 0;
+      specdata2 = 0;
+    }
+    
+    public Specdata3(int specdata1, int specdata2) {
+      this.specdata1 = specdata1;
+      this.specdata2 = specdata2;
+    }
+    
     public int getSpecdata1() {
       return specdata1;
     }
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/LINK3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/LINK3Request.java
new file mode 100644
index 00000000000..2e959f59f90
--- /dev/null
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/LINK3Request.java
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.nfs.nfs3.request;
+
+import java.io.IOException;
+
+import org.apache.hadoop.nfs.nfs3.FileHandle;
+import org.apache.hadoop.oncrpc.XDR;
+
+/**
+ * LINK3 Request
+ */
+public class LINK3Request extends RequestWithHandle {
+  private final FileHandle fromDirHandle;
+  private final String fromName;
+
+  public LINK3Request(FileHandle handle, FileHandle fromDirHandle,
+      String fromName) {
+    super(handle);
+    this.fromDirHandle = fromDirHandle;
+    this.fromName = fromName;
+  }
+
+  public static LINK3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    FileHandle fromDirHandle = readHandle(xdr);
+    String fromName = xdr.readString();
+    return new LINK3Request(handle, fromDirHandle, fromName);
+  }
+
+  public FileHandle getFromDirHandle() {
+    return fromDirHandle;
+  }
+
+  public String getFromName() {
+    return fromName;
+  }
+
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);
+    fromDirHandle.serialize(xdr);
+    xdr.writeInt(fromName.length());
+    xdr.writeFixedOpaque(fromName.getBytes(), fromName.length());
+  }
+}
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/MKNOD3Request.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/MKNOD3Request.java
new file mode 100644
index 00000000000..4a13f879ea3
--- /dev/null
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/request/MKNOD3Request.java
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.nfs.nfs3.request;
+
+import java.io.IOException;
+
+import org.apache.hadoop.nfs.NfsFileType;
+import org.apache.hadoop.nfs.nfs3.FileHandle;
+import org.apache.hadoop.nfs.nfs3.Nfs3FileAttributes.Specdata3;
+import org.apache.hadoop.oncrpc.XDR;
+
+/**
+ * MKNOD3 Request
+ */
+public class MKNOD3Request extends RequestWithHandle {
+  private final String name;
+  private int type;
+  private SetAttr3 objAttr = null;
+  private Specdata3 spec = null;
+
+  public MKNOD3Request(FileHandle handle, String name, int type,
+      SetAttr3 objAttr, Specdata3 spec) {
+    super(handle);
+    this.name = name;
+    this.type = type;
+    this.objAttr = objAttr;
+    this.spec = spec;
+  }
+
+  public static MKNOD3Request deserialize(XDR xdr) throws IOException {
+    FileHandle handle = readHandle(xdr);
+    String name = xdr.readString();
+    int type = xdr.readInt();
+    SetAttr3 objAttr =  new SetAttr3();
+    Specdata3 spec = null;
+    if (type == NfsFileType.NFSCHR.toValue()
+        || type == NfsFileType.NFSBLK.toValue()) {
+      objAttr.deserialize(xdr);
+      spec = new Specdata3(xdr.readInt(), xdr.readInt());
+    } else if (type == NfsFileType.NFSSOCK.toValue()
+        || type == NfsFileType.NFSFIFO.toValue()) {
+      objAttr.deserialize(xdr);
+    }
+    return new MKNOD3Request(handle, name, type, objAttr, spec);
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public int getType() {
+    return type;
+  }
+
+  public SetAttr3 getObjAttr() {
+    return objAttr;
+  }
+
+  public Specdata3 getSpec() {
+    return spec;
+  }
+
+  @Override
+  public void serialize(XDR xdr) {
+    handle.serialize(xdr);
+    xdr.writeInt(name.length());
+    xdr.writeFixedOpaque(name.getBytes(), name.length());
+    objAttr.serialize(xdr);
+    if (spec != null) {
+      xdr.writeInt(spec.getSpecdata1());
+      xdr.writeInt(spec.getSpecdata2());
+    }
+  }
+}
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/LINK3Response.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/LINK3Response.java
new file mode 100644
index 00000000000..834ee3ccd3d
--- /dev/null
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/LINK3Response.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.nfs.nfs3.response;
+
+import org.apache.hadoop.oncrpc.XDR;
+import org.apache.hadoop.oncrpc.security.Verifier;
+
+public class LINK3Response extends NFS3Response {
+  private final WccData fromDirWcc;
+  private final WccData linkDirWcc;
+  
+  public LINK3Response(int status) {
+    this(status, new WccData(null, null), new WccData(null, null));
+  }
+  
+  public LINK3Response(int status, WccData fromDirWcc,
+       WccData linkDirWcc) {
+    super(status);
+    this.fromDirWcc = fromDirWcc;
+    this.linkDirWcc = linkDirWcc;
+  }
+
+  public WccData getFromDirWcc() {
+    return fromDirWcc;
+  }
+
+  public WccData getLinkDirWcc() {
+    return linkDirWcc;
+  }
+
+  @Override
+  public XDR writeHeaderAndResponse(XDR out, int xid, Verifier verifier) {
+    super.writeHeaderAndResponse(out, xid, verifier);
+    fromDirWcc.serialize(out);
+    linkDirWcc.serialize(out);
+    
+    return out;
+  }
+}
diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/MKNOD3Response.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/MKNOD3Response.java
new file mode 100644
index 00000000000..292094ebb3e
--- /dev/null
+++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/MKNOD3Response.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.nfs.nfs3.response;
+
+import org.apache.hadoop.nfs.nfs3.FileHandle;
+import org.apache.hadoop.nfs.nfs3.Nfs3FileAttributes;
+import org.apache.hadoop.nfs.nfs3.Nfs3Status;
+import org.apache.hadoop.oncrpc.XDR;
+import org.apache.hadoop.oncrpc.security.Verifier;
+
+public class MKNOD3Response extends NFS3Response {
+  private final FileHandle objFileHandle;
+  private final Nfs3FileAttributes objPostOpAttr;
+  private final WccData dirWcc;
+  
+  public MKNOD3Response(int status) {
+    this(status, null, null, new WccData(null, null));
+  }
+  
+  public MKNOD3Response(int status, FileHandle handle,
+      Nfs3FileAttributes attrs, WccData dirWcc) {
+    super(status);
+    this.objFileHandle = handle;
+    this.objPostOpAttr = attrs;
+    this.dirWcc = dirWcc;
+  }
+  
+  public FileHandle getObjFileHandle() {
+    return objFileHandle;
+  }
+
+  public Nfs3FileAttributes getObjPostOpAttr() {
+    return objPostOpAttr;
+  }
+
+  public WccData getDirWcc() {
+    return dirWcc;
+  }
+
+  @Override
+  public XDR writeHeaderAndResponse(XDR out, int xid, Verifier verifier) {
+    super.writeHeaderAndResponse(out, xid, verifier);
+    if (this.getStatus() == Nfs3Status.NFS3_OK) {
+      out.writeBoolean(true);
+      objFileHandle.serialize(out);
+      out.writeBoolean(true);
+      objPostOpAttr.serialize(out);
+    }
+    dirWcc.serialize(out);
+    
+    return out;
+  }
+}

From e06d2e3c9811d14101ee3d27e101c2cfe54c823c Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Tue, 2 Sep 2014 12:02:29 -0700
Subject: [PATCH 348/354] HADOOP-11041. VersionInfo specifies subversion
 (Tsuyoshi OZAWA via aw)

---
 hadoop-common-project/hadoop-common/CHANGES.txt                | 2 ++
 .../src/main/java/org/apache/hadoop/util/VersionInfo.java      | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 8c978a8fa81..bc945854e97 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -127,6 +127,8 @@ Trunk (Unreleased)
 
     HADOOP-11013. CLASSPATH handling should be consolidated, debuggable (aw)
 
+    HADOOP-11041. VersionInfo specifies subversion (Tsuyoshi OZAWA via aw)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/VersionInfo.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/VersionInfo.java
index 9296d54912e..1d96d996fa3 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/VersionInfo.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/VersionInfo.java
@@ -170,7 +170,8 @@ public static String getProtocVersion(){
   public static void main(String[] args) {
     LOG.debug("version: "+ getVersion());
     System.out.println("Hadoop " + getVersion());
-    System.out.println("Subversion " + getUrl() + " -r " + getRevision());
+    System.out.println("Source code repository " + getUrl() + " -r " +
+        getRevision());
     System.out.println("Compiled by " + getUser() + " on " + getDate());
     System.out.println("Compiled with protoc " + getProtocVersion());
     System.out.println("From source with checksum " + getSrcChecksum());

From 59384dfb710f42d2a419c1b7db5a1a62a39be5f3 Mon Sep 17 00:00:00 2001
From: Steve Loughran <stevel@apache.org>
Date: Mon, 1 Sep 2014 18:20:47 +0100
Subject: [PATCH 349/354] HADOOP-10373 create tools/hadoop-amazon for aws/EMR
 support

---
 .../hadoop-common/CHANGES.txt                 |   2 +
 hadoop-project/pom.xml                        |   5 +
 .../dev-support/findbugs-exclude.xml          |  19 +++
 hadoop-tools/hadoop-aws/pom.xml               | 116 ++++++++++++++++++
 hadoop-tools/pom.xml                          |   1 +
 5 files changed, 143 insertions(+)
 create mode 100644 hadoop-tools/hadoop-aws/dev-support/findbugs-exclude.xml
 create mode 100644 hadoop-tools/hadoop-aws/pom.xml

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index bc945854e97..d73bf9a120f 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -129,6 +129,8 @@ Trunk (Unreleased)
 
     HADOOP-11041. VersionInfo specifies subversion (Tsuyoshi OZAWA via aw)
 
+    HADOOP-10373 create tools/hadoop-amazon for aws/EMR support (stevel)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index f48b092bdfb..76448cfcadc 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -572,6 +572,11 @@
         <artifactId>jets3t</artifactId>
         <version>0.9.0</version>
       </dependency>
+      <dependency>
+        <groupId>com.amazonaws</groupId>
+        <artifactId>aws-java-sdk</artifactId>
+        <version>1.7.2</version>
+      </dependency>
       <dependency>
         <groupId>org.apache.mina</groupId>
         <artifactId>mina-core</artifactId>
diff --git a/hadoop-tools/hadoop-aws/dev-support/findbugs-exclude.xml b/hadoop-tools/hadoop-aws/dev-support/findbugs-exclude.xml
new file mode 100644
index 00000000000..74e4923bf74
--- /dev/null
+++ b/hadoop-tools/hadoop-aws/dev-support/findbugs-exclude.xml
@@ -0,0 +1,19 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<FindBugsFilter>
+
+ </FindBugsFilter>
diff --git a/hadoop-tools/hadoop-aws/pom.xml b/hadoop-tools/hadoop-aws/pom.xml
new file mode 100644
index 00000000000..c01a33ddd41
--- /dev/null
+++ b/hadoop-tools/hadoop-aws/pom.xml
@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License. See accompanying LICENSE file.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.apache.hadoop</groupId>
+    <artifactId>hadoop-project</artifactId>
+    <version>3.0.0-SNAPSHOT</version>
+    <relativePath>../../hadoop-project</relativePath>
+  </parent>
+  <artifactId>hadoop-aws</artifactId>
+  <version>3.0.0-SNAPSHOT</version>
+  <name>Apache Hadoop Amazon Web Services support</name>
+  <description>
+    This module contains code to support integration with Amazon Web Services.
+    It also declares the dependencies needed to work with AWS services.
+  </description>
+  <packaging>jar</packaging>
+
+  <properties>
+    <file.encoding>UTF-8</file.encoding>
+    <downloadSources>true</downloadSources>
+  </properties>
+
+  <profiles>
+    <profile>
+      <id>tests-off</id>
+      <activation>
+        <file>
+          <missing>src/test/resources/auth-keys.xml</missing>
+        </file>
+      </activation>
+      <properties>
+        <maven.test.skip>true</maven.test.skip>
+      </properties>
+    </profile>
+    <profile>
+      <id>tests-on</id>
+      <activation>
+        <file>
+          <exists>src/test/resources/auth-keys.xml</exists>
+        </file>
+      </activation>
+      <properties>
+        <maven.test.skip>false</maven.test.skip>
+      </properties>
+    </profile>
+
+  </profiles>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>findbugs-maven-plugin</artifactId>
+        <configuration>
+          <findbugsXmlOutput>true</findbugsXmlOutput>
+          <xmlOutput>true</xmlOutput>
+          <excludeFilterFile>${basedir}/dev-support/findbugs-exclude.xml
+          </excludeFilterFile>
+          <effort>Max</effort>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-project-info-reports-plugin</artifactId>
+        <configuration>
+          <dependencyDetailsEnabled>false</dependencyDetailsEnabled>
+          <dependencyLocationsEnabled>false</dependencyLocationsEnabled>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-common</artifactId>
+      <scope>compile</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-common</artifactId>
+      <scope>compile</scope>
+      <type>test-jar</type>
+    </dependency>
+
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>aws-java-sdk</artifactId>
+      <scope>compile</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+  </dependencies>
+</project>
diff --git a/hadoop-tools/pom.xml b/hadoop-tools/pom.xml
index bed0f9b6a97..25f06e04051 100644
--- a/hadoop-tools/pom.xml
+++ b/hadoop-tools/pom.xml
@@ -43,6 +43,7 @@
     <module>hadoop-openstack</module>
     <module>hadoop-sls</module>
     <module>hadoop-azure</module>
+    <module>hadoop-aws</module>
   </modules>
 
   <build>

From 6595e92b6421e40105efc65032d0680fd2e39f3b Mon Sep 17 00:00:00 2001
From: Steve Loughran <stevel@apache.org>
Date: Tue, 2 Sep 2014 20:28:11 +0100
Subject: [PATCH 350/354] Fix
 hadoop-common-project/hadoop-common/src/main/native/README to current mail
 list and URL

---
 hadoop-common-project/hadoop-common/src/main/native/README | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/native/README b/hadoop-common-project/hadoop-common/src/main/native/README
index 8c5af78f0f2..3ad449537c0 100644
--- a/hadoop-common-project/hadoop-common/src/main/native/README
+++ b/hadoop-common-project/hadoop-common/src/main/native/README
@@ -1,10 +1,11 @@
 Package: libhadoop 
-Authors: Arun C Murthy <arunc@yahoo-inc.com> 
 
 MOTIVATION
 
-The libhadoop package contains the native code for any of hadoop (http://hadoop.apache.org/core). 
+The libhadoop package contains the native code for Apache Hadoop (http://hadoop.apache.org/). 
 
 IMPROVEMENTS
 
-Any suggestions for improvements or patched should be sent to core-dev@hadoop.apache.org. Please go through http://wiki.apache.org/hadoop/HowToContribute for more information on how to contribute.
+Any suggestions for improvements or patched should be sent to common-dev@hadoop.apache.org. 
+
+Please see http://wiki.apache.org/hadoop/HowToContribute for more information on how to contribute.

From faa4455be512e070fa420084be8d1be5c72f3b08 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 2 Sep 2014 14:02:29 -0700
Subject: [PATCH 351/354] HDFS-6634. inotify in HDFS. Contributed by James
 Thomas.

---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   2 +
 .../dev-support/findbugsExcludeFile.xml       |   9 +
 hadoop-hdfs-project/hadoop-hdfs/pom.xml       |   1 +
 .../BookKeeperEditLogInputStream.java         |   5 +
 .../org/apache/hadoop/hdfs/DFSClient.java     |   9 +
 .../org/apache/hadoop/hdfs/DFSConfigKeys.java |   6 +
 .../hdfs/DFSInotifyEventInputStream.java      | 220 +++++++++
 .../hadoop/hdfs/DistributedFileSystem.java    |   9 +
 .../apache/hadoop/hdfs/client/HdfsAdmin.java  |  50 ++
 .../org/apache/hadoop/hdfs/inotify/Event.java | 452 ++++++++++++++++++
 .../hadoop/hdfs/inotify/EventsList.java       |  63 +++
 .../hdfs/inotify/MissingEventsException.java  |  54 +++
 .../hadoop/hdfs/protocol/ClientProtocol.java  |  18 +
 ...amenodeProtocolServerSideTranslatorPB.java |  25 +
 .../ClientNamenodeProtocolTranslatorPB.java   |  25 +
 .../hadoop/hdfs/protocolPB/PBHelper.java      | 245 ++++++++++
 .../qjournal/client/IPCLoggerChannel.java     |  78 ++-
 .../hadoop/hdfs/qjournal/server/Journal.java  |   3 +-
 .../namenode/EditLogBackupInputStream.java    |   5 +
 .../namenode/EditLogFileInputStream.java      |   5 +
 .../server/namenode/EditLogInputStream.java   |   6 +
 .../hdfs/server/namenode/FSEditLog.java       |  65 ++-
 .../server/namenode/FileJournalManager.java   |  16 +-
 .../InotifyFSEditLogOpTranslator.java         | 146 ++++++
 .../hdfs/server/namenode/JournalSet.java      |  38 +-
 .../server/namenode/NameNodeRpcServer.java    | 114 +++++
 .../namenode/RedundantEditLogInputStream.java |   5 +
 .../hdfs/server/namenode/TransferFsImage.java |   5 +-
 .../main/proto/ClientNamenodeProtocol.proto   |  20 +
 .../hadoop-hdfs/src/main/proto/inotify.proto  | 117 +++++
 .../src/main/resources/hdfs-default.xml       |  10 +
 .../hdfs/TestDFSInotifyEventInputStream.java  | 430 +++++++++++++++++
 .../hdfs/qjournal/MiniQJMHACluster.java       |   6 +-
 .../qjournal/client/TestQJMWithFaults.java    |   2 +-
 .../client/TestQuorumJournalManager.java      |   2 +-
 .../hdfs/server/namenode/TestEditLog.java     |   4 +
 36 files changed, 2213 insertions(+), 57 deletions(-)
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInotifyEventInputStream.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/Event.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/EventsList.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/MissingEventsException.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/InotifyFSEditLogOpTranslator.java
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/main/proto/inotify.proto
 create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStream.java

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 3184e68efe2..ecf67827d20 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -430,6 +430,8 @@ Release 2.6.0 - UNRELEASED
     HDFS-6774. Make FsDataset and DataStore support removing volumes. (Lei Xu
     via atm)
 
