Fix NodeManager to verify the application's user-name

svn merge --ignore-ancestry -c 1390825 ../../trunk/


git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1390826 13f79535-47bb-0310-9956-ffa450edef68

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ContainerTokenIdentifier.java

@@ -48,14 +48,16 @@ public class ContainerTokenIdentifier extends TokenIdentifier {
 
   private ContainerId containerId;
   private String nmHostAddr;
+  private String appSubmitter;
   private Resource resource;
   private long expiryTimeStamp;
   private int masterKeyId;
 
   public ContainerTokenIdentifier(ContainerId containerID, String hostName,
-      Resource r, long expiryTimeStamp, int masterKeyId) {
+      String appSubmitter, Resource r, long expiryTimeStamp, int masterKeyId) {
     this.containerId = containerID;
     this.nmHostAddr = hostName;
+    this.appSubmitter = appSubmitter;
     this.resource = r;
     this.expiryTimeStamp = expiryTimeStamp;
     this.masterKeyId = masterKeyId;
@@ -71,6 +73,10 @@ public class ContainerTokenIdentifier extends TokenIdentifier {
     return this.containerId;
   }
 
+  public String getApplicationSubmitter() {
+    return this.appSubmitter;
+  }
+
   public String getNmHostAddress() {
     return this.nmHostAddr;
   }
@@ -98,6 +104,7 @@ public class ContainerTokenIdentifier extends TokenIdentifier {
     out.writeInt(applicationAttemptId.getAttemptId());
     out.writeInt(this.containerId.getId());
     out.writeUTF(this.nmHostAddr);
+    out.writeUTF(this.appSubmitter);
     out.writeInt(this.resource.getMemory());
     out.writeLong(this.expiryTimeStamp);
     out.writeInt(this.masterKeyId);
@@ -112,6 +119,7 @@ public class ContainerTokenIdentifier extends TokenIdentifier {
     this.containerId = BuilderUtils.newContainerId(applicationAttemptId, in
         .readInt());
     this.nmHostAddr = in.readUTF();
+    this.appSubmitter = in.readUTF();
     this.resource = BuilderUtils.newResource(in.readInt());
     this.expiryTimeStamp = in.readLong();
     this.masterKeyId = in.readInt();

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/BaseContainerTokenSecretManager.java

@@ -128,7 +128,8 @@ public class BaseContainerTokenSecretManager extends
   public byte[] createPassword(ContainerTokenIdentifier identifier) {
     if (LOG.isDebugEnabled()) {
       LOG.debug("Creating password for " + identifier.getContainerID()
-          + " to be run on NM " + identifier.getNmHostAddress());
+          + " for user " + identifier.getUser() + " to be run on NM "
+          + identifier.getNmHostAddress());
     }
     this.readLock.lock();
     try {
@@ -155,7 +156,8 @@ public class BaseContainerTokenSecretManager extends
       throws org.apache.hadoop.security.token.SecretManager.InvalidToken {
     if (LOG.isDebugEnabled()) {
       LOG.debug("Retrieving password for " + identifier.getContainerID()
-          + " to be run on NM " + identifier.getNmHostAddress());
+          + " for user " + identifier.getUser() + " to be run on NM "
+          + identifier.getNmHostAddress());
     }
     return createPassword(identifier.getBytes(), masterKey.getSecretKey());
   }
@@ -173,11 +175,12 @@ public class BaseContainerTokenSecretManager extends
    * 
    * @param containerId
    * @param nodeId
+   * @param appSubmitter
    * @param capability
    * @return the container-token
    */
   public ContainerToken createContainerToken(ContainerId containerId,
-      NodeId nodeId, Resource capability) {
+      NodeId nodeId, String appSubmitter, Resource capability) {
     byte[] password;
     ContainerTokenIdentifier tokenIdentifier;
     long expiryTimeStamp =
@@ -188,8 +191,8 @@ public class BaseContainerTokenSecretManager extends
     try {
       tokenIdentifier =
           new ContainerTokenIdentifier(containerId, nodeId.toString(),
-            capability, expiryTimeStamp, this.currentMasterKey.getMasterKey()
+            appSubmitter, capability, expiryTimeStamp, this.currentMasterKey
-              .getKeyId());
+              .getMasterKey().getKeyId());
       password = this.createPassword(tokenIdentifier);
 
     } finally {

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java

@@ -329,7 +329,6 @@ public class ContainerManagerImpl extends CompositeService implements
             + remoteUgi.getTokenIdentifiers().size());
       }
 
-
       // Get the tokenId from the remote user ugi
       ContainerTokenIdentifier tokenId =
           selectContainerTokenIdentifier(remoteUgi);
@@ -341,8 +340,16 @@ public class ContainerManagerImpl extends CompositeService implements
                 + containerIDStr);
       } else {
 
+        // Is the container coming in with correct user-name?
+        if (!tokenId.getApplicationSubmitter().equals(launchContext.getUser())) {
+          unauthorized = true;
+          messageBuilder.append("\n Expected user-name "
+              + tokenId.getApplicationSubmitter() + " but found "
+              + launchContext.getUser());
+        }
+
         // Is the container being relaunched? Or RPC layer let startCall with 
-    	//  tokens generated off old-secret through 
+      	//  tokens generated off old-secret through?
         if (!this.context.getContainerTokenSecretManager()
           .isValidStartContainerRequest(tokenId)) {
           unauthorized = true;

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java

@@ -231,7 +231,6 @@ public class RMAppManager implements EventHandler<RMAppManagerEvent> {
     RMApp application = null;
     try {
       String clientTokenStr = null;
-      String user = UserGroupInformation.getCurrentUser().getShortUserName();
       if (UserGroupInformation.isSecurityEnabled()) {
         Token<ClientTokenIdentifier> clientToken = new 
             Token<ClientTokenIdentifier>(
@@ -256,10 +255,11 @@ public class RMAppManager implements EventHandler<RMAppManagerEvent> {
           submissionContext);
 
       // Create RMApp
-      application = new RMAppImpl(applicationId, rmContext,
+      application =
-          this.conf, submissionContext.getApplicationName(), user,
+          new RMAppImpl(applicationId, rmContext, this.conf,
-          submissionContext.getQueue(), submissionContext, clientTokenStr,
+            submissionContext.getApplicationName(),
-          appStore, this.scheduler,
+            submissionContext.getUser(), submissionContext.getQueue(),
+            submissionContext, clientTokenStr, appStore, this.scheduler,
             this.masterService, submitTime);
 
       // Sanity check - duplicate?

