From ea7ad50499db98d687a3bbdebcbda201fae20b55 Mon Sep 17 00:00:00 2001 From: Robert Kanter Date: Mon, 23 Apr 2018 15:44:15 -0700 Subject: [PATCH] HADOOP-15390. Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens (xiaochen via rkanter) (cherry picked from commit 7ab08a9c37a76edbe02d556fcfb2e637f45afc21) --- .../crypto/key/kms/KMSTokenRenewer.java | 12 ++++++------ .../security/DelegationTokenRenewer.java | 4 ++++ .../security/TestDelegationTokenRenewer.java | 19 +++++++++++++++++++ 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSTokenRenewer.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSTokenRenewer.java index 908ad39fe05..1fff2f9e6bc 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSTokenRenewer.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSTokenRenewer.java @@ -58,9 +58,9 @@ public class KMSTokenRenewer extends TokenRenewer { try { if (!(keyProvider instanceof KeyProviderDelegationTokenExtension.DelegationTokenExtension)) { - LOG.warn("keyProvider {} cannot renew token {}.", - keyProvider == null ? "null" : keyProvider.getClass(), token); - return 0; + throw new IOException(String + .format("keyProvider %s cannot renew token [%s]", + keyProvider == null ? "null" : keyProvider.getClass(), token)); } return ((KeyProviderDelegationTokenExtension.DelegationTokenExtension) keyProvider).renewDelegationToken(token); @@ -78,9 +78,9 @@ public class KMSTokenRenewer extends TokenRenewer { try { if (!(keyProvider instanceof KeyProviderDelegationTokenExtension.DelegationTokenExtension)) { - LOG.warn("keyProvider {} cannot cancel token {}.", - keyProvider == null ? "null" : keyProvider.getClass(), token); - return; + throw new IOException(String + .format("keyProvider %s cannot cancel token [%s]", + keyProvider == null ? "null" : keyProvider.getClass(), token)); } ((KeyProviderDelegationTokenExtension.DelegationTokenExtension) keyProvider).cancelDelegationToken(token); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java index abb8d59ff0b..220787c1604 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java @@ -592,6 +592,10 @@ public class DelegationTokenRenewer extends AbstractService { throws IOException { // calculate timer time long expiresIn = token.expirationDate - System.currentTimeMillis(); + if (expiresIn <= 0) { + LOG.info("Will not renew token " + token); + return; + } long renewIn = token.expirationDate - expiresIn/10; // little bit before the expiration // need to create new task every time RenewalTimerTask tTask = new RenewalTimerTask(token); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java index c708b921eea..8351860df2b 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java @@ -20,6 +20,7 @@ package org.apache.hadoop.yarn.server.resourcemanager.security; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNull; import static org.junit.Assert.fail; import static org.mockito.Matchers.any; import static org.mockito.Mockito.doAnswer; @@ -1401,4 +1402,22 @@ public class TestDelegationTokenRenewer { .contains(YarnConfiguration.RM_DELEGATION_TOKEN_MAX_CONF_SIZE)); } } + + // Test if the token renewer returned an invalid expiration time, that token's + // renewal should be ignored. + @Test + public void testTokenRenewerInvalidReturn() throws Exception { + DelegationTokenToRenew mockDttr = mock(DelegationTokenToRenew.class); + mockDttr.expirationDate = 0; + delegationTokenRenewer.setTimerForTokenRenewal(mockDttr); + assertNull(mockDttr.timerTask); + + mockDttr.expirationDate = -1; + delegationTokenRenewer.setTimerForTokenRenewal(mockDttr); + assertNull(mockDttr.timerTask); + + mockDttr.expirationDate = System.currentTimeMillis() - 1; + delegationTokenRenewer.setTimerForTokenRenewal(mockDttr); + assertNull(mockDttr.timerTask); + } }