+    HDFS-6634. inotify in HDFS. (James Thomas via wang)
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/dev-support/findbugsExcludeFile.xml b/hadoop-hdfs-project/hadoop-hdfs/dev-support/findbugsExcludeFile.xml
index 29702d4bace..bbfb9e9599d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/dev-support/findbugsExcludeFile.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/dev-support/findbugsExcludeFile.xml
@@ -106,6 +106,15 @@
        <Field name="metrics" />
        <Bug pattern="IS2_INCONSISTENT_SYNC" />
      </Match>
+    <!--
+     We use a separate lock to protect modifications to journalSet so that
+     FSEditLog#selectInputStreams does not need to be a synchronized method.
+    -->
+    <Match>
+        <Class name="org.apache.hadoop.hdfs.server.namenode.FSEditLog" />
+        <Field name="journalSet" />
+        <Bug pattern="IS2_INCONSISTENT_SYNC" />
+    </Match>
      <!--
       This method isn't performance-critical and is much clearer to write as it's written.
       -->
diff --git a/hadoop-hdfs-project/hadoop-hdfs/pom.xml b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
index 81eae0ab510..2c4ddf64379 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/pom.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
@@ -309,6 +309,7 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
                   <include>fsimage.proto</include>
                   <include>hdfs.proto</include>
                   <include>encryption.proto</include>
+                  <include>inotify.proto</include>
                 </includes>
               </source>
               <output>${project.build.directory}/generated-sources/java</output>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/contrib/bkjournal/src/main/java/org/apache/hadoop/contrib/bkjournal/BookKeeperEditLogInputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/contrib/bkjournal/src/main/java/org/apache/hadoop/contrib/bkjournal/BookKeeperEditLogInputStream.java
index bd3ccd435c0..e2098ddee19 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/contrib/bkjournal/src/main/java/org/apache/hadoop/contrib/bkjournal/BookKeeperEditLogInputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/contrib/bkjournal/src/main/java/org/apache/hadoop/contrib/bkjournal/BookKeeperEditLogInputStream.java
@@ -168,6 +168,11 @@ public void setMaxOpSize(int maxOpSize) {
     reader.setMaxOpSize(maxOpSize);
   }
 
+  @Override
+  public boolean isLocalLog() {
+    return false;
+  }
+
   /**
    * Input stream implementation which can be used by 
    * FSEditLogOp.Reader
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index c49d210bf8d..ce0f133f349 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -2990,6 +2990,15 @@ public void checkAccess(String src, FsAction mode) throws IOException {
     }
   }
 
+  public DFSInotifyEventInputStream getInotifyEventStream() throws IOException {
+    return new DFSInotifyEventInputStream(namenode);
+  }
+
+  public DFSInotifyEventInputStream getInotifyEventStream(long lastReadTxid)
+      throws IOException {
+    return new DFSInotifyEventInputStream(namenode, lastReadTxid);
+  }
+
   @Override // RemotePeerFactory
   public Peer newConnectedPeer(InetSocketAddress addr,
       Token<BlockTokenIdentifier> blockToken, DatanodeID datanodeId)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
index 71a530ba181..7f96cf02b0d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
@@ -673,4 +673,10 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
    public static final String DFS_DATANODE_BLOCK_ID_LAYOUT_UPGRADE_THREADS_KEY =
        "dfs.datanode.block.id.layout.upgrade.threads";
    public static final int DFS_DATANODE_BLOCK_ID_LAYOUT_UPGRADE_THREADS = 12;
+
+  public static final String DFS_NAMENODE_INOTIFY_MAX_EVENTS_PER_RPC_KEY =
+      "dfs.namenode.inotify.max.events.per.rpc";
+  public static final int DFS_NAMENODE_INOTIFY_MAX_EVENTS_PER_RPC_DEFAULT =
+      1000;
+
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInotifyEventInputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInotifyEventInputStream.java
new file mode 100644
index 00000000000..73c5f55a43b
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSInotifyEventInputStream.java
@@ -0,0 +1,220 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs;
+
+import com.google.common.collect.Iterators;
+import com.google.common.util.concurrent.UncheckedExecutionException;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.hdfs.inotify.Event;
+import org.apache.hadoop.hdfs.inotify.EventsList;
+import org.apache.hadoop.hdfs.inotify.MissingEventsException;
+import org.apache.hadoop.hdfs.protocol.ClientProtocol;
+import org.apache.hadoop.util.Time;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.Iterator;
+import java.util.Random;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+/**
+ * Stream for reading inotify events. DFSInotifyEventInputStreams should not
+ * be shared among multiple threads.
+ */
+@InterfaceAudience.Public
+@InterfaceStability.Unstable
+public class DFSInotifyEventInputStream {
+  public static Logger LOG = LoggerFactory.getLogger(DFSInotifyEventInputStream
+      .class);
+
+  private final ClientProtocol namenode;
+  private Iterator<Event> it;
+  private long lastReadTxid;
+  /**
+   * The most recent txid the NameNode told us it has sync'ed -- helps us
+   * determine how far behind we are in the edit stream.
+   */
+  private long syncTxid;
+  /**
+   * Used to generate wait times in {@link DFSInotifyEventInputStream#take()}.
+   */
+  private Random rng = new Random();
+
+  private static final int INITIAL_WAIT_MS = 10;
+
+  DFSInotifyEventInputStream(ClientProtocol namenode) throws IOException {
+    this(namenode, namenode.getCurrentEditLogTxid()); // only consider new txn's
+  }
+
+  DFSInotifyEventInputStream(ClientProtocol namenode, long lastReadTxid)
+      throws IOException {
+    this.namenode = namenode;
+    this.it = Iterators.emptyIterator();
+    this.lastReadTxid = lastReadTxid;
+  }
+
+  /**
+   * Returns the next event in the stream or null if no new events are currently
+   * available.
+   *
+   * @throws IOException because of network error or edit log
+   * corruption. Also possible if JournalNodes are unresponsive in the
+   * QJM setting (even one unresponsive JournalNode is enough in rare cases),
+   * so catching this exception and retrying at least a few times is
+   * recommended.
+   * @throws MissingEventsException if we cannot return the next event in the
+   * stream because the data for the event (and possibly some subsequent events)
+   * has been deleted (generally because this stream is a very large number of
+   * events behind the current state of the NameNode). It is safe to continue
+   * reading from the stream after this exception is thrown -- the next
+   * available event will be returned.
+   */
+  public Event poll() throws IOException, MissingEventsException {
+    // need to keep retrying until the NN sends us the latest committed txid
+    if (lastReadTxid == -1) {
+      LOG.debug("poll(): lastReadTxid is -1, reading current txid from NN");
+      lastReadTxid = namenode.getCurrentEditLogTxid();
+      return null;
+    }
+    if (!it.hasNext()) {
+      EventsList el = namenode.getEditsFromTxid(lastReadTxid + 1);
+      if (el.getLastTxid() != -1) {
+        // we only want to set syncTxid when we were actually able to read some
+        // edits on the NN -- otherwise it will seem like edits are being
+        // generated faster than we can read them when the problem is really
+        // that we are temporarily unable to read edits
+        syncTxid = el.getSyncTxid();
+        it = el.getEvents().iterator();
+        long formerLastReadTxid = lastReadTxid;
+        lastReadTxid = el.getLastTxid();
+        if (el.getFirstTxid() != formerLastReadTxid + 1) {
+          throw new MissingEventsException(formerLastReadTxid + 1,
+              el.getFirstTxid());
+        }
+      } else {
+        LOG.debug("poll(): read no edits from the NN when requesting edits " +
+          "after txid {}", lastReadTxid);
+        return null;
+      }
+    }
+
+    if (it.hasNext()) { // can be empty if el.getLastTxid != -1 but none of the
+      // newly seen edit log ops actually got converted to events
+      return it.next();
+    } else {
+      return null;
+    }
+  }
+
+  /**
+   * Return a estimate of how many events behind the NameNode's current state
+   * this stream is. Clients should periodically call this method and check if
+   * its result is steadily increasing, which indicates that they are falling
+   * behind (i.e. events are being generated faster than the client is reading
+   * them). If a client falls too far behind events may be deleted before the
+   * client can read them.
+   * <p/>
+   * A return value of -1 indicates that an estimate could not be produced, and
+   * should be ignored. The value returned by this method is really only useful
+   * when compared to previous or subsequent returned values.
+   */
+  public long getEventsBehindEstimate() {
+    if (syncTxid == 0) {
+      return -1;
+    } else {
+      assert syncTxid >= lastReadTxid;
+      // this gives the difference between the last txid we have fetched to the
+      // client and syncTxid at the time we last fetched events from the
+      // NameNode
+      return syncTxid - lastReadTxid;
+    }
+  }
+
+  /**
+   * Returns the next event in the stream, waiting up to the specified amount of
+   * time for a new event. Returns null if a new event is not available at the
+   * end of the specified amount of time. The time before the method returns may
+   * exceed the specified amount of time by up to the time required for an RPC
+   * to the NameNode.
+   *
+   * @param time number of units of the given TimeUnit to wait
+   * @param tu the desired TimeUnit
+   * @throws IOException see {@link DFSInotifyEventInputStream#poll()}
+   * @throws MissingEventsException
+   * see {@link DFSInotifyEventInputStream#poll()}
+   * @throws InterruptedException if the calling thread is interrupted
+   */
+  public Event poll(long time, TimeUnit tu) throws IOException,
+      InterruptedException, MissingEventsException {
+    long initialTime = Time.monotonicNow();
+    long totalWait = TimeUnit.MILLISECONDS.convert(time, tu);
+    long nextWait = INITIAL_WAIT_MS;
+    Event next = null;
+    while ((next = poll()) == null) {
+      long timeLeft = totalWait - (Time.monotonicNow() - initialTime);
+      if (timeLeft <= 0) {
+        LOG.debug("timed poll(): timed out");
+        break;
+      } else if (timeLeft < nextWait * 2) {
+        nextWait = timeLeft;
+      } else {
+        nextWait *= 2;
+      }
+      LOG.debug("timed poll(): poll() returned null, sleeping for {} ms",
+          nextWait);
+      Thread.sleep(nextWait);
+    }
+
+    return next;
+  }
+
+  /**
+   * Returns the next event in the stream, waiting indefinitely if a new event
+   * is not immediately available.
+   *
+   * @throws IOException see {@link DFSInotifyEventInputStream#poll()}
+   * @throws MissingEventsException see
+   * {@link DFSInotifyEventInputStream#poll()}
+   * @throws InterruptedException if the calling thread is interrupted
+   */
+  public Event take() throws IOException, InterruptedException,
+      MissingEventsException {
+    Event next = null;
+    int nextWaitMin = INITIAL_WAIT_MS;
+    while ((next = poll()) == null) {
+      // sleep for a random period between nextWaitMin and nextWaitMin * 2
+      // to avoid stampedes at the NN if there are multiple clients
+      int sleepTime = nextWaitMin + rng.nextInt(nextWaitMin);
+      LOG.debug("take(): poll() returned null, sleeping for {} ms", sleepTime);
+      Thread.sleep(sleepTime);
+      // the maximum sleep is 2 minutes
+      nextWaitMin = Math.min(60000, nextWaitMin * 2);
+    }
+
+    return next;
+  }
+}
\ No newline at end of file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
index 354640b42b9..fc4bd84b2e2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
@@ -1940,4 +1940,13 @@ public Void next(final FileSystem fs, final Path p)
       }
     }.resolve(this, absF);
   }
+
+  public DFSInotifyEventInputStream getInotifyEventStream() throws IOException {
+    return dfs.getInotifyEventStream();
+  }
+
+  public DFSInotifyEventInputStream getInotifyEventStream(long lastReadTxid)
+      throws IOException {
+    return dfs.getInotifyEventStream(lastReadTxid);
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
index 1adfc1bfab0..fdc466a0658 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/client/HdfsAdmin.java
@@ -29,6 +29,7 @@
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.RemoteIterator;
+import org.apache.hadoop.hdfs.DFSInotifyEventInputStream;
 import org.apache.hadoop.hdfs.DistributedFileSystem;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveEntry;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveInfo;
@@ -275,4 +276,53 @@ public RemoteIterator<EncryptionZone> listEncryptionZones()
       throws IOException {
     return dfs.listEncryptionZones();
   }
+
+  /**
+   * Exposes a stream of namesystem events. Only events occurring after the
+   * stream is created are available.
+   * See {@link org.apache.hadoop.hdfs.DFSInotifyEventInputStream}
+   * for information on stream usage.
+   * See {@link org.apache.hadoop.hdfs.inotify.Event}
+   * for information on the available events.
+   * <p/>
+   * Inotify users may want to tune the following HDFS parameters to
+   * ensure that enough extra HDFS edits are saved to support inotify clients
+   * that fall behind the current state of the namespace while reading events.
+   * The default parameter values should generally be reasonable. If edits are
+   * deleted before their corresponding events can be read, clients will see a
+   * {@link org.apache.hadoop.hdfs.inotify.MissingEventsException} on
+   * {@link org.apache.hadoop.hdfs.DFSInotifyEventInputStream} method calls.
+   *
+   * It should generally be sufficient to tune these parameters:
+   * dfs.namenode.num.extra.edits.retained
+   * dfs.namenode.max.extra.edits.segments.retained
+   *
+   * Parameters that affect the number of created segments and the number of
+   * edits that are considered necessary, i.e. do not count towards the
+   * dfs.namenode.num.extra.edits.retained quota):
+   * dfs.namenode.checkpoint.period
+   * dfs.namenode.checkpoint.txns
+   * dfs.namenode.num.checkpoints.retained
+   * dfs.ha.log-roll.period
+   * <p/>
+   * It is recommended that local journaling be configured
+   * (dfs.namenode.edits.dir) for inotify (in addition to a shared journal)
+   * so that edit transfers from the shared journal can be avoided.
+   *
+   * @throws IOException If there was an error obtaining the stream.
+   */
+  public DFSInotifyEventInputStream getInotifyEventStream() throws IOException {
+    return dfs.getInotifyEventStream();
+  }
+
+  /**
+   * A version of {@link HdfsAdmin#getInotifyEventStream()} meant for advanced
+   * users who are aware of HDFS edits up to lastReadTxid (e.g. because they
+   * have access to an FSImage inclusive of lastReadTxid) and only want to read
+   * events after this point.
+   */
+  public DFSInotifyEventInputStream getInotifyEventStream(long lastReadTxid)
+      throws IOException {
+    return dfs.getInotifyEventStream(lastReadTxid);
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/Event.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/Event.java
new file mode 100644
index 00000000000..c7129ca324c
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/Event.java
@@ -0,0 +1,452 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.inotify;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.fs.XAttr;
+import org.apache.hadoop.fs.permission.AclEntry;
+import org.apache.hadoop.fs.permission.FsPermission;
+
+import java.util.List;
+
+/**
+ * Events sent by the inotify system. Note that no events are necessarily sent
+ * when a file is opened for read (although a MetadataUpdateEvent will be sent
+ * if the atime is updated).
+ */
+@InterfaceAudience.Public
+@InterfaceStability.Unstable
+public abstract class Event {
+  public static enum EventType {
+    CREATE, CLOSE, APPEND, RENAME, METADATA, UNLINK
+  }
+
+  private EventType eventType;
+
+  public EventType getEventType() {
+    return eventType;
+  }
+
+  public Event(EventType eventType) {
+    this.eventType = eventType;
+  }
+
+  /**
+   * Sent when a file is closed after append or create.
+   */
+  public static class CloseEvent extends Event {
+    private String path;
+    private long fileSize;
+    private long timestamp;
+
+    public CloseEvent(String path, long fileSize, long timestamp) {
+      super(EventType.CLOSE);
+      this.path = path;
+      this.fileSize = fileSize;
+      this.timestamp = timestamp;
+    }
+
+    public String getPath() {
+      return path;
+    }
+
+    /**
+     * The size of the closed file in bytes. May be -1 if the size is not
+     * available (e.g. in the case of a close generated by a concat operation).
+     */
+    public long getFileSize() {
+      return fileSize;
+    }
+
+    /**
+     * The time when this event occurred, in milliseconds since the epoch.
+     */
+    public long getTimestamp() {
+      return timestamp;
+    }
+  }
+
+  /**
+   * Sent when a new file is created (including overwrite).
+   */
+  public static class CreateEvent extends Event {
+
+    public static enum INodeType {
+      FILE, DIRECTORY, SYMLINK;
+    }
+
+    private INodeType iNodeType;
+    private String path;
+    private long ctime;
+    private int replication;
+    private String ownerName;
+    private String groupName;
+    private FsPermission perms;
+    private String symlinkTarget;
+
+    public static class Builder {
+      private INodeType iNodeType;
+      private String path;
+      private long ctime;
+      private int replication;
+      private String ownerName;
+      private String groupName;
+      private FsPermission perms;
+      private String symlinkTarget;
+
+      public Builder iNodeType(INodeType type) {
+        this.iNodeType = type;
+        return this;
+      }
+
+      public Builder path(String path) {
+        this.path = path;
+        return this;
+      }
+
+      public Builder ctime(long ctime) {
+        this.ctime = ctime;
+        return this;
+      }
+
+      public Builder replication(int replication) {
+        this.replication = replication;
+        return this;
+      }
+
+      public Builder ownerName(String ownerName) {
+        this.ownerName = ownerName;
+        return this;
+      }
+
+      public Builder groupName(String groupName) {
+        this.groupName = groupName;
+        return this;
+      }
+
+      public Builder perms(FsPermission perms) {
+        this.perms = perms;
+        return this;
+      }
+
+      public Builder symlinkTarget(String symlinkTarget) {
+        this.symlinkTarget = symlinkTarget;
+        return this;
+      }
+
+      public CreateEvent build() {
+        return new CreateEvent(this);
+      }
+    }
+
+    private CreateEvent(Builder b) {
+      super(EventType.CREATE);
+      this.iNodeType = b.iNodeType;
+      this.path = b.path;
+      this.ctime = b.ctime;
+      this.replication = b.replication;
+      this.ownerName = b.ownerName;
+      this.groupName = b.groupName;
+      this.perms = b.perms;
+      this.symlinkTarget = b.symlinkTarget;
+    }
+
+    public INodeType getiNodeType() {
+      return iNodeType;
+    }
+
+    public String getPath() {
+      return path;
+    }
+
+    /**
+     * Creation time of the file, directory, or symlink.
+     */
+    public long getCtime() {
+      return ctime;
+    }
+
+    /**
+     * Replication is zero if the CreateEvent iNodeType is directory or symlink.
+     */
+    public int getReplication() {
+      return replication;
+    }
+
+    public String getOwnerName() {
+      return ownerName;
+    }
+
+    public String getGroupName() {
+      return groupName;
+    }
+
+    public FsPermission getPerms() {
+      return perms;
+    }
+
+    /**
+     * Symlink target is null if the CreateEvent iNodeType is not symlink.
+     */
+    public String getSymlinkTarget() {
+      return symlinkTarget;
+    }
+  }
+
+  /**
+   * Sent when there is an update to directory or file (none of the metadata
+   * tracked here applies to symlinks) that is not associated with another
+   * inotify event. The tracked metadata includes atime/mtime, replication,
+   * owner/group, permissions, ACLs, and XAttributes. Fields not relevant to the
+   * metadataType of the MetadataUpdateEvent will be null or will have their default
+   * values.
+   */
+  public static class MetadataUpdateEvent extends Event {
+
+    public static enum MetadataType {
+      TIMES, REPLICATION, OWNER, PERMS, ACLS, XATTRS;
+    }
+
+    private String path;
+    private MetadataType metadataType;
+    private long mtime;
+    private long atime;
+    private int replication;
+    private String ownerName;
+    private String groupName;
+    private FsPermission perms;
+    private List<AclEntry> acls;
+    private List<XAttr> xAttrs;
+    private boolean xAttrsRemoved;
+
+    public static class Builder {
+      private String path;
+      private MetadataType metadataType;
+      private long mtime;
+      private long atime;
+      private int replication;
+      private String ownerName;
+      private String groupName;
+      private FsPermission perms;
+      private List<AclEntry> acls;
+      private List<XAttr> xAttrs;
+      private boolean xAttrsRemoved;
+
+      public Builder path(String path) {
+        this.path = path;
+        return this;
+      }
+
+      public Builder metadataType(MetadataType type) {
+        this.metadataType = type;
+        return this;
+      }
+
+      public Builder mtime(long mtime) {
+        this.mtime = mtime;
+        return this;
+      }
+
+      public Builder atime(long atime) {
+        this.atime = atime;
+        return this;
+      }
+
+      public Builder replication(int replication) {
+        this.replication = replication;
+        return this;
+      }
+
+      public Builder ownerName(String ownerName) {
+        this.ownerName = ownerName;
+        return this;
+      }
+
+      public Builder groupName(String groupName) {
+        this.groupName = groupName;
+        return this;
+      }
+
+      public Builder perms(FsPermission perms) {
+        this.perms = perms;
+        return this;
+      }
+
+      public Builder acls(List<AclEntry> acls) {
+        this.acls = acls;
+        return this;
+      }
+
+      public Builder xAttrs(List<XAttr> xAttrs) {
+        this.xAttrs = xAttrs;
+        return this;
+      }
+
+      public Builder xAttrsRemoved(boolean xAttrsRemoved) {
+        this.xAttrsRemoved = xAttrsRemoved;
+        return this;
+      }
+
+      public MetadataUpdateEvent build() {
+        return new MetadataUpdateEvent(this);
+      }
+    }
+
+    private MetadataUpdateEvent(Builder b) {
+      super(EventType.METADATA);
+      this.path = b.path;
+      this.metadataType = b.metadataType;
+      this.mtime = b.mtime;
+      this.atime = b.atime;
+      this.replication = b.replication;
+      this.ownerName = b.ownerName;
+      this.groupName = b.groupName;
+      this.perms = b.perms;
+      this.acls = b.acls;
+      this.xAttrs = b.xAttrs;
+      this.xAttrsRemoved = b.xAttrsRemoved;
+    }
+
+    public String getPath() {
+      return path;
+    }
+
+    public MetadataType getMetadataType() {
+      return metadataType;
+    }
+
+    public long getMtime() {
+      return mtime;
+    }
+
+    public long getAtime() {
+      return atime;
+    }
+
+    public int getReplication() {
+      return replication;
+    }
+
+    public String getOwnerName() {
+      return ownerName;
+    }
+
+    public String getGroupName() {
+      return groupName;
+    }
+
+    public FsPermission getPerms() {
+      return perms;
+    }
+
+    /**
+     * The full set of ACLs currently associated with this file or directory.
+     * May be null if all ACLs were removed.
+     */
+    public List<AclEntry> getAcls() {
+      return acls;
+    }
+
+    public List<XAttr> getxAttrs() {
+      return xAttrs;
+    }
+
+    /**
+     * Whether the xAttrs returned by getxAttrs() were removed (as opposed to
+     * added).
+     */
+    public boolean isxAttrsRemoved() {
+      return xAttrsRemoved;
+    }
+
+  }
+
+  /**
+   * Sent when a file, directory, or symlink is renamed.
+   */
+  public static class RenameEvent extends Event {
+    private String srcPath;
+    private String dstPath;
+    private long timestamp;
+
+    public RenameEvent(String srcPath, String dstPath, long timestamp) {
+      super(EventType.RENAME);
+      this.srcPath = srcPath;
+      this.dstPath = dstPath;
+      this.timestamp = timestamp;
+    }
+
+    public String getSrcPath() {
+      return srcPath;
+    }
+
+    public String getDstPath() {
+      return dstPath;
+    }
+
+    /**
+     * The time when this event occurred, in milliseconds since the epoch.
+     */
+    public long getTimestamp() {
+      return timestamp;
+    }
+  }
+
+  /**
+   * Sent when an existing file is opened for append.
+   */
+  public static class AppendEvent extends Event {
+    private String path;
+
+    public AppendEvent(String path) {
+      super(EventType.APPEND);
+      this.path = path;
+    }
+
+    public String getPath() {
+      return path;
+    }
+  }
+
+  /**
+   * Sent when a file, directory, or symlink is deleted.
+   */
+  public static class UnlinkEvent extends Event {
+    private String path;
+    private long timestamp;
+
+    public UnlinkEvent(String path, long timestamp) {
+      super(EventType.UNLINK);
+      this.path = path;
+      this.timestamp = timestamp;
+    }
+
+    public String getPath() {
+      return path;
+    }
+
+    /**
+     * The time when this event occurred, in milliseconds since the epoch.
+     */
+    public long getTimestamp() {
+      return timestamp;
+    }
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/EventsList.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/EventsList.java
new file mode 100644
index 00000000000..6d02d3c2980
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/EventsList.java
@@ -0,0 +1,63 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.inotify;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+
+import java.util.List;
+
+/**
+ * Contains a set of events, the transaction ID in the edit log up to which we
+ * read to produce these events, and the first txid we observed when producing
+ * these events (the last of which is for the purpose of determining whether we
+ * have missed events due to edit deletion). Also contains the most recent txid
+ * that the NameNode has sync'ed, so the client can determine how far behind in
+ * the edit log it is.
+ */
+@InterfaceAudience.Private
+public class EventsList {
+  private List<Event> events;
+  private long firstTxid;
+  private long lastTxid;
+  private long syncTxid;
+
+  public EventsList(List<Event> events, long firstTxid, long lastTxid,
+      long syncTxid) {
+    this.events = events;
+    this.firstTxid = firstTxid;
+    this.lastTxid = lastTxid;
+    this.syncTxid = syncTxid;
+  }
+
+  public List<Event> getEvents() {
+    return events;
+  }
+
+  public long getFirstTxid() {
+    return firstTxid;
+  }
+
+  public long getLastTxid() {
+    return lastTxid;
+  }
+
+  public long getSyncTxid() {
+    return syncTxid;
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/MissingEventsException.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/MissingEventsException.java
new file mode 100644
index 00000000000..e4b51c50c01
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/inotify/MissingEventsException.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.inotify;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public class MissingEventsException extends Exception {
+  private static final long serialVersionUID = 1L;
+
+  private long expectedTxid;
+  private long actualTxid;
+
+  public MissingEventsException() {}
+
+  public MissingEventsException(long expectedTxid, long actualTxid) {
+    this.expectedTxid = expectedTxid;
+    this.actualTxid = actualTxid;
+  }
+
+  public long getExpectedTxid() {
+    return expectedTxid;
+  }
+
+  public long getActualTxid() {
+    return actualTxid;
+  }
+
+  @Override
+  public String toString() {
+    return "We expected the next batch of events to start with transaction ID "
+        + expectedTxid + ", but it instead started with transaction ID " +
+        actualTxid + ". Most likely the intervening transactions were cleaned "
+        + "up as part of checkpointing.";
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
index ef0ac55dec2..093afcf80e9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
@@ -43,10 +43,13 @@
 import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.inotify.Event;
+import org.apache.hadoop.hdfs.inotify.EventsList;
 import org.apache.hadoop.hdfs.protocol.HdfsConstants.RollingUpgradeAction;
 import org.apache.hadoop.hdfs.security.token.block.DataEncryptionKey;
 import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
 import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSelector;
+import org.apache.hadoop.hdfs.server.namenode.FSEditLogOp;
 import org.apache.hadoop.hdfs.server.namenode.NotReplicatedYetException;
 import org.apache.hadoop.hdfs.server.namenode.SafeModeException;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
@@ -1372,4 +1375,19 @@ public List<XAttr> listXAttrs(String src)
    */
   @Idempotent
   public void checkAccess(String path, FsAction mode) throws IOException;
+
+  /**
+   * Get the highest txid the NameNode knows has been written to the edit
+   * log, or -1 if the NameNode's edit log is not yet open for write. Used as
+   * the starting point for the inotify event stream.
+   */
+  @Idempotent
+  public long getCurrentEditLogTxid() throws IOException;
+
+  /**
+   * Get an ordered list of events corresponding to the edit log transactions
+   * from txid onwards.
+   */
+  @Idempotent
+  public EventsList getEditsFromTxid(long txid) throws IOException;
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
index 40dd8f03381..a162ec54c3f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java
@@ -91,12 +91,16 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetBlockLocationsResponseProto.Builder;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetContentSummaryRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetContentSummaryResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetCurrentEditLogTxidRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetCurrentEditLogTxidResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDataEncryptionKeyRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDataEncryptionKeyResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeReportRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeReportResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeStorageReportRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeStorageReportResponseProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetEditsFromTxidRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetEditsFromTxidResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileInfoRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileInfoResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileLinkInfoRequestProto;
@@ -1408,4 +1412,25 @@ public CheckAccessResponseProto checkAccess(RpcController controller,
     }
     return VOID_CHECKACCESS_RESPONSE;
   }
+
+  public GetCurrentEditLogTxidResponseProto getCurrentEditLogTxid(RpcController controller,
+      GetCurrentEditLogTxidRequestProto req) throws ServiceException {
+    try {
+      return GetCurrentEditLogTxidResponseProto.newBuilder().setTxid(
+          server.getCurrentEditLogTxid()).build();
+    } catch (IOException e) {
+      throw new ServiceException(e);
+    }
+  }
+
+  @Override
+  public GetEditsFromTxidResponseProto getEditsFromTxid(RpcController controller,
+      GetEditsFromTxidRequestProto req) throws ServiceException {
+    try {
+      return PBHelper.convertEditsResponse(server.getEditsFromTxid(
+          req.getTxid()));
+    } catch (IOException e) {
+      throw new ServiceException(e);
+    }
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
index 210828db914..79c4fcf260d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java
@@ -43,6 +43,7 @@
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hdfs.inotify.EventsList;
 import org.apache.hadoop.hdfs.protocol.AlreadyBeingCreatedException;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveEntry;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveInfo;
@@ -95,10 +96,12 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetBlockLocationsRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetBlockLocationsResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetContentSummaryRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetCurrentEditLogTxidRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDataEncryptionKeyRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDataEncryptionKeyResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeReportRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetDatanodeStorageReportRequestProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetEditsFromTxidRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileInfoRequestProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileInfoResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFileLinkInfoRequestProto;
@@ -159,6 +162,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.SetXAttrRequestProto;
 import org.apache.hadoop.hdfs.security.token.block.DataEncryptionKey;
 import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.server.namenode.FSEditLogOp;
 import org.apache.hadoop.hdfs.server.namenode.NotReplicatedYetException;
 import org.apache.hadoop.hdfs.server.namenode.SafeModeException;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeStorageReport;
@@ -1430,4 +1434,25 @@ public void checkAccess(String path, FsAction mode) throws IOException {
       throw ProtobufHelper.getRemoteException(e);
     }
   }
+
+  public long getCurrentEditLogTxid() throws IOException {
+    GetCurrentEditLogTxidRequestProto req = GetCurrentEditLogTxidRequestProto
+        .getDefaultInstance();
+    try {
+      return rpcProxy.getCurrentEditLogTxid(null, req).getTxid();
+    } catch (ServiceException e) {
+      throw ProtobufHelper.getRemoteException(e);
+    }
+  }
+
+  @Override
+  public EventsList getEditsFromTxid(long txid) throws IOException {
+    GetEditsFromTxidRequestProto req = GetEditsFromTxidRequestProto.newBuilder()
+        .setTxid(txid).build();
+    try {
+      return PBHelper.convert(rpcProxy.getEditsFromTxid(null, req));
+    } catch (ServiceException e) {
+      throw ProtobufHelper.getRemoteException(e);
+    }
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
index 4dcac39a1a9..38ba7db1387 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java
@@ -46,6 +46,8 @@
 import org.apache.hadoop.ha.proto.HAServiceProtocolProtos;
 import org.apache.hadoop.hdfs.DFSUtil;
 import org.apache.hadoop.hdfs.StorageType;
+import org.apache.hadoop.hdfs.inotify.Event;
+import org.apache.hadoop.hdfs.inotify.EventsList;
 import org.apache.hadoop.hdfs.protocol.Block;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveEntry;
 import org.apache.hadoop.hdfs.protocol.CacheDirectiveInfo;
@@ -96,6 +98,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.CreateFlagProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.DatanodeReportTypeProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.DatanodeStorageReportProto;
+import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetEditsFromTxidResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.GetFsStatsResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.RollingUpgradeActionProto;
 import org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos.RollingUpgradeInfoProto;
@@ -158,6 +161,7 @@
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageTypeProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageTypesProto;
 import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.StorageUuidsProto;
+import org.apache.hadoop.hdfs.protocol.proto.InotifyProtos;
 import org.apache.hadoop.hdfs.protocol.proto.JournalProtocolProtos.JournalInfoProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.GetXAttrsResponseProto;
 import org.apache.hadoop.hdfs.protocol.proto.XAttrProtos.ListXAttrsResponseProto;
@@ -2335,6 +2339,247 @@ public static ShmId convert(ShortCircuitShmIdProto shmId) {
     return new ShmId(shmId.getHi(), shmId.getLo());
   }
 
