From f87866446d33810a427d6267c8a165c3382ebbb6 Mon Sep 17 00:00:00 2001
From: Varun Saxena
Date: Wed, 13 Jul 2016 07:40:10 +0530
Subject: [PATCH] YARN-5353. ResourceManager can leak delegation tokens when they are shared across apps. (Jason Lowe via Varun Saxena).
---
 .../resourcemanager/security/DelegationTokenRenewer.java | 7 +------
 .../security/TestDelegationTokenRenewer.java | 3 +++
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java
index 4177ee21034..dfbf33397d1 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java
@@ -773,7 +773,7 @@ public class DelegationTokenRenewer extends AbstractService {
 private void removeApplicationFromRenewal(ApplicationId applicationId) {
 rmContext.getSystemCredentialsForApps().remove(applicationId);
- Set tokens = appTokens.get(applicationId);
+ Set tokens = appTokens.remove(applicationId);
 if (tokens != null && !tokens.isEmpty()) {
 synchronized (tokens) {
@@ -798,15 +798,10 @@ public class DelegationTokenRenewer extends AbstractService {
 // cancel the token
 cancelToken(dttr);
- it.remove();
 allTokens.remove(dttr.token);
 }
 }
 }
-
- if(tokens != null && tokens.isEmpty()) {
- appTokens.remove(applicationId);
- }
 }
 /**
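Review bot: Because `appTokens.remove(applicationId)` now detaches the per-application set before the loop runs, any other path that calls `appTokens.get(applicationId)` for an application that is finishing will get `null` instead of a set; those call sites are outside this hunk, so each should be confirmed to null-check the result. A thread that obtained the set earlier and adds a token to it after this point would presumably leave that token untracked by `appTokens`, which is worth ruling out as well. A short comment above the changed line would record the intent, for example `// Remove the entry up front so the per-app set cannot outlive the application when some of its tokens are shared with other apps.` The body of removeApplicationFromRenewal continues beyond this hunk.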
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java
index afb04d22443..68b75fd87f9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java
@@ -1257,6 +1257,9 @@ public class TestDelegationTokenRenewer {
 Assert.assertTrue(dttr.referringAppIds.isEmpty());
 Assert.assertTrue(dttr.isTimerCancelled());
 Assert.assertTrue(Renewer.cancelled);
+
+ // make sure the token also has been removed from appTokens
+ Assert.assertFalse(renewer.getDelegationTokens().contains(token1));
 }
 }
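Review bot: The added assertion only covers the final state, after every referring application has finished; it does not pin the intermediate state behind the leak, where one application has finished and another still refers to the shared token. If the earlier part of this test (outside the hunk) does not already check it, an assertion placed after the first application finishes, such as `Assert.assertTrue(renewer.getDelegationTokens().contains(token1));`, would catch a regression that drops or cancels a shared token too early, assuming the second application's set still holds it at that point. The comment could also say which application's completion is being verified, for example `// after the last referring app finishes, the token must be gone from appTokens`.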