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java

@@ -1197,7 +1197,7 @@ public class LeafQueue implements CSQueue {
     if (UserGroupInformation.isSecurityEnabled()) {
       containerToken =
           containerTokenSecretManager.createContainerToken(containerId, nodeId,
-            capability);
+            application.getUser(), capability);
       if (containerToken == null) {
         return null; // Try again later.
       }

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AppSchedulable.java

@@ -161,7 +161,7 @@ public class AppSchedulable extends Schedulable {
     if (UserGroupInformation.isSecurityEnabled()) {
       containerToken =
           containerTokenSecretManager.createContainerToken(containerId, nodeId,
-            capability);
+            application.getUser(), capability);
       if (containerToken == null) {
         return null; // Try again later.
       }

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java

@@ -539,7 +539,8 @@ public class FifoScheduler implements ResourceScheduler, Configurable {
         if (UserGroupInformation.isSecurityEnabled()) {
           containerToken =
               this.rmContext.getContainerTokenSecretManager()
-                .createContainerToken(containerId, nodeId, capability);
+                .createContainerToken(containerId, nodeId,
+                  application.getUser(), capability);
           if (containerToken == null) {
             return i; // Try again later.
           }

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-tests/src/test/java/org/apache/hadoop/yarn/server/TestContainerManagerSecurity.java

@@ -219,9 +219,10 @@ public class TestContainerManagerSecurity {
 
     // Malice user modifies the resource amount
     Resource modifiedResource = BuilderUtils.newResource(2048);
-    ContainerTokenIdentifier modifiedIdentifier = new ContainerTokenIdentifier(
+    ContainerTokenIdentifier modifiedIdentifier =
-        dummyIdentifier.getContainerID(), dummyIdentifier.getNmHostAddress(),
+        new ContainerTokenIdentifier(dummyIdentifier.getContainerID(),
-        modifiedResource, Long.MAX_VALUE, dummyIdentifier.getMasterKeyId());
+          dummyIdentifier.getNmHostAddress(), "testUser", modifiedResource,
+          Long.MAX_VALUE, dummyIdentifier.getMasterKeyId());
     Token<ContainerTokenIdentifier> modifiedToken = new Token<ContainerTokenIdentifier>(
         modifiedIdentifier.getBytes(), containerToken.getPassword().array(),
         new Text(containerToken.getKind()), new Text(containerToken
@@ -320,12 +321,14 @@ public class TestContainerManagerSecurity {
 
         callWithIllegalContainerID(client, tokenId);
         callWithIllegalResource(client, tokenId);
+        callWithIllegalUserName(client, tokenId);
 
         return client;
       }
     });
     
-    /////////// End of testing for illegal containerIDs and illegal Resources
+    // ///////// End of testing for illegal containerIDs, illegal Resources and
+    // illegal users
 
     /////////// Test calls with expired tokens
     RPC.stopProxy(client);
@@ -336,7 +339,7 @@ public class TestContainerManagerSecurity {
       resourceManager.getRMContainerTokenSecretManager(); 
     final ContainerTokenIdentifier newTokenId =
         new ContainerTokenIdentifier(tokenId.getContainerID(),
-          tokenId.getNmHostAddress(), tokenId.getResource(),
+          tokenId.getNmHostAddress(), "testUser", tokenId.getResource(),
           System.currentTimeMillis() - 1, 
           containerTokenSecreteManager.getCurrentKey().getKeyId());
     byte[] passowrd =
@@ -347,8 +350,6 @@ public class TestContainerManagerSecurity {
         newTokenId.getBytes(), passowrd, new Text(
             containerToken.getKind()), new Text(containerToken.getService()));
 
-    
-    
     unauthorizedUser.addToken(token);
     unauthorizedUser.doAs(new PrivilegedAction<Void>() {
       @Override
@@ -567,6 +568,29 @@ public class TestContainerManagerSecurity {
     }
   }
 
+  void callWithIllegalUserName(ContainerManager client,
+      ContainerTokenIdentifier tokenId) {
+    StartContainerRequest request = recordFactory
+        .newRecordInstance(StartContainerRequest.class);
+    // Authenticated but unauthorized, due to wrong resource
+    ContainerLaunchContext context =
+        createContainerLaunchContextForTest(tokenId);
+    context.setUser("Saruman"); // Set a different user-name.
+    request.setContainerLaunchContext(context);
+    try {
+      client.startContainer(request);
+      fail("Connection initiation with unauthorized "
+          + "access is expected to fail.");
+    } catch (YarnRemoteException e) {
+      LOG.info("Got exception : ", e);
+      Assert.assertTrue(e.getMessage().contains(
+          "Unauthorized request to start container. "));
+      Assert.assertTrue(e.getMessage().contains(
+        "Expected user-name " + tokenId.getApplicationSubmitter()
+            + " but found " + context.getUser()));
+    }
+  }
+
   private ContainerLaunchContext createContainerLaunchContextForTest(
       ContainerTokenIdentifier tokenId) {
     ContainerLaunchContext context =