+  private static Event.CreateEvent.INodeType createTypeConvert(InotifyProtos.INodeType
+      type) {
+    switch (type) {
+    case I_TYPE_DIRECTORY:
+      return Event.CreateEvent.INodeType.DIRECTORY;
+    case I_TYPE_FILE:
+      return Event.CreateEvent.INodeType.FILE;
+    case I_TYPE_SYMLINK:
+      return Event.CreateEvent.INodeType.SYMLINK;
+    default:
+      return null;
+    }
+  }
+
+  private static InotifyProtos.MetadataUpdateType metadataUpdateTypeConvert(
+      Event.MetadataUpdateEvent.MetadataType type) {
+    switch (type) {
+    case TIMES:
+      return InotifyProtos.MetadataUpdateType.META_TYPE_TIMES;
+    case REPLICATION:
+      return InotifyProtos.MetadataUpdateType.META_TYPE_REPLICATION;
+    case OWNER:
+      return InotifyProtos.MetadataUpdateType.META_TYPE_OWNER;
+    case PERMS:
+      return InotifyProtos.MetadataUpdateType.META_TYPE_PERMS;
+    case ACLS:
+      return InotifyProtos.MetadataUpdateType.META_TYPE_ACLS;
+    case XATTRS:
+      return InotifyProtos.MetadataUpdateType.META_TYPE_XATTRS;
+    default:
+      return null;
+    }
+  }
+
+  private static Event.MetadataUpdateEvent.MetadataType metadataUpdateTypeConvert(
+      InotifyProtos.MetadataUpdateType type) {
+    switch (type) {
+    case META_TYPE_TIMES:
+      return Event.MetadataUpdateEvent.MetadataType.TIMES;
+    case META_TYPE_REPLICATION:
+      return Event.MetadataUpdateEvent.MetadataType.REPLICATION;
+    case META_TYPE_OWNER:
+      return Event.MetadataUpdateEvent.MetadataType.OWNER;
+    case META_TYPE_PERMS:
+      return Event.MetadataUpdateEvent.MetadataType.PERMS;
+    case META_TYPE_ACLS:
+      return Event.MetadataUpdateEvent.MetadataType.ACLS;
+    case META_TYPE_XATTRS:
+      return Event.MetadataUpdateEvent.MetadataType.XATTRS;
+    default:
+      return null;
+    }
+  }
+
+  private static InotifyProtos.INodeType createTypeConvert(Event.CreateEvent.INodeType
+      type) {
+    switch (type) {
+    case DIRECTORY:
+      return InotifyProtos.INodeType.I_TYPE_DIRECTORY;
+    case FILE:
+      return InotifyProtos.INodeType.I_TYPE_FILE;
+    case SYMLINK:
+      return InotifyProtos.INodeType.I_TYPE_SYMLINK;
+    default:
+      return null;
+    }
+  }
+
+  public static EventsList convert(GetEditsFromTxidResponseProto resp) throws
+    IOException {
+    List<Event> events = Lists.newArrayList();
+    for (InotifyProtos.EventProto p : resp.getEventsList().getEventsList()) {
+      switch(p.getType()) {
+      case EVENT_CLOSE:
+        InotifyProtos.CloseEventProto close =
+            InotifyProtos.CloseEventProto.parseFrom(p.getContents());
+        events.add(new Event.CloseEvent(close.getPath(), close.getFileSize(),
+            close.getTimestamp()));
+        break;
+      case EVENT_CREATE:
+        InotifyProtos.CreateEventProto create =
+            InotifyProtos.CreateEventProto.parseFrom(p.getContents());
+        events.add(new Event.CreateEvent.Builder()
+            .iNodeType(createTypeConvert(create.getType()))
+            .path(create.getPath())
+            .ctime(create.getCtime())
+            .ownerName(create.getOwnerName())
+            .groupName(create.getGroupName())
+            .perms(convert(create.getPerms()))
+            .replication(create.getReplication())
+            .symlinkTarget(create.getSymlinkTarget().isEmpty() ? null :
+            create.getSymlinkTarget()).build());
+        break;
+      case EVENT_METADATA:
+        InotifyProtos.MetadataUpdateEventProto meta =
+            InotifyProtos.MetadataUpdateEventProto.parseFrom(p.getContents());
+        events.add(new Event.MetadataUpdateEvent.Builder()
+            .path(meta.getPath())
+            .metadataType(metadataUpdateTypeConvert(meta.getType()))
+            .mtime(meta.getMtime())
+            .atime(meta.getAtime())
+            .replication(meta.getReplication())
+            .ownerName(
+                meta.getOwnerName().isEmpty() ? null : meta.getOwnerName())
+            .groupName(
+                meta.getGroupName().isEmpty() ? null : meta.getGroupName())
+            .perms(meta.hasPerms() ? convert(meta.getPerms()) : null)
+            .acls(meta.getAclsList().isEmpty() ? null : convertAclEntry(
+                meta.getAclsList()))
+            .xAttrs(meta.getXAttrsList().isEmpty() ? null : convertXAttrs(
+                meta.getXAttrsList()))
+            .xAttrsRemoved(meta.getXAttrsRemoved())
+            .build());
+        break;
+      case EVENT_RENAME:
+        InotifyProtos.RenameEventProto rename =
+            InotifyProtos.RenameEventProto.parseFrom(p.getContents());
+        events.add(new Event.RenameEvent(rename.getSrcPath(), rename.getDestPath(),
+            rename.getTimestamp()));
+        break;
+      case EVENT_APPEND:
+        InotifyProtos.AppendEventProto reopen =
+            InotifyProtos.AppendEventProto.parseFrom(p.getContents());
+        events.add(new Event.AppendEvent(reopen.getPath()));
+        break;
+      case EVENT_UNLINK:
+        InotifyProtos.UnlinkEventProto unlink =
+            InotifyProtos.UnlinkEventProto.parseFrom(p.getContents());
+        events.add(new Event.UnlinkEvent(unlink.getPath(), unlink.getTimestamp()));
+        break;
+      default:
+        throw new RuntimeException("Unexpected inotify event type: " +
+            p.getType());
+      }
+    }
+    return new EventsList(events, resp.getEventsList().getFirstTxid(),
+        resp.getEventsList().getLastTxid(), resp.getEventsList().getSyncTxid());
+  }
+
+  public static GetEditsFromTxidResponseProto convertEditsResponse(EventsList el) {
+    InotifyProtos.EventsListProto.Builder builder =
+        InotifyProtos.EventsListProto.newBuilder();
+    for (Event e : el.getEvents()) {
+      switch(e.getEventType()) {
+      case CLOSE:
+        Event.CloseEvent ce = (Event.CloseEvent) e;
+        builder.addEvents(InotifyProtos.EventProto.newBuilder()
+            .setType(InotifyProtos.EventType.EVENT_CLOSE)
+            .setContents(
+                InotifyProtos.CloseEventProto.newBuilder()
+                    .setPath(ce.getPath())
+                    .setFileSize(ce.getFileSize())
+                    .setTimestamp(ce.getTimestamp()).build().toByteString()
+            ).build());
+        break;
+      case CREATE:
+        Event.CreateEvent ce2 = (Event.CreateEvent) e;
+        builder.addEvents(InotifyProtos.EventProto.newBuilder()
+            .setType(InotifyProtos.EventType.EVENT_CREATE)
+            .setContents(
+                InotifyProtos.CreateEventProto.newBuilder()
+                    .setType(createTypeConvert(ce2.getiNodeType()))
+                    .setPath(ce2.getPath())
+                    .setCtime(ce2.getCtime())
+                    .setOwnerName(ce2.getOwnerName())
+                    .setGroupName(ce2.getGroupName())
+                    .setPerms(convert(ce2.getPerms()))
+                    .setReplication(ce2.getReplication())
+                    .setSymlinkTarget(ce2.getSymlinkTarget() == null ?
+                        "" : ce2.getSymlinkTarget()).build().toByteString()
+            ).build());
+        break;
+      case METADATA:
+        Event.MetadataUpdateEvent me = (Event.MetadataUpdateEvent) e;
+        InotifyProtos.MetadataUpdateEventProto.Builder metaB =
+            InotifyProtos.MetadataUpdateEventProto.newBuilder()
+                .setPath(me.getPath())
+                .setType(metadataUpdateTypeConvert(me.getMetadataType()))
+                .setMtime(me.getMtime())
+                .setAtime(me.getAtime())
+                .setReplication(me.getReplication())
+                .setOwnerName(me.getOwnerName() == null ? "" :
+                    me.getOwnerName())
+                .setGroupName(me.getGroupName() == null ? "" :
+                    me.getGroupName())
+                .addAllAcls(me.getAcls() == null ?
+                    Lists.<AclEntryProto>newArrayList() :
+                    convertAclEntryProto(me.getAcls()))
+                .addAllXAttrs(me.getxAttrs() == null ?
+                    Lists.<XAttrProto>newArrayList() :
+                    convertXAttrProto(me.getxAttrs()))
+                .setXAttrsRemoved(me.isxAttrsRemoved());
+        if (me.getPerms() != null) {
+          metaB.setPerms(convert(me.getPerms()));
+        }
+        builder.addEvents(InotifyProtos.EventProto.newBuilder()
+            .setType(InotifyProtos.EventType.EVENT_METADATA)
+            .setContents(metaB.build().toByteString())
+            .build());
+        break;
+      case RENAME:
+        Event.RenameEvent re = (Event.RenameEvent) e;
+        builder.addEvents(InotifyProtos.EventProto.newBuilder()
+            .setType(InotifyProtos.EventType.EVENT_RENAME)
+            .setContents(
+                InotifyProtos.RenameEventProto.newBuilder()
+                    .setSrcPath(re.getSrcPath())
+                    .setDestPath(re.getDstPath())
+                    .setTimestamp(re.getTimestamp()).build().toByteString()
+            ).build());
+        break;
+      case APPEND:
+        Event.AppendEvent re2 = (Event.AppendEvent) e;
+        builder.addEvents(InotifyProtos.EventProto.newBuilder()
+            .setType(InotifyProtos.EventType.EVENT_APPEND)
+            .setContents(
+                InotifyProtos.AppendEventProto.newBuilder()
+                    .setPath(re2.getPath()).build().toByteString()
+            ).build());
+        break;
+      case UNLINK:
+        Event.UnlinkEvent ue = (Event.UnlinkEvent) e;
+        builder.addEvents(InotifyProtos.EventProto.newBuilder()
+            .setType(InotifyProtos.EventType.EVENT_UNLINK)
+            .setContents(
+                InotifyProtos.UnlinkEventProto.newBuilder()
+                    .setPath(ue.getPath())
+                    .setTimestamp(ue.getTimestamp()).build().toByteString()
+            ).build());
+        break;
+      default:
+        throw new RuntimeException("Unexpected inotify event: " + e);
+      }
+    }
+    builder.setFirstTxid(el.getFirstTxid());
+    builder.setLastTxid(el.getLastTxid());
+    builder.setSyncTxid(el.getSyncTxid());
+    return GetEditsFromTxidResponseProto.newBuilder().setEventsList(
+        builder.build()).build();
+  }
+
   public static HdfsProtos.CipherSuite convert(CipherSuite suite) {
     switch (suite) {
     case UNKNOWN:
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/client/IPCLoggerChannel.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/client/IPCLoggerChannel.java
index 0196c5b0229..e37869c7975 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/client/IPCLoggerChannel.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/client/IPCLoggerChannel.java
@@ -79,7 +79,17 @@ public class IPCLoggerChannel implements AsyncLogger {
   protected final InetSocketAddress addr;
   private QJournalProtocol proxy;
 
-  private final ListeningExecutorService executor;
+  /**
+   * Executes tasks submitted to it serially, on a single thread, in FIFO order
+   * (generally used for write tasks that should not be reordered).
+   */
+  private final ListeningExecutorService singleThreadExecutor;
+  /**
+   * Executes tasks submitted to it in parallel with each other and with those
+   * submitted to singleThreadExecutor (generally used for read tasks that can
+   * be safely reordered and interleaved with writes).
+   */
+  private final ListeningExecutorService parallelExecutor;
   private long ipcSerial = 0;
   private long epoch = -1;
   private long committedTxId = HdfsConstants.INVALID_TXID;
@@ -160,8 +170,10 @@ public IPCLoggerChannel(Configuration conf,
         DFSConfigKeys.DFS_QJOURNAL_QUEUE_SIZE_LIMIT_KEY,
         DFSConfigKeys.DFS_QJOURNAL_QUEUE_SIZE_LIMIT_DEFAULT);
     
-    executor = MoreExecutors.listeningDecorator(
-        createExecutor());
+    singleThreadExecutor = MoreExecutors.listeningDecorator(
+        createSingleThreadExecutor());
+    parallelExecutor = MoreExecutors.listeningDecorator(
+        createParallelExecutor());
     
     metrics = IPCLoggerChannelMetrics.create(this);
   }
@@ -183,7 +195,8 @@ public synchronized void setCommittedTxId(long txid) {
   @Override
   public void close() {
     // No more tasks may be submitted after this point.
-    executor.shutdown();
+    singleThreadExecutor.shutdown();
+    parallelExecutor.shutdown();
     if (proxy != null) {
       // TODO: this can hang for quite some time if the client
       // is currently in the middle of a call to a downed JN.
@@ -230,15 +243,30 @@ public QJournalProtocol run() throws IOException {
    * Separated out for easy overriding in tests.
    */
   @VisibleForTesting
-  protected ExecutorService createExecutor() {
+  protected ExecutorService createSingleThreadExecutor() {
     return Executors.newSingleThreadExecutor(
         new ThreadFactoryBuilder()
           .setDaemon(true)
-          .setNameFormat("Logger channel to " + addr)
+          .setNameFormat("Logger channel (from single-thread executor) to " +
+              addr)
           .setUncaughtExceptionHandler(
               UncaughtExceptionHandlers.systemExit())
           .build());
   }
+
+  /**
+   * Separated out for easy overriding in tests.
+   */
+  @VisibleForTesting
+  protected ExecutorService createParallelExecutor() {
+    return Executors.newCachedThreadPool(
+        new ThreadFactoryBuilder()
+            .setDaemon(true)
+            .setNameFormat("Logger channel (from parallel executor) to " + addr)
+            .setUncaughtExceptionHandler(
+                UncaughtExceptionHandlers.systemExit())
+            .build());
+  }
   
   @Override
   public URL buildURLToFetchLogs(long segmentTxId) {
@@ -286,7 +314,7 @@ public synchronized boolean isOutOfSync() {
   @VisibleForTesting
   void waitForAllPendingCalls() throws InterruptedException {
     try {
-      executor.submit(new Runnable() {
+      singleThreadExecutor.submit(new Runnable() {
         @Override
         public void run() {
         }
@@ -299,7 +327,7 @@ public void run() {
 
   @Override
   public ListenableFuture<Boolean> isFormatted() {
-    return executor.submit(new Callable<Boolean>() {
+    return singleThreadExecutor.submit(new Callable<Boolean>() {
       @Override
       public Boolean call() throws IOException {
         return getProxy().isFormatted(journalId);
@@ -309,7 +337,7 @@ public Boolean call() throws IOException {
 
   @Override
   public ListenableFuture<GetJournalStateResponseProto> getJournalState() {
-    return executor.submit(new Callable<GetJournalStateResponseProto>() {
+    return singleThreadExecutor.submit(new Callable<GetJournalStateResponseProto>() {
       @Override
       public GetJournalStateResponseProto call() throws IOException {
         GetJournalStateResponseProto ret =
@@ -323,7 +351,7 @@ public GetJournalStateResponseProto call() throws IOException {
   @Override
   public ListenableFuture<NewEpochResponseProto> newEpoch(
       final long epoch) {
-    return executor.submit(new Callable<NewEpochResponseProto>() {
+    return singleThreadExecutor.submit(new Callable<NewEpochResponseProto>() {
       @Override
       public NewEpochResponseProto call() throws IOException {
         return getProxy().newEpoch(journalId, nsInfo, epoch);
@@ -347,7 +375,7 @@ public ListenableFuture<Void> sendEdits(
     
     ListenableFuture<Void> ret = null;
     try {
-      ret = executor.submit(new Callable<Void>() {
+      ret = singleThreadExecutor.submit(new Callable<Void>() {
         @Override
         public Void call() throws IOException {
           throwIfOutOfSync();
@@ -464,7 +492,7 @@ private synchronized void unreserveQueueSpace(int size) {
 
   @Override
   public ListenableFuture<Void> format(final NamespaceInfo nsInfo) {
-    return executor.submit(new Callable<Void>() {
+    return singleThreadExecutor.submit(new Callable<Void>() {
       @Override
       public Void call() throws Exception {
         getProxy().format(journalId, nsInfo);
@@ -476,7 +504,7 @@ public Void call() throws Exception {
   @Override
   public ListenableFuture<Void> startLogSegment(final long txid,
       final int layoutVersion) {
-    return executor.submit(new Callable<Void>() {
+    return singleThreadExecutor.submit(new Callable<Void>() {
       @Override
       public Void call() throws IOException {
         getProxy().startLogSegment(createReqInfo(), txid, layoutVersion);
@@ -497,7 +525,7 @@ public Void call() throws IOException {
   @Override
   public ListenableFuture<Void> finalizeLogSegment(
       final long startTxId, final long endTxId) {
-    return executor.submit(new Callable<Void>() {
+    return singleThreadExecutor.submit(new Callable<Void>() {
       @Override
       public Void call() throws IOException {
         throwIfOutOfSync();
@@ -510,7 +538,7 @@ public Void call() throws IOException {
   
   @Override
   public ListenableFuture<Void> purgeLogsOlderThan(final long minTxIdToKeep) {
-    return executor.submit(new Callable<Void>() {
+    return singleThreadExecutor.submit(new Callable<Void>() {
       @Override
       public Void call() throws Exception {
         getProxy().purgeLogsOlderThan(createReqInfo(), minTxIdToKeep);
@@ -522,7 +550,7 @@ public Void call() throws Exception {
   @Override
   public ListenableFuture<RemoteEditLogManifest> getEditLogManifest(
       final long fromTxnId, final boolean inProgressOk) {
-    return executor.submit(new Callable<RemoteEditLogManifest>() {
+    return parallelExecutor.submit(new Callable<RemoteEditLogManifest>() {
       @Override
       public RemoteEditLogManifest call() throws IOException {
         GetEditLogManifestResponseProto ret = getProxy().getEditLogManifest(
@@ -538,7 +566,7 @@ public RemoteEditLogManifest call() throws IOException {
   @Override
   public ListenableFuture<PrepareRecoveryResponseProto> prepareRecovery(
       final long segmentTxId) {
-    return executor.submit(new Callable<PrepareRecoveryResponseProto>() {
+    return singleThreadExecutor.submit(new Callable<PrepareRecoveryResponseProto>() {
       @Override
       public PrepareRecoveryResponseProto call() throws IOException {
         if (!hasHttpServerEndPoint()) {
@@ -556,7 +584,7 @@ public PrepareRecoveryResponseProto call() throws IOException {
   @Override
   public ListenableFuture<Void> acceptRecovery(
       final SegmentStateProto log, final URL url) {
-    return executor.submit(new Callable<Void>() {
+    return singleThreadExecutor.submit(new Callable<Void>() {
       @Override
       public Void call() throws IOException {
         getProxy().acceptRecovery(createReqInfo(), log, url);
@@ -567,7 +595,7 @@ public Void call() throws IOException {
   
   @Override
   public ListenableFuture<Void> doPreUpgrade() {
-    return executor.submit(new Callable<Void>() {
+    return singleThreadExecutor.submit(new Callable<Void>() {
       @Override
       public Void call() throws IOException {
         getProxy().doPreUpgrade(journalId);
@@ -578,7 +606,7 @@ public Void call() throws IOException {
   
   @Override
   public ListenableFuture<Void> doUpgrade(final StorageInfo sInfo) {
-    return executor.submit(new Callable<Void>() {
+    return singleThreadExecutor.submit(new Callable<Void>() {
       @Override
       public Void call() throws IOException {
         getProxy().doUpgrade(journalId, sInfo);
@@ -589,7 +617,7 @@ public Void call() throws IOException {
   
   @Override
   public ListenableFuture<Void> doFinalize() {
-    return executor.submit(new Callable<Void>() {
+    return singleThreadExecutor.submit(new Callable<Void>() {
       @Override
       public Void call() throws IOException {
         getProxy().doFinalize(journalId);
@@ -601,7 +629,7 @@ public Void call() throws IOException {
   @Override
   public ListenableFuture<Boolean> canRollBack(final StorageInfo storage,
       final StorageInfo prevStorage, final int targetLayoutVersion) {
-    return executor.submit(new Callable<Boolean>() {
+    return singleThreadExecutor.submit(new Callable<Boolean>() {
       @Override
       public Boolean call() throws IOException {
         return getProxy().canRollBack(journalId, storage, prevStorage,
@@ -612,7 +640,7 @@ public Boolean call() throws IOException {
 
   @Override
   public ListenableFuture<Void> doRollback() {
-    return executor.submit(new Callable<Void>() {
+    return singleThreadExecutor.submit(new Callable<Void>() {
       @Override
       public Void call() throws IOException {
         getProxy().doRollback(journalId);
@@ -623,7 +651,7 @@ public Void call() throws IOException {
 
   @Override
   public ListenableFuture<Void> discardSegments(final long startTxId) {
-    return executor.submit(new Callable<Void>() {
+    return singleThreadExecutor.submit(new Callable<Void>() {
       @Override
       public Void call() throws IOException {
         getProxy().discardSegments(journalId, startTxId);
@@ -634,7 +662,7 @@ public Void call() throws IOException {
 
   @Override
   public ListenableFuture<Long> getJournalCTime() {
-    return executor.submit(new Callable<Long>() {
+    return singleThreadExecutor.submit(new Callable<Long>() {
       @Override
       public Long call() throws IOException {
         return getProxy().getJournalCTime(journalId);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/server/Journal.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/server/Journal.java
index 1ffe6f7def0..b36e547056e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/server/Journal.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/server/Journal.java
@@ -651,7 +651,8 @@ public RemoteEditLogManifest getEditLogManifest(long sinceTxId,
         }
       }
       if (log != null && log.isInProgress()) {
-        logs.add(new RemoteEditLog(log.getStartTxId(), getHighestWrittenTxId()));
+        logs.add(new RemoteEditLog(log.getStartTxId(), getHighestWrittenTxId(),
+            true));
       }
     }
     
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogBackupInputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogBackupInputStream.java
index 0f6396658f9..36494374cca 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogBackupInputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogBackupInputStream.java
@@ -147,4 +147,9 @@ public boolean isInProgress() {
   public void setMaxOpSize(int maxOpSize) {
     reader.setMaxOpSize(maxOpSize);
   }
+
+  @Override
+  public boolean isLocalLog() {
+    return true;
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogFileInputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogFileInputStream.java
index fa25604d306..974860caf55 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogFileInputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogFileInputStream.java
@@ -506,4 +506,9 @@ public void setMaxOpSize(int maxOpSize) {
       reader.setMaxOpSize(maxOpSize);
     }
   }
+
+  @Override
+  public boolean isLocalLog() {
+    return log instanceof FileLog;
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogInputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogInputStream.java
index 969668d3d64..ac58616592c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogInputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EditLogInputStream.java
@@ -203,4 +203,10 @@ FSEditLogOp getCachedOp() {
    * Set the maximum opcode size in bytes.
    */
   public abstract void setMaxOpSize(int maxOpSize);
+
+  /**
+   * Returns true if we are currently reading the log from a local disk or an
+   * even faster data source (e.g. a byte buffer).
+   */
+  public abstract boolean isLocalLog();
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSEditLog.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSEditLog.java
index b2adcd455fc..9d3538d4610 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSEditLog.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSEditLog.java
@@ -188,6 +188,13 @@ protected OpInstanceCache initialValue() {
    */
   private final List<URI> sharedEditsDirs;
 
+  /**
+   * Take this lock when adding journals to or closing the JournalSet. Allows
+   * us to ensure that the JournalSet isn't closed or updated underneath us
+   * in selectInputStreams().
+   */
+  private final Object journalSetLock = new Object();
+
   private static class TransactionId {
     public long txid;
 
@@ -252,20 +259,22 @@ private synchronized void initJournals(List<URI> dirs) {
         DFSConfigKeys.DFS_NAMENODE_EDITS_DIR_MINIMUM_KEY,
         DFSConfigKeys.DFS_NAMENODE_EDITS_DIR_MINIMUM_DEFAULT);
 
-    journalSet = new JournalSet(minimumRedundantJournals);
+    synchronized(journalSetLock) {
+      journalSet = new JournalSet(minimumRedundantJournals);
 
-    for (URI u : dirs) {
-      boolean required = FSNamesystem.getRequiredNamespaceEditsDirs(conf)
-          .contains(u);
-      if (u.getScheme().equals(NNStorage.LOCAL_URI_SCHEME)) {
-        StorageDirectory sd = storage.getStorageDirectory(u);
-        if (sd != null) {
-          journalSet.add(new FileJournalManager(conf, sd, storage),
-              required, sharedEditsDirs.contains(u));
+      for (URI u : dirs) {
+        boolean required = FSNamesystem.getRequiredNamespaceEditsDirs(conf)
+            .contains(u);
+        if (u.getScheme().equals(NNStorage.LOCAL_URI_SCHEME)) {
+          StorageDirectory sd = storage.getStorageDirectory(u);
+          if (sd != null) {
+            journalSet.add(new FileJournalManager(conf, sd, storage),
+                required, sharedEditsDirs.contains(u));
+          }
+        } else {
+          journalSet.add(createJournal(u), required,
+              sharedEditsDirs.contains(u));
         }
-      } else {
-        journalSet.add(createJournal(u), required,
-            sharedEditsDirs.contains(u));
       }
     }
  
@@ -349,7 +358,9 @@ synchronized void close() {
     } finally {
       if (journalSet != null && !journalSet.isEmpty()) {
         try {
-          journalSet.close();
+          synchronized(journalSetLock) {
+            journalSet.close();
+          }
         } catch (IOException ioe) {
           LOG.warn("Error closing journalSet", ioe);
         }
@@ -606,7 +617,9 @@ public void logSync() {
                 "due to " + e.getMessage() + ". " +
                 "Unsynced transactions: " + (txid - synctxid);
             LOG.fatal(msg, new Exception());
-            IOUtils.cleanup(LOG, journalSet);
+            synchronized(journalSetLock) {
+              IOUtils.cleanup(LOG, journalSet);
+            }
             terminate(1, msg);
           }
         } finally {
@@ -630,7 +643,9 @@ public void logSync() {
               "Could not sync enough journals to persistent storage. "
               + "Unsynced transactions: " + (txid - synctxid);
           LOG.fatal(msg, new Exception());
-          IOUtils.cleanup(LOG, journalSet);
+          synchronized(journalSetLock) {
+            IOUtils.cleanup(LOG, journalSet);
+          }
           terminate(1, msg);
         }
       }
@@ -1301,9 +1316,8 @@ synchronized void waitForSyncToFinish() {
 
   /**
    * Return the txid of the last synced transaction.
-   * For test use only
    */
-  synchronized long getSyncTxId() {
+  public synchronized long getSyncTxId() {
     return synctxid;
   }
 
@@ -1340,7 +1354,9 @@ synchronized void registerBackupNode(
     
     LOG.info("Registering new backup node: " + bnReg);
     BackupJournalManager bjm = new BackupJournalManager(bnReg, nnReg);
-    journalSet.add(bjm, false);
+    synchronized(journalSetLock) {
+      journalSet.add(bjm, false);
+    }
   }
   
   synchronized void releaseBackupStream(NamenodeRegistration registration)
@@ -1348,7 +1364,9 @@ synchronized void releaseBackupStream(NamenodeRegistration registration)
     BackupJournalManager bjm = this.findBackupJournal(registration);
     if (bjm != null) {
       LOG.info("Removing backup journal " + bjm);
-      journalSet.remove(bjm);
+      synchronized(journalSetLock) {
+        journalSet.remove(bjm);
+      }
     }
   }
   
@@ -1487,11 +1505,16 @@ public Collection<EditLogInputStream> selectInputStreams(
    * @param recovery recovery context
    * @param inProgressOk set to true if in-progress streams are OK
    */
-  public synchronized Collection<EditLogInputStream> selectInputStreams(
+  public Collection<EditLogInputStream> selectInputStreams(
       long fromTxId, long toAtLeastTxId, MetaRecoveryContext recovery,
       boolean inProgressOk) throws IOException {
+
     List<EditLogInputStream> streams = new ArrayList<EditLogInputStream>();
-    selectInputStreams(streams, fromTxId, inProgressOk);
+    synchronized(journalSetLock) {
+      Preconditions.checkState(journalSet.isOpen(), "Cannot call " +
+          "selectInputStreams() on closed FSEditLog");
+      selectInputStreams(streams, fromTxId, inProgressOk);
+    }
 
     try {
       checkForGaps(streams, fromTxId, toAtLeastTxId, inProgressOk);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FileJournalManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FileJournalManager.java
index 362c316cc2c..6001db5ccea 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FileJournalManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FileJournalManager.java
@@ -187,17 +187,27 @@ public List<RemoteEditLog> getRemoteEditLogs(long firstTxId,
     List<EditLogFile> allLogFiles = matchEditLogs(currentDir);
     List<RemoteEditLog> ret = Lists.newArrayListWithCapacity(
         allLogFiles.size());
-
     for (EditLogFile elf : allLogFiles) {
       if (elf.hasCorruptHeader() || (!inProgressOk && elf.isInProgress())) {
         continue;
       }
+      if (elf.isInProgress()) {
+        try {
+          elf.validateLog();
+        } catch (IOException e) {
+          LOG.error("got IOException while trying to validate header of " +
+              elf + ".  Skipping.", e);
+          continue;
+        }
+      }
       if (elf.getFirstTxId() >= firstTxId) {
-        ret.add(new RemoteEditLog(elf.firstTxId, elf.lastTxId));
+        ret.add(new RemoteEditLog(elf.firstTxId, elf.lastTxId,
+            elf.isInProgress()));
       } else if (elf.getFirstTxId() < firstTxId && firstTxId <= elf.getLastTxId()) {
         // If the firstTxId is in the middle of an edit log segment. Return this
         // anyway and let the caller figure out whether it wants to use it.
-        ret.add(new RemoteEditLog(elf.firstTxId, elf.lastTxId));
+        ret.add(new RemoteEditLog(elf.firstTxId, elf.lastTxId,
+            elf.isInProgress()));
       }
     }
     
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/InotifyFSEditLogOpTranslator.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/InotifyFSEditLogOpTranslator.java
new file mode 100644
index 00000000000..676f8874cf0
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/InotifyFSEditLogOpTranslator.java
@@ -0,0 +1,146 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.server.namenode;
+
+import com.google.common.collect.Lists;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.hdfs.inotify.Event;
+import org.apache.hadoop.hdfs.protocol.Block;
+
+import java.util.List;
+
+/**
+ * Translates from edit log ops to inotify events.
+ */
+@InterfaceAudience.Private
+public class InotifyFSEditLogOpTranslator {
+
+  private static long getSize(FSEditLogOp.AddCloseOp acOp) {
+    long size = 0;
+    for (Block b : acOp.getBlocks()) {
+      size += b.getNumBytes();
+    }
+    return size;
+  }
+
+  public static Event[] translate(FSEditLogOp op) {
+    switch(op.opCode) {
+    case OP_ADD:
+      FSEditLogOp.AddOp addOp = (FSEditLogOp.AddOp) op;
+      if (addOp.blocks.length == 0) { // create
+        return new Event[] { new Event.CreateEvent.Builder().path(addOp.path)
+            .ctime(addOp.atime)
+            .replication(addOp.replication)
+            .ownerName(addOp.permissions.getUserName())
+            .groupName(addOp.permissions.getGroupName())
+            .perms(addOp.permissions.getPermission())
+            .iNodeType(Event.CreateEvent.INodeType.FILE).build() };
+      } else {
+        return new Event[] { new Event.AppendEvent(addOp.path) };
+      }
+    case OP_CLOSE:
+      FSEditLogOp.CloseOp cOp = (FSEditLogOp.CloseOp) op;
+      return new Event[] {
+          new Event.CloseEvent(cOp.path, getSize(cOp), cOp.mtime) };
+    case OP_SET_REPLICATION:
+      FSEditLogOp.SetReplicationOp setRepOp = (FSEditLogOp.SetReplicationOp) op;
+      return new Event[] { new Event.MetadataUpdateEvent.Builder()
+          .metadataType(Event.MetadataUpdateEvent.MetadataType.REPLICATION)
+          .path(setRepOp.path)
+          .replication(setRepOp.replication).build() };
+    case OP_CONCAT_DELETE:
+      FSEditLogOp.ConcatDeleteOp cdOp = (FSEditLogOp.ConcatDeleteOp) op;
+      List<Event> events = Lists.newArrayList();
+      events.add(new Event.AppendEvent(cdOp.trg));
+      for (String src : cdOp.srcs) {
+        events.add(new Event.UnlinkEvent(src, cdOp.timestamp));
+      }
+      events.add(new Event.CloseEvent(cdOp.trg, -1, cdOp.timestamp));
+      return events.toArray(new Event[0]);
+    case OP_RENAME_OLD:
+      FSEditLogOp.RenameOldOp rnOpOld = (FSEditLogOp.RenameOldOp) op;
+      return new Event[] {
+          new Event.RenameEvent(rnOpOld.src, rnOpOld.dst, rnOpOld.timestamp) };
+    case OP_RENAME:
+      FSEditLogOp.RenameOp rnOp = (FSEditLogOp.RenameOp) op;
+      return new Event[] {
+          new Event.RenameEvent(rnOp.src, rnOp.dst, rnOp.timestamp) };
+    case OP_DELETE:
+      FSEditLogOp.DeleteOp delOp = (FSEditLogOp.DeleteOp) op;
+      return new Event[] { new Event.UnlinkEvent(delOp.path, delOp.timestamp) };
+    case OP_MKDIR:
+      FSEditLogOp.MkdirOp mkOp = (FSEditLogOp.MkdirOp) op;
+      return new Event[] { new Event.CreateEvent.Builder().path(mkOp.path)
+          .ctime(mkOp.timestamp)
+          .ownerName(mkOp.permissions.getUserName())
+          .groupName(mkOp.permissions.getGroupName())
+          .perms(mkOp.permissions.getPermission())
+          .iNodeType(Event.CreateEvent.INodeType.DIRECTORY).build() };
+    case OP_SET_PERMISSIONS:
+      FSEditLogOp.SetPermissionsOp permOp = (FSEditLogOp.SetPermissionsOp) op;
+      return new Event[] { new Event.MetadataUpdateEvent.Builder()
+          .metadataType(Event.MetadataUpdateEvent.MetadataType.PERMS)
+          .path(permOp.src)
+          .perms(permOp.permissions).build() };
+    case OP_SET_OWNER:
+      FSEditLogOp.SetOwnerOp ownOp = (FSEditLogOp.SetOwnerOp) op;
+      return new Event[] { new Event.MetadataUpdateEvent.Builder()
+          .metadataType(Event.MetadataUpdateEvent.MetadataType.OWNER)
+          .path(ownOp.src)
+          .ownerName(ownOp.username).groupName(ownOp.groupname).build() };
+    case OP_TIMES:
+      FSEditLogOp.TimesOp timesOp = (FSEditLogOp.TimesOp) op;
+      return new Event[] { new Event.MetadataUpdateEvent.Builder()
+          .metadataType(Event.MetadataUpdateEvent.MetadataType.TIMES)
+          .path(timesOp.path)
+          .atime(timesOp.atime).mtime(timesOp.mtime).build() };
+    case OP_SYMLINK:
+      FSEditLogOp.SymlinkOp symOp = (FSEditLogOp.SymlinkOp) op;
+      return new Event[] { new Event.CreateEvent.Builder().path(symOp.path)
+          .ctime(symOp.atime)
+          .ownerName(symOp.permissionStatus.getUserName())
+          .groupName(symOp.permissionStatus.getGroupName())
+          .perms(symOp.permissionStatus.getPermission())
+          .symlinkTarget(symOp.value)
+          .iNodeType(Event.CreateEvent.INodeType.SYMLINK).build() };
+    case OP_REMOVE_XATTR:
+      FSEditLogOp.RemoveXAttrOp rxOp = (FSEditLogOp.RemoveXAttrOp) op;
+      return new Event[] { new Event.MetadataUpdateEvent.Builder()
+          .metadataType(Event.MetadataUpdateEvent.MetadataType.XATTRS)
+          .path(rxOp.src)
+          .xAttrs(rxOp.xAttrs)
+          .xAttrsRemoved(true).build() };
+    case OP_SET_XATTR:
+      FSEditLogOp.SetXAttrOp sxOp = (FSEditLogOp.SetXAttrOp) op;
+      return new Event[] { new Event.MetadataUpdateEvent.Builder()
+          .metadataType(Event.MetadataUpdateEvent.MetadataType.XATTRS)
+          .path(sxOp.src)
+          .xAttrs(sxOp.xAttrs)
+          .xAttrsRemoved(false).build() };
+    case OP_SET_ACL:
+      FSEditLogOp.SetAclOp saOp = (FSEditLogOp.SetAclOp) op;
+      return new Event[] { new Event.MetadataUpdateEvent.Builder()
+          .metadataType(Event.MetadataUpdateEvent.MetadataType.ACLS)
+          .path(saOp.src)
+          .acls(saOp.aclEntries).build() };
+    default:
+      return null;
+    }
+  }
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/JournalSet.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/JournalSet.java
index 4e5bc666745..667b2e01ce8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/JournalSet.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/JournalSet.java
@@ -56,6 +56,17 @@
 public class JournalSet implements JournalManager {
 
   static final Log LOG = LogFactory.getLog(FSEditLog.class);
+
+  private static final Comparator<EditLogInputStream>
+    LOCAL_LOG_PREFERENCE_COMPARATOR = new Comparator<EditLogInputStream>() {
+    @Override
+    public int compare(EditLogInputStream elis1, EditLogInputStream elis2) {
+      // we want local logs to be ordered earlier in the collection, and true
+      // is considered larger than false, so we want to invert the booleans here
+      return ComparisonChain.start().compare(!elis1.isLocalLog(),
+          !elis2.isLocalLog()).result();
+    }
+  };
   
   static final public Comparator<EditLogInputStream>
     EDIT_LOG_INPUT_STREAM_COMPARATOR = new Comparator<EditLogInputStream>() {
@@ -180,6 +191,8 @@ public boolean isShared() {
   private final List<JournalAndStream> journals =
       new CopyOnWriteArrayList<JournalSet.JournalAndStream>();
   final int minimumRedundantJournals;
+
+  private boolean closed;
   
   JournalSet(int minimumRedundantResources) {
     this.minimumRedundantJournals = minimumRedundantResources;
@@ -233,6 +246,11 @@ public void apply(JournalAndStream jas) throws IOException {
         jas.close();
       }
     }, "close journal");
+    closed = true;
+  }
+
+  public boolean isOpen() {
+    return !closed;
   }
 
   /**
@@ -281,10 +299,25 @@ public static void chainAndMakeRedundantStreams(
       if (acc.isEmpty()) {
         acc.add(elis);
       } else {
-        long accFirstTxId = acc.get(0).getFirstTxId();
+        EditLogInputStream accFirst = acc.get(0);
+        long accFirstTxId = accFirst.getFirstTxId();
         if (accFirstTxId == elis.getFirstTxId()) {
-          acc.add(elis);
+          // if we have a finalized log segment available at this txid,
+          // we should throw out all in-progress segments at this txid
+          if (elis.isInProgress()) {
+            if (accFirst.isInProgress()) {
+              acc.add(elis);
+            }
+          } else {
+            if (accFirst.isInProgress()) {
+              acc.clear();
+            }
+            acc.add(elis);
+          }
         } else if (accFirstTxId < elis.getFirstTxId()) {
+          // try to read from the local logs first since the throughput should
+          // be higher
+          Collections.sort(acc, LOCAL_LOG_PREFERENCE_COMPARATOR);
           outStreams.add(new RedundantEditLogInputStream(acc, fromTxId));
           acc.clear();
           acc.add(elis);
@@ -296,6 +329,7 @@ public static void chainAndMakeRedundantStreams(
       }
     }
     if (!acc.isEmpty()) {
+      Collections.sort(acc, LOCAL_LOG_PREFERENCE_COMPARATOR);
       outStreams.add(new RedundantEditLogInputStream(acc, fromTxId));
       acc.clear();
     }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index a0b636f2ef8..e62d1622ece 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -34,6 +34,7 @@
 import java.util.List;
 import java.util.Set;
 
+import com.google.common.collect.Lists;
 import org.apache.commons.logging.Log;
 import org.apache.hadoop.HadoopIllegalArgumentException;
 import org.apache.hadoop.conf.Configuration;
@@ -66,6 +67,8 @@
 import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.hdfs.DFSUtil;
 import org.apache.hadoop.hdfs.HDFSPolicyProvider;
+import org.apache.hadoop.hdfs.inotify.Event;
+import org.apache.hadoop.hdfs.inotify.EventsList;
 import org.apache.hadoop.hdfs.protocol.AclException;
 import org.apache.hadoop.hdfs.protocol.AlreadyBeingCreatedException;
 import org.apache.hadoop.hdfs.protocol.BlockListAsLongs;
@@ -1471,5 +1474,116 @@ public void removeXAttr(String src, XAttr xAttr) throws IOException {
   public void checkAccess(String path, FsAction mode) throws IOException {
     namesystem.checkAccess(path, mode);
   }
+
+  @Override // ClientProtocol
+  public long getCurrentEditLogTxid() throws IOException {
+    namesystem.checkOperation(OperationCategory.READ); // only active
+    namesystem.checkSuperuserPrivilege();
+    // if it's not yet open for write, we may be in the process of transitioning
+    // from standby to active and may not yet know what the latest committed
+    // txid is
+    return namesystem.getEditLog().isOpenForWrite() ?
+        namesystem.getEditLog().getLastWrittenTxId() : -1;
+  }
+
+  private static FSEditLogOp readOp(EditLogInputStream elis)
+      throws IOException {
+    try {
+      return elis.readOp();
+      // we can get the below two exceptions if a segment is deleted
+      // (because we have accumulated too many edits) or (for the local journal/
+      // no-QJM case only) if a in-progress segment is finalized under us ...
+      // no need to throw an exception back to the client in this case
+    } catch (FileNotFoundException e) {
+      LOG.debug("Tried to read from deleted or moved edit log segment", e);
+      return null;
+    } catch (TransferFsImage.HttpGetFailedException e) {
+      LOG.debug("Tried to read from deleted edit log segment", e);
+      return null;
+    }
+  }
+
+  @Override // ClientProtocol
+  public EventsList getEditsFromTxid(long txid) throws IOException {
+    namesystem.checkOperation(OperationCategory.READ); // only active
+    namesystem.checkSuperuserPrivilege();
+    int maxEventsPerRPC = nn.conf.getInt(
+        DFSConfigKeys.DFS_NAMENODE_INOTIFY_MAX_EVENTS_PER_RPC_KEY,
+        DFSConfigKeys.DFS_NAMENODE_INOTIFY_MAX_EVENTS_PER_RPC_DEFAULT);
+    FSEditLog log = namesystem.getFSImage().getEditLog();
+    long syncTxid = log.getSyncTxId();
+    // If we haven't synced anything yet, we can only read finalized
+    // segments since we can't reliably determine which txns in in-progress
+    // segments have actually been committed (e.g. written to a quorum of JNs).
+    // If we have synced txns, we can definitely read up to syncTxid since
+    // syncTxid is only updated after a transaction is committed to all
+    // journals. (In-progress segments written by old writers are already
+    // discarded for us, so if we read any in-progress segments they are
+    // guaranteed to have been written by this NameNode.)
+    boolean readInProgress = syncTxid > 0;
+
+    List<Event> events = Lists.newArrayList();
+    long maxSeenTxid = -1;
+    long firstSeenTxid = -1;
+
+    if (syncTxid > 0 && txid > syncTxid) {
+      // we can't read past syncTxid, so there's no point in going any further
+      return new EventsList(events, firstSeenTxid, maxSeenTxid, syncTxid);
+    }
+
+    Collection<EditLogInputStream> streams = null;
+    try {
+      streams = log.selectInputStreams(txid, 0, null, readInProgress);
+    } catch (IllegalStateException e) { // can happen if we have
+      // transitioned out of active and haven't yet transitioned to standby
+      // and are using QJM -- the edit log will be closed and this exception
+      // will result
+      LOG.info("NN is transitioning from active to standby and FSEditLog " +
+      "is closed -- could not read edits");
+      return new EventsList(events, firstSeenTxid, maxSeenTxid, syncTxid);
+    }
+
+    boolean breakOuter = false;
+    for (EditLogInputStream elis : streams) {
+      // our assumption in this code is the EditLogInputStreams are ordered by
+      // starting txid
+      try {
+        FSEditLogOp op = null;
+        while ((op = readOp(elis)) != null) {
+          // break out of here in the unlikely event that syncTxid is so
+          // out of date that its segment has already been deleted, so the first
+          // txid we get is greater than syncTxid
+          if (syncTxid > 0 && op.getTransactionId() > syncTxid) {
+            breakOuter = true;
+            break;
+          }
+
+          Event[] eventsFromOp = InotifyFSEditLogOpTranslator.translate(op);
+          if (eventsFromOp != null) {
+            events.addAll(Arrays.asList(eventsFromOp));
+          }
+          if (op.getTransactionId() > maxSeenTxid) {
+            maxSeenTxid = op.getTransactionId();
+          }
+          if (firstSeenTxid == -1) {
+            firstSeenTxid = op.getTransactionId();
+          }
+          if (events.size() >= maxEventsPerRPC || (syncTxid > 0 &&
+              op.getTransactionId() == syncTxid)) {
+            // we're done
+            breakOuter = true;
+            break;
+          }
+        }
+      } finally {
+        elis.close();
+      }
+      if (breakOuter) {
+        break;
+      }
+    }
+
+    return new EventsList(events, firstSeenTxid, maxSeenTxid, syncTxid);
+  }
 }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/RedundantEditLogInputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/RedundantEditLogInputStream.java
index 7c642c06961..674a9574499 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/RedundantEditLogInputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/RedundantEditLogInputStream.java
@@ -279,4 +279,9 @@ public void setMaxOpSize(int maxOpSize) {
       elis.setMaxOpSize(maxOpSize);
     }
   }
+
+  @Override
+  public boolean isLocalLog() {
+    return streams[curIdx].isLocalLog();
+  }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/TransferFsImage.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/TransferFsImage.java
index 242c7d75461..160371a646e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/TransferFsImage.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/TransferFsImage.java
@@ -63,7 +63,7 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.Lists;
-
+import org.mortbay.jetty.EofException;
 
 /**
  * This class provides fetching a specified file from the NameNode.
@@ -370,6 +370,9 @@ private static void copyFileToStream(OutputStream out, File localfile,
           throttler.throttle(num, canceler);
         }
       }
+    } catch (EofException e) {
+      LOG.info("Connection closed by client");
+      out = null; // so we don't close in the finally
     } finally {
       if (out != null) {
         out.close();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
index edffc9a99ce..f1673ffef43 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto
@@ -33,6 +33,7 @@ import "hdfs.proto";
 import "acl.proto";
 import "xattr.proto";
 import "encryption.proto";
+import "inotify.proto";
 
 /**
  * The ClientNamenodeProtocol Service defines the interface between a client 
@@ -664,6 +665,21 @@ message CheckAccessRequestProto {
 message CheckAccessResponseProto { // void response
 }
 
+message GetCurrentEditLogTxidRequestProto {
+}
+
+message GetCurrentEditLogTxidResponseProto {
+  required int64 txid = 1;
+}
+
+message GetEditsFromTxidRequestProto {
+  required int64 txid = 1;
+}
+
+message GetEditsFromTxidResponseProto {
+  required EventsListProto eventsList = 1;
+}
+
 service ClientNamenodeProtocol {
   rpc getBlockLocations(GetBlockLocationsRequestProto)
       returns(GetBlockLocationsResponseProto);
@@ -801,4 +817,8 @@ service ClientNamenodeProtocol {
       returns(ListEncryptionZonesResponseProto);
   rpc getEZForPath(GetEZForPathRequestProto)
       returns(GetEZForPathResponseProto);
+  rpc getCurrentEditLogTxid(GetCurrentEditLogTxidRequestProto)
+      returns(GetCurrentEditLogTxidResponseProto);
+  rpc getEditsFromTxid(GetEditsFromTxidRequestProto)
+      returns(GetEditsFromTxidResponseProto);
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/inotify.proto b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/inotify.proto
new file mode 100644
index 00000000000..b58bfcc3b5f
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/inotify.proto
@@ -0,0 +1,117 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * These .proto interfaces are private and stable.
+ * Please see http://wiki.apache.org/hadoop/Compatibility
+ * for what changes are allowed for a *stable* .proto interface.
+ */
+
+// This file contains protocol buffers used to communicate edits to clients
+// as part of the inotify system.
+
+option java_package = "org.apache.hadoop.hdfs.protocol.proto";
+option java_outer_classname = "InotifyProtos";
+option java_generate_equals_and_hash = true;
+package hadoop.hdfs;
+
+import "acl.proto";
+import "xattr.proto";
+import "hdfs.proto";
+
+enum EventType {
+  EVENT_CREATE = 0x0;
+  EVENT_CLOSE = 0x1;
+  EVENT_APPEND = 0x2;
+  EVENT_RENAME = 0x3;
+  EVENT_METADATA = 0x4;
+  EVENT_UNLINK = 0x5;
+}
+
+message EventProto {
+  required EventType type = 1;
+  required bytes contents = 2;
+}
+
+enum INodeType {
+  I_TYPE_FILE = 0x0;
+  I_TYPE_DIRECTORY = 0x1;
+  I_TYPE_SYMLINK = 0x2;
+}
+
+enum MetadataUpdateType {
+  META_TYPE_TIMES = 0x0;
+  META_TYPE_REPLICATION = 0x1;
+  META_TYPE_OWNER = 0x2;
+  META_TYPE_PERMS = 0x3;
+  META_TYPE_ACLS = 0x4;
+  META_TYPE_XATTRS = 0x5;
+}
+
+message CreateEventProto {
+  required INodeType type = 1;
+  required string path = 2;
+  required int64 ctime = 3;
+  required string ownerName = 4;
+  required string groupName = 5;
+  required FsPermissionProto perms = 6;
+  optional int32 replication = 7;
+  optional string symlinkTarget = 8;
+}
+
+message CloseEventProto {
+  required string path = 1;
+  required int64 fileSize = 2;
+  required int64 timestamp = 3;
+}
+
+message AppendEventProto {
+  required string path = 1;
+}
+
+message RenameEventProto {
+  required string srcPath = 1;
+  required string destPath = 2;
+  required int64 timestamp = 3;
+}
+
+message MetadataUpdateEventProto {
+  required string path = 1;
+  required MetadataUpdateType type = 2;
+  optional int64 mtime = 3;
+  optional int64 atime = 4;
+  optional int32 replication = 5;
+  optional string ownerName = 6;
+  optional string groupName = 7;
+  optional FsPermissionProto perms = 8;
+  repeated AclEntryProto acls = 9;
+  repeated XAttrProto xAttrs = 10;
+  optional bool xAttrsRemoved = 11;
+}
+
+message UnlinkEventProto {
+  required string path = 1;
+  required int64 timestamp = 2;
+}
+
+message EventsListProto {
+  repeated EventProto events = 1;
+  required int64 firstTxid = 2;
+  required int64 lastTxid = 3;
+  required int64 syncTxid = 4;
+}
\ No newline at end of file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
index 201560d0ccd..557727b3d85 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
@@ -2066,4 +2066,14 @@
   </description>
 </property>
 
+<property>
+  <name>dfs.namenode.inotify.max.events.per.rpc</name>
+  <value>1000</value>
+  <description>Maximum number of events that will be sent to an inotify client
+    in a single RPC response. The default value attempts to amortize away
+    the overhead for this RPC while avoiding huge memory requirements for the
+    client and NameNode (1000 events should consume no more than 1 MB.)
+  </description>
+</property>
+
 </configuration>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStream.java
new file mode 100644
index 00000000000..c268281a0f7
--- /dev/null
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStream.java
@@ -0,0 +1,430 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.XAttrSetFlag;
+import org.apache.hadoop.fs.permission.AclEntry;
+import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hdfs.inotify.Event;
+import org.apache.hadoop.hdfs.inotify.MissingEventsException;
+import org.apache.hadoop.hdfs.qjournal.MiniQJMHACluster;
+import org.apache.hadoop.hdfs.server.namenode.FSEditLogOpCodes;
+import org.apache.hadoop.hdfs.server.namenode.ha.HATestUtil;
+import org.apache.hadoop.util.ExitUtil;
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.net.URISyntaxException;
+import java.util.EnumSet;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+
+public class TestDFSInotifyEventInputStream {
+
+  private static final int BLOCK_SIZE = 1024;
+  private static final Log LOG = LogFactory.getLog(
+      TestDFSInotifyEventInputStream.class);
+
+  private static Event waitForNextEvent(DFSInotifyEventInputStream eis)
+    throws IOException, MissingEventsException {
+    Event next = null;
+    while ((next = eis.poll()) == null);
+    return next;
+  }
+
+  /**
+   * If this test fails, check whether the newly added op should map to an
+   * inotify event, and if so, establish the mapping in
+   * {@link org.apache.hadoop.hdfs.server.namenode.InotifyFSEditLogOpTranslator}
+   * and update testBasic() to include the new op.
+   */
+  @Test
+  public void testOpcodeCount() {
+    Assert.assertTrue(FSEditLogOpCodes.values().length == 46);
+  }
+
+
+  /**
+   * Tests all FsEditLogOps that are converted to inotify events.
+   */
+  @Test(timeout = 120000)
+  @SuppressWarnings("deprecation")
+  public void testBasic() throws IOException, URISyntaxException,
+      InterruptedException, MissingEventsException {
+    Configuration conf = new HdfsConfiguration();
+    conf.setLong(DFSConfigKeys.DFS_BLOCK_SIZE_KEY, BLOCK_SIZE);
+    conf.setBoolean(DFSConfigKeys.DFS_NAMENODE_ACLS_ENABLED_KEY, true);
+    // so that we can get an atime change
+    conf.setLong(DFSConfigKeys.DFS_NAMENODE_ACCESSTIME_PRECISION_KEY, 1);
+
+    MiniQJMHACluster.Builder builder = new MiniQJMHACluster.Builder(conf);
+    builder.getDfsBuilder().numDataNodes(2);
+    MiniQJMHACluster cluster = builder.build();
+
+    try {
+      cluster.getDfsCluster().waitActive();
+      cluster.getDfsCluster().transitionToActive(0);
+      DFSClient client = new DFSClient(cluster.getDfsCluster().getNameNode(0)
+          .getNameNodeAddress(), conf);
+      FileSystem fs = cluster.getDfsCluster().getFileSystem(0);
+      DFSTestUtil.createFile(fs, new Path("/file"), BLOCK_SIZE, (short) 1, 0L);
+      DFSTestUtil.createFile(fs, new Path("/file3"), BLOCK_SIZE, (short) 1, 0L);
+      DFSTestUtil.createFile(fs, new Path("/file5"), BLOCK_SIZE, (short) 1, 0L);
+      DFSInotifyEventInputStream eis = client.getInotifyEventStream();
+      client.rename("/file", "/file4", null); // RenameOp -> RenameEvent
+      client.rename("/file4", "/file2"); // RenameOldOp -> RenameEvent
+      // DeleteOp, AddOp -> UnlinkEvent, CreateEvent
+      OutputStream os = client.create("/file2", true, (short) 2, BLOCK_SIZE);
+      os.write(new byte[BLOCK_SIZE]);
+      os.close(); // CloseOp -> CloseEvent
+      // AddOp -> AppendEvent
+      os = client.append("/file2", BLOCK_SIZE, null, null);
+      os.write(new byte[BLOCK_SIZE]);
+      os.close(); // CloseOp -> CloseEvent
+      Thread.sleep(10); // so that the atime will get updated on the next line
+      client.open("/file2").read(new byte[1]); // TimesOp -> MetadataUpdateEvent
+      // SetReplicationOp -> MetadataUpdateEvent
+      client.setReplication("/file2", (short) 1);
+      // ConcatDeleteOp -> AppendEvent, UnlinkEvent, CloseEvent
+      client.concat("/file2", new String[]{"/file3"});
+      client.delete("/file2", false); // DeleteOp -> UnlinkEvent
+      client.mkdirs("/dir", null, false); // MkdirOp -> CreateEvent
+      // SetPermissionsOp -> MetadataUpdateEvent
+      client.setPermission("/dir", FsPermission.valueOf("-rw-rw-rw-"));
+      // SetOwnerOp -> MetadataUpdateEvent
+      client.setOwner("/dir", "username", "groupname");
+      client.createSymlink("/dir", "/dir2", false); // SymlinkOp -> CreateEvent
+      client.setXAttr("/file5", "user.field", "value".getBytes(), EnumSet.of(
+          XAttrSetFlag.CREATE)); // SetXAttrOp -> MetadataUpdateEvent
+      // RemoveXAttrOp -> MetadataUpdateEvent
+      client.removeXAttr("/file5", "user.field");
+      // SetAclOp -> MetadataUpdateEvent
+      client.setAcl("/file5", AclEntry.parseAclSpec(
+          "user::rwx,user:foo:rw-,group::r--,other::---", true));
+      client.removeAcl("/file5"); // SetAclOp -> MetadataUpdateEvent
+
+      Event next = null;
+
+      // RenameOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.RENAME);
+      Event.RenameEvent re = (Event.RenameEvent) next;
+      Assert.assertTrue(re.getDstPath().equals("/file4"));
+      Assert.assertTrue(re.getSrcPath().equals("/file"));
+      Assert.assertTrue(re.getTimestamp() > 0);
+
+      long eventsBehind = eis.getEventsBehindEstimate();
+
+      // RenameOldOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.RENAME);
+      Event.RenameEvent re2 = (Event.RenameEvent) next;
+      Assert.assertTrue(re2.getDstPath().equals("/file2"));
+      Assert.assertTrue(re2.getSrcPath().equals("/file4"));
+      Assert.assertTrue(re.getTimestamp() > 0);
+
+      // DeleteOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.UNLINK);
+      Assert.assertTrue(((Event.UnlinkEvent) next).getPath().equals("/file2"));
+
+      // AddOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.CREATE);
+      Event.CreateEvent ce = (Event.CreateEvent) next;
+      Assert.assertTrue(ce.getiNodeType() == Event.CreateEvent.INodeType.FILE);
+      Assert.assertTrue(ce.getPath().equals("/file2"));
+      Assert.assertTrue(ce.getCtime() > 0);
+      Assert.assertTrue(ce.getReplication() > 0);
+      Assert.assertTrue(ce.getSymlinkTarget() == null);
+
+      // CloseOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.CLOSE);
+      Event.CloseEvent ce2 = (Event.CloseEvent) next;
+      Assert.assertTrue(ce2.getPath().equals("/file2"));
+      Assert.assertTrue(ce2.getFileSize() > 0);
+      Assert.assertTrue(ce2.getTimestamp() > 0);
+
+      // AddOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.APPEND);
+      Assert.assertTrue(((Event.AppendEvent) next).getPath().equals("/file2"));
+
+      // CloseOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.CLOSE);
+      Assert.assertTrue(((Event.CloseEvent) next).getPath().equals("/file2"));
+
+      // TimesOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.METADATA);
+      Event.MetadataUpdateEvent mue = (Event.MetadataUpdateEvent) next;
+      Assert.assertTrue(mue.getPath().equals("/file2"));
+      Assert.assertTrue(mue.getMetadataType() ==
+          Event.MetadataUpdateEvent.MetadataType.TIMES);
+
+      // SetReplicationOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.METADATA);
+      Event.MetadataUpdateEvent mue2 = (Event.MetadataUpdateEvent) next;
+      Assert.assertTrue(mue2.getPath().equals("/file2"));
+      Assert.assertTrue(mue2.getMetadataType() ==
+          Event.MetadataUpdateEvent.MetadataType.REPLICATION);
+      Assert.assertTrue(mue2.getReplication() == 1);
+
+      // ConcatDeleteOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.APPEND);
+      Assert.assertTrue(((Event.AppendEvent) next).getPath().equals("/file2"));
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.UNLINK);
+      Event.UnlinkEvent ue2 = (Event.UnlinkEvent) next;
+      Assert.assertTrue(ue2.getPath().equals("/file3"));
+      Assert.assertTrue(ue2.getTimestamp() > 0);
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.CLOSE);
+      Event.CloseEvent ce3 = (Event.CloseEvent) next;
+      Assert.assertTrue(ce3.getPath().equals("/file2"));
+      Assert.assertTrue(ce3.getTimestamp() > 0);
+
+      // DeleteOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.UNLINK);
+      Event.UnlinkEvent ue = (Event.UnlinkEvent) next;
+      Assert.assertTrue(ue.getPath().equals("/file2"));
+      Assert.assertTrue(ue.getTimestamp() > 0);
+
+      // MkdirOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.CREATE);
+      Event.CreateEvent ce4 = (Event.CreateEvent) next;
+      Assert.assertTrue(ce4.getiNodeType() ==
+          Event.CreateEvent.INodeType.DIRECTORY);
+      Assert.assertTrue(ce4.getPath().equals("/dir"));
+      Assert.assertTrue(ce4.getCtime() > 0);
+      Assert.assertTrue(ce4.getReplication() == 0);
+      Assert.assertTrue(ce4.getSymlinkTarget() == null);
+
+      // SetPermissionsOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.METADATA);
+      Event.MetadataUpdateEvent mue3 = (Event.MetadataUpdateEvent) next;
+      Assert.assertTrue(mue3.getPath().equals("/dir"));
+      Assert.assertTrue(mue3.getMetadataType() ==
+          Event.MetadataUpdateEvent.MetadataType.PERMS);
+      Assert.assertTrue(mue3.getPerms().toString().contains("rw-rw-rw-"));
+
+      // SetOwnerOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.METADATA);
+      Event.MetadataUpdateEvent mue4 = (Event.MetadataUpdateEvent) next;
+      Assert.assertTrue(mue4.getPath().equals("/dir"));
+      Assert.assertTrue(mue4.getMetadataType() ==
+          Event.MetadataUpdateEvent.MetadataType.OWNER);
+      Assert.assertTrue(mue4.getOwnerName().equals("username"));
+      Assert.assertTrue(mue4.getGroupName().equals("groupname"));
+
+      // SymlinkOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.CREATE);
+      Event.CreateEvent ce5 = (Event.CreateEvent) next;
+      Assert.assertTrue(ce5.getiNodeType() ==
+          Event.CreateEvent.INodeType.SYMLINK);
+      Assert.assertTrue(ce5.getPath().equals("/dir2"));
+      Assert.assertTrue(ce5.getCtime() > 0);
+      Assert.assertTrue(ce5.getReplication() == 0);
+      Assert.assertTrue(ce5.getSymlinkTarget().equals("/dir"));
+
+      // SetXAttrOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.METADATA);
+      Event.MetadataUpdateEvent mue5 = (Event.MetadataUpdateEvent) next;
+      Assert.assertTrue(mue5.getPath().equals("/file5"));
+      Assert.assertTrue(mue5.getMetadataType() ==
+          Event.MetadataUpdateEvent.MetadataType.XATTRS);
+      Assert.assertTrue(mue5.getxAttrs().size() == 1);
+      Assert.assertTrue(mue5.getxAttrs().get(0).getName().contains("field"));
+      Assert.assertTrue(!mue5.isxAttrsRemoved());
+
+      // RemoveXAttrOp
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.METADATA);
+      Event.MetadataUpdateEvent mue6 = (Event.MetadataUpdateEvent) next;
+      Assert.assertTrue(mue6.getPath().equals("/file5"));
+      Assert.assertTrue(mue6.getMetadataType() ==
+          Event.MetadataUpdateEvent.MetadataType.XATTRS);
+      Assert.assertTrue(mue6.getxAttrs().size() == 1);
+      Assert.assertTrue(mue6.getxAttrs().get(0).getName().contains("field"));
+      Assert.assertTrue(mue6.isxAttrsRemoved());
+
+      // SetAclOp (1)
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.METADATA);
+      Event.MetadataUpdateEvent mue7 = (Event.MetadataUpdateEvent) next;
+      Assert.assertTrue(mue7.getPath().equals("/file5"));
+      Assert.assertTrue(mue7.getMetadataType() ==
+          Event.MetadataUpdateEvent.MetadataType.ACLS);
+      Assert.assertTrue(mue7.getAcls().contains(
+          AclEntry.parseAclEntry("user::rwx", true)));
+
+      // SetAclOp (2)
+      next = waitForNextEvent(eis);
+      Assert.assertTrue(next.getEventType() == Event.EventType.METADATA);
+      Event.MetadataUpdateEvent mue8 = (Event.MetadataUpdateEvent) next;
+      Assert.assertTrue(mue8.getPath().equals("/file5"));
+      Assert.assertTrue(mue8.getMetadataType() ==
+          Event.MetadataUpdateEvent.MetadataType.ACLS);
+      Assert.assertTrue(mue8.getAcls() == null);
+
+      // Returns null when there are no further events
+      Assert.assertTrue(eis.poll() == null);
+
+      // make sure the estimate hasn't changed since the above assertion
+      // tells us that we are fully caught up to the current namesystem state
+      // and we should not have been behind at all when eventsBehind was set
+      // either, since there were few enough events that they should have all
+      // been read to the client during the first poll() call
+      Assert.assertTrue(eis.getEventsBehindEstimate() == eventsBehind);
+
+    } finally {
+      cluster.shutdown();
+    }
+  }
+
+  @Test(timeout = 120000)
+  public void testNNFailover() throws IOException, URISyntaxException,
+      MissingEventsException {
+    Configuration conf = new HdfsConfiguration();
+    MiniQJMHACluster cluster = new MiniQJMHACluster.Builder(conf).build();
+
+    try {
+      cluster.getDfsCluster().waitActive();
+      cluster.getDfsCluster().transitionToActive(0);
+      DFSClient client = ((DistributedFileSystem) HATestUtil.configureFailoverFs
+          (cluster.getDfsCluster(), conf)).dfs;
+      DFSInotifyEventInputStream eis = client.getInotifyEventStream();
+      for (int i = 0; i < 10; i++) {
+        client.mkdirs("/dir" + i, null, false);
+      }
+      cluster.getDfsCluster().shutdownNameNode(0);
+      cluster.getDfsCluster().transitionToActive(1);
+      Event next = null;
+      // we can read all of the edits logged by the old active from the new
+      // active
+      for (int i = 0; i < 10; i++) {
+        next = waitForNextEvent(eis);
+        Assert.assertTrue(next.getEventType() == Event.EventType.CREATE);
+        Assert.assertTrue(((Event.CreateEvent) next).getPath().equals("/dir" +
+            i));
+      }
+      Assert.assertTrue(eis.poll() == null);
+    } finally {
+      cluster.shutdown();
+    }
+  }
+
+  @Test(timeout = 120000)
+  public void testTwoActiveNNs() throws IOException, MissingEventsException {
+    Configuration conf = new HdfsConfiguration();
+    MiniQJMHACluster cluster = new MiniQJMHACluster.Builder(conf).build();
+
+    try {
+      cluster.getDfsCluster().waitActive();
+      cluster.getDfsCluster().transitionToActive(0);
+      DFSClient client0 = new DFSClient(cluster.getDfsCluster().getNameNode(0)
+          .getNameNodeAddress(), conf);
+      DFSClient client1 = new DFSClient(cluster.getDfsCluster().getNameNode(1)
+          .getNameNodeAddress(), conf);
+      DFSInotifyEventInputStream eis = client0.getInotifyEventStream();
+      for (int i = 0; i < 10; i++) {
+        client0.mkdirs("/dir" + i, null, false);
+      }
+
+      cluster.getDfsCluster().transitionToActive(1);
+      for (int i = 10; i < 20; i++) {
+        client1.mkdirs("/dir" + i, null, false);
+      }
+
+      // make sure that the old active can't read any further than the edits
+      // it logged itself (it has no idea whether the in-progress edits from
+      // the other writer have actually been committed)
+      Event next = null;
+      for (int i = 0; i < 10; i++) {
+        next = waitForNextEvent(eis);
+        Assert.assertTrue(next.getEventType() == Event.EventType.CREATE);
+        Assert.assertTrue(((Event.CreateEvent) next).getPath().equals("/dir" +
+            i));
+      }
+      Assert.assertTrue(eis.poll() == null);
+    } finally {
+      try {
+        cluster.shutdown();
+      } catch (ExitUtil.ExitException e) {
+        // expected because the old active will be unable to flush the
+        // end-of-segment op since it is fenced
+      }
+    }
+  }
+
+  @Test(timeout = 120000)
+  public void testReadEventsWithTimeout() throws IOException,
+      InterruptedException, MissingEventsException {
+    Configuration conf = new HdfsConfiguration();
+    MiniQJMHACluster cluster = new MiniQJMHACluster.Builder(conf).build();
+
+    try {
+      cluster.getDfsCluster().waitActive();
+      cluster.getDfsCluster().transitionToActive(0);
+      final DFSClient client = new DFSClient(cluster.getDfsCluster()
+          .getNameNode(0).getNameNodeAddress(), conf);
+      DFSInotifyEventInputStream eis = client.getInotifyEventStream();
+      ScheduledExecutorService ex = Executors
+          .newSingleThreadScheduledExecutor();
+      ex.schedule(new Runnable() {
+        @Override
+        public void run() {
+          try {
+            client.mkdirs("/dir", null, false);
+          } catch (IOException e) {
+            // test will fail
+            LOG.error("Unable to create /dir", e);
+          }
+        }
+      }, 1, TimeUnit.SECONDS);
+      // a very generous wait period -- the edit will definitely have been
+      // processed by the time this is up
+      Event next = eis.poll(5, TimeUnit.SECONDS);
+      Assert.assertTrue(next != null);
+      Assert.assertTrue(next.getEventType() == Event.EventType.CREATE);
+      Assert.assertTrue(((Event.CreateEvent) next).getPath().equals("/dir"));
+    } finally {
+      cluster.shutdown();
+    }
+  }
+
+}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/MiniQJMHACluster.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/MiniQJMHACluster.java
index 3166cccc94b..9380701c0f0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/MiniQJMHACluster.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/MiniQJMHACluster.java
@@ -56,7 +56,9 @@ public static class Builder {
     
     public Builder(Configuration conf) {
       this.conf = conf;
-      this.dfsBuilder = new MiniDFSCluster.Builder(conf);
+      // most QJMHACluster tests don't need DataNodes, so we'll make
+      // this the default
+      this.dfsBuilder = new MiniDFSCluster.Builder(conf).numDataNodes(0);
     }
 
     public MiniDFSCluster.Builder getDfsBuilder() {
@@ -102,7 +104,7 @@ private MiniQJMHACluster(Builder builder) throws IOException {
         cluster = builder.dfsBuilder.nnTopology(topology)
             .manageNameDfsSharedDirs(false).build();
         cluster.waitActive();
-        cluster.shutdown();
+        cluster.shutdownNameNodes();
 
         // initialize the journal nodes
         Configuration confNN0 = cluster.getConfiguration(0);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/client/TestQJMWithFaults.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/client/TestQJMWithFaults.java
index 4783e8fb4fc..2e38d5fb406 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/client/TestQJMWithFaults.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/client/TestQJMWithFaults.java
@@ -382,7 +382,7 @@ public void afterCall(InvocationOnMock invocation, boolean succeeded) {
     }
 
     @Override
-    protected ExecutorService createExecutor() {
+    protected ExecutorService createSingleThreadExecutor() {
       return MoreExecutors.sameThreadExecutor();
     }
   }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/client/TestQuorumJournalManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/client/TestQuorumJournalManager.java
index fcb8e55bebd..8bb39f8c6af 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/client/TestQuorumJournalManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/qjournal/client/TestQuorumJournalManager.java
@@ -939,7 +939,7 @@ private QuorumJournalManager createSpyingQJM()
       public AsyncLogger createLogger(Configuration conf, NamespaceInfo nsInfo,
           String journalId, InetSocketAddress addr) {
         AsyncLogger logger = new IPCLoggerChannel(conf, nsInfo, journalId, addr) {
-          protected ExecutorService createExecutor() {
+          protected ExecutorService createSingleThreadExecutor() {
             // Don't parallelize calls to the quorum in the tests.
             // This makes the tests more deterministic.
             return MoreExecutors.sameThreadExecutor();
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestEditLog.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestEditLog.java
index 8074a68e3a9..47a807afd92 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestEditLog.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestEditLog.java
@@ -916,6 +916,10 @@ public boolean isInProgress() {
     public void setMaxOpSize(int maxOpSize) {
       reader.setMaxOpSize(maxOpSize);
     }
+
+    @Override public boolean isLocalLog() {
+      return true;
+    }
   }
 
   @Test

From a0ccf83dfd6bff81944d6855652eae7f7f7b0ba9 Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Tue, 2 Sep 2014 14:22:20 -0700
Subject: [PATCH 352/354] HDFS-6954. With crypto, no native lib systems are too
 verbose. Contributed by Charles Lamb.

---
 .../org/apache/hadoop/crypto/CryptoCodec.java | 19 ++++++++++++-------
 .../hadoop/util/PerformanceAdvisory.java      |  7 ++++---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |  4 +++-
 .../org/apache/hadoop/hdfs/DFSClient.java     | 10 ++++++----
 4 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
index 9de7f95200f..9bd1846552d 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/CryptoCodec.java
@@ -24,6 +24,7 @@
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configurable;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.util.PerformanceAdvisory;
 import org.apache.hadoop.util.ReflectionUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -48,7 +49,7 @@ public abstract class CryptoCodec implements Configurable {
    * 
    * @param conf
    *          the configuration
-   * @param CipherSuite
+   * @param cipherSuite
    *          algorithm/mode/padding
    * @return CryptoCodec the codec object. Null value will be returned if no
    *         crypto codec classes with cipher suite configured.
@@ -66,15 +67,18 @@ public static CryptoCodec getInstance(Configuration conf,
         CryptoCodec c = ReflectionUtils.newInstance(klass, conf);
         if (c.getCipherSuite().getName().equals(cipherSuite.getName())) {
           if (codec == null) {
-            LOG.debug("Using crypto codec {}.", klass.getName());
+            PerformanceAdvisory.LOG.debug("Using crypto codec {}.",
+                klass.getName());
             codec = c;
           }
         } else {
-          LOG.warn("Crypto codec {} doesn't meet the cipher suite {}.", 
+          PerformanceAdvisory.LOG.debug(
+              "Crypto codec {} doesn't meet the cipher suite {}.",
               klass.getName(), cipherSuite.getName());
         }
       } catch (Exception e) {
-        LOG.warn("Crypto codec {} is not available.", klass.getName());
+        PerformanceAdvisory.LOG.debug("Crypto codec {} is not available.",
+            klass.getName());
       }
     }
     
@@ -108,7 +112,8 @@ private static List<Class<? extends CryptoCodec>> getCodecClasses(
         cipherSuite.getConfigSuffix();
     String codecString = conf.get(configName);
     if (codecString == null) {
-      LOG.warn("No crypto codec classes with cipher suite configured.");
+      PerformanceAdvisory.LOG.debug(
+          "No crypto codec classes with cipher suite configured.");
       return null;
     }
     for (String c : Splitter.on(',').trimResults().omitEmptyStrings().
@@ -117,9 +122,9 @@ private static List<Class<? extends CryptoCodec>> getCodecClasses(
         Class<?> cls = conf.getClassByName(c);
         result.add(cls.asSubclass(CryptoCodec.class));
       } catch (ClassCastException e) {
-        LOG.warn("Class " + c + " is not a CryptoCodec.");
+        PerformanceAdvisory.LOG.debug("Class {} is not a CryptoCodec.", c);
       } catch (ClassNotFoundException e) {
-        LOG.warn("Crypto codec " + c + " not found.");
+        PerformanceAdvisory.LOG.debug("Crypto codec {} not found.", c);
       }
     }
     
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/PerformanceAdvisory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/PerformanceAdvisory.java
index 306d47c805e..3304ebb4731 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/PerformanceAdvisory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/PerformanceAdvisory.java
@@ -16,9 +16,10 @@
  */
 package org.apache.hadoop.util;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class PerformanceAdvisory {
-  public static final Log LOG = LogFactory.getLog(PerformanceAdvisory.class);
+  public static final Logger LOG =
+      LoggerFactory.getLogger(PerformanceAdvisory.class);
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index ecf67827d20..7cfd6320fb4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -432,6 +432,7 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-6634. inotify in HDFS. (James Thomas via wang)
 
+
   OPTIMIZATIONS
 
     HDFS-6690. Deduplicate xattr names in memory. (wang)
@@ -672,7 +673,8 @@ Release 2.6.0 - UNRELEASED
       HDFS-6817. Fix findbugs and other warnings. (yliu)
   
       HDFS-6839. Fix TestCLI to expect new output. (clamb)
-    --
+
+      HDFS-6954. With crypto, no native lib systems are too verbose. (clamb via wang)
 
 Release 2.5.1 - UNRELEASED
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index ce0f133f349..8daf9124311 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -606,10 +606,12 @@ public DFSClient(URI nameNodeUri, ClientProtocol rpcNamenode,
       cipherSuites.add(codec.getCipherSuite());
     }
     provider = DFSUtil.createKeyProviderCryptoExtension(conf);
-    if (provider == null) {
-      LOG.info("No KeyProvider found.");
-    } else {
-      LOG.info("Found KeyProvider: " + provider.toString());
+    if (LOG.isDebugEnabled()) {
+      if (provider == null) {
+        LOG.debug("No KeyProvider found.");
+      } else {
+        LOG.debug("Found KeyProvider: " + provider.toString());
+      }
     }
     int numResponseToDrop = conf.getInt(
         DFSConfigKeys.DFS_CLIENT_TEST_DROP_NAMENODE_RESPONSE_NUM_KEY,

From 0340206a29ec21d9996e7f37c905d200e5485777 Mon Sep 17 00:00:00 2001
From: Allen Wittenauer <aw@apache.org>
Date: Tue, 2 Sep 2014 14:44:47 -0700
Subject: [PATCH 353/354] HADOOP-11033. shell scripts ignore JAVA_HOME on OS X.
 (aw)

---
 hadoop-common-project/hadoop-common/CHANGES.txt        |  2 ++
 .../hadoop-common/src/main/bin/hadoop-functions.sh     | 10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index d73bf9a120f..2fb6f1f2ddf 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -328,6 +328,8 @@ Trunk (Unreleased)
 
     HADOOP-10748. HttpServer2 should not load JspServlet. (wheat9)
 
+    HADOOP-11033. shell scripts ignore JAVA_HOME on OS X. (aw)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
index dd5520cab11..d430188cbf0 100644
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
@@ -517,10 +517,12 @@ function hadoop_os_tricks
   # examples for OS X and Linux. Vendors, replace this with your special sauce.
   case ${HADOOP_OS_TYPE} in
     Darwin)
-      if [[ -x /usr/libexec/java_home ]]; then
-        export JAVA_HOME="$(/usr/libexec/java_home)"
-      else
-        export JAVA_HOME=/Library/Java/Home
+      if [[ -z "${JAVA_HOME}" ]]; then
+        if [[ -x /usr/libexec/java_home ]]; then
+          export JAVA_HOME="$(/usr/libexec/java_home)"
+        else
+          export JAVA_HOME=/Library/Java/Home
+        fi
       fi
     ;;
     Linux)

From 727331becc3902cb4e60ee04741e79703238e782 Mon Sep 17 00:00:00 2001
From: Colin Patrick Mccabe <cmccabe@cloudera.com>
Date: Tue, 2 Sep 2014 15:14:33 -0700
Subject: [PATCH 354/354] HDFS-4257. The ReplaceDatanodeOnFailure policies
 could have a forgiving option.  Contributed by szetszwo.

---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt   |   2 +
 .../org/apache/hadoop/hdfs/DFSConfigKeys.java |   2 +
 .../apache/hadoop/hdfs/DFSOutputStream.java   |  12 +-
 .../ReplaceDatanodeOnFailure.java             | 163 +++++++++++++-----
 .../src/main/resources/hdfs-default.xml       |  22 +++
 .../hdfs/TestReplaceDatanodeOnFailure.java    |  45 ++++-
 6 files changed, 201 insertions(+), 45 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 7cfd6320fb4..ae66b0d1ca1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -432,6 +432,8 @@ Release 2.6.0 - UNRELEASED
 
     HDFS-6634. inotify in HDFS. (James Thomas via wang)
 
+    HDFS-4257. The ReplaceDatanodeOnFailure policies could have a forgiving
+    option (szetszwo via cmccabe)
 
   OPTIMIZATIONS
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
index 7f96cf02b0d..ace2ae9df00 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
@@ -53,6 +53,8 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
   public static final boolean DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_ENABLE_DEFAULT = true;
   public static final String  DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_POLICY_KEY = "dfs.client.block.write.replace-datanode-on-failure.policy";
   public static final String  DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_POLICY_DEFAULT = "DEFAULT";
+  public static final String  DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_BEST_EFFORT_KEY = "dfs.client.block.write.replace-datanode-on-failure.best-effort";
+  public static final boolean DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_BEST_EFFORT_DEFAULT = false;
   public static final String  DFS_CLIENT_SOCKET_CACHE_CAPACITY_KEY = "dfs.client.socketcache.capacity";
   public static final int     DFS_CLIENT_SOCKET_CACHE_CAPACITY_DEFAULT = 16;
   public static final String  DFS_CLIENT_USE_DN_HOSTNAME = "dfs.client.use.datanode.hostname";
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
index 0b5ecda95fd..f3d66923b23 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSOutputStream.java
@@ -1178,7 +1178,17 @@ private boolean setupPipelineForAppendOrRecovery() throws IOException {
         // Check if replace-datanode policy is satisfied.
         if (dfsClient.dtpReplaceDatanodeOnFailure.satisfy(blockReplication,
             nodes, isAppend, isHflushed)) {
-          addDatanode2ExistingPipeline();
+          try {
+            addDatanode2ExistingPipeline();
+          } catch(IOException ioe) {
+            if (!dfsClient.dtpReplaceDatanodeOnFailure.isBestEffort()) {
+              throw ioe;
+            }
+            DFSClient.LOG.warn("Failed to replace datanode."
+                + " Continue with the remaining datanodes since "
+                + DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_BEST_EFFORT_KEY
+                + " is set to true.", ioe);
+          }
         }
 
         // get a new generation stamp and an access token
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/ReplaceDatanodeOnFailure.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/ReplaceDatanodeOnFailure.java
index 318455424aa..0f2c1abdf15 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/ReplaceDatanodeOnFailure.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/ReplaceDatanodeOnFailure.java
@@ -29,26 +29,90 @@
  */
 @InterfaceAudience.Private
 @InterfaceStability.Evolving
-public enum ReplaceDatanodeOnFailure {
-  /** The feature is disabled in the entire site. */
-  DISABLE,
-  /** Never add a new datanode. */
-  NEVER,
-  /**
-   * DEFAULT policy:
-   *   Let r be the replication number.
-   *   Let n be the number of existing datanodes.
-   *   Add a new datanode only if r >= 3 and either
-   *   (1) floor(r/2) >= n; or
-   *   (2) r > n and the block is hflushed/appended.
-   */
-  DEFAULT,
-  /** Always add a new datanode when an existing datanode is removed. */
-  ALWAYS;
+public class ReplaceDatanodeOnFailure {
+  /** The replacement policies */
+  public enum Policy {
+    /** The feature is disabled in the entire site. */
+    DISABLE(Condition.FALSE),
+    /** Never add a new datanode. */
+    NEVER(Condition.FALSE),
+    /** @see ReplaceDatanodeOnFailure.Condition#DEFAULT */
+    DEFAULT(Condition.DEFAULT),
+    /** Always add a new datanode when an existing datanode is removed. */
+    ALWAYS(Condition.TRUE);
+
+    private final Condition condition;
+
+    private Policy(Condition condition) {
+      this.condition = condition;
+    }
+    
+    Condition getCondition() {
+      return condition;
+    }
+  }
+
+  /** Datanode replacement condition */
+  private static interface Condition {
+    /** Return true unconditionally. */
+    static final Condition TRUE = new Condition() {
+      @Override
+      public boolean satisfy(short replication, DatanodeInfo[] existings,
+          int nExistings, boolean isAppend, boolean isHflushed) {
+        return true;
+      }
+    };
+
+    /** Return false unconditionally. */
+    static final Condition FALSE = new Condition() {
+      @Override
+      public boolean satisfy(short replication, DatanodeInfo[] existings,
+          int nExistings, boolean isAppend, boolean isHflushed) {
+        return false;
+      }
+    };
+
+    /**
+     * DEFAULT condition:
+     *   Let r be the replication number.
+     *   Let n be the number of existing datanodes.
+     *   Add a new datanode only if r >= 3 and either
+     *   (1) floor(r/2) >= n; or
+     *   (2) r > n and the block is hflushed/appended.
+     */
+    static final Condition DEFAULT = new Condition() {
+      @Override
+      public boolean satisfy(final short replication,
+          final DatanodeInfo[] existings, final int n, final boolean isAppend,
+          final boolean isHflushed) {
+        if (replication < 3) {
+          return false;
+        } else {
+          if (n <= (replication/2)) {
+            return true;
+          } else {
+            return isAppend || isHflushed;
+          }
+        }
+      }
+    };
+
+    /** Is the condition satisfied? */
+    public boolean satisfy(short replication, DatanodeInfo[] existings,
+        int nExistings, boolean isAppend, boolean isHflushed);
+  }
+
+  private final Policy policy;
+  private final boolean bestEffort;
+  
+  public ReplaceDatanodeOnFailure(Policy policy, boolean bestEffort) {
+    this.policy = policy;
+    this.bestEffort = bestEffort;
+  }
 
   /** Check if the feature is enabled. */
   public void checkEnabled() {
-    if (this == DISABLE) {
+    if (policy == Policy.DISABLE) {
       throw new UnsupportedOperationException(
           "This feature is disabled.  Please refer to "
           + DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_ENABLE_KEY
@@ -56,7 +120,20 @@ public void checkEnabled() {
     }
   }
 
-  /** Is the policy satisfied? */
+  /**
+   * Best effort means that the client will try to replace the failed datanode
+   * (provided that the policy is satisfied), however, it will continue the
+   * write operation in case that the datanode replacement also fails.
+   * 
+   * @return Suppose the datanode replacement fails.
+   *     false: An exception should be thrown so that the write will fail.
+   *     true : The write should be resumed with the remaining datandoes.
+   */
+  public boolean isBestEffort() {
+    return bestEffort;
+  }
+
+  /** Does it need a replacement according to the policy? */
   public boolean satisfy(
       final short replication, final DatanodeInfo[] existings,
       final boolean isAppend, final boolean isHflushed) {
@@ -64,40 +141,42 @@ public boolean satisfy(
     if (n == 0 || n >= replication) {
       //don't need to add datanode for any policy.
       return false;
-    } else if (this == DISABLE || this == NEVER) {
-      return false;
-    } else if (this == ALWAYS) {
-      return true;
     } else {
-      //DEFAULT
-      if (replication < 3) {
-        return false;
-      } else {
-        if (n <= (replication/2)) {
-          return true;
-        } else {
-          return isAppend || isHflushed;
-        }
-      }
+      return policy.getCondition().satisfy(
+          replication, existings, n, isAppend, isHflushed);
     }
   }
+  
+  @Override
+  public String toString() {
+    return policy.toString();
+  }
 
   /** Get the setting from configuration. */
   public static ReplaceDatanodeOnFailure get(final Configuration conf) {
+    final Policy policy = getPolicy(conf);
+    final boolean bestEffort = conf.getBoolean(
+        DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_BEST_EFFORT_KEY,
+        DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_BEST_EFFORT_DEFAULT);
+    
+    return new ReplaceDatanodeOnFailure(policy, bestEffort);
+  }
+
+  private static Policy getPolicy(final Configuration conf) {
     final boolean enabled = conf.getBoolean(
         DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_ENABLE_KEY,
         DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_ENABLE_DEFAULT);
     if (!enabled) {
-      return DISABLE;
+      return Policy.DISABLE;
     }
 
     final String policy = conf.get(
         DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_POLICY_KEY,
         DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_POLICY_DEFAULT);
-    for(int i = 1; i < values().length; i++) {
-      final ReplaceDatanodeOnFailure rdof = values()[i];
-      if (rdof.name().equalsIgnoreCase(policy)) {
-        return rdof;
+    for(int i = 1; i < Policy.values().length; i++) {
+      final Policy p = Policy.values()[i];
+      if (p.name().equalsIgnoreCase(policy)) {
+        return p;
       }
     }
     throw new HadoopIllegalArgumentException("Illegal configuration value for "
@@ -106,12 +185,16 @@ public static ReplaceDatanodeOnFailure get(final Configuration conf) {
   }
 
   /** Write the setting to configuration. */
-  public void write(final Configuration conf) {
+  public static void write(final Policy policy,
+      final boolean bestEffort, final Configuration conf) {
     conf.setBoolean(
         DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_ENABLE_KEY,
-        this != DISABLE);
+        policy != Policy.DISABLE);
     conf.set(
         DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_POLICY_KEY,
-        name());
+        policy.name());
+    conf.setBoolean(
+        DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_BEST_EFFORT_KEY,
+        bestEffort);
   }
 }
\ No newline at end of file
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
index 557727b3d85..cdb01005bf1 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
@@ -523,6 +523,28 @@
   </description>
 </property>
 
+<property>
+  <name>dfs.client.block.write.replace-datanode-on-failure.best-effort</name>
+  <value>false</value>
+  <description>
+    This property is used only if the value of
+    dfs.client.block.write.replace-datanode-on-failure.enable is true.
+
+    Best effort means that the client will try to replace a failed datanode
+    in write pipeline (provided that the policy is satisfied), however, it 
+    continues the write operation in case that the datanode replacement also
+    fails.
+
+    Suppose the datanode replacement fails.
+    false: An exception should be thrown so that the write will fail.
+    true : The write should be resumed with the remaining datandoes.
+  
+    Note that setting this property to true allows writing to a pipeline
+    with a smaller number of datanodes.  As a result, it increases the
+    probability of data loss.
+  </description>
+</property>
+
 <property>
   <name>dfs.blockreport.intervalMsec</name>
   <value>21600000</value>
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReplaceDatanodeOnFailure.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReplaceDatanodeOnFailure.java
index fbfd6d423f7..f92f287e28e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReplaceDatanodeOnFailure.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestReplaceDatanodeOnFailure.java
@@ -31,6 +31,7 @@
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
 import org.apache.hadoop.hdfs.protocol.datatransfer.DataTransferProtocol;
 import org.apache.hadoop.hdfs.protocol.datatransfer.ReplaceDatanodeOnFailure;
+import org.apache.hadoop.hdfs.protocol.datatransfer.ReplaceDatanodeOnFailure.Policy;
 import org.apache.hadoop.io.IOUtils;
 import org.apache.log4j.Level;
 import org.junit.Assert;
@@ -54,7 +55,8 @@ public class TestReplaceDatanodeOnFailure {
   /** Test DEFAULT ReplaceDatanodeOnFailure policy. */
   @Test
   public void testDefaultPolicy() throws Exception {
-    final ReplaceDatanodeOnFailure p = ReplaceDatanodeOnFailure.DEFAULT;
+    final Configuration conf = new HdfsConfiguration();
+    final ReplaceDatanodeOnFailure p = ReplaceDatanodeOnFailure.get(conf);
 
     final DatanodeInfo[] infos = new DatanodeInfo[5];
     final DatanodeInfo[][] datanodes = new DatanodeInfo[infos.length + 1][];
@@ -113,7 +115,7 @@ public void testReplaceDatanodeOnFailure() throws Exception {
     final Configuration conf = new HdfsConfiguration();
     
     //always replace a datanode
-    ReplaceDatanodeOnFailure.ALWAYS.write(conf);
+    ReplaceDatanodeOnFailure.write(Policy.ALWAYS, true, conf);
 
     final String[] racks = new String[REPLICATION];
     Arrays.fill(racks, RACK0);
@@ -239,8 +241,6 @@ public void testAppend() throws Exception {
     final Configuration conf = new HdfsConfiguration();
     final short REPLICATION = (short)3;
     
-    Assert.assertEquals(ReplaceDatanodeOnFailure.DEFAULT, ReplaceDatanodeOnFailure.get(conf));
-
     final MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf
         ).numDataNodes(1).build();
 
@@ -285,4 +285,41 @@ public void testAppend() throws Exception {
       if (cluster != null) {cluster.shutdown();}
     }
   }
+
+  @Test
+  public void testBestEffort() throws Exception {
+    final Configuration conf = new HdfsConfiguration();
+    
+    //always replace a datanode but do not throw exception
+    ReplaceDatanodeOnFailure.write(Policy.ALWAYS, true, conf);
+
+    final MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf
+        ).numDataNodes(1).build();
+
+    try {
+      final DistributedFileSystem fs = cluster.getFileSystem();
+      final Path f = new Path(DIR, "testIgnoreReplaceFailure");
+      
+      final byte[] bytes = new byte[1000];
+      {
+        LOG.info("write " + bytes.length + " bytes to " + f);
+        final FSDataOutputStream out = fs.create(f, REPLICATION);
+        out.write(bytes);
+        out.close();
+
+        final FileStatus status = fs.getFileStatus(f);
+        Assert.assertEquals(REPLICATION, status.getReplication());
+        Assert.assertEquals(bytes.length, status.getLen());
+      }
+
+      {
+        LOG.info("append another " + bytes.length + " bytes to " + f);
+        final FSDataOutputStream out = fs.append(f);
+        out.write(bytes);
+        out.close();
+      }
+    } finally {
+      if (cluster != null) {cluster.shutdown();}
+    }
+  }
 }